CASE STUDY: DDOS TESTING

DDoS Testing to Secure European Railway Ticketing

A European company providing online railway ticketing and travel information needed to ensure that travelers could rely on it for uninterrupted, secure, real-time service. It therefore sought to verify the effectiveness of its DDoS protection, including the security team's ability to identify, mitigate and recover from an attack.

The Solution

Red Button designed seven advanced application-layer attack scenarios to test the company's AWS-based DDoS protection, focusing on the AWS WAF rules attached to its CloudFront distribution, its detection mechanisms, and its response procedures and protocols.

At the company's request, a black-box methodology was adopted: the Red Team started with no prior knowledge of the company's architecture or protections, emulating an external attacker. The simulations therefore began with the reconnaissance a real attacker would perform, mapping the public-facing architecture and tracing the request path from client to origin.

The Results

Red Button's analysis of the test results indicated that the company's DDoS protection was at a solid level of readiness: five of the seven attack scenarios were detected and mitigated with no impact on service, while two caused short outages before they were mitigated.

Notably, the origin server went down under a relatively low request rate, indicating little capacity headroom for the interval before mitigation takes effect. The rate-limit rule thresholds in the production environment were also set significantly lower than recommended best practice. A threshold below the legitimate peak per-client rate (for example, many customers behind one corporate NAT or travel-agency proxy sharing a single source IP) blocks real users, producing false positives rather than protection.

Recommendations

Red Button recommended the following measures to improve the company's DDoS mitigation even further:

  • Fine-tune rate limits – Re-evaluate the rate-limit thresholds against a baseline of actual, observed traffic (per-client request counts per rule evaluation window) and set them with headroom above legitimate peaks, so that the rules trigger on attack traffic rather than on busy legitimate clients.
  • Improve origin capacity – Raise the performance baseline of the origin servers. Mitigation can take time to kick in, and a more robust origin configuration prevents downtime during that interval.
  • Expand the tested surface – Since the simulation covered only specific assets, DDoS protection for the company's other online services should be verified as well.
  • Test direct-to-origin attack scenarios – The environment should also be tested with simulated DDoS attacks aimed directly at company-owned IP addresses, emulating attempts to bypass CloudFront and the WAF. A practical check here is whether the origin accepts traffic from anywhere or only from CloudFront, for example by restricting it to CloudFront's published address ranges and requiring a secret header that CloudFront adds to origin requests.
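As an added illustration of the rate-limit tuning recommendation (this is not code from Red Button's report or from the company's configuration), the script below parses constructed CloudFront-style access log lines, counts requests per client IP per 5-minute window (the default evaluation window of an AWS WAF rate-based rule), derives a threshold from a high percentile of the legitimate baseline plus headroom, and reports which legitimate clients a candidate threshold would block. The sample traffic, the IP addresses (RFC 5737 documentation ranges), the percentile, the headroom factor and the rule minimum are all assumptions chosen for the example.

```python
"""Derive a WAF rate-limit threshold from an observed traffic baseline.

Added example, not code from the case study. The sample traffic below is
constructed; IP addresses come from RFC 5737 documentation ranges.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 300             # default AWS WAF rate-based rule window
EPOCH = datetime(1970, 1, 1)     # naive reference; avoids local-timezone surprises


def parse_line(line):
    """Parser for the constructed log format: '<iso-ts> <client-ip> <uri> <status>'."""
    ts, ip, uri, status = line.split()
    return datetime.fromisoformat(ts), ip, uri, int(status)


def per_client_window_counts(lines):
    """Count requests per (client IP, 5-minute window), mirroring how a
    rate-based rule aggregates on source address."""
    counts = defaultdict(int)
    for line in lines:
        ts, ip, _, _ = parse_line(line)
        window = int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS
        counts[(ip, window)] += 1
    return dict(counts)


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list, p in (0, 100]."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def recommend_threshold(counts, p=99.0, headroom=3.0, rule_minimum=100):
    """Threshold = (p-th percentile of legitimate per-client counts) * headroom.

    `headroom` keeps busy-but-legitimate clients under the limit as traffic
    grows. `rule_minimum` is an assumed lower bound for the service's rate-based
    rule limit; check the current AWS WAF documentation for the real value.
    """
    baseline = percentile(list(counts.values()), p)
    return max(rule_minimum, math.ceil(baseline * headroom))


def false_positives(counts, threshold):
    """Legitimate client IPs that exceed `threshold` in some window, i.e. the
    customers a too-low limit would block."""
    return sorted({ip for (ip, _), n in counts.items() if n > threshold})


def build_sample_log():
    """Constructed baseline for one window: 20 ordinary clients making 21..40
    requests each, plus one shared NAT address (e.g. a travel agency) fanning
    out 180 requests from many real users."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    spec = {f"198.51.100.{i}": 20 + i for i in range(1, 21)}
    spec["203.0.113.7"] = 180
    lines = []
    for ip, n in spec.items():
        for k in range(n):
            ts = base + timedelta(seconds=(k * WINDOW_SECONDS) // n)
            lines.append(f"{ts.isoformat()} {ip} /search 200")
    return lines


if __name__ == "__main__":
    counts = per_client_window_counts(build_sample_log())
    production_limit = 100            # assumed too-low production value
    print("blocked legitimate clients at", production_limit, "->",
          false_positives(counts, production_limit))
    tuned = recommend_threshold(counts)
    print("baseline-derived threshold:", tuned,
          "| blocked legitimate clients ->", false_positives(counts, tuned))
```

With this constructed baseline the assumed production limit of 100 blocks the shared NAT address, which is exactly the false positive the findings describe, while the baseline-derived limit of 540 blocks nothing legitimate yet still sits far below the per-source rates a flood produces. The percentile and headroom are tuning knobs to be chosen from the real distribution, and the derivation should be re-run whenever traffic patterns shift, for instance around seasonal travel peaks.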
