The business model and brand reputation of online gambling companies depend heavily on stability, reliability, and security. One such organization, managing several sites for sports betting, poker and other casino-style games, was concerned that recently trending “hit-and-run” application-layer DDoS attacks could disrupt or even paralyze their operations.
For its top-tier services’ DDoS protection needs, the company depends on Cloudflare’s Cloud WAF, with standard protection measures including bot management, rate limiting, and Cloudflare’s automatic L7 DDoS mitigation (known as HTTP DDoS). Hit-and-run attacks, however, involve short, intense, high-rate bursts of traffic that are relatively hard to detect and mitigate in time. Moreover, such attacks are increasingly popular among cybervandals because they are relatively low cost and easy to execute.
In consultation with Red Button, the company introduced a two-tiered rate-limiting system designed to mitigate hit-and-run application-layer DDoS attacks. A new rate-limit rule triggers a managed challenge for suspicious requests exceeding a defined threshold, while requests exceeding a higher rate-limit threshold are automatically blocked. These configurations are regularly fine-tuned based on the number of false positives detected each month.
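A simplified model of the two-tiered rule described above, as an added example (not Red Button's or Cloudflare's code), showing how one burst escalates from allowed to challenged to blocked. The window length, both thresholds, the per-client counting key and the sample traffic are constructed assumptions; the page does not state the real values.

```python
from collections import defaultdict, deque

# Constructed values for illustration; the real thresholds are not on the page.
WINDOW_S = 10          # counting period in seconds
CHALLENGE_LIMIT = 50   # tier 1: above this, issue a managed challenge
BLOCK_LIMIT = 200      # tier 2: above this, block outright


class TwoTierLimiter:
    """Sliding-window counter per client key with two escalating actions."""

    def __init__(self, window=WINDOW_S, challenge=CHALLENGE_LIMIT, block=BLOCK_LIMIT):
        if not 0 < challenge < block:
            raise ValueError("challenge limit must be positive and below block limit")
        self.window, self.challenge, self.block = window, challenge, block
        self.hits = defaultdict(deque)   # client key -> timestamps inside the window

    def decide(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        q.append(now)                            # challenged/blocked requests still count
        if len(q) > self.block:
            return "block"
        if len(q) > self.challenge:
            return "managed_challenge"
        return "allow"


def simulate(events, limiter=None):
    """events: iterable of (timestamp_seconds, client_key). Returns action counts per client."""
    limiter = limiter or TwoTierLimiter()
    counts = defaultdict(lambda: {"allow": 0, "managed_challenge": 0, "block": 0})
    for ts, client in sorted(events):
        counts[client][limiter.decide(client, ts)] += 1
    return {c: dict(v) for c, v in counts.items()}


# Constructed traffic: one client sending 500 requests in 2 s, one ordinary user at 1 req/s.
BURST = [(i * 0.004, "203.0.113.7") for i in range(500)]
NORMAL = [(i * 1.0, "198.51.100.20") for i in range(30)]

if __name__ == "__main__":
    for client, c in simulate(BURST + NORMAL).items():
        print(client, c)
```

In this model the requests below the first threshold always reach the origin, so the origin has to be sized to absorb that initial allowance before any challenge is issued.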
Red Button then validated the company’s DDoS protection, focusing on the performance of the Cloudflare WAF and the new managed-challenge rate-limit layer. To that end, we designed a seven-vector hit-and-run DDoS test simulation.
For six vectors, the newly implemented WAF rate-limit rule was activated immediately, the requisite managed challenges were presented, and the DDoS attack was effectively mitigated with no impact on the company’s services. In one case, a managed challenge gave way to a complete block on all attack traffic when a block-mode rate-limit rule was automatically triggered.
Cloudflare could not prevent the impact of the seventh attack vector, however, as the backend resources of the target were overwhelmed by the initial spike, and an issue with the SSL certificate made the service inaccessible. Access to the targeted service was completely blocked within two minutes, and even after the attack was terminated, the service remained unavailable for some time.
The simulation confirmed that the new measure implemented by the online gambling company is quite effective, but there was still room for improvement. We recommended the following measures to optimize the company’s DDoS mitigation outcomes: