CASE STUDY: DDOS TESTING

How a Gaming Company Stopped Hit-and-Run DDoS Attacks

The business model and brand reputation of online gambling companies depend heavily on stability, reliability, and security. One such organization, managing several sites for sports betting, poker and other casino-style games, was concerned that recently trending “hit-and-run” application-layer DDoS attacks could disrupt or even paralyze their operations.

For its top-tier services, the company relies on Cloudflare's WAF for DDoS protection, with standard measures including bot management, rate limiting, and Cloudflare's automatic L7 DDoS mitigation (known as HTTP DDoS). Hit-and-run attacks, however, consist of short, intense bursts of high-rate traffic that are often over before rate-based detection has had time to engage and mitigate them. Moreover, such attacks are increasingly popular among cybervandals because they are cheap and easy to launch.

The Solution

In consultation with Red Button, the company introduced a two-tier rate-limiting scheme designed to mitigate hit-and-run application-layer DDoS attacks. A new rate-limit rule serves a managed challenge to requests from any client that exceeds a defined threshold, while a second rule with a higher threshold blocks requests from that client outright. The thresholds are fine-tuned monthly against the number of false positives observed.

Red Button then validated the company's DDoS protection, focusing on the performance of the Cloudflare WAF and the new managed-challenge rate-limit layer. To that end, we designed a seven-vector hit-and-run DDoS test simulation.

The Results

For six vectors, the newly implemented WAF rate-limit rule activated immediately, the managed challenges were presented, and the attack was mitigated with no impact on the company's services. In one of these cases, the managed challenge escalated to a complete block of all attack traffic when the block-mode rate-limit rule was automatically triggered.

Cloudflare could not prevent the impact of the seventh attack vector, however: the backend resources of the target were overwhelmed by the initial spike, and an issue with the SSL/TLS certificate handling at the origin made the service inaccessible. The targeted service became completely unreachable within two minutes, and even after the attack was terminated it remained unavailable for some time.

Recommendations

The simulation confirmed that the new measure implemented by the online gambling company is quite effective, but there was still room for improvement. We recommended the following measures to optimize the company’s DDoS mitigation outcomes:

  • Apply the new rule uniformly: Managed-challenge rate-limiting was a successful strategy. It should be implemented across all company brands and sites to maximize protection.
  • Increase backend resources: During the one simulated hit-and-run vector that got through, the backend of the tested target struggled to handle TCP and TLS (SSL) handshakes under high load even with the Cloudflare rules in place. Requests that pass a managed challenge are still forwarded to the origin, so the origin must be provisioned for that load; the remedy is to increase the available resources.
  • Align rate-limit rule priorities: The block-mode rule should take precedence whenever the attack rate crosses the higher threshold that indicates highly excessive traffic. This both mitigates the attack and avoids spending resources on serving managed challenges that the attack traffic will never solve. The managed-challenge rule should therefore be given lower priority than the block-mode rule, so that the strongest mitigation action takes effect when it is needed.
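To make the ordering point concrete, here is a small Python model of the two-tier scheme described above. It is an added example written for this write-up, not Red Button's or Cloudflare's code. It assumes a simplified engine in which rules are evaluated in order and the first rule over its threshold decides the request, uses hypothetical thresholds of 100 and 1,000 requests per 10 seconds, and replays a constructed burst from a single client IP. Running the same 2,000-request burst through both rule orders shows why the block rule must come first: with the challenge rule ahead of it, every request past the lower threshold is challenged and the block rule never engages.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitRule:
    """One rate-limit rule: count a client's requests in a sliding window, act over a threshold."""
    name: str
    threshold: int    # requests permitted per window before the action applies
    window: float     # window length in seconds
    action: str       # "managed_challenge" or "block"


# Hypothetical thresholds, assumed for illustration (the case study does not publish the real ones).
CHALLENGE_RULE = RateLimitRule("challenge-suspicious", threshold=100, window=10.0, action="managed_challenge")
BLOCK_RULE = RateLimitRule("block-flood", threshold=1000, window=10.0, action="block")


class TwoTierRateLimiter:
    """Simplified model of ordered rate-limit rules.

    Model assumption: rules are evaluated in list order and the first rule whose
    counter exceeds its threshold decides the request; evaluation then stops.
    Counting is a plain per-client sliding window with no mitigation timeout,
    so this illustrates rule ordering only and is not a copy of any vendor's engine.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.history = defaultdict(deque)   # client -> timestamps of its recent requests
        self.longest_window = max(r.window for r in self.rules)

    def handle(self, client, ts):
        """Record one request from `client` at time `ts` (seconds) and return the action taken."""
        q = self.history[client]
        q.append(ts)
        while q and ts - q[0] > self.longest_window:   # drop requests no rule can still see
            q.popleft()
        for rule in self.rules:
            recent = sum(1 for t in q if ts - t <= rule.window)
            if recent > rule.threshold:
                return rule.action
        return "allow"


def simulate_burst(limiter, n_requests, rate_per_second, client="203.0.113.10"):
    """Replay a constructed hit-and-run burst from one (hypothetical) client and tally the decisions."""
    tally = Counter()
    for i in range(n_requests):
        tally[limiter.handle(client, i / rate_per_second)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed burst: 2000 requests in 4 seconds from a single source, well inside the 10 s window.
    for label, order in (("challenge rule first", [CHALLENGE_RULE, BLOCK_RULE]),
                         ("block rule first", [BLOCK_RULE, CHALLENGE_RULE])):
        print(label, simulate_burst(TwoTierRateLimiter(order), 2000, 500))
```

With the challenge rule first, the tally is 100 allowed and 1,900 challenged, and nothing is ever blocked; with the block rule first, the first 100 requests pass, the next 900 are challenged, and the remaining 1,000 are blocked. A low-rate client stays under both thresholds in either order. A real deployment would also give the block rule a mitigation timeout and exclude known-good sources; both are outside this model.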
