Frequently Asked Questions

Case Study: DDoS Protection for Government Elections

What was the main challenge addressed in the 'Uncovering DDoS Protection Gaps in Time for Elections' case study?

A national government agency needed to ensure the continuity of its online infrastructure and services during an election period, anticipating an increase in DDoS attacks targeting government websites. The agency sought to verify its ability to mitigate both volumetric and application-layer DDoS attacks, especially those that are harder to detect. Note: The case study focuses on government use cases; results may differ for other industries. Source.

How did Red Button approach DDoS testing for the government agency?

Red Button used a 'grey box' testing methodology, where the agency disclosed its Akamai Cloud WAF configuration but not backend AWS capacity. Two customized DDoS simulation sessions were designed to challenge different web applications, some protected by Akamai Cloud WAF and others by a second vendor. The simulations focused on application-layer attacks, including HTTPS GET/POST/OPTIONS floods and Large File Uploads, to test backend resilience, API protection, and CDN cache services. Note: Full backend visibility was limited due to partial disclosure. Source.

What were the key findings from the DDoS simulations in the case study?

In the first simulation, 11 of 12 attack vectors targeting Akamai Cloud WAF-protected applications were detected and mitigated, but a Large File Upload (LFU) attack using an 8 KB file caused a denial of service. Akamai's rate limit rules and CDN caching were effective, and AWS backend infrastructure maintained low latency. In the second simulation, nine of 12 attacks succeeded in causing denial of service on services protected by the second vendor, mainly due to the failure of automatic DDoS protection to engage and misconfigured mitigation measures. Note: Results are specific to the tested configurations and may not generalize to all environments. Source.

What recommendations did Red Button provide to address the DDoS protection gaps?

Red Button recommended: (1) Adding a second layer of defense against Large File Upload attacks, such as reducing POST request paths and setting WAF custom rules for file size; (2) Closing Akamai DDoS protection gaps by adding rate limit rules at API endpoints and removing maximum-capacity throttling rules; (3) Consulting with the second vendor to clarify best practices; (4) Retesting all failed attack scenarios. Note: Recommendations are tailored to the agency's environment and may require adaptation for other organizations. Source.

Features & Capabilities

What types of DDoS attacks can Red Button simulate?

Red Button can simulate over 100 DDoS attack vectors, including HTTPS GET/POST/OPTIONS floods, Large File Uploads, and other sophisticated application-layer and volumetric attacks. Simulations can reach up to 300 Gbps, 5 million packets per second (PPS), and 500,000 HTTP requests per second (RPS). Note: Not all attack types may be relevant for every environment; consult Red Button for tailored scenarios. Source.

Does Red Button support compliance-grade reporting for regulations like ISO 27001 and SOC 2?

Yes, Red Button provides compliance-grade reporting and audit-ready evidence to support ISO 27001 and SOC 2 certification requirements. This includes detailed technical reports and validation of disaster recovery readiness, helping organizations meet regulatory demands such as DORA, SAMA, MAS, and HKMA. Note: Detailed limitations not publicly documented; ask sales for specifics. Source.

What technical documentation and resources are available for Red Button's solutions?

Red Button offers datasheets, a knowledge base, and white papers covering technical specifications, troubleshooting, and best practices for DDoS mitigation. These resources are available at the datasheets page, the knowledge base, and the white papers page. Note: Some resources may require registration or approval for access.

Use Cases & Benefits

Who can benefit from Red Button's DDoS testing services?

Red Button's services are designed for CISOs, security leaders, and engineering executives in organizations such as government agencies, financial services, gaming and media companies, telecom/ISPs, and enterprises with public-facing applications. Typical triggers for engagement include recent DDoS attacks, regulatory pressure (e.g., DORA compliance), new CDN or mitigation rollouts, or dissatisfaction with previous vendors. Note: Best fit for organizations with complex or regulated environments; smaller organizations may require a tailored approach. Source.

What business impact can customers expect from using Red Button?

Customers can expect enhanced operational resilience, reduced risk of downtime, improved regulatory compliance, actionable remediation insights, and cost savings by preventing outages and penalties. Red Button's experience includes handling over 30 global DDoS incidents annually, with attack volumes up to 1.2 Tbps. Note: Impact depends on implementation scope and organizational readiness. Source.

Implementation & Ease of Use

How long does it take to implement Red Button's DDoS testing, and what is required from the customer?

The onboarding phase typically takes around two weeks from kickoff to test execution, including scoping, architecture review, test plan drafting, and approval. Customers usually dedicate about five hours total: one hour for a pre-test interview, three hours for the live test, and one hour for results readout. Red Button's experts handle planning and execution, and tests can be scheduled during maintenance windows to minimize disruption. Note: Timelines may vary for highly complex or regulated environments. Source.

What feedback have customers given about the ease of use of Red Button's services?

Customers report that onboarding is efficient, typically requiring only about five hours of their time. The process is streamlined, with Red Button's DDoS experts handling planning, execution, and analysis. Tests can be scheduled flexibly to minimize operational impact. Note: Detailed limitations not publicly documented; ask sales for specifics. Source.

Pain Points & Problems Solved

What core problems does Red Button help organizations solve?

Red Button addresses unvalidated DDoS defenses, hidden vulnerabilities in network and application layers, regulatory compliance challenges, operational disruption risks, overconfidence in existing solutions, and the need for continuous improvement. For example, 75% of companies tested by Red Button failed to mitigate severe DDoS attacks, highlighting the importance of realistic testing. Note: Effectiveness depends on customer engagement and remediation follow-through. Source.

Customer Proof & Success Stories

Can you share examples of organizations that have used Red Button's services?

Red Button's customers include the European Central Bank, an Israeli Bank, a Big 4 Accounting Firm, Olympic Games logistics, and a European government agency. Case studies detail how these organizations identified and remediated DDoS protection gaps. For more, see Red Button case studies. Note: Outcomes are specific to each engagement and may not be representative of all customers.

Security & Compliance

What security and compliance certifications does Red Button hold?

Red Button supports ISO 27001 and SOC 2 compliance by providing audit-ready evidence and compliance-grade reporting. This helps organizations demonstrate disaster recovery readiness and meet regulatory requirements. Note: Red Button itself provides compliance support but is not a certifying body. Source.

Competition & Differentiation

How does Red Button differ from other DDoS testing providers?

Red Button employs dedicated DDoS specialists (not generalist penetration testers), offers over 100 attack vectors, provides vendor-agnostic recommendations, and supports compliance-grade reporting for regulations like ISO 27001 and SOC 2. Red Button is one of only two companies approved by both Azure and AWS for DDoS testing. Note: Best fit for organizations needing tailored, high-fidelity simulations; those seeking basic or automated testing may consider alternatives. Source.

Case Study: GOVERNMENT

Uncovering DDoS Protection Gaps in Time for Elections

A national agency was assigned the responsibility of maintaining the functional continuity of government infrastructure and services during an upcoming election period. It was assumed that various cyber-attacks, especially DDoS, would increase in an effort to undermine the democratic process.

Indeed, as indicated by recent 2024 research, government websites have become the primary target for hacktivist DDoS attacks.

The government agency turned to Red Button to help it verify its ability to mitigate DDoS attacks on its online assets. Specifically, the agency wanted to be sure that its protection measures could mitigate the more-difficult-to-detect application layer DDoS attacks.

The Solution

Red Button’s white box testing methodology ran up against the government’s natural hesitancy to reveal sensitive details about their specific system architecture. However, after a discussion regarding the drawbacks of black box testing, the customer was persuaded to disclose the configuration of its Akamai Cloud WAF services, but not its backend capacity in the AWS cloud.

With this “grey box” information, we designed two customized DDoS simulation sessions to specifically challenge the agency’s system, which was hosted on the AWS cloud. Each of the two sessions was designed to verify the protection of different web applications, some of which were protected by Akamai Cloud WAF and others by another vendor.

Our DDoS attack simulations were focused on the application layer and included sophisticated vectors like HTTPS GET/POST/OPTIONS flood, Large File Download and others, aimed at testing backend resilience, API protection, automatic mitigation rules, and the CDN cache service.

As an authorized AWS Partner, we independently executed the attacks on the agency’s web services, without the need for prior approval from AWS.

The Results

In the first simulation, targeting the applications behind the Akamai Cloud WAF, 11 of 12 attack vectors were detected and mitigated, while one disrupted the organization’s internet-based services.

Akamai’s rate limit rules performed exceptionally well, blocking all flood attacks within seconds of surpassing the defined average threshold. Additionally, Akamai’s CDN caching was highly effective, serving static content with minimal latency even during heavy attacks. The backend infrastructure on AWS also proved robust, efficiently handling high traffic rates and maintaining a very low latency. However, a Large File Upload (LFU) attack using an 8 KB file successfully caused a denial of service.

The second simulation targeted two services that use the Akamai Cloud WAF (CDN & WAF) for DDoS protection and another two services using the second vendor’s CDN and WAF. This time, nine of the 12 attacks succeeded in causing a denial of service.

The key problem was the failure of the vendor’s automatic DDoS protection to engage at any point in response to seven different attack vectors. Additional measures intended to mitigate the impact of the attack – an ACL list, geo-protection, and SSL connection drops – all led to an unintentional, self-initiated denial of service. This unexpected outcome was a critical discovery ahead of the upcoming elections.

Recommendations

Red Button recommended that the government agency take immediate steps to fortify its security measures, as follows.

  • Add a second layer of defense against Large File Upload-type attacks. This can include reducing the number of paths accepting POST requests and setting a WAF custom rule for request file sizes aligned with the maximum legitimate payload.
  • Close the few Akamai DDoS protection gaps by adding rate limit rules at the API endpoints and removing the maximum-capacity throttling rule (which, if unchanged, can trigger an internal DDoS).
  • Consult with the second vendor to clarify best practices for enhancing DDoS protection.
  • Retest all the failed attack scenarios.
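The first two recommendations can be expressed as request-admission logic. The Python below is an added example, not code from Red Button's report and not Akamai rule syntax. The paths, size caps, rate values and client address are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Assumed policy (constructed values): only these paths accept POST, and each
# cap is set to the largest legitimate payload for that path.
POST_LIMITS = {"/api/contact": 4 * 1024, "/api/documents": 2 * 1024 * 1024}
# Assumed per-client limit on API endpoints: 5 requests per 10-second window.
RATE_LIMIT, WINDOW_SECONDS = 5, 10.0


class EdgePolicy:
    """Returns (status, reason) for a request before it reaches the backend."""

    def __init__(self):
        self._hits = defaultdict(deque)  # (client, path) -> accepted timestamps

    def check(self, client, method, path, content_length, now=None):
        now = time.monotonic() if now is None else now
        if method == "POST":
            limit = POST_LIMITS.get(path)
            if limit is None:  # fewer paths accepting POST
                return 405, "POST not accepted on this path"
            if content_length is None:  # policy choice: no unsized bodies
                return 411, "Content-Length required"
            if content_length > limit:  # size rule tied to legitimate payload
                return 413, "body exceeds cap for this path"
        if path.startswith("/api/"):  # rate limit at API endpoints
            hits = self._hits[(client, path)]
            while hits and now - hits[0] >= WINDOW_SECONDS:
                hits.popleft()  # drop timestamps that left the window
            if len(hits) >= RATE_LIMIT:
                return 429, "rate limit exceeded"
            hits.append(now)
        return 200, "allowed"


def demo():
    """Seven 8 KB uploads from one constructed client, 100 ms apart.

    8 KB is under the 2 MiB cap, so the size rule alone admits every request;
    the rate limit is the layer that stops the repetition.
    """
    policy = EdgePolicy()
    return [policy.check("203.0.113.7", "POST", "/api/documents", 8192,
                         now=i * 0.1)[0] for i in range(7)]


if __name__ == "__main__":
    print(demo())
```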