Application layer DDoS mitigation in action

By Richard Yew, Principal Product Manager, Security, and Paul Rigor, Research Scientist

Ready to take a vacation? You’re not alone. But what would you do if you couldn’t access your favorite online travel booking website due to a DDoS attack? Like most people, I imagine you’d probably book your vacation on another travel website, which, for Logitravel, would be a travel nightmare.

Logitravel Group is a tourism company which helps over two million people each year arrange their vacations. Their business is divided into two groups: technology and travel specialization. Logitravel, one of the Group’s travel brands, focuses on travel packages, cruises, tours and extended trips for travelers around the world.

Bluekiri provides the technological backbone that powers all of the Logitravel Group’s travel platforms. Verizon Digital Media Services is one of the partners Bluekiri trusts to help keep Logitravel’s website protected and running at its best, so customers can shop and book their dream vacation 24 x 7.

Logitravel recently faced a massive DDoS attack. In fact, it was the largest attack in its history. Fortunately, their online customers never knew it was taking place. Here’s why.

On April 2, Logitravel was hit by multiple waves of application layer DDoS attacks. Unlike the large multi-Gbps attacks you’re used to seeing on the news, an application layer (L7) DDoS attack is designed to overwhelm a system through a massive flood of HTTP requests specifically crafted to target URLs that trigger back-end processing. In many dynamic applications, like API services for product pricing and availability, the network is usually not the bottleneck; back-end services, such as databases, are. A targeted, smaller-scale L7 DDoS can slip past typical network layer protections (including CDNs) and bring down a customer’s website.

Layer 7 DDoS attack

This particular incident hit Logitravel with multiple waves of L7 DDoS traffic with peaks reaching approximately 9 million requests/minute, or ~150,000 requests/second (Figure 1). To put this in perspective, Logitravel has daily peaks of ~3,300 requests/second across all their properties hosted on our Edgecast CDN. This attack represented a spike 50 times larger than the normal load on their origin infrastructure.


Figure 1. L7 DDoS attack profile over an 18-hour period.

Attack source

The sources of the attack primarily originated from Europe, with France, Spain and Italy (Figure 2) rounding out the top three countries where the attacks originated. Several hundred unique IP addresses were involved.


Figure 2. L7 DDoS attack source locations.

Target endpoints

Further investigation revealed that all the requests were HTTP POSTs to Logitravel’s quoting and pricing summary API endpoints, which could involve an exceptional amount of back-end database queries (Figure 3). While we don’t completely understand the motives for the attack, the load was significant. Without proper L7 DDoS protection in place, Logitravel’s website and API endpoints would have most likely suffered an outage, forcing eager travel shoppers to visit a competitor’s website.


Figure 3. HTTP method and URL targets.

Edgecast HTTP Rate Limiting mitigates Layer 7 DDoS attacks

The good news is that Logitravel had been utilizing our optional cloud-based HTTP Rate Limiting product for L7 DDoS protection, which automatically enforced policies to drop all of the attack traffic. Our Rate Limiting product blocked more than 730 million attack-related requests for Logitravel over the 18-hour attack period, and potentially prevented more than 8 hours of customer downtime, plus a postmortem that could have taken as long as the attack. Nearly 90% of the attacks were mitigated by just one of our 125 points of presence (Figure 4) on the Edgecast CDN. And while HTTP Rate Limiting was protecting Logitravel’s site from unwanted queries, legitimate traffic was being processed without interruption.


Figure 4. Distribution of attack across PoPs.
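To make concrete how a per-client HTTP rate limit separates an L7 flood against a pricing API (the attack pattern described above) from shoppers browsing at a human pace, here is an added illustration. It is not Edgecast or Verizon code: the sliding-window policy, the protected paths, the threshold, the IP addresses and the traffic stream are all constructed for this example.

```python
from collections import defaultdict, deque

# Assumed policy: only POSTs to quoting/pricing-style paths are counted,
# since those are the back-end-heavy endpoints the case study describes.
PROTECTED_PREFIXES = ("/api/quote", "/api/pricing")  # assumed paths
LIMIT = 20           # max counted requests per client per window (assumed)
WINDOW_MS = 10_000   # sliding window length in milliseconds (assumed)

class RateLimiter:
    """Sliding-window log: remembers the timestamps of each client's recent
    counted requests and drops a request once the window is full."""
    def __init__(self, limit=LIMIT, window_ms=WINDOW_MS):
        self.limit = limit
        self.window_ms = window_ms
        self.history = defaultdict(deque)   # client_ip -> timestamps (ms)

    def counted(self, method, path):
        return method == "POST" and path.startswith(PROTECTED_PREFIXES)

    def allow(self, ts_ms, client_ip, method, path):
        if not self.counted(method, path):
            return True                     # outside policy scope: pass through
        q = self.history[client_ip]
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()                     # evict timestamps that aged out
        if len(q) >= self.limit:
            return False                    # over budget: drop at the edge
        q.append(ts_ms)
        return True

def replay(requests, limiter=None):
    """Run (ts_ms, ip, method, path) records through the limiter and return
    per-IP counts of allowed and dropped requests."""
    if limiter is None:
        limiter = RateLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, ip, method, path in requests:
        key = "allowed" if limiter.allow(ts_ms, ip, method, path) else "dropped"
        stats[ip][key] += 1
    return dict(stats)

# Constructed traffic: two shoppers (one quoting every 2 s, one only searching)
# and one client posting to the pricing endpoint 100 times per second.
SAMPLE = [(i * 2000, "198.51.100.7", "POST", "/api/quote/summary") for i in range(30)]
SAMPLE += [(i * 2000 + 1000, "198.51.100.8", "GET", "/search") for i in range(30)]
SAMPLE += [(i * 10, "203.0.113.9", "POST", "/api/pricing/summary") for i in range(5000)]
SAMPLE.sort()

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With these settings the flooding client is held to 20 requests per 10-second window (100 of its 5,000 requests reach the origin) while both shoppers are never throttled; in production the threshold would be tuned from the site's observed legitimate per-client rates rather than chosen by hand.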

Compared with the capacity and scale of Verizon Digital Media Services’ Cloud Security Solution (Figure 5), a top-of-the-line security appliance with a >$200K price tag can only handle roughly half the number of requests/second that we mitigated, and our protection is available at a fraction of the cost of buying and managing racks of hardware.


Figure 5. The Edgecast CDN global network

For Logitravel, the added protection of Rate Limiting enabled customers to book their vacations without interruption, and helped Logitravel avoid a serious loss of revenue and customers, as well as long-term damage to its reputation. Logitravel was so impressed with the effectiveness of Rate Limiting that it has deployed it to additional websites under its brand.

“Despite an eighteen-hour cyber attack with peak requests greater than 150,000 per second, we were able to maintain business continuity for Logitravel, servicing more than 3,300 requests per second of legitimate traffic across 50 websites worldwide. Without Verizon and their Application Layer DDoS security feature, Logitravel would have experienced a catastrophic loss of customers, revenue and brand reputation.”

– Iñaki Fuentes, CEO, Bluekiri
Platform services provider to Logitravel, Smyrooms, Roomdi, and numerous other high-traffic websites

Incidents like these demonstrate that in addition to accelerating your website through the Edgecast CDN, which includes network layer (L3) and transport layer (L4) DDoS protection, it’s also crucially important to complement that protection with Layer 7 DDoS protection, such as our Rate Limiting product. Given the pervasiveness of Layer 3 and Layer 4 mitigation, Layer 7 attacks could be poised to rise, since they require fewer compromised machines to be effective.

To learn more about how Verizon DEFEND can maintain your website’s uptime by protecting it from massive DDoS attacks, click here.