WAF report from WEDOS Global Protection for August 2023


The second holiday month was definitely not a time of rest. We continued to build WEDOS Global, but we also had to deal with the increasing activity of some botnets whose primary aim was not DDoS attacks but the search for vulnerabilities. When their requests piled up at one point in time, they managed to make some of our customers uncomfortable.

In recent months, the number of SQLi attacks in general has been increasing. These small-scale attacks run almost continuously and the attacking botnets try to be stealthy. Most of the time, we detect them by aggregating data from more than a hundred thousand domains hosted by us. However, in August the attackers really went big and one IP address tried several million requests per day.

What is SQLi?

SQLi (SQL injection) is a type of attack directed at databases. The attacker inserts unauthorized SQL statements into the application's input fields in order to manipulate the database or gain access to it. When an application fails to validate and correctly process user input, it can allow an attacker to execute arbitrary SQL in the database. The consequences of SQLi can include data integrity breaches, data loss, acquisition of sensitive information and, in some cases, complete control of the database or the host system.

In addition, IP addresses from China were involved in the attacks in late August. After a more detailed analysis, we found that these were mostly accesses from mobile devices, probably the result of some kind of large-scale malware infection. IPv6 is widely used in China, so you need to watch out for that as well. Fortunately, we have been well prepared for IPv6 attacks for years, both in software and hardware.

At the end of August, Russian hackers started attacking Czech financial institutions. We have been monitoring the situation closely. The attackers avoided the financial institutions that have services with us. Most recently, we successfully eliminated attacks by this group during the presidential election, when one of our customers was unsuccessfully attacked during the first round. In the second round, they left that customer out.

WEDOS Global

WEDOS Global is our global infrastructure built on BGP Anycast and reverse proxies. The main idea is to pull traffic from the surrounding area via BGP into the sites where we have hardware, and to filter it there, cache responses, and so on. This allows us to withstand even very strong DDoS attacks, because their greatest strength, being spread across many source networks, becomes their weakness: each source is absorbed by the site nearest to it, so no single site ever sees the whole attack.

We currently have our own physical servers in 24 locations. Each with a minimum of 45 physical servers and 2 switches and guaranteed connectivity of at least 100 Gbps. We are working on other sites.

We use the infrastructure to run Anycast DNS and our WEDOS Global Protection service. More services will be added in the future.

Locations

We did not launch any more sites in August.

We currently have a site in progress in Ireland (Dublin), where we have servers, switches and other hardware already in place, and are now waiting for everything to be wired up.

Strengthening of the Hluboká nad Vltavou site (oil)

One of the important locations that handles most of the traffic in the Czech Republic is in our WEDOS DC2 datacenter. It consists of 90 physical servers and 4 switches that are cooled in an oil bath. This is a very economical and at the same time environmentally friendly solution.

At this point we have increased the RAM on all servers. This is in preparation for testing new functionality that WEDOS Global can provide and better and more thorough traffic analysis to find and eliminate cyber threats in real time.

New peerings (connections)

Currently, WEDOS Global’s DNS is in the top 25 in the world, but if we want to be even better, constant expansion and optimization of our links is essential. New sites alone will not take us much further, so at the existing sites we have to look for partners or IXPs with a large number of connected networks or users.

What is IXP peering?

Peering is an agreement between two Internet Service Providers (ISPs) that allows their network traffic to pass directly between them without having to go through a third party.

This direct data transfer can increase the speed and reliability of your internet connection, as the data does not have to travel as far or across other different networks. It can also reduce costs, as both parties can avoid fees they might otherwise pay to third parties for data transfer.

Peering usually takes place at so-called Internet Exchange Points (IXPs), where many ISPs can interconnect their networks.

LINX

LINX (London Internet Exchange) is one of the largest Internet Exchange Points (IXPs) in the world. It is located in London (UK), where we also have a WEDOS Global point. In August we managed to finish everything we needed. Read more in the separate article New direct LINX connection strengthens our WEDOS Global infrastructure.

Other connections

During the summer months we did not slack off and successfully arranged other connections, which we will gradually implement in the following months. Specifically, Sweden, Finland (FICIX), Norway and Denmark.

In Amsterdam (Netherlands) we are arranging a connection to AMS-IX (Amsterdam Internet Exchange), one of the largest exchange points in the world.

Others, such as VIX.at, BIX.hu, SIX.sk and many more, are in progress.

Would you like to learn more about WEDOS Global?

If you are interested in WEDOS Global and would like to learn more about the advanced technologies we use, for a deeper and more detailed look into the technological architecture on which the WEDOS Global infrastructure is built, we recommend listening to our presentation from the Kubernetes Community Days Czech & Slovak 2023 conference. This expert presentation was led by two colleagues who play a key role in the development of WEDOS Global.

WEDOS Global Protection

WEDOS Global Protection is the first service built on our WEDOS Global infrastructure. It is primarily designed to eliminate a wide range of cyber-attacks that go beyond the capabilities of an ordinary datacenter. Just start it and we’ll take care of everything. You don’t need to set anything up, just watch the graphs of the captured attacks.

But it doesn’t stop there. WEDOS Global Protection will significantly increase the responsiveness of your site worldwide with AnycastDNS. It will also help with high traffic thanks to web caching. In the future, it will also offer new technologies such as HTTP/3 without you having to set up anything on your server. And the best part of it all is that you don’t have to move anything. Simply point your domain to our DNS, and we’ll clean up your traffic and speed up the site at your existing provider.

The service is now live and you can both try it out and buy it. And how will it help you specifically? Check out the WEDOS Global Protection usage overview on our website.

WEDOS Global Protection statistics

In August, attacker activity continued to decrease. L7 HTTP floods of tens of millions of requests were not attempted again. Instead, we see very short one-off attempts by attackers testing our defences.

What is an L7 DDoS attack?

An L7 DDoS attack is a type of cyber attack on a website or application that uses ordinary HTTP requests such as GET and POST. The goal is to slow down a web page or an API or make it inaccessible.

Attacks on L7 are difficult to detect and distinguish from normal traffic because they use the same protocols and methods as legitimate users. Special tools and techniques and a thorough analysis of network traffic are needed to eliminate them.

Still, it’s just a waste of resources for the attackers. They try a synchronised attack from several hundred IP addresses to cause a problem before specific protection kicks in, limits are applied, local blocking is turned on, etc. Usually it lasts a few seconds, then they shut it down. The WAF is responsible for ensuring that the site withstands the initial onslaught.

What is a Web Application Firewall (WAF)?

A WAF (Web Application Firewall) is a protection on our reverse proxies that is placed between the attacker and your website. It scans each request in real time, looking for specific signs of an attack or security hole exploitation. If it encounters a suspicious request, it can redirect it to a test (redirect, captcha) or block it.

On the other hand, a larger attack means more protections involved, stricter rules, specific rules for problem sites, and follow-up investigations that lead to the discovery of botnets or suggestions for improving our protections. Further attacks are then less and less effective.

And now the numbers 🙂

The following statistics are from the reverse proxies at the individual points (sites), which handle requests already cleared of L3/L4 DDoS attacks. Furthermore, the requests that we ourselves send to monitor the availability and performance of individual points are excluded from the overview so as not to bias the statistics.

At the end of August, the number of domains protected by WEDOS Global Protection had grown to 4650 domains (+372). Some of these are domains that were added by support because of attacks; others are demanding sites that benefit greatly from web caching on the reverse proxy. Outside of our country, WEDOS Global Protection is used by 1117 users (+88).

In August, a total of 2,638,773,794 requests were recorded from 8,494,078 unique IP addresses pointing to protected domains. On average, the proxy servers handled 85,121,735 requests per day.

Daily chart of accesses to WEDOS Global for August, excluding L3/L4 attack traffic and our own monitoring requests.

As far as the increase in unique IP addresses is concerned, seasonality and holidays have an impact. The majority of visitors to WGP-protected websites are still from the Czech Republic and Slovakia, but more of these visitors were connecting from abroad. There is also an increase in large customers from abroad.

Number of accesses by country via WEDOS Global Protection.

Statistics of the ever-bored protectors 🙂

Protection – requests in August (change from the previous month):

L7 DDoS – intercepted by limiting accesses (HTTP flood): 5 885 991 (+72 %)
L7 DDoS – intercepted problem connections (Slowloris, Connection Exhaustion, etc.): 572 784 (-65.43 %)
Blocked by WAF rule: 25 872 220 (+142.66 %)
Further blocking on L7: 5 321 633 (-4.66 %)

These numbers are just the first attempts at an attack. Once there are repeated attempts that gain momentum (for example, tens of thousands of problem accesses per minute), the IP address is blacklisted. In reality it is more complicated, because we treat different IPs differently (for example, an address belonging to a mobile operator gets a JavaScript redirect or captcha rather than a block, since many legitimate users typically share such an address). The same applies to the different forms of attack.
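To make the per-IP treatment described above concrete, here is a small sliding-window rate limiter in Python. It is written for this article and is not WEDOS’s implementation: the thresholds (five requests per minute, two over-limit windows before blacklisting), the shared-NAT prefix 100.64.0.0/10 standing in for a mobile operator’s address pool, and the access-log lines it runs over are all constructed assumptions chosen so that the sample data trips every branch.

```python
"""Added example: per-IP sliding-window limiting with differentiated actions.

Thresholds, the shared-NAT prefix and the log lines are assumptions for the
demo, not WEDOS's real values.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import ipaddress

WINDOW_SECONDS = 60
LIMIT_PER_WINDOW = 5        # assumption: kept tiny so the sample log trips it
STRIKES_TO_BLACKLIST = 2    # assumption: over-limit windows before listing

# Assumption: ranges behind which many users share one public address
# (here the CGNAT range, standing in for a mobile operator). Over-limit
# traffic from such an address is challenged instead of blocked so that the
# real users behind the NAT keep working.
SHARED_NAT_PREFIXES = [ipaddress.ip_network("100.64.0.0/10")]


class RateLimiter:
    def __init__(self) -> None:
        self.hits = defaultdict(deque)    # ip -> request timestamps in window
        self.strikes = defaultdict(int)   # ip -> windows in which limit was hit
        self.blacklist = set()

    @staticmethod
    def is_shared_nat(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in SHARED_NAT_PREFIXES)

    def decide(self, ip: str, ts: float) -> str:
        """Return allow / block / challenge / blacklisted for one request."""
        if ip in self.blacklist:
            return "blacklisted"
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()          # drop requests older than the window
        if len(window) <= LIMIT_PER_WINDOW:
            return "allow"
        if len(window) == LIMIT_PER_WINDOW + 1:
            # First request over the limit in this window: count a strike,
            # and list the address once it has done this repeatedly.
            self.strikes[ip] += 1
            if self.strikes[ip] >= STRIKES_TO_BLACKLIST:
                self.blacklist.add(ip)
                return "blacklisted"
        return "challenge" if self.is_shared_nat(ip) else "block"


def parse_line(line: str):
    """Parse a constructed log line: '<ISO timestamp> <ip> <method> <path>'."""
    stamp, ip, _method, _path = line.split()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ip, ts.timestamp()


def constructed_log() -> list:
    """Constructed access-log lines (documentation/test addresses only)."""
    base = datetime(2023, 8, 20, 23, 55, 0, tzinfo=timezone.utc).timestamp()
    lines = []

    def burst(ip, start, count, path):
        for i in range(count):
            t = datetime.fromtimestamp(start + i, timezone.utc)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} GET {path}")

    burst("203.0.113.7", base, 7, "/")              # flood, first minute
    burst("100.64.3.9", base + 2, 6, "/index.php")  # shared NAT address
    burst("198.51.100.20", base + 5, 2, "/about")   # ordinary visitor
    burst("203.0.113.7", base + 120, 7, "/")        # same flooder, later
    return sorted(lines)


def run(lines) -> dict:
    """Feed log lines through the limiter; return per-IP decision counts."""
    limiter = RateLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ip, ts = parse_line(line)
        summary[ip][limiter.decide(ip, ts)] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    for ip, counts in run(constructed_log()).items():
        print(ip, counts)
```

Two things in the sample are worth noticing: the flooder is only blocked per request during its first burst and lands on the blacklist the second time it passes the limit, which mirrors the "repeated attempts that gain momentum" rule above, and the shared-NAT address is never hard-blocked, only challenged. A production limiter would key on more than the source address (request path, user agent, ASN) and would expire blacklist entries.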

As for the numbers themselves, a 72% increase in L7 flood attacks looks scary, but in reality a single L7 flood can have hundreds of thousands of requests blocked before other protections kick in. WEDOS Global Protection is going global and we are seeing more and more “tests” of our protections. In addition, a large proportion of new WGP users are people who are under regular attack.

We currently have no explanation for the drop in attacks like Slowloris, Connection Exhaustion, etc. We’ll see next month.

The 142.66% increase in requests blocked by the WAF is due to the deployment of WordPress administration protections. All WordPress administrations are now protected by an additional factor (captcha, JavaScript redirect). The 15M attempts are password-cracking attempts, searches for vulnerabilities in the login form, etc.
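As an added illustration of the kind of rule a WAF on the reverse proxy applies (the WAF description earlier and the WordPress administration protection described here), the Python function below classifies a request as allow, challenge or block. It is written for this article, not WEDOS’s rule set: the cookie name wgp_ok that stands for "this client already passed the captcha or JavaScript challenge", the exemption for admin-ajax.php, and the two SQL injection signatures are assumptions. The administration paths are matched by URL alone, which is why the rule fires whether or not the backend actually runs WordPress.

```python
"""Added example: a minimal WAF decision for WordPress admin endpoints and a
couple of SQLi signatures. Cookie name and signatures are assumptions."""
import re
from urllib.parse import unquote_plus

# Assumption: hypothetical cookie set by the reverse proxy after a client has
# passed the captcha / JavaScript redirect challenge.
CHALLENGE_COOKIE = "wgp_ok"

# WordPress administration and login surfaces, matched on the path only.
WP_ADMIN_PATHS = re.compile(r"^/(wp-login\.php|wp-admin(/.*)?|xmlrpc\.php)$")

# admin-ajax.php is called by many themes from the public front end, so a
# challenge there would break anonymous visitors (assumption for the demo).
ADMIN_AJAX = "/wp-admin/admin-ajax.php"

# Two coarse SQLi signatures, run on the URL-decoded query string and body.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),   # UNION SELECT
]


def waf_decide(method: str, path: str, query: str = "", body: str = "",
               cookies=None) -> str:
    """Return 'block', 'challenge' or 'allow' for one request."""
    cookies = cookies or {}
    decoded = unquote_plus(query) + " " + unquote_plus(body)
    if any(sig.search(decoded) for sig in SQLI_SIGNATURES):
        return "block"
    if path == ADMIN_AJAX:
        return "allow"
    if WP_ADMIN_PATHS.match(path):
        # Any method, including GET probes: the attacker first looks for the
        # login form before trying passwords against it.
        if cookies.get(CHALLENGE_COOKIE) == "1":
            return "allow"
        return "challenge"
    return "allow"


def demo() -> list:
    """Constructed requests and the decision each one gets."""
    cases = [
        ("GET", "/", "", "", None),
        ("POST", "/wp-login.php", "", "log=admin&pwd=123456", None),
        ("POST", "/wp-login.php", "", "log=admin&pwd=123456", {"wgp_ok": "1"}),
        ("POST", "/xmlrpc.php", "", "", None),
        ("GET", "/wp-admin", "", "", None),
        ("POST", ADMIN_AJAX, "", "action=search", None),
        ("GET", "/products", "id=1%27+OR+%271%27%3D%271", "", None),
        ("GET", "/search", "q=1+union+select+user,pass+from+x", "", None),
    ]
    return [(m, p, waf_decide(m, p, q, b, c)) for m, p, q, b, c in cases]


if __name__ == "__main__":
    for method, path, decision in demo():
        print(f"{decision:9} {method} {path}")
```

The signature part is deliberately crude: pattern rules of this kind produce false positives on legitimate content, which is one reason the description above routes suspicious requests to a challenge in many cases rather than always to a hard block, and why the real decision takes the source address and its history into account as well.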

The stricter rules on WAF can be seen in the statistics of the largest protected sites. Just because you don’t use WordPress doesn’t mean that someone isn’t trying to attack or look for vulnerabilities as if you have WordPress.

Statistics of the largest websites protected by WEDOS Global Protection for August.

Not all attacks on websites are visible in the statistics. Only those where we know for certain that it is an attack on a specific host make it to the WAF. Many times more end up on blacklists.

L3/L4

Of course, our customers are also targeted by classic L3/L4 attacks. However, in most cases they are not worth talking about. Our protections are built for attacks in the hundreds of Gbps. Anything under 10 Gbps doesn’t even send a notification to the technicians; everything is handled automatically.

What are L3/L4 attacks?

DDoS attacks at the L3 and L4 layer target the network and transport layers and use a variety of techniques to overwhelm target servers or devices.

Network layer (L3) – provides routing of data between different networks using logical addresses (IP).

Transport layer (L4) – provides reliable and controlled data transfer between endpoints using protocols such as TCP or UDP.

As you can see in the graph below, there were really negligible DDoS attacks via L3/L4 during August. For just a brief moment, one approached 8 Gbps. The target was a customer on our web hosting.

In total, we recorded 6557 DDoS attacks.

Strongest L7 DDoS

Every month we prepare a list of the most powerful DDoS attacks via L7.

1st attack on wedos.com – peak 1.1M requests per minute

We award the first prize for the strongest DDoS to ourselves :). Someone decided to test our defences late one night. They gave it 5 minutes, during which they pushed 4M requests, with a peak of 1.15M per minute from 1668 unique IP addresses. It was an ordinary L7 flood, nothing interesting or difficult to eliminate. In addition, we are testing some more advanced filtering methods on our own website.

2nd attack on wedos.com – peak 877K requests per minute

And in second place is … um … us again :). In late August, someone tried our defences just before midnight. The attack lasted about 4 minutes, during which the attacker sent 3.5M requests, 877K per minute at the peak, from a total of 3013 unique IP addresses. This attack was quite good in terms of the number of IP addresses used. There were more interesting aspects, but unfortunately we can’t share them because they are company know-how 😔

3rd attack on state infrastructure – peak 205K requests per second

If you follow our social media accounts or subscribe to our newsletter, you may have seen that even ministries (not Czech ones; those apparently prefer to be offline to please Russian propaganda) have websites with us.

One such site came under attack in August, and it has to be said that it was really interesting to watch. They switched to us from an American competitor that could not serve their traffic under the customer’s own DNS, ASN and IP addresses; they were also not completely satisfied with the L7 protection there.

The attack as such was not strong. What’s a peak of 205K requests per second from only 242 unique IPs? However, it was quite different from what we normally encounter. They attacked on a completely different scale and in a different way. We’d love to talk about it, but company know-how…

Conclusion

Anyone can use WEDOS Global Protection to load faster and protect their websites. The service can be used without the need to move hardware or change web hosting providers. Simply point the domain to the WEDOS Global DNS and add the domain to the WEDOS Global Protection administration.