WAF report from WEDOS Global Protection for March 2023


In March, testing of the Web Application Firewall (WAF) rules continued. We had already reached the stage where WAF was automatically deployed for all newly added sites on WEDOS Global Protection, and we were slowly getting ready to deploy it for everyone.

WEDOS Global – more new items in March

WEDOS Global Protection is the first service we are rolling out on our WEDOS Global infrastructure. It is a network built on BGP Anycast and reverse proxy technologies. We build the service only on our own hardware (currently more than a thousand physical servers), which we have in datacenters that guarantee future scaling and a minimum connectivity of 100 Gbps at each point.

New point in Sofia (Bulgaria)

On 6 March 2023 at 14:31 we launched another point in Europe. This point is located in the Bulgarian capital Sofia and will mainly handle traffic from South-East Europe.

On Monday 6 March 2023 at 14:31 we launched another WEDOS Global point in Europe, this time in Sofia, Bulgaria. We have 2x Moonshot there, i.e. 90 physical servers and 100 Gbps connectivity.

The new point has two Moonshot chassis, which means 90 physical servers with 100 Gbps connectivity. This capacity should temporarily help us handle the fairly strong attacks from North Africa and Southwest Asia that we have faced in the past. In the future these will be handled by a point in Turkey and another in the Middle East.

We are still unable to get the servers in Turkey up and running. The situation here is complicated.

New point in Toronto (Canada)

On Monday 13 March 2023 at 20:52 we launched the WEDOS Global point in Toronto, Canada. Here we have 2 Moonshots, i.e. 90 physical servers and 4 switches. Currently not much traffic goes through this point; most of it comes from Canada and some from the north of the USA.

On Monday 13 March 2023 at 20:52 we launched the WEDOS Global point in Toronto, Canada.

It will mainly help us with attacks and with speeding up customer sites by automatically caching static content and redirects. You’d be surprised how many WordPress sites have poorly done redirects where the entire WordPress core has to be loaded just to issue the redirect.

New points in the USA – Silicon Valley and Atlanta

As part of the first phase of building WEDOS Global, a total of 5 points were planned for the US, and we are done! The two remaining points have been launched, in Atlanta and Silicon Valley. The Atlanta point was launched on 27 February 2023. The most interesting thing was that it immediately took over most of the requests from Automattic for their Jetpack plugin for WordPress. This point handles mainly traffic from the USA, Brazil, the British Virgin Islands, Antigua and Barbuda, and Argentina.

At 9:02 on 27 February 2023 we launched the fourth point in the US – Atlanta.

The second point, in Silicon Valley, was launched in mid-March, and WEDOS Global now has 90 physical servers in the area. Although this point so far handles less than 1.5% of WEDOS Global’s total traffic, it is mostly requests from Amazon servers, where a number of third-party APIs have their endpoints.

Then in mid-March (16 February 2023) we launched the last planned point in the USA, this time in the strategic location of Silicon Valley.

We are working on other sites and tuning the peering

WEDOS Global servers are currently in 23 locations in 18 countries on 5 continents. We are actively working on 3 more sites that could be active soon. But it’s not as simple as finding housing for one server. For us, the minimum is 45 physical servers and 100 Gbps connectivity, and that is not something you get everywhere 🙂

We also started to tune the peering. The CloudFest conference in Germany helped us a lot, as we gained valuable contacts there. A number of things have moved faster than we ever planned.

WEDOS Global response worldwide as of 11.04.2023.

Currently, as far as the world’s largest DNS operators are concerned, thanks to WEDOS Global we are among the top 10 in Europe. But it’s going to get a lot better. A couple of sites that we still have to sort out are dragging our average down a lot. Getting into the top 5 is realistic in the first phase.

Globally we are in the top 27. However, a number of sites are still in the planning stages and we have not yet started peering at most of the existing sites. The long-term goal is to get into the top 10 🙂

Traffic via WEDOS Global for March

There are already more than 2 thousand domains on WEDOS Global that are protected from various types of attacks.

In March, a total of 1.9 billion requests were recorded from 8.7 million unique IP addresses directed to protected domains. These figures exclude the L3 and L4 DDoS attacks and all traffic from sources on our blacklists.

DDoS attacks at the L3 and L4 layer target the network and transport layers and use a variety of techniques to overwhelm target servers or devices.

Network layer (L3) – provides routing of data between different networks using logical addresses (IP).

Transport layer (L4) – provides reliable and controlled data transfer between endpoints using protocols such as TCP or UDP.

In addition, 10.8 million requests were blocked by the WAF (web application firewall), which protects websites from application-level (L7) attacks. WAF was gradually deployed to all newly added domains during March. Further L7 attacks were then stopped by smart filters that analyse the current traffic.

L7 attacks are cyber attacks that attempt to make websites, APIs, etc. inaccessible or slow to access. HTTP, for example, runs on the Application Layer (L7).

Attacks on L7 are difficult to detect and distinguish from normal traffic because they use the same protocols and methods as legitimate users. Special tools and techniques and a thorough analysis of network traffic are needed to eliminate them.

The WEDOS Global infrastructure handled the most requests from the Czech Republic (1 259 million), the USA (190 million) and Slovakia (93 million).

WEDOS Global traffic by country – March 2023

The visualisation of which points visitors from each country connect to then looks like this. There is still a lot to improve here, but we are gradually starting to work on it.

A visualisation of the points where visitors from each country connected in March 2023.

The most active Czech providers are O2 (234 million), T-Mobile (145 million) and Vodafone (89 million).

Google (67 million) now has three times the traffic of Seznam (22 million), but it should be added that Google’s IP addresses carry not only their bots but also their customers’ servers and services.

Traffic via WEDOS Global by provider – March 2023

The largest protected site on WEDOS Global Protection received 92 million requests, the second 44 million and the third 38 million. WAF blocked the most requests for one customer, 3.37 million; the second had 1.49 million, and the third is our Czech website with 1.46 million. Note that our website had WAF enabled for the whole month of March. No other L7 protections are included in these statistics.

It should be noted that most of the sites in the table run on our shared NoLimit/Extra web hosting and have content cached and selected requests handled directly on the individual WEDOS Global points. Thanks to this, they are able to absorb such traffic without major complications. With few exceptions everything is automated, so wherever you host, WEDOS Global can already help you significantly. You do not need to have any other services with us to use it; simply point the domain to the WEDOS Global DNS. Try it, it can always be reverted (just switch the DNS back).

The strongest attacks

March was quite quiet as far as attacks are concerned. We do not deal with L3/L4 DDoS attacks of up to 10 Gbps by hand; these are handled by automation and are only logged. Moreover, thanks to WEDOS Global they are spread out over the individual sites, so more than 10 Gbps at a single point is rare. If it does appear it is short-lived, and the automation often resolves it before the technician responds to the SMS. I guess the attackers are tired of us and are looking for other targets.

However, L7 attacks are becoming more and more popular, and sometimes we are surprised by how much traffic attackers are able not only to generate but also to synchronize.

1st place attack on eshop – over 1.3M requests per minute

The strongest attack occurred in early March. At its peak it reached over 1.3 million requests per minute. When the attackers realized the target eshop would not crash, they ended the attack. We were surprised at how neatly they were able to synchronize it: across 2289 IP addresses, it literally started within 1-2 seconds.

Strongest L7 DDoS attack for March 2023.

The target site was slower when the attack started, a few thousand requests went through to the webserver, but NoLimit can handle a lot.
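The report notes that L7 floods have to be picked out of ordinary traffic by analysis, and that this attack stood out for how tightly its 2289 sources started together. The script below is an added example (not WEDOS code) of that analysis over web-server access-log lines: it computes requests per minute, finds the peak minute, and measures the onset window, i.e. how many seconds it took for 90% of the IPs that first appeared in the peak minute to send their first request. The log lines are constructed sample data, and the thresholds in `is_synchronized_flood` are assumed values, not WEDOS’s.

```python
"""Added example: spot a synchronized L7 flood in access logs (constructed data)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Common/combined log format prefix: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, TS_FMT),
            "request": request, "status": int(status)}


def build_sample_log():
    """Constructed sample, not real WEDOS data: 5 normal visitors browsing for
    four minutes, then 300 IPs that all start within two seconds at 10:02:00."""
    base = datetime.strptime("05/Mar/2023:10:00:00 +0000", TS_FMT)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for i in range(5):  # normal visitors: one request every ~20 s
        for k in range(12):
            lines.append(fmt(f"192.0.2.{i + 1}", base + timedelta(seconds=20 * k + i), "/"))
    start = base + timedelta(minutes=2)
    for n in range(300):  # flood: each IP fires 30 requests, one per second
        ip = f"100.64.{n // 256}.{n % 256}"
        first = start + timedelta(milliseconds=(n * 7) % 2000)
        for k in range(30):
            lines.append(fmt(ip, first + timedelta(seconds=k), "/cart"))
    return lines


def analyze(lines, onset_fraction=0.9):
    """Summarize request rate and how tightly new sources cluster in the peak minute."""
    events = [e for e in map(parse_line, lines) if e]
    minute = lambda t: t.replace(second=0, microsecond=0)
    per_minute = Counter(minute(e["time"]) for e in events)
    peak_minute, peak_rpm = max(per_minute.items(), key=lambda kv: kv[1])

    first_seen = {}  # ip -> time of its first request
    for e in sorted(events, key=lambda e: e["time"]):
        first_seen.setdefault(e["ip"], e["time"])

    # Onset window: seconds between the earliest newcomer in the peak minute
    # and the moment `onset_fraction` of the newcomers had started.
    new_ips = sorted(t for t in first_seen.values() if minute(t) == peak_minute)
    onset_seconds = None
    if new_ips:
        idx = max(0, int(len(new_ips) * onset_fraction) - 1)
        onset_seconds = (new_ips[idx] - new_ips[0]).total_seconds()

    return {"peak_minute": peak_minute.isoformat(), "peak_rpm": peak_rpm,
            "new_ips_in_peak_minute": len(new_ips), "onset_seconds": onset_seconds,
            "unique_ips": len(first_seen)}


def is_synchronized_flood(summary, min_new_ips=100, max_onset_seconds=2.0):
    """Assumed thresholds: many new sources whose first requests land within ~2 s."""
    return (summary["new_ips_in_peak_minute"] >= min_new_ips
            and summary["onset_seconds"] is not None
            and summary["onset_seconds"] <= max_onset_seconds)


if __name__ == "__main__":
    s = analyze(build_sample_log())
    print(s, "synchronized flood:", is_synchronized_flood(s))
```

Access logs carry whole-second timestamps, so the onset window is measured at second granularity; on a real feed you would run `analyze` over a sliding window and feed the per-minute counts and onset measure into whatever rate-limiting or challenge logic sits in front of the origin.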

2nd place eshop attack – over 1.2M requests per minute

The same attacker is apparently responsible for another attack in early March. The profile was very similar, including the strength, which was almost 1.3M requests per minute. However, “only” 779 unique IP addresses were involved. As you can see in the graph, the attacker really wanted to take his target down and towards the end pushed the request rate as far as he could.

Second strongest L7 DDoS attack for March 2023.

3rd place attack on our website wedos.cz – over 756 thousand requests per minute

The third strongest attack in March peaked at over 756,000 requests per minute and came from 2299 unique IP addresses. Unlike the previous ones, which lasted a few minutes, this one lasted about 24 minutes.

Third strongest L7 DDoS attack for March 2023.

The most interesting attack – 277 thousand requests per minute from TOR alone

In March there was certainly a lot to choose from, but the most interesting attack came purely through the TOR network, which gives the attacker anonymity for free. The attack was directed at an e-shop. It was carried out from only 10 unique IP addresses, all belonging to TOR exit nodes. At its peak it generated 277,000 requests per minute.

DDoS attack from TOR network on eshop in March 2023.

TOR is used for attacks quite often. In fact, the vast majority of traffic is malicious (vulnerability scanning, comment spam, brute force attacks). That is why many hosting companies block it.

We were wondering what to do with TOR on WEDOS Global. In the end, we decided that all traffic from TOR will be gated by a captcha. If someone wants to use it to browse the web anonymously, they can, but if they want to visit a site protected by WEDOS Global Protection, they have to fill in a simple captcha.
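The gating policy just described, as an added example that is not WEDOS code: a request from a TOR exit address is served only if it carries a valid “captcha solved” token, everything else passes as usual. The exit-node set, the cookie name and the HMAC-signed token format are assumptions made for the example; a real deployment would load the published TOR exit list and refresh it regularly.

```python
"""Added example: challenge TOR exit traffic until a captcha token is presented."""
import hashlib
import hmac
import ipaddress
import time

SECRET = b"constructed-placeholder-key"  # assumption: server-side key, rotated in practice
COOKIE_NAME = "captcha_ok"                # assumption: cookie carrying the token
TOKEN_TTL = 3600                          # assumption: token lifetime in seconds

# Constructed sample of TOR exit addresses; not a real list.
TOR_EXITS = {ipaddress.ip_address(a)
             for a in ("198.51.100.7", "198.51.100.23", "2001:db8::1")}


def issue_token(client_ip, now=None):
    """Mint a token after a successful captcha: '<issued_at>.<hmac>' bound to the IP."""
    issued = int(now if now is not None else time.time())
    sig = hmac.new(SECRET, f"{client_ip}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{sig}"


def token_valid(token, client_ip, now=None):
    """True if the token was minted for this IP, is unexpired and its HMAC verifies."""
    now = int(now if now is not None else time.time())
    try:
        issued_str, sig = token.split(".", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):  # malformed or missing token
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def decide(client_ip, cookies, now=None):
    """Return 'pass' to serve the request or 'challenge' to show the captcha."""
    if ipaddress.ip_address(client_ip) not in TOR_EXITS:
        return "pass"  # non-TOR traffic is unaffected by this policy
    if token_valid(cookies.get(COOKIE_NAME, ""), client_ip, now):
        return "pass"  # captcha already solved from this exit
    return "challenge"


if __name__ == "__main__":
    tok = issue_token("198.51.100.7")
    print(decide("192.0.2.10", {}))                      # pass
    print(decide("198.51.100.7", {}))                    # challenge
    print(decide("198.51.100.7", {COOKIE_NAME: tok}))    # pass
```

Binding the token to the client IP keeps a solved captcha from being shared across exits, but TOR clients change circuits (and therefore exit addresses) periodically, so a visitor will be challenged again after each rotation; binding the token to a session identifier instead trades that friction for a slightly weaker link between the solve and the source.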

TOR (The Onion Router) is a software project that enables anonymous communication on the Internet. It protects users’ privacy by forwarding network traffic through several relays that hide the user’s original source IP address. This network of relays is layered like an onion: each relay knows only the previous and next relay in the chain, and knows neither the identity of the user nor the final destination of the communication.

TOR can be used to access content on the Internet that is censored or blocked, but also to protect sensitive data such as bank details, or to communicate anonymously, for example for political activity or whistleblowing.

Conclusion

WEDOS Global is one of our largest and most challenging projects. We are gradually building and moving the network forward. We are getting more data and we are improving our data analysis and evaluation, so the next reports can be even more detailed and interesting.