In September, we also saw an increase in the number of attacks compared to the holiday months. In today’s report we will look at the “stronger” DDoS attacks on L3/L4 and probably the strongest L7 DDoS attack so far in terms of number of requests per minute. Of course, we will also discuss the building of WEDOS Global Protection and what we are currently working on.
Botnets continued to see significant activity in September, focusing on finding vulnerabilities in websites and popular content management systems. A botnet carrying out attacks from mobile devices in Pakistan was very prominent. There were days when this botnet made hundreds of thousands of requests. However, at these numbers, blacklists are already activated for a limited time, so in reality we would get to units of millions.
Just for the record, some days one of the most frequently called files was xmlrpc.php. Which is a huge draw for attackers. They often test for the existence of xmlrpc.php, even if you don’t have WordPress on your site.
What is xmlrp.php?
The xmlrpc.php file in WordPress is used to provide the XML-RPC interface, which is a protocol that allows communication between WordPress and other systems. Although this file is important for some functions, it can also be vulnerable to attack if not properly secured.
Attackers can use xmlrpc.php to perform brute force attacks on login credentials. XML-RPC allows attackers to send many login attempts in a single request, making them more effective at guessing passwords.
xmlrpc.php can also be exploited to perform DDoS attacks that overload the server by generating a huge number of requests, which can lead to crashes or slowdowns.
If there are vulnerabilities in WordPress, attackers can exploit xmlrpc.php to remotely execute malicious code.
Attackers can also abuse the XML-RPC feature to perform unwanted actions such as publishing spam posts or comments.
Of course, there were also attempts to find vulnerabilities through SQLi attacks. The Pakistani mobile botnet has been very active in this. However, other botnets from other countries such as China did not let up either. These are mainly characterised by the use of IPv6. IPv6 is widely used in China, so you need to watch out for that as well. Many mobile operators allocate the new IPv6 after connecting to the network, so a standard fail2ban solution may not be ideal for individual IPv6.
What is SQLi?
SQLi (SQL injection), is a type of attack directed at databases. In this attack, unauthorized SQL statements are inserted into the input fields of the application in order to manipulate or gain access to the database. When an application does not validate and incorrectly process user input, it can allow an attacker to execute custom SQL code in the database. The consequences of SQLi can include data integrity breaches, data loss, acquisition of sensitive information, and in some cases, complete control of the database or host system.
As for the popular L7 DDoS attacks, we have not noticed any new trend there. The same things we have seen before and are ready for are repeated over and over again. However, it should be noted that attacks are more intense, especially if they are conducted from compromised servers.
WEDOS Global
WEDOS Global is our global infrastructure built on BGP Anycast and reverse proxies. The main idea is to download traffic from the surroundings via BGP to locations where we have our hardware with reverse proxies, and work with the traffic there. In each site we can filter it, cache it, translate the protocol (HTTP/1.1 to HTTP/3) or provide IPv6 even if you don’t have it on your webhost/server.
Basically, reverse proxies can do anything and do it in a decentralized way all over the world, literally around the corner from the visitor. We are experimenting with a number of things that will take your website to the next level without having to modify anything on your server. Just point the domain using DNS and that’s it.
But this report is not about how we will make your website faster or solve some technical shortcomings. We’ll save that for a separate article 🙂
As a global network, WEDOS Global needs to be fast. To do this, we need to be in the important locations, connect to the main exchange nodes (IXPs), and fine-tune the peering so that all data always travels the shortest path.
What is IXP peering?
Peering is an agreement between two Internet Service Providers (ISPs) that allows their network traffic to pass directly between them without having to go through a third party.
This direct data transfer can increase the speed and reliability of your internet connection, as the data does not have to travel as far or across other different networks. It can also reduce costs, as both parties can avoid fees they might otherwise pay to third parties for data transfer.
Peering usually takes place on the so-called. Internet Exchange Points (IXPs), where many ISPs can link their networks together.
New locations
In September we added a new location Ireland (Dublin). In the new location we have 45 of our own physical servers, 3 switches and an agreed connectivity of 100 Gbps with scalability. Everything is also ready for a possible connection to local networks via an Arista pre-switch if this improves the quality of service in the future or if we have a larger number of local customers in Ireland.
New connections (peering)
At the end of August we launched a new peering to LINX (London Internet Exchange) see. blog article New direct LINX connection strengthens our WEDOS Global infrastructure. During September, we analyzed the operation in detail and gradually tuned everything to the satisfaction of our customers.
Another link we have implemented is to Netnod. This is a major IXP bringing together ISPs from the Nordic countries. We have connected to Netnode in Sweden and Finland.
Thanks to these interconnections, WEDOS Global is now ranked in the top 25 in the world and top 10 in Europe according to an independent measurement of global DNS. But we believe in ourselves and we’ll have a Top 5 in Europe in a few months 🙂
Would you like to learn more about WEDOS Global?
If you are interested in WEDOS Global and would like to learn more about the advanced technologies we use, for a deeper and more detailed look into the technological architecture on which the WEDOS Global infrastructure is built, we recommend listening to our presentation from the Kubernetes Community Days Czech & Slovak 2023 conference. This expert presentation was led by two colleagues who play a key role in the development of WEDOS Global.
WEDOS Global Protection
WEDOS Global Protection is the first service launched on the WEDOS Global infrastructure. Its primary purpose is to protect your website from a wide range of cyber attacks, no matter how extensive. At the same time, the emphasis is on the user not having to set anything up. The protections adapt to site traffic and are able to react very quickly to anomalies.
In addition, unlike competing solutions, we have access to a wide range of data and options to eliminate the attack. Different sites may approach attacks differently, attackers are very limited in their use of spoofed IP addresses, protection for us is not just about blocking access, we can test using redirects or captcha, or always return a cached version of the page to suspicious traffic.
WEDOS Global Protection is built on our data and experience gathered over 13 years of operating hundreds of thousands of websites. We know what bothers website owners, what bothers hosts, what bothers infrastructure operators, and when to take action.
WordPress plugin – WEDOS Global Protection
And that’s why we set out to create our official WordPress plugin. You can already find it in the WordPress repository and in your WordPress installation. It will help you activate WEDOS Global Protection for your domain. In the future, we are preparing further extensions and advanced features.
How to install it?
- Just select Plugins -> Plugin Installation in the left menu.
- Type WEDOS in the search box in the right corner.
- You will see WEDOS Global Protection and WEDOS OnLine monitoring.
- Select Install for WEDOS Global Protection.
- Then follow the instructions to set up your account and activate the service.
If you are also interested in the WEDOS OnLine monitoring plugin, you can learn more about it at en.wordpress.org/plugins/wedos-online-monitoring
From small requirements to big revelations: the power of data aggregation
Data is the most powerful tool in the fight against cyber threats. Thanks to our advanced data aggregation methods, we are able to detect threats hidden in seemingly insignificant requests. In How we use data aggregation to find attacks, we show you how this technique helps protect your sites.
WEDOS Global Protection statistics
In September, the number of WEDOS Global Protection users increased to 1,212 (+8.5%) and the number of protected domains to 5,021 (+7.39%). These are second-order domains. If you add a domain to WEDOS Global Protection, subdomains are automatically protected.
In September, 3,517,726,124 (+33.01%) requests were recorded out of 8,774,656 (+3.3%) unique IP addresses that were directed to protected domains. On average, the proxy servers handled 117,257,537 requests per day. The increase is due to new customers (protected domains), seasonality (holidays are over), and also an increase in L7 attacks (especially Pakistani and Chinese mobile botnet activity).
The increase compared to the previous month in the Czech Republic and Slovakia is mainly due to seasonality (end of holidays). For other countries, it is the extra attacks and new customers from abroad that have their foreign traffic. For some countries, the number has increased because we have more game sites and players from all over the world (especially for mobile games).
As for the increase from the US, it is mainly due to increased bot activity (mainly SEMrush and specific Amazon IP addresses). We will have to limit the SEMrush bot appropriately, because it really bothers some sites. Amazon has been running increased crawling from 3 IP addresses since August, we will have to limit it there too (these 3 IPs). There’s more. We plan to look at the robots in October and decide what to do next.
What about the L7 attacks? There have been more attacks on more targets than usual. Some of them were quite strong (in the hundreds of thousands of requests), which will be written into the statistics. Increase Slowloris, Connection Exhaustion etc. compensates for the significant drop in August. Blocked by the WAF rule are mostly attacks on WordPress and a smaller part of the search for general vulnerabilities.
L7 DDoS – intercepted by limiting accesses (HTTP flood) | 14 295 034 | +142,86 % |
L7 DDoS – intercepted problem connections (Slowloris, Connection Exhaustion, etc.) | 3 820 323 | +566,97 % |
Blocked by WAF rule | 26 112 821 | +9,30 % |
Further blocking of L7 | 6 145 289 | +15,48 % |
What is an L7 DDoS attack?
L7 A DDoS attack is a type of cyber attack on a website or application that uses common internet requests such as GET and POST. The goal is to slow down or make a web page or an API inaccessible.
Attacks on L7 are difficult to detect and distinguish from normal traffic because they use the same protocols and methods as legitimate users. Special tools and techniques and a thorough analysis of network traffic are needed to eliminate them.
These numbers are just the first attempts at an attack. Once there are repeated attempts that gain momentum (for example, tens of thousands of problem accesses per minute), the IP address goes blacklisted. However, it is more complicated because we treat different IPs differently (for example, a mobile operator gets a JavaScript redirect or a capcha). The same goes for different forms of attacks.
What is a Web Application Firewall (WAF)?
A WAF (Web Application Firewall) is a protection on our reverse proxies that is placed between the attacker and your website. It scans each request in real time, looking for specific signs of an attack or security hole exploitation. If it encounters a suspicious request, it can redirect it to a test (redirect, captcha) or block it.
The stricter protection of WordPress sites using WAF is also visible in the statistics of the largest protected sites. Those that use WordPress have more blocked attacks. However, remember that even if you don’t use WordPress, it doesn’t mean that someone isn’t trying to attack or look for vulnerabilities as if you have WordPress, which puts a strain on the webserver.
In September, attacker activity increased on all fronts. Our L3/L4 DDoS protection has also not been bored for a long time.
L3/L4
Of course, our customers are also under classic L3/L4 DDoS attacks. However, in most cases, it’s not worth talking about. Our protections are built for attacks in the hundreds of Gbps. Anything under 10 Gbps doesn’t even send a notification to the technicians. Everything is solved by automatons. However, they did send a couple of notifications in September to make sure everything was okay.
What are L3/L4 attacks?
DDoS attacks at the L3 and L4 layer target the network and transport layers and use a variety of techniques to overwhelm target servers or devices.
Network layer (L3) – provides routing of data between different networks using logical addresses (IP).
Transport layer (L4) – provides reliable and controlled data transfer between endpoints using protocols such as TCP or UDP.
In total we recorded 14 958 (+128.13 %) DDoS attacks. Part of this is linked to our public offer of WEDOS Global Protection to banks that have faced attacks by hacktivist groups. Someone just wanted to try us out.
Traditional DDoS attacks work a little differently. It’s multiple types of attacks at once. So individual attacks can be up to 10 Gbps, but in the end, when it all comes together, you get to tens or hundreds of Gbps. If we take the strongest attack, it comes out as follows:
The attack was conducted with brute force and reached a total of just over 30 Gbps and 4.5 million packets per second at peak. Coincidentally, there were also two smaller attacks on 2 different VPS at the time. It could have been related, but it might not have been.
For today’s review, we have also prepared a table of the strongest L3/L4 individual DDoS attacks for September 2023. Attackers usually combine such attacks into one massive one.
vIP | Target | Packets in peak | Bits/s |
---|---|---|---|
IPv4 | VPS | 2,0 M | 15,4 G |
IPv4 | Web hosting | 1,9 M | 12,5 G |
IPv4 | VPS | 1,2 M | 12,2 G |
IPv4 | Dedicated server | 1,2 M | 11,8 G |
IPv4 | Infrastructure | 1,1 M | 10,5 G |
IPv4 | VPS | 1,1 M | 10,2 G |
IPv4 | VPS | 633,8 k | 10,2 G |
IPv4 | VPS | 631,1 k | 10,0 G |
IPv6 | VPS | 599,1 k | 9,2 G |
IPv4 | VPS | 599,1 k | 9,2 G |
Strongest L7 DDoS
Every month we prepare a list of the most powerful DDoS attacks via L7.
1st attack on wedos.com – peak 2.1M requests per minute
At the end of the month, we saw probably the strongest DDoS attack on our website and one of the strongest L7 DDoS attacks ever on WGP. At peak, there were over 2.1M requests per minute and the attack was conducted from 4128 unique IP addresses. Security was able to filter it without any problems. We did not find any 502, 503 or 504 errors in the log.
Then in September, the following even more interesting attacks were launched on our website:
- At peak 1.2M of 1286 UIP
- At peak 879K out of 2532 UIP
- At peak 838K from 1516 UIP
Which would be ranked in other places. However, that would be boring 🙂
2nd attack on the sports team website – 313 thousand requests in peak hours
We were a little surprised by this. One sports team was getting ready for its big game and promotion was in full swing. Someone decided to thwart them with a minor DDoS attack. At peak, it was 313,000 requests per minute. A total of 512 unique IP addresses were involved in the attack.
3. attack on a political movement’s website – 180,000 requests in peak hours
We host many websites of political parties, movements and individual politicians. Gradually, we had to put most of them behind WGP, because today such a website can be brought down quite easily by a single attacker (thousands of requests per minute are enough).
However, in this case it was a little stronger. It was two separate attacks in one day. The stronger one had 183k requests at peak and went from 133 unique IP addresses. The second had a peak of 180,000 requests per minute and came from 179 unique IP addresses.
As you can see from the charts, the first attack quickly ended in failure. The other tried to “penetrate” in various ways, but without much success.
Conclusion
The number of customers using WEDOS Global Protection is growing, especially those who are currently dealing with an attack issue. So the attacks are increasing. We are also approached by large companies and institutions. However, it is still mainly about testing and a cautious approach in general. We believe that in a few weeks or months they will use our services, and then maybe attacks on them will appear in these statistics.