Hello and welcome to the Tuesday, August 2, 2020 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Today I wrote a quick summary of a small distributed denial of service attack, a DDoS attack that caused some performance

issues in a short amount of downtime on Friday morning. The attack was not very intense,

even though about 100,000 IP addresses participated in it, but each IP address individually did not really send a ton of requests.

I think we sort of ended up with about a dozen requests a second, so nothing really all that

extraordinary.

This is actually kind of a typical sort of small denial of service attack, as many small

sites tend to experience them from time to time.

So given that, I took the opportunity to walk through the process we used to bring our site

back online, even with the attack still ongoing. What made the attack a bit more tricky was that it involved valid HTTP requests.

So this wasn't just the flooding random packets, and it hit a page on our site that takes

significant database resources to create.

So someone went through the effort to actually catalog a page on our site,

figure out which page takes a lot of resources,

and then what was actually exhausted was database resources,

not bandwidth as in some of the simpler denial of service attacks.

But, well, of course, once we knew this and once we identified these requests, then all

we really had to do is block them with our web publication firewall, and that sort of took

care of it.

Now, when on an attack like this, the tricky part is often identifying the common artifact that

distinguishes attack traffic from normal traffic.

In this case, the artifacts were that all source IP addresses were located in China,

...