F5 Distributed Cloud Services Stands Up to Emerging L7 DDoS Attacks

F5 Ecosystem | February 10, 2023

F5 launched Distributed Cloud Services in 2022, providing web application and API protection for enterprise organizations that need edge-based security that can be consumed as a service. In today’s interconnected world, cyber threats are on the rise and organizations must be prepared to protect their critical infrastructure from new and evolving attack types. One of the most common types of cyberattacks is a distributed denial-of-service (DDoS) attack, which can bring down even the largest websites and online services.

Recently, a prominent pro-Russian hacktivist group known as Killnet launched a sophisticated L7 DDoS attack on a large European organization. The attack aimed to overwhelm the company’s servers with massive amounts of traffic, making it difficult for users to access the website; attack traffic peaked at 120K RPS. However, thanks to the efforts of the F5 Security Operations Center (SOC) and the advanced DDoS mitigation capabilities of F5 Distributed Cloud Services, the attack is being successfully mitigated, and the website has remained operational throughout the attack. This attack is part of several DDoS campaigns originating from this group over the past few weeks.

Note: This is an active attack campaign that has been happening for over a week, and we are successfully mitigating these attacks as this blog post is being written.

This specific DDoS attack originated from multiple locations across the globe. The grey dots on the map above represent attack origins, and the red boxes represent F5 Global Network points of presence, where attack traffic aimed at the application is filtered and legitimate traffic is allowed through.

One of the key characteristics of Killnet’s attacks is their focus on the application layer (L7). These attacks are particularly challenging to detect and mitigate, as they often involve mimicking normal user behavior (making them difficult to distinguish from legitimate traffic), multiple application attack vectors, and the ability to retool—including cycling through different source locations, IPs, and other attack components.

Top source IPs from which the attack is originating. The attack traffic is seen across several distributed IP addresses around the globe.
The TLS fingerprint that is responsible for the majority of attack traffic in this attack scenario.

Attack traffic is originating from only 3 different TLS fingerprints, even though the source of the traffic is distributed across 35 different IP addresses and 19 countries. We are seeing 72% of attack traffic originating from 1 TLS fingerprint, which is shown in the above image. This fingerprint has been associated with Tofsee malware, where systems infected with Tofsee are used as part of a DDoS botnet.
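The observation above (few TLS fingerprints behind many source IPs) can be turned into a simple detection over request logs. This is an added example, not F5's implementation: the record layout, the thresholds and the `fp-*` fingerprint labels are assumptions, and the sample traffic is constructed to mirror the proportions quoted in this post.

```python
from collections import Counter, defaultdict

def fingerprint_stats(records):
    """Per-fingerprint request share and distinct source IPs/countries."""
    hits, ips, geos = Counter(), defaultdict(set), defaultdict(set)
    for ip, country, fp in records:
        hits[fp] += 1
        ips[fp].add(ip)
        geos[fp].add(country)
    total = sum(hits.values())
    return {fp: {"share": n / total, "ips": len(ips[fp]), "countries": len(geos[fp])}
            for fp, n in hits.items()}

def suspicious_fingerprints(baseline, window, min_share=0.10, growth=3.0, min_ips=5):
    """Flag fingerprints whose share of traffic jumped versus the baseline
    while spread over many IPs, where per-IP rate limits see little."""
    base, now = fingerprint_stats(baseline), fingerprint_stats(window)
    flagged = [fp for fp, s in now.items()
               if s["share"] >= min_share and s["ips"] >= min_ips
               and s["share"] > growth * base.get(fp, {"share": 0.0})["share"]]
    return sorted(flagged, key=lambda fp: -now[fp]["share"])

def make(fp, requests, n_ips, prefix, n_countries):
    """Constructed sample traffic: (source_ip, country, tls_fingerprint)."""
    return [(f"{prefix}.{i % n_ips}", f"C{i % n_countries}", fp) for i in range(requests)]

# Constructed data; fingerprint labels are placeholders, not real hashes.
# Thresholds above are illustrative assumptions, not vendor defaults.
LEGIT = make("fp-browser-1", 60, 20, "10.0.0", 4) + make("fp-browser-2", 40, 15, "10.0.1", 4)
ATTACK = (make("fp-bot-1", 108, 25, "203.0.113", 12)
          + make("fp-bot-2", 30, 7, "198.51.100", 5)
          + make("fp-bot-3", 12, 3, "192.0.2", 2))
BASELINE, WINDOW = LEGIT, LEGIT + ATTACK

if __name__ == "__main__":
    for fp in suspicious_fingerprints(BASELINE, WINDOW):
        print(fp, fingerprint_stats(WINDOW)[fp])
```

The common browser fingerprints are seen from many IPs too, but they are not flagged because their share did not grow against the baseline; the smallest attack fingerprint stays under both thresholds and would need a lower `min_share` or a second signal to catch.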

The attackers leveraged different geographies in the hope of finding a gap in geolocation protections.
Different HTTP method and URL combinations targeted during the attack.

The F5 SOC is employing a variety of strategies to defend against the attack, including traffic filtering, IP intelligence, and rate limiting. This allows the team to identify and block only malicious traffic while allowing legitimate traffic to continue reaching the website. Another key component of successful mitigation is the team’s use of real-time threat intelligence and L7 DDoS auto-mitigation capabilities, which have blocked elements of this attack in real time without the need for human involvement. This information allows the team to stay ahead of the attackers and quickly adjust their defenses as the attack evolves across geos, different IP addresses, and new attack paths.

The successful mitigation of the L7 DDoS attacks by Killnet and other groups represents a new normal—check out more DDoS attack insights in our F5 Labs 2023 DDoS Attack Trends report. This attack recap highlights the importance of having a multi-layered security infrastructure in place and a well-trained security team ready to support in real time. By using a combination of traffic filtering, rate limiting, cloud-based DDoS scrubbing, real-time threat intelligence, and a solid disaster recovery plan, organizations can protect themselves against even the most sophisticated DDoS attacks targeting their infrastructure and applications.

If you are experiencing a disruptive attack and need emergency onboarding to F5 Distributed Cloud Services, contact our emergency support line at: (866) 329-4253 or +1 (206) 272-7969
