Embedded DDoS Specialist: Shortcut to a Bulletproof DDoS Resilience
When we started offering DDoS Stresstests 10 years ago, we placed great emphasis on our technology and platform to provide customers looking to improve their defense systems with the best solution for DDoS testing under realistic conditions.
Around 2020, as we began to attract more and larger clients – such as banks and international corporations – it became clear to us that the root cause of outages was not always technical, but rather process-related. At that point, we began expanding our service offerings to include architectural support, threat intelligence, guided testing, and training. Et voila! “Embedded DDoS Specialist” was born: an experienced tester who works closely with the client’s teams to improve resilience against DDoS attacks more quickly.
Our experienced testers deliver demonstrable, highly effective value in the following areas:
- Attack surface assessments: know your potential vulnerabilities in order to address them
- Guided testing with our Avydos-Platform to improve DDoS defense faster
- Support in developing and testing incident-response playbooks, based on an extensive knowledge base of “what could possibly go wrong”
- Support in choosing the right defense solutions, aka POC testing
- Training on all things DDoS, as well as Ask-Me-Anything sessions on DDoS-related topics
- Threat intel: define your own threat level based on the DRS to create custom and novel attack playbooks
Why choose a specialist over do-it-yourself?
TL;DR: It’s all about Speed
Teams dealing with complex infrastructures and/or targeted attacks benefit from having a specialist who can help them understand and overcome complex DDoS challenges.
Our specialists – experienced penetration testers and system architects – know all the tricks of the trade for ensuring bulletproof DDoS resilience.
This service can also be helpful when getting started with our Avydos-Platform, where a specialist will guide you through tests and create individual playbooks to help you get the most out of the platform right from the start.
Case Study with a Managed Service Provider
Intro
The following case study is based on an Embedded DDoS Specialist assignment, during which we worked with a team from a managed service provider with 400 employees to support a client that provided critical 24/7 services for KRITIS customers. The goal was to improve the company’s DDoS resilience from zero to “We are ready to withstand a DDoS red team attack”.
T+0 Months
The customer contacted us after experiencing issues and impacts from ongoing DDoS attacks. We began by conducting a technical assessment using a “playbook test” to investigate its defense capabilities against volumetric attacks on the network and Layer 7 attacks against its primary load balancers.
The volumetric protection provided by a managed service provider appeared to be robust; no major vulnerabilities were identified.
The Layer 7 tests painted a different picture. 50% of the test cases failed, and it became clear that all parts of the stack were affected: firewalls, load balancers, frontend/backend services, logging systems, and storage. Not all at once and not always, but across various attack scenarios.
Although this result was unexpected, it served as the starting point from which we could continue our work.
Upon further analysis of the WAF technology in use, it quickly became clear that it would not withstand the current massive IoT botnet attacks; a new technology stack had to be procured to serve as the main protection layer.
Organizational Improvements and Architecture Review
T+2 Months
Meanwhile, we reviewed the organizational frameworks and incident response playbooks. There, too, we were able to improve resilience through team training sessions and workshops, sharpening the workflows and eliminating blind spots.
This was followed by a comprehensive architecture review, during which we discovered additional hidden vulnerabilities, including:
- A single point of failure in the main firewall, which could be taken offline with simple IP spoofing attacks
- An internally used two-factor authentication (2FA) appliance that was accessible from the outside without any protection
- Insufficient visibility / monitoring capabilities and incorrect thresholds, particularly regarding outbound traffic
Visibility and monitoring capabilities, in combination with useful alerting thresholds, were significantly improved; this is a fundamental building block for making the right decisions in the event of future attacks.
POC-Testing
T+4 Months
Since the initial testing revealed weaknesses in the current WAF, the customer decided to procure a new solution.
To select the right technology, we conducted several proof-of-concept (POC) tests with various vendors. The tests consisted of standard attack methods using various IoT bots as well as browser bots, simulating the full range of attacks that are seen in the wild.
A proof-of-concept (POC) testing process allows you to evaluate the strengths and weaknesses of a solution before actually purchasing it. This enables the customer to ensure that they are using the right technology for their specific threat level.
Implementing the final system
T+8 Months
After we had completely dismantled and reassembled the entire stack and fixed the vulnerabilities in the infrastructure, we helped the customer adapt and fine-tune the new WAF solution to meet their specific requirements with our Avydos-Platform.
After 10 rounds of testing and fine-tuning, we established a solid baseline for fully automatically defending against all DRS Level 1–5 attacks and assisted the client with templating the settings.
To test the incident response workflows and make them battle-proof, we concluded the process by conducting a tabletop exercise with the entire team, during which both the automated defenses and the manual processes were put through their paces, and any remaining weak spots were eliminated.
Final Boss
T+12 Months
Finally, during a 30-day DDoS red teaming exercise, we managed to make an impact only a handful of times, but it never lasted longer than 5 minutes, and only with attack methods that exceeded the agreed threat level.
After nearly 12 months and with the right mindset (Challenge accepted!), the client’s team managed to stay ahead of the wave, automatically fend off all expected attacks, and, when an attack did get through, minimize the impact with the right workflows and decisions.
Summary
As with many complex issues, DDoS protection – especially at the Layer 7 level – can’t be implemented overnight. And when you consider that in large organizations with complex, interdependent infrastructure, every change is subject to a defined change process, then 12 months is a tight timeline—after all, we weren’t working on the DDoS issue the entire time, but rather planned the changes and implemented them in several iterations.
However, we were able to help the client take some shortcuts thanks to our expertise. Instead of constantly playing catch-up with attackers through trial and error, we took a comprehensive approach to help implement a solid and bulletproof DDoS strategy by addressing all relevant subcomponents.
Key Benefits
- Accelerated development of a robust DDoS defense
- Minimization of external attack vectors
- Implementation of protection methods that withstand all current attacks, tested and verified
- Optimization of incident response (IR) processes
Cover Image: zeroBS
Chart: zeroBS
Broken Chain by Jackson Simmer / unsplash
Architecture by Maarten Deckers / unsplash
Proof by Martin Winkler / unsplash
Steelworker by Jeet Dhanoa / unsplash
Final Boss by TyliJura / pixabay