A national agency was assigned the responsibility of maintaining the functional continuity of government infrastructure and services during an upcoming election period. It was assumed that various cyber-attacks, especially DDoS, would increase in an effort to undermine the democratic process.
Indeed, as indicated by recent 2024 research, government websites have become the primary target for hacktivist DDoS attacks.
The government agency turned to Red Button to help it verify its ability to mitigate DDoS attacks on its online assets. Specifically, the agency wanted to be sure that its protection measures could mitigate the more-difficult-to-detect application layer DDoS attacks.
Red Button’s white box testing methodology ran up against the government’s natural hesitancy to reveal sensitive details about its specific system architecture. However, after a discussion of the drawbacks of black box testing, the customer was persuaded to disclose the configuration of its Akamai Cloud WAF services, but not its backend capacity in the AWS cloud.
With this “grey box” information, we designed two customized DDoS simulation sessions to specifically challenge the agency’s system, which was hosted on the AWS cloud. Each of the two sessions was designed to verify the protection of different web applications, some of which were protected by Akamai Cloud WAF and others by another vendor.
Our DDoS attack simulations were focused on the application layer and included sophisticated vectors like HTTPS GET/POST/OPTIONS flood, Large File Download and others, aimed at testing backend resilience, API protection, automatic mitigation rules, and the CDN cache service.
As an authorized AWS Partner, we independently executed the attacks on the agency’s web services, without the need for prior approval from AWS.
In the first simulation, targeting the applications behind the Akamai Cloud WAF, 11 of 12 attack vectors were detected and mitigated, while one disrupted the organization’s internet-based services.
Akamai’s rate limit rules performed exceptionally well, blocking all flood attacks within seconds of surpassing the defined average threshold. Additionally, Akamai’s CDN caching was highly effective, serving static content with minimal latency even during heavy attacks. The backend infrastructure on AWS also proved robust, efficiently handling high traffic rates and maintaining a very low latency. However, a Large File Upload (LFU) attack using an 8 KB file successfully caused a denial of service.
The second simulation targeted two services that use the Akamai Cloud WAF (CDN & WAF) for DDoS protection and another two services using the second vendor’s CDN and WAF. This time, nine of the 12 attacks succeeded in causing a denial of service.
The key problem was that the vendor’s automatic DDoS protection failed to engage at any point in response to seven different attack vectors. Additional measures intended to mitigate the impact of the attack – an ACL, geo-protection, and SSL connection drops – all led to an unintentional, self-initiated denial of service. This unexpected outcome was a critical discovery ahead of the upcoming elections.
Red Button recommended that the government agency take immediate steps to fortify its security measures, as follows.