Securing Olympic Games Logistics from DDoS Attacks

A leading global logistics company responsible for managing transportation and logistics for one of the recent Olympic Games sought to ensure its online systems were resilient against potential DDoS attacks.

The enterprise depends on Route 53, AWS’s DNS service, and on Akamai’s content delivery network (CDN) and App & API Protector (APP) for its first line of defense. The Akamai web application firewall (WAF) protects against layer seven attacks and is integrated with DataDome to prevent bot attacks. Requests that are neither blocked by the WAF nor already served from Akamai’s cache are routed to Cloudflare’s Magic Transit, which filters network-layer traffic bound for the on-premises environment. Finally, that traffic is inspected by local firewalls before reaching the servers that provide the requested content.

The Solution

To comprehensively validate the company’s protective measures, we designed 12 different DDoS attack scenarios – six targeting the network layer and six targeting the application layer.

The first set of simulated attacks tested the network layer (L3/4) protection of Cloudflare’s Magic Transit service, while the second set challenged Akamai’s WAF DoS policy and rate limiting rules intended to protect against application layer (L7) attacks. Both average and burst rate limit thresholds were tested in the HTTPS flood-based attack vector simulations, with rates adjusted to the specific asset and incrementally increased until they exceeded the predefined thresholds. The test also examined the WAF’s body size limitation rule, which drops all requests whose body exceeds a configured size.

The Results

Five of the six network layer DDoS attacks were detected and mitigated, but one – a TCP Middlebox Reflection Flood attack – caused sustained service downtime.

Of the application layer attacks, only two scenarios were detected and mitigated. One scenario, a Large File Upload (LFU) attack, was detected, but no mitigation measures were in place to block the attack. The remaining three scenarios – two GET Floods and a POST Flood – were neither detected nor mitigated, disrupting service availability.

Recommendations

To address the identified protection gaps, we provided the company with the following recommendations:

  • Contact Akamai: As Akamai’s WAF module App & API Protector (APP) rate limit policies failed to block DDoS traffic in several attack scenarios, we advised contacting the vendor to remedy the performance shortcomings.
  • Adjust the environment: In a few scenarios, the company’s services became unavailable before the test traffic even reached the predefined rate limit thresholds. This indicates either that the current thresholds are too high or that the server resources are not sized to handle the expected traffic. The company therefore needed to either add servers or lower the rate limit thresholds so that the existing servers could handle the load and remain operational under high demand.
  • Contact Cloudflare: The DDoS traffic leakage seen during the TCP Middlebox Reflection attack scenario indicated a failure of the Magic Transit network security service that needs to be investigated with Cloudflare. In particular, Red Button recommended focusing on the role of the request size.
  • Enable the body size limit rule: As the Partial Request Body Inspection rule was effective for identifying excessive payloads, it should always be activated to prevent HTTPS BOMB/Large File Upload attacks. The threshold should be high enough to prevent false positives without compromising mitigation.
  • Re-test L7 DDoS protection: Once all the gaps are addressed, it is important to retest network defenses against the previously executed DDoS scenarios. In this case, the focus should be on the identified application layer vulnerabilities.
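The average and burst rate limit thresholds tested above, together with the body size limit rule recommended here, can be reasoned about with a small simulation. The following is an added example written for this page; it is not Red Button’s test tooling, nor Akamai’s rate limiting implementation, and its policy values (20 requests per second burst, 100 requests per minute average, 5 MB body limit) and the client addresses are constructed for illustration. It replays a constructed request log through three policies and reports, per client, which rule fired: a tuned policy that drops a flood and an oversized upload while letting a normal user through, a policy with the body size rule disabled (the Large File Upload gap described in the results), and a policy whose body threshold is set so low that a legitimate 2 MB upload becomes a false positive.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Hypothetical WAF DoS policy; values are illustrative, not a vendor default."""
    burst_limit: int        # requests per client allowed inside burst_window
    burst_window: float     # seconds
    avg_limit: int          # requests per client allowed inside avg_window
    avg_window: float       # seconds
    max_body_bytes: int     # body size limit rule; 0 disables the rule


# Tuned policy: catches floods and oversized bodies without hitting normal users.
TUNED_POLICY = Policy(20, 1.0, 100, 60.0, 5 * 1024 * 1024)
# Same rate limits, but the body size limit rule is switched off.
NO_BODY_RULE_POLICY = Policy(20, 1.0, 100, 60.0, 0)
# Body threshold set too low: legitimate uploads become false positives.
OVERLY_STRICT_POLICY = Policy(20, 1.0, 100, 60.0, 1 * 1024 * 1024)


def build_sample_log():
    """Constructed sample traffic (not captured data), sorted by timestamp.

    Clients:
      10.0.0.5       legitimate user: 1 GET/s for 10 s, then a 2 MB POST upload
      203.0.113.9    HTTPS burst flood: 50 GETs inside one second
      172.16.0.20    slow flood: 2 GETs/s for 60 s, under the burst limit but
                     over the average limit
      198.51.100.7   Large File Upload: a single 50 MB POST
    Each entry is (timestamp_seconds, client_ip, method, body_bytes).
    """
    log = [(float(i), "10.0.0.5", "GET", 0) for i in range(10)]
    log.append((10.0, "10.0.0.5", "POST", 2 * 1024 * 1024))
    log += [(5.0 + i * 0.02, "203.0.113.9", "GET", 0) for i in range(50)]
    log += [(i * 0.5, "172.16.0.20", "GET", 0) for i in range(120)]
    log.append((3.0, "198.51.100.7", "POST", 50 * 1024 * 1024))
    log.sort(key=lambda r: r[0])
    return log


def evaluate(requests, policy):
    """Apply the policy to a time-ordered request log.

    Returns a list of (timestamp, client_ip, verdict). The body size rule is
    checked first and a request it drops is not counted toward the rate
    windows; every other request counts, whether or not it is then rate
    limited, so a flood stays blocked for as long as it keeps arriving.
    """
    history = defaultdict(deque)   # client_ip -> timestamps inside avg_window
    verdicts = []
    for ts, ip, _method, body in requests:
        if policy.max_body_bytes and body > policy.max_body_bytes:
            verdicts.append((ts, ip, "body_size_limit"))
            continue
        q = history[ip]
        q.append(ts)
        while q and ts - q[0] > policy.avg_window:   # slide the average window
            q.popleft()
        in_burst = sum(1 for t in q if ts - t <= policy.burst_window)
        if in_burst > policy.burst_limit:
            verdict = "burst_rate_limit"
        elif len(q) > policy.avg_limit:
            verdict = "average_rate_limit"
        else:
            verdict = "allow"
        verdicts.append((ts, ip, verdict))
    return verdicts


def summarize(verdicts):
    """Count verdicts per client: {client_ip: {verdict: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for _ts, ip, verdict in verdicts:
        summary[ip][verdict] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    log = build_sample_log()
    for name, policy in [("tuned", TUNED_POLICY),
                         ("body rule disabled", NO_BODY_RULE_POLICY),
                         ("overly strict", OVERLY_STRICT_POLICY)]:
        print(f"--- {name} ---")
        for ip, counts in sorted(summarize(evaluate(log, policy)).items()):
            print(f"{ip:14} {counts}")
```

Under the tuned policy the burst flood is cut off after 20 requests in its first second, the slow flood is allowed 100 requests and then hits the average limit, the 50 MB upload is dropped by the body size rule, and the legitimate client is never touched. Disabling the body rule lets the 50 MB upload reach the origin, which is the detected-but-unmitigated Large File Upload outcome from the results; setting the body threshold at 1 MB blocks the user’s 2 MB upload, which is the false positive the recommendation warns against. The counting choices (whether rate-limited requests still count, whether body-dropped requests do) are design decisions of this example and differ between vendors, which is exactly why the thresholds have to be validated against real traffic rather than set on paper.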
