Company
InsureBNC

Company websites and applications faced regular DDoS attacks. Key challenges:
- Distinguishing genuine and malicious traffic
- Evolving attack techniques with frequently changed IP addresses
To combat the DDoS attacks and provide comprehensive protection, we conducted a thorough analysis of the application workflow and recommended implementing a WAF DDoS policy with customised thresholds.
Our solution includes:
- Average and Burst Thresholds: We suggested setting an average threshold of 15 hits per second from a single IP within 2 minutes. A burst threshold of 20 hits per second from a single IP within 5 seconds was also implemented.
- Rule Logic and Alerting: When the average threshold was breached, the system triggered an advanced monitoring mode, logging the traffic and immediately alerting the customer's security team for review and action. When the burst threshold was exceeded, the system automatically blocked the requests and the corresponding IP addresses for one hour.
- Rule Refinement: To enhance accuracy, we fine-tuned the rules to consider the GET, PUT, POST, and HEAD HTTP request methods as matching criteria.
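The two-tier logic above can be sketched as a per-IP sliding-window evaluator. This is an added example, not the WAF product's configuration or code from the case study; the class and function names are hypothetical, the sample IP is from a documentation range, and it assumes each threshold means the average rate over its window (more than 1800 hits in 120 s, more than 100 hits in 5 s).

```python
from collections import defaultdict, deque

# Thresholds from the policy described above.
AVG_RATE, AVG_WINDOW = 15, 120       # hits/s averaged over 2 minutes
BURST_RATE, BURST_WINDOW = 20, 5     # hits/s averaged over 5 seconds
BLOCK_SECONDS = 3600                 # one-hour block
METHODS = {"GET", "PUT", "POST", "HEAD"}


class DdosPolicy:
    """Per-IP sliding-window evaluator (hypothetical, not a vendor API)."""

    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> timestamps in the last 2 minutes
        self.blocked_until = {}          # ip -> time at which the block expires
        self.monitored = set()           # IPs already in monitoring mode
        self.alerts = []                 # (timestamp, ip) sent to the security team

    def handle(self, ts, ip, method):
        """Return 'block', 'monitor' or 'allow' for a request at time ts (seconds)."""
        if self.blocked_until.get(ip, 0) > ts:
            return "block"
        if method not in METHODS:        # the rule matches only the listed methods
            return "allow"
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - AVG_WINDOW:   # expire hits older than the long window
            q.popleft()
        burst = sum(1 for t in q if t > ts - BURST_WINDOW)
        if burst > BURST_RATE * BURST_WINDOW:     # more than 100 hits in 5 s
            self.blocked_until[ip] = ts + BLOCK_SECONDS
            q.clear()
            return "block"
        if len(q) > AVG_RATE * AVG_WINDOW:        # more than 1800 hits in 120 s
            if ip not in self.monitored:
                self.monitored.add(ip)
                self.alerts.append((ts, ip))      # alert once, keep logging
            return "monitor"
        return "allow"


def replay(rate, seconds, ip="203.0.113.7", method="GET"):
    """Constructed traffic: `rate` evenly spaced requests per second from one IP."""
    policy = DdosPolicy()
    verdicts = [policy.handle(i / rate, ip, method) for i in range(rate * seconds)]
    return policy, verdicts
```

With this constructed traffic, a steady 16 requests per second never reaches the burst limit but enters monitoring mode at 112.5 s, while 25 requests per second is blocked at the 4-second mark and stays blocked for the following hour.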
4X fewer application crashes
100% of DDoS attacks rejected
99.99% of malicious traffic blocked