Nokaut.pl is a leader on the Polish e-commerce market. As one of the most recognizable price comparison engines in Poland, it has been for many years a source of information to millions of consumers about prices of products available online. Also, Nokaut.pl is an independent expert service providing the public with current analytical data on online shopping.
The number of DDoS (Distributed Denial of Service) attacks increases globally every year. They attempt to paralyze the network infrastructure and applications by consuming all server memory resources and ultimately completely disabling the webpage/service.
A properly prepared attack, nowadays typically in the form of distributed attack, combined with more and more advanced tools used by cybercriminals, may have a devastating impact on the services. Unfortunately, effective protection against such attacks becomes more and more difficult, also for the largest and most trusted organizations.
The first attack
On July 21, 2016, the monitoring systems alerted the Nokaut.pl staff that the website is unavailable to the price comparison engine customers and API partners. The servers were flooded with so much traffic that the protection systems were unable to cope with the request volume. In an instant, all servers were cut off. The team managed by Marcin Grzybowski responded immediately.
Previous protection in Nokaut.pl
The Nokaut.pl staff blocked the malicious traffic at the edge routers and restored operational access to the infrastructure, but during the operation of diagnosing the attack source, they received a message from the cybercriminals. “We received an ultimatum,” says Marcin Grzybowski.
The message was unequivocal. “We were demanded to transfer to the hackers a certain amount of money for refraining from further attacks. We did not yield, but we needed professional help, because we were unable to protect ourselves against such a strong attack on our own. Our protection systems and servers turned out to be insufficient to cope with a DDoS attack. We had a number of potential protection options, but none of them was in our opinion sufficiently effective and fast to deploy,” explains Marcin Grzybowski. “So we started to look for a company that would help us in mitigating the attack. The decisive factors for entering into cooperation with Grey Wizard included immediate protection, an experienced engineer team, phone support available 24/7, and the capabilities of the solution to effectively protect us against similar attacks in the future,” concludes Marcin Grzybowski.
Activation of the protection
Activation of the Grey Wizard service is simple and fast. In the first step, we enter the IP address to be protected. Then, to activate the protection service for that address, we set in the DNS servers the IP address of the Grey Wizard protection service and wait until the address propagation across the Internet is completed. It is essential to make sure that a potential attacker does not know the address of our server.
“The settings management page is extensive, but very intuitive. There are many options that can be easily set. But an important feature is that the service is ready with the default settings, so it does not require much attention,” explains Marcin Grzybowski. “It is worth mentioning that the Grey Wizard engineers provided us with professional assistance during the commissioning phase. During the attack, they were available virtually round the clock,” he concludes.
Grey Wizard undertakes actions
The Grey Wizard security engineer team immediately started preparation to the traffic redirection and cleansing. After initial arrangements with the Nokaut.pl technical department, the system was ready to face an attack. Shortly before redirecting the attacked domains, the cybercriminals ceased their activities. The situation seemed to return to normal, but only apparently.
As soon as next morning, the attack was repeated. The Grey Wizard specialists suspected that to be the case from their experience. It is a typical behavior of criminals. With repeated intermittent attacks, they try to disorganize the IT department and cause as much financial losses as possible. As soon as the new attack was launched, a decision was made to redirect the whole traffic to Grey Wizard.
DDoS attacks are most often launched through multiple vectors. Every few minutes the hackers change the attack form. The same was in that case. The first wave of the attack is typically volumetric, i.e. consists in clogging up the victim’s link. Also used is so-called amplification effect, which means that the attack is multiplied by exploiting vulnerabilities in unprotected DNS and NTP servers and CMS applications. Thanks to high-capacity links, that form of attack was quickly mitigated and the protection had been provided immediately.
Cybercriminals' response to the protection
After a few minutes, the criminals figured out that the UDP flood type of attack would not bring expected results and changed the attack vector to SYN flood, combined with source-address spoofing. In this attack type, the available server processor and memory resources are consumed up, leading to TCP connections being rejected.
The symptom of such attack is an interruption of the website availability. Thanks to modern, proprietary hardware and software solutions, also in that situation the Grey Wizard protection responded in an instant.
Application-oriented attack vs. artificial intelligence
After a few tens of minutes, the attack form was changed again, to an application-oriented attack in which the website was flooded with HTTP requests. That was mitigated thanks to WAF (Web Applications Firewall) filters and anomaly-detection algorithms based on artificial intelligence. Within a minute or so, the Grey Wizard team isolated the group of approximately ten thousand IP addresses constituting the botnet and applied selective blocking, thus making the website services available again to their legitimate users.
During the remaining part of the day, the Grey Wizard engineers monitored repeated attack attempts, but thanks to the fact that the botnet had been already identified and the attack methods had been precisely diagnosed, the response of the protection system was immediate. Regardless of the layer the attacks were launched at, they were immediately blocked, without any impact upon operation of the Nokaut.pl infrastructure. After several hours, the cybercriminals gave up.
Consequences of the attack
In e-commerce, any unavailability of the service affects adversely the revenues, image, and reputation. “Longer unavailability may also lead to a lower position in the searching-engine rankings. That is why it is so important to make sure that the website is always available to the users and crawlers and always responds to all requests,” says Marcin Grzybowski. “It is also worth mentioning that Nokaut.pl is not only a comparison engine, but also offers multiple websites and services supporting the online shopping industry. Thanks to the fast response of the Grey Wizard engineers, we were able to restore the key services. After a few hours, availability of the Nokaut.pl comparison engine was also restored.
Further cooperation with Grey Wizard
Since activation of the protection of our services with the security shield, everything works perfectly. We have a convenient web panel enabling us to enter minor modifications ourselves. The service functions as it should, so we can honestly recommend it. Also, we can always rely on fast assistance from Grey Wizard.