Incapsula is a well-known online service that improves the security, speed and overall protection of client websites. The service recently came under a heavy barrage of DDoS attacks. Unlike common DDoS attacks, this one made use of headless browsers. Below is how Incapsula dealt with this seemingly disastrous problem.
Headless-browser botnets are botnets that essentially mimic human behaviour. Common botnets are simply bots that try to reach a given server and overwhelm it, and they can be blocked because their behaviour is visibly automated.
Headless-browser botnets, on the other hand, are far more sophisticated, because they can trick security controls into treating them as human. One way to counter such botnets is to require a CAPTCHA, but on a heavily used website that can be a huge turn-off for regular users as well.
In Incapsula's case, an unidentified botnet used PhantomJS headless browsers to launch an attack at the servers. Over the course of the attack, 180,000 IPs from all around the globe were used. The attackers rotated IPs rapidly so that any effort to blacklist given IPs would not work.
The attack lasted a whopping 150 hours, and the attackers kept using different browsers for their browser botnets. Interestingly, these bots mimicked human behaviour fairly successfully: many of them would first visit other landing pages and then redirect to the website, eventually targeting the servers.
Thankfully for Incapsula, the company keeps a huge database of signature variants for every visitor to the site, compiling only security-related data in order to thwart possible attacks. This database includes a signature for the PhantomJS WebKit engine, the tool used by the browser botnets targeting the site.
So as soon as this was identified, the security team at Incapsula blocked all PhantomJS instances. In case a real user was using the tool, PhantomJS instances were served a CAPTCHA. This way, all bots were effectively blocked, whereas real users could resume access to the site normally.
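The signature-then-challenge policy described above, as an added illustration that is not Incapsula's code: a small server-side classifier that flags PhantomJS by its own fingerprint rather than by IP, since the article notes IPs rotated too fast to blacklist. It assumes the server sees the request's User-Agent header and the result of a small client-side probe script (an assumption, not something the article describes) that reports which PhantomJS-specific globals exist in the page.

```javascript
// Added example, not Incapsula's implementation. PhantomJS exposes the
// globals window._phantom and window.callPhantom, and its default User-Agent
// carries a "PhantomJS/<version>" token; both are used as signatures here.
const PHANTOM_GLOBALS = ["_phantom", "callPhantom"];
const PHANTOM_UA = /PhantomJS\/\d+/;

// headers: { "user-agent": string }
// probe:   { globals: string[] } reported by a client-side script, or null
//          when the script has not run yet (first request), which is not
//          treated as evidence on its own.
function classifyVisitor(headers, probe) {
  const ua = headers["user-agent"] || "";
  const reasons = [];
  if (PHANTOM_UA.test(ua)) reasons.push("ua:phantomjs");
  if (probe && probe.globals.some((g) => PHANTOM_GLOBALS.includes(g))) {
    reasons.push("probe:phantom-globals"); // catches a spoofed User-Agent
  }
  if (reasons.length === 0) return { verdict: "allow", reasons };
  // Policy from the article: PhantomJS instances get a CAPTCHA, so a real
  // person driving the tool can still pass while automated clients cannot.
  return { verdict: "challenge", reasons };
}

// Constructed sample traffic, not real captured requests.
const SAMPLE_VISITORS = [
  { // stock PhantomJS: UA token and globals both present
    headers: { "user-agent": "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.7 Safari/534.34" },
    probe: { globals: ["_phantom", "callPhantom"] } },
  { // PhantomJS with a spoofed Chrome UA: only the probe gives it away
    headers: { "user-agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36" },
    probe: { globals: ["callPhantom"] } },
  { // ordinary browser: no signature, no challenge
    headers: { "user-agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36" },
    probe: { globals: [] } },
  { // first request before the probe ran: allowed, decided on a later request
    headers: { "user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0" },
    probe: null },
];

function classifyAll(visitors) {
  return visitors.map((v) => classifyVisitor(v.headers, v.probe).verdict);
}
```

A fingerprint like this is only one signal; a real deployment would combine it with behavioural data such as the landing-page-then-redirect pattern the article mentions.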
Courtesy: The Hacker News