Shielding The Harvest Of Online Offers

THE SITUATION

Online offers boost sales – no doubt. This company publishes online offers on specific dates, and site visitors validate with email authentication to receive the offers. However, analysis of the traffic revealed the presence of scripters harvesting the offers and then on-selling them on the black market. High traffic loads and a variety of attacks were also detected. The organization already had a RedShield private node deployed to protect this service, so it commissioned an emergency anti-scripting shield.

 

OUR SOLUTION

Within 24 hours, RedShield security researchers had analyzed the scripting behavior and proposed a technique to detect and block scripts. Understanding the attackers could modify their specific behavior to bypass detection, RedShield also proposed heuristic detection and fair use policy modifications. Honeypots were also introduced to detect, counteract and block all anomalous behavior.

These new shields were deployed on the RedShield cloud infrastructure, and the DNS entry for the service was modified to point to the RedShield Cloud. For this solution, RedShield notified the customer that the introduced controls were only a partial threat mitigation and that further fair weighted queuing and increased server resources should be implemented.

 

THE RESULT

In the first release, millions upon millions of blocks occurred immediately and RedShield dynamically spread the load across 4 datacenters in 3 countries. The service did slow slightly and an emergency meeting was called. Based on the service slowdown, the customer, in conjunction with their system integrator consultants, decided to drop the RedShield Cloud service out of path.

“After introducing RedShield and seeing service degradation our incumbent IT service integrator quickly pointed the finger. However, it was immediately clear that RedShield was simply cleaning out the attack traffic and for the first time ever our servers were receiving fast legitimate traffic. RedShield has now become an integral part of our service, I am particularly impressed with how fast they can move to introduce new controls. They don’t overstate their defenses and never run away from a fight.”

The DNS entries were returned to point directly to the customer’s datacenters. The impact was immediate and catastrophic: firewalls, load balancers and servers immediately hit 100% and the service went offline. A second emergency meeting was called and the RedShield Cloud was reinstated.

After server resets, the service came back and stayed back, although the previously observed slight performance degradation recurred. Root cause analysis revealed that the RedShield controls had worked extremely well and that the slowdown was caused by a higher-than-expected number of legitimate requests being passed through to the server.

RedShield experts continue to monitor the tools and systems 24/7, audit the application defenses weekly, respond to any customer queries and application updates, and provide monthly commented analyst reports.

May 21, 2020