DDoS Attacks from Proxy Servers the New Normal | Alibaba Cloud Security Operations Center

Bolster the growth and digital transformation of your business amid the outbreak through the Anti COVID-19 SME Enablement Program. Get a $300 coupon package for all new SME customers or a $500 coupon for paying customers.

By Alibaba Cloud Security

Application layer distributed denial-of-service (DDoS) attacks differ greatly from traditional DDoS attacks. Traditional DDoS attacks initiate a large number of concurrent access requests to targets, which causes service unavailability and system crashes. Such attacks are easy to identify, and mature solutions are widely available in the market. Application layer DDoS attacks, however, can be disguised as normal traffic and even as normal business requests, which allow these attacks to easily bypass security protection and cause service interruption or loss of business.

Alibaba Cloud Security Operations Center has conducted an in-depth analysis of the application layer DDoS attacks during the coronavirus disease (COVID-19) epidemic. We hope our findings help enterprises enhance their defenses against these attacks.

Attack Frequency Remained High During the COVID-19 Epidemic

Gaming, Healthcare, and Online Education Have Become New Targets

During this period, healthcare, online education, and online collaboration gained unprecedented attention and a lot of resources were invested in these industries. Hackers looking to benefit from this increased value began to target these industries. During the COVID-19 epidemic, most of the population stayed at home, leading to a surge in the popularity of the gaming industry. As a result, the number of attacks in the gaming industry increased by more than 300% month-on-month (MoM).

Attacks Mainly Originated from Proxy Servers, Zombies, and Cloud Servers

As shown in Figure 3, a single attack was initiated by a single attack source, and only a few attacks were initiated from different attack sources. For example, if a proxy server is used to initiate an attack, zombies or cloud servers are not used to initiate attacks at the same time.

Different Attack Types Have Different Characteristics, Requiring Targeted Defense Measures

  • 78.6% from proxy IP addresses
  • 20.65% from zombies
  • 0.68% from major cloud servers

The percentages of different attack source types are as follows:

  • 12.40% for proxy servers
  • 87.42% for zombies
  • 0.18% for cloud servers

According to Figure 4 and Figure 5, the following observations are made:

1) Proxy Server Attacks Have Become a Norm, and Enterprises Need to Pay More Attention to Them

We recommend enterprises to block proxy servers for websites that do not need to be accessed by proxy when business-related proxy servers are allowed to achieve the defense with the same effectiveness and less effort.

2) Enterprises Should Adjust Their Defense Strategies for Scattered Zombie Attack Sources

For attacks initiated by these attack sources, we recommend enterprises not to use IP address-based defense. Most IP addresses of zombie servers are the broadband and base station egress IP addresses, which have a large number of regular users. Blocking an IP address previously used for attacks may block the regular access of hundreds of potential users.

Furthermore, the IP addresses of zombie servers change rapidly due to device location changes or the dynamic IP address allocation mechanism of internet service providers (ISPs). Therefore, it is not easy to block these IP addresses.

To defend against such attacks, it is necessary to block requests identified as impossible in advance based on regular business request features. For example, block requests from PCs for app-specific services. Enterprises can also adjust policies dynamically based on the differences between regular business requests and attack requests.

3) Attacks Initiated by Major Cloud Servers Have Been Significantly Reduced

Therefore, if the attack source IP addresses come from only a small number of class C addresses and few requests come from the CIDR block in normal cases, we recommend enterprises to block IP addresses to prevent malicious requests.


1) Exercise Caution When Blacklisting IP Addresses

2) Defense Effectiveness Is Limited When Only IP Addresses with a High Access Frequency Are Blacklisted

While continuing to wage war against the worldwide outbreak, Alibaba Cloud will play its part and will do all it can to help others in their battles with the coronavirus. Learn how we can support your business continuity at https://www.alibabacloud.com/campaign/fight-coronavirus-covid-19

Original Source:

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.