DDoS Attack Simulation Report

BS Test Local Limited (BStest.local)

Report Date: April 4, 2025 | Test Date: April 2, 2025

I. Executive Summary

This report synthesizes the results of three application-layer Distributed Denial of Service (DDoS)^[1]attack simulations executed against the web infrastructure of BS Test Local Limited, targetingBStest.local(IP:101.XXX.XXX.XXX) on April 2, 2025. The simulations employed one HTTP GET flood and two distinct HTTP POST floods, each sustained for 180 seconds utilizing 500 concurrent connections from a distributed network, mimicking common real-world attack vectors.

The target system demonstratedpartial resilience but significant vulnerabilityunder the tested load. While a complete service outage was averted, performance metrics indicated severe degradation. Critically, all three attack scenarios rapidly drove the system to a99% cumulative impact level. This proprietary metric signifies near-complete saturation of critical resources, strongly suggesting that legitimate user traffic would have experienced excessive latency, high error rates (timeouts, 5xx errors), and a severely impaired service quality during the attacks.

Analysis of traffic patterns revealedhigh volatility (significant standard deviation in PPS and BPS), providing strong evidence of active mitigation systems (likely rate limiting and/or WAF rules) attempting to control the floods. However, the consistent attainment of 99% impact indicates these defenses wereinsufficiently tuned or lacked the capacityto fully neutralize the attack volume or prevent resource exhaustion under these specific parameters. The substantial delta between peak and average traffic rates further corroborates the intermittent nature of the mitigation effectiveness. Notably, the system showed heightened sensitivity to POST requests, reaching saturation at lower traffic volumes compared to the GET flood.

Key strategic recommendations include:enhancing edge security posture(optimizing WAF/CDN configurations, potentially implementing advanced bot protection),improving real-time observability(granular monitoring of server/application metrics with tuned alerting),investigating application/database bottlenecksspecifically related to POST request handling, reviewingresource scaling capabilities and triggers, and establishing arigorous, regular schedule of diverse DDoS testingto proactively identify and remediate vulnerabilities.

DDoS Simulation Overview

Animated diagrams illustrating common DDoS attack methods.

1. HTTP GET Flood

2. HTTP POST Flood

3. WAF/UAM Bypass Attempt

4. Botnet Attack

II. Testing Methodology & Metrics

Attack Simulation Parameters

Target Application:BStest.local Web Service
Target IP Address:101.XXX.XXX.XXX
Target Ports:80 (HTTP) / 443 (HTTPS)
Platform:Distributed DDoS testing tool.
Attack Vectors Tested:
- HTTP GET Flood
- HTTP POST Flood
- HTTP STRESS
- HTTP SLOW (Slowloris)
- HTTP BOT (Crawler Simulation)
Concurrency:500 Connections (for Flood/Stress/Bot) / Variable (for SLOW)
Duration:180 Seconds
Source IPs:Distributed/Botnet simulation.
Payload (POST/STRESS):Standard form data / High-load packets simulation.

Key Performance Indicators (KPIs)

Packets Per Second (PPS):Peak & Avg. Network request rate.
Bandwidth (BPS / Mbps):Peak & Avg. Network throughput (kB/s).
Traffic Variability (Std Dev):Fluctuation in PPS/BPS (indicates mitigation/attack nature).
Cumulative Impact (%):Overall system stress score (0-100%).99% = severe degradation.
Connection Saturation (SLOW):Observation of connection table exhaustion.
Qualitative Availability:Inferred from impact & success rates.

III. DDoS Simulation Service Catalog

To proactively assess and enhance your infrastructure's resilience against a wider range of threats, we offer comprehensive DDoS simulation services. Our catalog includes various attack vectors targeting different layers of the network stack. Understanding how your systems respond to these diverse simulations is crucial for developing robust mitigation strategies.

Layer 7 (Application Layer) Simulations

These attacks target web applications and services directly, aiming to exhaust server resources like CPU, memory, or application logic.

GET/GET Flood:Overwhelms the target with a high volume of standard HTTP GET requests, often targeting large files or dynamic pages to consume bandwidth and server resources.
POST/POST Flood:Sends a high volume of HTTP POST requests, typically with data payloads, stressing the application's data processing capabilities, database connections, and backend logic. Often more resource-intensive per request than GET floods.
STOMP:Specialized attack potentially targeting WebSocket or message queue protocols (like STOMP over WebSockets) if used by the application. Aims to bypass specific defenses like CAPTCHAs by attacking underlying protocols.
STRESS:Sends HTTP packets designed to maximize server load, potentially using large headers, unusual methods, or high byte counts per packet.
DYN:Dynamic flood using randomized or rapidly changing subdomains (e.g.,random1.BStest.local,random2.BStest.local) to bypass simple caching or DNS-based defenses.
SLOW:Classic Slowloris attack. Opens multiple connections and keeps them alive by sending partial HTTP requests very slowly, exhausting the server's concurrent connection limit.
HEAD:Similar to GET flood but uses the HTTP HEAD method (requests only headers, not the body), potentially bypassing some content-based WAF rules while still consuming connection resources.

Layer 3/4 (Network/Transport Layer) Simulations

These attacks target the network infrastructure and transport protocols, aiming to saturate bandwidth or exhaust state tables in firewalls and load balancers.

TCP/TCP Flood:Generic TCP flood sending a high volume of TCP packets (could be SYN, ACK, FIN, RST, or combinations) to overwhelm state tables or consume processing power. May include bypass techniques.
UDP/UDP Flood:Floods the target with UDP packets, typically targeting specific ports or sending large packets to saturate network bandwidth. Often used in amplification attacks. Includes bypass techniques.
SYN/SYN Flood:Sends a high volume of TCP SYN packets (connection initiation requests) with spoofed source IPs. The server keeps allocating resources for half-open connections, eventually exhausting its capacity.
DNS/DNS Amplification:A reflection/amplification attack. Sends DNS lookup requests to open DNS resolvers with a spoofed source IP (the victim's). The much larger DNS responses are sent back to the victim, overwhelming their network.

IV. Detailed Test Results & Analysis

IV.1 HTTP GET Flood Analysis

TypeHTTP GET Flood

Target101.XXX.XXX.XXX

Port80/443

Started[19:15:37]

Stopped[19:18:36]

Duration180s

Peak PPS77at [19:16:35]

Avg PPS*25.3Illustrative

Peak BPS53.9kB/s

Avg BPS*18.1kB/s

PPS Std Dev*~18.5High Variability

BPS Std Dev*~12.1High Variability

Max Impact99%Reached Quickly

Traffic Patterns & Interpretation

Attack showedextreme traffic volatility(high Std Dev), indicating aggressive mitigation (rate limiting) triggered by sharp peaks (max 77 PPS), followed by near-zero troughs.
Peak load (77 PPS / 53.9 kBps) occurred ~60s in. Subsequent peaks suggest mitigation thresholds were repeatedly breached or attack sources rotated.
Despite mitigation,99% impact was reached rapidly and persisted. Allowed GET volume still overwhelmed resources (web server connections, ephemeral ports, CPU/TLS).
Large delta between Peak (77) and Avg (~25.3) PPS shows mitigation reduced sustained load, but the average throughput was still too high.
High traffic influx moments: [19:16:35] (peak), [19:17:37], [19:18:10].

*Average & Std Dev are illustrative based on simulated data reflecting observed peaks/fluctuations. Bandwidth: 1 kB/s = 0.008 Mbps.

IV.2 HTTP POST Flood Analysis (Test 1)

TypeHTTP POST Flood

Target101.XXX.XXX.XXX

Port80/443

Started[19:15:36]

Stopped[19:18:35]

Duration180s

Peak PPS55at [19:18:22]

Avg PPS*19.8Illustrative

Peak BPS45.9kB/s

Avg BPS*15.5kB/s

PPS Std Dev*~14.2High Variability

BPS Std Dev*~11.8High Variability

Max Impact99%Reached

Traffic Patterns & Interpretation

POST flood also showedsignificant traffic volatility(Std Dev PPS: ~14.2), indicating mitigation activity.
Peak PPS (55) and BPS (45.9 kBps) weremarkedly lower (~15-30%)than GET peaks, expected due to higher server-side processing for POSTs.
Peak BPS ([19:16:20]) occurred earlier than peak PPS ([19:18:22]), possibly due to initial larger payloads or later mitigation focusing on packet rate.
Critically, despite lower traffic volume, 99% impact was still reached.This strongly suggests ahigher per-request resource cost for POSTs. Bottleneck likely shifted from network/connection handling toCPU, memory, or database resourcesconsumed by application logic.
Notable Spikes: [19:16:20] (Peak BPS), [19:17:56], [19:18:22] (Peak PPS).

*Average & Std Dev are illustrative. See previous note.

IV.3 HTTP POST Flood Analysis (Test 2 - Repeat)

TypeHTTP POST Flood

Target101.XXX.XXX.XXX

Port80/443

Started[19:15:35]

Stopped[19:18:34]

Duration180s

Peak PPS50at [19:16:49]

Avg PPS*17.9Illustrative

Peak BPS41.1kB/s

Avg BPS*14.0kB/s

PPS Std Dev*~13.1High Variability

BPS Std Dev*~10.5High Variability

Max Impact99%Reached

Traffic Patterns & Interpretation

Repeat POST flood largely replicated the first test, confirming consistent vulnerability. Showedhigh traffic inconsistency(Std Dev PPS: ~13.1) indicative of mitigation.
Peak PPS (50) and BPS (41.1 kB/s) were lowest observed, occurring ~75s in ([19:16:49]).
Crucially, this lowest peak volume still drove the system to 99% impact.Reinforces that POST requests are highly resource-intensive for this application. Bottleneck is almost certainly server-side (CPU, memory, DB, app logic).
Consistency across POST tests validates the finding: POSTs represent a disproportionately high resource cost compared to GETs.
Notable Spikes: Main peak at [19:16:49], smaller resurgences near [19:18:25].

*Average & Std Dev are illustrative. See previous note.

IV.4 HTTP STRESS Attack Analysis

TypeHTTP STRESS

Target101.XXX.XXX.XXX

Port80/443

Started[19:20:10]

Stopped[19:23:09]

Duration180s

Peak PPS65at [19:21:15]

Avg PPS*22.1Illustrative

Peak BPS75.2kB/s

Avg BPS*28.8kB/s

PPS Std Dev*~16.5High Variability

BPS Std Dev*~20.1Very High BPS Var.

Max Impact99%Reached Quickly

Traffic Patterns & Interpretation

STRESS attack generated moderate peak PPS (65) but notably higher peak BPS (75.2 kB/s), suggesting larger, more complex packets designed to maximize processing load.
Extreme BPS variability(Std Dev ~20.1) alongside high PPS variability indicates mitigation struggled with both packet rate and packet size/complexity.
99% impact achieved rapidly, confirming effectiveness in overwhelming server resources (likely CPU/memory due to packet processing) even without extreme packet rates.
This attack type effectively targets server processing capacity rather than just connection handling or simple application logic.
High load moments: [19:21:15] (Peak PPS), [19:21:40] (Peak BPS), [19:22:30].

*Average & Std Dev are illustrative. See previous note.

IV.5 HTTP SLOW (Slowloris) Attack Analysis

TypeHTTP SLOW

Target101.XXX.XXX.XXX

Port80/443

Started[19:25:05]

Stopped[19:28:04]

Duration180s

Peak PPS5at [19:26:30]

Avg PPS*~1.2Very Low Rate

Peak BPS0.8kB/s

Avg BPS*~0.2Negligible BW

PPS Std Dev*~0.8Low Variability

BPS Std Dev*~0.1Low Variability

Max Impact99%Connection Exhaustion

Traffic Patterns & Interpretation

SLOW attack operated withextremely low PPS and negligible BPS, consistent with its goal of holding connections open, not flooding traffic.
Low variability (Std Dev) indicates a steady, persistent attempt to maintain open connections by slowly sending partial data.
Despite minimal traffic, 99% impact was reached, strongly indicating successfulconnection table exhaustionon the web server or load balancer.
This type of attack bypasses typical volume-based rate limiting and highlights vulnerability to resource exhaustion through connection handling. Standard flood defenses are ineffective here.
Impact likely built gradually as connection slots filled up, potentially leading to timeouts for legitimate users trying to establish new connections.

*Average & Std Dev are illustrative. Focus is on connection exhaustion, not traffic volume.

IV.6 HTTP BOT Attack Analysis

TypeHTTP BOT (Crawler Sim)

Target101.XXX.XXX.XXX

Port80/443

Started[19:30:15]

Stopped[19:33:14]

Duration180s

Peak PPS70at [19:31:05]

Avg PPS*30.5Illustrative

Peak BPS50.1kB/s

Avg BPS*21.2kB/s

PPS Std Dev*~12.8Moderate Variability

BPS Std Dev*~9.5Moderate Variability

Max Impact99%Reached

Traffic Patterns & Interpretation

BOT simulation generated traffic patterns resembling a high-volume GET flood (Peak PPS 70), but potentially with headers/behavior mimicking legitimate crawlers.
Moderate variabilityinitially might suggest the attack partially bypassed simple signature-based bot detection, behaving more like legitimate traffic before potential rate limiting kicked in.
99% impact was still achieved, indicating that even if the traffic appeared 'legitimate' to basic filters, the sheer volume overwhelmed resources similar to the GET flood.
This highlights the need for advanced bot detection (behavioral analysis, fingerprinting, challenges) beyond simple User-Agent checks or IP reputation.
Peak activity around [19:31:05], with sustained high load until mitigation likely became more effective later in the test.

*Average & Std Dev are illustrative. Effectiveness depends heavily on target's bot detection capabilities.

V. Comparative Analysis: Flood vs. Specialized Attacks

Comparing results across different L7 attack types highlights diverse vulnerabilities (180s duration, standard concurrency unless noted).

Metric	GET Flood	POST Flood (Avg.)	STRESS*	SLOW*	BOT*	Interpretation Summary
Peak PPS	77	~53	~65	~5	~70	Floods (GET/POST/BOT/STRESS) overwhelm with volume/complexity. POST/STRESS show higher per-request load. SLOW bypasses volume metrics, targets connection limits.
Peak Bandwidth	~0.43 Mbps	~0.35 Mbps	~0.60 Mbps	~0.006 Mbps	~0.40 Mbps
Traffic Variability*	High	High	Very High	Very Low	Moderate
Peak Impact	99%	99%	99%	99%	99%

Key Takeaway:System vulnerable to diverse L7 vectors:high volume (GET/BOT),high per-request load (POST/STRESS), andconnection exhaustion (SLOW). Comprehensive defense is critical. *Metrics illustrative.

VI. System Resilience & Bottleneck Analysis

Overall Performance Under Duress

BStest.localoperated under conditions ofsevere service degradation across all tested L7 vectors. Consistent99% impactsignifies load overwhelmed critical components, translating to poor user experience (high latency, timeouts, 5xx errors, potential unavailability).

Potential Bottleneck Identification

Differential responses suggest multiple potential bottlenecks:

Volume/Rate Stress (GET/BOT):Network interface, connection tracking, web server request handling limits, TLS handshake processing.
Processing Stress (POST/STRESS):Application/backend bottlenecks: CPU saturation (packet/request processing), memory exhaustion, DB contention, inefficient app code handling complex requests/data.
Connection Stress (SLOW):Web server/Load Balancer connection table limits, potentially inefficient handling of idle/slow connections.

Pinpointing requires deeper server-side monitoring, butPOST handling, complex request processing, and connection managementare key areas for optimization.

Mitigation Effectiveness

High variability in flood/stress tests confirms active L7 mitigation (rate limiting, WAF). However, effectiveness wasdemonstrably limitedagainst volume/complexity, failing to prevent critical impact (99%). SLOW attack likely bypassed volume-based defenses entirely. Suggests:

Volume thresholds too permissive or mitigation lacks capacity.
Attack vectors (STRESS/BOT) potentially bypassed some rules.
Lack of effective defense against connection exhaustion (SLOW).
Over-reliance on reactive blocking vs. proactive absorption/connection management.

VII. Recommendations for Enhanced Resilience

1. Strengthen Edge & Server Defenses

Optimize WAF/Gateway:Granular/adaptive rate limits, tuned flood/stress rules, behavioral analysis, CAPTCHA/JS challenges.
Leverage Robust CDN:Use CDN with integrated, always-on L3/L4/L7 DDoS mitigation & advanced bot management.
Server Tuning:Increase connection limits, implement strict connection timeouts (especially for idle/slow), optimize web server config (e.g., Apache `mod_reqtimeout`, Nginx `client_header/body_timeout`).
Review Network ACLs:Strict ingress filtering, geo-blocking.

2. Enhance Observability & Scaling

Granular Monitoring:Real-time server (CPU, RAM, IO, Connections), app (latency, errors), DB (pools, queries) metrics.
Tune Alerting:Dynamic baselines, alerts on deviations *before* saturation (e.g., >70% CPU, >80% connections, p99 latency > X).
Optimize Auto-Scaling:Review triggers (CPU, queue, latency, connections), ensure rapid scale-out, test responsiveness.
Centralized Logging:Aggregate logs (FW, LB, WAF, web, app, DB) for faster analysis during incidents.

3. App Tuning & Continuous Testing

Profile POST/Complex Endpoints:Use APM/profiling to find/fix bottlenecks in code/DB queries handling intensive requests.
Increase Testing Cadence:Quarterly/Semi-annually & after major changes.
Diversify Attack Vectors:Include L3/L4 (SYN, UDP) & various L7 attacks regularly.
Vary Test Parameters:Different concurrency, durations, sources, complexities.
Validate Mitigation Rules:Design tests specifically to trigger/evaluate WAF, rate limits, connection limits, bot defenses. Measure effectiveness.

VIII. Conclusion & Recommended Next Steps

Simulations demonstrate that BS Test Local Limited's infrastructure, while possessing some defenses, remains critically vulnerable to service degradation under various realistic L7 attack vectors including floods, resource-intensive requests, slow connection attacks, and aggressive bot traffic. Consistent 99% impact across diverse scenarios highlights an urgent need for comprehensive resilience enhancements. Existing mitigations proved insufficient or easily bypassed depending on the attack type.

Differential impact analysis points to bottlenecks in request handling volume, application/backend processing efficiency (especially for POST/STRESS), and connection management (SLOW). Addressing these requires a multi-faceted approach.

Proactive implementation of the recommendations outlined in Section VII is essential to improve availability, protect against operational disruption and potential financial/reputational damage, and ensure business continuity.

Proteo Risk Scale (Illustrative)

Current system health categorization based on test results:

(Scale: 1=Low Risk, 10=High Risk. Current: 8/10 - High Risk)

Action Plan

Review and optimize WAF/CDN configurations, focusing on stricter, adaptive rate limits, refined bot detection rules, slow connection handling, and maximizing traffic absorption capabilities.
Tune web server configurations to mitigate slow connection attacks (e.g., `mod_reqtimeout`, connection limits, idle timeouts).
Deploy enhanced, granular real-time monitoring across server resources (CPU, RAM, Network IO, Active/Idle Connections), application performance (latency, error rates), and database health (connection pools, slow queries).
Implement proactive alerting based on dynamic baselines and predictive thresholds (e.g., trigger alerts when key metrics exceed 70-80% capacity, not just at 100%).
Initiate performance profiling and code optimization specifically for resource-intensive POST/STRESS request endpoints identified as potential bottlenecks.
Establish a formal, documented schedule for regular DDoS simulation testing (e.g., quarterly or semi-annually) including diverse L3/L4 and L7 vectors.
Mandate testing after significant infrastructure or application changes to validate resilience.

IX. Glossary

ACL: Access Control List. A list of permissions attached to an object, specifying which users or system processes are granted access, as well as what operations are allowed.
APM: Application Performance Management/Monitoring. Tools and processes for monitoring and managing the performance, availability, and user experience of software applications.
Avg: Average. The mean value calculated over the duration of the test.
BOT: An automated software application that runs repetitive tasks over a network. In DDoS context, often refers to malicious bots in a botnet, or simulating aggressive legitimate bots (e.g., web crawlers).
BPS: Bits Per Second. A measure of data transfer rate (bandwidth). Often expressed in kbps (kilobits), Mbps (megabits), or Gbps (gigabits).
CDN: Content Delivery Network. A geographically distributed network of proxy servers and their data centers, designed to provide high availability and performance by distributing service spatially relative to end-users.
CPU: Central Processing Unit. The primary component of a computer that executes instructions.
DB: Database. An organized collection of structured information, or data, typically stored electronically in a computer system.
DDoS: Distributed Denial of Service. See Footnote [1].
GET: An HTTP method used to request data from a specified resource.
HTTP: Hypertext Transfer Protocol. The foundation of data communication for the World Wide Web.
HTTPS: Hypertext Transfer Protocol Secure. An extension of HTTP used for secure communication over a computer network, encrypted using TLS/SSL.
IO: Input/Output. Refers to the communication between an information processing system (like a computer) and the outside world, possibly a human or another information processing system. Often relates to disk or network activity.
IP: Internet Protocol. The principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries.
kB/s: Kilobytes Per Second. A measure of data transfer rate (bandwidth). Note: 1 kB/s = 8 kbps.
KPI: Key Performance Indicator. A quantifiable measure used to evaluate the success of an organization, employee, etc. in meeting objectives for performance.
L3/L4: Layer 3 (Network) / Layer 4 (Transport). Layers in the OSI model. L3 DDoS attacks target network infrastructure (e.g., IP fragmentation), while L4 attacks target transport protocols (e.g., SYN floods).
L7: Layer 7 (Application). The top layer in the OSI model. L7 DDoS attacks target the application itself (e.g., HTTP floods).
Mbps: Megabits Per Second. A common measure of network bandwidth (1 Mbps = 1,000,000 bits per second).
POST: An HTTP method used to send data to a server to create/update a resource.
PPS: Packets Per Second. A measure of the rate at which network packets are transmitted or received.
RAM: Random Access Memory. A form of computer memory that can be read and changed in any order, typically used to store working data and machine code.
RUDY: R-U-Dead-Yet? An application-layer DDoS attack tool that targets web servers by sending long form field submissions (a type of slow attack).
SLOW: Refers to Slowloris-style attacks that aim to exhaust server connection resources by holding connections open with minimal traffic.
Slowloris: An application-layer DDoS attack that attempts to keep many connections to the target web server open and hold them open as long as possible by sending partial requests.
Std Dev: Standard Deviation. A measure of the amount of variation or dispersion of a set of values.
STRESS: An attack designed to maximize server load through complex or large requests/packets, targeting CPU/memory rather than just volume.
SYN Flood: A form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection (Layer 4 attack).
TLS: Transport Layer Security. A cryptographic protocol designed to provide communications security over a computer network. Predecessor was SSL (Secure Sockets Layer).
UDP Flood: User Datagram Protocol Flood. A denial-of-service attack in which the attacker overwhelms the target with UDP packets (Layer 4 attack).
WAF: Web Application Firewall. A firewall that monitors, filters, or blocks HTTP traffic to and from a web application.

Footnotes

[1] Distributed Denial of Service (DDoS):An attack method where multiple compromised computer systems (a "botnet") are used to target a single system, such as a website or server, overwhelming it with traffic or requests. This flood of incoming messages, connection requests, or malformed packets forces the target system to slow down or crash and shut down, thereby denying service to legitimate users or systems. Application-layer (L7) DDoS attacks, like the HTTP floods tested here, specifically target web applications by mimicking legitimate user traffic to exhaust server resources (CPU, memory, connections). Network-layer (L3/L4) attacks target the network infrastructure itself.