DDoS Attack on Municipal Web Infrastructure Successfully Mitigated

  • Lisa Fröhlich
  • June 12, 2025


Recently, the website of an Israeli city administration experienced a brief but intense Layer 7 DDoS attack: roughly 18 million HTTP requests, averaging more than one million per minute, which at that rate works out to well under twenty minutes of sustained flooding. The attackers targeted only the root path of the city's website; its APIs and other endpoints were not hit.

Technical Analysis of the Incident

The requests came from a globally distributed botnet whose source IP addresses were spread across many countries, including Germany, Russia and Ukraine. The pattern is a classic Layer 7 DDoS scenario: the goal is to overwhelm the web application with a large volume of seemingly legitimate HTTP requests, and the spread over many addresses and countries is what makes that volume hard to attribute to any single source.

Layer 7 attack pattern (HTTP flood)

The traffic consisted of complete, well-formed HTTP requests aimed at a single path, the root endpoint, while the site's APIs remained untouched. That profile points to an HTTP flood at the application level (Layer 7) rather than a volumetric attack: every request has to be accepted, parsed and routed before it can be judged, so the cost lands on the web tier rather than on the network. Such floods are harder to block than Layer 3/4 volumetric attacks because the individual requests look like legitimate traffic. No more sophisticated techniques were observed, such as low-and-slow requests or dynamic variation of headers to evade fingerprinting, which suggests standardized, generic bot traffic.

Mitigation Measures in Place 

Because the platform already had load balancing, a web application firewall (WAF) and automatic scaling in place, it was able to absorb the unusual load quickly. The most important components at a glance:

  • Dynamic scaling via Kubernetes 

The application runs on a Kubernetes cluster with horizontal pod autoscaling. As the load increased, additional reverse proxy instances were automatically deployed. This rapid scaling ensured that neither the CPU nor memory resources became bottlenecks. 

  • Web Application Firewall (WAF) with Rate Limiting 

A centralized WAF instance within the multi-tenant cluster continuously monitors traffic patterns. During the attack, the WAF automatically enforced a rate limit of 60 requests per minute per source IP address. Once an address exceeded that threshold, the WAF raised a rate-limit block and rejected its further requests for the window.

  • Web Application Firewall (WAF) with Dynamic Quarantine Rules

A dynamic rule counted the blocked requests per source address; once a single IP accumulated a large number of blocks, it was moved to a quarantine state. In that state, all subsequent requests from the address were ignored at the application level, which significantly reduced unnecessary load on backend services. A quarantine of this kind needs an expiry or release path: addresses behind carrier-grade NAT or corporate proxies are shared by many legitimate users, and a permanent block on one of them locks all of them out.
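The two WAF behaviours described above, per-IP rate limiting and automatic quarantine of repeat offenders, as an added example in Python. This is not the vendor's WAF code and not from the original article. The 60-requests-per-minute limit is the figure given in the article; the quarantine threshold of 100 blocked requests, the 10-minute quarantine duration, the sliding-window implementation and the replayed traffic are assumptions constructed for the example.

```python
"""Sliding-window rate limiting with automatic quarantine.

Added example (not the vendor's WAF code): a minimal model of the two WAF
behaviours described above, replayed over a constructed request log.
Assumed values: 100 blocked requests before quarantine, 10-minute quarantine.
"""
from collections import Counter, defaultdict, deque

RATE_LIMIT = 60             # requests per window per IP (figure from the article)
WINDOW_SECONDS = 60.0
QUARANTINE_AFTER = 100      # blocked requests before quarantine (assumed)
QUARANTINE_SECONDS = 600.0  # how long a quarantined IP is ignored (assumed)

ALLOW, RATE_LIMITED, QUARANTINED = "allow", "rate_limited", "quarantined"


class WafRateLimiter:
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS,
                 quarantine_after=QUARANTINE_AFTER,
                 quarantine_for=QUARANTINE_SECONDS):
        self.limit = limit
        self.window = window
        self.quarantine_after = quarantine_after
        self.quarantine_for = quarantine_for
        self._window = defaultdict(deque)  # ip -> timestamps seen inside the window
        self._blocks = defaultdict(int)    # ip -> blocked requests since last release
        self._quarantined_until = {}       # ip -> timestamp at which quarantine ends

    def decide(self, ts, ip):
        """Return the WAF decision for one request at time ts (seconds) from ip."""
        # Quarantined sources are dropped first, with no window bookkeeping, so
        # the per-request cost for a known-bad address is a single dict lookup.
        until = self._quarantined_until.get(ip)
        if until is not None:
            if ts < until:
                return QUARANTINED
            del self._quarantined_until[ip]   # quarantine expired: release the IP
            self._blocks[ip] = 0

        # Sliding window: every request counts, blocked ones included, so a
        # source that keeps flooding stays blocked until it actually slows down.
        seen = self._window[ip]
        while seen and ts - seen[0] >= self.window:
            seen.popleft()
        seen.append(ts)
        if len(seen) <= self.limit:
            return ALLOW

        # Over the limit: count the block; enough blocks moves the IP to quarantine.
        self._blocks[ip] += 1
        if self._blocks[ip] >= self.quarantine_after:
            self._quarantined_until[ip] = ts + self.quarantine_for
            seen.clear()   # no need to keep window state for an ignored source
            return QUARANTINED
        return RATE_LIMITED


def replay(log, waf=None):
    """Replay (ts, ip, path) records through the WAF in time order.

    Returns a Counter keyed by (ip, decision)."""
    if waf is None:
        waf = WafRateLimiter()
    tally = Counter()
    for ts, ip, _path in sorted(log, key=lambda rec: rec[0]):
        tally[(ip, waf.decide(ts, ip))] += 1
    return tally


def build_sample_log():
    """Constructed traffic, not data from the incident: one human loading a
    page every 2 s for 10 minutes, and one bot node hitting "/" (the only path
    targeted in the article) 50 times a second for 60 seconds."""
    human = [(2.0 * i, "10.0.0.5", "/") for i in range(300)]
    bot = [(i / 50.0, "203.0.113.7", "/") for i in range(3000)]
    return human + bot


if __name__ == "__main__":
    for (ip, verdict), count in sorted(replay(build_sample_log()).items()):
        print(f"{ip:>14}  {verdict:<13} {count}")
```

Replaying the constructed log, the bot gets its first 60 requests through, is rate-limited for the next 99, and is quarantined from the 100th block onward for the rest of the flood, while the human browsing at one request every two seconds is never touched. Two points matter in production: the window counts blocked requests as well, so a client that keeps hammering never gets a fresh allowance until it slows down; and when the proxy tier is scaled out horizontally, as with the Kubernetes autoscaling described above, this per-IP state has to live in a store shared by all replicas, otherwise each new pod starts with an empty window and the attacker effectively gets one allowance per replica.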

The technical defense delivered a clear result:

  • Out of 18 million requests, around 17.7 million were automatically blocked or rejected. That is a block rate of roughly 98% (17.7 / 18), not the more than 99% sometimes quoted; the remaining few hundred thousand requests were absorbed by the scaled-out platform.
  • System availability: The website remained available without interruption throughout the incident. Users did not notice any delays or outages.
  • Resource utilization: Neither CPU nor RAM of the cluster nodes were pushed to their limits. The automatic scaling responded reliably and precisely.

Lessons Learned and Recommendations

The successful mitigation of this attack underscores the importance of layered security strategies. 

  • Proactive scaling: Use infrastructure that can scale dynamically under stress, and make sure the filtering layer scales with it rather than becoming the next bottleneck.
  • Intelligent filtering: Implement behavioral detection mechanisms and adaptive rate limiting, so that thresholds follow the traffic profile instead of a single static number.
  • Dynamic bot detection: Static block lists are insufficient against globally distributed botnets, whose addresses change from one attack to the next. Instead, analyze anomalies in request behavior in real time and enforce appropriate rules automatically.
  • Challenge-response mechanisms: Incorporate unobtrusive methods, such as JavaScript challenges or CAPTCHA alternatives, to differentiate bots from human users. A challenge only stops clients that cannot execute it; a headless browser passes a JavaScript challenge, so challenges complement rather than replace rate limiting and behavioral scoring.
  • Segmentation: Ensure a clear separation between the different parts of your application (e.g., APIs and public web pages), so that a flood against one of them, here the public root page, does not take the others down with it.

Conclusion 

In summary, although the DDoS attack was significant in terms of volume and geographic spread, the combination of automated defences and modern cloud infrastructure ensured a fast, transparent, and effective response that did not impact user experience or operational continuity. 

Even publicly accessible platforms with relatively small data sets can be targets of automated mass attacks. Resilient infrastructure combined with intelligent traffic analysis and a timely response protects not only availability, but also citizens’ trust in digital government services. 

Fortunately, with the right setup, most of these attacks can be fended off completely automatically, with no impact on users or the operations team. 
