Real-World DDoS Simulation Reveals Critical Weaknesses in Infrastructure Defences

A high-stakes test revealed blind spots, misconfigurations and the need for strengthened defence strategies. 

This public utilities organisation manages essential online assets, websites and data centre resources that support critical infrastructure across the Middle East. To protect these systems, they invested in continuous, cloud-based mitigation services managed by their ISP. 

After previously experiencing DNS-based attacks they couldn’t block, the organisation sought a realistic assessment of both their ISP’s capabilities and their internal WAF configuration. 

The Challenge

With only a 120-minute maintenance window available, the organisation needed to: 

  • Test the effectiveness of their ISP’s mitigation service 
  • Validate the performance of their on-premise WAF 
  • Simulate multiple types of attacks (Layer 3, Layer 7, DNS) 
  • Confirm their systems could stay operational under real-world conditions 

Their goal was straightforward but critical: understand the true strength of their defences and uncover weaknesses before an attacker did. 


The Solution

A controlled yet aggressive test plan was developed: six distinct attack types would be launched against three different targets. 

Over a 104-minute test window, the attacks were delivered using four botnet armies, consisting of 120 bots across 21 global locations, accurately simulating real adversarial activity. 

The sequence included:

  • HTTP Slow Post Attack: Although the server stayed operational, the SIEM was overwhelmed, risking instability.
  • DNS Request Flood: The DNS server became unresponsive. The ISP’s mitigator mislabelled the attack as a false positive. Other hosts on the subnet suffered collateral disruption.
  • UDP Flood: The targeted website slowed, then became unavailable, and no mitigation alerts were sent.
  • Dynamic HTTP Flood: High-volume random URL requests went undetected by both the ISP and the WAF.
  • Tsunami SYN Flood: The organisation ultimately blocked all global traffic. Although this stopped the attack, the service still appeared to be down to external users. 

During testing, every team member monitored a live dashboard to document discrepancies in real time. 

The Findings & Impact 

The evaluation exposed several critical issues: 

  • Major Failures in ISP Detection and Response: Multiple attacks went unnoticed or unreported. 
  • Misconfigured Internal WAF Rules: Application-layer attacks bypassed expected safeguards. 
  • Bystander Fallout: Unintended assets on the same subnet were disrupted. 
  • Telemetry Gaps: SIEM systems were overwhelmed and unable to provide meaningful alerts during stress events. 

These findings reshaped the customer’s understanding of their security posture. 

Recommendations & Next Steps

Enhanced Log Parsing & Real-Time Alerting: Better analysis tools would help detect anomalies before escalation. 
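As an added illustration of this recommendation (not the organisation's or the testing vendor's own tooling), the following Python flags the pattern behind the dynamic HTTP flood finding above: a single source sending a high volume of requests to mostly distinct, random-looking URLs inside a short time window. The log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-log style line (assumed format); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (source, epoch_seconds, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("src"), int(ts.timestamp()), m.group("path").split("?", 1)[0]

def detect_random_url_flood(lines, window=60, min_requests=10, min_unique_ratio=0.8):
    """Return {(src, window_start): (requests, unique_paths)} for sources that exceed
    min_requests within one window AND whose requested paths are mostly unique.
    A source hammering one URL is deliberately not flagged here; that is a different pattern."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable line: skip rather than crash the alerting loop
        src, epoch, path = parsed
        buckets[(src, epoch - epoch % window)].append(path)
    alerts = {}
    for key, paths in buckets.items():
        n, unique = len(paths), len(set(paths))
        if n >= min_requests and unique / n >= min_unique_ratio:
            alerts[key] = (n, unique)
    return alerts

def _line(src, second, path):
    # Constructed sample access-log line (documentation IP ranges, fixed date).
    return f'{src} - - [03/Mar/2024:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 404 153'

# Constructed sample: one source with random-looking paths, one repeating a single URL,
# one ordinary visitor with a handful of normal page requests.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, f"/{(s * 7919) % 100000:05x}") for s in range(12)]
    + [_line("198.51.100.5", s, "/status") for s in range(12)]
    + [_line("192.0.2.9", s, p) for s, p in enumerate(["/", "/about", "/contact"])]
)

if __name__ == "__main__":
    for (src, start), (n, unique) in detect_random_url_flood(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} requests, {unique} distinct paths in window starting {start}")
```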

Formal ISP Engagement: Further investigation was advised to determine why mitigation failed. 

A Second Round of Testing: Repeating the evaluation after improvements would validate the actions taken and demonstrate a commitment to resilience: a valuable signal for regulators, auditors and partners. 

“Almost immediately it was discerned that no mitigation alerts were being sent and the ISP did not detect the attack. Now armed with the DDoS test results and a comprehensive report, we have a good baseline for more targeted simulations in a subsequent round of testing.”
Head of Infrastructure

Leading Public Utilities Company
