How DataDome Protected a Major Asian Gaming Platform from a 3-Week, Distributed Credential Stuffing Attack
In this article, we cover the details of a three-week-long, highly distributed credential stuffing attack that targeted a major Asian gaming platform. By the end of the attack, more than 25 million malicious login attempts had been stopped by DataDome’s protection.
Key Metrics
For three weeks—from Feb 10 to Mar 3, 2024—the login API of the gaming platform was targeted in a credential stuffing attack.
The attack included:
Credential Stuffing Attack Overview
The graph below (Figure 1) represents the bot traffic detected during the 3-week attack by our detection engine. The attack reached a peak of more than 1.2 million malicious login attempts per 12h on Feb 25, 2024.
Figure 1: Number of malicious login attempts handled by the DataDome bot detection engine over time during the attack.
Distribution of the Attack
Over the 3-week period of the attack, the attacker used more than 172K distinct IP addresses located on different autonomous systems in different countries. Figure 2 represents the number of malicious login attempts per country—inferred from the IP address location—for the top 10 countries.
Figure 2: Volume of malicious login attempts per country involved in the attack.
Attack Indicators of Compromise (IoCs)
While the attack was heavily distributed across more than 172K IP addresses, the attacker used a static server-side fingerprint. All of the requests shared the same combination of HTTP headers:
- The attacker used a single user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/106.0.0.0
- The bot used a single accept language: vi-VN,vi;q=0.9
- The bot used an accept header consistent with the API targeted: application/json, text/plain, */*
- However, its accept encoding doesn’t contain the brotli encoding (br): gzip,deflate
- Each bot sets a referrer equal to the login page where the POST login API request is made.
- The bots didn’t execute JavaScript.
How was the attack blocked?
Thanks to our multi-layered detection approach, the attack was blocked using different independent categories of signals. Thus, had the attacker changed part of its bot (for example, fingerprint or behavior), it would have likely been caught using other signals and approaches.
The main signals and detection approaches here were the following:
- Lack of JavaScript execution: The attacker never sent any of the JS payload either from our JS tag or from our Device Check page.
- Server-side fingerprinting inconsistency: The attack had a unique server-side fingerprint hash that exhibited some inconsistencies, such as specific HTTP headers order, or the absence of brotli encoding on the Opera browser.
- DataDome session cookie mishandling: The bot used in the attack handled cookies in an incorrect manner, in particular when it comes to the DataDome session cookie that was transferred across different IPs located in different countries.
- Behavioral detection: Our behavioral engine detected an abnormal volume of failed login attempts per session and per IP address.
- Residential proxy detection: Our ML models were also able to leverage the fact that most of the attacker’s requests came from IP addresses flagged as proxies.
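To make three of these signals concrete, here is an added example (not DataDome’s code) that runs over a constructed JSON-lines login log: it flags the Opera/Chromium user agent that omits brotli from Accept-Encoding, counts failed logins per IP, and spots a session cookie reused from IPs in different countries. Field names (ip, cc, ua, ae, sid, status) and the threshold are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample log, not taken from the article: one session cookie (s1)
# is replayed from IPs in two countries by an Opera UA without brotli, while a
# legitimate Chrome user advertising "br" logs in once successfully.
OPERA_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/106.0.0.0")
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ip": "203.0.113.10", "cc": "VN", "ua": OPERA_UA, "ae": "gzip,deflate", "sid": "s1", "status": 401},
    {"ip": "198.51.100.7", "cc": "BR", "ua": OPERA_UA, "ae": "gzip,deflate", "sid": "s1", "status": 401},
    {"ip": "203.0.113.10", "cc": "VN", "ua": OPERA_UA, "ae": "gzip,deflate", "sid": "s1", "status": 401},
    {"ip": "203.0.113.10", "cc": "VN", "ua": OPERA_UA, "ae": "gzip,deflate", "sid": "s2", "status": 401},
    {"ip": "192.0.2.44", "cc": "US", "ua": CHROME_UA, "ae": "gzip, deflate, br", "sid": "s9", "status": 200},
])

def fingerprint_inconsistent(req):
    """A Chromium-based UA (Chrome or Opera) normally advertises brotli;
    a request claiming such a browser but lacking "br" is a header/UA mismatch."""
    ua = req["ua"]
    claims_chromium = "Chrome/" in ua or "OPR/" in ua
    encodings = {e.strip().split(";")[0] for e in req["ae"].split(",")}
    return claims_chromium and "br" not in encodings

def analyze(log_text, fail_threshold=3):
    """Aggregate the per-request signals into the three indicator sets."""
    failed_by_ip = defaultdict(int)
    countries_by_session = defaultdict(set)
    inconsistent_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        if fingerprint_inconsistent(req):
            inconsistent_ips.add(req["ip"])
        if req["status"] == 401:                      # failed login attempt
            failed_by_ip[req["ip"]] += 1
        countries_by_session[req["sid"]].add(req["cc"])  # cookie-to-country tracking
    return {
        "inconsistent_fp_ips": inconsistent_ips,
        "failed_login_ips": {ip for ip, n in failed_by_ip.items() if n >= fail_threshold},
        "roaming_sessions": {sid for sid, ccs in countries_by_session.items() if len(ccs) > 1},
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```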
Conclusion
Credential stuffing attacks can cause massive drains on your server resources, not to mention the risk of account takeover that can lead to negative impacts on brand reputation and customer experience. These attacks can be performed by one or two IP addresses—but more and more attackers are using highly distributed methods to try and bypass protection. DataDome’s powerful multi-layered ML detection engine looks at as many signals as possible, from fingerprints to reputation, to detect even the most sophisticated bots. Keeping up with bots’ evolving fingerprints, such as proxy usage, is key to fighting today’s main threats—and DataDome can handle it.
To get a better look at how DataDome can stop credential stuffing attacks, book a demo today.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Antoine Vastel. Read the original post at: https://datadome.co/threat-research/gaming-platform-distributed-credential-stuffing/