Mitigating a DoS Attack on a Healthcare Research Website: A Story of Proactive Monitoring

This story details the successful mitigation of a Denial-of-Service (DoS) attack on a healthcare research studies website belonging to one of our healthcare clients. It highlights the importance of a robust monitoring setup using ELK Stack (Elasticsearch, Logstash, Kibana) and Prometheus, along with quick response procedures to ensure website uptime and data integrity.

The ELK Stack: A Powerful Monitoring Trio

Our team implemented the ELK Stack for centralized log management and analysis. Fluent Bit, a lightweight log forwarder, was installed on all servers, efficiently pushing logs to Logstash. Logstash then parsed and transformed the logs before sending them to Elasticsearch, the data storage engine. Kibana, the visualization layer, provided real-time insights into server logs. On top of this, Elastic Alert was configured to actively query log patterns. Upon detecting specific patterns, it would trigger alerts via Slack and Pagerduty, notifying the on-call engineers about potential issues.

Prometheus: Monitoring Beyond Logs

The website's monitoring system wasn't limited to logs. Our team also implemented Prometheus, a monitoring tool, alongside Alertmanager and Blackbox Exporter. Prometheus scraped metrics from various sources, including the website itself. Alertmanager served as the central hub for routing alerts generated by Prometheus based on pre-configured thresholds. Blackbox Exporter, another tool implemented by our team, actively monitored critical website URLs and APIs, ensuring their availability.

Early Detection, Prompt Action

One early morning, the team was bombarded with continuous 5XX error alerts from the Prometheus setup. These alerts signified critical website errors. Simultaneously, the team observed a significant degradation in website performance, with intermittent outages preventing user logins.

The proactive monitoring system proved its worth. Before users could even report issues, the engineering team was already on the case, thanks to the real-time alerts.

Diagnosing the DoS Attack and Corrupted Database

Analyzing the impacted logs through Kibana, the engineers identified a DoS attack targeting the website. This malicious traffic was causing the intermittent slowness and outages.

Swift action was taken. The identified attacker's IP address was promptly blocked on the application firewall, effectively neutralizing the DoS attack.

While the attack was mitigated, further investigation revealed a more significant problem. The website's database had become corrupted. Upon closer inspection, it was discovered that the attacker exploited a vulnerability in an outdated plugin. The attacker likely gained access to the system through this vulnerability and attempted to upgrade the plugin to a malicious version. However, this upgrade process failed, causing the database corruption.

Restoration and Securing the System

Thankfully, a nightly backup routine, meticulously set up by our team, diligently uploaded backups to a secure Amazon S3 bucket. The team swiftly retrieved the latest backup and restored the database, bringing the website back online with clean data.

The vulnerability in the outdated Drupal plugin was meticulously investigated. A patch was promptly applied to address the security flaw, and additional measures were implemented to further secure the entire system.

Lessons Learned

This incident served as a valuable learning experience, highlighting the importance of:

• Proactive Monitoring: A robust monitoring system that combines ELK Stack for log analysis with Prometheus for comprehensive infrastructure monitoring is crucial for early detection of anomalies.
• Alerting and Notification: Timely alerts ensure the engineering team can address issues before they impact users.
• Security Best Practices: Regular updates, vulnerability patching, and secure coding practices are essential to prevent system compromises.
• Data Backups: Consistent backups stored offsite guarantee data recovery in case of disasters.

By implementing these practices, healthcare research institutions can ensure the availability, integrity, and security of their critical websites, safeguarding vital research data and facilitating continued progress in the medical field.