When Your Login Page Becomes the Frontline: Lessons from a Real-World DDoS Attack

February 12, 2025

Introduction

As an IAM SaaS company, our work often remains in the shadows—until something goes wrong. Today, I want to shed light on how we handle security at the very first layer all IAM systems have: the login page. Specifically, I’ll walk you through an incident we managed at Cloud-IAM, where we provide a managed Keycloak solution, and share some insights on securing authentication systems against evolving DDoS threats.

‍

The Challenge: IAM Security Beyond MAUs

‍

Many of our clients are tech enthusiasts and small companies that want to avoid the complexity of configuring and maintaining Keycloak. Our larger clients, on the other hand, demand resilience. However, resilience is often measured in terms of Monthly Active Users (MAUs), without fully considering the exposure of their service.

‍

For example, take two hypothetical companies:

Company A: A SaaS for plant analysis with a high number of MAUs.
Company B: An IoT platform managing security cameras.

Despite Company A having more MAUs, Company B is likely more exposed to attacks because of the nature of its infrastructure. This exposure factor is rarely accounted for but plays a critical role in IAM security.

‍

Attacks Are Inevitable—So We Adapt

‍

Attackers exploit the same logic and processes as normal users, making them difficult to detect. The more information they have, the better they can impersonate real users and bypass detection systems. Many companies rely on Load balancer rate limiting or Low Level Firewall, both of which are great initial defenses. However, attackers have evolved beyond these measures.

‍

At Cloud-IAM, we take a multi-layered approach to attack mitigation:

Advanced web server filtering & logging for future learning.
IP packet filtering for early-stage attack mitigation.
Dynamic rule assignment based on specific client domains.
Web Application Firewall (WAF) protection.
AI-driven rule detection (in progress) to automate and optimize security rules based on real-time threats.

‍

Case Study: The Month-Long Attack on a Cloud-IAM Client

‍

All our clients operate with two distinct lifecycles:

The client product lifecycle (e.g., how a service integrates with IAM for authentication and security).
The IAM product lifecycle (e.g., updates, fixes, security patches, and infrastructure resilience).

‍

One of our clients, a widely used SaaS platform, regularly experiences DDoS attacks due to its high exposure and millions of MAUs. In this particular case, the client had a specific IP restriction policy that influenced how the attack unfolded.

‍

A major challenge for this client is that they demand to scale up their infrastructure in advance to handle high user loads efficiently. This means they anticipate peak demand and adjust their infrastructure capacity before the load arrives. For instance, before major events like an SSO update, they anticipate and prepare for 1 million users reconnecting within a short window. While this improves user experience, it also complicates attack detection, as malicious traffic can blend with legitimate user activity, making it significantly harder to distinguish between normal behavior and an attack.

This operational complexity required a highly tailored security response.

‍

The incident: A Stealthy, Persistent Enumeration Attack

‍

Phase 1: The First Sign of Trouble

In early January, we identified a misconfiguration in Keycloak, which revealed inefficiencies in how our system handled enumeration attempts.
Attackers exploited this, sending requests at a rate that overwhelmed the connection pool, preventing new connections from being established.
Our systems detected the issue before it had any impact on the client, allowing us to intervene proactively.
We patched the situation before it escalated into a total deadlock, ensuring system stability.
Within 24 hours, we deployed a fix to prevent this specific vulnerability from being exploited again.

‍

Phase 2: The Quiet Defense

Following the initial issue, attackers ramped up their efforts, generating over 8,000 connections per minute.
Our system automatically detected and banned these low-level attempts, preventing any significant impact.
No manual intervention was required, as the automated bans effectively mitigated this phase of the attack.

‍

Phase 3: The Storm Grows

Two weeks later, the attack escalated, becoming 3x bigger and lasting 100x longer than the previous phase.
The attack reached 2,500 authentication attempts per minute, a decrease compared to the previous phase, but sustained over 12 hours.
Despite the prolonged nature of the attack, our monitoring systems detected the pattern early, allowing us to take swift action.
No manual intervention was required, as the automated bans effectively mitigated this phase of the attack.

‍

What Made This Attack Unique?

‍

Analyzing the attackers' strategy, we observed a shift in their approach across phases. Initially, in Phase 1, they experimented with limited but targeted attempts. In Phase 2, they believed that overwhelming the system with a high number of requests (8,000 per minute) would break through defenses. However, this only led to rapid bans.

‍

By Phase 3, they changed their strategy, opting for a prolonged attack rather than an intense burst. Even though the request rate dropped to 2,500 per minute, the total number of requests in this phase was significantly higher due to the 12-hour sustained attack.

This shift is evident in the following visualizations:

‍

‍

Request Rates During DDoS Attack Phases (left): Showing how each phase varied in request rates.
Total Requests During DDoS Attack Phases (right): Demonstrating how the last phase, despite lower request intensity, was far more impactful in sheer volume.

‍

How We Handled It

Learn: Our monitoring stack signaled an anomaly.
Detect: We identified the attack as an enumeration attempt.
Block: A traditional Low Level Firewall approach wouldn’t work due to the rapid IP rotation, so we had to analyze the context in real time.
Enable: We empowered both our team and our client with insights to respond proactively.
Share: We documented our findings internally and externally (hence, this article!).

‍

What’s Next? AI-Powered Defense

‍

Our goal isn’t to become a full-fledged Security Information and Event Management (SIEM) system, but to integrate smarter protections. We’re currently developing an AI-driven tool that dynamically adjusts security rules based on user prompts, allowing for:

Faster detection of attack patterns.
Automated responses tailored to specific client needs.
Better protection without unnecessary blocking of legitimate users.

‍

Final Thoughts

‍

IAM security isn’t just about stopping attackers—it’s about learning, adapting, and empowering. The attack we faced in January reinforced that traditional defenses aren’t enough. A layered, context-aware approach is critical for modern IAM systems, especially in high-exposure environments.

‍

At Cloud-IAM, we take pride in our resilience, but security is an ever-evolving challenge. We continuously refine our defenses, learning step by step from every incident. There is always room for improvement, and we remain humble in our commitment to staying ahead of emerging threats.

‍

If you believe there are areas where we can improve or if you want to strengthen your own system’s security, don’t hesitate to reach out. We’re always open to collaboration and new insights.

‍

If you manage an IAM service, consider: How well are you protecting your login page?

‍

Get my Keycloak deployment now

Written by

Last update :

Luis RUBIERA

February 12, 2025

The latest Keycloak news delivered straight to your inbox

Our last news

keycloak release

Keycloak v24 performance issues

Blog post

Passkey: how does it work ?

Blog post