Public institutions face unique cybersecurity challenges. Unlike private-sector organizations with flexible infrastructure, government websites must maintain stability, availability, and accessibility for citizens, often while under relentless attack.
This case study explores how we secured a Spanish public institution enduring constant DDoS attacks from NoName057(16), a pro-Russian hacktivist collective, transforming chaos into operational excellence.
The Challenge: Architecture Under Siege
The institution's CMS-based website suffered from a combination of architectural vulnerabilities:
- CMS inefficiency: The original platform consumed excessive resources, making it vulnerable to volumetric attacks
- Resource exhaustion: Legitimate citizen requests could not be served when bot traffic flooded the system
- No traffic filtering: All incoming traffic—including obvious bot requests—reached the origin servers
- DDoS exposure: The institution faced multiple attack vectors simultaneously: HTTP floods, bandwidth saturation, and application-layer exploits
Rapid Response During Active Attacks
The severity became apparent during the onboarding phase itself. Within hours of beginning deployment, NoName057(16) intensified its attacks, testing our ability to protect the site while new security measures were still being established.
This required real-time orchestration of protection layers while maintaining service continuity.
The Protection Strategy Deployment
1. Under Attack Mode & Anti-DDoS
We activated Perimetrical's Under Attack Mode combined with dedicated Anti-DDoS capabilities, enabling:
- Aggressive traffic filtering at the edge
- Automated mitigation of volumetric attacks
- Real-time switchover between protection profiles
2. Edge-Level Configuration
Using VCL (Varnish Configuration Language), we deployed sophisticated logic at the edge:
- Caching optimization: Aggressive cache keys and directives to maximize hit ratio
- Smart redirects: Malicious traffic redirected away from origin infrastructure
- Dynamic routing: Legitimate requests prioritized based on behavioral analysis
3. WAF & Anomaly Detection
The Web Application Firewall (WAF) combined with statistical anomaly detection created a multi-layered defense:
- Threshold-based responses:
  - More than 500 req/s from a single source → automatic email alert
  - More than 1,500 req/s → CAPTCHA challenge automatically triggered
  - Suspicious IPs with abnormal patterns → JavaScript Challenge for verification
- Geo-blocking during incidents: Requests originating outside Spain during attacks → temporary User-Agent Match (UAM) applied
- IP reputation blocks: Known botnet infrastructure flagged for immediate blocking
- Selenium detection: Automated browser attacks identified and blocked
- Form protection: POST/PUT requests filtered with strict WAF rules for forms and AJAX endpoints
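The two request-rate tiers listed above, worked through as an added example (not Perimetrical's rule engine or the institution's configuration). The sliding one-second window, the function names and the traffic are assumptions made for illustration; the page gives only the 500 and 1,500 req/s thresholds.

```python
from collections import defaultdict, deque

ALERT_RPS = 500      # from the page: more than 500 req/s -> email alert
CAPTCHA_RPS = 1500   # from the page: more than 1,500 req/s -> CAPTCHA
RANK = {"allow": 0, "alert": 1, "captcha": 2}

def action_for(rate):
    """Map a per-source request rate to the page's tiers ("more than" is strict)."""
    if rate > CAPTCHA_RPS:
        return "captcha"
    if rate > ALERT_RPS:
        return "alert"
    return "allow"

def classify(events, window=1.0):
    """events: (timestamp_seconds, source_ip) pairs sorted by time.
    Returns {source_ip: strongest action reached in any sliding window}."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    worst = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:    # drop requests older than the window
            q.popleft()
        act = action_for(len(q) / window)
        if RANK[act] >= RANK[worst.get(src, "allow")]:
            worst[src] = act
    return worst

def sample_events():
    """Constructed traffic; addresses are from the RFC 5737 documentation ranges."""
    ev = [(10.0 + i / 1600, "192.0.2.10") for i in range(1600)]        # 1,600 in under 1 s
    ev += [(10.0 + i / 500, "198.51.100.7") for i in range(500)]       # exactly 500 in 1 s
    ev += [(10.5 + i / 600 * 0.9, "203.0.113.5") for i in range(600)]  # 600 across a second boundary
    return sorted(ev)

if __name__ == "__main__":
    for src, act in sorted(classify(sample_events()).items()):
        print(src, act)
```

The third source is the case a fixed per-second counter would miss: its 600 requests split across two clock seconds, so neither bucket exceeds 500, while the sliding window sees all of them.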
4. Transparent Edge's Intelligent Response System
Our platform detected multiple attack signatures in real-time:
- XSS injection attempts: Blocked before reaching the origin
- SQL injection probes: Automatically caught and logged
- Scraper traffic: Recognized and rate-limited to prevent data exfiltration
- Bot networks: Fingerprinted by behavioral analysis (User-Agent, request patterns, timing)
5. Customization & Whitelist Management
Even sophisticated protection requires nuance. We implemented custom rules for edge cases:
- Accessibility service iframe: A third-party accessibility plugin was flagged as suspicious. We whitelisted it while maintaining protection from actual threats.
- News agency scraping: Legitimate news aggregators needed access to headlines. We created specific rules allowing news agencies to fetch content while blocking malicious scrapers.
- Government partner integrations: Other public bodies needed programmatic access—configured with API-specific security policies
Results: Protection in Action
The combined strategy delivered quantifiable results:
- 86% cache hit ratio: Most requests served directly from edge caches, never reaching origin
- Zero downtime: Despite sustained attacks from a sophisticated threat group, service remained available 100% of the time
- Origin protection: Actual DDoS traffic never breached the perimeter—all attacks absorbed at edge
- Performance improvement: Legitimate users experienced faster response times due to aggressive caching and edge processing
Strategic Value: The Dashboard as Command Center
Beyond immediate protection, Perimetrical's analytics dashboard became the institution's control and visibility center:
- Real-time attack forensics showing attacker patterns, geographies, and bot behavior
- Historical trend analysis identifying when attacks occur and from which ASNs
- Rule effectiveness metrics proving which security policies prevent the most threats
- Customizable alerts keeping technical teams informed without noise (a crucial lesson—see our article on Alert Fatigue)
Key Takeaways
This case demonstrates that government websites can achieve both security and performance under attack:
- Architectural decisions at the edge matter—filters applied close to users prevent resource exhaustion at origin
- Sophistication requires customization—whitelists and context-specific rules balance security with usability
- Visibility drives action—dashboards transform raw telemetry into strategic intelligence
- Speed matters in crisis—rapid deployment of protection profiles during attacks prevents chaos
For public institutions operating under constant threat, the path forward is clear: deploy intelligent edge protection that adapts faster than attackers can evolve.