Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

Application Layer 7 DDoS Attack Protection

Posted DateJuly 21, 2016
Posted Time 4   min Read

‘Let me tell you the difference between Facebook and everyone else, we don’t crash EVER! If those servers are down for even a day, our entire reputation is irreversibly destroyed! Users are fickle, Friendster has proved that. Even a few people leaving would reverberate through the entire user base. The users are interconnected, that is the whole point. College kids are online because their friends are online and if one domino goes, the other dominos go, don’t you get that?’

In the 2010s critically acclaimed movie ‘The Social Network’, Zuckerberg’s character was quoted in stating something extremely practical about social networks.  When you think about it, it’s equally relevant to every digital business. Either you stay online or users find someplace else. It’s that simple.

Artur Bergman, Founder & CEO of Fastly says ‘Most employees react to a DDoS attack as an operational problem. They try hard to prove that it’s not their fault and completely overlook the emotional aspects that a company and its customers face.’

He believes that it is important to look into the emotional dimension of such attacks to overcome them, a fact that he learned after a recent attack.

Isn’t that thought-provoking? A company cannot hold anyone responsible for application DDoS debacles. After all, they are fighting humans with malicious intent and the attack being perpetrated is not exercising the application in a non-standard way. It’s not as if there is a particularly known vulnerability that is being exploited.

In fact, most businesses in the digital age with exponentially growing traffic and customers don’t have the slightest of an idea how to deal with the situation. Of course, they can read about it, train their developers on best practices with regards to secure coding, issue advisories, or even prepare a plan for it. But what does it feel to be under such an attack, what are the usual responses, and what not to do?

First Warning Signs

There is rarely a DDoS attack that does not give out warning signals beforehand. A little spike in the traffic, requests originating from unfamiliar locations, or pings from IPs with a questionable background. It is all there for us to see. However, most companies aren’t equipped to identify the red flags and consequently neglect the signs.

In one recent attack targeting a large financial institution, the Director of Information Security received an automatic notification that their application server was suddenly running on 30% maximum load. Nobody suspected that sudden load, which then led to 50% maximum load and then to a total app blackout.

Looking at the server logs today, they see it as a problem that could have been avoided with proper monitoring and mitigation. If only there was someone who had handled such situations.

 

Free Website Security Check Camp: Get Test Report

 

Anxious Customers-Clueless Employees

As the application layer 7 DDoS attack matures, services go down. It usually starts with the domain under attack but then expands to all other business processes.

Take this example of an e-commerce website that recently took a DDoS hit. There were a series of incoming calls to their call center with customers complaining about inaccessibility to their shopping accounts and transaction history. Other than the IT staff, no one had the slightest of a clue on what was going on. Therefore, they kept on stalling them with the usual pitches.

This situation was the opposite in their Order Processing department. Employees sat idle without any orders to act on. In just a few hours, they lost hundreds of orders that day.

Modern Ransom Notes

A massive percentage of application-layer DDoS attacks are launched by competitors or disgruntled employees who seek nothing but damage. However, a large number of hackers are increasingly throwing attacks followed by ransom notes to take back the attack and allow resuming services.

According to the Information Security Media Group, banks lose up to $100,000 per hour under a DDoS attack. Though there is no report to correlate the data for e-commerce and other digitally-driven verticals, DDoS costs can’t be drastically low for them.

That is why many companies agree to pay 10-20 Bitcoins, which is roughly a ransom of $7K – $14K rather than losing direct revenue and brand reputation among their customers.

Everyone’s Problem

An application-layer DDoS attack is everyone’s problem from the boardroom down to the front line.

Layer 7 DDoS Attack

So which way would you choose? Going down or giving a ransom and staying online for a temporary period of time?  Keep in mind, one or two payments won’t eliminate the threat; just simply postpone another extortion attempt in the near term.

There is another way. You can have a security expert to identify zombie traffic before it affects your application’s performance or allows unauthorized access to sensitive data.  The cost of manning a team of security experts can be untenable for many organizations.  PayScale estimates that a salary for a CISO starts at $145k, a figure that is quite conservative given the dearth of talent in the market.  When you add a team of 3-4 for web application security analysts under the CISO, your investment in human capital to support your security initiatives will be over $600,000 per year. For most growing companies, that is a sizeable information security investment.

Indusface AppTrana provides you with an application security team with expertise in analyzing traffic, identifying DDoS attempts, creating custom rules to stop attacks instantly, and monitoring your applications 24×7.

But, application security is not simply just a layer 7 DDoS protection. AppTrana DDoS Protection is a fully managed application SaaS solution that provides detection, protection, and monitoring of all domains by offering automated web application scanning, on-demand pen testing, remediation, web application firewall, application DDoS mitigation, and reporting within one web-based console.

Need help protecting your business from layer 7 DDoS attacks?

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Must have features of DDoS mitigation solution
Essential Features Required for an Efficient DDoS Mitigation Solution

Not all DDoS security vendors offer the same level of features and protection. Here is a comprehensive list of features that should be considered when evaluating a DDoS mitigation solution.

Read More
Mitigate DDoS Attacks
How Automation Can Be Used To Mitigate DDoS Attacks?

DDoS attacks have been rising exponentially over the years. Automation must be effectively and efficiently leveraged by businesses to mitigate DDoS attacks.

Read More
Key Considerations While Selecting DDoS Protection
Key Considerations While Selecting DDoS Protection

Distributed Denial of Service (DDoS) attacks are increasingly devious, complicated and vicious attacks on websites/ web applications that exhaust the computing resources available to make the websites/ web applications unavailable.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!