Application Layer 7 DDoS Attacks

In today’s day and age, websites and web applications play a central in the business strategies of most businesses. These web properties need to be agile, fast, and efficient with zero downtimes or latencies. Or, the business stands to lose customers who will immediately bounce and go to the competitor’s website.

Distributed denial of service (DDoS) attacks, by causing downtimes and crashes, make websites and web applications unavailable to legitimate traffic. Apart from the monetary losses, businesses also face the hefty loss of brand image, goodwill, and reputation due to their high noticeability. DDoS attacks are often used as smokescreens for other malicious activities and attacks and are, therefore, detrimental to business profitability and growth. So, businesses need to have a proactive approach towards DDoS protection to ensure the sustained and consistent availability of their website and web applications.

Understanding the different types of DDoS attacks

To prevent DDoS attacks, it is critical that businesses understand the different types of these attacks that can happen and accordingly, choose a mitigation strategy and solution.

DDoS attacks are often equated with volumetric and network-level attacks. However, only half the DDoS attacks are volumetric or network layer attacks such as UDP flooding, ICMP flooding, SYN Floods, DNS Amplification, etc. which overwhelm the webserver/ application with voluminous fake/ illegitimate requests to erode the bandwidth and other resources and make the website unavailable.

The other half of the DDoS attacks are Application-layer or Layer 7 attacks which are often small and silent. Layer 7 attacks leverage loopholes, vulnerabilities, and/or business logic flaws in the application layer to orchestrate the attacks. These attacks do not require lots of devices, packets, or bandwidth; they are often less than 1Gbps in magnitude. Attackers send seemingly legitimate requests to take down the application; often requesting access to load a single page. These very qualities make Layer 7 attacks much sneakier and more dangerous. Examples of Layer 7 attacks are Slowloris, GET/POST Floods, etc.

Most Common Layer 7 Attacks

The most common application-layer DDoS attack is the HTTP Flooding. There are 4 different categories in HTTP flooding.

1. Basic HTTP Floods:

As the name suggests, these are the simplest and most common HTTP Flooding attacks. The attackers use the same range of IP addresses, user agents and referrers (smaller in number than volumetric attacks) to gain access to the same webpage or resource over and over again. The server is unable to handle the sudden flow of requests and crashes.

2. Randomized HTTP Floods:

In this kind of HTTP Flooding attacks, attackers leverage a wide range of IP addresses, randomized URLs/ user agents/ referrers to carry out more complex attacks. Here, botnets may be controlling a number of different devices that are probably infected with malware and that they use to send these GET/POST requests to the server.

3. Cache-bypass HTTP Floods:

These are a sub-category of Randomized HTTP flooding attacks where attackers use different strategies to bypass the web application caching systems and force the server to use up a lot of bandwidth in completing the requests. One example is attackers searching for un-cached content or generic dictionary searches that use up server resources and cause downtimes. Cache Bypass Flooding attacks are considered to be the smartest.

4. WordPress XML-RPC Floods:

In this attack type, attackers leverage the simple WordPress pingbacks of several other WordPress installations as a reflection for orchestrating the Flooding Attack.

Randomized HTTP flooding and Cache-Bypass HTTP flooding are the most common even among the HTTP flooding attacks.

5. Slowloris Attacks:

This is the easiest, most common, and most lethal among the Application-layer DDOS attacks. The lethalness and viciousness of this attack type lie in its underlying simplicity. Slowloris attacks do the opposite of the volumetric attacks – instead of bombarding the server with many requests, the server is sent payloads slowly (hence the name slow loris) while keeping the connection open for a long period of time.  By launching this attack, even in very low volumes, the server connection pool can be exhausted in waiting to receive the full request from the slow loris attack payloads, thereby, preventing it from serving other legitimate users

The key to protecting against Layer 7 attacks

As mentioned earlier, it is critical yet difficult to identify Layer 7 DDoS attacks because of their sneakiness and seeming to request legitimacy. To address these attacks, the DDoS mitigation solution must:

• provide always-on, instant protection including real-time alerts
• allow custom rules and policies
• include the services of certified security experts
• provide security analytics to be prepared for future attacks
• provide real-time visibility to the risk posture.

But most DDoS mitigation solutions tend to focus singularly on volumetric attacks and do not offer such comprehensive security against Layer 7 attacks. Make sure to choose a DDoS protection service that offers an intelligent and comprehensive managed WAF such as AppTrana so that you can ensure your web applications are always available.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.