Shining a light on application layer DDoS attacks

Shining a light on application layer DDoS attacks

DDoS attacks are rightly understood as one of the biggest cyber threats today, with their frequency and size growing every year and their financial consequences more dire than ever. DDoS attacks increased by 90% across last year, and with high profile targets ranging from HSBC to the BBC and the U.S. Library of Congress, they have the potential to affect virtually everyone.

But despite widespread fears of DDoS attacks, they are too often viewed just as a network security issue. This is because network layer DDoS attacks are the largest and most aggressive, usually measured gigabytes per second and taking place with the aid of massive botnets. As a result, smaller, more incisive, and often more dangerous application layer DDoS attacks get overlooked, leaving most websites as vulnerable as ever.

This is why it’s important to take action on application layer DDoS security — not only implementing key defenses, but also testing them with a simulated DDoS attack to make sure they are set up properly.

Below, we’ve explained how application layer DDoS attacks can punch above their weight, and why DDoS simulation testing is such an important part of building effective mitigation.

Why application layer DDoS attacks are so effective

If you imagine network-layer DDoS attacks as acts of brute force, application layer attacks are like special ops. They are less powerful and use less bandwidth, making them more difficult to detect, and they exploit a number of common vulnerabilities that are left open.

Oftentimes application layer attacks are so effective because their low bandwidth lets them appear as legitimate users and avoid being stopped by a website’s outer defenses, letting them overload the site with seemingly normal requests. This can include anything from overusing available memory, to focusing on server-dependent requests, to crawling an application for sensitive information like the origin server’s IP address.

How application layer DDoS attacks break through your defenses

Even for websites that take substantial DDoS mitigation measures, there are numerous ways that application level attacks can break through their defenses and cause serious damage. A typical DDoS mitigation infrastructure will consist of the following: a content distribution network (CDN), which caches content on separate servers so an attacker can’t reach the origin server; an on-premise device, like a firewall or a DDoS appliance, that can recognize irregular traffic and block it; and a traffic scrubbing program or service that specializes in detecting attackers.

DDoS defense

The most basic way an attacker can break through a CDN is by finding places where your application layer can’t use cached content and has to access the origin server. Common examples are login pages, search pages, authentication pages, and form submissions. By targeting these, an attacker can overwhelm the origin server with requests without getting caught in the CDN.

Another key thing an attacker will look for when bypassing your CDN is the IP of your origin server, and there are several places at the application level where they can obtain this. Sometimes it is hidden in logs, headers, and response bodies that are accessible externally. Your origin IP can also be leaked through your DNS when a URL inadvertently points your origin IP. Once an attacker has this, they can send massive amounts of traffic to your origin server.

Once an attacker gets past your CDN, this is where on-premise devices and traffic scrubbers come into play by detecting irregular traffic, which, in this case, means an exceedingly high volume of traffic that has to come from a bot instead of a human. These tools are designed to cut off bot traffic and save the origin server from being overwhelmed.

But the additional danger of application layer DDoS attacks is that they are small and incisive enough to trick your defenses into thinking they are legitimate traffic. Very frequently, the rate limits of DDoS mitigation tools are configured in a way that lets attackers get in just under the radar and still cause serious damage. Often, rate limits are too high compared to the normal use of the application, or they are only implemented on the CDN and unable to stop traffic that reaches the origin server.

Why you need to test your DDoS mitigation systems for application layer attacks

The only way to fully protect against application layer attacks is to set up a mitigation infrastructure and test it with a simulated DDoS attack. Application layer attacks are so nuanced and so varied that every website and its corresponding DDoS mitigation infrastructure needs to be fine-tuned to detect the specific behavior of its good users and the possible malicious actions of its bad users.

After conducting numerous simulated DDoS attacks, we at DDoS Strike have found that 94% of DDoS mitigation tools need rate tuning and need to be applied differently across a whole infrastructure. As a result, while application layer DDoS attacks are smaller, we find that they are often more successful and capable of doing more damage. In fact, two application layer attack types, HTTP Flood and Slow Loris, make up over 50% of successful attacks.

To learn more about the types of DDoS attacks, including application layer attacks, view the diagram below and watch the presentation by our lead DDoS consultant Michael Bennett.

Contact us at DDoS Strike for more information about how a simulated DDoS attack can help seal your defenses against DDoS attacks.

Shining a light on application layer DDoS attacks
Common DDS attacks

Share this article on Linkedin