Application Layer DDoS attacks are an extremely popular, and effective, technique used by cybercriminals to disrupt web-based services. There are several variations of application layer attacks, so mitigating them can be a challenge.
What are application layer DDoS attacks?
Essentially, application layer DDoS attacks are designed to overload a web-based resource, such as a website, stopping it from functioning properly. Also known as a Layer 7 attack (after the application layer in the OSI networking model), the idea is to consume as many system resources as possible, preventing legitimate traffic from being served. For an online business, loss of web app functionality or availability could be disastrous.
There are six ways that hackers can launch application layer DDoS attacks:
1. Slowloris – A tool that allows a single computer to send partial requests, forcing the receiving web server to keep each connection open until the request is completed. Eventually, the number of open ports exceeds the maximum allocated to the application, causing the server to slow and/or crash.
2. Slow post – Similar in aim to slowloris, the slow POST attack uses a botnet to send thousands of POST requests to a web server. The traffic appears completely legitimate, but each POST message is sent as slowly as possible, sometimes just one byte every two minutes. Again, the server dedicates resources to each request until it runs out of allocation, bringing the web application to a standstill.
3. Slow read – The opposite of the slow post, this technique sees the botnet taking as long as possible to read responses sent by the web server. Each bot maintains an active connection to prevent timeout, eventually overwhelming resources, causing the server to crash.
4. Low and slow – Slowloris is just one example of this form of attack. Again, easily accessible tools can crash a server with relatively small amounts of web traffic, simply by sending network packets very slowly to the target machine until allocated resources are exhausted. These attacks can be launched using HTTP or TCP protocols.
5. Jumbo payload attacks – Hackers send a data structure encoded XML to the target webserver. The application then tries to decode the data structure by creating an in-memory SOAP message, consuming all available memory and causing the application to crash.
6. HTTPs flooding/Mimicked user browsing – A distributed botnet sends thousands of simultaneous legitimate looking HTTP/HTTPs requests to a webserver, overloading its resources and causing it to crash. This attack looks very similar to a spike in normal web traffic. Some online businesses may experience similar crashes caused by genuine web users during periods of peak traffic like on Black Friday and Cyber Monday.
Tips for mitigating Layer 7 DDoS attacks
Here are some proven best practices for mitigating application layer DDoS attacks:
Many DDoS attacks are designed to go undetected to maximise damage and disruption. The more ‘normal’ the incoming traffic requests look, the less likely they are to trigger DDoS mitigation systems. By establishing a baseline of what ‘normal’ traffic looks like, your web application engineers will be better placed to identify a DDoS attack when it does happen.
Use your logs
Web server logs contain a goldmine of information about web traffic norms. If you suspect the early stages of a slow post/slow read attack, the server logs will help to confirm if one is underway.
Employ a multi-layer approach to defence
No single tool will protect completely against application layer attacks – so deploy several. DDoS detection and mitigation can be complemented by network perimeter firewalls, web application firewalls and advanced network routing and filtering rules.
Invest in next-gen DDoS monitoring and mitigation
Criminals will typically monitor the progress of their attack, tweaking configurations to avoid detection and mitigation techniques. A next generation detection tool like FastNetMon uses a range of techniques to proactively identify application layer DDoS attacks in just two seconds without having to rely on retroactively applied signatures and rules. Automating monitoring, detection and mitigation can stop an attack before server and application performance are affected.
That’s not to say you should ignore signatures completely. If your DDoS prevention mechanisms include updates, you should test and apply them as quickly as possible. The more layers of defence you can implement, the better protected you will be against attack.
Application layer DDoS attacks are particularly sneaky because they don’t always rely on vast volumes of traffic. As we have discussed, some attacks are extremely slow, using very small amounts of traffic to cause disproportionate levels of damage. As such, traditional DDoS mitigation tools and strategies may not be effective in the modern cybersecurity environment.
To learn more about FastNetMon and how it will help your online business avoid application layer DDoS attacks and outages, sign up for a free one-month trial.