At this point in time, people tend to have a pretty decent understanding of DDoS attacks. Not because they’re particularly interesting or enthralling, but because they’ve become as frequent as they are damaging. And when you’re paying out tens or even hundreds of thousands of dollars to deal with them, well, it’s nice to know what they even are.
Beyond that surface-level understanding of what they are, where they might be coming from and what they do when they arrive, though, the general public’s DDoS knowledge tends to drop off. Especially when it comes to application layer attacks, which can seem a little complex. However, application layer attacks are on the rise, and attackers are counting on that complexity to help them get away with their dirty work. If we’re going to try and stop the onslaught, we need to break down the mystery surrounding application layer DDoS attacks.
Dripping in finesse
Let’s start with what application-layer attacks aren’t: network-layer attacks. Network-layer attacks are the ones you see in the headlines swinging 1+ Tbps worth of malicious traffic at a target, often through the use of a botnet made up of hundreds of thousands of IoT devices. When successful, they throw so much traffic at the victim network no one else can get through.
If network-layer attacks can basically be summed up with the words BOTNET SMASH, application-layer attacks can be summed up with the word finesse. These distributed denial of service attacks leave the network alone and instead take aim at server-side resources with the goal of exhausting these resources so there are none left for the people actually trying to access the website or service in question.
By focusing on specific server-side resources, attackers can keep application-layer attacks so small they fly right under the radar of many DDoS mitigation efforts that are watching for influxes of traffic or requests of a certain size. That combined with the fact that application-layer attacks use requests that appear to be legitimate often keeps these attacks unnoticed until a website, service and/or back-end systems go down. Sneaky, sneaky, sneaky.
One attack fits all
According to the Q4 2017 DDoS Global Threat Landscape Report from mitigation providers Imperva Incapsula, application-layer attacks are on the rise to the tune of 43% compared to the quarter before it. This uptick is likely due to a few different reasons. One is that network-layer attacks just aren’t as successful now that leading DDoS mitigation providers are all cloud-based with infinite scalability. Another is that because these attacks require less botnet firepower, they’re cheaper for the attackers.
Application-layer DDoS attacks are also attractive to two distinctly different types of attackers. The people lacking the knowledge to launch their own attacks who use DDoS for hire services instead tend to prefer application-layer attacks because of their low cost and potentially higher chance of success. At the other end of the attacker spectrum are the professionals, who make an effective attack type even more efficient by researching their targets to find the website elements that require the most work from the server and targeting those.
Common attack types
There are a few common application-layer attack types, with HTTP flood attacks one of the most popular. These attacks send HTTP requests to the server and these requests are often specifically formulated to require an intensive response from the server. For example, using HTTP POST requests to ask for dynamic content that is not cacheable and requires trips to the origin server for retrieval. Think of it like working in a storefront and customers coming in one after the other to ask for the heaviest item you store at the very back of the warehouse.
Another type of application-layer DDoS attack is the ICMP or UDP fragmentation attack. Unlike an HTTP flood, which uses legitimate requests, fragmentation attacks send fraudulent ICMP or UDP packets to the server. Since they’re fake, the server struggles to reassemble them, exhausting its resources.
The Slowloris attack lands somewhere in between HTTP floods and fragmentation attacks. Though the requests used in this attack are legitimate, they’re only partial, opening connections with the victim server but never completing them, leaving them open and waiting and unavailable to users trying to make a real connection.
Fighting clever with clever
What it all comes down to is a pretty simple point: distributed denial of service attacks are getting smarter, so your DDoS mitigation needs to get smarter too. Granular traffic inspection combined with intelligent bot detection from a leading cloud-based DDoS mitigation provider is about all that’s going to keep your business safe from the application-layer threat, and the application-layer threat is one that’s growing. Now that you’re forewarned, you need to get forearmed.