Distributed denial-of-service (DDoS) attacks have become a popular and inexpensive form of cyber attack. Malicious actors can buy cheap DDoS kits online or hire others to do their dirty work. When we see reports about DDoS in the news, they are usually referring to large-scale network attacks that are focused on Layers 3 and 4 of the network stack. From a mitigation point of view, network-layer attacks are unsophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?
But there is another type of DDoS out there, and it’s a horse of a very different color. It’s called an application-layer DDoS attack, sometimes referred to as a “Layer 7” DDoS attack. This type of network assault is difficult to detect and even more difficult to defend against. It’s the kind of attack that can go unnoticed until not only your website is down, but several back-end systems are as well, leading to the panicked call that every CTO dreads.
Because your website, along with the supporting systems and applications behind it, is exposed to the outside world, it is a ripe target for more-sophisticated attacks designed to exploit either unpatched flaws or the way the various systems work together. As application development continues to move to the cloud, this attack will continue to be difficult to defend against. When trying to protect your network from these stealthy and complex methods, success depends not on how big you are, but rather on how smart your security technology is and how well you can employ it.
Run Silent, Run Deep
Rather than relying on the brawn of network capacity, effective mitigation of the Layer 7 DDoS attack relies on the ability to accurately profile incoming traffic: to distinguish between humans, human-like bots and hijacked web browsers and connected devices, such as home routers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that—if done right—the attack will remain transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application-layer attacks.
The typical attacks that focus on Layers 3 and 4 overwhelm specific functions or features of a website with the intention of disabling them. An application-layer attack is different because many vulnerabilities that exist in the proprietary code of web applications are unknown to existing security-defense solutions.
The new normal in application development is the cloud and pervasive cloud-based platforms. Though a boon in many ways, they have increased the attack surface for many organizations. To defend against the ever-changing DDoS landscape, developers need to integrate security measures while in the application’s development phase.
They can learn about current web threats by reading the “Top Ten Most Critical Web Application Security Risks” report by the Open Web Application Security Project (OWASP). Although the report outlines 10 of the most prevalent application-layer risks, it is only released every three years. In the meantime, new and more-sophisticated attack methods are being perpetrated at an alarming rate. Until developers ingrain security into their products, it will be up to security teams to be ever vigilant by implementing solutions designed to identify anomalous behavior in the network on ingress.
The Multipurpose Threat
The application layer can be targeted in an even more sinister way than mere disruption of the network. It was reported earlier this year that attackers are employing methods that are short in duration but are large in traffic volume. Hackers employ these methods for a variety of reasons. Shopping (e-commerce) websites, for example, are particularly prone to this type of attack, in which paying customers are blocked at the last minute, forcing them to abandon their purchase.
Another less obvious but more nefarious use of Layer 7 attacks is to probe a network’s resources, such as how much memory or bandwidth is available, to determine the amount of traffic that will be needed to flood the network. Once that is known, the hackers will use a volumetric attack to distract IT personnel while accessing the application layer from the back end. This type of attack typically will have been preceded by the injection of malware or the identification of a security flaw that allows the attacker to gain a measure of control.
IT security teams need to be able to determine whether incoming traffic is legitimate. In other words, what is a bot and what is a customer? Advanced security tools will be needed to execute this type of protection.
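One way to do the ingress traffic profiling described above and in the Run Silent, Run Deep section, as an added example that is not the article’s or NSFOCUS’s code: it parses constructed access-log lines (the log format, the list of costly endpoints and the thresholds are all assumptions) and flags clients whose request rate, concentration on expensive endpoints and lack of path variety look like a Layer 7 flood rather than a shopper browsing the site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
EXPENSIVE = ("/search", "/cart/checkout")  # assumed costly endpoints for this site
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line into (ip, timestamp, path-without-query), or None."""
    m = LINE_RE.match(line)
    return m and (m[1], datetime.strptime(m[2], TS_FMT), m[4].split("?")[0])

def profile_clients(lines, window=timedelta(seconds=10), rate_limit=30, costly_share=0.8):
    """Return {ip: [reasons]} for clients whose requests in some sliding window look
    like a Layer 7 flood: high rate, concentrated on costly endpoints, little variety."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        start = 0
        for end in range(len(recs)):
            while recs[end][1] - recs[start][1] > window:  # slide the window forward
                start += 1
            win = recs[start:end + 1]
            if len(win) < rate_limit:
                continue
            paths = Counter(r[2] for r in win)
            costly = sum(n for p, n in paths.items() if p.startswith(EXPENSIVE)) / len(win)
            reasons = [f"{len(win)} requests in {window.seconds}s"]
            if costly >= costly_share:
                reasons.append(f"{costly:.0%} of requests hit expensive endpoints")
            if len(paths) <= 2:
                reasons.append("low path variety")
            flagged[ip] = reasons
            break  # one verdict per client is enough
    return flagged

def constructed_log():
    """Constructed sample traffic: one human browsing and one bot hammering /search."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} [{ts}] "GET {path} HTTP/1.1" 200 4096 "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.5", ts=(base + timedelta(seconds=12 * i)).strftime(TS_FMT), path=p)
             for i, p in enumerate(["/", "/product/42", "/product/7", "/cart", "/cart/checkout"])]
    lines += [fmt.format(ip="198.51.100.7", ts=(base + timedelta(milliseconds=100 * i)).strftime(TS_FMT),
                         path=f"/search?q={i}") for i in range(60)]
    return lines
```

Running `profile_clients(constructed_log())` flags only the bot address; the shopper’s five varied requests over a minute never reach the rate threshold.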
Mitigation: A Four-Step Process
In light of the serious potential consequences of Layer 7 attacks, IT-security professionals and software developers should follow these recommendations:
- Learn about the latest threats. Get to know the web-application security risks that have already been identified. The OWASP Top 10 web-application security risks list is a great start.
- Check content and security policies. Can your company’s current strategy protect critical data assets from DDoS attacks? Is it current? Are you meeting compliance regulations? Are all company divisions involved? Remember, representation from business, IT and security should all be a part of the software-development life cycle.
- Get expert insights. Learn from industry experts. Whether it’s a solution provider or an analyst firm, look to the professional to learn what best practices are recommended in today’s threat environment and develop a mitigation plan that accounts for all threats, including the hard-to-spot Layer 7 DDoS attack.
- Secure the network from within. This task will require appliances that are custom built to detect and mitigate application-layer (Layer 7) attacks intelligently and quickly. Such protection is available as a feature of other network/security appliances, but complete protection requires custom-built anti-DDoS appliances.
Application-layer attacks are sophisticated and effective, which means that cyber thugs will continue to launch them. While you go about your daily security duties, a Layer 7 attack is slowly eating up network resources or testing your bandwidth for a later exfiltration assault. Though these attacks are hard to detect, IT-security personnel are not defenseless. Educate yourself on the latest threats and use a combination of policies and security appliances to create a comprehensive security strategy.
About the Author
Rishi Agarwal is Chief Evangelist at NSFOCUS, Inc. He has 12+ years’ experience in product marketing, strategy, business development and product management. He has broad domain expertise in network security, compute and storage. Before NSFOCUS, he was a senior manager at Arbor Networks. Additionally, he has worked at leading technology vendors such as Microsoft, Intel and SanDisk.