Beyond Volumetric Attacks: Defending Against Sophisticated Layer 7 DDoS Threats

Your organization’s online presence is at risk of attack from all corners of the Internet. Threats are constantly growing in numbers and sophistication, which means you really should lock down your application’s vulnerabilities as soon as possible.

This is especially true of Layer 7 attacks on your application, including DDoS and other bot attacks. Although basic volumetric DDoS attacks are detectable because of their high numbers of requests from a single IP address, most attackers are using more sophisticated strategies.

As a result, DDoS protection has never been more important.

IMAGE: UNSPLASH

Understanding Layer 7 DDoS Attack Vectors

In part because of the growing number of IoT and other vulnerable devices, the number of bots is growing, and a consequence of this is an increasing volume and intensity of DDoS attacks.

This problem is exacerbated by things like DDoS-as-a-service, which allows even a completely inexperienced attacker to launch a DDoS attack on your network.

One type of attack that is both difficult to detect and difficult to stop is the volumetric DDoS attack. Volumetric DDoS attacks involve massive amounts of traffic that suddenly descend upon your website or application, rendering it nearly impossible to use for your customers.

Most web apps don’t have the bandwidth to handle the attack, which then takes up all available computing resources.

Without available resources, it’s very difficult to stop a volumetric DDoS attack. So, much of the time, these attacks don’t end until the attacker is ready. Generally, the best way to mitigate these threats is by taking preventative measures that protect potential vulnerabilities.

This type of attack often exploits Layer 7, or the application layer of the OSI model of the Internet. By targeting this layer, bots exploit the access that an application has to your organization’s network. Some common application layer vulnerabilities can be exploited with a few types of attacks, including:

• HTTP flood. In a basic HTTP flood, bots find a single resource-intensive web page or task in an application and repeatedly access that component of your site or app. More complex types of HTTP flood behave similarly, but they might use botnets to send requests directly to your server or to make requests that bypass your app’s cache.
• DNS flood. Often using nonexistent DNS addresses, this type of attack sends large numbers of DNS requests to the server. Because many of the addresses do not exist, your resources are monopolized as the system attempts to find the correct resolution.
• Slowloris. Although they are not actually volumetric attacks, Slowloris and other low-and slow attack techniques cause a similar outcome. Rather than flooding your resources with large volumes of requests from multiple sources, Slowloris relies on very slow, fractional requests that keep connections open for long periods of time. The net effect of this is that your resources are fully occupied as if there had been a volumetric DDoS attack.

Because these attacks exploit weaknesses in application execution and function, it’s important to limit your application’s contact with malicious traffic as much as possible. Once the attacker is able to access your application and begin contacting your resources, stopping the attack becomes very difficult.

Advanced Detection Mechanisms For Layer 7 Attacks

Detecting malicious traffic, however, is much easier said than done. Many modern DDoS attacks succeed because the bots are sophisticated enough to successfully imitate legitimate traffic. Alternatively, some attacks succeed because they use botnets with many different IP addresses.

Since one way to detect a DDoS attack in the past has been to look for large numbers of requests from a small number of IP addresses, mitigation solutions don’t always account for the size and resources of large botnets.

To solve this problem, implement advanced detection solutions that are informed by machine learning.

Machine learning-based anomaly detection can improve your DDoS protection substantially. It is more adaptable and more accurate than traditional detection software because machine learning is able to detect novel patterns and choose to allow or block based on context.

Rather than requiring your security team to manually update rules, machine learning-based detection can often adjust its parameters automatically.

Behavioral analysis of application traffic is another useful detection tool. Solutions that use behavioral analysis can collect and parse traffic data, helping you to understand where your traffic is coming from and what typical behavior looks like.

This visibility makes it easier for your security teams to catch attacks early as behavioral analysis will alert them to potentially malicious activity.

Mitigation Strategies For Complex Layer 7 DDoS

Having a solution that leverages advanced detection to catch potential Layer 7 attacks is important, but you should also be prepared for DDoS attacks with mitigation strategies.

Although detection will catch the majority of attacks, DDoS attacks are constantly evolving, so you need to be prepared for some attacks to slip through the cracks of your defenses.

It’s difficult to effectively mitigate a DDoS attack once it starts, but there are a few strategies that can prevent the attack from completely shutting down your website or application:

• Adaptive rate limiting. This limits the amount of bandwidth allotted to each request. Individual users who make too many of the same requests in a defined time period are blocked.
• Challenge-response mechanisms. Authenticating users with these mechanisms can restrict bots from accessing your application. Users must interact correctly with the challenge to gain access, something that is very challenging for bots.
• Application-aware traffic filtering. Traditional solutions have relied on IP addresses of users to distinguish between legitimate and illegitimate users. With VPNs and other tools that can camouflage a user’s IP, this is not always effective. To solve this problem, some solutions now look at a user’s destination. If the destination is not critical to legitimate users, the number of users permitted to access it can be limited during periods of high traffic.

Layer 7 DDoS attacks could pose a major problem for your organization. However, by implementing effective detection tools that use machine learning, you can reduce your risk of a successful attack. Additionally, putting mitigation strategies in place in case of an attack can limit the damage done to your application.

IMAGE: UNSPLASH

If you are interested in even more technology-related articles and information from us here at Bit Rebels, then we have a lot to choose from.