 

Application-Layer DDoS Attacks: Bad Things Come in Small Packages

 

Distributed Denial of Service attacks come in many flavours. One of the more popular these days is the application-layer attack, sometimes called a Layer 7 attack because it targets the top layer of the OSI model, which supports application and end-user processes.

Service providers can detect and block volumetric attacks as well as larger application-layer attacks, but smaller application attacks can easily escape detection in the large ISP backbone while still being large enough to cause a problem for the enterprise network or data centre.

A Growing Threat

Application-layer attacks figure prominently in the DDoS threat landscape, according to Arbor Networks’ 12th Annual Worldwide Infrastructure Security Report. Indeed, an estimated 88% of all DDoS attacks are smaller than two gigabits per second. Domain Name System (DNS) servers, the directories that translate domain names into IP addresses, are the most common targets, cited by 81% of the report’s respondents. HTTP and HTTPS services are also targeted frequently, rendering them unavailable to legitimate requests.

In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications. For a financial institution or online retailer that depends on its web presence to attract and serve customers, the impact can be catastrophic. Not only does the attack prevent the normal conduct of business, but it can also make a site invisible to search engines, or at least bump it from the front page of search results.

Protecting Apps is Not Enough

IT security teams are often under the mistaken impression that a web application firewall (WAF) provides adequate protection against application-layer attacks. Since applications are the targets, this seems logical on the surface, and WAFs are certainly necessary to filter or block attempts to gain access to servers or data. But WAFs are themselves vulnerable to state or resource exhaustion. The problem is that what starts as a trickle of legitimate-looking app service requests eventually turns into a flood, and application-level defences won’t recognise the flood of legitimate-looking requests as an attack at all.

For these reasons, a DDoS perspective is necessary to detect and thwart application-layer attacks. Without a dedicated DDoS solution, security teams may not even realise they are under attack when the site goes offline. They’re left scrambling to restore service on the fly, diverting IT resources and eating up hours or even days that can translate into millions of dollars of lost business.

The First Line of Defence

To effectively detect and mitigate this type of attack in real time, what’s needed is an inline, always-on solution deployed on-premise as part of a best-practice, hybrid DDoS defence strategy combining cloud-based and on-premise mitigation. An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defences through cloud signalling.

The best place to deploy application-layer DDoS detection and mitigation measures is at the traffic entry point at the edge of the enterprise data centre or ISP infrastructure – ideally outside the firewall. Because of the small scale of these attacks, they are harder to detect and stop once they have worked their way into the data centre or network. An edge-based DDoS protection system gives operators the ability to customise detection and mitigation for the specific applications running within the data centre.

Please contact Brookcourt Solutions for more information on Application DDoS monitoring: t: +44 (0) 1737 886111 e: contact@brookcourtsolutions.com

 
