You have just become the victim of an application layer distributed denial-of-service (DDoS) attack. This type of disturbance, sometimes referred to as a “Layer 7” DDoS attack, is difficult to spot and even more difficult to defend against.
Because your website and the systems and applications that support it are exposed to the outside world, they are ripe targets for attacks designed either to exploit unpatched flaws or to abuse the way these systems are meant to work. As application development continues to move to the cloud, such attacks will remain difficult to defend against.
Strength vs. Smarts
The DDoS attacks that make the news are usually large-scale network attacks aimed at Layers 3 and 4 of the network stack. From a mitigation point of view, however, network layer attacks are not particularly sophisticated. It boils down to one simple question: who has more network capacity, the attacker or the mitigation service?
Dealing with a Layer 7 attack, however, is more complicated. When defending against these stealthy and complex methods, success does not depend on how big you are, but rather how smart your security technology is and how well it can be used.
In order to defend against application layer attacks, security teams must be able to accurately profile incoming traffic and distinguish between humans, human-like bots, and hijacked Web browsers and connected devices (home routers, for example).
As a result, the Layer 7 mitigation process is often far more complex than the attack itself. That complexity, combined with the fact that a well-executed attack looks like legitimate traffic and leaves no obvious trace, explains the lack of headlines on the subject. The security industry generally prefers to talk in terms of network capacity, which says nothing about resilience against application layer attacks.
Network layer attacks overwhelm a site's bandwidth or connection-handling capacity in order to take it offline. An application layer attack is different: it aims at the expensive operations (searches, logins, checkouts) and the flaws in a site's own application code, which signature-based defenses have never seen and therefore cannot recognize.
As already noted, the attack surface has grown for many organizations as cloud-based platforms become the new normal in application development. To keep up with the changing DDoS landscape, developers need to build security measures into the application during development rather than bolting them on afterward.
The Open Web Application Security Project (OWASP) was created to assist in defending against Web threats. In its Top Ten Most Critical Web Application Security Risks, the group focuses on some of the critical risks facing organizations today.
Though the list of the most prevalent application layer risks can be helpful to security teams, it is refreshed only every few years. In the meantime, new and more sophisticated attack methods appear at an alarming rate.
Until developers build security measures into their products, security teams will need to be ever-vigilant and deploy solutions designed to identify anomalous behavior in incoming traffic at the point of ingress.
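What building the measure into the application can look like, as an added example that is not code from the original article: a per-client token bucket that is charged by the cost of the endpoint rather than the request count, so a handful of checkout or search requests drains as much budget as a hundred static-asset fetches. The endpoint costs, bucket size and refill rate are assumed illustrative values, and the fake clock exists only so the example runs deterministically.

```python
import time

# Relative backend cost of each path prefix, in tokens. Illustrative values
# (assumed for this example): a checkout or search is far more expensive to
# serve than a static asset, so it should drain a client's budget faster.
ENDPOINT_COST = {
    "/checkout": 25,
    "/search": 10,
    "/product/": 2,
    "/static/": 1,
}
DEFAULT_COST = 2


class FakeClock:
    """Deterministic clock so the example replays the same way every time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CostAwareLimiter:
    """Per-client token bucket that charges by endpoint cost, not request count.

    Call allow() before doing any expensive work for the request; a False
    result means the client has exhausted its budget and should get HTTP 429.
    """

    def __init__(self, capacity=100, refill_per_sec=10, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.clock = clock
        self._buckets = {}  # client id -> [tokens, timestamp of last refill]

    def _cost(self, path):
        for prefix, cost in ENDPOINT_COST.items():
            if path.startswith(prefix):
                return cost
        return DEFAULT_COST

    def _refill(self, client):
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        self._buckets[client] = [tokens, now]
        return tokens

    def allow(self, client, path):
        cost = self._cost(path)
        tokens = self._refill(client)
        if tokens < cost:
            return False
        self._buckets[client][0] = tokens - cost
        return True

    def tokens_left(self, client):
        return self._refill(client)


def demo():
    """Replay a burst against /checkout, then show the bucket refilling."""
    clock = FakeClock()
    limiter = CostAwareLimiter(capacity=100, refill_per_sec=10, clock=clock)
    burst = [limiter.allow("203.0.113.10", "/checkout") for _ in range(5)]
    clock.advance(5)  # 5 s * 10 tokens/s = 50 tokens back, enough for two more
    after_wait = [limiter.allow("203.0.113.10", "/checkout") for _ in range(3)]
    return burst, after_wait


if __name__ == "__main__":
    print(demo())
```

The check has to run before the expensive work (database query, payment call), otherwise it protects nothing. In a real deployment the client key would be the authenticated session or a client fingerprint rather than a bare IP address, since many customers share addresses behind NAT and CDNs, and the costs would come from measured backend time per endpoint.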
Advanced DDoS Tactics
IT admins must pay close attention to Layer 7 DDoS attacks because the application layer can be targeted in ever more sinister ways. It was reported earlier this year, for example, that attackers are using bursts that are short in duration but high in request volume. Shopping (eCommerce) sites are particularly prone to this tactic: paying customers are blocked at the final step, such as checkout, and abandon their purchase.
Such short bursts also serve as reconnaissance. By measuring how the site responds, attackers learn how much traffic it takes to exhaust a particular resource (available memory or bandwidth, for example). Armed with that figure, they launch a volumetric attack to keep IT personnel busy while they go after the application itself. Such a campaign is typically preceded by planting malware or finding a security flaw that gives the attacker a foothold.
Is the traffic legitimate? That is the question that challenges network personnel: which requests come from a bot and which from a customer? Answering it reliably takes security tools that profile behavior rather than just volume.
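An added example, not from the original article, of the traffic profiling described earlier and of the bot-or-customer question just raised: a single pass over access-log lines that keeps a sliding window of requests to expensive endpoints per client and notes whether the client ever fetched a static asset, as a real browser rendering the page would. The log lines, IP addresses, endpoint list and thresholds are all constructed for the example; a deployment would set the thresholds from a baseline of its own normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Combined-log-format line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths that cost the backend real work. Tuning values are assumed for the
# example; derive them from a baseline of normal traffic in practice.
EXPENSIVE_PREFIXES = ("/checkout", "/search", "/login")
WINDOW_SECONDS = 10
BURST_THRESHOLD = 6   # expensive requests from one client inside one window


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec


def profile(lines):
    """Single pass over log lines (time-ordered per client); returns {ip: verdict}."""
    window = defaultdict(deque)        # ip -> timestamps of expensive requests in window
    peak = defaultdict(int)            # ip -> most expensive requests seen in any window
    loaded_assets = defaultdict(bool)  # ip -> ever fetched a static asset (a browser would)
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        seen.add(ip)
        if rec["path"].startswith("/static/"):
            loaded_assets[ip] = True
        if rec["path"].startswith(EXPENSIVE_PREFIXES):
            w = window[ip]
            w.append(rec["ts"])
            while w and rec["ts"] - w[0] > WINDOW_SECONDS:
                w.popleft()
            peak[ip] = max(peak[ip], len(w))
    verdicts = {}
    for ip in seen:
        if peak[ip] >= BURST_THRESHOLD and not loaded_assets[ip]:
            verdicts[ip] = "bot"          # hammers expensive endpoints, never renders a page
        elif peak[ip] >= BURST_THRESHOLD:
            verdicts[ip] = "suspicious"   # looks like a browser but requests at an inhuman rate
        else:
            verdicts[ip] = "human"
    return verdicts


# Constructed sample log (not real traffic): a shopper, a script hammering
# /checkout, and a browser-like client bursting against /search.
def _line(ip, second, path, ua):
    ts = datetime(2023, 10, 10, 13, 55, second, tzinfo=timezone.utc)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/118.0 Safari/537.36"
SCRIPT = "python-requests/2.31.0"

SAMPLE_LOG = (
    [_line("203.0.113.10", 0, "/product/42", CHROME),
     _line("203.0.113.10", 1, "/static/app.js", CHROME),
     _line("203.0.113.10", 20, "/checkout", CHROME),
     _line("203.0.113.10", 45, "/checkout", CHROME)]
    + [_line("198.51.100.7", 30 + i, "/checkout", SCRIPT) for i in range(12)]
    + [_line("192.0.2.55", 10, "/static/app.js", CHROME)]
    + [_line("192.0.2.55", 10 + i, "/search?q=x", CHROME) for i in range(8)]
)

if __name__ == "__main__":
    for ip, verdict in sorted(profile(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

The third client shows the hard case the article is pointing at: a hijacked browser or router passes the asset check and carries a real User-Agent, so request rate against expensive endpoints is the only signal left, which is why it is flagged "suspicious" rather than "bot". Keying on the source IP is also weak behind NAT and CDNs; a production profiler would key on session or client fingerprint and compare against per-endpoint baselines rather than fixed thresholds.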
Recommendations for Securing Critical Applications
At a minimum, the following best practices should be followed if you are a software developer or cyber security professional:
Review content and security policies – Does a strategy exist for protecting company data assets from DDoS attacks? Is it current? Are you meeting compliance regulations? Are all company divisions involved? Remember, representatives of business, IT, and security should all be part of the software development life cycle.
Get educated about the threats – Learn about the Web application security risks that have already been identified. The OWASP Top 10 Web application security risks list is a great start.
Talk to a security expert – Learn from those who have gained experience in the trenches. Whether it’s an analyst firm or a solution provider, look to the professionals to learn what best practices are recommended in today’s threat environment and develop a mitigation plan that accounts for all threats, including the hard-to-spot Layer 7 DDoS attack.
Deploy equipment that secures the network from within – This requires appliances built to detect and mitigate Layer 7 (application layer) attacks intelligently and quickly. Such protection is available as a feature of other network/security appliances, but complete protection requires purpose-built anti-DDoS appliances, and even those depend on the application itself being resilient, since an appliance cannot fix an expensive code path it merely sits in front of.
Application layer attacks are sophisticated and effective, either as a disruption in themselves or as a distraction while exfiltration or other mayhem takes place. These attacks show no signs of slowing down, so organizations need to act now to defend themselves and their customers.
In addition to having and implementing secure application development policies, security teams should look to round out their efforts with dedicated security appliances that can help everyone rest easier.