Massive application-layer attacks could defeat hybrid DDoS protection

Unusual application-layer DDoS attacks that consume a lot of bandwidth could spell trouble for on-premise DDoS defenses

Security researchers have recently observed a large application-layer distributed denial-of-service attack using a new technique that could foil DDoS defenses and be a sign of things to come for Web application operators.

The attack, which targeted a Chinese lottery website that used DDoS protection services from Imperva, peaked at 8.7Gbps. In a time when DDoS attacks frequently pass the 100Gbps mark, 8.7Gbps might not seem much, but it's actually unprecedented for application-layer attacks.

DDoS attacks target either the network layer or the application layer. With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume all of the target's available bandwidth, essentially clogging its Internet pipes.

However, with application-layer attacks, which are also known as HTTP floods, the goal is to consume the computing resources -- CPU and RAM -- that a Web server has at its disposal to process requests. When their limit is reached, the server will stop answering new requests, resulting in a denial-of-service condition for legitimate clients.

Unlike network-layer attacks, HTTP floods don't normally rely on the size of the sent data packets to do damage, but rather on the number of requests that need to be processed by the targeted Web application. Until now, even the largest HTTP floods, which generated over 200,000 requests per second, didn't end up consuming more than 500Mbps, because the packet size of every request was very small.

Most companies build their infrastructure so that an application can handle a maximum of 100 requests per second. Unless these applications are protected by an anti-DDoS service that identifies and filters bogus requests, it's easy to disrupt them, according to researchers from Imperva.

Defending against network-layer attacks usually involves routing all traffic destined for a protected network through the network infrastructure of a DDoS mitigation provider. The provider scrubs the traffic of malicious packets and only forwards the legitimate ones to the customer's network.

On the other hand, protecting against application-layer attacks is often done through a special-purpose hardware appliance that sits on the customer's own network in front of the Web server.

This type of hybrid DDoS protection -- cloud-based network-layer defense combined with on-premise application-layer defense -- can be ineffective when facing massive HTTP floods like the 8.7Gbps one recently encountered by Imperva.

That attack was launched from a botnet made up of computers infected with the Nitol malware that sent legitimate HTTP POST requests mimicking the Web crawler of the Baidu search engine. The requests, 163,000 per second, attempted to upload randomly-generated large files to the server, resulting in the attack's unusually large bandwidth footprint.

"Application layer traffic can only be filtered after the TCP connection has been established," the Imperva researchers said in a blog post. "Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe, which is a huge issue for multi-gig attacks."

This means the network-layer DDoS mitigation service will let the packets through to be inspected by the customer's on-premise appliance designed to protect the application layer. However, those packets won't even reach the appliance because they will generate more traffic than the customer's Internet uplink will be able to handle. It's like hiding a network-layer attack behind an application-layer one.
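An added, defender-side illustration (not code from the article or from Imperva): it parses nginx-style access log lines with $request_length appended (an assumed format, with constructed sample lines), flags clients whose User-Agent claims to be a search-engine spider while uploading large POST bodies, and reports what share of a given uplink the busiest second of inbound traffic would consume. The avg_request_bytes() helper gives the per-request size implied by the article's 163,000 requests per second at 8.7Gbps.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article). Assumed format: nginx "combined" log
# with $request_length (bytes received from the client) appended as a final field.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2016:10:00:01 +0000] "POST /submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 6700000
203.0.113.11 - - [01/Jan/2016:10:00:01 +0000] "POST /submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 6500000
198.51.100.7 - - [01/Jan/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0)" 640
198.51.100.8 - - [01/Jan/2016:10:00:02 +0000] "GET /results HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 410
203.0.113.12 - - [01/Jan/2016:10:00:02 +0000] "POST /submit HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 7100000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<req_len>\d+)$')

def parse_line(line):
    """Return the fields we need, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["req_len"] = int(d["req_len"])
    d["second"] = d["ts"].split(" ")[0]  # bucket key: timestamp without the zone offset
    return d

def avg_request_bytes(rps, gbps):
    """Bytes each request must carry for `rps` requests/s to add up to `gbps` of traffic."""
    return gbps * 1e9 / 8 / rps

def analyze(log_text, uplink_gbps, max_crawler_post=1_000_000):
    """Peak per-second request/inbound-byte rates and IPs sending crawler-labelled large POSTs."""
    per_sec = defaultdict(lambda: {"requests": 0, "bytes": 0})
    suspicious = set()
    for r in filter(None, map(parse_line, log_text.splitlines())):
        per_sec[r["second"]]["requests"] += 1
        per_sec[r["second"]]["bytes"] += r["req_len"]
        # Search-engine crawlers fetch pages; a "spider" that uploads large POST bodies is not one.
        if "spider" in r["ua"].lower() and r["method"] == "POST" and r["req_len"] > max_crawler_post:
            suspicious.add(r["ip"])
    peak = max(per_sec.values(), key=lambda s: s["bytes"])
    uplink_bytes_per_sec = uplink_gbps * 1e9 / 8
    return {
        "peak_rps": peak["requests"],
        "peak_inbound_bps": peak["bytes"] * 8,
        "uplink_fraction": peak["bytes"] / uplink_bytes_per_sec,  # >1 means the link is saturated
        "suspicious_ips": sorted(suspicious),
    }
```

Filtering on the User-Agent alone is only a first cut; the point of the article is that once the uplink fraction exceeds 1, no on-premise filter sees the requests at all.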

"Granted, some of the larger organizations today do have a 10 Gb burst uplink," the Imperva researchers said. "Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources. Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise."

For organizations in certain industries like finance, there's no easy answer to fighting off such high-bandwidth application-layer attacks. Their Web applications need to use HTTPS to encrypt data in transit and they need to terminate those HTTPS connections inside their own infrastructure to be in compliance with regulatory requirements regarding the protection of financial and personal data.

Therefore, the application-layer DDoS protection that relies on inspecting the requests after they've been decrypted also needs to happen within their own infrastructure.


Lucian Constantin

IDG News Service