Massive application-layer attacks could defeat hybrid DDoS protection

Unusual application-layer DDoS attacks that consume a lot of bandwidth could spell trouble for on-premise DDoS defenses

Security researchers have recently observed a large application-layer distributed denial-of-service attack using a new technique that could foil DDoS defenses and be a sign of things to come for Web application operators.

The attack, which targeted a Chinese lottery website that used DDoS protection services from Imperva, peaked at 8.7Gbps. In a time when DDoS attacks frequently pass the 100Gbps mark, 8.7Gbps might not seem much, but it's actually unprecedented for application-layer attacks.

DDoS attacks target either the network layer or the application layer. With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume all of the target's available bandwidth, essentially clogging its Internet pipes.

However, with application-layer attacks, which are also known as HTTP floods, the goal is to consume the computing resources -- CPU and RAM -- that a Web server has at its disposal to process requests. When their limit is reached, the server will stop answering to new requests, resulting in a denial-of-service condition for legitimate clients.

Unlike network-layer attacks, HTTP floods don't normally rely on the size of the sent data packets to do damage, but rather on the number of requests that need to be processed by the targeted Web application. Until now, even the largest HTTP floods, which generated over 200,000 requests per second, didn't end up consuming more than 500Mbps, because the packet size of every request was very small.

Most companies build their infrastructure so that an application can handle a maximum of 100 requests per second. Unless these applications are protected by an anti-DDoS service that identifies and filters bogus requests, it's easy to disrupt them, according to researchers from Imperva.

Defending against network-layer attacks usually involves routing all traffic destined for a protected network through the network infrastructure of a DDoS mitigation provider. The provider scrubs the traffic of malicious packets and only forwards the legitimate ones to the customer's network.

On the other hand, protecting against application-layer attacks is often done through a special-purpose hardware appliance that sits on the customer's own network in front of the Web server.

This type of hybrid DDoS protection -- cloud-based network-layer defense combined with on-premise application-layer defense -- can be ineffective when facing massive HTTP floods like the 8.7Gbps one recently encountered by Imperva.

That attack was launched from a botnet made up of computers infected with the Nitol malware that sent legitimate HTTP POST requests mimicking the Web crawler of the Baidu search engine. The requests, 163,000 per second, attempted to upload randomly-generated large files to the server, resulting in the attack's unusually large bandwidth footprint.

"Application layer traffic can only be filtered after the TCP connection has been established," the Imperva researchers said in a blog post. "Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe, which is a huge issue for multi-gig attacks."

This means the network-layer DDoS mitigation service will let the packets through to be inspected by the customer's on-premise appliance designed to protect the application layer. However, those packets won't even reach the appliance because they will generate more traffic than the customer's Internet uplink will be able to handle. It's like hiding a network-layer attack behind an application-layer one.

"Granted, some of the larger organizations today do have a 10 Gb burst uplink," the Imperva researchers said. "Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources. Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise."

For organizations in certain industries like finance, there's no easy answer to fighting off such high-bandwidth application-layer attacks. Their Web applications need to use HTTPS to encrypt data in transit and they need to terminate those HTTPS connections inside their own infrastructure to be in compliance with regulatory requirements regarding the protection of financial and personal data.

Therefore, the application-layer DDoS protection that relies on inspecting the requests after they've been decrypted also needs to happen within their own infrastructure.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?