Application-layer DDoS attacks are becoming increasingly sophisticated

Attackers are using real browsers on infected computers to attack Web applications and bypass DDoS protection

The number of DDoS (distributed denial-of-service) attacks that target weak spots in Web applications in addition to network services has risen during the past year and attackers are using increasingly sophisticated methods to bypass defenses, according to DDoS mitigation experts.

Researchers from Incapsula, a company that provides website security and DDoS protection services, recently mitigated a highly adaptive DDoS attack against one of its customers that went on for weeks and combined network-layer with application-layer -- Layer 7 -- attack techniques.

The target was a popular trading site that belongs to a prominent player in a highly competitive online industry and it was one of the most complex DDoS attacks Incapsula has ever had to deal with, the company's researchers said in a blog post.

The attack started soon after an ex-partner left the targeted company and the attackers appeared to have intimate knowledge of the weak spots in the target's infrastructure, suggesting that the two events might be connected, the researchers said.

The attack began with volumetric SYN floods designed to consume the target's bandwidth. It then progressed with HTTP floods against resource intensive pages, against special AJAX objects that supported some of the site's functions and against Incapsula's own resources.

The attackers then switched to using DDoS bots capable of storing session cookies in an attempt to bypass a mitigation technique that uses cookie tests to determine if requests come from real browsers. The ability to store cookies is usually a feature found in full-fledged browsers, not DDoS tools.

As Incapsula kept blocking the different attack methods, the attackers kept adapting and eventually they started flooding the website with requests sent by real browsers running on malware-infected computers.

"It looked like an abnormally high spike in human traffic," the Incapsula researchers said. "Still, even if the volumes and behavioral patterns were all wrong, every test we performed showed that these were real human visitors."

This real-browser attack was being launched from 20,000 computers infected with a variant of the PushDo malware, Incapsula later discovered. However, when the attack first started, the company had to temporarily use a last-resort mitigation technique that involved serving CAPTCHA challenges to users who matched a particular configuration.

The company learned that a PushDo variant capable of opening hidden browser instances on infected computers was behind the attack after a bug in the malware caused the rogue browser windows to be displayed on some computers. This led to users noticing Incapsula's block pages in those browsers and reaching out to the company with questions.

"This is the first time we've seen this technique used in a DDoS attack," said Marc Gaffan, co-founder of Incapsula.

The challenge with application-layer attacks is to distinguish human traffic from bot traffic, so DDoS mitigation providers often use browser fingerprinting techniques like cookie tests and JavaScript tests to determine if requests actually come from real browsers. Launching DDoS attacks from hidden, but real browser instances running on infected computers makes this type of detection very hard.

"We've been seeing more and more usage of application-layer attacks during the last year," Gaffan said, adding that evasion techniques are also adopted rapidly. "There's an ecosystem behind cybercrime tools and we predict that this method, which is new today, will become mainstream several months down the road," he said.

DDoS experts from Arbor Networks, another DDoS mitigation vendor, agree that there has been a rise in both the number and sophistication of Layer 7 attacks.

There have been some papers released this year about advanced Layer 7 attack techniques that can bypass DDoS mitigation capabilities and the bad guys are now catching on to them, said Marc Eisenbarth, manager of research for Arbor's Security Engineering and Response Team.

There's general chatter among attackers about bypassing detection and they're doing this by using headless browsers -- browser toolkits that don't have a user interface -- or by opening hidden browser instances, Eisenbarth said.

In addition, all malware that has man-in-the-browser functionality and is capable of injecting requests into existing browsing sessions can also be used for DDoS, he said.

Layer 7 attacks have become more targeted in nature with attackers routinely performing reconnaissance to find the weak spots in the applications they plan to attack. These weak spots can be resource-intensive libraries or scripts that result in a lot of database queries.

This behavior was observed during the attacks against U.S. banking websites a year ago when attackers decided to target the log-in services of those websites because they realized they could cause significant problems if users are prevented from logging in, Eisenbarth said. "We continued to see attackers launch those type of attacks and perform reconnaissance to find URLs that, when requested, may result in a lot of resource activity on the back end," he said.

More and more companies are putting together DDoS protection strategies, but they are more focused on network-layer attacks, Gaffan said. They look at things like redundancy or how much traffic their DDoS mitigation solution can take, but they should also consider whether they can resist application-layer attacks because these can be harder to defend against than volumetric attacks, he said.

With application-layer attacks there's an ongoing race between the bad guys coming up with evasion techniques and DDoS mitigation vendors or the targeted companies coming up with remedies until the next round, Gaffan said. Because of that, both companies and DDoS mitigation providers need to have a very dynamic strategy in place, he said.

"I think we will continue to see an evolution in the sophistication of application-layer attacks and we will see more and more of them," Gaffan said. They won't replace network-layer attacks, but will be used in combination with them, he said.

Having Layer 7 visibility is very important and companies should consider technologies that can provide that, Eisenbarth said. In addition to that, they should perform security audits and performance tests for their Web applications to see what kind of damage an attacker could do to them, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags arbor networksapplication developmentWeb services developmentsecuritysoftwareWeb serversIncapsula

More about Arbor NetworksArbor Networks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place