Massive application-layer attacks could defeat hybrid DDoS protection

Unusual application-layer DDoS attacks that consume a lot of bandwidth could spell trouble for on-premise DDoS defenses

Security researchers have recently observed a large application-layer distributed denial-of-service attack using a new technique that could foil DDoS defenses and be a sign of things to come for Web application operators.

The attack, which targeted a Chinese lottery website that used DDoS protection services from Imperva, peaked at 8.7Gbps. In a time when DDoS attacks frequently pass the 100Gbps mark, 8.7Gbps might not seem much, but it's actually unprecedented for application-layer attacks.

DDoS attacks target either the network layer or the application layer. With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume all of the target's available bandwidth, essentially clogging its Internet pipes.

However, with application-layer attacks, which are also known as HTTP floods, the goal is to consume the computing resources -- CPU and RAM -- that a Web server has at its disposal to process requests. When their limit is reached, the server will stop answering to new requests, resulting in a denial-of-service condition for legitimate clients.

Unlike network-layer attacks, HTTP floods don't normally rely on the size of the sent data packets to do damage, but rather on the number of requests that need to be processed by the targeted Web application. Until now, even the largest HTTP floods, which generated over 200,000 requests per second, didn't end up consuming more than 500Mbps, because the packet size of every request was very small.

Most companies build their infrastructure so that an application can handle a maximum of 100 requests per second. Unless these applications are protected by an anti-DDoS service that identifies and filters bogus requests, it's easy to disrupt them, according to researchers from Imperva.

Defending against network-layer attacks usually involves routing all traffic destined for a protected network through the network infrastructure of a DDoS mitigation provider. The provider scrubs the traffic of malicious packets and only forwards the legitimate ones to the customer's network.

On the other hand, protecting against application-layer attacks is often done through a special-purpose hardware appliance that sits on the customer's own network in front of the Web server.

This type of hybrid DDoS protection -- cloud-based network-layer defense combined with on-premise application-layer defense -- can be ineffective when facing massive HTTP floods like the 8.7Gbps one recently encountered by Imperva.

That attack was launched from a botnet made up of computers infected with the Nitol malware that sent legitimate HTTP POST requests mimicking the Web crawler of the Baidu search engine. The requests, 163,000 per second, attempted to upload randomly-generated large files to the server, resulting in the attack's unusually large bandwidth footprint.

"Application layer traffic can only be filtered after the TCP connection has been established," the Imperva researchers said in a blog post. "Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe, which is a huge issue for multi-gig attacks."

This means the network-layer DDoS mitigation service will let the packets through to be inspected by the customer's on-premise appliance designed to protect the application layer. However, those packets won't even reach the appliance because they will generate more traffic than the customer's Internet uplink will be able to handle. It's like hiding a network-layer attack behind an application-layer one.

"Granted, some of the larger organizations today do have a 10 Gb burst uplink," the Imperva researchers said. "Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources. Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise."

For organizations in certain industries like finance, there's no easy answer to fighting off such high-bandwidth application-layer attacks. Their Web applications need to use HTTPS to encrypt data in transit and they need to terminate those HTTPS connections inside their own infrastructure to be in compliance with regulatory requirements regarding the protection of financial and personal data.

Therefore, the application-layer DDoS protection that relies on inspecting the requests after they've been decrypted also needs to happen within their own infrastructure.

Join the CSO newsletter!

Error: Please check your email address.

More about Imperva

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place