NordVPN Promotion

Home / Industry

Defending Against Layer 7 DDoS Attacks

Map of Botnets From Recent Layer 7 Attack Mitigated by Verisign (Note: The above geolocation is based on source IPs that may have been spoofed) Click to Download Full Report

Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. The application layer (per the Open Systems Interconnection model) consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic. For example, a Layer 7 DDoS attack might target a website element (e.g., company logo or page graphic) to consume resources every time it is downloaded with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics to steal information.

A Multi-Vector Approach

VERISIGN DDOS TRENDS REPORT
VOLUME 3, ISSUE 2 – 2ND QUARTER 2016 (Click to Download Full Report)
Verisign’s recent trends show that DDoS attacks are becoming more sophisticated and complex, including an increase in application layer attacks. Verisign has observed that Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. In fact, 35 percent of DDoS attacks mitigated in Q2 2016 utilized three or more attack types.

In a recent Layer 7 DDoS attack mitigated by Verisign (see latest DDoS Trends Report), the attackers started out with NTP and SSDP reflection attacks that generated volumetric floods of UDP traffic peaking over 50 Gigabits per second (Gbps) and over 5 Million packets per second (Mpps) designed to consume the target organization’s bandwidth. Verisign’s analysis shows that the attack was launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States.

Once the attackers realized that the volumetric attack was mitigated, they progressed to Layer 7 HTTP/HTTPS attacks. Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests using the following methods, amongst others:

  • Basic HTTP Floods: Requests for URLs with an old version of HTTP no longer used by the latest browsers or proxies
  • WordPress Floods: WordPress pingback attacks where the requests bypassed all caching by including a random number in the URL to make each request appear unique
  • Randomized HTTP Floods: Requests for random URLs that do not exist—for example, if example.com is the valid URL, the attackers were abusing this by requesting pages like www.example.com/loc id=12345, etc.

Lessons Learned

The challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic, which can make it harder to defend against the volumetric attacks. As Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers will need to have a dynamic mitigation strategy in place. Layer 7 visibility along with proactive monitoring and advanced alerting are critical to effectively defend against increasing Layer 7 threats.

As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, they should also consider whether the solution can detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site.

For a look at more DDoS attack trends, download a complimentary copy of Verisign’s quarterly DDoS Trends Report.

Written by Michael Kaczmarek, VP, VSS Marketing and Product at Verisign.

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

NordVPN Promotion