Massive application-layer attacks could defeat hybrid DDoS protection

Unusual application-layer DDoS attacks that consume a lot of bandwidth could spell trouble for on-premise DDoS defenses

Security researchers have recently observed a large application-layer distributed denial-of-service attack using a new technique that could foil DDoS defenses and be a sign of things to come for Web application operators.

The attack, which targeted a Chinese lottery website that used DDoS protection services from Imperva, peaked at 8.7Gbps. In a time when DDoS attacks frequently pass the 100Gbps mark, 8.7Gbps might not seem like much, but it's actually unprecedented for application-layer attacks.

DDoS attacks target either the network layer or the application layer. With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume all of the target's available bandwidth, essentially clogging its Internet pipes.

However, with application-layer attacks, which are also known as HTTP floods, the goal is to consume the computing resources -- CPU and RAM -- that a Web server has at its disposal to process requests. When that limit is reached, the server stops answering new requests, resulting in a denial-of-service condition for legitimate clients.

Unlike network-layer attacks, HTTP floods don't normally rely on the size of the sent data packets to do damage, but rather on the number of requests that need to be processed by the targeted Web application. Until now, even the largest HTTP floods, which generated over 200,000 requests per second, didn't end up consuming more than 500Mbps, because the packet size of every request was very small.

Most companies build their infrastructure so that an application can handle a maximum of 100 requests per second. Unless these applications are protected by an anti-DDoS service that identifies and filters bogus requests, it's easy to disrupt them, according to researchers from Imperva.

Defending against network-layer attacks usually involves routing all traffic destined for a protected network through the network infrastructure of a DDoS mitigation provider. The provider scrubs the traffic of malicious packets and only forwards the legitimate ones to the customer's network.

On the other hand, protecting against application-layer attacks is often done through a special-purpose hardware appliance that sits on the customer's own network in front of the Web server.

This type of hybrid DDoS protection -- cloud-based network-layer defense combined with on-premise application-layer defense -- can be ineffective when facing massive HTTP floods like the 8.7Gbps one recently encountered by Imperva.

That attack was launched from a botnet made up of computers infected with the Nitol malware that sent legitimate HTTP POST requests mimicking the Web crawler of the Baidu search engine. The requests, 163,000 per second, attempted to upload randomly generated large files to the server, resulting in the attack's unusually large bandwidth footprint.

"Application layer traffic can only be filtered after the TCP connection has been established," the Imperva researchers said in a blog post. "Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe, which is a huge issue for multi-gig attacks."

This means the network-layer DDoS mitigation service will let the packets through to be inspected by the customer's on-premise appliance designed to protect the application layer. However, those packets won't even reach the appliance because they will generate more traffic than the customer's Internet uplink will be able to handle. It's like hiding a network-layer attack behind an application-layer one.
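The arithmetic behind the two preceding points (why large POST bodies turn an HTTP flood into a bandwidth problem, and why that traffic saturates the uplink before an on-premise appliance can filter it) can be worked through in a few lines. The following is an added example, not code from the article or from Imperva: it derives the average request size from the article's own figures, checks a flood rate against an uplink capacity, and runs a simple defensive heuristic over a constructed access-log excerpt. The log format, the IP addresses, the user-agent strings and the 1024-byte body threshold are all assumptions made for the example; real search crawlers fetch pages with GET and do not upload files, so a claimed crawler sending large POST bodies is the indicator the heuristic looks for.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (not real traffic): client IP, method, path,
# status, request-body bytes, user agent. The Baiduspider string is only a
# user-agent claim made by the client, not a verified crawler identity.
SAMPLE_LOG = """\
198.51.100.7 POST /upload 200 6800 "Mozilla/5.0 (compatible; Baiduspider/2.0)"
198.51.100.7 POST /upload 200 7100 "Mozilla/5.0 (compatible; Baiduspider/2.0)"
203.0.113.9 GET /index.html 200 0 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.8 POST /upload 200 6900 "Mozilla/5.0 (compatible; Baiduspider/2.0)"
203.0.113.10 POST /api/form 200 310 "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
CRAWLER_RE = re.compile(r"spider|bot|crawler", re.IGNORECASE)


def bandwidth_bps(requests_per_second, avg_request_bytes):
    """Bits per second generated by a flood of the given rate and request size."""
    return requests_per_second * avg_request_bytes * 8


def avg_request_bytes(requests_per_second, bandwidth_bps):
    """Average bytes per request implied by a request rate and an observed bandwidth."""
    return bandwidth_bps / 8 / requests_per_second


def uplink_utilisation(attack_bps, uplink_bps):
    """Fraction of the uplink the flood consumes; above 1.0 the link saturates
    before any on-premise appliance gets to inspect the requests."""
    return attack_bps / uplink_bps


def parse_log(text):
    """Parse the constructed log format into dicts, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, body, ua = m.groups()
        records.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "body_bytes": int(body), "ua": ua})
    return records


def flag_crawler_uploads(records, min_body_bytes=1024):
    """Return client IPs that present a crawler user agent while sending POST
    bodies of at least min_body_bytes (threshold is an assumption)."""
    flagged = set()
    for r in records:
        if (r["method"] == "POST" and r["body_bytes"] >= min_body_bytes
                and CRAWLER_RE.search(r["ua"])):
            flagged.add(r["ip"])
    return flagged


def bytes_by_client(records):
    """Total request-body bytes per client IP, for ranking the heaviest uploaders."""
    totals = defaultdict(int)
    for r in records:
        totals[r["ip"]] += r["body_bytes"]
    return dict(totals)


if __name__ == "__main__":
    # Figures quoted in the article: 163,000 requests/s peaking at 8.7 Gbps.
    per_req = avg_request_bytes(163_000, 8.7e9)
    print(f"average request size ~{per_req:.0f} bytes")
    print(f"10 Gb burst uplink utilisation: {uplink_utilisation(8.7e9, 10e9):.0%}")
    print(f"1 Gb uplink utilisation: {uplink_utilisation(8.7e9, 1e9):.0%}")
    recs = parse_log(SAMPLE_LOG)
    print("flagged clients:", sorted(flag_crawler_uploads(recs)))
    print("body bytes per client:", bytes_by_client(recs))
```

Plugging in the article's numbers shows the contrast it describes: 163,000 requests per second at 8.7Gbps works out to roughly 6.7KB per request, whereas a 200,000 request-per-second flood capped at 500Mbps averages only about 312 bytes per request. The same function applied to a 1Gbps uplink returns a utilisation well above 1.0, which is the "packets never reach the appliance" case the paragraph above describes. The log heuristic is only useful once traffic has already arrived, so it belongs on the scrubbing side of the pipe or in the application's own logs for forensics, not as a substitute for upstream mitigation.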

"Granted, some of the larger organizations today do have a 10 Gb burst uplink," the Imperva researchers said. "Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources. Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise."

For organizations in certain industries like finance, there's no easy answer to fighting off such high-bandwidth application-layer attacks. Their Web applications need to use HTTPS to encrypt data in transit and they need to terminate those HTTPS connections inside their own infrastructure to be in compliance with regulatory requirements regarding the protection of financial and personal data.

Therefore, the application-layer DDoS protection that relies on inspecting the requests after they've been decrypted also needs to happen within their own infrastructure.
