What is an application layer attack?
Application layer attacks, also known as DDoS attacks, are on the rise. They've become one of the most favoured ways of launching an attack, which is why organisations must protect themselves from the increasing number (and power) of application layer attacks.
What is an application layer attack?
An application layer attack, or 'DDoS attack', targets an application and its specific vulnerabilities or weaknesses so that the application can no longer communicate with, or deliver content to, its users. The applications most commonly targeted are web servers, but SIP voice services and BGP are also targets.
Application layer attacks include low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or OpenBSD vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, these attacks aim to crash the web server. The magnitude of an attack is measured in requests per second (rps).
DDoS attacks of this kind are usually low-to-mid volume, since they have to conform to the protocol the application uses, which often involves protocol handshakes and protocol/application compliance. This means these attacks are primarily launched from discrete, intelligent clients, usually Internet of Things (IoT) devices, and their source addresses cannot be spoofed.
What are the different types of application layer attack?
When looking at DDoS trends over time, attacks are cyclical in nature. Attackers develop new attack types and vectors, which are used to launch a new wave of attacks. As defenders become more proficient in stopping these new attacks, the attackers develop new types of attacks and the cycle repeats itself.
The proliferation of insecure IoT devices in recent years has been a boon to the DDoS attackers as there are now a nearly unlimited number of intelligent devices that can be used to launch more advanced application layer attacks.
Common application layer attacks include:
- BGP hijacking
- Slow post
- Slow read
- HTTP(S) flooding
- Low and slow attack
- Large payload post
- Mimicked user browsing
What are the signs of an application layer attack?
Application layer attacks can be detected using security-focused flow analysis; however, because they are low-volume attacks, behavioural analysis or deep packet analysis is needed to uncover them. What is required is an Intelligent DDoS Mitigation System (IDMS) that detects the specific attack vector in use by giving virtual or physical appliances visibility into the traffic.
Why are application layer attacks dangerous?
Cybercriminals are constantly evolving their toolset and looking for new application layer attack techniques. And because they now have access to millions of vulnerable IoT devices, they can launch complex DDoS attacks at scales never seen before.
What makes application layer attacks most dangerous is that even when multi-vector attacks contain identifiable patterns, a determined attacker will monitor the results of their attack and modify it to thwart a skilled and determined defender. Because active attackers are known to continually modify payload patterns to avoid simplistic DDoS mitigation, maintaining an ongoing list of known attack patterns quickly becomes impractical because of scale and the rate at which the list must be updated. Further, since payload patterns bring a high risk of collateral damage, maintaining a long-lived set of payload patterns may be unwise.
How to mitigate and prevent application layer attacks
Because these DDoS attacks can be complex and a determined attacker will rapidly change the attack vector to avoid mitigation, the IDMS should use a combination of methods to analyse and block them.
DDoS protection best practices
Best practices to defend against constantly evolving types of denial of service attacks include:
- Use flow telemetry analysis supplemented with behavioural analysis to detect abnormalities and attacks. Focus on understanding what is normal. This will simplify the identification of abnormalities.
- Use an IDMS to detect abnormal behaviour and application layer attacks that require advanced, active mitigation, and use this approach in conjunction with BGP FlowSpec offload when and where appropriate.
If implemented successfully, these DDoS protection techniques will force the attacker to behave like normal clients, rendering the DDoS attack ineffective and allowing for the use of application-level analysis to detect any abnormal traffic or usage patterns.
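To make the "understand what is normal" advice above concrete, here is an added example (not code from the original page or from any IDMS vendor) of a behavioural baseline check run over constructed web-server log records: it learns per-client requests per second from a normal window, then flags clients whose rate is far above that baseline (HTTP flood) or who hold many long-lived, near-idle requests (low-and-slow). Record layout, thresholds and addresses are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_s, client_ip, request_duration_s, bytes_sent).
# 60 s of normal traffic: five clients, each making 12 requests (0.2 rps).
BASELINE = [(t, "10.0.0.%d" % (t % 5 + 1), 0.2, 4096) for t in range(60)]

# Constructed attack window: the same normal clients plus two attackers.
ATTACK = list(BASELINE)
ATTACK += [(t, "203.0.113.7", 0.01, 512) for t in range(60) for _ in range(20)]  # 20 rps flood
ATTACK += [(0, "203.0.113.9", 120.0, 100) for _ in range(15)]  # 15 stalled, near-idle requests


def per_client_rps(records, window_s):
    """Requests per second for each client over a window of window_s seconds."""
    counts = defaultdict(int)
    for _, ip, _, _ in records:
        counts[ip] += 1
    return {ip: n / window_s for ip, n in counts.items()}


def learn_baseline(records, window_s):
    """Mean and population std-dev of per-client rps in a known-normal window."""
    rates = list(per_client_rps(records, window_s).values())
    return mean(rates), pstdev(rates)


def detect(records, window_s, baseline, k=3.0, slow_min=10, slow_bytes_per_s=100):
    """Return {client_ip: finding} for clients that deviate from the baseline."""
    mu, sigma = baseline
    findings = {}
    # Flood signal: rate far above normal. The floor keeps a flat baseline
    # (sigma == 0) from flagging every client that is slightly busier than usual.
    for ip, rate in per_client_rps(records, window_s).items():
        if rate > mu + k * max(sigma, 0.05):
            findings[ip] = "http_flood"
    # Low-and-slow signal: many requests held open for a long time while moving
    # almost no data, which a pure rate threshold would never notice.
    per_ip = defaultdict(list)
    for _, ip, duration, nbytes in records:
        per_ip[ip].append((duration, nbytes))
    for ip, reqs in per_ip.items():
        stalled = [d for d, b in reqs if d >= 30 and b / d < slow_bytes_per_s]
        if len(stalled) >= slow_min:
            findings[ip] = "low_and_slow"
    return findings


if __name__ == "__main__":
    print(detect(ATTACK, 60, learn_baseline(BASELINE, 60)))
```

In a real deployment the baseline would be learned continuously per application and time of day, and the two signals would feed the IDMS rather than act as a standalone blocker.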