The Growing Threat of Application-Layer DDoS Attacks
In the cat-and-mouse game between DDoS hackers and defenders, it seems protection vendors have made great progress in the past year – particularly in the realm of application-layer attacks.
Unsurprisingly, this forced hackers to scale up their attack methods.
Here’s what we’ve seen in the past year or so, in this ongoing battle between hackers and solution providers.
Application-Layer DDoS Attacks
First, a bit of background.
Volumetric DDoS attacks (also known as “floods”) are typically associated with the term “DDoS” due to press headlines. Their less-famous cousin, application-layer attacks, are nevertheless extremely effective and hard to detect.
Instead of compromising a service with a volume of requests, application-layer attacks – or layer 7 attacks – target an edge server that executes a web application. Their effectiveness comes from their ability to disrupt both a targeted server and network resources, with a relatively low total bandwidth. Attacks are also difficult to detect since they are comprised of seemingly legitimate and innocent requests.
DDoS attacks at the application level are constantly growing in popularity and sophistication. During a recent Cyber Forum event at the House of Lords in London, it was reported that 56% of DDoS attacks on AWS customers were application-layer attacks. A Radware report points out that total malicious web application and API transactions increased by 171 percent in 2023, with a significant part of this increase attributed to layer 7 encrypted web application attacks.
DDoS Protection Vendors Improve Their Tools
In light of the prevalence of application-layer attacks, leading DDoS protection solutions like Cloudflare, Imperva, Akamai, as well as cloud computing platforms like AWS, and Azure, have made significant strides towards protecting against such attacks.
Best-in-class solutions are currently able to automatically identify and mitigate some application-layer attacks – mostly the simpler types, such as GET/POST requests, suffocating the internet pipeline by repeat HTTP requests for heavy static content, and the like. Put differently, such attacks will be mitigated automatically without the need for any specific configuration or settings on your part. A few solutions have also succeeded in significantly reducing the time to mitigation.
Bot protection is probably the most significant step vendors have taken. Many vendors have acquired companies or integrated bot protection technology into their WAF products as an integral element in their DDoS protection options. Bot protection has become critical in the overall online security game, as many DDoS attacks make use of botnets that include more than 5,000 IPs.
Another area of improvement is management dashboards. This goes beyond trivial graphical capabilities. A well-designed dashboard provides operational functionality, helping IT and security teams to quickly identify and understand the nature of an attack and the real-time mitigation status.
Generally speaking, the leading mitigation tools are constantly improving in their ability to distinguish humans from bots, reduce false positives, and introduce challenges when needed.
Attackers Enhance Their Strategies
On the other hand, barriers to launching DDoS attacks, including application-layer attacks, have been significantly lowered with the emergence of DDoS-for-hire services (a.k.a. stressers or booters).
Booters, or ready-made tools for hire, are cheap and easy to use, allowing a novice attacker to launch sophisticated attacks. DDoS tools are continuously improving, including the type of servers used for attacks, the number of servers and bots, the use of randomization, and more.
On the technical front, cheap or even free DDoS-for-hire services offer improved capabilities with multiple attack types, including HTTP request floods, SYN floods, and others. Developers of attack tools are familiar with vendor mitigation technologies, as they offer corresponding attack methods (for example, the MSDDOS tool offers an option named “CloudFlare Bypass”).
Three Takeaways
As a business trying to implement the best DDoS protection, here are three steps you can take to keep up in the mitigation arms race.
Realistic DDoS test simulation. Running DDoS simulation testing to know your mitigation status is a given. However, you should ensure your provider can run effective tests that realistically simulate the most recent and up-to-date attacks.
Tool configuration. While tools and services are constantly improving, they can never be used with out-of-the-box settings and still meet your specific requirements. Spend time adjusting and tweaking your configuration.
Ongoing DDoS hardening. The DDoS game is an ongoing one. You should periodically check your systems, test your protection and mitigation processes, and close any gaps discovered.