Application layer DDoS attacks rising
The size, scope and sophistication of distributed denial of service (DDoS) attacks continue to grow at an alarming rate, some recent DDoS attacks have exceeded 1 Tbps, making them the largest on record, but it is not just the large-scale attacks that can threaten your applications and your business.
Despite the perceived spike in DDoS attack size, the average DDoS attack peaked at 14.1 Gbps in 2017’s first quarter, according to Verisign’s DDoS Trends Report (Note: Verisign is an A10 Networks Security Alliance Partner).
While that average attack size seems minuscule in comparison to the colossal, record-breaking attacks of late last year, DDoS attacks that target the application layer tend to be smaller and can go unnoticed until it’s too late. These types of attacks are often referred to as “slow-rate” or “low and slow” attacks, meaning they target applications in a way that they look like actual requests from users until they become overburdened and can no longer respond.
Application layer attacks, or layer 7 attacks as they are often called, are typically part of a multi-vector DDoS attack target not only applications, but also the network and bandwidth. The Verisign report estimates that 57% of DDoS attacks in Q1 2017 were multi-vector as opposed to single vector attacks. The most common types of application layer DDoS attacks include those targeting DNS services, HTTP and HTTPS. And like other types of DDoS attacks, they have one goal: to take out an application, a website or an online service.
According to Imperva’s Q1 2017 Global DDoS Threat Landscape Report, application layer attacks are on the rise. The report found that application layer DDoS attacks reached an all-time high of 1,099 attacks per week in the second quarter of 2017, a rise of 23% over the previous quarter’s 892.
One reason for the uptick in application layer attacks is the Mirai malware. According to Threat Post, a new variant of Mirai is being used to launch application layer attacks. While Mirai originally carried out Layer 2 and 3 DDoS attacks, some of the more recent Mirai-fuelled DDoS attacks, including a 54-hour assault against a US college, are aimed squarely at Layer 7.
“Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016,” Imperva’s Dima Bekerman wrote. “That said, with over 90% of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own.”
Application layer DDoS attacks becoming shorter in duration—the 54-hour onslaught against the college being an exception to that rule—but are growing in frequency, complexity and persistence.
That means attackers target a web server, or an application server, and flood it with just enough traffic to knock it offline. In the case of a web server, it is sending hundreds to thousands of HTTP requests per second that the server just cannot handle—and BOOM!—the site or service is gone.
Because of this, application layer attacks are less expensive for threat actors to carry out and are perceived as harder for security solutions to detect than attacks aimed at the network layer.
So how do you protect applications from this uptick in application layer attacks and from the overall scourge of multi-vector DDoS attacks?
Businesses require a high-performance, surgical multi-vector DDoS protection. It is imperative that a DDoS solution not only detects, but also mitigates attacks large and small, from megabit to terabit in size, including application, volumetric, protocol, resource and IoT-based attacks.
A DDoS defence solution should also be able to be deployed in proactive and reactive mode, depending on a business’s preference, to ensure appropriate protection.
The right DDoS defence solution not only protects your application layer from attacks, but also your network layer and other vectors, ultimately helping your organisation avoid falling victim to a damaging DDoS attack.
IDG News Service