Clever Attackers Gaining Ground in the DDoS Landscape


One of the most oft-cited pieces of advice bandied about by teachers, parents, bosses and other well-meaning figures of authority is ‘work smarter, not harder.’ Even though these people must know almost no one is paying attention, they just keep on saying it, confident that someone, somewhere is listening.

Well, those authority figures are right, someone has been listening. Unfortunately for the internet and business world at large, it’s DDoS attackers. Crafty application layer attacks are on the rise, and that is bad news for anyone trying to keep online users happy.

The meaning of it all

At its core, DDoS means distributed denial of service: a type of cyberattack that seeks to keep legitimate users of a targeted website or online service from connecting to or using it.

DDoS attackers accomplish this using a botnet – a network of internet-connected devices and computers that have been infected with malware that allows them to be controlled remotely by the person or persons using the botnet. This gives attackers a wealth of computing resources to aim at target websites or services in an effort to either knock them offline or slow their performance enough that they are basically unusable. This is typically accomplished in one of two ways.

A layered approach

Distributed denial of service attacks can be broadly split into two categories: network layer attacks, and application layer attacks. Network layer attacks are aimed at, wait for it, the network layer of the targeted website. These attacks tend to be large in scale, designed to be big enough to saturate the bandwidth of the target, clogging the network pipelines so legitimate users are unable to get through.

The application layer is where attackers work smarter, not harder. Application layer distributed denial of service attacks work to bypass security measures by mimicking normal user behavior with what appear to be legitimate requests, such as the repeated loading of a web page or site element, in order to exhaust finite server-side resources like the CPU.

These attacks can be quite small and are most efficient when they force the application or server to allocate a maximum amount of resources in response to every individual request – for instance, by sending small DNS queries to the server that require the server to send back responses that are up to 70 times larger than those initial queries.

Problem one

The first problem with application layer attacks is that they can be difficult to stop. With network layer DDoS attacks, it’s essentially botnet muscle vs. DDoS mitigation muscle, if the target has DDoS mitigation. There is little finesse to it; whoever is more powerful wins.

Application layer attacks, on the other hand, are sneaky and sophisticated, and protecting against them is much more complex. DDoS attacks on their own cause enough damage in the form of lost traffic and revenue and long-term eroded user loyalty, but application layer attacks are also often used to mask hackings and data theft attempts, making them even more dangerous for businesses and websites that store any form of intellectual property or sensitive data.

Problem two

The second problem with these hard-to-stop attacks is that they’re on the rise. While the number of network layer attacks has been falling for four straight quarters, the number of application layer attacks is climbing. In the second quarter of 2017, 1099 application layer attacks per week were mitigated by DDoS mitigation firm Incapsula, compared to 269 network layer attacks per week. While the weekly number of network layer attacks held pretty steady between Q1 and Q2, application layer attacks increased by about 200 per week.

The solution to both

Dealing with application layer attacks requires DDoS mitigation that can distinguish between legitimate user traffic, good bots, bad bots and full-on attack traffic, treating each type of traffic accordingly. For attack traffic, this means bouncing it to a scrubbing server before it can impact the access afforded to legitimate users and good bots. Further, this traffic categorization process needs to include progressive challenges that help to quickly analyze and categorize traffic that ranks as suspicious but can’t be immediately identified as good or bad.
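As an added example (not code from the original article or from Incapsula), a minimal Python sketch of the categorization-plus-progressive-challenge flow described above: it buckets each source in one window of constructed log lines into legitimate, good bot, bad bot, attack or suspicious, sends attack traffic to scrubbing, and walks suspicious sources up a cookie, JavaScript and CAPTCHA challenge ladder across windows. The thresholds, the user-agent lists and the simplified log line format are assumptions.

```python
from collections import Counter

# Constructed sample log lines for one time window (not real traffic): a browser,
# a self-identified crawler, an agent-less scanner, a flood, and a busy client.
SAMPLE_LOG = (
    ['203.0.113.10 "GET /index.html" "Mozilla/5.0 Firefox/54.0"'] * 3
    + ['198.51.100.7 "GET /robots.txt" "Googlebot/2.1"'] * 2
    + ['192.0.2.50 "GET /login" ""'] * 5
    + ['192.0.2.99 "GET /search?q=a" "Mozilla/5.0 Firefox/54.0"'] * 120
    + ['203.0.113.77 "GET /index.html" "Mozilla/5.0 Firefox/54.0"'] * 40
)
SUSPICIOUS_RPW, ATTACK_RPW = 30, 100   # requests per window; assumed thresholds
GOOD_BOT_UA = ("Googlebot", "Bingbot")  # assumed to be verified out of band
CHALLENGES = ("cookie", "javascript", "captcha")  # progressive challenge ladder

def parse(lines):
    """Return {ip: (request_count, user_agent)} for one window."""
    counts, agents = Counter(), {}
    for line in lines:
        ip, _, _, ua, _ = line.split('"')
        counts[ip.strip()] += 1
        agents[ip.strip()] = ua
    return {ip: (counts[ip], agents[ip]) for ip in counts}

def classify(count, ua):
    """Bucket one source into the classes the mitigation must tell apart."""
    if any(bot in ua for bot in GOOD_BOT_UA):
        return "good_bot"
    if not ua:                    # no user agent at all: crude bad-bot signal
        return "bad_bot"
    if count >= ATTACK_RPW:
        return "attack"
    if count >= SUSPICIOUS_RPW:
        return "suspicious"
    return "legitimate"

def decide(ip, category, levels):
    """Map a class to an action; suspicious sources climb the challenge ladder."""
    if category in ("legitimate", "good_bot"):
        return "allow"
    if category == "bad_bot":
        return "block"
    if category == "attack":
        return "scrub"            # divert to scrubbing before it reaches the origin
    level = levels.get(ip, 0)     # escalate each window the source stays suspicious
    levels[ip] = min(level + 1, len(CHALLENGES) - 1)
    return "challenge:" + CHALLENGES[level]

def run(lines, levels):
    """Process one window; `levels` carries challenge state between windows."""
    return {ip: decide(ip, classify(c, ua), levels)
            for ip, (c, ua) in parse(lines).items()}
```

Calling `run` repeatedly with the same `levels` dict simulates consecutive windows, so a source that keeps looking suspicious moves from the cookie check to the JavaScript check and finally to a CAPTCHA.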

While DDoS attackers get to work smart but not hard with their application layer attacks, DDoS mitigation has no such luxury. In order to protect against all forms of distributed denial of service attacks, DDoS mitigation needs to be both powerful and smart. For most websites and businesses, this will mean a leading cloud-based managed mitigation service with granular traffic inspection.