Detecting and Mitigating an Application Layer HTTP Flood DDoS Attack
Cybercriminals are increasingly using application layer Distributed Denial of Service (DDoS) attacks against their victims. Unlike a Layer 3-4 DDoS attack that consumes network bandwidth, an application layer or L7 attack can be much smaller in traffic volume and can go unnoticed until it is too late. This type of attack is effective because it mimics genuine HTTP request traffic, bypassing standard IDS tools. Application layer attacks of this nature are often part of a wider multi-vector DDoS that aims to disrupt different parts of a victim’s infrastructure.
The accepted definition of an HTTP flood is a type of Layer 7 (L7) DDoS (Distributed Denial of Service) attack designed to overwhelm a server with HTTP requests. There are multiple types of HTTP flood attack, including GET, POST and fragmentation attacks. Layer 7 is the application layer of the Open Systems Interconnection (OSI) model, which defines standards such as HTTP that allow different computer systems to communicate with each other. The HTTP protocol is how we send and receive content over the internet, for example when loading web pages.
A fragmentation attack can use multiple devices to send fragments of a request, consuming resources on the target server because it has to keep the connection open while waiting for the full request to arrive. A GET attack instead sends large numbers of GET requests to exhaust processing capacity on the target web server. All of this is legitimate behaviour according to the HTTP protocol, which means that as additional requests arrive the target web server simply cannot cope and stops responding.
An HTTP POST attack typically hijacks the process of form submission on a website. During this attack, multiple POST requests are sent directly to the targeted server until its capacity is saturated and denial of service occurs. This works because handling the form data and running the relatively complex functions of pushing that data to the persistence layer (usually a database), or running computations on it, consumes significant resources.
Wreckuests, shown above, is a script that runs HTTP flood (GET/POST) DDoS attacks. It is written in pure Python and uses proxy servers as “bots”.
HTTP flooding works best when the target server allocates a lot of resources in response to a single request. To increase the effectiveness of an HTTP flood, attackers build botnets to maximise the number of requests sent.
Mitigating an application layer DDoS attack in large networks is a complex issue. As with cyber threats in general, and at any network size, it comes down to visibility (you cannot stop what you cannot see) and giving SecOps teams the ability to block malicious traffic in real time.
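The visibility point above can be illustrated with a small sliding-window detector. This is an added example and not code from the original article or from Telesoft: it parses constructed web-server access-log lines in the common log format and flags source IPs whose GET or POST request rate exceeds a per-window limit, with a lower limit for POST because, as the article notes, form handling costs the server far more per request. The log format, thresholds and sample addresses are assumptions chosen for the example.

```python
"""Sliding-window HTTP flood detector run over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log layout: Common Log Format with the request line quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_floods(lines, window_s=10, get_limit=50, post_limit=10):
    """Return {ip: reason} for sources exceeding the per-window request limits.
    Each IP keeps one deque of timestamps per method; entries older than the
    window are dropped before the count is compared against the limit."""
    windows = defaultdict(lambda: {"GET": deque(), "POST": deque()})
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "POST"):
            continue
        q = windows[rec["ip"]][rec["method"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        limit = get_limit if rec["method"] == "GET" else post_limit
        if len(q) > limit and rec["ip"] not in flagged:
            flagged[rec["ip"]] = f"{len(q)} {rec['method']} requests in {window_s}s"
    return flagged

def sample_log():
    """Constructed sample: one normal client, one GET flooder, one POST flooder."""
    lines = []
    def add(ip, method, path, sec):
        lines.append(f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] '
                     f'"{method} {path} HTTP/1.1" 200 512')
    for s in range(0, 10, 2):                      # normal browsing: 5 GETs in 10 s
        add("198.51.100.7", "GET", "/index.html", s)
    for s in range(10):                            # GET flood: 60 requests in 10 s
        for _ in range(6):
            add("203.0.113.9", "GET", "/search?q=x", s)
    for s in range(5):                             # POST flood: 15 form posts in 5 s
        for _ in range(3):
            add("203.0.113.44", "POST", "/contact", s)
    return lines
```

Running `detect_floods(sample_log())` flags only the two flooding sources; the flagged IPs are the candidates a SecOps team would block or redirect at the edge.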
Telesoft enables organisations that transport large volumes of data to protect themselves and their customers from this type of attack using a combination of real-time flow monitoring, data prioritisation and aggregation through auto-discovered or user-configured entity sets, IP and domain reputation, signatures and Selective Record. This enables security analysts to discover anomalous behaviour, evaluate its impact and take corrective action to remove or redirect the traffic.