Application layer DDoS attacks, and how they can be mitigated
DDoS (distributed denial of service) and DoS (denial of service) attacks can be broadly classified into three categories based on the layers of the OSI model they target: network layer (Layer 3), transport layer (Layer 4), and application layer (Layer 7).
Layer 3 and Layer 4 attacks are typically less complex (although they can still be very hard to mitigate) and work by flooding the network or transport layer with traffic, exhausting the target's bandwidth or connection-handling capacity and making it unavailable to legitimate users. They can be launched using techniques such as ICMP floods, TCP SYN floods, or UDP floods.
An ICMP flood, for example, is a Layer 3 attack in which a large number of ICMP packets are sent to the target, consuming bandwidth and processing capacity until it becomes unresponsive. A TCP SYN flood, on the other hand, is a Layer 4 attack that abuses the way TCP connections are established.
In a SYN flood, the attacker sends many SYN packets, usually with spoofed source addresses, but never completes the three-way handshake with an ACK. The target allocates state for each half-open connection, filling its backlog queue until it can no longer accept connections from legitimate users. A UDP flood sends a large number of UDP packets to the target, often to random ports, forcing it to process each one (and frequently to answer with ICMP unreachable messages) until its resources are exhausted.
Application layer DDoS attacks
Application layer attacks are more complex and harder to mitigate than layer 3 and layer 4 attacks. They target layer 7 of the target system and exploit the asymmetry between a request that is cheap to send and the work the application does to serve it: a single request can trigger database queries, template rendering, or backend calls, so far less traffic is needed than in a volumetric flood. Layer 7 attacks can do more damage because they directly impact the application and the infrastructure behind it, and because their traffic looks like legitimate traffic. You will not be able to mitigate layer 7 DDoS attacks with layer 3 or layer 4 tools such as network firewalls.
HTTP floods and Slowloris attacks are Layer 7 denial of service attacks. DNS amplification, which is sometimes listed alongside them, is better treated as a layer 3/4 problem: it is a reflection attack that floods the victim's bandwidth with UDP responses rather than exhausting application resources. Layer 7 attacks require defenses that understand the application protocol, such as application-layer firewalls, intrusion prevention systems, and CDNs (content delivery networks).
HTTP floods
HTTP flood attacks are performed with GET or POST requests to overwhelm the target server. Floods using GET requests are simpler and cheaper for the attacker because they only request content from the server; they are most effective against dynamic pages that are expensive to generate. POST floods carry a request body, typically aimed at form handlers, search endpoints, or APIs, so every request forces the server to parse input and usually to do backend work such as database writes.
One reason HTTP flood attacks are difficult to mitigate is that they are usually launched from a large number of sources (botnets, open proxies, or VPN exit nodes), making it hard to identify and block all malicious traffic. Unlike UDP or SYN floods, an HTTP flood cannot use spoofed source addresses, because the attacker has to complete the TCP handshake before it can send a request; the attacker's cover instead comes from the sheer number of real hosts involved, each of which sends traffic that looks like an ordinary browser session.
Defending against HTTP flood attacks can be complicated, and different types of flood require different mitigation strategies. Common defenses include rate limiting, IP blocklisting, and web application firewalls. These techniques can be resource-intensive, and they may not be sufficient against sophisticated attacks that spread requests thinly across many sources or mimic real user behaviour, which is why they are usually combined with a CDN or DDoS mitigation service that can absorb the traffic.
Slowloris attacks
Slowloris is not a flooding attack but a low-and-slow attack that targets the way web servers handle client connections. It opens a large number of connections to the server and sends each request very slowly, keeping every connection open for as long as possible. Because the server dedicates a worker thread, process, or connection slot to each of them, the pool of available connections is exhausted even though the attacker uses very little bandwidth and sends very few requests, so the rate limiting and traffic filtering used against other DDoS attacks is never triggered.
To carry out a Slowloris attack, the attacker uses a script or tool that opens many connections and sends a partial HTTP request on each one: the request line and a few headers, but never the blank line that terminates the header block. At regular intervals, shortly before the server's timeout would expire, it sends one more meaningless header line (for example `X-a: b`) to keep the connection alive. Each request looks legitimate, so the server keeps waiting for the rest of it. Over time all of the server's connection slots are occupied by requests waiting for additional data, and it stops responding to legitimate traffic.
Slowloris attacks can be difficult to detect because of their covert design and low bandwidth, which makes them an effective tool for attackers who want to take down a target's servers without triggering alerts or raising suspicion. Servers that dedicate a thread or process to each connection (Apache with the prefork or worker MPM is the classic target) are the most exposed; event-driven servers such as Nginx handle idle connections cheaply and are far less affected. To defend against Slowloris attacks, web servers can implement several countermeasures: limit the number of concurrent connections from a single IP address, set a timeout for incomplete requests, and require a minimum data rate once a request has started. Some web application firewalls and DDoS mitigation services have built-in protection against Slowloris, using algorithms that detect and block such traffic in real time.
Layer 7 DDoS mitigations
Rate limiting
Rate limiting involves setting a threshold on the number of requests that can be made from a specific IP address or user agent in a specific period of time. The concept is the same as rate limiting at layers 3 and 4, but it has to be implemented where the requests are visible, at layer 7.
The purpose of rate limiting is to prevent an attacker from overloading the web application with a large number of requests, causing server disruption. Rate limiting can be implemented at various layers of your web application architecture, on a web server, load balancer, or application firewall. Implementations typically involve tracking the number of requests made by a particular IP address or user agent and blocking further requests when a predefined threshold is reached.
A common approach to implementing rate limiting in web applications is to use middleware or plugins that track the number of requests made by each client and block further requests when the threshold is exceeded. These plugins can be configured to apply different rate limiting policies based on factors such as the type of request, user agent, or client IP address.
For example, a simple policy can limit a single IP address to a maximum of 10 requests per minute. If a client exceeds this threshold, subsequent requests are rejected (typically with an HTTP 429 Too Many Requests response) until the period expires. Keying on the client IP alone penalizes users behind a shared NAT or corporate proxy and misses an attacker spread across many addresses, so production policies usually combine the IP with the requested path, an API key, or a session identifier, and they take the client address from X-Forwarded-For only when that header was set by a proxy you control.
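To make the policy concrete, here is an added example (not code from this post or from any of the web servers or cloud WAFs discussed below) of a per-client token-bucket limiter in Python, the same family of algorithm the web server modules use. The class and function names are this example's own, and the traffic it replays is constructed, not a real capture: one source bursts 12 requests in a second, an unrelated client sends one, and the first source comes back a few seconds later.

```python
import time
from typing import Callable, Dict, List, Tuple

# Added example: a per-client token-bucket limiter. Not taken from any of
# the web servers or cloud WAFs discussed on this page; the class and
# function names are this example's own.


class TokenBucketLimiter:
    """Per-key token bucket.

    Each key (here a client IP) owns a bucket holding up to `burst` tokens.
    Tokens trickle in continuously at `rate` per second; every request
    spends one. A request that finds the bucket empty is rejected, which a
    web server would report as HTTP 429 Too Many Requests.
    """

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate
        self.burst = burst
        self.clock = clock  # injectable so a replay can supply its own timestamps
        # key -> (tokens currently in the bucket, time of the last refill)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.burst), now))
        # Refill in proportion to the elapsed time, never above the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False

    def prune(self, idle_for: float) -> int:
        """Drop buckets untouched for `idle_for` seconds so the table does not
        grow without bound during an attack from many source addresses."""
        now = self.clock()
        stale = [k for k, (_, last) in self._buckets.items() if now - last > idle_for]
        for k in stale:
            del self._buckets[k]
        return len(stale)


def run_scenario(events: List[Tuple[float, str]],
                 rate_per_minute: float = 10.0,
                 burst: int = 10) -> List[Tuple[float, str, bool]]:
    """Replay (timestamp, client_ip) events through a limiter keyed by IP
    and return (timestamp, client_ip, allowed) for each request.

    With the page's policy of 10 requests per minute the bucket refills at
    one token every 6 seconds and holds 10, so a client may burst 10
    requests and is then held to the steady rate.
    """
    now = [0.0]
    limiter = TokenBucketLimiter(rate=rate_per_minute / 60.0, burst=burst,
                                 clock=lambda: now[0])
    decisions = []
    for ts, ip in events:
        now[0] = ts
        decisions.append((ts, ip, limiter.allow(ip)))
    return decisions


# Constructed traffic, not a real capture: one client fires 12 requests in
# the same second, a second client sends one, and the first client returns
# 6.5 s and 7 s later.
CONSTRUCTED_EVENTS: List[Tuple[float, str]] = (
    [(0.0, "198.51.100.7")] * 12
    + [(0.0, "192.0.2.10")]
    + [(6.5, "198.51.100.7"), (7.0, "198.51.100.7")]
)

if __name__ == "__main__":
    for ts, ip, ok in run_scenario(CONSTRUCTED_EVENTS):
        print(f"t={ts:5.1f}s {ip:14} {'allowed' if ok else 'REJECTED (429)'}")
```

Running it shows the first ten requests from 198.51.100.7 admitted, the eleventh and twelfth rejected, the other client unaffected, and one more request admitted at 6.5 s once a single token has refilled. The burst size is the tuning knob that matters in practice: too small and a page that loads a dozen assets trips the limit, too large and the attacker gets that many free requests per source. Replace the in-memory dictionary with a shared store such as Redis when the limiter runs on more than one node, or each node will enforce its own, weaker, limit.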
Application-layer rate limiting products are available for popular web servers and cloud services, including:
Apache
Apache has several modules that can be used for rate limiting, such as mod_limitipconn, which limits the number of simultaneous connections from a given IP address, and mod_qos, which provides various quality of service controls including rate limiting.
Furthermore, the ModSecurity web application firewall can rate limit: rules using its persistent collections count requests per client and block those exceeding a defined threshold. In addition to the modules mentioned above, Apache also provides mod_evasive, a module that rate limits and blocks clients exceeding a defined threshold. It tracks requests per IP address, both per page and site-wide, and temporarily denies (with HTTP 403) clients that exceed the configured counts within the configured interval.
Nginx
Nginx provides the ngx_http_limit_req module, which limits the request rate per key (typically the client IP address, but any variable can be used). It uses a leaky bucket: requests are admitted at the configured rate, a configurable burst is queued, and anything beyond that is rejected with HTTP 503 by default (limit_req_status lets you return 429 instead). Nginx also provides the ngx_http_limit_conn module, which limits the number of concurrent connections per key. This one does not use a bucket at all; it simply counts open connections and rejects new ones once the limit is reached.
IIS
Microsoft's Internet Information Services (IIS) includes the Dynamic IP Restrictions module, which can be configured to block IP addresses that exceed a maximum number of concurrent requests or a maximum number of requests within a time window, and which can log the offending requests for monitoring. IIS also provides the Request Filtering module. It does not rate limit, but it can reject requests by HTTP verb, URL and query-string length, file extension, and header size, which cuts off the request shapes an attacker is likely to favour.
AWS
Amazon Web Services (AWS) offers rate limiting through AWS WAF, whose rate-based rules count requests per source IP (or per other keys such as a header or URI path) over a rolling window and block or challenge sources above a threshold.
AWS Shield provides DDoS protection at layers 3 and 4 for every account (Shield Standard); Shield Advanced adds visibility, cost protection, and response support, and it relies on AWS WAF rules for layer 7 mitigation rather than providing its own rate limiting. The Elastic Load Balancer itself has no per-client rate limiting; layer 7 limits are applied by attaching a WAF web ACL to the Application Load Balancer or to CloudFront in front of it.
Azure
Microsoft Azure offers several services that can be used for rate limiting. Azure Application Gateway includes a web application firewall whose custom rules can limit the rate of incoming requests per client. Azure Front Door's WAF likewise offers rate limit rules that block requests from client addresses above a predefined threshold. Azure Firewall, by contrast, is a layer 3/4 control: it filters by address, port, and FQDN but does not rate limit HTTP requests per client, so it is not a substitute for the two services above.
GCP
Google Cloud Platform (GCP) offers Cloud Armor, a web application firewall whose rate-based rules can throttle clients that exceed a defined threshold or ban them for a configurable period.
These application-layer rate limiting products can effectively mitigate HTTP flood attacks by limiting the number of requests from rogue clients. However, they must be configured carefully so that they do not block legitimate traffic, and they should be used in conjunction with other security measures such as firewalls and DDoS mitigation services to provide comprehensive protection against DDoS attacks.
Timeouts for incomplete requests
Below are Slowloris mitigations at the application layer for the Apache, Nginx, and IIS web servers, followed by the relevant load balancer and timeout features of AWS, Azure, and GCP:
Apache
In addition to the modules mentioned above, Apache provides mod_reqtimeout, which sets a timeout for receiving the request headers and body and can also require a minimum data rate. If the client has not finished sending the request within the limit, the server closes the connection. Its RequestReadTimeout directive, for example with `header=20-40,MinRate=500`, grants 20 seconds for the headers, extends that by one second for every 500 bytes the client actually sends, and caps the total at 40 seconds, so a client that keeps sending real data gets more time while a Slowloris connection dribbling a few bytes does not. This is the primary Apache defense against Slowloris.
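The following is an added example, not Apache code and not from the original post, that models the header timeout with a minimum data rate described above (in the style of mod_reqtimeout's `header=20-40,MinRate=500`) and the Slowloris traffic described in the Slowloris section. The byte arrivals it replays are constructed: a browser on a fast link, a client on a slow link whose large cookie header arrives in two pieces, and a Slowloris connection that sends one bogus header line every ten seconds and never the terminating blank line. Names such as `evaluate_header_read` and `HeaderReadPolicy` are this example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a model of a header-read timeout with a minimum data
# rate, in the style of mod_reqtimeout's "header=20-40,MinRate=500".
# It is not Apache code; it replays constructed byte arrivals to show why
# a Slowloris connection is cut off while a slow but honest client is not.

HEADER_END = b"\r\n\r\n"  # blank line that terminates the HTTP header block


@dataclass(frozen=True)
class HeaderReadPolicy:
    initial_timeout: float = 20.0  # seconds granted before any data arrives
    max_timeout: float = 40.0      # ceiling on the extended deadline
    min_rate: float = 500.0        # bytes that buy one extra second


def evaluate_header_read(arrivals: List[Tuple[float, bytes]],
                         policy: HeaderReadPolicy = HeaderReadPolicy()
                         ) -> Tuple[str, float]:
    """Decide what a server enforcing `policy` does with one connection.

    `arrivals` lists (seconds since accept, bytes received) in order.
    Returns ("complete", t) if the header terminator arrives at time t
    before the deadline, or ("timeout", deadline) if the deadline passes
    first, i.e. the server closes the connection at `deadline`.
    """
    deadline = policy.initial_timeout
    received = b""
    for t, chunk in arrivals:
        if t > deadline:
            return ("timeout", deadline)
        received += chunk
        # Every min_rate bytes received extend the deadline by one second,
        # but never beyond max_timeout: a client that keeps sending real data
        # gets more time, a client dribbling a few bytes does not.
        deadline = min(policy.max_timeout,
                       policy.initial_timeout + len(received) / policy.min_rate)
        if HEADER_END in received:
            return ("complete", t)
    # The client stopped sending without finishing the header; the server
    # closes the connection when the deadline passes.
    return ("timeout", deadline)


def slowloris_arrivals(interval: float, count: int) -> List[Tuple[float, bytes]]:
    """Constructed Slowloris traffic: a partial request, then one bogus header
    line every `interval` seconds and never the terminating blank line."""
    chunks = [(0.1, b"GET / HTTP/1.1\r\nHost: victim.test\r\n")]
    for i in range(1, count + 1):
        chunks.append((0.1 + i * interval, b"X-a: b\r\n"))
    return chunks


# Constructed honest traffic: a browser on a fast link, and a client on a
# slow link whose large cookie header arrives in two pieces.
FAST_CLIENT = [(0.05, b"GET / HTTP/1.1\r\nHost: victim.test\r\n\r\n")]
SLOW_CLIENT = [
    (15.0, b"GET /a HTTP/1.1\r\nCookie: " + b"x" * 1980 + b"\r\n"),
    (23.0, b"\r\n"),
]

if __name__ == "__main__":
    for name, arrivals in [("fast client", FAST_CLIENT),
                           ("slow client", SLOW_CLIENT),
                           ("slowloris", slowloris_arrivals(10.0, 6))]:
        print(name, evaluate_header_read(arrivals))
```

With the default policy the fast client completes at 0.05 s, the slow client's 2 kB of real header data buys it four extra seconds so its terminating blank line at 23 s is still accepted, and the Slowloris connection is closed just after 20 s, because its eight-byte keepalive lines extend the deadline by only a few hundredths of a second. Run the same Slowloris arrivals under a lax policy such as `HeaderReadPolicy(initial_timeout=300.0, max_timeout=300.0)` and the connection is held for the full 300 s, which is exactly the resource the attacker is after.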
Nginx
Besides the ngx_http_limit_conn and ngx_http_limit_req modules, Nginx's core module provides client_header_timeout and client_body_timeout, which bound how long the server waits between successive reads of the request headers and body (60 seconds each by default), and send_timeout, which bounds how long it waits for the client to accept a response. If the client stalls for longer than the timeout, Nginx closes the connection with a 408 status. For proxied requests, proxy_read_timeout separately limits how long Nginx waits for the upstream server to respond. Because Nginx is event-driven, idle Slowloris connections cost it little, but tightening these timeouts together with limit_conn keeps them from piling up.
IIS
In addition to the Dynamic IP Restrictions and Request Filtering modules, IIS relies on its kernel-mode driver, HTTP.sys, to enforce connection limits. Its webLimits settings (connectionTimeout, headerWaitTimeout, and minBytesPerSecond) define how long a connection may stay idle, how long the client has to send the complete headers, and the minimum rate at which it must send data. A client that exceeds these limits or falls below the minimum rate is disconnected before it can tie up a worker.
AWS
In addition to AWS WAF and AWS Shield, AWS offers Elastic Load Balancing, whose Application Load Balancer enforces a configurable idle timeout (60 seconds by default) and closes connections on which no data has been sent or received for that long, so an attacker's slow connections are terminated at the edge before they reach the application.
Azure
In addition to Azure Application Gateway and Azure Front Door, Azure offers Azure Load Balancer, a layer 4 load balancer with a configurable TCP idle timeout (4 minutes by default) that closes connections idle for longer than that period. Application Gateway additionally enforces a request timeout in its backend settings.
GCP
Google Cloud Platform (GCP) offers connection timeout options on its load balancers. Cloud Load Balancing's backend service timeout bounds how long the load balancer waits for a backend response, and the external HTTP(S) load balancer's front end closes client connections that stay idle beyond its keepalive limit, so slow or stalled connections are shut down before they accumulate.
Conclusion
In conclusion, DDoS and DoS attacks can be classified by the layer of the OSI model they target: the network layer (Layer 3), the transport layer (Layer 4), or the application layer (Layer 7).
While layer 3 and layer 4 attacks flood the network and transport layers with traffic, layer 7 attacks are more complex and abuse the applications themselves. HTTP floods and Slowloris attacks are examples of layer 7 denial of service attacks. Countermeasures against these attacks include rate limiting, blocklisting, request timeouts, and web application firewalls.
Attackers can customize their techniques and tailor their attacks to evade detection and security measures. It is therefore imperative that organizations implement a comprehensive, multi-layered defense strategy that includes monitoring, detection, and response capabilities to rapidly identify and contain attacks in real time. This may include using machine learning and behavioral analytics to detect and block malicious traffic patterns.
Post Disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent those of his employer or the organizations with which he is affiliated.
The information contained in this post is for general information purposes only. The information is provided by Farhad Mofidi and while he strives to keep the information current and accurate, he does not make any representations or warranties of any kind, express or implied, regarding the completeness, accuracy, reliability, suitability or availability of the website, or of any information, products or related graphics contained in any post, for any purpose.
Also, AI may be employed as a tool to provide suggestions and improve some of the contents or sentences. The ideas, thoughts, opinions, and final products are original and human-made by the author.