503 “Service Unavailable”…Busy Server or DDoS Attack?

NETSCOUT Arbor
503 service unavailable, server busy or ddos attack

503 “Service Unavailable” …ever receive this error code from one of your web servers?

How about this in your log files?

TCP        192.168.3.102:34678                     91.128.45.2:443               ESTABLISHED

TCP        192.168.3.102:34680                     198.23.78.45:80               ESTABLISHED

TCP        192.168.3.102:34685                     40.33.75.45:443               TIME_WAIT

TCP        192.168.3.102:34696                     40.33.75.45:443               TIME_WAIT

TCP        192.168.3.102:34705                     91.13.15.23:443               TIME_WAIT

TCP        192.168.3.102:34715                     91.13.15.23:443               TIME_WAIT

Busy server? Maybe not. It could be the result of an application-layer DDoS attack.

What is an application-layer DDoS attack?

The modern-day DDoS attack is complex as it typically executes a dynamic combination of Volumetric, TCP-State Exhaustion and Application-layer attack vectors. And according to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR), application-layer attacks are on the rise. 

503 service

 

As the graphic above shows, each attack vector has a specific goal in mind.

Volumetric attacks are designed to saturate bandwidth, internet facing router interfaces, circuits etc. These types of attacks can be quite large (up to 600 Gbps). According to the WISR, volumetric attacks make up 52% of all DDoS attacks – interestingly this is a drop from 60% in 2016.

TCP-state exhaustion attacks are designed to take out, what’s in many cases, an organization’s first line of defense; meaning their firewalls, IPS, etc.

Application-layer attacks are designed to target and exhaust resources in application servers using commands like HTTP GET, PUT etc. The number of application-layer attacks is increasing. For example, in 2017, 32% of all DDoS attacks were application-layer attacks vs. 25% in 2016. As in years past, top targeted applications were HTTP, HTTPS, and DNS. However, this year’s report indicated a rise in new targets such as email and SIP/VoIP applications.

Why are application-layer DDoS attacks on the rise?

What’s driving this?  Well one reason is that attackers believe in the old adage “size isn’t everything.”  “Stealth” is just as important. Attackers understand that unlike volumetric attacks which draw attention, application-layer attacks are “low and slow”; meaning they consume very little bandwidth and normally fly under the radar of traffic management systems - yet the results can be just as impactful.

How to prevent DDoS attacks

The NETSCOUT Arbor APS (APS) is an industry leading DDoS attack protection device that can stop all types of DDoS attacks. In fact, APS excels at automatically detecting and stopping application layer attacks. So, the next time you see:

“503- Service Unavailable” or TIME-WAIT

Don’t just assume it’s a busy server – you may be under a DDoS attack.

For more information about NETSCOUT Arbor APS product, visit here.