What is an Application Layer DDoS Attack? How do I prevent an Application Layer DDoS Attack?
Application layer DDoS attacks are designed to attack the application itself, focusing on specific vulnerabilities or issues, resulting in the application not being able to deliver content to the user. Application layer DDoS attacks are designed to attack specific applications, the most common is web servers, but can include any application such SIP voice services and BGP.
Such DDoS attacks are usually low-to-mid volume since they have to conform to the protocol the application is using, which often involves protocol handshakes and protocol/application compliance. This means that these DDoS attacks will primarily be launched using discrete intelligent clients, usually Internet of Things (IoT) devices, and cannot be spoofed.
What Are the Different Types of Application Layer DDoS Attack?
When looking at DDoS trends over time, attacks are cyclical in nature. Attackers develop new DDoS attack types and vectors, which are used to launch a new wave of attacks. As defenders become more proficient in stopping these new DDoS attacks, the attackers develop new types of attacks and the cycle repeats itself.
The proliferation of insecure IoT devices in recent years has been a boon to the DDoS attackers as there are now a nearly unlimited number of intelligent devices which can be used to launch more advanced application layer attacks.
Common application layer attacks might include:
What Are the Signs of an Application Layer DDoS Attack?
Application layer DDoS attacks can be detected using security-focused flow analysis; however, since they are low-volume DDoS attacks, it is necessary to use behavioral analysis or deep packet analysis to uncover them. What is required is the use of IDMSs to detect the specific attack vector used by either employing virtual or physical appliances' visibility into the traffic.
Why Are Application Layer DDoS Attacks Dangerous?
Cybercriminals are constantly evolving their toolset and looking for new application layer attack techniques. And because they now have access to millions of vulnerable IoT devices, they can launch complex DDoS attacks at scales never seen before.
What makes application layer DDoS attacks most dangerous is that even when multi-vector attacks contain identifiable patterns, a determined attacker will monitor the results of his attack and modify it to thwart a skilled and determined defender. Because active attackers are known to continually modify payload patterns to avoid simplistic DDoS mitigation, maintaining an ongoing list of known attack patterns quickly becomes impractical due to scale issues and the rate at which this list must be updated. Further, since payload patterns bring a high risk of causing collateral damage, maintaining a long-lived set of payload patterns may be unwise.
How to Mitigate and Prevent Application Layer DDoS Attacks
Because DDoS attacks can be complex in nature and a determined attacker will rapidly change the attack vector to avoid mitigation, the IDMS should use a set of methods to analyze and block these kinds of DDoS attacks.
Best practices to defend against constantly evolving types of denial of service attacks include:
- Use flow telemetry analysis supplemented with behavioral analysis to detect abnormalities and attacks. Focus on understanding what is normal. This will simplify identification of abnormalities.
- Use an IDMS to detect abnormal behavior and application layer attacks that require advanced and active mitigation; and using this approach in conjunction with BGP FlowSpec Offload when and where appropriate.
If implemented successfully, these DDoS protection techniques will force the attacker to behave like normal clients, rendering the DDoS attack ineffective and allowing for the use of application-level analysis to detect any abnormal traffic or usage patterns.