Layer 7 DDOS Attack – All things in moderation

Layer 7 DDOS Attack

An application layer DDoS attack (sometimes referred to as a layer 7 DDoS attack) is a form of denial-of-service attack in which attackers target the application layer of the OSI model. The attack over-exercises specific functions or features of a website with the intention of disabling those functions or features. This application-layer attack is different from an attack on the entire network, and is often used against financial institutions to distract IT and security personnel from security breaches.[1]
To understand what a layer 7 DDoS attack is, you must first understand what is meant by the application layer.

There are seven layers in total, each fulfilling its own purpose in a connected networking framework called the Open System Interconnection Model, referred to for short as the OSI Model.

In a nutshell, the OSI model is separated into seven layers that transport data up and down the chain, from the user all the way to the physical server and back again. Each layer has its own protocols, responsible for carrying out its assigned function.

Here is an example of the OSI Model:

[Figure: The seven layers of the Open System Interconnection (OSI) Model.]

And here is the breakdown of the function of each layer:

[Figure: Layer functions of the OSI Model.[2]]

As you can see from the model, Layer 7 is the application layer, the place where data both originates and returns. When you clicked into this article, this entire series of events occurred in the background.

We classify SYN floods, ACK floods and UDP-based amplification attacks (including DNS, SSDP, NTP, etc.) all as network-layer DDoS attacks.

We categorize HTTP Floods (Layer 7 DDoS attempts) into 4 major categories:

  • Basic HTTP Floods: Common and simple attacks that try to access the same page over and over. They generally use the same range of IP addresses, user agents and referrers.
  • Randomized HTTP Floods: Complex attacks that leverage a large pool of IP addresses and randomize the URLs, user agents and referrers used.
  • Cache-bypass HTTP Floods: A sub-category of the randomized HTTP Floods that also try to bypass web application caching.
  • WordPress XMLRPC Floods: A sub-category that uses WordPress pingback as a reflection for the attacks.

Here are some of the ways to stop a DDoS attack:[3]

  • Block spoofed TCP attacks before they enter your network.
  • Don’t let dark address packets pass your perimeter.
  • Block unused protocols and ports.
  • Limit the number of accesses per second per source IP.
  • Limit the number of concurrent connections per source IP.
  • Filter foreign TCP packets.
  • Do not forward packets with header anomalies.
  • Monitor self-similarity in traffic.
  • Keep unwanted guests away.
  • Use specialized DDoS mitigation equipment.
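As an added example (not from the original post or its sources), the following Python applies two of the ideas above to web server logs: it flags source IPs that exceed a per-second request limit, then labels each offender's traffic using the basic / randomized / cache-bypass categories from the HTTP flood breakdown. The log format, sample lines, IP addresses and the threshold of 3 requests per second are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Simplified, constructed log format (not a real server's): ip, epoch second, request, user agent
LOG_RE = re.compile(r'^(\S+) (\d+) "GET (\S+)" "([^"]*)"$')

# Constructed sample traffic: one basic flood, one cache-bypass flood, one normal visitor
SAMPLE_LOG = """\
198.51.100.7 1000 "GET /login" "curl/7.1"
198.51.100.7 1000 "GET /login" "curl/7.1"
198.51.100.7 1000 "GET /login" "curl/7.1"
198.51.100.7 1000 "GET /login" "curl/7.1"
203.0.113.9 1000 "GET /search?q=ab12" "UA-x1"
203.0.113.9 1000 "GET /search?q=cd34" "UA-x2"
203.0.113.9 1000 "GET /search?q=ef56" "UA-x3"
203.0.113.9 1000 "GET /search?q=gh78" "UA-x4"
192.0.2.5 1000 "GET /" "Mozilla/5.0"
192.0.2.5 1003 "GET /about" "Mozilla/5.0"
"""

def parse(log):
    """Yield (ip, second, path, user_agent) for each well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, path, ua = m.groups()
            yield ip, int(ts), path, ua

def offenders(log, max_per_second=3):
    """Source IPs whose peak requests/second exceed the limit (assumed threshold)."""
    per_second = defaultdict(int)
    for ip, ts, _, _ in parse(log):
        per_second[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > max_per_second}

def classify(log, ip):
    """Label an offender's traffic shape using the post's HTTP flood categories."""
    reqs = [(p, ua) for i, _, p, ua in parse(log) if i == ip]
    paths = {p for p, _ in reqs}
    resources = {p.split("?", 1)[0] for p in paths}   # path without query string
    agents = {ua for _, ua in reqs}
    if len(paths) == 1 and len(agents) == 1:
        return "basic"            # same page, same user agent, over and over
    if len(resources) < len(paths):
        return "cache-bypass"     # same resource hit with varying query strings
    return "randomized"
```

Running `offenders(SAMPLE_LOG)` flags both flooding IPs at 4 requests per second while the normal visitor passes; `classify` then separates the repeated `/login` hits from the query-string-varying `/search` hits that would defeat a cache.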

We hope we were able to provide some insights on the size and types of the Application layer (HTTP Floods) attacks we are seeing in the wild and help bring more attention to this type of threat.

If you have any additional questions or would like to know something specific from our data, let us know.

In the next post, we will introduce each part in detail.

References:
1. https://en.wikipedia.org/wiki/Application_layer_DDoS_attack
2. https://blog.sucuri.net/2015/09/analyzing-popular-layer-7-application-ddos-attacks.html
3. http://ddosattackprotection.org/blog/layer-7-ddos-attack/
