The 2-Faces of DDoS Attacks

November 3, 2014 Updated: April 23, 2016

DDoS has recently been making waves around the online business community. Although all types of DDoS should be taken seriously, not all threats are created equal.  Let’s take a look at the major categories of DDoS, and determine the most pressing security issues facing your online business.

Bark and Bite

The first category of DDoS tends to get most of the attention. Attacks targeting Layers 3 and 4 of the OSI protocol are often grouped together as Network Layer DDoS. Meant to overload a network’s bandwidth with bot-generated data, Layers 3 and 4 can be characterized as flashy but clumsy. Network Layer DDoS is ‘loud’; it makes its presence known by consuming abnormally large amounts of data.

If Network Layer DDoS is a brute, Layer 7 or Application Layer DDoS is a ninja. Layer 7 does not cause a fracas in the OCI protocol; rather, it stealthily strikes single applications, gradually bringing down a site’s infrastructure. One of the difficulties of handling Layer 7 is the sheer number of protocols a hacker can target: HTTP, FTP, SSH, to name a few. Another is the natures of the attack itself, which uses bots that, for most part, will act like and look like regular human visitors or regular search engine crawlers. Faced with these, the real challenge is: “how can I block malicious bots without getting blacklisted and without blocking regular human visitors?”

Defensive Strategies

These two categories of DDoS diverge even further when it comes to mitigation. Defending against Network Layer DDoS requires a strong network; one that can withstand between 200-300 Gbps. This level of network bulk should be enough to withstand 99.9% of attacks. IT specialists tend to be more prepared to handle volumetric attacks on bandwidth, as Layers 3 and 4 were once the most common methods.

Application Layer DDoS, however, is a different story. Layer 7 DDoS reach the application layer by establishing ‘legitimate’ connections with the target server. At this point the malicious bot requests have already bypassed firewalls and other traditional defensive measures. Some larger companies still believe they can hide behind their big network and firewall and be safe from hackers. This is plainly not the case.  

As mentioned, to stop Application Layer DDoS, you first need a method of separating malicious bot requests from those of your human users. Simply shutting down your site or blocking various IPs will only ‘deny service’ to your customers, and thus the hackers have accomplished their mission.

The complex process of Application Layer DDoS mitigation was recently detailed by Incapsula, a cyber-security firm that specializes in dealing with Application Layer assaults.

The 5-step mitigation process described by Incapsula begins with sifting through traffic to determine the type of attack they are up against. Then they examine the online ‘reputation’ of the IPs and individual visitors, further clarifying the sources of traffic.

Next Incapsula employees a series of noninvasive identification challenges (ex. cookie support, JavaScript execution, etc.). Only in rare cases will they administer CAPTCHA tests because it hinders down human users.

Finally, Incapsula performs behavior analysis on the visitors. During such analysis the system monitors the behavior, trying to deal with the question: Is the visitor browsing in abnormal patterns, or is he/she behaving as expected? (e.g., visiting robots.txt first,  in case of Search Engines)

As you can see, Application Layer attacks require defensive infrastructure that’s even more sophisticated than the threats posed by hackers. How do you plan to mitigate an attack that when you can’t identify your enemy?

Take With You

So, what should be your first priority in protecting your online business? Application Layer DDoS or Layer 7 presents a range of challenges that can send even expert IT personnel reeling. Still, as Application Layer attacks multiply, it’s important to make Layer 7 protection part of your overall anti-DDoS strategy.