Map of Botnets From Recent Layer 7 Attack Mitigated by Verisign (Note: The above geolocation is based on source IPs that may have been spoofed) Click to Download Full Report
Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. The application layer (per the Open Systems Interconnection model) consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic. For example, a Layer 7 DDoS attack might target a website element (e.g., company logo or page graphic) to consume resources every time it is downloaded with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics to steal information.
A Multi-Vector Approach
Verisign's recent trends show that DDoS attacks are becoming more sophisticated and complex, including an increase in application layer attacks. Verisign has observed that Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. In fact, 35 percent of DDoS attacks mitigated in Q2 2016 utilized three or more attack types.
In a recent Layer 7 DDoS attack mitigated by Verisign (see latest DDoS Trends Report), the attackers started out with NTP and SSDP reflection attacks that generated volumetric floods of UDP traffic peaking over 50 Gigabits per second (Gbps) and over 5 Million packets per second (Mpps) designed to consume the target organization's bandwidth. Verisign's analysis shows that the attack was launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States.
Once the attackers realized that the volumetric attack was mitigated, they progressed to Layer 7 HTTP/HTTPS attacks. Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests using the following methods, amongst others:
The challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic, which can make it harder to defend against the volumetric attacks. As Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers will need to have a dynamic mitigation strategy in place. Layer 7 visibility along with proactive monitoring and advanced alerting are critical to effectively defend against increasing Layer 7 threats.
As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, they should also consider whether the solution can detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site.
For a look at more DDoS attack trends, download a complimentary copy of Verisign's quarterly DDoS Trends Report.
Written by Michael Kaczmarek, VP, VSS Marketing and Product at Verisign.
Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS). Learn More
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services