Home / Industry

Defending Against Layer 7 DDoS Attacks

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.

Map of Botnets From Recent Layer 7 Attack Mitigated by Verisign (Note: The above geolocation is based on source IPs that may have been spoofed) Click to Download Full Report

Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. The application layer (per the Open Systems Interconnection model) consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic. For example, a Layer 7 DDoS attack might target a website element (e.g., company logo or page graphic) to consume resources every time it is downloaded with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics to steal information.

A Multi-Vector Approach

VERISIGN DDOS TRENDS REPORT
VOLUME 3, ISSUE 2 – 2ND QUARTER 2016 (Click to Download Full Report)
Verisign's recent trends show that DDoS attacks are becoming more sophisticated and complex, including an increase in application layer attacks. Verisign has observed that Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. In fact, 35 percent of DDoS attacks mitigated in Q2 2016 utilized three or more attack types.

In a recent Layer 7 DDoS attack mitigated by Verisign (see latest DDoS Trends Report), the attackers started out with NTP and SSDP reflection attacks that generated volumetric floods of UDP traffic peaking over 50 Gigabits per second (Gbps) and over 5 Million packets per second (Mpps) designed to consume the target organization's bandwidth. Verisign's analysis shows that the attack was launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States.

Once the attackers realized that the volumetric attack was mitigated, they progressed to Layer 7 HTTP/HTTPS attacks. Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests using the following methods, amongst others:

  • Basic HTTP Floods: Requests for URLs with an old version of HTTP no longer used by the latest browsers or proxies
  • WordPress Floods: WordPress pingback attacks where the requests bypassed all caching by including a random number in the URL to make each request appear unique
  • Randomized HTTP Floods: Requests for random URLs that do not exist — for example, if example.com is the valid URL, the attackers were abusing this by requesting pages like www.example.com/loc id=12345, etc.

Lessons Learned

The challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic, which can make it harder to defend against the volumetric attacks. As Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers will need to have a dynamic mitigation strategy in place. Layer 7 visibility along with proactive monitoring and advanced alerting are critical to effectively defend against increasing Layer 7 threats.

As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, they should also consider whether the solution can detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site.

For a look at more DDoS attack trends, download a complimentary copy of Verisign's quarterly DDoS Trends Report.

Written by Michael Kaczmarek, VP, VSS Marketing and Product at Verisign.

Verisign

About Verisign – Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS). Learn More

Related topics: Cyberattack, Cybercrime, DDoS, Malware, Cybersecurity

 
   

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias

DNS Security

Sponsored by Afilias
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year