Tuesday, October 29, 2013

Layer Seven DDoS Attacks

What is Layer 7?
The process of sending and receiving data from one host to another, data encapsulation, is possible due to the existence of a seven layer protocol suite presented as the OSI model (see diagram 1).
Although while examining DoS attacks, we’ll occasionally refer to various layers of this OSI model, special emphasis is to be laid upon the seventh layer, the application layer. In essence, it procures an interface to end-user tasks, and facilitates programs such as web browsers, email services, and photo applications in sending network communications (e.g., SMTP or HTTP).
Diagram 1
layer seven DDoS Attacks Compared to Other Types
The tendency of DDoS attacks shows infallibly that perpetrators take aim and move up the OSI network model over time. The relocation of the prime target is logical, since more DDoS defence systems focus their primary detection powers on lower layers (Imperva, 2012). Therefore, attacks on the web application layer are increasingly popular. Furthermore, layer seven penetration, the top layer in the OSI model, provides an outlet on a business logic layer, which is considered an abstract extension of the aforementioned network protocol suite (F5 Networks, Inc. 2013).

Given that the internet is built vertically by multiple protocol layers, it would be perfectly understandable if internet DDoS attacks assume a vertical classification, as well (Abliz, 2011).

If we adopt this approach, some common types of DDoS attacks include:

  • IP attacks on the network bandwidth – Layer 3 (Network Protocol)
  • TCP attacks on server sockets – Layer 4 (Transport Protocol)
  • HTTP attacks on Web server threads – layer seven (Application Protocol)
  • Web application attacks on CPU resources – layer seven+
(Imperva, 2012)

Now that we grasp the difference between DDoS attacks, in terms of OSI model classification, let’s go through some general features that distinguish layer seven DDoS attacks from others:

  1. While network layer DDoS attacks attempt to overwhelm the victim server with bogus requests, the application layer DDoS attacks rely on legitimate ones (Beitollahi & Deconinck, 2011).
  2. In layer seven DDoS attacks, attacking computers have to set up a full TCP connection. Thus, while providing genuine IP addresses is something you cannot dispense with, the entire action proceeding may seem legitimate in the absence of traffic spikes. They may virtually swindle even a vigilant DDoS defence mechanism, and they’re stealthy. (Manthena, 2011).
  3. A layer seven DDoS attack, in contrast to the others, may exploit vulnerabilities in application software, thus circumventing detection and aiming directly at the targeted Web server (Manthena, 2011). In other words, they are more sophisticated, since they do not count entirely on a brute force to achieve desired ends.
  4. Perhaps the most notable difference; so-called volumetric DDoS attacks strive to bring down network infrastructure and servers by employing high-bandwidth-consuming flooding. That benefits from an inherent blind spot of the internet medium. On the other hand, layer seven DDoS attacks take the victim server in the rear, first engaging well-known applications such as Hypertext Transfer Protocol (HTTP), Voice Over Internet Protocol (VoIP), or Domain Name System (DNS) (Arbor Networks, Inc. 2012).
  5. The goal of application layer DDoS attacks usually have nothing to do with overwhelming bandwidth. Some IT experts call them “low and slow” for a reason. Frequently, at close range are exhausted CPU or memory resources. Hence, layer seven DDoS leverage as well inherent flaws and limitations of applications, for example, system resources are always finite. There’s surprise here actually. Heavy resource consumption will eventually render the server incapacitated (Imperva, 2012).
  6. Protection and mitigation of common volumetric attacks is something that IT specialists are well familiar with. In contrast, layer seven DDoS attacks often stand as a more formidable challenge (Breaking Point Labs, 2011).
The outlined picture of importance and future prevalence of application layer DdoS attacks was shared by experts from the OWAS Foundation in 2010: “We believe layer seven attacks may supersede layer four as the modus operandi of DDoS botnets in this new decade (Breaking Point Labs, 2011, par. 5).”

Layer Seven DDoS Attacks Statistics
To continue the layer seven DDoS topic, let’s review a couple of interesting sources of relevant statistics. First, according to Arbor’s statistical information, with an over 102% increase of DDoS attack size when compared to the previous year, 2010 appears to be a cornerstone in DDoS evolution. A year later, a Radware Security Survey: Attack Count by Type and Bandwidth claims that application layer attacks are prevalent

==> Read More

No comments:

Post a Comment

Support : Relax Viet
Copyright © 2013. Security24h - All Rights Reserved
Design by Namkna
Best View Resolution 1024 x 768 pixel