Application-Level Denial-of-Service (DoS)
What are Application DDoS Attacks?
Application DDoS attacks are distributed denial of service (DDoS) attacks designed to make online application services unavailable by overwhelming them with a virtual flood of internet traffic. The significant increase in traffic overwhelms machines and networks, making them unable to process the incoming requests and shutting them down. Computers, servers, and internet of things (IoT) devices are often compromised and used to support an application DDoS attack.
There are three basic types of DDoS attacks. These include volume-based attacks, protocol-based attacks, and application-level attacks. Volume-based attacks are generally measured in bits per second, protocol-based attacks are measured in packets per second, and application-level attacks are measured in requests per second.
Volume-based attacks include tactics such as UDP floods, ICMP floods, and other “spoofed” packet flooding designed to saturate and exhaust the bandwidth of the targeted IP address. Protocol attacks include SYN floods, the “Ping of Death,” and other tactics. Protocol attacks generally target communication equipment or servers.
Application-level DDoS attacks, also referred to as level 7 (L7) DDoS attacks, are a particular type of DDoS attack that targets processes executing in the top application layer of the Open Systems Interconnection (OSI) computer networking model. Application DDoS attacks typically involve database access and end-user protocols such as FTP, SMTP, Telnet, and RAS.
An application DDoS attack may target the processes that generate web pages in response to simple HTTP requests. One HTTP request may be small, but the work the server must do to respond may be many times larger. As a result, threat actors may flood the server with many HTTP requests, making it impossible for the server to respond to legitimate requests in any practical timeframe. Typical targets include website forms (login, uploading of photo/video, submitting feedback, etc.).
Application DDoS attacks are often difficult to detect and diagnose because they resemble legitimate website traffic. The simplest L7 attacks, such as those targeting login pages with random user IDs and passwords, or repetitive random searches on dynamic websites, can still critically overload CPUs and databases. In addition, threat actors can change the signatures of an application-level attack, making it more difficult to detect and stop.
L7 attacks overuse website features in a targeted attempt to make those features inoperable due to the traffic load. Additionally, application DDoS attacks have been used for targeted purposes, including distracting the information technology (IT) and security operations center (SOC) teams from another ongoing data breach.
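The login and search floods described above can be spotted by counting requests to costly endpoints in a sliding window, both per client and across all clients. The following is an added example, not code from the original page; the log format, the endpoint list and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+')
EXPENSIVE = {"/login", "/search"}  # assumption: endpoints that hit CPU/database
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_floods(lines, window=timedelta(seconds=10), per_client=5, per_path=20):
    """Return {(client, path): peak request count seen in any sliding window}.

    The client "*" aggregates all sources, so a botnet whose members each stay
    under per_client is still caught by the per_path limit.
    """
    recent, peaks = defaultdict(deque), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore randomised query strings
        if path not in EXPENSIVE:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        for key, limit in (((m["ip"], path), per_client), (("*", path), per_path)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop requests older than the window
                q.popleft()
            if len(q) > limit:
                peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_log():
    """Constructed access log (documentation IP ranges), in time order."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = [("198.51.100.7", t, "POST /login", 401) for t in range(8)]
    rows += [("192.0.2.10", 30, "POST /login", 200), ("192.0.2.10", 31, "GET /", 200)]
    rows += [(f"203.0.113.{i + 1}", 100 + i // 5, f"GET /search?q=r{i}", 200)
             for i in range(25)]
    return [f'{ip} - - [{(base + timedelta(seconds=t)).strftime(TS_FORMAT)}] '
            f'"{req} HTTP/1.1" {status} 512' for ip, t, req, status in rows]

if __name__ == "__main__":
    for key, peak in find_floods(sample_log()).items():
        print(key, peak)
```

In the sample, the single noisy client trips the per-client limit on `/login`, while the 25 one-request sources only show up through the aggregate `"*"` counter on `/search`.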
Types of Application DDoS attacks
BGP Hijacking. Threat actors maliciously reroute Internet traffic by falsely announcing ownership of blocks of IP addresses that they do not own. As other networks accept this false information, traffic is redirected to the attacker. There can be a range of motives behind an L7 BGP Hijacking, including intercepting Internet traffic and redirecting it to a fake website as part of a man-in-the-middle attack.
Slow Post. In a Slow Post application DDoS attack, the threat actor sends HTTP POST headers to a Web server. In these headers, everything in the message header appears valid and legitimate. However, the message body is sent at such a slow speed that the server’s connection pool reaches its limit, thus enabling a DoS attack.
HTTP Flood. An HTTP flood is a DDoS attack in which the threat actor exploits HTTP GET or POST requests. These types of attacks are also called volumetric attacks. HTTP flood attacks use botnets of computers that malware has compromised. HTTP flood attacks are more sophisticated and generally harder to identify and block.
Large Payload POST. A Large Payload POST is an application attack where the threat actor manipulates the XML encoding used by targeted web servers. The threat actor sends the web server a data structure encoded in XML. The server then attempts to decode it but is forced to use rapidly increasing amounts of memory, thus overwhelming the system and crashing the service.
Slow Read. A slow read application DDoS attack lengthens the time to read the response from the Web server, although the threat actor sends what appears to be a legitimate HTTP request. When the threat actor sends many legitimate requests, this will keep open multiple connections to the Web server, resulting in a DoS. The threat actor will read the results very slowly, sometimes just a few bytes in a minute, preventing the targeted server from incurring a timeout. The server assumes the client is reading the data and keeps the connection open.
False User Browsing Traffic. In this application-level attack, threat actors utilize botnets that appear as valid users attempting to access the targeted website. As the volume increases, the targeted website will be unable to respond to legitimate users, and in some instances, the targeted server will crash. False User Browsing Traffic replicates the activity of completely legitimate users and is often difficult to detect and diagnose.
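A common server-side defence against the Slow Post pattern above is a body-read deadline that only extends while the client keeps up a minimum upload rate. The following is an added example, not code from the original page; `read_body`, its default limits and the in-process test client in `demo` are assumptions made for illustration.

```python
import socket
import threading
import time

class SlowBodyError(Exception):
    """The client fell below the minimum upload rate."""

def read_body(sock, length, initial=5.0, min_rate=500, max_total=60.0):
    """Read exactly `length` body bytes under a rate-based deadline.

    The time budget starts at `initial` seconds and grows by one second per
    `min_rate` bytes received, but never beyond `max_total` seconds.
    """
    start = time.monotonic()
    body = bytearray()
    while len(body) < length:
        budget = min(initial + len(body) / min_rate, max_total)
        remaining = start + budget - time.monotonic()
        if remaining <= 0:
            raise SlowBodyError(f"only {len(body)}/{length} bytes in {budget:.2f}s")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(min(65536, length - len(body)))
        except socket.timeout:
            raise SlowBodyError(f"only {len(body)}/{length} bytes in {budget:.2f}s") from None
        if not chunk:
            raise ConnectionError("client closed before sending the full body")
        body += chunk
    return bytes(body)

def demo(chunk, pause):
    """Constructed client: sends a 400-byte body `chunk` bytes at a time."""
    server, client = socket.socketpair()
    def send():
        try:
            for i in range(0, 400, chunk):
                client.sendall(b"x" * min(chunk, 400 - i))
                time.sleep(pause)
        except OSError:
            pass  # the server side has already dropped the connection
    threading.Thread(target=send, daemon=True).start()
    try:
        return len(read_body(server, 400, initial=0.5, min_rate=1000))
    except SlowBodyError:
        return None  # connection slot is released instead of being held open
    finally:
        server.close()

if __name__ == "__main__":
    print(demo(400, 0), demo(10, 0.2))
```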
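For the Large Payload POST case above, the parser can be made to refuse the constructs that drive memory growth before it expands anything. The following is an added example, not code from the original page; the function names and all limits are assumptions, and the sample document is constructed.

```python
from xml.parsers import expat

class RejectedXML(ValueError):
    """The document was refused before or during parsing."""

def count_elements(data, max_bytes=64 * 1024, max_depth=32, max_elements=10_000):
    """Parse untrusted XML under fixed resource limits; return the element count.

    The limits are assumptions for this example; size them to your own API.
    """
    if len(data) > max_bytes:  # cheap check before any parsing work
        raise RejectedXML("body too large")
    depth = count = 0

    def forbid(*_args):
        raise RejectedXML("DTD and entity declarations are not accepted")

    def start(_name, _attrs):
        nonlocal depth, count
        depth, count = depth + 1, count + 1
        if depth > max_depth:
            raise RejectedXML("nesting too deep")
        if count > max_elements:
            raise RejectedXML("too many elements")

    def end(_name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid  # fires before any entity is defined
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from None
    return count

def verdict(data):
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        count_elements(data)
        return "accepted"
    except RejectedXML as exc:
        return str(exc)

# Constructed sample: a small document that declares nested entities.
NESTED_ENTITIES = (b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
                   b'<r>&b;</r>')
```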
Motivations driving application DDoS attacks can vary substantially but are similar to those for any other type of DDoS. Financial considerations are often a key driver. These considerations may manifest themselves through the extortion of a ransom payment from targeted business entities. In some cases, the targeted business entity is under attack by a competitor that has licensed DDoS resources and launched an anonymous attack. In other cases, attacks may be caused by a current or former employee or someone who views a DDoS attack as a prank. Hacktivism is often a driver for DDoS activity in support of a political or a personal cause. Finally, nation-states and cyber warfare may also be behind DDoS attacks that target opposing political views and enemy countries.