Application-Layer DDoS Attacks Are Growing: Three to Watch Out For

BreakingPoint Labs
October 4, 2011

Earlier this year, the Arbor Worldwide Infrastructure Security Report highlighted important trends in distributed denial of service (DDoS) attacks. Several findings stand out, including the overall expansion of attack surface and the escalation of attack size and frequency. This chart shows the growth in the average size of attacks from January 2009 through February 2011:

[Chart: average DDoS attack size, January 2009 through February 2011 (source: Arbor)]

From what I can see, Arbor’s most interesting finding is that application-layer DDoS attacks are increasing rapidly—representing as much as a quarter of today’s DDoS attacks. This meshes with field reports I've been reading from our engineers.

Why Application-Layer DDoS Attacks Are Such a Vexing Threat

Simple bulk attacks such as UDP, ICMP, and SYN floods still pose challenges to network operators. But detection and mitigation of these common “volumetric” attacks (their success depends on using a large volume of traffic) are well understood by network security professionals. More difficult to stop are application-layer attacks such as Slowloris and Rudy.

Application-layer attacks can affect many different applications. A lot of them target HTTP, in which case they aim to exhaust the resource limits of Web services. Often, they are customized to target a particular Web application by making requests that tie up resources deep inside the affected network. These attacks are typically more efficient than TCP- or UDP-based attacks, requiring fewer network connections to achieve their malicious purposes. They are also harder to detect, both because they don’t involve large amounts of traffic and because they look similar to normal benign traffic.

These factors have led security researchers to conclude that application-layer attacks will be an area of continuing growth. As Wong Onn Chee and Tom Brennan of the OWASP Foundation stated in a November 2010 presentation on DDoS attacks [PDF], “We believe Layer 7 attacks may supersede Layer 4 attacks as the modus operandi of DDoS botnets in this new decade.”

Three Application-Layer DDoS Attacks

While variations on these attacks are endless, here are three application-layer attacks in particular that are worth a close look. You should be testing the ability of your network defenses to handle these DDoS attacks, whether they appear by themselves or layered with other attacks. The major global service providers we are working with are doing this now. At the end of this post you’ll find a list of resources to help you with that testing.

1. Slowloris — This HTTP GET-based attack has been discussed extensively among security researchers since Robert Hansen wrote the Slowloris tool in 2009. (The concept dates back to at least 2005.) The basic idea is simple: a limited number of machines, or even a single machine, can disable a Web server by sending partial HTTP requests that proliferate endlessly, update slowly, and never close. Once every available socket is taken up by these requests, the Web server—and the site it supports—becomes inaccessible.

Earlier this year, Arbor found Slowloris included on a botnet, and RSA discovered a customized implementation of Slowloris included in a plug-in for the malicious SpyEye botmaster software. While this attack cannot be stopped by the servers themselves, our customer Korea Telecom has used our sophisticated traffic emulations to configure server load balancers and anti-DDoS appliances and to improve capacity planning to effectively mitigate Slowloris across infrastructures.

2. SlowPost — This attack, described by Wong and Brennan in the OWASP presentation cited above, works in somewhat the same way as Slowloris, except that it uses HTTP POST commands—transmitted very, very slowly—instead of GETs to tie up Web services. The attack uses a complete HTTP header that defines the “Content-Length” field for the POST message body just as benign traffic would, but then sends the data to fill that message body on the order of one byte every two minutes. The server waits indefinitely for each message body to be completed while the SlowPost attack proliferates connections and achieves the DDoS.
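As an added illustration (not BreakingPoint's code), here is a defender-side check that labels open HTTP connections matching the two patterns just described: headers that never complete (Slowloris) and declared bodies that trickle in (SlowPost), then flags sources holding too many of them. The record format, the thresholds and the sample snapshot are constructed assumptions; tune the limits to what your own server logs show as normal.

```python
from collections import Counter

# Thresholds are illustrative assumptions; tune to the site's measured normal traffic.
HEADER_TIMEOUT_S = 20     # complete request headers normally arrive well within this
BODY_MIN_RATE_BPS = 50.0  # benign POST bodies arrive far faster than 50 bytes/second
PER_SOURCE_LIMIT = 30     # flagged open connections from one address before blocking

def classify(conn, now):
    """Label one open-connection record: 'slow-header', 'slow-body' or None."""
    age = now - conn["opened"]
    if not conn["header_complete"]:
        # Slowloris pattern: partial header kept open, updated slowly, never finished
        return "slow-header" if age > HEADER_TIMEOUT_S else None
    declared = conn["content_length"]
    if declared and conn["body_received"] < declared:
        # SlowPost pattern: valid header with Content-Length, body trickling in
        elapsed = now - conn["header_done_at"]
        rate = conn["body_received"] / elapsed if elapsed > 0 else float("inf")
        if elapsed > HEADER_TIMEOUT_S and rate < BODY_MIN_RATE_BPS:
            return "slow-body"
    return None

def analyze(conns, now):
    """Return per-connection labels and the sources holding too many flagged ones."""
    flags = {c["id"]: classify(c, now) for c in conns}
    per_src = Counter(c["src"] for c in conns if flags[c["id"]])
    return flags, {s for s, n in per_src.items() if n >= PER_SOURCE_LIMIT}

def make_sample(now):
    """Constructed snapshot (not real capture data) of a server's open connections."""
    def rec(cid, src, age, header_done, clen=0, got=0):
        return {"id": cid, "src": src, "opened": now - age,
                "header_complete": header_done, "content_length": clen,
                "body_received": got,
                "header_done_at": now - age + 2 if header_done else None}
    conns = [rec(f"s{i}", "198.51.100.7", 300, False) for i in range(40)]  # Slowloris
    conns.append(rec("p1", "203.0.113.9", 600, True, clen=100000, got=5))  # SlowPost
    conns.append(rec("ok1", "192.0.2.5", 4, True))                          # normal GET
    conns.append(rec("ok2", "192.0.2.6", 1, False))                         # just opened
    return conns

if __name__ == "__main__":
    flags, bad_sources = analyze(make_sample(1000.0), 1000.0)
    print(Counter(flags.values()), bad_sources)
```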

As Arbor engineer Richard Wray explained in a presentation last month [PDF], attacks like these can be combined with volumetric attacks to “bring down critical data center services.” The threat of these layered attacks means that you should be testing the ability of your infrastructure to handle multiple types of DDoS, alone or in combination. That requires accurate simulations of DDoS traffic running alongside the mix of benign application traffic you typically see on your network.

3. SIP INVITE Flood — The two attacks above both target HTTP; this one is a VoIP flood that targets SIP. It takes advantage of the normal time lag during the SIP call initiation process to overload a SIP server. Since SIP runs over UDP, a single packet from a caller, hacker, or botnet can start the process of “dialing” and ringing at the beginning of a phone call. In our everyday lives, we don’t think anything of the 20-second delay between entering a phone number and hearing “Hello” or the voicemail prompt from the other end. But that delay, when multiplied across thousands of simultaneous connections, can crash a server and potentially open the door for even more mayhem within a VoIP-based call center. Plus, it’s very difficult to determine in advance which calls are legitimate and which ones are part of a DDoS, especially if an attacker is clever enough to spoof the IP addresses in UDP headers, or to spoof SIP headers so they don’t match the corresponding UDP headers.
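An added example, not from the original post: a tracker that counts INVITE transactions still within the ring window and flags SIP Via headers that do not name the UDP source, which is the header/IP mismatch described above. The message format, the capacity figure and the sample log are constructed assumptions; the 32-second window is SIP's default Timer B (64 times T1).

```python
from collections import Counter

RING_TIMEOUT_S = 32      # SIP default Timer B (64*T1): how long an unanswered INVITE lives
PENDING_CAPACITY = 200   # assumed budget of simultaneously ringing calls on this server

def track(messages, now):
    """Replay SIP messages in time order; return live INVITEs and Via/source mismatches."""
    pending = {}         # call_id -> (t_invite, src_ip)
    mismatches = 0
    for m in messages:
        if m["method"] == "INVITE":
            pending[m["call_id"]] = (m["t"], m["src"])
            # Via sent-by should name the host that actually sent the UDP datagram
            if m["via_host"] != m["src"]:
                mismatches += 1
        elif m["method"] in ("ACK", "CANCEL", "BYE"):
            pending.pop(m["call_id"], None)   # transaction finished or abandoned
    # Only INVITEs still inside the ring window hold server state
    live = {cid: v for cid, v in pending.items() if now - v[0] <= RING_TIMEOUT_S}
    return live, mismatches

def assess(messages, now):
    """Summarise load and spoofing indicators for the snapshot time `now`."""
    live, mismatches = track(messages, now)
    per_src = Counter(src for _, src in live.values())
    return {"live_invites": len(live),
            "overloaded": len(live) > PENDING_CAPACITY,
            "via_mismatch": mismatches,
            "distinct_sources": len(per_src),
            "top_source": per_src.most_common(1)[0] if per_src else None}

def msg(t, src, method, call_id, via_host=None):
    """Minimal parsed-message record (constructed format, not a real SIP parser)."""
    return {"t": t, "src": src, "method": method, "call_id": call_id,
            "via_host": via_host or src}

def make_sample():
    """Constructed log: one benign call, then 300 unanswered INVITEs whose Via
    header names a host other than the UDP source address."""
    log = [msg(0.0, "192.0.2.5", "INVITE", "good-1"),
           msg(8.0, "192.0.2.5", "ACK", "good-1")]
    for i in range(300):
        log.append(msg(10.0 + i * 0.01, f"203.0.113.{i % 250 + 1}", "INVITE",
                       f"flood-{i}", via_host="198.51.100.1"))
    return log

if __name__ == "__main__":
    print(assess(make_sample(), 20.0))
```

Because the flood spreads across many spoofed source addresses, the per-source count stays low; the total of live transactions and the Via mismatch ratio are the signals that carry the detection.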

SIP and other VoIP protocols are ubiquitous in the converged networks of today’s call centers. Hackers are taking advantage of the complexity of voice and data application traffic in these environments to find new vectors for attack, which means you must test your call center infrastructure with the same complex traffic it will see in the real world—complete with VoIP-based DDoS attacks. We have built our extensive (and growing) library of application protocols specifically to enable that kind of real-world testing. In fact, BreakingPoint is the only company that can hammer your converged network with a SIP INVITE flood so you can validate defenses and perform accurate capacity planning.

Protecting Your Infrastructure from Application-Layer DDoS Attacks

One commonality you’ll notice is that all of these attacks carry out their malicious intent by taking advantage of the core functionality of the application itself. The way it’s built, HTTP must perform GET and POST requests to function at all. SIP must perform the INVITE function for the normal operation of VoIP telephony. The difficulty in detecting which GETs, POSTs, and INVITEs are malicious is exactly what makes these application-layer attacks so tricky.

If you are not conducting frequent testing to ensure you can detect and mitigate these attacks, it’s time to start. As Korea Telecom learned, it is possible to fortify DDoS defenses across many kinds of infrastructures, whether through rigorous device evaluations, improved configurations, or better capacity planning. But only when you test them under real-world conditions.

Throughout this month, we will go into more detail about various aspects of DoS and DDoS attacks. We will also show you how to create accurate simulations of your network conditions so you can test the validity of your attack detection and mitigation efforts. Meanwhile, you can take a look at some of the resources listed below to deepen your understanding of DoS and DDoS attacks—and what to do about them.

BreakingPoint Resources:

Other Resources:
