Application-layer DDoS - a new threat vector

Stewart, international president at Corero Network Security, explores the growing threat of application DDoS attacks and offers some timely advice for security resellers.

André Stewart, international president at Corero Network Security, explores the growing threat of application DDoS attacks and offers some timely advice for security resellers.

Distributed denial of service (DDoS) attacks are a growing threat across all commercial and public sectors, disrupting online business, damaging corporate brands and blocking access to information and services. In particular, attackers are employing application-layer techniques that are both very difficult to detect and mitigate.

VARs must position themselves as the security experts, advisors and suppliers of solutions in the face of these new, highly advanced cyber attacks. Customers look to the channel to provide education and guidance about the danger the latest DDoS attacks pose to their organisations. As a consequence, resellers, as trusted partners, are well-positioned to maximise these opportunities by providing the products and services to detect and block these attacks, and secure their customers' businesses.

So how do VARs advise customers on how to remain secure against the evolving and increasingly sophisticated DDoS attacks, including application-layer attacks?

Rather than the usual volumetric network-layer attack which floods the network, the application-layer attack, as the name would suggest, targets applications within websites, such as forms that require the site to perform requests for information. These requests then work to slow down the network, using up the limited resources of log files, causing users to become frustrated and abandon their search results, subsequently causing a loss of business.

Application-layer DDoS attacks are far more difficult to identify, because they appear to be legitimate requests. Attacks such as recursive GET DDoS techniques establish a connection with the web server, as opposed to traditional volumetric attacks, such as SYN Floods, which overwhelm the target with sheer numbers of messages. Further, these attacks consume far less bandwidth than traditional DDoS attacks that flood a network with traffic. In the absence of such intense traffic spikes, victim organisations may not even realise they are under attack and look for more benign explanations for unresponsive websites, such as application or system issues. ISPs are similarly slow to recognize such attacks - at times despite their customers' insistence that an attack is in progress.

Because application-layer attacks do not require huge volumes of traffic, the attackers require fewer resources, that is, smaller numbers of hijacked computers comprising botnets, than traditional network-layer attacks. In fact, recent research demonstrates that effective application attacks can be executed by a single computer, rendering websites inaccessible to legitimate users, disrupting or disabling other enterprise assets, such as DNS servers or even VoIP systems. 

It's imperative that resellers emphasise to their customers that organisations of all sizes and in all vertical markets are at risk of DDoS attack. DDoS awareness has grown, largely because of high-profile DDoS attacks on high-profile targets, such as the Vatican, leading banks, government agencies, stock exchanges, the FBI, and entertainment industry organisations and companies by politically and ideologically motivated "hacktivist" groups, such as Anonymous.

However, application-layer DDoS attacks often target the enterprise for commercial or criminal gain. Unscrupulous companies attack competitors to get unfair business advantages, frustrating customers and, they hope, encouraging them to turn to their sites to purchase products and services. These attacks result in both immediate and long-term loss of business and damaged brand reputation. Because application-layer attacks are so difficult to detect, the attacking companies cannot be traced and thus have "plausible deniability".  What's more, cyber criminals are available as "hired guns" at very modest fees to launch DDoS attacks on behalf of their clients.

Criminals also extort money from companies under threat of DDoS attack (a variation of the classic protection racket, in which victims are forced to pay under threat of assault or physical attacks on their business).

DDoS attacks also are used as a smoke screen to launch other attacks, for example, to infiltrate the network and steal sensitive information, such as customer records or intellectual property.

Organisations would be unwise to believe that they are not a target, particularly if they are reliant on the Internet.  Resellers have an opportunity to educate end users on the growing threat of DDoS attacks, and what organisations should be doing to maintain online availability and business continuity.

Read more on Data Protection Services