Like Godzilla reducing a high-rise to rubble with its bare fists, booming network layer distributed denial of service or DDoS attacks tend to attract a lot of attention for the sheer magnitude of their assaults – a thorough thumping of security blogger Brian Krebs’ website here, a record-breaking attack on the Dyn DNS server there. These bandwidth busters do know how to grab the headlines.

Although the truly monstrous network layer attacks like the ones referenced above are, admittedly, nightmarish to deal with, DDoS mitigation experts know that while those 600 Gbps attacks are attracting all the attention, sophisticated application layer attacks are causing the real problem from a security standpoint. Which is too bad, really, since these attacks are on the rise.

The Other End of the Spectrum

A distributed denial of service attack aimed at the network layer directs a big blast of packets at the target in an attempt to either saturate the network’s bandwidth, or exhaust the network’s resources, either way leaving legitimate users unable to reach the website when one of these attacks is successful. This is not a case where less is more. More is definitely more, and dealing with these attacks comes down to a basic question: does the attacker have more network capacity, or the mitigation appliance or service?

Application layer attacks, on the other hand, require DDoS mitigation to be intelligent, not just high-capacity.

Smaller but Sneaky

If you picture yourself sitting in a chair, a network layer attack would be like someone running straight at you and tackling you in it, while an application layer attack would be more like someone sneaking underneath the chair and unscrewing the bolts on the legs until they give out. If successful, the end- result of both types of attack may be the same, but the latter is much harder to stop because it’s harder to see coming.

Instead of simply slamming a target with firepower, the goal of an application layer attack is to sneak by security measures and exhaust finite server-side resources like memory or the CPU. The application layer is the layer of the OSI model that interacts with end users, thus, in order to bypass security measures. these attacks mimic normal user behavior with seemingly legitimate requests, such as the repeated loading of a web page.

These attacks often aim small by targeting a specific element of a website, a graphic, for example, consuming resources every time that element is downloaded, eventually exhausting the server and booting the site offline. Application layer attacks are generally most effective when they can force the application or server to allocate the maximum resources in response to each individual request.

Brains vs. Brawn in Mitigation

Handling an application layer attack requires a mitigation service that can distinguish between legitimate users, good bots, bad bots and attack traffic and treat each category of traffic accordingly, allowing users through to the website even if an attack is ongoing, giving good bots the access they need, blocking bad bots, and sending DDoS attack traffic to a scrubbing server before it can ever reach the target application.

It’s especially important for a mitigation service to be able to classify traffic from the outset and keep attack traffic from reaching its target because application layer attacks are often used to distract security professionals, while intrusions and other more targeted attacks are launched. So, a sneaky application layer attack could be masking an even sneakier intrusion, which can often result in the injection of malware or the theft of data.

Accurately categorizing traffic is a complex process that requires the mitigation service to inspect traffic at a granular level in addition to relying on fingerprinting and reputation. A lot of traffic can either be immediately flagged as malicious or whitelisted as legitimate visitors. For traffic that ranks somewhere in between as potentially suspicious, a mitigation service should institute a series of progressive challenges such as JavaScript execution to see if the client behaves as a legitimate visitor should. A CAPTCHA test can be used as a last resort for identifying human visitors whose browsers did not pass all previous tests.

On the Rise

According to DDoS mitigation provider Incapsula’s Q1 2017 DDoS Threat Landscape Report, the number of network layer attacks attempted has been falling for four quarters in a row while application layer attacks are on the rise.

In the first quarter of 2017, network layer attacks mitigated by Incapsula fell to 269 per week, down from 435 per week in the fourth quarter of 2016, while application layer attacks rose to 1099 per week in Q1, up from 892 per week in Q4 2016.

What this means is that while the big bruising network layer attacks are garnering all the attention thanks in part to Internet of Things botnets of unprecedented sizes, skilled attackers are quietly going to work with targeted and sophisticated application layer attacks. What this also means is that websites of all sizes, especially those in competitive industries, need to invest in DDoS protection that offers more than a high network capacity. Without smart mitigation capable of quickly classifying all traffic and quickly bouncing attack traffic to a scrubbing server, websites all over the internet will increasingly be knocked offline – and possibly hacked as well – with that muscular network capacity able to offer no help whatsoever.

About the Author

Debbie Fletcher is an enthusiastic, experienced writer who has written for a range of different magazines and news publications over the years. Graduating from City University London specialising in English Literature, Debbie’s passion for writing has since grown. She loves anything and everything technology, and exploring different cultures across the world. She’s currently looking towards starting her Masters in Comparative Literature in the next few years.