New application level attack bodes ill for hybrid DDoS protection

Imperva has recently witnessed a new type of DDoS attack they believe might become a go-to for cyber criminals looking to take sites and services down.

The attack was an application layer DDoS attack, aimed at exhausting a target server’s RAM and CPU resources. But unlike previous ones they have seen, this one was “ginormous.”

“While deadly to servers, application layer attacks are not especially large in volume. Nor do they have to be, as many application owners only over-provision for 100 requests per second (RPS), meaning even small attacks can severely cripple unprotected servers,” Imperva’s Igal Zeifman explained.

“Moreover, even at extremely high RPS rates – and we have seen attacks as high as 268,000 RPS – the bandwidth footprint of application layer attacks is usually low, as the packet size for each request tends to be no larger than a few hundred bytes.”

But this one peaked at 163,000 requests per second, and consumed bandwidth at 8.7 gigabits per second, because the malicious POST requests flooding the server also included a script that randomly generated large files and attempted to upload them to the server.

“Application layer traffic can only be filtered after the TCP connection has been established. Unless you are using an off-premise mitigation solution, this means that malicious requests are going to be allowed through your network pipe,” Zeifman explains the problem.

“A case in point are hybrid DDoS protection solutions, in which an off-premise service is deployed to counter network tier threats, but an customer-premises equipment (CPE) is used to mitigate application tier attacks.”

Unfortunately, not all targets will have equipment with a large enough uplink to prevent their network connection to be choked with DDoS requests.

“Granted, some of the larger organizations today do have a 10 Gb burst uplink. Still, perpetrators could easily ratchet up the attack size, either by initiating more requests or by utilizing additional botnet resources,” he noted. “Hence, the next attack could easily reach 12 or 15 Gbps, or more. Very few non-ISP organizations have the size of infrastructure required to mitigate attacks of that size on-premise.”

An additional problem is that application layer attacks can be easily sustained for days, weeks, and even months, and they could end up costing the targets a lot.

This particular attack was launched from the Nitol botnet (from over 2.700 IP addresses) and targeted a Chinese lottery website. It is still ongoing, and Imperva fears that other attackers will start copying this effective strategy.

The solution in this particular problem is to employ off-premise mitigation solutions that terminate HTTP/S outside of the network perimeter. And those who can’t do that because of regulations (e.g. organizations in the finance industry) should consider upgrading their mitigation appliances to a 10 Gb burst uplink (at least).