This is the final post in a series about Layer 3, Layer 4, and Layer 7 DDoS attacks.
Layer 7 DDoS attacks are insidious because they bypass traditional network-layer defenses and target the specific workings of applications and services. Their ability to mimic normal user behavior makes them challenging to detect and mitigate.
Layer 7 DDoS attacks, also known as application layer DDoS attacks, target the top layer of the Open Systems Interconnection (OSI) model.
Layer 7 of the Open Systems Interconnection (OSI) Model: One of the Targets for DDoS Attacks
Layer 7 manages the interactions between users and applications. Successful Layer 7 DDoS attacks overwhelm the functionality of websites, servers, or applications. While they copy the behavior of legitimate traffic, they do so at a scale that exhausts the target’s resources. Here’s a detailed look at how Layer 7 DDoS attacks work:
Targeting Application Resources, Leading to DDoS Downtime
Unlike Layer 3 and 4 DDoS attacks, which focus on overwhelming the network infrastructure (bandwidth, routers, or servers), Layer 7 DDoS attacks aim to exhaust application resources by sending requests that appear legitimate.
These attacks exploit specific features or services of an application to overload its ability to respond.
HTTP Flood Attacks
One of the most common forms of Layer 7 DDoS attacks is an HTTP Flood. In this type of attack, the attacker sends a large number of HTTP requests to a website or web server. This overwhelms the server’s processing capabilities because every HTTP request requires the server to deliver a web page, load resources (like images or scripts), and possibly interact with databases. The HTTP requests to the website or web server can be of the following types:
- GET Flood: Attackers send large numbers of HTTP GET requests, asking the server to retrieve resources such as web pages or images. The server is flooded with requests, causing delays or complete downtime.
- POST Flood: This attack involves sending a flood of POST requests, which require more server-side processing (such as form submissions or database queries), further straining the server’s resources.
Slowloris Attack
In a Slowloris attack, the attacker sends partial HTTP requests but never completes them. The server allocates resources waiting for the remainder of the request, tying up available connections.
Since the requests are slow and seem to be legitimate, the server is stuck handling multiple incomplete connections. It cannot process new legitimate requests, leading to downtime.
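One server-side defense against the partial-request pattern just described is to stop waiting on the client: enforce a header-completion deadline measured from connect time (so trickled bytes cannot reset it) and cap concurrent connections per source IP. The class below is an added example, not code from the post or from MazeBolt; its timeout, per-IP cap and the sample addresses are assumed values, and it tracks connection state only, leaving socket handling to the server that calls it.

```python
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"

@dataclass
class Conn:
    ip: str
    opened_at: float
    buf: bytes = b""
    headers_done: bool = False

class SlowRequestGuard:
    """Decide which connections a server should refuse or drop (assumed defaults).

    Headers must be complete within header_timeout_s of connect; the deadline is
    measured from connect time, so a client trickling bytes cannot keep resetting
    it. Each source IP may hold at most max_per_ip open connections.
    """

    def __init__(self, header_timeout_s=10.0, max_per_ip=20):
        self.header_timeout_s = header_timeout_s
        self.max_per_ip = max_per_ip
        self.conns = {}  # conn_id -> Conn

    def on_open(self, conn_id, ip, now):
        """Accept only if this IP is under its concurrency cap."""
        if sum(1 for c in self.conns.values() if c.ip == ip) >= self.max_per_ip:
            return False
        self.conns[conn_id] = Conn(ip=ip, opened_at=now)
        return True

    def on_data(self, conn_id, data):
        """Feed received bytes; return True once the header block is complete."""
        c = self.conns[conn_id]
        if not c.headers_done:
            c.buf += data
            if HEADER_END in c.buf:
                c.headers_done, c.buf = True, b""  # body handling is out of scope
        return c.headers_done

    def on_close(self, conn_id):
        self.conns.pop(conn_id, None)

    def expired(self, now):
        """Drop and return connections still without full headers past the deadline."""
        stale = [cid for cid, c in self.conns.items()
                 if not c.headers_done and now - c.opened_at >= self.header_timeout_s]
        for cid in stale:
            self.on_close(cid)
        return stale
```

A server loop would call `on_open` at accept time, `on_data` per read, and `expired` on a timer, closing whatever it returns.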
DNS Query Floods
Attackers can target DNS servers, sending floods of DNS requests. The server tries to resolve an overwhelming number of domain name queries, which can saturate its resources and prevent it from responding to legitimate DNS requests.
Exploitation of Complex Web Requests
Layer 7 DDoS attacks can exploit the complexity of dynamic web content. When attackers flood the target with requests for dynamic content (such as product search queries, account logins, or database-driven pages), the server must process each request.
This often involves backend database queries or heavy computation. The process exhausts server CPU, memory, or database connection pools – leading to server overload or crashes.
How Do Layer 7 Attacks Impact the Network?
The goal of a Layer 7 DDoS attack is to make the web application or service inaccessible to legitimate users by:
- Overloading the server’s CPU and memory
- Maxing out the application’s database or processing limits
- Slowing down response times to the point where users experience significant delays or service disruptions
Targeting Weak Points in Applications
Layer 7 attacks often target the weakest or most resource-intensive aspects of an application. These can include:
- Login pages: Attackers may flood login pages with requests, forcing the server to handle a large number of authentication attempts. This can take the form of brute-force login attempts, or it can more simply overwhelm the login functionality.
- APIs: If a website or service exposes Application Programming Interfaces (APIs) to the public, attackers can flood API endpoints with requests, consuming server resources and causing legitimate API requests to be delayed or dropped.
- Search functions: Search features are a common target in Layer 7 attacks, as every search query involves processing on the server side, often requiring interaction with databases or complex algorithms.
Attributes Common to Layer 7 Attacks
Key characteristics of Layer 7 attacks include:
- Low bandwidth, high impact: One key characteristic of Layer 7 DDoS attacks is that they can cause significant damage without consuming as much bandwidth as Layer 3 or Layer 4 attacks. By sending fewer but more complex requests (such as asking for web pages or querying databases), attackers can cripple a website or application with far less traffic.
- Use of botnets and attack automation: Attackers often use botnets, networks of compromised devices, to automate and scale Layer 7 DDoS attacks. Each device in the botnet sends legitimate-looking traffic to the target, making it difficult to distinguish between real users and malicious activity. This is especially dangerous because the attack traffic can appear normal (at first glance), making it harder to block without affecting legitimate users.
- Stealth: Layer 7 attacks are often more stealthy than lower-layer attacks. Instead of sending a massive volume of traffic that can be detected by volumetric filters, these attacks focus on low-volume, high-impact requests that closely mimic legitimate user behavior. This makes them harder to detect and mitigate using traditional DDoS defenses.
How to Mitigate Layer 7 DDoS Attacks
Defending against Layer 7 DDoS attacks requires more sophisticated techniques because of their ability to blend with normal traffic. Key mitigation strategies include:
- Web Application Firewalls (WAFs): A WAF can help filter out malicious traffic by analyzing requests for known attack patterns. It can also be configured to block or throttle suspicious activity (such as large numbers of requests from the same IP address).
- Rate limiting: This involves limiting the number of requests a single user or IP address can make within a certain period. It prevents attackers from overwhelming the server with requests.
- CAPTCHA: Requiring users to complete a CAPTCHA helps differentiate between legitimate users and automated bots. It can significantly reduce the effectiveness of bot-based Layer 7 DDoS attacks.
- Traffic analysis and behavioral monitoring: Continuous monitoring of traffic patterns and behavior helps detect anomalies that could indicate a Layer 7 DDoS attack. Advanced DDoS protections can learn typical user behavior and alert for suspicious deviations.
- CDNs and load balancers: Content Delivery Networks (CDNs) and load balancers distribute incoming traffic across multiple servers, reducing the load on any single server and helping absorb the impact of an attack. CDNs further mitigate a Layer 7 attack by filtering traffic at the edge before it reaches the origin.
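The "low bandwidth, high impact" attribute described earlier and the rate-limiting and behavioral-monitoring mitigations in this list both come down to budgeting a client's requests by the work they cause rather than by their count or bytes. The script below is an added example, not code from the post or from MazeBolt: the endpoint cost weights, window and budget are assumed values, and the access log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} (?:\d+|-)$')
# Assumed relative server-side cost per endpoint class (not from the post).
COST = {"static": 1, "page": 3, "search": 8, "login": 10}

def request_cost(method, path):
    """Weight a request by the work it causes, not by its size on the wire."""
    route = path.split("?", 1)[0]
    if route.startswith("/static/") or route.endswith((".css", ".js", ".png")):
        return COST["static"]
    if route.startswith("/search"):
        return COST["search"]
    if route == "/login" and method == "POST":
        return COST["login"]
    return COST["page"]

def parse_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"], m["path"]

def peak_cost_per_client(lines, window_s=10):
    """Highest summed request cost each client placed on the server in any window."""
    queue, running, peak = defaultdict(deque), defaultdict(int), defaultdict(int)
    for ip, ts, method, path in filter(None, map(parse_line, lines)):
        queue[ip].append((ts, request_cost(method, path)))
        running[ip] += queue[ip][-1][1]
        while (ts - queue[ip][0][0]).total_seconds() >= window_s:  # slide the window
            running[ip] -= queue[ip].popleft()[1]
        peak[ip] = max(peak[ip], running[ip])
    return dict(peak)

def flag_clients(lines, budget=30, window_s=10):
    """Clients over budget: candidates for throttling, CAPTCHA or WAF rules."""
    return {ip for ip, c in peak_cost_per_client(lines, window_s).items() if c > budget}

def _line(ip, sec, method, path):
    return f'{ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample: a browser fetching 20 static assets in 10 s versus a client
# sending only 6 search queries in the same span.
SAMPLE_LOG = ([_line("198.51.100.10", s // 2, "GET", f"/static/img{s}.png") for s in range(20)]
              + [_line("203.0.113.7", s, "GET", f"/search?q=term{s}") for s in range(0, 12, 2)])
```

On the sample, the client with 20 requests stays under budget while the one with 6 search queries is flagged, which is the point a plain request counter would miss.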
DDoS Vulnerability Testing Enables the Proactive Elimination of DDoS Attacks
DDoS vulnerabilities, such as network misconfigurations, leave organizations exposed even when traditional DDoS protection solutions are in place. The current surge in DDoS attacks, the realization that DDoS vulnerability testing is a necessity, and the inherent limitations of traditional DDoS protections mean that organizations must adopt a new approach to DDoS security: continuous DDoS vulnerability testing.
MazeBolt RADAR™ is the only solution that identifies and enables the elimination of DDoS vulnerabilities ahead of time, without a disruption to business continuity, so that organizations can stay protected without requiring maintenance windows or service downtime.
To learn more about DDoS Vulnerability Management, speak with a MazeBolt expert.
This post is part of a series about Layer 3, Layer 4, and Layer 7 DDoS attacks.