
Layer Seven DDoS Attacks

May 11, 2018 by Dimitar Kostadinov

What is Layer 7?

The process of sending and receiving data from one host to another, data encapsulation, is possible due to the existence of a seven-layer protocol suite presented as the OSI model (see diagram 1).

Although we'll occasionally refer to various layers of this OSI model while examining DoS attacks, special emphasis is laid upon the seventh layer, the application layer. In essence, it provides an interface to end-user tasks and enables programs such as web browsers, email clients, and photo applications to send network communications (e.g., over SMTP or HTTP).

Diagram 1

Layer Seven DDoS Attacks Compared to Other Types

The trend in DDoS attacks shows clearly that perpetrators are moving their aim up the OSI model over time. The relocation of the prime target is logical, since DDoS defence systems concentrate their primary detection powers on the lower layers (Imperva, 2012). Therefore, attacks on the web application layer are increasingly popular. Furthermore, penetration of layer seven, the top layer in the OSI model, provides an outlet onto the business logic layer, which is considered an abstract extension of the aforementioned network protocol suite (F5 Networks, Inc. 2013).

Given that the internet is built vertically from multiple protocol layers, it is perfectly understandable that internet DDoS attacks can be classified vertically as well (Abliz, 2011).

If we adopt this approach, some common types of DDoS attacks include:

  • IP attacks on the network bandwidth – Layer 3 (Network Protocol)
  • TCP attacks on server sockets – Layer 4 (Transport Protocol)
  • HTTP attacks on Web server threads – layer seven (Application Protocol)
  • Web application attacks on CPU resources – layer seven+

(Imperva, 2012)

Now that we grasp the differences between DDoS attacks in terms of the OSI model classification, let's go through some general features that distinguish layer seven DDoS attacks from the others:

  1. While network layer DDoS attacks attempt to overwhelm the victim server with bogus requests, the application layer DDoS attacks rely on legitimate ones (Beitollahi & Deconinck, 2011).
  2. In layer seven DDoS attacks, the attacking computers have to set up a full TCP connection. Thus, although they cannot dispense with genuine (non-spoofed) IP addresses, the entire proceeding may seem legitimate in the absence of traffic spikes. Such attacks are stealthy and may virtually swindle even a vigilant DDoS defence mechanism (Manthena, 2011).
  3. A layer seven DDoS attack, in contrast to the others, may exploit vulnerabilities in application software, thus circumventing detection and aiming directly at the targeted Web server (Manthena, 2011). In other words, they are more sophisticated, since they do not count entirely on a brute force to achieve desired ends.
  4. Perhaps the most notable difference: so-called volumetric DDoS attacks strive to bring down network infrastructure and servers by employing high-bandwidth-consuming flooding, which benefits from an inherent blind spot of the internet medium. Layer seven DDoS attacks, on the other hand, take the victim server in the rear, first engaging well-known applications such as Hypertext Transfer Protocol (HTTP), Voice over Internet Protocol (VoIP), or Domain Name System (DNS) (Arbor Networks, Inc. 2012).
  5. The goal of application layer DDoS attacks usually has nothing to do with overwhelming bandwidth. Some IT experts call them "low and slow" for a reason. Frequently, the resource exhausted at close range is CPU or memory. Hence, layer seven DDoS also leverages inherent flaws and limitations of applications, for example the fact that system resources are always finite. There's no surprise here, actually: heavy resource consumption will eventually render the server incapacitated (Imperva, 2012).
  6. Protection and mitigation of common volumetric attacks is something that IT specialists are well familiar with. In contrast, layer seven DDoS attacks often stand as a more formidable challenge (Breaking Point Labs, 2011).

The outlined picture of the importance and future prevalence of application layer DDoS attacks was shared by experts from the OWASP Foundation in 2010: "We believe layer seven attacks may supersede layer four as the modus operandi of DDoS botnets in this new decade (Breaking Point Labs, 2011, par. 5)."

Layer Seven DDoS Attacks Statistics

To continue the layer seven DDoS topic, let's review a couple of interesting sources of relevant statistics. First, according to Arbor's statistical information, with an over 102% increase in DDoS attack size compared to the previous year, 2010 appears to be a cornerstone in DDoS evolution. A year later, a Radware Security Survey (Attack Count by Type and Bandwidth) claims that application layer attacks are prevalent:

Diagram 2

In 2012, Prolexic's annual report mentioned a 42.97% growth in layer seven DDoS attacks.


Diagram 3

Total Application Layer Attacks 2011 vs. 2012

In addition, quarterly reports by Prolexic show a definite tendency of increasing popularity, particularly of HTTP GET DDoS attacks, in the period from April 2012 to June 2013.

Diagram 4

Why Are Application-Layer DDoS Attacks Such a Vexing Threat?

The top layer of the internet protocol suite has two main categories of protocols: protocols that directly service users (e.g., HTTP, FTP, IMAP, Telnet, SMTP/POP, IRC, XMPP, SSH, etc.) and support protocols that underpin various system functions (e.g., DNS, SNMP, BOOTP/DHCP, TLS/SSL, SIP, RTP, NTP, etc.) (Abliz, 2011).

Here are seven reasons why layer seven DDoS attacks represent such a vexing threat:

May affect many different applications

Any one of the protocols listed above may be subject to a DDoS attack (Abliz, 2011). Many such attacks target HTTP to exhaust a web server's vitality (Breaking Point Labs, 2011).

Highly-targeted strikes

In general practice, layer seven DDoS attacks are often customized to target a specific web application. For example, web servers that run a combination of Java, PHP5, and ASP.NET may be targeted by specially crafted HTTP requests that collide in the web server's hashing operation "when unique requests return non-unique and overlapping responses (Katz, 2012, p. 3)." A great number of these "hash-busting" requests sent in a short time, like bursts from an MG-42 machine gun, would deplete essential web resources and create a denial of service.

Simplicity of layer seven

It's thought that if thousands of users simultaneously keep pressing the refresh button in their browsers, the server would crash sooner or later. Whether or not that is possible, many hacktivists use layer seven DDoS attacks time and again. An unsophisticated "low and slow" attack, for instance, is the one that struck a major credit card company that ceased providing services to WikiLeaks in 2010. In this case, the first downtime experienced was caused by a brute-force HTTP traffic flood towards the application, originating from approximately 940 computers (Katz, 2012).

Maximum Results with Limited resources

Unlike other denial of service attacks, layer seven attacks require very little investment by the attackers. In fact, given the covert nature of the weaponry in question, a feasible execution presupposes tactics reminiscent of guerrilla warfare (Kenig, 2013).

Conducive to collateral damage

Application layer DDoS attacks carry a special mark. A DNS attack, for instance, directed at a single DNS provider, may spread and affect all of its customers (Arbor Networks Inc., 2012).

Appearance of legitimacy

Slow traffic that is legitimate as far as protocol rules and rates are concerned, together with normal, complete TCP connections, are the main prerequisites behind the benign appearance typical of layer seven DDoS attacks.

Bypass one security shield or take the "shortcut"

As a matter of usual practice, the applications that are subject to attack are "allowed" through security devices such as firewalls or IPS devices (e.g., HTTP or DNS traffic) (Arbor Networks, Inc. 2012). Hence, one security layer can be eliminated with ease.

Diagram 5

In addition, whereas a network DDoS attack operates in the logical "Access Zone," an application DDoS attack targets the "Application Zone," which consists of the web front-end and its data storage. In order for an application DDoS attack to be successful, it has to go around the entire set of "Access Zone" devices and mechanisms in place, take advantage of a security gap in the "Application Zone," and finally inject a payload that establishes a direct communication line with the web server, to strike either the server itself or the application (Imperva, 2012).

Layer seven DDoS methods and attacks

Types of common layer seven DDoS attacks

They're divided into four basic categories:

Request-Flooding Attacks

High rates of seemingly legitimate application requests (such as HTTP GETs, DNS queries and SIP INVITEs) deluge servers to degrade and disrupt their normal functioning.

Asymmetric Attacks

"High-workload" requests that take a heavy toll on server resources such as CPU, memory or disk space.

Repeated Single Attacks

An isolated "high-workload" request sent across many TCP sessions: a stealthier way to combine asymmetric and request-flooding layer seven DDoS attacks.

Application-Exploit Attacks

The attack vectors here are vulnerabilities in applications, for instance, hidden-field manipulation, buffer overflows, scripting vulnerabilities, cross-site scripting, cookie poisoning, and SQL injection.

(Arbor Networks, Inc. 2012)

Layer seven DDoS methods

First and foremost, it's important to note that this means of attack completes the three-way TCP handshake, thereby evading devices and measures that protect against layer four DDoS attacks. These attacks often appear normal and fly under the radar. The second phase of the DDoS attack differs, however, contingent on the application type and the methodology chosen by the aggressive side. Some examples of HTTP attacks:

HTTP GET

This approach uses GET requests, which are meant to acquire particular data at a URL. Typing a URL into the browser's address bar also produces a GET request (Pornin, 2013).

HTTP GET flooding is when many of these requests, sometimes tens of thousands, are sent within a short period of time, attempting to drain server resources. Its very simplicity makes this type of DDoS attack the more common one.
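A GET flood leaves a characteristic trace in the web server's access log: one client issuing far more requests per time window than a person would, usually for the same URL. The following detector, an added example that is not part of the original article or of any vendor's product, parses Common Log Format lines and reports clients that exceed a request-rate threshold inside a sliding window, together with how concentrated their requests are on a single path. The sample log lines, the IP addresses and the threshold values are all constructed for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

# Common Log Format line, e.g.
# 192.0.2.10 - - [10/Oct/2013:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts.timestamp(),
            "method": m.group("method"), "path": m.group("path")}


def find_flooders(lines: Iterable[str], max_requests: int = 10,
                  window: float = 10.0) -> Dict[str, dict]:
    """Flag clients that exceed `max_requests` within any `window` seconds.

    Each client's lines are assumed to appear in chronological order, as in a
    live log. For every flagged IP the peak count seen inside one window and
    the most requested path are reported, since a GET flood typically hammers
    a single URL while a human browses several.
    """
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    paths = defaultdict(Counter)     # ip -> histogram of requested paths
    flagged: Dict[str, dict] = {}
    for rec in map(parse_line, lines):
        if rec is None:
            continue                 # skip unparseable lines rather than crash
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()              # drop timestamps that fell out of the window
        paths[rec["ip"]][rec["path"]] += 1
        if len(q) > max_requests:
            top_path, top_n = paths[rec["ip"]].most_common(1)[0]
            flagged[rec["ip"]] = {
                "peak": max(len(q), flagged.get(rec["ip"], {}).get("peak", 0)),
                "top_path": top_path,
                "top_share": top_n / sum(paths[rec["ip"]].values()),
            }
    return flagged


# Constructed sample log (not real traffic): one client issues 12 requests for
# the same URL within six seconds; a normal visitor issues three requests over
# half a minute; one line is deliberately malformed.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2013:13:55:{36 + i // 2:02d} +0000] '
    f'"GET /search?q=ddos HTTP/1.1" 200 5120'
    for i in range(12)
] + [
    '192.0.2.10 - - [10/Oct/2013:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2013:13:55:50 +0000] "GET /about.html HTTP/1.1" 200 1812',
    '192.0.2.10 - - [10/Oct/2013:13:56:05 +0000] "POST /contact HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, info in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: peak {info['peak']} req/window, "
              f"{info['top_share']:.0%} of requests for {info['top_path']}")
```

The threshold and window are deliberately parameters: a rate that is clearly abusive for a login page is normal for an API endpoint, so the values should be tuned per path or per application rather than applied globally.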

Other HTTP GET-based methods are HTTP Malformed Attacks, which dispatch invalid HTTP packets (e.g., the ZafiB worm), and HTTP Idle Attacks, which slowly send incomplete HTTP requests (Arbor Networks, Inc. 2012).

HTTP POST

This method employs HTTP POST requests, as used with forms, whose entire set of headers is sent correctly, including the Content-Length value. The distinction here is that the POST message body is sent at a very low rate (the announced Content-Length is transmitted byte by byte), which prevents the connection from completing properly (Imperva, 2012). Hence, practically any website that has forms accepting HTTP POST requests (for example, submitting feedback, logging in, uploading photo/video attachments, sending email, etc.) is susceptible to this method (The OWASP Foundation, 2010).

HTTP Slow Read

The modus operandi here works the other way around: the data isn't being pushed slowly to the server; instead, the malicious entity forces the targeted server to send a large amount of data, which is then read in a drawn-out, protracted manner. Once the connection is established, the attacker advertises a tiny TCP receive window, which compels the server to break the response down into many small fragments that fit the buffer size, leading eventually to extremely slow ongoing responses (Imperva, 2012).

As the author of this method says, "the idea of the attack I implemented is pretty simple; bypass policies that filter slow-deciding customers, send a legitimate HTTP request and read the response slowly, aiming to keep as many connections as possible active (Henderson, 2012, par. 3)."

Others

Although HTTP is the most targeted protocol, other application types are attacked as well, such as DNS dictionary attacks, VoIP (SIP INVITE flood attacks) and SMTP buffer overflow attacks (Arbor Networks, Inc. 2012).

Layer seven DDoS Tools

LOIC (Low Orbit Ion Cannon)

Originally created as a network stress testing application, LOIC is now a widely used open-source flooding tool employed for DDoS attacks by Anonymous. It generates illegitimate UDP, TCP, or HTTP (HTTP GET method) packets that inundate the web server under attack. For coordinated DDoS attacks, hacktivists often have recourse to the Hive Mind mode in order to harness a great number of computers. (http://security.radware.com/knowledge-center/DDoSPedia/loic-low-orbit-ion-cannon/)

IRC (Internet Relay Chat) allows remote control of many machines, as in botnets. No advanced IT literacy is needed to use LOIC, which predisposes it to drawing more people to hacktivists' causes. (http://ethicalhackingtech9.blogspot.com/2013/01/loic-low-orbit-ion-cannon-ddos-tool_11.html, 2013)

The mobile version of LOIC is an attack page containing JavaScript attack code, which is downloaded automatically to the visitor's browser and executed. The script then repeatedly requests a new image from the victim's web page, which remains under DDoS assault for as long as the attack page stays open in the visitor's browser.

The accessibility, simplicity, and normal appearance of this tool give a feeling of safety, especially to users who are concerned about breaking the law. (Imperva, 2012)

Speaking of legal implications, the use of LOIC isn't anonymous, which means that perpetrators may be identified by tracing the attacking IP addresses back through their ISPs. Attackers therefore sometimes route the strike through an anonymizer, such as Tor or I2P.

"If you try to run it through the Tor network…layer seven attacks... it's like a guided missile: it just sends a few packets that do not harm anything, and when it gets to the server, bang! The server becomes unavailable." (David B, 2012, par. 12)

R.U.D.Y. (R U Dead Yet?)

A perfect description is provided by http://www.ehacking.net (2011, par. 4):

"R-U-Dead-Yet, or RUDY for short, implements the generic HTTP DoS attack via long field submissions [HTTP POST]. This tool runs with an interactive console menu, automatically detecting forms within given URL, and allowing the user to choose which forms and form fields are desirable to use for the parameters within a configuration file. In version 2.x RUDY supports SOCKS proxies and session persistence using cookies when available."

Slowloris

Slowloris is a GET-based DDoS instrument founded on the concept of exhausting server resources with limited investment in the process. Since the sole target is usually the web server, other services being left untouched, this tool passes as stealthier than most. (Imperva, 2012)

Slowloris directly implements the HTTP GET attack posture. Once the penetration reaches the application zone, the attacker launches a multitude of requests with incomplete HTTP headers sent at long intervals. That's done in order to keep each HTTP connection open for as long as is needed to deplete the web server's threads or resources. (The OWASP Foundation, 2010)

When the server receives a partial HTTP header, it assumes that the user is on an unreliable, slow network and that the rest will arrive in fragmented packets. Instead, the request usually never gets completed and, "to express its gratitude for bad customer service," ties up the incoming lines.
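Both the slow POST method described earlier and Slowloris work by holding a server's connection slots rather than by volume, so the decisive defensive parameter is how long the server waits for an incomplete request. The simulation below is an added example, not code from the article or from any of the tools it names: it replays a constructed mix of never-completing Slowloris connections, one slow POST whose body trickles in over ten minutes, and ordinary visitors against a pool of worker slots, with and without a request-read timeout. All timings, client names and pool sizes are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Conn:
    """One client connection (constructed model, not a real socket)."""
    client: str
    arrives: float                 # seconds since the start of the scenario
    request_done: Optional[float]  # when the full request (headers and body) is in; None = never
    service: float = 0.2           # seconds of work once the request is complete


def simulate(conns: List[Conn], max_workers: int,
             request_timeout: Optional[float] = None) -> Dict[str, int]:
    """Replay connections against a pool of `max_workers` slots.

    A slot is held from arrival until the request completes and is served, or,
    when `request_timeout` is set, until the server gives up waiting for the
    rest of the request. Returns how many connections were served, timed out,
    left hanging forever, or rejected because no slot was free.
    """
    busy_until: List[float] = []   # one release time per occupied slot
    counts = {"served": 0, "timed_out": 0, "hung": 0, "rejected": 0}
    for c in sorted(conns, key=lambda x: x.arrives):
        # release slots whose occupant has finished or been reaped by now
        busy_until = [t for t in busy_until if t > c.arrives]
        if len(busy_until) >= max_workers:
            counts["rejected"] += 1
            continue
        wait = None if c.request_done is None else c.request_done - c.arrives
        if request_timeout is not None and (wait is None or wait > request_timeout):
            # server stops waiting for the incomplete request and frees the slot
            busy_until.append(c.arrives + request_timeout)
            counts["timed_out"] += 1
        elif wait is None:
            # no timeout configured: the slot is held for the rest of the run
            busy_until.append(float("inf"))
            counts["hung"] += 1
        else:
            busy_until.append(c.request_done + c.service)
            counts["served"] += 1
    return counts


def scenario() -> List[Conn]:
    """Constructed traffic: four Slowloris-style connections that never finish
    their headers, one slow POST whose body takes 600 s to arrive, and five
    ordinary visitors arriving a few seconds later."""
    slow_headers = [Conn(f"slowloris-{i}", 0.1 * i, None) for i in range(4)]
    slow_post = [Conn("slow-post", 0.5, 600.5)]
    visitors = [Conn(f"user-{i}", 5.0 + i, 5.0 + i + 0.05) for i in range(5)]
    return slow_headers + slow_post + visitors


if __name__ == "__main__":
    for timeout in (None, 30.0, 3.0):
        print(f"request_timeout={timeout}: {simulate(scenario(), max_workers=5, request_timeout=timeout)}")
```

With no timeout the five slow connections occupy every slot and all legitimate visitors are rejected; a generous 30 s timeout still leaves them rejected because the slots are only reclaimed after the visitors have arrived; only a timeout shorter than the gap between attack and legitimate traffic (3 s here) gets all five visitors served. Real servers express the same idea as a header-read deadline and a minimum body-receive rate, which is why the defence against slow POST is a rate floor rather than a fixed wait.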

Diagram 6


Slowloris isn't a flooding tool, and normally only a minimally distributed effort is needed for it to work. Some web servers that are vulnerable to this attack include Apache 1.x, Apache 2.x, dhttpd, and GoAhead WebServer. (http://www.bullten.com, 2011)

Regarding the Slowloris subject, an interesting case was the hunt for hacktivists participating in DDoS attacks on the U.S. Department of Justice, whitehouse.gov, and the music label UMG. That happened immediately after the arrest of Kim Dotcom in January 2012. An unknown hacker succeeded in smuggling a Zeus trojan into a publicly available Slowloris tool. As a result, every hacktivist who downloaded the application had their own PC compromised. (Bangeman, 2012)

Other Tools

  • Dirt Jumper – Method: HTTP flood, SYN flood, POST flood, and more
  • Tor's Hammer – Method: Slow POST
  • Nuclear DDoSer – Method: Slowloris, Slow POST
  • Railgun – Method: Slowloris or Slow POST

Conclusion

Just as everything in this paper revolves around the number seven, this conclusion provides seven basic things you should know about layer seven DDoS attacks:

  1. They attack the top layer of the OSI model.
  2. They have low bandwidth consumption.
  3. They have a legitimate and stealth appearance.
  4. They're mostly non-volumetric.
  5. They're increasingly popular.
  6. There are a variety of methods, targets, and open-source tools.
  7. They're difficult to defend against.

    Reference List

    Abliz, M. (2011). internet Denial of Service Attacks and Defense Mechanisms. Retrieved on 13/10/2013 from http://people.cs.pitt.edu/~mehmud/docs/abliz11-TR-11-178.pdf

    Arbor Networks, Inc. (2012). The Growing Threat of Application-Layer DDoS Attacks. Retrieved on 13/10/2013 from http://whitepapers.datacenterknowledge.com/content12127

    Bangeman, E. (2012). Slowloris DDoS tool used by Anonymous hacked to include Zeus trojan. Retrieved on 13/10/2013 from http://arstechnica.com/tech-policy/2012/03/slowloris-ddos-tool-used-by-anonymous-hacked-to-include-zeus-trojan/

    Beitollahi, H. & Deconinck, G. (2011). Tackling Application-layer DDoS Attacks. Retrieved on 13/10/2013 from http://www.esat.kuleuven.be/electa/publications/fulltexts/pub_2334.pdf

    Breaking Point Labs (2011). Application-Layer DDoS Attacks Are Growing: Three to Watch Out For. Retrieved on 13/10/2013 from http://blogs.ixiacom.com/ixia-blog/application-layer-ddos-attacks-growing/

    David B. (2012). Generations of DoS attacks 2: Layer 4, layer seven and Link-Local IPv6 attacks. Retrieved on 13/10/2013 from http://privacy-pc.com/articles/generations-of-dos-attacks-2-layer-4-layer-7-and-link-local-ipv6-attacks.html

    F5 Networks, Inc. (2013). Mitigating DDoS Attacks with F5 Technology. Retrieved on 13/10/2013 from http://www.f5.com/pdf/white-papers/mitigating-ddos-attacks-tech-brief.pdf

    Henderson, N. (2012). Slow Read DOS Attack Created by Software Engineer Shows HTTP Server Vulnerability. Retrieved on 13/10/2013 from http://www.thewhir.com/web-hosting-news/slow-read-dos-attack-created-by-software-engineer-shows-http-server-vulnerability

    http://www.bullten.com (2011). What is Slowloris DoS Attack and How to Mitigate Its Effect. Retrieved on 13/10/2013 from http://www.bullten.com/blog/what-is-slowiris-ddos-attack-and-how-to-mitigate-its-effect/

    http://ethicalhackingtech9.blogspot.com (2013). LOIC - Low Orbit Ion Cannon (DDoS) tool. Retrieved on 13/10/2013 from http://ethicalhackingtech9.blogspot.com/2013/01/loic-low-orbit-ion-cannon-ddos-tool_11.html

    http://unknownhad.wordpress.com (2013). What is DDoS layer seven and Layer 4 and Low-Rate DDoS. Retrieved on 13/10/2013 from http://unknownhad.wordpress.com/2013/03/16/what-is-ddos-layer-7-and-layer-4-and-low-rate-ddos/

    Imperva (2012). Denial of Service Attacks: A Comprehensive Guide to Trends, Techniques, and Technologies. Retrieved on 13/10/2013 from https://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf

    Katz, O. (2012). Protecting Against Application DDoS Attacks with BIG-IP ASM A Three Step Solution. Retrieved on 13/10/2013 from http://www.f5.com/pdf/white-papers/ddos-attacks-asm-tb.pdf

    Kenig, R. (2013). Why Low & Slow DDoS Application Attacks are Difficult to Mitigate. Retrieved on 13/10/2013 from http://blog.radware.com/security/2013/06/why-low-slow-ddosattacks-are-difficult-to-mitigate/

    LOIC (Low Orbit Ion Cannon). Retrieved on 13/10/2013 from http://security.radware.com/knowledge-center/DDoSPedia/loic-low-orbit-ion-cannon/


    Manthena, R. (2011). Application-layer Denial of Service. Retrieved on 13/10/2013 from http://forums.juniper.net/t5/Security-Mobility-Now/Application-layer-Denial-of-Service/ba-p/103306

    Pornin, T. (2013). What is HTTP GET/POST flooding attack? Retrieved on 13/10/2013 from http://security.stackexchange.com/questions/29220/what-is-http-get-post-flooding-attack

    Scanlon, P. (Arbor Networks, Inc.) (2012). DDoS Threat Trends and Data. Retrieved on 13/10/2013 from https://www.arbornetworks.com/docman-component/doc_download/500-arbor-2010-security-report-findings

    The OWASP Foundation (2010). H.....t.....t....p.......p....o....s....t [HTTP POST]. Retrieved on 13/10/2013 from https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

    Diagrams:

    Diagram 2 – Based on 4 Massive Myths of DDoS by Carl Herberger, Myth # 2 Graph. Retrieved on 13/10/2013 from http://blog.radware.com/security/2012/02/4-massive-myths-of-ddos/

    Diagram 3 – Based on Global DDoS Attack KEY METRICS by Prolexic. Retrieved on 13/10/2013 from http://www.prolexic.com/knowledge-center-ddos-attack-report-2011-2012-metrics-graph.html

    Diagram 4 – Based on information provided by Prolexic Technologies Inc. on page 9 of Prolexic Quarterly Global DDoS Attack Report Q2 2013. Retrieved on 13/10/2013 from http://www.prolexic.com/knowledge-center-ddos-attack-report-q2-2013-vs-q1-2013-metrics-graph.html

    Diagram 5 – Based on a graph provided by Imperva on page 3 of Denial of Service Attacks: A Comprehensive Guide to Trends, Techniques, and Technologies. Retrieved on 13/10/2013 from https://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf

    Dimitar Kostadinov

    Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar held a job in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.