DDoS Attacks Increase by 75%: Verisign

August 30, 2016 Marketing GrafWebCUSO

Distributed denial of service attacks are a reality for today’s web-reliant organizations including credit unions. In Q2 2016, DDoS attacks continued to become more persistent, intricate and multi-vectored.

Reston, Va.-based Verisign’s Distributed Denial of Service Trends Report for the second quarter of 2016 revealed that 64% of the DDoS attacks mitigated from April 1, 2016 through June 30, 2016 employed multiple attack types, indicating that DDoS attacks continue to increase in complexity and, as a result, require more time and effort to resolve.

The report also indicated the number of attacks increased 75% year over year. The top three industries targeted, according to the report, are IT services/cloud/SaaS, 45%; financial services, 23%; and public sector, 14%.

In Q2 2016, Verisign observed a growing trend of low-volume application layer, also known as Layer 7, attacks that probe for vulnerabilities in code, employing various techniques to use HTTP/S field headers within request packets in order to disable the application. These attacks are frequently coupled with high-volume User Datagram Protocol (UDP) flood attacks to distract the victim from the Layer 7 attack component.

“These types of sophisticated low-bandwidth DDoS attacks are a form of denial of service attack that typically uses less traffic but increases its effectiveness by aiming at a weak point in the victim’s system design,” the report said. These attacks often utilize SQL injection, a code injection technique, to attack data-driven applications by inserting nefarious SQL statements into the request entry fields for execution. The malicious requests typically include long host values in the request.

Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify, and they frequently require multiple, advanced filtering techniques. The application layer consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic.

Verisign’s recent trends report showed that DDoS attacks are becoming more sophisticated and complex. One example found an attack launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States. Once the attackers recognized the mitigation of the volumetric attack, they progressed to Layer 7 HTTP/HTTPS attacks. 

Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests typically using the following methods:

  • Basic HTTP Floods: Requests for URLs with an old version of HTTP no longer used by the latest browsers or proxies.
  • WordPress Floods: WordPress pingback attacks where the requests bypassed all caching by including a random number in the URL to make each request appear unique.
  • Randomized HTTP Floods: Requests for random URLs that do not exist – for example, if www.example.com is the valid URL, the attackers were abusing this by requesting pages like www.example.com/loc id=12345, etc.
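The three request patterns in the list above each leave a distinct trace in a web server access log. The following is an added example, not code from the Verisign report: it assumes Combined Log Format, illustrative thresholds (`min_requests`, `ratio`), and that pingback requests carry a user agent beginning with `WordPress/`; all sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format (assumed): ip - - [time] "METHOD target HTTP/x.y" status size "referer" "agent"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
                  r'HTTP/(?P<ver>[\d.]+)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(lines, min_requests=3, ratio=0.8):
    """Map each of the three flood patterns to the set of client IPs showing it."""
    stats = defaultdict(lambda: {"n": 0, "old": 0, "miss": set(), "wp": defaultdict(set)})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        s, url = stats[m["ip"]], urlsplit(m["target"])
        s["n"] += 1
        if m["ver"] in ("0.9", "1.0"):        # protocol version current browsers do not send
            s["old"] += 1
        if m["status"] == "404":              # distinct targets that do not exist
            s["miss"].add(m["target"])
        if m["ua"].startswith("WordPress/") and url.query:
            s["wp"][url.path].add(url.query)  # same path, ever-changing query: cache bypass
    found = {"basic": set(), "wordpress": set(), "randomized": set()}
    for ip, s in stats.items():
        if s["n"] < min_requests:
            continue  # too little traffic from this client to judge
        if s["old"] / s["n"] >= ratio:
            found["basic"].add(ip)
        if any(len(queries) >= min_requests for queries in s["wp"].values()):
            found["wordpress"].add(ip)
        if len(s["miss"]) / s["n"] >= ratio:
            found["randomized"].add(ip)
    return found

def sample_line(ip, target, ver="1.1", status=200, ua="Mozilla/5.0"):
    return f'{ip} - - [30/Aug/2016:10:00:00 +0000] "GET {target} HTTP/{ver}" {status} 512 "-" "{ua}"'

# Constructed sample traffic (documentation address ranges), not taken from the report.
SAMPLE = (
    [sample_line("192.0.2.10", "/", ver="1.0") for _ in range(4)]
    + [sample_line("198.51.100.7", f"/?{n}", ua="WordPress/4.5; http://blog.example; verifying pingback")
       for n in (48213, 9912, 70455)]
    + [sample_line("203.0.113.5", f"/loc?id={n}", status=404) for n in (12345, 12346, 12347)]
    + [sample_line("192.0.2.99", path) for path in ("/", "/about", "/contact")]
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Per-client counting is the simplest view; against a well-distributed botnet the same counters are more useful when aggregated per URL path or per time window.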

Verisign suggested the challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic, which can make it harder to defend against the volumetric attacks. As Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers need to have a dynamic mitigation strategy in place. Layer 7 visibility, along with proactive monitoring and advanced alerting, are critical to defend against increasing Layer 7 threats effectively.

As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, Verisign recommended that they also consider whether the solution could detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site.