The Surge in Layer 7 DDoS Attacks: Unmasking the Growing Threat

By Chirag Raichura, Regional Director – Enterprise, India, Radware

In the ever-evolving landscape of cybersecurity, DDoS attacks remain a persistent and concerning threat. According to Radware’s 2023 H1 Global Threat Analysis Report, Web DDoS attacks have become more sophisticated, utilizing high Request Per Second (RPS) traffic while randomizing multiple elements of the request to create seemingly legitimate traffic. This tactic has found favour with numerous hacktivist groups, including Anonymous Sudan and NoName057(16). Hacktivists constitute a major part of the L7 DDoS problem. While the total number of DDoS events decreased by 33% compared to the first half of 2022 and the average attack volume per customer per month declined by 70%, the number of malicious web application transactions skyrocketed by 500%. In 2022 we observed a near-linear growth in the number of malicious web transactions per quarter; in H1 2023 this growth accelerated exponentially. While the number of DDoS events in H1 2023 was below the number for H1 2022, it surpassed the total for the whole of 2021.

While DDoS attacks targeting Layer 3 and Layer 4 have long been a menace, the cybersecurity landscape has witnessed a concerning trend – a significant increase in Layer 7 DDoS attacks. Layer 7 attacks target the application layer of the OSI model, making them particularly challenging to mitigate. This surge in Layer 7 DDoS attacks has raised alarm bells in the cybersecurity community, prompting experts to examine the reasons behind this rise in malicious activity.

Understanding Layer 7 DDoS attacks

In the world of networking and the OSI (Open Systems Interconnection) model, Layer 7, also known as the Application Layer, plays a pivotal role in ensuring effective communication and data exchange between devices and systems. This layer, situated at the top of the OSI model, holds immense importance as it directly interacts with end-users and their applications. Unlike traditional DDoS attacks that flood network infrastructure, Layer 7 attacks exploit vulnerabilities in web applications and services, overwhelming them with malicious traffic that mimics legitimate user requests. These attacks are more challenging to detect and mitigate because they often appear as legitimate traffic.

Reasons behind the surge in Layer 7 DDoS attacks

• Complexity of Modern Web Applications: Modern web applications have become increasingly complex, with rich features, APIs, and integrations. This complexity provides attackers with a larger attack surface and numerous potential vulnerabilities to exploit. Layer 7 attacks take advantage of these complexities, making them an attractive choice for cybercriminals.
• Evolving Attack Techniques: Attackers are continually refining their techniques. They use sophisticated tools and botnets to carry out Layer 7 attacks that are challenging to distinguish from legitimate user traffic. These techniques can include slow-rate attacks, application-specific attacks, and even multi-vector attacks that combine Layer 7 tactics with other attack vectors.
• Motivated Attackers: The motives behind DDoS attacks have evolved beyond simple disruption. Attackers may seek financial gain, revenge, or even political objectives. Layer 7 attacks can be particularly effective for achieving these goals because they can disrupt critical services and damage a target’s reputation.
  Cloud Services and Content Delivery Networks (CDNs): While cloud services and CDNs provide numerous benefits, they can inadvertently make web applications more susceptible to Layer 7 attacks. These services often serve as a buffer between attackers and the target, making it more difficult to identify malicious traffic.
• The Pervasiveness of Open APIs: Open APIs enable applications to interact and share data, but they can also expose vulnerabilities if not properly secured. Attackers may exploit weak API security to launch Layer 7 attacks.

Key characteristics of Application Layer DDoS attacks:

• Application-Level Targeting: Application layer DDoS attacks are designed to exploit vulnerabilities in web applications themselves. Attackers often send seemingly legitimate HTTP/HTTPS requests to exhaust server resources, rendering the application inaccessible to legitimate users.
• Low Traffic Volume: Unlike network-layer DDoS attacks, which rely on massive traffic volumes, application-layer attacks can be executed with relatively low traffic levels. Attackers aim to maximize the impact by targeting specific vulnerabilities in the application.
• Complexity: These attacks can be highly sophisticated, mimicking legitimate user behavior to bypass security measures. Common techniques include slow HTTP requests, low-and-slow attacks, and GET/POST floods.
• Resource Consumption: Application layer attacks consume server resources such as CPU, memory, and bandwidth, making them harder to mitigate compared to volumetric attacks that primarily rely on traffic filtering.
• Stealthy Nature: Attackers often blend malicious requests with legitimate ones, making it challenging to distinguish between genuine and malicious traffic, leading to false positives in mitigation.

There are 4 mechanisms behind Application Layer DDoS attacks

• HTTP Floods: Attackers send a high volume of HTTP requests to a web server, overloading it and causing service degradation or outage. These requests may be legitimate GET or POST requests but are issued in an overwhelming volume.
• Slowloris Attacks: In a Slowloris attack, the attacker opens multiple connections to the target server and sends partial HTTP requests. By keeping these connections open for extended periods, the attacker consumes server resources until it becomes unresponsive.
• HTTP POST Flood: Attackers send a high volume of HTTP POST requests to a specific URL, potentially causing the application to exhaust its resources while processing these requests.
• API Attacks: Modern web applications often rely on APIs to function. Attackers may target these APIs with excessive requests, affecting the application’s core functionality.

Layer 7 DDoS attacks pose a significant threat to web applications and can be challenging to detect and mitigate due to their ability to mimic legitimate traffic. However, with the right combination of security measures and best practices, organizations can bolster their defenses against these attacks.

• Traffic Analysis and Rate Limiting
• Web Application Firewalls (WAFs)
• Content Delivery Networks (CDNs)
• Load Balancers
• Intrusion Detection Systems (IDS)
• Application Security Testing
• Regular Security Audits

DDoS attacks on the application layer pose a significant threat to online services and businesses. These attacks are not only disruptive but can also damage an organization’s reputation and revenue. With the right combination of security measures and best practices, organizations can bolster their defenses against these attacks. A multi-layered approach that includes WAFs, rate limiting, monitoring, and CDN services can help protect your web infrastructure and ensure its availability to legitimate users while mitigating the impact of Layer 7 DDoS attacks. As the threat landscape continues to evolve, staying informed and implementing robust security measures is crucial to safeguarding your digital assets and ensuring uninterrupted service delivery.