Defending applications from complex and modern attacks

Rajiv Kapoor, Senior Product Marketing Manager, NGINX at F5 elaborates on DoS attacks and precautions that need to be taken against it. 

The earliest Denial-of-service (DoS) attacks flooded servers with requests for TCP or UDP connections (so‑called volumetric attacks) at the network and transport layers (Layers 3 and 4).

Increasingly, though, DoS attacks use HTTP/HTTPS requests or API calls to attack at the application layer (Layer 7). Bad actors also launch distributed denial-of-service (DDoS) attacks by linking many computers into a botnet that sends requests. With DDoS attacks, the possible number of requests is greater and the distributed nature of the attack makes it more difficult to identify the source of the requests and block them.

Across the world, DoS attacks are on the rise and negatively affecting user experiences:

• DoS attacks are among the most popular partly because of the proliferation of APIs
• Layer 7 attacks have increased by 20% in recent years, and the scale and severity of their impact has risen by nearly 200%.
• The digital shift prompted by COVID‑19 saw a surge in DDoS attacks in 2020.

Layer 7 attacks abuse apps, APIs, and other application resources in ways that hamper user experience and prevent you from collecting revenue. Proper DoS protection is therefore vital to ensure users can access the services they need without interruption.

A new kind of attack

Layer 7 cyberattacks have evolved in response to the increasing complexity of the Internet and sophistication of application architectures. Volumetric attacks at Layers 3 and 4 – for example, UDP reflection, and ICMP and SYN flooding – are not as prevalent as they used to be. Why? Infrastructure engineers have had years to build defense mechanisms. That makes them more expensive for attackers, in terms of time and money, so they’ve moved on.

However, Layer 7 attacks are more complex to design than network attacks, and many tools that can handle Layer 3/4 attacks don’t protect modern application architectures. Layer 7 DDoS attacks are more difficult to detect because bots and automation allow attackers to disguise themselves as legitimate traffic, especially when they’re using sophisticated security penetration tools. If a hacker can assemble a botnet – thousands of compromised machines under the hacker’s control – it’s easy to initiate attacks on a huge scale.

When most attacks are made at the application layer, you need regular insight into application behavior to establish baselines that help determine if traffic is malicious, and without burdening your security team.

Today, devices and applications are developed at unprecedented speed, and as environments shift into new landscapes, new vulnerabilities and opportunities for attacks arise.

For instance, devices used every day are fast becoming smart devices. According to Omdia, the total number of devices on the Internet of Things (IoT) reached 23.5 billion in 2020, and will likely reach 27.8 billion by the end of 2021. The more devices there are, the more vulnerabilities are exposed. As phones, TVs, and refrigerators become connected IoT devices, security controls are often overlooked, and the lack of controls makes for easy exploitation in botnets. With new developments and 5G capability on mobile devices, DoS attacks have increased significantly.

Modern landscapes require modern solutions.

The high cost of layer 7 attacks

With the world on lockdown during most of 2020, consumers bought more products online, and enterprises had to accelerate their digital transformation to keep pace with demand. Unfortunately, cyber attackers exploited the increased reliance on the Internet, and DDoS attacks surged too.

Layer 7 attacks are cheap to launch, but expensive to mitigate for the site owner, and without protection, recovery from an attack can take from days to weeks.

So, what is the ideal solution? What are the key components that protect against Layer 7 attackers?

On a basic level, you need a tool that recognizes when your site is under attack – something that’s able to distinguish between legitimate and malicious traffic. It must be able to do this not just in traditional environments with their more unified structure, but also in modern, distributed app architectures employing microservices and Kubernetes. With the shift away from monolithic applications, a new approach must be used that is as adaptive and dynamic as the modern environments it protects.

This means DoS protection that works in both current and future landscapes. Today’s attackers are constantly changing their strategies, so attack‑prevention mechanisms must be able to observe changing user and service behavior and adapt continuously in response.

Crucially, teams need adaptable and powerful protection, focusing on safety, security, and speed. This should include:

• Seamless integration. Strong security controls that integrate seamlessly into modern infrastructure architectures is key.
• High performance. A solution’s performance impact on customer experience and the application itself must be minimal to nil, both under normal conditions and during an attack. Continuous monitoring and real‑time signatures with zero‑day attack protection will ensure optimum application performance and effective attack mitigation.
• Agile security. A solution needs to be integrated into continuous integration and development pipelines, removing operational inefficiencies by automatically baselining and entering blocking mode once new code is deployed. Security can then be automated to facilitate a ‘security as code’ integration with DevOps tools, which prevents it from slowing down app innovation.
• Attack prevention. Cyber attackers may adjust their tactics, so a dynamic solution is needed. With embedded tools for learning from user and service behavior, Layer 7 security can react to attackers before any damage is incurred. Any behavior anomaly that is detected has a mitigation deployed automatically.
• Reduced‑cost speed. CI/CD takes the deployment burden off developers so they can focus on delivering features, fast. It also enables emerging DevSecOps teams to integrate security into automated app delivery. No‑touch configuration enables cost‑effective protection at scale for distributed app and API environments like microservices and removes friction between DevOps and SecOps teams.

Remember, when it comes to Layer 7 DoS protection, it’s essential to integrate flexible and adaptive products that can endure modern, ever‑changing landscapes. Business owners deserve the confidence that – with every digital shift – their site remains accessible, fast, and safe.