Author: Rishi Agarwal, Chief Evangelist, NSFOCUS
When the news reports on DDoS attacks, it is generally referring to large-scale network attacks that are focused on Layer 3 and 4 of the network stack. However, from a mitigation point of view, network layer attacks are not sophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?
On the other hand, the application/Layer 7 attack is a completely different animal. When defending against these stealthy and complex methods, success does not depend on how big you are, but rather how smart your security technology is and how well it can be utilized.
The Invisible Attack
Successful mitigation of the Layer 7 DDoS attack relies on the ability to accurately profile incoming traffic – to distinguish between humans, human-like bots and hijacked Web browsers and connected devices, such as home routers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that—if done right—the attack will remain transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application layer attacks.
While network attacks over-exercise specific functions or features of a website with the intention of disabling them, an application-layer attack is different because many vulnerabilities that exist in the proprietary code of Web applications are unknown to existing security defense solutions.
The Cloud and pervasive cloud-based platforms that are becoming the new normal in application development have increased the attack surface for many organizations. In order to defend against the ever-changing DDoS landscape, developers need to integrate security measures while in the development phase of the application itself.
To assist in defending against Web threats, the Open Web Application Security Project (OWASP) was created. It releases some of the most critical risks facing organizations in its “Top Ten Most Critical Web Application Security Risks.”
While the report outlines ten of the most prevalent application-layer risks, this information is only released every three years. In the meantime, new and more sophisticated attack methods are being perpetrated at an alarming rate. Until developer’s ingrain security solutions into their products, it will be up to security teams to be ever vigilant by implementing solutions that are designed to identify anomalous behavior in the network upon ingress.
Best Practices to Protect Critical Applications.
If you are a software developer or cyber security professional it is vital that the following best practices be followed, at a minimum.
- Educate yourself on the threats – Become familiar with Web application security risks that have already been identified. The OWASP Top-10 Web application security risks list is a great start.
- Review your organization’s policies as they relate to content and security – Is there a valid plan for protecting company data assets from DDoS attacks? Is it current? Are you meeting compliance regulations? Are all company divisions involved? Remember, representation from business, IT and security should all be a part of the software development lifecycle.
- Speak with a security expert – Gain insight from the experts in the field. Whether it’s an analyst firm or a solution provider, look to the professional to learn what best practices are recommended in today’s threat environment and develop a mitigation plan that accounts for all threats, including the hard-to-spot Layer-7 DDoS attack.
- Install equipment that secures the network from within– This needs appliances that are custom built to detect and mitigate Application Layer -7 attacks intelligently and quickly. Such protection is available as-a-feature of other network /security appliances, but complete protection requires custom build anti-DDoS appliances.
In summary, application layer attacks are here to stay and grow in frequency and complexity. It may not be economical to develop new applications from ground up. Therefore, secure application development policies need to be complemented by dedicated security appliances for complete “peace of mind” protection.