What are the differences between DDoS attacks on the application layer and the network layer

November 13, 2023 | NSFOCUS

The market for services protecting against distributed denial of service attacks, or Anti-DDoS, has a significant focus on mitigating attacks aimed at the network layer of companies’ infrastructure.

In this type of attack, infected hosts are commonly used to generate requests with no intention of real communication. The goal is to flood internet transmission links with an excessive number of packets, creating more traffic than these links can handle. In other words, the illegitimate traffic becomes much greater than the capacity the link has under contract, or even what it can physically support, rendering the service unavailable.

For this reason, despite the wide variety of strategies and protocols used in DDoS attacks at the network layer, this type of attack is easier to detect and mitigate. Sometimes it draws so much attention from a company’s infrastructure team that it is also used as a ‘smokescreen’: while it diverts attention to its countermeasures, other undetected vulnerabilities are exploited simultaneously.

In application layer DDoS attacks, attackers use more sophisticated mechanisms. They do not flood the network with traffic or sessions but slowly deplete resources of specific applications or services within that layer. These attacks can be effective even with low traffic rates, and from the protocol’s perspective, the involved traffic may appear legitimate, making them even harder to detect. Examples of application layer attacks include HTTP floods and Slowloris attacks.

For defense against application layer attacks, NSFOCUS has developed customized algorithms based on the traffic characteristics of different layers. For instance, in the case of an HTTP Flood, if a botnet uses tools to launch an attack with a real TCP/IP protocol stack, TCP/IP source authentication alone cannot recognize it as an attack.

Therefore, it is necessary to enable source authentication at the application layer, such as using an HTTP 302 response to redirect requests and verify whether the browser sending the request is trustworthy. Only real browsers have a complete mechanism for verifying the HTTP protocol stack, and through this authentication, one can determine whether the traffic at that moment is legitimate or not.
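The 302 source authentication described above can be sketched as follows. This is an added example, not NSFOCUS code or its algorithm: the `_auth` parameter name, the HMAC token format, the 30-second lifetime and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, rotated in practice
TOKEN_TTL = 30                    # assumption: seconds a challenge stays valid
PARAM = "_auth"                   # hypothetical query parameter carrying the token

def _sign(client_ip, issued):
    # Bind the token to the source address and issue time so it cannot be
    # replayed from another address or after it has expired.
    msg = f"{client_ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def issue_token(client_ip, now):
    issued = int(now)
    return f"{issued}.{_sign(client_ip, issued)}"

def token_valid(client_ip, token, now):
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False  # malformed token: treat as unauthenticated
    fresh = 0 <= now - issued <= TOKEN_TTL
    expected = _sign(client_ip, issued)
    return fresh and hmac.compare_digest(sig.encode(), expected.encode())

def handle(client_ip, url, now=None):
    """Return (status, headers) for one GET request seen by the filter."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    token = query.pop(PARAM, [None])[0]
    if token and token_valid(client_ip, token, now):
        return 200, {"X-Source-Auth": "passed"}  # would be forwarded to the origin
    # No token, or a bad one: redirect to the same resource with a fresh token.
    # A client that never processes the 302 keeps landing here.
    query[PARAM] = [issue_token(client_ip, now)]
    location = f"{parts.path}?{urlencode(query, doseq=True)}"
    return 302, {"Location": location}
```

Any client that follows redirects passes this check, so on its own it only filters tools that send requests without processing the HTTP response.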

If you have any questions or want to know more about NSFOCUS solutions, please contact our team!