Application DDoS attacks are distributed denial of service (DDoS) attacks designed to make online application services unavailable by overwhelming them with a flood of requests. The surge in traffic exhausts the resources of the machines and networks serving the application, so that they can no longer process incoming requests and are effectively taken offline. The traffic is usually generated by compromised computers, servers, and internet of things (IoT) devices that have been conscripted into a botnet.
There are three basic types of DDoS attack: volume-based, protocol-based, and application-level. Volume-based attacks are generally measured in bits per second, protocol-based attacks in packets per second, and application-level attacks in requests per second.
Volume-based attacks include UDP floods, ICMP floods, and other floods of spoofed packets designed to saturate and exhaust the bandwidth of the targeted IP address. Protocol attacks include SYN floods, the "Ping of Death," and similar tactics that exhaust connection-state tables or exploit weaknesses in protocol handling; they generally target servers and intermediate communication equipment such as firewalls and load balancers.
Application-level DDoS attacks, also referred to as layer 7 (L7) DDoS attacks, target the processes executing at the topmost, application, layer of the Open Systems Interconnection (OSI) networking model. They exercise application protocols such as HTTP, FTP, SMTP, and Telnet, together with the back-end work, such as database access, that requests over those protocols trigger.
An application DDoS attack may target the processes that generate web pages in response to ordinary HTTP requests. A single HTTP request is small, but the work the server must do to answer it (rendering a page, running a database query, processing an upload) may be many times larger. Threat actors exploit this asymmetry by flooding the server with requests to its most expensive endpoints, so that it can no longer respond to legitimate requests in any practical timeframe. Typical targets are website forms: login, photo/video upload, feedback submission, and the like.
Application DDoS attacks are often difficult to detect and diagnose because each request looks like legitimate website traffic. Even the simplest L7 attacks, such as hammering a login page with random user IDs and passwords, or issuing a stream of random searches against a dynamic website, can critically overload CPUs and databases. In addition, threat actors can vary the request patterns of an application-level attack (user agents, paths, parameters, timing), so static signatures quickly stop matching and the attack becomes harder to detect and stop.
L7 attacks overuse website features in a targeted attempt to make those features inoperable under the resulting load. Application DDoS attacks have also been used as a diversion, occupying the information technology (IT) and security operations center (SOC) teams while a data breach is carried out elsewhere.
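The two points above, that a cheap request can trigger expensive server work and that flood traffic looks legitimate request by request, are what a detector has to account for. The following is an added example, not code from the original page or from Bugcrowd, showing one way to do that over web-server access logs: instead of counting raw requests per client, it weights each request by an assumed relative back-end cost per endpoint (the `ENDPOINT_COST` table and its values are illustrative assumptions), sums that cost over a sliding time window per client IP, and flags clients whose windowed cost crosses a threshold. The log lines are constructed for the example and use documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (combined log format, documentation-range IPs,
# no real hosts or users). 203.0.113.7 behaves like an L7 flood: repeated
# failed logins plus searches with ever-changing terms, all within six seconds.
# The other two clients browse normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:00 +0000] "GET /search?q=zq91k HTTP/1.1" 200 8120
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /search?q=m7x2p HTTP/1.1" 200 8120
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /search?q=vv03a HTTP/1.1" 200 8120
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /search?q=r8ln4 HTTP/1.1" 200 8120
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:04 +0000] "GET /search?q=t5qwe HTTP/1.1" 200 8120
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Jun/2024:12:00:05 +0000] "GET /search?q=k02jd HTTP/1.1" 200 8120
198.51.100.4 - - [10/Jun/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5310
198.51.100.4 - - [10/Jun/2024:12:00:03 +0000] "GET /about HTTP/1.1" 200 4200
198.51.100.4 - - [10/Jun/2024:12:00:06 +0000] "GET /search?q=pricing HTTP/1.1" 200 8120
198.51.100.9 - - [10/Jun/2024:12:00:02 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [10/Jun/2024:12:00:04 +0000] "GET /dashboard HTTP/1.1" 200 9900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

# Assumed relative back-end cost per endpoint (illustrative weights, not from the
# page): a login POST or a search GET costs the server far more than a static
# page, which is exactly the asymmetry an HTTP flood exploits. Unknown paths
# are treated as cheap.
ENDPOINT_COST = {"/login": 20.0, "/search": 15.0, "/upload": 30.0}
DEFAULT_COST = 1.0


def parse_line(line):
    """Parse one combined-log-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]  # strip query string, keep the route
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "status": int(m["status"]),
    }


def score_clients(lines, window_seconds=10, cost_threshold=100.0):
    """Per client IP, compute the largest cost-weighted request volume seen in
    any window of `window_seconds`, plus the share of 4xx responses. A client
    is flagged when that windowed cost exceeds `cost_threshold`."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    reports = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        max_cost = running = 0.0
        start = 0
        for event in events:
            running += ENDPOINT_COST.get(event["path"], DEFAULT_COST)
            # Slide the window start forward until the span fits in window_seconds.
            while (event["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                running -= ENDPOINT_COST.get(events[start]["path"], DEFAULT_COST)
                start += 1
            max_cost = max(max_cost, running)
        errors = sum(1 for e in events if 400 <= e["status"] < 500)
        reports[ip] = {
            "requests": len(events),
            "max_window_cost": max_cost,
            "error_ratio": errors / len(events),
            "flagged": max_cost > cost_threshold,
        }
    return reports


def flagged_clients(lines, **kwargs):
    """Sorted list of client IPs that score_clients() flagged."""
    return sorted(ip for ip, r in score_clients(lines, **kwargs).items() if r["flagged"])


if __name__ == "__main__":
    for ip, report in score_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

On the sample, the flooding client issues only twelve requests in six seconds, a rate a plain per-IP request counter might well accept, but its cost-weighted window totals 210 against 17 and 21 for the two ordinary clients, and half of its responses are 401s from the login form. In production the cost table would come from measured per-route latency or CPU time, the window state would live in a shared store, and the error ratio and per-route novelty would feed a score rather than a single threshold; the sliding-window logic itself carries over unchanged.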
Motivations driving application DDoS attacks vary substantially but are similar to those for any other type of DDoS. Financial considerations are often a key driver, typically taking the form of extortion, with a ransom demanded from the targeted business. In some cases the targeted business is under attack by a competitor that has rented DDoS-for-hire resources and launched an anonymous attack. In other cases the attack comes from a current or former employee, or from someone who views a DDoS attack as a prank. Hacktivism is often a driver for DDoS activity in support of a political or personal cause. Finally, nation-states engaged in cyber warfare may be behind DDoS attacks that target opposing political views and adversary countries.