
Brad Christian
Senior Search Engine Optimization Specialist

Understanding Layer 7 DDoS Attacks
Layer 7 DDoS attacks target the application layer, where users and applications directly interact, such as web browser traffic. These sophisticated attacks use a variety of methods to take down applications. These attacks are often more difficult to detect early as they do not typically cause network congestion or deplete available bandwidth.
How Layer 7 Attacks Work
Layer 7 DDoS attacks aim to exploit vulnerabilities in particular applications or services by overwhelming resources via large volumes of malicious requests masked as legitimate user traffic. This leads to disrupted services, making the target website or application unavailable to real users. In targeting applications, these attacks can have a significant impact on user experience, leading to frustrated customers and employees.

Common Types of Layer 7 DDoS Attacks
To disrupt user-facing applications and services, attackers strategically select DDoS attack vectors that surgically target the services that allow these applications to function properly. Common application layer attack vectors leveraged include:
- HTTP Flood: These attacks flood a web server or application with what appear to be legitimate HTTP GET or POST requests, often relying on a botnet. The goal is to make the target server or application allocate as many resources as possible to responding to each request, leaving minimal resources available to legitimate users. HTTP flood traffic is virtually indistinguishable from legitimate user traffic because it uses standard URL requests.
- Slowloris Attacks: These attacks use partial HTTP requests to open connections between a single computer and a target web server. The attacker then keeps each connection open as long as possible to overwhelm and slow down the target. A Slowloris attack requires minimal bandwidth to launch, impacts only the direct target, and can be used against many types of web server software.
- DNS/NXDOMAIN Floods: Also known as a DNS water torture attack, an NXDOMAIN flood occurs when an attacker overwhelms the target domain name system (DNS) server with a large volume of requests for invalid or non-existent records. Both the authoritative and proxy DNS servers then spend the majority of their resources handling the bad requests, which slows responses to legitimate requests and ultimately leaves the servers unable to handle any new requests at all.
Layer 7 vs Layer 3 vs Layer 4 Attacks
Layer 3 and layer 4 DDoS attacks, which target the network and transport layers, are often volumetric attacks that aim to send as much malicious traffic through network infrastructure as possible. Layer 7 attacks are more sophisticated: they target specific functions or features of a web application or service. The requests they send require complex server processing, which can cause disruptions with far less traffic being sent; layer 7 attacks use a scalpel-like approach instead of pure flooding.
Identifying Layer 7 Attacks
To identify a layer 7 attack, teams should look for some telltale signs. These include unusual, sudden traffic spikes from specific IP addresses. Another sign that an attack is occurring is suspicious traffic from unusual or unexpected geographic locations. Rising latency, increased CPU or memory usage, or slower response times may also indicate an attack, because key resources are being consumed by the attack traffic. Connection issues are another telltale sign, as the resources needed to establish key connections are unavailable to handle legitimate user traffic.
The use of specialized tools and technology can also help detect attacks. Web Application Firewalls (WAFs) can analyze and filter traffic, detecting anomalous behavior and warning of attacks. That said, layer 7 attacks are designed to mimic legitimate user behavior, making them difficult to detect.
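The first and third signs above (a per-IP traffic spike and rising response times) can be checked directly against access logs. The following Python sketch is an added example, not NETSCOUT code; the log layout, thresholds, function names and sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Assumed log layout (constructed for this example, not a real server format):
#   <ip> [<ISO-8601 time>] "<METHOD> <path>" <status> <response_ms>
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+)" (\d{3}) (\d+)$')

def parse(line):
    """Return (ip, time, response_ms), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), datetime.fromisoformat(m.group(2)), int(m.group(6))

def analyze(lines, window_s=10, max_per_ip=5, sample=3, slow_factor=3.0):
    """Return (spiking, degraded) for time-ordered log lines.

    spiking: IPs whose peak request count in any window_s window > max_per_ip.
    degraded: median latency of the last `sample` requests exceeds
    slow_factor times the median of the first `sample` requests.
    """
    window = timedelta(seconds=window_s)
    recent, peak, latencies = defaultdict(deque), defaultdict(int), []
    for ip, ts, ms in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop requests that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        latencies.append(ms)
    spiking = {ip: n for ip, n in peak.items() if n > max_per_ip}
    degraded = (len(latencies) >= 2 * sample and
                median(latencies[-sample:]) > slow_factor * median(latencies[:sample]))
    return spiking, degraded

def sample_log():
    """Constructed traffic: two ordinary clients, one client bursting on /search."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    rows = [("198.51.100.10", 0, "/", 80), ("198.51.100.11", 3, "/about", 90),
            ("198.51.100.10", 20, "/cart", 85)]
    rows += [("203.0.113.7", 30 + i * 0.5, "/search", 200 + 300 * i) for i in range(8)]
    rows.append(("198.51.100.11", 35, "/", 2600))
    lines = [f'{ip} [{(t0 + timedelta(seconds=s)).isoformat()}] "GET {p}" 200 {ms}'
             for ip, s, p, ms in rows]
    return lines + ["not a log line"]   # malformed input is skipped, not fatal

if __name__ == "__main__":
    print(analyze(sample_log()))
```

A per-IP threshold only catches concentrated sources; traffic spread across a botnet stays under it, which is why the latency check runs over all requests rather than per client.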
How NETSCOUT Helps Protect Against Layer 7 Attacks
NETSCOUT's Arbor DDoS protection solution is designed to protect against all types of DDoS attacks, including layer 7 attacks. In addition to traditional DDoS protection techniques, such as rate limiting, the Arbor DDoS solution set is armed with real-time threat intelligence to automatically detect and mitigate the latest DDoS threats. Featuring both cloud-based DDoS protection and on-premises DDoS solutions, security teams can protect all areas of the most complex networks in the world from all types of attacks.