Application layer attacks (infrastructure layer)
These attacks are used when the goal is to seize or disable the victim’s hardware resources: physical resources such as RAM or processor time. There is no need to saturate the bandwidth; it is enough to overload the victim’s processor, in other words to consume all of its processing time.
Types of application layer DDoS attacks
• Sending large packets directly to the processor. The device cannot keep up with the resulting calculations and starts to crash, preventing visitors from accessing the site.
• Using a script, the server is flooded with unnecessary content (log files, user comments, etc.). If the system administrator has not set a limit on the server, the attacker can create very large batches of files that fill the entire hard disk.
• Problems with the quota system: some servers use a CGI (Common Gateway Interface) to communicate with external programs. An attacker who gains access to the CGI can write a script of his own that consumes resources such as processor time.
• Unvalidated visitor data: this also leads to prolonged or even endless consumption of CPU resources, to the point of exhaustion.
• Type II attack pattern: it causes a false alarm in the protection system, which may automatically cut the source off from the outside world.
Application Layer Attacks
An application layer DDoS attack exploits defects in the application’s code that expose the software to external threats. A common example is the Ping of death (sending oversized ICMP packets to the victim’s computer, causing a buffer overflow). But professional hackers rarely resort to a method as simple as bandwidth congestion. To attack the complex systems of large companies, they try to fully understand the structure of the server and write a program, a chain of commands or a piece of code that takes advantage of a vulnerability in the victim’s software and is then used to attack the computer.
1. DNS server software is the first targeted group. Attacks against it include common types of cybercrime such as zero-day attacks and Fast Flux DNS.
One of the most common types of DNS attack is DNS spoofing. Here the attackers change the IP address in the server’s cache and redirect the user to a fake page. During the redirection, the attacker gains access to the user’s personal data and can use it to his advantage. For example, in 2009, users were unable to access Twitter for an hour because of DNS spoofing. That attack was political in nature: the cybercriminals who attacked the social network’s homepage left warnings from Iranian hackers about American aggression.
2. The second group is DDoS attacks that cause DNS servers to fail. If they fail, the user cannot navigate to the requested page, because the browser cannot find the IP address that belongs to the site.
DDoS Prevention and Protection
Most companies around the world are exposed to denial-of-service attacks every month, and the number of such attacks can reach 50. Site owners who do not protect their servers against DDoS attacks not only suffer heavy losses, but also lose customer trust and competitiveness in the market.
The most effective protection against DDoS attacks is filtering installed by the provider on high-bandwidth Internet channels. The filters continuously analyse all traffic and detect suspicious network activity or errors. They can be installed both at the router level and as dedicated hardware devices.
1. Consider the site’s security already at the development stage. Check your software carefully for bugs and vulnerabilities.
2. Update your software regularly, and consider rolling back to a previous version if an update causes problems.
3. Enforce access restrictions. Administrative services should be completely closed to third-party access. Protect the administrator account with strong passwords and change them frequently. Delete the accounts of departing employees promptly.
4. The admin interface should only be reachable from the internal network or via VPN.
5. Scan the system for security vulnerabilities. The most dangerous classes of vulnerability are published regularly in the authoritative OWASP Top 10.
6. Deploy a Web Application Firewall (WAF). A WAF inspects the forwarded traffic and checks the validity of requests.
7. Use a CDN (Content Delivery Network). A CDN serves content from a distributed network: traffic is spread across multiple servers, which reduces visitor access latency.
8. Control inbound traffic with Access Control Lists (ACLs), which list who has access to an object (program, process or file) and with what role.
9. You can block traffic from attacking devices in two ways: with firewalls or with ACLs. In the first case a given flow is blocked, but the firewall cannot distinguish “good” traffic from “bad”. In the second, individual protocols are filtered out, so it is of no use if the hacker sends well-formed, legitimate-looking requests.
10. To protect against DNS spoofing, clear the DNS cache periodically.
11. Use protections such as CAPTCHA against spambots, for example reCAPTCHA (the “I am not a robot” checkbox) on forms.
12. Reverse attack: all malicious traffic is redirected back to the attacker. This not only repels the attack, but also destroys the attacker’s server.
13. Host resources on several independent servers. If one server fails, the others keep running.
14. Use proven hardware DDoS protection, for example Impletec iCore or Arbor.
15. Choose a hosting provider that works with a reliable cybersecurity provider. Experts recommend the following reliability criteria: guarantees, protection against all threats, round-the-clock technical support, transparency (customer access to statistics and analytics) and auditing for malicious traffic.
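As an added example (not from the original article), here is the kind of rate-based check that the provider-side filters described above and items 8 and 9 of the list rely on: it parses constructed access-log lines (the client addresses, timestamps and paths are made up), flags any client that exceeds a request threshold within a sliding time window, and renders the flagged clients as deny-list ACL rules. The window and threshold values are assumptions that have to be tuned to a site’s normal traffic, which is where the false-alarm risk mentioned earlier is controlled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format line: client IP, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_sample_log():
    """Constructed sample log (not real traffic): one flooding client, one normal client."""
    base = datetime(2023, 10, 10, 13, 55, 0)
    line = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [line.format(ip="203.0.113.7", ts=stamp(i // 2), path=f"/search?q={i}")
             for i in range(12)]                      # 12 requests within 6 seconds
    lines += [line.format(ip="198.51.100.4", ts=stamp(20 * i), path="/")
              for i in range(3)]                      # 3 requests spread over a minute
    return lines


def parse_line(line):
    """Return (client_ip, timestamp) or None for a malformed line (skipped, not fatal)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooding_clients(lines, window_seconds=10, threshold=10):
    """Map each client that exceeded `threshold` requests inside any
    `window_seconds` sliding window to the peak count observed."""
    events = sorted((e for e in map(parse_line, lines) if e is not None),
                    key=lambda e: e[1])               # interleaved lines -> time order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)                      # per-client timestamps still in window
    peaks = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                    # evict requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def acl_deny_rules(ips):
    """Render the flagged clients as iptables DROP rules (a plain deny-list ACL)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]
```

Run against a real log, the same logic would also be the place to whitelist known-good sources (monitoring probes, CDN edges) so that they are never rendered into the deny list.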
In this article we looked at what a DDoS attack is and how to protect your site from one. Such malicious activity can disable even the most secure and largest web resources, with serious consequences in the form of massive reputational damage and loss of customers. Protecting your resource from DDoS attacks is therefore an urgent task for all businesses and government agencies.