The Evolution of DDoS: L7 DoS and Application Security

2024-12-16
Is DDoS an Outdated Attack Technique?

November 2024 was a period that reawakened us to the importance of information security in digitized administrative and public services. For three days, from November 5th to 7th, the homepages of multiple government ministries, public institutions, and public enterprises, along with websites providing online public services, were hit by DDoS attacks.

Institutions that had thoroughly established security systems minimized the damage, but those that had not could not avoid service outages, and that damage was passed directly on to users. Online public services that have become part of daily routine were paralyzed by malicious attacks, and such attacks now have a direct impact on ordinary users.

DDoS is a cyber attack that has been prevalent since the early 2000s and has drawn increasing attention as ICT development and digitalization accelerated. Given its long history, one might look at this incident and ask, "Are we still affected by outdated attacks like DDoS?" However, DDoS defense is by no means simple enough to be dismissed merely as an "outdated attack technique."

Why is DDoS Defense Difficult?

  • Asymmetry of Attack: Attackers can generate traffic on an overwhelming scale using cloud servers or zombie networks. While there is no limit to how much attack traffic an attacker can create, security administrators must block that massive traffic in real time with limited resources.
  • Variety of Attack Techniques: DDoS techniques that span the network layer and the application layer, such as SYN Flooding, UDP Flood, and HTTP GET/POST Flood, are mixed together, making defense even harder.
  • Defense Cost vs. Attack Cost: Attackers can generate massive traffic at relatively low cost, whereas defenders bear the burden of maintaining expensive equipment and solutions and of responding continuously.
  • Distinction from Normal Traffic: In application layer (L7) attacks, normal user requests and malicious requests are hard to tell apart, so defending against them takes more resources and more detailed analysis.

For these reasons, security managers at many institutions struggle with DDoS defense. Even now, DDoS attack techniques keep evolving into new forms, and attackers' targets are diversifying as well.

PIOLINK's analysis confirmed that the recent DDoS attacks likewise combined several of the attack techniques described above. The main techniques used were SYN Flooding, Slow HTTP Header DoS (hereinafter Slowloris), and Slow HTTP POST DoS (hereinafter RUDY). This white paper explains each technique in detail and introduces countermeasures.

SYN Flooding

SYN Flooding is an attack that operates at the network layer (L3/L4) and exhausts the target server's network resources by sending a massive volume of SYN packets. The commonly known picture of a DDoS attack, launched from zombie PCs controlled by C&C servers, is essentially SYN Flooding.

SYN Flooding can be compared to the bottlenecks that form on highways during holidays. Vehicles flock to the road beyond the capacity it can accommodate, and traffic is paralyzed to the point where nothing moves.

SYN Flooding attacks work the same way. When TCP connection requests (SYN packets) exceeding the network bandwidth are sent to the target server, the server can no longer process legitimate connections. Moreover, because each session is left in a half-open state (SYN received, handshake never completed), resources are gradually exhausted, so the attack paralyzes both network bandwidth and equipment performance at the same time.

Fortunately, SYN Flooding can be blocked effectively with traditional DDoS defense solutions. Traffic filtering and SYN Cookie features protect server resources, and limiting the number of connection requests per second counters excessive connection attempts.
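To illustrate the SYN Cookie mechanism mentioned above, here is a Python sketch added for this guide (not PIOLINK's code or any real TCP stack's): the server folds the half-open connection state into the initial sequence number it sends in its SYN-ACK, so a flood of SYNs that never complete the handshake costs it no memory. The secret key, MSS table, addresses and timestamps are constructed for the example.

```python
import hashlib
import hmac

# Constructed secret for this example; a real TCP stack derives and rotates its own.
SECRET = b"example-only-secret"
# MSS values the cookie can express in its 3-bit index field (index 0-7).
MSS_TABLE = (536, 1024, 1220, 1300, 1400, 1440, 1452, 1460)

def _tag(src, sport, dst, dport, client_isn, count):
    """24-bit keyed hash binding the cookie to one 4-tuple, client ISN and time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: [5 bits time slot][3 bits MSS index][24 bits tag].
    Nothing about this half-open connection has to be stored server-side."""
    count = (int(now) // 64) & 0x1F             # 64-second slots, wraps every ~34 min
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 24) | _tag(src, sport, dst, dport, client_isn, count)

def check_syn_cookie(src, sport, dst, dport, client_isn, cookie, now, max_age=2):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    count, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((int(now) // 64) & 0x1F) - count) & 0x1F   # slots elapsed, wrap-safe
    if age > max_age or tag != _tag(src, sport, dst, dport, client_isn, count):
        return None                                    # stale, forged or replayed to another tuple
    return MSS_TABLE[mss_idx]

def on_final_ack(src, sport, dst, dport, seq, ack, now):
    """Third handshake packet: the client's SEQ is its ISN+1 and its ACK is our cookie+1.
    Only here, after the cookie verifies, does the server allocate a full connection."""
    mss = check_syn_cookie(src, sport, dst, dport,
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)
    return {"state": "ESTABLISHED", "mss": mss} if mss is not None else None
```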

<Figure 1> SYN Flooding

Slowloris

Slowloris is an attack technique that exhausts a server's connection resources by splitting HTTP request headers into small pieces and sending them slowly, so that the server keeps each connection open for a long time while it waits for the headers to complete.

Slowloris is like a malicious customer who occupies a bank teller window and, instead of finishing their business at once, keeps adding small requests. By dragging out the transaction, this customer prevents other customers from using the window.

In the same way, Slowloris occupies and exhausts the server's connection resources, preventing other users from using the service normally. Because this attack takes place at the application layer (L7), it is difficult to counter with network layer (L3/L4) defenses alone.

<Figure 2> Slowloris

RUDY

RUDY also operates at the application layer (L7). It consumes the resources the server needs to process and store data by sending a massive number of fragmented HTTP POST requests.

This can be compared to monopolizing an elevator by loading small items into it one at a time. A server under RUDY attack sees its CPU and memory usage surge, and the resulting performance degradation leaves it unable to process other users' requests.

Because RUDY aims to exhaust the resources of the servers that process and store data, defending against it requires fine-grained security settings such as data size limits and request rate limits.

<Figure 3> RUDY

Thus, unlike SYN Flooding, which targets the network layer (L3/L4), Slowloris and RUDY target the application layer (L7) and focus on exhausting server resources.

Unlike a traffic spike at the network level, these two attacks exploit the way the web application server handles HTTP request packets. To defend against them effectively, a Web Application Firewall (WAF) operating at the application layer (L7) can be a powerful solution.

L7 DoS and Application Security

A Web Application Firewall is a security solution that analyzes the HTTP/HTTPS traffic entering a server, blocks abnormal requests and passes normal user requests, so that the web application server can keep providing service smoothly.

In particular, it provides specialized functions to detect and block the abnormally slow requests of a Slowloris attack and the excessive data requests of a RUDY attack. PIOLINK's WAF/WAAP, WEBFRONT-K, also provides a range of security functions to protect servers from DoS attacks targeting the application layer (L7).

WEBFRONT-K L7 DoS Security Functions

  1. Detects and blocks attacks that manipulate HTTP/HTTPS header transmission to hold server connections open for a long time (Slowloris, etc.) by setting a maximum transmission time for request headers.
  2. Detects and blocks attacks that hold server connections by transmitting the HTTP/HTTPS body slowly (RUDY, etc.) by setting a maximum transmission time for request bodies and a minimum allowable body size.
  3. Detects and blocks attacks that exhaust server resources by reading responses slowly with a small receive buffer (Slow Read DoS, etc.) by detecting response sessions whose processing is abnormally slow.
  4. Provides a baseline defense against attacks that exhaust server resources with sheer request volume (HTTP Flooding, etc.) by limiting the number of requests per session or per proxy and registering IPs that send excessive requests as banned IPs, so that abnormal traffic is detected.
  5. Detects and blocks L7 DoS attacks that exploit APIs (JSON Bomb, etc.) by limiting the allowed method types and request counts per URL and setting a maximum nesting depth for JSON data.
  6. Detects and blocks attacks whose individual frames are normal but whose usage pattern consumes server resources (HTTP/2 Rapid Reset DDoS) by setting an hourly allowable threshold for HTTP/2 requests that are immediately followed by RESET frames.
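As an added example written for this guide (not WEBFRONT-K's implementation), the following Python models how a WAF could apply settings like items 1, 2, 4 and 5 above to per-request timing records: maximum header and body transmission times, a minimum body size for slow bodies, a per-IP request count, and a JSON nesting-depth limit. The thresholds, field names and sample requests are constructed.

```python
from collections import Counter, defaultdict, namedtuple
# Thresholds modeled on the WEBFRONT-K settings listed above (items 1, 2, 4, 5); the
# numbers are constructed for this example, not the product's defaults.
POLICY = {"max_header_secs": 10.0, "max_body_secs": 30.0, "min_body_bytes": 512,
          "max_requests_per_ip": 5, "max_json_depth": 8}
# One request as the WAF sees it: seconds receiving headers, seconds receiving body, body size, JSON body
Req = namedtuple("Req", "ip header_secs body_secs body_bytes body", defaults=[""])

def json_depth(text, max_depth):
    """JSON nesting depth, returning early past max_depth so a bomb is rejected before any parse."""
    depth = best = 0
    in_str = esc = False
    for ch in text:
        if in_str:                       # brackets inside strings do not nest
            if esc: esc = False
            elif ch == "\\": esc = True
            elif ch == '"': in_str = False
        elif ch == '"': in_str = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth: return depth
            best = max(best, depth)
        elif ch in "]}": depth -= 1
    return best

def classify(r, p=POLICY):
    """Indicators one request trips: slow headers (Slowloris), slow body (RUDY), JSON bomb."""
    hits = []
    if r.header_secs > p["max_header_secs"]:
        hits.append("slow-header")
    drip = r.body_secs > p["max_body_secs"] / 2 and r.body_bytes < p["min_body_bytes"]
    if r.body_secs > p["max_body_secs"] or drip:  # over budget, or a tiny body trickled in
        hits.append("slow-body")
    if r.body and json_depth(r.body, p["max_json_depth"]) > p["max_json_depth"]:
        hits.append("json-depth")
    return hits

def evaluate(records, p=POLICY):
    """Aggregate per source IP; return ({ip: indicators}, set of IPs to ban)."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r.ip].extend(classify(r, p))
    flood = {ip for ip, n in Counter(r.ip for r in records).items() if n > p["max_requests_per_ip"]}
    return dict(per_ip), flood | {ip for ip, h in per_ip.items() if h}

# Constructed sample: one normal request, one of each pattern above, and an HTTP flood burst
SAMPLE = [Req("10.0.0.1", 0.2, 0.5, 2048, '{"a":[{"b":"]"}]}'),
          Req("10.0.0.2", 45.0, 0.0, 0), Req("10.0.0.3", 0.3, 120.0, 200),
          Req("10.0.0.4", 0.1, 0.2, 40, "[" * 20 + "]" * 20),
          *[Req("10.0.0.5", 0.1, 0.0, 0) for _ in range(6)]]
```

Running `evaluate(SAMPLE)` flags the Slowloris, RUDY, JSON-bomb and flooding sources while the normal request from 10.0.0.1 passes untouched.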


DDoS/DoS attacks are no longer simple attacks aimed at a single layer. Because they are hard to defend against and succeed often, DDoS has become a "bestseller-like" technique for attackers. We must ask ourselves whether its familiar name has led us to let our guard down.

That complacency is exactly what attackers are looking for, and they will not miss the opening to attempt even fiercer attacks. If we respond complacently to potential DDoS threats, the damage could be incomparably greater than in this recent incident.

To prevent such damage, PIOLINK continuously works to raise awareness among customers and the market, while continuing to research and invest in preparation for ever-evolving attacks.

Problems are easier to solve when considered together, and all the more so when "together" means with experts in the field. PIOLINK is a group of experts who research constantly so that customers' infrastructure environments can be improved and made safer, even if only a little at a time.

If you have concerns about network and security, please feel free to contact PIOLINK at any time. We will find the solution together.