+420-602-558-144 I'm under attack Log in Sign Up
Main Library Learning Center
What Are Application Layer (L7) DDoS Attacks?

DDOS

Content

  • Application Layer (L7) DDoS Attacks Definition
  • Which Protocols Are Included in Layer 7
  • How Application Layer (L7) DDoS Attacks Work
  • Types of Application Layer (L7) DDoS Attacks
    • Slow HTTP Attacks: Slowloris, R.U.D.Y.
    • Massive Attacks: Mēris, Mantis
    • Hacktivism
  • Impact on Business
  • How to Protect from L7 DDoS Attacks


What Are Application Layer (L7) DDoS Attacks?

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a server, network, web application, etc., by overwhelming the target or its surrounding infrastructure with malicious traffic through a number of simultaneous, coordinated Denial-of-Service (DoS) attacks.

Layer 7 (L7) DDoS attacks, also known as application layer DDoS attacks, target the processes operating at the top layer of the OSI model. Unlike network layer (L3) and transport layer (L4) attacks that focus on the core network equipment and firewalls, respectively, L7 DDoS attacks aim directly at the servers that run web applications.

Application layer attacks can be particularly damaging because malicious traffic can look very similar to legitimate user traffic. This makes it harder to detect and mitigate such attacks. Another dangerous feature of L7 DDoS attacks is that they require much less magnitude to be successful.


Which Protocols Are Included in OSI Model Layer 7

Although there are a lot of protocols that are included in the application layer of the OSI model, just two of them are usually targeted by L7 DDoS attacks:

  • HTTP (Hypertext Transfer Protocol) is the foundation of data communication for the World Wide Web. This protocol defines how messages are formatted and transmitted between web servers and browsers.
  • HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that provides secure communication over the internet by encrypting data exchanged between a web browser and a server.

An honorable mention goes to DNS and NTP protocols, which are also part of the application layer of the OSI model. These protocols are frequently exploited by DDoS attackers, particularly in DNS and NTP amplification attacks. However, the actual targets in these attacks are the core network equipment, such as routers, that work with Internet Protocol (IP). Therefore these attacks are classified as network layer (L3) DDoS attacks.


How Application Layer (L7) DDoS Attacks Work

Application layer (L7) DDoS attacks exploit the resource-intensive nature of processing HTTP and HTTPS requests. The complexity of handling HTTP and the additional computational power required for HTTPS decryption make these protocols particularly vulnerable, allowing attackers to maximize their impact while overwhelming web servers.

On top of that, as we mentioned earlier, malicious HTTP and HTTPS traffic highly resemble legitimate user traffic, making it much harder to detect and handle the attack. This is especially true for HTTPS traffic because it is extremely challenging to differentiate between legitimate and malicious requests without decryption.

The overall goal of an L7 DDoS attack is to exhaust the resources of the servers running the web application, causing them to become slow, unresponsive, or completely unavailable to legitimate users.

This can be done in several ways. One is to flood the targeted servers with a massive amount of garbage HTTP/HTTPS requests. Another is to overwhelm the server's capacity with a small number of specially crafted requests, cleverly using peculiarities of the protocols. Yet another way is to concentrate traffic from a large number of fake users that, formally speaking, is legitimate, while being useless from a business perspective and overall harmful to a targeted server.


Types of Application Layer (L7) DDoS Attacks

From a practical standpoint, it is convenient to distinguish three categories of L7 DDoS attacks: slow HTTP attacks, massive attacks that use botnets, and hacktivism. Let's briefly discuss each of them.

Slow HTTP attacks

Slow-rate L7 DDoS attacks, also known as "Low and slow," rely on clever exploitation of protocol features to exceed a server's capacity without spending too many resources on the attacker's end. Here are the most notable examples of slow HTTP attack tools:

  • Slowloris: this DDoS tool opens HTTP sessions and slowly sends headers to the targeted server without ever completing the requests. The victim server has to keep these connections open, which eventually exhausts its capacity. This causes the server to deny connection attempts from legitimate users.
  • R.U.D.Y. (R U Dead Yet): Similarly, this attack keeps a web server busy by submitting form data at an extremely slow pace. The R.U.D.Y. tool finds form fields, creates HTTP POST requests, and submits data in tiny packets at random intervals, overwhelming the server's capacity and making it unavailable to legitimate traffic.

Massive attacks involving botnets

The most massive L7 DDoS attacks use botnets consisting of large numbers of compromised devices. These attacks rely on the collective power of the botnet to generate massive amounts of HTTP/HTTPS requests, overloading the targeted servers.

  • Mēris: A massive botnet that consisted of up to 200,000 compromised MikroTik routers. This botnet was involved in several extremely intensive L7 DDoS attacks, with the magnitude peaking at 46 million requests per second during the 2022 attack on Google.
  • Mantis: Another powerful botnet that consisted of about 5,000 hijacked virtual machines and servers. Despite its relatively small size, this botnet was capable of launching highly effective L7 DDoS attacks, with the magnitude peaking at 26 million requests per second during the 2022 attack on Cloudflare.

Hacktivism

Last but not least, DDoS attacks are often organized by hacktivists — groups with shared ideologies that use cyberattacks to express their protest. Hacktivists leverage a combination of techniques to perpetrate DDoS attacks, utilizing slow HTTP attack tools, botnets, and pseudo-legitimate user traffic coming from their mobilized followers.

To make matters worse, hacktivist DDoS attacks are often accompanied by hacking attempts, content theft, and other malicious activities.

  • PlayStation Network attack: A classic example of a hacktivist attack is the December 2014 DDoS assault launched by the hacktivist group known as Lizard Squad on Sony's PlayStation Network. Their goal was to demonstrate the network's weak security, and they chose the busy holiday season to emphasize that large companies like Sony need to improve their security measures.


Impact on Business

Successful Denial-of-Service attacks, particularly L7 DDoS attacks, can significantly disrupt business operations, financial stability, and company reputation.

Financial impact: L7 DDoS attacks lead to immediate financial losses due to web application downtime and the cost of recovery. Businesses may also incur expenses related to regulatory fines, compensating affected customers, and paying ransom to attackers, as DDoS attacks have become increasingly popular among ransomware gangs.

Operational impact: Successful L7 DDoS attacks cause the unavailability of web applications, severely disrupting normal business operations. Additionally, they divert resources to managing and mitigating the aftermath of the attack.​

Reputational impact: Beyond direct damage, a successful L7 DDoS attack can have long-lasting effects on a company's reputation. Customers may lose trust and loyalty due to perceived unreliability, and negative publicity can lead to lost business opportunities and increased customer attrition.


How to Protect from Application Layer (L7) DDoS Attacks

From a practical standpoint, businesses have a few options when it comes to layer 7 DDoS protection:

  • On-premise DDoS protection: This approach involves setting up dedicated anti-DDoS equipment within a company's infrastructure. While it offers more control, it has significant drawbacks such as very limited capacity and the need for continuous investment in training the internal team, making it less effective, especially against large-scale attacks.
  • DDoS protection offerings from telecom operators: Telecom providers typically have the resources and expertise needed to fight network (L3) and transport (L4) layer DDoS attacks. However, they are significantly less effective when it comes to layer 7 DDoS attacks. Relying solely on DDoS protection provided by a telecom operator also creates a single point of failure, reducing redundancy and increasing vulnerability during an attack.
  • Cloud Anti-DDoS Protection: This approach is particularly effective against L7 DDoS attacks. To ensure flexibility and high throughput while avoiding bottlenecks, cloud providers like Qrator Labs strategically place traffic filtering centers connected to Tier 1 or leading regional internet providers.

    If any of the centers fails, the traffic is seamlessly redirected to other ones, thanks to a unified control plan. These centers analyze traffic across all OSI layers using advanced algorithms to detect and mitigate sophisticated L7 DDoS attacks. Qrator Labs' substantial filtering capacity and extensive expertise ensure reliable DDoS protection.

Qrator Labs uses cookies to improve your experience, deliver personalized content and analyze our traffic. By clicking “Accept All” you agree to the storing of cookies on your device to enhance website navigation and analyze usage, assisting in our marketing efforts and improving user experience. You may modify your cookies settings at any time, as explained in our Cookie notice.

Cookies Preference Center

Strictly Necessary Cookies

Always Active

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Detailed information about this category of cookies can be found in the Cookie Policy.
Performance/Analytics Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance. Detailed information about this category of cookies can be found in the Cookie Policy.
Targeting/Marketing Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. You may opt out of Targeting/Marketing cookies through the "Cookie settings" button. Detailed information about this category of cookies can be found in the Cookie Policy.
Functionality Cookies
These cookies enable the Website to provide enhanced functionality and personalization. Company sets some functionality cookies, while third party providers whose services Qrator Labs added to the website set the rest of these cookies. If you do not allow functionality cookies, then services relying on functionality cookies may not function properly.