What Are Application Layer (L7) DDoS Attacks?

Understanding Application Layer (L7) DDoS Attacks

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a server, network, web application, etc., by overwhelming the target or its surrounding infrastructure with malicious traffic through a number of simultaneous, coordinated Denial-of-Service (DoS) attacks.

Layer 7 (L7) DDoS attacks, also known as application layer DDoS attacks, target the processes operating at the top layer of the OSI model. Unlike network layer (L3) and transport layer (L4) attacks that focus on the core network equipment and firewalls, respectively, L7 DDoS attacks aim directly at the servers that run web applications.

Application layer attacks can be particularly damaging because malicious traffic can look very similar to legitimate user traffic, which makes such attacks harder to detect and mitigate. Another dangerous feature of L7 DDoS attacks is that they need far less traffic volume to succeed.

Which Protocols Are Included in OSI Model Layer 7

Although there are a lot of protocols that are included in the application layer of the OSI model, just two of them are usually targeted by L7 DDoS attacks:

  • HTTP (Hypertext Transfer Protocol) is the foundation of data communication for the World Wide Web. This protocol defines how messages are formatted and transmitted between web servers and browsers.
  • HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that provides secure communication over the internet by encrypting data exchanged between a web browser and a server.

An honorable mention goes to the DNS and NTP protocols, which are also part of the application layer of the OSI model. These protocols are frequently exploited by DDoS attackers, particularly in DNS and NTP amplification attacks. However, the actual targets in these attacks are the core network equipment, such as routers, that works with the Internet Protocol (IP). Therefore, these attacks are classified as network layer (L3) DDoS attacks.

How Application Layer (L7) DDoS Attacks Work

Application layer (L7) DDoS attacks exploit the resource-intensive nature of processing HTTP and HTTPS requests. The complexity of handling HTTP and the additional computational power required for HTTPS decryption make these protocols particularly vulnerable: each request costs the server far more to process than it costs the attacker to send, so a modest volume of requests can overwhelm a web server.

On top of that, as we mentioned earlier, malicious HTTP and HTTPS traffic closely resembles legitimate user traffic, making it much harder to detect and handle the attack. This is especially true for HTTPS traffic, because it is extremely challenging to differentiate between legitimate and malicious requests without decryption.

The overall goal of an L7 DDoS attack is to exhaust the resources of the servers running the web application, causing them to become slow, unresponsive, or completely unavailable to legitimate users.

This can be done in several ways. One is to flood the targeted servers with a massive amount of garbage HTTP/HTTPS requests. Another is to overwhelm the server's capacity with a small number of specially crafted requests that cleverly use peculiarities of the protocols. Yet another way is to concentrate traffic from a large number of fake users that is, formally speaking, legitimate, while being useless from a business perspective and harmful to the targeted server.

Types of Application Layer (L7) DDoS Attacks

From a practical standpoint, it is convenient to distinguish three categories of L7 DDoS attacks: slow HTTP attacks, massive attacks that use botnets, and hacktivism. Let's briefly discuss each of them.

Slow HTTP attacks

Slow-rate L7 DDoS attacks, also known as "Low and slow," rely on clever exploitation of protocol features to exceed a server's capacity without spending too many resources on the attacker's end. Here are the most notable examples of slow HTTP attack tools:

  • Slowloris: this DDoS tool opens HTTP sessions and slowly sends headers to the targeted server without ever completing the requests. The victim server has to keep these connections open, which eventually exhausts its capacity. This causes the server to deny connection attempts from legitimate users.
  • R.U.D.Y. (R U Dead Yet): Similarly, this attack keeps a web server busy by submitting form data at an extremely slow pace. The R.U.D.Y. tool finds form fields, creates HTTP POST requests, and submits data in tiny packets at random intervals, overwhelming the server's capacity and making it unavailable to legitimate traffic.
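Seen from the server, both tools leave the same trace: connections that stay open while the request trickles in. The following Python is an added illustration (not code from the page or from either tool) that replays a constructed connection trace with assumed thresholds and flags such connections, plus the clients hoarding several of them at once:

```python
from dataclasses import dataclass

@dataclass
class Conn:
    ip: str
    opened: float           # time the connection was accepted
    received: int = 0       # request bytes received so far
    complete: bool = False  # full request (headers and body) parsed

def replay(trace):
    """Per-connection state from (timestamp_s, client_ip, conn_id, event, nbytes) events."""
    conns = {}
    for ts, ip, cid, event, nbytes in trace:
        if event == "open":
            conns[cid] = Conn(ip=ip, opened=ts)
        elif event == "data":
            conns[cid].received += nbytes
        elif event == "complete":
            conns[cid].complete = True
    return conns

def slow_connections(conns, now, header_timeout=10.0, grace_s=2.0, min_bytes_per_s=8.0):
    """Ids of incomplete connections that outlived the request deadline or, once past a
    short grace period (grace_s > 0), trickle bytes below the minimum rate."""
    slow = []
    for cid, c in conns.items():
        if c.complete:
            continue
        age = now - c.opened
        trickling = age >= grace_s and c.received / age < min_bytes_per_s
        if age >= header_timeout or trickling:
            slow.append(cid)
    return sorted(slow)

def offending_ips(conns, slow, max_slow_per_ip=3):
    """Clients holding max_slow_per_ip or more slow connections; one alone may be a poor link."""
    counts = {}
    for cid in slow:
        counts[conns[cid].ip] = counts.get(conns[cid].ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= max_slow_per_ip}

# Constructed trace (not a real capture): a normal client, a client holding four
# never-finishing connections fed 12 bytes every 9 s, a slow trickler, a fresh connection.
TRACE = [(0.0, "192.0.2.10", 1, "open", 0), (0.5, "192.0.2.10", 1, "data", 420),
         (0.6, "192.0.2.10", 1, "complete", 0)]
TRACE += [(0.0, "203.0.113.9", c, "open", 0) for c in (2, 3, 4, 5)]
TRACE += [(t, "203.0.113.9", c, "data", 12) for t in (9.0, 18.0, 27.0) for c in (2, 3, 4, 5)]
TRACE += [(25.0, "198.51.100.200", 8, "open", 0), (26.0, "198.51.100.200", 8, "data", 10),
          (29.5, "192.0.2.44", 9, "open", 0)]
NOW = 30.0
```

The same thresholds are what a web server's header/body read timeouts and per-client connection limits enforce; the code only makes the decision visible on a trace.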

Massive attacks involving botnets

The largest L7 DDoS attacks use botnets consisting of large numbers of compromised devices. These attacks rely on the collective power of the botnet to generate massive amounts of HTTP/HTTPS requests, overloading the targeted servers.

  • Mēris: A massive botnet that consisted of up to 200,000 compromised MikroTik routers. This botnet was involved in several extremely intensive L7 DDoS attacks, with the magnitude peaking at 46 million requests per second during the 2022 attack on Google.
  • Mantis: Another powerful botnet that consisted of about 5,000 hijacked virtual machines and servers. Despite its relatively small size, this botnet was capable of launching highly effective L7 DDoS attacks, with the magnitude peaking at 26 million requests per second during the 2022 attack on Cloudflare.
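A flood of this kind is hard to catch with a per-client rate limit alone, because each bot can stay under the cap while the aggregate swamps the server. As an added example (not from the page or from any vendor), the Python below parses constructed access-log lines in combined log format and applies both a per-client cap and an aggregate surge check against an assumed baseline rate:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined-log-format parser, keeping only the fields the detector needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """{'ip', 'ts', 'path'} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "path": m["path"]}

def analyze(lines, window_s=10, per_ip_max=20, baseline_rps=2.0, surge_factor=5.0):
    """Two checks per fixed window: a per-client cap (catches one noisy client) and an
    aggregate surge check against a baseline rate (catches a botnet whose members each
    stay under the per-client cap, which is why per-IP limits alone miss L7 floods)."""
    per_window = defaultdict(Counter)  # window start -> Counter(client ip)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_window[int(rec["ts"] // window_s) * window_s][rec["ip"]] += 1
    offenders, surge_windows, max_clients = {}, [], 0
    for start in sorted(per_window):
        hits = per_window[start]
        for ip, n in hits.items():
            if n > per_ip_max:
                offenders[ip] = max(offenders.get(ip, 0), n)
        if sum(hits.values()) / window_s > baseline_rps * surge_factor:
            surge_windows.append(start)
        max_clients = max(max_clients, len(hits))
    return {"per_ip_offenders": sorted(offenders.items()),
            "surge_windows": surge_windows, "max_distinct_clients": max_clients}

def clf(ip, ts, path="/"):
    """Constructed sample log line (not a real capture)."""
    stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

T0 = 1700000000  # constructed epoch base; all sample traffic falls in two 10 s windows
SAMPLE_LINES = [clf(f"192.0.2.{i + 1}", T0 + w + i + k)     # five ordinary users,
                for w in (0, 10) for i in range(5) for k in (0, 5)]  # two requests each per window
SAMPLE_LINES += [clf("192.0.2.99", T0 + i % 10, "/search") for i in range(25)]  # one aggressive scraper
SAMPLE_LINES += [clf(f"203.0.113.{b}", T0 + (b + k) % 10, "/login")  # 200 bots, three requests each,
                 for b in range(1, 201) for k in range(3)]            # all under the per-client cap
```

In the sample, only the scraper trips the per-client cap, while the 200 bots are caught solely by the surge check on the first window; the second window, carrying only baseline traffic, raises nothing.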

Hacktivism

Last but not least, DDoS attacks are often organized by hacktivists — groups with shared ideologies that use cyberattacks to express their protest. Hacktivists leverage a combination of techniques to perpetrate DDoS attacks, utilizing slow HTTP attack tools, botnets, and pseudo-legitimate user traffic coming from their mobilized followers.

To make matters worse, hacktivist DDoS attacks are often accompanied by hacking attempts, content theft, and other malicious activities.

  • PlayStation Network attack: A classic example of a hacktivist attack is the December 2014 DDoS assault launched by the hacktivist group known as Lizard Squad on Sony's PlayStation Network. Their goal was to demonstrate the network's weak security, and they chose the busy holiday season to emphasize that large companies like Sony need to improve their security measures.

Impact on Business

Successful Denial-of-Service attacks, particularly L7 DDoS attacks, can significantly disrupt business operations, financial stability, and company reputation.

Financial impact: L7 DDoS attacks lead to immediate financial losses due to web application downtime and the cost of recovery. Businesses may also incur expenses related to regulatory fines, compensating affected customers, and paying ransom to attackers, as DDoS attacks have become increasingly popular among ransomware gangs.

Operational impact: Successful L7 DDoS attacks cause the unavailability of web applications, severely disrupting normal business operations. Additionally, they divert resources to managing and mitigating the aftermath of the attack.

Reputational impact: Beyond direct damage, a successful L7 DDoS attack can have long-lasting effects on a company's reputation. Customers may lose trust and loyalty due to perceived unreliability, and negative publicity can lead to lost business opportunities and increased customer attrition.

How to Protect from Application Layer (L7) DDoS Attacks

From a practical standpoint, businesses have a few options when it comes to layer 7 DDoS protection:

  • On-premise DDoS protection: This approach involves setting up dedicated anti-DDoS equipment within a company's infrastructure. While it offers more control, it has significant drawbacks such as very limited capacity and the need for continuous investment in training the internal team, making it less effective, especially against large-scale attacks.
  • DDoS protection offerings from telecom operators: Telecom providers typically have the resources and expertise needed to fight network (L3) and transport (L4) layer DDoS attacks. However, they are significantly less effective when it comes to layer 7 DDoS attacks. Relying solely on DDoS protection provided by a telecom operator also creates a single point of failure, reducing redundancy and increasing vulnerability during an attack.
  • Cloud Anti-DDoS Protection: This approach is particularly effective against L7 DDoS attacks. To ensure flexibility and high throughput while avoiding bottlenecks, cloud providers like Qrator Labs strategically place traffic filtering centers connected to Tier 1 or leading regional internet providers.

    If any of the centers fails, the traffic is seamlessly redirected to the others, thanks to a unified control plane. These centers analyze traffic across all OSI layers using advanced algorithms to detect and mitigate sophisticated L7 DDoS attacks. Qrator Labs' substantial filtering capacity and extensive expertise ensure reliable DDoS protection.