Large-scale network DDoS attacks tend to draw a lot of attention. However, from a mitigation point of view, Layer 3-4 attacks are not sophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?
On the other hand, Application Layer DDoS attacks are a completely different story. When defending against these stealthy and complex attacks, success does not depend on how big you are, but rather on how smart your security technology is and how well it can be utilized.
Successful mitigation of Layer 7 DDoS attacks relies on the ability to accurately profile incoming traffic: to distinguish between humans, human-like bots and hijacked web browsers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that, if done right, the solution remains transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application layer attacks.
Here at Incapsula we are also "guilty" of referring to our high network capacity, but as we do, we know it isn't the whole story. That is why, today, we want to give you an in-depth look at our Layer 7 protective solutions.
Adding Security Brains to Network Brawn
From a conceptual standpoint, Incapsula's DDoS protection is based on a set of concentric rings around the application, each of which filters a different portion of the traffic. Each of these rings by itself can be easily bypassed; however, working in unison they stop almost all malicious traffic. While some DDoS attacks may be stopped at the outer rings, persistent multi-vector attacks can only be stopped by using all (or most) of them.
Equally important, Incapsula's approach lets the vast majority of legitimate visitors access a website under attack without noticing any change and without any interruptions to the user experience.
Ring 5: Client Classification vs Volumetric Layer 7 Attacks
In some cases, attackers may use a volumetric application layer attack (e.g., HTTP flood) as a distraction intended to mask other, more targeted attacks. These attacks are often carried out by relatively primitive bots, whose high network utilization allows attackers to deliver very large volumetric attacks with minimal computing resources. By stopping volumetric attacks at the most external layer, Incapsula is able to filter out the white noise created by these attacks and home in on the detection of more targeted attacks.
Incapsula's advanced client classification uses proxies that are purpose-built from the ground up. This makes it easy to introduce subtle changes and deviations from protocol, and to test how the client handles them.
An additional important role of client classification and fingerprinting is in identifying the "good bots," such as search engines, monitoring tools, and other known bots that are essential for Ops, SEO, Payment, and other critical site functionality.
Ring 4: Visitor Whitelisting and Reputation
After flagging and blocking the malicious volumetric traffic, Incapsula partitions the rest of the website traffic into "grey" (suspicious) and "white" (legitimate) visitors.
This task is supported by Incapsula’s reputation system, which is able to isolate legitimate traffic, thus reducing the “noise” for other mitigation solutions while also making the mitigation process transparent for identified human visitors.
By maintaining the visitor state across sessions within an application, the system is able to identify real users, as well as repeat offenders. This is especially useful when working with “registered users only” environments, where session persistency is key.
In this context, reputation-based solutions mainly exist to prevent perpetrators from obtaining legitimate tokens and replaying them to bypass other rings of protection.
Ring 3: Web Application Firewall for Direct Attack Vectors
In some cases, DDoS attacks can be used as a means to an end, setting the stage for more traditional attack vectors (e.g., exploiting known vulnerabilities or other protocol or web server weaknesses). In such a scenario, attackers use DDoS to weaken perimeter defenses or crash security appliances, enabling them to gain access to corporate networks, steal data, etc.
In addition to offering DDoS protection, Incapsula's service also includes an enterprise-grade Web Application Firewall that protects websites from application layer threats such as SQL injection, cross-site scripting, illegal resource access and remote file inclusion.
The example below illustrates the combined use of DDoS tactics and traditional vectors, and is indicative of what we see on a frequent basis, especially when providing protection to the online assets of large companies and government organizations.
In this example, attackers used a variant of the SQLMap scanning tool to look for an SQL injection vulnerability. This scan uses "db sleep" (commonly used in DDoS attacks) as the injected vector. However, in this case the purpose of the sleep command was not denial of service in itself. Instead, it was used as a Blind SQL Injection scanning technique for detecting vulnerable parameters: the scanner tests for a delay in the response to identify a successful injection.
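The scanning pattern described above is something a WAF rule or a log-review script can recognise on the defender's side. The following added example (not Incapsula's code) runs over constructed access-log lines: it flags request parameters carrying a database sleep primitive, and separately marks a probe whose response time actually reached the requested delay, since that is exactly the signal the scanner itself is looking for. The log format, field order and tolerance threshold are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic): client ip, method, request target, status, response time in ms.
SAMPLE_LOG = """\
203.0.113.10 GET /item.php?id=5 200 38
203.0.113.10 GET /item.php?id=5%20AND%20SLEEP(5) 200 5041
203.0.113.10 GET /search.php?q=x%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- 200 52
203.0.113.10 GET /search.php?q=x%27%3BSELECT%20pg_sleep(5)-- 200 47
198.51.100.7 GET /item.php?id=7 200 41
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\d+)$')
# Time-delay primitives of common SQL engines; the capture groups expose the requested delay.
SLEEP_RE = re.compile(r'\b(?:pg_)?sleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.I)  # MySQL SLEEP(), PostgreSQL pg_sleep()
WAITFOR_RE = re.compile(r"\bwaitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)   # MSSQL WAITFOR DELAY 'h:m:s'

def requested_delay_seconds(value):
    """Delay (seconds) a parameter value asks the database for, or None if it carries no sleep primitive."""
    m = SLEEP_RE.search(value)
    if m:
        return float(m.group(1))
    m = WAITFOR_RE.search(value)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    return None

def analyze_log(log_text, tolerance=0.8):
    """Classify each request carrying a sleep payload: 'probe' when the server did not stall,
    'likely_vulnerable' when the response time also reached the requested delay (the database slept)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status, rt_ms = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):  # parse_qsl URL-decodes values
            delay = requested_delay_seconds(value)
            if delay is None:
                continue
            slept = delay > 0 and int(rt_ms) / 1000 >= tolerance * delay
            findings.append({'ip': ip, 'path': parts.path, 'param': name, 'delay': delay,
                             'verdict': 'likely_vulnerable' if slept else 'probe'})
    return findings
```

A single source producing several such findings across different parameters within a short window is the scanner signature; a 'likely_vulnerable' verdict is the finding to escalate first, because the database actually executed the injected statement.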
Ring 2: Progressive Challenges
As a last resort, human users who for some reason fail any of the tests have the option to complete a CAPTCHA and move on. Using this algorithm, only 0.01% of visitors are ever subjected to a CAPTCHA.
Ring 1: Behavioral Anomaly Detection
Each of the described security rings can be individually circumvented. Session cookies can be captured and replayed, and botnets can use numerous IPs (we have seen cases with more than 20,000 distinct sources). In fact, some attack vectors can even use real (hijacked) people’s PCs and real browsers.
This is why Incapsula also uses Anomaly Detection rules to detect possible instances of sophisticated Layer 7 attacks. This ring acts as an automated safety net to catch attacks that may have slipped through the cracks. The Anomaly Detection rules detect behavioral patterns that are clearly non-human and may indicate hijacked or malware-infected host computers being remotely controlled to carry out a DDoS attack.
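One concrete shape such a behavioral rule can take, as an added example that is not Incapsula's rule set: it profiles each client from constructed request-log tuples and flags sources whose sustained volume, clockwork inter-request timing and total absence of static-asset fetches are inconsistent with a person driving a browser. The feature set and thresholds are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed request log, not real traffic: (epoch seconds, client ip, request path).
SAMPLE_REQUESTS = [
    # Human-like session: irregular pauses, each page followed by its static assets.
    (1000.0, '198.51.100.7', '/'),
    (1000.3, '198.51.100.7', '/static/app.css'),
    (1000.4, '198.51.100.7', '/static/app.js'),
    (1012.9, '198.51.100.7', '/search?q=shoes'),
    (1013.2, '198.51.100.7', '/static/app.css'),
    (1041.6, '198.51.100.7', '/item/42'),
    # Remotely controlled host: one dynamic URL, every 500 ms, never a stylesheet or image.
    *[(1000.0 + 0.5 * i, '203.0.113.10', '/search?q=a') for i in range(40)],
]

STATIC_SUFFIXES = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.woff2')

def profile_client(events):
    """Behavioral features for one client from its (time, path) events."""
    times = sorted(t for t, _ in events)
    paths = [p for _, p in events]
    gaps = [b - a for a, b in zip(times, times[1:])]
    span = times[-1] - times[0]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    return {
        'requests': len(events),
        'rate_per_s': len(events) / span if span > 0 else float('inf'),
        # Coefficient of variation of inter-request gaps: near 0 means clockwork timing.
        'gap_cv': statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else None,
        'static_ratio': sum(p.endswith(STATIC_SUFFIXES) for p in paths) / len(paths),
        'distinct_paths': len(set(paths)),
    }

def is_non_human(profile, min_requests=20, max_gap_cv=0.1, max_static_ratio=0.05):
    """Rule: sustained volume, machine-regular spacing and no static assets fetched.
    A browser driven by a person shows none of these three together."""
    return (profile['requests'] >= min_requests
            and profile['gap_cv'] is not None and profile['gap_cv'] <= max_gap_cv
            and profile['static_ratio'] <= max_static_ratio)

def detect(requests):
    """Map each client ip to True when its behavior trips the rule."""
    by_ip = defaultdict(list)
    for t, ip, path in requests:
        by_ip[ip].append((t, path))
    return {ip: is_non_human(profile_client(events)) for ip, events in by_ip.items()}
```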
Ring 0: Incapsula's Dedicated Security Team
At the end of the day, people are ingenious and persistent. With the proper motivation and given enough time and resources, they will eventually find a way to penetrate any defense. Accordingly, there is no such thing as a fully automated DDoS prevention service, at least not when persistent multi-vector attacks are involved.
Successful attack vectors can come out of unexpected places. Attackers are always trying to find and exploit the weak spot, whether it be a specific URL, resource or web proxy. This endless "cat and mouse" game requires ongoing vigilance and agility from a security standpoint.
Incapsula provides organizations with continuous monitoring and mitigation by a team of experienced Security Operations Center (SOC) professionals. Our security team and 24x7 support staff proactively analyze the internal behavior of the application and detect irregular usage before it becomes widespread. Using a flexible scripting language of possible actions and decisions, Incapsula's team can immediately adapt security policies in real time in response to potential threats.
The Bottom Line
Most DDoS attack vectors cannot be mitigated by network capacity alone. Today, the emergence of sophisticated new threats compels the DDoS protection industry to stop focusing on the network component and start thinking in terms of traffic profiling and visitor classification.
In an age of browser-based botnets and JS-deciphering bots, anti-DDoS solutions must also evolve. To provide consistent and non-intrusive mitigation, these services must adopt a multi-layer architecture whose design requires networking skills, security expertise and an in-depth understanding of traffic routing.