21
Oct
2013

Large scale network DDoS attacks tend to draw a lot of attention. However, from a mitigation point of view, Layer 3-4 attacks are not sophisticated. The ability to mitigate this type of attack always come down to a simple question: who has more network capacity, the attacker or the mitigation service.

On the other hand, Application Layer DDoS attacks are a completely different story. When defending against these stealthy and complex attacks, success does not depend how big you are, but rather how smart your security technology is and how well it can be utilized.

Successful mitigation of Layer 7 DDoS attacks relies on the ability to accurately profile incoming traffic - to distinguish between humans, human-like bots and hijacked web browsers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that - if done right – the solution will remain transparent, contribute to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application layer attacks.

Here in Incapsula we are also "guilty" of referring to our high network capacity, but as we do – we know it isn’t the whole story. That is why, today, we want to give you an in-depth look at our Layer 7 protective solutions.

Adding Security Brains to Network Brawn

From a conceptual standpoint, Incapsula's DDoS protection is based on a set of concentric rings around the application, each of which filters a different portion of the traffic. Each of these rings by itself can be easily bypassed; however, working in unison they stop almost all malicious traffic. While some DDoS attacks may be stopped at the outer rings, persistent multi-vector attacks can only be stopped by using all (or most) of them.

Incapsula's 5-Rings of Layer 7 DDoS Protection

Equally important, Incapsula's approach lets the vast majority of legitimate visitors access a website under attack without noticing any change and without any interruptions to the user experience.

Ring 5: Client Classification vs Volumetric Layer 7 Attacks

In some cases, attackers may use a volumetric application layer attack (e.g., HTTP flood) as a distraction intended to mask other more targeted attacks. These attacks are often carried out by relatively primitive bots, whose high network utilization allows attackers to deliver very large volumetric attacks with minimum computing resources. By stopping volumetric attacks at the most external layer, Incapsula is able to filter out the white noise created by these attacks and hone in on the detection of more targeted attacks.

Incapsula uses client classification to identify and filter out these bots by comparing signatures and examining various attributes: IP and ASN info, HTTP headers, cookie support variations, Javascript footprint and other telltale signs. Incapsula distinguishes between humans and bot traffic, between "good" and "bad" bots, and identifies AJAX and APIs.

Incapsula GUI: Volumetric DDoS Attack Mitigated

Incapsula's advanced client classification uses proxies that are purposely-built from the ground up. This makes it easy to introduce subtle changes and deviations from protocol, and test how the client handles them.

An additional important role of client classification and fingerprinting is in identifying the "good bots," such as search engines, monitoring tools, and other known bots that are essential for Ops, SEO, Payment, and other critical site functionality.

Ring 4: Visitor Whitelisting and Reputation

After flagging and blocking the malicious volumetric traffic, Incapsula partitions the rest of the website traffic into "grey" (suspicious) and "white" (legitimate) visitors.

This task is supported by Incapsula’s reputation system, which is able to isolate legitimate traffic, thus reducing the “noise” for other mitigation solutions while also making the mitigation process transparent for identified human visitors.

DDoS Mitigation - Blocked by IP Reputation

By maintaining the visitor state across sessions within an application, the system is able to identify real users, as well as repeat offenders. This is especially useful when working with “registered users only” environments, where session persistency is key.

In this context, reputation-based solutions mainly exist to prevent perpetrators from obtaining legitimate tokens and replaying them to bypass other rings of protection.

Ring 3: Web Application Firewall for Direct Attack Vectors

In some cases, DDoS attacks can be used as a means to end, setting the stage for more traditional attack vectors (e.g., exploiting known vulnerabilities or other protocol or web server weaknesses). In such a scenario, attackers use DDoS to weaken perimeter defenses or crash security appliances, enabling them to gain access to corporate networks, steal data, etc.

In addition to offering DDoS protection, Incapsula's service also includes an enterprise-grade Web Application Firewall that protects websites from any application layer threat, such as SQL injection, cross site scripting, illegal resource access and remote file inclusion.

DDoS Mitigation, Supported by Enterprise-grade WAF

The example below illustrates the combined use of DDoS tactics and traditional vectors, and is indicative of what we see on a frequent basis – especially when providing protection to online assets of large companies and government organizations.

In this example, attackers used a variant of the SQLMap scanning tool to look for an SQL injection vulnerability. This scan uses "db sleep" (commonly used in DDoS attacks) as the injected vector. However, in this case the purpose of the sleep command was not denial of service in itself. Instead, it was used as a Blind SQL Injection scanning technique for detecting vulnerable parameters - the scanner tests for delay in response to identify successful injection.

Ring 2: Progressive Challenges

Incapsula applies a set of progressive challenges that are designed to ensure the optimal balance between strong DDoS protection and an uninterrupted user experience. The idea is to minimize false positives by using a set of transparent challenges (e.g., cookie support, Javascript execution, etc.) of provide pinpoint identification of the client (human or bot, "good" or "bad").

As a last resort, human users that for some reason failed any of the tests would have the option to complete the CAPTCHA test and move on. Using this algorithm, only 0.01% of visitors are ever subjected to a CAPTCHA.

CAPTCHA challenge - Last Resort

A large amount of effort in a mitigation service is dedicated to avoiding challenges, or making them transparent. Any advanced website today uses AJAX and images. In more and more cases today, DDoS agents are able to simulate a browser, including cookie based session state management. However, implementing other browser features, such as Javascript support, is more complex. Incapsula uses a sophisticated algorithm that analyzes the risk posed by the client and decides on the appropriate challenge level.

Ring 1: Behavioral Anomaly Detection

Each of the described security rings can be individually circumvented. Session cookies can be captured and replayed, and botnets can use numerous IPs (we have seen cases with more than 20,000 distinct sources). In fact, some attack vectors can even use real (hijacked) people’s PCs and real browsers.

This is why Incapsula also uses Anomaly Detection rules to detect possible instances of sophisticated Layer 7 attacks. This ring acts as an automated safety net to catch attacks that may have slipped through the cracks. The Anomaly Detection rules detect behavioral patterns that are clearly non-human and may indicate hijacked or malware-infected host computers being remotely controlled to carry out a DDoS attack.

Ring 0: Incapsula's Dedicated Security Team

At the end of the day, people are ingenious and persistent. With the proper motivation and given enough time and resources, they will eventually find a way to penetrate any defense. Accordingly, there is no such thing as a 100% fully automated DDoS prevention service, at least not when persistent multi-vector attacks are involved.

Successful attack vectors can come out of unexpected places. Attackers are always trying to find and exploit the weak spot, whether it be a specific URL, resource or web proxy. This endless "cat and mouse" game requires ongoing vigilance and agility from a security standpoint.

DDoS Protection - Security Team

Incapsula provides organizations with continuous monitoring and mitigation by a team of experienced Security Operations Center (SOC) professionals. Our security team and 24x7 support staff proactively analyze the internal behavior of the application and detect irregular usage before it becomes widespread. Using a flexible scripting language of possible actions and decisions, Incapsula's team can immediately adapt security policies in real time in response to potential threats.

The Bottom Line

Most DDoS attack vectors cannot be mitigated by network capacity alone. Today, the emergence of sophisticated new threats compels the DDoS protection industry to stop focusing on the network component and start thinking in terms of traffic profiling and visitor classification.

In an age of browser-based botnets and JS deciphering bots, anti-DDoS solutions must also evolve. To provide consistent and non-intrusive mitigation, these services must adopt a multi-layer architecture whose design requires networking skills, security expertise and in-depth understanding of traffic routing.

calculator