In case you haven’t heard, HTTP Floods are on the rise, which may beg this question — what is an HTTP Flood? HTTP Floods are a type of Distributed Denial of Service (DDoS) attack that occurs at Layer 7 of the OSI stack, which may beg this question — what is Layer 7 of the OSI stack? We’ll answer both questions, so keep reading. In another few minutes you’ll get all the answers, including why HTTP Floods are especially virulent and what you can do to protect your organization from them.
As a point of clarity, references to HTTP herein also apply to HTTPS. Over 99% of internet traffic is HTTPS; the S stands for secure, which means it’s encrypted with Transport Layer Security (TLS).
A Quick Refresher on the OSI (Open Systems Interconnection) Layers
In the early 1980’s, a decade before we happily surfed the internet and prepared to purchase our first cell phone (the 3-pound brick), computer manufacturers and telecom companies got together to determine how their equipment, applications and respective technologies could work together. It was a brilliant and prescient move. They came up with 7 communication layers, each one building on top of the previous layers. They called it the OSI model, and it was adopted by the International Organization for Standardization (IOS) in 1984.
The initial, or bottom, layer is the physical layer. It is Layer 1 and covers the transmission and reception of raw data over physical media. It determines how bits of data are sent and represented so they can be properly and accurately converted on the receiving end. The top, or last, layer is the application layer. It’s Layer 7 and is the closest layer to the end user. It’s how we interact with a network or application. As an example, applications connected to the internet operate at Layer 7. And what operates at this layer? The HTTP protocol.
(For point of reference, layers 1 through 7 are: physical, data, network, transport, session, presentation and application.)
Why is Layer 7 The New DDoS Target?
Most DDoS attacks have targeted layers 3 and 4, the network and transport layers. Many refer to these as infrastructure attacks. They are large and loud attacks and attempt to overload a network’s capacity. Detection is doable, but not easy. Now, attacks targeting Layer 7 are on the rise, which is why it’s so important to protect against them.
As an FYI, HTTP Floods are nothing new. They’ve been known about — at least in technology circles — for several years. But in the past several months, a massive amount of them have been reported by many AppSec cloud vendors, global public cloud providers (AWS, GCP) and others.
HTTP Flood attacks are more sophisticated and aggressive than traditional DDoS attacks of the past. To call them a headache for security teams and leaders is a gross understatement. Here’s why — in the attacks, a large number of legitimate-looking HTTP requests are sent to victims’ servers, overwhelming and exhausting resources. At the onset of an HTTP Flood attack, the victim’s server allocates the maximum possible amount of resources it has to accommodate the requests. It then begins to drop legitimate requests, ultimately becoming unresponsive.
What makes HTTP Floods especially harmful is that they’re hard to detect and differentiate from legitimate traffic. They are standard URL requests. And because they are lower bandwidth attacks — as opposed to volumetric attacks — they fly under the radar more easily. That is, until it’s finally revealed just how much damage they have done. In June of this year, an organization was hit with an HTTP Flood that resulted in over 45 million requests. For comparison purposes, it was the equivalent of Wikipedia’s daily requests…occurring in less than 10 seconds. A server doesn’t exist that can handle that.
Next month, we’ll go into several of the most noteworthy HTTP Flood attacks that have taken place over the past year. In addition, we’ll discuss attack durations, patterns detected, botnet usage, and more.
Your Best Defense Against DDoS Attacks, Including HTTP Floods
There is a reason so many organizations, enterprises and governments rely on Radware to provide industry-leading IT security to remain safe and operating at optimal levels. Our experts have one goal in mind — keep customers secure by detecting and stopping attacks before they overwhelm their infrascture. Reach out to them here. They would love to hear from you. Protection from DDoS and other attacks is just a click away.
If you’ll be attending the RSA Conference in San Francisco on April 24-27, make sure and stop by the Radware booth (#2139). Meet with our team of experts and take your cybersecurity to the next level. Better yet, you can set up an appointment with them here.