Layer 7 bot attacks and mitigation techniques
Diana Kamkina • October 5, 2020
Of all the cyber threats we see on a daily basis, 50% fall into Layer 7 attacks. It is increasingly important that businesses understand this type of malicious activity, its drivers, target areas and possible solutions.
What are Layer 7 attacks?

Layer 7 (L7) attacks are those targeting the top layer of the OSI model. They mostly consist of ordinary HTTP(S) requests, in contrast to network layer attacks such as DNS amplification. The aim is to crash the organisation’s servers by overworking them with HTTP GET or HTTP POST requests.

That’s why these attacks are mainly directed at the most resource-hungry elements of an application or database. This might be a whole channel or server, but it could also be a single page that requires a lot of computing: lists of products and pricing, login forms, PHP scripts that generate reams of output, and so on.
The most vulnerable Layer 7 areas

1. Search function. In the example below, the website shut down and stopped responding from an initial rate of as little as ten requests per second. This is very common.

2. Entry fields: authorisation, comment and other forms. Nowadays developers tend to use computationally expensive hashes to protect the login database from attacks, but this approach consumes significant CPU resources. A high enough stream of fake authorisation attempts can overwhelm the processor.

3. Heavy content: pictures, binary files, PDF documentation, etc. Attacks here overload the file system in order to slow down the server and clog channels.

4. Mail protocols or MySQL. Mail protocols are less affected than databases but are still vulnerable. SSH can sometimes eat up almost the entire CPU of the attacked server, leaving no resources for legitimate authorisations.

5. Server connections. The number of open connections in Apache and similar solutions is limited. If an attacker opens enough connections, the server no longer accepts new ones.
Why are Layer 7 attacks so dangerous?

Compared to network or transport layer attacks, L7 attacks are typically low and slow yet very disruptive as they:

1. come directly to the application, which means that the network protection tools are often helpless in mitigating these attacks;

2. use certain logic to consume targeted CPU, memory, hard drive and other resources in a highly efficient manner;

3. are some of the most difficult bot attacks to mitigate because they are hard to identify and mimic genuine user behaviour. This is especially the case in an HTTP flood attack, where the traffic is not spoofed and may appear “normal”. In the case of a carefully executed attack, not even logs help to spot the actual penetration and set the legitimate requests apart.

Because these requests seem legitimate, organisations cannot effectively distinguish bot activity from human requests, and bad bots from good ones. Then there’s the challenge of actually allowing the legitimate traffic to pass through whilst malicious requests get blocked.
Layer 7 protection techniques

The request-response technique, used to verify correct network behaviour from the source, permits traffic that proves to be “true”. Whilst effective on the network layer, on L7 it requires high CPU power, additional actions and code complexity from the mitigator.

Pattern identification, used to find repeat patterns in the traffic headers. Traffic headers are easy to parse at the network layer; at L7, however, HTTP headers are loosely defined, with variable ranges and lengths. The mitigator has to separate each packet into its Layer 3, Layer 4 and Layer 7 parts to find the pattern, which again means more code and CPU.

Rate limiting: protection based on configured traffic thresholds and responses. The drawback is that genuine requests exceeding the predefined rate limit are blocked as well.
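The following is an added example, not code from the original post or from Variti: a per-source rate limiter that charges the expensive endpoints from the list above (search, login) more budget than a plain page view, run over constructed log lines. It assumes a hypothetical log format of `ip timestamp "METHOD path proto" status`; the third source shows the drawback just described, a genuine user refreshing a search who is refused along with the bot.

```python
import re
from collections import defaultdict, deque

# Expensive endpoints (search, login) cost more budget than a plain page view.
ENDPOINT_COST = {"/search": 5, "/login": 5}
DEFAULT_COST = 1
# Assumed log format (constructed for this example): ip timestamp "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) [^"]+" (\d{3})$')


def endpoint_cost(path):
    return ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)


class SlidingWindowLimiter:
    """Per-source cost budget over the last `window` seconds."""

    def __init__(self, budget, window):
        self.budget, self.window = budget, window
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, cost)
        self.used = defaultdict(int)       # ip -> cost spent inside the window

    def allow(self, ip, ts, cost):
        q = self.events[ip]
        while q and ts - q[0][0] >= self.window:   # drop events that left the window
            self.used[ip] -= q.popleft()[1]
        if self.used[ip] + cost > self.budget:
            return False
        q.append((ts, cost))
        self.used[ip] += cost
        return True


def analyse(log_text, budget=20, window=1.0):
    """Return {ip: number of requests the limiter would have refused}."""
    limiter, blocked = SlidingWindowLimiter(budget, window), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path, _status = m.groups()
            if not limiter.allow(ip, float(ts), endpoint_cost(path)):
                blocked[ip] += 1
    return dict(blocked)


def sample_log():
    """Constructed traffic: a search-flood bot, a browsing user, and a user refreshing search."""
    lines = [f'198.51.100.7 {1000 + i * 0.03:.2f} "GET /search?q={i} HTTP/1.1" 200' for i in range(30)]
    for i, path in enumerate(["/", "/products", "/search?q=shoes", "/product/1", "/login"]):
        lines.append(f'203.0.113.5 {1000 + i * 0.2:.2f} "GET {path} HTTP/1.1" 200')
    lines += [f'192.0.2.9 {1000 + i * 0.1:.2f} "GET /search?q=sale HTTP/1.1" 200' for i in range(5)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyse(sample_log()))   # {'198.51.100.7': 26, '192.0.2.9': 1}
```

The browsing user (203.0.113.5) stays under budget and is never refused, while the bot loses 26 of its 30 search requests and the refreshing user loses one.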

Layer 7 attacks continue to grow in complexity, but organisations keep believing that good L3 & L4 security products are enough for comprehensive protection. The websites behind CDNs and load balancers are still vulnerable to L7 attacks because those tools are simply not designed for real-time bot detection.

Organisations should have proactive monitoring and advanced alerting, an adaptive strategy and properly configured tools to better mitigate the amount of unwanted traffic.

How do we block Layer 7 attacks?

When we first launched our traffic filtering service, we immediately decided not to deal with IP transit but to protect HTTP, API and game services, so we transmit all L7 traffic over TCP instead.
All requests go through a cluster (servers + network equipment). We break the traffic up into separate requests and accurately and quickly analyse all sessions from each IP address, which lets us distinguish bots from legitimate users without blocking IP addresses. This not only protects Layer 7 but simultaneously and automatically blocks L3 and L4 attacks. In addition, it takes us less than 10 milliseconds to identify and stop malicious traffic.
If you would like to find out more about our Active Bot Protection technology, drop us a line via variti.io