Nitol botnet carries out huge 8.7 Gbps Layer 7 DDoS attack

Apr 6, 2016 13:45 GMT  ·  By

Imperva's security team reports on a gigantic DDoS Layer 7 attack that broke previous records and funneled traffic of almost 8.7 Gbps towards its target.

While 8.7 Gbps is hardly a number that impresses when it comes to classic network-level packet flood DDoS attacks, which can easily go over 100 Gbps and can sometimes peak at around 500 Gbps, Layer 7 DDoS attacks are different.

Instead of trying to push so much data to a target by having DDoS bots sling content at a server, Layer 7 attacks only send a few poisoned network packets, which initiate intense server processing operations that exhaust its CPU and RAM resources.

This method achieves the attacker's goal of bringing down servers, just like classic DDoS attacks, but in these scenarios, the hackers rarely need more than a few thousand requests per second and 1-2 Gbps of network traffic.

Nitol botnet used to launch Layer 7 DDoS attack of 8.7 Gbps

This is the reason Imperva's team noticed that something was different about a recent DDoS attack against one of their clients, a Chinese lottery website.

Over 2,700 IPs belonging to the Nitol botnet, most of them located in South-East Asia, sent about 163,000 HTTP POST requests to the website's server, disguised as Baidu's search crawler.

These requests looked legitimate right up until the TCP connections were established and Imperva's Layer 7 DDoS protection system was able to inspect the traffic.

The requests were generated by a script that assembled randomly generated large files and tried to upload them to the server. While the attack did not trigger network-level DDoS protection systems, it was detected and stopped once TCP inspection kicked in and exposed the threat.

Layer 7 DDoS attacks of over 10 Gbps may cause problems in the future

The issue that caught Imperva's attention was that, because of those "randomly generated large files" attached to the HTTP POST requests, this attack managed to account for over 8.7 Gbps of traffic.

The security vendor is warning companies that, in certain network setups, some issues may arise in the form of a bottleneck. Because network level and Layer 7 DDoS mitigation systems work at different points and have been designed to handle different bandwidths, some companies install connections with a smaller bandwidth after the network-level DDoS protection system.

In the attack described above, if the Chinese website had used a 7 Gbps connection in its network topology after the first DDoS protection system, the Layer 7 DDoS attack would have passed undetected and overwhelmed the second portion of the network with more traffic than it could have handled.

This extra traffic would have done its job, and it would have stopped other people from accessing the website.
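The two defensive checks the article implies, spotting large uploads from clients that merely claim to be Baidu's crawler, and measuring whether the resulting ingress would exceed a downstream link, can be sketched in a few lines. The following is an added example, not Imperva's code or anything from the report: the log format, the sample records, the reverse-DNS table standing in for a real resolver, and the 1 MB body threshold are all constructed assumptions. Real crawler verification also requires a forward lookup confirming the hostname resolves back to the IP; that step is noted but not performed here.

```python
"""Flag spoofed-crawler uploads and estimate ingress against a downstream link.

Added illustration for the attack pattern described in the article above.
All inputs are constructed; nothing here is Imperva's data or code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed access records (assumed format):
#   <unix_ts> <client_ip> <method> "<user_agent>" <request_body_bytes>
SAMPLE_LOG = """\
1000 203.0.113.10 POST "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 4000000
1000 203.0.113.11 POST "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 5200000
1000 203.0.113.12 POST "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 4800000
1001 203.0.113.10 POST "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 4100000
1001 198.51.100.7 GET "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 0
1001 192.0.2.44 POST "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0" 2048
"""

# Constructed reverse-DNS table standing in for a real resolver (assumption).
# Only one sample address maps to a crawler hostname; the others have no PTR.
FAKE_RDNS = {"198.51.100.7": "baiduspider-198-51-100-7.crawl.baidu.com"}

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)" (\d+)$')


@dataclass
class Record:
    ts: int
    ip: str
    method: str
    ua: str
    length: int


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, ua, length = m.groups()
        records.append(Record(int(ts), ip, method, ua, int(length)))
    return records


def claims_baidu(ua):
    """True when the User-Agent string presents itself as Baiduspider."""
    return "baiduspider" in ua.lower()


def verified_crawler(ip, rdns=FAKE_RDNS):
    """Reverse-DNS check against the crawler's published domains.

    A production check must also forward-resolve the returned hostname and
    confirm it points back at `ip`; that lookup is omitted in this offline sketch.
    """
    host = rdns.get(ip, "")
    return host.endswith(".baidu.com") or host.endswith(".baidu.jp")


def flag_spoofed_uploads(records, min_body=1_000_000):
    """IPs that claim to be Baiduspider, fail verification, and POST large bodies."""
    return sorted({
        r.ip for r in records
        if r.method == "POST" and r.length >= min_body
        and claims_baidu(r.ua) and not verified_crawler(r.ip)
    })


def peak_gbps(records):
    """Peak one-second ingress (Gbps) from request bodies alone."""
    per_sec = defaultdict(int)
    for r in records:
        per_sec[r.ts] += r.length
    return max(per_sec.values()) * 8 / 1e9


def downstream_overload(records, link_gbps):
    """True when the peak ingress exceeds the link sitting behind the first scrubber."""
    return peak_gbps(records) > link_gbps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspect uploaders:", flag_spoofed_uploads(recs))
    print("peak ingress Gbps:", round(peak_gbps(recs), 3))
    print("would saturate a 0.1 Gbps link:", downstream_overload(recs, 0.1))
```

The two signals are deliberately kept separate: the spoofed-crawler check is what a Layer 7 inspector would act on per request, while the per-second byte total is the capacity-planning figure that decides whether the link after the network-level scrubber is sized for what the scrubber will let through.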

"As we speak, the aforementioned attacking botnet remains active and the technique used in the attack is still being employed," Imperva's Igal Zeifman notes. "Furthermore, it is likely to become more pervasive as additional botnet operators discover its damage potential."

UPDATE: Bryant Rump, principal security solutions engineer, Neustar, has provided a counterpoint to the idea that hybrid DDoS protection systems can be defeated by this type of attack.

[Image: Location of Nitol botnet IPs used in the most recent DDoS attack]

[Image: Problematic network topology]