Get Ready for Application-Layer DDoS Attacks


For years, businesses offering Internet services have had to deal with distributed denial of service (DDoS) attacks. That threat has gotten worse.

How do DDoS attacks work? Put simply, they overwhelm services with traffic, making it impossible to address legitimate service requests, and leaving an unfavorable impression on customers who can’t get what they want. Who do customers blame, for example, if they can’t pay bills online because the bill-paying service’s website is offline? Not the DDoS attack. They don’t even know about it. They blame the billing service.

Why Signature-based Defense Tactics Don’t Work

Various forms of defense have arisen in response. Most work by looking for some relatively simple signature, such as the specific IP addresses of attacking botnets.

Lately, however, attackers are defeating this kind of defense with specific, precision-targeted attacks. By focusing on layer seven (the application layer) of the standard OSI network model, they can hammer a site with service requests that appear to be legitimate, but aren’t. And because they’re harder to recognize, they’re also harder to stop.

This can be devastating — especially when it brings a business’s online operations to a standstill.

Consider a recent case cited by Imperva, in which more than 163,000 layer seven attacks per second were observed, consuming 8.7 Gb/second of bandwidth and shutting out customers entirely for the duration of the attack. Such attacks can, in theory, be sustained for days or even weeks, bringing Internet-facing services to a halt the entire time.
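The contrast described above, as an added example that is not from the original article or from any vendor's product: an IP blocklist passes a flood of well-formed requests from previously unseen addresses, while a check on request volume per endpoint flags it. The log records, blocklist, paths, baseline rates and threshold factor are all constructed for illustration.

```python
from collections import Counter, defaultdict

BLOCKLIST = {"203.0.113.7", "203.0.113.9"}              # constructed IP "signatures"
BASELINE_RPS = {"/home": 5.0, "/account/search": 2.0}   # assumed normal requests/sec per path

def signature_filter(records):
    """Drop requests whose source IP is on the blocklist; pass everything else."""
    return [r for r in records if r["ip"] not in BLOCKLIST]

def rate_anomalies(records, baseline=BASELINE_RPS, factor=5.0):
    """Flag one-second (ts, path) buckets whose volume exceeds factor x baseline."""
    per_source = defaultdict(Counter)                   # (ts, path) -> requests per IP
    for r in records:
        per_source[(r["ts"], r["path"])][r["ip"]] += 1
    alerts = []
    for (ts, path), by_ip in sorted(per_source.items()):
        count, limit = sum(by_ip.values()), factor * baseline.get(path, 1.0)
        if count > limit:
            alerts.append({"ts": ts, "path": path, "count": count, "limit": limit,
                           "distinct_ips": len(by_ip), "max_per_ip": max(by_ip.values())})
    return alerts

def build_sample():
    """Constructed traffic: 3 seconds of normal use, one blocklisted hit, one flood."""
    records = []
    for ts in range(3):
        for i in range(4):
            records.append({"ts": ts, "ip": f"198.51.100.{i + 1}", "path": "/home"})
        records.append({"ts": ts, "ip": "198.51.100.50", "path": "/account/search"})
    records.append({"ts": 1, "ip": "203.0.113.7", "path": "/home"})
    # Flood at ts=2: 60 previously unseen IPs, one well-formed request each,
    # all aimed at the database-backed endpoint.
    for i in range(60):
        records.append({"ts": 2, "ip": f"192.0.2.{i + 1}", "path": "/account/search"})
    return records

if __name__ == "__main__":
    traffic = build_sample()
    passed = signature_filter(traffic)
    print(f"blocklist dropped {len(traffic) - len(passed)} of {len(traffic)} requests")
    for alert in rate_anomalies(passed):
        print("rate alert:", alert)
```

Because every flood source sends a single request (`max_per_ip` is 1), a per-IP rate limit would miss it as well; only the aggregate volume against the endpoint stands out.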

How Do You Fight DDoS Attacks At Every Layer?

At neteffect, a leading Charlotte-based IT service specialist, we’ve been tracking attacks of this sort for some time and have partnerships with top-tier security providers offering technology that responds effectively.

One of these partners is Fortinet, provider of the FortiDDoS solution, which can recognize and block DDoS attacks at every layer: three, four and seven. This is possible because FortiDDoS is both faster and smarter than competing offerings, thanks to custom ASICs that assess incoming traffic at a packet level, then figure out what it’s trying to accomplish.

This means that instead of simply looking at where attacks originate, FortiDDoS also recognizes threat behavior. For example, it can determine whether traffic is going to overwhelm the crucial link between an application and a customer information database to bring down the whole service and, after identifying the threat as a layer seven DDoS attack, stop the attack.

The whole process is extraordinarily fast, because the analysis is performed by optimized hardware (custom ASICs) and orchestrated via predefined policies that typically don’t require real-time human authorization. The upshot is that however powerful a layer seven DDoS attack may be, it gets very little time to impact business: so little time, in fact, that customers may not even notice.

Of course, it’s also true that because FortiDDoS is relatively advanced, not all organizations have the in-house expertise to deploy and integrate it effectively. As a partner of Fortinet, neteffect can help you defend against DDoS attacks of all types, including those at the application layer, by putting Fortinet FortiDDoS technology to work for you.