Cyber threats continue to grow in complexity and volume, and Layer 7 attacks remain especially difficult to defend against [1]. Each layer presents its own set of vulnerabilities for threat actors to exploit. The 7th layer, or application layer, handles application-specific communications. That makes it a useful target because modern applications are complex and varied.
Defending against Layer 7 attacks requires continuous tuning and adaptation [1]. Microsoft highlighted the issue in June 2023, when it reported a traffic surge that temporarily affected the availability of some of its services [1].
Microsoft's Layer 7 DDoS Attacks
Microsoft's security team detected and tracked DDoS activity from a threat actor it called Storm-1359. The actor used a mix of resources, including multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools [1].
The activity did not target layers 3 or 4. It targeted layer 7, where requests can look like regular traffic and arrive from source IPs distributed around the world.
The Attack Methods
Storm-1359 used several attack types, including:
- HTTP(S) Flood Attack: The attacker aimed to exhaust system resources with a high load of SSL/TLS handshakes and HTTP(S) request processing. This attack led the application backend to run out of compute resources such as CPU and memory [1].
- Cache Bypass: The attacker attempted to overload the origin servers by bypassing the CDN layer [1].
- Slowloris: In this case, the client opens a connection to a web server, requests a resource, such as an image, but fails to acknowledge the download or accepts it slowly. This causes the web server to keep the connection open and hold the requested resource in memory [1].
Strengthening Layer 7 Protections
Microsoft mitigated the majority of disruptions by hardening its Layer 7 protections. It fine-tuned Azure Web Application Firewall (WAF) to better defend customers from the impact of similar DDoS attacks [1].
Azure Web Application Firewall, ModSecurity, and DDoS Attacks
Azure Web Application Firewall (WAF), part of Microsoft's security architecture, is built upon ModSecurity [4], a well-established open-source Web Application Firewall (WAF) module [1]. The DDoS attack Microsoft faced highlighted potential limitations in using ModSecurity, or any conventional WAF, as the primary defence mechanism against such threats.
ModSecurity's Limitations in DDoS Defence
ModSecurity is effective against a variety of web application threats, but it has limitations when dealing with DDoS attacks:
- Lack of Scalability: ModSecurity is not inherently scalable. It can struggle to handle the enormous traffic volume associated with DDoS attacks.
- Delayed Response: ModSecurity's rule-based approach can result in slower response times to evolving DDoS threats. While it can block threats based on established rules, it can take time to identify and create rules for new or uncommon attack patterns.
- Operational Complexity: ModSecurity requires substantial expertise and constant fine-tuning to remain effective, potentially slowing down response times during a fast-paced DDoS attack.
These limitations were visible during the DDoS attack Microsoft experienced. Even though Microsoft utilised ModSecurity via Azure WAF, the time it took for Azure to respond underlines the challenge of using traditional WAFs for this class of attack [1].
The Role of Residential Proxy Networks in Layer 7 DDoS Attacks
Residential proxy networks create a specific problem in the defence against Layer 7 DDoS attacks [3]. These networks use IP addresses tied to physical locations, often originating from typical home or office internet connections. That makes it harder to separate legitimate traffic from malicious traffic.
Unlike traditional proxy or VPN networks, whose traffic can be blocked or rate-limited based on recognisable IP ranges, residential proxy networks blend in with legitimate users. That complicates identifying and blocking malicious requests, as any blocking or limiting measure could also affect legitimate traffic from residential IPs.
A Potential Solution
In this context, fingerprinting can help distinguish between legitimate clients and malicious actors. Fingerprinting involves gathering data points from each client request, including user agent, IP address, headers, cookies, and more. The combination of these data points creates a unique 'fingerprint' for each client.
By analysing these fingerprints, it is possible to detect anomalous request patterns and potentially identify malicious clients hidden behind residential IPs. Fingerprinting can improve the accuracy of identifying malicious traffic, but it is not foolproof and should sit inside a broader, layered defence strategy.
Implementing effective fingerprinting also requires substantial technical expertise and resources. The measures need to avoid degrading user experience or breaching privacy regulations.
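The check described above, as an added example that is not part of the original post or Peakhour's own code: it hashes the client-side data points of each request (everything except the IP) into one fingerprint, then flags fingerprints that show up from many distinct IPs at high volume, which is what a single scripted client rotating through a residential proxy pool looks like. The request fields, thresholds and the TLS fingerprint value format are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Request:
    ip: str
    user_agent: str
    accept_language: str
    header_order: tuple   # header names in the order the client sent them (assumed available)
    tls_fingerprint: str  # TLS ClientHello fingerprint supplied by the edge (assumed; constructed format)

def fingerprint(req: Request) -> str:
    """Hash the client-side data points, deliberately excluding the IP, into one stable id."""
    material = "|".join([req.user_agent, req.accept_language,
                         ",".join(req.header_order), req.tls_fingerprint])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def suspicious_fingerprints(requests, min_ips=20, min_requests=200):
    """Return {fingerprint: (distinct_ips, request_count)} for fingerprints seen from
    at least `min_ips` addresses and `min_requests` requests: one client, many IPs."""
    ips = defaultdict(set)
    counts = defaultdict(int)
    for r in requests:
        fp = fingerprint(r)
        ips[fp].add(r.ip)
        counts[fp] += 1
    return {fp: (len(ips[fp]), counts[fp]) for fp in counts
            if len(ips[fp]) >= min_ips and counts[fp] >= min_requests}

# Constructed sample traffic (RFC 5737 documentation addresses): one scripted client
# spread over 50 "residential" IPs, plus 30 ordinary visits from unrelated browsers.
BOT = dict(user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
           accept_language="en-US", header_order=("host", "user-agent", "accept"),
           tls_fingerprint="fp-constructed-A")
SAMPLE = [Request(ip=f"192.0.2.{i % 50 + 1}", **BOT) for i in range(300)]
SAMPLE += [Request(ip=f"198.51.100.{i}", user_agent=f"Browser/{i}.0",
                   accept_language="en-AU",
                   header_order=("host", "accept", "user-agent", "accept-language"),
                   tls_fingerprint=f"fp-constructed-{i}") for i in range(1, 31)]

if __name__ == "__main__":
    for fp, (n_ips, n_reqs) in suspicious_fingerprints(SAMPLE).items():
        print(f"fingerprint {fp}: {n_reqs} requests from {n_ips} distinct IPs")
```

A flagged fingerprint is a candidate rate-limit key, not a verdict: a shared corporate browser build behind a large NAT can look similar, so the threshold should be tuned against known-good traffic.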
The Need for Specialised Rate Limiting Services
A specialised rate limiting service could have offered a faster and more effective response to the DDoS attack. Rate limiting restricts the number of requests that an IP address can make within a specific time period [2].
Such a service offers several advantages when defending against DDoS attacks:
- Rapid Response: Rate limiting can provide a quick initial defence against a DDoS attack by immediately limiting traffic from suspicious IP addresses.
- Flexibility: Rate limiting rules can be applied to factors such as IP addresses, URL, headers, response codes, and more, creating more granular defence mechanisms.
- Reduced Load: By limiting the rate of requests, these services can reduce the load on the server, preserving resources for legitimate traffic.
Advanced Rate Limiting and Custom Keys
One way to defend against these attacks is through advanced rate limiting [2]. Rate limiting restricts the number of requests an IP address, URL, or another custom key can make in a set time period. This can stop a single actor from flooding a network with traffic.
Criteria Used in Rate Limiting
Rate limits can be defined using different criteria:
- IP Address
- URL
- Query String
- Headers
- Response Codes
- GeoIP Information: ASN or Country Code
- Parsed User Agent Information: Different rules for search engines vs. generic 'bots'
- Fingerprints: TCP, TLS or H2 fingerprints can uniquely identify the connecting software
- Meta Information: From bot protection service [2]
This allows rate limiting to 'bucket' requests using different criteria, effectively rate limiting a larger group of connections.
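The custom-key bucketing described above, as an added example that is not part of the original post or Peakhour's product: a sliding-window limiter is applied several times to each request with a different key function (IP, TLS fingerprint plus path, ASN). In the constructed traffic, 60 addresses in one hosting ASN each stay under the per-IP limit, but the ASN bucket catches the group as a whole. The request fields, limits and key functions are assumptions.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds for each key (sliding log)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of recent allowed hits

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Key functions: each one 'buckets' requests by a different criterion from the list above.
def key_ip(req):      return ("ip", req["ip"])
def key_fp_path(req): return ("fp+path", req["tls_fp"], req["path"])
def key_asn(req):     return ("asn", req["asn"])

def evaluate(requests, chain):
    """Run each request through (limiter, key_fn) pairs in order; return a decision per request.
    A request blocked by a later limiter still counts against the earlier buckets."""
    decisions = []
    for req in requests:
        verdict = "allow"
        for limiter, key_fn in chain:
            key = key_fn(req)
            if not limiter.allow(key, req["t"]):
                verdict = f"limit:{key[0]}"
                break
        decisions.append(verdict)
    return decisions

# Constructed sample: 60 requests over 6 s from 60 different IPs in one documentation ASN
# (64496, RFC 5398) sharing a TLS fingerprint, then one unrelated visitor from another ASN.
SAMPLE = [{"t": i * 0.1, "ip": f"203.0.113.{i + 1}", "asn": 64496,
           "tls_fp": "fp-constructed-A", "path": "/login"} for i in range(60)]
SAMPLE.append({"t": 6.5, "ip": "198.51.100.7", "asn": 64500,
               "tls_fp": "fp-constructed-B", "path": "/"})

def build_chain():
    return [(SlidingWindowLimiter(10, 10), key_ip),        # per client address
            (SlidingWindowLimiter(200, 10), key_fp_path),  # per client software hitting one path
            (SlidingWindowLimiter(50, 10), key_asn)]       # per network: catches the spread-out group

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, evaluate(SAMPLE, build_chain())):
        print(req["ip"], verdict)
```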
The Role of Anomaly Detection
Anomaly detection is another useful tool against these attacks. It identifies patterns or events that deviate from the norm and may indicate suspicious activity. Detecting those anomalies quickly can help teams respond faster, identify a suitable rate limit key and stop the potential attack.
Caching as a Mitigation Strategy
Caching is an effective mitigation strategy for Layer 7 attacks. It stores static responses to requests, reducing load on the server by serving those responses instead of processing each request individually. In a DDoS scenario, where a flood of requests is sent to the server, caching can help maintain availability. Ignoring client-provided Cache-Control headers such as 'max-age=0' or 'no-cache' can be effective, because attackers typically send these headers to force requests past the CDN cache to the origin.
Recommendations for Defence Against Layer 7 Attacks
- Use anomaly detection to identify an active attack.
- Use Layer 7 protection services, including rate limiting, with past 99th percentile hit rates as a starting point.
- Apply bot mitigation techniques, as most Layer 7 attacks originate from bots.
- Use IP reputation as an early warning sign, as many IPs have been involved in attacks before.
- Block, limit, or redirect traffic from outside a defined geographic region.
- Rate limit or block requests from data centre and hosting ASNs.
- Create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures.
- Use effective CDN caching and ignore client-presented Cache-Control headers.
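Anomaly detection against a historical baseline and the "past 99th percentile hit rate as a starting point" recommendation above, as an added example that is not part of the original post or Peakhour's product: the per-minute request counts for one rate-limit key are taken from a constructed day of history, the nearest-rank p99 plus headroom becomes the initial limit, and the current hour is scanned for minutes that exceed it. The window size, headroom factor and sample traffic are assumptions.

```python
import math

def percentile(values, p):
    """Nearest-rank percentile (0 < p <= 100) of a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]

def bucket_counts(timestamps, window):
    """Requests per fixed window of `window` seconds -> {bucket_index: count}."""
    counts = {}
    for t in timestamps:
        b = int(t // window)
        counts[b] = counts.get(b, 0) + 1
    return counts

def suggest_limit(baseline_counts, headroom=1.2):
    """Starting rate limit for a key: its past p99 per-window hit count plus headroom."""
    return math.ceil(percentile(baseline_counts.values(), 99) * headroom)

def anomalous_windows(current_counts, limit):
    """Window indices whose hit count deviates above the limit; each is a candidate to act on."""
    return sorted(b for b, n in current_counts.items() if n > limit)

# Constructed baseline: 24 hours of per-minute hits on one key, varying between 40 and 62.
BASELINE = {m: 40 + (m * 7) % 23 for m in range(1440)}

# Constructed current hour: normal traffic (45-54 hits/min) with a flood in minutes 30 and 31.
CURRENT_TS = [m * 60 + k * 0.05 for m in range(60) for k in range(45 + m % 10)]
CURRENT_TS += [30 * 60 + k * 0.1 for k in range(500)]
CURRENT_TS += [31 * 60 + k * 0.05 for k in range(800)]

if __name__ == "__main__":
    limit = suggest_limit(BASELINE)
    print("starting limit per minute:", limit)
    print("anomalous minutes:", anomalous_windows(bucket_counts(CURRENT_TS, 60), limit))
```

The limit is a per-key starting point, so the same procedure is run separately for each bucketing criterion (IP, ASN, fingerprint, path) rather than once for all traffic.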
Defending against Layer 7 attacks requires several controls working together. Rate limiting, anomaly detection, and effective caching all have a role.
Peakhour's advanced rate limiting and DDoS mitigation strategies help protect applications from sophisticated Layer 7 attacks. Contact our team to strengthen your defences.