Cloud WAF Features for Effective DDoS Mitigation

December 16, 2025

Distributed Denial of Service (DDoS) attacks represent a persistent and significant threat to businesses that operate within our always-connected digital environment. By overwhelming a target system with massive volumes of network traffic, these malicious attacks can render essential websites, applications, APIs, and entire networks unusable for their users. For industries that depend heavily on constant online interactions with their customers and users, such as e-commerce, retail, financial services, or online gaming, the immediate and direct revenue loss resulting from a successful DDoS attack can be substantial.

While many people associate DDoS attacks primarily with high-volume network floods that saturate bandwidth, circuits, and routers, a more sophisticated and often highly effective form of this attack targets the application layer. Understanding the mechanisms behind these specific attacks is the important first step toward building a robust and effective defense strategy. This post will explore the nature of application-layer DDoS attacks in more detail and explain how a modern, cloud-based Web Application Firewall (WAF) can serve as a critical component in your overall mitigation strategy.

Understanding Application-Layer DDoS Attacks

An application-layer (Layer 7) DDoS attack employs a botnet to inundate a web server, application, or its supporting databases and APIs with a flood of HTTP or HTTPS requests. The objective of this deluge is to exhaust the target’s critical resources, such as CPU cycles, available RAM, and disk I/O capacity, thereby rendering the service unavailable to legitimate users.

Unlike volumetric attacks, which primarily aim to saturate network bandwidth and overwhelm network infrastructure, application-layer attacks operate at a higher level, directly targeting the resources of the web server, application, or its underlying services. This distinction means they inflict a much wider and more granular range of adverse effects on their target beyond simple network congestion.

Because most modern websites and APIs use Transport Layer Security (TLS), most network-based DDoS mitigation technologies cannot inspect HTTP requests to identify attack indicators and block malicious traffic. Instead, network-based mitigation has to rely on less accurate detection mechanisms based on packet statistics such as the number of TCP sessions, bytes in, and TCP packet sizes.

Web application firewalls (WAFs), load balancers, and caching proxies, while critical components of modern application infrastructure, are inherently resource-intensive when processing incoming traffic. During an application-layer DDoS attack, these components can become overwhelmed, leading to service degradation or outright failure. Such failures can result in the application becoming entirely unavailable to legitimate users. Even more concerning is the possibility of a “fail-open” scenario, where these systems continue to allow traffic without sufficiently inspecting it, thereby exposing the application to other, non-DDoS, types of application attacks. This failure in security could potentially enable malicious actors to perform defacement, exfiltrate sensitive data, or exploit vulnerabilities for further attacks, thereby compounding the impact of the original DDoS event.

HTTP responses, which commonly consist of HTML pages, PDF documents, or images, are inherently larger (100 KB to several megabytes or more) than the client requests that trigger them (500-1,000 bytes). Consequently, during an application-layer attack, a web server attempting to process and respond to a flood of these requests can rapidly exhaust its outbound bandwidth and processing capabilities. This depletion of resources renders the server unable to effectively deliver content to legitimate users, ultimately leading to service degradation or complete unavailability.

Every HTTP request sent to a web server creates a log entry, which is stored in an access log file. These logs record details about each request, such as the time, IP address, browser type, and resource accessed. Over time, as the number of requests grows, these log files can expand significantly, gradually consuming more and more space on the server’s hard drives. If left unchecked, this accumulation of data can eventually fill up the server’s storage entirely, leading to performance issues or even causing the operating system to crash, rendering the server non-functional until the issue is resolved.

Many web applications rely on back-end services like APIs, databases, or file servers, which are crucial for storing and managing data. Application-layer DDoS attacks can generate excessive demand on these back-end servers and overwhelm them with excessive traffic, making them inaccessible to legitimate users.

Common application-layer DDoS attack techniques include:

  • HTTP GET Flood: A brute-force attack where a high volume of GET requests overwhelms a server’s memory, CPU, or disk I/O. Attackers often target resource-intensive pages to maximize the strain on the server.
  • Proxy-Busting: By adding a random query string to a URL, attackers can bypass caching mechanisms like a Content Delivery Network (CDN). This forces each request to be forwarded directly to the origin application server, magnifying the attack’s impact.
  • Form Actions: Attackers can repeatedly submit data through forms on a website, such as login or search forms. These POST requests are often more resource-intensive for a server to process than GET requests, leading to rapid resource depletion.
  • TLS Session Exhaustion: By initiating a large number of TLS handshake requests, which require significant computational effort to process, attackers can quickly deplete a server’s ability to handle legitimate connections.

These are just a few examples of how application-layer attacks can cripple an application. For a more detailed look at the various types of application-layer attacks, you can read our guide on how to defend against application-layer DDoS attacks.

Key Cloud WAF Features for DDoS Mitigation

A cloud-based Web Application Firewall (WAF) is a critical defense against application-layer DDoS attacks. When hosted in the cloud, a WAF dynamically scales to absorb vast amounts of malicious traffic, ensuring uninterrupted service for legitimate users without complex on-premise infrastructure. It filters and monitors HTTP and HTTPS traffic, identifying and blocking malicious requests in real time before they reach your application servers. Cloud WAFs offer advanced features such as behavior analysis, rate limiting, and real-time traffic filtering to detect and mitigate sophisticated attack patterns. This distributed architecture, when combined with a network-layer DDoS mitigation service, creates a comprehensive, multi-layered defense strategy that prevents all types of DDoS attack traffic from reaching origin servers.

Distributed Deployment Footprint

A distributed deployment across multiple Points of Presence (PoPs) ensures enhanced security, performance, and reliability for modern cloud-based WAFs. By leveraging geographically dispersed PoPs and BGP anycast or DNS-based load balancing, traffic can be routed through the nearest location, reducing latency and optimizing user experience. Additionally, this setup enables efficient load balancing and reduces the likelihood of a single point of failure, thereby improving system resilience. The distributed architecture also facilitates localized threat detection and mitigation, ensuring that malicious activities are identified and addressed closer to their source. This approach not only strengthens the protection against distributed denial-of-service (DDoS) attacks but also maintains consistent service availability under varying network conditions.

Integrated Network-Layer Protections

Integrated network-layer protections are a critical component of a robust cloud WAF solution, addressing large-scale volumetric DDoS attacks. These protections are designed to safeguard your infrastructure by detecting and mitigating malicious traffic targeting network protocols such as TCP, UDP, and ICMP. By leveraging globally distributed networks and network-layer protections in front of a cloud WAF, the WAF can block high-volume attacks without compromising application performance or availability. This ensures seamless protection across all entry points, maintaining the stability and reliability of your services even during the most complex attack scenarios.

Blocking Non-HTTP/HTTPS Traffic

A primary function of a WAF is to inspect web traffic. As a first line of defense, a WAF can be configured to block all traffic that doesn’t use the standard web protocols HTTP and HTTPS. This simple rule helps to passively filter out a significant portion of malicious traffic from network-layer attacks that might otherwise reach your application servers.

Scale on Demand

An effective cloud WAF is designed with excess capacity to handle increased levels of traffic, including sudden spikes caused by DDoS attacks. By being built on cloud infrastructure, the WAF can accommodate increased demand for web content without compromising performance or availability. This over-provisioning ensures that legitimate user requests are served seamlessly, even during high-traffic periods, while maintaining robust protection against threats. Such scalability is critical for businesses with global audiences or those subject to unpredictable traffic patterns.

TLS Termination and X.509 Certificates

To inspect encrypted traffic, a WAF must first decrypt it. By terminating the TLS connection at the WAF, security teams can analyze the full content of each request. This process, also known as SSL offloading, frees up application server resources that would otherwise be spent on decryption. The WAF can also validate X.509 client certificates to ensure that traffic is coming from trusted sources, providing an additional layer of authentication.

HTTP Rate Controls

Rate limiting is one of the most effective WAF features for stopping application-layer DDoS attacks. This feature allows you to set thresholds on the number of requests a single IP address or user session can make within a specific timeframe. When a source exceeds this limit, the WAF can automatically block or throttle its traffic, preventing it from overwhelming your application. These rules can be customized for different parts of your application based on normal traffic patterns.
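The per-source threshold described above, as an added example that is not code from the original post: a sliding-window limiter keyed by client IP that blocks a source for a fixed period once it exceeds the limit (the limit, window and block duration are assumed values, not any product's defaults).

```python
# Added example (not from the original post): a per-client sliding-window
# rate limiter of the kind a WAF rate-control rule implements. Thresholds and
# the block duration are assumed values chosen for the demonstration.
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds per client key;
    a client that exceeds it is blocked outright for `block_for` seconds."""

    def __init__(self, limit=100, window=10.0, block_for=60.0):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self._hits = defaultdict(deque)   # key -> timestamps inside the window
        self._blocked_until = {}          # key -> time the block expires

    def check(self, key, now):
        """Return 'allow', 'block' (limit just exceeded) or 'blocked'."""
        until = self._blocked_until.get(key)
        if until is not None:
            if now < until:
                return "blocked"
            del self._blocked_until[key]  # block expired; start with a clean slate
            self._hits[key].clear()
        q = self._hits[key]
        q.append(now)
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self._blocked_until[key] = now + self.block_for
            q.clear()
            return "block"
        return "allow"


def replay(limiter, events):
    """Feed (timestamp, client_ip) pairs in order and return one verdict each."""
    return [limiter.check(ip, t) for t, ip in events]


if __name__ == "__main__":
    # Constructed traffic: one client at 5 req/s (well under 100 per 10 s)
    # and one flooding client at 50 req/s that trips the limit after 2 s.
    lim = RateLimiter(limit=100, window=10.0, block_for=60.0)
    events = [(i / 5, "203.0.113.10") for i in range(100)]
    events += [(i / 50, "198.51.100.7") for i in range(150)]
    events.sort()
    for ip in ("203.0.113.10", "198.51.100.7"):
        verdicts = [v for (t, src), v in zip(events, replay(RateLimiter(), events)) if src == ip]
        print(ip, {v: verdicts.count(v) for v in set(verdicts)})
```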

Custom Rules to Block Attack Signatures

Because application-layer attacks can be tailored to exploit specific vulnerabilities, the ability to create custom rules is crucial. A WAF allows security teams to define rules that block requests based on specific attack signatures. These signatures can be identified by analyzing various components of an HTTP request, including:

  • User-Agent: Attack tools often use common or easily identifiable User-Agent strings. A WAF can be configured to block requests from User-Agents known to be associated with malicious bots.
  • Query String: For attacks like proxy-busting, which use randomized query strings, a WAF can apply rules to identify and block patterns indicative of this technique.
  • Denial of Service Vulnerabilities: Some attacks such as ApacheKiller, #refref and XML API DoS use vulnerabilities in the application to generate excessive application load. These can be detected and blocked with WAF rules.
  • Virtual Patching: Other application vulnerabilities impact availability and are assigned Common Vulnerabilities and Exposures (CVE) identifiers. These identifiers can be used to quickly add a virtual patch to the application to protect it from exploitation.

IP and CIDR Blocking

For scenarios requiring more precise and granular control over network access, a Web Application Firewall (WAF) provides the capability to block specific IP addresses or entire IP address ranges, leveraging Classless Inter-Domain Routing (CIDR) notation. This functionality proves invaluable in situations where security teams identify a limited number of source IPs that are generating a disproportionately high volume of malicious requests, such as during a targeted attack or an attempted brute-force compromise. By pinpointing and blocking these specific origins, the WAF can effectively neutralize immediate threats without broadly impacting legitimate user traffic.
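The custom-rule signatures from the previous section (User-Agent matching and proxy-busting query strings on cacheable assets) together with the CIDR blocking described here, as an added example that is not code from the original post. The networks, User-Agent pattern, cacheable extensions and allowed cache-busting parameter names are all constructed sample values.

```python
# Added example (not from the original post): a minimal custom-rule evaluator
# covering CIDR blocklists, User-Agent signatures and proxy-busting detection.
# Every network, pattern and parameter name below is a constructed sample.
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed blocklist; in practice these come from incident data or intel feeds.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]
# An empty User-Agent or a constructed tool name stands in for known bad signatures.
BLOCKED_UA = re.compile(r"^(?:|example-flood-tool(?:/\S+)?)$")
# Assets a CDN would normally serve from cache; a query string on these is unusual...
CACHEABLE = re.compile(r"\.(?:css|js|png|jpe?g|gif|svg|woff2?|pdf)$", re.IGNORECASE)
# ...except for the cache-busting parameters the site's own templates emit.
ALLOWED_CACHE_PARAMS = {"v", "ver"}


def evaluate(request):
    """Return (verdict, rule) for a dict with 'ip', 'user_agent' and 'target'
    (request path plus optional query string). The first matching rule wins."""
    ip = ipaddress.ip_address(request["ip"])
    if any(ip in net for net in BLOCKED_NETWORKS):   # mismatched IP versions never match
        return "block", "cidr_blocklist"
    if BLOCKED_UA.match(request.get("user_agent", "")):
        return "block", "user_agent"
    parts = urlsplit(request["target"])
    if CACHEABLE.search(parts.path) and parts.query:
        # keep_blank_values keeps bare tokens such as "?q8zk1f" as a key.
        keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if not keys <= ALLOWED_CACHE_PARAMS:
            return "block", "proxy_busting"
    return "allow", None


if __name__ == "__main__":
    # Constructed requests exercising each rule and the allow path.
    samples = [
        {"ip": "198.51.100.9", "user_agent": "Mozilla/5.0", "target": "/"},
        {"ip": "203.0.113.5", "user_agent": "", "target": "/"},
        {"ip": "203.0.113.5", "user_agent": "Mozilla/5.0", "target": "/static/app.js?v=3.2"},
        {"ip": "203.0.113.5", "user_agent": "Mozilla/5.0", "target": "/images/hero.png?q8zk1f"},
    ]
    for req in samples:
        print(evaluate(req), req["ip"], req["target"])
```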

IP Reputation and Cyber Threat Intelligence

Not all traffic sources are equal; their inherent trustworthiness varies significantly. A cloud-based Web Application Firewall (WAF) frequently incorporates integrations with comprehensive threat intelligence databases. These databases diligently maintain and update extensive lists of IP addresses that have been positively identified as originating from malicious actors, such as those participating in botnets, engaging in phishing campaigns, or orchestrating various forms of cyberattacks. By systematically leveraging this continually updated IP reputation data, a WAF gains the capability to proactively block incoming traffic originating from these known malicious sources, thereby preventing potential threats from reaching critical web applications and infrastructure.

Geoblocking by Country or Region

Geoblocking provides an advanced level of control by allowing administrators to restrict access based on the geographic origin of incoming traffic. This can be implemented through the use of IP addresses to identify the locations of users attempting to access the network. By selectively blocking countries or regions that exhibit high levels of malicious activity or where no legitimate business operations occur, organizations can significantly reduce their vulnerability to cyberattacks. For instance, if an organization primarily serves customers within a localized market, traffic from external regions can be blocked without impacting legitimate users. This strategic method not only minimizes potential threats but also optimizes network resources by ensuring that bandwidth and processing power are not consumed by unnecessary or harmful traffic.

Visibility and Log Analysis

Effective defense requires visibility. Cloud WAF provides detailed logs of all web traffic, which are invaluable for both real-time monitoring and post-incident analysis. By analyzing these logs, security teams can identify traffic patterns, detect emerging threats, and refine WAF rules to improve protection. Consistent monitoring helps distinguish between a legitimate traffic spike and a coordinated DDoS attack.
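Telling a legitimate spike from a coordinated flood in the access logs, as an added example that is not code from the original post: it parses combined-format log lines and reports how concentrated a traffic window is by source IP, target path and User-Agent. The log lines are constructed and the thresholds are assumed starting points to be tuned against a site's normal baseline.

```python
# Added example (not from the original post): profile a window of access-log
# lines to separate a broad legitimate spike from a concentrated L7 flood.
# The lines are constructed samples; the thresholds are assumed starting points.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile(lines):
    """Aggregate a window of lines into concentration indicators (None if empty)."""
    entries = [e for e in map(parse_line, lines) if e]
    n = len(entries)
    if n == 0:
        return None
    ips = Counter(e["ip"] for e in entries)
    paths = Counter(e["target"].split("?", 1)[0] for e in entries)
    uas = Counter(e["ua"] for e in entries)
    return {
        "requests": n,
        "top5_ip_share": sum(c for _, c in ips.most_common(5)) / n,
        "top_path_share": paths.most_common(1)[0][1] / n,
        "top_ua_share": uas.most_common(1)[0][1] / n,
    }


def classify(p):
    """Return the indicator names that fire; an empty list reads as a plain spike."""
    flags = []
    if p["top5_ip_share"] >= 0.8:
        flags.append("few_sources")      # a handful of IPs carry the window
    if p["top_path_share"] >= 0.8:
        flags.append("single_target")    # one resource takes nearly all hits
    if p["requests"] >= 50 and p["top_ua_share"] >= 0.9:
        flags.append("uniform_ua")       # one client signature, unlike real browsers
    return flags


def make_line(ip, target, ua):
    """Build a constructed combined-format log line for the demo."""
    return f'{ip} - - [16/Dec/2025:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed flood: four sources hammering one search form with one tool UA.
FLOOD = [make_line(f"198.51.100.{i % 4 + 1}", f"/search?q={i}", "example-flood-tool/1.0") for i in range(200)]
# Constructed legitimate spike: 200 distinct visitors across many pages and browsers.
SPIKE = [make_line(f"203.0.113.{i % 250}", f"/products/{i % 37}", f"Mozilla/5.0 (Browser {i % 6})") for i in range(200)]
```

Running `classify(profile(FLOOD))` fires all three indicators while `classify(profile(SPIKE))` fires none, which is the distinction the paragraph above asks monitoring to make.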

Strengthen Your Web Application Defenses with UltraWAF

A robust defense against DDoS requires a solution that is both powerful and adaptable. DigiCert UltraWAF is a cloud-based web application firewall that provides comprehensive protection against application-layer DDoS and other application attacks. With features like advanced rate limiting, custom rule creation, and integrated threat intelligence, UltraWAF empowers you to protect your applications without sacrificing performance.

By routing your traffic through our globally distributed and resilient network, UltraWAF ensures that malicious requests are filtered out long before they reach your infrastructure. This allows you to maintain application availability and deliver a secure, uninterrupted experience for your legitimate users.

To learn more about how UltraWAF can safeguard your applications and enhance your security posture, contact us today. Our team of experts is ready to help you determine if UltraWAF is the right solution for your organization.

Published On: December 16, 2025
Last Updated: December 16, 2025
