Flood sign

POST traumatic stress: why a massive DDoS attack means trouble for hybrid protection


As human beings most of us have come to expect terrible things to occasionally happen. And so we prepare for them. Even if those terrible things can’t be prevented, they can be protected against, the damage minimized as much as possible.

The key to preparing for potential disaster is understanding the threats we’re facing. It’s why we go underground when a tornado is coming, or get to high ground during a flood. But what happens if a family scurries underground during a tornado warning only to try and emerge from a hatch door in the ground hours later and find they’re pinned in their shelter by rain-induced flooding?

It isn’t possible to prepare for every possible outcome, but it is possible to recognize the warning signs of a new and potent type of threat. That’s why the story of a China-based lottery website and a massive POST flood DDoS attack cannot go ignored, especially by organizations using hybrid DDoS solutions.

Unlucky numbers

As a leading DDoS protection service provider, it takes a lot for the engineers at Imperva Incapsula to find themselves surprised by a DDoS attack. But an attack on a China-based lottery website was exactly that: a lot, and not in the way DDoS attacks usually are.

Application layer (Layer 7) DDoS attacks target the web application itself rather than the network beneath it. They hammer specific, expensive features or functions of a website, such as search or form submission, with requests that look legitimate, in order to exhaust server resources and deny those functions to real users. Because each request is small, application layer attacks have historically stressed the server without eating up bandwidth the way volumetric, network layer attacks do. At least, they didn’t until now.

The attack on the China-based lottery website was an application layer HTTP POST flood that peaked at 163,000 requests per second. A high number to be sure, but not unheard of. What was unheard of was an application layer attack consuming bandwidth at 8.7 Gbps. Those two figures together work out to roughly 6.7 KB per request, far more than a typical POST carries, which suggests the attacker deliberately padded the request bodies so that every request was expensive for the network pipe and not just for the server. This was reportedly a record for an application layer attack.

The problem this presents

You might be wondering what the big deal is. After all, network layer attacks regularly hit 200 to 400 Gbps and are routinely absorbed by advanced DDoS protection solutions. But network layer attacks are expected to be large; DDoS protection solutions are built around that assumption, just as they are built around the assumption that application layer attacks stress the server rather than the pipe.

Because application layer attacks had, until now, left small bandwidth footprints, an unfortunate number of security vendors have operated on the assumption that it is safe to mitigate them with filtering solutions that offer little in the way of scalability.

Hybrid hiccups

A common form of DDoS protection is a hybrid solution: an off-premise service handles network layer attacks, while an on-premise appliance handles application layer attacks. The off-premise component is typically cloud-based, with all the scalability needed to absorb bloated network layer assaults. The on-premise appliance, designed to deal with tricky application layer attacks, may not have the capacity to deal even with this 8.7 Gbps application layer attack. So while Imperva Incapsula’s fully cloud-based DDoS protection service absorbed the attack on the China-based lottery website with ease, a hybrid solution would have buckled.

The reason lies in where application layer filtering happens. An HTTP request can only be inspected after the TCP connection has been established and the request bytes have arrived at the device doing the inspecting. So unless a website is protected by an off-premise DDoS mitigation service that filters application layer traffic outside the network perimeter, every malicious request, padded body included, travels the full length of the network pipe before reaching the on-premise filter. Even if that on-premise appliance is perfectly capable of dropping the requests, the pipe can be saturated before the appliance ever gets to do its job, and the result is a denial of service regardless.

For a well-designed on-premise DDoS appliance to mitigate the nearly 9 Gbps attack directed at the lottery website, the site would need at least a 10 Gb network uplink, and one with enough headroom left over for legitimate traffic. Some large organizations do have a 10 Gb burst uplink, but nothing stops attackers from using a bigger botnet, or fatter request bodies, to ratchet up the attack, perhaps to a 15 Gbps application layer attack. Few organizations have the infrastructure to absorb an application layer attack of that size on-premise.
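Two questions follow from the attack figures above and from the uplink argument: how do you tell from your own access logs whether an application layer flood is a server problem or a pipe problem, and what link rate would an on-premise filter have to survive? The script below is an added example written for this page; it is not Imperva Incapsula's code and nothing in the original article includes it. It assumes an nginx-style access log that records the bytes received per request (nginx's `$request_length`, which covers request line, headers and body); the log lines it processes are constructed sample data, and the thresholds (1,000 requests per second, a 100 Mbps uplink) are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example, not taken from the
# article): ISO timestamp, client IP, request line, status, and the number of
# bytes received for the request (nginx's $request_length: line+headers+body).
#   2015-04-01T10:00:00+08:00 203.0.113.7 "POST /api/bet HTTP/1.1" 200 6790
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "second": m["ts"][:19],   # bucket by whole second, drop the UTC offset
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"],
        "length": int(m["length"]),
    }


def post_profile(lines):
    """Per-second (POST count, POST bytes received); non-POST lines are ignored."""
    buckets = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            buckets[rec["second"]][0] += 1
            buckets[rec["second"]][1] += rec["length"]
    return {sec: (n, b) for sec, (n, b) in buckets.items()}


def ingress_gbps(rps, bytes_per_request):
    """Link rate a flood of `rps` requests of `bytes_per_request` bytes needs on
    the victim's uplink. These bytes cross the pipe before any HTTP-level
    filter can see them (TCP/IP framing overhead is ignored here)."""
    return rps * bytes_per_request * 8 / 1e9


def bytes_per_request(gbps, rps):
    """Invert ingress_gbps: average request size implied by a reported peak."""
    return gbps * 1e9 / 8 / rps


def classify(profile, rps_threshold, uplink_gbps, headroom=0.8):
    """Label each second as a server-side rate problem, a pipe problem, both,
    or neither. A pipe problem means the POST bytes alone fill `headroom` of
    the uplink, so an on-premise filter never gets the chance to act."""
    labels = {
        (False, False): "normal",
        (True, False): "rate flood (server)",
        (False, True): "bandwidth flood (pipe)",
        (True, True): "rate+bandwidth flood",
    }
    verdicts = {}
    for sec, (n, total) in sorted(profile.items()):
        gbps = ingress_gbps(n, total / n)
        verdicts[sec] = labels[(n >= rps_threshold, gbps >= uplink_gbps * headroom)]
    return verdicts


def constructed_flood(second, count, request_bytes, ip="203.0.113.7"):
    """Generate `count` constructed POST log lines within one second (sample data)."""
    return [
        f'{second}+08:00 {ip} "POST /api/bet HTTP/1.1" 200 {request_bytes}'
        for _ in range(count)
    ]


if __name__ == "__main__":
    # The article's figures: 163,000 req/s at 8.7 Gbps implies ~6.7 KB per
    # request, i.e. padded POST bodies rather than a few hundred bytes each.
    print(f"implied request size: {bytes_per_request(8.7, 163_000):.0f} bytes")
    print(f"uplink needed for that flood: {ingress_gbps(163_000, 6700):.2f} Gbps")

    # Constructed logs for a site on a 100 Mbps uplink (0.1 Gbps): one second
    # of padded POSTs, one of many tiny POSTs, one of few but huge POSTs, and
    # a quiet second with ordinary traffic.
    lines = constructed_flood("2015-04-01T10:00:00", 2000, 6700)
    lines += constructed_flood("2015-04-01T10:00:01", 1500, 200)
    lines += constructed_flood("2015-04-01T10:00:02", 900, 12000)
    lines += constructed_flood("2015-04-01T10:00:03", 20, 300, ip="198.51.100.9")
    for sec, verdict in classify(post_profile(lines), 1000, 0.1).items():
        print(sec, verdict)
```

The `bandwidth flood (pipe)` case is the one this article is about: the request rate may stay under whatever threshold an on-premise appliance alarms on, while the bytes per request push the uplink past saturation. Watching only requests per second, as many Layer 7 filters do, misses it.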

That is before counting the jaw-dropping bandwidth overage fees that come with absorbing an attack like this on your own uplink. Application layer attacks are also notorious for their persistence: they can go on and on and on. A recent application layer attack lasted for over 100 days.

Scalability availability

If you read between the lines of the above section, you probably noticed that the problem with hybrid DDoS protection is really just the on-premise service. Organizations are actually better off putting all of their DDoS protection eggs in one basket, so long as that basket is a solid cloud-based DDoS solution that has all the scalability necessary for bloated network layer attacks as well as sneakily sizable application layer attacks.

It’s terrifying to think of all the known threats that could mutate, going from things we know how to prepare for and deal with into something entirely different. Get yourself cloud-based DDoS protection to guard against known and emerging DDoS threats.

Photograph by Howard Lake
