Layer 7 bot attacks and mitigation techniques

Of all the cyber threats we see on a daily basis, 50% fall into Layer 7 attacks. It is increasingly important businesses understand this type of malicious activity, its drivers, target areas and possible solutions. 

What are Layer 7 attacks?

Layer 7 (L7) attacks are those targeting the top layer in the OSI model. These would mostly be the common HTTP(S) requests, in contrast to the network layer attacks such as DNS Amplification. The aim is to crash the organisation’s servers by overworking it with the HTTP GET or HTTP POST requests.

That’s why these attacks are mainly directed towards the most resource-hungry elements of an application or database. This might be a whole channel or server, but it also could just be a page that requires a lot of computing lists of products and pricing, login forms, PHP scripts that generate reams of lines and so on.

The most vulnerable Layer 7 areas

1. Search function. In the example below, the website shut down and stopped responding from a low  initial activity of ten-requests per second penetration. This is very common.

Graph showing a website shut down and stopped responding from a low  initial activity of ten-requests per second penetration.

 

2. Entry fields authorisation, comment and other forms. Nowadays developers tend to create complex hashes to protect the login database from attacks, but this approach leads to consuming significant CPU resources. A high enough stream of fake authorisations leads to processor failure.

3. Heavy content pictures, binary files, PDF documentation etc. Attacks here overload the file system in order to slow down the speed and clog channels.

4. Mail protocols or MySQL. Mail protocols are less affected than databases but are still vulnerable. SSH sometimes can eat up almost the entire CPU on the attacked server, leaving no resources for legitimate authorisations.

5. Server connections. The number of open connections in Apache and similar solutions is limited. If an attacker launches multiple connections, the solutions no longer accept new ones.

Why are Layer 7 attacks loved by hackers?

L7 attacks need much fewer resources and have a greater impact - HTTP requests are cheap and easy for the perpetrator to execute while being very resource-consuming to respond to, thus requiring only few infected servers to be effective. A single HTTP request can force a web application to do a lot of work and crash sooner or later. 

Why are Layer 7 attacks so dangerous?

Compared to network or transport layer attacks, L7 attacks are typically low and slow yet very disruptive as they:

1. come directly to the application, which means that the network protection tools are often helpless in mitigating these attacks;

2. use certain logic to consume targeted CPU, memory, hard drive and other resources in a highly efficient manner;

3. are some of the most difficult bot attacks to mitigate because they are hard to identify and mimic genuine user behaviour. This is especially the case in an HTTP flood attack where the traffic is not spoofed and may appear “normal”. In the case of a circumspect attack, not even logs can help spot the actual penetration and set the legitimate requests apart.

Because these requests seem legitimate, organisations cannot effectively distinguish bot activity from human requests, and bad bots from good ones. Then there’s the challenge of actually allowing the legitimate traffic to pass through whilst malicious requests get blocked. 

Layer 7 protection techniques

The request-response technique used to verify correct network behaviour from the source, this method permits traffic which proves to be “true”. Whilst effective on the network layer, on L7 it requires high level CPU power, actions and code complexity from the mitigator.

Pattern identification used to identify repeat patterns in the traffic headers. The traffic headers are easy to parse within the network layer, however at L7 HTTP headers are loosely defined due to variable ranges and lengths. The mitigator has to separate each packet from Layer 3, Layer 4 and Layer 7 to find the pattern which, again, means more code and CPU.

Rate limit protection based on configured traffic thresholds and responses. The fall back is blocking of all genuine requests that fall outside the predefined rate limit. 

Layer 7 attacks continue to grow in complexity, but organisations keep believing that good L3 & L4 security products are enough for comprehensive protection. The websites behind CDNs and load balancers are still vulnerable to L7 attacks because those tools are simply not designed for real-time bot detection.

Organisations should have proactive monitoring and advanced alerting, an adaptive strategy and properly configured tools to better mitigate the amount of unwanted traffic.

How do we block Layer 7 attacks?

When we first launched our traffic filtering service, we immediately decided not to deal with IP transit, but to protect HTTP, API and game services - thus we transmit all the L7 traffic in the TCP protocol instead. 

201005 Layer 7 attacks diagram

All the requests go through a cluster (servers + network equipment). We break up the traffic into separate requests, accurately and quickly analyse all sessions from each IP address to effectively detect bots and legitimate users without blocking IP addresses. This not only protects Layer 7 but simultaneously and automatically blocks L3 and L4 attacks. In addition, it takes us less than 10 milliseconds to identify and stop malicious traffic.

 

If you would like to find out more about our Active Bot Protection technology, drop us a line via variti.com 

Recent Articles

What are RDP attacks and how to spot them?

Malicious activities via remote access protocols have been flooding the market – there have been...

How to mitigate RDP attacks?

Since the start of the COVID-19 pandemic, the number of brute force attacks targeting RDP...

Protecting Tochka bank from DDoS attacks

Protecting Tochka bank  the world’s first online-only bank for businesses by efficiently...