Description
It is relatively easy to launch a distributed denial-of-service (DDoS) attack. Hackers deploy already-compromised systems so that the targeted network is flooded with junk traffic. The goal is to prevent legitimate visitors from being able to load the site or use the service under attack.

A large number of the misconfigured systems involved are located at legitimate companies. Most of the infected servers from which the congestion-creating traffic originates are Windows-based servers running Microsoft’s IIS Web server. Some of the more interesting Internet addresses seen launching attacks come from Internet address space owned by Adobe, Cisco, Costco, Expedia, Experian, Honeywell, IBM, KPMG, Lockheed Martin, Opera Software, Sony, Symantec Corp., and the U.S. Federal Home Loan Bank of Dallas.

DDoS traffic can originate from anywhere in the world, though in a recent case the systems used in the attack came from three countries: Taiwan, India, and Vietnam. These were “Layer 7” assaults, which mimic legitimate Web browsing activity in a bid to avoid detection. This form of attack targets the application layer of the Open Systems Interconnection (OSI) model, the reference model that partitions network functions into layers. It disables specific functions or a single application rather than an entire network. Because of their simplicity, application-layer DDoS floods are often used against financial institutions to distract IT and security personnel from security breaches.
Executive Guidance
Web addresses that generate application-level DDoS traffic should be blocked from client and server updates as well as from transaction transfers. The addresses of the offending sources should be identified through continuous monitoring of offending traffic, and blocking should then be executed at a speed warranted by the severity and risk level of the incoming messages.

The already installed firewall or “sand-box” should allow for cataloguing “white-lists” that admit only certified sources of communications. Specified offending domains, such as sources from defined countries, should be filtered out altogether.
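As an added example (not code from the original post), the following Python script shows one way to implement the continuous monitoring and white-listing described in the guidance above, applied to the Layer 7 traffic described in the earlier section: it parses web-server access-log lines, measures the peak request rate per source address inside a sliding window, exempts a “white-list” of certified sources, and grades the remaining sources into warn and block tiers so that the response can be scaled to severity. The log lines, thresholds, addresses and log field layout are constructed assumptions of the example, not data from the post.

```python
"""Rate-based detection of application-layer (Layer 7) flood sources in
web-server access logs, with an allow-list and a severity-tiered response.

Added example; not code from the original post. Log lines are constructed
here for illustration and use RFC 5737 documentation addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-format access-log line (Apache/NGINX style). Layer 7 flood
# requests look like ordinary GETs with a real browser User-Agent, so the
# fields themselves are not suspicious; the per-source rate is the signal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify_sources(lines, allow_list=frozenset(),
                     window=timedelta(seconds=10), warn=20, block=50):
    """Map each source IP to (level, peak), where peak is the most requests
    seen from that IP inside any sliding window and level is one of
    'allow' (certified source, never blocked), 'block', 'warn' or 'ok'.
    The thresholds are illustrative assumptions; tune them to the site."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec["ts"])

    verdicts = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window's left edge forward until the span fits.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if ip in allow_list:
            level = "allow"
        elif peak >= block:
            level = "block"
        elif peak >= warn:
            level = "warn"
        else:
            level = "ok"
        verdicts[ip] = (level, peak)
    return verdicts


def block_list(verdicts):
    """Sources that crossed the block threshold and are not allow-listed."""
    return sorted(ip for ip, (level, _) in verdicts.items() if level == "block")


# --- Constructed sample log (assumed data, not from the post) ---------------
def make_requests(ip, count, step_seconds, start):
    """Emit `count` ordinary-looking GET lines from `ip`, `step_seconds` apart."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * step_seconds)).strftime(TS_FMT)
        out.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 5120 '
                   f'"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"')
    return out


T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
ALLOW_LIST = frozenset({"203.0.113.9"})  # e.g. a certified partner system
SAMPLE_LOG = (
    make_requests("198.51.100.7", 60, 0.1, T0)   # flood source: 60 req in 6 s
    + make_requests("203.0.113.9", 60, 0.1, T0)  # same rate, but allow-listed
    + make_requests("192.0.2.44", 25, 0.3, T0)   # busy but below block level
    + make_requests("192.0.2.10", 5, 2.0, T0)    # ordinary visitor
    + ["not a log line"]                         # malformed input is skipped
)

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_LOG, allow_list=ALLOW_LIST)
    for ip, (level, peak) in sorted(verdicts.items()):
        print(f"{ip:15} {level:5} peak={peak}/10s")
    print("block:", block_list(verdicts))
```

Run the script directly to print a verdict per source; the list returned by `block_list` is what would be handed to the firewall as deny rules, while the warn tier is the hook for a slower, reviewed response. Because individual Layer 7 requests are indistinguishable from real browsing, the signal here is deliberately per source and time-windowed; a threshold set too low will block legitimately busy clients, which is what the allow-list and the warn tier are meant to absorb.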
For comments please e-mail paul@strassmann.com