How to Avoid Getting Crushed Under a Tidal Wave of Traffic

Botnet proliferation is growing at an alarming rate. In 1H 2022 alone, NETSCOUT’s global honeypot network observed more than 67 million connections from 608,000 unique IP addresses, spanning 13,000 autonomous system numbers (ASNs), 30,000 organizations, and 165 countries.   Direct-path attacks are becoming a tool of choice for adversaries – a fact further established by an 11% increase in direct-path attacks from 2H 2021 to 1H 2022. This growth is due largely to innovation in the botnet landscape. The continuous move to direct-path attacks sourced from botnets translated to more application-layer attacks, a trend on the rise since early last year. 

What Is an Application-Layer Attack? An application-layer distributed denial-of-service (DDoS) attack is a form of DDoS attack in which attackers target application-layer processes. The attack overexercises specific functions or features of an application or website with the intention to disable those functions or features, resulting in the application not being able to deliver content to the user. These attacks manifest themselves in multiple ways, but they are often employed as two-phased attacks, with the first phase rendering a web application dysfunctional and the second phase exploiting another web application and exfiltrating its data.   At times this botnet activity can inadvertently cause issues that resemble a DDoS attack, as was the case last month with Ticketmaster selling Taylor Swift tickets. In fact, in this case, the botnets had a legal purpose, but because they were accessing the ticket transaction application at the same time the other users were trying to buy tickets, they ended up overwhelming the server’s resources, mimicking an application-layer attack.    “Botnets are often used to launch DDoS attacks; they’re also used to do other things such as attempting to quickly (and unfairly!) snap up tickets to popular events the moment they go on sale,” Roland Dobbins, a DDoS expert, and principal engineer with NETSCOUT, explained to Dark Reading. “Even though the intent in the latter scenario isn’t to cause an outage – which defeats the purpose of the bot-driven purchases – high levels of aggressive, bot-driven, ‘flash crowd’ transactions can effectively constitute an unintentional application-layer DDoS attack against the online ticket vending system, if all the key elements in the system’s service delivery chain haven’t been designed with resilience, scale, and defense against application-layer DDoS attacks in mind.” Rather than a targeted, intentional DDoS attack, Ticketmaster’s outage was simply the result of the system getting crushed under a tidal wave of traffic. But the result was the same: disruption.   

How to Block It

For a real application-layer DDoS attack, the organization needs to test traffic for legitimacy and use a combination of traffic-profiling techniques so it can track and block abnormal activity, while also deploying progressive security challenges. By issuing a requirement such as a JavaScript computational challenge to the requesting machine, it is possible to test whether a bot is involved in an application-layer attack, and thus mitigate that attack if it is.

Another important aspect is access to robust DDoS threat intelligence. When properly applied, this threat intel can effectively and automatically block application-layer attacks by identifying known botnet hosts and blocking known sources of DDoS attack traffic, including application-layer attacks. This provides a unique and effective way to stop application-layer attacks that might trick conventional DDoS protection solutions.     For the Ticketmaster scenario, Ticketmaster needed to be able to look at the traffic and understand the differences between the botnets snapping up tickets and the millions of users trying to buy tickets. It then falls on the organization to decide how to manage each of those traffic streams. Having an on-premises solution that maps out each of these streams and provides the ability to manage each stream independently would be ideal. This also holds true for an application-layer attack, where you can identify the illegitimate traffic and either automatically block it or block it with manual intervention. 

Learn more about DDoS attacks here.