Application DoS != Network DoS

Tyler Shields
Signal Sciences Labs
Dec 2, 2016

There was quite a bit of news at the end of October regarding the denial of service (DoS) attacks that dropped major web properties, including Netflix, Twitter, Slack, and Github (and others), off of the Internet. When I read the media posts about this DoS attack, and other distributed denial of service (DDoS) attacks, I found a lot of inaccuracies and hand waving about the details of exactly how a DoS or DDoS functions. I want to take a second and help people understand exactly how these attacks occur and what can be done to stop them.

When we look at the specific details, there are many different types of DoS attacks; in general, however, they all do the same thing: they exhaust some type of resource required for the continued operation of the target. At a fundamental level, DoS attacks exhaust the availability of computing resources such as processing power or memory, available bandwidth, or the network connection capacity of a host. DoS attacks can be broken into two major classifications: network DoS attacks and application DoS attacks.

Network layer DoS attacks aim to exhaust resources at the network or host layer of the target.

Most of the traditional DoS attacks fall into the network resource exhaustion area. The recent attacks that caused a denial of service for sites like Reddit.com, Spotify and Netflix were the result of a flood of network packets at the domain name server infrastructure that supports these properties. When the domain name servers were disrupted, the ability of users to access the respective sites was also disrupted. The flood of network packets was sourced from a botnet of compromised home routers, webcams, and other IoT devices throughout the world. When enough packets were sent to the target, the network availability was exhausted and legitimate traffic couldn’t get through.

Application layer DoS attacks, unlike network layer DoS attacks, do not always require a flood of traffic from a botnet to disrupt services. Instead, these attacks attempt to exhaust server resources by targeting specific resource intensive functionality provided by the application.

In addition, cache evasion techniques can be used to force the web server to perform more work than it normally would. By sending numerous requests to resource intensive functionality, an attack can consume all available CPU, memory, or storage space on the server, resulting in a denial of service to legitimate users. Commonly targeted functionality includes search queries, login queries, and other data retrieval features of the application. When these features are overwhelmed with a large number of requests, the operation of the entire web site will suffer.
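As an added example, not part of the original post, the following Python sketch shows how a defender could surface both signals from access logs: per-client server time spent on resource intensive endpoints (search, login) and the number of distinct query-string variants hitting those endpoints, which is what cache evasion looks like from the server side. The log format, field names, endpoint list, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumption, not from the original post):
# client_ip method url status server_time_ms
SAMPLE_LOG = """\
203.0.113.5 GET /search?q=shoes 200 410
203.0.113.5 GET /search?q=shoes&cb=8123 200 402
203.0.113.5 GET /search?q=shoes&cb=9934 200 398
203.0.113.5 GET /search?q=shoes&cb=1201 200 415
203.0.113.5 GET /search?q=shoes&cb=5577 200 420
198.51.100.7 GET /search?q=jacket 200 390
198.51.100.7 GET /static/app.js 200 3
198.51.100.7 GET /product/42 200 25
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Endpoints the post names as resource intensive (assumed path prefixes).
EXPENSIVE_PREFIXES = ("/search", "/login")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, url, status, ms = m.groups()
    parts = urlsplit(url)
    return {"ip": ip, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status), "ms": int(ms)}

def score_clients(log_text, cost_budget_ms=1500, max_unique_variants=3):
    """Flag clients whose total server time on expensive endpoints exceeds a budget,
    or who send many distinct query variants to them (each unique variant bypasses
    the cache and forces a fresh backend execution)."""
    cost = defaultdict(int)
    variants = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(EXPENSIVE_PREFIXES):
            continue
        cost[rec["ip"]] += rec["ms"]
        # Normalised query (sorted keys/values) identifies one cacheable variant.
        variants[rec["ip"]].add(tuple(sorted((k, tuple(v)) for k, v in rec["query"].items())))
    flagged = {}
    for ip in cost:
        reasons = []
        if cost[ip] > cost_budget_ms:
            reasons.append("expensive-endpoint time budget exceeded")
        if len(variants[ip]) > max_unique_variants:
            reasons.append("cache evasion: many unique query variants")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

In a real deployment the budgets would be evaluated over a sliding time window and keyed on more than the source IP, since the post notes that application DoS does not need a large botnet but can still come from many addresses.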

It’s important to understand the difference between network and application layer DoS attacks because a successful defense against them can vary drastically depending on the resource types being targeted. Most of the time security organizations look to lessen the chance of a network layer DoS attack by implementing anti-DDoS hardware or anti-DDoS CDN technologies. This is great, but bear in mind that these types of solutions aren’t a silver bullet for all DoS models. Instead, you need a multi-solution DoS mitigation strategy that defends against both network and application layer DoS attacks.

Thanks for reading

At Signal Sciences we provide a modern approach to web application security defense that DevOps teams love! We provide a short book The Roadmap for DevOps and Security that outlines the 4 key areas Security can provide value in a DevOps organization.


VP Marketing, Partnerships, Strategy for Signal Sciences