Home / Blog / DoS: Application Layer

DoS: Application Layer

Posted on 05/21/2015, by David Cantón (INCIBE)

Application layer denial of service attacks are the second main group of Denial of Service (DoS) attacks, along with DoS attacks against the infrastructure layer. As its name indicates, these types of attacks are targeted at the application layer or layer seven of the OSI model. Their objective is to cause a denial of service, taking advantage of design flaws in the communications protocol of this layer, or failures in the design or implementation of the applications themselves.

Map of daily DDoS attacks

Map of daily DDoS attacks. (Source: digitalattackmap)

Attacks against the infrastructure layer are mainly focussed on using up bandwidth, memory and/or the throughput of the system through brute force techniques, such as the massive send of malformed packets. This type of practice is often accompanied by reflection techniques to boost it.

DoS attacks against the application layer also aim to use up the memory and process time that the application requires to function properly while minimising the resources employed by the attacker by using vulnerabilities or flaws in the application. The main characteristics of this type of attack are:

  • The requirement for less bandwidth compared to other methods such as SYN Flood attacks, and as such, the infrastructure necessary to launch a successful attack is usually minor.
  • Greater difficulty in distinguishing between malicious and legitimate traffic. Many of the most common protection measures or systems focus on the network or transport layer, and as such, they would not be efficient when the target of the attack is the application layer. It is even difficult for the defence systems that monitor this layer to distinguish between malicious and legitimate traffic.

Attack types and Bandwidth

Comparison between DoS Application and Network attacks. (Source: radware.com))

Below, we will outline some of the main denial of service attacks against the application layer whose target is usually the HTTP protocol, which is the communications protocol of the application layer par excellence and, therefore, that which is most attacked.

Main denial of service attacks

Main denial of service attacks. (Source: RIOREY)

HTTP fragmentation

In a HTTP fragmentation attack, the attacker establishes a valid connection against the target server, sending all of the HTTP data traffic in small fragments as slow as the server's timeout configuration will allow. This attack is maximised in cases in which the configuration of the timeout mechanisms of the web servers is inadequate.

This technique forces the server to maintain active sessions over long periods of time, and as such, if the number of connections is high, it will end up exhausting the resources assigned to the server's connection table, resulting in a denial of service condition. If this attack is carried out through a botnet and each bot opens a series of connections against the server, the number of bots necessary is usually lower than using DoS infrastructure attack techniques.

Another feature of this attack is the difficulty in distinguishing it from traffic from legitimate clients with slow connections or who send fragmented data.

Excessive HTTP Verb

This attack consists of creating a high rate of HTTP requests against the target server, using any of the possible request methods (GET, PUT, POST, DELETE, etc.) defined by the standard (RFC 2616). The objective of this attack is to consume the server's resources by using requests that, a priori, cannot be distinguished from legitimate requests, choosing for this purpose requests that are specially selected to maximise the effect, such as a request for large files. In this type of attack, the target is the web server, since it is responsible for processing the HTTP protocol.

One of the most used HTTP methods is GET, this attack being known since 2005. A clear example of this attack is the Michal Zalewski´s report of 2007, in which he explains how using both the definition of the HTTP standard and its implementation, high server resource consumption can be caused with minimal bandwidth consumption by the attacker.

Michal explains how thanks to the header field "Range", in the Apache and IIS web servers, an attacker can request the same fragment of a file an arbitrary number of times and each request is sent in a different "envelope". Combined with the possibility of using TCP Window Scale Option with sizes of up to 1 Gb (RFC 1323), the resources of the system attacked can be exhausted with a low number of simple requests.

Another variant of this type of attack is "slow HTTP POST", which was exposed at the OWASP 2010 Application Security Conference. The attack is based on sending a POST request with the correct "content-length" header field, which indicates to the web server the amount of data that it should expect to receive. Once all the headers are sent normally, the attacker sends the body of the POST message slowly, with the aim of creating a bottleneck in the connection by consuming the server's resources. This attack is very similar to HTTP fragmentation; however, this attack is not mitigated by load balancers as occurs in the fragmentation attack.

Excessive Verb Single Session

A variant of the Excessive Verb attack that uses the HTTP 1.1 characteristic, which allows various requests to be carried out within the same HTTP session. In this manner, the attacker can considerably reduce the speed of each HTTP request and simultaneously avoid the protection measures that control the transmission speed. Both "Excessive Verb" and "Excessive Verb Single Session" have similar effects on the victim.

Multiple Verb Single Request

This is an evolution of the "Excessive Verb" attack, in which the attacker creates multiple HTTP requests but does not send them individually, but rather creates a single packet containing all of the requests. A high number of requests can thus be generated in the server while maintaining a low packet rate, undetectable using anomaly detection techniques such as NetFlow. Furthermore, if the attacker choose correctly the HTTP requests, they can also avoid the deep packet inspection techniques.

Recursive GET requests

Another evolution of the "Excessive Verb" attack is the recursive GET attack. In this variant, the attacker generates GET requests from web pages or images that simulate the behaviour of a user.

This method, which can be combined with any of the foregoing techniques, increases the difficulty of detection since it is more complicated to distinguish between these malicious requests and legitimate requests.

Random recursive GET requests

This attack is an evolution of the recursive GET requests attack and it targets websites that are numerically indexed, usually sequentially.

These sites are vulnerable to attacks in which the requests are randomised by the generation of random numbers that form part of the HTTP request within the valid range of reference numbers. It is also difficult to detect attacks here, since they do not follow any pattern.

Application´s vulnerabilities

The previous attacks basically focus on the resources that the web server requires in order to respond to HTTP requests. Another step in the evolution of this type of attack is attacking the web application itself.

The idea is to take advantages of weaknesses in the design, the implementation, or even the functioning of the application. Examples of this type of attack include the use of SQL injection techniques to disable the database, or particularly "heavy" requests. For example, if the web application has a search engine, an attack could be to carry out searches that require a high level of resources to generate a bottleneck and eventually disable the service.

As we have indicated, this type of attack is very specific, and generally require fewer resources from the attacker to achieve devastating effects in the systems attacked. However, this type of attack requires more time to analyse the targeted system in order to discover vulnerabilities or bottlenecks that can be exploited during the attack.

Lastly, although the types of attacks explained in this article focus on the HTTP protocol, since it is one of the most used on the Internet, there are similar attacks for other protocols of the application layer, such as SMTP, SNMP, FTP, SIP, etc.