Report: Layer 7 Increasingly Under DDoS Gun
A new report shows an upward trend where attack tools exploit layer 7 to maximize the impact of DDoS assaults. Here's what you can do to blunt the threat.
By Bill Brenner, Senior Editor
January 27, 2010 — CSO —
A report from the CYBER SECURITY Forum Initiative (CSFI) offers further evidence that botnet herders are getting a bigger bang out of distributed denial-of-service (DDoS) attacks by targeting security holes at layer 7, more commonly known as the application layer.
A paper on the findings, L7DA (Layer 7 DOS Attack) Report v1.0, was passed along to CSOonline by Paul de Souza, a Chicago-based security analyst and founder of CSFI, a group of IT security practitioners who volunteer their guidance and support to companies that have suffered cyber attacks.
The findings stem from an investigation conducted by 11 volunteers from the IT security community. According to the paper, CSFI was contacted by a company that claimed to be experiencing a new layer 7 DDoS. CSOonline.com has left out the specific names of the companies and agencies involved, as much of the information is confidential.
"The attack has been found in the wild and [was] possibly created by Chinese hackers," the paper states. "It is said to have been deployed to Chinese-owned botnets at this time. According to our source, this new L7DA targets IIS and Apache servers."
Specifically, the attack exploits a design weakness in how both IIS and Apache handle requests, and can crash the targeted servers within minutes. "This type of attack would focus on the HTTP Post method of the IIS and Apache applications. This variation of L7DA was claimed to have been discovered by our source in Singapore where their Beijing, China branch collected intelligence about Chinese hackers implementing a new Layer 7 DDOS attack," the paper continued.
The attacks are also being enabled by a hacker tool that one hacker site described as a "low-bandwidth yet greedy and poisonous HTTP client" that "essentially keeps an HTTP session alive indefinitely (or as long as possible) and repeating that process a few hundred times," leading to a sustained DDoS.
At the request of CSFI, the name of the attack tool in question is not mentioned here.
The paper also points to some findings on the SANS Internet Storm Center site, which explains it this way:
"The tool works by exhausting Apache processes; this is done by sending incomplete request headers so Apache keeps waiting for the final header line to arrive, the tool instead just sends a bogus header to keep the connection open. Besides Apache (both versions 1.x and 2.x), Squid is also affected. Knowing how many servers running on Apache there are, this makes the tool very dangerous since it doesn't require absolutely any knowledge from the attacker -- all he/she has to do is run the tool and the target site goes down."
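The ISC description above is worth pinning down, because it explains why the usual Apache Timeout setting does nothing against this tool: the timeout is reset every time a byte arrives, and the tool keeps sending a bogus header line just often enough to reset it, while never sending the blank line that would finish the header block and let the worker move on. The following Python model is an added example for this article, not code from the CSFI report, the ISC diary, or the tool they describe. It replays a constructed byte stream (hostname victim.example, one bogus header every 10 seconds, both invented for the example) through a server's header-reading loop under two policies: a classic idle timeout (Apache's Timeout directive, 300 seconds by default) and an absolute deadline on finishing the headers (the idea behind Apache's mod_reqtimeout header= setting).

```python
"""Model of a slow-header connection against two server timeout policies.

Added example for this article; not code from the CSFI report, the ISC
diary, or the attack tool they describe. Host names, intervals and byte
streams below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"   # blank line that terminates an HTTP header block

Event = Tuple[int, bytes]  # (seconds since accept, bytes the client sent)


@dataclass
class Verdict:
    outcome: str        # "complete", "closed_idle", "closed_deadline" or "held_open"
    at: Optional[int]   # second at which headers completed or the server closed


def replay(events: List[Event], horizon: int, idle_timeout: int,
           header_deadline: Optional[int] = None) -> Verdict:
    """Feed `events` (sorted by time) to a header reader one second at a time.

    idle_timeout:    close if no byte has arrived for this many seconds
                     (reset by every byte, like Apache's Timeout directive).
    header_deadline: close if the header block is not finished this many
                     seconds after accept, regardless of activity
                     (like mod_reqtimeout header=N). None disables it.
    """
    buf = b""
    last_byte = 0          # accept itself counts as the last activity
    i = 0
    for now in range(horizon + 1):
        # deliver whatever the client sent during this second
        while i < len(events) and events[i][0] == now:
            buf += events[i][1]
            last_byte = now
            i += 1
            if HEADER_END in buf:
                return Verdict("complete", now)
        if header_deadline is not None and now >= header_deadline:
            return Verdict("closed_deadline", now)
        if now - last_byte >= idle_timeout:
            return Verdict("closed_idle", now)
    return Verdict("held_open", None)


def slow_header_stream(refresh: int, horizon: int) -> List[Event]:
    """Constructed attacker stream: a partial request, then one bogus header
    line every `refresh` seconds, never the blank line that ends the block."""
    events: List[Event] = [(0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n")]
    for t in range(refresh, horizon + 1, refresh):
        events.append((t, b"X-a: b\r\n"))
    return events


# Constructed well-formed request for comparison: headers finish in one write.
NORMAL_REQUEST: List[Event] = [(0, b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n")]


def compare_policies(refresh: int = 10, horizon: int = 120) -> dict:
    """Outcome of the attacker stream and a normal request under each policy."""
    attacker = slow_header_stream(refresh, horizon)
    return {
        # Apache default: 300 s idle timeout, reset by every bogus header line
        "attacker/idle-300": replay(attacker, horizon, idle_timeout=300),
        # idle timeout equal to the tool's refresh interval still never fires
        "attacker/idle-10": replay(attacker, horizon, idle_timeout=10),
        # idle timeout shorter than the refresh interval does close it
        "attacker/idle-5": replay(attacker, horizon, idle_timeout=5),
        # absolute header deadline closes it no matter how often it refreshes
        "attacker/idle-300+deadline-20": replay(attacker, horizon, 300, header_deadline=20),
        # the deadline does not affect a request that finishes its headers at once
        "normal/idle-300+deadline-20": replay(NORMAL_REQUEST, horizon, 300, header_deadline=20),
    }


if __name__ == "__main__":
    for name, v in compare_policies().items():
        print(f"{name:32s} {v.outcome:16s} at={v.at}")
```

Two things follow from the model. Shortening the idle timeout below the tool's refresh interval does close the connection, but the tool's author can simply refresh more often, and a short idle timeout also cuts off legitimate clients on slow links; an absolute deadline on the header phase (and, for the POST-body variant the paper describes, on the body phase, which mod_reqtimeout's body= setting covers) closes the connection however busily it dribbles bytes. Note also that the incomplete-header technique the ISC describes is a different mechanism from the POST-method variant quoted earlier: here the request never gets past its headers. A deadline alone only recycles worker slots, and the tool can reconnect, so in practice it is paired with a per-IP connection limit or a reverse proxy that buffers the complete request before it reaches the worker pool.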