Report: Layer 7 Increasingly Under DDoS Gun

A report from the CYBER SECURITY Forum Initiative (CSFI) offers further evidence that botnet herders are getting a bigger bang out of distributed denial-of-service (DDoS) attacks by targeting security holes at layer 7, more commonly known as the application layer.

A paper on the findings, L7DA (Layer 7 DOS Attack) Report v1.0, was passed along to CSOonline by Paul de Souza, a Chicago-based security analyst and founder of CSFI, a group of IT security practitioners who volunteer their guidance and support to companies that have suffered cyber attacks.

The findings stem from an investigation conducted by 11 volunteers from the IT security community. According to the paper, CWFI/CSFI was contacted by a company that claimed to be experiencing a new layer 7 DDoS. CSOonline.com has left out the specific names of companies and agencies involved as much of the information is confidential.

“The attack has been found in the wild and [was] possibly created by Chinese hackers,” the paper states. “It is said to have been deployed to Chinese-owned botnets at this time. According to our source, this new L7DA targets IIS and Apache servers.”

Also see DDoS Returns: What Researchers Are Learning About Targets, Tactics

Specifically, the attack exploits a system design in both IIS and Apache applications and can crash the targeted servers within minutes. “This type of attack would focus on the HTTP Post method of the IIS and Apache applications. This variation of L7DA was claimed to have been discovered by our source in Singapore where their Beijing, China branch collected intelligence about Chinese hackers implementing a new Layer 7 DDOS attack,” the paper continued.

The attacks are also being enabled by a hacker tool one hacker site described as a “low-bandwidth yet greedy and poisonous HTTP client” that “essentially keeps an HTTP session alive indefinitely (or as long as possible) and repeating that process a few hundred times,” leading to a sustained DDoS.

At the request of CSFI, the name of the attack tool in question is not mentioned here.

The paper also points to some findings on the SANS Internet Storm Center site, which explains it this way:

“The tool works by exhausting Apache processes; this is done by sending incomplete request headers so Apache keeps waiting for the final header line to arrive, the tool instead just sends a bogus header to keep the connection open. Besides Apache (both versions 1.x and 2.x), Squid is also affected. Knowing how many servers running on Apache there are, this makes the tool very dangerous since it doesn’t require absolutely any knowledge from the attacker — all he/she has to do is run the tool and the target site goes down.”

The CSFI team tested the tool in question and was able to “kill” an Apache2 patched Ubuntu 9.10 in less than 20 minutes, including a testing run that took 15 minutes.”

According to CSFI’s code review, the program has a default timeout of 5 seconds and also includes code that will try to figure out the target connection timeout. If the timeout of the target is too low, the paper states, the script is not functional and will bail out.

That botnets are being loaded with layer 7 DDoS capabilities is of little surprise to CSFI member and Northrop Grumman Senior Security Analyst Emily Watts-Darraj. In an e-mail exchange, she said the important thing is to start developing countermeasures.

As for those countermeasures, the paper says one possible defense is to “create a process that watches the connections table or system resources, which can detect the system becoming overloaded. The server would then automatically change its connections timeout to a smaller window to reduce the load.”

Also see How a Bookmaker and a Whiz Kid Took on an Online Extortion Attack

Another approach would be to put a device in front of the Web server that accepts the connections on behalf of the server and creates a connections table of the connections. “Then based on set values, it will adjust the timeout and kill connections that exist when the timeout value is adjusted,” the paper said.

In the recent CSOonline.com article “DDoS Attacks Are Back (and Bigger Than Before)” experts noted that DDoS attacks are growing more ferocious in recent years because attackers have a bottomless pit of resources at their command — specifically botnets with millions of hijacked machines that can be used to launch the assaults.

“We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected,” Akamai Technologies CSO Andy Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. “Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon.”