Cloudflare recently posted a blog on its observations about the changing nature of cybersecurity attacks, highlighting a shift from simple attacks (a flood in the volume of traffic a victim receives) to more complex means. The web performance and security company noted that it has seen a significant drop in simple attempts to flood its own network with junk traffic and a shift to different types of attack higher up the network stack.
Traditionally, an attacker gains capacity and leans on that to launch an attack that overwhelms the victim’s network hardware with spam traffic so that it cannot respond to legitimate requests and the website goes down. This is referred to as a Layer 3/4 attack. Mitigating these attacks requires capacity and security filters that drop the junk traffic associated with Layer 3/4 DDoS attacks.
Recently, attackers have started switching to more sophisticated approaches. As it has become harder for attackers to clog up the network capacity of a target, threat actors are beginning to perform attacks that are harder to detect.
Cloudflare reported that it is still seeing large-scale network-level attacks exceeding 300 and 400 Gbps, but network-level attacks in general have dramatically slowed down. This is partly a result of its announcement of a new policy, ‘Unmetered Mitigation’, designed to reassure customers (including those on Cloudflare’s free plan) that they will not be removed from Cloudflare’s network just for receiving a DDoS attack that is too large.
A Shift to More Advanced Layer-Attack Strategies
Instead, the Internet services provider is seeing a shift to more advanced application-layer attack strategies. Cloudflare is noticing the trend in metrics from both its automated attack mitigation services and its frontline customer support engineers. Application Layer (Layer 7) attacks are more difficult to distinguish from real traffic than Layer 3/4 attacks.
Layer 7 attacks resemble normal web requests rather than junk traffic. For instance, attackers can order their botnets to attack websites with “headless browsers”, browsers that run without a user interface. Headless browsers work just like normal browsers except that they are programmatically controlled instead of through a window on a user’s screen, so they can be used to make HTTP requests that load and behave like normal web requests. Because this can be done en masse, attackers can order bots to repeat the HTTP requests very rapidly, using up the total capacity of a website and forcing it offline for ordinary visitors.
How to Deal with Layer 7 Attacks
Cloudflare notes that there are two ways to effectively deal with Layer 7 attacks:
- Limit requests that greatly exceed what the website expects, as they are clearly abusive
- Make the balance between requester and server less asymmetric by making it cheaper to serve web requests
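To make the first of these mitigations concrete, here is an added example (not code from the Cloudflare post) of a sliding-window request-rate check run over a few constructed web-server log lines: a client that sends far more requests in a short window than the site expects is flagged as abusive, while a normal visitor is not. The log format, the client addresses and the thresholds are all assumptions for the example.

```python
# Added example, not from the Cloudflare post: flag clients whose request
# rate within a sliding window greatly exceeds what the site expects.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <client-ip> <method> <path>".
# 203.0.113.5 behaves like a headless-browser bot; 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
2017-11-10T12:00:00 203.0.113.5 GET /
2017-11-10T12:00:00 198.51.100.7 GET /
2017-11-10T12:00:01 203.0.113.5 GET /
2017-11-10T12:00:01 203.0.113.5 GET /search?q=a
2017-11-10T12:00:02 203.0.113.5 GET /search?q=b
2017-11-10T12:00:02 203.0.113.5 GET /search?q=c
2017-11-10T12:00:03 203.0.113.5 GET /search?q=d
2017-11-10T12:00:15 198.51.100.7 GET /about
2017-11-10T12:00:40 203.0.113.5 GET /
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip, method, path)."""
    ts, ip, method, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip, method, path


def find_abusive_clients(log_text, window_seconds=10, max_requests=5):
    """Return {ip: timestamp} for each client that made more than
    max_requests within any span of window_seconds; the timestamp is
    the request at which the limit was first exceeded.

    A per-client deque keeps only the timestamps still inside the window,
    so memory stays bounded by the request rate rather than the log size.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, _method, _path = parse_line(line)
        window = recent[ip]
        window.append(ts)
        # Evict timestamps that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() >= window_seconds:
            window.popleft()
        if len(window) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

With the defaults (more than 5 requests in 10 seconds), only the bot-like client is flagged; its later request at 12:00:40 falls outside the window and does not count against it.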
As Cloudflare (and its competitors) grow the capacity of their networks, attackers are targeting the applications themselves. It is no longer sufficient to just have a large network; it must be aided by tooling that can filter sophisticated, malicious Application Layer attack traffic.
How do DDoS Attacks Happen?
DDoS attacks traditionally happen via three different mechanisms: (i) botnets (a network of infected computers that an attacker can centrally control to send spam emails or undertake a DDoS attack); (ii) IoT devices (as everyday appliances become connected to the Internet, they can be taken over by malware and used to launch large-scale DDoS attacks); and (iii) DNS amplification (DNS is the Internet’s phonebook, and it can be put to malicious use by someone making a DNS query on behalf of someone else; if this is amplified, it can almost break the Internet).
Cloudflare’s Own Recent Takedown
The Cloudflare post on The New DDoS Landscape followed news reports from two days earlier that Cloudflare had gone down across various parts of the U.S. Down Detector (a site that monitors web outages) reported service problems for Cloudflare around the world, particularly concentrated in the U.S. Cloudflare quickly issued a statement to say, “We have implemented a fix for this issue and are currently monitoring the results. We will update once we have confirmed it is resolved.” However, that did not stop users from commenting widely on the outage at a company that prides itself on making “the Internet Work the Way It Should for Anything Online”.