A traditional Web Application Firewall (WAF) can no longer protect against the subtle and pernicious attacks that happen at the application layer. Given below are some of the ways in which these Layer 7 attacks happen:
1)Slow partial headers
Also known as “Slowloris” a malicious client could send out a partial header and an unsuspecting server could keep the connection open waiting forever for the rest of the headers to arrive. This would eventually result in an exhaustion of available connections for other legitimate users.
2)Slow Response processing
In this type of attack an attacker sends a well formed request but then takes an interminable amount of time to read the response from the server. Once again this would keep the connection live since the server would have no way of detecting that this is a malicious request.
3)Slow POST
In this type of attack an attacker could start off by sending a legitimate request complete with the size of the message request to follow but could then delay for an inordinate amount of time while sending the payload. Since the server has no way of deciding whether this is a legitimate request which has slowed down due to network issues or an intentional slow down the connection is kept alive thereby denying other users from using a potentially available connection.
All the above modes of attack are subtle in that the requests are legitimate and even when they are multiplied several thousand times over each request does not exceed typical bandwidth limits so typical rate limiting may not work.
4)Masking IP addresses behind a NAT
There could be one malicious user hiding behind the NAT and so blocking users on the basis of the source IP would result in denying even legitimate users who use the NAT. There has to be another way to detect the signature of a malicious client and so static rules which block IP addresses are no longer effective.
5)Challenger Collapsar attack
Here the attacker requests a URI which involves extensive computations on the server which could eventually exhaust all the server’s resources if the request is sent repeatedly. Once again there is no way to blacklist this request since it could be legitimate. Read more about it here.
6)Abusing the TLS handshake
Another creative way to exhaust a server’s resources is to send garbage data as part of the TLS handshake. Firewalls have no way of determining if the handshake data sent is garbage and even performing the TLS handshake on garbage data can consume time and computational resources. Implementing decryption at the firewall is cost-prohibitive.
Conclusion
Given all these pernicious methods being used to perform DOS attacks at Layer 7 traditional approaches like IP reputation filtering, API rate limiting etc. just don’t make the cut. At Samvit we are working on developing the next generation of Intrusion Prevention systems by employing sophisticated Machine learning techniques which use various parameters to uniquely identify the signature of clients sending out requests. Talk to us to learn more.