
DDoS attacks occur at three OSI layers: the third (network), the fourth (transport) and the seventh (application). This article introduces DDoS attacks at the seventh layer, known as application-layer attacks, and the corresponding countermeasures.

 

HTTP Flood

Definition:

HTTP is the network protocol normally used for browsing web pages. An HTTP flood attacks a website by sending requests disguised as ordinary HTTP requests, occupying the web server's computing resources. The goal is to exhaust the website's connection sessions so that legitimate users cannot connect. This attack is also called a CC attack (Challenge Collapsar attack).

In a RESTful architecture an HTTP request fetches website resources in one of two main ways, HTTP GET and HTTP POST, and these are also the two main forms an HTTP flood takes:

  1. HTTP GET: requests data from a specified website, mainly images, video files, text and so on. The attacker uses many zombie hosts to fetch resources simultaneously, which exhausts the web server's resources.
  2. HTTP POST: actions that require data to be transmitted, such as submitting a membership application or an account form on the website, are done through HTTP POST. These actions usually reach the back-end database, so an attacker who sends many POST requests continuously or in a burst can saturate the service and cause a denial of service.
In addition, unlike the traditional method of flooding the server with large packets through HTTP GET, R-U-Dead-Yet attacks a server by slowly tying up many of its threads (a slow-rate attack) until the host fails.
 
Solution:
  1. Set up a WAF (Web Application Firewall), such as AWS Cloud Shield, GCP Cloud Armor or Alibaba Anti-DDoS.
  2. Before accepting a POST action, verify that the client is a real user, for example with an image-recognition challenge.
  3. Put a reverse proxy such as a load balancer in front of the host so that the origin server is not exposed to the attack directly.
  4. Traffic cleaning: identify the source IP and compare it against a whitelist to decide whether to let the request through.
  5. Slow-rate attacks can be absorbed by increasing the host's thread pool, but responses still become slow, so the methods above are the better defence.
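As an added example (not code from the original article or from HigherCloud), the Python script below shows what "identifying the IP source" from solution 4 looks like in practice: it parses web server access-log lines, flags clients whose request rate inside a sliding window exceeds a threshold (the GET-flood pattern), and flags POST requests that held a worker far longer than a real form submission would (the slow-rate pattern of R-U-Dead-Yet). The log format (combined format with nginx's $request_time appended), the thresholds, the IP addresses and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed): combined log format with nginx's $request_time
# appended, i.e. the seconds a request held a worker. Example line:
# 203.0.113.9 - - [10/Oct/2023:13:55:00 +0000] "GET /search?q=1 HTTP/1.1" 200 512 0.012
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rtime>[0-9.]+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["rtime"] = float(rec["rtime"])
    return rec


def find_flood_sources(lines, window=timedelta(seconds=10), max_requests=20):
    """Sliding-window rate check per source IP.

    Returns {ip: peak number of requests seen inside one window} for every IP that
    exceeded max_requests; these are the candidates for rate limiting or blocking.
    Lines are expected in chronological order per IP, as they are in a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            offenders[rec["ip"]] = max(len(q), offenders.get(rec["ip"], 0))
    return offenders


def find_slow_posts(lines, min_seconds=30.0):
    """Return (ip, path, request_time) for POSTs that tied up a worker far longer than a normal submit."""
    return [
        (rec["ip"], rec["path"], rec["rtime"])
        for rec in filter(None, map(parse_line, lines))
        if rec["method"] == "POST" and rec["rtime"] >= min_seconds
    ]


def make_sample_log():
    """Constructed sample log: one normal visitor, one bursty client and one slow POST."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, offset, method="GET", path="/", status=200, size=512, rtime=0.012):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} {rtime:.3f}'

    lines = [line("198.51.100.4", i * 7, path="/index.html") for i in range(5)]        # normal browsing
    lines += [line("203.0.113.9", i * 0.2, path=f"/search?q={i}") for i in range(60)]   # 60 hits in 12 s
    lines.append(line("192.0.2.77", 3, method="POST", path="/login", status=408, size=0, rtime=120.5))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("flood sources:", find_flood_sources(log))
    print("slow POSTs:", find_slow_posts(log))
```

The output of such a script is the input to the whitelist or rate-limit decision; on a real deployment the same two checks would run continuously over the live log rather than over a constructed sample, and the thresholds would be tuned to the site's normal traffic.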
 

DNS Hijacking 

Definition:

A DNS hijacking attack replaces the authentic website IP with a DNS redirection, so users connect to a fake website without noticing. In the normal DNS query flow, the user sends a query to the DNS server and the DNS server returns the correct IP to the user. In DNS hijacking, an attacker changes the DNS settings by one of several methods so that users are sent to the wrong IP.
For example, suppose the correct IP address for google.com is 8.8.8.8. If the DNS server has been compromised, the user would instead receive a wrong IP address such as 192.168.3.4.

DNS hijacking has four attack modes:
  1. Local hijacking:
    The attacker installs a Trojan horse program on the user's computer that changes the DNS settings on the local machine, causing the user to connect to a fake website.
  2. Man-in-the-middle (MITM) attack:
    The attacker intercepts the packet sent from the user to the DNS server and modifies it, causing the user to connect to the wrong IP address.
  3. Router hijacking:
    The attacker compromises the user's router and modifies its DNS settings, which leads to incorrect IP responses.
  4. Rogue DNS server:
    The attacker compromises the DNS server itself and modifies its records. This causes the most damage to users but is the hardest to accomplish.
Solution:
DNSSEC (Domain Name System Security Extensions)

-Because DNS servers usually communicate over UDP, which does not verify the source of a packet, attackers have built their DNS attack methods around this weakness. DNSSEC addresses it by requiring every DNS response to carry a digital signature, so that a resolver can verify that the records it receives are authentic and reject forged ones.

DNS cache pollution - DNS Spoofing

Definition:

DNS spoofing (DNS forgery) is used to make a DNS cache server record a wrong IP address.

Today the DNS server is a system users rely on for every query they make on the Internet. To spread the load, however, a server often forwards queries to other DNS servers as well.

DNS servers cache the result of the first query so that the next lookup is faster. The attacker exploits this by using DNS spoofing to pollute the DNS server's cached records, and because servers forward queries to one another, the pollution also spreads to nearby DNS servers, with severe consequences. For instance, several governments deliberately carry out DNS pollution to stop their citizens from reaching specific websites, and this can also affect users in other countries.

Solution:
DNSSEC (Domain Name System Security Extensions)

-Because DNS servers usually communicate over UDP, which does not verify the source of a packet, attackers have built their DNS attack methods around this weakness. DNSSEC solves this problem by requiring every DNS response to carry a digital signature, so that cached records can be checked for authenticity before they are served to users.
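Both the MITM mode of DNS hijacking above and the DNS spoofing described in this section depend on a forged reply that the resolver accepts and caches. As an added example (not code from the article or from HigherCloud), the Python below builds a minimal DNS query and response in wire format and implements the matching checks a resolver performs before it trusts a reply: the reply must arrive on the port the query was sent from, its transaction ID and its question section must match the outstanding query, and the QR bit must be set. These checks are the baseline that keeps a blindly forged reply from being cached; DNSSEC adds the cryptographic signature on top, so that even a reply which passes them cannot carry forged records. The hostnames, ports and addresses used are constructed.

```python
import secrets
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a label sequence at `off`, following compression pointers.

    Returns (lowercased dotted name, offset just past the name in the original stream).
    """
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_query(qname, txid=None, qtype=1):
    """Build an A-record query (class IN). The random 16-bit ID is one value a forger has to guess."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, answer_ip, txid=None):
    """Answer `query` with one A record; `txid` lets a test construct a reply whose ID does not match."""
    if txid is None:
        txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]                 # QNAME + QTYPE + QCLASS copied from the query
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, one answer
    rdata = bytes(int(o) for o in answer_ip.split("."))
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, len(rdata)) + rdata   # name = pointer to offset 12
    return header + question + rr


def response_matches_query(query, response, query_port, response_port):
    """Resolver-side checks before a reply is trusted or cached. Returns (accepted, reason)."""
    if query_port != response_port:
        return False, "port mismatch"
    if len(response) < 12:
        return False, "truncated header"
    qid, _, qdcount = struct.unpack("!HHH", query[:6])
    rid, rflags, rdcount = struct.unpack("!HHH", response[:6])
    if not rflags & 0x8000:
        return False, "QR bit not set"
    if rid != qid:
        return False, "transaction ID mismatch"
    if qdcount != 1 or rdcount != 1:
        return False, "unexpected question count"
    qname, qend = read_name(query, 12)
    rname, rend = read_name(response, 12)
    if qname != rname or query[qend:qend + 4] != response[rend:rend + 4]:
        return False, "question section mismatch"
    return True, "ok"


def first_answer_ip(response):
    """Extract the IPv4 address from the first answer RR, for display once a reply is accepted."""
    _, off = read_name(response, 12)
    off += 4                                      # skip QTYPE and QCLASS
    _, off = read_name(response, off)
    _, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return ".".join(str(b) for b in response[off:off + rdlen])


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)             # constructed query
    genuine = build_response(q, "192.0.2.1")                  # constructed genuine reply
    forged = build_response(q, "192.0.2.99", txid=0x1235)     # constructed reply with a wrong ID
    print("genuine:", response_matches_query(q, genuine, 54321, 54321), first_answer_ip(genuine))
    print("forged: ", response_matches_query(q, forged, 54321, 54321))
```

A forged reply has to match all of these fields at once, which is why resolvers randomize both the transaction ID and the source port; the script treats them as values to compare, not as values to generate, since that is the resolver's job.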

Memcached Attack

Definition:

Memcached is a distributed object caching system used to reduce database load and keep a website running efficiently. A Memcached attack is similar to NTP and DNS amplification attacks: the attacker sends small requests with a forged source address (IP spoofing) to many Memcached servers that are reachable over UDP, and their much larger responses are delivered to the victim, cutting off the victim's connection to its servers.

Solution:
  1. If you do not need the UDP port, close it so that your server cannot be used as an accomplice in amplifying packets. Also, listen only on your internal IP.
  2. Set up a firewall in front of the Memcached server.
  3. Identify the source IP.
  4. Use cloud-native defence services.
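As an added example (not code from the article or from HigherCloud), the Python audit below turns solution 1 into a check: it inspects a memcached start-up command line for the two exposure settings that make a server usable as a reflector, UDP left enabled (-U with a non-zero port, or -U not given at all on releases before 1.5.6, where UDP was on by default) and listening on every interface rather than an internal address (-l/--listen). The option spellings are memcached's documented ones; the command lines and addresses are constructed.

```python
import ipaddress
import shlex


def parse_memcached_args(cmdline):
    """Pull the UDP port and listen addresses out of a memcached command line.

    Handles memcached's documented spellings: -U 0 / -U0 / --udp-port=0 and
    -l addr / -laddr / --listen=addr (comma-separated). Returns
    (udp_port or None when not given, [listen addresses]).
    """
    argv = shlex.split(cmdline)
    udp_port, listen = None, []
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in ("-U", "--udp-port"):
            udp_port = int(argv[i + 1])
            i += 2
        elif a.startswith("--udp-port="):
            udp_port = int(a.split("=", 1)[1])
            i += 1
        elif a.startswith("-U") and a[2:].isdigit():
            udp_port = int(a[2:])
            i += 1
        elif a in ("-l", "--listen"):
            listen += argv[i + 1].split(",")
            i += 2
        elif a.startswith("--listen="):
            listen += a.split("=", 1)[1].split(",")
            i += 1
        elif a.startswith("-l") and len(a) > 2:
            listen += a[2:].split(",")
            i += 1
        else:
            i += 1                                # other options are not relevant to exposure
    return udp_port, listen


def classify_listen(addr):
    """Classify a listen address as 'all interfaces', 'internal', 'public' or 'unresolved hostname'."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unresolved hostname"
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "public"


def audit_memcached(cmdline):
    """Return a list of findings for the command line; an empty list means the exposure checks pass."""
    udp_port, listen = parse_memcached_args(cmdline)
    findings = []
    if udp_port is None:
        findings.append("UDP not explicitly disabled: add '-U 0' (memcached before 1.5.6 enabled UDP by default)")
    elif udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}: usable as a reflector, set '-U 0'")
    if not listen:
        findings.append("no -l/--listen option: memcached binds every interface, restrict it to internal addresses")
    for addr in listen:
        kind = classify_listen(addr)
        if kind == "all interfaces":
            findings.append(f"listening on all interfaces ({addr}): bind to internal addresses only")
        elif kind == "public":
            findings.append(f"listening on public address {addr}: keep the cache off Internet-facing interfaces")
        elif kind == "unresolved hostname":
            findings.append(f"listen address {addr} is a hostname: confirm it resolves to an internal IP")
    return findings


# Constructed command lines: the weak configuration beside the hardened one.
EXPOSED = "memcached -m 64 -p 11211 -U 11211"
HARDENED = "memcached -m 64 -p 11211 -U 0 -l 127.0.0.1,10.0.0.5"

if __name__ == "__main__":
    for name, cmd in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, "->", audit_memcached(cmd) or ["ok"])
```

The same two settings are what a firewall rule in front of the server (solution 2) has to compensate for when the process itself cannot be reconfigured; fixing them at the source is simpler and removes the reflector even if the firewall rule is later changed.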
 

Conclusion:

There are more and more attack methods from the fourth to the seventh layer of the OSI model, and attackers will always try to interrupt service operation. This tells us that monitoring website traffic is the core of any defence.

Fortunately, IT staff today can draw on a wide range of information security products for their systems. However, such a diverse set of services and products also leaves developers unsure which product best suits their business.

Therefore, HigherCloud aims to help customers build a well-designed service architecture with high availability. Our expert team has solved clients' cloud issues for many years in hybrid cloud integration, networking, information security and more. We can recommend the best choice for your business. We love hearing from you, so feel free to contact us and let HigherCloud help you eliminate unnecessary workload.

Higher Cloud, Higher than YOU think.