YOU ARE AT:FundamentalsApplication layer DDoS attacks: What is an HTTP(S) flood?

Application layer DDoS attacks: What is an HTTP(S) flood?

HTTP flood is the most common type of application layer DDoS attacks

Distributed denial-of-service (DDoS) attacks refer to a malicious actor or actors temporarily or indefinitely disrupting services of a host connected to a network to render an entire network or website unavailable. There are generally considered three types of DDoS attacks: Volumetric attacks, which involve generating massive volumes of traffic to completely saturate a network’s bandwidth; protocol attacks, which eat up the processing capacity of network infrastructure resources; and lastly, the subject of this article, application or Layer 7 attacks, which exploit weaknesses in the layer of a website that interfaces between human input and the site’s technical backend.

Damian Menscher, one of the lead engineers on Google’s DoS Security SRE team, told RCR Wireless News that a few years ago, application layer attacks — particularly those targeting the protocol Hypertext Transfer Protocol (HTTP) — were not growing as quickly as some other types of DDoS attacks. At the time, he found this surprising, and sure enough that trend began to shift. “In late 2021 or early 2022, there was a new method that attackers started using for those application layer attacks and so that exponential growth has now taken off and caught up with the others,” he said, adding that as a result, application layer attacks are “the current focus on everyone’s mind.”

For Google, though, application layer attacks were always a priority, according to Menscher: “Google approached [DDoS] differently. Most other companies in the world were worried about network level — packet and bandwidth — attacks and they developed a lot of expertise in those and now are starting to worry about [application layer attacks],” he noted.

He explained further that the reason for this is that Google has much more bandwidth than most other companies and so bandwidth flooding-type events weren’t as much of a concern for the tech giant. “Most of our capabilities started on the other end of the spectrum with defending against application layer attacks and then working backwards to develop the other types of defenses everyone else considers standard,” he said.

But what is HTTP, and what happens if it’s a target?

In Layer 7 there are two protocols that are typically the focus of such attacks: HTTP — mentioned earlier — and Domain Name System (DNS). Of the two, HTTP are the most common types of application layer DDoS attacks. HTTP is the primary protocol used to send data between a web browser and a website, and HTTPS or Hypertext transfer protocol secure is a more secure, encrypted version of this protocol. HTTPS is important for certain, sensitive data transactions on the internet, such as banking or accessing your email or health records.

In the case of an HTTP or HTTPS flood, a bad actor will initiate a flood of seemingly legitimate HTTP(S) requests, using up the network’s resources, and eventually causing it to lag or even entirely shut down. Because the requests mimic legitimate traffic so well, this is a particularly challenging DDoS attack to catch.Web browsers, like Google, take HTTPS very seriously, as Menscher already alluded to. Non-HTTPS websites will be flagged by browsers as not secure.

“Google incrementally took steps to nudge websites towards incorporating HTTPS over a number of years,” DDoS mitigation company Cloudflare reports on its website, adding that Google also considers HTTPS when assessing how to return search results. “[T]he more secure the website, the less likely the visitor will be making a mistake by clicking on the link Google provided,” the IT company said.

How to defend against HTTP(S) flood attacks?

When it comes to protecting your network from DDoS attacks, Menscher said it’s not really a one-size-fits-all situation: “Different places may be focused on different threats depending on where they fit in their business or what their business concerns are,” he offered. However, if HTTP(S) attacks are of particular concern, there are some specific actions that can be taken, even if mitigating such attacks is notably complex.

For example, limiting the number of concurrent connections allowed to the service port can help prevent HTTP flood attacks. Even better, utilizing a partner-provided solution that can automatically stop sending new connections to the service port once this maximum is reached, will further ensure protection. Once the number of connections on the port dips back below the threshold, these solutions can resume sending connections through.

While instances of DDoS attacks in general are increasing both in frequency and size, Menscher advises companies not to panic. “Exponential growth is expected in computers — we expect computers to increase in power over time, hard drives get larger, networks get faster — so if attacks get larger, that is totally normal and expected,” he shared. “I don’t tend to panic over these things. I think it’s helpful to know what to plan for but certainly I don’t think the world is coming to an end over any of this.”

ABOUT AUTHOR

Catherine Sbeglia Nin
Catherine Sbeglia Nin
Catherine is the Managing Editor for RCR Wireless News and Enterprise IoT Insights, where she covers topics such as Wi-Fi, network infrastructure and edge computing. She also hosts Arden Media's podcast Well, technically... After studying English and Film & Media Studies at The University of Rochester, she moved to Madison, WI. Having already lived on both coasts, she thought she’d give the middle a try. So far, she likes it very much.