Application Attack DDoS Testing

An application attack directly targets a service or application at layer 7, the end user level. Huge problems can be caused with just one dedicated attack machine, and because attackers can get away with using low traffic rates, these attacks can be difficult to detect and neutralise. Over the last couple of years this form of attack has become more and more commonplace.

These attacks are specifically tailored to the target server software or system behaviour. However, because they also masquerade as legitimate traffic for the target server, they are more difficult than volumetric or protocol attacks to stop “in the cloud” without risking blocking legitimate traffic or interrupting encryption integrity.

HTTP GET attacks

The classic attack of this type is the HTTP (Hypertext Transfer Protocol) GET attack. A web server receives an HTTP GET command from a browser to request some kind of information – perhaps an image, some text, or the result of a database query. Actioning each request uses up some CPU, memory, I/O and other resources on the server – and so a server has a finite limit to the number of HTTP GET commands it can handle.

An attacker simply uses a sufficient volume of HTTP GET requests – usually asking for resource-heavy information such as database queries. Like a protocol attack, the volume of inbound (request) traffic is low, but the target server can be overwhelmed very quickly. Unlike a protocol attack, the traffic looks legitimate and sophisticated techniques are required to distinguish between a user browsing the site, and a bot making spurious and damaging requests.
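The distinction described above, sketched from the defender's side as an added example (not activereach's code): it reads access-log lines in time order and flags clients that send repeated GETs to database-backed endpoints without fetching the page assets a browser would also request. The log format, endpoint prefixes, thresholds and sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the page): log format, path prefixes and thresholds.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3}')
EXPENSIVE = ("/search", "/report")       # endpoints backed by database queries
STATIC = (".css", ".js", ".png", ".jpg", ".ico")
WINDOW = timedelta(seconds=10)
MAX_EXPENSIVE = 5                        # expensive GETs tolerated per window
MIN_STATIC_RATIO = 0.2                   # browsers also fetch page assets

def parse(line):
    """Return (client, timestamp, path without query string) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3).split("?")[0]

def suspicious_clients(lines):
    """Flag clients that hammer expensive endpoints and skip static assets."""
    recent = defaultdict(deque)            # client -> expensive GET times in window
    totals = defaultdict(lambda: [0, 0])   # client -> [all GETs, static GETs]
    flagged = set()
    for line in lines:                     # lines are assumed to be in time order
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        totals[ip][0] += 1
        if path.endswith(STATIC):
            totals[ip][1] += 1
        if path.startswith(EXPENSIVE):
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop requests older than the window
                q.popleft()
            static_ratio = totals[ip][1] / totals[ip][0]
            if len(q) > MAX_EXPENSIVE and static_ratio < MIN_STATIC_RATIO:
                flagged.add(ip)
    return flagged

def sample_log():
    # Constructed sample: one bot-like client and one browser-like client.
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    bot = [fmt.format(ip="203.0.113.9", s=s, p=f"/search?q=term{s}") for s in range(8)]
    paths = ["/", "/static/site.css", "/static/app.js", "/search?q=shoes",
             "/img/logo.png", "/search?q=boots"]
    user = [fmt.format(ip="198.51.100.4", s=i * 2, p=p) for i, p in enumerate(paths)]
    return sorted(bot + user, key=lambda l: l.split("[")[1])
```

Heuristics like these produce false positives on API clients and shared NAT addresses, so the thresholds need tuning against real traffic before they drive any blocking.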

Things to consider when DDoS testing application attacks

activereach can recreate application attacks with DDoS testing. These tests mimic user behaviour and often take advantage of web-based encryption (i.e. SSL), which can hide the attack from mitigation systems and services. The difficulty here is ensuring that mitigation can distinguish illegitimate traffic from legitimate traffic and minimise or eliminate false positives. Aggressive mitigation can impact legitimate users, and a test can help enumerate the risks or the poor customer experience that results.

It is usual to select at least one volumetric and one application attack – and one other, with the type determined in consultation with the client. The more the testing company knows about the mitigation systems in place, the better the choice of attack might be to demonstrate something interesting or previously unknown about the customer’s security posture.

Layer 7 attacks (lower volume, higher connections, low and slow, application attacks) that activereach can simulate via DDoS testing include:

· BroBot
· DNS ANY Query
· DNS Reflection Attack
· Dynamic HTTP Flood
· Extreme Bot Attack
· HTTP/s Flood with Browser Enumeration
· HTTP GET Flood/HTTP Flooders
· HTTPS Flood
· PHP Hash Collision
· Pyloris
· RefRef
· RUDY
· SlowLoris
· Slow Post
· Tor’s Hammer

Please browse the activereach DDoS Dictionary for the full range of DDoS attacks that can be simulated with our Managed Testing platform.