According to data published by the 2H2020 Threat Intelligence Report, the unprecedented number of distributed denial of service (DDoS) attacks that happened in 2020 will most definitely spill over in 2021. That prediction has held true. According to the report, over 2.9 million DDoS attacks happened during the first quarter of 2021 alone, which is an increase of more than 31 percent compared to the same period in 2020.
This record-breaking activity means that if this rate holds, we will end 2021 with the number of attacks overtaking the 10 million attacks recorded for the duration of 2020. This also shows that threat actors are working overtime to conduct their nefarious activities because the first quarter of every year is usually the lowest in terms of the number of attacks, but the numbers show an uptick instead.
This surge in attacks can be attributed to the sudden and abrupt change in work dynamics all across the globe brought about by the COVID-19 pandemic. The majority of businesses shifted operations from inside offices to work-at-home arrangements. This has left many networks vulnerable and more prone to attacks.
Threat actors realized that many organizations have not prepared their IT infrastructure for this sudden surge in network traffic coming from outside the premises. They have not initiated security protocols and many have also failed to install security features like a load balancer and a web application firewall.
In a high-traffic situation such as a DoS or DDoS attack, a load balancer can provide the added resiliency to one’s IT assets by routing traffic from one server to another when server failures happen. This mitigates or eliminates the risk of having a single point-of-failure and essentially provides redundancy in both normal situations and during attacks.
Load balancing can also scale traffic capacity during surges, which is a common occurrence during high-traffic seasons such as flash e-commerce sales or going viral. Meanwhile, a WAF will prevent attacks at the application layer, reducing the threat of SQL injections, cross-site-scripting, and similar threats.
The preferred method of threat actors
Threat actors employ many methods to exploit weaknesses and vulnerabilities of an organization’s IT infrastructure or to gain access to the network in order to steal sensitive data. But among the many methods these cybercriminals employ, one has emerged as a preferred attack method – application-layer attacks.
Application layer attacks are a type of malicious cyber method that targets what is referred to as the top layer in the OSI model. These are also referred to as Layer 7 or L7 DDoS attack. It primarily targets rudimentary internet requests such as HTTP GET and HTTP POST.
These types of attacks are more effective compared to network layer attacks like DNS Amplification because it uses both server resources and network resources.
The difficulty of preventing application layer attacks
Cybercriminals prefer application layer attack methods more than any other malicious method in their playbook. This is because of the relative harmlessness or ubiquity of this method. An application-layer attack is relatively indistinguishable from normal traffic, for example, a botnet that would perform an HTTP flood attack targeting an organization’s server. The requests will look benign because the network requests will look like it is legitimate, therefore, the traffic is not flagged and will go through to the server.
One more reason for the difficulty of preventing application layer attacks is that this layer is also, by design, the most accessible to outside traffic. Applications need to be accessible over port 80 or port 443 the ports associated with http and https. This makes it difficult to secure since, by design, it needs to be open to be accessible to users.
Another way application layer attacks become successful is through exploiting unique vulnerabilities in the proprietary code of applications. These vulnerabilities, since it is unique to each individual application, will be undetected by security systems put in place in the network. A relentless cybercriminal or hacker will tenaciously look for these exploits or vulnerabilities (these are also called zero-day vulnerabilities). A successful hacker will be able to exploit this weakness and will most likely not be detected if he breaches security using this vulnerability.
Because of the surreptitious nature of application-layer attacks, the human factor will also play a role in the success of these types of attacks.
There are two types of human-related factors that could enable criminals to become successful in their attempts.
The subject of vulnerabilities was discussed above, and this relates to this factor, which is poor configuration of the application or the server. Hackers, in their attempts to find zero-day vulnerabilities, will also look for weaknesses that are caused by poor configuration. When they find out, the application layer-level attacks can then be implemented.
Another human-related factor involves users of the applications. Hackers and malicious actors can implement tricks that would fool users into performing certain actions that would then expose the server, which would then now be open to an application layer attack.
Protecting against application-layer attacks
The very nature of application-layer attacks makes them hard to detect and prevent. What is needed is a strategy and security protocol that will be robust and adaptive to these kinds of malicious actions. First and foremost, administrators need to check how the network is secured and determine if proper configurations are implemented across the whole enterprise. This will shut one door of vulnerability that hackers and criminals could exploit.
Implementing security features will also help prevent application-layer attacks. For example, a web application firewall will prevent certain types of application attacks by filtering dubious traffic that will attempt to connect to the server. Setting up a load balancer will also help tremendously in keeping the integrity of the server when an application layer attack does happen. By distributing the flow of traffic across servers, the network can continue operations and not be overwhelmed by a sudden upsurge in traffic that is usually associated with a DDoS attack. In fact, the tandem of a WAF and load balancer can help mitigate the detrimental effects of an application layer attack.
Application layer attacks are now the most prevalent type of malicious attack on servers, comprising almost 80 percent of all attacks. It has become the preferred method of malicious actors because it is harder to detect. But IT administrators and organizations can still defend the integrity of their servers by implementing an adaptive strategy that will be robust enough to quickly address the vulnerabilities in the server and be able to swiftly act when an attack does happen.