In a previous article, we covered one of the two main types of DDoS attack: those at network Layers 3 and 4. This time we look at the other category, attacks at the application layer, i.e. Layer 7.
As the name suggests, these attacks are designed to saturate the victim's server resources by increasing the load on the application software. For example, against a web server that hosts sites, the attacker may request numerous web pages simultaneously, simulating a peak of bogus visits that exhausts server resources. Real users are then no longer able to visit the website normally.
The attack in this example is quite trivial; there are far more sophisticated ones. The strength of this type of DDoS attack is that it does not need much traffic to take the victim offline; however, the attacker does need a reasonable number of IP addresses from which to attack. When the attack is aimed at a website, the attacker tries to make the malicious visits look as much as possible like those of regular visitors, in order to evade systems that monitor for abnormal traffic.
Also among attacks aimed at websites, the attacker may request pages that are very heavy for the server to process, especially by taking advantage of knowledge of widely used CMS systems such as WordPress, Drupal, Joomla, Prestashop, etc. The attacker can also try to saturate the web server's capacity to handle HTTP requests by transmitting request data slowly (Slowloris).
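An added example, not from the original article: a defender-side check for the slow-request pattern described above, run over a constructed snapshot of a server's open connections. The `Conn` record, the thresholds and the worker count are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    ip: str
    age_s: float        # seconds since the connection was accepted
    header_bytes: int   # request bytes received so far
    headers_done: bool  # True once the blank line ending the headers arrived

# Assumed thresholds; tune them to the real server and client population.
HEADER_DEADLINE_S = 10.0  # full headers expected within this time
GRACE_S = 2.0             # do not judge the byte rate of very young connections
MIN_RATE_BPS = 50.0       # minimum acceptable header byte rate

def is_slow(c: Conn) -> bool:
    """Headers still incomplete and either past the deadline or trickling in."""
    if c.headers_done:
        return False
    if c.age_s > HEADER_DEADLINE_S:
        return True
    return c.age_s >= GRACE_S and c.header_bytes / c.age_s < MIN_RATE_BPS

def assess(conns, max_workers, alert_share=0.5):
    """Report how much of the worker pool is held by slow-header connections."""
    slow = [c for c in conns if is_slow(c)]
    share = len(slow) / max_workers
    return {
        "slow": len(slow),
        "share": share,
        "per_ip": dict(Counter(c.ip for c in slow)),
        "alert": share >= alert_share,
    }

# Constructed snapshot of a server with 8 workers (documentation IP ranges).
SNAPSHOT = [
    Conn("198.51.100.10", 0.4, 420, True),   # normal request, headers complete
    Conn("198.51.100.11", 1.0, 300, False),  # still inside the grace period
    Conn("198.51.100.12", 3.0, 900, False),  # slow link, but 300 B/s is acceptable
    Conn("203.0.113.5", 45.0, 96, False),
    Conn("203.0.113.5", 50.0, 100, False),
    Conn("203.0.113.6", 60.0, 120, False),
    Conn("203.0.113.7", 30.0, 64, False),
    Conn("203.0.113.8", 5.0, 40, False),     # 8 B/s, flagged before the deadline
]

if __name__ == "__main__":
    print(assess(SNAPSHOT, max_workers=8))
```

In the snapshot no single address holds more than two connections, yet five of the eight workers are tied up, which is why the check measures the share of the pool rather than a per-IP count.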
Layer 7 DDoS attacks against other types of services, such as game servers and voice servers, are based on the same principle as those against HTTP services, but they more often aim to exploit software vulnerabilities or configuration errors to overload the server. In these cases, usually the only solution is to install the software developer's patch that corrects the flaw.
Compared with Layer 3-4 DDoS attacks, there are more solutions for defending yourself at more affordable costs. However, it is always cheaper to rely on companies specialized in defending against this type of attack (like Scudlayer), which with their experience can also effectively protect against larger and more sophisticated attacks at lower cost. Our Anti DDoS protection services protect our customers against these application layer attacks as well; in particular, we have a specific plan for protecting HTTP and HTTPS web services.