The last few months have seen an increase in the number of distributed denial-of-service (DDoS) vectors using sophisticated techniques, including attacks targeting the authoritative DNS servers for domain names, attacks launched from botnets built out of hijacked virtual machines, and HTTP application-layer attacks with highly randomized fingerprints.
“The second quarter of 2023 was characterized by thought-out, tailored and persistent waves of DDoS attack campaigns on various fronts,” web security company Cloudflare said in a new report. These included DDoS attacks launched by pro-Russian hacktivist groups like REvil, Killnet, and Anonymous Sudan against Western websites; a large increase in targeted DNS attacks; UDP amplification attacks leveraging a vulnerability in Mitel MiCollab business phone systems; and an alarming escalation in HTTP attack sophistication, the company said.
Carefully engineered HTTP attacks
DDoS attacks are split into two main categories: network-layer attacks that target core data transmission protocols that exist at layers 3 and 4 of the OSI model such as TCP, UDP, ICMP, or IGMP, and application-layer attacks that target the communication protocols used by applications to send and receive messages to users, the most common of which is HTTP. According to Cloudflare, the second quarter of this year saw a 14% decrease in network-layer DDoS attacks, but a 15% increase in application-layer attacks.
The goal of HTTP attacks is to saturate the computing resources available to a web application or web API and degrade its ability to answer requests from legitimate users by keeping it busy answering rogue requests initiated by bots. That’s why the most important attribute for judging the severity of HTTP attacks is their requests-per-second (rps) rate rather than the volume of data transmitted (Gbps), as in the case of network-layer attacks that seek to saturate the target’s available bandwidth.
Mitigating HTTP DDoS attacks requires a combination of techniques to differentiate between legitimate users and bots. For example, if an application experiences an unusually high rps rate, a DDoS mitigation provider might choose to temporarily enforce CAPTCHA checks before allowing requests to reach the application. These checks can also be triggered if the user-agent reported by the client during the request is unusual and doesn’t match typical browsers or if the request header as a whole has a known fingerprint matching a known botnet.
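One way to express the three triage signals described above (per-client request rate, an unusual user-agent, and a request fingerprint matching a known botnet) as detection logic over access-log lines. This is an added example, not code from Cloudflare or from this article; the log format, the rps threshold, the JA3 hashes, the client addresses and the user-agent strings are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines: "<epoch-second> <client-ip> <ja3-hash> <user-agent>".
SAMPLE_LOG = """\
1688000000 198.51.100.7 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0 Safari/537.36
1688000000 198.51.100.7 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/114.0 Safari/537.36
1688000001 203.0.113.9 00000000000000000000000000000000 python-requests/2.31
1688000002 192.0.2.44 ffffffffffffffffffffffffffffffff Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
1688000002 198.51.100.200 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15
1688000002 198.51.100.200 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15
1688000002 198.51.100.200 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15
1688000002 198.51.100.200 771a1b2c3d4e5f60718293a4b5c6d7e8 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15
"""

RPS_CHALLENGE_THRESHOLD = 3          # constructed: requests per client per second before a CAPTCHA is triggered
KNOWN_BOTNET_JA3 = {"ffffffffffffffffffffffffffffffff"}   # placeholder hash, not a real indicator
# Loose shape of a mainstream browser UA; anything else counts as "unusual" for this example.
BROWSER_UA_RE = re.compile(r"^Mozilla/5\.0 \(.*\).*(Chrome|Firefox|Safari|Edg)/\d")
LOG_RE = re.compile(r"^(\d+) (\S+) ([0-9a-f]{32}) (.+)$")

def parse(log_text):
    """Turn log lines into (epoch_second, ip, ja3, user_agent) tuples; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, ip, ja3, ua = m.groups()
            records.append((int(ts), ip, ja3, ua))
    return records

def triage(log_text):
    """Return {client_ip: sorted reasons}; a client with no reasons is allowed, any reason means 'challenge'."""
    records = parse(log_text)
    per_second = defaultdict(int)          # crude one-second buckets per client; a real system uses sliding windows
    for ts, ip, _, _ in records:
        per_second[(ip, ts)] += 1
    reasons = defaultdict(set)
    for ts, ip, ja3, ua in records:
        if per_second[(ip, ts)] > RPS_CHALLENGE_THRESHOLD:
            reasons[ip].add("rps")
        if not BROWSER_UA_RE.match(ua):
            reasons[ip].add("user-agent")
        if ja3 in KNOWN_BOTNET_JA3:
            reasons[ip].add("fingerprint")
    return {ip: sorted(reasons[ip]) for _, ip, _, _ in records}

def decisions(log_text):
    """Map each client seen in the log to 'challenge' or 'allow'."""
    return {ip: ("challenge" if r else "allow") for ip, r in triage(log_text).items()}
```

Each signal alone is weak (a browser-like UA and a benign JA3 are exactly what the randomized attacks in the next paragraph imitate), which is why the three are combined rather than used individually.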
“We’ve observed an alarming uptick in highly randomized and sophisticated HTTP DDoS attacks over the past few months,” Cloudflare said. “It appears as though the threat actors behind these attacks have deliberately engineered the attacks to try and overcome mitigation systems by adeptly imitating browser behavior very accurately, in some cases, by introducing a high degree of randomization on various properties such as user agents and JA3 fingerprints to name a few.”