First, what is a layer 7 DDoS attack?

Layer 7 DDoS Attack: A distributed denial of service (DDoS) attack that targets the “top layer” (application layer) in the OSI model. Compared to the better-known network layer attacks, layer 7 (L7) attacks are typically low and slow, and for businesses that generate important revenue online, they can be extremely disruptive.

Preventing layer 7 DDoS attacks should be a key concern for you if your business revenue is heavily dependent on your online presence. Your first step to evading layer 7 DDoS damage to your business and customers is to understand how the attacks work and the best methods for protecting your website, mobile app, and/or API.


Layer 7 DDoS Attacks Explained

To understand layer 7 DDoS attacks, you must first understand denial of service and DDoS.

Denial of service (DoS)—aka OWASP automated threat OAT-015—occurs when a network resource, such as a website or app, is made unavailable to its intended users. DoS is typically the result of a cyberattack, but it can also be unintentional (we’ll get back to this shortly).

When most people hear of DDoS (distributed denial of service) attacks, they think of so-called “volumetric” attacks, in which attackers try to crash a target system simply by saturating its bandwidth. By making a higher number of requests than a target server can handle, attackers are able to quickly bring down the system and block real users from accessing the website, app, or service.

Volumetric attacks typically target the network or transport layers (layer 3 or 4) in the OSI model. In contrast, application layer (layer 7) attacks target specific elements of an application or service, for example a server executing WordPress.

Layer 7 DDoS Statistics

DDoS attacks—which Norton has called “one of the most powerful weapons on the internet”—saw a huge and long-lasting spike (a 542% increase) with COVID-19 in 2020. Here’s how Comparitech reports DDoS attacks have progressed since then:

  • DDoS attacks continue increasing. 2022 brought twice as many (application) layer 7 DDoS attacks compared to 2021. 
  • The attacks are lasting longer. The average DDoS attack lasted 30 minutes in Q2 2021 vs. an average of 50 hours in Q2 2022.
  • In Q3 2021, 78% of DDoS attacks were multi-vector attacks combining several techniques.
  • In September 2022, Google announced that it had managed to stop a DDoS attack sending 46 million requests per second.


The average cost of downtime for an enterprise can reach up to $2 million. Here’s how the costs add up:

  • Enterprises estimated that their hourly revenue risk is $250,000 or higher, and that mitigating DDoS attacks takes from 3 to 24+ hours.
  • 20 DDoS attacks in 30 days can degrade customer web traffic by 35%.
  • The cost in conversions is also significant. Mazebolt estimates that a 35% degradation in traffic equates to a 60% drop in online purchases and a 40% increase in abandoned shopping carts.

What the total cost would look like for your business depends on a multitude of factors, but the costs are universally significant.

Who perpetrates layer 7 DDoS attacks, and why?

Most layer 7 DDoS attacks target specific organizations or services, and the aim is to harm the target in one way or another. The possible motivations are many:

  • Business Competition
  • Ransom
  • Revenge (From an unhappy employee, for example.)
  • Political or Ideological Disagreement (“Hacktivism”)
  • For Bragging Rights Among Hackers

In some cases, cybercriminals also use DDoS attacks as a diversion tactic. By keeping the target’s IT staff busy with the layer 7 DDoS attack, the attackers can execute even more sinister tasks, such as performing unauthorized transactions, without interruption.

Unintentional DoS

As we mentioned before, denial of service can also be unintentional—for example, when a site gets an unexpected traffic spike from legitimate users. Many small website owners have learned of unintentional DoS the hard way after a link to their site has been posted to the Reddit front page—an event known as the “Reddit Kiss of Death”.

Similarly, a large volume of bot traffic can bring a site to its knees, even if that wasn’t the bot operators’ intent. For example, DirectVelo is the leading French-language website for cycling news. Among other types of content, the website offers live coverage of cycling events and comprehensive race results, from junior races to major professional competitions.

DirectVelo’s content attracted scraper bots in such volumes that the traffic peaks started to slow down loading times, and even crashed the site at particularly busy times, such as during live coverage of important events.

The scraper bots weren’t actively trying to bring down DirectVelo (in fact, downtime made the coveted content unavailable to the scrapers), but the result was the same. The service was made unavailable for legitimate users; it was a “denial of service”.

The Anatomy of a Layer 7 DDoS Attack

Layer 7 DDoS attacks are typically “low and slow” compared to network layer DDoS attacks, but can be just as devastating. In layer 7 DDoS, attackers target application-layer processes with the intention of overwhelming their functions or features.

The most common type of layer 7 attack is the so-called “HTTP flood,” which sends seemingly legitimate requests in overwhelming numbers. HTTP floods are particularly effective when they target resource-hungry elements of the web application, such as large file downloads or form submissions.

Individually, the requests may seem legitimate, but the intensity exhausts resources, such as memory and CPU.

HTTP flood attacks are relatively easy to perform, since they require much less bandwidth than network-layer attacks to be effective. A single bot can do enough damage to bring down your website with a network-layer attack.

While responding to attacks can be very resource-consuming for the targeted application, HTTP requests are cheap for attackers to execute. For example, “DoS-as-a-Service” packages have been sold for as little as $5 per month.

Prevent Layer 7 DDoS: Common Defense Strategies

As easy as they can be to perpetrate, layer 7 attacks are notoriously difficult to mitigate. The traffic pattern typically mimics legitimate human user behavior, and is often not detected before it’s too late.

Unlike network-layer attacks, layer 7 attacks can’t be mitigated by the strength of your network capacity alone. Some companies rely on web application firewalls (WAFs), manual IP filtering, and ad-hoc network analysis for protection—but the problem with these approaches is twofold:

  1. Attackers now distribute bots easily via hundreds of thousands of different IP addresses (including residential proxies), making IP-based filtering largely ineffective.
  2. Manual filtering is very resource-consuming and generally too slow to efficiently mitigate large attacks.

The most effective way by far to protect your applications against Layer 7 DDoS attacks is to accurately profile all of your incoming traffic and requests in real time to distinguish bots from humans. You can then block any unwanted or suspicious traffic without disturbing the user experience for your real users and customers.
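Why per-IP filtering misses a distributed HTTP flood while a per-endpoint view catches it, as an added example (not DataDome's code or detection method). The traffic is constructed, and the function names, the 60-second window, the per-IP limit of 20 and the 5x spike factor are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed traffic, not real logs: (epoch_second, client_ip, path)."""
    events = []
    for minute in range(5):            # baseline: 30 req/min from 10 clients
        for i in range(30):
            events.append((minute * 60 + 2 * i, f"198.51.100.{i % 10}", "/search"))
    for src in range(200):             # minute 5: 200 sources, 3 requests each
        for k in range(3):
            events.append((300 + (src + 20 * k) % 60, f"203.0.113.{src}", "/search"))
    return events

def per_ip_offenders(events, window=60, limit=20):
    """Per-IP rate limit: (window, ip) pairs with more than `limit` requests."""
    counts = Counter((ts // window, ip) for ts, ip, _ in events)
    return {key for key, n in counts.items() if n > limit}

def endpoint_spikes(events, window=60, factor=5, min_history=3):
    """Per-endpoint view: windows whose total exceeds factor x the median of
    earlier non-spike windows. Returns (window, path, requests, distinct_ips)."""
    totals, sources = defaultdict(Counter), defaultdict(set)
    for ts, ip, path in events:
        totals[path][ts // window] += 1
        sources[(path, ts // window)].add(ip)
    spikes = []
    for path, counts in totals.items():
        seen = []                      # request totals of earlier normal windows
        for w in sorted(counts):
            if len(seen) >= min_history and counts[w] > factor * median(seen):
                spikes.append((w, path, counts[w], len(sources[(path, w)])))
            else:
                seen.append(counts[w])  # keep the baseline free of spike windows
    return spikes

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP offenders:", per_ip_offenders(sample))
    print("endpoint spikes: ", endpoint_spikes(sample))
```

In the sample, every source stays at 3 requests per minute, so the per-IP check returns nothing, while the endpoint total jumps from 30 to 600 requests in the same window.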

…thanks to DataDome, it is the end of DDoS attacks and our website is always available.

Paul M, CTO

How DataDome Protects Against Layer 7 DDoS Attacks

DataDome is the only SaaS bot protection solution on the market, driven by machine learning models designed and continuously updated to protect websites, mobile apps, and APIs from layer 7 DDoS attacks and all other OWASP automated threats. Our algorithm analyzes billions of daily events (3 trillion signals per day) and adjusts in real time across all our customers’ endpoints to best detect both known bots and new, unfamiliar threats.

DataDome’s layer 7 DDoS protection solution deploys in minutes on any web infrastructure, with no changes to the host architecture. Layer 7 attack detection and prevention run on autopilot.

DataDome sends you real-time notifications when your site is under an application layer attack, but you won’t need to do anything. Once you have set up an allowlist of trusted partner bots, DataDome will take care of all unwanted traffic.
