Application-Layer DDoS Detection

Charles Herring

DDoS Recap

In an earlier blog entry, I described how traditional, flood-based DDoS could be detected with Lancope’s StealthWatch System. With our upcoming release of StealthWatch 6.4, we are also introducing application-layer DDoS detection.

Defining Traditional DDoS

“Traditional” TCP DDoS overwhelms a server by flooding the listening port with a high number of request (SYN) packets. The benefit to attackers is that since the flood is on the request, the source(s) of the packets can be spoofed, making it very difficult to track or block. Analogously, TCP DDoS is like thousands of clients screaming “look at me,” leaving the server overwhelmed in trying to respond to these phantom requests.

Defining Application-Layer DDoS

Where TCP DDoS is focused on thousands of “shouts,” application-layer DDoS is like having several never-ending, uncomfortable, boring conversations. In protocols such as HTTP that normally have quick conversations (downloading an image, file or web page), application-layer DDoS is most effective. The attacking host will start multiple (hundreds) of conversations with the server, then say very little. Each conversation that remains open consumes memory on the server and pushes it to its upper limit of maximum concurrent connections. When valid clients try to connect to the service, they will be given an error that the service is currently unavailable (because of the number of current connections).

Comparative Analysis

When comparing the impact of each type of DDoS attack, the graph below shows how a server can be greatly degraded by either approach.

A server can be greatly degraded by either approach

From a detection perspective, TCP DDoS generates high packets per second (pps) and bits per second (bps) rates that are easy to see on a utilization graph, but application-layer DDoS is nearly invisible in these graphs.

Application-layer DDoS is nearly invisible in these graphs

Detecting Application-Layer DDoS

In StealthWatch 6.4, application-layer DDoS is simple to detect. A new alarm and Concern Index™ (CI) event called “Slow Connection Flood” monitor for these high numbers of connections with little data exchange on each. Below is a flow object showing a Slowloris HTTP DoS attack.

A flow object showing a Slowloris HTTP DoS attack.

The resulting intelligence on these flows allows StealthWatch to throw a “Slow Connection Flood” alarm for this application-layer DoS attack.

A "Slow Connection Flood" alarm

Wrap Up

By monitoring multiple characteristics of every flow coming into the network, and the collective behavior of each host inside and outside the network, StealthWatch is able to detect both routine and advanced threats. The release of StealthWatch 6.4 further enhances DDoS detection by examining the flow data points that clearly indicate application-layer DoS. Click here for more details on DDoS detection by Lancope.