An application layer DDoS attack (sometimes referred to as a layer 7 DDoS attack) is a form of distributed denial-of-service (DDoS) attack in which attackers target the application layer of the OSI model. The attack over-exercises specific functions or features of a website with the intention of disabling those functions or features. This application-layer attack is different from an attack on the entire network, and is often used against financial institutions to distract IT and security personnel from security breaches. As of 2013, application layer DDoS attacks represent 20% of all DDoS attacks. According to research by the company Akamai, there have been "51 percent more application layer attacks" from Q4 2013 to Q4 2014 and "16 percent more" from Q3 2014 over Q4 2014.
Application layer
The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that characterizes and standardizes the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the Open Systems Interconnection project at the International Organization for Standardization (ISO). The model groups similar communication functions into one of seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides error-free communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. Two instances at one layer are connected by a horizontal connection on that layer.
In the OSI model, the definition of its application layer is narrower in scope. The OSI model defines the application layer as being the user interface. The OSI application layer is responsible for displaying data and images to the user in a human-recognizable format and for interfacing with the presentation layer below it.
Method of attack
An application layer DDoS attack is carried out mainly for specific targeted purposes, including disrupting transactions and access to databases. It requires fewer resources and often accompanies network layer attacks. An attack is disguised to look like legitimate traffic, except it targets specific application packets. The attack on the application layer can disrupt services such as the retrieval of information or search function as well as web browser function, email services and photo applications. In order to be deemed a distributed denial-of-service attack, more than around 3–5 nodes on different networks should be used; using fewer than 3–5 nodes qualifies as a denial-of-service attack and not a DDoS.
Defending against application layer DDoS attacks
Defending against an application layer DDoS attack requires DDoS mitigation. Successful mitigation requires correctly identifying incoming traffic to separate human traffic from human-like bots and hijacked browsers.
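As an added illustration (not part of the original article), the sketch below shows one way a defender might spot the pattern described under "Method of attack" in web server access logs: it flags a single client over-exercising one function, and a function receiving abnormal aggregate load from many clients that each look legitimate. The function names, thresholds, paths and the Common Log Format input are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (epoch_seconds, client_ip, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return when, ip, target.split("?", 1)[0]  # group by function, ignore query

def detect(lines, window=10, per_client_limit=5, per_path_limit=12):
    """Scan chronologically ordered lines with a sliding window of `window` seconds.
    Returns (noisy (ip, path) pairs, {hot path: distinct clients seen in the window})."""
    by_client = defaultdict(deque)   # (ip, path) -> timestamps
    by_path = defaultdict(deque)     # path -> (timestamp, ip)
    noisy, hot = set(), {}
    for rec in filter(None, map(parse, lines)):
        t, ip, path = rec
        cq, pq = by_client[(ip, path)], by_path[path]
        cq.append(t)
        pq.append((t, ip))
        while cq[0] <= t - window:
            cq.popleft()
        while pq[0][0] <= t - window:
            pq.popleft()
        if len(cq) > per_client_limit:       # one client hammering one function
            noisy.add((ip, path))
        if len(pq) > per_path_limit:         # many quiet clients, one function
            hot[path] = max(hot.get(path, 0), len({i for _, i in pq}))
    return noisy, hot

def sample_log():
    """Constructed input; addresses come from the RFC 5737 documentation ranges."""
    events = [(0, "198.51.100.7", "/index.html"), (3, "198.51.100.7", "/about")]
    events += [(s, "203.0.113.9", "/search?q=a") for s in range(7)]
    events += [(s % 10, f"192.0.2.{s % 8 + 1}", "/report?id=1") for s in range(16)]
    fmt = '{} - - [01/Jan/2024:00:00:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
    return [fmt.format(ip, s, p) for s, ip, p in sorted(events)]

if __name__ == "__main__":
    print(detect(sample_log()))
```

The per-path result reports how many distinct clients contributed, which helps distinguish one misbehaving client from load spread across many sources that each stay under the per-client limit.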