The 4 Things You Need to Know About Application Denial of Service
Bad bots strike websites hard and fast, attacking in overwhelming numbers before moving on. If your website is a target, you need to be concerned about where the assaults are hitting. Sudden traffic spikes on your homepage may just slip by, revealing limited collateral damage.
More sophisticated attacks, such as account takeover, credit card fraud, form spamming, and some forms of scraping, require deeper penetration into your applications. In these, your login page or payment processor traffic numbers instantly spike—without warning—leaving you helpless until the bots have moved on. Meanwhile your customers are locked out, uptime (SLA) guarantees go out the window, and your application is offline for an indefinite period of time.
How frequent are such assaults? It’s difficult to find a measurement for application denial of service since every application is different, but in our 2017 Bad Bot Report, Distil found that 32.36% of our customers were affected by one or more “spike days” (when bad bot traffic was three times the daily average) per year.
Of those experiencing such spikes, the range of spike days was 84 (90 days on the high end and six days on the low end). The majority (77%) of sites affected by such spikes experienced between 1 and 19 spike days over the course of a year.
If your site is among that 32.36%, it’s likely to suffer multiple spike days over the course of a year. While it’s most likely to experience six spike days in total, as many as 90 could occur. On average, you should expect 15.59 spike days in a single year.
Your site is most likely to fall within that group if it has attributes such as payment processors, pricing and other data, signups/logins, and/or web forms.
If your job is to keep your application online, one spike day is too many. Spikes in bad bot traffic will invariably increase fixed costs, e.g., bandwidth. They increase ever upward if new infrastructure has to be provisioned to handle additional load.
If the application goes down, costs to your business, such as lost revenue, poor customer experience, and brand damage, can be exponential—not to mention the cost of your time yanked away from important projects and initiatives while you struggle with damage control and conduct post mortem investigations.
What is Application Denial of Service and How Does it Work?
During a volumetric DDoS attack a website is flooded, preventing access to its services. Being an easy-to-spot, OSI layer 3 assault, it can flood your upstream infrastructure to the point where packets never arrive at the web server.
In contrast, an application denial of service occurs when bots programmatically abuse the business logic of your website. This happens at layer 7 (the application layer), so your firewall and load balancer continue to function just fine. Rather, it's the web application and backend that keel over.
For example, if your home page traffic triples, you can handle it. But the same amount of traffic to a shopping cart page will incur a much higher computational hit, because the requests impact inventory and cross-sell databases—in addition to payment processing, fraud, and other tools. It doesn't take much traffic on that page for an application DoS attack to take hold.
Mirai Botnet: Massive Application Denial of Service Attack
Bad bot attacks can be launched from personal computing devices, server farms, and IoT devices. In September of 2016, the popular krebsonsecurity.com security blog site was taken offline by a record 620 Gbps attack launched from an army of infected IoT devices.
Shortly thereafter, the source code for an IoT botnet dubbed “Mirai” was leaked. Subsequent large-scale DDoS attacks have ensued—including attacks on some of the world’s largest DNS providers.
Mirai is such a potent threat because it leverages devices that have no way of affording any protection—it is a new type of threat. Basically small computers, IoT devices are shipped out to retailers, vulnerabilities and all, with no way to contact their manufacturer should a vulnerability emerge. The result is that every IoT device transforms into a weapon controlled by online assailants. Security patching usually doesn’t exist and the device’s new role is likely unknown to its unsuspecting owner.
Why Most Prevention Methods Fail
When discussing bot problems with prospective clients, Distil often hears, “I’ve got a web application firewall (WAF) to handle that.” However, WAFs were never designed to manage the volume, variety, and sophistication of today’s bots. Instead, they only identify and block application exploits seeking to attack a coding vulnerability. They are IP-centric and use attack signatures.
But in the bot world, there are no signatures. They aren’t limited to perpetrating website attacks; rather, they programmatically abuse and misuse websites, resulting in a wide assortment of problems. Bots are also dynamic—they can attack anything. If a hacker can dream up a way to misuse a site or its data (and they always do), then they can create a bot to do their dirty work. In the end, WAFs and bot detection solutions solve different problems.
Perhaps you’re thinking rate-limiting is a better alternative? If the problem with aggressive bad bots is that they make enough requests to take applications offline, why not limit the amount of requests made to an application?
This is wishful thinking. Rate-limiting is only a minor annoyance to modern, highly sophisticated bad bots. They easily distribute their attacks across multiple devices (sometimes hundreds of thousands of devices, if needed), with their internal directive being to limit their total requests specifically to avoid rate-limiters.
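The gap described above, shown as an added example (not Distil's code and not part of the original article): a per-IP rate limiter sees nothing wrong while the login endpoint's aggregate volume reaches the article's "three times the average" spike level. The traffic sample, the per-IP limit, the baselines, and the use of a per-window (rather than per-day) average are all assumptions made for illustration.

```python
from collections import Counter

PER_IP_LIMIT = 20   # assumed: max requests one IP may send per window
SPIKE_FACTOR = 3    # the article's spike threshold: three times the average

def per_ip_blocked(requests, limit=PER_IP_LIMIT):
    """Return the set of IPs a classic per-IP rate limiter would block."""
    counts = Counter(ip for ip, _ in requests)
    return {ip for ip, n in counts.items() if n > limit}

def endpoint_spikes(requests, baseline, factor=SPIKE_FACTOR):
    """Return {path: (observed, baseline)} for paths at or above factor * baseline."""
    counts = Counter(path for _, path in requests)
    return {p: (n, baseline[p]) for p, n in counts.items()
            if p in baseline and n >= factor * baseline[p]}

def build_window():
    """Constructed sample: one time window of (ip, path) request records."""
    reqs = []
    # 100 ordinary visitors: 4 home page views and 1 login each
    for i in range(100):
        ip = f"198.51.100.{i}"
        reqs += [(ip, "/")] * 4 + [(ip, "/login")]
    # distributed bots: 250 addresses, only 2 login requests each,
    # so every address stays far below PER_IP_LIMIT
    for i in range(250):
        ip = f"203.0.113.{i}"
        reqs += [(ip, "/login")] * 2
    return reqs

# Assumed normal per-window request averages for each endpoint
BASELINE = {"/": 400, "/login": 100}

if __name__ == "__main__":
    window = build_window()
    print("blocked by per-IP limit:", per_ip_blocked(window))
    print("endpoint spikes:", endpoint_spikes(window, BASELINE))
```

Tracking volume per endpoint against its own baseline surfaces the abuse of the expensive page even though no single address misbehaves; deciding which of those requests are bots still needs the kind of client identification the article goes on to describe.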
How Distil Stops Application Denial of Service
Managing all of your site traffic via reverse proxy architecture, Distil Networks is the only proactive solution for mitigating malicious bot traffic—blocking malicious website traffic before it ever has a chance to reach your application.
While Distil is pre-configured to detect bots based on traps, tests, challenges, and unique identifiers (i.e., Distil Hi-Def Fingerprint), some attacks demand even more firepower. We offer several tools that make on-the-fly thwarting of a more sophisticated threat actor easy and effective.
Using the Distil Universal Access Control List feature, customers are able to enact robust custom rules through an easy-to-use graphical user interface—no coding skills required. If the threat isn’t well enough defined to tackle by way of rule-based blocking, customers have another implement in their toolbelt—machine learning.
Machine learning-based rules are unique to your traffic patterns, and the malicious behaviors our network has evaluated from around the globe. In emergency situations, machine learning can be ratcheted up to block inbound traffic more aggressively, until an attack is brought down.
Your site may be the target of a highly sophisticated, multi-staged attack such as GiftGhostBot. In those situations you have access to the experts—Distil Analyst Managed Service is a team of highly trained infrastructure and cyber security experts who will provide valuable insights, intervening on your behalf to shut down any would-be attacker.
Why Build.com Uses Distil Networks for Application Denial of Service
Distil Networks is the only proactive bot mitigation solution for application denial of service. But don’t just take our word for it. Here, Build.com—a top 5k, Alexa-ranked Ecommerce site—shares how Distil Networks helps them combat application denial of service.
For more information about our solution, visit our application denial of service page.
And if you’d like to share your experiences regarding application denial of service with an expert, we invite you to get the process started by contacting us.
About the Author
Peter Zavlaris weighs in on various topics around bot mitigation and bot defense, sharing white papers, videos and other resources on the topic.