Security professionals know the dangers associated with distributed denial-of-service attacks (DDoS). These attacks typically target the core data transmission protocols that form the foundation of every organization' internet services.
However, these network-layer attacks are not the only type of DDoS attack that exists. Hackers can also target application-layer protocols like HTTP.
These attacks used to be difficult and expensive to carry out.
Traditionally, only well-funded nation-state threat actors could reliably leverage the infrastructure needed to carry out advanced HTTP flood attacks.
This appears to be changing, with non-nation-state-affiliated threat actors carrying out HTTP flood attacks in higher numbers. These cybercriminals presumably use DDoS-as-a-service tools developed by one or more major cybercrime syndicates.
Like regular DDoS attacks that target the network layer, HTTP flood attacks leverage botnets to overwhelm target servers with frivolous requests, forcing them to stop working. Achieving this on the application layer involves considerable technical challenges. Cybercriminals must hijack virtual machines and provision them with highly randomized fingerprints while enabling them to make complex HTTP requests.
In both cases, these attacks mimic the actions of legitimate human users in ways that traditional DDoS attacks do not. Targeting the application layer involves creating significantly more complex requests than, for example, a late 1990s-style Ping of Death.
Mitigating attacks on the application layer presents additional challenges to organizations. Many solutions impact the usability of web-based assets and create user friction.
For example, CAPTCHA-style tests can prevent bots from abusing the HTTP protocol. However, forcing users to undergo CAPTCHA tests every time they navigate to your website doesn't help the user experience.
Under-the-hood solutions like JavaScript computational challenges can also mitigate some of these attacks. Many web application firewalls include technologies for detecting and blocking malicious HTTP traffic.
However, many of these solutions are not sufficiently advanced to protect against the highly randomized fingerprinting observed in recent attacks. New techniques enable cybercriminals to blend fraudulent traffic with traffic from reputable third-party DNS resolvers like Google and Cloudflare. You can't block every query from these addresses without damaging your web capabilities.
Add the increased bandwidth and complexity that hijacked virtual machines offer to hackers, and new "hyper-volumetric" attacks become possible. That' how attackers reached a new record-breaking 71 million requests per second in an early 2023 attack.
Managed detection and response providers like Lumifi are in the right position to help organizations defend against increasingly sophisticated HTTP flood attacks. Instead of relying on security measures designed for highly automated network-layer attacks, Lumifi uses curated threat intelligence and behavioral analytics to pinpoint abusive HTTP traffic.
Lumifi provides organizations with the expertise they need to implement these technologies successfully.
Find out how your security team can leverage advanced detection and response capabilities to mitigate the risk of HTTP flood attacks.
