Denial of Service (DoS) attacks have been around since the beginning of the web era. Originally, DoS involved networking packet traffic floods that overwhelmed a web server, denying service to other legitimate users.
A new type of DoS attack has emerged in recent months that goes beyond the basics and takes aim at the higher levels of the networking stack. A pair of researchers from security firm Trustwave - SpiderLabs are detailing the new DoS attacks this week at the Black Hat D.C. security conference and providing some suggestions on how to mitigate risk.
"Denial of Service at layer 4 is about simultaneous connections on the network layer that overloads connections," Tom Brennan, director at Trustware SpiderLabs told InternetNews.com. "Now you can use layer 7 and web applications to cause a Denial of Service."
Brennan explained that a layer 7 DoS occurs when a client comes to a web server and makes a connection request such as a form field via an HTTP POST request. The web server waits for the form field request data, which is sent by the attack at a very slow rate.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"What if I was able to have one machine create 20,000 plus connections to the web server and send a really slow form request," Brennan said. "What I'm doing is a Denial of Service that is going to make the web server unavailable to legitimate clients."
Brennan is involved with OWASP (Open Web Application Security Project) and has published a tool called the HTTP POST tool (http://www.owasp.org/index.php/OWASP_HTTP_Post_Tool) to help enable security professionals to see if they are at risk from a layer 7 DoS attack. The potential risk from the HTTP POST DoS attack is wide ranging as it could prevent users of a web service from logging into a site, which uses a form login.
As opposed to traditional DoS attacks which can be blocked by an IPS, the layer 7 attacks are harder to deal with.
"The main paradigm shift has to do with focusing away from network bandwidth and looking at local resources on the Web server platform itself," Ryan Barnett senior security researcher at Trustwave SpiderLabs told InternetNews.com. "The bottom line is that the overall amount of traffic needed to potentially take down a website is much less than is required to flood the network pipe leading to the web server."
"Mod_reqtimeout certainly helps as it allows the Apache admin to place hard limit timeouts on fully receiving both the request headers and/or body," Barnett said. "While this is a good step, this module is still experimental."
Barnett noted that currently the RequestReadTimeout settings are global and would apply to an entire site. Apache can further be secured with the help of the modsecurity which is an open source Web Application Firewall (WAF) effort that Barnett helps to lead. Trustwave also has a commercial product called WebDefend which is a WAF that builds on the open source modsecurity effort.
"We added in the SecReadStateLimit directive to give an alternative approach to identifying/reacting to Slow HTTP Header types of attacks," Barnett said. "This is not a timing threshold approach but it will identify when clients have too many connections that are sitting in the SERVER_BUSY_STATE mode."
That said Barnett warned that Layer 7 DoS Attacks includes a wide net of attacks. His Black Hat presentation is focused on what he calls "Connection Consumption Attacks" from the app server's point of view.
"This means that both the slow headers and slow body attacks are opening all of the connection threads available on the web server and then just sitting idle," Barnett said. "There are, however, other types of Layer 7 DoS attacks that can impact web applications. For example, we have seen with our customers where attackers will send in SQL Injection attacks that cause the back-end DB to become unresponsive, thus causing a DoS condition for all users."
Barnett added that being able to measure the application performance and identify deviations is tremendously useful. Trustwave's WebDefend WAF has Application Performance Monitoring capabilities which can help in that area.
With some types of web attacks, web applications developers can do things to help reduce the risk, but that's not necessarily the case with layer 7 DoS.
"These types of slow HTTP request DoS scenarios are essentially the cart before the horse in that they attack the underlying protocol handling by the web server platform itself (Apache, IIS, etc ) before the requests ever reach the actual web application code," Barnett said. "This is a perfect example of how organizations need to have proper situational awareness for the live systems and where secure coding from within the application will not protect you from everything."
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.