DDoS (distributed denial of service) and DoS (denial of service) attacks can be broadly classified into three categories based on the layers of the OSI model they target: network layer (Layer 3), transport layer (Layer 4), and application layer (Layer 7).

Layer 3 and Layer 4 attacks are typically less complex–even though that they might be very challenging to mitigate–and involve flooding the network and transport layer with traffic, overburdening the target system’s resources and making it unavailable to legitimate users. These types of attacks can be launched using various techniques such as ICMP floods, TCP SYN floods, or UDP floods.

An ICMP flood for example, is a Layer 3 attack in which a large number of ICMP packets are flooded into to the target system, rendering it unresponsive. A TCP SYN flood, on the other hand, is a layer 4 attack who exploit the TCP connections in exploit.

in a SYN flood attack, һөҗүмче максат системага күп SYN пакетларын җибәрә, ләкин тоташтыруны тәмамлау өчен ACK пакетын беркайчан да җибәрми. Бу системаның һәр тоташтыру омтылышы өчен ресурслар бүлеп бирүенә китерә, нәтиҗәдә, системага йөкләнеш китерә һәм аны легитимлы кулланучылар өчен кулланмый. UDP ташкыны максатчан системага күп санда UDP пакетларын җибәрә, ресурсларын сарыф итә һәм җавап бирми.

Кушымта дәрәҗәсендәге DDoS һөҗүмнәре

Кушымта катламына һөҗүмнәр катлаулы һәм йомшарту авыррак 3 һәм катлам 4 һөҗүмнәр. Бу һөҗүмнәр кулланма катламына юнәлтелә (катлам 7) максатчан системаның һәм кушымтаның үзендәге җитешсезлекләрдән файдалана. Layer 7 һөҗүмнәр күбрәк зыян китерергә мөмкин, чөнки алар кушымталарга һәм нигез инфраструктурасына турыдан-туры тәэсир итә ала. You won’t be able to mitigate layer 7 DDoS attacks with layer 3 or layer 4 tools such as with network firewalls.

HTTP floods, Slowloris attacks, and DNS amplification attacks are Layer 7 denial of service attacks. These attacks require more sophisticated defenses such as application-layer firewalls, intrusion prevention systems, and CDN (content delivery networks).

HTTP floods

HTTP floods attacks are performed using GET or POST requests to overwhelm the target server. Flood attacks using GET requests are usually simpler and require fewer resources because they only ask for information from the server. POST requests, on the other hand, typically require sending large amounts of data.

One of the reasons HTTP flood attacks are difficult to mitigate is that they are often launched from a large number of sources, making it difficult to identify and block all malicious traffic. Additionally, attackers can use techniques such as IP spoofing to disguise their true identities and make it even more difficult to trace the source of their attacks.

Defending against HTTP flood attacks can be complicated. Different types of attacks require different mitigation strategies. Common defenses against HTTP flood attacks include rate limiting, blacklisting, and web application firewalls. However, these techniques can be resource-intensive and may not be sufficient to thwart more sophisticated attacks.

Slowloris attacks

Slowloris is a type of flooding attack in which the way web servers handle client connections is targeted. This attack works by opening a large number of connections to the server, but sending the requests at a slow rate, keeping each connection open as long as possible. This type of attack can consume all available resources of the server and allows attackers to consume CPU, memory, or network bandwidth, etc. without even triggering the typical rate limiting and traffic filtering mechanisms commonly used to detect and block other types of DDoS attacks.

To carry out a Slowloris attack, attackers typically use scripts or tools that send HTTP requests to a server, but deliberately delay sending subsequent requests. The request is designed to look like a legitimate request, but with an incomplete header that keeps the connection open indefinitely. Over time, the server will have many open connections waiting for additional data from the client, causing the server to stop responding to legitimate traffic.

Slowloris һөҗүмнәрен аларның яшерен дизайны һәм чагыштырмача аз полосалы мәгълүмат күләменә бәйле рәвештә ачыклау авыр булырга мөмкин. Бу аны серверларын бозарга теләгән һөҗүмчеләр өчен нәтиҗәле корал итә, алар хәбәрдарлык тудырмыйча яки шик барлыкка китермичә эшли ала. Slowloris һөҗүмнәренә каршы тору өчен, веб-серверлар берничә каршылык чарасын кертеп эшли ала. Мисал өчен, бер IP-адрестан тоташу санын чикләү яки тулы түгел сорауларга вакыт чикләү урнаштыру. Кайбер веб-кулланма ут-мәйданы һәм DDoS киметү хезмәтләрендә Slowloris һөҗүмнәренә каршы төзелгән яклау бар, шундый трафикны реаль вакытта ачыклап һәм блоклый алучы алгоритмнар кулланып.

Layer 7 DDoS киметүләр

Ставканы чикләү

Рейтингны чикләү махсус IP адрес яки кулланучы агенты буенча билгеле бер вакыт аралыгында ясалган сораулар санын билгеләүне үз эченә ала. Бу төшенчә катламдагы рейтингны чикләүгә бик охшаш 3 Ләкин аны катламда гамәлгә кертү кирәк 7.

Рейтингны чикләүнең максаты - һөҗүмче зур күләмдәге сораулар белән веб кушымтаны йөкләмәүдән саклау, серверның бозылуына китермәү. Рейтингны чикләүне веб кушымтаның төрле катламнарында гамәлгә кертергә мөмкин, веб серверда, йөк дәрәҗәсе баланслагычта, яки кушымта янгын диварында. Гамәлгә кертү гадәттә билгеле бер IP адрес яки кулланучы агент тарафыннан ясалган сораулар санын күзәтүне һәм билгеләнгән лимитка җиткәч, киләсе сорауларны блоклауны үз эченә ала.

A common approach for implementing rate limiting in web applications is to use middle-ware or plugins that track the number of requests made by each client and block further requests when the threshold is exceeded. is to These plugins can be configured to apply different rate limiting policies based on factors such as the type of request, user agent, or client IP address.

Мисал өчен, a simple rate limiting policy can limit requests from a single IP address to a maximum of 10 requests per minute. If a client exceeds this threshold, subsequent requests are blocked until the period expires.

Application-layer rate limiting products are available for popular web servers and cloud services, including:

Apache

Apache has several modules that can be used for rate limiting, such as mod_limitipconn, which limits the number of simultaneous connections from a given IP address, and mod_qos, which provides various quality of service controls including rate limiting.

Furthermore, ModSecurity Web Application Firewall has a rate limiting feature that can block clients exceeding a defined threshold. In addition to the modules mentioned above, Apache also provides mod_evasive. This is a module that can be used to rate limit and block clients that exceed a defined threshold. Detect and block rogue clients using a variety of techniques, including IP and user-agent tracking.

Nginx

Nginx provides ngx_http_limit_req module. This can be used to limit the request rate from certain clients based on IP address or other factors. This module uses a token bucket algorithm to allocate tokens to each client based on a rate limiting policy. Besides ngx_http_limit_req module, Nginx also provides ngx_http_limit_conn module. This can be used to limit the number of connections from specific clients or IP addresses. This module uses a token bucket algorithm to allocate tokens based on rate limiting policies.

IIS

Microsoft’s Internet Information Services (IIS) includes a dynamic IP limiting module that can be used for rate limiting. This module can be configured to block requests from IP addresses that exceed predefined thresholds and can also provide alerts and logs for monitoring. In addition to the Dynamic IP Limiting module, IIS also provides a Request Filtering module that can be used to limit the request rate of specific clients based on various criteria such as IP address, user agent, and request method.

AWS

Amazon Web Services (AWS) offers several services that can be used for rate limiting, including AWS WAF with rate limiting as a feature.

AWS Shield offers DDoS protection including rate-based rules that can block requests from IP addresses above a certain threshold. Additional to AWS WAF and AWS Shield, AWS also offers AWS Elastic Load Balancer. It includes various rate limiting policies that can be configured to block clients over predefined thresholds.

Azure

Microsoft Azure offers several services that can be used for rate limiting, including Azure Application Gateways. Бу кергән сорауларның күләмен чикләр өчен көйләнергә мөмкин булган веб-кулланма утрыгы (firewall)ны үз эченә ала. Additionally, Azure Front Door тәкъдим итә күчерешләрне чикләү функциясе алдан билгеләнгән чикне узган IP-адреслардан килгән сорауларны блоклый ала. Azure Application Gateway һәм Azure Front Door кертеп, Azure шулай ук Azure Firewall тәкъдим итә. Бу билгеләнгән чикне узган клиентларны чикләү һәм блоклау өчен кулланыла ала.

GCP

Google Cloud Platform (GCP) Cloud Armor тәкъдим итә, бу - веб-кулланма утрыгы (firewall) дәрәҗәсендә күчерешләрне чикләү мөмкинлекләре белән, билгеләнгән чикне узган клиентлардан килгән сорауларны блоклый ала.

Бу кушымта катламы дәрәҗәсендәге күчерешләрне чикләү продуктлары, явыз клиентлардан килгән сораулар санын чикләү аша HTTP флуд һөҗүмнәрен нәтиҗәле киметергә мөмкин. However, it is important that they are properly configured to not block legitimate traffic and used in conjunction with other security measures such as firewalls and DDoS mitigation services to provide comprehensive protection against DDoS attacks.

Timeouts for incomplete requests

Below are some Slowloris application layer mitigation methods which are listed for Apache, Nginx, and IIS web-servers, and load-balancers and additional features for AWS, Azure, and GCP services:

Apache

In addition to the modules mentioned above, Apache also provides a module, mod_reqtimeout, that can be used to set a timeout for incoming requests. If the client sends a request that takes longer than the specified timeout, the server will close the connection. This will prevent slowloris attacks.

Nginx

Besides ngx_http_limit_conn module and ngx_http_limit_req module, Nginx also provides his ngx_http_request module. Бу югары дәрәҗә серверның сорауны эшкәртү вакытын чикләү өчен кулланылырга мөмкин. Әгәр югары дәрәҗә сервер билгеләнгән вакыттан озаграк эшләсә, Nginx тоташуны ябар.

IIS

Dynamic IP Restrictions һәм Request Filtering модульләренә өстәп, IIS шулай ук керналы режимдагы драйвер тәкъдим итә HTTP.sys. Бу кергән сораулар өчен вакыт чикләүне билгеләргә мөмкинлек бирә. If the client sends a request that takes longer than the specified timeout, the server will close the connection.

AWS

AWS WAF һәм AWS Shield өстенә, AWS өстәмә рәвештә Elastic Load Balancer тәкъдим итә, ул күпсанлы тоташу вакытын чикләү кагыйдәләрен үз эченә ала, алар билгеле бер вакыттан озак тоташуларны ябу өчен конфигурацияләнергә мөмкин.

Azure

Azure Application Gateway һәм Azure Front Door кертеп, Azure өстәмә рәвештә Azure Load Balancer тәкъдим итә, ул билгеле бер вакыт дәвамында утырып торган тоташуларны ябу өчен кулланылучы көйләргә мөмкинIdle timeout үзенчәлеген үз эченә ала.

GCP

Google Cloud Platform (GCP) gives numerous connection timeout alternatives for its services, which include Cloud Load Balancing, which incorporates a configurable timeout characteristic that may be used to shut connections that take longer than a predefined threshold.

Conclusion

In conclusion, DDoS and DoS attacks can be classified based on the layers of the OSI model they are targeted at, such as the network layer (Layer 3), transport layer (Layer 4), and application layer (Layer 7).

While layer 3 һәм катлам 4 attacks flood the network and transport layers with traffic, катлам 7 attacks are more complex and exploit vulnerabilities in the applications themselves. HTTP floods and Slowloris attacks are examples of layer 7 denial of service attacks. Countermeasures against these attacks include rate limiting, blacklisting, and web application firewalls. Identifying and containing attacks in real time requires a comprehensive, multi-layered defense strategy that includes monitoring, detection, and response capabilities.

Additionally, attackers can customize their techniques and tailor their attacks to evade detection and evade security measures. Therefore, it is imperative that organizations implement a comprehensive, multi-layered defense strategy that includes monitoring, detection, and response capabilities to rapidly identify and contain attacks in real time. This may include using advanced machine learning algorithms and behavioral analytics to detect and block malicious traffic patterns.