Edge Articles

(image source: Vladimir Buynevich, via Flickr)

Many companies have experienced an application-level DoS event without ever being the target of a real attack. Every time a retail company has complained that "so many people came to our site to buy our special product!" they've managed to use marketing to launch a DoS attack against themselves.

In addition to simply DoSsing themselves, companies can find a DoS attack on their application layer that comes in any of several flavors. One of the more insidious, and one that puts application layer DoS in a different category of attacks than the others to ba addressed, is called "low and slow."

How It Works
Low and slow attacks take advantage of the timeout setting of a server — the time between actions before the server "gives up" on a transaction and terminates the session — to generate just enough traffic, just often enough, to keep the application operating at full capacity.

Low and slow attacks are frequently launched using tools with names like Slowloris, which attacks by keeping HTTP sessions barely alive, and R.U.D.Y, which submits form data at an excruciating — but fast enough to keep the session alive — pace.

How to Defend Against It
Application-level attacks can use HTTP headers, HTTP GET, HTTP PUT, or TCP traffic to do their dirty work. Because they don't depend on either massive traffic flows or misshapen packets to be effective, they can be difficult to defend against.

Web application firewalls (WAFs) and, depending on the application's architecture, cloud service firewalls can help, but security teams should work closely with application developers to make sure that legitimate customers — with their legitimate dollars — aren't excluded from transactions.

{Continued on Next Page}

2 of 4