Mitigating Low-and-Slow Attacks On Applications and APIs

“Low-and-slow” may sound like an outdated topic, but it is still very relevant and timely: 65% of organizations suffered low-and-slow attacks in 2020, and 30% of them suffered one monthly. So let’s give this the five minutes it deserves!

When an attacker wants to bring an application down, the easiest way is to flood it with a massive amount of traffic and overwhelm the application server (a Distributed Denial of Service, or DDoS, attack). However, many technologies today can detect and block such attempts, whether by IP- or signature-based blocking, quota management or dedicated DDoS mitigation solutions.

In the last month, alongside floods, we have seen another old yet very effective technique coming back: the low-and-slow attack.

A Refresher on Low-and-Slow

Instead of generating a sudden burst in traffic volume, low-and-slow (aka low-rate) attacks fly under the radar. They aim to bring a target down quietly by opening a relatively low number of connections over a period of time and holding those sessions open for as long as possible.

Common methods include sending partial HTTP requests and sending small data packets or “keep alive” messages to keep the session from going idle or timing out. These attack vectors are hard not only to block, but also to detect.


There are several known tools available to perpetrators for launching such attacks, including SlowLoris, SlowPost, SlowHTTPTest, Tor’s Hammer, R.U.Dead.Yet and LOIC.

Low-and-slow attacks, which used to be very effective against applications, are now taking advantage of overlooked APIs that aren’t as well guarded as applications, using them as the path to the target. Because the volume is low — and the traffic may look like a legitimate attempt to connect to the application or server resources — a different mitigation technology is required: the source should be blocked on a behavioral basis rather than on reputation.

Behavioral Blocking

The synchronization between the detection and mitigation components is one reason why Radware is a recognized industry leader in DDoS protection: behavioral learning algorithms monitor and measure the TCP connection response times of both client and server and verify that the source is indeed interacting with the application as expected.

This method involves no interaction with the application and introduces no risk to it, since mitigation is done at the session level. Then, using a unique signaling mechanism and automated workflows, subsequent attempts are blocked at the network perimeter with no impact on the application.
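To make the behavioral idea concrete, here is an added example (not Radware’s code and not any product’s algorithm) that applies the two observations above to a snapshot of open connections: a connection that has been open for a while, still has no complete request, and is trickling bytes is “slow”, and a source holding many such connections at once is flagged, while a single slow client or a legitimate long-lived session is not. The record format, the thresholds and the sample addresses are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """Snapshot of one open client connection (hypothetical record format)."""
    src: str            # client address
    age_s: float        # seconds the connection has been open
    bytes_in: int       # request bytes received from the client so far
    request_done: bool  # True once a complete request has arrived


def is_slow(c: Conn, min_age_s: float = 30.0, max_rate_bps: float = 64.0) -> bool:
    """A connection looks 'slow' when it has been open for a while, still has
    not delivered a complete request, and is trickling bytes below max_rate_bps.
    The thresholds are assumed values; tune them to the server's own timing."""
    if c.age_s < min_age_s or c.request_done:
        return False
    return c.bytes_in / c.age_s < max_rate_bps


def flag_sources(conns, min_age_s=30.0, max_rate_bps=64.0, max_slow=5):
    """Return sources holding at least max_slow slow connections at once.
    One slow connection is normal (a lossy mobile link, say); many concurrent
    ones from a single source is the low-and-slow pattern."""
    per_src = defaultdict(int)
    for c in conns:
        if is_slow(c, min_age_s, max_rate_bps):
            per_src[c.src] += 1
    return sorted(s for s, n in per_src.items() if n >= max_slow)


# Constructed sample snapshot (documentation-range addresses, not real traffic).
SAMPLE = (
    # Six connections, each open two minutes, 240 bytes of headers, never finished.
    [Conn("198.51.100.7", 120.0, 240, False) for _ in range(6)]
    # A legitimate long session: request completed, server streaming a large response.
    + [Conn("203.0.113.5", 300.0, 512, True)]
    # A genuinely slow client: one trickling connection, below the count threshold.
    + [Conn("192.0.2.9", 45.0, 1_000, False)]
    # Brand-new connections have no history yet and are never judged slow.
    + [Conn("192.0.2.9", 2.0, 0, False), Conn("192.0.2.9", 3.0, 12, False)]
)

if __name__ == "__main__":
    print("flagged:", flag_sources(SAMPLE))  # ['198.51.100.7']
```

Flagged sources are candidates for a session-level action (dropping or rate-limiting their idle connections) rather than an immediate reputation block, which is the distinction the post draws.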


*** This is a Security Bloggers Network syndicated blog from Radware Blog authored by Ben Zilberman. Read the original post at: https://blog.radware.com/security/ddosattacks/2021/03/mitigating-low-and-slow-attacks-on-applications-and-apis/
