503 “Service Unavailable” … Busy Server or DDoS Attack?
503 “Service Unavailable” …Ever receive this error code from one of your web servers?
How about this in your log files?
TCP 192.168.3.102:34678 220.127.116.11:443 ESTABLISHED
TCP 192.168.3.102:34680 18.104.22.168:80 ESTABLISHED
TCP 192.168.3.102:34685 22.214.171.124:443 TIME_WAIT
TCP 192.168.3.102:34696 126.96.36.199:443 TIME_WAIT
TCP 192.168.3.102:34705 188.8.131.52:443 TIME_WAIT
TCP 192.168.3.102:34715 184.108.40.206:443 TIME_WAIT
Busy server? Maybe not. It could be the result of an application-layer DDoS attack.
What is an application-layer DDoS attack?
The modern-day DDoS attack is complex as it typically executes a dynamic combination of Volumetric, TCP-State Exhaustion and Application-layer attack vectors. And according to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR), application-layer attacks are on the rise.
As the graphic above shows, each attack vector has a specific goal in mind.
Volumetric attacks are designed to saturate bandwidth, internet facing router interfaces, circuits etc. These types of attacks can be quite large (up to 600 Gbps). According to the WISR, volumetric attacks make up 52% of all DDoS attacks – interestingly this is a drop from 60% in 2016.
TCP-state exhaustion attacks are designed to take out, what’s in many cases, an organization’s first line of defense; meaning their firewalls, IPS etc.
Application-layer attacks are designed to target and exhaust resources in application servers using commands like HTTP GET, PUT etc. The number of application-layer attacks is increasing. For example, in 2017 32% of all DDoS attacks were application-layer attacks vs. 25% in 2016. As in years past, top targeted applications were HTTP, HTTPS, and DNS. However, this year’s report indicated a rise in new targets such as email and SIP/VoIP applications.
Why are Application-layer DDoS attacks on the rise?
What’s driving this? Well one reason is that attackers believe in the old adage “size isn’t everything”. “Stealth” is just as important. Attackers understand that unlike volumetric attacks which draw attention, application-layer attacks are “low and slow”; meaning they consume very little bandwidth and normally fly under the radar of traffic management systems – Yet the results can be just as impactful.
How to prevent DDoS Attacks
The NETSCOUT Arbor APS (APS) is an industry leading DDoS attack protection device that can stop all types of DDoS attacks. In fact, APS excels at automatically detecting and stopping application layer attacks. So, the next time you see:
“503- Service Unavailable” or TIME-WAIT
Don’t just assume it’s a busy server – you may be under a DDoS attack.
For more information about NETSCOUT Arbor APS product visit here.