503 “Service Unavailable” … Busy Server or DDoS Attack?

503 “Service Unavailable” … Ever receive this error code from one of your web servers?

How about this in your log files?

TCP   192.168.3.102:34678      91.128.45.2:443      ESTABLISHED
TCP   192.168.3.102:34680      198.23.78.45:80      ESTABLISHED
TCP   192.168.3.102:34685      40.33.75.45:443      TIME_WAIT
TCP   192.168.3.102:34696      40.33.75.45:443      TIME_WAIT
TCP   192.168.3.102:34705      91.13.15.23:443      TIME_WAIT
TCP   192.168.3.102:34715      91.13.15.23:443      TIME_WAIT

Busy server? Maybe not. It could be the result of an application-layer DDoS attack.
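One way to get past "maybe" is to summarize the connection table instead of eyeballing it. The script below is an added example, not code from NETSCOUT Arbor or from the original post: it parses rows in the netstat-style layout shown above (the sample is constructed, extending the six rows above with four more), groups sockets by the peer address, reports how much of the table sits in TIME_WAIT, and flags any peer holding more sockets than a busy-but-normal client would. The thresholds (`max_sockets`, `max_established`) are assumptions to tune for your own baseline; a concentration of sockets from one peer is a signal worth correlating with 503s and server load, not proof of an attack.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout the post quotes (netstat -an style):
# proto, local address:port, remote address:port, state.
SAMPLE_NETSTAT = """\
TCP   192.168.3.102:34678      91.128.45.2:443      ESTABLISHED
TCP   192.168.3.102:34680      198.23.78.45:80      ESTABLISHED
TCP   192.168.3.102:34685      40.33.75.45:443      TIME_WAIT
TCP   192.168.3.102:34696      40.33.75.45:443      TIME_WAIT
TCP   192.168.3.102:34705      91.13.15.23:443      TIME_WAIT
TCP   192.168.3.102:34715      91.13.15.23:443      TIME_WAIT
TCP   192.168.3.102:34720      91.13.15.23:443      ESTABLISHED
TCP   192.168.3.102:34731      91.13.15.23:443      ESTABLISHED
TCP   192.168.3.102:34742      91.13.15.23:443      ESTABLISHED
TCP   192.168.3.102:34753      91.13.15.23:443      ESTABLISHED
"""

# One netstat row: protocol, local addr:port, remote addr:port, TCP state.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)\s*$"
)


def parse_connections(text):
    """Parse netstat-style rows into dicts; header or unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            row["rport"] = int(row["rport"])
            rows.append(row)
    return rows


def time_wait_share(conns):
    """Fraction of the table that is in TIME_WAIT (0.0 when the table is empty)."""
    if not conns:
        return 0.0
    waiting = sum(1 for c in conns if c["state"] == "TIME_WAIT")
    return waiting / len(conns)


def summarize_by_peer(conns):
    """Return {peer_ip: Counter(state -> socket count)} keyed on the remote address."""
    summary = defaultdict(Counter)
    for c in conns:
        summary[c["raddr"]][c["state"]] += 1
    return dict(summary)


def flag_peers(summary, max_sockets=4, max_established=3):
    """Peers holding more sockets than the (assumed) per-client thresholds allow.

    Returns sorted (peer_ip, total_sockets, established_sockets) tuples.
    """
    flagged = []
    for ip, states in summary.items():
        total = sum(states.values())
        established = states.get("ESTABLISHED", 0)
        if total > max_sockets or established > max_established:
            flagged.append((ip, total, established))
    return sorted(flagged)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_NETSTAT)
    print(f"{len(conns)} sockets, {time_wait_share(conns):.0%} in TIME_WAIT")
    for ip, total, established in flag_peers(summarize_by_peer(conns)):
        print(f"peer {ip}: {total} sockets ({established} ESTABLISHED)")
```

Run it against a saved `netstat -an` capture to get a per-peer view; a peer that keeps several sockets ESTABLISHED while the server is returning 503s is the "low and slow" pattern the post describes, and is worth checking in the web server's access log for long-lived or repetitive requests.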

What is an application-layer DDoS attack?

The modern-day DDoS attack is complex as it typically executes a dynamic combination of Volumetric, TCP-State Exhaustion and Application-layer attack vectors. And according to NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR), application-layer attacks are on the rise.

As the graphic above shows, each attack vector has a specific goal in mind.

Volumetric attacks are designed to saturate bandwidth, internet-facing router interfaces, circuits, etc. These types of attacks can be quite large (up to 600 Gbps). According to the WISR, volumetric attacks make up 52% of all DDoS attacks; interestingly, this is a drop from 60% in 2016.

TCP-state exhaustion attacks are designed to take out what is, in many cases, an organization’s first line of defense: its firewalls, IPS, etc.

Application-layer attacks are designed to target and exhaust resources in application servers using commands like HTTP GET, PUT, etc. The number of application-layer attacks is increasing. For example, in 2017, 32% of all DDoS attacks were application-layer attacks vs. 25% in 2016. As in years past, the top targeted applications were HTTP, HTTPS, and DNS. However, this year’s report indicated a rise in new targets such as email and SIP/VoIP applications.

Why are Application-layer DDoS attacks on the rise?

What’s driving this? Well, one reason is that attackers believe in the old adage “size isn’t everything”. “Stealth” is just as important. Attackers understand that, unlike volumetric attacks, which draw attention, application-layer attacks are “low and slow”, meaning they consume very little bandwidth and normally fly under the radar of traffic-management systems, yet the results can be just as impactful.

How to prevent DDoS Attacks

The NETSCOUT Arbor APS (APS) is an industry-leading DDoS attack protection device that can stop all types of DDoS attacks. In fact, APS excels at automatically detecting and stopping application-layer attacks. So, the next time you see:

“503 Service Unavailable” or TIME_WAIT

Don’t just assume it’s a busy server; you may be under a DDoS attack.

For more information about the NETSCOUT Arbor APS product, visit here.