Websites and applications now live outside the data center, in the cloud. Such a perimeter is not easy to protect today, but there are intelligent ways to approach the problem. One is to understand these attacks in depth. DDoS attacks target either the network layer or the application layer.
With network-layer attacks, the goal is to send malicious packets over different network protocols in order to consume the target’s available bandwidth and clog its internet pipes. With application-layer attacks, however, the goal is to consume the computing resources, CPU and RAM, that a web server has at its disposal to process requests. There are also state-exhaustion attacks, which target the connection state tables in firewalls, web application servers, and other infrastructure components.
Network-layer attacks are the ones we often read about in the media, and they are blamed for service disruptions on many major sites. SYN floods, ACK floods and UDP-based amplification attacks can all be classified as network-layer attacks. Network-layer attacks are typically measured in Gbps (gigabits per second), for the amount of bandwidth they’re able to consume per second. As they “gang-rush” the website, they are also called volumetric attacks. Arbor reported on such attacks in 2015 and described 17% of all attacks they handled as bigger than 1GBps, with the average size of the attack at 804 Mbps / 272K pps. The big ones peaked at 335 Gbps.
Application-layer attacks, however, can be small and silent compared to network-layer attacks, but just as disruptive, and actually more complex to handle. Application-layer attacks generally require far fewer packets and much less bandwidth to achieve the same goal: taking down a site. Application-layer assaults are measured in RPS (requests per second), for the number of processing tasks initiated per second. They are executed by bots, non-human visitors that are able to complete a TCP handshake in order to interact with a targeted application.
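
Because application-layer attacks show up as request rate rather than bandwidth, a defender can look for them in web server access logs. The sketch below is an added example, not part of the original article: it assumes Common Log Format, and the log lines, addresses, 5-second window and threshold are constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime

# Common Log Format prefix: client, identity, user, [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse(lines):
    """Return [(epoch_seconds, client)] for parseable lines; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        events.append((int(ts.timestamp()), m.group(1)))
    return events

def peak_rps(events, window=5):
    """Highest request rate (requests/second) averaged over any `window`-second span."""
    q, peak = deque(), 0.0
    for ts, _ in sorted(events):
        q.append(ts)
        while q[0] <= ts - window:   # drop requests older than the window
            q.popleft()
        peak = max(peak, len(q) / window)
    return peak

def noisy_clients(events, threshold_rps, window=5):
    """Clients whose own peak RPS exceeds the threshold."""
    per_client = {}
    for ts, ip in events:
        per_client.setdefault(ip, []).append((ts, ip))
    return sorted(ip for ip, ev in per_client.items()
                  if peak_rps(ev, window) > threshold_rps)

def _line(ip, sec):  # constructed sample line, documentation-range addresses
    return f'{ip} - - [10/Oct/2015:13:55:{sec:02d} +0000] "GET /search?q=a HTTP/1.1" 200 512'

SAMPLE = ([_line("192.0.2.10", s) for s in range(10) for _ in range(8)]  # bot: 8 req/s
          + [_line("198.51.100.7", s) for s in (0, 4, 9)]               # ordinary visitor
          + ["not a log line"])                                         # malformed, skipped

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print("site peak RPS:", peak_rps(ev))
    print("clients over 5 RPS:", noisy_clients(ev, threshold_rps=5))
```

In the constructed sample the flagged client receives only about 4 KB of responses per second (8 requests of 512 bytes), a volume that a bandwidth-based alarm would not register.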