Using Human Behavioral Analysis to Stop DDOS at Layer 7

As hackivists and hackers of all types have honed their distributed denial-of-service (DDoS) attack techniques, they've learned to get around a lot of the typical Layer 4 network heuristics intended to detect these attacks and moved on to elsewhere in the stack. Experts today say organizations need to do a better job detecting attacks at the application layer if they don't want their networks knuckling under DDOS pressure.

"The conventional way of doing DDoS mitigation is using network heuristics, looking at the packet header or looking at the aggregate of the packet and seeing how that compares to the known good behavior," says Jeffrey Lyon, president and CEO of Black Lotus. "You're looking for that anomaly in the data set to mitigate the attack at Layer 4. But Layer 4 is very difficult to use to determine if the attack even exists if it is a very small attack."

According to figures from DOSarrest, a DDoS mitigation service, about 85% of the attacks that it sees have a Layer 7 component to them. The general idea behind an attack is to overload systems by using HTTP GET or POST requests with high impact on server resources, wrote Kurt Marko in July in InformationWeek Reports' "Why a DDoS Mitigation Service Could Save Your Assets." He explained that the technique is very effective at lower volumes and can fly under the radar because it looks like normal Web traffic. Such attacks are typically designed by developers who might do their homework by looking over websites for page requests that aren't cacheable and are CPU-intensive.

"Layer 7 attacks are tough to defeat, not only because the incremental traffic is minimal, but because it mimics normal user behavior," he wrote.

This is where Black Lotus hopes to step in with a new launch announced this week that uses a patent-pending form of heuristics it calls Human Behavioral Analysis (HBA) to put the microscope on Layer 7 traffic for better detection of this tricky attack technique.

"We're taking it a step further in trying to determine whether every single person visiting a customer's website is, in fact, a real human," he said. "It is heuristics at the application layer."

Black Lotus, a DDoS mitigation service provider with a decade of experience in helping organizations of all sizes fight these attacks, has been developing and refining HBA for three years now, Lyon said.

"Up until this calendar year, we've kept it very secret," he said, explaining that it took time to develop and figure out the patent situation.

During that time, the company helped customers interested in trying a "new mitigation method" by using HBA without explicitly giving away what it was. The success it saw from these deployments and the forward progress of its patent application helped the company move forward with the product's launch this week. As it starts to publicly market HBA, Lyon said Black Lotus will not only service traditional enterprise customers in competition with bigger players like VeriSign and Prolexic, but it will also go after traditionally underserved markets like pre-IPO small organizations that couldn't normally afford the five- or six-figure price tags generally asked for in this market.