Figure 6: Application attacks are the most prevalent today.

An application attack is different from a network attack in that it is specific to the application being targeted. Whereas a SYN flood can be launched against an IP address, an application attack will usually exploit properties specific to the victim, such as the repeated downloading of a single PDF file on the website. To lower-level security devices such as firewalls, the attack connections are indistinguishable from normal traffic.

BIG-IP ASM brings together a variety of anti-attack and DDoS prevention technologies specifically designed to mitigate application layer attacks, including the majority of the OWASP Top 10. BIG-IP ASM learns the expected input for every page in the site it protects and generates a security policy to protect that page. Because BIG-IP ASM is application-aware, it can foil application-layer attacks that abuse the application, the database, or the business logic.

BIG-IP ASM can distinguish between humans and robots as the sources of traffic and use this information during an attack to block non-human visitors. It can also inject JavaScript redirect code into the stream to foil the majority of botnet slaves while allowing access to legitimate browsers. Finally, BIG-IP ASM can also rate-limit traffic to specific application servers when it detects that an attack may be underway.

A solution that can provide early warning about the attack vectors and defend against multiple, simultaneous vectors is therefore the most effective. The combination of BIG-IP LTM, appropriate iRules, and BIG-IP ASM defeats a large number of application-layer attacks.

Figure 7: Multiple attack vectors can be defeated by BIG-IP technologies and products working together.

BIG-IP ASM can mitigate these attacks from a different angle, however, by monitoring the application's response time (which is by itself the most accurate detection method) and then sequentially applying three different countermeasures:

1. A smart JavaScript injection that will verify that the user is indeed using a browser. Most attacking tools are not browser-based, since browsers are not designed to send a lot of requests per second. In addition, this countermeasure can deal even with an attacker using a website behind a proxy without affecting the traffic of legitimate users connecting through the same proxy. In either case, the identified attacker's connection is dropped.
2. If the JavaScript injection doesn't solve the problem, (for example, when it doesn't effect a positive change in latency), then BIG-IP ASM will rate-limit GET requests from even the chattiest IP addresses.
3. If neither the first nor the second countermeasures solves the issue, BIG-IP ASM escalates to rate-limiting per URL.

Slowloris attacks

The Slowloris and PyLoris attack tools achieve denial of service by feeding an HTTP header to a server in an extremely slow fashion. Slowloris starts by probing the target service to determine its inactivity timeout—usually about five minutes or 300 seconds. Once the interval is known, Slowloris opens connections that emulate a simple browser and sends a bogus HTTP header just ahead of the timeout (for instance, every 299 seconds):

 HTTP/1.1 GET / X: a <299 second pause> X: a <299 second pause> X: a <299 second pause>

The connections will go on like this forever. When enough of them have engaged a specific web server, that server will no longer have enough connections to accept new requests, resulting in a denial of service.

BIG-IP LTM, as a standard, layer 7, full-proxy virtual server for HTTP, mitigates these attacks in its TMOS high-performance traffic management microkernel or simply dilutes the attack with the PVA. It will never pass along Slowloris and Pyloris requests because it will be waiting for the final double carriage return that marks the end of the headers. Since the attack tools never send that token, BIG-IP LTM does not consider the connections valid. Eventually they will be discarded without ever consuming resources behind the ADC.

For distributed Slowloris attacks, where millions of Slowloris connections may pile up at the BIG-IP device, a Slowloris iRule takes a more proactive approach to dealing with the attack.

Slow POST attacks

The slow POST attack is similar to the Slowloris attack but can only be mitigated with the BIG-IP ASM module. Slow POST works by starting an HTTP POST operation (like an upload) and then feeding the upload data in very slowly:

 HTTP/1.1 POST /target-url Content-Length: 1048576 Host: a a <pause> b <pause> c <pause>

BIG-IP ASM mitigates this and other low-bandwidth attacks by cataloging the performance of each request and then limiting the number of very slow connections per CPU core.

By establishing and enforcing a limit on these kinds of attacks, BIG-IP ASM allows access to legitimate clients with poor connections while defending the resources from malicious overloading.

BIG-IP LTM mitigates this HashDoS attack through the application of a public iRule that drops any POST that contains an excessive number of form variables or an excessively large payload. By mitigating the problem at the ADC, organizations protect all back-end web server platforms at the same time. BIG-IP ASM mitigates this attack by using a signature and limiting the total number of parameters that can be sent on a single request.

Figure 8: F5 solutions protect all web service platforms against HashDoS attacks.