Saturday Night Fever: Layer 7 attacks against CloudFlare sites

Recently, I've taken a look at DDoS attacks against CloudFlare sites at the IP level and the source of those attacks. The worst time for those DDoS attacks is the Wednesday Witching Hour and because of source IP address forgery most of the attacks seem to come from Mars. But layer 7 attacks, where the attacker actually connects to our hardware using TCP and makes apparently valid HTTP requests are another matter: their source is traceable because of the need to establish a TCP connection.

Layer 7 attacks are in some ways the simplest attacks: an attacker performs lots of HTTP requests hoping to overwhelm the target server. To the target these requests look perfectly valid and have to be serviced. That uses up resources on the target server and either causes it to slow down or crash. CloudFlare's automatic system monitor unusual spikes in HTTP traffic and automatically deal with HTTP DoS attacks (often with a little help from our staff). At the same time the systems gather statistics about attacks.

Looking at our attack statistics we see a layer 7 DoS attack against a CloudFlare site 95.5% of the time. Those attacks come from just 0.05% of the IP addresses we see connecting to our network. There's virtually no rest for the systems (and people!) that deal with these attacks. The attacks come in the form of floods of HTTP requests made to the site that the attacker wants to knock off line. CloudFlare's systems record the IP addresses of the machines making layer 7 attacks because the address cannot be forged and are useful for filtering purposes.

Although the attacks come all the time the worst day is Saturday. The following chart shows the number of unique IP addresses use in layer 7 DoS attacks by day of the week for the period January to August 2012.

Focusing on the largest attacks shows the same trend with an uptick on Saturdays and layer 7 DoS attackers seeming to take a bit of a break on Sundays.

Looking at the time of day shows that attacks are occurring 24 hours a day with only a slight dip in the overall number of attacks around 0700 UTC (the middle of the night in California).

But focussing on the largest attacks reveals a pattern with which our team is familiar. The largest layer 7 attacks come during the night in California (around midnight, 0800 UTC) and then again at around 1800 UTC (just when the folks who've been up half the night fighting attacks are coming into work).

So whether it's night in California, or in Europe, the layer 7 DoS attackers keep the team busy.

The trend across the year shows some intriguing, and dramatic, dips in layer 7 DoS activity. The dips in the chart are around the following dates: January 30, February 21 (Mardi Gras), March 20 (attackers recovering from St. Patrick's Day?), April 22 (did attackers take Earth Day off, or did people switch off their home machines making botnets smaller for a day?), May 29 (Memorial Day weekend), June 28 (just before July 4).

The overall trend month on month is up. For the first 6 months of 2012 we say a 10% increase in layer 7 DoS attacks but a 21% increase in large layer 7 attacks. Statistics for lower level DDoS attacks show a slight decline. Attackers appear to be switching to layer 7 attacks to take sites offline.

Since the source of layer 7 attacks is known it's possible to look at where attacks originate (or at least where the machines performing the attack are). Most of these machines will be zombies taking part in botnets. The top five countries that attack CloudFlare sites are: 18.34% from US, 11.47% from China, 7.88% Turkey, 6.96% Brazil, 6.55% Thailand.

Focussing on the US the biggest networks that attack CloudFlare sites are: Verizon Online, Comcast, AT&T, Cox, Cablevision and Charter. That's consistent with the fact that attackers use botnets of machines connected to home broadband connections for their attacks.

Of course, at CloudFlare we spend a great deal of time defending against these attacks (both automatically and with tools like I'm under attack mode). And we've successfully defended small and large sites (such as the Eurovision Song Contest) against all layers of attack.

CloudFlare's mission is all about making sure our customers' web sites stay alive.