Not only have attackers added complexity through the increased size and scope of botnet armies; the complexity within each attack has also increased by combining various attack vectors in a single campaign. Application-layer attacks are employed in these campaigns in a variety of ways. Sometimes they are used to distract IT and security personnel from other security breaches taking place at the same time, such as a malware intrusion. And sometimes the volumetric attacks are the distraction that hides the more focused application-level attacks, which do the real damage.
The other part of a comprehensive DDoS protection strategy must focus on attacks that cloud solutions are not equipped to detect in a timely manner. Because application-layer attacks give the impression of legitimate traffic, they do not automatically trigger the attack-traffic rerouting employed by cloud-scrubbing solutions. Additionally, cloud solutions are typically not equipped to monitor the encrypted HTTP traffic that makes up most application-layer traffic, mainly because most networks do not want their authorized certificates residing in the cloud, nor do cloud vendors want the responsibility of managing their customers' certificates.
A hybrid or layered defense combining on-premises and cloud-based detection and mitigation, informed by global threat intelligence alerts and powered by automation, is widely considered best practice for detection and mitigation of all DDoS attacks, including application-layer attacks.
In this paper, we explore application-layer attacks against core DNS infrastructure, namely authoritative name servers (ANSs). Compared to volumetric DoS attacks, application-layer attacks are more appealing to adversaries. In particular, they (i) are significantly harder to distinguish from benign traffic, (ii) target not only bandwidth but also computational resources, and (iii) do not rely on IP address spoofing and can be launched even though providers deploy egress filtering. This makes them attractive for botnets.
We present an application-layer attack against DNS that creates an order of magnitude more queries per second than existing attacks. For this attack, we revisit how DNS chains can be abused to amplify traffic, and are the first to combine application-layer attacks with amplification.
We now propose a novel type of DNS application-layer attack that abuses chains in DNS to overcome the aforementioned limitations of water torture, yet stays in a similar threat model (Sect. 2). The main intuition of our attack is that an attacker can utilize request chains that amplify the attack volume towards a target ANS. This is achieved via aliases, a popular feature defined in the DNS specification and frequently used in practice.
We will now discuss countermeasures to reduce the impact of DNS application-level attacks. First, we cover the authoritative view, how zones could be managed and the effect of response rate limiting. Then we look at the behavior of recursive resolvers and how they could reduce the impact on ANSs.
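As an added example (not code from the paper), the following Go simulation models the alias chaining described above together with the resolver-side limit this section alludes to: a recursive resolver follows a constructed CNAME chain whose every link is served by the same ANS, and caps how many aliases it will follow for one client query. The zone data, the names `ans.victim` and `ans.other`, and the `maxSteps` policy are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// alias is one CNAME record as a recursive resolver learns it: its target and the
// authoritative name server (ANS) that served it; a terminal record has no Target.
type alias struct {
	Target string
	ANS    string
}

// zone is a constructed toy view of the DNS (not data from the paper): an alias
// chain in which every link is served by the same authoritative, ans.victim.
var zone = map[string]alias{
	"a0.example.net":  {"a1.example.net", "ans.victim"},
	"a1.example.net":  {"a2.example.net", "ans.victim"},
	"a2.example.net":  {"www.example.org", "ans.victim"},
	"www.example.org": {"", "ans.other"},
}

var errChainTooLong = errors.New("alias chain exceeds resolver limit")

// resolve simulates a recursive resolver answering one client query by following
// aliases, every record treated as uncachable (the worst case). It returns the
// queries each ANS received and gives up with errChainTooLong once maxSteps
// aliases have been followed: the assumed resolver-side cap on amplification.
func resolve(name string, maxSteps int) (map[string]int, error) {
	load := map[string]int{}
	for steps := 0; steps <= maxSteps; steps++ {
		rec, ok := zone[name]
		if !ok {
			return load, fmt.Errorf("no data for %s", name)
		}
		load[rec.ANS]++ // one query to the ANS serving this name
		if rec.Target == "" {
			return load, nil // terminal record: the answer is complete
		}
		name = rec.Target
	}
	return load, errChainTooLong
}

// amplification: queries the target ANS received for one client query of the
// chain head; with the limit in place it can never exceed maxSteps+1.
func amplification(target string, maxSteps int) (int, error) {
	load, err := resolve("a0.example.net", maxSteps)
	return load[target], err
}
```

Without a limit the victim ANS sees one query per chain link for a single client query; with the limit the chain is cut off and the resolver returns an error instead of continuing to feed the target.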
Application-Layer DDoS in DNS: Several application-layer DDoS defenses have been proposed in the past [12, 30, 39, 52]. Many defenses are not immediately applicable to DNS. Protocol changes, such as client puzzles, would need widespread support, which is unrealistic to achieve in a short to medium time frame. Countermeasures which introduce more latency are especially problematic, as DNS is tuned for high efficiency. Filtering techniques, such as egress or ingress filtering, do not apply to DNS Unchained, because it works without IP address spoofing. Blocking DNS traffic can even lead to more inbound traffic and always risks blocking legitimate users.
We have presented a new DDoS attack against DNS authoritatives that leverages amplification on the application layer. DNS Unchained achieves an amplification of 8.51 using standard DNS protocol features, by chaining alias records (e.g., CNAME) and forcing resolvers to repeatedly query the same authoritative name server. We performed full Internet scans and found 10 054 077 open DNS resolvers and 178 508 recursive resolvers. We determined that 74.3% of those resolvers support uncachable DNS responses, creating a large pool of amplifiers that can be abused for chaining attacks.
TLS is an internet standard to secure the communication between servers and clients on the internet, for example that of web servers, FTP servers, and email servers. This is possible because TLS was designed to be application layer independent, which allows its use in many diverse communication protocols.
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
We evaluated the real-world attack surface of web browsers and widely-deployed email and FTP servers in lab experiments and with internet-wide scans. We find that 1.4M web servers are generally vulnerable to cross-protocol attacks, i.e., TLS application data confusion is possible. Of these, 114k web servers can be attacked using an exploitable application server. As a countermeasure, we propose the use of the Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions in TLS to prevent these and other cross-protocol attacks.
Probably not. For the ALPACA attack to succeed, many preconditions need to be fulfilled. The generic attack requires a MitM attacker that can intercept and divert the victim's traffic at the TCP/IP layer. However, if you run application servers such as FTP and email on non-standard ports that are not blocked by browsers, you should make sure that you are not vulnerable to the web attacker variant of ALPACA that can affect users of Internet Explorer.
Here is a list of analyzed implementations with regard to their vulnerability (see Table 3 in the paper): Sendmail SMTP allowed reflection attacks that work in Internet Explorer when used over STARTTLS. Cyrus, Kerio Connect and Zimbra IMAP servers allowed download and reflection attacks that work in Internet Explorer. Courier, Cyrus, Kerio Connect and Zimbra allowed download attacks that work in Internet Explorer. Microsoft IIS, vsftpd, FileZilla Server and Serv-U FTP servers allowed reflection attacks that work in Internet Explorer. And the same FTP servers allowed upload and download attacks that work in all browsers.
It might be. If you are hosting several TLS-enabled application servers on the same hostname, or if you use multi-domain certificates, or if you use wildcard certificates, you may be vulnerable to the general confusion attack. If one of the application servers you are hosting has an exploitable upload, download, or reflection vector, this may negatively impact the security of your webserver.
However, no browser protects the user against all possible ALPACA attacks. In particular, all browsers can be compromised by a Man-in-the-Middle attacker who has write-access to an error-tolerant FTP server presenting a certificate compatible with a target web server under attack. Although the FTP server can in theory protect against this particular attack by detecting HTTP POST requests and/or terminating the connection after a small number of errors, this attack variant shows that this is not a bug in the browser, the web server, or the application server, but an emergent property of the TLS landscape.
The ALPACA attack is not fundamentally new. Cross-protocol attacks on HTTP were first described by Jochen Topf (2001), and Jann Horn presented the first attack on a TLS-secured HTTP connection in 2014 involving ProFTPD. We did the first systematic study for cross-protocol attacks against the browser exploiting popular SMTP, IMAP, POP3, and FTP servers, performed an internet-wide scan to estimate the number of affected web servers, and generalized the attack away from a browser-specific issue to a general property of misconfigured TLS servers. We think that this new perspective is useful in focussing countermeasures on a limited number of effective options, rather than patching application servers one at a time as more exploits are found.
The ALPACA attack is only possible because TLS does not protect the source or destination IP address and port of the TCP connection. As is stated in the TLS RFC, TLS is application layer independent. However, this gap in protection gives the attacker the flexibility to redirect traffic from one server to another. If the presented certificate of the substitute server is compatible with that of the intended server, the general content confusion attack is possible (although whether it can actually be exploited depends on the server and client behavior).
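As an added example (not the ALPACA authors' code), here is how the ALPN/SNI countermeasure proposed above looks in Go's crypto/tls: the listener of one service refuses any ClientHello whose SNI or ALPN does not match that service, which closes the gap described here even though TLS itself never binds the session to an IP address or port. The hostnames, the `ftp` ALPN identifier for the FTP service, and the strict choice to refuse clients that send no ALPN are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// checkClientHello is the proposed countermeasure: the TLS endpoint of one service
// (here an FTP server sharing a wildcard certificate with the web server) completes
// a handshake only if the ClientHello's SNI names this service's hostname and its
// ALPN list offers this service's protocol. Clients without ALPN are refused too.
func checkClientHello(hi *tls.ClientHelloInfo, host, proto string) error {
	if hi.ServerName != host {
		return fmt.Errorf("SNI %q does not name this service (%q)", hi.ServerName, host)
	}
	for _, p := range hi.SupportedProtos {
		if p == proto {
			return nil
		}
	}
	return fmt.Errorf("ALPN %q not offered (client sent %v)", proto, hi.SupportedProtos)
}

// strictServerConfig wires the check into crypto/tls. GetConfigForClient runs once
// the ClientHello is parsed and before the server sends anything, so an error
// aborts the handshake. Current Go already fails a handshake whose ALPN list has
// no overlap with NextProtos; the explicit check adds SNI and the no-ALPN case.
func strictServerConfig(cert tls.Certificate, host, proto string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{proto},
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			return nil, checkClientHello(hi, host, proto) // nil, nil keeps this config
		},
	}
}

func main() {
	// Constructed ClientHellos as the FTP listener would see them: a real FTP client,
	// a browser whose HTTPS connection was redirected here, and a client without ALPN.
	for _, hi := range []tls.ClientHelloInfo{
		{ServerName: "ftp.example.com", SupportedProtos: []string{"ftp"}},
		{ServerName: "www.example.com", SupportedProtos: []string{"h2", "http/1.1"}},
		{ServerName: "ftp.example.com"},
	} {
		fmt.Printf("SNI=%s ALPN=%v -> %v\n", hi.ServerName, hi.SupportedProtos,
			checkClientHello(&hi, "ftp.example.com", "ftp"))
	}
}
```

Only the first ClientHello passes; the redirected browser's hello is rejected before the FTP server ever presents the shared certificate, so no valid TLS session to the wrong service is established.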