Your Intrusion Detection System (IDS) doesn't seem to be listing any new security attacks on your network.
Which of the following DDoS attack methods is MOST likely being used?
Application Layer DDoS
Protocol DDoS
Amplification DDoS
TCP SYN flood attack
Answered by GPT-5 mini (AI)
Answer: Application Layer DDoS.
Why: Application‑layer (Layer 7) attacks are designed to look like legitimate user activity (e.g., many HTTP GETs, slow requests, valid TCP handshakes), so signature‑based or network‑level IDS often won’t flag them as “attacks.” Protocol/Amplification and SYN‑flood attacks generate obvious network anomalies (huge packet/connection spikes, malformed traffic, spoofed sources) that most IDSs will detect, so the stealthiest method when your IDS shows no new alerts is an application‑layer DDoS.
What to review/detect:
- Unusual request patterns to specific URLs or endpoints (many requests to a heavy page or API).
- Increased response times, CPU/memory on web/app servers, or rising error (5xx) rates.
- Many short, low‑bandwidth sessions from many IPs, or many connections that look like normal browsers.
- Long-lived connections (Slowloris‑style) or a high number of valid TCP handshakes but few completed transactions.
- Low entropy in User‑Agent/Referrer fields or repeated parameter values.
Mitigations:
- Web application firewall (WAF) with behavioral rules and rate limiting.
- CAPTCHA / JavaScript challenges for suspicious clients.
- Use CDN / traffic scrubbing / rate limiting at edge.
- Application‑level anomaly detection and logging (not just network IDS).
- Blacklist abusive IPs or use reputation services, and implement connection/request throttling.
If you want, I can give specific checks/queries to run on your logs (web server, load balancer, IDS) to confirm an application‑layer DDoS.
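One way to turn the "what to review/detect" checklist into a concrete log check, as an added example that is not part of the answer above: it parses Combined Log Format access-log lines (the Apache/nginx default) and reports the indicators the answer lists, namely per-IP request volume, concentration on one heavy endpoint, User-Agent diversity, and the 5xx error ratio. The log lines, addresses and thresholds are constructed for illustration and are not from any real system.

```python
import re
from collections import Counter

# Combined Log Format; the fields the checks need are captured as named groups.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Parse access-log lines; the query string is dropped so /api/report?x and ?y group together."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines in another format are skipped
            e = m.groupdict()
            e["path"] = e["path"].split("?", 1)[0]
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def layer7_indicators(entries, max_req_per_ip=5, min_ua_ratio=0.2, max_5xx_ratio=0.1):
    """Thresholds are illustrative assumptions; tune them against a normal-traffic baseline."""
    if not entries:
        return {}
    total = len(entries)
    per_ip = Counter(e["ip"] for e in entries)
    per_path = Counter(e["path"] for e in entries)
    distinct_ua = len({e["ua"] for e in entries})
    five_xx = sum(1 for e in entries if 500 <= e["status"] < 600)
    top_path, top_count = per_path.most_common(1)[0]
    return {
        "total": total,
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n > max_req_per_ip),
        "top_path": top_path,
        "top_path_share": top_count / total,      # concentration on one heavy endpoint
        "ua_diversity": distinct_ua / total,       # low => many clients, identical User-Agent
        "ua_low_entropy": distinct_ua / total < min_ua_ratio,
        "error_ratio": five_xx / total,
        "error_spike": five_xx / total > max_5xx_ratio,
    }

# Constructed sample traffic (RFC 5737 test addresses), not captured from any real server.
LINE = '{ip} - - [10/Mar/2024:12:00:0{s} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
FLOOD = [LINE.format(ip=f"198.51.100.{10 + i % 3}", s=i % 10, path="/api/report?range=all",
                     status=503 if i % 4 == 0 else 200, ua="Mozilla/5.0") for i in range(20)]
NORMAL = [
    LINE.format(ip="203.0.113.5", s=1, path="/index.html", status=200, ua="Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"),
    LINE.format(ip="203.0.113.6", s=2, path="/about", status=200, ua="Mozilla/5.0 (Macintosh) Safari/17.3"),
    LINE.format(ip="203.0.113.7", s=3, path="/api/search?q=x", status=200, ua="curl/8.5.0"),
]
SAMPLE_LOG = FLOOD + NORMAL

if __name__ == "__main__":
    for key, value in layer7_indicators(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the three flood sources exceed the per-IP threshold, 20 of 23 requests hit /api/report, and both the low User-Agent diversity and the 5xx ratio flags trip, while the three normal requests alone trip none of them.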