Protecting Your Apps from Layer 7 DoS Attacks with NGINX App Protect Denial of Service

F5 NGINX Thumbnail
Published September 09, 2021

User experience is everything. There’s no reason to have apps and websites if consumer and customers don’t use them. So it’s important to ensure a positive and consistent user experience, especially when users are becoming less tolerant of latency, downtime, and errors.

When users have a negative experience with your app or website, you might lose them as customers for life. In a Salesforce survey, 61% of consumers reported that after a single bad experience they switched to a competitor. Repeat the bad experience, and desertion is inevitable. Brand loyalty only counts for so much when there are so many choices online.

One of the primary causes of consumer dissatisfaction is downtime, and denial of service (DoS) attacks are a major culprit for sustained downtime. Due to shifts in application design, new threat vectors have emerged, and attackers have adapted DoS attacks – in use for over two decades – to exploit modern architectures. Between January 2020 and March 2021, DoS attacks at the application layer (Layer 7) increased sharply, comprising 16% of all DDoS incidents. In fact, half of the requests to the F5 Security Incident Response Team are for help with application‑layer DoS attacks.

Centralized security mitigation can be effective for volumetric DoS attacks at the network layer (Layer 4), but application‑layer DoS attacks are more targeted and thus require specialized defenses to protect modern applications that are increasingly distributed, made up of APIs and microservices, and live on more flexible infrastructures, such as cloud.

Moving Beyond Traditional Protection

Even if the source of a DoS attack is distributed (making it a DDoS attack), basic volumetric attacks at the network layer are generally targeted at a single device or service, and traditional protection tools are similarly monolithic and centralized. And while these tools still have their place in the application security landscape, they aren’t enough. Today, cloud‑based DDoS protection services are industry standard. However, they still don’t address the fact that applications are no longer monolithic single services but instead have many integration points that need protection.

Before digital transformation and the large‑scale architecture shift to APIs, microservices, and cloud‑based integrations that came with it, a basic web application firewall (WAF) could largely mitigate vulnerability exploits and DoS attacks. In a volumetric attack, manifesting as a flood on the client side, for example, a basic WAF and traditional DoS tools are effective because the traffic is centralized – a cloud‑scrubbing service can mitigate attacks before traffic enters the ingress pipes, or protection can be placed in front of the application stack. And basic WAFs still protect against traditional attacks, largely through rate limiting, denylisting, and bot signatures, but the threat landscape has moved beyond this.

In short, the game has changed and basic WAFs and traditional DoS protection aren’t effective with modern application architectures.

Modern DoS attacks are happening at Layer 7, and because they are hidden in encrypted channels and target application logic, they are far harder to detect. Hence, you need an additional layer of protection to measure client behavior and server stress – the two biggest indicators of a DoS attack.

To help address this issue, we recently released the NGINX App Protect Denial of Service module. You might wonder whether you need a DoS module if you already have a WAF and traditional DoS protection. You do indeed – read on to learn why.

Modern Architectures Need Modern Protection

Encryption is everywhere, and traditional DoS protection wasn’t designed for decryption at scale. In the era of monolithic applications, centralized DoS mitigation made sense because encryption wasn’t so pervasive, and attacks could largely be detected by looking at the client side alone. Today, almost all traffic is encrypted, so stateless DoS mitigation that focuses solely on ingress traffic is largely ineffective, especially when an attack uses a single targeted request to inflict application stress.

Applications are now designed and optimized for distributed architectures like microservices, and end-to-end encryption is becoming commonplace thanks to increased emphasis (and subsequent legislation) on user privacy and advances in cryptography. Modern architectures rely heavily on APIs, and API-to-API communication (also called east‑west traffic) might not even pass through centralized security controls.

Effective application‑level DoS protection requires end-to-end visibility and context, including the ability to detect client‑side anomalies and server‑side stress. Advanced Layer 7 DoS attacks are often disguised as legitimate traffic, so basic mitigations such as rate limiting, denylisting, signatures, and protocol conformance are no longer sufficient.

Sophisticated Layer 7 attacks look like legitimate traffic on the surface, and basic WAFs lack the behavioral analysis needed to detect them. NGINX App Protect DoS is specifically designed to look at both client anomalies and server stress, and can dynamically identify and mitigate attacks, and measure mitigation effectiveness, without requiring attention from already overburdened security teams.

If you rely solely on basic WAF defenses and traditional DDoS mitigation, you don’t have proper visibility and context into a Layer 7 attack, and the potential consequences are huge – latency, downtime, abandoned revenue, and damaged brand. With behavioral analysis, client anomalies and service health can be constantly analyzed in order to detect a zero‑day DoS attack. Looking closely at site behavior enables us to answer questions like: Is there anything abnormal compared to baseline traffic patterns? Is the request missing information we expect a browser to include, even though it seems to come from a browser? Does the request include a complex database query that is causing high CPU utilization?

By building a picture of normal performance and behavior, NGINX App Protect DoS can focus on Layer 7 attacks that evade traditional defenses and inflict application stress.

Diagram depicting eight types of attacks blocked by NGINX App Protect WAF and DoS

Mitigate with Multiple Modules

The outcomes of DoS attacks haven’t changed: slow performance, frustrated users, and abandoned revenue. But the way that DoS attacks occur can be very different, with hackers using encryption and security tools to disguise their threat as legitimate traffic.

While your users may not be able to tell the difference between architectures, they can tell the difference between good and bad site performance. Barrages of attack traffic cause latency that makes the user experience feel slow. Slow enough, and even the most patient users (of which they aren’t many!) abandon the transaction and switch to a different site. A single, targeted request may cause latency and server stress, so specialized application DoS protection is critical.

Web application security solutions continue to evolve to keep up with the new attacks, such as those outlined in the OWASP Automated Threats to Web Applications. But you need protection that integrates natively into your application runtime. Something dynamic. Something adaptable. While other DoS solutions may be designed for network DDoS attacks like SYN floods, the NGINX App Protect DoS solution is specialized for Layer 7 attacks that stress application resources. Combining WAF and Layer 7 DoS solutions ensures that applications are protected from both vulnerability exploits and business logic abuse – preventing compromise as well as latency, degradation, and downtime.

Commerce is largely online now. People are mostly online now. You need to make it a safe and secure place to be. By combining the NGINX App Protect WAF and NGINX App Protect DoS modules, you can have robust protection that makes sense for your environment, applications, and business.

Try out NGINX App Protect for yourself – start your free 30-day trial today or contact us to discuss your use cases.

"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous links will redirect to similar NGINX content on"