"We've been seeing more and more usage of application-layer attacks during the last year," Gaffan said, adding that evasion techniques are also adopted rapidly. "There's an ecosystem behind cybercrime tools and we predict that this method, which is new today, will become mainstream several months down the road," he said.
DDoS experts from Arbor Networks, another DDoS mitigation vendor, agree that there has been a rise in both the number and sophistication of Layer 7 attacks.
There have been some papers released this year about advanced Layer 7 attack techniques that can bypass DDoS mitigation capabilities and the bad guys are now catching on to them, said Marc Eisenbarth, manager of research for Arbor's Security Engineering and Response Team.
There's general chatter among attackers about bypassing detection and they're doing this by using headless browsers -- browser toolkits that don't have a user interface -- or by opening hidden browser instances, Eisenbarth said.
In addition, all malware that has man-in-the-browser functionality and is capable of injecting requests into existing browsing sessions can also be used for DDoS, he said.
Layer 7 attacks have become more targeted in nature with attackers routinely performing reconnaissance to find the weak spots in the applications they plan to attack. These weak spots can be resource-intensive libraries or scripts that result in a lot of database queries.
This behavior was observed during the attacks against U.S. banking websites a year ago when attackers decided to target the log-in services of those websites because they realized they could cause significant problems if users are prevented from logging in, Eisenbarth said. "We continued to see attackers launch those type of attacks and perform reconnaissance to find URLs that, when requested, may result in a lot of resource activity on the back end," he said.
More and more companies are putting together DDoS protection strategies, but they are more focused on network-layer attacks, Gaffan said. They look at things like redundancy or how much traffic their DDoS mitigation solution can take, but they should also consider whether they can resist application-layer attacks because these can be harder to defend against than volumetric attacks, he said.
With application-layer attacks there's an ongoing race between the bad guys coming up with evasion techniques and DDoS mitigation vendors or the targeted companies coming up with remedies until the next round, Gaffan said. Because of that, both companies and DDoS mitigation providers need to have a very dynamic strategy in place, he said.
Sign up for CIO Asia eNewsletters.