Application DDoS
Web And Mobile Application Threat

Automated threats are responsible for millions in cyberfraud losses per day

Application Layer DDoS

Application Layer DDoS is the use of automation to repeatedly query resource-intensive services until the website no longer has the capacity to support legitimate users.

For example, a major insurer with over 20 million members relies on its website to deliver information on providers, benefits, and plans. Because the services offered by the insurer are complex and highly personalized, search is a popular and essential website component.

Recently, an attacker flooded the search function with queries for multiple days. The resulting application layer distributed denial-of-service (app layer DDoS) caused the search function to fail and prevented members from using it. Other sections of the website also failed since web server resources are shared across website elements.

Cybercriminals often use DDoS attacks to extort targets or to mask other concurrent attacks. In this case, the attacker did not contact the company. However, Shape researchers observed low-level automated scraping activities occurring at the same time as the DDoS attack, indicating the DDoS attack may have been a diversionary tactic.
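The pattern in this case (a flood on one expensive endpoint with quiet scraping running underneath it) can be looked for in access logs. The sketch below is an added example, not Shape's detection logic; the endpoint set, thresholds, client names and sample traffic are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

EXPENSIVE = {"/search"}   # assumed: endpoints known to be resource-intensive
FLOOD_FACTOR = 10         # assumed: multiple of the usual per-minute rate
SCRAPE_MIN_PATHS = 10     # assumed: distinct pages fetched by one client

def flood_minutes(events):
    """Minutes in which an expensive endpoint far exceeds its usual rate."""
    per_min = defaultdict(lambda: defaultdict(int))
    for ts, _client, path in events:
        if path in EXPENSIVE:
            per_min[path][ts // 60] += 1
    flagged = set()
    for counts in per_min.values():
        # The median only works as a baseline while the flood covers less
        # than half the window; for a multi-day flood, take the baseline
        # from an earlier known-good period instead.
        baseline = max(median(counts.values()), 1)
        flagged |= {m for m, n in counts.items() if n > FLOOD_FACTOR * baseline}
    return flagged

def masked_scrapers(events, minutes):
    """Clients that quietly walk many distinct pages while the flood runs."""
    paths = defaultdict(set)
    for ts, client, path in events:
        if ts // 60 in minutes and path not in EXPENSIVE:
            paths[client].add(path)
    return sorted(c for c, p in paths.items() if len(p) >= SCRAPE_MIN_PATHS)

def sample_events():
    """Constructed traffic as (epoch_second, client, path): five quiet
    minutes, then a two-minute search flood with one slow page walker."""
    ev = [(t, f"member-{t % 3}", "/search") for t in range(0, 420, 30)]
    ev += [(t, "member-9", "/benefits") for t in range(0, 420, 60)]
    ev += [(t, f"bot-{b}", "/search") for t in range(300, 420) for b in range(40)]
    ev += [(t, "quiet-1", f"/providers/{t}") for t in range(300, 420, 10)]
    return ev

if __name__ == "__main__":
    events = sample_events()
    minutes = flood_minutes(events)
    print("flood minutes:", sorted(minutes))
    print("low-rate clients to review:", masked_scrapers(events, minutes))
```

The second check matters because a volume alert alone points responders at the flood; listing low-rate clients active in the same minutes surfaces the traffic the flood may be covering.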

Shape defends companies against increasingly sophisticated automated cyber attacks, including application DDoS, an attack used to extort targets or to mask other attacks. Shape detects and mitigates automated attacks in real-time, preventing site outages and slow-downs for the largest airlines, insurance companies, and government agencies in the world.

Application Layer DDoS is an OWASP Top 20 Threat

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The OWASP Top 20 represents the most critical automated threats.


Application Layer DDoS (OAT-015)

Threat Mechanism: 

Adversaries use automation to repeatedly query resource-intensive services until the website no longer has the capacity to support legitimate users.


Disable critical site functionality to extort money or advance social/political/competitive causes.

Symptoms:

Other Names:

Account Lockout, App Layer DDoS, Business Logic DDoS, Cash Overflow, Forced Deadlock, Hash DoS, Indexer DoS, Resource Depletion, Sustained Client Engagement
