HTTP Flood

Last updated November 06, 2024

HTTP Flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker manipulates HTTP and POST unwanted requests in order to attack a web server or application. These attacks often use interconnected computers that have been taken over with the aid of malware such as Trojan Horses. Instead of using malformed packets, spoofing and reflection techniques, HTTP floods require less bandwidth to attack the targeted sites or servers than layer-4 attacks.

Attack description

In an HTTP flood, the HTTP clients such as web browser interact with an application or server to send HTTP requests. The request can be either “GET” or “POST”. The aim of the attack is when to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server's resources. Attackers inject legitimate looking, but randomised HTTP headers in an attempt to avoid detection, and make make use of proxies to hide their source IP address.

GET flood

The GET request is used to retrieve static content like images, scripts and style sheets. The request may simply fetch the root or specifically target large assets. The requests do not typically require authentication, cannot evade Captchas and induce relatively low load on the server per request.

POST flood

An HTTP POST flood (or simply POST flood) is a denial of service attack that uses POST requests, which are part of the Hypertext Transfer Protocol (HTTP).^[1] As of late 2013, POST floods were increasingly being launched from mobile devices.^[2]

POST requests are more likely to require the server to perform some kind of processing, such as looking up items in a database. Therefore, HTTP POST flood attacks typically impose higher load on the server per request.^{[ citation needed ]}

Methods of mitigation

As HTTP flood attacks use standard URL requests hence it is quite challenging to differentiate from valid layer-4 network traffic. One of the most effective mitigation methods is the combination of traffic profiling methods that mainly includes identification of IP reputation, tracking abnormal actions and employing progressive sanctuary challenges.^[3]

Related Research Articles

HTTP is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers. The MLS was invented by engineers at Digital Equipment Corporation.

A SYN flood is a form of denial-of-service attack on data communications in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.

<span class="mw-page-title-main">Anycast</span> Network addressing and routing methodology

Anycast is a network addressing and routing methodology in which a single IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and name servers, to bring their content closer to end users.

A pingback is one of four types of linkback methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software and content management systems, such as WordPress, Movable Type, Serendipity, and Telligent Community, support automatic pingbacks where all the links in a published article can be pinged when the article is published. Other content management systems, such as Drupal and Joomla, support pingbacks through the use of addons or extensions.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

In computer networks, rate limiting is used to control the rate of requests sent or received by a network interface controller. It can be used to prevent DoS attacks and limit web scraping.

In computer networks, a reverse proxy or surrogate server is a proxy server that appears to any client to be an ordinary web server, but in reality merely acts as an intermediary that forwards the client's requests to one or more ordinary web servers. Reverse proxies help increase scalability, performance, resilience, and security, but they also carry a number of risks.

Misuse of a Network Time Protocol (NTP) server ranges from flooding it with traffic or violating the server's access policy or the NTP rules of engagement. One incident was branded NTP vandalism in an open letter from Poul-Henning Kamp to the router manufacturer D-Link in 2006. This term has later been extended by others to retroactively include other incidents. There is, however, no evidence that any of these problems are deliberate vandalism. They are more usually caused by shortsighted or poorly chosen default configurations.

On Internet usage, an email bomb is a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack or as a smoke screen to distract the attention from important email messages indicating a security breach.

An application delivery network (ADN) is a suite of technologies that, when deployed together, provide availability, security, visibility, and acceleration for Internet applications such as websites. ADN components provide supporting functionality that enables website content to be delivered to visitors and other users of that website, in a fast, secure, and reliable way.

Media Independent Handover (MIH) is a standard being developed by IEEE 802.21 to enable the handover of IP sessions from one layer 2 access technology to another, to achieve mobility of end user devices (MIH).

Sockstress is a method of attacking servers and other devices that accept TCP connections on the Internet and other TCP-based networks. This method depletes local resources in order to crash a service or an entire machine, essentially functioning as a denial-of-service attack.

High Orbit Ion Cannon (HOIC) is an open-source network stress testing and denial-of-service attack application designed to attack as many as 256 URLs at the same time. It was designed to replace the Low Orbit Ion Cannon which was developed by Praetox Technologies and later released into the public domain. The security advisory for HOIC was released by Prolexic Technologies in February 2012.

The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20 Mbit/s can be effective for disrupting a victim's network.

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

References

↑ "DDoS Quick Guide" (PDF). National Cybersecurity and Communications Integration Center, Department of Homeland Security. 29 January 2014. Retrieved 2017-01-24.
↑ Player, Chris (2014-01-18). "Mobile devices become launchpads for DDoS attacks". PCWorld . Retrieved 2017-01-24.
↑ Cid, Daniel (February 6, 2014). "Layer 7 DDOS – Blocking HTTP Flood Attacks". Sucuri Blog. Retrieved December 7, 2016.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[dhs-2017-01-24-1] "DDoS Quick Guide" (PDF). National Cybersecurity and Communications Integration Center, Department of Homeland Security. 29 January 2014. Retrieved 2017-01-24.

[pcworld-2014-01-18-2] Player, Chris (2014-01-18). "Mobile devices become launchpads for DDoS attacks". PCWorld . Retrieved 2017-01-24.

[3] Cid, Daniel (February 6, 2014). "Layer 7 DDOS – Blocking HTTP Flood Attacks". Sucuri Blog. Retrieved December 7, 2016.

[1]

[2]

[3]