CFB-MHDDOS is an HTTP flood designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines.
CFB-MHDDOS uses a large pool of user agents and referrers when trying to flood a targeted server. When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users.CFB-MHDDOS requests are designed specifically to bypass CDN-based anti-bot protections.
Technical Analysis
As seen in Image 1 CFB-MHDDOS, like any other HTTP Flood, starts with a standard TCP handshake.
“Image 1 – TCP Handshake”
As seen in Image 2, an HTTP GET request is sent with a random URL.
“Image 2 – GET Request”
CFB-MHDDOS can also be used to attack sites with HTTPS, which will then include an SSL handshake.
Image 3 shows a whole TCP connection cycle: packets 1-5-6 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP GET is sent from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed by packet 10 (RST-ACK)
“Image 3 – TCP Connection cycle including HTTP request and response”
As seen in Image 5 the capture analyzed is 9 seconds long, and the average number of packets per second is at 87. The rate is around 0.1MBit/sec. Attack rates could be much higher.
“Image 5 – CFB-MHDDOS attack Stats”
A typical CFB-MHDDOS attack running against an unsuspecting host will look similar to the above analysis. The statistics include smaller packets of TCP handshake and larger packets of HTTP requests.
Analysis of CFB-MHDDOS attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out anything except HTTP requests. If a single IP address is seen as the source of multiple such requests, it might be an attacker.
“http.request.method == GET” Will show HTTP GET requests.
Download Example PCAP of CFB-MHDDOS Attack:
*Note: IP’s have been randomized to ensure privacy.