COOKIE-MHDDOS is an HTTP flood designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines.
COOKIE-MHDDOS is an HTTP flood attack based on the MHDDOS attack tool. MHDDOS contains multiple attack vectors designed to bypass various DDoS mitigation types.
COOKIE-MHDDOS generates requests with a PHP cookie. The attack uses a large pool of user-agents and referrers .When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users.
As seen in Image 1 COOKIE-MHDDOS, like any other HTTP Flood, starts with a standard TCP handshake.
“Image 1 – TCP Handshake”
As seen in Image 2, an HTTP GET request is sent.
“Image 2 – GET Request”
COOKIE-MHDDOS can also be used to attack sites with HTTPS, which will then include an SSL handshake.
Image 3 shows a whole TCP connection cycle: packets 11-12-13 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP GET is send from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed by packet 28 (RST-ACK)
“Image 3 – TCP Connection cycle including HTTP request and response”
As seen in Image 4 the capture analyzed is 9 seconds long, and the average number of packets per second are at 175. The rate is around 0.24MBit/sec. Attack rates could be much higher.
“Image 4 – COOKIE-MHDDOS attack Stats”
A typical COOKIE-MHDDOS attack running against an unsuspecting host will look similar to the above analysis. The statistics includes smaller packets of TCP handshake and larger packets of HTTP requests.
Analysis of COOKIE-MHDDOS attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out anything except HTTP requests. If a single IP address is seen as the source of multiple such requests, it might be an attacker.
“http.request.method == GET” Will show HTTP GET requests.
Download Example PCAP of COOKIE-MHDDOS:
*Note: IP’s have been randomized to ensure privacy.Download