Dynamic HTTP Flood

A Dynamic HTTP flood is a layer 7 DDoS attack that targets web servers and applications.

Layer 7 is the application layer of the OSI model. The HTTP protocol is an Internet protocol which is the basis of browser-based Internet requests and is commonly used to send form contents over the Internet or to load web pages.

HTTP floods are designed to overwhelm web servers’ resources by continuously requesting single or multiple URL’s from many source attacking machines, which simulate HTTP clients such as web browsers (Though the attack analyzed here does not use browser emulation).

A Dynamic HTTP Flood may consist of different HTTP request methods, GET (images and scripts), POST (files and forms), or combined GET and POST requests. There are also more exotic attacks that may utilize other HTTP methods such as PUT, DELETE, etc.

Unlike a regular HTTP flood, a Dynamic HTTP flood is a DDoS attack that continuously changes the suffix of the HTTP request (i.e adding a randomly generated suffix to the base URL e.g. “https://example.com/?nghfy=5g2fj“) and uses the “Cache-Control” header to force services like CDNs to generate a request to the originating web server.

When the server’s limit of concurrent connections is reached, the server can no longer respond to legitimate requests from other clients attempting to connect, causing a denial of service.

HTTP flood attacks use standard HTTP requests, hence it may be quite challenging to differentiate from valid traffic. Traditional rate-based volumetric detection is ineffective in detecting HTTP flood attacks since traffic volume in HTTP floods is often under detection thresholds.

Technical analysis

To send an HTTP request, a client first establishes a TCP connection with a server, using the TCP 3-Way Handshake (SYN, SYN-ACK, ACK), seen in packets 4,49,50 in Image 1. The HTTP request will be in a PSH, ACK packet.

Image 1 – Example of TCP connection

An attacker (IP 10.128.0.2) sends HTTP/1.1 POST & HTTP/1.1 GET requests with a randomly generated URL suffixes, while the target responds with HTTP/1.1 200 OK as seen in Images 2 & 3.

While in this flow we see an HTTP/1.1 200 OK response, that might change depending on the web server settings.

Image 2 – Example of HTTP request & response

The attacker (IP 10.128.0.2) sends GET and POST requests, changing the URL suffix dynamically, while the target (10.128.0.3) responds with an HTTP/1.1 200 OK as can be seen in Image 3.

Image 3 – Example of Dynamic HTTP packets exchange between an attacker and a target

The capture analyzed is around 8 seconds long while it contains an average of 172 PPS (packets per second), with an average traffic rate of 0.017 Mbps (considered low, the attack you are analyzing could be significantly higher).

Image 4 – Dynamic HTTP Flood stats

Analysis of Dynamic HTTP Flood in WireShark – Filters

“http” filter – Will show all http related packets.

“http.request.method == <Method_Name>” – Will show the HTTP method requests type we are looking for.

It will be important to review the user agent and other HTTP header structures as well as the timing of each request to understand the attack underway.

Download example PCAP of Dynamic HTTP Flood attack

*Note: IP’s have been randomized to ensure privacy.

Download