Dynamic HTTP Flood
Dynamic HTTP flood is a layer 7 DDoS attack that targets web servers and applications.
Layer 7 is the application layer of the OSI model. HTTP is the application-layer Internet protocol underlying browser-based requests; it is commonly used to load web pages and to submit form contents over the Internet.
HTTP floods are designed to exhaust a web server's resources by continuously requesting one or more URLs from many attacking source machines, which simulate HTTP clients such as web browsers (though the attack analyzed here does not use browser emulation).
An HTTP flood may consist of GET requests (e.g. for images and scripts), POST requests (e.g. file and form submissions) or a mix of both. More exotic variants use other HTTP methods such as PUT or DELETE.
Unlike a regular HTTP flood, a “dynamic” HTTP flood is a DDoS attack which continuously changes the suffix of the HTTP request, i.e. it appends a randomly generated suffix such as ‘/nowqerwr/21dsa’ to the base URL ‘learn.mazebolt.com’. Because every URL is new, caching services such as CDNs cannot serve it from cache and are forced to forward each request to the originating web server.
When the server's limit of concurrent connections is reached, it can no longer respond to legitimate requests from other clients attempting to connect, causing a denial of service.
Because HTTP flood attacks use standard URL requests, they can be quite challenging to distinguish from valid traffic. Traditional rate-based volumetric detection is ineffective against HTTP floods, since their traffic volume is often below detection thresholds.
As seen in Image 1, the client establishes a TCP connection before sending an HTTP request:
“Image 1 – Example of TCP Connection”
Before an HTTP request is sent, a TCP connection between the client and the server is established using the 3-way handshake (SYN, SYN-ACK, ACK), as seen in packets 3, 12 and 13 in the example above.
The attacker then sends an HTTP POST request with a randomly generated URL suffix, as seen in packet 14 in Images 1 and 2.
An attacker (IP 10.128.0.2) sends GET and POST requests, changing the URL suffix with each request, while the target (10.0.0.2) responds with HTTP/1.1 404 Not Found, as seen in Image 2:
“Image 2 – Example of Dynamic HTTP Packets Exchange Between an Attacker and a Target”
As seen in Image 3, the analyzed capture is around 8.7 seconds long, with an average of around 80 packets per second and a rate of around 0.091 Mbps (a low rate; actual attack rates can be significantly higher).
“Image 3 – Dynamic HTTP Flood Stats”
Analysis of Dynamic HTTP Flood in Wireshark – Filters
“http” filter – shows all HTTP-related packets.
“http.request.method == GET” or “http.request.method == POST” – shows HTTP GET or POST requests respectively. Filters for any other HTTP method (e.g. PUT, DELETE) can be applied in the same way.
To understand the attack fully, also review the User-Agent and other HTTP headers, as well as the timing of each request.
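The two observations above, that raw request rate is a poor signal for this attack and that the request paths, headers and timing are what give it away, can be turned into a simple detector over web-server access logs. The following script is an added example written for this page; it is not MazeBolt's code and it does not analyze the PCAP linked below. The log lines are constructed for the example in the common Apache/nginx "combined" format, reusing the article's attacker address 10.128.0.2 and a made-up legitimate client 10.0.0.7; the thresholds in flag_dynamic_flood are illustrative values chosen for this sample, not tuned guidance.

```python
"""Flag dynamic HTTP flood sources from access logs (added example).

Rather than a request-rate threshold, each source IP is scored on the
traits described in the article: nearly every request goes to a distinct,
never-repeated URL path, and the origin answers 404. The User-Agent and
HTTP methods seen per source are collected for the analyst as well.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: 10.128.0.2 floods random suffixes (all 404),
# 10.0.0.7 is an ordinary visitor fetching real pages.
SAMPLE_LOG = """\
10.128.0.2 - - [10/Mar/2023:12:00:00 +0000] "POST /nowqerwr/21dsa HTTP/1.1" 404 162 "-" "python-requests/2.28"
10.0.0.7 - - [10/Mar/2023:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.128.0.2 - - [10/Mar/2023:12:00:00 +0000] "GET /a8f1kq/zz9 HTTP/1.1" 404 162 "-" "python-requests/2.28"
10.128.0.2 - - [10/Mar/2023:12:00:01 +0000] "POST /qq12/plm0 HTTP/1.1" 404 162 "-" "python-requests/2.28"
10.0.0.7 - - [10/Mar/2023:12:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 840 "-" "Mozilla/5.0"
10.128.0.2 - - [10/Mar/2023:12:00:01 +0000] "GET /x7/13bnq HTTP/1.1" 404 162 "-" "python-requests/2.28"
10.0.0.7 - - [10/Mar/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.128.0.2 - - [10/Mar/2023:12:00:02 +0000] "POST /zzz/0aq2 HTTP/1.1" 404 162 "-" "python-requests/2.28"
"""

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def profile_sources(records):
    """Per-source metrics: request rate, distinct-path ratio, 404 ratio, UAs, methods."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    profiles = {}
    for ip, recs in by_ip.items():
        n = len(recs)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        profiles[ip] = {
            "requests": n,
            "rate_rps": n / max(span, 1.0),  # sub-second bursts are counted over 1 s
            "distinct_path_ratio": len({r["path"] for r in recs}) / n,
            "not_found_ratio": sum(r["status"] == 404 for r in recs) / n,
            "user_agents": sorted({r["ua"] for r in recs}),
            "methods": sorted({r["method"] for r in recs}),
        }
    return profiles


def flag_dynamic_flood(profiles, min_requests=5, path_ratio=0.9, nf_ratio=0.8):
    """Return source IPs whose traffic matches the dynamic-flood pattern.

    A source is flagged when almost every request is to a unique path and
    almost every response is 404, regardless of how low its request rate is.
    The thresholds are example values for this sample, not tuned guidance.
    """
    return sorted(
        ip for ip, p in profiles.items()
        if p["requests"] >= min_requests
        and p["distinct_path_ratio"] >= path_ratio
        and p["not_found_ratio"] >= nf_ratio
    )


if __name__ == "__main__":
    profs = profile_sources(parse_log(SAMPLE_LOG))
    for ip, p in profs.items():
        print(ip, p)
    print("flagged:", flag_dynamic_flood(profs))
```

On the sample, the attacker sends only 2.5 requests per second, well under any volumetric threshold, yet is flagged because 100% of its paths are unique and 100% of its responses are 404, while the ordinary visitor repeats paths and never triggers a 404. On a real server the same metrics should be computed per time window and the 404 ratio compared against the site's normal baseline, since a broken link or a crawler can also produce short bursts of 404s.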
Download example PCAP of Dynamic HTTP Flood attack
*Note: IPs have been randomised to ensure privacy.