GET-MHDDOS is an HTTP flood designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines.

GET-MHDDOS  is an HTTP flood attack based on the MHDDOS attack tool. MHDDOS contains multiple attack vectors designed to bypass various DDoS mitigation types.

GET-MHDDOS  generates GET requests. The attack uses a large pool of user agents and referrers. When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users.

Technical Analysis

As seen in Image 1 GET-MHDDOS, like any other HTTP Flood, starts with a standard TCP handshake.

“Image 1 – TCP Handshake”

As seen in Image 2, an HTTP GET request is sent.

“Image 2 – GET Request”

GET-MHDDOS can also be used to attack sites with HTTPS, which will then include an SSL handshake.

Image 3 shows a whole TCP connection cycle: packets 1-5-6 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP GET is sent from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed (RST-ACK).

“Image 3 – TCP Connection cycle including HTTP request and response”

As seen in Image 4 the capture analyzed is 9 seconds long,  and the average number of packets per second are at 196. The rate is  around 0.23MBit/sec.  Attack rates could be much higher.

“Image 4 – GET-MHDDOS attack Stats”

A typical GET-MHDDOS attack running against an unsuspecting host will look similar to the above analysis. The statistics includes smaller packets of TCP handshake and larger packets of HTTP requests.

Analysis of GET-MHDDOS attack in Wireshark – Filters:

Using the ‘http’ filter, you can filter out anything except HTTP requests. If a single IP address is seen as the source of multiple such requests, it might be an attacker.

“http.request.method == GET” Will show HTTP GET requests.

Download Example PCAP of GET-MHDDOS:

*Note: IP’s have been randomized to ensure privacy.