GoldenEye is similar to a HTTP flood and is a DDoS attack designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines.
GoldenEye changes generated requests dynamically – it randomizes user agents, referrers and almost all of the various parameters used. GoldenEye attempts to keep the connection alive and also adds a suffix to the end of URLs which will allow the request to bypass many CDN systems (Also known as “No Cache”). When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users.
As seen in Image 1 GoldenEye, like any other HTTP Flood, starts with a standard TCP handshake.
“Image 1 – TCP Handshake”
In Images 2 you can see it will then send a GET request with a random URL.
“Image 2 – GET Request”
Image 3 below highlights some of the different parameters being randomized between different requests. You can compare with Image 2 to see the differences.
“Image 3 – Parameters are randomized between requests”
GoldenEye can also be used to attack sites with HTTPS, which will then include an SSL Handshake.
Image 4 shows a whole TCP connection cycle: packets 1-5-6 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP GET is send from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed by packets 2045, 2057 (FIN-ACK -> ACK)
“Image 4 – TCP Connection cycle including HTTP request and response”
As seen in Image 5 the capture analyzed is 8 seconds long, and the average number of packets per second are at 264. The rate is around 1.96MBit/sec. Attack rates could be much higher.
“Image 5 – GoldenEye attack Stats”
A typical GoldenEye attack running against an unsuspecting host will look similar to the above analysis. The statistics includes smaller packets of TCP handshake and larger packets of HTTP requests.
Analysis of GoldenEye attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out anything except HTTP requests. If you see a single source IP sending many such requests, he could very well be an attacker.
“http.request.method == GET” Will show HTTP GET requests.
Download Example PCAP of GoldenEye Attack:
*Note: IP’s have been randomized to ensure privacy.
Download GoldenEye PCAP