HTTPS MHDDOS GSB is an HTTP flood designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many attacking source machines.
HTTPS MHDDOS GSB is an HTTP flood attack based on the MHDDOS attack tool. MHDDOS contains multiple attack vectors designed to bypass various DDoS mitigations.
HTTPS MHDDOS GSB uses a large pool of user agents and referrers when trying to flood a targeted server. When the server’s limit of concurrent connections is reached, the server can no longer respond to legitimate requests from other users. GSB-MHDDOS requests are specifically designed to bypass Google Shield protection.
Technical Analysis
As seen in Image 1, HTTPS MHDDOS GSB, like any other HTTP flood, starts with a standard TCP handshake.
“Image 1 – TCP Handshake”
As seen in Image 2, an HTTP HEAD request is sent with a random URL.
“Image 2 – HEAD Request”
HTTPS MHDDOS GSB can also be used to attack sites with HTTPS, which will then include an SSL handshake.
Image 3 shows a whole TCP connection cycle: packets 1-50-51 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP HEAD is sent from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed by packet 655 (RST-ACK).
“Image 3 – TCP Connection cycle including HTTP request and response”
As seen in Image 4, the capture analyzed is 10 seconds long, and the average number of packets per second is 128. The rate is around 0.14 Mbit/sec. Attack rates could be much higher.
“Image 4 – HTTPS MHDDOS GSB attack Stats”
A typical HTTPS MHDDOS GSB attack running against an unsuspecting host will look similar to the above analysis. The statistics include the smaller packets of the TCP handshake and the larger packets of the HTTP requests.
Analysis of HTTPS MHDDOS GSB attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out everything except HTTP requests. If a single IP address is seen as the source of multiple such requests, it might be an attacker.
The filter “http.request.method == "HEAD"” will show HTTP HEAD requests.
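The same per-source check can be run over web server access logs when no capture is available. The following Python code is an added example, not part of the original analysis or of the MHDDOS tool: it flags sources that send many HEAD requests whose URLs and user agents are almost all different, the pattern described above. The combined log format, the thresholds, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed input: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def _line(ip, method, path, ref, ua):
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 0 "{ref}" "{ua}"'

# Constructed sample (documentation IP ranges; not taken from the page's capture).
SAMPLE = (
    [_line("198.51.100.7", "HEAD", f"/{tok}", f"https://ref{i}.example/", f"Agent-{i}")
     for i, tok in enumerate(["k3Jd", "Zq81", "mP0x", "t7Yb", "Ue42", "c9Lw"])]
    + [_line("203.0.113.20", "HEAD", "/health", "-", "uptime-check") for _ in range(6)]
    + [_line("192.0.2.33", "GET", p, "-", "Mozilla/5.0") for p in ("/", "/css/site.css", "/about")]
    + ["garbage line"]
)

def suspicious_head_sources(lines, min_heads=5, min_distinct_ratio=0.8):
    """Return {ip: stats} for sources with many HEAD requests that are mostly
    unique in both path and User-Agent. Thresholds are illustrative assumptions;
    the lines are assumed to come from one short time window."""
    per_ip = defaultdict(lambda: {"heads": 0, "paths": set(), "uas": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "HEAD":
            continue  # malformed lines and non-HEAD requests are ignored
        s = per_ip[m["ip"]]
        s["heads"] += 1
        s["paths"].add(m["path"])
        s["uas"].add(m["ua"])
    flagged = {}
    for ip, s in per_ip.items():
        if s["heads"] < min_heads:
            continue
        path_ratio = len(s["paths"]) / s["heads"]
        ua_ratio = len(s["uas"]) / s["heads"]
        # A health checker repeats one path and one agent, so its ratios stay low.
        if path_ratio >= min_distinct_ratio and ua_ratio >= min_distinct_ratio:
            flagged[ip] = {"heads": s["heads"], "path_ratio": path_ratio, "ua_ratio": ua_ratio}
    return flagged

if __name__ == "__main__":
    print(suspicious_head_sources(SAMPLE))
```

In the constructed sample only 198.51.100.7 is flagged; the uptime checker sends as many HEAD requests but always to the same path with the same agent.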
Download Example PCAP of HTTPS MHDDOS GSB:
*Note: IPs have been randomized to ensure privacy.