GSB-MHDDOS is an HTTP flood designed to overwhelm web servers’ resources by continuously requesting single or multiple URLs from many source attacking machines.
GSB-MHDDOS is an HTTP flood attack based on the MHDDOS attack tool. MHDDOS contains multiple attack vectors designed to bypass various DDoS mitigations.
GSB-MHDDOS uses a large pool of user agents and referrers when trying to flood a targeted server. When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other users. GSB-MHDDOS requests are specifically designed to bypass google shield protection.
As seen in Image 1 GSB-MHDDOS, like any other HTTP Flood, starts with a standard TCP handshake.
“Image 1 – TCP Handshake”
As seen in Image 2, an HTTP HEAD request is sent with a random URL.
“Image 2 – HEAD Request”
GSB-MHDDOS can also be used to attack sites with HTTPS, which will then include an SSL handshake.
Image 3 shows a whole TCP connection cycle: packets 1-50-51 (SYN -> SYN-ACK -> ACK) establish the connection, then HTTP HEAD is sent from the agent, the victim responds with HTTP 200 OK (please notice the length of the packets) and then the connection is closed by packet 655 (RST-ACK).
“Image 3 – TCP Connection cycle including HTTP request and response”
As seen in Image 4 the capture analyzed is 10 seconds long, and the average number of packets per second are at 128. The rate is around 0.14MBit/sec. Attack rates could be much higher.
“Image 4 – GET-MHDDOS attack Stats”
A typical GSB-MHDDOS attack running against an unsuspecting host will look similar to the above analysis. The statistics includes smaller packets of TCP handshake and larger packets of HTTP requests.
Analysis of GSB-MHDDOS attack in Wireshark – Filters:
Using the ‘http’ filter, you can filter out anything except HTTP requests. If a single IP address is seen as the source of multiple such requests, it might be an attacker.
“http.request.method == HEAD” Will show HTTP HEAD requests.
Download Example PCAP of GSB-MHDDOS:
*Note: IP’s have been randomized to ensure privacy.Download