HTTP Flood

HTTP flood is a layer 7 DDoS attack that targets web servers and applications.

Layer 7 is the application layer of the OSI model. The  HTTP protocol –  is an Internet protocol which is the basis of browser-based Internet requests, and is commonly used to send form contents over the Internet or to load web pages.

HTTP floods are designed to overwhelm web servers’ resources by continuously requesting single or multiple URL’s from many source attacking machines, which simulate a HTTP clients, such as web browsers (Though the attack analyzed here, does not use browser emulation).

An HTTP Flood may consist of either GET (images and scripts), POST (files and forms) or combined GET and POST requests. There are also more exotic attacks which may utilize other HTTP methods such as PUT, DELETE etc.

When the servers’ limits of concurrent connections are reached, the server can no longer respond to legitimate requests from other clients attempting to connect, causing a denial of service.

HTTP flood attacks use standard URL requests, hence it may be quite challenging to differentiate from valid traffic. Traditional rate-based volumetric detection, is ineffective in detecting HTTP flood attacks, since traffic volume in HTTP floods is often under detection thresholds.

Technical analysis

To send HTTP request client establishes TCP connection

Image 1 – Example of TCP connection

Before sending a HTTP request a TCP connection between a user agent and a server is established, using 3-Way Handshake  (SYN, SYN-ACK, ACK) , seen in packets 6,7,24 in the example above.

HTTP request packet will generally be in a PSH, ACK packet, as seen in packet 25 above.

Image 2 – Example of HTTP packets exchange between an attacker and a target:

http packets

An attacker (Ip sends GET / HTTP / 1.1 and POST requests, while the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly.

Image 3 – HTTP Flood stats

As seen in the image above. The capture analyzed is around 9.7 seconds and the average number of packets per second are around 198 PPS, with a rate of around 0.28Mbps per second (considered low, the attack you are analyzing could be significantly higher).

Analysis of HTTP Flood in WireShark – Filters

“http” filter – Will show all http related packets.

“http.request.method == GET” or “http.request.method == POST” – Will show HTTP GETs or POSTs respectively.

It will be important to review the user agent and other HTTP header structures as well as the timing of each request to understand the attack underway.

Download example PCAP of HTTP Flood attack

*Note: IP’s have been randomized to ensure privacy.