Detecting and Mitigating an Application Layer HTTP Flood DDoS Attack
An HTTP flood is generally defined as a Layer 7 (L7) DDoS (Distributed Denial of Service) attack designed to overwhelm a server with HTTP requests. There are several types of HTTP flood attack, including GET, POST and fragmentation attacks. Layer 7 is the application layer of the Open Systems Interconnection (OSI) model, which defines standards such as HTTP that allow different computer systems to communicate with each other. HTTP is the protocol used to send and receive content over the internet, such as loading web pages.
A fragmentation attack can use multiple devices to send a request in fragments, consuming resources on the target server because it has to keep the connection open while waiting for the full request to arrive. A GET attack instead sends large numbers of GET requests to exhaust processing capacity on the target web server. Each of these requests is legitimate according to the HTTP protocol, so when enough additional requests arrive the target web server simply cannot cope and stops responding.
An HTTP POST attack typically hijacks the form-submission process on a website. During this attack multiple POST requests are sent directly to the targeted server until its capacity is saturated and denial of service occurs. This works because handling the form data and running the relatively complex functions that push the data to the persistence layer (usually a database) or run computations on it consume significant resources.
Wreckuests is a script that allows you to run DDoS attacks with HTTP flood (GET/POST). It is written in pure Python and uses proxy servers as "bots".
HTTP flooding works best when the target server allocates a lot of resources in response to a single request. To increase the effectiveness of an HTTP flood, attackers build botnets to maximise the number of requests sent.
Mitigating an application layer DDoS attack in large networks is a complex issue. As with cyber threats in general and at any network size, it comes down to visibility (you cannot stop what you cannot see) and giving SecOps teams the ability to block malicious traffic in real time.
Telesoft enables organisations that transport large volumes of data to protect themselves and their customers from this type of attack using a combination of flow monitoring in real time, data prioritisation and aggregation through auto-discovered or user-configured entity sets, IP and domain reputation, Signatures and Selective Record. This enables security analysts to discover anomalous behaviour, evaluate the impact and take corrective action to remove or redirect traffic.
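As an added illustration of the rate-based, per-source detection that the GET/POST descriptions above and the mitigation paragraph call for (example code written for this page, not Telesoft's code or any Telesoft product), the following Python runs a sliding-window check over constructed web-server access-log lines, applying a tighter limit to POST requests because, as described above, each one is costlier to serve. The log format, window length, thresholds and sample addresses are all assumptions; a slow fragmentation attack does not show up this way, because the request never completes and so is never written to the access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
# Combined-format access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: a POST to a form endpoint costs the server far more (database
# writes, computation) than a GET, so it is allowed far fewer requests per window.
WINDOW = timedelta(seconds=10)
LIMITS = {"GET": 20, "POST": 5}

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_floods(lines, window=WINDOW, limits=LIMITS):
    """Sliding-window rate check per (source IP, method); lines must be in time order.
    Returns {(ip, method): peak requests inside one window} for sources over their limit."""
    recent = defaultdict(deque)   # (ip, method) -> timestamps still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in limits:
            continue
        key = (rec["ip"], rec["method"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop requests that have aged out of the window
            q.popleft()
        if len(q) > limits[rec["method"]]:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def _line(ip, second, method, path):
    """Build one constructed log line 'second' seconds after a fixed start time."""
    ts = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample log (documentation IP ranges): one normal visitor, one GET flooder
# sending 40 requests in 10 seconds, and one POST flooder hammering a login form.
SAMPLE_LOG = ([_line("198.51.100.10", s * 6, "GET", "/index.html") for s in range(10)]
              + [_line("203.0.113.7", s // 4, "GET", "/search?q=test") for s in range(40)]
              + [_line("203.0.113.9", s, "POST", "/login") for s in range(8)])
```

Calling `detect_floods(SAMPLE_LOG)` reports 203.0.113.7 with 40 GETs and 203.0.113.9 with 8 POSTs inside one window, while the normal visitor is never flagged; in production the thresholds would be tuned per endpoint from observed baselines rather than fixed as here.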
Find out more about Telesoft DDoS detection tools or contact our sales team.