Get news about our products, which events we are attending plus industry insights and commentary

Detecting and Mitigating an Application Layer HTTP Flood DDoS Attack

Written by Sarah Chandley on Thursday, 01 November 2018. Posted in Cyber

Cybercriminals are increasingly using application layer Distributed Denial of Service (DDoS) to attack their victims. Unlike a Layer 3-4 DDoS attack that consumes network bandwidth, an application layer or L7 attack can be much smaller in traffic volume and can go unnoticed until too late. This type of attacks effectiveness lies in its ability to mimic genuine HTTP request traffic, bypassing standard IDS tools. Application layer attacks of this nature are often part of a wider multi-vector DDoS that looks to disrupt different parts of a victim’s infrastructure.

The accepted definition of a HTTP Flood is a type of Layer 7 (L7) DDoS (Distributed Denial of Service) attack, designed to overwhelm a server with HTTP requests. There are multiple types of HTTP flood attack, including GET, POST and Fragmentation attacks. Layer 7 is the application layer of the Open Systems Interconnection (OSI) model which defines standards such as HTTP for different computer systems to communicate with each other. The HTTP protocol is how we send and receive content over the internet, like loading webpages.

A Fragmentation attack can use multiple devices to send fragments of a request to consume resource from the target server because it has to keep the connection open, waiting for the full request to arrive, or a GET attack could send multiple GET requests to exhaust processing on the target web server.  This is all seen as legitimate behaviour according to the HTTP protocol which means that when additional requests are made, the target web server simply cannot cope and will stop responding.

A HTTP-POST attack typically hijacks the process of form submission on a website. During this attack multiple post requests are sent directly to a targeted server until its capacity is saturated and denial-of-service occurs. This is because the process of handling the form data and running the relatively complex functions of pushing the data to the persistence layer (usually a database) or running computations on the data, take up significant resource.  

The above Wreckuests is a script which allows you to run DDoS attacks with HTTP-flood(GET/POST). It’s written in pure Python and uses proxy-servers as “bots”.

HTTP flooding works best when the target server allocates a lot of resources in response to a single request. In order to enhance the effectiveness of a HTTP flood, attackers will create botnets to maximise the number of requests sent.

Mitigating an application layer DDoS attack in large networks is a complex issue. As with cyber threats in general and at any network size, it comes down to visibility (you cannot stop what you cannot see) and giving SecOp teams the ability to block malicious traffic in real-time.

Telesoft enables organisations that transport large volumes of data to protect themselves and their customers from this type of attack using a combination of flow monitoring in real time, data prioritisation and aggregation through auto-discovered or user configured entity sets, IP and domain reputation, Signatures and Selective Record. This enables security analysts to discover anomalous behaviour, evaluate impact and take corrective action to remove or redirect traffic.

Find out more about Telesoft DDoS detection tools This email address is being protected from spambots. You need JavaScript enabled to view it.

About the Author

Sarah Chandley

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.