• Security

What is an HTTP flood attack?

An HTTP flood attack is a special form of DDoS attack (Distributed Denial of Service). The attacker attempts to crash the targeted website or application through a huge number of visits from different locations. An HTTP flood attack is often called a layer 7 attack. Layer 7 refers to the “application layer” in the OSI model, which states that the internet consists of 7 layers.

An attack at this level consists of depriving the network or server of its resources. As soon as the hardware no longer has sufficient resources available, the responses to requests through the client require more time. Because countless requests continue to be sent to the hardware, a constant overloading of the system is caused and the server or entire network are no longer reachable.

When attackers utilize an HTTP flood, they attempt to cause a server crash via requests that are completely standard. How does this HTTP process become a dangerous attack?

How does an HTTP flood occur?

An HTTP flood attack is based on the client’s GET or POST request. When a client – in other words, the browser that calls up the website – sends one of these requests, the server processes the request and sends the result back to the client.

With the GET request, static content such as images and text blocks are retrieved. A POST request is used if access to the dynamic resources is requested. Simply put, the GET method receives data from the server and the POST method sends data to the server. Both methods can be applied in the attack, however, the POST method is utilized more often as is it triggers complex processing by the server.

The HTTP flood attack relies on the fact that many requests will be submitted at the same time across a longer period. In doing so, a botnet is usually utilized to increase the volume of requests. The HTTP flood attack is designed in such a way that the server allocates the most possible resources to each request. In a normal situation, this is how the server is supposed to work, as is doesn’t receive thousands or hundreds of thousands of requests per minute. However, with the massive number of requests and call ups, the attacker expects that the server will become overburdened with the sheer number of process-intensive requests and that the website or application will no longer be properly displayed.

HTTP flood attacks from a botnet to a server
During an attack, thousands of bots each send several requests per second to the server and consequently cause the server or network to crash.

How to stop the attack

As it definitely can happen that a page receives a lot of valid traffic, it is difficult to know whether the increased number of requests stem from an attack or are only the result of a successful marketing campaign. If an HTTP flood attack is detected, however, firewalls can identify and block the suspicious IP adresses.

As a first step, you can send a JavaScript Challenge back to the client. This will allow you to analyze whether the client belongs to a botnet or a regular user. Unlike bots, every browser for a normal user can deal with this additional hurdle.

If the attacker’s strategy is known, simple rules can be introduced into the firewall system that automatically block the botnet’s IP address. Normally, an HTTP flood can be identified and stopped in just a few minutes once you know that this is the cause of the system failure.

How can you protect yourself from these attacks?

It is difficult to protect oneself from an HTTP flood attack, as the requests initially look like normal traffic on the website. No malware is sent to the server and there are no attempts to exploit possible security gaps. Instead, the attackers flood the server with authorized accesses. Because this uses considerably less bandwidth than a substantial infiltration into the page code, the attacks are mostly unrecognized in the early stages.

Most websites have recourse to a captcha test that must be manually executed by a real user. In this way, a botnet can be identified beforehand, and the IP addresses can be blocked. However, there are also firewalls for websites and applications. These systems review and analyze the traffic that arrives at the website. They only slow your website minimally, and in exchange guarantee your protection and stability. Should the site itself already be data- and process-intensive, there is the option of integrating a loading screen while the homepage loads in the background.

Note

HTTP flood is only one of the various forms of DDoS attacks. Attackers may also attempt to halt the service of web servers with methods including ping flood, SYN Flood, UDP Flood, and the ping of death.

  • Security

Related articles

Man-in-the-middle attack

Man-in-the-middle attack

A man-in-the-middle attack is a deceitful espionage attack which aims to listen, record, or manipulate sensitive data being sent between unsuspecting internet users. To do this, hackers rely on methods that enable them to position themselves, unnoticed, between two or more computers communicating with one another. We introduce you to some well-known attack patterns and countermeasures that can be…

Man-in-the-middle attack
What is Social engineering?

What is Social engineering?

The most effective system break-ins often happen without a scene. Instead of disrupting central network devices with DDoS attacks or sneaking through onto operating systems with Trojan horse techniques, hackers increasingly try to exploit the human security gap. There are various such methods that fall within the broader category of social engineering: a technique that sees hackers gather publicly…

What is Social engineering?
ARP Spoofing – flaws in network security

ARP Spoofing – flaws in network security

When it comes to network security, administrators focus primarily on attacks from the internet. But often times, the danger lurks in the internal network. If the LAN turns out to be a blind spot in the security IT, then internal attackers have an easy time. A popular method of attack is ARP spoofing. With this, hackers switch undetected between two communication partners in order to intercept,…

ARP Spoofing – flaws in network security
What is HTTP?Titima OngkantongShutterstock

What is HTTP?

Every web address begins with the letters HTTP. But what does HTTP mean? And why is it important? We’ll show you what you need to know about the Hypertext Transfer Protocol, one of the oldest and most important internet protocols that is required for your web browser to communicate with the web server. So, how exactly does it work?

What is HTTP?
What is Log4Shell? Causes and effects of the Java vulnerability

What is Log4Shell? Causes and effects of the Java vulnerability

A shock was felt around the world at the end of 2021 when the Log4Shell vulnerability became known to the public. Attackers were able to completely take over remote systems without much effort. All major companies and many of the most widely used services were affected by it. In our article, we’ll explain why Log4Shell was so disastrous, how the exploits work, and what protective measures are…

What is Log4Shell? Causes and effects of the Java vulnerability
We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.