What is an HTTP flood attack?

An HTTP or HTTPS flood is a type of Distributed Denial of Service (DDoS) attack in which an attempt is made to overload a web server or application with a flood of HTTP/S requests. Such DDoS attacks on the application layer (Layer 7) are among the most common forms of attack today.

Sequence of an HTTP Flood Attack

01

A definition of HTTP flood

As the name implies, flood attacks “flood” a server with processing-intensive requests until it no longer has the capacity to respond to legitimate user requests. While SYN or ACK flood attacks are carried out on the network and transport layers (Layers 3 and 4), HTTP or HTTPS flood attacks target the application layer (Layer 7), where each request costs the server far more to process than a single packet, so that comparatively few requests are enough to overload the weakest component of an infrastructure. The distinctive feature: unlike other attacks, HTTP floods consist of technically well-formed (valid) requests to the web server being attacked. Because the malicious HTTP/S requests are, taken individually, virtually indistinguishable from regular traffic, they are particularly difficult to detect and defend against. However, with the right protection technology, this problem can also be managed.

02

How does an HTTP flood attack work?

In an HTTP flood attack, attackers bombard a web server with HTTP requests, typically for pages that are expensive for the server to generate or deliver. The server eventually runs out of capacity and can no longer process legitimate requests, so the website or web application becomes unavailable to its users.

Cybercriminals often employ botnets for such attacks to maximize their efficiency and impact. Botnets usually consist of thousands of compromised, remotely controlled computers and networked IoT devices. They bombard the target’s infrastructure with concurrent requests until it collapses under the load. The Myra SOC (Security Operations Center) has already observed HTTP flood attacks in which the number of malicious requests rose to the mid-triple-digit million range.

03

What are the most frequent types of HTTP flood attacks?

The Hypertext Transfer Protocol (HTTP) provides several methods for exchanging data between a web browser and a website. By far the most commonly used are HTTP GET and HTTP POST. A GET request fetches information from the server without changing any data on it. With the POST method, data is sent to and processed on the server, such as content from a web form. HTTP flood attacks typically take advantage of these two HTTP methods:

HTTP GET flood

In an HTTP GET flood attack, the attacker (via a botnet) requests a massive number of pages or resources that are particularly large, such as images and other static files, or otherwise expensive to deliver. The web server has to send these files anew for every request, which wears down its capacity over time. As a result, it is no longer able to respond to legitimate requests, and the website or web application becomes inaccessible.

HTTP POST flood

In an HTTP POST flood attack, the attacker repeatedly sends data to the web server, with each request chosen so that the server has to spend as many resources as possible processing it, for example form submissions that the application must validate, store, or search on. As a result, the server sooner or later becomes incapable of providing any responses, and the website or web application is no longer accessible. Although this type of attack is more complex to set up, it is also much more effective than a relatively simple HTTP GET flood: because every request forces expensive server-side processing, it causes even more damage with a similarly modest use of the attacker's resources.

04

How can HTTP flood attacks be detected?

Instead of infiltrating the system through security vulnerabilities or planting malware, as in other attacks, HTTP flood attackers overwhelm the server with valid requests. Since these are standard URL requests, the traffic is nearly indistinguishable from normal data traffic on a per-request basis. In addition, request metadata such as the client or User-Agent identifier (browser name) can be freely forged, and a botnet spreads the requests across thousands of genuine source addresses, so neither the sender address nor the client identifier is a reliable signal on its own. This makes identifying attacks even more difficult.

To reliably distinguish attack traffic from legitimate user requests, it is essential to look at the content of the requests and to put them in context: the rate per source, the rate per URL compared with its normal baseline, and the mix of methods, headers, and response sizes. Modern protection systems do this by analyzing all incoming requests before they reach the web server; for HTTPS this means the protection layer has to terminate TLS in front of the origin, since encrypted requests cannot be inspected otherwise. This enables them to automatically detect abnormal traffic patterns and ward off HTTP flood attacks at an early stage.
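The following script illustrates the two signals a protection layer would look for in the request stream described above: a single source exceeding a per-source limit, and a URL receiving far more requests than its baseline even though every source stays under the per-source limit (the botnet case). It is an added example written for this page, not Myra's detection engine. The access-log lines are constructed for the demo, and the thresholds and per-path baselines are assumptions that would have to be tuned against real traffic.

```python
"""Flagging HTTP flood patterns in access-log lines.

Added example for this page, not Myra's detection engine. The log lines
are constructed for the demo, and the thresholds and per-path baselines
are assumptions that would have to be tuned against real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WINDOW_SECONDS = 10
MAX_REQ_PER_SOURCE = 20      # assumption: a browser rarely exceeds this in 10 s
PATH_RATE_MULTIPLIER = 5.0   # assumption: alert at 5x the path's baseline
# Assumed baseline requests per window per path; learned from history in practice.
BASELINE_PER_PATH = {"/": 3.0, "/login": 1.0, "/media/big.jpg": 2.0}
DEFAULT_BASELINE = 1.0


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return event


def analyze_log(lines):
    """Bucket requests into fixed windows and report two flood signals.

    1. A single source exceeding MAX_REQ_PER_SOURCE (classic single-host flood).
    2. A path receiving far more requests than its baseline even though every
       source stays below the per-source limit (botnet-style distributed flood).
    """
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    events.sort(key=lambda e: e["ts"])
    t0 = events[0]["ts"]
    windows = defaultdict(list)
    for e in events:
        windows[int((e["ts"] - t0).total_seconds()) // WINDOW_SECONDS].append(e)

    report = []
    for w in sorted(windows):
        evs = windows[w]
        per_source = Counter(e["ip"] for e in evs)
        noisy_sources = {ip: n for ip, n in per_source.items() if n > MAX_REQ_PER_SOURCE}
        flooded_paths = {}
        for path, n in Counter(e["path"] for e in evs).items():
            if n > BASELINE_PER_PATH.get(path, DEFAULT_BASELINE) * PATH_RATE_MULTIPLIER:
                distinct = len({e["ip"] for e in evs if e["path"] == path})
                flooded_paths[path] = (n, distinct)  # many distinct sources = botnet
        report.append({"window": w, "sources": noisy_sources, "paths": flooded_paths})
    return report


def build_sample_log():
    """Constructed access log: three real users, one noisy host, one botnet."""
    t0 = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)

    def line(ip, offset, method, path, ua):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
    lines = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        lines += [line(ip, i + 2 * k, "GET", "/", browser) for k in range(3)]
    # GET flood: one host pulls a large image 30 times within 10 seconds.
    lines += [line("198.51.100.7", k % 10, "GET", "/media/big.jpg", "Mozilla/5.0") for k in range(30)]
    # POST flood: 60 bots, one request each, every one under the per-source limit.
    lines += [line(f"192.0.2.{k + 1}", k % 10, "POST", "/login", "Mozilla/5.0") for k in range(60)]
    return lines


if __name__ == "__main__":
    for window in analyze_log(build_sample_log()):
        print(window)
```

The per-source check alone catches the single host hammering `/media/big.jpg` but says nothing about the 60 bots posting to `/login` once each; only the per-path comparison against a baseline exposes that, and the distinct-source count tells the operator it is distributed rather than one misbehaving client.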

05

How can HTTP flood attacks be mitigated?

Once the attack traffic has been identified, the requests associated with it can be rigorously blocked or discarded. This leaves the web server with sufficient resources to respond to all legitimate requests. An additional verification step guards against legitimate requests being blocked or discarded by mistake: a client whose requests have been classified as illegitimate can regain legitimate status by solving a CAPTCHA. After successful verification, its requests are forwarded to the web server and answered; a bot that cannot solve the challenge never reaches the origin.
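The block below shows one way to implement that block-then-verify flow: a per-client token bucket decides whether a request is forwarded or answered with a challenge, and a client that solves the CAPTCHA receives a signed, time-limited clearance token that lets its requests through. This is an added example written for this page, not Myra's product. The CAPTCHA itself is assumed to be served and graded by a separate provider; `mint_clearance()` is what the application calls once that provider reports a correct answer. The secret, rate, burst and TTL values are assumptions for the demo.

```python
"""Rate limiting with a CAPTCHA clearance path.

Added example for this page, not Myra's product. The CAPTCHA is assumed to
be served and graded elsewhere; mint_clearance() is called once the provider
reports a correct answer. Secret, rate, burst and TTL are demo assumptions.
"""
import base64
import hashlib
import hmac
import time


class TokenBucket:
    """Per-client budget: `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class FloodMitigator:
    def __init__(self, secret, rate=5.0, burst=10, clearance_ttl=600):
        self.secret = secret          # assumption: per-deployment key, rotated regularly
        self.rate, self.burst = rate, burst
        self.clearance_ttl = clearance_ttl
        self.buckets = {}             # client key (e.g. source IP) -> TokenBucket

    def _sign(self, payload_b64):
        return hmac.new(self.secret, payload_b64.encode(), hashlib.sha256).hexdigest()

    def mint_clearance(self, client_key, now):
        """Issue a signed, time-limited token after the client solved the CAPTCHA.

        The token is bound to the client key so it cannot be handed to other bots.
        """
        payload = f"{client_key}|{int(now) + self.clearance_ttl}".encode()
        payload_b64 = base64.urlsafe_b64encode(payload).decode()
        return f"{payload_b64}.{self._sign(payload_b64)}"

    def verify_clearance(self, token, client_key, now):
        """True only for an untampered, unexpired token bound to this client."""
        try:
            payload_b64, sig = token.rsplit(".", 1)
            if not hmac.compare_digest(sig, self._sign(payload_b64)):
                return False
            key, expiry = base64.urlsafe_b64decode(payload_b64).decode().split("|")
            expiry = int(expiry)
        except (ValueError, UnicodeDecodeError):
            return False
        return key == client_key and now < expiry

    def handle(self, client_key, clearance, now):
        """Decide for one request: 'forward' to the origin or 'challenge' the client."""
        if clearance is not None and self.verify_clearance(clearance, client_key, now):
            return "forward"
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = self.buckets[client_key] = TokenBucket(self.rate, self.burst, now)
        if bucket.allow(now):
            return "forward"
        # Over budget: answer with e.g. HTTP 429 plus a CAPTCHA page instead of
        # touching the origin. A human solves it and gets cleared; a bot does not.
        return "challenge"


if __name__ == "__main__":
    m = FloodMitigator(b"demo-secret-change-me")
    now = time.time()
    print([m.handle("198.51.100.7", None, now) for _ in range(12)])
    tok = m.mint_clearance("198.51.100.7", now)
    print(m.handle("198.51.100.7", tok, now))
```

Two design points worth keeping in a real deployment: the clearance token is bound to the client key and expires, so a single solved CAPTCHA cannot be replayed by the rest of a botnet indefinitely; and the challenge is only ever served to clients that have already exhausted their budget, so ordinary users normally never see it. Behind carrier-grade NAT a source IP is a coarse key, and a cleared client should still be subject to a (more generous) limit rather than exempted outright.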

In any event, defending against HTTP flood attacks requires expertise and technology that only application layer (Layer 7) DDoS protection can provide. Protection systems for the network and transport layers (Layers 3 and 4), for example, see only packets and connections and are therefore unable to distinguish between an HTTP GET flood and a burst of valid downloads. Accordingly, reliably detecting attacks and safeguarding a website or web application requires DDoS protection on all relevant layers. This is the only way operators can prevent attack-related disruptions and downtime, which are often accompanied by loss of revenue, image, and trust.

Myra DDoS Web Protection gives companies in any sector a customized solution for protecting digital business processes. The fully automated technology analyzes incoming traffic in real time and filters out malicious data streams before virtual attacks do any real harm. Thanks to its cloud-based design, implementation of the protection solution is quick and easy, requiring no additional hardware or software.