What is an HTTP Flooding Attack?

An HTTP flood attack utilizes what appear to be legitimate HTTP GET or POST requests to attack a web server or application. These flooding attacks often rely on a botnet, which is a group of Internet-connected computers that have been maliciously appropriated through the use of malware such as a Trojan Horse.

What Are the Signs of an HTTP Flooding Attack?

These types of DDoS attacks are designed to cause the targeted server or application to allocate the most resources possible in direct response to each request. In this way, the attacker hopes to overwhelm the server or application, “flooding” it with as many process-intensive requests as possible.

HTTP POSTs are often used because they involve complex server-side processing, while HTTP GET attacks are easier to create, thus lending themselves to botnet attacks which rely on scale to achieve the desired disruption.

Why Are HTTP Flooding Attacks Dangerous?

Because they use standard URL requests, HTTP flooding attacks are nearly indistinguishable from valid traffic. Because they don’t rely on malformed packets, spoofing or reflection techniques, they are difficult to detect. And since they require lower bandwidth than brute force attacks, they can often “fly under the radar” while bringing down a targeted site or server.

HTTP flooding attacks are specifically designed for the particular target they are aimed at, making them much harder to uncover and block.

How to Mitigate and Prevent an HTTP Flooding Attack

Since traffic volume in HTTP flooding attacks is generally below detection thresholds, standard rate-based detection is ineffective at detecting these attacks. A better approach is a combination of traffic profiling techniques, including establishing an IP reputation database so as to track and block abnormal activity, and deploying progressive security challenges.  By issuing a requirement such as a JavaScript computational challenge to the requesting machine, it is possible to test if a bot is involved, and thus mitigate an attack if it is.

Additional means of preventing an HTTP flooding attack include a web application firewall (WAF), as well as constant monitoring by threat engineers.