An HTTP flood attack is a type of DDoS attack in which attackers overwhelm a web server with a massive number of HTTP or HTTPS requests, exhausting its resources and denying service to legitimate users. These attacks often use botnets to generate larger volumes of requests.
What is an HTTP flood attack?
An HTTP flood attack is a type of application-layer DDoS attack that overwhelms a target’s web server by flooding it with seemingly legitimate HTTP or HTTPS requests. This attack targets the application layer (Layers 5-7) of the OSI model, aiming to disrupt the application server, its operating system, and its data sources rather than its underlying network infrastructure. These attacks can utilize both GET and POST requests to exhaust the server’s resources, making it unable to respond to real users’ requests.
Unlike traditional DDoS attacks that overwhelm network bandwidth, HTTP flood attacks use less bandwidth but generate massive traffic volumes at the application layer. This makes HTTP flooding attacks harder to detect because the traffic can blend in with legitimate user traffic. Attackers often employ botnets to generate the flood, saturating a website with traffic and making it inaccessible.
The attacker sends an overwhelming number of HTTP requests, often leveraging weaknesses in POST commands or using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption to mask the attack. This forces the server to allocate resources to process each request, eventually leading to resource exhaustion. HTTP attacks are difficult to detect as they mimic normal user behavior, making them more effective at bypassing security controls like Intrusion Detection Systems (IDS), which cannot see inside the encrypted data stream.
How does an HTTP flood attack impact the business?
These HTTP flooding attacks can result in significant downtime, financial losses, and damage to reputation as services become unavailable to legitimate users. HTTP flood attack prevention measures are critical for businesses that rely on continuous uptime, such as e-commerce websites, streaming video services, and financial institutions’ online banking.
By implementing proactive defenses such as WAFs and traffic monitoring, businesses can reduce the risk of becoming a victim of these types of DDoS attacks.
Prevention of HTTP flood attacks.
Preventing an HTTP flood DDoS attack involves multiple strategies:
- Traffic filtering and rate limiting: Limiting the number of requests per source IP address per time unit helps mitigate HTTP DDoS attacks. For example, a very prudent rate limiting setting would be 300 requests in 60 seconds.
- DDoS mitigation services: Purpose-built DDoS mitigation services can detect HTTP floods at the network level and can block them and other types of DDoS attacks.
- WAFs: Configuring WAFs to block or filter malicious traffic before it overwhelms the application server. WAFs can identify the signature of HTTP requests used in an attack and also support rate limiting.
- CDNs: Content Delivery Networks (CDNs) help distribute traffic across multiple servers, making it harder to overwhelm a single target and limiting the impact of a localized outage. Most CDNs also support WAF configurations.
- Monitoring and alerts: Keeping track of abnormal spikes in traffic and web server availability can help detect and mitigate the attack early.
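The per-source-IP rate limit from the first item above, sketched as a sliding-window counter that uses the text's figure of 300 requests in 60 seconds. This is an added example, not Vercara's code or an UltraWAF configuration; the class and function names and the sample traffic (documentation-range IP addresses) are constructed for illustration.

```python
from collections import defaultdict, deque

LIMIT = 300          # requests per source IP (figure from the text)
WINDOW_MS = 60_000   # 60 seconds, in integer milliseconds

class SlidingWindowLimiter:
    """Per-source-IP sliding window; only accepted requests are counted."""
    def __init__(self, limit=LIMIT, window_ms=WINDOW_MS):
        self.limit = limit
        self.window_ms = window_ms
        self.hits = defaultdict(deque)  # ip -> timestamps of accepted requests

    def allow(self, ip, now_ms):
        q = self.hits[ip]
        # Forget requests that have aged out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: reject (or challenge) this request
        q.append(now_ms)
        return True

def replay(events, limiter=None):
    """Replay (timestamp_ms, ip) events; return {ip: [allowed, blocked]}."""
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return dict(stats)

def constructed_traffic():
    """Constructed sample: two minutes of traffic from documentation-range IPs."""
    browsing = [(i * 2000, "192.0.2.10") for i in range(60)]    # 30 requests/min
    flooding = [(i * 50, "198.51.100.7") for i in range(2400)]  # 20 requests/s
    return browsing + flooding

if __name__ == "__main__":
    for ip, (ok, blocked) in replay(constructed_traffic()).items():
        print(f"{ip}: allowed={ok} blocked={blocked}")
```

A per-IP limit like this only constrains each individual source, so a flood spread across many botnet addresses that each stay under the threshold passes through it, which is why the list pairs rate limiting with signature-based WAF rules and monitoring. The table of timestamps also grows with the number of distinct sources, so a long-running limiter needs to expire idle entries.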
How Vercara can help.
Vercara’s UltraWAF is a cloud-based WAF deployed to over 15 points-of-presence. It supports HTTP request rate limiting based on source IP address, session ID, or path inside of the website. Administrators can deploy custom rulesets on UltraWAF to detect and block the signatures of an HTTP flood DDoS attack based on criteria such as User-Agent, referer header, or cookie value. UltraWAF also has countermeasures for the most common attacks such as SQL injection and command injection.
Vercara’s network DDoS mitigation service, UltraDDoS Protect, functions at the network layer to detect and block HTTP flood DDoS attacks plus a wide variety of other DDoS attacks. With 15 Tbps of DDoS traffic ingestion across over 15 points of presence, UltraDDoS Protect can absorb and mitigate the largest attacks seen to date. UltraDDoS Protect is operated 24/7 by Vercara’s Security Operations Center.
Vercara’s other platforms such as our authoritative managed DNS platform, UltraDNS, and our Web Application Firewall service, UltraWAF, are protected by distributed points of presence, anycast IP networking, and by the DDoS mitigation capabilities of UltraDDoS Protect.
While HTTP flood DDoS attacks have proven to be a highly effective technique used by DDoS attackers, the threat is manageable thanks to service providers such as Vercara. We help our customers to operate safely on a hostile Internet. For more information on this threat or any other attack, feel free to contact us.