A recursive GET attack is a variant of the excessive verb attack, or HTTP flood, in which attackers send huge numbers of well-formed HTTP requests to a server to overwhelm it so that it denies service to legitimate users. These requests can be GET or POST requests; GET requests are used to retrieve static content.
Excessive verb attacks let the attacker create and sustain high CPU load on the victim server with disproportionately low attack packet rates. They usually consist of GET requests aimed at retrieving large resources from the site. Because each bot can generate a massive number of valid requests (over 10 per second), these attacks do not require a large number of bots.
In the case of a recursive GET attack (also known as a recursive HTTP GET flood), an attacker identifies multiple pages and/or images of a website and generates an HTTP GET request for each object, making it appear as if a legitimate user is browsing through those pages or images. This attack vector can be highly challenging to detect because the recursive requests for website objects look valid. It can be combined with any of the verb attack methods, such as HEAD, PUT, OPTIONS or any other HTTP method, with the aim of causing a DDoS.
A random recursive GET attack is a modified version of a recursive GET attack. It is mainly used against news sites or forum sites whose web pages are numerically indexed, typically in sequential order. The attacker inserts a random number within the valid range of page reference numbers, which makes each subsequent GET request different. Because each query differs from the previous one, it closely emulates legitimate user behaviour and makes detection more difficult.
One way to protect against excessive verb attacks is to limit the bandwidth allowed per IP address; however, this can actually serve the attacker’s agenda by slowing the website down or making it partially unavailable to legitimate users. The other option is to deploy hardware traffic analysis and scrubbing (cleaning) tools, and/or to work with a DDoS protection service to guard against such attacks.
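As an added illustration, not part of the original article, the following Python script profiles web-server access-log lines and flags a source whose request rate exceeds the per-bot figure quoted above and whose requests walk many distinct page indices, the signature of a random recursive GET against numerically indexed pages. The log sample, the /news/<id> URL layout and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (combined format), not from the article: 203.0.113.7 walks
# random numeric article ids within one second; 198.51.100.23 reads two articles normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/4817 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/1290 HTTP/1.1" 200 4980
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/3301 HTTP/1.1" 200 5011
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/902 HTTP/1.1" 200 4870
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/4410 HTTP/1.1" 200 5200
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/77 HTTP/1.1" 200 4700
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/2518 HTTP/1.1" 200 5090
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/3960 HTTP/1.1" 200 5033
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/1111 HTTP/1.1" 200 4960
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/4002 HTTP/1.1" 200 5150
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /news/645 HTTP/1.1" 200 4820
198.51.100.23 - - [10/Oct/2023:13:55:10 +0000] "GET /news/4817 HTTP/1.1" 200 5120
198.51.100.23 - - [10/Oct/2023:13:55:48 +0000] "GET /news/4818 HTTP/1.1" 200 5140
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
PAGE_ID_RE = re.compile(r'^/news/(\d+)$')  # assumed layout of the numerically indexed pages
RATE_LIMIT = 10.0   # requests/second per source IP (the article cites bots exceeding 10/s)
MIN_ID_RATIO = 0.8  # fraction of a source's requests that fetch a distinct page index

def profile_sources(log_text):
    """Per source IP: request timestamps and the set of distinct numeric page ids fetched."""
    stats = defaultdict(lambda: {"times": [], "ids": set()})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # malformed lines skipped
        ip, ts, path = m.groups()
        s = stats[ip]
        s["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        page = PAGE_ID_RE.match(path)
        if page:
            s["ids"].add(int(page.group(1)))
    return stats

def flag_recursive_get(log_text):
    """Return {ip: (rate, id_ratio)} for sources matching a random recursive GET profile."""
    flagged = {}
    for ip, s in profile_sources(log_text).items():
        span = max((max(s["times"]) - min(s["times"])).total_seconds(), 1.0)  # 1 s log granularity
        rate = len(s["times"]) / span
        id_ratio = len(s["ids"]) / len(s["times"])
        if rate > RATE_LIMIT and id_ratio >= MIN_ID_RATIO:
            flagged[ip] = (round(rate, 2), round(id_ratio, 2))
    return flagged
```

Per-IP rate alone would also match a busy NAT gateway, which is the false-positive risk behind the bandwidth-limit caveat above; requiring a high distinct-index ratio narrows the match, but both thresholds still have to be tuned to the site's normal traffic.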