In an HTTP Flood, attackers send vast numbers of seemingly legitimate HTTP requests to a server. The requests can be either GET or POST. The goal of this kind of DDoS attack is to force the server to spend so many of its resources (CPU, memory, worker threads, database connections) serving the attack that it can no longer serve legitimate users.
GET requests are typically used to retrieve static content, such as images, and usually impose a low per-request load on the server. POST requests typically make the server do some processing, for instance looking up items in a database, so they usually impose a higher load per request. An attacker can also use HEAD, PUT, OPTIONS or any other HTTP method to cause an outage, hence the alternative name Excessive Verb Floods.
Flood requests are usually GET requests directed at the most CPU-intensive pages or endpoints on the targeted server, for instance ones that run a database query on every hit. Because each request is valid and cheap to send but expensive to serve, a single machine can generate a significant number of them, and the attacker needs only a relatively small number of attacking machines to take down a system.
HTTP Floods are difficult to detect because each request, taken on its own, looks like legitimate traffic. The most effective mitigation combines several signals rather than relying on one: traffic profiling (per-client request rate and which pages are requested), IP reputation, and tracking of abnormal behaviour such as request sequences no real browser would produce.
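As an added example (not code from the original page), the following script combines the three signals just mentioned over web-server access logs: a per-client sliding-window request rate, a reputation list, and a behavioural check on whether a client ever fetches the static assets a real browser loads. The log lines, the addresses, the reputation list and every threshold are constructed for illustration.

```python
"""Profile web-server access logs for HTTP-flood behaviour.

Added example, not part of the original page. Combines three signals the
text mentions: per-client request rate, an IP-reputation list and abnormal
behaviour. Log lines, the reputation list and all thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_dynamic(path):
    """Static assets are cheap; everything else is assumed to hit app code."""
    return not path.split("?", 1)[0].lower().endswith(STATIC_EXT)


def profile_clients(lines, window_seconds=10):
    """Per-IP profile: peak requests in any sliding window, share of dynamic
    requests, and the set of User-Agents seen."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak, lo = 0, 0
        for hi in range(len(recs)):  # two-pointer sliding window
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        dynamic = sum(1 for r in recs if is_dynamic(r["path"]))
        profiles[ip] = {
            "requests": len(recs),
            "peak_in_window": peak,
            "dynamic_ratio": dynamic / len(recs),
            "user_agents": {r["ua"] for r in recs},
        }
    return profiles


def score_clients(profiles, bad_reputation, rate_threshold=20, dynamic_threshold=0.9):
    """Flag an IP only when at least two independent signals agree, so that a
    busy NAT gateway with a high rate but a normal browsing mix is not blocked."""
    flagged = {}
    for ip, p in profiles.items():
        signals = []
        if ip in bad_reputation:
            signals.append("bad-reputation")
        if p["peak_in_window"] >= rate_threshold:
            signals.append("high-rate")
        # A real browser fetches CSS/JS/images after a page; a bot hammering
        # an expensive endpoint never does.
        if p["requests"] >= 10 and p["dynamic_ratio"] >= dynamic_threshold:
            signals.append("dynamic-only")
        if len(signals) >= 2:
            flagged[ip] = signals
    return flagged


def sample_log():
    """Constructed access-log sample (not real traffic)."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, secs, method, path, ua):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
    lines = []
    # Legitimate visitor: a page view followed by its static assets.
    for i, path in enumerate(["/", "/style.css?v=3", "/app.js", "/logo.png", "/products"]):
        lines.append(line("203.0.113.10", i * 0.5, "GET", path, browser))
    # Flood bot: 30 GETs against the expensive search endpoint in 6 seconds.
    for i in range(30):
        lines.append(line("198.51.100.7", i * 0.2, "GET", f"/search?q=item{i}", "python-requests/2.31"))
    # Second bot: slower POST flood, but its address is on the reputation list.
    for i in range(12):
        lines.append(line("198.51.100.8", i * 2, "POST", "/api/report", "curl/8.4.0"))
    return lines


if __name__ == "__main__":
    profiles = profile_clients(sample_log())
    for ip, why in score_clients(profiles, bad_reputation={"198.51.100.8"}).items():
        print(ip, why)
```

Requiring two agreeing signals is the point of the design: the per-IP rate counter on its own would also flag a corporate NAT gateway that happens to be busy, whereas a gateway serving real browsers still shows a normal mix of page and asset requests and is left alone. In production the thresholds would be tuned per endpoint, since a search page tolerates far fewer requests per second than a static image.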
HTTP Floods are usually launched from botnets, networks of computers that have been taken over with Trojan malware. Because they need far less bandwidth than volumetric attacks to exhaust a server, they are a fairly common form of DDoS. They are application-layer (Layer 7) attacks and are sometimes grouped with low-and-slow attacks because of the relatively small amount of bandwidth they use, although unlike true low-and-slow attacks, which tie up connections, they rely on the per-request cost of valid requests to eventually render the victim's servers unresponsive.
Non-spoofed UDP Floods are often listed alongside HTTP Floods because they share the same evasion property, although they involve no HTTP at all: attackers send non-spoofed UDP packets at an extremely high packet rate. The packets are generated by bots with legitimate public IP addresses, which makes them difficult to identify because they resemble good traffic. They have the same end goal as any UDP Flood: overwhelming the network with a large volume of incoming junk UDP packets. Non-spoofed UDP Floods are particularly troublesome to identify when the bots generate traffic from behind a Network Address Translation (NAT) gateway that also serves valid users, because blocking the gateway's address blocks those users too.