In an HTTP flood, the attacker sends randomized HTTP requests at the victim system. HTTP flood attacks are hard to deal with because there is almost no reliable way to tell legitimate requests apart from the ones sent by the attacker. Furthermore, unlike with ICMP flood attacks, you cannot simply block all HTTP traffic without making your web server inaccessible. The target of an HTTP flood DDoS attack is not just the server's TCP/IP stack but the web server software running on it, which makes the attack far more dangerous in terms of crashing the server.
How to block and prevent HTTP flood?
The most efficient way to fight an HTTP flood is a technique called tarpitting. You can enable tarpitting on Linux-based systems with the rule iptables -A INPUT -s x.x.x.x -p tcp -j TARPIT. Tarpitting automatically sets the connection's window size to a few bytes once the connection is established. By TCP/IP protocol design, the connecting device will initially send only as much data to the target as it takes to fill the window, and then wait for the server to respond. If the connecting device does not receive our response, it will resend the same packets again and again over an increasingly longer period of time. The point of tarpitting is to never respond again to packets that did not get a response the first time (and were thereby spoofed).
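The rule above tarpits every TCP packet from one address. As an added example (not from the original post), the script below combines a per-source TARPIT rule for a confirmed abusive address with two standard netfilter limits on the web port: hashlimit to cap the rate of new connections per source address and connlimit to cap concurrent connections per source. TARPIT is not part of stock iptables; it comes from the xtables-addons package, and its documentation recommends keeping tarpitted flows out of connection tracking, which the raw-table NOTRACK rule does. The thresholds (20 new connections/sec, burst 40, 50 concurrent) are assumed starting points, not values from the post, and the addresses are constructed from the 203.0.113.0/24 documentation range. DRY_RUN=1 (the default) prints the rules instead of applying them, so the script can be reviewed before it touches a firewall.

```shell
#!/bin/sh
# Added example: layered iptables policy against HTTP floods.
# TARPIT requires xtables-addons; hashlimit and connlimit are standard modules.
# Addresses used in the usage line are constructed (TEST-NET-3 range).

# Print the rules instead of applying them unless DRY_RUN=0 is set.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Tarpit web-port traffic from one confirmed abusive source, and keep those
# flows out of conntrack as the xtables-addons TARPIT documentation recommends.
http_tarpit_rule() {
    src="$1"
    port="$2"
    ipt -t raw -A PREROUTING -s "$src" -p tcp --dport "$port" -j NOTRACK
    ipt -A INPUT -s "$src" -p tcp --dport "$port" -j TARPIT
}

# Generic limits for everyone else (assumed thresholds):
#  - drop the SYN when one source opens more than 20 new connections/sec
#    (burst 40), tracked per source IP by hashlimit
#  - drop when one source holds more than 50 concurrent connections
http_rate_limit_rules() {
    port="$1"
    ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-above 20/sec --hashlimit-burst 40 \
        --hashlimit-mode srcip --hashlimit-name "http_$port" -j DROP
    ipt -A INPUT -p tcp --dport "$port" -m connlimit --connlimit-above 50 \
        --connlimit-mask 32 -j DROP
}

# Build the whole policy: per-source tarpit rules first (so a tarpitted source
# is answered with the tiny window rather than silently dropped), then the
# generic limits. Arguments: <port> [abusive-source ...]
http_flood_policy() {
    port="$1"
    shift
    for src in "$@"; do
        http_tarpit_rule "$src" "$port"
    done
    http_rate_limit_rules "$port"
}

# Usage (dry run, prints six rules for two constructed abusive sources):
http_flood_policy 80 203.0.113.5 203.0.113.77
```

Run it as-is to review the generated rules; set DRY_RUN=0 and run as root to apply them. Because rules are appended, make sure no earlier ACCEPT rule on the web port sits ahead of them in the INPUT chain.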
2 comments
Do you have more info about it?
HTTP is TCP, so a SYN packet will be the first in the connection. Are you talking about this kind of attack, or another one where the attacker already has a connection and is requesting GETs from the HTTP server? You mention spoofing, which cannot be easily accomplished in TCP, so I guess you are talking about SYN attacks. Am I correct?
-as
Yes, you are correct.
HTTP flood is pretty much just a SYN attack that is aimed at the web server.