[Dr.WoW] [No.17] HTTP Flood Attack and Defense

Latest reply: May 29, 2015 07:18:56

Now let's take a look at another typical application-layer attack: HTTP flood. HTTP flood attacks are increasing each year and should not be underestimated.

1 Attack Mechanism

To launch an HTTP flood, the attacker can use zombie hosts to send a large number of HTTP requests to the target. The requests contain uniform resource identifiers (URIs) that require resource-intensive operations, such as database operations, to exhaust the resources on the target server and make it unable to respond to normal requests.

NOTE

A URI is used to define a web resource, whereas a Uniform Resource Locator (URL) is used to locate it. For example, www.huawei.com/abc/12345.html is a URL, but /abc/12345.html is a URI.

2 Defense Measure

To prevent HTTP flood attacks, we can use HTTP redirection. For example, when a client requests www.huawei.com/1.html from the web server, the web server returns a message instructing the client to request www.huawei.com/2.html instead, which redirects the request to a new URI.
HTTP redirection is a self-healing process in which a web server redirects a request to a new URI when the originally requested URI has become obsolete, so that the client can still visit the desired web page, as shown in Figure 1-1.

Figure 1-1 HTTP redirection


This mechanism can be used by firewalls to verify whether the source of HTTP requests is real to prevent HTTP flood attacks.

As shown in Figure 1-2, the firewall collects statistics on HTTP requests. If the number of HTTP requests destined for a destination reaches the preset threshold during a specified period of time, HTTP source authentication is triggered.

After HTTP source authentication is enabled, the firewall sends an HTTP redirect to the client on behalf of the web server upon receiving a request to instruct the client to request a new URI that does not exist. If the firewall does not receive a request for the new URI, the firewall considers the client false. If the firewall receives a request for the new URI, the firewall considers the client real and whitelists the IP address of the client. Then, the firewall sends another HTTP redirect to the client to instruct the client to request the original URI, that is, the URI requested by the client in the first place. All subsequent HTTP requests from the client are considered legitimate until the whitelist entry expires.

Figure 1-2 HTTP source authentication


Although two HTTP redirects are used in the authentication process, the redirection is done quickly between the server and browser and will not affect user experience.

Let's see the detailed process through the following packet capture screenshots.

1. The client requests /index.html, as shown in the following figure.

[Figure: packet capture screenshot]

2. Upon receiving the request, the firewall replies on behalf of the web server to redirect the client to /index.html?sksbjsbmfbclwjcc, as shown in the following figure.

[Figure: packet capture screenshot]

3. The client requests /index.html?sksbjsbmfbclwjcc, as shown in the following figure.

[Figure: packet capture screenshot]

4. Upon receiving the request, the firewall determines that the source of the HTTP request is real and redirects the client to the originally requested URI (/index.html), as shown in the following figure.

[Figure: packet capture screenshot]

However, HTTP source authentication is not a one-size-fits-all solution in the real world, because some clients, such as set-top boxes (STBs), do not support HTTP redirection. Therefore, before configuring HTTP source authentication, verify that no such clients exist on your network. Otherwise, normal services will be interrupted.

3 Commands

Table 1-1 lists the HTTP flood attack defense configuration commands, using USG9500 V300R001 as an example.

Table 1-1 HTTP flood attack defense commands

Function: Enable HTTP flood attack defense.
Command: firewall defend http-flood enable

Function: Configure HTTP flood attack defense parameters.
Command: firewall defend http-flood source-detect interface { interface-type interface-number | all } alert-rate alert-rate-number [ max-rate max-rate-number ]

Those are common DDoS attacks and related defense measures on firewalls. Although firewalls have DDoS attack defense capabilities, they are not dedicated anti-DDoS products. If you need dedicated anti-DDoS products, we have AntiDDoS1000 and AntiDDoS8000. These are world-leading anti-DDoS products and Huawei's killer products. For more information about these products, visit the Huawei website and download the product documents.

 

Questions from Dr. WoW:

1. What are the three types of single-packet attacks?
2. What are the measures to prevent SYN flood attacks? What are the application scenarios of the measures?
3. What are the measures to prevent UDP flood attacks?
4. To prevent HTTP flood attacks, is each HTTP request from a source redirected?
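
The HTTP source authentication exchange described in section 2 of the post above (threshold trigger, redirect to a URI that does not exist, whitelisting, redirect back), modelled in Python as an added example; it is not Huawei's implementation and not code from the original post. The class name, the sliding-window counter and the HMAC-derived stateless token are assumptions of this sketch, since the page does not say how the firewall generates or tracks the random URI; the traffic in `demo()` is constructed.

```python
import hashlib
import hmac
import secrets
import time


class HttpSourceAuth:
    """Toy model of firewall HTTP source authentication for one protected server."""

    def __init__(self, threshold=3, window=1.0, ttl=60.0, clock=time.monotonic):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.clock = clock
        self.key = secrets.token_bytes(32)  # secret used to derive probe tokens
        self.hits = []                      # arrival times of recent requests
        self.whitelist = {}                 # source IP -> whitelist expiry time

    def _token(self, ip, uri):
        # Assumed design: stateless token, so nothing is stored per unverified source.
        mac = hmac.new(self.key, f"{ip} {uri}".encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def handle(self, ip, uri):
        """Return ("forward", uri) or ("redirect", location) for one request."""
        now = self.clock()
        self.hits = [t for t in self.hits if now - t < self.window] + [now]
        if self.whitelist.get(ip, 0.0) > now:
            return ("forward", uri)            # source already proven real
        cut = max(uri.rfind("?"), uri.rfind("&"))
        if cut > 0:
            original, tail = uri[:cut], uri[cut + 1:]
            if hmac.compare_digest(tail.encode(), self._token(ip, original).encode()):
                self.whitelist[ip] = now + self.ttl
                return ("redirect", original)  # second redirect: original URI
        if len(self.hits) < self.threshold:
            return ("forward", uri)            # below threshold: not triggered
        sep = "&" if "?" in uri else "?"
        return ("redirect", uri + sep + self._token(ip, uri))  # first redirect


def demo():
    """Constructed traffic: a flood source that ignores redirects, then a real browser."""
    fw = HttpSourceAuth(threshold=3)
    results = [fw.handle("198.51.100.7", "/index.html") for _ in range(3)]
    action, probe = fw.handle("192.0.2.10", "/index.html")  # steps 1 and 2
    back = fw.handle("192.0.2.10", probe)                   # steps 3 and 4
    after = fw.handle("192.0.2.10", "/news.html")           # whitelisted source
    return results, (action, probe), back, after
```

Because the token is bound to the source IP, a probe URI issued to one client does not whitelist a different source that replays it.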


user_2790689
Created May 29, 2015 07:18:56

Thank you.