September 20, 2023
Cybercriminals are now leveraging attack vectors previously only available to well-funded nation-state actors.
Security professionals know the dangers associated with distributed denial-of-service attacks (DDoS). These attacks typically target the core data transmission protocols that form the foundation of every organization’s internet services.
However, these network-layer attacks are not the only type of DDoS attack that exists. Hackers can also target application-layer protocols like HTTP.
These attacks used to be difficult and expensive to carry out.
Traditionally, only well-funded nation-state threat actors could reliably leverage the infrastructure needed to carry out advanced HTTP flood attacks.
This appears to be changing, with non-nation-state-affiliated threat actors carrying out HTTP flood attacks in higher numbers. These cybercriminals presumably use DDoS-as-a-service tools developed by one or more major cybercrime syndicates.
How HTTP Flood Attacks Work
Like regular DDoS attacks that target the network layer, HTTP flood attacks leverage botnets to overwhelm target servers with frivolous requests, forcing them to stop working. Achieving this on the application layer involves considerable technical challenges. Cybercriminals must hijack virtual machines and provision them with highly randomized fingerprints while enabling them to make complex HTTP requests.
There are two primary varieties of HTTP flood attacks.
- HTTP GET attacks flood target servers with requests for images, files, or other assets. The target server is overwhelmed with processing all these requests and is forced to deny service to legitimate requests from other users.
- HTTP POST attacks consume a targeted server’s resources by forcing it to consult assets in its persistence layer, usually a database. One way to do this is by abusing form submission tools. The attack forces the target server to handle fraudulent form data and run database commands instead of responding to legitimate requests.
In both cases, these attacks mimic the actions of legitimate human users in ways that traditional DDoS attacks do not. Targeting the application layer involves creating significantly more complex requests than, for example, a late 1990s-style Ping of Death.
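To make the two varieties concrete from the defender's side, the following added example (illustrative code, not Castra's) parses constructed web-server access-log lines, finds each client's peak request rate inside a sliding window, and labels clients whose traffic is dominated by static-asset GETs or by POSTs to form endpoints. The log format, the asset extensions, the form paths (`/login`, `/contact`, `/search`) and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style line: client, identd, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".png", ".jpg", ".css", ".js", ".pdf", ".zip")   # static assets a GET flood asks for
FORM_PATHS = {"/login", "/contact", "/search"}                 # assumed endpoints whose POSTs hit the database


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def peak_requests(recs, window_s):
    """Largest number of requests by one client inside any window_s-second span."""
    recs.sort(key=lambda r: r["ts"])
    peak, start = 0, 0
    for end in range(len(recs)):
        while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def classify_clients(lines, window_s=60, rate_threshold=30, ratio=0.8):
    """Map each client IP to 'normal', 'http-get-flood', 'http-post-flood' or 'high-rate'.
    A client is a flood candidate when it exceeds rate_threshold requests in any window;
    the mix of static-asset GETs versus form POSTs decides which variety it resembles."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in per_ip.items():
        if peak_requests(recs, window_s) < rate_threshold:
            verdicts[ip] = "normal"
            continue
        n = len(recs)
        asset_gets = sum(r["method"] == "GET" and r["path"].lower().endswith(ASSET_EXT) for r in recs)
        form_posts = sum(r["method"] == "POST" and r["path"] in FORM_PATHS for r in recs)
        if asset_gets / n >= ratio:
            verdicts[ip] = "http-get-flood"
        elif form_posts / n >= ratio:
            verdicts[ip] = "http-post-flood"
        else:
            verdicts[ip] = "high-rate"
    return verdicts


def sample_lines():
    """Constructed sample traffic (not real data): one GET flood, one POST flood, one normal client."""
    base = datetime(2023, 9, 20, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("198.51.100.7", i, "GET", f"/img/banner{i % 4}.png") for i in range(40)]
    lines += [line("203.0.113.9", i // 2, "POST", "/login", ua=f"agent-{i}") for i in range(40)]  # UA varies per request
    lines += [line("192.0.2.5", i * 60, "GET", "/style.css" if i % 2 else "/index.html") for i in range(6)]
    return lines


if __name__ == "__main__":
    for ip, verdict in classify_clients(sample_lines()).items():
        print(ip, verdict)
```

Note the limitation this simple check inherits: it keys on a single client address, so a flood spread across many sources that each stay under `rate_threshold` would be labelled `normal` by every row; the randomized user agents in the POST sample also do nothing to hide the request rate itself, which is why rate and request mix are a better starting signal than fingerprints.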
Challenges to Protecting Against HTTP Flood Attacks
Mitigating attacks on the application layer presents additional challenges to organizations. Many solutions impact the usability of web-based assets and create user friction.
For example, CAPTCHA-style tests can prevent bots from abusing the HTTP protocol. However, forcing users to undergo CAPTCHA tests every time they navigate to your website doesn’t help the user experience.
More importantly, many of these solutions are not sufficiently advanced to protect against the highly randomized fingerprints observed in recent attacks. New techniques enable cybercriminals to blend fraudulent traffic with traffic from reputable third-party DNS resolvers like Google and Cloudflare. You can’t block every query from these addresses without damaging your web capabilities.
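A CAPTCHA on every page and a blanket block on a shared source address are the two extremes; the following added example (illustrative code, not Castra's) shows a middle path: a per-client token bucket with a graduated response, where clients within their budget are never challenged, clients in debt receive a CAPTCHA-style challenge, and only clients far beyond the limit are dropped. The bucket is keyed on IP plus a session identifier (assumed to be available from a cookie) so that distinct users behind one shared address are not throttled together. Rates, burst sizes and debt limits are assumptions for the example.

```python
import time
from collections import Counter


class GraduatedLimiter:
    """Token bucket per client key with three outcomes instead of a hard block.

    Each key earns rate_per_s tokens per second up to `burst`. A request spends one
    token. While tokens stay >= 0 the request is allowed; once the bucket is in debt
    the client is challenged (CAPTCHA-style) rather than dropped; only beyond
    challenge_debt is the request dropped. Debt is capped at drop_debt so a client
    recovers after at most drop_debt / rate_per_s seconds of silence.
    """

    def __init__(self, rate_per_s=5.0, burst=20, challenge_debt=20, drop_debt=60):
        self.rate = rate_per_s
        self.burst = burst
        self.challenge_debt = challenge_debt
        self.drop_debt = drop_debt
        self.buckets = {}  # client_key -> (tokens, last_update)

    def decide(self, client_key, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(client_key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill for elapsed time
        tokens = max(-float(self.drop_debt), tokens - 1.0)                  # spend one token, cap the debt
        self.buckets[client_key] = (tokens, now)
        if tokens >= 0:
            return "allow"
        if tokens >= -self.challenge_debt:
            return "challenge"
        return "drop"


def client_key(ip, session_id):
    """Key on IP plus session (assumed available from a cookie) so that distinct users
    behind one shared address are not throttled together."""
    return f"{ip}|{session_id}"


def simulate(limiter, key, timestamps):
    """Feed one request per timestamp and return how many got each outcome."""
    return dict(Counter(limiter.decide(key, now=t) for t in timestamps))


if __name__ == "__main__":
    lim = GraduatedLimiter()
    print("steady 1 req/s:", simulate(lim, client_key("192.0.2.5", "a"), [float(i) for i in range(10)]))
    print("burst of 100:", simulate(lim, client_key("203.0.113.9", "b"), [0.0] * 100))
    print("same IP, other session:", lim.decide(client_key("203.0.113.9", "c"), now=0.0))
    print("burst client after 20s quiet:", lim.decide(client_key("203.0.113.9", "b"), now=20.0))
```

The design choice worth noting is that the challenge tier absorbs the ambiguity: a legitimate user who trips the limit sees one CAPTCHA rather than a dropped connection, while a bot that keeps pushing moves into the drop tier on its own. With these defaults a client that burns through the entire debt is back to normal service after 12 seconds of silence.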
Add the increased bandwidth and complexity that hijacked virtual machines offer to hackers, and new “hyper-volumetric” attacks become possible. That’s how attackers reached a new record-breaking 71 million requests per second in an early 2023 attack.
New Capabilities Demand a New Approach to Detection and Response
Managed detection and response providers like Castra are well positioned to help organizations defend against increasingly sophisticated HTTP flood attacks. Instead of relying on security measures designed for highly automated network-layer attacks, Castra uses curated threat intelligence and behavioral analytics to pinpoint abusive HTTP traffic.
- Anomali ThreatStream provides real-time threat intelligence data informed by the specific security profile of the industry that the organization is a part of. This allows analysts to leverage curated data when identifying malicious traffic and avoid irrelevant threat intelligence records that don’t apply to their specific situation.
- Exabeam leverages User and Entity Behavior Analytics (UEBA) to provide analysts with dynamic risk scoring of user and asset behaviors. This allows investigators to assess the risk associated with suspicious HTTP traffic and tie together seemingly unrelated requests to at-risk assets.
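The idea behind behavioral risk scoring is that each user or asset is compared with its own history rather than with a fixed threshold, and that scoring at the asset level can tie together clients that look harmless on their own. The following added example (illustrative code in the spirit of the UEBA approach described above, not Exabeam's or Castra's) scores one minute of constructed traffic to a `/login` endpoint both per client and per asset; the histories, weights and the `floor_std` guard are assumptions for the example.

```python
from statistics import mean, pstdev


def risk_score(history, observed, floor_std=1.0):
    """How far `observed` sits above the entity's own per-minute baseline, as a
    z-score clamped to [0, 10]. floor_std keeps a near-constant history from
    turning a trivial change into a huge score; entities with too little
    history are not scored at all."""
    if len(history) < 2:
        return 0.0
    mu = mean(history)
    sigma = max(pstdev(history), floor_std)
    return max(0.0, min(10.0, (observed - mu) / sigma))


def score_window(asset_history, client_windows):
    """Score one minute of traffic to a single asset.

    client_windows: {client_key: {"history": [requests/min ...], "observed": int}}
    Returns (per-client scores, asset-level score). The asset-level score compares
    the *sum* of all clients' requests against the asset's own baseline, which is
    what ties many individually unremarkable clients together."""
    client_scores = {k: risk_score(w["history"], w["observed"]) for k, w in client_windows.items()}
    total = sum(w["observed"] for w in client_windows.values())
    return client_scores, risk_score(asset_history, total)


def sample_window():
    """Constructed data (not real telemetry): /login normally sees about 52 POST/min.
    This minute, one regular client behaves normally, one known client spikes,
    and thirty never-seen clients each send only 4 requests."""
    login_history = [50, 55, 48, 52, 60, 47]
    windows = {
        "regular": {"history": [5, 6, 4, 5], "observed": 5},
        "spike": {"history": [5, 6, 4, 5], "observed": 40},
    }
    for i in range(30):
        windows[f"new-{i}"] = {"history": [], "observed": 4}
    return login_history, windows


if __name__ == "__main__":
    history, windows = sample_window()
    client_scores, asset_score = score_window(history, windows)
    flagged = {k: v for k, v in client_scores.items() if v > 0}
    print("flagged clients:", flagged)
    print("asset-level score for /login:", asset_score)
```

Run on the sample, only the spiking client is flagged individually, and every one of the thirty new clients scores zero because four requests a minute is not remarkable and they have no history to deviate from; yet the asset-level score for `/login` is pinned at the maximum because the endpoint is receiving roughly three times its normal load. That asset-level view is the piece a per-client rate check cannot provide.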
Castra provides organizations with the expertise they need to implement these technologies successfully.
Find out how your security team can leverage advanced detection and response capabilities to mitigate the risk of HTTP flood attacks.