What Is an HTTP Flood DDoS Attack?

An HTTP or HTTPS flood is a type of distributed denial-of-service (DDoS) attack that causes a server, website, or web app to slow down or crash by overwhelming it with a large number of HTTP GET or POST requests. As the requests exhaust the server’s processing capacity and bandwidth, the device will slow down or crash, denying service to legitimate users and traffic.

A DDoS attack is a type of cyberattack that targets a server, website, or network by inundating it with massive amounts of traffic, overwhelming its resources and making it unavailable to legitimate traffic and users. In contrast to a traditional denial-of-service (DoS) attack, which uses a single source to flood a target, DDoS attacks rely on a botnet. Botnets are thousands or millions of computers or IoT devices that have been infected by malware such as a Trojan horse and are under the control of a malicious actor. To execute a DDoS attack, the attacker directs the compromised devices to send large amounts of requests to the targeted server or website. Because the requests come from so many different IP addresses, DDoS attacks are difficult to detect and mitigate.

HTTP floods are an application-layer attack that exploits the HTTP internet protocol used to load web pages and send content over the internet. To communicate with the application or server, a web browser sends a GET or POST HTTP request. A GET request is designed to retrieve standard, static content like images for rendering a web page in a browser. A POST request is used for dynamic user-to-server interaction.

While other types of DDoS attacks use spoofing, malformed packets, or reflection techniques that are easier to detect, HTTP flood attacks use standard URL requests that appear to be legitimate. Since these attacks require less bandwidth than brute-force attacks, they can often go undetected for a longer time while inflicting damage on a targeted site or server. Detecting and mitigating an HTTP flood is challenging, as malicious requests are difficult to distinguish from legitimate requests.

There are two primary types of HTTP flood DDoS attacks:

HTTP GET attacks. In HTTP flood GET attack, the attacker sends a large volume of GET requests to a web server. These requests are typically for images, files, or other forms of large static content from a targeted server. As the server attempts to keep up with requests, it eventually becomes overloaded and can no longer respond to legitimate requests and valid traffic.

HTTP POST attacks. A post request usually includes data within the request that is sent to the server for processing. Post requests may include parameters that require intensive server-side processing, causing the server to exhaust its resources more quickly.

While HTTP GET attacks are easier to create, HTTP POST attacks inflict more damage.

To mitigate an HTTP flood attack, organizations can deploy a combination of cybersecurity best practices and techniques, including:

• Traffic profiling. By monitoring traffic and comparing IP addresses with data from an IP reputation database, security teams can track and block abnormal activity that may be part of an HTTP flood attack.
• Progressive security challenges. JavaScript computational challenges can test if the traffic is generated by a bot.
• Web application firewall (WAF). WAFs deploy various techniques such as CAPTCHA and crypto challenges to detect HTTP flood attacks.
• Load balancers. Load balancers may offer buffering and multiple connection management techniques that prevent HTTP GET and POST requests from impacting web server resources.
• Cloud-based DDoS protection. Deploying a cloud-based service for DDoS protection can provide access to tools to identify suspicious activity and respond quickly.
• Increase web application server connection limits. By increasing the number of concurrent HTTP connections that can be processed, organizations may reduce vulnerability to HTTP flood attacks.
• Implement rate limiting. Restricting the number of incoming requests from a given IP address may prevent DDoS attacks. However, standard rate-based detection may be ineffective at detecting HTTP floods since the volume of traffic is not above an assumed high threshold limit.

Akamai secures and delivers digital experiences for the world’s largest companies. By keeping decisions, apps, and experiences closer to users — and attacks and threats farther away — we enable our customers and their networks to be fast, smart, and secure.

Our end-to-end DDoS and DoS protection solutions serve as the first line of defense. With dedicated edge, distributed DNS, and network cloud mitigation strategies, our anti-DDoS technologies prevent collateral damage and single points of failure to provide our customers with increased resiliency, dedicated scrubbing capacity, and higher quality of mitigation.

App & API Protector provides a comprehensive set of powerful protections with customer-focused automation. While this solution offers some of the most advanced application security automation available today, it remains simple to use. A new adaptive security engine and industry-leading core technologies enable DDoS protection, API security, bot mitigation, and a WAF in an easy-to-use solution. 

Prolexic stops DDoS attacks with the fastest and most effective defense at scale. Offering a zero-second SLA for DDoS defense, Prolexic proactively reduces attack services and customizes mitigation controls to network traffic to block attacks instantly. Having a fully managed SOCC complements your existing cybersecurity programs and will help augment your time to resolution with industry-proven experiences.

Edge DNS prevents DNS outages with the largest edge platform, enabling organizations to count on guaranteed, nonstop DNS availability. A cloud-based solution, Edge DNS ensures 24/7 DNS availability while improving responsiveness and defending against the largest DDoS attacks.