
Mechanisms of HTTP Flood Attack and Defense

This section describes the mechanisms of HTTP flood attack and defense.

Attack Mechanism

An attacker uses proxies or a botnet to send a massive number of HTTP request packets to the target server. Attackers often choose URIs that trigger database operations or other resource-intensive processing so that the server's resources are exhausted. Portal websites, for example, are frequently targeted by HTTP flood attacks that request URIs (such as database operation-related URIs) that heavily consume server CPU or memory.

Defense Mechanism

  • HTTP Flood Source Authentication

    Source authentication is most frequently used to defend against HTTP flood attacks. This method applies to scenarios where the HTTP client uses browsers, because browsers support the complete HTTP protocol stack and can reply to redirection packets or verification codes. The FW collects statistics on HTTP request packets by destination address and enables source authentication when the rate of HTTP request packets reaches a specified threshold. Source authentication can be implemented in any of the following modes:

    • Basic mode (META refresh): This mode blocks access from non-browser clients. A zombie tool that does not implement the complete HTTP protocol stack does not support automatic redirection and therefore fails authentication, whereas browsers support automatic redirection and are authenticated. Figure 1 shows the META refresh process. This mode does not compromise user experience, but it provides a weaker defense than the advanced mode.

      Figure 1 META refresh

      If an HTTP proxy server is deployed on the network, the FW whitelists the IP address of the proxy server once the proxy server passes source authentication. Zombie hosts can then send requests through this proxy server to bypass authentication. To resolve this problem, enable the proxy detection function, which checks whether an HTTP request is proxied. If it is, the FW obtains the real source IP address of the HTTP packet. If that address passes authentication, the FW whitelists both the real source address and the IP address of the proxy server. Non-whitelisted source addresses that use the same proxy server are still subjected to source authentication, so the proxy cannot be used to bypass HTTP flood defense.

    • Advanced mode (verification code-based authentication): Some zombie tools implement redirection themselves or use free proxies that support it, so source authentication in basic mode does not achieve the desired defense effect against them. To resolve this problem, enable advanced source authentication, which pushes verification codes to users. Because zombies cannot respond to randomly generated verification codes, the FW can determine whether HTTP requests are sent by zombies or by real users. To avoid affecting user experience, apply this mode only to abnormal sources. Figure 2 shows the procedure of verification code-based source authentication.

      Figure 2 Verification code-based source authentication

      Verification code-based source authentication does not apply to certain mobile networks or to scenarios where an STB provides VoD services, because STB clients and clients on some mobile networks cannot display or answer verification codes. In these scenarios, enable 302 redirect mode instead.

    • 302 redirect mode

      The redirection used in basic mode applies only to the web page as a whole, not to the resources embedded in it, such as images. If the requested web page and an embedded resource are hosted on different servers, and the server hosting the embedded resource experiences an error, enable 302 redirect for the server hosting the embedded resource so that the FW can check whether the source is a real browser. Real browsers follow the redirect automatically, so user experience is not affected.
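The following simulation, added here as an example and not vendor code from this documentation, models the three source authentication modes described above and the proxy detection option. It assumes a single fixed counting window per destination (no timers), models the META refresh or 302 challenge as a one-time token that a redirect-capable client echoes in its follow-up request, and reads the proxied client address from the X-Forwarded-For header; the IP addresses are constructed sample values.

```python
"""Toy model of firewall HTTP flood source authentication (added example, not vendor code).

Assumptions: request counting is per destination over one fixed window (no timers),
the redirect challenge is modelled as a one-time token echoed in the follow-up request,
and the proxied client address is taken from X-Forwarded-For.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field, replace
import secrets


@dataclass
class Request:
    src_ip: str                          # address the FW sees on the wire
    dst_ip: str                          # protected server
    path: str
    x_forwarded_for: str | None = None   # present when an HTTP proxy relays the request
    token: str | None = None             # challenge token echoed by a client that followed the redirect
    answer: str | None = None            # verification code typed by a human (advanced mode only)


@dataclass
class SourceAuth:
    threshold: int = 100                 # requests per destination per window that arm the defense
    mode: str = "basic"                  # "basic" (META refresh), "302" (302 redirect), "advanced" (code)
    proxy_detection: bool = False
    counts: dict = field(default_factory=lambda: defaultdict(int))
    whitelist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # token -> (client ip, expected code)

    def real_source(self, req: Request) -> str:
        """Address used for authentication: the proxied client when proxy detection is on."""
        if self.proxy_detection and req.x_forwarded_for:
            return req.x_forwarded_for.split(",")[0].strip()
        return req.src_ip

    def handle(self, req: Request) -> str:
        """Return 'FORWARD', 'DROP', or 'CHALLENGE:<mode>:<token>:<code>'."""
        self.counts[req.dst_ip] += 1
        client = self.real_source(req)
        if client in self.whitelist or self.counts[req.dst_ip] < self.threshold:
            return "FORWARD"                         # below threshold or already authenticated
        if req.token is None:                        # first contact while the defense is armed
            token = secrets.token_hex(8)
            code = f"{secrets.randbelow(10**6):06d}" if self.mode == "advanced" else ""
            self.pending[token] = (client, code)
            return f"CHALLENGE:{self.mode}:{token}:{code}"
        expected = self.pending.pop(req.token, None)  # token is single use
        if expected is None or expected[0] != client:
            return "DROP"
        if self.mode == "advanced" and req.answer != expected[1]:
            return "DROP"                            # followed the redirect but could not read the code
        self.whitelist.add(client)
        if client != req.src_ip:
            self.whitelist.add(req.src_ip)           # proxy address is whitelisted alongside the real source
        return "FORWARD"


def browser_client(fw: SourceAuth, req: Request) -> bool:
    """Real browser: follows META refresh / 302 and lets a human enter the code. True if forwarded."""
    verdict = fw.handle(req)
    if not verdict.startswith("CHALLENGE:"):
        return verdict == "FORWARD"
    _, mode, token, code = verdict.split(":")
    follow = replace(req, token=token, answer=code if mode == "advanced" else None)
    return fw.handle(follow) == "FORWARD"


def zombie_client(fw: SourceAuth, req: Request, follows_redirect: bool = False) -> bool:
    """Flood tool: may or may not implement redirection, never solves a verification code."""
    verdict = fw.handle(req)
    if not verdict.startswith("CHALLENGE:"):
        return verdict == "FORWARD"
    if not follows_redirect:
        return False
    _, _, token, _ = verdict.split(":")
    return fw.handle(replace(req, token=token)) == "FORWARD"


if __name__ == "__main__":
    victim = "203.0.113.10"                           # constructed sample addresses
    fw = SourceAuth(threshold=3, mode="basic")
    print(browser_client(fw, Request("198.51.100.1", victim, "/")))        # below threshold
    print(browser_client(fw, Request("198.51.100.2", victim, "/")))
    print(zombie_client(fw, Request("198.51.100.3", victim, "/search")))   # cannot redirect
    print(browser_client(fw, Request("198.51.100.4", victim, "/search")))  # authenticated
```

Running the model with a redirect-capable zombie shows why basic mode alone is insufficient (the token is echoed and the source is whitelisted) while advanced mode still drops it, and running it with a proxy in front of the clients shows the whitelist bypass that proxy detection closes. Note that the model trusts X-Forwarded-For as written; in a real deployment the header should only be honoured when the request arrives from a known proxy address, since any client can set it.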

Copyright © Huawei Technologies Co., Ltd.