I want to know what the main differences are between HTTP GET and POST flood attacks and mitigation strategies for both.
I searched a lot but I really can't find any good articles or examples about these attacks.
When an HTTP client (say, a Web browser) talks to an HTTP server (a Web server), it sends requests which can be of several types, the two main being GET and POST. A GET request is what is used for "normal links", including images; such requests are meant to retrieve a static piece of data, the URL pointing to that piece of data. When you enter a URL in the URL bar, a GET is also done.
POST requests are used with forms. A POST request includes parameters, which are usually taken from the input fields on the same page.
When flooding, the attacker wants to submerge the target server under many requests, so as to saturate its computing resources. Flooding works best when the server allocates a lot of resources in response to a single request. Since POST requests include parameters, they usually trigger relatively complex processing on the server (e.g. database accesses), which are more expensive for the server than serving a much simpler GET. Thus, POST-based flooding tends to be more effective than GET-based flooding (it takes fewer requests to drown the server if the requests are POST). On the other hand, GET requests being much more common, it is often way easier for the attacker to enlist (involuntary) help in his flooding effort when GET-flooding (as @Rory says, it only takes a link for an inline image on a popular site, and everybody who browses that site automatically sends a GET request to the target server).
(Of course, any particular Web site could do a lot of complex processing on some specific GET requests; I am only discussing average behaviour here.)
An interesting issue with HTTP flooding (for any of the HTTP request types) is that they tend to defeat many IPS (Intrusion Protection Services) because the majority of them tend to concentrate on TCP based Denial of Service attacks. You can write IPS rules to detect against HTTP flood attacks but one has to be very careful because they are hard to distinguish from real traffic in some cases.
Read this wiki article about the various forms of HTTP request methods. The majority of developers I have come across don't realise that there are other methods than POST and GET.
Really the only difference between these two is going to be the HTTP method used (GET vs POST). In terms of ease of attack there are more scenarios where a GET based attack would be practical (e.g. embedding an in-line image on a popular site which links to the target site could cause a DoS) but apart from that if you look for generic articles on HTTP DoS attacks they'll likely apply to both equally.
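An added example (not from any of the answers above): a log analyser that applies two points made in the answers, that a POST usually costs the server more than a GET, and that a GET flood driven by an embedded link arrives from many clients carrying the same Referer. The log format, cost weights and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed relative server cost per method (illustrative weights, not measurements).
COST = {"GET": 1, "HEAD": 1, "POST": 5}
WINDOW = 10       # seconds of history kept per client
BUDGET = 40       # assumed maximum weighted cost per client per window
REF_CLIENTS = 5   # distinct clients sharing one Referer for one URL

# Assumed log format: epoch ip method path "referer"
LINE = re.compile(r'(?P<ts>\d+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ref>[^"]*)"')

def analyse(lines):
    """Return (clients over budget, (path, referer) pairs requested by many clients)."""
    recent = defaultdict(deque)   # ip -> (ts, cost) entries still inside the window
    spent = defaultdict(int)      # ip -> summed cost of the entries in `recent`
    by_ref = defaultdict(set)     # (path, referer) -> client ips seen
    over = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that do not parse
        ts, ip = int(m["ts"]), m["ip"]
        cost = COST.get(m["method"], 5)   # unknown methods are priced like POST
        q = recent[ip]
        q.append((ts, cost))
        spent[ip] += cost
        while q and q[0][0] <= ts - WINDOW:   # drop entries older than the window
            spent[ip] -= q.popleft()[1]
        if spent[ip] > BUDGET:
            over.add(ip)
        if m["ref"] not in ("", "-"):
            by_ref[(m["path"], m["ref"])].add(ip)
    hot = {key for key, ips in by_ref.items() if len(ips) >= REF_CLIENTS}
    return over, hot

def sample_log():
    """Constructed log lines using documentation address ranges."""
    log = []
    # One client, 10 POSTs in 5 s: weighted cost 50, over the budget of 40.
    log += [f'{1000 + i // 2} 203.0.113.7 POST /search "-"' for i in range(10)]
    # One client, 10 GETs in the same 5 s: weighted cost 10, under the budget.
    log += [f'{1000 + i // 2} 198.51.100.9 GET /index.html "-"' for i in range(10)]
    # Six clients, one GET each, all carrying the same Referer.
    log += [f'1003 192.0.2.{i} GET /big.png "http://popular.example/"' for i in range(1, 7)]
    return log

if __name__ == "__main__":
    print(analyse(sample_log()))
```

The same request rate trips the budget for the POST client but not the GET client, while the shared-Referer pattern is caught only by aggregating across clients, since each one sends a single request.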