11

I want to know what the main differences are between HTTP GET and POST flood attacks and mitigation strategies for both.

I searched a lot but I really can't find any good articles or examples about these attacks.

tylerl
user19775

3 Answers

19

When an HTTP client (say, a Web browser) talks to an HTTP server (a Web server), it sends requests which can be of several types, the two main being GET and POST. A GET request is what is used for "normal links", including images; such requests are meant to retrieve a static piece of data, the URL pointing to that piece of data. When you enter a URL in the URL bar, a GET is also done.

POST requests are used with forms. A POST request includes parameters, which are usually taken from the input fields on the same page.

When flooding, the attacker wants to submerge the target server under many requests, so as to saturate its computing resources. Flooding works best when the server allocates a lot of resources in response to a single request. Since POST requests include parameters, they usually trigger relatively complex processing on the server (e.g. database accesses), which is more expensive for the server than serving a much simpler GET. Thus, POST-based flooding tends to be more effective than GET-based flooding (it takes fewer requests to drown the server if the requests are POST). On the other hand, GET requests being much more common, it is often way easier for the attacker to enlist (involuntary) help in his flooding effort when GET-flooding (as @Rory says, it only takes a link for an inline image on a popular site, and everybody who browses that site automatically sends a GET request to the target server).

(Of course, any particular Web site could do a lot of complex processing on some specific GET requests; I am only discussing average behaviour here.)

Thomas Pornin
  • Thanks for such a detailed answer. So you said that with **HTTP GET FLOOD** the attacker uses the _URL_ to attack. But what does the attacker use for **HTTP POST FLOOD**? Can you give me an example? How does he manipulate the data sent to a page (let's say a _php_ page) and alter/change its content? – user19775 Jan 18 '13 at 12:32
4

An interesting issue with HTTP flooding (for any of the HTTP request types) is that they tend to defeat many IPS (Intrusion Protection Services) because the majority of them tend to concentrate on TCP based Denial of Service attacks. You can write IPS rules to detect against HTTP flood attacks but one has to be very careful because they are hard to distinguish from real traffic in some cases.

Read this wiki article about the various forms of HTTP request methods. The majority of developers I have come across don't realise that there are other methods than POST and GET.

Callum Wilson
  • So you say that there are (or can be) also **HTTP HEAD/PUT/DELETE/... ATTACK**? – user19775 Jan 18 '13 at 12:33
  • It's rare but I once found the other HTTP request types switched on for a custom J2EE web application. It was a mistake in the way that one of the designers had implemented HttpServlet and had accidentally switched it all on. – Callum Wilson Jan 21 '13 at 09:29
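An added example, not part of any answer on this page: a sliding-window detector over access-log lines that weights POST above GET (the cost argument in the first answer) and can aggregate per client or per URL path, the latter for the inline-image case where every client sends only one request. The log format, method weights, budgets and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Assumed relative server cost per method: POST weighted higher, as the first answer argues.
METHOD_COST = {"GET": 1, "HEAD": 1, "POST": 5}

def parse(line):
    """Parse a simplified 'ISO-timestamp client-ip METHOD path' line (assumed format)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path

def over_budget(lines, key, budget, window=10):
    """Return {key_value: peak_cost} for every client IP (key='ip') or URL path
    (key='path') whose weighted cost within a sliding window exceeds the budget."""
    recent = defaultdict(deque)    # key value -> (timestamp, cost) inside the window
    running = defaultdict(int)     # key value -> summed cost of that window
    flagged = {}
    for line in lines:
        ts, ip, method, path = parse(line)
        k = ip if key == "ip" else path
        cost = METHOD_COST.get(method, 5)   # unknown methods counted as expensive
        recent[k].append((ts, cost))
        running[k] += cost
        # Drop entries that have aged out of the window.
        while (ts - recent[k][0][0]).total_seconds() > window:
            running[k] -= recent[k].popleft()[1]
        if running[k] > budget:
            flagged[k] = max(flagged.get(k, 0), running[k])
    return flagged

def sample_log():
    """Constructed traffic; addresses are from the documentation ranges."""
    lines = []
    for s in range(12):    # one browser-like client, 1 GET per second
        lines.append(f"2013-01-18T12:00:{s:02d} 192.0.2.10 GET /index.html")
    for i in range(10):    # one client submitting a form twice per second
        lines.append(f"2013-01-18T12:00:{i // 2:02d} 198.51.100.7 POST /search.php")
    for i in range(60):    # 60 distinct clients each fetching one inline image
        lines.append(f"2013-01-18T12:00:{i // 20:02d} 203.0.113.{i + 1} GET /img/banner.png")
    return sorted(lines)   # fixed-width timestamps sort chronologically

if __name__ == "__main__":
    log = sample_log()
    print("per client:", over_budget(log, key="ip", budget=40))
    print("per path:  ", over_budget(log, key="path", budget=55))
```

With these assumed budgets, the per-client pass flags only the POST sender even though it made fewer requests than the browser-like client, and only the per-path pass sees the distributed GET load. Budgets have to be tuned against real traffic, since a legitimate surge looks the same to this check.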
2

Really the only difference between these two is going to be the HTTP method used (GET vs POST). In terms of ease of attack there are more scenarios where a GET based attack would be practical (e.g. embedding an in-line image on a popular site which links to the target site could cause a DoS) but apart from that if you look for generic articles on HTTP DoS attacks they'll likely apply to both equally.

Rory McCune