DDoS attacks overwhelm online services and infrastructure by flooding them with more traffic than they can handle, making them unavailable to legitimate users. Among the many DDoS techniques, one that stands out in the current threat landscape is the Killnet HTTP flood attack.
Decoding Killnet: The Anatomy of an HTTP Layer DDoS Attack
KillNet is a hacktivist group known for DDoS attacks and for spreading disinformation. The Killnet HTTP flood targets web servers and applications by bombarding them with excessive HTTP requests. It relies on the CC-attack script (cc.py), which automates relaying the attack through open proxy servers. The script draws SOCKS proxies, alongside other proxy types, from several public lists, spreading the attack across many source addresses and concealing the attacker's identity. It also randomizes request contents to evade signature-based mitigation, which makes the flood difficult to counter.
Types of Killnet HTTP Floods Attacks
The attack script used by KillNet generates three types of DDoS attack:
HTTP GET Flood Attack:
- In an HTTP GET flood, each request carries a modified URL with a randomized numerical string appended, such as "/?XXXXXXXXXXXX".
- Connection: Keep-Alive is static across all GET attack traffic.
- A dynamically generated User-Agent string is included, which makes the attack harder to fingerprint.
- The number and content of the Accept headers are also randomized, selected from a predefined list.
- The Referer header is randomized from a list of URLs and always ends with the target taken from the 'Host:' header.
For this type of attack, HTTP GET requests sent by the attacker appear as follows:
HTTP HEAD Flood Attack:
- As in the GET flood, each request carries a modified URL with a randomized numerical string appended, such as "/?XXXXXXXXXXXX".
- Connection: Keep-Alive is static across all HEAD attack traffic.
- A dynamically generated User-Agent string is included in the headers.
- The number and content of the Accept headers are also randomized, selected from a predefined list.
- The Referer header is randomized from a list of URLs and always ends with the target taken from the 'Host:' header.
For this type of attack, HTTP HEAD requests sent by the attacker appear as follows:
HTTP POST Flood Attack:
- In an HTTP POST flood, each request carries a modified URL with a path component, and that URL always ends with the target taken from the 'Host:' header.
- Connection: Keep-Alive is static across all POST attack traffic.
- A dynamically generated User-Agent string is included in the headers.
- The number and content of the Accept headers are also randomized, selected from a predefined list.
- The Content-Type header describes the request body and is typically set to application/x-www-form-urlencoded, indicating URL-encoded form data.
- The X-Requested-With header marks the request as an XMLHttpRequest.
- The Referer header is a random URL with a path that includes the target from the 'Host:' header.
- The request body carries either a string of 16 randomly generated bytes or attacker-supplied data.
For this type of attack, HTTP POST requests sent by the attacker appear as follows:
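The header traits listed for the three floods can be turned into a simple classifier that runs over raw requests. The Python below is an added example written for this page; it is not code from the cc.py script or from Keysight's ATI. The four sample requests are constructed by hand from the characteristics described above, and two details are assumptions drawn from that description rather than facts the page states: that the "/?XXXXXXXXXXXX" query is a run of digits, and that the 16-byte POST body is worth flagging on its own.

```python
import re
from typing import Dict, List, Tuple

# Assumption: the "/?XXXXXXXXXXXX" query described above is a run of digits.
NUMERIC_QUERY = re.compile(r"^/\?\d{6,}$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def killnet_indicators(raw: str) -> Tuple[str, List[str]]:
    """Return the request method and the Killnet traits the request exhibits."""
    method, target, h, body = parse_request(raw)
    host = h.get("host", "")
    referer = h.get("referer", "")
    hits: List[str] = []
    if h.get("connection", "").lower() == "keep-alive":   # static in all three floods
        hits.append("keep-alive")
    if method in ("GET", "HEAD"):
        if NUMERIC_QUERY.match(target):                   # randomised numeric query
            hits.append("numeric-query")
        if host and referer.rstrip("/").endswith(host):   # Referer ends with Host target
            hits.append("referer-ends-with-host")
    if method == "POST":
        if h.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
            hits.append("form-urlencoded")
        if h.get("x-requested-with") == "XMLHttpRequest":
            hits.append("xhr")
        if host and host in referer:                      # Referer carries the Host target
            hits.append("referer-contains-host")
        if len(body.encode("latin-1")) == 16:             # assumed: 16 random bytes
            hits.append("16-byte-body")
    return method, hits


GET_TRAITS = {"keep-alive", "numeric-query", "referer-ends-with-host"}
POST_TRAITS = {"keep-alive", "form-urlencoded", "xhr", "referer-contains-host"}


def classify(raw: str) -> str:
    """Label a request as one of the three Killnet flood patterns, or 'no-match'."""
    method, hits = killnet_indicators(raw)
    found = set(hits)
    if method in ("GET", "HEAD") and GET_TRAITS <= found:
        return f"killnet-{method.lower()}-flood"
    if method == "POST" and POST_TRAITS <= found:
        return "killnet-post-flood"
    return "no-match"


def tally(requests: List[str]) -> Dict[str, int]:
    """Count labels over a batch of requests, e.g. one second of traffic to a server."""
    counts: Dict[str, int] = {}
    for raw in requests:
        label = classify(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample requests modelled on the header patterns described above.
SAMPLE_GET = (
    "GET /?839201746521 HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/124.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\nAccept-Language: en-US,en;q=0.5\r\n"
    "Connection: Keep-Alive\r\nReferer: https://www.google.com/?q=www.example.com\r\n\r\n"
)
SAMPLE_HEAD = (
    "HEAD /?204817365094 HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0.0.0\r\n"
    "Accept: */*\r\nConnection: Keep-Alive\r\n"
    "Referer: https://www.bing.com/search?q=www.example.com\r\n\r\n"
)
SAMPLE_POST = (
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) Safari/605.1.15\r\n"
    "Accept: */*\r\nConnection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\n"
    "Referer: https://www.facebook.com/sharer/www.example.com/\r\nContent-Length: 16\r\n\r\n"
    "AbCdEfGhIjKlMnOp"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: curl/8.6.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    print(tally([SAMPLE_GET, SAMPLE_HEAD, SAMPLE_POST, SAMPLE_BENIGN]))
```

Two caveats apply when using this in a real detection pipeline. Keep-Alive and a Referer that carries the target hostname both occur in legitimate traffic, so a match should feed a per-source rate threshold rather than block on its own. And because the script randomizes User-Agent and Accept, those headers are deliberately left out of the traits; a signature on them would be defeated by the next batch of requests.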
DDoS Killnet HTTP Floods Attacks in Keysight ATI
At Keysight Technologies, researchers on the Application and Threat Intelligence (ATI) team have examined the traffic patterns of Killnet HTTP flood attacks and published the network traffic of the three attack types described above as part of the BreakingPoint System's DDoS Lab in the ATI-2024-10 Strike Pack, released on May 23, 2024.
Figure 4: Killnet HTTP Floods DDoS Attack coverage in BreakingPoint
Leverage Subscription Service to Stay Ahead of Attacks
Keysight's Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers now have access to attack campaigns for different advanced persistent threats, allowing them to test whether their currently deployed security controls detect or block such attacks.