Everybody is aware of the HTTP requests for GET , HEAD and POST, but how about the others?
Did you even knew they existed? Be aware of these
and the purpose of the http request methods and these can be overlooked when a webserver is under going a DoS attack.
Using the "tshark -z http,stat," will give you a good ideal of the
number requests and the type of requests, if you apply this to a dst net
or host address and analysis the output, you can quickly get an ideal of the
number of GET or POST that might be indicative of a GET/POST flood type of attack.
tshark -n -q -z http,stat, -i eth7 host www.mywebserver and port 80
( sample output )
* HTTP Status Codes in reply packets
HTTP 302 Moved Temporarily
HTTP 200 OK
* List of HTTP Request methods
Typical HTTP request methods are listed below;
GET:- Used when the client is requesting a resource on the Web server.
HEAD:- Used when the client is requesting some information about a resource but not requesting the resource itself.
POST:- Used when the client is sending information or data
to the server---for example, filling out an online form (i.e. Sends a
large amount of complex data to the Web Server).
PUT:- Used when the client is sending a replacement document or uploading a new document to the Web server under the request URL.
DELETE:- Used when the client is trying to delete a document from the Web server, identified by the request URL.
TRACE:- Used when the client is asking the available proxies or intermediate servers changing the request to announce themselves.
OPTIONS:- Used when the client wants to determine other available methods to retrieve or process a document on the Web server.
CONNECT:- Used when the client wants to establish a
transparent connection to a remote host, usually to facilitate
SSL-encrypted communication (HTTPS) through an HTTP proxy.
No two methods are the same, use tshark or wireshark and the display filter "http.request.method" for proper identification
tshark -n -i eth7 dst host 126.96.36.199 and dst port 80 -R 'http.request.method==POST'
The above would be ideal to get the number of POST and from a
specific host destination to a webserver. These commands will only be
helpful against HTTP server for the obvious reason.
This blog is from
Freelance Security and Network Engineer
kfelix "at" hyperfeed.com