L7 GET

HTTP GET flood

High-volume GET requests against URLs or APIs. Targets read-heavy paths, cache layers, and connection limits on web servers, CDNs, and WAFs.

How it works

  1. Clients open TCP connections (SYN → SYN-ACK → ACK).
  2. For HTTPS, a TLS handshake adds CPU cost before any HTTP bytes are sent.
  3. Repeated GET /path HTTP/1.1 requests consume worker threads and backend read capacity.
  4. Legitimate-looking URLs make rate-based blocking harder than raw volumetric floods.

Packet flow (illustrative)

Simplified request path: TCP handshake, then HTTP GET (TLS omitted for HTTP).

Illustrative flow — not a live capture.

Typical pattern: Many parallel GETs
Engarde metric: RPS, latency, errors
Layer: L7 application

What to watch in Engarde

  • Response time and error rate on Target Monitor during ramp-up.
  • Cache hit ratio changes when URLs are fixed vs. random.
  • WAF or rate-limit triggers in action logs.

Running this simulation

Configure target URL, duration, and intensity in Engarde DDoS. Distributed nodes generate GET traffic; Attack Monitor shows bytes/packets and concurrent connections. Stop instantly with End test.

Mitigation perspective

Combine rate limiting, caching, autoscaling, and WAF rules. Validate thresholds with controlled simulation rather than waiting for production incidents.
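
One way to check a per-client rate-limit threshold offline against access logs collected during a controlled test, and to tell fixed-URL traffic from random-URL traffic. This is an added example, not Engarde code. The Common Log Format input, the 10-second window, the 20-request threshold and the 0.5 unique-URL ratio are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Access-log line in Common Log Format (assumed format; adapt to your server).
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, epoch_seconds, method, url) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, url, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), method, url

def detect_get_flood(lines, window=10, max_gets=20):
    """Flag clients sending more than max_gets GETs in any window-second span.

    Also labels the URL pattern: "fixed" (same path repeated, cacheable) or
    "random" (mostly unique URLs, which miss the cache and reach the origin).
    Assumes each client's lines appear in time order.
    """
    recent = defaultdict(deque)              # ip -> timestamps in current window
    urls, total, peak = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, t, _, url = rec
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:            # drop hits older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        urls[ip].add(url)
        total[ip] += 1
    return {ip: {"peak": p, "pattern": "random" if len(urls[ip]) / total[ip] > 0.5 else "fixed"}
            for ip, p in peak.items() if p > max_gets}

def sample_log():
    """Constructed log: two noisy clients, one normal client, one POST, one junk line."""
    fmt = '{} - - [10/Oct/2024:13:55:{:02d} +0000] "{} {} HTTP/1.1" 200 512'
    lines = [fmt.format("198.51.100.7", i // 10, "GET", "/api/items") for i in range(60)]
    lines += [fmt.format("203.0.113.9", i // 10, "GET", f"/search?q={i}") for i in range(60)]
    lines += [fmt.format("192.0.2.10", s, "GET", "/index.html") for s in (0, 10, 20, 30, 40)]
    lines += [fmt.format("192.0.2.10", 41, "POST", "/login"), "not a log line"]
    return lines

if __name__ == "__main__":
    for ip, info in detect_get_flood(sample_log()).items():
        print(ip, info)
```

Rerunning the function with different `window` and `max_gets` values over the same log shows which thresholds would have caught the test traffic without flagging the normal client.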