Attack analysis in the TCP/IP model using Wireshark


Attack: any attempt to gain unauthorized access to, disrupt, steal, damage, or alter information, systems, networks or devices.
TCP/IP has four layers, which are as follows:
APPLICATION LAYER
TRANSPORT LAYER
INTERNET LAYER
NETWORK/DATA LINK LAYER
An attacker can attack any of these layers when that layer contains a vulnerability.
ATTACKS ON APPLICATION LAYER:
In the application layer, attacks that can occur include HTTP injection and manipulation, SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and so on. Based on the pcap file I am using for analysis, I will explain two of the attacks mentioned above.
The pcap file used is hao123-com_packet-injection.pcap
1. HTTP GET Flooding
Wireshark filter: ip.src==192.168.1.254
As shown in the screenshot, the top part of this capture shows a rapid succession of HTTP GET requests originating from 192.168.1.254 to various destinations (122.225.98.197 and 183.235.46.234).
HTTP GET flooding is a type of Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack where an attacker sends a large volume of legitimate-looking HTTP GET requests to a web server. The goal is to overwhelm the server's resources (CPU, memory, bandwidth) and make it unavailable to legitimate users. These requests often target resource-intensive pages or use dynamic URLs to bypass caching.
Key Observations: Multiple consecutive frames (4, 15, 164, 167, etc.) show GET requests for various resources from www.02995.com and www.hao123.com. The rapid succession and sheer volume of these requests from a single source strongly suggest a flood.
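The observation above (many GET requests from one source in a short time, spread over several hosts) can be turned into a repeatable check instead of eyeballing the packet list. The script below is an added example, not part of the original post: it parses a field export in the shape that `tshark -r hao123-com_packet-injection.pcap -Y "http.request.method == GET" -T fields -E separator=, -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e http.host -e http.request.uri` would produce, counts requests per source in a sliding time window, and flags sources whose peak rate crosses a threshold. The embedded sample is constructed: frames 4, 15, 164 and 167, the two hosts and the three addresses come from the post, while the other frame numbers, the timestamps, the URIs and the benign client 192.168.1.10 are invented, and the 1-second window and threshold of 10 requests are assumptions to tune per site.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample in the shape of a tshark field export (see lead-in).
# Only frames 4, 15, 164, 167, the hosts and the three addresses from the
# post are real; everything else here is invented for the example.
SAMPLE_EXPORT = """\
4,0.001,192.168.1.254,122.225.98.197,www.02995.com,/
15,0.012,192.168.1.254,122.225.98.197,www.02995.com,/index.html
22,0.020,192.168.1.254,183.235.46.234,www.hao123.com,/
31,0.031,192.168.1.254,183.235.46.234,www.hao123.com,/js/a.js
40,0.043,192.168.1.254,122.225.98.197,www.02995.com,/css/a.css
52,0.055,192.168.1.254,183.235.46.234,www.hao123.com,/img/1.png
61,0.066,192.168.1.254,122.225.98.197,www.02995.com,/?r=1
73,0.078,192.168.1.254,183.235.46.234,www.hao123.com,/?r=2
88,0.090,192.168.1.254,122.225.98.197,www.02995.com,/?r=3
102,0.101,192.168.1.254,183.235.46.234,www.hao123.com,/?r=4
120,0.115,192.168.1.10,122.225.98.197,www.02995.com,/
164,0.130,192.168.1.254,122.225.98.197,www.02995.com,/?r=5
167,0.142,192.168.1.254,183.235.46.234,www.hao123.com,/?r=6
210,2.500,192.168.1.10,122.225.98.197,www.02995.com,/about.html
"""


def parse_http_requests(text):
    """Parse comma-separated export rows into dicts; skip malformed rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 6:
            continue
        frame, t, src, dst, host, uri = rec
        rows.append({"frame": int(frame), "time": float(t), "src": src,
                     "dst": dst, "host": host, "uri": uri})
    return rows


def summarize_sources(requests, window=1.0):
    """Per source IP: total requests, peak requests seen inside any `window`
    seconds (sliding window over a deque of timestamps), hosts contacted,
    and the frame numbers involved, for the analyst's report."""
    stats = defaultdict(lambda: {"total": 0, "peak": 0, "hosts": set(), "frames": []})
    recent = defaultdict(deque)
    for r in sorted(requests, key=lambda r: r["time"]):
        s = stats[r["src"]]
        s["total"] += 1
        s["hosts"].add(r["host"])
        s["frames"].append(r["frame"])
        q = recent[r["src"]]
        q.append(r["time"])
        # drop timestamps that fell out of the window
        while q and r["time"] - q[0] > window:
            q.popleft()
        s["peak"] = max(s["peak"], len(q))
    return stats


def detect_get_floods(requests, window=1.0, threshold=10):
    """Return only the sources whose peak in-window request count reaches the threshold."""
    stats = summarize_sources(requests, window)
    return {src: s for src, s in stats.items() if s["peak"] >= threshold}


if __name__ == "__main__":
    reqs = parse_http_requests(SAMPLE_EXPORT)
    for src, s in detect_get_floods(reqs).items():
        print(f"possible GET flood from {src}: {s['total']} requests, "
              f"peak {s['peak']} within 1 s, hosts {sorted(s['hosts'])}, "
              f"frames {s['frames']}")
```

Run on the real export of the capture, the threshold should be set from a baseline of normal client behaviour on that site rather than left at 10; a browser loading a page with many embedded resources can legitimately burst for a fraction of a second, so pairing the peak count with the number of distinct hosts and the total volume, as the report does, reduces false positives.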
Layer Affected: Application Layer (HTTP)
Effects of HTTP GET Flooding (Application Layer DoS Attack)
Server Resource Exhaustion
- The web server consumes CPU, memory, and I/O resources to handle each GET request (e.g., generating dynamic content, running scripts, querying databases).
- In high volumes, this leads to slow response times or complete server crashes.
Bandwidth Consumption
- Flooding with HTTP requests increases outgoing and incoming traffic, possibly exhausting available network bandwidth and affecting other services.
Service Unavailability
- Legitimate users experience timeouts, errors (e.g., 503 Service Unavailable), or complete inaccessibility of the website.
Increased Operational Costs
- Hosting providers may charge for overages in bandwidth or CPU usage.
- Incident response, forensic investigation, and mitigation increase operational overhead.
Potential Reputation Damage
- Frequent downtime affects user trust and business credibility.
Mitigation Techniques for HTTP GET Flood Attacks
1. Rate Limiting
- Limit the number of requests from a single IP or session in a given time window.
- Tools: mod_evasive (Apache), fail2ban, nginx rate limiting.
2. Web Application Firewall (WAF)
- Detect and block abnormal traffic patterns at the application layer.
- Can enforce rules such as blocking IPs that send too many GET requests, and filtering known bot user-agents or malformed requests.
- Examples: Cloudflare WAF, AWS WAF, ModSecurity
3. CAPTCHA or JavaScript Challenges
- Use these techniques to differentiate humans from bots.
- Show a CAPTCHA or JS challenge after a threshold of requests.
4. Load Balancer with Application Layer DDoS Protection
- Distribute traffic across multiple servers to absorb the load.
- Some load balancers include built-in DoS protection features.
5. Anomaly Detection Systems
- Use behavior analysis or machine learning to detect sudden spikes in traffic.
- Block or sandbox suspicious IPs (like 192.168.1.254 in this case).
6. IP Blacklisting / Geo-blocking
- Temporarily block known malicious IPs or suspicious geolocations.
- It is important to log and analyze traffic before blacklisting to avoid false positives.
7. Caching Static Resources
- Use reverse proxies (e.g., Varnish, Squid) or CDNs (e.g., Cloudflare, Akamai) to serve cached content and reduce server processing load.
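Rate limiting (mitigation 1) is the control most directly aimed at the pattern seen in the capture, and the mechanism behind mod_evasive or nginx's limit_req is a per-client token bucket. The code below is an added example, not from the post or from any of the tools named above: each client address gets a bucket that refills at `rate` tokens per second up to `burst`, a request is served only if a token is available, and a refused request carries the delay a server would return in a Retry-After header. The simulation replays a constructed stream of a 20-request burst from 192.168.1.254 (as in the capture) next to a slow client 192.168.1.10 (invented); the 2 requests/second sustained rate and burst of 5 are assumptions chosen for the demonstration, and the injectable clock exists so the behaviour can be checked without sleeping.

```python
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    last: float     # time of last refill


class RateLimiter:
    """Per-client token bucket: `rate` requests/second sustained, bursts up to `burst`.
    `clock` is any zero-argument callable returning seconds (monotonic by default)."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.buckets = {}

    def allow(self, client):
        """Return (allowed, retry_after_seconds) for one request from `client`."""
        now = self.clock()
        b = self.buckets.get(client)
        if b is None:
            # a new client starts with a full bucket
            b = self.buckets[client] = Bucket(tokens=self.burst, last=now)
        else:
            # refill proportionally to elapsed time, capped at the burst size
            b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
            b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # not enough tokens: tell the client how long until one accrues
        return False, (1.0 - b.tokens) / self.rate


class FakeClock:
    """Controllable clock for replaying timestamped events offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(events, rate=2.0, burst=5):
    """Replay (timestamp, client) events through the limiter.
    Returns {client: (allowed, denied)} counts."""
    clock = FakeClock()
    limiter = RateLimiter(rate, burst, clock)
    counts = defaultdict(lambda: [0, 0])
    for t, client in sorted(events):
        clock.t = t
        ok, _ = limiter.allow(client)
        counts[client][0 if ok else 1] += 1
    return {c: tuple(v) for c, v in counts.items()}


# Constructed event streams: a burst of 20 requests 10 ms apart from the
# flooding address in the capture, and one request per second from an
# invented ordinary client.
FLOOD = [(i * 0.01, "192.168.1.254") for i in range(20)]
NORMAL = [(float(i), "192.168.1.10") for i in range(5)]

if __name__ == "__main__":
    for client, (allowed, denied) in simulate(FLOOD + NORMAL).items():
        print(f"{client}: {allowed} served, {denied} refused with 429")
```

With these parameters the burst source gets its first five requests served and the remaining fifteen refused, while the slow client is never throttled. Keying buckets on the source address is the simplest choice and matches the single-source flood in this capture; for distributed floods or clients behind a shared NAT, keying on a session cookie or combining address and URI path keeps one noisy tenant from starving others.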
Thank you for reading.
Written by M1tn1k
Written by HERI WAMBO
Web developer, malware analysis, web designing, forensics and security operation analyst