The simple HTTP protocol itself has no security problems, so the protocol itself is hardly the object of attack. Servers and clients that use the HTTP protocol, as well as resources such as Web applications running on the server are the targets of the attack.
HTTP is a general-purpose pure protocol mechanism. Therefore, it has many advantages, but it is disadvantageous in terms of security. Developers need to design and develop their own and session management functions to meet the security of Web applications. And self-design means that there will be various realizations. As a result, the security level is not complete, but there are still various bugs that are easily abused by attackers behind the Web applications that are still working.
Ddos attacks are also called distributed denial of service attacks, which simply means sending a large number of requests to paralyze the server. A single attack is not lethal when a Dos attack, while a ddos attack is a flood-type collective attack. The attacker unites a large number of computers and uses the public network to launch attacks on one or more targets. It may be that the bandwidth of the server is insufficient to resist large-traffic attacks, resulting in network paralysis and heavy losses. The reason why the attack can be successful is because the defense is not enough. Therefore, if the web application DDOS defense is to be effective, it is necessary to do a good job in the development of the server side.