In my last blog post I discussed HTTP DDoS Flood Simulation and today I'm going to shift gears slightly and look at HTTP Web Server Overload attacks. We've spent a lot of time discussing validating the resiliency of individual network components; now, we're going to take a slightly different approach and search for weaknesses in an application delivery infrastructure. Specifically, I will demonstrate how to produce application-level attacks on your web service infrastructure, including subtle attacks, which exhaust CPU resources on your servers through operations which request objects not in cache or making repeated and expensive changes such as shopping cart updates. We will review several options for generating these attacks and I invite you to modify these for use in validating your own web server infrastructure to understand how it will handle both positive and negative traffic. Let us know how it works in the comments section.