http://dx.doi.org/10.3837/tiis.2014.07.018

Defending HTTP Web Servers against DDoS Attacks through Busy Period-based Attack Flow Detection  

Nam, Seung Yeob (Department of Information and Communication Engineering, Yeungnam University)
Djuraev, Sirojiddin (Department of Information and Communication Engineering, Yeungnam University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.8, no.7, 2014, pp. 2512-2531
Abstract
We propose a new Distributed Denial of Service (DDoS) defense mechanism that protects HTTP web servers from application-level DDoS attacks based on two methodologies: whitelist-based admission control and busy period-based attack flow detection. The attack flow detection mechanism identifies attack flows from the symptom or stress observed at the server, since it is becoming more difficult to identify bad flows from the incoming traffic patterns alone. The stress is measured by the time interval during which a given client keeps the server busy, referred to as the client-induced server busy period (CSBP). The servers must also be protected from a sudden surge of attack flows before the malicious flows have been identified by the attack flow detection mechanism; we therefore additionally use a whitelist-based admission control mechanism to control the load on the servers. We evaluate the performance of the proposed scheme via simulation and experiment. The simulation results show that our defense system can mitigate DDoS attacks effectively even under a large number of attack flows, on the order of thousands, and the experiment results show that our defense system deployed on a Linux machine is sufficiently lightweight to handle packets arriving at a rate close to the link rate.
Keywords
denial-of-service (DoS) attacks; application layer DoS attack; admission control; busy period; attack flow detection; Bloom filter
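The two mechanisms named in the abstract, as an added illustration that is not the authors' code, simulator or experiment. The paper's exact CSBP definition, thresholds and whitelist construction are not reproduced here; the example assumes that the CSBP of a client is the time, within an observation window, during which a single FIFO server is busy serving that client's requests, that a flow is an attack flow when its CSBP exceeds a fixed share of the window, that the whitelist holds addresses seen behaving normally before the overload, and that the attacker is only dropped once detection has run. All addresses, timings and service times are constructed.

```python
"""Toy model of busy period-based attack flow detection plus a Bloom-filter
whitelist for admission control.  Added example; not the paper's code."""
import hashlib
from dataclasses import dataclass


@dataclass
class Request:
    client: str      # source address, used here as the flow identifier (assumption)
    arrival: float   # seconds since the start of the observation window
    service: float   # seconds of server work the request needs


def simulate_fifo(requests):
    """Single-server, work-conserving FIFO queue.

    Returns (client, start, end) intervals during which the server was busy
    serving that client's request.  Queueing delay is not charged to the
    client; only the time the server actually spends on its requests is.
    """
    served, busy_until = [], 0.0
    for r in sorted(requests, key=lambda r: r.arrival):
        start = max(r.arrival, busy_until)
        end = start + r.service
        busy_until = end
        served.append((r.client, start, end))
    return served


def csbp(served, window_start, window_end):
    """Client-induced server busy period per client, clipped to the window.

    Assumed definition: total time inside [window_start, window_end] during
    which the server was busy on that client's requests.
    """
    totals = {}
    for client, start, end in served:
        lo, hi = max(start, window_start), min(end, window_end)
        if hi > lo:
            totals[client] = totals.get(client, 0.0) + (hi - lo)
    return totals


def detect_attack_flows(busy_by_client, window_len, max_share):
    """Flag clients whose CSBP exceeds max_share of the window (assumed rule)."""
    limit = max_share * window_len
    return {c for c, t in busy_by_client.items() if t > limit}


class BloomWhitelist:
    """Bloom filter over client addresses; k positions derived from SHA-256."""

    def __init__(self, bits=1024, k=3):
        self.bits, self.k = bits, k
        self.bitmap = bytearray(bits // 8)

    def _positions(self, key):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, key):
        for p in self._positions(key):
            self.bitmap[p // 8] |= 1 << (p % 8)

    def __contains__(self, key):
        return all(self.bitmap[p // 8] & (1 << (p % 8)) for p in self._positions(key))


def admit(client, whitelist, overloaded, attack_flows):
    """Admission decision for a new connection.

    Identified attack flows are always refused.  While the server is
    overloaded (possibly by flows not yet identified), only whitelisted
    clients are admitted; when it is not overloaded, everyone is.
    """
    if client in attack_flows:
        return False
    if overloaded:
        return client in whitelist
    return True


def run_example():
    # Constructed traffic: two ordinary clients and one flooding client.
    reqs = [Request("10.0.0.1", t, 0.1) for t in (0.0, 4.0, 8.0)]
    reqs += [Request("10.0.0.2", t, 0.2) for t in (1.0, 6.0)]
    reqs += [Request("192.0.2.99", 2.1 + 0.5 * i, 0.8) for i in range(10)]

    busy = csbp(simulate_fifo(reqs), 0.0, 10.0)       # 10 s window
    bad = detect_attack_flows(busy, 10.0, 0.5)         # >5 s busy => attack flow

    wl = BloomWhitelist()
    for c in ("10.0.0.1", "10.0.0.2"):                 # learned before the overload (assumed)
        wl.add(c)
    clients = ("10.0.0.1", "10.0.0.2", "192.0.2.99", "203.0.113.7")
    decisions = {c: admit(c, wl, overloaded=True, attack_flows=bad) for c in clients}
    return busy, bad, decisions


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

In the constructed run the flooding client accounts for 7.6 s of the 10 s window and is flagged, while the two ordinary clients stay far below the limit even though they were queued behind the flood; charging only service time, not queueing delay, is what keeps victims of the overload from being misclassified. The address 203.0.113.7 is refused only because the server is overloaded and it is not on the whitelist, which is the gap-filling role the abstract assigns to admission control. A Bloom filter has no false negatives, so a legitimate whitelisted client is never refused, but a false positive admits an unknown address during overload; the filter therefore fails open, and its size and hash count have to be chosen for the number of whitelisted addresses expected.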