http://dx.doi.org/10.13089/JKIISC.2011.21.1.39

A Novel Application-Layer DDoS Attack Detection Algorithm based on Client Intention

Oh, Jin-Tae (ETRI)
Park, Dong-Gue (SoonChunHyang University)
Jang, Jong-Soo (ETRI)
Ryou, Jea-Cheol (Chungnam National University)
Abstract
An application-layer attack can achieve its objective with a small amount of traffic, and detecting it is difficult because its traffic closely resembles that of legitimate users. We have discovered a distinguishing characteristic that is produced by a difference in client intention: both a legitimate user and a DDoS attacker establish a session through a 3-way handshake at the TCP/IP layer. After the connection is established, each requests at least one HTTP resource with a Get request packet. The legitimate HTTP user then waits for the server's response, whereas an attacker tries to terminate the session right after sending the Get request. These different actions can be interpreted as a difference in client intention. In this paper, we propose a detection algorithm for application-layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files taken from normal user networks and from Botnet-based attack tools. The test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.
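The session-level decision the abstract describes, as an added illustration that is not the paper's own implementation: each TCP session is reduced to an ordered list of (sender, event) pairs, a session whose client tears down the connection after its Get request but before any server response is labelled as attacker intent, and a source is flagged once its share of such sessions reaches a threshold. The event encoding, the constructed sample sessions and the `ratio`/`min_sessions` knobs are assumptions for this example, not values from the paper.

```python
from collections import defaultdict

HANDSHAKE = [("C", "SYN"), ("S", "SYN-ACK"), ("C", "ACK")]

def classify_session(events):
    """Classify one TCP session from its ordered (sender, event) list.
    sender is "C" (client) or "S" (server); events are SYN, SYN-ACK, ACK,
    GET (client HTTP request), RESPONSE (server data), FIN or RST.
    Returns 'attack' when the client tears the session down after its GET
    but before any server response, 'normal' when it waited for a response,
    and 'incomplete' when the session gives no evidence either way."""
    if events[:3] != HANDSHAKE:          # no completed 3-way handshake
        return "incomplete"
    got_get = got_response = False
    for sender, ev in events[3:]:
        if (sender, ev) == ("C", "GET"):
            got_get = True
        elif (sender, ev) == ("S", "RESPONSE") and got_get:
            got_response = True
        elif sender == "C" and ev in ("FIN", "RST"):
            if not got_get:              # torn down before any request
                return "incomplete"
            return "normal" if got_response else "attack"
    # session still open: only a served request counts as legitimate so far
    return "normal" if got_response else "incomplete"

def detect_attackers(flows, ratio=0.5, min_sessions=3):
    """flows: iterable of (src_ip, events). Flags a source when at least
    min_sessions sessions were classified and the share of 'attack'
    sessions reaches ratio. Both knobs are assumed tuning values."""
    counts = defaultdict(lambda: [0, 0])     # ip -> [attack, classified]
    for src_ip, events in flows:
        verdict = classify_session(events)
        if verdict == "incomplete":
            continue
        counts[src_ip][1] += 1
        counts[src_ip][0] += int(verdict == "attack")
    return {ip: a / n for ip, (a, n) in counts.items()
            if n >= min_sessions and a / n >= ratio}

# Constructed sample sessions (not captured traffic): a browser that waits
# for each response, and a bot that closes right after its GET.
LEGIT = HANDSHAKE + [("C", "GET"), ("S", "RESPONSE"), ("C", "GET"),
                     ("S", "RESPONSE"), ("C", "FIN")]
BOT = HANDSHAKE + [("C", "GET"), ("C", "FIN")]
SAMPLE_FLOWS = [("198.51.100.10", LEGIT)] * 3 + [("203.0.113.7", BOT)] * 4

if __name__ == "__main__":
    print(detect_attackers(SAMPLE_FLOWS))   # {'203.0.113.7': 1.0}
```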
Keywords
Application-layer DDoS attack; layer-7 attack; HTTP-Get flooding; CC attack; Botnet