Defending Web Servers Against Flash Crowd Attacks

  • Conference paper
  • Published in: Applied Cryptography and Network Security (ACNS 2021)

Abstract

A flash crowd attack (FCA) floods a service, such as a Web server, with well-formed requests generated by numerous bots. FCA traffic is difficult to filter, since individual attack and legitimate service requests look identical. We propose robust and reliable models of human interaction with a server, which can identify and block a wide variety of bots. We implement the models in a system called FRADE and evaluate them on three Web servers with different server applications and content. Our results show that FRADE detects both naive and sophisticated bots within seconds and successfully filters out attack traffic. FRADE significantly raises the bar for a successful attack by forcing attackers to deploy botnets at least three orders of magnitude larger than today's.

Acknowledgment

This material is based upon work supported by the National Science Foundation under grant number 1319215.

Author information

Corresponding author

Correspondence to Rajat Tandon.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Tandon, R., Palia, A., Ramani, J., Paulsen, B., Bartlett, G., Mirkovic, J. (2021). Defending Web Servers Against Flash Crowd Attacks. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science, vol 12727. Springer, Cham. https://doi.org/10.1007/978-3-030-78375-4_14

  • DOI: https://doi.org/10.1007/978-3-030-78375-4_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78374-7

  • Online ISBN: 978-3-030-78375-4

  • eBook Packages: Computer Science, Computer Science (R0)
