
ConnectionScore: a statistical technique to resist application-layer DDoS attacks

  • Original Research
  • Journal of Ambient Intelligence and Humanized Computing

Abstract

In an application-layer distributed denial of service (DDoS) attack, zombie machines send a large number of legitimate requests to the victim server. Since these requests have legitimate formats and arrive over normal TCP connections, intrusion detection systems cannot detect them. In these attacks, the adversary does not saturate the bandwidth of the victim server through inbound traffic but through outbound traffic. The adversary's further aim is to consume and exhaust computational resources (e.g., CPU cycles), memory, the TCP/IP stack, input/output device resources, etc. This paper proposes a novel scheme, called ConnectionScore, to resist such DDoS attacks. During the attack, each connection is scored based on the history and statistical analysis collected under normal conditions. The bottleneck resources are retaken from the connections with the lowest scores. Our analysis shows that connections established by the adversary receive low scores; in fact, the ConnectionScore technique can estimate the legitimacy of connections with high probability. The rate at which suspicious connections are dropped is adjusted based on the current level of overload of the server and a threshold level of free resources. To evaluate the performance of the scheme, we perform experiments in the Emulab environment using real traceroute data of the ClarkNet WWW server (http://ita.ee.lbl.gov/html/contrib/ClarkNet-HTTP.html).



Notes

  1. An ISP normally changes the IP address of its users every two or three days. As a result, a server can measure the downtime of users who connect to the server again within 2 or 3 days.

  2. We note that with most ISPs a user can have a static IP address by paying some additional money.

  3. The value of the constant score is open to discussion, and a server could derive a suitable value from its own experience. However, we choose −1 for the constant score in this paper.

  4. These thresholds can vary from one server to another. They can be chosen precisely for any server based on the experience the server gathers over several days (the thresholds for this work were selected based on our case study).

  5. The value of \(\Delta y\) (0.1, 0.05, 0.02, etc.) is chosen based on the response time within which the system shall be stabilized (the attack is controlled and the load of the bottleneck resource returns below threshold 2). If a large value is chosen for \(\Delta y\) (e.g., 0.15 or 0.1), the system stabilizes faster, but the percentage of false positives increases. In contrast, if a small value is selected for \(\Delta y\) (e.g., 0.02 or 0.05), the system stabilizes more slowly, but the percentage of false positives is low.

  6. Some websites show their most popular and most recently read pages to the public. Such websites cannot use the ConnectionScore technique for handling application-layer DDoS attacks because one of the most important attributes is revealed to the attackers. We hope that websites that want to use the ConnectionScore technique do not show such information to the public.

  7. http://ita.ee.lbl.gov/html/contrib/ClarkNet-HTTP.html.
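The scoring and adaptive shedding loop that the abstract and notes 3 to 5 describe, as an added illustration that is not the paper's code: the attribute set, the normal-condition counts, the thresholds, the capacity and the sample connections are constructed assumptions, and the per-attribute score (empirical probability under normal load, or the constant −1 for a value never seen) is an assumed form rather than the paper's own definition.

```python
from collections import Counter

# Constructed normal-condition statistics; attribute names are assumed for the
# example, the page does not list the paper's real attribute set.
NORMAL_HISTORY = {
    "user_agent": Counter({"Mozilla/5.0": 900, "Safari": 80, "curl/7.0": 20}),
    "first_page": Counter({"/index.html": 700, "/news.html": 250, "/login": 50}),
    "gap_bucket": Counter({"2-10s": 600, "10-60s": 350, "<2s": 50}),
}
CONSTANT_SCORE = -1.0                # note 3: score of a value never seen under normal load
THRESHOLD_1, THRESHOLD_2 = 0.6, 0.8  # note 4: assumed site-specific load thresholds

def score_connection(attrs, history=NORMAL_HISTORY):
    """Sum of each attribute's empirical probability under normal conditions."""
    total = 0.0
    for name, value in attrs.items():
        counts = history[name]
        total += counts[value] / sum(counts.values()) if counts[value] else CONSTANT_SCORE
    return round(total, 4)

def adjust_drop_fraction(y, load, delta_y):
    """Note 5: raise y above threshold 2, lower it below threshold 1, else hold."""
    if load > THRESHOLD_2:
        return min(1.0, y + delta_y)
    if load < THRESHOLD_1:
        return max(0.0, y - delta_y)
    return y

def shed(connections, y):
    """Drop the fraction y of connections with the lowest scores; return (kept, dropped)."""
    ranked = sorted(connections, key=lambda c: score_connection(c["attrs"]))
    n_drop = round(y * 100) * len(ranked) // 100  # integer math sidesteps float rounding
    return ranked[n_drop:], ranked[:n_drop]

def run_control_loop(connections, capacity, delta_y, max_rounds=100):
    """Shed once per round until load (live / capacity) is back under threshold 2."""
    y, live = 0.0, list(connections)
    for rnd in range(max_rounds):
        load = len(live) / capacity
        if load <= THRESHOLD_2:
            return rnd, live
        y = adjust_drop_fraction(y, load, delta_y)
        live, _ = shed(live, y)
    return max_rounds, live
# Constructed sample: 8 browser-like connections and 12 bot-like ones.
HUMANS = [{"id": f"h{i}", "attrs": {"user_agent": "Mozilla/5.0", "first_page": "/index.html", "gap_bucket": "2-10s"}} for i in range(8)]
BOTS = [{"id": f"b{i}", "attrs": {"user_agent": "python-requests", "first_page": "/search?q=x", "gap_bucket": "<2s"}} for i in range(12)]
def summarize(delta_y, capacity=10):
    """(rounds to stabilise, humans kept, bots kept) for one step size delta_y."""
    rounds, live = run_control_loop(HUMANS + BOTS, capacity, delta_y)
    kept = Counter(c["id"][0] for c in live)
    return rounds, kept["h"], kept["b"]
```

Calling summarize with delta_y of 0.02, 0.05 and 0.1 takes 10, 6 and 4 rounds and keeps 8, 7 and 7 of the 8 browser-like connections, which is the stabilisation speed versus false-positive trade-off that note 5 describes.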


Author information

Correspondence to Hakem Beitollahi.

Cite this article

Beitollahi, H., Deconinck, G. ConnectionScore: a statistical technique to resist application-layer DDoS attacks. J Ambient Intell Human Comput 5, 425–442 (2014). https://doi.org/10.1007/s12652-013-0196-5


  • DOI: https://doi.org/10.1007/s12652-013-0196-5
