Ddos Attacks at The Application Layer: Challenges and Research Perspectives For Safeguarding Web Applications

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2018.2870658, IEEE
Communications Surveys & Tutorials
1
DDoS Attacks at the Application Layer :

Challenges and Research Perspectives for
Safeguarding Web Applications
Amit Praseed and P. Santhi Thilagam
Abstract—Distributed Denial of Service (DDoS) Attacks are of critical, personal information like credit card numbers.
some of the most devastating attacks against web applications. However, attacks on web applications also stem from business
A large number of these attacks aim to exhaust the network competition, policy disagreements as well as political and
bandwidth of the server, and are called network layer DDoS
attacks. They are volumetric attacks and rely on a large volume social issues. These attacks attempt to disrupt the services of a
of network layer packets to throttle the bandwidth. However, web application so that its services are unavailable to the users,
as time passed, network infrastructure became more robust which leads to a loss of revenue for the organization. A single
and defenses against network layer attacks also became more minute of downtime can cost the organization up to $22000
advanced. Recently, DDoS attacks have started targeting the in revenue [1]. Even more devastating is the loss of user trust
application layer. Unlike network layer attacks, these attacks
can be carried out with a relatively low attack volume. They or a decline in brand value for the organization. Users will
also utilize legitimate application layer requests, which makes it not be interested in the services offered by the organization
difficult for existing defense mechanisms to detect them. These if periodic outages leave the website unusable. These type
attacks target a wide variety of resources at the application layer of attacks, aptly named Denial of Service (DoS) Attacks, are
and can bring a server down much faster, and with much more some of the oldest attacks known but still continue to be a
stealth, than network layer DDoS attacks. Over the past decade,
research on application layer DDoS attacks has focused on a few major threat due to the way they evolve and grow.
classes of these attacks. This work attempts to explore the entire In the 18 months from January 2015 to June 2016, Arbor
spectrum of application layer DDoS attacks using critical features networks reports tracking around 1,24,000 DDoS attacks every
that aid in understanding how these attacks can be executed. week [2]. Government websites are often targets of such
defense mechanisms against the different classes of attacks are attacks, and the motivation is usually policy disagreements
also discussed with special emphasis on the features that aid in
the detection of different classes of attacks. Such a discussion is between the government and the attackers. The global hacking
expected to help researchers understand why a particular group collective Anonymous has launched DDoS attacks against a
of features are useful in detecting a particular class of attacks. number of government websites, most recently against the
Index Terms—application layer, DDoS, attacks, defenses, denial Spanish government in support of Catalan independence [3].
of service, taxonomy, detection, web applications The governments of USA [4], Ireland [5], India [6] and Brazil
[7] have also been on the receiving end of such attacks in
the past couple of years. These attacks expose the inherent
I. I NTRODUCTION
weaknesses in the government infrastructure and the lack of
Web applications have made information and services avail- security measures in place. Banking and e-commerce sites are
able to users without time or space constraints. People can also prime targets for DDoS attacks. Attacks on banking sites
now browse for information, connect with friends, buy and sell can effectively cripple the economy by blocking all online
things and perform financial transactions at the comfort of their transactions. This presents a serious issue at a time when the
homes. Large scale e-commerce companies have capitalized general public is becoming more and more inclined towards
on this trend and have made efforts to make their services buying and selling online. A number of US based banks were
available online. Not just competitive businesses, governments targeted by DDoS attacks in 2012 [11] and customers were
of a large number of countries have also extended their unable to perform transactions for hours. A similar attack
services online. With web applications powering a major share hit HSBC bank in the UK in January 2016 [10]. Bitcoin
of businesses and services, it becomes crucial for organiza- websites have also been targeted in the same light as banking
tions, business owners and individual governments to ensure websites [9], [16], often calling into question the feasibility of
that their websites (and by extension, their services) remain a currency with no physical existence.
available to users all the time. DDoS attacks are perfectly capable of disrupting internet
As web applications become increasingly important for connectivity for a large number of users, sometimes even in
businesses and financial institutions, they also become targets large parts of a country. Attacking and taking down a DNS
for malicious users. A large number of attackers are motivated server leaves a large number of websites in the dark because
by financial gain, because web applications are storehouses users become unable to resolve domain names, as evidenced
by the attack on Dyn in 2016 [12]. Taking down a part of
Amit Praseed and P. Santhi Thilagam are with the Department of Com-
puter Science and Engineering, National Institute of Technology Karnataka, the network infrastructure can block internet connectivity as
Surathkal, India, e-mail:amitpraseed@gmail. com;santhisocrates@gmail. com well, particularly if there are no alternate connection paths
1553-877X (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2018.2870658, IEEE
2
TABLE I
I MPACT OF DD O S ATTACKS
Target Type of Organization Year Impact
Github [8] Hosting Service Provider Mar 2018 Github servers were taken offline
Brazilian Sports Ministry Sites [7] Government websites 2016 Sites for the Rio Olympics and associated sites went
down
Spanish Constitutional Court Web- Government website 2017 Several websites were taken down or hacked
site [3]
Bitcoin Gold [9] Cryptocurrency server Oct 2017 Cryptocurrency deals went down
HSBC [10] Banking website Jan 2016 Financial transactions were blocked for a long time
Bank of America, Chase, Wells- US based banks 2012 Financial transactions were unavailable to the general
Fargo, PNC [11] public
Dyn [12] DNS Provider Oct 2016 Websites like Twitter and Reddit went down
Valtia [13] Heating Systems Provider Oct 2016 Temperature adjustment failed in a town in Finland
Trafikverket [14] Sweden Transport Administration Oct 2017 Trains were delayed, reservations portals failed to
function
Lonestar Cell MTN [15] Internet Provider in Liberia Nov 2016 Internet was unavailable in parts of the country
in the infrastructure. The attacks on the Liberian internet Our contributions in this work are:
infrastructure were executed in this manner, and left large • To present an integrated taxonomy of application layer
portions of the country without internet [15]. DDoS attacks based on how application layer protocols
With more and more devices being powered online, it is not and features are exploited to execute attacks.
just computer systems that become affected by DDoS attacks. • To provide a comprehensive review of defenses against
Heating systems in Finland [13] and transport systems in application layer DDoS attacks with special emphasis on
Sweden came to a standstill [14] after DDoS attacks rendered the features that aid in detecting different types of attacks.
the systems inoperable. This is in line with a report from the
network security company Corero in 2017 that 51% of critical The rest of this paper is organized as follows: Section II
infrastructure organizations in the UK were ignoring the risk provides a background of the area, providing a description
of DDoS attacks [17]. Table I gives a summary of some of of network layer and application layer DDoS attacks. Section
the critical DDoS attacks in the last decade. III proposes a taxonomy of application DDoS attacks and
The reason DDoS attacks remain a major threat even after describes the different classes of attacks. Sections IV to XI
so many years is because they have grown and evolved over discuss the detection mechanisms in the literature today for
the years. The attacks initially relied on using malformed the different types of attacks, with particular emphasis on
packets or flooding the device with network layer packets. As the features that can be used to detect the attacks. Section
the infrastructure became more sophisticated and defenses at XIII-A gives an overview of tools which aid in detecting a few
the network layer became more robust against these attacks, classes of application layer DDoS attacks and section XIII-B
attackers moved on to the application layer. DDoS attacks at discusses the different datasets that researchers can use in the
the application layer have been on the rise for a few years. area. Section XIV discusses the different metrics which are
The Imperva Incapsula DDoS Threat Landscape Report 2015- commonly used in evaluating detection mechanisms.
16 [18] indicates that nearly half of the DDoS attacks were
at the application layer. The complexity of DDoS attacks at II. BACKGROUND
the application layer are also expected to grow over time.
Application layer attacks present a more sophisticated version A. Denial of Service Attacks
of DDoS attacks in the sense that they are much more similar Denial of Service (DoS) attacks are some of the oldest
to normal user traffic and hence pose a serious challenge attacks against web applications. The first reported use of
in how they can be identified. The attacks are carried out what can be considered as a DoS attack dates back to the
using legitimate user requests, which rules out the possibility late 1990s [19]. Since then they have evolved and grown
of inspecting a packet to label it as malicious or not. As a and have become one of the most common attacks against
result both network layer defenses and some of the existing web applications. The distinction between a DoS attack and a
Web Application Firewalls (WAFs) fail to detect these attacks. Distributed DoS (DDoS) attack is in the number of attackers
The fact that these attacks can be executed using multiple involved. A DoS attack typically implies a small number of
protocols at the application layer, both connection oriented attackers, sometimes even a single attacker. DDoS attacks
and connectionless, compounds the danger. are more massive and can involve hundreds or thousands
3
of attackers. These attackers need not be human attackers, and even some application layer firewalls ineffective in
and in most cases there are just a few human attackers. The detecting these attacks.
"attackers" in this scenario refer to the systems that are being • Low Traffic Volume : Contrary to network layer DDoS
controlled by the human attackers. Systems that have been attacks, where the network bandwidth becomes the bot-
infected by malware and are acting as attackers on behalf of tleneck, in application layer DDoS attacks, the server
the real attackers are called zombies or bots. Attackers usually resources become the bottleneck. Because of that, the
employ a large number of such bots to form a botnet. server can be brought down using comparatively fewer
The objective of a DDoS (or DoS) attack is to make a web requests, and hence the traffic volume is also low. Most
server unavailable to legitimate users trying to access it. This of the existing DDoS detection mechanisms rely on the
can be accomplished in multiple ways, but the core idea is large traffic volume to identify attack. That approach fails
to exhaust one or more of the resources available with the in the case of application layer DDoS attack, making most
server. These resources could include CPU or database cycles, of the existing DDoS detection mechanisms obsolete.
memory, socket connections or network bandwidth. Attackers • Targeted Strikes : Application layer DDoS attacks are
may exploit system weaknesses or protocol weaknesses to do highly targeted. The attack can be carried out on the
so, or they may simply push the server to its limits by using CPU, database, memory, or socket connections. An attack
the features provided by the web server repeatedly. which attempts to exhaust one resource will not affect the
other resources in any way, but the system as a whole
will not be able to function. As a consequence, a defense
B. Application Layer DDoS Attacks
mechanism for one resource is unlikely to be effective
A large number of DDoS attacks target the network band- for another resource.
width because of the ease with which it can be exhausted. • Resemblance to Flash Crowds : A flash crowd is a sudden
Attackers simply send a large volume of network packets to the spike in legitimate user traffic to a website, most often
server, effectively exhausting the network bandwidth. Network due to some noteworthy event or a mega sale in the case
layer protocols like UDP (User Datagram Protocol) and ICMP of e-commerce sites. An application layer DDoS attack is
(Internet Control Message Protocol) are used for this purpose. often confused with a flash crowd because both of these
As time passed, two things changed. Networks and servers events are associated with a spike in legitimate HTTP
became more robust in identifying network layer DDoS attacks requests to a site. Proper identification of a DDoS attack
and servers could afford better and increased bandwidth. An and a flash crowd is essential for any defense mechanism
enormously large volume of requests could still exhaust the because flash crowds bring valuable traffic to the website,
network bandwidth and take down a server, but it became and it would be detrimental to the website if they were
more difficult to do so. The attackers responded by moving wrongly labeled as DDoS traffic and blocked.
up the stack to the transport layer. SSL renegotiation attacks
[20] exploited the transport layer, but as time passed servers
began to defend against these attacks as well. These attacks III. TAXONOMY OF A PPLICATION L AYER DD O S ATTACKS
had a pattern that could be identified and generalized across A fair amount of work has gone into studying and clas-
platforms, and could be strictly classified as malicious. sifying DDoS attacks at the application layer. One of the
In recent years, attackers have moved up the stack one earliest surveys in the area belongs to Geneiatakis et al.
more time giving rise to a new trend called application [23]. They presented a review of vulnerabilities in the SIP
layer DDoS attacks. These attacks do not aim to throttle the (Session Initiation Protocol) protocol which could be exploited
network bandwidth, instead they attempt to exhaust server to launch a DDoS attack. However, the work was restricted
resources like CPU cycles, database cycles, memory or socket to a discussion of the avenues of attack and not the defense
connections. There has been a huge growth in the number of mechanisms against these attacks. Works by Armoogum et al.
application layer DDoS attacks in the recent years. Imperva [24] and Hussain et al. [25] further examined the area in more
Incapsula’s Global DDoS Threat Landscape Report 2017 [21] detail. They also examined the different defense mechanisms
reports that for the fourth quarter in a row, there was a that have been discussed in literature for SIP based DDoS
decrease in the number of network layer assaults along with attacks. Jensen et al. [26] presented a detailed discussion of
another spike in the number of application layer assaults. attacks on web services. They also provided details of how
Reports by Kaspersky [22] mention the fact that "the cream the SOAP (Simple Object Access Protocol) protocol could be
of cybercriminal communities are now turning to Application exploited to execute DDoS attacks. In the recent years, the
Layer DDoS attacks". focus of the research community has been more towards HTTP
Attacks carried out at the application layer have a few based DDoS attacks. Aamir & Zaidi [28] and Zargar et al. [29]
subtleties which make them unique and different from other both examined network and application layer attacks. Aamir
attacks. and Zaidi [28], restricted the discussion to flooding attacks at
• Legitimate requests : Application layer DDoS attacks pro- the application layer. Zargar et al. [29] provided a classification
ceed through legitimate HTTP packets. There is virtually of attacks that included reflection attacks, flooding attacks,
no difference between an attack request and a normal asymmetric attacks and slow DDoS attacks. The discussion on
request. The only difference resides in intent, and not defense mechanisms focused on where the solution is deployed
in content. This makes most network level packet filters and the time of action. Wang et al. [32] presented a similar
4
TABLE II
C OMPARISON OF E XISTING S URVEYS OF A PPLICATION L AYER DD O S ATTACKS
Research Work Year Area Covered Limitations

Geneiatakis et al. [23] 2006 SIP protocol vulnerabilities Discusses security vulnerabilities leading to DDoS
attacks in the SIP architecture, no discussion on
defense mechanisms
Durcekova et al. [27] 2012 GET flooding and Slow DDoS attacks Discusses only a few types of attacks, does not pro-
vide an in-depth classification of attacks or defenses
Aamir & Zaidi [28] 2013 Network and application layer attacks and defenses Limits discussion to flooding attacks, does not pro-
vide any classification
Zargar et al. [29] 2013 HTTP floods, reflection attacks, Slow Attacks Detection mechanisms are classified based on de-
ployment location and time of action, does not
consider asymmetric attacks the way previous works
do
Cambiaso et al. [30] 2013 Slow DDoS Attacks Focuses discussion of primarily slow DDoS attacks,
but refers to any application layer DDoS as slow,
does not discuss any defensive mechanisms
N. S. Vadlamani [31] 2013 HTTP floods and asymmetric attacks Discusses only attacks using HTTP protocol, but
neglects Slow DDoS attacks, also does not present a
taxonomy of attacks or defenses
Armoogum et al. [24] 2014 SIP based DDoS attacks Discusses only SIP based DDoS attacks, discusses
defense mechanisms but does not present a taxonomy
Hussain et al. [25] 2015 SIP based DDoS attacks Considers only SIP based attacks and their defense
mechanisms
Wang et al. [32] 2015 Application layer attacks and defense mechanisms Restricts the discussion to HTTP attacks, defense
mechanisms are classified only based on deployment
location
Mantas et al. [33] 2015 Application layer attacks Does not examine any defensive mechanisms
Singh et al. [34] 2017 GET flooding attacks Limits the discussion to only GET flooding attacks
and ignores other application layer attacks
classification of attacks as [29], but only classified defense In this work, application layer DDoS attacks have been
mechanisms based on point of deployment. Vadlamani [31] classified on the following features:
examined the different HTTP flooding and asymmetric attacks, • Nature of Exploitation : This feature analyzes how the
the different defenses against them, their merits and demerits. exploit is carried out by the attacker. Attackers can find
Mantas et al. [33] provided a detailed taxonomy of application weaknesses in a system to launch DDoS attacks, or they
layer DDoS attacks based on target level, exploit type, attack may exploit features in the underlying protocol. In the
methodology, attack volume and attack workload. However absence of these weaknesses, attackers can simply exploit
they did not discuss any defense mechanisms against these features provided by the web application to launch the
attacks. Singh et al. [34] provided a detailed taxonomy of attack.
GET flooding attacks based on a number of factors. They also • Protocol : Application layer DDoS attacks have been
examined the detection features that can aid in detecting these observed mainly using four different layer 7 protocols
attacks. Durcekova et al. [27] presented a review of application - HTTP, SOAP, DNS and SIP.
layer DDoS attacks, but restricted the discussion to GET • Payload Delivery : This feature focuses on how the
flooding attacks, and slow DDoS attacks. They also discussed attacker delivers his attack payload to the target system.
a brief classification of defensive tactics against these attacks. An attacker could directly send the attack requests to the
Cambiaso et al. [35] presented a taxonomy of slow DDoS target server, in which case the attack is said to be a direct
attacks, but did not present any discussion about the defenses. attack. For application layer protocols which do not rely
A comparison of the recent attempts at classifying application on a connection (eg. DNS), an attacker can request for a
layer DDoS attacks and their defensive mechanisms is given large amount of information from some server, spoofing
in Table II. the victim’s address. This launches a stream of messages
Our work is different from the existing literature reviews in to the victim which can effectively knock it offline. This
the following points: mode of attack is called reflected mode of attack.
• We provide a detailed survey of application layer DDoS • Overhead of Attack : Attackers have to expend some
attacks exploiting four major application layer protocols amount of resources in order to launch an attack. If the
- HTTP, SOAP, DNS and SIP. amount of overhead incurred by the attacker is propor-
• We present a taxonomy of application layer DDoS at- tional to the damage intended on the victim, the attack
tacks which integrates attacks exploiting the four major is said to be symmetric. However, using specially crafted
application layer protocols. requests, the attacker can reduce the overhead incurred
• We discuss the different features that can be used to detect while maintaining, or even increasing, the damage at the
different classes of application layer DDoS attacks, and victim. Such an attack is termed as an asymmetric attack.
discuss existing research works that utilize these features We have focused on those criteria which can help researchers
for attack detection. better understand the inner workings of an a DDoS attack,
5
and as such provide an understanding on how these attacks web application at risk. For example, earlier versions of the
can be defended against. Figure 1 gives the first level breakup Apache server suffered from a vulnerability due to which an
of application layer DDoS attacks. The attacks have been HTTP message with a large overlapping range header caused
classified based on the nature of exploitation into three classes. a memory exhaustion crashed the server [36]. This attack is
Each of these base classes have been examined in detail in no longer feasible, because newer versions of the server have
the following subsections. We have chosen the exploitation patched this vulnerability.
level as the root feature for the classification tree because this b) Use/reuse of vulnerable algorithms: Most web appli-
separates the tree into categories with little or no overlap. cations make use of existing algorithms for hashing or parsing
input data. A lot of the time though, this code is often reused
with little thought with regards to security. Vulnerabilities in
algorithms come to light under certain conditions and can
result in a system crash if not handled accordingly. HashDoS
[37] was an attack that exploited the use of vulnerable hashing
algorithms in web application servers that use hashing to
organize POST input parameters. In the best and average
cases, insertion, and access of items in a hash table proceed
in O(1) complexity, but in case a collision occurs, the hash
table degenerates to a linked list with O(n) complexity. An
attacker who supplies a crafted input with a large number of
POST parameters can successfully cause collisions in a large
number of scripting languages. This can cause the CPU to
spend a large amount of time working to resolve collisions
Fig. 1. Classification of Application Layer DDoS attacks based on Nature of
Exploitation
and cause a denial of service situation [38].
Another example is a coercive parsing attack on XML web
services [26]. At the receiver end, XML messages have to
be parsed before they can be processed. Deeply nested XML
A. Exploiting the System Weaknesses packets can cause a sharp increase in CPU usage. So to
A large number of web applications have security loopholes bring down a SOAP server, the attacker simply sends a SOAP
that can be exploited to launch attacks. These vulnerabilities message with a large number of opening tags till the server
can arise due to three reasons: goes down.
• Use of vulnerable software components <soapenv:Envelope xmlns:soapenv=" . . . "
• Use/reuse of vulnerable algorithms without patching xmlns: soapenc: " . . . ">
• Programmer negligence <soapenv:Body>
<x>
<x>
<x>
<x>
. . . contd .
Such a vulnerability exists only in a DOM based parser. A
DOM based parser creates an in-memory representation of
the incoming SOAP message during processing. This typically
increases the message size by a factor from 2 to 30. For large
messages, this expansion can result in memory exhaustion
as well. A stream based parser like SAX parser does not
experience such a vulnerability, because the entire document
is never loaded into the memory at a time.
Fig. 2. Taxonomy of Application Layer DDoS attacks exploiting System c) Attacks exploiting Programming Negligence: A large
Weaknesses number of web applications operate with an SQL (Structured
Query Language) back-end. For these applications, SQL injec-
A schematic diagram classifying attacks that exploit system tion is a real threat. SQL injection is usually associated with
weaknesses is given in Figure 2. injecting malicious data or leaking sensitive information. But
a) Use of vulnerable software components: No web ap- it can also be used to cause a denial of service situation. All
plication is designed and implemented from scratch. Existing the queries issued by a user make their way to the back-end
software components, like load balancers and proxies are server and get executed on the database. If an attacker can
often used as such and very little code is actually written by make the database server perform actions which leads to an
the developer. The use of software components with existing inconsistent state or even delete the entire database, the system
vulnerabilities, knowingly or unknowingly, puts the entire cannot function and leads to a denial of service. This isn’t the
6
most sophisticated way of inflicting a denial of service, but an appearance after the 2009 Iranian Presidential elections and
sometimes the simplest attacks are the most brilliant. is dubbed Slowloris. These attacks were carried out by HTTP
The question though is : how to get the database into an connections that sent GET requests to the server in extremely
inconsistent state? Let us assume the web application allows small fragments, sometimes sending individual headers one by
the users to search for an employee based on an employee one. A normal HTTP GET request is shown here:
number. The query would normally look like
GET / i n d e x . php HTTP / 1 . 1 [ CRLF ]
SELECT * FROM e m p l o y e e Pragma : no− c a c h e [ CRLF ]
WHERE EmpNo = $ i n p u t $ ; Cache − C o n t r o l : no− c a c h e [ CRLF ]
H o s t : t e s t p h p . vulnweb . com [ CRLF ]
where input is the value entered by the user. Consider the C o n n e c t i o n : Keep− a l i v e [ CRLF ]
case where the user enters an input like Accept −E n c o d i n g : g z i p , d e f l a t e [ CRLF ]
”1; DROP T ABLE employee” User −Agent : M o z i l l a / 5 . 0
( Windows NT 6 . 1 ; WOW64)
The query generated internally is AppleWebKit / 5 3 7 . 36 (KHTML, l i k e Gecko )
SELECT * FROM e m p l o y e e Chrome / 2 8 . 0 . 1 5 0 0 . 6 3 S a f a r i / 5 3 7 . 3 6 [ CRLF ]
WHERE EmpNo = 1 ; A c c e p t : * / * [CRLF ] [ CRLF]
DROP TABLE e m p l o y e e ; HTTP uses a carriage return line feed (CRLF) to denote
Since a ’;’ in all major SQL implementations acts as a next line and it uses two CRLF characters to denote a blank
delimiter between queries, the database server will execute line. Typically a blank line denotes the end of the headers
both the queries and the table employee will be dropped. Such in an HTTP request. An attacker can simply omit the double
an assault is called a piggybacked query and can be used to CRLF sequence so that the server assumes the user is not
cause a denial of service on the application. done sending headers. After sending a small fragment of the
HTTP headers, the attacker waits. HTTP defines a timeout
for all connections, which is the time for which an HTTP
B. Exploiting Protocol Features connection can remain idle without being torn down. This is
Protocols are designed to facilitate efficient communica- not a fixed number but is server dependent. Just before the
tion between different parties regardless of differences in server timeout duration is reached, the attacker sends the next
bandwidth or computing power. Attackers can use different fragment. This forces the server to maintain the connection.
features of protocols, which were originally meant for efficient If executed over multiple connections the server runs out of
communication, to launch attacks and possibly create a denial socket connections for legitimate users. The other counterpart
of service situation. HTTP and SOAP are the two major of a slow GET attack is a slow POST attack. A GET request
protocols at the application layer. A classification of those has size limitations on it due to the fact that it does not have
attacks which exploit these protocol features are represented a body. A POST request on the other hand can be arbitrarily
in Figure 3. long because it has a request body. The HTTP header specifies
1) Exploiting the HTTP Protocol: HTTP was designed to a field called Content−Length which tells the server how long
facilitate communication between a human user (using a web the message is going to be. The attacker sets the POST request
browser) and a web server. HTTP is a connection oriented to have an arbitrarily large value of Content − Length and then
protocol based on TCP, which means a TCP connection should proceeds to send data in small fragments. The server is forced
be established before communication can proceed. This con- to maintain the connection until either the connection times
nection is maintained till the end of communication. Different out or the entire message is received. After a while the server
features of HTTP have often been abused by attackers to is unable to accept any new incoming connections.
launch attacks. Slow DDoS attacks can also be launched on the HTTP
a) Request Fragmentation: HTTP was designed with response and are called Slow Read Attacks. The attacker
all users in mind, even those with a small bandwidth and sends a GET or POST request to the server and waits for
hence HTTP allows its users to fragment an HTTP message a response by advertising a small network window. The web
across multiple packets. An attacker who fragments his HTTP server assumes the user is on a low bandwidth connection and
messages into extremely small packets can keep the connection proceeds to send the HTTP response in small fragments. This
open for an arbitrarily long time. Since web applications ties up the connection until the entire data is received. If the
have a predefined limit on socket connections it can maintain attacker can establish multiple connections of this nature, it
simultaneously, an attacker who manages to keep multiple exhausts the socket connections on the server.
connections open for an infinitely long time can effectively b) Connection Refresh: The effect of maintaining a con-
force the server to decline legitimate connections. This class nection for an undefined amount of time can be achieved
of attacks are called Slow DDoS attacks and come in two by using an HTTP header field called PRAGMA [39]. The
varieties based on whether the attack is carried out using an HTTP PRAGMA header field tells the HTTP server and
HTTP request or response. any intermediate caches that the user wants a fresh copy
The attacks that make use of an HTTP request are called of the requested resource. This ensures that the request is
Slow Write attacks. The most famous slow write attack made not satisfied by any of the caches but by the web server
7
itself, ensuring that the server has to expend processing power. a) Flexible Use of Security Header: WS-Security is a
Additionally, whenever an HTTP PRAGMA is issued the security specification which extends SOAP to provide integrity
timeout for the connection is reset. Use of the PRAGMA field and confidentiality of data and specifies the different ways to
can keep connections open for an indeterminate amount of use XML signatures and encryption to ensure that data remains
time, ensuring that socket resources get tied up. It is worth safe and secure. One of the specifications is the addition of
mentioning that the PRAGMA field has no visible purpose in a security header which includes security elements such as
HTTP 1.1, but is still allowed to maintain compatibility. decryption keys. WS-Security allows considerable flexibility
c) Multiple Verbs: HTTP request methods initiate action to encrypt different parts of the message with different keys
at the server side, and for this reason they are sometimes called and possibly encrypt the keys themselves. All the keys must,
HTTP verbs. Traditionally, a single request contains of a single however, be present in the security header which is encrypted
action or verb. In such a scenario, it is rudimentary that the with the receiver’s public key. Because the specifications allow
more workload the attackers want to dump on the server, the flexibility in encrypting the message parts, the security header
more number of requests they have to send. But HTTP has can be very big, which is allowed by default. However, attack-
a somewhat lesser known feature which allows the users to ers can purposefully use oversized security headers to crash the
pack multiple verbs into a single HTTP request. This means system [26]. This is because the security header contains the
that attackers can compress multiple verbs into a single request keys necessary for decryption and must be buffered while the
and send to the server. The server is forced to perform all the message is processed. If the security header is extremely large
tasks that are requested, which is much more than a normal the server can potentially run out of memory while processing
request. The advantage this presents to the attackers is that the a few malicious packets. A more dangerous attack may be to
attack volume can be cut down to a large extent, thus helping encrypt different parts of the document with different keys and
them evade detection [29], [40]. then to encrypt the keys recursively. Such an attack destroys
d) The Push for HTTP 2.0: HTTP 1.1, which is currently the system on two fronts. On one hand the security keys must
the standard for communicating with web servers, is expected be buffered while processing the message, and if the attacker
to be phased out soon. HTTP 2.0 is poised to replace HTTP uses a deeply nested set of encrypted keys the system can
1.1 in the coming years. Most modern browsers and servers potentially run out of memory. On the other hand, each of
do provide options for users to opt for HTTP 2.0. This newer these keys should be decrypted before the system can proceed
version of HTTP provides a header compression mechanism further. Most of the encryption and decryption algorithms
to reduce the header length, and avoid message overheads. It are computationally expensive and consume a non-negligible
also allows servers the freedom to push content to the client amount of CPU time. Such an attack can thus potentially
without an explicit request to save time. It also allows clients to exhaust the CPU and the memory resources available with
send multiple concurrent requests simultaneously, on a single the server.
TCP connection and potentially all within a single packet. b) External Entity Reference: XML packets were de-
While these features have been designed to improve the signed to be compact. However, the XML language allows the
speed and efficiency of communication, there have been con- users to include a link to point to an external entity, which will
cerns over security. The feature which allows multiplexing be fetched and processed when the XML message is parsed
of requests can be used to launch flooding attacks, and even and processed. This is a simple and effective way to maintain
asymmetric attacks. Beckett and Sezer [41] demonstrated that the compactness of XML, and at the same time to allow users
HTTP 2.0 allows an attacker to carry out a much larger attack to send larger entities for processing. However, the same can
on the same hardware, with the same packet generation limita- become a point of exploitation. Attackers can potentially send
tion. Imperva also reported that the slow reading vulnerability XML messages with an External Entity Reference pointing
present in the older version of HTTP was still present in the to a large document [43]. While the message is parsed, this
newer one[42]. document is fetched. The entire XML message, of which
2) Exploiting the SOAP protocol: Just like HTTP is the the document is actually a part must reside in memory for
standard for communication for web applications, SOAP (Sim- processing to complete, and so with a few simple messages
ple Object Access Protocol) is the standard for communication the attackers can ensure the system runs out of memory. A
for web services. Web services involve communication be- well known attack of this type is called the Billion Laughs
tween web applications without any human interaction. This Attack [44], and defines nested entities within an XML Data
necessitates the use of a universal language which can be used Type Definition (DTD) document to create a memory bomb.
on all platforms and is easily processed by servers. Readability This attack causes the parser to generate an abnormally large
and ease of use tends to take a back seat because of the payload, potentially overloading the application and causing a
lack of human interaction. XML and JSON are the two most denial of service.
commonly used notations which have universal acceptance,
and of these XML takes precedence because of its reach. The
SOAP protocol is primarily based on XML messages for this C. Exploiting System Features
reason. The SOAP protocol also has security extensions which DDoS attacks are simple and easy to launch in the sense that
enable safe and secure transmission of XML data. However, they do not rely on the existence of a flaw or a vulnerability in
sometimes the flexibility offered by SOAP allows malicious the web application. DDoS attacks can exploit a vulnerability
users to take advantage and force the server to do more work. or weakness in the server if one exists, but they do not need
8
Fig. 3. Taxonomy of Application Layer DDoS attacks exploiting Protocol Features
to. Every web server has a finite amount of resources at its number of attack requests to the target web server, so that it
disposal - CPU, memory, database or socket connections. If is unable to process legitimate client requests. However, while
attackers can exhaust these resources by sending requests that network layer DDoS attacks utilize network layer protocols
they do not intend to use, the server has no resources available like ICMP, attacks at the application layer rely on protocols
for serving legitimate demands from normal users. This makes like HTTP, SOAP, DNS or SIP. A point of difference is that
the website unavailable for legitimate users. The most striking attacks at the application layer do not need to throttle the
fact about these attacks is that even the most secure servers are server bandwidth to cause a denial of service situation. A
vulnerable to these attacks. These attacks can proceed through single HTTP request makes the server perform more work
the use of different protocols at the application layer - HTTP, than a packet at the network layer. So the server resources
SOAP, DNS or SIP. Of these HTTP and SOAP work with become the new bottleneck in this situation and get exhausted
an underlying TCP connection which is connection oriented, much before the bandwidth of the server gets throttled.
while SIP and DNS work with the connectionless UDP proto- HTTP flooding [45] is the most common application layer
col. Attacks exploiting server features can be broadly classified DDoS attack which utilizes the HTTP protocol. This is largely
into direct and reflected attacks. A detailed taxonomy of this due to the ease with which this attack can be executed. The
class of attacks is given in Figure 5. simplest way of executing this attack is to repeatedly send
1) Direct Attacks: Direct attacks involve the attacker send- requests to any one URL on the target web application. More
ing malicious requests directly to the victim server. If the often than not, it is the home page or login page that is
attacker sends a large enough number of requests to the attacked. However, a repeated stream of requests to the same
server, the server will be unable to process them and will URL can be easily identified and blacklisted by the server
crash. However, in the process the attacker needs to perform administrator. So the next line of attack is to continuously
significant work in itself by sending these requests. Such send requests to random URLs in the web application. This
attacks are said to be symmetric. The objective of the attacker works in the same way as the earlier attack, but cannot be
is to bring down a server by using as few resources as possible. detected that easily. Tools like Low Orbit Ion Cannon(LOIC)
It is possible to make a server do more work by carefully or other stress testing tools can easily be used to launch an
crafting requests or by sending a particular stream of requests HTTP flood. The fact that these tools can be easily downloaded
instead of random requests. Such attacks reduce the load on off the internet makes it much more dangerous.
the attacker while maximizing the load on the target server. SOAP or XML flooding [46] works in the same way as
Such attacks are said to be asymmetric in nature. HTTP flooding but is targeted at web services.
a) Symmetric DDoS Attacks: Symmetric DDoS attacks DNS is perhaps the most important protocol in the applica-
are in many ways similar to network layer DDoS attacks. tion layer because it aids in address resolution. A DNS server
The similarity lies in the fact that like network layer DDoS works by translating a domain name to the corresponding IP
attacks, symmetric DDoS attacks also work by sending a large address. The fact that DNS operates on the UDP protocol
9
makes it an open target for attacks because anyone can openly the SIP infrastructure resources like the proxy or registrar
query a DNS server at any time. Attackers can easily take servers [23]. The major issue here is that after every INVITE
down a DNS server by sending a large number of queries or REGISTER message, the connection is maintained by the
to the DNS server. After a point of time, the DNS server server for a few minutes. This is to allow users to respond with
cannot accept any new queries and effectively goes offline an authentication or proceed to the next stage of connection
[47]. This presents a much more serious problem than a single establishment. If the attacker sends a large number of such
web server crashing. If a single web server goes down only messages, it can effectively tie up the callee or the SIP servers
that organization is affected. But when a DNS server goes from accepting new connections.
down a large number of users are effectively cut off from a b) Asymmetric DDoS Attacks: All the symmetric attacks
large part of the Internet because the address to IP resolution against the victims also consume a significant amount of re-
is the first step in accessing any web application. The attacks sources for the attacker. The objective of the attacker is always
on Dyn DNS service in 2016 are a prime example [12]. When to maximize the damage to the victim while minimizing the
the services of Dyn went down, a large number of popular resources that have to be employed for the attack. This is
websites including twitter and Reddit went offline for hours. where asymmetric attacks come into play. Symmetric attacks
VoIP (Voice over Internet Protocol) is a new avenue of can be launched and executed without much thought, but
communication which offers the services provided by a Public asymmetric attacks need careful planning behind them. The
Switched Telephone Network over the internet. Falling data idea, however, is the same - to send legitimate requests so
costs make it much more affordable for users to use VoIP that it ties up the resources at the target server. The difference
as a means of communication nowadays. Session Initiation lies in the type of requests used while executing the attack.
Protocol (SIP) is the most popular protocol used in VoIP. A SIP If one special request can make the web server perform more
architecture consists of a caller, a registrar, a location server, work than usual, it is intuitive to try and send this request
proxy server and the callee. The caller and callee are uniquely repeatedly. This will bring down the server faster, using fewer
identified by their IP and URI. When a caller connects to the requests and at the same time reduces traffic volume which in
network, they register with the registrar server. The location turn evades detection.
server maintains a record of the location of the user agents Assume we have a web server that connects to a database
by means of their IP. A proxy server is meant to forward server. The web server gives the users to search for jobs
the call from the caller to the callee. When a caller places a based on some search queries. To make the search better, the
call to the callee, the caller sends a SIP INVITE message to server employs pattern matching so that the database returns
the callee via the proxy server. The proxy server contacts the all jobs which have the words the user wants in any scenario.
callee and at the same time sends back a TRYING message to The internal query would look something like:
the caller. When the callee receives the call, it starts ringing.
This is indicated by a RINGING status message. When the
SELECT TOP 10 JobPK , J o b D e s c r i p t i o n
callee accepts the call, the callee sends a 200 OK message
FROM JOBS a s j
which is responded to by an ACK message from the caller.
WHERE J o b D e s c r i p t i o n LIKE ’%ASP%’
This establishes the connection by means of a three way
ORDER BY JobPK
handshake. The users can terminate the connection by means
of a BYE message which is followed by an ACK. A brief This query will typically return the result in under a second.
representation of the SIP architecture and the different avenues Note that the search term the user enters is "ASP". However,
of attack is given in Figure 4. There are multiple avenues for if the user enters a more complex search term, the query gets
04/09/2018 draw.io complicated. Consider a slight variation of this query as given
below
Response
Proxy Server
flood
SELECT TOP 10 JobPK , J o b D e s c r i p t i o n
Registration FROM JOBS a s j
Request Information
INVITE
Proxy
Location WHERE J o b D e s c r i p t i o n LIKE
Server
Server ’%_ [ ^ | ? $ %" * [(Z * m1_=]−%RT$ ) | [ { 3 4 } \ ? _ ] | |
INVITE
%TY− 3 ( * . >?_ ! ] _%’
INVITE flood
REGISTER flood ORDER BY JobPK
User
Agent Registration This query performs a complex comparison using regular
Registrar
expressions on the tuples and is likely to tie up the database
User
Agent for some time, possibly minutes.
We refer to the class of requests that do not put exces-
sive load on the server as low workload requests, and the
Fig. 4. Avenues of Attack on SIP Architecture requests which do have to perform significant computation as
high workload requests (In reality though, there is no such
flooding in such a scenario. Flooding can be carried out by distinction, and classifying requests based on the workload
INVITE messages, BYE messages or REGISTER messages. is purely situational). Assuming that a high workload request
Also, the attack can be launched against the callee or against performs twice the computation that a low workload request
chrome-extension://pebppomjfocnoigkeepgbmcifnnlndla/index.html 1/1
10
Fig. 5. Taxonomy of Application Layer DDoS attacks exploiting System Features
does, it would take just half the amount of requests to exhaust the radar of the defenses imposed by the web application.
a server. And often times in a real server, the difference isn’t Asymmetric attacks on DNS servers are relatively rare but
a factor of two, it can be much bigger. The attackers greatly not unheard of. These attacks focus on open recursive DNS
benefit from sending high workload requests to the web server servers. DNS servers can function as recursive or iterative
because it can bring the server down with fewer resources. This servers. The two types of servers are identical except when
attack is termed as an asymmetric workload attack. However, they encounter a query to which they do not possess an IP
sending high workload requests continuously may raise the address resolution. An iterative DNS server will find out the
suspicion for the web administrator. This can lead to the address of the DNS server which might potentially have the
connection being closed or blacklisted. A workaround for this resolution and send this address over to the client. It is the
is to not use a single connection to deliver multiple high client’s responsibility to query the server and obtain the IP
workload requests. Instead, the high workload requests are address. A recursive server on the other hand takes the burden
distributed across multiple connections, each one delivering a of resolution onto itself and queries the next DNS server till
small number of requests. In the worst case, each connection it obtains a resolution. It responds with the final IP address
may deliver one single high workload request. This attack is resolution. An attacker might use this information to their
called a Repeated One Shot attack [48], and has a two-fold advantage and query the server with domain names that are
effect on the server. On one hand it makes the web server to hard to resolve. In the worst case, the attacker can query the
perform more computations and expend more resources. On server with non-existent domain names so the server will work
the other hand, it ties up socket connections which cannot be for a considerable amount of time with no results.
released until the server has processed the requests.
2) Reflected Attacks: For protocols working with an un-
Asymmetric attacks can also be executed in the same way derlying UDP connection, address spoofing is a viable option
using SOAP requests as well. The trick is to choose SOAP for attackers and opens up the possibility of a reflected attack
messages that will force the server to perform computation (Figure 6). In such an attack, a malicious user spoofs the IP
intensive tasks. There is another factor that comes into play for of the target server. Then it proceeds to request the service
SOAP messages and that is memory. SOAP or XML messages of either a DNS server or a SIP server pretending to be the
need to be buffered in memory before they can be processed. victim. The DNS or SIP servers process the request and send
Unusually large SOAP or XML messages can exhaust memory the response to the victim directly. If the attacker sends a
quickly. To avoid this, many servers will have a size restriction large number of requests to the DNS or SIP server, the victim
imposed on the XML packets that it receives. To overcome server is flooded with a stream of responses which can render
this restriction, attackers can send packets that just satisfy it unable to process normal client requests. This mode of attack
the packet size restriction over multiple connections. Since offers two advantages for attackers. One, the attackers do not
all of the packets need to be buffered it has the same effect need to send direct requests to the server which means that
as sending a single large packet but this technique flies under they cannot be identified easily. This mode of attack hides
11
04/09/2018 draw.io
Associated with this defensive tactic is the question of

Malicious
Application Layer
Requests which users should be served with the challenge-response
mechanism. The easiest solution is to deploy the challenge-
Target Server
response mechanism for all the users who want to access your
Attack Botnet
Direct Attack system. This is, however, a relatively inefficient solution. User
puzzles significantly reduce the user experience when visiting
Target Server a website. Users do not want to be burdened by having to
Spoofed Requests
solve a puzzle every time they visit a website. The next step
Reflected (possibly
amplified)
would be to deliver the puzzles to only a fraction of the users.
Responses
Attack Botnet
SENTRY [52] uses a moderator module which supplies a
DNS Server
challenge to a fraction of the requests it encounters. There are
Reflected Attack
provisions within the defense mechanism to sample requests
based on the associated workload. Additionally, the complexity
Fig. 6. Direct and Reflected Attacks
chrome-extension://pebppomjfocnoigkeepgbmcifnnlndla/index.html
of the challenge is also proportional to the workload of the
1/1
request. However, the users who will be supplied with the

puzzle are completely random. Another line of thought is that
the attackers from detection mechanisms. Second, a small, but it is better to serve a challenge only to users who appear
well chosen DNS request can generate a large response. This to be suspicious. This raises the additional question of how
means the attacker needs to expend less resources to flood the to determine suspicious users. Sivabalan & Radcliffe [53]
target server. The increase in response size compared to the proposed a way of detecting suspicious users based on the
request is different for different protocols and is called the pages viewed and their viewing times. As long as the server
amplification factor. Hence, reflected attacks are also called load remained within limits, no user is served with a puzzle
amplification attacks. DNS amplification attacks are the most in their solution. When the server load crosses a threshold,
prominent attacks in this category and present an extremely they served suspicious users with AYAHs. This presents a
difficult challenge. Reflected SIP attacks, even though techni- calibration mechanism for their signature generation because
cally possible, have not been reported in literature widely. if a user with a suspicious signature successfully solves the
AYAH, the user is vindicated along with the other users who
have a similar signature. On the other hand, repeated failures
IV. D EFENDING AGAINST DD O S ATTACKS AT THE
to solve the AYAH results in blocking of the users.
A PPLICATION L AYER
Similar defense mechanisms are used in web services as
The increased sophistication that goes into executing an well. Suriadi et al. [54] used a hash-based computation-bound
application layer DDoS attack makes it comparatively difficult puzzle, in which a client is required to find a partial preimage
to defend against these attacks. In general, there are two in a cryptographic hash function. They proposed a mechanism
approaches to defend against these attacks - blocking auto- to include the puzzle and solution inside the SOAP header.
mated requests using user puzzles, or to employ a detection They also used a nonce mechanism to ensure the client does
mechanism to identify and block malicious users. not replay the solution from some other sources. Karnwal et al.
[55] used a similar idea to detect HTTP DDoS attacks against
web services. Their work also focuses on other attacks like
A. Blocking DDoS Attacks using User Puzzles coercive parsing.
The primary cause of a denial of service attack is that While puzzle based mechanisms like CAPTCHAs and
attackers are able to send automated requests to the web AYAHs do work in preventing denial of service attacks, they
server. This is accomplished through the use of botnets or also reduce the user experience. Hence, most of the research
using simple DDoS tools or scripts freely available on the focus is on other approaches to solve the problem.
internet. So the most basic line of defense against any sort of
DDoS attack is to restrict automated requests from entering B. Detecting Application Layer DDoS Attacks
the system. A simple way to achieve this through the use Detecting application layer DDoS attacks presents a signif-
of user puzzles. A user puzzle is any challenge that can be icant challenge because of their low traffic volume and the
completed easily by a human user, but considerably difficult use of legitimate requests. Except in the case of SOAP based
to complete for an automated system. Simple examples of user attacks, it is almost impossible to detect an attack simply by
puzzles are CAPTCHAs(Completely Automated Public Turing examining an individual request. Rather, the complex inter-
test to tell Computers and Humans Apart) and AYAHs(Are relationships among a number of requests need to be modeled
You A Human). Although these puzzles can be broken by bots and studied to successfully identify an attack at the application
through the use of suitable image processing algorithms [49], layer. In general, attack detection can proceed in four different
[50], [51] , this simple line of defense against DDoS attacks ways:
still works very well. This is because a majority of the DDoS 1) Template matching of individual requests
attacks are simple attacks executed using available tools and 2) By tracking requests
do not possess the computing power required to crack these 3) By analyzing the request stream dynamics
challenges. 4) By analyzing the request stream semantics
12
1) Template Matching: SOAP based DDoS attacks often idea and execution of the two attacks are similar - the target
aim at misusing the flexibility provided by the different changes from SQL databases to XML documents or databases.
security specifications. A common defense mechanism against Again, the detection mechanisms are similar to that of SQL
these attacks is to specify stringent requirements that the in- injection and a significant amount of work has already gone
coming requests should obey, such as proper level of nesting or into the area [61], [62].
use of external entities. This is called schema hardening [26]. Vulnerable algorithms pose another threat to web applica-
Schema hardening has to be followed by proper verification tions and attacks like HashDoS and coercive parsing attacks
of the schema requirements in the incoming packets. In other which exploit weaknesses in hashing and parsing algorithms
words, by matching each incoming request against a template, provide ample proof for that. However, despite being a legit-
SOAP or XML based DDoS attacks can be averted to a large imate threat, these attacks can be mitigated quite efficiently
extent. by taking necessary precautions. For example, the HashDoS
2) Request Tracking: Request tracking goes one step ahead attack was ineffective on hash tables implemented using Perl
of inspecting individual requests and matching them to a set because Perl used a randomized hashing algorithm which con-
template. Request tracking refers to schemes which monitor siderably reduced the chance of collisions. Similarly coercive
how many requests (or responses) have been received (or sent parsing attacks can be eliminated completely by using a DOM
out) and possibly identifying correlations between them. Such (Document Object Model) based parsing algorithm.
mechanisms have been employed considerably in the detection A web application is made up of a large number of
of slow DDoS attacks, and attacks that rely on an underlying components like the web server, load balancer, or proxies.
UDP connection. Any of these components could have vulnerabilities that
3) Analyzing Request Stream Dynamics: Request dynamics lead to a denial of service attack. An earlier version of the
analyzes a request stream "by the numbers". Such an analysis Apache server was vulnerable to a Range Header attack. When
is concerned more about statistics rather than about finding presented with a large overlapping range of range values in
meaning in the stream of requests. This refers to the features the header, the system CPU utilization peaked and even led
like number and type of requests, request rate, source IP to the system crashing. However, system vulnerabilities are
distribution etc. This layer of observation focuses on the low considerably rare because of an open and active development
level details of a request stream and does not focus on how a community and constant update of software components. The
user views and accesses a web application. These mechanisms recent versions of Apache are not vulnerable to this attack as
find extensive use in detecting HTTP flooding attacks. a result of proper patches being deployed.
4) Analyzing Request Stream Sematics: These detection Attacks which exploit system vulnerabilities have already
mechanisms try to encapsulate features which represent how received considerable attention while addressing areas in com-
a user accesses the web application. A normal user does not puter security other than DDoS attacks. The inclusion of
consciously know about or manipulate his request rate or this class of attacks in the taxonomy of application layer
his session rate. These users are only concerned about the DDoS attacks is for the sake of completeness because these
different resources or web pages that they need to access vulnerabilities, though not strictly under the purview of DDoS
and the order in which they need to access them. This layer, attacks, can still be used to launched DDoS attacks. Instead
therefore, analyzes the different pages the users have requested of delving deep into these vulnerabilities, we choose to focus
and the sequence in which users request web pages. In other more on the other two classes of vulnerabilities - those
words, these detection mechanisms attempt to find an under- exploiting protocol features and system features - because they
lying meaning behind the incoming request stream. Detection have received considerably less attention and they form the
mechanisms that focus on semantics are used extensively in bulk of application layer DDoS attacks.
detecting HTTP flooding attacks, as well as HTTP asymmetric
attacks. VI. D EFENDING AGAINST HTTP P ROTOCOL
V ULNERABILITIES
V. D EFENDING AGAINST DD O S ATTACKS EXPLOITING Slow DDoS attacks are the major class of attacks that
S YSTEM V ULNERABILITIES exploit the HTTP protocol. Cambiaso et al. [35] created a
detailed taxonomy of slow DDoS attacks. Their classification
Denial of service attacks can be launched exploiting a mul- however, clubs asymmetric attacks and attacks like HashDoS
titude of vulnerabilities in web applications. A large number of attacks into the category of slow DDoS. The rationale behind
these vulnerabilities are caused by programmer negligence and that classification was that the request rate in these attacks are
lead to opportunities for attacks like SQL or XML injection. much less than that in normal flooding.
SQL injection attempts to inject malicious queries into the
database system of the web application. In the context of
DDoS attacks, the attacks aim to put the database in an erratic A. Preventing Slow DDoS Attacks
state which prevents the system from executing. There are a There are comparatively fewer research works done on
large number of mechanisms available to defend against SQL detecting and defending against slow DDoS attacks. However,
injection, and considerable amount of research work has gone these attacks can be mitigated by following some preventive
into this area as well [56], [57], [58], [59], [60]. Closely related mechanisms such as lowering the timeout value of the server,
to SQL injection is the vulnerability of XML injection. The installing suitable Apache security modules, setting up proper
13
TABLE III
D ETECTION M ECHANISMS FOR S LOW DD O S ATTACKS
Type of Research Features Used Detection Mechanism Strengths Limitations

Attack Work
Addressed
Slow DDoS Shtern et al. Workload, CPU, utiliza- Comparing with baseline Provides an illusion Only works on an
attacks [63] tion, CPU time, disk uti- metrics that the attack is SDI
lization, disk time, waiting working for attackers
time, and throughput
Slow DDoS Mongelli et Request signal, mutual in- Fourier Analysis Detects even slow Time complexity per
attacks al. [64] formation read attacks observation horizon
tends to be more than
the duration of the
horizon
Slowloris Tripathi et Probability of complete Hellinger distance of Low complexity Able to detect only
and Slow al. [65] and incomplete GET and probability distributions slow GET and POST
POST POST requests attacks
Slowloris, Dantas et al. Number of packets re- Adaptive Selective Verifi- Low complexity The mechanism
HTTP [39] ceived per request for each cation chooses a connection
PRAGMA connection to drop at random, so
and HTTP there is a chance a
POST legitimate connection
attacks could be dropped
HTTP flood- Katkar et al. Duration, server error rate, Naive Bayes Low complexity Does not work for
ing and Slow [66] request rate etc. complex cases
DDoS
HTTP flood- Oshima et al. Request rate Short term Entropy Low complexity Based solely on re-
ing and Slow [67] quest rate
DDoS
IPTables or IDS rules [68]. Parks et al. [69] conducted sim- to a "shark tank" where they would be analyzed further.
ulations that validate the effectiveness of slow DDoS attacks. However, their approach works only if the infrastructure is
They observed that the timeout feature in the web application software defined and cannot be used in other cases. The work
is effective in reducing the magnitude of the attack but cannot of Giralte et al. [70] is one of the few works that seem to be
stop the attack from happening. able to detect both HTTP attacks (symmetric and asymmetric)
along with Slowloris attacks. Mongelli et al. [64] performed
B. Detecting Slow DDoS Attacks Fourier transform analysis on the incoming packet stream
Slow DDoS attacks are usually detected by employing a to identify slow DDoS attacks. Katkar et al. [66] was able
request tracking mechanism to keep track of the incomplete to identify slow read and post attacks using a Naive Bayes
requests in the system at any point in time. Some works have classifier. Oshima et al. [67] proposed a method of using
also used an analysis of request rate (request dynamics) to request entropy to identify slow DDoS attacks.
identify malicious attackers. Multiple verb HTTP attacks are not featured prominently in
1) Detection Mechanisms which employ Request Tracking: literature because the attack is not well documented. However,
Tripathi et al. [65] proposed that each connection be asso- it seems plausible that deep packet inspection can evade these
ciated with a vector denoting the percentage of complete or attacks.
incomplete GET and POST requests. At any instant of time, if Slow DDoS attacks are stealthy DDoS attacks that can take
the percentages go beyond a learned threshold, the connection down a server with minimal resources. However, defending
is detected as suspicious. They proposed the use of Hellinger against these attacks poses a familiar double edged sword. Re-
distance to perform the distance calculation. Dantas et al. [39] ducing timeout values and limiting the number of connections
proposed maintaining a record of the number of bytes received continue being the basic line of defense against slow DDoS
for each request in each connection on the server. In this case, attacks, but these measures can lead to legitimate users with
if the server runs out of connections, it can randomly choose low bandwidths being forced to relinquishing their connections
to either drop the incoming connection or to drop an existing prematurely. Learning general user behavior continues to be
connection taking into consideration the number of received the best defensive option but even with this option, false
and sent bytes. Their approach defends against slow GET, positives continue to come up. A summary of the detection
POST and PRAGMA attacks. mechanisms employed against slow DDoS attacks is featured
2) Detection Mechanisms which Analyze the Request Rate: in Table III.
Shtern et al. [63] proposed a defense mechanism against slow
DDoS attacks based on Software Defined Infrastructure(SDI). VII. D EFENDING AGAINST XML BASED ATTACKS
SDI is a setup where the network infrastructure is virtualized DDoS attacks against web services pose a serious threat to
and the connections and routing tables can be modified on the financial sector because a number of payment gateways
the fly using software controls. This provides a great deal of operate using web services. SOAP and JSON are two of the
flexibility. Their approach was to direct suspicious connections data interchange formats used in web services, with SOAP
14
TABLE IV
D ETECTION M ECHANISMS FOR XML DD O S ATTACKS
Research Features Used Detection Mechanism Strengths Limitations

Work
Vissers et al. Gaussian models, defined Statistical thresholds Deals with a large num- Was not tested on a rep-
[71] by means and standard ber of XML based at- resented dataset
deviations of several tacks
features, such as content-
length, number of
elements, nesting depth,
longest element, attribute
and namespace
Chonka et al. XML features like size, Neural network, along with a Doesn’t just identify the Developed to work for
[72] rate, nesting traceback mechanism to iden- attack, but can recon- both HTTP and XML
tify the source struct the path to the at- DoS but shows large
tacker as well variability when oper-
ated using a common set
of features
Padmanab- Inspection of header and Patricia Trie representation Detects a wide variety of Requires packet inspec-
huni et al. body contents XML DoS attacks tion which is expensive
[73]
Ficco & Rak Level of nesting in SOAP Statistical distributions Efficient and fast Works only for deeply
[74] messages nested DoS attacks
being the most common and JSON slowly emerging as the B. Detecting XML Denial of Service Attacks
standard. Hence, a lot of the research work on web services
has focused on SOAP. However, majority of these research Vissers et al. [71] proposed a defense mechanism which
works focus on how these attacks can be prevented. incorporates a lot of the suggestions given by Jensen. They
developed a mechanism to defend against HTTP and XML
denial of service attacks. These two attacks can go hand-
A. Preventing XML Denial of Service Attacks in-hand in the case of web services because HTTP is often
Jensen et al. [26] presented a detailed description of all pos- used as the delivery mechanism for SOAP or XML messages.
sible attacks on web services, not just denial of service attacks. Their approach learns a normal user profile, represented by
They also propose a number of countermeasures for preventing Gaussian models, of several features, such as content length,
these attacks. Most important and the most basic among these number of elements, nesting depth, longest element, attribute
is schema hardening and proper schema validation. Every web and namespace. There is a two stage filtering process in this
service has a particular schema which describes the structure system. In the first stage, the HTTP filter is examined and any
of an incoming message. This is usually described in the abnormalities in content length are ruled out. If the message
WSDL (Web Service Description Language). A lot of the time, passes the first stage of processing, the second stage actually
validation of the incoming message is not performed against parses the messages and cross-verifies the information with
this schema due to performance reasons. However, performing that present in the HTTP header. Parsing is carried out using
such a validation can reduce the incidence of attacks to a large an SAX parser which eliminates the vulnerabilities related to
extent. The second part of the solution is schema hardening. memory and CPU. Padmanabhuni et al. [73] proposed a solu-
Schema hardening involves imposing restrictions (on input tion involving header and body inspection to detect XML DoS
size, level of nesting etc.) on the input fields. Additionally this attacks, but suggested using a more compact representation of
could include removing private functions from the WSDL. the schema for faster processing. They selected the Patricia
Attacks which rely on oversized security headers or crypto- Trie representation for this purpose.
graphic functions rely on the fact that there is virtually no limit Ficco & Rak [74] analyzed the level of nested XML tags in
to the number of levels of nesting that can be performed on normal SOAP messages, and created a statistical distribution
the encryption keys or the size of the security header. This can of the same. If the incoming messages do not abide by the
be overcome by including a strict WS-SecurityPolicy which distribution, they are classified as suspicious. If these messages
restricts the size of the security header and the nesting of are accompanied by an anomalous CPU usage profile as well,
encryption. the request is blocked and the system is restored to its usual
The major issue with XML and SOAP messages is that state.
even if the system preprocesses them before execution, they Chonka et al. [72] used a backpropogation neural network
still need to be parsed and stored beforehand. The use of a on on XML features to identify XML DDoS attacks. They
tree like representation used in DOM parsers necessitates that also introduced a CTB (Cloud Trace Back) mechanism which
the entire XML message be present in memory for processing. marks the requests reaching the cloud server. This is carried
This is basically the root of all attacks in XML. A solution for out using a reverse proxy server. This marking enables the
this is to use an event driven processing model using an SAX cloud server to trace back the connections and block them in
parser. This enables the system to identify an invalid message case of an attack.
and abort processing immediately. XML and SOAP form the backbone of web services which
15
power financial services and payment gateways. A DDoS on statistical features to identify attacks. In another work,
attack targeting these systems could cause a large part of the [78], the same authors applied deep learning on these same
economy to freeze. XML flooding attacks are not represented statistical features. The authors employed a stacked auto-
in literature but the techniques used to detect HTTP flooding encoder to extract latent features from the basic statistical
could very well be extended to XML as well. What is of features and used logistic regression on these features. Johnson
considerable importance is how XML and SOAP features et al. [79], [80] used a multilayer perceptron (MLP) with the
can be exploited to launch DDoS attacks. Apart from packet weights trained by a genetic algorithm. In [79] the training
inspection, there are not many defense mechanisms available features were HTTP GET count, entropy and variance, while
for these attacks. To a large extent these attacks can be in [80] the features used were number of HTTP count, number
prevented by employing proper schema validation and schema of the IP addresses, constant mapping function and fixed
checking. Table IV gives a summary of detection mechanisms frame length. Chwalinski et. al. [81], [82] used the number
for XML DDoS attacks. of requests per resource for each user as the deciding feature
and performed K-means clustering to group users into different
VIII. D EFENDING AGAINST HTTP F LOODING ATTACKS clusters. They applied likelihood analysis and Bayes factors to
HTTP flooding attacks are similar to network layer flooding determine if an incoming connection can be attributed to an
attacks in the sense that they rely on a large stream of requests existing cluster or not. A connection that cannot be attributed
to exhaust the server resources. However the most obvious to any cluster is deemed as malicious. Oo et al. [83] extracted
difference is that they rely on HTTP requests instead of features like number of packets, number of bytes, average
network packets. Even though application layer floods proceed packet size, packet rate, byte rate, time-interval variance and
through the use of legitimate user requests, the overall nature packet-size variance from connections. If all of these features
of a malicious request stream still differs from a legitimate fall within limits then the connection is most likely benign and
flow. Detecting application layer floods essentially aims to is accepted. If all of these values fall outside acceptable limits,
identify these differences. This is usually done by analyzing the connection is most probably malicious and is blocked.
request dynamics, request semantics or both. The various In other cases, where some of these features fall within the
research works in the area differ according to the statistical specified range and others do not, they employed an HsMM
features used, and the machine learning technique employed. (Hidden semi Markov Model) to efficiently model and classify
the connection. Lee et al. [84] used Principal Component
Analysis (PCA) to reduce the feature dimension and then
A. Detection Mechanisms based on Request Dynamics performed clustering.
Since a spike in request rate is one of the biggest tell- Entropy is a much used measure to determine whether a
tale signs of a DDoS attack, one line of research focuses stream of requests is malicious or not. A normal user sends
on predicting the expected request rate at each instant and requests which are varying in size, speed and intent. A stream
scrutinizing the incoming request stream using this knowledge. of attack requests on the other hand will be more uniform
However, request rate alone is often not a good indicator of an and have similar requests repeated at regular intervals. As a
attack, because sophisticated attacks can maintain the illusion result, an attack stream will have lower entropy than normal
of a normal request rate while launching attacks. In such cases, user requests. Devi & Yogesh [85] used this information along
statistics like request entropy can be used. with trust values of users to detect attacks. Zhou et al. [86] also
1) Traffic Estimation: Wen et al. [75] uses traffic estimation used model entropy but their work was meant for identifying
as the basis for detecting attacks. Their system estimates the attack streams in backbone web traffic. Zhao et al. [87] used
expected traffic from historical data using a Kalman filter. two measures - Entropy of URL per IP (EUPI) and Entropy
If a significant deviation is witnessed from the expected of IP per URL (EIPU) for identifying flooding attacks. During
traffic value, this indicates either an attack or a flash crowd. a random flooding attack or a fixed URL flooding attack,
The source IP distribution provides additional evidence to EUPI would increase, thus indicating an attack. EIPU helped
determine if the flood is actually an attack or not. Ni et in distinguishing attacks and flash crowds.
al. [76] used an Adaptive Auto Regressive (AAR) Model
to model network traffic. The estimated value is smoothed
with a Kalman filter. They introduced a feature called HRPI B. Detection Mechanisms based on Request Semantics
(HTTP Requests Per IP) as the classification variable. The Request semantics can be further refined to consist of two
classification is performed using a Support Vector Machine classes. Mechanisms that rely on the composition of requests
(SVM). in a request stream, without any consideration to the sequence
2) Request Statistics: There are a large number of statistical are much easier to use because of the reduction in data
features that have been used in detecting HTTP floods apart that needs to be analyzed. Mechanisms that rely on request
from just the request rate. Some of these features include sequence on the other hand tend to be more complex but on
the request timestamp, IP address, header fields, user agents, the whole tend to be more accurate because they can model
number of 200 OK responses, number of error responses normal human behaviour much more accurately.
and so on. Most research works use a combination of these 1) Request Composition: Devi & Yogesh [89] constructed
features for detecting attacks. Yadav & Selvakumar [77] used an access matrix using features like HTTP request rate, HTTP
Principal Component Analysis (PCA) and logistic regression session rate, server documents that are accessed and duration
16
TABLE V
D ETECTION A PPROACHES FOR HTTP F LOODING ATTACKS
Research Features Used Detection Approach Strengths Limitations

Work
Traffic Estimation
Wen et al. Request rate, dispersion of IP addresses (Kalman filter followed Low complexity, works Uses only traffic rate as a
[75] by mess extent) for flash crowds measure
Traffic Estimation
Ni et al. HTTP requests per source IP per time(HRPI) (Kalman filter followed Works for flash crowds Works assuming traffic
[76] by SVM) follows a regular pattern
Chwalinski Number of requests per resource for a user Clustering followed by Addresses attack behavior Does not work for short
et al. [81] Bayes classification imitating human behavior attacking sequences
Chwalinksi Number of requests per resource for a user Clustering followed by Addresses attack behavior Does not work for short
et al. [82] Likelihood analysis imitating human behavior attacking sequences
Ye et al. IP, reply size, reply code, session details, reply Clustering Addresses random flood- Only tested for random
[88] size, object popularity, transition probability, ing attack GET flooding
request rate
Lee et al. Number of user requests, average number of Clustering Better detection rate than Only tested for flooding
[84] requests, user interest value, proportion of HsMM for request flood- attacks, higher false posi-
pages requested, intensity of most frequently ing attacks tive rate
visited page, followed by PCA
Devi & Yo- HTTP request rate, HTTP session rate, server Access matrix, reduced by Works for flash crowds Request sequence is ig-
gesh [89] documents that are accessed and duration of SVD and ICA, compared nored while constructing
user’s access with incoming request fea- the access matrix
tures
Devi & Yo- Request Rate Entropy of Request Rate Low complexity Not a suitable candidate
gesh [85] for detecting sophisticated
attacks
Beitollahi Request and download rate, uptime, downtime, Assign scores based on de- Low computational com- Attackers can change the
& browsing behaviour-pages, access rate, popu- viation from learned value plexity page popularity by meek
Deconinck larity, hyperlink fraction click, depth- source attacks in which case they
[90] IP distribution, arrival distribution report a false negative of
over 6%
Zhou et al. Average frequency of resources Statistical models, followed Worked for flash crowds Not a client side system,
[86] by request IP entropy instead designed for back-
bone web traffic
Yadav 17 features PCA followed by logistic Low computational com- Needs normal and attack
& Sel- regression plexity dataset
vakumar
[77]
Yadav 17 features, then used a stacked auto-encoder Logistic Regression Offloads the decision of Needs normal and attack
& Sel- for deep learning of features which feature to use from dataset
vakumar the user
[78]
Ndibwile Java Script to eliminate bots, request rate, Decision trees Gives attackers an illusion Needs two additional
et al. [91] interval the attack is working servers
Oikonomou Number of sessions, average pause between Decision trees for request Detects flash crowds Using average path prob-
& sessions, average number of requests per ses- dynamics, average path ability disguises some at-
Mirkovic sion, and average request inter-arrival rate per probability for semantics tackers
[92] session, probability graph, decoys
Johnson HTTP GET count, entropy and variance Perceptron, with Genetic Provides a high detection Takes a long time to con-
Singh et Algorithm to adjust weights rate and low false positive verge to a reasonable fit-
al. [79] rate for flooding attacks ness value for the weights
Singh & HTTP count, number of the IP addresses, Perceptron, with Genetic Provides a high detection Takes a long time to con-
De [80] constant mapping function Algorithm to adjust weights rate and low false positive verge to a reasonable fit-
rate for flooding attacks ness value for the weights
Oo et al. Number of packets and bytes, packet size, Statistical range, followed Does not use HsMM for Not suitable for sophisti-
[83] Packet rate, byte rate, Time-interval and by HsMM simple detection cases cated attacks
Packet-size variance
Zhao et al. Entropy of URL per IP (EUPI) and Entropy of Statistical models and en- Works well in distinguish- Does not work for attacks
[87] IP per URL (EIPU) tropy threshold ing flash crowds leveraging attack work-
load
Beckett et Number of databases opened and closed, num- Decision Tree Novel approach to miti- Does not take into account
al. [93] ber of database queries, and commits, total and gate DDoS attacks target- database query workload
average query time,average number of queries ting back-end systems
per database open
17
of user’s access. Singular Value Decomposition (SVD) is network flooding volume, the high volume HTTP floods can
applied followed by Independent Component Analysis(ICA) clog the firewalls, thus creating a new bottleneck.
for dimensionality reduction. The incoming connection is
assigned a suspicion score based on how much deviation IX. D EFENDING AGAINST A SYMMETRIC HTTP ATTACKS
it exhibits from the output of the ICA module. Instead of Compared to HTTP flooding attacks, asymmetric attacks are
blocking the connection if it does not match the learned much harder to detect. This is because of the fact that HTTP
model, this approach schedules the request accordingly. A floods are marked by a sharp change in many features which
request which matches with the learned model will have a can lead to its identification. Asymmetric attacks on the other
low suspicion score and consequently will be scheduled for hand can be executed without raising too many red flags and
execution faster. A request with a high suspicion score will be hence evades detection to a large extent. However, there are
scheduled much later. Beitollahi & Deconinck [90] follows a certain warning signs that can signal an asymmetric attack in
similar approach. The system constructs the CDF (Cumulative process. Every web application has a set of normal users who
Distribution Function) for each of the observed features in the browse the web application in a certain way. This means that
normal user sessions. For an incoming connection, it assigns regular users often follow certain paths in the website more
a suspicion score for each feature based on how likely it is often than others. In other words, certain request sequences
to have the observed value according to the CDF. The final are more likely than others. Apart from that, normal users
suspicion score is the sum of the individual suspicion scores take time to browse the web application. Between every pair
for all the features. of requests issued, there is an associated time gap, often called
Beckett et al. [93] presented a novel approach to detect "think time" because this is when the user processes the web
DDoS attacks targetting database systems by observing fea- response and decides what to do next. These two features are
tures like the number of databases opened or closed, total and often not followed in the case of a request sequence submitted
average query time etc. They used a decision tree classifier to by a bot. This forms the basis of identifying an asymmetric
identify malicious users based on these features. attack.
2) Request Sequence: Ye et al. [88] uses average transition In other words, request dynamics are unlikely to be of any
probability and page popularity as features for clustering. use in detecting asymmetric attacks. All existing detection
They used Euclidean distance and Ward’s linkage to match mechanisms use request semantics in some form. A summary
an incoming connection into a cluster. Ndibwile et al. [91] of the same can be found in Table VI.
proposed the use of three servers - a bait server, a decoy
server and a real server - for the detection of attacks. They A. Detection Mechanisms based on Request Composition
proposed that all traffic be directed to the bait server initially.
From there, proven benign traffic is directed to the real server Ranjan et al. [48] was one of the earliest works to take
while suspicious traffic is routed to the decoy server. At into account the workload profile of a user into account for
the decoy server, traffic is authenticated using decision trees detecting DDoS attacks. The idea was that normal users are
trained using known attack generation tools. Oikonomou & not likely to send high workload requests continuously to
Mirkovic [92] used dynamics, semantics and decoys to weed the server. Their request profiles would contain interleaved
out attackers. Dynamics refers to features like number of low, medium and high workload requests, while the request
sessions, average pause between sessions, average number of sequence of an attacker would have a stream of high and
requests per session, and average request inter arrival rate per medium workload requests. They analyzed session and request
session. Decision trees were used for classifying the incoming inter arrival distribution, along with client workload profile to
connections. Semantics is modeled by creating a probability assign suspicion scores to users. Based on the deviation of
graph of the website. The probability of a path is defined as each feature from the legitimate user profile, they assigned
the average of the probabilities of all the edges in the path. suspicion scores to individual users. The connections were
Finally, they used decoys which are invisible links or images scheduled according to the suspicion scores.
embedded in the web page. These links are invisible to normal
users and hence do not show up in the traces for normal users. B. Detection Mechanisms based on Request Sequence
However, the links are still parsed by bots and can be used to Most of the existing works use attack-free user traces to
identify them. learn how a user accesses the website. Based on this learned
Table V gives an overview of the different research works, model, they calculate the normality of the observed request
the features and detection mechanisms used, along with ad- sequence, which denotes the probability that the incoming user
vantages and disadvantages where applicable. sequence was generated by a legitimate user.
HTTP flooding attacks are the most common application Xu et al. [94] modeled the user behavior in a web applica-
layer DDoS attacks. It is often possible to identify a flooding tion as a probabilistic graph. For each incoming connection,
attack by observing the characteristics of the request stream. they observed the stream of requests and predict the future
This is the reason most of the application layer firewalls can request sequence. The similarity between the predicted and
provide a great level of defense against HTTP floods. However, observed stream of future requests is used to identify malicious
systems are far from immune to flooding attacks. Even at the users. Giralte et al. [70] presented a three stage detection
application layer, attack volume is on the rise for flooding mechanism which utilizes statistical features, request sequence
attacks. Though still many orders of magnitude less than the and request sequence similarity for detecting attacks.
18
TABLE VI
D ETECTION M ECHANISMS FOR A SYMMETRIC HTTP ATTACKS
Research Features Used Detection Strengths Limitations

Work Mechanism
Xie & Yu Request sequence and probability, HsMM (number of Allows for online up- High complexity of
[95] objects requested from server inline requests is date M-Algorithm, does
taken as duration) not consider dwell
time of users as
duration
Xie & Yu Page popularity at different times, HsMM Allows for online up- High complexity of
[96] modeled as a stochastic process, date detection algorithm
PCA and ICA for dimensionality
reduction
Xu et al. [94] Page request sequence Random Walk Low computational Unable to model
Graph(Predict the complexity complex user
next sequence behaviour
of requests and
matches them
with the observed
requests using Jacobi
coefficients)
Wang et al. Click ratio(page popularity) both Large Deviation The- Outperformed Click ratio masks re-
[97] for website and individual users, orem detection techniques quest sequence, and
also transition probability matrix that employ transition hence cannot be used
for users and the website probabilities to detect sophisticated
attacks
Huang et al. Page popularity at different times, HsMM Able to identify at- Higher complexity
[98] modeled as a stochastic process, tacks occurring along due to the use of
clustering to reduce dimension with a flash crowd HsMM
Giralte et al. Number of GET requests, mean statistics and graphs Detects multiple cate- Does not consider
[70] and standard deviation of GET re- gories of attacks, easy cases where the
quests, mean and standard devia- to integrate attackers may cycle
tion of flows per user, mean and randomly among high
standard deviation of POST re- workload states
quests, flows per minute per user,
request per minute per user, request
timing in the cache
Emami-Taba Request rate, workload Game Automatic update of Only tested for simple
et al. [99] Theory(Minmax- payoff tables as the cases of these attacks
Q algorithm) attacker changes strat-
egy
Ranjan et al. Request and session inter-arrival Statistical Low computational Considers the
[48] rate, workload profile similarity distributions and complexity, histogram of
probability, KL comprehensive workload profile,
divergence, suspicion so request sequence
score, scheduling is not considered
The defense and offense involved in defending against reduce the dimensions of the data.
DDoS attacks is strikingly similar to a game between the
attacker and the web administrator. Emami-Taba et al. [99] C. Detection Mechanisms by Observing a Change in Page
used Game Theory to develop a set of payoff tables to model Popularity
the attack scenario and used the min-max algorithm to identify
There is another approach to detect an application layer at-
attackers.
tack which relies not on observing the request stream directly,
Xie & Yu [95] were the first to use an HsMM for the but rather observing the effect of the request stream. Every
purpose of detecting denial of service attacks at the application website has a set of "hot" pages, i. e. pages which are visited
layer. Their work constructed the HsMM from system traces more often than others. Generalizing this observation, every
and approximated the think time associated with a page as the page in a website has a probability with which a user accesses
number of inline requests the page makes. This can be seen it, which denotes how popular the page is. An attack, which
as an approximation of page loading time. They constructed does not follow normal user patterns, tends to disrupt this
a normal distribution of the likelihoods of the observed page popularity in haphazard ways. This provides an indirect
sequences which is called Original Likelihood Distribution indication of attack.
(OLD). The amount of deviation from the OLD is taken to Wang et al. [97] assumes each user accessing the website
be the abnormality of an observed request sequence made by has an a priori click ratio which denoted the popularity of
a user. A similar approach was also taken by Meng et al. [100]. the web pages. The idea is that when a web application is
Huang et al. [98] also modeled page popularity of a website under attack, the click ratio deviates from the a priori one,
using an HsMM. They clustered the available data sets into and this is used as the means of identification. This work uses
clusters before using the features to construct an HsMM to large deviation theory to identify how probable a deviation
19
from the a priori click ratio is. They also modeled the click provided an enhanced privacy and security. While this attack
ratio by means of an HsMM and employed Large Deviation does make it harder to execute an attack on a DNS server,
theory to measure the probability of deviation. Another work it still leaves the door open for connection oriented attacks,
by Xie and Yu [96] constructed an HsMM modeling the similar to HTTP attacks.
document popularity of a web site. However, they observed
that algorithms for building and operating HsMM become B. Detecting Attacks on DNS Servers
considerably complex when using high dimensional data.
The major issue in detecting an attack on a DNS server is
Hence to reduce the dimensionality of the input data they
determining if the incoming request is legitimate or not. Guo et
used traditional dimensionality reduction algorithms of PCA
al. [107] suggested incorporating cookies into DNS messages
and ICA (Independent Component Analysis).
as a way of identifying if the incoming request is spoofed or
HsMM proves to be extremely efficient in detecting asym-
not. Rastegari et al. [108] developed a detection mechanism for
metric as well as flooding attacks, but they do have some
attacks on a DNS server using neural networks. Their approach
drawbacks. The detection principle involves calculating the
trains neural networks using features like throughput, average
probability of the observed sequence at each instant of time.
packet size and packet loss to identify attacks.
This algorithm however, is complex and thus the overall
system load will be more. In some cases, simple statistical
calculations prove more efficient than using an HsMM. XI. D EFENDING AGAINST SIP ATTACKS
Asymmetric HTTP DDoS attacks are extremely severe be- Considerable work has gone into studying and defending
cause of their similarity to normal human behaviour. Defenses against SIP flooding attacks. Some of these approaches sug-
relying on request rate and request statistics will fail to gested subtle changes in the message structure of SIP while
detect these attacks, and by extension they make existing others attempt to detect attacks against SIP end users and
web application firewalls obsolete. Identifying these attacks proxy servers.
is a complex procedure which involves learning normal user
behaviour and weeding out connections that show unnatural A. Preventing SIP DDoS Attacks
behaviour. However, most of the techniques used for detecting
Hussain & Nait-Abdesselam [118] suggested including a
these attacks rely on an HsMM. While being highly effective,
field called Critical Number(CN) in the REGISTER message.
an HsMM has a large computation cost associated with it,
Every user agent must register with the registrar server before
which makes it a questionable choice for run time detection. It
they can receive a call and the CN essentially denotes the
may also happen that the defense system becomes a bottleneck
maximum number of simultaneous calls they can receive.
that attackers can exploit.
The proxy server will forward a call to a callee only if the
X. D EFENDING AGAINST DNS ATTACKS callee is capable of handling the call. This approach however
works only by protecting the callee. The proxy server or
Denial of Service attacks on DNS servers are the most
registrar server are still wide open to attacks. Defending the
difficult to detect and are the most devastating. The reason they
proxy server however comes with issues of its own. Chen
are so difficult to detect is that DNS relies on UDP messages
[109] proposed a finite state machine to keep track of the
which means that there is no concept of a connection. This
SIP state and ensure it doesn’t go into an unidentified state.
essentially eliminates the possibility of pin-pointing malicious
However, this mechanism has to be deployed before every
users and blocking them. The best that can be done is that
proxy server which is not cost effective. An ideal solution
the DNS server identify malicious messages and not waste
would be deployed at the client side which will be much more
any processing power in serving those requests. A summary
cost efficient.
of the detection techniques can be found in Table VII.
A. Mitigation Approaches B. Detecting SIP DDoS Attacks

Some research has gone into suggesting changes in how There are multiple strategies that have been adopted to
the DNS servers maintain records which could potentially identify attacks on the client side. A basic defense can employ
help in mitigating attacks on DNS servers. Pappas et al. request tracking and correlation of the SIP messages. Other
[104] suggested that DNS caches be modified to cache the works have also relied on analyzing the request rate (request
infrastructure records for longer periods of time. This can dynamics) and modelling the SIP connection as a whole
help mitigate the effect of denial of service attacks on a DNS (request semantics).
server because the caching servers can still function in such 1) Correlating SIP Messages: One consideration is that
a situation. Ballani & Francis [105] went one step further to during an attack free execution, there is always a strict
suggest that DNS servers cache even stale data which can be of correlation between the SIP INVITE messages, the response
some use in case of a DNS outage. These solutions, though, messages and the acknowledgments. In an ideal case of
do not prevent attacks on DNS servers, and are difficult to course, for each INVITE message there will be exactly one
successfully implement. response and one ACK. However, due to network delays and
Zhu et al. [106] suggested negotiating a connection using retransmissions this is not always the case. Geneiatakis et
TLS (Transport Layer Security) protocol for DNS commu- al. [110] proposed the use of bloom filters to check whether
nication as well. They called this extension T-DNS, which the number of INVITE requests, responses and ACKs were
20
TABLE VII
D ETECTION M ECHANISMS FOR DNS DD O S ATTACKS

Work
Sun et al. DNS requests and re- Correlation between requests Deployable at leaf Possibility of false nega-
[101] sponses and responses maintained us- routers tives due to network er-
ing a bloom filter rors and retransmissions
Khan et al. DNS requests and re- Chaos Theory Lightweight, does not Accuracy of only 66%
[102] sponses need to be trained offline
Kam- DNS request and response Request and response match- Easy to implement Not very scalable
bourakis matching ing
et al. [103]
TABLE VIII
D ETECTION M ECHANISMS FOR SIP F LOODING ATTACKS

Work
Chen [109] SIP transaction model FSM, there is an upper bound Does not require modi- Cannot detect
on how many times a user can fication of existing SIP malformed and spoofed
go to an invalid state in the software messages, is not that
FSM effective in the case of
flooding, but works well
for error messages
Geneiatakis Request rate and type Matches invite and ACK mes- Negligible detection Possibility of false neg-
et al. [110] sages, raises an alarm if there time atives
is an anomaly
Sengar et al. Number of SIP messages Hellinger distance Fast Fails for low rate attacks
[111] of each time in unit time
Tang & Request rate Multi Resolution Analysis us- Works for stealthy SIP Depends only on request
Cheng [112] ing DWT floods rate
Allawi et al. Request rate, percentage Comparing with thresholds Simple Unlikely to work for all
[113] of served requests per sec- types of attacks
ond, mean value of server
request/response delays
Tang et al. Rate and timing of IN- Hellinger distance between Detects attacks spanning Fails to detect stealthy
[114] VITE, OK, ACK, BYE sketch data multiple attributes attacks
Golait & SIP message timings and PCDTA Detects all kinds of at- Requires a separate
Hubballi rate tacks on SIP model for each
[115] connection so memory
requirement is linear
Kumar & Hash Computation Effi- Statistical analysis to deter- Works for low rate at- Considers only the
Thilagam ciency (HCE), Successful mine attitude of the server tacks REGISTER request
[116] URI Binding Efficiency
(SUBE) and Registration
Drop Efficiency (RDE)
Semerci et SIP message count and se- Statistical distance measure Works on the fly and Susceptible to slowly
al.[117] quence (Mahalanobis distance) to does not require any pre- rising attack volume
identify deviation from vious data for building a
normal state model
within the specified limits. Here they allowed the number of indicates an attack.
responses and ACKs to be double the number of INVITE
requests to account for network losses. Sengar et al. [111] 2) SIP Request Rate: Tang & Cheng [112] proposed a
identified that similar correlations exist between TCPs SYN, method to detect SIP flooding attacks when the attack volume
ACK and FIN messages as well. They used Hellinger distance does not experience a sudden spike, but rather follows a
to identify if the system was under attack. The data learned gradual increase. Most of the existing defenses would not
from the first n time slots were used to identify any malicious work under these circumstances. The authors proposed the
behavior in the next slot. If the slot proves to be benign, that use of Multi Resolution Analysis (MRA) and decomposed
slot is also incorporated into the learning data set. This is the wavelet into two signals - detail signal and approximation
one way to identify and cope with any on the fly variations. signal. The idea was that when the system is under attack,
Kumar and Thilagam [116] proposed a different way of the energy of the detail signal would rise sharply even if the
correlating SIP messages. They calculated three features - attack volume rises slowly. Allawi et al. [113] monitored three
Hash Computation Efficiency (HCE), Successful URI Binding features in the SIP communication - request rate, percentage
Efficiency (SUBE) and Registration Drop Efficiency (RDE) of requests served and average response time. The values of
from the SIP REGISTER messages. These values are used these parameters during the testing phase were compared with
to capture the general attitude of the server which in turn thresholds identified during the learning phase to identify an
attack. Tang et al. [114] used sketch data distributions of four
21
features. Each sketch data is essentially a hash table for the data (orphan pairs) be immediately classified as suspicious and
SIP attribute values. The training data set was used to generate discarded. Sun et al. [101] used a similar approach by storing
a sketch distribution which was compared with the sketch the outgoing DNS requests using a bloom filter. If the number
distribution generated during testing. It uses Hellinger distance of responses coming in is greater than the number of requests,
to measure similarity. this signifies an attack. Any response which does not match
3) Modeling the SIP connection: Golait & Hubballi [115] the request information stored is discarded. Khan et al. [102]
modeled the SIP system using a Probabilistic Counting De- used chaos theory to identify the incoming DNS stream as
terministic Timed Automata (PCDTA). If the system follows malicious or not.
the automata from the start state to a final state with the path DDoS attacks against DNS extremely hard to detect and
probability greater than than a predetermined threshold, the at the same time extremely devastating as well because it
connection is not anomalous. If the system enters a deadlock or can potentially affect a large number of other sites and can
enters an error state, the operation is deemed to be anomalous. even disrupt internet temporarily. The use of UDP which
Flooding attacks can be detected by using a counter associated is a connectionless protocol essentially makes this a very
with a transition and slow attacks can be identified by the promising line of attack for attackers.
timing probability. Semerci et al.[117] monitored the SIP
message history of users per time interval. They assigned each XIII. T OOLS AND DATASETS RELATED TO A PPLICATION
user a vector denoting the user’s behaviour and the server had a L AYER DD O S ATTACKS
state vector to denote the state of the server, which was nothing A. Tools for Defending Against Application Layer DDoS At-
but the summary of all user activity. Any significant deviation tacks
from the state vector of the server represents an attack.
Specially designed application layer firewalls are necessary
Table VIII presents a summary of the different ways in
to detect application layer DDoS attacks, because these attacks
which SIP flooding attacks have been detected in literature.
can only be detected through inspecting HTTP requests and
SIP powers a major share of the VoIP communication.
identifying patterns in the request flow. There are open source
Unfortunately, SIP also offers a wide variety of points where
and commercial firewalls available that are able to detect and
a denial of service attack can be executed. Detecting these
block these attacks, but these tools still focus on the primitive
attacks by observing merely the traffic flow volume may result
application layer DDoS attacks. A comparison of some of the
in false positives, and hence sophisticated techniques which
commercial defense tools are given in Table IX. There are
model the SIP architecture and detect anomalies are needed.
a few open source DDoS defense tools available but they
However, the performance and efficacy of these techniques
lack in strength and diversity. Apache provides a module
have to be considered to ensure it can operate in real time.
mod_evasive which can be configured to block connections
Also, SIP provides multiple points of attack, all of which must
with predefined rules. For example, it could be set to block
be secured to ensure that the entire system works perfectly.
connections which send requests over a particular threshold
XII. D EFENDING AGAINST R EFLECTED ATTACKS rate, or attempt to open too many connections. HAProxy is an
open source load balancer which can be configured to block
Reflected attacks present a significant challenge in situations
malicious users in the same way. It can also detect a TCP
where the underlying transport layer protocol is connection-
SYN flood and Slowloris attacks. Radware has deployed an
less. This type of attack allows the attackers the opportunity
open source DDoS defense system called Opendaylight, but it
to remain hidden while simultaneously employ an asymmetric
depends on an SDI to operate. Google has a DDoS defense
attack on the victim. In cases where the response messages
mechanism called Project Shield, which allows websites to
reflected on to the victim is much larger than the request
route their traffic through Google servers, where the traffic
messages sent by the attacker, the attack is called an ampli-
will be filtered.
fication attack. SIP reflection attacks have not been reported
While the existing defense mechanisms do work well for
in literature much, and the majority of reflected attacks are
the common application layer DDoS attacks like HTTP floods,
accounted for by reflected DNS attacks. As a result, we focus
they rely on predefined rules and do not consider normal user
our attention on reflected DNS attacks only.
behaviour for detecting attacks. As a result, asymmetric attacks
Almost all works that attempt to defend against reflected
are likely to fly under the radar of these defenses.
DDoS attacks at the application layer attempt to employ
some sort of request tracking mechanism. They attempt to
identify some correlation between the number of requests and B. Datasets for Application Layer DDoS
responses and hence try to separate legitimate users from There is a dearth of datasets available for training and testing
malicious ones. The type of correlation identified, and the application layer DDoS defense mechanisms. While there are
mechanism used to perform the correlation are what separate a wealth of network traces available, there are comparatively
the different works in the area. few application layer traces available, and most of the available
Kambourakis et al. [103] presented a simple solution to datasets are old. There are a number of sources of attack free
DNS amplification attacks. They proposed that when a DNS HTTP traces provided by the Internet Traffic Archives. Some
amplification attack takes place, the targeted DNS server of these datasets are:
receives responses without having previously sent out the cor- • WorldCup98 - 1. 3 billion Web requests recorded at
responding request. Their approach simply requires that such servers for the 1998 World Cup.
22
TABLE IX
C OMPARISON OF C OMMERCIAL A PPLICATION L AYER DD O S D EFENSE T OOLS
Firewall Designer Slow Attacks Flooding DNS Protection XML Attacks

Imperva X X X
Corero X X
Akamai X X
Cloudflare X X
Arbor X
Sucuri X X X
Fortiddos X X
F5 X X X X
•EPA-HTTP - a day of HTTP logs from a busy WWW • SIPp-DD : SIPp is a SIP traffic generation tool, which
server. has been leveraged by the work of Stanek & Kenkl [121]
• SDSC-HTTP - a day of HTTP logs from a busy WWW to develop SIPp-DD. This tool is capable of generating
server. SIP flooding attacks.
• Calgary-HTTP - a year of HTTP logs from a CS depart-
mental WWW server. XIV. N ECESSARY F EATURES FOR D EFENSE M ECHANISMS
• ClarkNet-HTTP - two weeks of HTTP logs from a busy
DDoS detection mechanisms have to work efficiently and
Internet service provider WWW server.
must be capable of detecting and blocking attacks at runtime.
• NASA-HTTP - two months of HTTP logs from a busy
The following features are crucial for a DDoS detection
WWW server.
mechanism:
• Saskatchewan-HTTP - seven months of HTTP logs from
• Scalability: As the number of users (malicious and legit-
a University WWW server.
However, most of these datasets date back to the late 1990s imate) rises, the load on the detection mechanism also
or early 2000s. Shiravi et al. [119] recognized this problem rises. If the detection mechanism is unable to scale up to
and generated a dataset that has been used in some of the meet the growing demand, it becomes a bottleneck that
recent research works featuring HTTP GET flood attacks the attackers can exploit. Any DDoS defense mechanism
[120]. There are a few datasets which describe a DDoS attack must be able to detect and block attackers in the least
which are given below. possible time. Apart from that the mechanism should be
able to handle a large number of users and not crumble
• CAIDA : Contains approximately one hour of
under the load of the attack.
anonymized traffic traces from a DDoS attack on
• Detection Speed : The detection mechanism must be
August 4, 2007.
capable of evaluating a connection swiftly to avoid delay.
• DARPA : DARPA contains DDoS datasets of varying
A long delay in turn leads to a longer response time which
complexity of attack, but the dataset is from the year
degrades the user experience.
2000. Apart from that, analyses on the dataset have led
• Low computation overhead : The detection mechanism
some researchers to suggest it does not resemble real
works in parallel with the web server and must use as
network data.
little computational resources as possible. This is in line
However, these datasets are not very reliable and so most of
with the above point where the existence of a firewalls
the research works have relied upon generated attack traces
should not in any way degrade the quality of service. A
using existing DDoS attack generation tools. Some of these
high computation overhead also means that the firewall
attack tools are listed below.
can be used as a bottleneck by the attackers and thus
• Low Orbit Ion Cannon : LOIC is a simple tool which can
presents a new avenue of attack.
be used to generate TCP, UDP or HTTP floods.
• Detection Accuracy: Detection accuracy can be measured
• HULK: HULK generates a random flood attack capable
using two factors : detection rate and false negatives. De-
of bypassing proxies and evade detection.
tection rate denotes how much of the attack connections
• DDoSim: DDoSim is a tool which generates an HTTP or
the firewall recognized. False negative rate denotes the
TCP flood with either valid or invalid requests.
opposite, i. e. how much of the incoming attack traffic
• R-U-D-Y: R-U-D-Y which stands for ’aRe yoU Dead
did the firewall pass on to the web server.
Yet’, is used to generate a low POST attack on a web
Let Nt denote the total number of attack vectors used
server.
during testing. Let Nr be the total number of connections
• Tor’s Hammer: Tor’s Hammer is another attack tool which
reported as malicious, and Nd be the number of connec-
uses the slow POST attack.
tions correctly reported as malicious.
• Pyloris: It is a python script used to test for connection
exhaustion DoS vulnerabilities in HTTP, FTP, SMTP, Nd
DetectionRate(DR) = (1)
IMAP, and Telnet. Nt
• Golden Eye: Golden Eye is a stress testing tool for HTTP Nt − Nd
protocol. FalseNegativeRate(F N R) = (2)
Nt
23
• Must not penalize legitimate users : This is a very [11] A. Networks, Leading US Banks targeted in DDoS Attacks,
important consideration for any organization. A DDoS 2012. [Online]. Available: https://nakedsecurity.sophos.com/2012/09/
27/banks-targeted-ddos-attacks/
attack system which labels legitimate users as malicious [12] Dyn, Dyn Analysis Summary Of Friday October 21 Attack, 2016.
takes away valuable business from the organization. False [Online]. Available: https://dyn.com/blog/dyn-analysis-summary-of-
Positive Rate is used to calculate the degree to which a friday-october-21-attack/
[13] I. Times, Hackers leave Finnish residents cold after
detection system classifies legitimate users as malicious. DDoS attack knocks out heating systems, 2016. [Online].
Available: http://www.ibtimes.co.uk/hackers-leave-finnish-residents-
Nr − Nd
FalsePositiveRate(FPR) = (3) cold-after-ddos-attack-knocks-out-heating-systems-1590639
Nr [14] SCMagazine, DDoS attacks delay trains, stymie trans-
portation services in Sweden, 2017. [Online]. Avail-
able: https://www.scmagazine.com/ddos-attacks-delay-trains-stymie-
XV. C ONCLUSION transportation-services-in-sweden/article/700227/
[15] Guardian, Massive cyber-attack grinds Liberia’s internet to a halt,
In this work, a detailed description and taxonomy of 2016. [Online]. Available: https://www.theguardian.com/technology/
application layer distributed denial of service attacks has 2016/nov/03/cyberattack-internet-liberia-ddos-hack-botnet
been presented to aid researchers in better understanding and [16] Forbes, Bitcoin Hit By Massive DDoS Attack As Tensions Rise, 2014.
[Online]. Available: https://www.forbes.com/sites/leoking/2014/02/12/
dealing with the dangers that these attacks present. A review bitcoin-hit-by-massive-ddos-attack-as-tensions-rise/
of the existing research directions and defense mechanisms [17] Guardian, Critical infrastructure not ready for DDoS
has also been presented to bring out the different features attacks: FOI data report, 2017. [Online]. Avail-
able: https://www.scmagazineuk.com/critical-infrastructure-not-ready-
used for detecting these attacks, and the different methods of for-ddos-attacks-foi-data-report/article/684838/
detection. Even though a reasonable amount of work has gone [18] Incapsula, DDoS Threat Landscape Report 2015-16, 2016. [Online].
into detecting and defending against application layer denial Available: https://lp.incapsula.com/rs/804-TEY-921/images/2015-16%
20DDoS%20Threat%20Landscape%20Report.pdf
of service attacks, they still remain a major threat because of [19] L. Garber, “Denial-of-service attacks rip the internet,” Computer,
the difficulty in adopting the defenses. We hope that this work vol. 33, no. 4, pp. 12–17, 2000.
will open doors for further discussion and research into this [20] I. Ristic. (2011) Tls renegotiation and denial of service attacks.
[Online]. Available: https://blog.qualys.com/ssllabs/2011/10/31/tls-
area. renegotiation-and-denial-of-service-attacks
[21] Incapsula, Global DDoS Threat Landscape Q1 2017, 2017.
[Online]. Available: https://www.incapsula.com/ddos-report/ddos-
ACKNOWLEDGMENTS report-q1-2017.html
[22] Kaspersky, Kaspersky DDoS Intelligence Report for Q1 2016,
This work is supported by the Ministry of Electronics and 2016. [Online]. Available: https://securelist.com/kaspersky-ddos-
Information Technology (MeitY), Government of India and intelligence-report-for-q1-2016/74550/
is part of the R&D project entitled "Development of Tool [23] D. Geneiatakis, T. Dagiuklas, G. Kambourakis, C. Lambrinoudakis,
S. Gritzalis, K. S. Ehlert, and D. Sisalem, “Survey of security vulner-
for Detection of Application Layer DDoS Attacks on Web abilities in session initiation protocol,” IEEE Communications Surveys
Applications" during the period 2017-2019. & Tutorials, vol. 8, no. 3, pp. 68–81, 2006.
[24] S. Armoogum and N. Mohamudally, “Survey of practical security
frameworks for defending sip based voip systems against dos/ddos
R EFERENCES attacks,” in IST-Africa Conference Proceedings, 2014. IEEE, 2014,
pp. 1–11.
[1] Radware, Cyber Security on the Offense - A [25] I. Hussain, S. Djahel, Z. Zhang, and F. Naït-Abdesselam, “A compre-
Study of IT Security Experts, 2012. [Online]. Avail- hensive study of flooding attack consequences and countermeasures
able: https://security.radware.com/uploadedfiles/resourcesa ndc ontent/ in session initiation protocol (sip),” Security and Communication
attackt ools/cybersecurityontheoffense.pdf Networks, vol. 8, no. 18, pp. 4436–4451, 2015.
[2] A. Networks, 2016 DDoS Attack Statistics, 2016. [Online]. [26] M. Jensen, N. Gruschka, and R. Herkenhöner, “A survey of attacks on
Available: https://www.arbornetworks.com/arbor-networks-releases- web services,” Computer Science-Research and Development, vol. 24,
global-ddos-attack-data-for-1h-2016 no. 4, pp. 185–197, 2009.
[3] I. S. Magazine, Anonymous Attacks Spanish Government Sites, [27] V. Durcekova, L. Schwartz, and N. Shahmehri, “Sophisticated denial
2017. [Online]. Available: https://www.infosecurity-magazine.com/ of service attacks aimed at application layer,” in 2012 ELEKTRO, May
news/anonymous-attacks-spanish/ 2012, pp. 55–60.
[4] Incapsula, Analysis of Vikingdom DDoS Attacks on U.S. Government [28] M. Aamir and M. A. Zaidi, “A survey on ddos attack and defense strate-
Sites, 2015. [Online]. Available: https://www.incapsula.com/blog/ gies: from traditional schemes to current techniques,” Interdisciplinary
vikingdom-ddos-attacks-us-government.html Information Sciences, vol. 19, no. 2, pp. 173–200, 2013.
[5] Silicon, Irish Government Websites Taken Down By DDoS Attacks, [29] S. T. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms
2017. [Online]. Available: http://www.silicon.co.uk/e-regulation/irish- against distributed denial of service (ddos) flooding attacks,” IEEE
government-websites-ddos-184428 communications surveys & tutorials, vol. 15, no. 4, pp. 2046–2069,
[6] Register, Anonymous turns its DDoS cannons on India, 2013.
2012. [Online]. Available: https://www.theregister.co.uk/2012/05/18/ [30] E. Cambiaso, G. Papaleo, G. Chiola, and M. Aiello, “Slow dos
anonymousd dosi ndias ites/ attacks: definition and categorisation,” International Journal of Trust
[7] Corero, DDoS Attacks Plague Olympic & Brazilian Government Management in Computing and Communications, vol. 1, no. 3-4, pp.
Websites, 2016. [Online]. Available: https://www.corero.com/blog/749- 300–319, 2013.
ddos-attacks-plague-olympic--brazilian-government-websites.html [31] N. S. Vadlamani, “A survey on detection and defense of application
[8] Register, Gits club GitHub code tub with record-breaking 1.35Tbps layer ddos attacks,” 2017.
DDoS drub, 2018. [Online]. Available: https://www.theregister.co.uk/ [32] Y. Wang, L. Liu, B. Sun, and Y. Li, “A survey of defense mechanisms
2018/03/01/githubd dosb iggeste ver/ against application layer distributed denial of service attacks,” in
[9] Coindesk, Bitcoin Gold Website Down Following DDoS Attack, 2017. Software Engineering and Service Science (ICSESS), 2015 6th IEEE
[Online]. Available: https://www.coindesk.com/bitcoin-gold-website- International Conference on. IEEE, 2015, pp. 1034–1037.
following-massive-ddos-attack/ [33] G. Mantas, N. Stakhanova, H. Gonzalez, H. H. Jazi, and A. A.
[10] Guardian, HSBC suffers Online Banking Cyber Attack, 2016. Ghorbani, “Application-layer denial of service attacks: taxonomy and
[Online]. Available: https://www.theguardian.com/money/2016/jan/29/ survey,” International Journal of Information and Computer Security,
hsbc-online-banking-cyber-attack vol. 7, no. 2-4, pp. 216–239, 2015.
24
[34] K. Singh, P. Singh, and K. Kumar, “Application layer http-get flood [58] S. Boyd and A. Keromytis, “Sqlrand: Preventing sql injection attacks,”
ddos attacks: Research landscape and challenges,” Computers & Secu- in Applied Cryptography and Network Security. Springer, 2004, pp.
rity, vol. 65, pp. 344–372, 2017. 292–302.
[35] E. Cambiaso, G. Papaleo, and M. Aiello, “Taxonomy of slow dos [59] R. Chandrashekhar, M. Mardithaya, S. Thilagam, and D. Saha, “Sql
attacks to web applications,” Recent Trends in Computer Networks and injection attack mechanisms and prevention techniques,” in Interna-
Distributed Systems Security, pp. 195–204, 2012. tional Conference on Advanced Computing, Networking and Security.
[36] Apache, Apache HTTPD Security ADVISORY, 2011. [Online]. Springer, 2011, pp. 524–533.
Available: https://httpd.apache.org/security/CVE-2011-3192.txt [60] W. G. Halfond, J. Viegas, and A. Orso, “A classification of sql-injection
[37] CCC, Effective Denial of Service Attacks against Web Application attacks and countermeasures,” in Proceedings of the IEEE International
Platforms, 2011. [Online]. Available: https://events.ccc.de/congress/ Symposium on Secure Software Engineering, vol. 1. IEEE, 2006, pp.
2011/Fahrplan/events/4680.en.html 13–15.
[38] S. A. Crosby and D. S. Wallach, “Denial of service via algorithmic [61] N. Palsetia, G. Deepa, F. A. Khan, P. S. Thilagam, and A. R. Pais,
complexity attacks.” in USENIX Security Symposium, 2003, pp. 29– “Securing native xml database-driven web applications from xquery
44. injection vulnerabilities,” Journal of Systems and Software, vol. 122,
[39] Y. G. Dantas, V. Nigam, and I. E. Fonseca, “A selective defense for pp. 93–109, 2016.
application layer ddos attacks,” in Intelligence and Security Informatics [62] G. Deepa, P. S. Thilagam, F. A. Khan, A. Praseed, A. R. Pais, and
Conference (JISIC), 2014 IEEE Joint. IEEE, 2014, pp. 75–82. N. Palsetia, “Black-box detection of xquery injection and parameter
[40] DDoS-Guard, Single Request HTTP Flood (Multiple VERB tampering vulnerabilities in web applications,” International Journal
Single Request), 2014. [Online]. Available: https://ddos-guard.net/ of Information Security, pp. 1–16, 2017.
en/terminology/single-request-http-flood-multiple-verb-single-request [63] M. Shtern, R. Sandel, M. Litoiu, C. Bachalo, and V. Theodorou,
[41] D. Beckett and S. Sezer, “Http/2 cannon: Experimental analysis on “Towards mitigation of low and slow application ddos attacks,” in
http/1 and http/2 request flood ddos attacks,” in Emerging Security Cloud Engineering (IC2E), 2014 IEEE International Conference on.
Technologies (EST), 2017 Seventh International Conference on. IEEE, IEEE, 2014, pp. 604–609.
2017, pp. 108–113. [64] M. Mongelli, M. Aiello, E. Cambiaso, and G. Papaleo, “Detection of
[42] Imperva. (2016) Http/2: In-depth analysis of the top four flaws dos attacks through fourier transform and mutual information,” in 2015
of the next generation web protocol. [Online]. Available: https: IEEE International Conference on Communications (ICC), June 2015,
//www.imperva.com/docs/ImpervaH IIH TTP2.pdf pp. 7204–7209.
[43] OWASP, XML External Entity (XXE) Processing, [65] N. Tripathi, N. Hubballi, and Y. Singh, “How secure are web servers?
2017. [Online]. Available: https://www.owasp.org/index.php/ an empirical study of slow http dos attacks and detection,” in 2016
XMLE xternalE ntity( XXE)P rocessing 11th International Conference on Availability, Reliability and Security
[44] T. D. Morgan and O. A. Ibrahim, “Xml schema, dtd, and entity attacks: (ARES), Aug 2016, pp. 454–463.
A compendium of known techniques,” Online, http://www. vsecurity. [66] V. Katkar, A. Zinjade, S. Dalvi, T. Bafna, and R. Mahajan, “Detection
com/download/papers/XMLDTDEntityAttacks. pdf, 2014. of dos/ddos attack against http servers using naive bayesian,” in 2015
International Conference on Computing Communication Control and
[45] Cloudflare, HTTP Flood Attack, 2014. [Online]. Available: https:
Automation, Feb 2015, pp. 280–285.
//www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
[67] S. Oshima, T. Nakashima, and T. Sueyoshi, “Early dos/ddos detec-
[46] WS-Attacks.org, XML Flooding, 2010. [Online]. Available: http:
tion method using short-term statistics,” in Complex, Intelligent and
//www.ws-attacks.org/XMLF looding
Software Intensive Systems (CISIS), 2010 International Conference on.
[47] Incapsula, DNS Flooding, 2010. [Online]. Available: https: IEEE, 2010, pp. 168–173.
//www.incapsula.com/ddos/attack-glossary/dns-flood.html [68] D. Moustis and P. Kotzanikolaou, “Evaluating security controls against
[48] S. Ranjan, R. Swaminathan, M. Uysal, A. Nucci, and E. Knightly, http-based ddos attacks,” in IISA 2013, July 2013, pp. 1–6.
“Ddos-shield: Ddos-resilient scheduling to counter application layer [69] J. Park, K. Iwai, H. Tanaka, and T. Kurokawa, “Analysis of slow read
attacks,” IEEE/ACM on Networking (TON), vol. 17, no. 1, pp. 26–39, dos attack,” in Information Theory and its Applications (ISITA), 2014
2009. International Symposium on. IEEE, 2014, pp. 60–64.
[49] G. Mori and J. Malik, “Recognizing objects in adversarial clutter: [70] L. C. Giralte, C. Conde, I. M. De Diego, and E. Cabello, “Detecting
Breaking a visual captcha,” in Computer Vision and Pattern Recog- denial of service by modelling web-server behaviour,” Computers &
nition, 2003. Proceedings. 2003 IEEE Computer Society Conference Electrical Engineering, vol. 39, no. 7, pp. 2252–2262, 2013.
on, vol. 1. IEEE, 2003, pp. I–I. [71] T. Vissers, T. S. Somasundaram, L. Pieters, K. Govindarajan, and
[50] J. Yan and A. S. El Ahmad, “Breaking visual captchas with naive P. Hellinckx, “Ddos defense system for web services in a cloud
pattern recognition algorithms,” in Computer Security Applications environment,” Future Generation Computer Systems, vol. 37, pp. 37–
Conference, 2007. ACSAC 2007. Twenty-Third Annual. IEEE, 2007, 45, 2014.
pp. 279–291. [72] A. Chonka, Y. Xiang, W. Zhou, and A. Bonti, “Cloud security defence
[51] S. Sivakorn, J. Polakis, and A. D. Keromytis, “IâĂŹm not a human: to protect cloud computing against http-dos and xml-dos attacks,”
Breaking the google recaptcha,” Black Hat,(i), pp. 1–12, 2016. Journal of Network and Computer Applications, vol. 34, no. 4, pp.
[52] H. Zhang, A. Taha, R. Trapero, J. Luna, and N. Suri, “Sentry: 1097–1107, 2011.
A novel approach for mitigating application layer ddos threats,” in [73] S. Padmanabhuni, V. Singh, K. S. Kumar, and A. Chatterjee, “Pre-
Trustcom/BigDataSE/IâĂŃ SPA, 2016 IEEE. IEEE, 2016, pp. 465– venting service oriented denial of service (presodos): A proposed
472. approach,” in Web Services, 2006. ICWS’06. International Conference
[53] S. Sivabalan and P. Radcliffe, “A novel framework to detect and block on. IEEE, 2006, pp. 577–584.
ddos attack at the application layer,” in TENCON Spring Conference, [74] M. Ficco and M. Rak, “Intrusion tolerant approach for denial of service
2013 IEEE. IEEE, 2013, pp. 578–582. attacks to web services,” in Data Compression, Communications and
[54] S. Suriadi, D. Stebila, A. Clark, and H. Liu, “Defending web services Processing (CCP), 2011 First International Conference on. IEEE,
against denial of service attacks using client puzzles,” in Web Services 2011, pp. 285–292.
(ICWS), 2011 IEEE International Conference on. IEEE, 2011, pp. [75] S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, “Cald: Surviving various
25–32. application-layer ddos attacks that mimic flash crowd,” in network and
[55] T. Karnwal, T. Sivakumar, and G. Aghila, “A comber approach to system security (nss), 2010 4th international conference on. IEEE,
protect cloud computing against xml ddos and http ddos attack,” in 2010, pp. 247–254.
Electrical, Electronics and Computer Science (SCEECS), 2012 IEEE [76] T. Ni, X. Gu, H. Wang, and Y. Li, “Real-time detection of application-
Students’ Conference on. IEEE, 2012, pp. 1–5. layer ddos attack using time series analysis,” Journal of Control Science
[56] W. G. Halfond and A. Orso, “Amnesia: analysis and monitoring and Engineering, vol. 2013, p. 4, 2013.
for neutralizing sql-injection attacks,” in Proceedings of the 20th [77] S. Yadav and S. Selvakumar, “Detection of application layer ddos attack
IEEE/ACM international Conference on Automated software engineer- by modeling user behavior using logistic regression,” in Reliability,
ing. ACM, 2005, pp. 174–183. Infocom Technologies and Optimization (ICRITO)(Trends and Future
[57] G. Buehrer, B. W. Weide, and P. A. Sivilotti, “Using parse tree Directions), 2015 4th International Conference on. IEEE, 2015, pp.
validation to prevent sql injection attacks,” in Proceedings of the 1–6.
5th international workshop on Software engineering and middleware. [78] S. Yadav and S. Subramanian, “Detection of application layer ddos
ACM, 2005, pp. 106–113. attack by feature learning using stacked autoencoder,” in Computa-
25
tional Techniques in Information and Communication Technologies [100] B. Meng, W. Andi, X. Jian, and Z. Fucai, “Ddos attack detection
(ICCTICT), 2016 International Conference on. IEEE, 2016, pp. 361– system based on analysis of users’ behaviors for application layer,”
366. in Computational Science and Engineering (CSE) and Embedded and
[79] K. Johnson Singh, K. Thongam, and T. De, “Entropy-based application Ubiquitous Computing (EUC), 2017 IEEE International Conference
layer ddos attack detection using artificial neural networks,” Entropy, on, vol. 1. IEEE, 2017, pp. 596–599.
vol. 18, no. 10, p. 350, 2016. [101] C. Sun, B. Liu, and L. Shi, “Efficient and low-cost hardware defense
[80] K. J. Singh and T. De, “Mlp-ga based algorithm to detect application against dns amplification attacks,” in Global Telecommunications Con-
layer ddos attack,” Journal of Information Security and Applications, ference, 2008. IEEE GLOBECOM 2008. IEEE. IEEE, 2008, pp. 1–5.
vol. 36, pp. 145–153, 2017. [102] M. S. Khan, K. Ferens, and W. Kinsner, “A chaotic measure for cogni-
[81] P. Chwalinski, R. Belavkin, and X. Cheng, “Detection of application tive machine classification of distributed denial of service attacks,” in
layer ddos attacks with clustering and bayes factors,” in Systems, Cognitive Informatics & Cognitive Computing (ICCI* CC), 2014 IEEE
Man, and Cybernetics (SMC), 2013 IEEE International Conference 13th International Conference on. IEEE, 2014, pp. 100–108.
on. IEEE, 2013, pp. 156–161. [103] G. Kambourakis, T. Moschos, D. Geneiatakis, and S. Gritzalis, “Detect-
[82] ——, “Detection of application layer ddos attack with clustering and ing dns amplification attacks,” in International Workshop on Critical
likelihood analysis,” in Globecom Workshops (GC Wkshps), 2013 Information Infrastructures Security. Springer, 2007, pp. 185–196.
IEEE. IEEE, 2013, pp. 217–222. [104] V. Pappas, D. Massey, and L. Zhang, “Enhancing dns resilience against
[83] K. K. Oo, K. Z. Ye, H. Tun, K. Z. Lin, and E. Portnov, “Enhance- denial of service attacks,” in Dependable Systems and Networks, 2007.
ment of preventing application layer based on ddos attacks by using DSN’07. 37th Annual IEEE/IFIP International Conference on. IEEE,
hidden semi-markov model,” in Genetic and Evolutionary Computing. 2007, pp. 450–459.
Springer, 2016, pp. 125–135. [105] H. Ballani and P. Francis, “A simple approach to dns dos mitigation,”
[84] S. Lee, G. Kim, and S. Kim, “Sequence-order-independent network 2016.
profiling for detecting application layer ddos attacks,” EURASIP Jour- [106] L. Zhu, Z. Hu, J. Heidemann, D. Wessels, A. Mankin, and N. Somaiya,
nal on Wireless Communications and Networking, vol. 2011, no. 1, “T-dns: Connection-oriented dns to improve privacy and security,” ACM
p. 50, 2011. SIGCOMM Computer Communication Review, vol. 44, no. 4, pp. 379–
[85] S. R. Devi and P. Yogesh, “Detection of application layer ddos attacks 380, 2015.
using information theory based metrics,” CS & IT-CSCP, vol. 10, pp. [107] F. Guo, J. Chen, and T.-c. Chiueh, “Spoof detection for preventing dos
213–223, 2012. attacks against dns servers,” in Distributed Computing Systems, 2006.
[86] W. Zhou, W. Jia, S. Wen, Y. Xiang, and W. Zhou, “Detection and ICDCS 2006. 26th IEEE International Conference on. IEEE, 2006,
defense of application-layer ddos attacks in backbone web traffic,” pp. 37–37.
Future Generation Computer Systems, vol. 38, pp. 36–46, 2014. [108] S. Rastegari, M. I. Saripan, and M. F. A. Rasid, “Detection of denial
[87] Y. Zhao, W. Zhang, Y. Feng, and B. Yu, “A classification detection of service attacks against domain name system using neural networks,”
algorithm based on joint entropy vector against application-layer ddos arXiv preprint arXiv:0912.1815, 2009.
attack,” Security and Communication Networks, vol. 2018, 2018. [109] E. Y. Chen, “Detecting dos attacks on sip systems,” in VoIP Manage-
[88] C. Ye, K. Zheng, and C. She, “Application layer ddos detection using ment and Security, 2006. 1st IEEE Workshop on. IEEE, 2006, pp.
clustering analysis,” in Computer Science and Network Technology 53–58.
(ICCSNT), 2012 2nd International Conference on. IEEE, 2012, pp. [110] D. Geneiatakis, N. Vrakas, and C. Lambrinoudakis, “Utilizing bloom
1038–1041. filters for detecting flooding attacks against sip based services,” com-
[89] S. R. Devi and P. Yogesh, “An effective approach to counter application puters & security, vol. 28, no. 7, pp. 578–591, 2009.
layer ddos attacks,” in Computing Communication & Networking Tech- [111] H. Sengar, H. Wang, D. Wijesekera, and S. Jajodia, “Fast detection of
nologies (ICCCNT), 2012 Third International Conference on. IEEE, denial-of-service attacks on ip telephony,” in Quality of Service, 2006.
2012, pp. 1–4. IWQoS 2006. 14th IEEE International Workshop on. IEEE, 2006, pp.
[90] H. Beitollahi and G. Deconinck, “Connectionscore: a statistical tech- 199–208.
nique to resist application-layer ddos attacks,” Journal of Ambient [112] J. Tang and Y. Cheng, “Quick detection of stealthy sip flooding attacks
Intelligence and Humanized Computing, vol. 5, no. 3, pp. 425–442, in voip networks,” in Communications (ICC), 2011 IEEE International
2014. Conference on. IEEE, 2011, pp. 1–5.
[91] J. D. Ndibwile, A. Govardhan, K. Okada, and Y. Kadobayashi, “Web [113] D. Allawi, A. A. Rohiem, A. El-moghazy, and A. Ghalwash, “New
server protection against application layer ddos attacks using machine algorithm for sip flooding attack detection,” International Journal of
learning and traffic authentication,” in Computer Software and Applica- Computer Science and Telecommunications, p. 3, 2013.
tions Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 3. IEEE, [114] J. Tang, Y. Cheng, Y. Hao, and W. Song, “Sip flooding attack
2015, pp. 261–267. detection with a multi-dimensional sketch design,” IEEE Transactions
[92] G. Oikonomou and J. Mirkovic, “Modeling human behavior for defense on Dependable and Secure Computing, vol. 11, no. 6, pp. 582–595,
against flash-crowd attacks,” in Communications, 2009. ICC’09. IEEE 2014.
International Conference on. IEEE, 2009, pp. 1–6. [115] D. Golait and N. Hubballi, “Detecting anomalous behavior in voip
[93] D. Beckett, S. Sezer, and J. McCanny, “New sensing technique for systems: A discrete event system modeling,” IEEE Transactions on
detecting application layer ddos attacks targeting back-end database Information Forensics and Security, vol. 12, no. 3, pp. 730–745, 2017.
resources,” in 2017 IEEE International Conference on Communications [116] A. Kumar and S. Tilagam, “A novel approach for evaluating and de-
(ICC), May 2017, pp. 1–7. tecting low rate sip flooding attack,” International Journal of Computer
[94] C. Xu, G. Zhao, G. Xie, and S. Yu, “Detection on application layer Applications, vol. 26, no. 1, pp. 31–36, 2011.
ddos using random walk model,” in Communications (ICC), 2014 IEEE [117] M. Semerci, A. T. Cemgil, and B. Sankur, “An intelligent cyber security
International Conference on. IEEE, 2014, pp. 707–712. system against ddos attacks in sip networks,” Computer Networks, vol.
[95] Y. Xie and S.-Z. Yu, “A large-scale hidden semi-markov model for 136, pp. 137–154, 2018.
anomaly detection on user browsing behaviors,” IEEE/ACM Transac- [118] I. Hussain and F. Naït-Abdesselam, “Strategy based proxy to secure
tions on Networking (TON), vol. 17, no. 1, pp. 54–65, 2009. user agent from flooding attack in sip,” in Wireless Communications
[96] ——, “Monitoring the application-layer ddos attacks for popular web- and Mobile Computing Conference (IWCMC), 2011 7th International.
sites,” IEEE/ACM Transactions on Networking (TON), vol. 17, no. 1, IEEE, 2011, pp. 430–435.
pp. 15–25, 2009. [119] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “Toward
[97] J. Wang, X. Yang, and K. Long, “Web ddos detection schemes developing a systematic approach to generate benchmark datasets for
based on measuring user’s access behavior with large deviation,” in intrusion detection,” Computers and Security, vol. 31, no. 3, pp. 357 –
Global Telecommunications Conference (GLOBECOM 2011), 2011 374, 2012. [Online]. Available: http://www.sciencedirect.com/science/
IEEE. IEEE, 2011, pp. 1–5. article/pii/S0167404811001672
[98] C. Huang, J. Wang, G. Wu, and J. Chen, “Mining web user behaviors to [120] H. H. Jazi, H. Gonzalez, N. Stakhanova, and A. A. Ghorbani, “De-
detect application layer ddos attacks.” JSW, vol. 9, no. 4, pp. 985–990, tecting http-based application layer dos attacks on web servers in the
2014. presence of sampling,” Computer Networks, vol. 121, pp. 25–36, 2017.
[99] M. Emami-Taba, M. Amoui, and L. Tahvildari, “Strategy-aware mit- [121] J. Stanek and L. Kencl, “Sipp-dd: Sip ddos flood-attack simulation
igation using markov games for dynamic application-layer attacks,” tool,” in Computer Communications and Networks (ICCCN), 2011
in High Assurance Systems Engineering (HASE), 2015 IEEE 16th Proceedings of 20th International Conference on. IEEE, 2011, pp.
International Symposium on. IEEE, 2015, pp. 134–141. 1–7.
26
Amit Praseed received his B. Tech de-

gree in Computer Science and Engineer-
ing in 2014 from College of Engineering
Trivandrum, Kerala, India. He received
his M. Tech degree in Computer Science
and Engineering - Information Security
in 2016 from National Institute of Tech-
nology (NIT) Karnataka, Surathkal, India
and is currently working towards the Ph. D. degree in Com-
puter Science at NITK. His research interests include Web
Security and Information Security.
P. Santhi Thilagam received her B.
E. degree in Computer Science and Engi-
neering from Thiagarajar College of En-
gineering, Madurai, M.E. degree in Com-
puter Science and Engineering from Anna
University, Chennai, India, in 2000 and
Ph.D. degree in Computer Science and
Engineering from National Institute of
Technology (NIT) Karnataka, Surathkal,
India in 2008. Since October 1996, she
has been with the Department of Computer Science and
Engineering, NITK Surathkal, where she was an Assistant
Professor, and became an Associate Professor in 2009. Since
2018, she is working as a Professor at NITK Surathkal.
Her current research interests include Cloud Computing, Dis-
tributed Data Mining and Web Security. She was the recipient
of the BITES best Ph.D. Thesis award for the year 2009 in
Computer Science and Engineering Category.

Ddos Attacks at The Application Layer: Challenges and Research Perspectives For Safeguarding Web Applications

Uploaded by

Copyright:

Available Formats

Ddos Attacks at The Application Layer: Challenges and Research Perspectives For Safeguarding Web Applications

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ddos Attacks at The Application Layer: Challenges and Research Perspectives For Safeguarding Web Applications

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

DDoS Attacks at the Application Layer :

Target Type of Organization Year Impact

Research Work Year Area Covered Limitations

Fig. 3. Taxonomy of Application Layer DDoS attacks exploiting Protocol Features

Fig. 5. Taxonomy of Application Layer DDoS attacks exploiting System Features

Associated with this defensive tactic is the question of

request. However, the users who will be supplied with the

Type of Research Features Used Detection Mechanism Strengths Limitations

Research Features Used Detection Mechanism Strengths Limitations

Research Features Used Detection Approach Strengths Limitations

Research Features Used Detection Strengths Limitations

A. Mitigation Approaches B. Detecting SIP DDoS Attacks

Research Features Used Detection Mechanism Strengths Limitations

Research Features Used Detection Mechanism Strengths Limitations

Firewall Designer Slow Attacks Flooding DNS Protection XML Attacks

Amit Praseed received his B. Tech de-

You might also like