1

A taxonomy of DDoS attack and DDoS defense [1]

mechanisms

Full Text: PDF Get this Article

Authors: Jelena Mirkovic University of Delaware, Newark, DE

Peter Reiher UCLA, Los Angeles, CA

Published in:

Newsletter
ACM SIGCOMM Computer Communication Review Homepage archive
Volume 34 Issue 2, April 2004
Pages 39-53

2 DDoS attacks and defense mechanisms: [2]

classification and state-of-the-art

Christos Douligeris, ,

Aikaterini Mitrokotsa

Attacking DDoS at the source [3]

Network Protocols, 2002. Proceedings. 10th IEEE International Conference on
4 https://conference.apnic.net/data/37/breakingthebank.pdf [4]
5 Distributed Denial of Service: [5]
Taxonomies of Attacks, Tools and Countermeasures
http://citeseerx.ist.psu.edu/viewdoc/download?
doi=10.1.1.133.4566&rep=rep1&type=pdf
6 http://cseweb.ucsd.edu/~snoeren/papers/spie-ton.pdf [6]
Single-Packet IP Traceback
7 Systematic mapping studies in software engineering [7]

http://www.rbsv.eu/courses/rmtw/mtrl/SM.pdf
8 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf [8]
9 http://resources.infosecinstitute.com/layer-seven-ddos-attacks/ [9]

2002 In 2002, Jung et al. [9] offered enhancement to Content [10]

Jung et Distribution Networks (CDNs) in order to distinguish a DDoS
al. [10] attack from a flash crowd. The authors identified two key
properties associated with a flash eventthere is an increase
in number of clients in flash event as compared to DDoS
 attack where the traffic is generated from a small set of IP
clusters; largely the old set of IP clusters are responsible for
traffic generation in case of flash event whereas new IP
clusters are formed during a DDoS attack. However, these
properties do not necessarily always differentiate an attack
and flash event.

Hopper et al. [10] proposed graphical puzzle based bots [11]

2003 detection schemes in 2003. The clients are asked to solve
Hopper CAPTCHA before allowing any resource access. These types
et al. of defense schemes are considered to be annoying for a
[11] regular user. Further, presence of web proxies poses a major
challenge to these schemes.

Yen et al. [12] proposed statistical based approach in which [12]

the server maintains the users recent request history. The
proposed system is divided into three phases. Initially, a user
2005 is considered as suspicious based on the frequency of
Yen et repetitions in its request pattern. Then the requested objects
al. [12] are identified based on which the attackers are distinguished
from legitimate users. The system assumes that the attacker
is more likely to repeat its request pattern which does not
hold much with new stealthy bots being designed nowadays.

Ranjan et al. [13] proposed a counter mechanism based on [13]

deviation of a user session characteristics from the
legitimate behaviour. A suspicion value is assigned to each
2006
user session proportional to the deviation in terms of session
Ranjan
arrival, request arrival and workload characteristics. The
et al.
scheduler then decides when are where to serve sessions
[13]
based on their suspicion measures. As attacker can easily
mimic the underlying statistical behaviour, the proposed
system can easily be evaded.

Yatagai et al. [14] implemented an application-layer DDoS [14]

attack detection scheme based on the users webpage
request sequence. IP addresses of users are identified which
2007
exhibit similar browsing patterns. Other parameter
Yatagai
considered by the detection scheme is the viewing time of
et al.
each page that is expected to correlate with the information
[14]
present on a webpage. However, the proposed detection
parameters are not enough to characterise the normal user
behaviour as a bot can easily mimic these behaviours.

Yu et al. [15] proposed a mechanism that integrates [15]

detection and encouragement scheme into a Defense and
Offense Wall (DOW) model. The detection module relies on
mean request workload and mean request interval to detect
2007 the application-layer DDoS attacks. The encouragement
Yu et system requests the users to increase their session rate
al. [15] which increases the probability of their requests being
served by the web server. The proposed defense mechanism
provides a high resource consuming solution to identify the
attack traffic which limits its applicability in real world
scenario.

2008 Srivatsa et al.[16] integrated admission and congestion [16]

Srivats control mechanisms to defend against application-layer
a et al. DDoS attack. They used Javascript on the users browser to
[16] embed a 16 bit value known as authenticator in the port
 number field of TCP header. Based on this value the attack
packets are filtered at the network layer of victim. Different
users are given different bandwidth in terms of the priority
level assigned based on their request rates. The challenging
server deployed to authenticate the requests can itself
become the attack victim.

Xie et al. [17]proposed an approach to model the sequence [17]

order of legitimate page requests and characterise the
legitimate and suspicious browsing behaviour based on
Hidden semi Markov Model (HsMM). The deviation of entropy
2009 from the defined threshold limits identifies the presence of
Xie et bots. The authors assumed that the bots do not follow the
al. [17] hyperlinks present on a webpage, instead they use URLs to
access the new webpages. This assumption may not hold in
case of stealthy bots as they can easily follow hyperlinks.
Moreover, the proposed algorithm demands substantial
amount of computational resources for real time detection.

Mirkovic et al. [18] proposed a method to characterise users [18]

legitimate behaviour based on request dynamics like request
inter-arrival time, etc. and content access priority like
request sequence, etc. The deviation of current user session
2009
from predefined legitimate behaviour characterizes it as an
Mirkovi
attack. The authors also used various human deception
c et al.
techniques like invisible forms, tiny hotspots, invisible text,
[18]
layering and invisible images to identify possible bots.
However, presence of web proxies and caches limit the use
of request dynamics used by the proposed scheme for
efficient traffic characterization.

Yu et al. [19] proposed a trust based system to prioritize the [19]

requests received by the server. Depending on the users
connection history, four different trust values are assigned to
2009 the user; long-term trust, short-term trust, misusing trust
Yu et and negative trust. These values collectively known as a
al. [19] license are stored on the client side in form of cookies. The
trust based scheduler then decides to accept or reject the
connection based on the values received in a license
provided by the user.

Wen et al. [20] proposed an architectural extension to [20]

distinguish surge from recursive and repeated application-
layer DDoS attacks based on entropy of incoming source and
target webpages. The system initially detects for an anomaly
2010
against normal behaviour modelled using static
Wen et
autoregressive model and kalman filter. To reduce
al. [20]
computational overheads, the attack characterization
module is triggered only in case of an anomaly identified by
the front end sensor. However, this makes the system
susceptible to slowly increasing DDoS attacks.

2010 Du et al. [21] proposed a credit based attack detection [21]

Du et system called OverCourt. Every user is assigned a credit
al. [21] value based on the amount of packets exchanged with
server. The system punishes the users that deviate from
normal behaviour by lowering their credit points and
dropping connections while giving precedence to well
behaving users by allowing them to migrate to protected
 channel. This scheme however requires maintaining a per-
flow state of its users which might cause an overhead on the
server itself.

Xuan et al. [22] proposed a statistical detection approach [22]

based on group testing. A group of users is tested as a whole
2010 for its abnormality. The average response time of the
Xuan requests is used to evaluate the group test result which is
et al. either positive or negative. This decides the probability of the
[22] presence of suspicious elements in a group. However, agroup
testing based scheme will also punish legitimate users
present in a suspected group.

Das et al. [23] identified different application-layer DDoS [23]

attacks using three different detection modules. The value of
HTTP request arrival rate calculated in a HTTP window
2011
signals one of the given scenarios- random flooding, shrew
Das et
flooding and flash crowd. The detection accuracy is
al. [23]
influenced by the presence of web proxies and
caches.Additionally, a stealthy attacker can easily defy the
proposed detection logic.

Ankali et al.[24]proposed two attack detection mechanisms [24]

for HTTP and FTP based on HsMM. They extracted various
features like request rate, page viewing time and requested
2011 sequence to model legitimate behaviour. The complete
Ankali system is divided into three modules- login, anomaly
et al. detection and prevention. Initially, a user is provided access
[24] to the resources only if it is having valid username and
password. Second module identifies behavioural anomaly if
any in a user session. Finally, the attack is prevented by
blocking the service to suspected users.

Choi et al.[25] proposed a detection mechanism that used [25]

support vector machine to classify normal and attack traffic.
The detection is based on the traffic characteristics collected
2011
during a specified monitoring period. This monitoring period
Choi et
is divided into number of timeslots during which only a single
al. [25]
HTTP GET request is allowed to be served. The normal and
attack profiles are modelled using parameters extracted from
each timeslot in a single monitoring period.

Yu et al.[26] assumed the network traffic to possess a strong [26]

similarity/correlation. The theoretical proof of the
discrimination algorithm used to identify similarities amongst
2012
suspicious flows is given by the authors. The flow correlation
Yu et
coefficient was used to differentiate a flash crowd from
al. [26]
application-layer DDoS attacks. However, this system
overloads the server by introducing complex computational
effort which bound its implementation in real time scenarios.

Ye et al.[27] proposed a time and sequence independent [27]

hierarchical clustering based detection scheme to
2012 differentiate a legitimate and suspicious browsing behaviour.
Ye et They used four different user session features- object size,
al. [27] request rate, object popularity and transition probability.
Despite that, the detection scheme fails to identify attack
traces in case of flash crowds.
 Sivabalan et al.[28] proposed a detection system in which [28]
the server load level is divided into three parts using two
threshold values- low load threshold and high load threshold.
CAPTCHAs (Completely Automated Public Turing test to tell
2013 Computers and Humans Apart) and AYAHs (Are You A
Sivabal Human) are occasionally generated during a session to
an et create user signatures before and during a session. The
al. [28] signature and server load level decides one of the following
action to be taken against suspected user; no blocking and
delay, delay suspicious clients or block suspicious clients. An
occasional use of AHAY will delay attack detection and its
frequent use will discomfort the client.

Wang et al.[30] proposed a detection mechanism based on [29]

entropy of HTTP GET requests per source IP. It utilized the
fact that the source IP clusters are more distributed in case
of flash crowd as compared to DDoS attack. It can
2013 differentiate flash crowd from possible application-layer
Wang DDoS attacks. Kalman filter is used to model various time
et al. dependent parameters associated with adaptive
[29] autoregressive model. The HTTP GET requests are classified
using SVM (State Vector Machine) trained by AAR (Adaptive
Auto Regressive) parameters. The adaptive behaviour of the
system allows the detection mechanism to work even in case
of varying traffic conditions.

Wang et al.[31] extended their previous work [32] to support [30]

the modelling of legitimate behaviour even from noisy
2013 datasets i.e., web traces mixed with traffic from web bots.
Wang The authors used density based clustering to identify web
et al. crawler traces in the training dataset. Anomaly based
[30] detection system proposed in this work characterizes the
normal user browsing behaviour in terms of session length
and varying webpage popularity.

Giralte et al.[33]represented the legitimate user behaviour in [31]

terms of layer 4 and layer 7 parameters like number of GET
requests, GETs mean, mean of flows per user, standard
2013
deviation of flows per user, etc. A three stage model was
Giralte
designed to detect variety of application-layer DDoS attacks
et al.
wherein each stage was able to capture some of the attacks.
[31]
The proposed scheme is able to distinguish legitimate web
bots and attacking web bots based on their access path
patterns.

Xie et al.[34] proposed a HsMM based detection scheme for [32]

the attacks being redirected to the victim server by the use
of web proxies that directly connect to server. The authors
2013
identified the dominant/visible and recessive/invisible
Xie et
features of proxy-to-server aggregated traffic. The traffic
al. [32]
directed towards the server is compared against this model
to determine the judgement index that will be used for
service acceptance or rejection decisions.

2013 Xie et al.[35] proposed a scheme that primarily detects web [33]
Xie et proxy based DDoS attacks using Hidden semi Markov Model.
al. [33] The authors captured temporal and spatial localities to
model web proxies access behaviour using the server logs.
The scheme offers traffic intensity and web content
 independent defence approach against proxy based attacks.
However with the increase in number of users, the model is
likely to give expensive results.

Wang et al.[38] proposed a dynamic popularity based DDoS [34]

2014 detection scheme based on their previous work [32]. Large
Wang deviation principle characterizes the difference in expected
et al. and actual popularity of webpages. The system efficiently
[34] detects random and perfect knowledge DDoS attacks but is
inadequate in defending single and multi DDoS URL attacks.

In 2014, Zhou et al.[39] extended their previous work [20] to [35]

sustain under heavy backbone traffic conditions. To
implement live detection, they used a real time frequency
2014
vector based on targets resource requests. Attack detection
Zhou
module is only triggered in case of an anomaly detected by
et al.
the front end sensor which reduced the probability of
[35]
frequent computations. Mess extent or entropy differentiates
flash crowd from various possible application-layer DDoS
attacks.

In 2014, Xu et al.[40] proposed a scheme to detect [36]

asymmetric application-layer DDoS attacks. They captured
user browsing sequence patterns based on extended random
walk model. The proposed scheme predicts the possible
2014
future request sequence for a user based on the legitimate
Xu et
request sequence model. The scheme is able to identify
al. [36]
individual attacker based on its deviation from the expected
behaviour. However, itsrestrained ability indetecting attacks
based on high workload requests only makes it vulnerable to
other type of application-layer DDoS attacks.
[37]

[38]

[39]

References

[1] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense
mechanisms, SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp. 39
53, Apr. 2004.
[2] C. Douligeris and A. Mitrokotsa, DDoS attacks and defense mechanisms:
classification and state-of-the-art, Comput. Netw., vol. 44, no. 5, pp.
643666, Apr. 2004.
[3] J. M. Gregory, G. Prier, and P. Reiher, Attacking DDoS at the source, in
In Proceedings of the IEEE International Conference on Network
Protocols, 2002.
[4] Roland Dobbins, Breaking the Bank, 2015.
[5] S. M. Specht and R. B. Lee, Distributed Denial of Service: Taxonomies of
Attacks, Tools, and Countermeasures., in ISCA PDCS, 2004, pp. 543
550.
[6] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B.
Schwartz, S. T. Kent, and W. T. Strayer, Single-packet IP traceback,
IEEE/ACM Transactions on Networking, vol. 10, no. 6, pp. 721734, 2002.
[7] Barbara Kitchenham and Stuart Charters, Guidelines for performing
Systematic Literature Reviews in Software Engineering, School of
Computer Science and Mathematics, Keele University, EBSE-2007-01, Jul.
2007.
[8] Wong Onn Chee and Tom Brennan, H.....t.....t....p....p....o....s....t, 2010.
[9] Layer Seven DDoS Attacks, InfoSec Institute. [Online]. Available:
http://resources.infosecinstitute.com/layer-seven-ddos-attacks/.
[Accessed: 05-Sep-2014].
[10] J. Jung, B. Krishnamurthy, and M. Rabinovich, Flash Crowds and Denial
of Service Attacks: Characterization and Implications for CDNs and Web
Sites, in Proceedings of the 11th International Conference on World
Wide Web, New York, NY, USA, 2002, pp. 293304.
[11] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using Hard
AI Problems for Security, in Advances in Cryptology EUROCRYPT
2003, E. Biham, Ed. Springer Berlin Heidelberg, 2003, pp. 294311.
[12] W. Yen and M.-F. Lee, Defending application DDoS with constraint
random request attacks, in Communications, 2005 Asia-Pacific
Conference on, 2005, pp. 620624.
[13] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, DDoS-Resilient
Scheduling to Counter Application Layer Attacks Under Imperfect
Detection, in INFOCOM 2006. 25th IEEE International Conference on
Computer Communications. Proceedings, 2006, pp. 113.
[14] T. Yatagai, T. Isohara, and I. Sasase, Detection of HTTP-GET flood Attack
Based on Analysis of Page Access Behavior, in IEEE Pacific Rim
Conference on Communications, Computers and Signal Processing,
2007. PacRim 2007, 2007, pp. 232235.
[15] J. Yu, Z. Li, H. Chen, and X. Chen, A Detection and Offense Mechanism to
Defend Against Application Layer DDoS Attacks, in Third International
Conference on Networking and Services, 2007. ICNS, 2007, pp. 5454.
[16] M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, Mitigating application-level
denial of service attacks on Web servers: A client-transparent approach,
ACM Trans. Web, vol. 2, no. 3, pp. 15:115:49, Jul. 2008.
[17] Y. Xie and S. Yu, A Large-Scale Hidden Semi-Markov Model for Anomaly
Detection on User Browsing Behaviors, IEEE/ACM Transactions on
Networking, vol. 17, no. 1, pp. 5465, Feb. 2009.
[18] G. Oikonomou and J. Mirkovic, Modeling Human Behavior for Defense
Against Flash-crowd Attacks, in Proceedings of the 2009 IEEE
International Conference on Communications, Piscataway, NJ, USA, 2009,
pp. 625630.
[19] J. Yu, C. Fang, L. Lu, and Z. Li, Mitigating application layer distributed
denial of service attacks via effective trust management, IET
communications, vol. 4, no. 16, pp. 19521962, 2010.
[20] S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, CALD: Surviving Various
Application-Layer DDoS Attacks That Mimic Flash Crowd, in 2010 4th
International Conference on Network and System Security (NSS), 2010,
pp. 247254.
[21] P. Du and A. Nakao, OverCourt: DDoS mitigation through credit-based
traffic segregation and path migration, Computer Communications, vol.
33, no. 18, pp. 21642175, Dec. 2010.
[22] Y. Xuan, I. Shin, M. T. Thai, and T. Znati, Detecting Application Denial-of-
Service Attacks: A Group-Testing-Based Approach, IEEE Transactions on
Parallel and Distributed Systems, vol. 21, no. 8, pp. 12031216, Aug.
2010.
[23] D. Das, U. Sharma, and D. K. Bhattacharyya, Detection of HTTP Flooding
Attacks in Multiple Scenarios, in Proceedings of the 2011 International
Conference on Communication, Computing & Security, New York,
NY, USA, 2011, pp. 517522.
[24] S. B. Ankali and D. V. Ashoka, Detection architecture of application layer
DDoS attack for internet, Int. J. Advanced Networking and Applications,
vol. 3, no. 01, pp. 984990, 2011.
[25] Y. S. Choi, J. T. Oh, J. S. Jang, and I. K. Kim, Timeslot Monitoring Model for
application layer DDoS attack detection, in 2011 6th International
Conference on Computer Sciences and Convergence Information
Technology (ICCIT), 2011, pp. 677679.
[26] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, Discriminating DDoS
Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE
Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp.
10731080, Jun. 2012.
[27] C. Ye, K. Zheng, and C. She, Application layer ddos detection using
clustering analysis, in 2012 2nd International Conference on Computer
Science and Network Technology (ICCSNT), 2012, pp. 10381041.
[28] S. Sivabalan and P. J. Radcliffe, A novel framework to detect and block
DDoS attack at the application layer, in 2013 IEEE TENCON Spring
Conference, 2013, pp. 578582.
[29] T. Ni, X. Gu, H. Wang, and Y. Li, Real-Time Detection of Application-Layer
DDoS Attack Using Time Series Analysis, Journal of Control Science and
Engineering, vol. 2013, p. e821315, Sep. 2013.
[30] J. Wang, M. Zhang, X. Yang, K. Long, and C. Zhou, HTTP-sCAN: Detecting
HTTP-flooding attaCk by modeling multi-features of web browsing
behavior from noisy dataset, in 2013 19th Asia-Pacific Conference on
Communications (APCC), 2013, pp. 677682.
[31] L. C. Giralte, C. Conde, I. M. de Diego, and E. Cabello, Detecting denial
of service by modelling web-server behaviour, Computers & Electrical
Engineering, vol. 39, no. 7, pp. 22522262, Oct. 2013.
[32] Y. Xie, S. Tang, X. Huang, C. Tang, and X. Liu, Detecting latent attack
behavior from aggregated Web traffic, Computer Communications, vol.
36, no. 8, pp. 895907, May 2013.
[33] Y. Xie, S. Tang, Y. Xiang, and J. Hu, Resisting Web Proxy-Based HTTP
Attacks by Temporal and Spatial Locality Behavior, IEEE Transactions on
Parallel and Distributed Systems, vol. 24, no. 7, pp. 14011410, 2013.
[34] J. Wang, X. Yang, M. Zhang, K. Long, and J. Xu, HTTP-SoLDiER: An HTTP-
flooding attack detection scheme with the large deviation principle, Sci.
China Inf. Sci., pp. 115, Apr. 2014.
[35] W. Zhou, W. Jia, S. Wen, Y. Xiang, and W. Zhou, Detection and defense of
application-layer DDoS attacks in backbone web traffic, Future
Generation Computer Systems, vol. 38, pp. 3646, Sep. 2014.
[36] C. Xu, G. Zhao, G. Xie, and S. Yu, Detection on application layer DDoS
using random walk model, in 2014 IEEE International Conference on
Communications (ICC), 2014, pp. 707712.
[37] S. Yu, S. Guo, and I. Stojmenovic, Fool Me If You Can: Mimicking Attacks
and Anti-attacks in Cyberspace, IEEE Transactions on Computers, vol.
99, no. PrePrints, p. 1, 2013.
[38] Y. Xie and S. Yu, Monitoring the Application-Layer DDoS Attacks for
Popular Websites, IEEE/ACM Transactions on Networking, vol. 17, no. 1,
pp. 1525, Feb. 2009.
[39] A. Bhandari, K. Kumar, and A. L. Sangal, Performance Metrics for
Defense Framework against Distributed Denial of Service Attacks, IJNS,
vol. 6, 2014.
[1] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS
defense mechanisms, SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp.
3953, Apr. 2004.

[2] C. Douligeris and A. Mitrokotsa, DDoS attacks and defense

mechanisms: classification and state-of-the-art, Comput. Netw., vol. 44, no.
5, pp. 643666, Apr. 2004.

[3] J. M. Gregory, G. Prier, and P. Reiher, Attacking DDoS at the source, in

In Proceedings of the IEEE International Conference on Network Protocols,
2002.

[4] Roland Dobbins, Breaking the Bank, 2015.

[5] S. M. Specht and R. B. Lee, Distributed Denial of Service: Taxonomies

of Attacks, Tools, and Countermeasures., in ISCA PDCS, 2004, pp. 543550.

[6] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B.

Schwartz, S. T. Kent, and W. T. Strayer, Single-packet IP traceback,
IEEE/ACM Transactions on Networking, vol. 10, no. 6, pp. 721734, 2002.

[7] Barbara Kitchenham and Stuart Charters, Guidelines for performing

Systematic Literature Reviews in Software Engineering, School of Computer
Science and Mathematics, Keele University, EBSE-2007-01, Jul. 2007.

[8] Wong Onn Chee and Tom Brennan, H.....t.....t....p....p....o....s....t,

2010.

[9] Layer Seven DDoS Attacks, InfoSec Institute. [Online]. Available:

http://resources.infosecinstitute.com/layer-seven-ddos-attacks/. [Accessed:
05-Sep-2014].

[10] J. Jung, B. Krishnamurthy, and M. Rabinovich, Flash Crowds and Denial

of Service Attacks: Characterization and Implications for CDNs and Web
Sites, in Proceedings of the 11th International Conference on World Wide
Web, New York, NY, USA, 2002, pp. 293304.

[11] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using

Hard AI Problems for Security, in Advances in Cryptology EUROCRYPT
2003, E. Biham, Ed. Springer Berlin Heidelberg, 2003, pp. 294311.

[12] W. Yen and M.-F. Lee, Defending application DDoS with constraint
random request attacks, in Communications, 2005 Asia-Pacific Conference
on, 2005, pp. 620624.

[13] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, DDoS-Resilient

Scheduling to Counter Application Layer Attacks Under Imperfect Detection,
in INFOCOM 2006. 25th IEEE International Conference on Computer
Communications. Proceedings, 2006, pp. 113.
[14] T. Yatagai, T. Isohara, and I. Sasase, Detection of HTTP-GET flood
Attack Based on Analysis of Page Access Behavior, in IEEE Pacific Rim
Conference on Communications, Computers and Signal Processing, 2007.
PacRim 2007, 2007, pp. 232235.

[15] J. Yu, Z. Li, H. Chen, and X. Chen, A Detection and Offense Mechanism
to Defend Against Application Layer DDoS Attacks, in Third International
Conference on Networking and Services, 2007. ICNS, 2007, pp. 5454.

[16] M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, Mitigating application-level

denial of service attacks on Web servers: A client-transparent approach,
ACM Trans. Web, vol. 2, no. 3, pp. 15:115:49, Jul. 2008.

[17] Y. Xie and S. Yu, A Large-Scale Hidden Semi-Markov Model for Anomaly
Detection on User Browsing Behaviors, IEEE/ACM Transactions on
Networking, vol. 17, no. 1, pp. 5465, Feb. 2009.

[18] G. Oikonomou and J. Mirkovic, Modeling Human Behavior for Defense

Against Flash-crowd Attacks, in Proceedings of the 2009 IEEE International
Conference on Communications, Piscataway, NJ, USA, 2009, pp. 625630.

[19] J. Yu, C. Fang, L. Lu, and Z. Li, Mitigating application layer distributed
denial of service attacks via effective trust management, IET
communications, vol. 4, no. 16, pp. 19521962, 2010.

[20] S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, CALD: Surviving Various
Application-Layer DDoS Attacks That Mimic Flash Crowd, in 2010 4th
International Conference on Network and System Security (NSS), 2010, pp.
247254.

[21] P. Du and A. Nakao, OverCourt: DDoS mitigation through credit-based

traffic segregation and path migration, Computer Communications, vol. 33,
no. 18, pp. 21642175, Dec. 2010.

[22] Y. Xuan, I. Shin, M. T. Thai, and T. Znati, Detecting Application Denial-

of-Service Attacks: A Group-Testing-Based Approach, IEEE Transactions on
Parallel and Distributed Systems, vol. 21, no. 8, pp. 12031216, Aug. 2010.

[23] D. Das, U. Sharma, and D. K. Bhattacharyya, Detection of HTTP

Flooding Attacks in Multiple Scenarios, in Proceedings of the 2011
International Conference on Communication, Computing & Security, New
York, NY, USA, 2011, pp. 517522.

[24] S. B. Ankali and D. V. Ashoka, Detection architecture of application

layer DDoS attack for internet, Int. J. Advanced Networking and Applications,
vol. 3, no. 01, pp. 984990, 2011.

[25] Y. S. Choi, J. T. Oh, J. S. Jang, and I. K. Kim, Timeslot Monitoring Model

for application layer DDoS attack detection, in 2011 6th International
Conference on Computer Sciences and Convergence Information Technology
(ICCIT), 2011, pp. 677679.
[26] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, Discriminating
DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE
Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073
1080, Jun. 2012.

[27] C. Ye, K. Zheng, and C. She, Application layer ddos detection using
clustering analysis, in 2012 2nd International Conference on Computer
Science and Network Technology (ICCSNT), 2012, pp. 10381041.

[28] S. Sivabalan and P. J. Radcliffe, A novel framework to detect and block

DDoS attack at the application layer, in 2013 IEEE TENCON Spring
Conference, 2013, pp. 578582.

[29] T. Ni, X. Gu, H. Wang, and Y. Li, Real-Time Detection of Application-

Layer DDoS Attack Using Time Series Analysis, Journal of Control Science
and Engineering, vol. 2013, p. e821315, Sep. 2013.

[30] J. Wang, M. Zhang, X. Yang, K. Long, and C. Zhou, HTTP-sCAN:

Detecting HTTP-flooding attaCk by modeling multi-features of web browsing
behavior from noisy dataset, in 2013 19th Asia-Pacific Conference on
Communications (APCC), 2013, pp. 677682.

[31] L. C. Giralte, C. Conde, I. M. de Diego, and E. Cabello, Detecting denial

of service by modelling web-server behaviour, Computers & Electrical
Engineering, vol. 39, no. 7, pp. 22522262, Oct. 2013.

[32] Y. Xie, S. Tang, X. Huang, C. Tang, and X. Liu, Detecting latent attack
behavior from aggregated Web traffic, Computer Communications, vol. 36,
no. 8, pp. 895907, May 2013.

[33] Y. Xie, S. Tang, Y. Xiang, and J. Hu, Resisting Web Proxy-Based HTTP
Attacks by Temporal and Spatial Locality Behavior, IEEE Transactions on
Parallel and Distributed Systems, vol. 24, no. 7, pp. 14011410, 2013.

[34] J. Wang, X. Yang, M. Zhang, K. Long, and J. Xu, HTTP-SoLDiER: An

HTTP-flooding attack detection scheme with the large deviation principle,
Sci. China Inf. Sci., pp. 115, Apr. 2014.

[35] W. Zhou, W. Jia, S. Wen, Y. Xiang, and W. Zhou, Detection and defense
of application-layer DDoS attacks in backbone web traffic, Future Generation
Computer Systems, vol. 38, pp. 3646, Sep. 2014.

[36] C. Xu, G. Zhao, G. Xie, and S. Yu, Detection on application layer DDoS
using random walk model, in 2014 IEEE International Conference on
Communications (ICC), 2014, pp. 707712.

[37] S. Yu, S. Guo, and I. Stojmenovic, Fool Me If You Can: Mimicking

Attacks and Anti-attacks in Cyberspace, IEEE Transactions on Computers,
vol. 99, no. PrePrints, p. 1, 2013.
[38] Y. Xie and S. Yu, Monitoring the Application-Layer DDoS Attacks for
Popular Websites, IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp.
1525, Feb. 2009.

[39] A. Bhandari, K. Kumar, and A. L. Sangal, Performance Metrics for

Defense Framework against Distributed Denial of Service Attacks, IJNS, vol.
6, 2014.

[1] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense
mechanisms, SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp. 39
53, 2004.
[2] C. Douligeris and A. Mitrokotsa, DDoS attacks and defense mechanisms:
classification and state-of-the-art, Computuer Networks, vol. 44, no. 5,
pp. 643666, 2004.
[3] J. M. Gregory, G. Prier, and P. Reiher, Attacking DDoS at the source, In
Proceedings of the IEEE International Conference on Network Protocols,
2002, pp. 312-321.
[4] Roland Dobbins, Breaking the Bank, 2015 [Online]. Available:
https://conference.apnic.net/data/37/breakingthebank.pdf.
[5] S. M. Specht and R. B. Lee, Distributed Denial of Service: Taxonomies of
Attacks, Tools, and Countermeasures., In Proceedings of the ISCA PDCS,
2004, pp. 543550.
[6] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B.
Schwartz, S. T. Kent, and W. T. Strayer, Single-packet IP traceback,
IEEE/ACM Transactions on Networking, vol. 10, no. 6, pp. 721734, 2002.
[7] Barbara Kitchenham and Stuart Charters, Guidelines for performing
Systematic Literature Reviews in Software Engineering, School of
Computer Science and Mathematics, Keele University, Jul. 2007.
[8] Wong Onn Chee and Tom Brennan, H.....t.....t....p....p....o....s....t, 2010
[Online]. Available:
https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf.
[9] Layer Seven DDoS Attacks, InfoSec Institute, 2015 [Online]. Available:
http://resources.infosecinstitute.com/layer-seven-ddos-attacks/.
[10] J. Jung, B. Krishnamurthy, and M. Rabinovich, Flash Crowds and Denial
of Service Attacks: Characterization and Implications for CDNs and Web
Sites, In Proceedings of the 11th International Conference on World
Wide Web, 2002, pp. 293304.
[11] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, CAPTCHA: Using Hard
AI Problems for Security, in Advances in Cryptology EUROCRYPT
2003, E. Biham, Ed. Springer Berlin Heidelberg, 2003, pp. 294311.
[12] W. Yen and M.-F. Lee, Defending application DDoS with constraint
random request attacks, In Proceedings of the Asia-Pacific Conference
on Communications, 2005, pp. 620624.
[13] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, DDoS-Resilient
Scheduling to Counter Application Layer Attacks Under Imperfect
Detection, In Proceedings of the 25th IEEE International Conference on
Computer Communications, 2006, pp. 113.
[14] T. Yatagai, T. Isohara, and I. Sasase, Detection of HTTP-GET flood Attack
Based on Analysis of Page Access Behavior, In Proceedings of the IEEE
Pacific Rim Conference on Communications, Computers and Signal
Processing, 2007, pp. 232235.
[15] J. Yu, Z. Li, H. Chen, and X. Chen, A Detection and Offense Mechanism to
Defend Against Application Layer DDoS Attacks, In Proceedings of the
International Conference on Networking and Services, 2007, pp. 5454.
[16] M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, Mitigating application-level
denial of service attacks on Web servers: A client-transparent approach,
ACM Trans. Web, vol. 2, no. 3, pp. 15:115:49, Jul. 2008.
[17] Y. Xie and S. Yu, A Large-Scale Hidden Semi-Markov Model for Anomaly
Detection on User Browsing Behaviors, IEEE/ACM Transactions on
Networking, vol. 17, no. 1, pp. 5465, 2009.
[18] G. Oikonomou and J. Mirkovic, Modeling Human Behavior for Defense
Against Flash-crowd Attacks, In Proceedings of the IEEE International
Conference on Communications, 2009, pp. 625630.
[19] J. Yu, C. Fang, L. Lu, and Z. Li, Mitigating application layer distributed
denial of service attacks via effective trust management, IET
communications, vol. 4, no. 16, pp. 19521962, 2010.
[20] S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, CALD: Surviving Various
Application-Layer DDoS Attacks That Mimic Flash Crowd, In Proceedings
of the International Conference on Network and System Security, 2010,
pp. 247254.
[21] P. Du and A. Nakao, OverCourt: DDoS mitigation through credit-based
traffic segregation and path migration, Computer Communications, vol.
33, no. 18, pp. 21642175, 2010.
[22] Y. Xuan, I. Shin, M. T. Thai, and T. Znati, Detecting Application Denial-of-
Service Attacks: A Group-Testing-Based Approach, IEEE Transactions on
Parallel and Distributed Systems, vol. 21, no. 8, pp. 12031216, 2010.
[23] D. Das, U. Sharma, and D. K. Bhattacharyya, Detection of HTTP Flooding
Attacks in Multiple Scenarios, In Proceedings of the International
Conference on Communication, Computing & Security, 2011, pp. 517
522.
[24] S. B. Ankali and D. V. Ashoka, Detection architecture of application layer
DDoS attack for internet, Int. J. Advanced Networking and Applications,
vol. 3, no. 01, pp. 984990, 2011.
[25] Y. S. Choi, J. T. Oh, J. S. Jang, and I. K. Kim, Timeslot Monitoring Model for
application layer DDoS attack detection, In Proceedings of the
International Conference on Computer Sciences and Convergence
Information Technology, 2011, pp. 677679.
[26] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, Discriminating DDoS
Attacks from Flash Crowds Using Flow Correlation Coefficient, IEEE
Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp.
10731080, 2012.
[27] C. Ye, K. Zheng, and C. She, Application layer ddos detection using
clustering analysis, In Proceedings of the International Conference on
Computer Science and Network Technology, 2012, pp. 10381041.
[28] S. Sivabalan and P. J. Radcliffe, A novel framework to detect and block
DDoS attack at the application layer, In Proceedings of the IEEE
TENCON Spring Conference, 2013, pp. 578582.
[29] T. Ni, X. Gu, H. Wang, and Y. Li, Real-Time Detection of Application-Layer
DDoS Attack Using Time Series Analysis, Journal of Control Science and
Engineering, vol. 2013, id. 821315.
[30] J. Wang, M. Zhang, X. Yang, K. Long, and C. Zhou, HTTP-sCAN: Detecting
HTTP-flooding attaCk by modeling multi-features of web browsing
behavior from noisy dataset, In Proceedings of the Asia-Pacific
Conference on Communications, 2013, pp. 677682.
[31] L. C. Giralte, C. Conde, I. M. de Diego, and E. Cabello, Detecting denial
of service by modelling web-server behaviour, Computers & Electrical
Engineering, vol. 39, no. 7, pp. 22522262, 2013.
[32] Y. Xie, S. Tang, X. Huang, C. Tang, and X. Liu, Detecting latent attack
behavior from aggregated Web traffic, Computer Communications, vol.
36, no. 8, pp. 895907, 2013.
[33] Y. Xie, S. Tang, Y. Xiang, and J. Hu, Resisting Web Proxy-Based HTTP
Attacks by Temporal and Spatial Locality Behavior, IEEE Transactions on
Parallel and Distributed Systems, vol. 24, no. 7, pp. 14011410, 2013.
[34] J. Wang, X. Yang, M. Zhang, K. Long, and J. Xu, HTTP-SoLDiER: An HTTP-
flooding attack detection scheme with the large deviation principle, Sci.
China Inf. Sci., pp. 115, 2014.
[35] W. Zhou, W. Jia, S. Wen, Y. Xiang, and W. Zhou, Detection and defense of
application-layer DDoS attacks in backbone web traffic, Future
Generation Computer Systems, vol. 38, pp. 3646, 2014.
[36] C. Xu, G. Zhao, G. Xie, and S. Yu, Detection on application layer DDoS
using random walk model, In Proceedings of the IEEE International
Conference on Communications (ICC), 2014, pp. 707712.
[37] S. Yu, S. Guo, and I. Stojmenovic, Fool Me If You Can: Mimicking Attacks
and Anti-attacks in Cyberspace, IEEE Transactions on Computers, vol.
64, no. 1, 2013, pp.139-151.
[38] Y. Xie and S. Yu, Monitoring the Application-Layer DDoS Attacks for
Popular Websites, IEEE/ACM Transactions on Networking, vol. 17, no. 1,
pp. 1525, 2009.
[39] A. Bhandari, K. Kumar, and A. L. Sangal, Performance Metrics for
Defense Framework against Distributed Denial of Service Attacks,
International Journal of Network Security, vol. 6, 2014.