Denial-of-Service attacks on web servers take many forms. In this paper, we look at a new breed of application-level attacks. An attacker compromises a large number of dummy clients (by means of a worm, virus or Trojan horse) and causes the clients to ﬂood the web server with well-formed HTTP requests that download large ﬁles or generate complex database queries. Such requests cause the web server to expend costly server resources like sockets, disk bandwidth, database sub-system bandwidth and worker processes on these dummy users. As a result, performance seen by legitimate users will degrade, eventually leading to denial of service. These attacks are hard to counter as the malicious requests are indistinguishable from legitimate requests at the server. Further, the dummy requests arrive from a large number of geographically distributed machines; thus, they cannot be ﬁltered on source IP addresses or arrival patterns. Prior work has looked at network/transport level DDoS attacks such as SYN ﬂood and bandwidth attacks  and proposed a few solutions , . We assume that a subset of these solutions protect a web server from both SYN ﬂood and bandwidth attacks and focus on application-level attacks.