Beyond SYNFloods: Guarding Web Server Resources from DDoS Attacks

SOSP 2003 Work-in-progress Session

Denial-of-Service attacks on web servers take many forms. In this paper, we look at a new breed of application-level attacks. An attacker compromises a large number of dummy clients (by means of a worm, virus or Trojan horse) and causes the clients to flood the web server with well-formed HTTP requests that download large files or generate complex database queries. Such requests cause the web server to expend costly server resources, such as sockets, disk bandwidth, database sub-system bandwidth and worker processes, on these dummy users. As a result, the performance seen by legitimate users degrades, eventually leading to denial of service. These attacks are hard to counter because the malicious requests are indistinguishable from legitimate requests at the server. Further, the dummy requests arrive from a large number of geographically distributed machines; thus, they cannot be filtered on source IP addresses or arrival patterns. Prior work has looked at network/transport-level DDoS attacks such as SYN flood and bandwidth attacks [1] and proposed a few solutions [2], [3]. We assume that a subset of these solutions protects a web server from both SYN flood and bandwidth attacks, and we focus on application-level attacks.
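As an added illustration of why source-based filtering misses this attack class (example code written for this page, not from the paper): a small analyzer over constructed Apache-style access log lines that tracks per-source request counts alongside server-wide worker occupancy, so that many low-rate sources can be seen saturating the worker pool while no single IP crosses a rate limit. The appended Apache `%D` service-time field, the worker count and the per-IP request limit are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed Apache-style lines with the request service time in
# microseconds (Apache's %D) appended as the last field; synthetic sample
# data for this example, not measurements from the paper.
ACCESS_LOG = """\
10.0.0.1 - - [01/Oct/2003:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048 1500
10.1.0.11 - - [01/Oct/2003:10:00:01 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
10.1.0.12 - - [01/Oct/2003:10:00:01 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
10.1.0.13 - - [01/Oct/2003:10:00:02 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
10.1.0.11 - - [01/Oct/2003:10:00:09 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
10.1.0.12 - - [01/Oct/2003:10:00:09 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
10.1.0.13 - - [01/Oct/2003:10:00:09 +0000] "GET /pub/big.iso HTTP/1.1" 200 700000000 8000000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} (?P<bytes>\d+|-) (?P<micros>\d+)$')

def parse_log(text):
    """One dict per well-formed line: source IP, bytes served, service seconds."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        sent = 0 if m['bytes'] == '-' else int(m['bytes'])
        records.append({'ip': m['ip'], 'bytes': sent,
                        'seconds': int(m['micros']) / 1e6})
    return records

def per_source_stats(records):
    """Requests, bytes and worker-seconds consumed per source IP."""
    stats = defaultdict(lambda: {'requests': 0, 'bytes': 0, 'seconds': 0.0})
    for r in records:
        s = stats[r['ip']]
        s['requests'] += 1
        s['bytes'] += r['bytes']
        s['seconds'] += r['seconds']
    return dict(stats)

def assess_window(records, window_s, workers, per_ip_req_limit):
    """Contrast a per-IP request-rate filter with server-wide worker occupancy."""
    stats = per_source_stats(records)
    flagged = sorted(ip for ip, s in stats.items() if s['requests'] > per_ip_req_limit)
    busy = sum(r['seconds'] for r in records)  # worker-seconds consumed in the window
    return {'per_ip_flagged': flagged,
            'max_requests_per_ip': max(s['requests'] for s in stats.values()),
            'worker_occupancy': round(busy / (workers * window_s), 3)}  # >1.0: oversubscribed
```

With a 10-second window and 4 workers, no source exceeds a limit of 5 requests, yet the requests together demand 1.2 times the available worker-seconds, which is the resource-level signal the per-IP view cannot provide.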