Research Paper Undergraduate 1,425 words

DDoS Attack Detection and Mitigation Strategies

Abstract

This paper examines one detection method and two mitigation strategies for distributed denial-of-service (DDoS) attacks on web applications and networks. It reviews change-point detection using joint-entropy analysis for identifying DDoS traffic, signature-based mitigation with SNORT and firewall rules, and adaptive model-driven dynamic firewall approaches. The paper synthesizes research on how attackers exploit network vulnerabilities while organizations implement hybrid detection and response mechanisms to reduce false positives and protect critical infrastructure from coordinated flooding attacks.

How to Write This Type of Paper

What makes this paper effective

  • Clear organizational structure separating detection from two distinct mitigation approaches, making technical content accessible.
  • Practical focus on real-world challenges: false positives/negatives, flash crowds mimicking attacks, and attacker evasion techniques.
  • Integration of three recent peer-reviewed sources that address complementary aspects of the DDoS problem across detection and mitigation tiers.
  • Specific technical implementations (SNORT, reverse proxies, CAPTCHA, performance modeling) grounded in cited research rather than abstract concepts.

Key academic technique demonstrated

The paper demonstrates comparative analysis across defense mechanisms by examining each approach's strengths and limitations. For example, change-point detection is praised for accuracy but critiqued for vulnerability to attacker mimicry; signature-based schemes are noted for simplicity but flagged for false positive problems; and adaptive dynamic firewalls are presented as hybrid solutions that combine statistical and model-based intelligence. This balanced treatment strengthens the literature review by avoiding overselling any single method.

Structure breakdown

The paper follows a logical problem-solution arc: introduction establishes the threat, background sections explain why existing approaches have gaps (false positives, evasion), the detection section presents joint-entropy analysis as one solution, and two mitigation sections progressively advance from rule-based filtering to intelligent adaptive systems. The conclusion synthesizes key deployment concepts, ensuring readers understand not just what to do but how implementation works in practice.

Introduction

The Internet remains a critical subject because attacks on the major, universally shared communication infrastructure continue to increase. This study identifies one detection approach and two mitigation strategies, and in doing so shows that distributed denial-of-service (DDoS) attacks have become a common part of daily business operations.

Detection Strategy: Change-Point Detection

Denial of service (DoS) is one of the most commonly reported attacks. These attacks degrade network quality of service in unpredictable ways. Detection methods for distributed denial of service include information-distance detection, change-point detection, wavelet analysis, and activity profiling. The change-point detection method is based on features specific to DDoS attacks; however, it remains vulnerable to external attackers who mimic these features to fool detection systems (Rahmani, Sahli & Kamoun, 2012).

The open architecture of the Internet allows attackers to spoof the source IP addresses of attack packets, so the observed distribution of source addresses no longer reflects the real senders; this works against the source-address algorithms used by distribution-based detection. Attackers likewise set the packet values that hop-count detection relies on to match the real distance between victims and zombies, countering that method. Such events are difficult to detect in real time by observing traffic, especially when the observed network carries so much traffic that the malicious packets are drowned out.

A significant challenge is distinguishing legitimate traffic spikes from DDoS attacks. Attackers may mimic the behavior of flash crowds—sudden increases in legitimate traffic. For instance, fans access official websites during important sports matches, or users check news websites during breaking news events. DDoS attacks and flash crowds exhibit similar behaviors, and the change-point detection method allows users to differentiate between them effectively (Rahmani, Sahli & Kamoun, 2012). Without accurate discrimination, systems risk raising false alarms. Further, attackers may mimic traffic features from flash crowds to disable detectors and create false negatives (Carl, Kesidis, Brooks, & Rai, 2006).

Change-point detection is applicable to many network types, including wireless area networks, local area networks, and high-speed links. For high-speed links, the constraints on connections can be determined using central limit theorems; for low-speed networks, the approach uses a gamma distribution instead. The method requires access to the IP header of every packet but extracts only the timestamp and the source and destination IP addresses (Rahmani, Sahli & Kamoun, 2012). The joint-entropy calculation depends on the size and number of connections overall; once these parameters are known, the granularity of the traffic volume is fully defined.

The detection scheme does not detect all attacks. Volume-based schemes may produce false negatives for short-term DDoS attacks that do not significantly change the connection distribution or the traffic volume. Results show that the approach achieves greater accuracy than other entropy-based methods, particularly for low-rate and intelligent attacks. The scheme requires access only to the IP header of each packet, which makes practical implementation on real-time high-speed links feasible (Rahmani, Sahli & Kamoun, 2012). However, when the distribution of attack traffic resembles that of legitimate traffic, detection becomes impossible. Additionally, choosing thresholds that account for both high-rate and low-rate attacks remains difficult.
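As an added illustration (not code from the paper or from Rahmani, Sahli and Kamoun), the following Python example keeps only what the method needs from each packet, the timestamp and the source and destination addresses, computes the joint entropy of the (source, destination) pairs per fixed time window, and applies a two-sided CUSUM change-point test against a baseline learned from the first windows. The packet trace, the 10-second window, the baseline length and the alarm threshold are constructed assumptions.

```python
import math
from collections import Counter

WINDOW = 10.0  # seconds per observation window (assumed value)

def joint_entropy(pairs):
    """Shannon joint entropy H(src, dst) in bits over a list of (src, dst) pairs."""
    n = len(pairs)
    return -sum(c / n * math.log2(c / n) for c in Counter(pairs).values())

def windowed_entropy(packets, width=WINDOW):
    """Bucket (timestamp, src, dst) records into fixed windows; one entropy value per window."""
    buckets = {}
    for ts, src, dst in packets:
        buckets.setdefault(int(ts // width), []).append((src, dst))
    return [joint_entropy(buckets[k]) for k in sorted(buckets)]

def cusum_change_points(series, baseline_n, h, drift=0.5):
    """Two-sided CUSUM on standardized entropy; baseline mean/std come from the first baseline_n windows."""
    base = series[:baseline_n]
    mu = sum(base) / baseline_n
    sd = math.sqrt(sum((x - mu) ** 2 for x in base) / baseline_n) or 1.0
    up = down = 0.0
    alarms = []
    for i in range(baseline_n, len(series)):
        z = (series[i] - mu) / sd
        up = max(0.0, up + z - drift)      # upward shift: e.g. many spoofed sources appear
        down = max(0.0, down - z - drift)  # downward shift: traffic collapses onto few pairs
        if up > h or down > h:
            alarms.append(i)
            up = down = 0.0                # restart after reporting a change point
    return alarms

def build_packets():
    """Constructed trace: windows 0-5 normal (12 clients, 3 servers, rising load); 6-7 flood from 400 spoofed sources."""
    pkts = []
    for w in range(6):
        n = 48 + 6 * w
        for i in range(n):
            pkts.append((w * WINDOW + WINDOW * i / n,
                         f"10.0.0.{(7 * i + w) % 12 + 1}", f"192.0.2.{(i + w) % 3 + 1}"))
    for w in (6, 7):
        for i in range(400):
            pkts.append((w * WINDOW + WINDOW * i / 400,
                         f"198.51.{i // 256}.{i % 256}", "192.0.2.1"))
    return pkts

if __name__ == "__main__":
    series = windowed_entropy(build_packets())
    print([round(x, 3) for x in series], cusum_change_points(series, baseline_n=4, h=5.0))
```

The threshold h is exactly the parameter the text calls hard to choose: a low-rate attack that barely shifts the entropy can stay below it, which is the false-negative case described above.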

DDoS attacks are distributed, coordinated attempts at large-scale network flooding with packets that victim networks cannot handle. Victims lose the ability to provide services to legitimate users, and network performance deteriorates significantly. These attacks exhaust resources including memory, bandwidth, and computing power. Systems suffering from attacks and service inadequacies are called "primary victims," while systems used to originate attacks are "secondary victims" (Tripathi, Gupta, Mishra, & Veluru, 2013).

First Mitigation Strategy: Signature-Based Filtering

For DDoS attacks, attackers select compromised machines that have security vulnerabilities. Networks of compromised machines are known as botnets. Botnets receive instructions to execute damaging commands that consume resources on victim systems. One approach, called a vulnerability attack, sends malicious packets carrying viruses and worms at running applications (Tripathi, Gupta, Mishra, & Veluru, 2013). The more common approach exhausts the victim system's resources by depleting input-output bandwidth, CPU, database bandwidth, and memory.

DDoS mitigation mechanisms are classified by two primary criteria: timing and activity. By timing, detection is either passive, achieved by analyzing logs after the attacker has completed the mission, or proactive, occurring before the attack targets machines or disrupts services. By activity, a scheme may be signature-based, using prior knowledge of attack signatures. SNORT-based mitigation techniques are widely used in developing preventive concepts and implementation policies (Carl, Kesidis, Brooks, & Rai, 2006).

Anomaly-based schemes treat incoming traffic that violates a profile of normal behavior as an attack. To mitigate DDoS attacks effectively, it is important to understand the overall normal behavior of hosts and to identify deviations from it. A significant challenge for anomaly-based intrusion mitigation systems is the difficulty of processing the large amount of data that characterizes the many varieties of normal traffic behavior. Consequently, legitimate traffic may be misclassified as attack traffic, resulting in false positives (Tripathi, Gupta, Mishra, & Veluru, 2013).

Second Mitigation Strategy: Adaptive Dynamic Firewall

This section discusses the Dynamic Firewall component as an effective approach to DDoS mitigation. The strategy develops an adaptive algorithm architecture and model-based approaches for DDoS mitigation at the web application level. Dynamic Firewall components are added to the standard web application stack, and all requests are routed through the firewall. The arrival of an HTTP request triggers a reverse proxy that processes the request according to established rules, and a decision engine applies performance models for application monitoring together with statistical anomaly detection (Barna, Shtern, Tzerpos & Litoiu, 2014).

The Dynamic Firewall decides whether requests overload the web application, creates rules identifying how requests are handled (Decision Engine), and processes incoming traffic according to those rules (Reverse Proxy). The Reverse Proxy acts as a simple, context-aware HTTP request router that redirects legitimate requests to the web application and suspicious requests to Analyzers (Tripathi, Gupta, Mishra, & Veluru, 2013). Proxy routing follows the rule-based philosophy of regular firewall configuration, with rules modified at runtime by the Decision Engine. Analyzers test the legitimacy of traffic the rules flag as suspicious, using tests that differentiate automated agents from humans, such as CAPTCHA.

The scheme monitors application data to adapt and create updates, removing or adding rules based on attack presence or absence. Rules classify requests as regular or suspicious. Regular traffic is maintained on the web application, while suspicious traffic is forwarded to Analysis components that challenge end users with CAPTCHA tests to verify legitimacy.

This approach extends previous work by introducing a hybrid mitigation strategy that combines statistical anomaly detection with a model-based adaptive algorithm. Experimental demonstrations show the strengths of the hybrid approach compared to previous methods that rely solely on statistical anomaly detection (Barna, Shtern, Tzerpos & Litoiu, 2014). The extended approach is less sensitive to tuning and handles DDoS attacks that the previous approaches fail to detect correctly. Experiments comparing more complex statistical approaches to anomaly detection empirically show that careful tuning of the statistical model is effective in constrained situations; however, this creates a sensitive dependency, because the model must be retuned to protect against unknown attacks.

The adaptive model-based technique applies queuing theory and creates an abstract view of the application that does not rely on external definitions or baselines for unknown attacks. DDoS attacks that overload computer resources challenge defense systems. Experts argue that one possible solution is improving security within Internet hosts so that attackers cannot launch DDoS attacks from them. Examples of such defense schemes include source-end approaches like D-WARD. However, source-end defense mechanisms face implementation challenges and fundamental doubts regarding wide deployment (Barna, Shtern, Tzerpos, & Litoiu, 2014). Victim-side defenses are a more feasible alternative. Available DDoS mitigation tools augmented with load-monitoring schemes prevent clients from consuming excessive bandwidth. Other approaches include QoS regulation and cryptographic approaches, though these face challenges including the computational expense of traffic filtering and the susceptibility of the defense tools themselves to DDoS (Carl, Kesidis, Brooks, & Rai, 2006). Current mitigation approaches represent a variety of partial solutions rather than complete DDoS prevention.

This paper describes novel approaches for mitigating and detecting attacks on HTTP web applications. Web applications comprise all resources necessary to run user-facing components, including application servers, database servers, and HTTP servers (Barna, Shtern, Tzerpos & Litoiu, 2014). Protection requires deploying a Dynamic Firewall that is application-aware and processes all incoming requests using adaptive, well-managed rules. Each request is evaluated either as regular traffic, which is presented to the application, or as suspicious traffic, which is forwarded to Analyzer components for challenge-response tests. The outcome of the test determines whether the suspicious traffic is admitted to the application as legitimate.

Conclusion

Requests analyzed at fine granularity are grouped into request classes and representations based on browsing behavior and application procedures. Requests are considered suspicious if they cause web application overload. Adaptive DDoS mitigation requires an understanding of baseline system behavior in normal, non-attack situations (Barna, Shtern, Tzerpos & Litoiu, 2014). The Dynamic Firewall builds this understanding through continuous monitoring of normal application load. The gathered measurements form a performance profile for the web application, which is the basis for aggregated metrics including request arrival rate, response time, and CPU utilization. The profile format and contents are determined per application so as to best capture normal system behavior. Web application performance profiles are constructed automatically within permissible value ranges, which administrators can hand-tune to establish the range of each performance metric.
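To show how the performance profile, the Decision Engine's rule updates and the Reverse Proxy's routing fit together, the following Python example is added (it is not the authors' Dynamic Firewall code): it derives per-request-class permissible ranges from constructed normal-load measurements, lets a decision engine add a "send to Analyzer" rule when a class exceeds its range and remove it once load returns to normal, and routes a request accordingly. The metric names, the 25% tolerance margin standing in for hand-tuning, and all sample values are assumptions.

```python
from dataclasses import dataclass

METRICS = ("arrival_rate", "response_time", "cpu")  # the per-class metrics named in the text

NORMAL_SAMPLES = {  # constructed measurements taken under normal, non-attack load
    "search": [{"arrival_rate": 20, "response_time": 0.20, "cpu": 30},
               {"arrival_rate": 25, "response_time": 0.30, "cpu": 40},
               {"arrival_rate": 30, "response_time": 0.25, "cpu": 35}],
    "static": [{"arrival_rate": 100, "response_time": 0.020, "cpu": 10},
               {"arrival_rate": 120, "response_time": 0.030, "cpu": 12},
               {"arrival_rate": 110, "response_time": 0.025, "cpu": 11}],
}

@dataclass
class Profile:
    """Permissible range per metric for one request class (the performance profile)."""
    low: dict
    high: dict

def build_profile(samples, tolerance=0.25):
    """Derive a profile from normal-load samples; each range is widened by `tolerance` of its
    span (assumed heuristic standing in for the administrator's hand-tuned margins)."""
    low, high = {}, {}
    for m in METRICS:
        vals = [s[m] for s in samples]
        lo, hi = min(vals), max(vals)
        margin = tolerance * ((hi - lo) or hi)
        low[m], high[m] = lo - margin, hi + margin
    return Profile(low, high)

class DecisionEngine:
    """Adds a 'route to Analyzer' rule for a class that overloads the application and
    removes it again once that class is back within its profile."""
    def __init__(self, profiles):
        self.profiles = profiles   # request class -> Profile
        self.suspicious = set()    # active rules consumed by the reverse proxy

    def update(self, measurements):
        """measurements: request class -> {metric: current value}; returns the rule set."""
        for cls, m in measurements.items():
            p = self.profiles[cls]
            if any(m[k] > p.high[k] for k in METRICS):  # overload = above the permitted range
                self.suspicious.add(cls)
            else:
                self.suspicious.discard(cls)
        return set(self.suspicious)

def route(engine, request_class):
    """Reverse-proxy decision for one request: challenge suspicious classes, pass the rest."""
    return "analyzer" if request_class in engine.suspicious else "application"
```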

Cite This Paper
PaperDue. (2026). DDoS Attack Detection and Mitigation Strategies. PaperDue. https://www.paperdue.com/study-guide/ddos-detection-mitigation-strategies-195966
