Open Access Open Access  Restricted Access Subscription or Fee Access

Detecting the DDOS Attacks in Application Layer

R. Rathika, B. Dharanya, K. Kiruthika Devi


Distributed Denial of Service (DDoS) attacks is flattering ever more challenging with the vast resources and techniques increasingly available to attackers. Distributed Denial of Service (DDoS) attacks constitutes one of the most important threats and among the hardest security problems in today's Internet of particular concern are Distributed Denial of Service (DDoS) attacks, whose collision can be proportionally severe. In this paper, consider sophisticated attacks that are protocol-compliant, non-intrusive, and utilize legitimate application-layer requests to overwhelm system resources. I have characterize application-layer resource attacks as either request flooding, asymmetric, or repeated one-shot, on the basis of the application workload parameters that they exploit. To protect servers from these attacks, propose a counter-mechanism that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler, DDoS Shield. In contrast to prior work, our distrust mechanism assigns a continuous valued vs. binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session’s requests. Using tested experiments on a web application, demonstrate the strength of these resource attacks and evaluate the efficiency of our counter-mechanism. For instance, affect an asymmetric attack which overwhelms the server resources, increasing the response time of legitimate clients from 0.1 seconds to 10 seconds. Under the same attack scenario, DDoS Shield limits the effects of false-negatives and false-positives and improves the victims’ performance to 0.8 seconds.


Distributed Denial of Service Attack (DDos), Web Application, Application Layer

Full Text:



K. Poulsen, “FBI Busts Alleged DDoS Mafia,” 2004.[Online].Available:

“Incident Note IN-2004-01 W32/Novarg. A Virus,” CERT, 2004. [Online]. Available: IN-2004-01.html

S. Kandula, D. Katabi, M. Jacob, and A. W. Berger, “Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds,”MIT, Tech. Rep. TR-969, 2004

I. Ari, B. Hong, E. L. Miller, S. A. Brandt, and D. D. E. Long, “Modeling, Analysis and Simulation of Flash Crowds on the Internet,” Storage Systems Research Center Jack Baskin School of Engineering University of California, Santa Cruz Santa Cruz, CA, Tech. Rep. UCSC-CRL-03-15, Feb. 28, 2004 [Online]. Available:, 95064

J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites,” in Proc. 11th IEEE Int. World Wide Web Conf., May 2002, pp. 252–262.

Y. Xie and S. Yu, “A detection approach of user behaviors based on HsMM,” in Proc. 19th Int. Teletraffic Congress (ITC19), Beijing, China, Aug. 29–Sep. 2 2005, pp. 451–460.

Y. Xie and S. Yu, “A novel model for detecting application layer DDoS attacks,” in Proc. 1st IEEE Int. Multi-Symp. Comput. Computat. Sci. (IMSCCS|06), Hangzhou, China, Jun. 20–24, 2006, vol. 2, pp. 56–63.

S.-Z. Yu and H. Kobayashi, “An efficient forward-backward algorithm for an explicit duration hidden Markov model,” IEEE Signal Process. Lett., vol. 10, no. 1, pp. 11–14, Jan. 2003.

L. I. Smith, A Tutorial on Principal Components Analysis [EB/OL], 2003 [Online]. Available: notes/ pca.pdf

A. Hyvärinen, “Survey on independent component analysis,” Neural Comput. Surveys, vol. 2, pp. 94–128, 1999.

A. Hyvärinen, “Fast and robust fixed-point algorithms for independent component analysis,” IEEE Trans. Neural Netw., vol. 10, no. 3, pp. 626–634, Jun. 1999.

J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, and R. K. Mehra, “Proactive detection of distributed denial of service attacks using MIB traffic variables a feasibility study,” in Proc. IEEE/IFIP Int. Symp. Integr. Netw. Manag., May 2001, pp. 609–622.

J. Yuan and K. Mills, “Monitoring the macroscopic effect of DDoS flooding attacks,” IEEE Trans. Dependable and Secure Computing, vol. 2, no. 4, pp. 324–335, Oct.-Dec. 2005.

J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS at the source,” in Proc. Int. Conf. Network Protocols, 2002, pp. 312–321.

T. Peng and K. R. M. C. Leckie, “Protection from distributed denial of service attacks using history-based IP filtering,” in Proc. IEEE Int Conf. Commun., May 2003, vol. 1, pp. 482–486.

B. Xiao, W. Chen, Y. He, and E. H.-M. Sha, “An active detecting method against SYN flooding attack,” in Proc. 11th Int. Conf. Parallel Distrib. Syst., Jul. 20–22, 2005, vol. 1, pp. 709–715.

H.Wang, D. Zhang, and K. G. Shin, “Detecting SYN flooding attacks,” in Proc. IEEE INFOCOM, 2002, vol. 3, pp. 1530–1539.

L. Limwiwatkul and A. Rungsawangr, “Distributed denial of service detection using TCP/IP header and traffic measurement analysis,” in Proc. Int. Symp. Commun. Inf. Technol., Sappoo, Japan, Oct. 26–29, 2004, pp. 605–610.

S. Noh, C. Lee, K. Choi, and G. Jung, “Detecting Distributed Denial of Service (DDoS) attacks through inductive learning,” Lecture Notes in Computer Science, vol. 2690, pp. 286–295, 2003.

S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, “DDoS-resilient scheduling to counter application layer attacks under imperfect detection,” in Proc. IEEE INFOCOM, Apr. 2006.

W. Yen and M.-F. Lee, “Defending application DDoS with constraint random request attacks,” in Proc. Asia-Pacific Conf. Commun., Perth, Western Australia, Oct. 3–5, 2005, pp. 620–624.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.