A Middleware System for Protecting Against Application Level Denial of Service Attacks

  • Mudhakar Srivatsa
  • Arun Iyengar
  • Jian Yin
  • Ling Liu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4290)


Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and web applications either for extortion reasons, or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application level DoS attacks emulate the same request syntax and network level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to be detected and countered. Moreover, such attacks usually target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this paper we propose server-side middleware to counter application level DoS attacks. The key idea behind our technique is to adaptively vary a client’s priority level, and the relative amount of resources devoted to this client, in response to the client’s past requests in a way that incorporates application level semantics. Application specific knowledge is used to evaluate the cost and the utility of each request and the likelihood that a sequence of requests are sent by a malicious client. Based on the evaluations, a client’s priority level is increased or decreased accordingly. A client’s priority level is used by the server side firewall to throttle the client’s request rate, thereby ensuring that more server side resources are allocated to the legitimate clients. We present a detailed implementation of our approach on the Linux kernel and evaluate it using two sample applications: Apache HTTPD micro-benchmarks and TPCW. Our experiments show that our approach incurs low performance overhead and is resilient to application level DoS attacks.


Priority Level Network Address Translation High Priority Level Legitimate Client Good Client 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Netfilter/IPTables project homepage,
  2. 2.
    Apache. Apache HTTP server,
  3. 3.
    Apache. Apache tomcat servlet/JSP container,
  4. 4.
    Bernstein, D.J.: SYN cookies (2005),
  5. 5.
    Cardellini, V., Casalicchio, E., Colajanni, M., Mambelli, M.: Enhancing a web server cluster with quality of service mechanisms. In: Proceedings of 21st IEEE IPCCC (2002)Google Scholar
  6. 6.
    CERT. Incident note IN-2004-01 W32/Novarg. A virus (2004)Google Scholar
  7. 7.
    Chandra, S., Ellis, C.S., Vahdat, A.: Application-level differentiated multimedia web services using quality aware transcoding. In: Proceedings of IEEE special issue on QoS in the Internet (2000)Google Scholar
  8. 8.
    Chen, H., Iyengar, A.: A tiered system for serving differentiated content. In: Proceedings of World Wide Web: Internet and Web Information Systems, vol. 6(4) (December 2003)Google Scholar
  9. 9.
    Cherkasova, L., Phaal, P.: Session based admission control: a mechanism for web QoS. In: Proceedings of IEEE Transactions on Computers (2002)Google Scholar
  10. 10.
    Crosby, S.A., Wallach, D.S.: Denial of service via algorithmic complexity attacks. In: Proceedings of 12th USENIX Security Symposium, pp. 29–44 (2003)Google Scholar
  11. 11.
    Dwork, C., Naor, M.: Pricing via Processing or Combatting Junk Mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  12. 12.
    Egevang, K., Francis, P.: RFC 1631: The IP network address translator (NAT) (1994),
  13. 13.
    Ferguson, R., Senie, D.: RFC 2267: Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing (1998),
  14. 14.
    FireFox. Mozilla firefox web browser (2005),
  15. 15.
    fox, A., Gribble, S. D., Chawathe, Y., Brewer, E.A., gauthier, P.: Cluster-based scalable network services. In: Proceedings of 16th ACM SOSP (1997)Google Scholar
  16. 16.
    Google. Google mail,
  17. 17.
    Google. Google maps,
  18. 18.
  19. 19.
  20. 20.
    IBM. DB2 universal database (2005),
  21. 21.
    Iyengar, A., Ramaswamy, L., Schroeder, B.: Techniques for efficiently serving and caching dynamic web content. In: Tang, X., Xu, J., Chanson, S. (eds.) Web Content Delivery. Springer, Heidelberg (2005)Google Scholar
  22. 22.
    Juels, A., Brainard, J.: Client puzzle: A cryptographic defense against connection depletion attacks. In: Proceedings of NDSS (1999)Google Scholar
  23. 23.
    Jung, J., Krishnamurthy, B., rabinovich, M.: Flash crowds and denial of service attacks: Characterization and implications for cdns and web sites. In: Proceedings of 10th WWW Conference (2002)Google Scholar
  24. 24.
    Kandula, S., Katabi, D., Jacob, M., Berger, A.: Botz-4-sale: Surviving organized DDoS attacks that mimic flash crowds. In: Proceedings of 2nd USENIX NSDI (2005)Google Scholar
  25. 25.
    Kent, S.: RFC 2401: Secure architecture for the internet protocol (1998),
  26. 26.
    Keromytis, A., Misra, V., Rubenstein, D.: SOS: Secure overlay services. In: Proceedings of the ACM SIGCOMM (2002)Google Scholar
  27. 27.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication (1997),
  28. 28.
    Leyden, J.: East european gangs in online protection racket,
  29. 29.
    Netscape. Javascript language specification,
  30. 30.
    OpenSSL: Openssl,
  31. 31.
    PHARM. Java TPCW implementation distribution (2000),
  32. 32.
    Poulsen, K.: FBI busts alleged DDoS mafia (2004),
  33. 33.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: Proceedings of ACM SIGCOMM (2000)Google Scholar
  34. 34.
    Siris, V.A., Papagalou, F.: Application of anomaly detection algorithms for detecting SYN flooding attacks. In: Proceedings of IEEE Globecom (2004)Google Scholar
  35. 35.
    Stoica, I., Shenker, S., Zhang, H.: Core-stateless fair queuing: A scalable architecture to approximate fair bandwidth allocations in high speed networks. In: Proceedings of SIGCOMM (1998)Google Scholar
  36. 36.
    Stubblefield, A., Dean, D.: Using client puzzles to protect tls. In: Proceedings of 10th USENIX Security Symposium (2001)Google Scholar
  37. 37.
    TPC: TPCW: Transactional e-commerce benchmark (2000),
  38. 38.
  39. 39.
    Wang, X., Reiter, M.K.: Defending against denial-of-service attacks with puzzle auctions. In: Proceedings of IEEE Symposium on Security and Privacy (2003)Google Scholar
  40. 40.
    Wang, X., Reiter, M.K.: Mitigating bandwidth exhaustion attacks using congestion puzzles. In: Proceedings of 11th ACM CCS (2004)Google Scholar
  41. 41.
    Waters, B., Juels, A., Halderman, A., Felten, E.W.: New client puzzle outsourcing techniques for dos resistance. In: Proceedings of 11th ACM CCS (2004)Google Scholar
  42. 42.
    Wei, C.K.: AJAX: Asynchronous Java + XML (2005),
  43. 43.
    Wikipedia. Comparison of web browsers,
  44. 44.
    Yang, B., Garcia-Molina, H.: Improving search in peer-to-peer networks. In: Proceedings of 22nd IEEE ICDCS (2002)Google Scholar
  45. 45.
    Yang, X., Wetherall, D., Anderson, T.: A DoS-limiting network architecture. In: Proceedings of ACM SIGCOMM (2005)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Mudhakar Srivatsa
    • 1
  • Arun Iyengar
    • 2
  • Jian Yin
    • 2
  • Ling Liu
    • 1
  1. 1.College of Computing, Georgia Institute of TechnologyAtlantaUSA
  2. 2.IBM T. J. Watson Research CenterYorktown HeightsUSA

Personalised recommendations