Defending Web Servers Against Flash Crowd Attacks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12727)


A flash crowd attack (FCA) floods a service, such as a Web server, with well-formed requests generated by numerous bots. FCA traffic is difficult to filter, since individual attack and legitimate service requests look identical. We propose robust and reliable models of human interaction with a server, which can identify and block a wide variety of bots. We implement the models in a system called FRADE, and evaluate them on three Web servers with different server applications and content. Our results show that FRADE detects both naive and sophisticated bots within seconds, and successfully filters out attack traffic. FRADE significantly raises the bar for a successful attack, by forcing attackers to deploy at least three orders of magnitude larger botnets than today.



This material is based upon work supported by the National Science Foundation under grant number 1319215.



Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. University of Southern California Information Sciences Institute, Marina del Rey, USA
