AIGG Threshold Based HTTP GET Flooding Attack Detection

  • Yang-seo Choi
  • Ik-Kyun Kim
  • Jin-Tae Oh
  • Jong-Soo Jang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7690)


Distributed denial-of-service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based businesses. As the attackers focus on economic gain, the HTTP GET Flooding attacks against the business web servers become one of the most frequently attempted attacks. Furthermore, the attack is becoming more sophisticated. In order to detect those attacks, several algorithms are developed. However, even though the developed technologies can detect the sophisticated attacks some of them need lots of system resources [12,13]. Sometimes due to the time consuming processes the whole performance of DDoS defense systems is degraded and it becomes another problem. For that, we propose a simple threshold based HTTP GET flooding attack detection algorithm. The threshold is generated from the characteristics of HTTP GET Request behaviors. In this algorithm, based on the defined monitoring period (MP) and Time Slot (TS), we calculate the Average Inter-GET_Request_Packet_Exist_TS-Gap (AIGG). The AIGG is used for threshold extraction. For effective detection, the optimized MP, TS and the threshold value, are extracted. In addition, the proposed algorithm doesn’t need to analyze every HTTP GET request packet so it needs less CPU resources than the algorithms which have to analyze all the request packets.


DDoS Attack HTTP GET Flooding Attack Detection Network Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Arbor Networks ASERT Team: South Korea and US DDoS Attacks. ARBOR Networks (July 10, 2009)Google Scholar
  2. 2.
    Youm, H.Y.: Korea’s experience of massive DDoS attacks from Botnet, ITU-T SG 17, Geneva (April 12, 2011),
  3. 3.
    Monthly Internet Incidents Trends and Analysis, 2011. vol.12, Korea Internet & Security Agency (January 2012)Google Scholar
  4. 4.
    Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication 34(2), 39–53 (2004)CrossRefGoogle Scholar
  5. 5.
    Mirkovic, J., Prier, G., Reiher, P.: Attacking DDoS at the Source. In: Proceedings of ICNP 2002, Paris, France, pp. 312–321 (November 2002)Google Scholar
  6. 6.
    Tupakula, U., Varadharajan, V.: A Practical Method to Counteract Denial of Service Attacks. In: Proceedings of ACSC 2003, Adelaide, Australia, pp. 275–284 (2003)Google Scholar
  7. 7.
    Lu, L., Chan, M., Chang, E.: Analysis of a General Probabilistic Packet Marking Model for IP Traceback. In: Proceedings of ASIACCS 2008 (2008)Google Scholar
  8. 8.
    Stone, R.: CenterTrack: An IP Overlay Network for Tracking DoS Floods. In: Proceeding of 9th Usenix Security Symposium (2002)Google Scholar
  9. 9.
    Chen, Y., Hwang, K., Ku, W.: Collaborative Detection of DDoS Attacks over Multiple Network Domains. IEEE Transations on Parallel and Distributed Systems (2007)Google Scholar
  10. 10.
    Yatagai, T., Isohara, T., Sasase, I.: Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior. In: Proceeding of PACRIM 2007, pp. 232–235 (2007)Google Scholar
  11. 11.
    Lu, W.Z., Yu, S.Z.: An HTTP Flooding Detection Method Based on Browser Behavior. In: International Conference on IEEE Computational Intelligence and Security 2006, vol. 2, pp. 1151–1154 (November 2006)Google Scholar
  12. 12.
    Xie, Y., Yu, S.: A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors. IEEE/ACM Transactions on Networking (2009)Google Scholar
  13. 13.
    Ranjan, S., Swaminathan, R., Uysal, M., et al.: DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks. IEEE/ACM Transactions on Networking 7(1), 26–39 (2009)CrossRefGoogle Scholar
  14. 14.
    Sen, J.: A Robust Mechanism for Defending Distributed Denial of Service Attacks On Web Servers. International Journal of Network Security & Its Applications (IJNSA) 3(2) (March 2011)Google Scholar
  15. 15.
    Das, D., Sharma, U., Bhattacharyya, D.K.: Detection of HTTP Flooding Attacks in Multiple Scenarios. In: Proceedings of the 2011 International Conference on Communication, Computing & Security (ICCCS 2011), pp. 517–522 (2011)Google Scholar
  16. 16.
    Liang, J., Naoumov, N., Ross, K.W.: The Index Poisoning Attack in P2P File Sharing Systems. In: Proceedings of INFOCOM 2006 (2006)Google Scholar
  17. 17.
    Yu, J., Fang, C., Lu, L., Li, Z.: A Lightweight Mechanism to Mitigate Application Layer DDoS Attacks. In: The 4th International ICST Conference on Scalable Information Systems (INFOSCALE 2009), Hong Kong, China, June 10-11 (2009)Google Scholar
  18. 18.
    Xie, Y., Yu, S.: Monitoring the Application-Layer DDoS Attacks for Popular Websites. IEEE/ACM Transactions on Networking (2009)Google Scholar
  19. 19.
    Nazario, J.: BlackEnergy DDoS Bot Anaysis. ARBOR Networks (October 2007)Google Scholar
  20. 20.
    Han, K., Im, E.: A Study on the Analysis of Netbot and Design of Detection Framework. In: Proceedings of JWIS 2009 (2009)Google Scholar
  21. 21.
    Electronics and Communications Research Institute (ETRI),
  22. 22.
  23. 23.
  24. 24.
    Universal HTTP Denial-of-Service,Hybrid Security,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yang-seo Choi
    • 1
  • Ik-Kyun Kim
    • 1
  • Jin-Tae Oh
    • 1
  • Jong-Soo Jang
    • 1
  1. 1.Cyber Security-Convergence Research DepartmentETRIDaejeonSouth Korea

Personalised recommendations