CALD : surviving various application-layer DDoS attacks that mimic flash crowd Wen, Sheng, Jia, Weijia, Zhou, Wei, Zhou, Wanlei and Xu, Chuan 2010, CALD : surviving various application-layer DDoS attacks that mimic flash crowd, in NSS 2010 : Proceedings of the 4th International Conference on Network and System Security, IEEE, Piscataway, N.J., pp. 247-254, doi: 10.1109/NSS.2010.69. Attached Files Name Description MIMEType Size Downloads zhou-caldsurviving-2010.pdf Published version application/pdf 294.77KB 1538 Title CALD : surviving various application-layer DDoS attacks that mimic flash crowd Author(s) Wen, Sheng Jia, Weijia Zhou, Wei Zhou, Wanlei Xu, Chuan Conference name International Conference on Network and System Security (4th : 2010 : Melbourne, Vic.) Conference location Melbourne, Vic. Conference dates 1-3 Sep. 2010 Title of proceedings NSS 2010 : Proceedings of the 4th International Conference on Network and System Security Editor(s) Xiang, Yang orcid.org/0000-0001-5252-0831 Samarati, Pierangela Hu, Jiankun Zhou, Wanlei Sadeghi, Ahmad-Reza Publication date 2010 Conference series Network and System Security International Conference Start page 247 End page 254 Total pages 8 Publisher IEEE Place of publication Piscataway, N.J. Keyword(s) DDoS application-layer Kalman Filter information theory Summary Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when suchattacks mimic or occur during the flash crowd event of a popular Website. In this paper, we present the design and implementation of CALD, an architectural extension to protect Web servers against various DDoS attacks that masquerade as flash crowds. CALD provides real-time detection using mess tests but is different from other systems that use resembling methods. First, CALD uses a front-end sensor to monitor thetraffic that may contain various DDoS attacks or flash crowds. Intense pulse in the traffic means possible existence of anomalies because this is the basic property of DDoS attacks and flash crowds. Once abnormal traffic is identified, the sensor sends ATTENTION signal to activate the attack detection module. Second, CALD dynamically records the average frequency of each source IP and check the total mess extent. Theoretically, the mess extent of DDoS attacks is larger than the one of flash crowds. Thus, with some parameters from the attack detection module, the filter is capable of letting the legitimate requests through but the attack traffic stopped. Third, CALD may divide the security modules away from the Web servers. As a result, it keeps maximum performance on the kernel web services, regardless of the harassment from DDoS. In the experiments, the records from www.sina.com and www.taobao.com have proved the value of CALD. Notes This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder. ISBN 9780769541594 Language eng DOI 10.1109/NSS.2010.69 Field of Research 080503 Networking and Communications Socio Economic Objective 970108 Expanding Knowledge in the Information and Computing Sciences HERDC Research category E1 Full written paper - refereed HERDC collection year 2010 Copyright notice ©2010, by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved Free to Read? Yes Persistent URL http://hdl.handle.net/10536/DRO/DU:30033643 Document type: Conference Paper Collections: Faculty of Science, Engineering and Built Environment School of Information Technology Open Access Collection Related Links Link Description Connect to conference website Go to link with your DU access privileges   Connect to published version (restricted access) Go to link with your DU access privileges     Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved. Every reasonable effort has been made to ensure that permission has been obtained for items included in DRO. If you believe that your rights have been infringed by this repository, please contact drosupport@deakin.edu.au. Versions Version Filter Type Fri, 25 Mar 2011, 15:28:33 EST Tue, 29 Mar 2011, 13:34:11 EST Wed, 30 Mar 2011, 09:26:08 EST Tue, 12 Apr 2011, 14:34:42 EST Fri, 15 Apr 2011, 12:43:24 EST Tue, 19 Apr 2011, 12:21:15 EST Tue, 19 Apr 2011, 12:25:24 EST Tue, 19 Apr 2011, 12:26:01 EST Tue, 19 Apr 2011, 12:26:53 EST Tue, 19 Apr 2011, 12:28:42 EST Tue, 19 Apr 2011, 12:29:35 EST Tue, 19 Apr 2011, 12:36:42 EST Tue, 19 Apr 2011, 12:37:36 EST Fri, 16 Mar 2012, 18:47:17 EST Wed, 02 Jul 2014, 15:19:51 EST Fri, 17 Oct 2014, 10:43:01 EST Wed, 21 Oct 2015, 13:57:31 EST Tue, 05 Dec 2017, 10:48:35 EST Fri, 07 Sep 2018, 15:21:15 EST Filtered Full Citation counts:   Cited 0 times in TR Web of Science Cited 32 times in Scopus Search Google Scholar Access Statistics: 885 Abstract Views, 1548 File Downloads  -  Detailed Statistics Created: Fri, 25 Mar 2011, 15:28:25 EST by Sandra Dunoon