Abstract
Distributed Denial of Service (DDoS) attacks, which aim to make a service unavailable to legitimate clients, have become a severe threat to Internet security. Traditional DDoS attacks mainly abuse the network bandwidth around Internet subsystems and degrade the quality of service by causing congestion in the network. Consequently, several network-based defense methods have tried to detect these attacks by controlling traffic volume or differentiating traffic patterns at intermediate routers. However, with the growth in network bandwidth and application service types, the target of DDoS attacks has recently shifted from the network to server resources and application procedures themselves, forming a new class of application DDoS attack.
As stated in, by exploiting flaws in application design and implementation, application DDoS attacks exhibit three advantages over traditional DDoS attacks that help them evade normal detection: malicious traffic is always indistinguishable from normal traffic; automated scripts remove the need for a large number of “zombie” machines or bandwidth to launch the attack; and the attack is much harder to trace due to multiple redirections at proxies. Based on these characteristics, malicious traffic can be classified into legitimate-looking requests of two kinds: 1) requests at a high inter-arrival rate and 2) requests that consume more service resources.
The identification of attackers can be much faster if we can find them by testing clients in groups instead of one by one. Thus, the key problem is how to group clients and assign them to different server machines in a sophisticated way, so that if any server is found to be under attack, we can immediately identify and filter the attackers out of its client set. This problem closely resembles the group testing (GT) problem; therefore, we apply GT theory to this network security issue and propose Modern Cracking algorithms and protocols to achieve high detection performance in terms of short detection latency and low false positive/negative rates. Since the detections are merely based on the service resource usage of the victim servers, no individual signature-based authentication or data classification is required; thus, this approach may overcome the limitations of current solutions.