A Robust Mechanism for Defending Distributed Denial OF Service Attacks on Web Servers

Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.

💡 Research Summary

**
The paper addresses the pressing problem of defending web servers against Distributed Denial‑of‑Service (DDoS) attacks, which have become inexpensive, highly effective means of disrupting online services. After a brief overview of common DDoS vectors—SYN floods, UDP/ICMP floods, HTTP floods, SIP floods, and reflector‑based amplification attacks such as DNS amplification—the authors critique existing mitigation techniques (protocol hardening, ingress filtering, IP traceback, packet marking, push‑back, MULTOPS, D‑WARD, etc.). They argue that most of these solutions either require widespread router cooperation, suffer from high false‑positive rates, or degrade legitimate traffic.

The core contribution is a two‑tiered detection framework that operates entirely on the victim server. The first tier, an “approximate module,” uses lightweight statistics (moving averages, standard deviations) to flag sudden spikes in inbound traffic with minimal computational overhead. When a potential anomaly is detected, the second tier, a “precise module,” reconstructs the full traffic distribution over a short observation window and applies rigorous statistical hypothesis testing—specifically the Kolmogorov‑Smirnov (K‑S) test or χ² test—against a baseline model derived from normal traffic. The null hypothesis assumes the current traffic follows the established normal distribution; rejection at a predefined significance level (e.g., α = 0.01) triggers an attack alarm.

The detection algorithm is tightly coupled with a mitigation component that temporarily blocks offending IP addresses or subnets while preserving ongoing legitimate sessions. The blocking policy is dynamic: it is lifted automatically once the server’s load returns to baseline, ensuring that legitimate users experience minimal disruption. The authors emphasize that the system does not interfere with normal traffic during the detection phase, a feature they claim is lacking in many commercial products.

To evaluate the approach, the authors built a simulation environment using NS‑2. They modeled a web server receiving legitimate traffic and injected three representative attacks: a 10 Mbps SYN flood, a 20 Mbps HTTP flood, and a 50 Mbps DNS amplification attack. Results show that the approximate module alone detects anomalies within an average of 0.8 seconds, while the combined approximate‑plus‑precise configuration adds only 0.5 seconds of latency (total ~1.3 seconds) but boosts detection accuracy to over 95 % and keeps false‑positive rates below 2 %. After mitigation, the server’s average response time for legitimate sessions fell back to under 150 ms, and CPU utilization remained stable, indicating that the defense does not impose prohibitive processing overhead.

The paper also discusses limitations. All experiments are simulation‑based; real‑world deployment would need to contend with packet loss, routing variability, and multi‑gigabit traffic volumes that could strain the precise module’s computational demands. The selection of statistical thresholds and significance levels is left to the operator, with no automated tuning mechanism presented. Moreover, sophisticated botnets that mimic legitimate traffic patterns could evade detection, suggesting a need for complementary machine‑learning techniques.

In conclusion, the authors present a novel, server‑centric DDoS defense that combines fast, low‑cost anomaly spotting with statistically rigorous verification. By modularizing the detection pipeline, the system can adapt its resource consumption to current load conditions, offering a practical trade‑off between speed and accuracy. Future work is proposed to validate the approach on live traffic, automate parameter optimization, and explore hybrid models that integrate the presented statistical tests with anomaly‑learning algorithms. This research contributes a valuable perspective to the ongoing effort to protect critical web services from ever‑evolving DDoS threats.