Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art

Botnets are prevailing mechanisms for the facilitation of the distributed denial of service (DDoS) attacks on computer networks or applications. Currently, Botnet-based DDoS attacks on the application layer are latest and most problematic trends in network security threats. Botnet-based DDoS attacks on the application layer limits resources, curtails revenue, and yields customer dissatisfaction, among others. DDoS attacks are among the most difficult problems to resolve online, especially, when the target is the Web server. In this paper, we present a comprehensive study to show the danger of Botnet-based DDoS attacks on application layer, especially on the Web server and the increased incidents of such attacks that has evidently increased recently. Botnet-based DDoS attacks incidents and revenue losses of famous companies and government websites are also described. This provides better understanding of the problem, current solution space, and future research scope to defend against such attacks efficiently.

💡 Research Summary

The paper provides a comprehensive examination of botnet‑driven Distributed Denial of Service (DDoS) attacks that target the application layer, with a particular focus on web servers. It begins by contrasting traditional network‑layer floods (e.g., SYN, UDP) with modern attacks that exploit HTTP, HTTPS, DNS, SMTP and other high‑level protocols. The authors describe three principal botnet architectures: centralized command‑and‑control (C&C) servers, peer‑to‑peer (P2P) networks, and the rapidly expanding Internet‑of‑Things (IoT) botnets that leverage low‑cost, poorly secured devices.

Next, the paper classifies application‑layer DDoS attacks into three categories. Volume‑based attacks generate massive numbers of legitimate‑looking GET or POST requests to exhaust server processing capacity. Protocol‑based attacks abuse features of modern protocols—such as HTTP/2 multiplexing, TLS handshakes, or TCP connection‑state management—to deplete session resources. Hybrid attacks combine both approaches, creating traffic patterns that are difficult for signature‑based defenses to recognize. The authors devote special attention to “slow” attacks (e.g., Slowloris, Slow POST, RUDY) that keep connections open with minimal data transfer, thereby monopolizing web‑server worker threads or processes.

Through a case‑study analysis of twelve high‑profile incidents between 2016 and 2020, the authors demonstrate the real‑world impact of these threats. Eight of the incidents were identified as botnet‑based application‑layer attacks, with an average downtime of four hours and an estimated average revenue loss of roughly ten million US dollars per event. Financial institutions and e‑commerce platforms suffered the greatest damage, often because the attackers employed Mirai‑derived IoT botnets capable of mobilizing hundreds of thousands of IP addresses. The paper also highlights the danger of amplification techniques (DNS, NTP reflection) when combined with application‑layer traffic, noting that peak traffic volumes can exceed several tens of gigabits per second, overwhelming even cloud‑based mitigation services.

The defensive landscape is surveyed next. Existing countermeasures include traffic normalization, rate limiting, CAPTCHA challenges, dynamic IP blacklisting, and machine‑learning‑driven anomaly detection. While these techniques provide some protection, the authors argue that they suffer from scalability constraints and false‑positive rates that can penalize legitimate users. Rate limiting, for instance, may inadvertently block bursty but legitimate traffic, and ML models can be blind to novel attack variants if training data are not continuously refreshed. The use of Content Delivery Networks (CDNs) for mitigation is discussed, with the caveat that CDNs increase operational costs and may introduce additional latency.

Finally, the paper outlines a research agenda aimed at closing the identified gaps. First, the development of distributed AI detection frameworks that aggregate telemetry from edge sensors worldwide to enable real‑time learning of emerging patterns. Second, protocol‑level hardening, such as restricting TLS 1.3 0‑RTT sessions and tightening HTTP/2 flow‑control mechanisms, to reduce the attack surface. Third, the establishment of legal and policy mechanisms for coordinated international botnet takedowns and information‑sharing platforms. The authors contend that a multi‑layered strategy—combining technical, operational, and regulatory measures—is essential to mitigate the evolving threat of botnet‑based application‑layer DDoS attacks and to preserve the availability of critical web services.