Defending Web Servers Against Flash Crowd Attacks

2019 
Flash Crowd Attacks (FCAs) are DDoS attacks that flood victim services, such as Web servers, with well-formed requests generated by numerous bots. Such attacks are hard to detect and filter because legitimate and attack requests look identical. In our previous work [1], we proposed models of how human users interact with Web servers, and showed in simulation that these models can detect naive FCAs. In this paper, we significantly extend these models to make them more robust, simpler, and applicable to a wider variety of FCAs. We implement the models in a system called FRADE, and evaluate it on three Web servers with different server applications and different content. We show that FRADE can detect both naive and sophisticated bots within seconds and successfully filters out attack traffic. FRADE therefore significantly raises the bar for a successful attack by requiring attackers to deploy botnets that are at least three orders of magnitude larger than today's botnets.