This paper presents a new mechanism for delivering Quality of Service (QoS) guarantees for web-based applications in the face of Distributed Denial of Service (DDoS) attacks. It accomplishes this by scheduling incoming requests based on a valuation/cost analysis to prioritize and service these requests in a more efficient manner. This research differs from previous works by collaborating with the web server's Operating System (OS) through the use of probes, which provide active feedback of application resource state. Other heuristics that have proven successful in DDoS detection and prevention are also employed in an extensible framework to facilitate site-specific customization. The efficacy of this solution is demonstrated by showing its ability to mitigate several types of application-level DDoS attacks on laboratory test-beds representing commonly deployed web application
Distributed Denial of Service is a threat that has been researched and addressed significantly at the network communication level. Previous research in this area has produced many techniques [5, 1] to detect and protect against DDoS. Initial attacks were focused on architectural weaknesses in the Internet's communication protocols. In response, commercial offerings that directly integrate into dedicated firewall appliances have been developed to combat network layer threats [16, 17, 26]^1 such as TCP SYN, UDP, and ICMP Flood attacks. With an average of more than 5000 Denial of Service attacks per day^1 and the association of criminal offenses to these activities^1, DDoS continues to be a significant problem.
As DDoS detection and defense evolve^1, attacks have migrated from the network level to the application layer.
^1 These numeric references are incorrect. Add web-based references to bib.
Contemporary web sites deliver dynamic, personalized content that is database-driven. CPU cycles and I/O bandwidth are now becoming performance limiting factors. As such, they have become targets of attack. The diversification of the services provided at the application layer makes it more challenging to build new defenses. Attackers now access the public-facing web site in an attempt to abuse its internal system resources through seemingly transparent behavior at the network layer. It is no longer sufficient to provide DDoS protection solely through the network entry point [7, 4, 2]. Although credible technological solutions have been proposed to prevent DDoS through the Internet backbone, they have not been implemented to any effective extent due to a lack of sufficient financial incentive. It is incumbent upon the end-resource provider to protect itself from hostile adversaries.
Our solution requires no Internet Service Provider (ISP) involvement and reuses many resource feedback technologies that already exist in most enterprise infrastructures. To provide protection, our solution caches incoming requests at a proxy and valuates each request. Requests are then scheduled for execution based on their perceived cost or threat. For DDoS detection, usage patterns are collected over time and provide a baseline against which current request behavior is compared with nominal behavior in order to valuate potential threat. Where this research differs from existing efforts [7, 4, 2] is in the costing evaluation algorithms. This solution contains probes that monitor system resources, making use of SNMP, WMI, and other existing diagnostic protocols. These real-time metrics are used to adapt the costing evaluation algorithm to the system's current state. Metrics information is collected from the system's resources themselves to provide a closed-loop system, helping to ensure reliable service delivery. In this fashion, resources can be dynamically provisioned without changing the scheduling valuation model. As an extra benefit, such a...