Mitigating HTTP Flooding Attacks with Meta-data Analysis

The rise of Distributed Denial of Service (DDoS) attacks has posed a dire threat to cloud computing services in recent years. First, it is getting increasingly difficult to discriminate legitimate traffic from malicious traffic since both are legal at the application-protocol level. Second, DDoS attacks have tremendous impacts on virtual machine performance due to the over-subscribed sharing nature of a cloud data center. To prevent the most serious HTTP GET flooding attacks, we propose a meta-data based monitoring approach, in which the behavior of malicious HTTP requests is captured through real-time and big-data analysis. The proposed DDoS defense system can provide continued service to legitimate clients even when the attacking line-rate is as high as 9Gbps. An intelligent probe is first used to extract the meta-data about an HTTP connection, which can be thought of as (IP, URL) (Uniform Resource Locators). Then, a real-time big-data analyzing technique is applied on top of the meta-data to identify the IP addresses whose HTTP request frequency significantly surpasses the norm. The blacklist, consisting of these IP addresses, is further aggregated, enabling inline devices (firewalls and load balancers) to apply rate-limiting rules to mitigate the attacks. Our findings show that the performance of the meta-data based detection system is one order of magnitude better than the previous approach.