Real time detection and response of distributed denial of service attacks for web services

Student thesis: Doctoral Thesis


DDoS attacks is a major threat that targets companies and organizations on a daily basis, as reported in the 2012 Information Security Breaches Survey, with the most common target being Web Services. Additionally, the raise of the activism group “Anonymous” and the availability and easiness of DDoS tools in the Internet made this dangerous attacks very popular and reachable for the masses. According to Arbor Networks a DDoS attack can last anywhere between 2 and 6 hours. From the companies prospective, the downtime of their web services, as a result of such an attack, lead companies into loosing valuable profit and customers.

In this dissertation a method for DDoS detection by constructing a fuzzy estimator on the mean packet inter arrival times is proposed. The problem is divided into two challenges, the first being the actual detection of the DDoS event taking place and the second being the identification of the offending IP addresses. Strict real time constraints were imposed for the first challenge and more relaxed constraints for the identification of addresses. Through empirical evaluation it is confirmed that the detection can be completed within improved real time limits and that by using fuzzy estimators instead of crisp statistical descriptors the shortcomings posed by assumptions on the model distribution of the traffic can be avoided. In addition, results under a 3 second detection window were obtained. To overcome the problem of IP Spoofing in a DDoS attack a new method was introduced using Fuzzy Logic called Fuzzy Hybrid Spoofed Detector(FHSD). This method distinguishes the spoofed IPs packets reaching a web server from legitimate packets by analyzing the hops, which the packets pass through, the User Agent and by utilizing OS passive fingerprinting. In order to proof the proposed method’s efficiency a program was developed that uses our technique and it was tested by using the BoNeSi DDoS emulator. The results showed that the proposed method can successfully identify the spoofed IPs and mitigate a DDoS attack in a small amount of time and with low use of resources.

Finally, an on scene digital investigation on computers was conducted, which were part of the Botnet that attacked our infrastructures. In order to achieve that, three open source triage tools were put to the test. In an attempt to identify common issues, strengths and limitations they were evaluated both in terms of efficiency and compliance to published forensic principles. The results showed that due to the increased complexity and wide variety of system configurations, the tested triage tools should be made more adaptable, either dynamically or manually (depending on the case and context) instead of maintaining a monolithic functionality.
Date of Award2013
Original languageEnglish
Awarding Institution
  • Democritus University of Thrace
SupervisorAlexandros S. Karakos (Supervisor)


  • DDoS
  • Malware
  • Fuzzy
  • Digital Forensics
  • IP Spoofing

Cite this