The threat of distributed denial-of-service (DDoS) attacks has increased in recent years. In particular, the slow HTTP POST attack overwhelms web servers by maintaining slow connections with small payloads. Previous research has addressed this threat by monitoring the number of simultaneous connections and using programmable P4 switches. However, these approaches have shown limitations when facing distributed attacks from multiple IP addresses. In this study, we developed an improved defense method that monitors both the number of simultaneous connections and the payload size to more effectively identify a slow HTTP POST DDoS attack by capturing its characteristics. Experimental comparisons with existing methods demonstrated that connection-based monitoring alone is insufficient against distributed attacks, whereas our new method achieves better performance. Ultimately, implementing this method on a P4 switch is expected to reduce server load by blocking malicious traffic before it reaches the server, thereby enhancing the robustness of the entire system.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Slow HTTP POST DDoS Attack Prevention Method that Monitors Payload Size and Number of Connections

  • Yuya Ozaki,
  • Shotaro Usuzaki,
  • Kentaro Aburada,
  • Hisaaki Yamaba,
  • Mirang Park,
  • Naonobu Okazaki

摘要

The threat of distributed denial-of-service (DDoS) attacks has increased in recent years. In particular, the slow HTTP POST attack overwhelms web servers by maintaining slow connections with small payloads. Previous research has addressed this threat by monitoring the number of simultaneous connections and using programmable P4 switches. However, these approaches have shown limitations when facing distributed attacks from multiple IP addresses. In this study, we developed an improved defense method that monitors both the number of simultaneous connections and the payload size to more effectively identify a slow HTTP POST DDoS attack by capturing its characteristics. Experimental comparisons with existing methods demonstrated that connection-based monitoring alone is insufficient against distributed attacks, whereas our new method achieves better performance. Ultimately, implementing this method on a P4 switch is expected to reduce server load by blocking malicious traffic before it reaches the server, thereby enhancing the robustness of the entire system.