University of Southern California

Title: Modeling Human Behavior for Defense against Flash-Crowd Attacks

Abstract:

Flash-crowd attacks are the most vicious form of distributed denial of service (DDoS). They flood the victim with service requests generated from numerous bots. Attack requests are identical in content to those generated by legitimate, human users, and bots send at a low rate to appear non-aggressive; these features defeat many existing DDoS defenses. We propose defenses against flash-crowd attacks via human behavior modeling, which differentiate bots from human users. Current approaches to human-vs-bot differentiation, such as graphical puzzles, are insufficient and annoying to users, whereas our defenses are highly effective and transparent to humans. We have developed three types of human behavior models: a) request dynamics models learn several features of human interaction dynamics and detect bots that exhibit higher aggressiveness in one or more of these features; b) request sequence models learn visit and transitional probabilities of user requests and detect bots that generate valid but low-probability sequences; and c) deception techniques embed human-invisible objects into server replies and flag users that visit them as bots. Our techniques raise the bar for a successful attack to a botnet size that is accessible to less than 5%, and sometimes less than 1%, of attackers today.
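
A minimal sketch of the request sequence idea in (b), added here as an illustration and not the speaker's implementation. It assumes a first-order Markov model with additive smoothing, a mean log-probability score per session, and a threshold set just below the worst training score; all class names, page paths and sessions are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed training data: page sequences assumed to come from human visitors.
HUMAN_SESSIONS = [
    ["/", "/products", "/products/42", "/cart", "/checkout"],
    ["/", "/products", "/products/7", "/products", "/products/42"],
    ["/", "/search", "/products/42", "/cart"],
    ["/", "/products", "/products/42", "/cart", "/checkout"],
    ["/", "/search", "/products/7", "/cart", "/checkout"],
]
START = "<start>"  # pseudo-state so the first request is also scored


class SequenceModel:
    """First-order Markov model of page transitions (assumed model form)."""

    def __init__(self, sessions, alpha=0.1):
        self.alpha = alpha                    # additive smoothing constant
        self.counts = defaultdict(Counter)    # counts[prev][page]
        self.pages = set()
        for session in sessions:
            prev = START
            for page in session:
                self.counts[prev][page] += 1
                self.pages.add(page)
                prev = page

    def prob(self, prev, page):
        """Smoothed P(page | prev); unseen transitions stay small but nonzero."""
        row = self.counts.get(prev, Counter())
        vocab = len(self.pages) + 1           # +1 bucket for never-seen pages
        return (row[page] + self.alpha) / (sum(row.values()) + self.alpha * vocab)

    def score(self, session):
        """Mean log-probability per request; lower means less human-like."""
        if not session:
            return 0.0
        prev, total = START, 0.0
        for page in session:
            total += math.log(self.prob(prev, page))
            prev = page
        return total / len(session)


def calibrate(model, sessions, margin=1.0):
    """Threshold heuristic (assumption): worst training score minus a margin."""
    return min(model.score(s) for s in sessions) - margin


def is_suspicious(model, session, threshold):
    """Flag sessions whose requests are valid pages in an unlikely order."""
    return model.score(session) < threshold
```

Every request in a flagged session can be a legitimate URL; only the order is improbable under the learned transitions, which is the "valid but low-probability" case the abstract describes.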

Biography:

Dr. Jelena Mirkovic is a computer scientist at USC/ISI, which she joined in 2007. Previously, she was an assistant professor at the University of Delaware from 2003 to 2007. She received her M.S. and Ph.D. from UCLA, and her B.S. in Computer Science and Engineering from the School of Electrical Engineering, University of Belgrade, Serbia. Her current research focuses on methodologies for security experimentation, computer worms and viruses, denial-of-service attacks, and IP spoofing.