Distributed Denial of Service (DDoS) attacks are a major source of concern for Web properties. DDoS usually refers to an attempt to prevent or hinder access to a server by its regular users by sending an excessive number of requests that exhaust the server's resources, such as bandwidth and/or processing power. A DDoS attack that results in painfully slow responses to clients, or in clients being turned away altogether, may be used by extortionists demanding payment in return for not interrupting a service, by business competitors hoping to gain an edge in the market, or by political enemies trying to stir up chaos.
It is rather difficult to estimate the financial impact of ongoing DDoS activity. An indirect indication is the amount of money corporations are willing to spend on DDoS prevention measures. According to findings of one of the most well-known analyst firms (see http://www.infonetics.com/pr/2012/1H12-DDoS-Prevention-Appliances-Market-Highlights.asp):
1. Global DDoS prevention appliance revenue is expected to reach $272 million in 2012, up 29% from 2011.
2. The overall DDoS prevention appliance market is forecast to top $485 million in 2016.
As more and more efficient DDoS defense mechanisms and tools are proposed and deployed on routers and firewalls, the traditional network layer DDoS attacks (such as SYN flooding, ping of death and Smurf) have become much easier to detect and defend against. Increasingly, they are giving way to sophisticated application layer attacks.
An application layer DDoS attack is a DDoS attack whose requests conform to the communication protocol, so that at the network layer they are indistinguishable from legitimate requests. An application layer DDoS attack may be one, or a combination, of the following types: (1) a session flooding attack sends session connection requests at a higher rate than legitimate users do; (2) a request flooding attack sends sessions that contain more requests than normal sessions; and (3) an asymmetric attack sends sessions with a higher proportion of high-workload requests (see Jie Yu, Chengfang Fang, Liming Lu, Zhoujun Li: A Lightweight Mechanism to Mitigate Application Layer DDoS Attacks. Infoscale 2009: 175-191).
An effective defense mechanism tries to minimize the fraction of legitimate users' requests that it rejects, out of all requests from legitimate users (the False Rejection Rate, or FRR). Similarly, the False Acceptance Rate (FAR), the fraction of attacker requests that are allowed through, should be as small as possible. Although a DDoS defense mechanism should reduce both FRR and FAR, reducing FRR is the more important of the two for business and public relations reasons. That is, a server would rather accommodate as many legitimate user sessions as possible, even if a small number of attacker sessions are allowed through.
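The following Python simulation is an added example, not code from the original page or from Yu et al. It constructs a small trace containing twenty legitimate clients plus one attacker for each of the three patterns above (session flooding, request flooding, asymmetric), runs a simple per-client threshold policy over it, and computes FRR and FAR as defined above. The client addresses, request costs and thresholds are all constructed for the example; the threshold policy is an illustration of the metrics, not the mechanism proposed in the cited paper.

```python
"""Toy simulation of the three application-layer DDoS patterns and of
the FRR/FAR metrics.  All traffic is constructed for this example; the
threshold policy is an illustration, not Yu et al.'s mechanism."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW = 60.0  # seconds over which per-client session starts are counted


@dataclass
class Session:
    client: str    # client identifier (e.g. source IP), constructed
    start: float   # session start time in seconds
    costs: list    # per-request workload cost in constructed units
    legit: bool    # ground truth, used only for scoring


@dataclass
class Limits:
    sessions_per_window: int   # caps pattern (1): session flooding
    requests_per_session: int  # caps pattern (2): request flooding
    work_per_session: int      # caps pattern (3): asymmetric / heavy requests


def build_traffic():
    """Constructed trace: 20 legitimate clients plus one attacker per pattern."""
    sessions = []
    # Legitimate users: a session every 10 s, 3-5 requests, mostly cheap pages.
    for i in range(20):
        for k in range(6):
            costs = [1, 1, 2, 1, 5][: 3 + (i + k) % 3]
            sessions.append(Session(f"10.0.0.{i}", 10.0 * k + 0.1 * i, costs, True))
    # (1) session flooding: one new session every second, each one tiny.
    for k in range(60):
        sessions.append(Session("198.51.100.1", float(k), [1, 1], False))
    # (2) request flooding: normal session rate, but 40 requests per session.
    for k in range(6):
        sessions.append(Session("198.51.100.2", 10.0 * k, [1] * 40, False))
    # (3) asymmetric: normal rate and request count, but every request is expensive.
    for k in range(6):
        sessions.append(Session("198.51.100.3", 10.0 * k, [50] * 4, False))
    return sorted(sessions, key=lambda s: s.start)


def evaluate(sessions, limits):
    """Apply the per-client threshold policy to a time-sorted trace and score it.

    Returns the raw counts plus FRR = rejected_legit / total_legit and
    FAR = accepted_attack / total_attack.
    """
    recent = defaultdict(deque)  # client -> session start times within WINDOW
    counts = dict(rejected_legit=0, total_legit=0,
                  accepted_attack=0, total_attack=0)
    for s in sessions:
        q = recent[s.client]
        while q and q[0] <= s.start - WINDOW:
            q.popleft()
        rejected = (len(q) >= limits.sessions_per_window           # (1) rate
                    or len(s.costs) > limits.requests_per_session  # (2) count
                    or sum(s.costs) > limits.work_per_session)     # (3) workload
        q.append(s.start)  # a rejected attempt still counts toward the rate
        if s.legit:
            counts["total_legit"] += 1
            counts["rejected_legit"] += rejected
        else:
            counts["total_attack"] += 1
            counts["accepted_attack"] += not rejected
    counts["frr"] = counts["rejected_legit"] / counts["total_legit"]
    counts["far"] = counts["accepted_attack"] / counts["total_attack"]
    return counts


if __name__ == "__main__":
    trace = build_traffic()
    lenient = Limits(sessions_per_window=10, requests_per_session=20, work_per_session=60)
    strict = Limits(sessions_per_window=5, requests_per_session=20, work_per_session=60)
    for name, lim in (("lenient", lenient), ("strict", strict)):
        r = evaluate(trace, lim)
        print(f"{name}: FRR={r['frr']:.3f}  FAR={r['far']:.3f}")
```

With the lenient limits the request-count and workload checks stop the request-flooding and asymmetric attackers outright, the rate limit stops the session flooder after its first ten sessions, and no legitimate session is rejected (FRR of 0 with a FAR of 10/72). Tightening the rate limit to five sessions per minute catches five more attacker sessions but now rejects one in six legitimate sessions, which is exactly the trade-off the text says a server should usually resolve in favour of a low FRR.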
Furthermore, the defense mechanism must be lightweight, so that it does not itself become the target of a DDoS attack. It is also preferable that the defense mechanism be independent of the details of the services it protects, as it can then be deployed at any server without modification, as discussed in the paper by Yu et al. cited above.