Internet enabled clients, such as smart phones, personal computers, tablets, gaming systems and the like have become prevalent in recent years. Given the proliferation of Internet enabled clients and far-reaching Internet access, more and more users access online content hosted by servers. The vast majority of users access online content from hosts for legitimate reasons. However, there are illegitimate users who try to take down the hosts of online content with malicious clients, whether to simply deny services to other users or for more nefarious purposes. In many instances, the illegitimate users infect the non-malicious clients of other users with malware such that an increasing number of malicious clients engage in illegitimate activities from disparate locations.
One method of attacking a host is a Distributed Denial of Service (DDoS) attack. A commonly employed type of DDoS attack is an application layer DDoS attack. This is a dangerous DDoS attack type targeting the application layer (layer 7) of a host in the Open Systems Interconnection (OSI) model. An example application layer DDoS attack may maliciously over-exercise functions or features at the application layer of a host with the intention to disable those functions or features. The malicious over-exercising of functions or features of the host decreases the amount of processing resources the host can make available for legitimate user activities. Over time this causes all processing to grind to a virtual halt. By way of example, if a host receives, on average, 100 requests per second and can handle a maximum of 1,000 requests per second, a DDoS attack generating 10,000+ malicious requests per second prevents host processing resources from effectively addressing those requests due to overwhelming demand. Example host computing resources that effectively are drained causing processing activity to grind to towards a halt during an application layer DDoS attack. Hosting computing resources affected may include, for example, compute resources for dynamically generated web content, database resources, search index resources, ecommerce components, and/or application programming interface (API) endpoints.
Current techniques for mitigating the effects of DDoS attacks on legitimate user access to the host generate a high number of false positives when they attempt to distinguish between malicious and non-malicious clients at the time of attack. False positives are instances where a non-malicious client is falsely categorized or identified as a malicious client. As an example, under some current techniques, all clients attempting to access a particular feature of the host that is under attack may be categorized as malicious (e.g., denied access to the host) during the attack period. While this technique potentially prevents clients accessing other features of the host from being affected by the attack, malicious and non-malicious clients alike are denied access to attacked features during the attack period. As a result, selectively attacking features of the host such as a checkout feature of an ecommerce site can effectively shut down legitimate user progress through the site. In turn, this causes numerous negative effects, including, for example, negatively impacting user experiences such as response times, reducing commercial transactions through the ecommerce site, and/or discouraging future site access due to negative publicity.