Distributed Denial-of-Service (DDoS) attacks attempt to bring down or otherwise degrade the performance of one or more network-accessible machines (i.e., servers). DDoS attacks involve a set of machines, also known as bots, launching a distributed attack against a specific machine or a set of machines providing some content or service. The basic premise of any DDoS attack is to flood a target server with so many messages or requests (e.g., content requests, connection establishment requests, etc.) that the target server's resources become overwhelmed, leaving the target server unable to respond to valid messages or requests it receives from valid users.
DDoS attacks can be performed at different layers of the Open Systems Interconnection (OSI) model. An application layer or layer 7 DDoS attack involves rapidly issuing content or service requests to the server with the intent of overwhelming the server resources.
Such layer 7 attacks are difficult to stop because the bots attempt to blend in with valid user requests and because of the distributed nature of the attack. Simply blocking one of the bots does not stop the other bots from issuing requests. Also, the target server experiences a relatively large resource impact for each bot attack that is successful. In response to each successful bot attack, the target server establishes and maintains a connection to that bot and further consumes resources in sending the requested content or services to the bot.
DDoS mitigation involves the ability to distinguish actual user requests from requests issued by bots. Since bots are typically created for the sole purpose of connecting to the target server and requesting content or services from the target server, one manner of distinguishing bots from actual users is to require the party requesting content or service from the target server to perform some task in order to validate itself as a valid user prior to the target server responding with the requested content or service.
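The two points above, that blocking a single bot barely affects a distributed flood and that a validation task can keep unvalidated requesters from consuming connection and content resources, can be shown with a small simulation. The following is an added example, not code from the original text. It assumes a simplified access-log format of `<second> <client_ip> <path>`, a per-client rate threshold, and a validation task (chosen here for illustration; the text does not prescribe one) in which the requester must echo back an opaque HMAC-bound challenge before the server sends content. All log lines are constructed.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample access log, one request per line: "<second> <client_ip> <path>".
# Three clients (10.0.0.1-3) each fire a burst of 20 requests inside the same
# second; 192.168.1.10 and 192.168.1.11 behave like ordinary users.
SAMPLE_LOG = "\n".join(
    [f"100 10.0.0.{b} /index.html" for b in (1, 2, 3) for _ in range(20)]
    + ["100 192.168.1.10 /index.html", "101 192.168.1.10 /about.html",
       "101 192.168.1.11 /index.html", "103 192.168.1.11 /contact.html"]
)


def parse_log(text):
    """Parse log lines into (second, client_ip, path) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split()
        records.append((int(ts), ip, path))
    return records


def peak_rate_per_client(records):
    """Highest number of requests each client issued within any one second."""
    per_second = defaultdict(int)
    for ts, ip, _ in records:
        per_second[(ip, ts)] += 1
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_clients(records, threshold):
    """Clients whose peak per-second rate exceeds the threshold (likely bots)."""
    return sorted(ip for ip, n in peak_rate_per_client(records).items() if n > threshold)


def peak_aggregate_rate(records, blocked=()):
    """Server-wide peak requests per second after dropping blocked clients.
    Blocking one bot leaves the remaining bots' flood almost untouched."""
    per_second = defaultdict(int)
    for ts, ip, _ in records:
        if ip not in blocked:
            per_second[ts] += 1
    return max(per_second.values(), default=0)


class ValidationGate:
    """Front door that serves content only after the requester completes a task.
    Assumed task (not from the text): echo back a server-issued challenge that is
    bound to the client address with an HMAC, so it cannot be shared between bots.
    Unvalidated requests cost the server a short reply instead of a held
    connection plus the requested content."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.content_served = 0    # full responses sent (the expensive path)
        self.challenges_sent = 0   # cheap replies carrying no content

    def _challenge_for(self, ip):
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()

    def handle(self, ip, challenge=None):
        """Return ('content', body) for validated clients, else ('challenge', token)."""
        if challenge is not None and hmac.compare_digest(challenge, self._challenge_for(ip)):
            self.content_served += 1
            return ("content", "<html>requested content</html>")
        self.challenges_sent += 1
        return ("challenge", self._challenge_for(ip))


def simulate(records, gate):
    """Replay the log through the gate. Assumed behaviour: ordinary users
    (192.168.x.x here) complete the challenge on first contact and present it
    afterwards; the bots only fire bare requests and never complete it."""
    tokens = {}
    for _, ip, _ in records:
        kind, payload = gate.handle(ip, tokens.get(ip))
        if kind == "challenge" and ip.startswith("192.168."):
            tokens[ip] = payload
            gate.handle(ip, tokens[ip])
    return gate.content_served, gate.challenges_sent


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flagged clients:", flag_clients(recs, threshold=10))
    print("peak aggregate rate:", peak_aggregate_rate(recs))
    print("after blocking 10.0.0.1:", peak_aggregate_rate(recs, blocked={"10.0.0.1"}))
    print("(content served, challenges sent):", simulate(recs, ValidationGate()))
```

Replaying the constructed log, blocking only 10.0.0.1 drops the peak from 61 to 41 requests per second, while the gate serves content to the four user requests and answers all 60 bot requests with a cheap challenge. The echo task here is deliberately minimal; it illustrates the resource asymmetry the text describes, not a task that a sophisticated bot could not complete.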
CAPTCHA-based techniques are one way to distinguish between valid users and bots. CAPTCHA techniques require some intelligence on the part of the requesting party to formulate a response to an image before the party is granted access to the requested content or service. However, CAPTCHA-based techniques suffer from several shortcomings. First, CAPTCHA is invasive. CAPTCHA interrupts the requesting party's desired action and forces the requesting party to perform some action before the requesting party is permitted to continue with the desired action. Such interruption significantly degrades the end user experience and introduces significant delay. Second, since CAPTCHA is essentially a methodology based on optical character recognition, sophisticated bots can be programmed to identify and provide the correct answer in order to continue the DDoS attack. A bot having the necessary sophistication to thwart CAPTCHA at one target site can likely do the same at all other sites relying on CAPTCHA-based techniques. As a result, CAPTCHA is, at best, a stop-gap technique for preventing DDoS attacks, with the knowledge that one day such techniques can become entirely ineffective.
Accordingly, there is a need for improved techniques for DDoS mitigation. Specifically, there is a need for mitigation techniques that are not intrusive for the valid user, do not introduce noticeable delay to the overall user experience, and accurately distinguish bots from valid users. There is further a need for the mitigation techniques to be dynamic and responsive in the face of increasing bot sophistication.