Abstract

Web server outages caused by Distributed Denial of Service (DDoS) attacks have increased considerably over the years. Intrusion Detection Systems (IDS) are not sufficient to detect threats in the system, even when used in conjunction with Intrusion Prevention Systems (IPS) and with data sets containing information about typical situations and attacks on the system’s service. Performing analyses over a very large number of observed variables can consume a significant amount of host resources. Furthermore, these data sets are at risk of not representing the system’s behavior properly, and they cannot always be shared, as the diagnostic data may contain confidential information. This paper presents a non-intrusive diagnostic methodology to select hardware performance counters in HTTP flood DDoS attacks on enterprise-level web servers, combining methods and techniques from different segments. The proposed approach uses low-level resources such as Hardware Performance Counters (HPCs) for diagnosis, creating behavioral profiles of the service under attack and under usual usage. The proposed strategy supports delivering reliable diagnoses with accurate characterization without third-party data sets. With the proposed methodology, we were able to reduce the number of HPCs by 26% compared to the initial group.
