User Activity Based Application-Layer DoS/DDoS Attack Defense Algorithm

Abstract

In application-layer DoS/DDoS attacks, malicious users attack the victim server by sending lots of legitimate requesting packages, which overwhelm the server bottleneck resources. Normal user’s request thus may not be satisfied. The traditional intrusion detection systems for network-layer cannot effectively identify this attack, and recent researches on this kind of attack are mainly for Web servers. This paper proposed a new defense algorithm based on user activity for topic-based Pub/Sub communication servers in mobile push notification systems. Users consuming system bottleneck resources the most can get high scores and thus are considered overactive. With some resource retaken strategy, overactive users’ connections will be dropped according to system performance level. Therefore, the system can get rid of latent threatens. Experiments indicated that this algorithm can identify normal and abnormal users well.