Design And Implementation Of A Web Server Defense System Against Slow HTTP Connection Attacks

As a platform to provide many kinds of information services for Internet users,a web server is often vulnerable to deliberate attackers.Among the threats to web servers,DDoS(Distributed Denial of Service)often becomes one of the most preferred and successful method by hackers.In recent years,DDoS attack methods are continuously evolving.While flooding attack relying on "brute force" has been frequently used in the past,various ways of co-attack have appeared and the targets have gradually shifted to the application level.With the miniaturization of botnets,slow attack using small flows at application level has been one kind of important DDoS attack means.The slow HTTP connection attack discussed in this paper is one of typical methods of them.Hence,efficiency means to respond to such attacks are of great importance for the security of web servers.At the beginning of this paper,background and related research work concerning slow HTTP connection attack and relevant work of DDoS detection and defense are introduced.A web server defense system against slow HTTP connection attack is designed from four aspects: adjusting the configuration of a web server,using firewall of network layer,using web application firewall and reacting according to attack detection results.Secondly,based on the clustering analysis method,we introduced a slow HTTP connection attack detection method,called as DSHCA.DSHCA detects slow HTTP connection attacks by extracting multiple flow characteristics of network flow and distinguishing the differences in flow properties between normal connections and the attacking connections.At last,a prototype system implementation of the DSHCA method is introduced and the effectiveness of various strategies in the system is evaluated.According to the experiment results,the designed multi-level integrated defense system can effectively decrease the influence of slow HTTP connection attacks on web servers and the DSHCA method can accurately recognize abnormal flows injected by different type of slow HTTP connection attacks.