A Framework for Capturing HTTP GET DDoS Attacks on a Live Network Environment  
Author: Chad Calvert
Co-Author(s): Clifford Kemp; Taghi M. Khoshgoftaar; Maryam M. Najafabadi
Abstract: With the emergence of stronger protection mechanisms put in place to thwart network layer DDoS attacks, attackers are looking for attack variants that can better circumvent detection. By focusing on the application layer, attackers can mask their intrusions as legitimate requests with the true intent of overwhelming a service’s available resources. In this work, we perform penetration testing on a live production network to capture and analyze distributed HTTP GET flood attack behavior. Data was collected using web server logs from a student resource web server. By performing our attacks on a real-world, live production environment, the impact that our attacks have on our network is more representative of a real-world attack scenario. Our tests encompass a variety of attack scenarios which represent approaches that are seen in real-world attacks, as well as more intelligent attack variants which aim to better mimic normal user behavior. This is done by analyzing the embedded resources that are requested when a normal user requests a web page, and by web scraping to automatically request resources accessible within a web server. We outline both our experimental procedure for implementing each attack variation and our collection framework for capturing the attack data.
Keywords: Application Layer DDoS Attacks, Data Collection, HTTP GET flood
Article #: 23-136
Proceedings of the 23rd ISSAT International Conference on Reliability and Quality in Design
August 3-5, 2017 - Chicago, Illinois, U.S.A.