Abstract:
Distributed denial of service (DDoS) attacks constitute an ever-growing threat to the
internet due to the scale of these attacks and the difficulty of mitigating them. In this paper, we
propose a CDN-based DDoS protection service to counter attacks targeting the application layer of
web servers. These attacks mimic flash crowd events by using large botnets to generate a high
volume of requests to get certain object(s) from the target. The proposed scheme, called Hideme,
leverages the already-deployed, highly available, and distributed massive infrastructure of CDNs
to provide protection against DDoS attacks. A website subscribing to this service can hide behind
the DDoS protection provider when it comes under attack. To achieve this goal, Hideme
combines the idea of using CAPTCHA by CDN edge servers to distinguish humans from bots
and the idea of migration to a secret IP address during the attack period. We evaluate the
proposed scheme through extensive experiments over PlanetLab. Our results show that the
proposed scheme exhibits better performance in terms of effective download throughput while
blocking malicious requests.