DDoS protection as a service: hiding behind the giants

Distributed denial of service DDoS attacks constitute an ever growing threat to the internet due to the scale of these attacks and the difficulty of mitigating them. In this paper, we propose a CDN-based DDoS protection service to counter attacks targeting application layer of web servers. These attacks mimic flash crowd events by using large size botnets to generate high volume requests to get certain objects from the target. The proposed scheme, called Hideme, leverages the already-deployed, highly available, and distributed massive infrastructure of CDNs to provide protection against DDoS attacks. A website subscribing to this service can hide behind the DDoS protection provider when it becomes under attack. To achieve this goal, Hideme combines the idea of using CAPTCHA by CDN edge servers to distinguish humans from bots and the idea of migration to a secret IP address during the attack period. We evaluate the proposed scheme through extensive experiments over Planetlab. Our results show that the proposed scheme exhibits better performance in terms of effective download throughput while blocking malicious requests.