Slow HTTP POST DDoS Attack Prevention Method that Monitors Payload Size and Number of Connections
摘要
The threat of distributed denial-of-service (DDoS) attacks has increased in recent years. In particular, the slow HTTP POST attack overwhelms web servers by maintaining slow connections with small payloads. Previous research has addressed this threat by monitoring the number of simultaneous connections and using programmable P4 switches. However, these approaches have shown limitations when facing distributed attacks from multiple IP addresses. In this study, we developed an improved defense method that monitors both the number of simultaneous connections and the payload size to more effectively identify a slow HTTP POST DDoS attack by capturing its characteristics. Experimental comparisons with existing methods demonstrated that connection-based monitoring alone is insufficient against distributed attacks, whereas our new method achieves better performance. Ultimately, implementing this method on a P4 switch is expected to reduce server load by blocking malicious traffic before it reaches the server, thereby enhancing the robustness of the entire system.