Research Output

Analysis and development of a prototype for the detection and mitigation of HTTP based distributed denial of service attacks.

  T Administrators are constantly faced with threats as a result of the Internet (West, M. 2008). There is a huge range of solutions on the market today to assist and defend against such threats, but they are either costly or complicated to set up and configure properly. The assaults circulating on the Internet at this very
moment range from malicious viruses designed to destroy or corrupt data to technologically advanced robot networks with intelligent coding that allows them to intercommunicate with each other, and send back captured private data like bank account numbers and credit card details to the owner of the malware
(Hoeflin, D. et al. 2007).

Distributed Denial of Service attacks are getting more and more advanced as a result of sophisticated malware being released into the wild. As a result, new methods of mitigating these attacks need to be designed and developed. This thesis aimed to read similar related work done and gain an in-depth examination of DDoS taxonomy, bot nets, malware and mitigation methods. The thesis also
attempted to take this research and use it in a prototype system that could potentially be used in a real environment to detect and mitigate an active DDoS attack on a server.

The main aim of this thesis was to analyse current Distributed Denial of Service botnets, malware and taxonomies to determine the best prototype to design and develop that could detect and mitigate an attack on a server. A human verification prototype was developed and implemented that would require user input to validate the visitor to a site was a real person. This system would only trigger if the visitor sent too many requests for the site per minute. If the visitor failed to validate, the system firewalls their IP address.
This thesis and prototype, although slightly inefficient at high load levels, could potentially help to mitigate a medium-scale DDoS attack on a website. The prototype does indeed detect a user that exceeds the threshold set, and it does then forward them on for verification. The prototype also then creates entries that simulate the IP address of that user being blocked at a firewall level. However, the prototype fails to appreciate any false positives that may occur. If a user was to exceed the threshold and then fail validation, their IP address would be firewalled on the server permanently.

  • Type:


  • Publication Status:


  • Library of Congress:

    QA75 Electronic computers. Computer science

  • Dewey Decimal Classification:

    005.8 Data security


Gilbertson, S. Analysis and development of a prototype for the detection and mitigation of HTTP based distributed denial of service attacks. (Thesis). Edinburgh Napier University. Retrieved from


Distributed denial of service; malware; intruder detection systems; bot nets; taxonomies; firewalls; IP authentication;

Available Documents