{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T22:58:36Z","timestamp":1770505116491,"version":"3.49.0"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2008,7,1]],"date-time":"2008-07-01T00:00:00Z","timestamp":1214870400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2008,7]]},"abstract":"<jats:p>Recently, we have seen increasing numbers of denial of service (DoS) attacks against online services and Web applications either for extortion reasons or for impairing and even disabling the competition. These DoS attacks have increasingly targeted the application level. Application-level DoS attacks emulate the same request syntax and network-level traffic characteristics as those of legitimate clients, thereby making the attacks much harder to detect and counter. Moreover, such attacks often target bottleneck resources such as disk bandwidth, database bandwidth, and CPU resources. In this article, we propose handling DoS attacks by using a twofold mechanism. First, we perform admission control to limit the number of concurrent clients served by the online service. Admission control is based on port hiding that renders the online service invisible to unauthorized clients by hiding the port number on which the service accepts incoming requests. Second, we perform congestion control on admitted clients to allocate more resources to good clients. Congestion control is achieved by adaptively setting a client's priority level in response to the client's requests in a way that can incorporate application-level semantics. We present a detailed evaluation of the proposed solution using two sample applications: Apache HTTPD and the TPCW benchmark (running on Apache Tomcat and IBM DB2). Our experiments show that the proposed solution incurs low performance overhead and is resilient to DoS attacks.<\/jats:p>","DOI":"10.1145\/1377488.1377489","type":"journal-article","created":{"date-parts":[[2008,7,8]],"date-time":"2008-07-08T16:02:15Z","timestamp":1215532935000},"page":"1-49","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":41,"title":["Mitigating application-level denial of service attacks on Web servers"],"prefix":"10.1145","volume":"2","author":[{"given":"Mudhakar","family":"Srivatsa","sequence":"first","affiliation":[{"name":"IBM T. J. Watson Research Center, Yorktown, NY"}]},{"given":"Arun","family":"Iyengar","sequence":"additional","affiliation":[{"name":"IBM T. J. Watson Research Center, Yorktown, NY"}]},{"given":"Jian","family":"Yin","sequence":"additional","affiliation":[{"name":"IBM T. J. Watson Research Center, Yorktown, NY"}]},{"given":"Ling","family":"Liu","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA"}]}],"member":"320","published-online":{"date-parts":[[2008,7,8]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Apache. 2004. Apache tomcat servlet\/JSP container. http:\/\/jakarta.apache.org\/tomcat.]]  Apache. 2004. Apache tomcat servlet\/JSP container. http:\/\/jakarta.apache.org\/tomcat.]]"},{"key":"e_1_2_1_2_1","unstructured":"Apache. 2005a. Apache HTTP server. http:\/\/httpd.apache.org.]]  Apache. 2005a. Apache HTTP server. http:\/\/httpd.apache.org.]]"},{"key":"e_1_2_1_3_1","unstructured":"Apache. 2005b. Introduction to server side includes. http:\/\/httpd.apache.org\/docs\/howto\/ssi.html.]]  Apache. 2005b. Introduction to server side includes. http:\/\/httpd.apache.org\/docs\/howto\/ssi.html.]]"},{"key":"e_1_2_1_4_1","unstructured":"Bernstein D. J. 2005. SYN cookies. http:\/\/cr.yp.to\/syncookies.html.]]  Bernstein D. J. 2005. SYN cookies. http:\/\/cr.yp.to\/syncookies.html.]]"},{"key":"e_1_2_1_5_1","unstructured":"Black D. RFC 2983: Differentiated services and tunnels. http:\/\/www.faqs.org\/rfcs\/rfc2983.html.]]   Black D. RFC 2983: Differentiated services and tunnels. http:\/\/www.faqs.org\/rfcs\/rfc2983.html.]]"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC.2002.995152"},{"key":"e_1_2_1_7_1","unstructured":"CERT. 2004. Incident note IN-2004-01 W32\/Novarg.A virus.]]  CERT. 2004. Incident note IN-2004-01 W32\/Novarg.A virus.]]"},{"key":"e_1_2_1_8_1","volume-title":"Proc. IEEE (Special Issue on QoS in the Internet).]]","author":"Chandra S."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2002.1009151"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of 12th USENIX Security Symposium. 29--44","author":"Crosby S. A."},{"key":"e_1_2_1_11_1","unstructured":"DARPA. 1981. RFC 793: Transmission control protocol. http:\/\/www.faqs.org\/rfcs\/rfc793.html.]]  DARPA. 1981. RFC 793: Transmission control protocol. http:\/\/www.faqs.org\/rfcs\/rfc793.html.]]"},{"key":"e_1_2_1_12_1","unstructured":"Dierks T. and Allen C. RFC 2246: The TLS protocol. http:\/\/www.ietf.org\/rfc\/rfc2246.txt.]]  Dierks T. and Allen C. RFC 2246: The TLS protocol. http:\/\/www.ietf.org\/rfc\/rfc2246.txt.]]"},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Egevang K. and Francis P. 1994. RFC 1631: The IP network address translator (NAT). http:\/\/www.faqs.org\/rfcs\/rfc1631.html.]]   Egevang K. and Francis P. 1994. RFC 1631: The IP network address translator (NAT). http:\/\/www.faqs.org\/rfcs\/rfc1631.html.]]","DOI":"10.17487\/rfc1631"},{"key":"e_1_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Ferguson R. and Senie D. 1998. RFC 2267: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. http:\/\/www.faqs.org\/rfcs\/rfc2267.html.]]   Ferguson R. and Senie D. 1998. RFC 2267: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. http:\/\/www.faqs.org\/rfcs\/rfc2267.html.]]","DOI":"10.17487\/rfc2267"},{"key":"e_1_2_1_15_1","unstructured":"FIPS. Data encryption standard (DES). http:\/\/www.itl.nist.gov\/fipspubs\/fip46-2.htm.]]  FIPS. Data encryption standard (DES). http:\/\/www.itl.nist.gov\/fipspubs\/fip46-2.htm.]]"},{"key":"e_1_2_1_16_1","unstructured":"FireFox. 2005. Mozilla firefox Web browser. http:\/\/www.mozilla.org\/products\/firefox.]]  FireFox. 2005. Mozilla firefox Web browser. http:\/\/www.mozilla.org\/products\/firefox.]]"},{"key":"e_1_2_1_17_1","unstructured":"Google. Google mail. http:\/\/mail.google.com\/.]]  Google. Google mail. http:\/\/mail.google.com\/.]]"},{"key":"e_1_2_1_18_1","unstructured":"Google. Google maps. http:\/\/maps.google.com\/.]]  Google. Google maps. http:\/\/maps.google.com\/.]]"},{"key":"e_1_2_1_19_1","unstructured":"Halfbakery. Stateless TCP\/IP server. http:\/\/www.halfbakery.com\/idea\/Stateless_20TCP_2fIP_20server.]]  Halfbakery. Stateless TCP\/IP server. http:\/\/www.halfbakery.com\/idea\/Stateless_20TCP_2fIP_20server.]]"},{"key":"e_1_2_1_20_1","doi-asserted-by":"crossref","unstructured":"Harkins D. and Carrel D. 1998. RFC 2409: The Internet key exchange (IKE). http:\/\/www.faqs.org\/rfcs\/rfc2409.html.]]   Harkins D. and Carrel D. 1998. RFC 2409: The Internet key exchange (IKE). http:\/\/www.faqs.org\/rfcs\/rfc2409.html.]]","DOI":"10.17487\/rfc2409"},{"key":"e_1_2_1_21_1","unstructured":"IBM. 2005. DB2 universal database. http:\/\/www-306.ibm.com\/software\/data\/db2.]]  IBM. 2005. DB2 universal database. http:\/\/www-306.ibm.com\/software\/data\/db2.]]"},{"key":"e_1_2_1_22_1","unstructured":"Iyengar A. Ramaswamy L. and Schroeder B. 2005. Web content delivery. In Techniques for Efficiently Serving and Caching Dynamic Web Content X. Tang J. Xu and S. Chanson Ed. Springer.]]  Iyengar A. Ramaswamy L. and Schroeder B. 2005. Web content delivery. In Techniques for Efficiently Serving and Caching Dynamic Web Content X. Tang J. Xu and S. Chanson Ed. Springer.]]"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of Networks and Distributed Systems Security Symposium (NDSS).]]","author":"Juels A."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/511446.511485"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of 2nd USENIX Symposium on Networked Systems Design and Implementation (NSDI).]]","author":"Kandula S."},{"key":"e_1_2_1_26_1","unstructured":"Kent S. 1998. RFC 2401: Secure architecture for the Internet protocol. http:\/\/www.ietf.org\/rfc\/rfc2401.txt.]]   Kent S. 1998. RFC 2401: Secure architecture for the Internet protocol. http:\/\/www.ietf.org\/rfc\/rfc2401.txt.]]"},{"key":"e_1_2_1_27_1","unstructured":"Leyden J. 2003. East European gangs in online protection racket. www.theregister.co.uk\/2003\/11\/12\/east-european-gangs-in-online\/.]]  Leyden J. 2003. East European gangs in online protection racket. www.theregister.co.uk\/2003\/11\/12\/east-european-gangs-in-online\/.]]"},{"key":"e_1_2_1_28_1","unstructured":"NetFilter. Netfilter\/IPTables project homepage. http:\/\/www.netfilter.org\/.]]  NetFilter. Netfilter\/IPTables project homepage. http:\/\/www.netfilter.org\/.]]"},{"key":"e_1_2_1_29_1","unstructured":"Netscape. Javascript language specification. http:\/\/wp.netscape.com\/eng\/javascript\/.]]  Netscape. Javascript language specification. http:\/\/wp.netscape.com\/eng\/javascript\/.]]"},{"key":"e_1_2_1_30_1","unstructured":"Nichols K. Blake S. Baker F. and Black D. RFC 2474: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 headers. http:\/\/www.faqs.org\/rfcs\/rfc2474.html.]]   Nichols K. Blake S. Baker F. and Black D. RFC 2474: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 headers. http:\/\/www.faqs.org\/rfcs\/rfc2474.html.]]"},{"key":"e_1_2_1_31_1","unstructured":"NIST. AES: Advanced encryption standard. http:\/\/csrc.nist.gov\/CryptoToolkit\/aes\/.]]  NIST. AES: Advanced encryption standard. http:\/\/csrc.nist.gov\/CryptoToolkit\/aes\/.]]"},{"key":"e_1_2_1_32_1","unstructured":"OpenSSL. Openssl. http:\/\/www.openssl.org\/.]]  OpenSSL. Openssl. http:\/\/www.openssl.org\/.]]"},{"key":"e_1_2_1_33_1","unstructured":"PHARM. 2000. Java TPCW implementation distribution. http:\/\/www.ece.wisc.edu\/~pharm\/tpcw.shtml.]]  PHARM. 2000. Java TPCW implementation distribution. http:\/\/www.ece.wisc.edu\/~pharm\/tpcw.shtml.]]"},{"key":"e_1_2_1_34_1","unstructured":"Poulsen K. 2004. FBI busts alleged ddos mafia. www.securityfocus.com\/news\/9411.]]  Poulsen K. 2004. FBI busts alleged ddos mafia. www.securityfocus.com\/news\/9411.]]"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/347059.347560"},{"key":"e_1_2_1_36_1","unstructured":"SHA1. 2001. US secure hash algorithm I. http:\/\/www.ietf.org\/rfc\/rfc3174.txt.]]  SHA1. 2001. US secure hash algorithm I. http:\/\/www.ietf.org\/rfc\/rfc3174.txt.]]"},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of IEEE Global Telecommunications Conference (GLOBECOM).]]","author":"Siris V. A."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SRDS.2006.6"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/11925071_14"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/285237.285273"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the USENIX Security Symposium.]]","author":"Stubblefield A."},{"key":"e_1_2_1_42_1","volume-title":"TPCW: Transactional e-commerce benchmark","author":"TPC.","year":"2000"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030118"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030117"},{"key":"e_1_2_1_45_1","volume-title":"AJAX: Asynchronous Java + XML","author":"Wei C. K.","year":"2005"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2003.1176986"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the IEEE 22nd International Conference on Distributed Computer Systems (ICDCS'03)","author":"Yang B."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1080091.1080120"},{"key":"e_1_2_1_49_1","volume-title":"Proceedings of the USENIX Security Symposium.]]","author":"Yin H."}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1377488.1377489","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1377488.1377489","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:57:55Z","timestamp":1750255075000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1377488.1377489"}},"subtitle":["A client-transparent approach"],"short-title":[],"issued":{"date-parts":[[2008,7]]},"references-count":49,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2008,7]]}},"alternative-id":["10.1145\/1377488.1377489"],"URL":"https:\/\/doi.org\/10.1145\/1377488.1377489","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"value":"1559-1131","type":"print"},{"value":"1559-114X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2008,7]]},"assertion":[{"value":"2007-09-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-07-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}