Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Denying Attacks
A two-layer system stops intelligent denial-of-service attacks

Source: “Mitigating Application-Level Denial of Service Attacks on Web Servers: A Client-Transparent Approach”
Mudhakar Srivatsa et al.
Transactions on the Web, July 2008: 15

Results: Researchers at IBM’s T. J. Watson Research Center and Georgia Tech have developed new security software that minimizes the effects of a type of attack that ties up websites with automated requests, preventing people from using them. The software is tailored to websites that host applications, such as word-­processing and ­interactive-shopping programs.

Why it matters: Denial-of-service attacks can shut down websites, potentially costing millions in revenue. They’re particularly difficult to prevent on websites that host applications, since the automated requests can look very similar to requests from real website users. Distinguishing legitimate users from attackers usually requires cumbersome and inconvenient procedures for logging in to a site. The new software avoids this requirement.

Methods: The researchers wrote algorithms for two filtering systems that prevent attacks. The first limits the total number of requests to the website; the second gives priority to certain users on the basis of what they do on the site. For example, a user who frequently hits the “buy” button will be given higher priority, while users making a quick succession of demanding requests–for example, to download many large image files–will be given a low ­priority. Would-be attackers would tend to make more requests that use up a lot of bandwidth, memory, or processing power but would not perform valuable actions such as making purchases, so they would be flagged; their access to the site would be reduced and eventually cut off.

Next steps: To use the system, programmers must categorize the activities of a website’s users and assign values to each activity. The researchers’ system currently provides an interface that allows programmers to do this. They plan to improve the interface, developing tools to help programmers make the necessary judgments.

0 comments about this story. Start the discussion »

Credit: Mingoo Seok

Tagged: Computing, Communications, software, chips, information technology, low power

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me