International Journal of Scientific Research in Computer Science (IJSRCS), Vol. 1, Issue 2, Sep. 2013

DDoS Detection Of Refresh Attacks For HTTP And FTP

Sanjay B Ankali and Chandrakant Umarani

ABSTRACT: In recent days the Internet has become more prone to DDoS attacks. Over time, researchers have proposed many solutions to prevent DDoS attacks at different OSI layers; however, none has seen proper deployment, and there has been very little research on layer seven. This paper designs two independent architectures for HTTP and FTP which use the refresh habits of web searchers (F5 attacks). A forward algorithm is derived for the online implementation of the model, based on the M-algorithm, in order to reduce the computational load introduced by the model's large state space.

Keywords - Application-layer, distributed denial of service (DDoS), Denial of Service (DoS), FTP and HTTP.

I. INTRODUCTION

The term "availability" means that the information, the computing systems and the security controls are all accessible and operable in a committed state at any random point in time. Threats to Internet availability are a major concern, hampering the growth and continued existence of e-business and other Internet-based applications. The Internet, like any other product, is prone to failures. Internet failures can be accidental or intentional. The Internet's design concentrates mainly on providing functionality, though a little attention has been given to designing strategies for controlling accidental failures. Intentional attacks by malicious users/hackers/crackers, on the other hand, have no answer in the original Internet design. A Denial of Service (DoS) attack is such an intentional attempt by malicious users/attackers to completely disrupt or degrade the availability of a service/resource to genuine/authorized users [1].
Some well-known DoS attacks are SYN flood, teardrop, smurf, ping of death, land, finger bomb, black holes, octopus, snork, ARP cache poisoning and misdirection. DoS attacks exploit weaknesses in Internet protocols, applications, operating systems and protocol implementations in operating systems. Distributed Denial of Service (DDoS) attacks degrade or completely disrupt services to genuine users by expending the communication and/or computational resources of the target. Mirkovic et al. [2] described DDoS attacks as an amplified form of DoS attacks, where attackers direct hundreds or even thousands of compromised hosts, called zombies, against a single target. These zombie hosts are innocently recruited from the millions of unprotected computers accessing the Internet through high-bandwidth, always-available connections.

Sanjay B Ankali and Chandrakant Umarani are working as Assistant Professor, Department of Computer Science & Engg, KLECET, Chikodi, India. Emails: sanjay.ankali@yahoo.com, sanjaybankali@gmail.com, chandrakantumrani@gmail.com

DDoS attacks have caused severe damage to servers and will pose even greater threats to the development of new Internet services. Conventionally, DDoS attacks are carried out at the network layer, such as ICMP flooding, SYN flooding and UDP flooding; these are called Net-DDoS attacks. This paper proposed different schemes (e.g., network measure or anomaly detection) to protect the network and equipment from bandwidth attacks; it is not as easy as in the past for attackers to launch DDoS attacks based on the network layer. When simple Net-DDoS attacks fail, attackers shift their distasteful strategies to application-layer attacks and establish a more sophisticated type of DDoS attack. To circumvent detection, they attack the victim Web servers with HTTP GET requests (e.g., HTTP flooding) and by pulling large image files from the victim server in overwhelming numbers.
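The GET-flood pattern just described can be seen in ordinary access logs. The sketch below is an added example, not the model proposed in this paper: it is a simple per-client sliding-window counter that flags clients re-requesting the same resource far faster than a person pressing F5 would. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0    # assumed sliding-window length in seconds
MAX_REFRESH = 5    # assumed ceiling for a human repeatedly pressing F5

# Constructed sample log, one request per line: "epoch client METHOD path"
SAMPLE = (
    # 20 fetches of one large image in under 4 seconds (flood-like)
    [f"{1000 + 0.2 * i:.1f} 10.0.0.5 GET /img/banner.jpg" for i in range(20)]
    # a user refreshing the home page three times over a few seconds
    + [f"{1000 + 2 * i:.1f} 10.0.0.9 GET /index.html" for i in range(3)]
    # a user browsing eight different pages
    + [f"{1001 + i:.1f} 10.0.0.7 GET /page{i}.html" for i in range(8)]
)

def parse(line):
    """Split one constructed log line into (timestamp, client, method, path)."""
    ts, client, method, path = line.split()
    return float(ts), client, method, path

def refresh_flooders(lines, window=WINDOW_S, limit=MAX_REFRESH):
    """Return {client: (path, peak_count)} for every client that requests the
    same path more than `limit` times within any `window`-second span."""
    recent = defaultdict(deque)   # (client, path) -> timestamps still in window
    flagged = {}
    for ts, client, method, path in sorted(map(parse, lines)):
        if method != "GET":
            continue
        hits = recent[(client, path)]
        hits.append(ts)
        while ts - hits[0] > window:      # expire hits older than the window
            hits.popleft()
        if len(hits) > limit:
            _, peak = flagged.get(client, (path, 0))
            if len(hits) > peak:          # remember the worst burst seen
                flagged[client] = (path, len(hits))
    return flagged

if __name__ == "__main__":
    for client, (path, peak) in refresh_flooders(SAMPLE).items():
        print(f"{client}: {peak} GETs of {path} within {WINDOW_S:.0f}s")
```

A fixed per-address threshold like this misses low-rate floods spread over many sources and can flag many legitimate users who share one NAT address.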
In another case, attackers run a massive number of queries through the victim's search engine or database query interface to bring the server down [1]. Such attacks are called application-layer DDoS (App-DDoS) attacks. The MyDoom worm [3] and CyberSlam [4] are both instances of this type of attack.

II. LITERATURE SURVEY

Research has long been done on detecting DDoS attacks at three different OSI layers, namely the network layer, the transmission layer and the application layer, but very little work has been done on layer 7 because such attacks were rare in the past. The techniques are highlighted below.

1) Client Puzzle Protocol

Client Puzzle Protocol (CPP) is an algorithm for use in Internet communication whose goal is to make abuse of server resources infeasible. The idea of CPP is to require all clients connecting to a server to correctly solve a mathematical puzzle before establishing a connection, if the server is under attack. After solving the puzzle, the client returns the solution to the server, which the server quickly confirms, or rejects and drops the connection. The puzzle is made simple and easily solvable but requires at least a minimal amount of computation on the client side. Genuine users experience just a negligible computational cost, but abuse is deterred: clients that try to establish a large number of connections simultaneously are unable to do so because of the computational cost (time delay). This method holds promise in fighting some types of spam as well as other attacks such as Denial of Service.

2) Intrusion Detection System

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of probable incidents, which are violations or