Mitigating Denial of Service Attack Using Captcha Mechanism

Mitigating Denial of Service attack using CAPTCHA mechanism

Mahendra Mehra, Mayank Agarwal, Ashish Mangal, Deven Shah
Sardar Patel Institute of Technology - Mumbai, India,                 mahendra488@gmail.com,mayank265@gmail.com, ashish.mangal@yahoo.com, devenshahin@yahoo.com

Abstract—Denial of Service (DoS henceforth) attack is performed solely with the intention to deny the legitimate users to access services. Since DoS attack is usually performed by means of bots, automated software. These bots send a large number of fake requests to the server which exceeds server buffer capacity which results in DoS attack. In this paper we propose an idea to prevent DoS attack on web-sites which ask for user credentials before it allows them to access resources. Our approach is based on CAPTCHA verification. We verify CAPTCHA submitted by user before allowing the access to credentials page. The CAPTCHA would consist of variety of patterns that would be distinct in nature and are randomly generated during each visit to the web-page. Most of the current web sites use a common methodology to generate all its CAPTCHAs. The bots usually take advantage of this approach since bots are able to decipher those CAPTCHAs. A set of distinct CAPTCHA patterns prevents bots to decipher it and consequently helps to reduce the generation of illicit traffic. This preserves the server bandwidth to allow the legitimate users to access the site.

Keywords-Denial of Service; CAPTCHA; Spam; Bot; Turing Test; Traffic

1.  Introduction [pic 1]

The number of DoS [1] and Distributed Denial of Service (DDoS) attacks on the Internet has increased substantially in the last several years. The user expects that the sservice providers routinely avoid, administer and alleviate these types of attacks which occur daily on their networks.  Our paper discusses the most common types of DoS attacks seen on the Internet. We also propose methods that service providers can use to prevent DoS attack. DoS attacks have become more powerful in the last several years as the level of attack automation has increased.   A lot of precompiled and ready to use programs allow beginners to launch relatively large scale attacks with ease. Internet robots (or bots) are automated software agents or scripts that perform specific tasks without the continuous involvement of human operators. The enormous expansion of the Web has made Internet bots indispensable tools for various tasks, such as crawl Web sites to populate search engines, indexes for faster search results, or to perform repetitive tasks such as check URL validity etc.  Unfortunately, malicious users also use robots for wrong intentions. These include, infect machines with malicious code to flood Web sites with enormous requests, generate huge traffic, buffer overflows etc. In this paper; we identify human-generated Web traffic and separate it from robot-generated traffic by means of CAPTCHA [2] [3]. With this information, we can implement a number of policies, such as limit the number of fake request generated and sent to a website with the help of malicious bots. We therefore emphasize on the use of CAPTCHA [4] in order to detect and prevent DoS attack at the initial stage itself. Our paper is organized as follows: In Section 2, we explain the concept of DoS and its types. In Section 3, we talk about CAPTCHA and the various form of its implementation. In Section 4, we describe our concept to prevent DoS using CAPTCHA. In Section 5, we discuss the advantages of CAPTCHA approach and how CAPTCHAs can be made more sophisticated for bots to decode. Section 6, concludes our paper.