IJSATE032503



Automated Detection and Mitigation of DDoS Attacks on Web Applications

1st Monika Battula
Information Technology, Gayatri Vidya Parishad College of Engineering (Autonomous), Visakhapatnam, India
[email protected]

2nd Shanmukh Sai Korada
Information Technology, Gayatri Vidya Parishad College of Engineering (Autonomous), Visakhapatnam, India
[email protected]

3rd Raju Jonnada
Information Technology, Gayatri Vidya Parishad College of Engineering (Autonomous), Visakhapatnam, India
[email protected]

4th Dr K SandhyaRani Kundra
Information Technology, Gayatri Vidya Parishad College of Engineering (Autonomous), Visakhapatnam, India
[email protected]

Abstract—Distributed Denial-of-Service (DDoS) attacks pose a serious web application security threat to cloud deployments due to network resource exhaustion with malicious traffic, leading to service availability outages. Though several mitigation strategies exist, building an automated and real-time detection system with low computational overhead is still challenging. Furthermore, testing new defense systems demands a good cloud security architecture and real-time attack scenarios. In this paper, we first investigate current cloud security architectures and propose an optimized DDoS detection and mitigation system. Second, we build an intelligent security tool that uses real-time traffic observation and machine learning-based anomaly detection using classification algorithms. Third, we implement an adaptive mitigation system that dynamically scales and reroutes traffic to provide high availability during attack times. Lastly, we test our proposed system under attack simulation scenarios and demonstrate its efficiency in detection, mitigation, and recovery from DDoS attacks without sacrificing optimal cloud performance.

Index Terms—DDoS Attacks, Cloud Security, Network Security, Anomaly Detection, Mitigation Strategies, Traffic Analysis, Cloud Computing, High availability systems.

I. INTRODUCTION
With the swift growth of cloud computing and web applications, maintaining cybersecurity and service availability has emerged as a major challenge. Of all the cyber threats, Distributed Denial-of-Service (DDoS) attacks are one of the most enduring and intrusive, able to bring down network infrastructures, interrupt online services, and incur enormous financial losses. DDoS attacks overwhelm target servers with enormous amounts of malicious traffic, making them unavailable to legitimate users and severely affecting system reliability. DDoS attacks are usually perpetrated by botnets—large networks of infected devices spread across the world—which are extremely scalable, hard to track, and highly advanced. Innovation in attack strategies, such as low-and-slow attacks, amplification attacks, and adaptive DDoS techniques based on artificial intelligence, has nullified traditional methods of mitigation. Furthermore, the fact that legitimate traffic bursts and attack bursts look similar is the biggest challenge to real-time detection and response.

In response to these difficulties, this paper introduces a flexible and holistic framework for DDoS detection and mitigation that employs real-time traffic inspection, anomaly detection through machine learning, and adaptive mitigation actions. The proposed system is implemented to:
Monitor network traffic incessantly to observe anomalous behaviors.
Identify traffic behavior utilizing sophisticated machine learning techniques to recognize legitimate traffic as well as patterns of attacks.
Dynamically counter DDoS attacks by smartly scaling resources, redirecting malicious traffic, and using automated recovery processes.

In addition, we emulate actual attack situations to test the efficacy of our system and show its high detection rate, low computational overhead, and quick response time. Using intelligent detection and adaptive defense mechanisms, this work seeks to contribute to the improvement of cybersecurity resilience in contemporary cloud-based systems.

The remainder of this paper is organized as follows: Section II presents a survey of current DDoS detection and mitigation methods. Section III outlines our proposed framework and approach. Section IV discusses the experimental setup, attack simulations, and performance metrics. Section V presents the results and performance analysis, and Section VI concludes the paper with major findings and future work directions.

II. AVAILABLE DATASETS

In order to create automated DDoS detection and mitigation mechanisms, researchers need high-quality data that reflects realistic attack patterns and the network activity of real-world DDoS attacks. A variety of datasets have been created to assist research in the area, among them CICDDoS2019, the DDoS SDN Dataset, and the APA-DDoS Dataset, each providing distinct features that answer different questions concerning DDoS detection and mitigation.

The CICDDoS2019 dataset, created by the Canadian Institute for Cybersecurity (CIC), offers a rich and labeled dataset for DDoS research. It consists of several reflective types of DDoS attacks, including PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS, and SNMP. The dataset consists of 80 network traffic features mined using CICFlowMeter, recording both benign and attack traffic to mimic real-world scenarios. It is commonly applied in DDoS detection models based on machine learning, providing useful information about network behavior. The dataset can be downloaded from the Canadian Institute for Cybersecurity website and is made available to researchers and developers of DDoS mitigation techniques.

The DDoS SDN dataset, accessible on Kaggle, is mainly meant for Software-Defined Networking (SDN) networks, where dynamic network control systems are employed to neutralize DDoS attacks. It comprises 104,345 network flow records with 23 extracted features that offer insights into malicious activity and traffic anomalies. The dataset is organized for machine learning usage with a target variable that marks normal and malicious traffic, allowing supervised learning techniques. The dataset contains statistical flow-based features like packet count, byte count, flow duration, and protocol types, which are suitable for network-based anomaly detection in SDN architectures. Researchers can use this dataset to fine-tune traffic engineering techniques and improve next-generation network security mechanisms.

The APA-DDoS dataset, also available on Kaggle, is designed for the study of TCP-based flooding attacks, especially ACK Flooding and PUSH-ACK Flooding. The dataset is designed for high-traffic volume simulation, enabling researchers to investigate network-layer attacks and create intrusion detection systems (IDS) for TCP-based attacks. The APA-DDoS dataset is designed to fill gaps in current datasets by covering certain attack scenarios that are poorly represented in classical DDoS datasets. It offers a sharp separation between benign and attack traffic, and therefore it is a great dataset for ML-based classification models in cybersecurity research.

These datasets all play distinct roles in DDoS attack detection and defense. The CICDDoS2019 dataset is broad and generally usable for multi-vector attack analysis, while the DDoS SDN dataset is specific to SDN-based security studies. The APA-DDoS dataset is designed for TCP-layer attack detection and hence has specialized use in targeted intrusion detection and TCP-based attack mitigation studies. Choosing the right dataset is instrumental in creating and validating strong cybersecurity models, and all of these datasets play their part in helping real-time adaptive security solutions tackle emerging DDoS threats. Future studies would do well to investigate the application of AI-powered mitigation techniques in enhancing defensive processes in contemporary cloud-based systems.

III. PROPOSED FRAMEWORK AND APPROACH

A. Attack Simulation
For emulating real-world DDoS attack scenarios, the system employs hping3 to create large amounts of malicious traffic against the web servers. An Nginx server is set up as a load balancer that sends traffic based on a round-robin algorithm so that legitimate traffic is evenly distributed among backend servers. As Nginx itself can be a target, extra security features like rate limiting and failover are added to increase resilience.

B. Traffic Capturing
The Nginx load balancer continuously records incoming network traffic with tcpdump, saving packets in .pcap files. The captured traffic is saved in a dedicated directory (pcaps), with each file capped at 5MB for the sake of processing efficiency.

C. Traffic Analysis and Detection
A Python worker script installed on the Nginx server continuously checks the pcaps directory, picking up newly created .pcap files and sending them to the detection server for real-time analysis.
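The capture-to-detection hand-off described in this subsection, together with the attacking-IP reply and the iptables blocking step that subsections D and E below describe, as an added illustration written for this page rather than the authors' worker code. It assumes, since the paper does not say, that tcpdump rotates its output into the pcaps directory so the most recently modified file is still being written, that the detection server replies with JSON of the form {"attacking_ips": [...]}, and that the load balancer and backend addresses in ALLOWLIST are placeholders that must never be blocked; the sample reply is constructed.

```python
"""Worker-side hand-off from capture to detection to mitigation.

Illustration added for Section III of this paper; it is not the authors'
code. Assumptions not stated in the paper: tcpdump rotates its output into
the pcaps directory, the detection server replies with JSON of the form
{"attacking_ips": [...]}, and the ALLOWLIST addresses are placeholders for
the Nginx load balancer and the backend pool.
"""
import ipaddress
import json
from typing import Callable, Iterable, List, Sequence, Set, Tuple

# Placeholder addresses of the load balancer and backends: never block these.
ALLOWLIST: Set[str] = {"10.0.0.1", "10.0.0.11", "10.0.0.12"}


def finished_captures(files: Sequence[Tuple[str, float, int]],
                      shipped: Set[str]) -> List[str]:
    """Select capture files that are safe to send to the detection server.

    `files` holds (name, mtime, size) triples as os.stat() would report.
    tcpdump keeps appending to the most recently modified file, so that one
    is left alone; files already shipped are skipped; the rest come back
    oldest first so the detection server sees traffic in order.
    """
    if not files:
        return []
    newest = max(files, key=lambda f: f[1])[0]
    ready = [f for f in files if f[0] != newest and f[0] not in shipped]
    ready.sort(key=lambda f: f[1])
    return [name for name, _, _ in ready]


def parse_detection_reply(body: str) -> List[str]:
    """Decode the detection server's reply into a list of raw IP strings."""
    data = json.loads(body)
    ips = data.get("attacking_ips", [])
    if not isinstance(ips, list):
        raise ValueError("attacking_ips must be a list")
    return [str(ip) for ip in ips]


def addresses_to_block(reported: Iterable[str],
                       allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Validate and filter reported attackers before they reach iptables.

    Anything that is not a single IPv4/IPv6 host address is dropped (a
    malformed reply must never become a firewall argument), as are loopback
    and allowlisted addresses. Duplicates collapse; output is canonical and
    sorted with IPv4 before IPv6.
    """
    keep = set()
    for item in reported:
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            continue
        if addr.is_loopback or str(addr) in allowlist:
            continue
        keep.add(addr)
    return [str(a) for a in sorted(keep, key=lambda a: (a.version, int(a)))]


def apply_blocks(ips: Sequence[str], run: Callable[[List[str]], int]) -> List[str]:
    """Insert one DROP rule per attacker, skipping rules already present.

    `run(argv)` executes a command and returns its exit status; on a real
    host pass `lambda argv: subprocess.run(argv).returncode`. `-C` asks
    whether the rule exists, `-I INPUT` inserts it at the top of the chain so
    it takes effect before the ACCEPT rules that admit traffic to Nginx.
    Returns the addresses for which a new rule was inserted.
    """
    inserted = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rule = ["INPUT", "-s", ip, "-j", "DROP"]
        if run([tool, "-C"] + rule) == 0:
            continue                      # already blocked on an earlier round
        if run([tool, "-I"] + rule) == 0:
            inserted.append(ip)
    return inserted


if __name__ == "__main__":
    # Constructed reply: one duplicate, one allowlisted host, loopback, junk.
    reply = ('{"attacking_ips": ["203.0.113.7", "203.0.113.7", "10.0.0.1", '
             '"127.0.0.1", "not-an-ip", "2001:db8::5", "192.0.2.99"]}')
    targets = addresses_to_block(parse_detection_reply(reply))
    print("would block:", targets)

    def show(argv):                      # dry run: print instead of executing
        print(" ".join(argv))
        return 1 if argv[1] == "-C" else 0

    apply_blocks(targets, show)
```

The validation step matters because the worker runs iptables with root privileges: only canonical host addresses that survive the allowlist reach the command line, and the `-C` probe keeps repeated detection rounds from stacking duplicate rules.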
Figure 1: System Architecture

D. Detection Server
The detection server is developed with FastAPI and takes .pcap files to process. The pyflowmeter tool is used to extract network flow features, creating a dataset of around 80 traffic features. The extracted features are fed into a trained Random Forest machine learning model, which identifies DDoS attack patterns and determines malicious IP addresses showing anomalous behavior. The detection server then sends a list of detected attacking IPs back to the Python worker for mitigation.

E. Mitigation Mechanism
The Python worker on the Nginx server takes immediate mitigation actions upon receipt of the attacking IPs list. The system utilizes iptables to block the discovered malicious IPs to prevent attack traffic from reaching the web servers. Further security configurations are implemented to keep the Nginx load balancer from direct attacks.

F. System Architecture
This architecture is intended to identify and neutralize DDoS attacks by monitoring network traffic and blocking malicious IPs in real time. It incorporates machine learning for smart threat detection and provides security through automated filtering and blocking processes.

IV. DATASET
The following 12 attacks were launched during the training phase: NTP, DNS, LDAP, MSSQL, NetBIOS, SNMP, SSDP, UDP, UDP-Lag, WebDDoS, SYN, and TFTP. On the testing side, only 7 attacks were launched: PortScan, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, and SYN. Surprisingly, PortScan was launched solely during the testing phase and hence is considered an unseen or unknown attack for testing the capability of the model to generalize and identify new attacks. This configuration provides a strong test of the performance of the suggested model in identifying known as well as unknown attacks.

IV. ANALYSIS

A. Data Summary and Visualization
The function cat_summary provides a detailed analysis of categorical variables in a dataset. It first displays the count and percentage distribution of unique values in the specified column. If plot=True, it generates two visualizations: a count plot showing the frequency distribution and a pie chart representing the percentage distribution of each category. The count plot helps identify the most and least frequent categories, while the pie chart provides a proportional overview. The function is applied iteratively to all categorical columns in cat_cols, offering a comprehensive summary and visualization of the dataset's categorical features.

Label      Count   Ratio (%)
Syn        47246   40.426114
Benign     40980   35.064602
UDP        17795   15.226320
MSSQL       8434    7.216565
LDAP        1885    1.612903
NetBIOS      475    0.406434
UDPLag        55    0.047061

Figure 2: Data Summary

B. Model Training and Evaluation
The train_model function trains and evaluates multiple machine learning classifiers including Random Forest, K-Nearest Neighbors (KNN), Extra Trees, and Multi-Layer Perceptron (MLP). It trains each model on X_train and y_train, then predicts on X_test to compute performance metrics: accuracy, precision, recall, F1-score, ROC AUC score, and cross-validation score. Additionally, it plots ROC curves for each model and class, helping visualize classification performance. A summary DataFrame is created to compare model results, and the scores are displayed using a heatmap for better interpretation. This function provides a streamlined and visual approach to selecting the best-performing model.

Figure 3: ROC Curve

C. Packet Flags and Attack Patterns
Packet flags are essential indicators of network traffic patterns and are an important factor in identifying DDoS attacks. The script takes all column names in the data that have "flag_" in them, which are the TCP flag columns such as SYN, ACK, FIN, RST, PSH, and URG. These flags are used to identify various kinds of network activity, such as normal communication and possible cyber-attacks. To examine the distribution of the flags, the script loops through each flag column and creates count plots with seaborn. The plots show the number of each flag by attack type (label). This visualization allows patterns in flag usage between normal and malicious traffic to be discerned. For instance, an unusually high frequency of SYN flags with no matching ACK responses would reveal a SYN flood attack, whereas an overwhelming number of RST flags might reveal a disruption of ongoing connections. By analyzing packet flag distributions, the model is able to capture anomalies that distinguish benign from DDoS attack traffic and enhance classification accuracy and real-time threat detection.

The distribution of FIN flags, as given in Figure 4, reveals the closure of a connection. The figure shows that benign traffic has a very large number of FIN flags, but attack traffic changes in distribution as some attack vectors have drastically smaller occurrences. The SYN flag distribution, critical in the creation of TCP connections, is pointed out in Figure 5. Benign traffic has a greater SYN flag number, but some attacks like Denial-of-Service (DoS) attacks could have more SYN flags because of SYN flooding. In the same way, Figure 6 shows the distribution of ACK flag counts, where benign traffic has a majority of ACK flags to ensure packet acknowledgment. But there are some categories of attacks that show less occurrence of ACK flags, which may be indicative of connection hijacking or partial handshakes. Figure 7 discusses the distribution of RST flag counts, which are used to reset TCP connections. In attack traffic, the RST flag count is occasionally higher, which may be indicative of attempts to tear down active connections or avoid detection systems. Figure 8 is the PSH flag count distribution; the PSH flag mandates the immediate transmission of data. Benign traffic contains a high number of PSH flags, while some categories of attacks contain fewer, indicating the possibility of modification of packet-handling processes by attackers. Figure 9 depicts the URG flag count distribution, which marks some packets as high priority. Yet, URG flags are rarely seen in network traffic, and attack traffic does not reflect consistent usage. Figure 10 provides the distribution of ECE flag counts used in congestion control. The data indicates that benign traffic has a larger number of ECE flags, while attack traffic shows smaller counts, which may reflect varying congestion management techniques. Finally, Figure 11 shows the distribution of CWE (Congestion Window Reduced) flag counts, which is another congestion control method. Benign traffic exhibits a much greater prevalence of CWE flags, whereas attack traffic illustrates a lower frequency, perhaps reflecting diverse reactions to congestion states in malicious networks.

Figure 12: Packet Flags and Attack Patterns

These visualizations together reveal unique patterns in TCP flag usage, providing essential insights for intrusion detection systems (IDS) and network security analysis. The identification of these distributions assists in detecting network anomalies, suspected attacks, and deviations from normal TCP behavior, enabling better threat mitigation strategies.

Figure 13: Testing Scores of models

D. Accuracy
The accuracy scores of the various machine learning models are rendered in a plot using Matplotlib. The script extracts the Model and Accuracy columns out of the scores DataFrame into the variables models and accuracy and creates a color map using cm.viridis for better visual representation, so that each model can be distinguished by color according to its position in the dataset. Then, it uses a for loop to create a plot where each point is a marker='o' for a model's accuracy score, with the corresponding color from the color map, and a line connecting the accuracy points is drawn in a soft blue (#7393B3), indicating the accuracy trend across models. The plot is assigned a suitable title, the axes are labeled, and the y-axis range is set to 0.98-1 for a closer view of the accuracies. The x-axis labels are rotated by 45 degrees for better readability, and a grid is added for better visualization. A legend entry is assigned to each model, with duplicate entries filtered out. Lastly, plt.tight_layout() is called for spacing and plt.show() is called to display the plot, giving an effective visual comparison of the models' goodness of fit based on their accuracies.

Figure 14: Accuracy Score for Models

E. Grafana
Grafana is a powerful open-source visualization platform used for monitoring and analyzing real-time network traffic and attack patterns. It allows security analysts to build interactive and customizable dashboards that provide rich insights into various metrics, such as traffic flow, anomaly detection, and system performance. With support for multiple data sources like Prometheus, InfluxDB, and Elasticsearch, Grafana makes it easy to aggregate and correlate data.

In the field of cybersecurity, Grafana plays a central role in identifying potential threats by graphically representing key indicators such as unusual spikes in SYN requests, changes in TCP flag distributions, and unusual bandwidth usage. Security teams are empowered to set up alerts based on predefined thresholds, thus making proactive threat detection and response possible. With the ability to display real-time and historical data, Grafana allows organizations to track attack trends over time, analyze patterns, and optimize incident response plans.

In addition, its simplicity and ability to support multiple plugins make it an effective tool for system performance analysis, network monitoring, and forensic analysis. With the help of Grafana's dynamic visualizations, security experts can effectively pull relevant insights into network activity, thereby improving overall security and threat mitigation processes.

F. UML Diagrams
a) Class Diagram:
The DDoS Detection System is crafted to effectively handle network traffic while pinpointing and addressing potential cyber threats. The Class Diagram showcases the main components and their interconnections within the system. The NginxServer serves as the main gateway, managing incoming traffic and distributing requests. The WebServer takes care of client requests and channels traffic for deeper analysis. The PythonWorker is vital for traffic analysis, capturing and processing packet data in PCAP format. The Detection Server is tasked with spotting anomalies and potential threats by examining network patterns to identify DDoS attacks. This setup guarantees an efficient and secure distributed system for detecting and mitigating threats.

Figure 15: Class Diagram

b) Use Case Diagram
The Use Case Diagram outlines how various actors engage with the system. The System is accountable for capturing and distributing traffic, analyzing network behavior, detecting DDoS attacks, and mitigating threats. A Normal User interacts with the web server for legitimate purposes, while an Attacker tries to simulate an attack to overwhelm the system. This diagram emphasizes the key functionalities required to monitor traffic, identify malicious activities, and ensure uninterrupted service for legitimate users.

Figure 16: Use Case Diagram

c) Sequence Diagram
The Sequence Diagram offers a detailed visualization of the DDoS detection and mitigation process. A User Request is initially sent to the NginxServer, which then forwards it to the WebServer, distributing traffic using a round-robin method. The Python Worker captures network traffic and saves it in PCAP format for further examination. The DetectionServer analyzes these files to identify malicious IPs. If a threat is detected, the NginxServer promptly acts to block the attacker, ensuring network security and stability. This workflow effectively maintains normal traffic flow while proactively addressing potential cyber threats in real time.

Figure 17: Sequence Diagram

V. CONCLUSION
The Smart DDoS Detection and Mitigation System offers a sophisticated and effective way to tackle DDoS attacks, which are a major cybersecurity concern. By utilizing real-time traffic monitoring, machine learning for detection, and automated responses, the system guarantees high availability and strong security for web applications. Its intelligent detection capabilities allow for the proactive identification and blocking of malicious IPs, reducing the chances of service interruptions, downtime, and financial losses.

With its modular and scalable design, the system can seamlessly adapt to cloud and on-premises infrastructures, making it a versatile solution for various deployment environments. The emphasis on automation and minimal human intervention enhances operational efficiency, enabling organizations to respond swiftly to emerging cyber threats. This comprehensive approach significantly strengthens the security posture of businesses, ensuring resilience against evolving attack patterns while maintaining uninterrupted service for legitimate users.
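Returning to the data analysis of Sections IV.A and IV.C, the following added example (written for this page, not the authors' notebook) computes the label distribution of Figure 2 and the per-label TCP flag statistics that the count plots of Figures 4 to 11 summarize, and applies the SYN-without-ACK signature the text describes to single out a SYN-flood class. The flow records are plain dicts; the flag_* column names and the sample rows are constructed for this example and stand in for CICFlowMeter-style per-flow flag counts.

```python
"""Per-label view of TCP flag counts: the numbers behind Figures 2 and 4-11.

Illustration added for Sections IV.A and IV.C; it is not the authors'
notebook. Flow records are plain dicts with a 'Label' column and per-flow
flag counts; the 'flag_*' column names and SAMPLE_ROWS are constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

Row = Dict[str, object]

# Constructed sample: benign flows carry many ACKs per SYN; flows in the SYN
# flood class are lone SYN packets; UDP-based classes carry no TCP flags.
SAMPLE_ROWS: List[Row] = [
    {"Label": "Benign", "flag_syn": 1, "flag_ack": 8, "flag_fin": 1, "flag_rst": 0, "flag_psh": 3},
    {"Label": "Benign", "flag_syn": 1, "flag_ack": 12, "flag_fin": 1, "flag_rst": 0, "flag_psh": 5},
    {"Label": "Benign", "flag_syn": 2, "flag_ack": 10, "flag_fin": 1, "flag_rst": 1, "flag_psh": 4},
] + [
    {"Label": "Syn", "flag_syn": 1, "flag_ack": 0, "flag_fin": 0, "flag_rst": 0, "flag_psh": 0}
    for _ in range(4)
] + [
    {"Label": "UDP", "flag_syn": 0, "flag_ack": 0, "flag_fin": 0, "flag_rst": 0, "flag_psh": 0}
    for _ in range(2)
] + [
    {"Label": "MSSQL", "flag_syn": 0, "flag_ack": 0, "flag_fin": 0, "flag_rst": 0, "flag_psh": 0},
]


def cat_summary(rows: Sequence[Row], col: str) -> List[Tuple[str, int, float]]:
    """Count and percentage share of each value in `col`, largest first (Figure 2)."""
    counts = Counter(str(r[col]) for r in rows)
    total = sum(counts.values())
    return [(value, n, round(100.0 * n / total, 6)) for value, n in counts.most_common()]


def flag_columns(rows: Sequence[Row]) -> List[str]:
    """Every column whose name contains 'flag_', as the paper's script selects them."""
    names = set()
    for r in rows:
        names.update(k for k in r if "flag_" in k)
    return sorted(names)


def flag_means_by_label(rows: Sequence[Row]) -> Dict[str, Dict[str, float]]:
    """Mean flag count per label: the per-class figure each count plot conveys."""
    sums = defaultdict(lambda: defaultdict(int))
    n = Counter()
    cols = flag_columns(rows)
    for r in rows:
        label = str(r["Label"])
        n[label] += 1
        for c in cols:
            sums[label][c] += int(r.get(c, 0))
    return {label: {c: sums[label][c] / n[label] for c in cols} for label in n}


def syn_ack_imbalance(rows: Sequence[Row], threshold: float = 3.0) -> Dict[str, float]:
    """SYN-to-ACK ratio per label, keeping only labels at or above `threshold`.

    This is the signature the text describes: many SYN flags with no matching
    ACKs. A class that sends SYNs but never an ACK gets an infinite ratio;
    classes with no SYNs at all (pure UDP floods) are not TCP candidates and
    are skipped.
    """
    syn, ack = Counter(), Counter()
    for r in rows:
        label = str(r["Label"])
        syn[label] += int(r.get("flag_syn", 0))
        ack[label] += int(r.get("flag_ack", 0))
    flagged = {}
    for label in syn:
        if syn[label] == 0:
            continue
        ratio = syn[label] / ack[label] if ack[label] else float("inf")
        if ratio >= threshold:
            flagged[label] = ratio
    return flagged


if __name__ == "__main__":
    print(f"{'Label':<10}{'Count':>8}{'Ratio (%)':>12}")
    for label, count, ratio in cat_summary(SAMPLE_ROWS, "Label"):
        print(f"{label:<10}{count:>8}{ratio:>12.6f}")
    for label, means in flag_means_by_label(SAMPLE_ROWS).items():
        print(label, {c: round(v, 2) for c, v in means.items()})
    print("SYN-heavy classes:", syn_ack_imbalance(SAMPLE_ROWS))
```

The ratio test is deliberately per label rather than per flow: a single benign flow can legitimately start with a SYN and no ACK yet, so the imbalance only becomes a signature when it holds across a whole class of traffic, which is the pattern the count plots in this section make visible.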

VI. ACKNOWLEDGEMENT
This work was supported by Dr. SandhyaRani Kundra, Associate Professor of the Department of Information Technology, who contributed towards the project for building the application. This support is greatly appreciated.

