1. Introduction
For many years, distributed denial of service (DDoS) attacks have caused severe damage to victims, and they still constitute one of the major threats on today's Internet. A popular form of DDoS today is the application-layer flood, which overwhelms a Web server with a large number of GET requests. To circumvent detection, attackers are increasingly moving away from pure bandwidth floods to stealthy DDoS attacks that masquerade as flash crowds. Successful early cases include MyDoom [1], Code Red [2] and the FBI case involving DDoS-for-hire [3]. In recent years, news reports and complaints about application-layer DDoS harassment have been frequent [4]–[7]. In fact, the situation is much worse than might be expected, because botnets are booming. The China CCTV program ‘Economy Half Hour’ reported that botnets have formed an industry chain and that the capital involved exceeded 10 billion Chinese Yuan in 2009 [8]. Although botnets are associated with more than just DDoS attacks, current DDoS attacks are mainly launched by them. For an investigation into DDoS crime, the BBC program ‘Click’ brought a medium-sized Website and demonstrated that only 60 broadband connections were enough to make this Website unusable [9]. The experts on the show also said that high-traffic sites were potential victims of application-layer DDoS attacks. Criminals contacted the Websites and threatened them with DDoS attacks. All kinds of high-traffic Websites that generate a lot of revenue relied on being online, so many of them paid up to avoid the attacks.