Mitigating Browser-based DDoS Attacks using CORP.

ISEC(2017)

Abstract
On March 27, 2015, GitHub witnessed a massive DDoS attack, the largest in GitHub's history to date. In this incident, browsers and users were used as vectors to launch the attack. In this paper, we analyse such browser-based DDoS attacks and simulate them in a lab environment. Existing browser security policies such as the Same Origin Policy (SOP) and Content Security Policy (CSP) do not, by design, mitigate these attacks. We observe that CORP (Cross Origin Request Policy), a browser security policy, can be used to mitigate them. CORP enables a server to control cross-origin interactions initiated by a browser. The browser intercepts cross-origin requests and blocks those that the server does not want. This takes the load off the server and mitigates the attack.
Keywords
DDoS, Browser-based DDoS, Browser, JavaScript, Cross-origin requests, MITM (Man in the middle)