Abstract
We present a new class of low-volume application layer DDoS attack–Very Short Intermittent DDoS (VSI-DDoS). Such attack sends intermittent bursts (tens of milliseconds duration) of legitimate HTTP requests to the target website with the goal of degrading the quality of service (QoS) of the system and damaging the long-term business of the service provider. VSI-DDoS attacks can be especially stealthy since they can significantly impair the target system performance while the average usage rate of all the system resources is at a moderate level, making it hard to pinpoint the root-cause of performance degradation. We develop a framework to effectively launch VSI-DDoS attacks, which includes three phases: the profiling phase in which appropriate HTTP requests are selected to launch the attack, the training phase in which a typical Service Level Agreement (e.g., \(95^{th}\) percentile response time <1 s) is used to train the attack parameters, and the attacking phase in which attacking scripts are generated and deployed to distributed bots to launch the actual attack. To evaluate such VSI-DDoS attacks, we conduct extensive experiments using a representative benchmark web application under realistic cloud scaling settings and equipped with some popular state-of-the-art IDS/IPS systems (e.g., Snort), and find that our attacks are able to effectively cause the long-tail latency problem of the benchmark website while escaping the radar of those DDoS defense tools.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Low utilization is to rule out the queueing effect inside the target system.
- 2.
Short L leads to high instant request rate \(V\text {/}L\), OS kernel may not be able to handle packets promptly due to high overhead of interrupt handling [18].
References
Amazon Auto Scaling. https://aws.amazon.com/documentation/autoscaling
Amazon CloudWatch Concepts. http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html
ASA Threat Detection Functionality and Configuration. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html
Kaspersky DDoS Intelligence Report for Q1 2017. https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-report-on-ddos-attacks-in-q1-2017-the-lull-before-the-storm
NSFCloud. https://www.cloudlab.us
RUBBoS. http://jmob.ow2.org/rubbos.html
Snort. https://www.snort.org/
Snort: The World’s Most Widely Deployed IPS Technology. http://www.cisco.com/c/en/us/products/collateral/security/brief_c17-733286.html
Snort.AD. http://www.anomalydetection.info/?,32
Application DDoS Mitigation. Palo Alto Networks, Inc. (2014)
Clavister DoS and DDos Protection. Clavister, Inc. (2014)
Baset, S.A.: Cloud SLAs: present and future. ACM SIGOPS Oper. Syst. Rev. 46(2), 57–66 (2012)
Curtis, K., Bodík, P., Armbrust, M., Fox, A., Franklin, M., Jordan, M., Patterson, D.: Determining SLO violations at compile time (2010)
Dean, J., Barroso, L.A.: The tail at scale. Commun. ACM 56(2), 74–80 (2013)
Fayaz, S.K., Tobioka, Y., Sekar, V., Bailey, M.: Bohatei: flexible and elastic DDoS defense. In: USENIX Security (2015)
Gu, G., Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: NDSS (2008)
Guirguis, M., Bestavros, A., Matta, I.: Exploiting the transients of adaptation for RoQ attacks on internet resources. In: IEEE ICNP (2004)
Herzberg, A., Shulman, H.: Socket overloading for fun and cache-poisoning. In: ACM ACSAC (2013)
IETF: RFC 6298. https://tools.ietf.org/search/rfc6298/
Jeon, M., He, Y., Kim, H., Elnikety, S., Rixner, S., Cox, A.L.: TPC: target-driven parallelism combining prediction and correction to reduce tail latency in interactive services. In: ACM ASPLOS (2016)
Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: WWW (2002)
Kang, M.S., Lee, S.B., Gligor, V.D.: The crossfire attack. In: IEEE S&P (2013)
Ke, Y.M., Chen, C.W., Hsiao, H.C., Perrig, A., Sekar, V.: CICADAS: congesting the internet with coordinated and decentralized pulsating attacks. In: AsiaCCS (2016)
Kohavi, R., Longbotham, R.: Online experiments: lessons learned. Computer 40(9) (2007)
Kuzmanovic, A., Knightly, E.W.: Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants. In: ACM SIGCOMM (2003)
Li, J., Sharma, N.K., Ports, D.R., Gribble, S.D.: Tales of the tail: hardware, OS, and application-level sources of tail latency. In: ACM SoCC (2014)
Luo, X., Chang, R.K.: On a new class of pulsing denial-of-service attacks and the defense. In: NDSS (2005)
Mantas, G., Stakhanova, N., Gonzalez, H., Jazi, H.H., Ghorbani, A.A.: Application-layer denial of service attacks: taxonomy and survey. Int. J. Inf. Comput. Secur. 7(2–4), 216–239 (2015)
Mathew, S.: Caching HTTP POST Requests&Responses. http://www.ebaytechblog.com/2012/08/20/caching-http-post-requests-and-responses
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. In: USENIX Security (2001)
Oikonomou, G., Mirkovic, J.: Modeling human behavior for defense against flash-crowd attacks. In: IEEE ICC (2009)
Ramamurthy, P., Sekar, V., Akella, A., Krishnamurthy, B., Shaikh, A.: Remote profiling of resource constraints of web servers using mini-flash crowds. In: USENIX ATC (2008)
Ranjan, S., Swaminathan, R., Uysal, M., Nucci, A., Knightly, E.: DDos-shield: DDos-resilient scheduling to counter application layer attacks. IEEE/ACM Trans. Netw. (TON) 17(1), 26–39 (2009)
Wang, Q., Kanemasa, Y., Li, J., Jayasinghe, D., Shimizu, T., Matsubara, M., Kawaba, M., Pu, C.: Detecting transient bottlenecks in n-tier applications through fine-grained analysis. In: ICDCS (2013)
Wang, Q., Kanemasa, Y., Li, J., Lai, C., Cho, C., Nomura, Y., Pu, C.: Lightning in the cloud: a study of very short bottlenecks on n-tier web application performance. In: USENIX TRIOS (2014)
Xie, Y., Yu, S.Z.: Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Trans. Netw. (TON) 17(1), 15–25 (2009)
Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
Zhang, Y., Mao, Z.M., Wang, J.: Low-rate TCP-targeted dos attack disrupts internet routing. In: NDSS (2007)
Acknowledgement
This research has been partially funded by National Science Foundation by CISE’s CNS (1566443, 1566388), Louisiana Board of Regents under grant LEQSF (2015-18)-RD-A-11, and gifts, grants, or contracts from Fujitsu. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or other funding agencies and companies mentioned above.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Shan, H., Wang, Q., Yan, Q. (2018). Very Short Intermittent DDoS Attacks in an Unsaturated System. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-78813-5_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78812-8
Online ISBN: 978-3-319-78813-5
eBook Packages: Computer ScienceComputer Science (R0)