SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks
Slow-running attacks against network applications are often not easy to detect, as the attackers behave according to the specification. The servers of many network applications are not prepared for such attacks, either due to missing countermeasures or because their default configurations ignores such attacks. The pressure to secure network services against such attacks is shifting more and more from the service operators to the network operators of the servers under attack. Recent technologies such as software-defined networking offer the flexibility and extensibility to analyze and influence network flows without the assistance of the target operator.
Based on our previous work on a network-based mitigation, we have extended a framework to detect and mitigate slow-running DDoS attacks within the network infrastructure, but without requiring access to servers under attack. We developed and evaluated several identification schemes to identify attackers in the network solely based on network traffic information. We showed that by measuring the packet rate and the uniformity of the packet distances, a reliable identificator can be built, given a training period of the deployment network.
KeywordsDDoS mitigation Slow-running DDoS attacks Slow HTTP Network-based mitigation Software-defined networking
We like to thank the Student Union of Electrical Engineering (Fachbereichsvertretung Elektrotechnik) at Ulm University and Philipp Hinz in particular for providing the necessary data. This work was supported in the bwNET100G+ project by the Ministry of Science, Research and the Arts Baden-Württemberg (MWK). The authors alone are responsible for the content of this paper.
- 1.Slowloris HTTP DoS, Jun 2009. http://ha.ckers.org/slowloris/. Accessed 16 Dec 2017 via web.archive.org
- 2.Fayaz, S.K., Tobioka, Y., Sekar, V., Bailey, M.: Bohatei: flexible and elastic DDoS defense. In 24th USENIX Security Symposium (USENIX Security 15), pp. 817–832. USENIX Association, Washington (2015)Google Scholar
- 3.Fielding, R., et al.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616 (Draft Standard), June 1999Google Scholar
- 4.Hirakawa, T., Ogura, K., Bista, B.B., Takata, T.: A defense method against distributed slow HTTP DoS attack. In: 2016 19th International Conference on Network-Based Information Systems (NBiS), pp. 152–158. IEEE (2016)Google Scholar
- 5.Hong, K., Kim, Y., Choi, H., Park, J.: SDN-assisted slow HTTP DDoS attack defense method. IEEE Commun. Lett. PP(99), 1 (2017)Google Scholar
- 6.Jonker, M., Sperotto, A., van Rijswijk-Deij, R., Sadre, R., Pras, A.: Measuring the adoption of DDoS protection services. In: ACM IMC, pp. 279–285. ACM, New York (2016)Google Scholar
- 7.Lukaseder, T., Hunt, A., Stehle, C., Wagner, D., van der Heijden, R., Kargl, F.: An extensible host-agnostic framework for SDN-assisted DDoS-mitigation. In: IEEE LCN, pp. 619–622, October 2017Google Scholar
- 8.Lukaseder, T., Maile, L., Kargl,F.: SDN-assisted network-based mitigation of slow HTTP attacks. In: 1. KuVS Fachgespräch Network Softwarization - From Research to Application. Universitätsbibliothek Tübingen (2017)Google Scholar
- 9.Moustis, D., Kotzanikolaou, P.: Evaluating security controls against HTTP-based DDoS attacks. In: Fourth International Conference on Information Intelligence Systems and Applications (IISA) (2013)Google Scholar
- 10.Park, J., Iwai, K., Tanaka, H., Kurokawa, T.: Analysis of slow read DoS attack. In: 2014 International Symposium on Information Theory and its Applications, pp. 60–64, October 2014Google Scholar
- 12.Tripathi, N., Hubballi, N., Singh,Y.: How secure are web servers? An empirical study of slow HTTP DoS attacks and detection. In: ARES, pp. 454–463. IEEE (2016)Google Scholar
- 13.Voron, J.-B., Démoulins, C., Kordon,F.: Adaptable intrusion detection systems dedicated to concurrent programs: a petri net-based approach, pp. 57–66. IEEE Computer Society, Washington (2010)Google Scholar
- 14.Zdrnja, B.: Slowloris and Iranian DDoS attacks, Jun 2009. https://isc.sans.edu/diary/6622. Accessed 16 Dec 2017