SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks

  • Thomas LukasederEmail author
  • Lisa Maile
  • Benjamin Erb
  • Frank Kargl
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


Slow-running attacks against network applications are often not easy to detect, as the attackers behave according to the specification. The servers of many network applications are not prepared for such attacks, either due to missing countermeasures or because their default configurations ignores such attacks. The pressure to secure network services against such attacks is shifting more and more from the service operators to the network operators of the servers under attack. Recent technologies such as software-defined networking offer the flexibility and extensibility to analyze and influence network flows without the assistance of the target operator.

Based on our previous work on a network-based mitigation, we have extended a framework to detect and mitigate slow-running DDoS attacks within the network infrastructure, but without requiring access to servers under attack. We developed and evaluated several identification schemes to identify attackers in the network solely based on network traffic information. We showed that by measuring the packet rate and the uniformity of the packet distances, a reliable identificator can be built, given a training period of the deployment network.


DDoS mitigation Slow-running DDoS attacks Slow HTTP Network-based mitigation Software-defined networking 



We like to thank the Student Union of Electrical Engineering (Fachbereichsvertretung Elektrotechnik) at Ulm University and Philipp Hinz in particular for providing the necessary data. This work was supported in the bwNET100G+ project by the Ministry of Science, Research and the Arts Baden-Württemberg (MWK). The authors alone are responsible for the content of this paper.


  1. 1.
    Slowloris HTTP DoS, Jun 2009. Accessed 16 Dec 2017 via
  2. 2.
    Fayaz, S.K., Tobioka, Y., Sekar, V., Bailey, M.: Bohatei: flexible and elastic DDoS defense. In 24th USENIX Security Symposium (USENIX Security 15), pp. 817–832. USENIX Association, Washington (2015)Google Scholar
  3. 3.
    Fielding, R., et al.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616 (Draft Standard), June 1999Google Scholar
  4. 4.
    Hirakawa, T., Ogura, K., Bista, B.B., Takata, T.: A defense method against distributed slow HTTP DoS attack. In: 2016 19th International Conference on Network-Based Information Systems (NBiS), pp. 152–158. IEEE (2016)Google Scholar
  5. 5.
    Hong, K., Kim, Y., Choi, H., Park, J.: SDN-assisted slow HTTP DDoS attack defense method. IEEE Commun. Lett. PP(99), 1 (2017)Google Scholar
  6. 6.
    Jonker, M., Sperotto, A., van Rijswijk-Deij, R., Sadre, R., Pras, A.: Measuring the adoption of DDoS protection services. In: ACM IMC, pp. 279–285. ACM, New York (2016)Google Scholar
  7. 7.
    Lukaseder, T., Hunt, A., Stehle, C., Wagner, D., van der Heijden, R., Kargl, F.: An extensible host-agnostic framework for SDN-assisted DDoS-mitigation. In: IEEE LCN, pp. 619–622, October 2017Google Scholar
  8. 8.
    Lukaseder, T., Maile, L., Kargl,F.: SDN-assisted network-based mitigation of slow HTTP attacks. In: 1. KuVS Fachgespräch Network Softwarization - From Research to Application. Universitätsbibliothek Tübingen (2017)Google Scholar
  9. 9.
    Moustis, D., Kotzanikolaou, P.: Evaluating security controls against HTTP-based DDoS attacks. In: Fourth International Conference on Information Intelligence Systems and Applications (IISA) (2013)Google Scholar
  10. 10.
    Park, J., Iwai, K., Tanaka, H., Kurokawa, T.: Analysis of slow read DoS attack. In: 2014 International Symposium on Information Theory and its Applications, pp. 60–64, October 2014Google Scholar
  11. 11.
    Tayama, S., Tanaka, H.: Analysis of slow read DoS attack and communication environment. In: Kim, K.J., Joukov, N. (eds.) ICMWT 2017. LNEE, vol. 425, pp. 350–359. Springer, Singapore (2018). Scholar
  12. 12.
    Tripathi, N., Hubballi, N., Singh,Y.: How secure are web servers? An empirical study of slow HTTP DoS attacks and detection. In: ARES, pp. 454–463. IEEE (2016)Google Scholar
  13. 13.
    Voron, J.-B., Démoulins, C., Kordon,F.: Adaptable intrusion detection systems dedicated to concurrent programs: a petri net-based approach, pp. 57–66. IEEE Computer Society, Washington (2010)Google Scholar
  14. 14.
    Zdrnja, B.: Slowloris and Iranian DDoS attacks, Jun 2009. Accessed 16 Dec 2017

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Thomas Lukaseder
    • 1
    Email author
  • Lisa Maile
    • 1
  • Benjamin Erb
    • 1
  • Frank Kargl
    • 1
  1. 1.Institute of Distributed SystemsUlm UniversityUlmGermany

Personalised recommendations