Low Rate DoS Attack to Monoprocess Servers

  • Gabriel Maciá-Fernández
  • Jesús E. Díaz-Verdejo
  • Pedro García-Teodoro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3934)


In this work, we present a vulnerability in monoprocess or monothreaded servers that allows the execution of DoS attacks with the peculiarity that they are generated by low rate traffic. This feature makes the attack harder to detect with current intrusion detection systems (IDS), which usually expect high rate traffic. The intruder can take advantage of some knowledge about the inter-output times in the server to build the attack. We have simulated the attack and tested it in a real environment, obtaining worrying conclusions due to the efficiency achieved by the attack with low effort from the attacker.


Keywords: Service Time; Real Environment; Intrusion Detection System; Round Trip Time; Service Queue





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Gabriel Maciá-Fernández (1)
  • Jesús E. Díaz-Verdejo (1)
  • Pedro García-Teodoro (1)
  1. Dpt. of Signal Theory, Telematics and Communications, University of Granada, Granada, Spain
