WiP: Slow Rate HTTP Attack Detection with Behavioral Parameters

  • Conference paper
Information Systems Security (ICISS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13146)

Abstract

Hypertext Transfer Protocol (HTTP) is vulnerable to slow rate Denial of Service (DoS) attacks. Here an adversary deliberately reads and sends data slowly, thereby prolonging the connection duration. Multiple such slow connections will cripple the web server and prevent it from servicing legitimate requests. The simplest detection methods, which look for x malicious requests in a window period of y, can be easily evaded. In this paper, we identify a few behavioral parameters whose values change when such attacks are launched. We also identify the relationship between these parameters by estimating the correlation between them. Using these parameters and their correlation, we describe a detection method. In this detection method, evaluation is done based on the number of messages sent to prolong the connection. A very high number of such messages is a direct indication of an attack. When the number of such messages is in a range below this threshold, such intervals are verified with other behavioral parameters for detecting attacks. This two-stage detection method will make evasion harder for an adversary. We evaluate the proposed method with experiments done in a testbed and on a live web server and show that it has good detection performance.
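A sketch of the two-stage decision the abstract describes, added here as an illustration and not taken from the paper. The parameter names (open connections, mean connection duration), the thresholds, the window size and both traces are assumptions, since the abstract specifies none of them.

```python
from math import sqrt

# All thresholds and parameter names are assumptions for illustration;
# the abstract gives no numeric values and does not name the parameters.
HIGH = 100      # prolonging messages per interval: direct indication of attack
LOW = 20        # below this the interval is treated as normal
CORR_MIN = 0.8  # minimum correlation needed to confirm a mid-range interval
WINDOW = 5      # number of recent intervals used for the correlation

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def classify(trace):
    """trace: list of (prolong_msgs, open_conns, mean_conn_secs) per interval."""
    verdicts = []
    for i, (msgs, _, _) in enumerate(trace):
        if msgs >= HIGH:                      # stage 1: volume alone decides
            verdicts.append("attack:stage1")
        elif msgs < LOW:
            verdicts.append("normal")
        else:                                 # stage 2: verify with behavior
            hist = trace[max(0, i - WINDOW + 1): i + 1]
            m, c, d = zip(*hist)
            if len(hist) < 3:                 # too little history to correlate
                verdicts.append("suspect")
            elif pearson(m, c) >= CORR_MIN and pearson(m, d) >= CORR_MIN:
                verdicts.append("attack:stage2")
            else:
                verdicts.append("normal")
    return verdicts

# Constructed traces (not measurements from the paper).
# BENIGN: one mid-range burst of messages with no growth in connections.
BENIGN = [(5, 40, 1.0), (8, 42, 1.1), (6, 38, 1.3), (30, 37, 1.0), (7, 41, 1.2)]
# ATTACK: message rate kept under HIGH while connections and durations climb.
ATTACK = [(5, 40, 1.0), (10, 60, 2.0), (25, 110, 5.0),
          (40, 170, 8.0), (60, 250, 12.0), (150, 600, 30.0)]

if __name__ == "__main__":
    print(classify(BENIGN))
    print(classify(ATTACK))
```

The attack trace stays under the stage 1 threshold for three intervals, which a pure count-in-window rule would miss; stage 2 flags them because the other parameters rise together with the message count.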


Acknowledgement

This work is financially supported by funding through SPARC project via grant number “SPARC/2018-2019/P448” by Government of India. Authors thankfully acknowledge the funding received.

Correspondence to Neminath Hubballi.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Sood, S., Saikia, M., Hubballi, N. (2021). WiP: Slow Rate HTTP Attack Detection with Behavioral Parameters. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds) Information Systems Security. ICISS 2021. Lecture Notes in Computer Science, vol 13146. Springer, Cham. https://doi.org/10.1007/978-3-030-92571-0_2

  • DOI: https://doi.org/10.1007/978-3-030-92571-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92570-3

  • Online ISBN: 978-3-030-92571-0

  • eBook Packages: Computer Science (R0)
