Abstract
Slow-running attacks against network applications are often not easy to detect, as the attackers behave according to the specification. The servers of many network applications are not prepared for such attacks, either due to missing countermeasures or because their default configurations ignores such attacks. The pressure to secure network services against such attacks is shifting more and more from the service operators to the network operators of the servers under attack. Recent technologies such as software-defined networking offer the flexibility and extensibility to analyze and influence network flows without the assistance of the target operator.
Based on our previous work on a network-based mitigation, we have extended a framework to detect and mitigate slow-running DDoS attacks within the network infrastructure, but without requiring access to servers under attack. We developed and evaluated several identification schemes to identify attackers in the network solely based on network traffic information. We showed that by measuring the packet rate and the uniformity of the packet distances, a reliable identificator can be built, given a training period of the deployment network.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Slowloris HTTP DoS, Jun 2009. http://ha.ckers.org/slowloris/. Accessed 16 Dec 2017 via web.archive.org
Fayaz, S.K., Tobioka, Y., Sekar, V., Bailey, M.: Bohatei: flexible and elastic DDoS defense. In 24th USENIX Security Symposium (USENIX Security 15), pp. 817–832. USENIX Association, Washington (2015)
Fielding, R., et al.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616 (Draft Standard), June 1999
Hirakawa, T., Ogura, K., Bista, B.B., Takata, T.: A defense method against distributed slow HTTP DoS attack. In: 2016 19th International Conference on Network-Based Information Systems (NBiS), pp. 152–158. IEEE (2016)
Hong, K., Kim, Y., Choi, H., Park, J.: SDN-assisted slow HTTP DDoS attack defense method. IEEE Commun. Lett. PP(99), 1 (2017)
Jonker, M., Sperotto, A., van Rijswijk-Deij, R., Sadre, R., Pras, A.: Measuring the adoption of DDoS protection services. In: ACM IMC, pp. 279–285. ACM, New York (2016)
Lukaseder, T., Hunt, A., Stehle, C., Wagner, D., van der Heijden, R., Kargl, F.: An extensible host-agnostic framework for SDN-assisted DDoS-mitigation. In: IEEE LCN, pp. 619–622, October 2017
Lukaseder, T., Maile, L., Kargl,F.: SDN-assisted network-based mitigation of slow HTTP attacks. In: 1. KuVS Fachgespräch Network Softwarization - From Research to Application. Universitätsbibliothek Tübingen (2017)
Moustis, D., Kotzanikolaou, P.: Evaluating security controls against HTTP-based DDoS attacks. In: Fourth International Conference on Information Intelligence Systems and Applications (IISA) (2013)
Park, J., Iwai, K., Tanaka, H., Kurokawa, T.: Analysis of slow read DoS attack. In: 2014 International Symposium on Information Theory and its Applications, pp. 60–64, October 2014
Tayama, S., Tanaka, H.: Analysis of slow read DoS attack and communication environment. In: Kim, K.J., Joukov, N. (eds.) ICMWT 2017. LNEE, vol. 425, pp. 350–359. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-5281-1_38
Tripathi, N., Hubballi, N., Singh,Y.: How secure are web servers? An empirical study of slow HTTP DoS attacks and detection. In: ARES, pp. 454–463. IEEE (2016)
Voron, J.-B., Démoulins, C., Kordon,F.: Adaptable intrusion detection systems dedicated to concurrent programs: a petri net-based approach, pp. 57–66. IEEE Computer Society, Washington (2010)
Zdrnja, B.: Slowloris and Iranian DDoS attacks, Jun 2009. https://isc.sans.edu/diary/6622. Accessed 16 Dec 2017
Acknowledgment
We like to thank the Student Union of Electrical Engineering (Fachbereichsvertretung Elektrotechnik) at Ulm University and Philipp Hinz in particular for providing the necessary data. This work was supported in the bwNET100G+ project by the Ministry of Science, Research and the Arts Baden-Württemberg (MWK). The authors alone are responsible for the content of this paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Lukaseder, T., Maile, L., Erb, B., Kargl, F. (2018). SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-01704-0_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0
eBook Packages: Computer ScienceComputer Science (R0)