
Practical and Accurate Runtime Application Protection Against DoS Attacks

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10453))

Abstract

Software Denial-of-Service (DoS) attacks use maliciously crafted inputs aiming to exhaust available resources of the target software. These application-level DoS attacks have become even more prevalent due to the increasing code complexity and modular nature of Internet services that are deployed in cloud environments, where resources are shared and not always guaranteed. To make matters worse, many code testing and verification techniques cannot cope with the code size and diversity present in most services used to deliver the majority of everyday Internet applications. In this paper, we propose Cogo, a practical system for early detection and mitigation of software DoS attacks. Unlike prior solutions, Cogo builds behavioral models of network I/O events in linear time and employs Probabilistic Finite Automata (PFA) models to recognize future resource exhaustion states. Our tracing of events spans the entire code stack from userland to kernel. In many cases, we can block attacks far before they impact legitimate live sessions. We demonstrate the effectiveness and performance of Cogo using commercial-grade testbeds of two large and popular Internet services: Apache and the VoIP OpenSIPS servers. Cogo required less than 12 min of training time to achieve high accuracy: a false positive rate below 0.0194%, while detecting a wide range of resource exhaustion attacks less than seven seconds into the attacks. Finally, Cogo had only two to three percent per-session overhead.


Notes

  1. By building on Radmin, Cogo inherits other monitoring sensors from Radmin such as CPU and memory sensors.

  2. Market share of operating systems by category: https://en.wikipedia.org/wiki/Usage_share_of_operating_systems.

  3. For Microsoft Windows, kernel tracing can be implemented using the Event Tracing for Windows (ETW) kernel-mode API: https://msdn.microsoft.com/en-us/windows/hardware/drivers/devtest/adding-event-tracing-to-kernel-mode-drivers.

  4. We use “measurements” to refer to encoded measurements in the rest of this paper.

  5. We found that non-overlapping subsequences were sufficient for large-scale deployments. However, it may be desired to overlap subsequences to maximize fidelity on very small datasets.

  6. The Linux kernel manpage for namespaces is available at: http://man7.org/linux/man-pages/man7/namespaces.7.html.

  7. More advanced remediation policies can be used, such as blocking offending source IPs, rate limiting, or protocol-specific recovery. We opted for process termination for simplicity, as remediation is not the focus of Cogo.
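As an added illustration of the modeling approach sketched in the abstract and in notes 4 and 5 (this is not Cogo's code; Cogo's actual sensors, model and parameters are not given on this page), the block below trains a first-order probabilistic automaton over quantized bytes-per-read measurements using non-overlapping windows, then scores a constructed benign window and a constructed window of tiny reads. The bin edges, window length, add-one smoothing, the "worst training score" threshold rule and the traces themselves are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed bin edges: bytes per read -> symbols 0..3 (the "encoded measurements" of note 4).
EDGES = [64, 1024, 8192]
WINDOW = 4  # length of the non-overlapping subsequences (note 5)

def quantize(value, edges=EDGES):
    """Return the index of the first edge the value falls below (len(edges) if none)."""
    return next((i for i, e in enumerate(edges) if value < e), len(edges))

class PFA:
    """First-order probabilistic automaton: states are symbols, transitions carry
    probabilities with add-one smoothing so unseen transitions stay non-zero."""
    def __init__(self, alphabet_size, alpha=1.0):
        self.k, self.alpha = alphabet_size, alpha
        self.counts = defaultdict(lambda: [0] * alphabet_size)

    def train(self, symbols, window=WINDOW):
        # Count transitions only inside each non-overlapping window.
        for start in range(0, len(symbols) - window + 1, window):
            sub = symbols[start:start + window]
            for a, b in zip(sub, sub[1:]):
                self.counts[a][b] += 1

    def prob(self, a, b):
        row = self.counts[a]
        return (row[b] + self.alpha) / (sum(row) + self.alpha * self.k)

    def score(self, symbols):
        """Mean negative log-probability per transition; higher means less like training."""
        pairs = list(zip(symbols, symbols[1:]))
        return sum(-math.log(self.prob(a, b)) for a, b in pairs) / len(pairs)

def calibrate(model, symbols, window=WINDOW):
    """Assumed threshold rule: the worst score among the training windows themselves."""
    return max(model.score(symbols[s:s + window])
               for s in range(0, len(symbols) - window + 1, window))

def build_demo():
    # Constructed benign trace: header read, body read, small read, large file read, repeated.
    normal = [600, 3000, 300, 20000] * 25
    symbols = [quantize(v) for v in normal]
    model = PFA(alphabet_size=len(EDGES) + 1)
    model.train(symbols)
    return model, calibrate(model, symbols)

def is_anomalous(model, threshold, measurements):
    return model.score([quantize(v) for v in measurements]) > threshold

if __name__ == "__main__":
    model, thr = build_demo()
    print(is_anomalous(model, thr, [600, 3000, 300, 20000]))  # benign window
    print(is_anomalous(model, thr, [8, 8, 8, 8]))             # window of tiny reads
```

A window of tiny reads never seen in training scores at the uniform smoothed probability 1/4 per transition, which is well above the benign windows' score, so it is flagged while a benign window is not.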


Acknowledgments

We thank the anonymous reviewers for their insightful comments and suggestions. This material is based upon work supported in part by the National Science Foundation (NSF) SaTC award 1421747, the National Institute of Standards and Technology (NIST) award 60NANB16D285, and the Defense Advanced Research Projects Agency (DARPA) contract no. HR0011-16-C-0061 in conjunction with Vencore Labs. Opinions, findings, conclusions, and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF, NIST, DARPA or the US Government.

Author information

Corresponding author: Mohamed Elsabagh.

Electronic supplementary material

Supplementary material 1 (txt, 1 KB) is available with the online version of this chapter.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Elsabagh, M., Fleck, D., Stavrou, A., Kaplan, M., Bowen, T. (2017). Practical and Accurate Runtime Application Protection Against DoS Attacks. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_20

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6
