
Tail Attacks on Web Applications

Published: 30 October 2017

Abstract

As Distributed Denial-of-Service (DDoS) attacks have extended to the application layer in recent years, researchers have paid much attention to these new variants: their low-volume, intermittent pattern gives them a higher level of stealthiness that invalidates state-of-the-art DDoS detection and defense mechanisms. We describe a new type of low-volume application-layer DDoS attack, Tail Attacks on Web Applications. Such an attack exploits a newly identified system vulnerability of n-tier web applications (millibottlenecks with sub-second duration and resource contention with strong dependencies among distributed nodes) with the goal of causing the long-tail latency problem in the target web application (e.g., 95th percentile response time > 1 second) and damaging the long-term business of the service provider, while all the system resources are far from saturation, making it difficult to trace the cause of the performance degradation.
We present a modified queueing network model to analyze the impact of our attacks in n-tier architecture systems, and numerically solve for the optimal attack parameters. We adopt a feedback control-theoretic framework (e.g., a Kalman filter) that allows attackers to fit the dynamics of background requests or system state by dynamically adjusting attack parameters. To evaluate the practicality of such attacks, we conduct extensive validation through not only analytical, numerical, and simulation results but also experiments in a real cloud production setting via a representative benchmark website equipped with state-of-the-art DDoS defense tools. We further propose a solution to detect and defend against the proposed attacks, involving three stages: fine-grained monitoring, identifying bursts, and blocking bots.
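A detection-side illustration of the abstract's central point, that a sub-second millibottleneck is invisible to per-second monitoring while a fine-grained view exposes the burst and the queueing delay behind the long tail. This is an added Python example, not the paper's code: it assumes a single FIFO server with a fixed 10 ms service time (100 req/s capacity) and uses constructed arrival timestamps.

```python
from collections import Counter
import math

SERVICE_MS = 10.0                   # assumed per-request service time
CAPACITY_RPS = 1000.0 / SERVICE_MS  # i.e. the server drains 100 req/s

# Constructed arrival timestamps (ms) for one second of traffic: background load
# of one request every 50 ms, plus a 25-request burst packed into 300..324 ms.
ARRIVALS_MS = sorted(list(range(0, 1000, 50)) + list(range(300, 325)))

def bucket_counts(arrivals_ms, window_ms):
    """Arrivals per fixed-size window, covering 0 .. max(arrivals_ms)."""
    counts = Counter(t // window_ms for t in arrivals_ms)
    return [counts.get(i, 0) for i in range(max(arrivals_ms) // window_ms + 1)]

def find_bursts(arrivals_ms, window_ms, capacity_rps=CAPACITY_RPS):
    """Windows receiving more requests than the server can drain in window_ms.
    Returns (window_start_ms, count) pairs; an empty list means nothing seen."""
    limit = capacity_rps * window_ms / 1000.0
    return [(i * window_ms, c)
            for i, c in enumerate(bucket_counts(arrivals_ms, window_ms)) if c > limit]

def fifo_latencies(arrivals_ms, service_ms=SERVICE_MS):
    """Response time of each request through one FIFO server with a fixed service
    time; the queue that piles up behind a burst is the millibottleneck."""
    latencies, free_at = [], 0.0
    for t in arrivals_ms:
        start = max(t, free_at)
        free_at = start + service_ms
        latencies.append(free_at - t)
    return latencies

def percentile(values, pct):
    """Nearest-rank percentile, e.g. pct=95 for the p95 response time."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100.0 * len(ordered)) - 1)]

def utilization(arrivals_ms, service_ms=SERVICE_MS, horizon_ms=1000.0):
    """Fraction of the horizon the server was busy: the coarse health signal."""
    return len(arrivals_ms) * service_ms / horizon_ms

if __name__ == "__main__":
    print("per-second view:", find_bursts(ARRIVALS_MS, 1000))  # [] -> looks healthy
    print("50 ms view:     ", find_bursts(ARRIVALS_MS, 50))    # [(300, 26)]
    lat = fifo_latencies(ARRIVALS_MS)
    print("utilization %.0f%%, p95 %.0f ms, max %.0f ms"
          % (100 * utilization(ARRIVALS_MS), percentile(lat, 95), max(lat)))
```

With 45 requests in the second the server is only 45% busy and the per-second bucket raises nothing, yet the 50 ms bucket at 300 ms holds 26 arrivals and the p95 response time is 22 times the service time.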



Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017, 2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. ddos attack
2. long-tail latency
3. milli-bottleneck
4. n-tier systems
5. pulsating attack
6. web attack

Qualifiers

• Research-article

Acceptance Rates

CCS '17 Paper Acceptance Rate: 151 of 836 submissions, 18%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

Cited By

• (2024) Sync-Millibottleneck Attack on Microservices Cloud Architecture. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 799-813. DOI: 10.1145/3634737.3644991. Online publication date: 1-Jul-2024.
• (2024) DNSBomb: A New Practical-and-Powerful Pulsing DoS Attack Exploiting DNS Queries-and-Responses. 2024 IEEE Symposium on Security and Privacy (SP), 4478-4496. DOI: 10.1109/SP54263.2024.00264. Online publication date: 19-May-2024.
• (2024) Secure Storage of Crypto Wallet Seed Phrase Using ECC and Splitting Technique. IEEE Open Journal of the Computer Society, 5, 278-289. DOI: 10.1109/OJCS.2024.3398794. Online publication date: 2024.
• (2024) Grunt Attack: Exploiting Execution Dependencies in Microservices. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 115-128. DOI: 10.1109/DSN58291.2024.00025. Online publication date: 24-Jun-2024.
• (2024) DDoS Mitigation Dilemma Exposed: A Two-Wave Attack with Collateral Damage of Millions. Security and Privacy in Communication Networks, 25-44. DOI: 10.1007/978-3-031-64954-7_2. Online publication date: 15-Oct-2024.
• (2023) Temporal CDN-convex lens. Proceedings of the 32nd USENIX Conference on Security Symposium, 6185-6202. DOI: 10.5555/3620237.3620583. Online publication date: 9-Aug-2023.
• (2023) Redundancy Planning for Cost Efficient Resilience to Cyber Attacks. IEEE Transactions on Dependable and Secure Computing, 20(2), 1154-1168. DOI: 10.1109/TDSC.2022.3151462. Online publication date: 1-Mar-2023.
• (2023) Differential Aggregation against General Colluding Attackers. 2023 IEEE 39th International Conference on Data Engineering (ICDE), 2180-2193. DOI: 10.1109/ICDE55515.2023.00169. Online publication date: Apr-2023.
• (2023) A comprehensive survey on DDoS defense systems. Computer Networks: The International Journal of Computer and Telecommunications Networking, 233:C. DOI: 10.1016/j.comnet.2023.109895. Online publication date: 1-Sep-2023.
• (2021) Enabling Performant, Flexible and Cost-Efficient DDoS Defense With Programmable Switches. IEEE/ACM Transactions on Networking, 29(4), 1509-1526. DOI: 10.1109/TNET.2021.3062621. Online publication date: 26-Mar-2021.
