Low-rate denial-of-service (LRD) attacks are often hard to detect at the network level because they consume little bandwidth: legitimate traffic and attack traffic look alike. Moreover, the attack traffic often appears to comply with transport-protocol and application-protocol semantics. It is the intricacies of the payloads and the dynamics of the attack traffic that induce denial of service on servers, when processed by specific hardware and software.
We propose Leader, a novel approach for application-agnostic and attack-agnostic detection and mitigation of LRD attacks. Leader operates by learning the normal patterns of network, application and system-level resource use when processing legitimate external requests. During the learning phase, Leader uses an elliptic envelope to learn the sequence of kernel-level function calls executed in net/socket.c, and the resource consumption per call, for legitimate user connections. During the classification phase, Leader uses the learned models to identify abnormal resource-usage patterns, and then blacklists the client IP addresses responsible for them. We implement and evaluate Leader for Web server protection against LRD attacks. Our results show that Leader correctly identifies over 99% of malicious IPs, and over 97.5% of legitimate user IPs, across the five different LRD attacks used in our evaluation. Also, on average, Leader can successfully identify and blacklist a stealthy attacker in 5 to 18 seconds and an aggressive attacker in 4 to 12 seconds.
The main novelty of Leader lies in its approach to building models of resource usage for each incoming network connection. To do so, our new approach captures sequences of resource-use events -- which we dub connection life stages (Fig. 3) -- in a temporal and relational manner for each incoming service request. Connection life stages are built from multiple, complementary observations collected at the (1) network level, (2) OS level and (3) application level. Connection life stages are then clustered into resource-use profiles for each application. Leader learns baseline profiles during no-attack periods, using a machine learning approach based on an elliptic envelope. When an attack is detected, Leader uses its baseline profiles to detect anomalous resource-use patterns and links them back to the responsible incoming connections. The sources of these incoming connections are then blacklisted to mitigate the attack.
While our design of Leader is application-agnostic and attack-agnostic, in this paper we focus on building and evaluating Leader for the protection of Web servers against LRD attacks. We implement Leader using SystemTap to probe individual connections at the socket function call level. For each function call into net/socket.c, Leader collects and maintains information about the connection, its temporal resource consumption, call sequences and call frequencies. Leader operates in two phases: the learning phase and the classification phase. During the learning phase, it learns the resource-usage patterns of legitimate users' connections as a baseline model. During the classification phase, it terminates connections and blacklists clients whose connections consume resources in a way that deviates from Leader's models.
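The following is an added illustration of the two-phase loop described above; it is not code from the paper or from Leader's implementation. It assumes that a SystemTap-style probe has already reduced each connection to a small feature vector (number of net/socket.c calls, CPU seconds spent in those calls, bytes received per call), and it stands in for the elliptic envelope with a plain Gaussian fit (mean plus covariance) and a Mahalanobis-distance threshold, without the robust covariance estimator a real elliptic envelope uses. The training data, the traffic, the IP addresses and the `slack` and `min_hits` parameters are all constructed for the example.

```python
"""Toy learn-then-classify loop in the style of Leader (added example).
Assumption: each connection is a feature vector
(socket_calls, cpu_seconds, bytes_per_call) produced by a probe.
The elliptic envelope is approximated by a non-robust Gaussian fit."""
import random
from collections import defaultdict

FEATURES = ("socket_calls", "cpu_seconds", "bytes_per_call")


def mean_vector(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]


def covariance(rows, mu):
    """Sample covariance matrix (n-1 denominator)."""
    n, d = len(rows), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        diff = [r[i] - mu[i] for i in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += diff[i] * diff[j] / (n - 1)
    return cov


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting (small matrices only)."""
    d = len(matrix)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(d)]
           for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-300:
            raise ValueError("singular covariance; training data too uniform")
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def mahalanobis_sq(x, mu, inv_cov):
    """Squared Mahalanobis distance of x from the fitted envelope centre."""
    d = len(mu)
    diff = [x[i] - mu[i] for i in range(d)]
    return sum(diff[i] * inv_cov[i][j] * diff[j] for i in range(d) for j in range(d))


class GaussianEnvelope:
    """Learning phase: fit on legitimate connections only. The decision
    threshold is the largest squared distance seen in training, widened by
    `slack` (a constructed parameter) to reduce false positives."""

    def fit(self, legit_rows, slack=1.5):
        self.mean = mean_vector(legit_rows)
        self.inv_cov = invert(covariance(legit_rows, self.mean))
        self.threshold = slack * max(
            mahalanobis_sq(r, self.mean, self.inv_cov) for r in legit_rows)
        return self

    def is_anomalous(self, x):
        return mahalanobis_sq(x, self.mean, self.inv_cov) > self.threshold


def blacklist(model, connections, min_hits=2):
    """Classification phase: attribute anomalous connections to their source
    IP and blacklist sources with at least `min_hits` (constructed) of them."""
    hits = defaultdict(int)
    for ip, features in connections:
        if model.is_anomalous(features):
            hits[ip] += 1
    return {ip for ip, n in hits.items() if n >= min_hits}


def constructed_legit_rows(n=200, seed=7):
    """Constructed stand-in for measured user connections: about 40 socket
    calls, about 20 ms of CPU and about 300 bytes per call."""
    rng = random.Random(seed)
    return [[rng.gauss(40, 5), rng.gauss(0.020, 0.004), rng.gauss(300, 40)]
            for _ in range(n)]


# Constructed attack profile: a connection that is held open with many tiny
# reads, each costing the server CPU for almost no payload.
ATTACK_PROFILE = [200.0, 0.20, 10.0]

if __name__ == "__main__":
    model = GaussianEnvelope().fit(constructed_legit_rows())
    traffic = [("198.51.100.5", [41.0, 0.021, 290.0]),   # constructed user
               ("198.51.100.5", [38.0, 0.018, 310.0]),
               ("203.0.113.7", ATTACK_PROFILE),           # constructed attacker
               ("203.0.113.7", [180.0, 0.18, 12.0]),
               ("203.0.113.7", [220.0, 0.22, 9.0])]
    print("blacklisted:", blacklist(model, traffic))
```

The per-IP hit count is what turns per-connection anomaly decisions into a mitigation action; requiring more than one anomalous connection before blacklisting trades a slightly longer detection time for fewer misclassified legitimate users, which is the same tension the paper's detection-time and accuracy figures describe.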
We test Leader in emulated experiments on the Emulab testbed using two different Web servers. We mirrored Imgur and Wikipedia: Imgur runs on apache2, while we set up Wikipedia on nginx. We replay human user traffic collected using Amazon MTurk workers. We evaluate Leader using both aggressive and stealthy LRD attacks on five different LRD variants: Slowloris attack (SL), Hash Collision Attack (HC), Regular Expression Denial of Service Attack (ReDoS), LRD using preg_replace() PHP Function Exploitation (PHPEx) and Security Vulnerability - Infinite recursive calls denial of service (IRC). While the stealthy LRD attackers seep into the server at a slow rate, the aggressive LRD attackers bombard the server with multiple concurrent connections in an attempt to exhaust resources quickly.
Our results show that Leader is capable of handling many variants of LRD attacks while being trained only on legitimate traffic. In our evaluation, Leader achieved an aggregate accuracy of over 99% in identifying attacker IP addresses and an aggregate accuracy of over 97.5% in identifying legitimate user IP addresses across the five different LRD attacks. On average, Leader can successfully identify and blacklist a stealthy attacker in 5 to 18 seconds and an aggressive attacker in 4 to 12 seconds. Leader has minimal runtime overhead, with an aggregate latency of less than 0.5%.