Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Very Short Intermittent DDoS Attacks in an Unsaturated System

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_3,
        author={Huasong Shan and Qingyang Wang and Qiben Yan},
        title={Very Short Intermittent DDoS Attacks in an Unsaturated System},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Long-tail latency Performance bottleneck n-tier systems Pulsating attack Web attack DDoS attack},
        doi={10.1007/978-3-319-78813-5_3}
    }
    
  • Huasong Shan
    Qingyang Wang
    Qiben Yan
    Year: 2018
    Very Short Intermittent DDoS Attacks in an Unsaturated System
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_3
Huasong Shan1,*, Qingyang Wang1,*, Qiben Yan2,*
  • 1: Louisiana State University
  • 2: University of Nebraska-Lincoln
*Contact email: hshan1@lsu.edu, qwang26@lsu.edu, qyan@cse.unl.edu

Abstract

We present a new class of low-volume application layer DDoS attack–Very Short Intermittent DDoS (VSI-DDoS). Such attack sends intermittent bursts (tens of milliseconds duration) of legitimate HTTP requests to the target website with the goal of degrading the quality of service (QoS) of the system and damaging the long-term business of the service provider. VSI-DDoS attacks can be especially stealthy since they can significantly impair the target system performance while the average usage rate of all the system resources is at a moderate level, making it hard to pinpoint the root-cause of performance degradation. We develop a framework to effectively launch VSI-DDoS attacks, which includes three phases: the profiling phase in which appropriate HTTP requests are selected to launch the attack, the training phase in which a typical Service Level Agreement (e.g., percentile response time <1 s) is used to train the attack parameters, and the attacking phase in which attacking scripts are generated and deployed to distributed bots to launch the actual attack. To evaluate such VSI-DDoS attacks, we conduct extensive experiments using a representative benchmark web application under realistic cloud scaling settings and equipped with some popular state-of-the-art IDS/IPS systems (e.g., Snort), and find that our attacks are able to effectively cause the long-tail latency problem of the benchmark website while escaping the radar of those DDoS defense tools.