Slow DoS attack

Last updated

The term slow DoS attack (SDA) was introduced in 2013, [1] to clearly define a specific category of denial-of-service attacks which make use of low-bandwidth rate to accomplish their purpose. Similar terms can be found in literature, such as:

Contents

Particularly, in order to reduce bandwidth, a slow DoS attack often acts at the application layer of the ISO/OSI stack (e.g. in case of timeout exploiting threats [4] ), although this is not a requirement. [5] Such layer is however easier to exploit in order to successfully attack a victim even by sending it few bytes of malicious requests.

The purpose of a slow DoS attack is (often, but not always [4] ) to cause unavailability of a network service, by seizing all the connections the daemon is able to concurrently manage, at the application layer. Under such condition, any new incoming connection, even from potentially legitimate clients, will not be accepted by the daemon, hence leading to a denial of service. In addition, once a connection is established/sized by the attacker, the adversary would keep it alive as long as possible (hence, avoiding connection closures, which could potentially free-up resources for legitimate clients). In order to keep connections alive, reducing at the same time the attack bandwidth, considering a single connection, data are sent to the target service only at specific times, by exploiting the so-called Wait Timeout parameter, [1] scheduling a periodic data sending activity (at the application layer): once the timeout expires, a specific payload (depending on the attack type and the approach used by the malicious user) is sent to the targeted daemon. While at lower layers of the ISO/OSI stack, timeouts may be relatively short, in this case, it may assume particularly long values, in the order of minutes.

Exploited parameters

According to Cambiaso et al, [1] slow DoS attacks exploit one or more parameters characteristics of TCP-based connections. Such parameters are exploited to keep connections alive longer than expected by preserving the attack bandwidth, hence seizing the server resources for long times, by at the same time reducing attack resources.

See also

Related Research Articles

The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suite are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Protocol (IP). Early versions of this networking model were known as the Department of Defense (DoD) model because the research and development were funded by the United States Department of Defense through DARPA.

<span class="mw-page-title-main">OSI model</span> Model of communication of seven abstraction layers

The Open Systems Interconnection model is a conceptual model from the International Organization for Standardization (ISO) that "provides a common basis for the coordination of standards development for the purpose of systems interconnection." In the OSI reference model, the communications between systems are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

<span class="mw-page-title-main">Denial-of-service attack</span> Type of cyber-attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

In the seven-layer OSI model of computer networking, the session layer is layer 5.

<span class="mw-page-title-main">Transport layer</span> Layer in the OSI and TCP/IP models providing host-to-host communication services for applications

In computer networking, the transport layer is a conceptual division of methods in the layered architecture of protocols in the network stack in the Internet protocol suite and the OSI model. The protocols of this layer provide end-to-end communication services for applications. It provides services such as connection-oriented communication, reliability, flow control, and multiplexing.

Network congestion in data networking and queueing theory is the reduced quality of service that occurs when a network node or link is carrying more data than it can handle. Typical effects include queueing delay, packet loss or the blocking of new connections. A consequence of congestion is that an incremental increase in offered load leads either only to a small increase or even a decrease in network throughput.

The Common Management Information Protocol (CMIP) is the OSI specified network management protocol.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

The ISODE software, more formally the ISO Development Environment, was an implementation of the OSI upper layer protocols, from transport layer to application layer, which was used in the Internet research community to experiment with implementation and deployment of OSI during the late 1980s and early 1990s.

The Open Systems Interconnection protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T. The standardization process began in 1977.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

<span class="mw-page-title-main">Link aggregation</span> Using multiple network connections in parallel to increase capacity and reliability

In computer networking, link aggregation is the combining of multiple network connections in parallel by any of several methods. Link aggregation increases total throughput beyond what a single connection could sustain, and provides redundancy where all but one of the physical links may fail without losing connectivity. A link aggregation group (LAG) is the combined collection of physical ports.

Sockstress is a method of attacking servers and other devices that accept TCP connections on the Internet and other TCP-based networks. This method depletes local resources in order to crash a service or an entire machine, essentially functioning as a denial-of-service attack.

<span class="mw-page-title-main">Slowloris (computer security)</span> Software for executing a denial-of-service attack

Slowloris is a type of denial of service attack tool which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.

A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any variation of a physical quantity. The protocol defines the rules, syntax, semantics, and synchronization of communication and possible error recovery methods. Protocols may be implemented by hardware, software, or a combination of both.

Security service is a service, provided by a layer of communicating open systems, which ensures adequate security of the systems or of data transfers as defined by ITU-T X.800 Recommendation.
X.800 and ISO 7498-2 are technically aligned. This model is widely recognized

MQTT is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of Things (IoT). It must run over a transport protocol that provides ordered, lossless, bi-directional connections—typically, TCP/IP, but also possibly over QUIC It is an open OASIS standard and an ISO recommendation.

The Open Smart Grid Protocol (OSGP) is a family of specifications published by the European Telecommunications Standards Institute (ETSI) used in conjunction with the ISO/IEC 14908 control networking standard for smart grid applications. OSGP is optimized to provide reliable and efficient delivery of command and control information for smart meters, direct load control modules, solar panels, gateways, and other smart grid devices. With over 5 million OSGP based smart meters and devices deployed worldwide it is one of the most widely used smart meter and smart grid device networking standards.

<span class="mw-page-title-main">Slowdroid</span> Experimental denial of service attack

SlowDroid is the first denial of service attack which allows a single mobile device to take down a network server requiring minimal bandwidth. The attack has been created for research purposes by Enrico Cambiaso and Maurizio Aiello for the IEIIT Institute of the National Research Council of Italy and released as an Android application.

References

  1. 1 2 3 Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2013). "Slow DoS attacks: definition and categorisation". International Journal of Trust Management in Computing and Communications. 1 (3/4): 300–319. doi:10.1504/IJTMCC.2013.056440. hdl: 11567/571723 .
  2. Mantas, Georgios; Stakhanova, Natalia; Gonzales, Hugo; Hadian Jazi, Hossein; Ghorbani, Ali A. (2015). "Application-layer denial of service attacks: taxonomy and survey" (PDF). International Journal of Information and Computer Security. 7 (2–4): 216–239. doi:10.1504/IJICS.2015.073028. S2CID   3384390.
  3. Wu, Zhijun; Zhang, Liyuan; Yue, Meng (2015). "Low-Rate DoS Attacks Detection Based on Network Multifractal". IEEE Transactions on Dependable and Secure Computing. 13 (5): 559–567. doi:10.1109/TDSC.2015.2443807. S2CID   14728946.
  4. 1 2 Cambiaso, Enrico; Papaleo, Gianluca; Chiola, Giovanni; Aiello, Maurizio (2015). "Designing and modeling the slow next DoS attack". Computational Intelligence in Security for Information Systems Conference (CISIS 2015). 249-259. Springer.
  5. Cambiaso, Enrico; Chiola, Giovanni; Aiello, Maurizio (2019). "Introducing the SlowDrop Attack". Computer Networks. 150: 234–249. doi: 10.1016/j.comnet.2019.01.007 . hdl: 11567/942438 . S2CID   60442737.