The Impact of Application Layer Denial of
Service Attacks
Hugo Gonzalez, Marc Antoine Gosselin-Lavigne,
Natalia Stakhanova, Ali A. Ghorbani
Information Security Centre of Excellence
University of New Brunswick
hugo.gonzalez,ma.gl,natalia,[email protected]
Abstract
A recent escalation of application layer Denial of Service attacks (DoS) on the Internet has quickly shifted the focus of the research community from traditional network-based denial of service. As a result, new varieties of attacks were explored: slow-rate and low-rate application layer DoS attacks. In this chapter, after a brief introduction of application layer DoS attacks, we discuss the characteristics of the newly proposed application layer attacks and illustrate their impact on modern web servers.
Keywords: Denial-of-Service attack, application layer attack, low-rate denial-of-service, slow-rate denial-of-service
1 Introduction
The frequency and power of Denial-of-Service (DoS) attacks have marked the first quarter of 2013 as the worst quarter for DoS attacks in history averaging 58percent increase compared to 2012 [17]. Leveraging botnets and high-speed
network technologies, modern DoS attacks exceed the scale of 100 Gbps becom-ing a major threat on the Internet [17]. Being one of the oldest type of attacks
on the Internet, DoS attacks are known for their disruptiveness and ability to deplete the computing resources and/or bandwidth of their victims in a matter of minutes. In spite of being trivial in execution, DoS attacks are often easily detectable mostly due to dynamic and voluminous attack rates. As a result, the recent years have seen a growing trend towards new, stealthy, and more sophis-ticated application layer DoS attacks aiming to avoid detection while bringing the same level of impact as traditional flooding DoS attacks.
Application layer attacks, as opposed to traditional flooding DoS attacks mostly focusing on bandwidth consumption, target specific characteristics and vul-nerabilities of application layer protocols (e.g. HTTP, DNS). From an industry perspective, the application layer attacks most commonly seen in the wild were broadly divided into several categories [2]: request flooding, protocol requests
sent at high rates aiming to deplete session resources; asymmetric, large work load requests sent at normal rates aiming to consume server’s resources; hy-brid, combination large work load requests sent at high rates; and exploit-based, attacks targeting application protocol vulnerabilities.
From the academic side, two other categories of application layer DoS attacks were proposed: slow-rate and low-rate attacks. Low-rate application layer DoS attacks appeared as an extension of a TCP-based low-rate attack initially intro-duced by [8]. A low-rate attack is an intelligent variation of a traditional DoS
attack that aims to elude detection by sending seemingly legitimate packets at a low rate. Difficult to detect and mitigate, this attack effectively results in the ex-haustion of resources, and consequently, service unavailability. A slow-rate DoS attacks, on the other hand, evade detection by transmitting packets at a slow speed. With the latest escalation of application-layer DoS attacks, the research
community has focused its attention on defence and mitigation techniques for these two types of attacks.
There have been a number of studies focusing specifically on defence techniques for slow-rate and low-rate attacks [23,24,30,10,13,11,9]. In spite of the
vari-ability of studies and recent escalation of application-layer DoS attacks, none of the reports seem to indicate the wide use of these attacks in the wild which raises questions on the viability of these attacks in modern network environ-ments.
In this chapter we explore the impact of application layer DoS attacks on mod-ern web servers. We study the performance of slow and low-rate application level attack on several popular web servers including Ngix, Apache, Microsoft IIS and Tomcat. Through our experiments we illustrate the infeasibility of low-rate application level attack on modern servers and discuss necessary conditions for an attack to have at least minimal impact.
2 Related Work
The recent escalation of application-layer DoS attacks have attracted a signif-icant interest of a research community. Since application-layer attacks usually do not manifest themselves at the network level, they avoid traditional network-based detection mechanisms. As such, security community focused on special-ized application-layer DoS attacks detection mechanisms. These research ef-forts can be broadly divided into several groups: application-based, puzzle-based approaches and network traffic characteristics based.
Application-based techniques are generally geared toward legitimate and thus expected characteristics of an application behavior. These approaches include detection of deviations from normal behavior of users browsing web pages [25, 29,28], monitoring characteristics of HTTP sessions [19,18], monitoring a
num-ber of clients requests [27], and analyzing popularity of certain websites [26].
In many of these approaches, rate-limiting serves as a primary defence mecha-nism.
Puzzle-based methods are similar to these approaches. However, instead of monitoring characteristics of particular applications, puzzle-based methods, as the name suggests, offer a puzzle to solve and detect potential DoS attack by the ability of the client at the IP addresses to solve it or by their reaction to the offered puzzle. One of these techniques is the detection of attacks using CAPTCHA puzzle [14]. Although this technique may offer a simple approach
to attack detection and mitigation, a number of studies showed its ineffective-ness [15,3].
Monitoring characteristics of network traffic for application-layer DoS detection has been suggested by [7] and has been employed for differentiation of flash
crown and true DoS attacks. The approach has also found its application in several studies in a form of IP address monitoring [16,4].
Most of these studies deal with general type application-layer denial-of-service attacks. With the introduction of low-rate application-layer DoS attack [10], a
number of research efforts were focused on various detection and mitigation techniques [24, 10, 13, 11, 9]. Most of these techniques focus specifically on
characteristics of incoming network traffic aiming to reveal/prevent patterns specific to low-rate DoS attacks. As such Tang [24] developed a CUSUM-based
approach that monitors packet arrival rate. Macia-Fernandez et al proposed to modify the implementation of application servers in terms of their processing of incoming requests [13].
3 Application layer Denial of Service attacks
With a focus on resource exhaustion, denial of service attacks spawn a broad spectrum of variants capable of depleting resources at any layer of traditional TCP/IP architecture. Historically, low layer attacks targeting network and trans-port layers were prevalent on the networks mostly due to simplicity in execution
Figure 1: Slow send attack model. Figure 2: Slow read attack model.
and their effectiveness. However, with a fast development of network infras-tructures simple attacks became less effective. Nowadays, DoS attacks feature a new category of application layer attacks that specifically target and affect user applications without affecting network resources.
To clarify the diversity of application-layer DDoS attacks, we adopt the follow-ing categorization1
:
• Request flooding attack that sends protocol requests at high rates aiming to deplete session resources.
• Asymmetric attack that relies on large work load requests sent at normal rates aiming to consume the server’s resources.
• Hybrid attack that presents a combination of large work load requests sent at high rates.
• Exploit-based attack that targets application protocol vulnerabilities. One example of this is an Apache webserver specific attack, Apache Range Header attack [1], that sends a legitimate HTTP request indicating a very
large overlapping range causing a server to exhaust memory denying ser-vice to legitimate clients.
• Low-rate attack was initially introduced by Macia-Fernandez et al in [10].
An advanced version with mathematical formalism was provided in [9].
An attack consists of ON/OFF sequences of attack messages aiming to keep the service queue of a victim application full of requests causing le-gitimate requests to be discarded and thus effectively resulting in a denial-of-service attack. The key idea of this attack is in its intelligent execution: attack messages (to avoid causing a flooding DoS) should be sent at the instants at which available positions appear in a service queue. Algo-rithms for estimation of such instances were suggested in [11,12]. Such
intelligent scheduling allows attacks to fly under the radar of intrusion detection system while effectively causing a denial-of-service for a partic-ular application. A graphical representation of the attack model is given in Figure3.
1
Figure 3: Low rate attack model.
• Slow-rate attack. As opposed to a low-rate attack, a slow-rate DoS at-tack exploits one of the common properties of application-layer protocols: reserving resources until after the completion of a connection. In this con-text, transmitting packets at a slow speed allows the attack to exhaust the server’s resources causing a denial-of-service. Similar to a low-rate attack, a slow-rate attack allows to selectively attack targeted applications with a single computer leaving the rest of unrelated services intact. The most prominent slow-rate attacks targeting HTTP protocol are:
– Slow send is an attack that aims to tie up server resources by slowly sending legitimate incomplete HTTP requests causing a victim server to reserve resources for open connections waiting for their comple-tion (Figure1). There are several known implementations of this at-tack: a more general variation offering partial HTTP requests (GET/-HEAD/POST) implemented in a slowloris tool [21] and a slow HTTP
POST that sends HTTP POST payload at a slow pace (e.g., 1byte/ 1 min) implemented in RUDY [20] and OWASP HTTP POST [5].
– Slow readis a variation of an attack that starts with a legitimate HTTP request from an attacker to a victim server followed by a slow con-sumption of the HTTP response sent by a victim e.g., Slow READ [22]
(Figure2).
4 Model
A generic web server could be viewed as a module responsible for providing requested content to clients. The mechanism of handling clients’ requests by a server is generally defined by its architecture. Modern servers favor the follow-ing two architectures:
• Thread-based architecture: allocates a new threat (and corresponding re-sources) for each client request. Although the model is favored for the ease of implementation, the amount of resources required for threads is often viewed as a major limiting factor.
• Event-based architecture: In the event driven model, a single event is ca-pable to attending several requests simultaneously. The coordination be-tween requests and events is provided through a controller responsible for ensuring prompt execution of requests.
Although there is a lot of debate on which model is preferred, many modern web servers employ a hybrid model that incorporates a mixture of threads and events.
Assumptions In our study the following assumptions were made:
• Attacker: we assume that an attacker is non-oblivious, i.e., he understand the attack, knows exactly when and how much traffic to send to max-imize the attack damage. The main premise of slow and low-rate DoS attacks is their ability to impact a service without significant resources on an attacker side. Although limiting attacker resources would satisfy this condition, we decided to allow for more powerful presence and as-sume that resources available at an attacker’s disposal are equivalent to resources of a victim server.
• Connection: we assume a steady, non interrupted connection.
Figure 4: An example of time stamps collected by the monitor on the client side to access a loss of server responsiveness (Loss).
Metrics Since the impact of application level attacks is often invisible at the lower network layers, traditional network evaluation metrics based on estima-tion of link congesestima-tion, packet loss [6], and response time are not practical for
evaluation of application-layer denial of service attack’s impact. These metrics are mostly focused on detailing network transmission performance and thus do not fully reflect impact on a higher level service availability.
For our study we define a performance metric Loss to assess responsiveness of a web server. Loss of a web server is defined as a percentage of client’s HTTP requests r left uncompleted during a period of time P. Formally, Loss is defined as follows:
Loss= ∑
P i=1ri
P (1)
Figure4illustrates Loss calculation process.
5 Experiments
Environment setup In our experimentation, we employed a virtual environ-ment setup shown in Figure 5. The software and hardware specifications, as well as parameters employed in our experimentation study are given in Tables1 and2.
Table 1: Software and hardware specifications of the testing environment.
Host processor Intel Core i5-3570k
Window web server OS Windows Server 2008 R2 SP1 64 bit
Linux web server OS Ubuntu 12.04.2 32bit
Attacker OS Debian 6.0.7 64 bit
IIS v.7.5 Apache Windows v.2.4.4 32 bit Linux v.2.2.22 (32 bit) Nginx Windows v.1.2.7 Linux v.1.1.19 Tomcat Windows v. 7.0.37 Linux v.7.0.37 Number of threads = 150 Linux-enhanced Number of threads = 550 pollerThreadCount = 800
Figure 5: Environment setup.
In this study, we specifically focused on the three variations of application layer DoS attack: low-rate, slow send and slow read. Both low-rate and slow send require a knowledge of web server’s request timeout to determine the instants at which attack requests should be sent. Assuming the worst-case scenario, an exact value of a timeout is known to an attacker. Although the default timeouts as configuration parameters were available to us, our experimentation revealed their inaccuracy. As a result in our study we employed experimentally determined timeout values given in Table2.
Slow read attack required the presence a simple webpage to mimic a slow con-sumption of the HTTP response on attacker side. Slow read was executed to read a 10KB webpage per thread at a rate of one byte per second.
Results Table3presents the web servers performance results under application-layer DoS attacks. As the results show, the resilience of servers varies depending on the attack and the server. In general, slow read attack was the least success-ful among evaluated servers with an exception of Tomcat that suffers heavily. Such attack success can be primarily attributed to Tomcat’s original design as a servlet container rather than as a classic web server. The server depends on the Java Virtual Machine and its default configuration significantly limits its available resources making it vulnerable to these types of attack. In spite of these limitations, Tomcat is commonly employed as a stand-alone web server
Table 2: Experimentation settings.
P 5min
ti 10sec
Request timeout settings: Experimental (default value)
Apache 113sec (120 sec)
IIS 114sec (120 sec)
Nginx 62sec (60 sec)
Tomcat 36sec (30 sec)
Table 3: Web servers performance under application layer DoS attacks.
Server Low-rate Slow send Slow read Apache Linux Events 17% loss 10% loss 0% loss
Apache Linux Pre-fork 27% loss 27% loss 7% loss
Apache Linux Worker 30% loss 33% loss 3% loss
Apache Windows 90% loss 90% loss 3% loss
IIS 0% loss 0% loss 0% loss
Nginx Linux 10% loss 10% loss 0% loss
Nginx Windows 0% loss 0% loss 0% loss
Tomcat Linux - Default 43% loss 43% loss 100% loss
Tomcat Linux - Enhanced 0% loss 0% loss 100% loss
Tomcat Windows 60% loss 60% loss 10% loss
and servlet server at the same time.
Tomcat shows similar performance in Slow send attack which significantly im-proves with enhanced configuration. The other server that shows a decreased performance under Slow send attack is the Windows version of Apache. Other versions of Apache also exhibit some insignificant loss in the beginning of an attack, but are able to quickly recover. The effectiveness of low-rate attack is very similar to the impact of Slow send attacks.
One noticeable trend that our results show is the high dependence of an attack effectiveness on the underlying implementation of a web server rather than their configuration. On Linux, various configurations of Apache seem to be resilient. However, in general they do show some insignificant loss. While IIS and Nginx seem to be almost immune to these types of application layer attacks.
6 Discussion
Slow-rate and low-rate attacks were designed as stealthy attacks to cause denial-of-service for a targeted server application using few resources on the attacker’s side. With this in mind, the important characteristics of these attacks are their invisibility to traditional (network-layer based) detectors and as a consequence their ability to leave unrelated services intact.
While, as been shown theoretically [9], these attacks are effective variations of
traditional DoS attacks, our experiments reveal the resilience of some modern web servers to these types of attacks. Our results show that these types of attacks can still be successful on some targets. However this is dependent on the target being susceptible to said attacks. Attacks that are even more specific, such as attacks targeting specific user visible components, e.g. a search component in a content management system, may be more successful than current slow-rate and low-rate DoS attacks.
The current design of the low-rate and slow-rate attacks relies on specific im-plementations of a server. More close analysis of our results shows a correlation between resiliency of a web server to attacks and its ability to quickly recover.
That is, servers that are more resilient, i.e., allow for more simultaneous con-nections and essentially are able to handle more requests at a time, quickly make up for low or slow-rate messages, minimizing or completely eliminating the impact of attacks. Potential countermeasures to mitigate these attacks can include an increase in a number of connections that a server is able to handle or a limitation of a number of simultaneous connections that a client can have at the same time. While the latter measure is easily evadable with a distributed version of an attack, the first one calls for changes in a server’s implementa-tion. At current the most feasible solution seems to be a careful selection of web servers. Based on our results, IIS or Ngnix as a general web server, potentially with Tomcat as a servlet provider seems to be the most resilient option.
7 Conclusions
In this study we explored the impact of application layer srate and low-rate DoS attacks on four modern web servers. Our experiments revealed the resilience of modern web servers to these types of attacks. We found that it is difficult to attack a server using slow-rate and low-rate attacks mainly due to the design and implementation of the web servers. These types of attacks seem to be tailored to specific implementations rather than general web servers. This fact limits the applicability of attacks and consequently brings the need for mitigation strategy that should be addressing flows in selected web server implementations rather than focusing on attacks themselves.
Exhausting the resources of a web server in a targeted manner is not trivial, but it is possible if flaws in the implementation or configuration of the web server are discovered. We see two main ways to effectively perform a slow-rate attack on a web server: attack the software implementation or configuration in a targeted manner, or attack the user space applications on top of the web server. We expect that the future of DoS attacks will continue to focus mainly on clas-sical flooding attacks. We also expect that the future of slow-rate and low-rate DoS attacks will lie in areas such as misconfigured web servers and content management systems.
References
[1] Apache Range Attack (2011). Apache httpd security advisory. http://httpd.apache.org/security/CVE-2011-3192.txt.
[2] Arbor Networks (2012). The growing threat of application-layer ddos at-tacks.
[3] Beitollahi, H. and G. Deconinck (2012, June). Review: Analyzing well-known countermeasures against distributed denial of service attacks. Com-put. Commun. 35(11), 1312–1332.
[4] Bhatia, S., D. Schmidt, and G. Mohay (2012). Ensemble-based ddos detection and mitigation model. In Proceedings of the Fifth International Conference on Security of Information and Networks, pp. 79–86. ACM.
[5] Brenann, T. (2010). Owasp http post tool.
https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool.
[6] Guirguis, M., A. Bestavros, and I. Matta (2006). On the impact of low-rate attacks. . . . International Conference on 00(c), 2316–2321.
[7] Jung, J., B. Krishnamurthy, and M. Rabinovich (2002). Flash crowds and denial of service attacks: characterization and implications for cdns and web sites. In Proceedings of the 11th international conference on World Wide Web, WWW ’02, New York, NY, USA, pp. 293–304. ACM.
[8] Kuzmanovic, A. and E. W. Knightly (2003). Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants). In Proceedings of the ACM SIGCOMM, pp. 75–86.
[9] Macia-Fernandez, G., J. Diaz-Verdejo, and P. Garcia-Teodoro (2009). Mathe-matical model for low-rate dos attacks against application servers. Information Forensics and Security, IEEE Transactions on 4(3), 519–529.
[10] Maciá-Fernández, G., J. E. Díaz-Verdejo, and P. García-Teodoro (2006). As-sessment of a vulnerability in iterative servers enabling low-rate dos attacks. In Proceedings of the 11th European conference on Research in Computer Security, ESORICS’06, Berlin, Heidelberg, pp. 512–526. Springer-Verlag.
[11] Maciá-Fernández, G., J. E. Díaz-Verdejo, and P. García-Teodoro (2007, March). Evaluation of a low-rate dos attack against iterative servers. Comput. Netw. 51(4), 1013–1030.
[12] Maciá-Fernández, G., J. E. Díaz-Verdejo, P. García-Teodoro, and F. de Toro-Negro (2008). LoRDAS: a low-rate dos attack against application servers. In Proceedings of the Second international conference on Critical Information In-frastructures Security, CRITIS’07, Berlin, Heidelberg, pp. 197–209. Springer-Verlag.
[13] Maciá-Fernández, G., R. A. Rodríguez-Gómez, and J. E. Díaz-Verdejo (2010, October). Defense techniques for low-rate dos attacks against application servers. Comput. Netw. 54(15), 2711–2727.
[14] Mehra, M., M. Agarwal, R. Pawar, and D. Shah (2011). Mitigating denial of service attack using captcha mechanism. In Proceedings of the International Conference & Workshop on Emerging Trends in Technology, ICWET ’11, New York, NY, USA, pp. 284–287. ACM.
[15] Mori, G. and J. Malik (2003). Recognizing objects in adversarial clutter: Breaking a visual captcha. In CVPR, Volume 1, pp. 134–141.
[16] Nam, S. Y. and T. Lee (2009). Memory-efficient ip filtering for counter-ing ddos attacks. In Proceedcounter-ings of the 12th Asia-Pacific network operations and management conference on Management enabling the future internet for changing business and new computing services, APNOMS’09, Berlin, Heidelberg, pp. 301– 310. Springer-Verlag.
[17] Prolexic (2013, Q1). Quaterly global ddos attack report. http://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html.
[18] Ranjan, S. and et al. (2006). Ddos-resilient scheduling to counter applica-tion layer attacks under imperfect detecapplica-tion. In In Proceedings of IEEE INFO-COM, pp. 23–29.
[19] Ranjan, S., R. Swaminathan, M. Uysal, A. Nucci, and E. Knightly (2009, February). Ddos-shield: Ddos-resilient scheduling to counter application layer attacks. IEEE/ACM Trans. Netw. 17(1), 26–39.
[20] Raz, R. (2010). Universal http dos - are you dead yet? http://chaptersinwebsecurity.blogspot.ca/2010/11/universal-http-dos-are-you-dead-yet.html.
[21] RSnake (2009). Slowloris HTTP DoS.
[22] Shekyan, S. (2012). Are you ready for slow reading? https://community.qualys.com/blogs/securitylabs/ 2012 /01/05/slow-read.
[23] Srivatsa, M., A. Iyengar, J. Yin, and L. Liu (2008, July). Mitigat-ing application-level denial of service attacks on web servers: A client-transparent approach. ACM Trans. Web 2(3), 15:1–15:49.
[24] Tang, Y. (2012). Countermeasures on application level low-rate denial-of-service attack. In Proceedings of the 14th international conference on Infor-mation and Communications Security, ICICS’12, Berlin, Heidelberg, pp. 70–80. Springer-Verlag.
[25] Xie, Y. and S. zheng Yu (2006). A novel model for detecting application layer ddos attacks. In Computer and Computational Sciences, 2006. IMSCCS ’06. First International Multi-Symposiums on, Volume 2, pp. 56–63.
[26] Xie, Y. and S. zheng Yu (2009). Monitoring the application-layer ddos at-tacks for popular websites. Networking, IEEE/ACM Transactions on 17(1), 15– 25.
[27] Xuan, Y., I. Shin, M. Thai, and T. Znati (2010). Detecting application denial-of-service attacks: A group-testing-based approach. Parallel and Distributed Systems, IEEE Transactions on 21(8), 1203–1216.
[28] Ye, C. and K. Zheng (2011). Detection of application layer distributed de-nial of service. In Computer Science and Network Technology (ICCSNT), 2011 International Conference on, Volume 1, pp. 310–314.
[29] Yu, J., Z. Li, H. Chen, and X. Chen (2007). A detection and offense mech-anism to defend against application layer ddos attacks. In Networking and Services, 2007. ICNS. Third International Conference on, pp. 54–54.
[30] Zhang, C., Z. Cai, W. Chen, X. Luo, and J. Yin (2012, October). Flow level detection and filtering of low-rate ddos. Comput. Netw. 56(15), 3417–3431.
Hugo Gonzalez: is a PhD student at the Information Security Centre of Excel-lence, University of New Brunswick, Canada. He is a Faculty Member of the Polytechnic University of San Luis Potosi, Mexico.
Marc Antoine Gosselin-Lavigne: is currently working towards his B.S degree in the Faculty of Computer Science, University of New Brunswick, Canada.
Natalia Stakhanova: received her PhD degree from the Iowa State University, USA and has an extensive expertise in intrusion detection, cyber security, and malware analysis. Dr. Stakhanova has published over 30 journal, conference pa-pers and reports and was the recipient of the Nokia Best Student Paper Award at The IEEE International Conference on Advanced Information Networking and Applications (AINA). She has developed a number of technologies that have been adopted by high-tech companies and has two patents in the field of computer security.
Ali A. Ghorbani: is currently a professor and a dean with the University of New Brunswick (UNB), where he is the director of Information Security Center of Excellence, and is also the coordinator of the Privacy, Security and Trust net-work annual conference. He holds a UNB Research Scholar position and is the coeditor-in-chief of the Computational Intelligence: An International Journal, and an associate editor of the International Journal of Information Technology and Web Engineering. His current research interests include web intelligence, network security, complex adaptive systems, critical infrastructure protection, and trust and security assurance. He is a member of the Association for Com-puting Machinery, the IEEE Computer Society, the IEEE, and the Canadian So-ciety for Computational Studies of Intelligence.
