Introduction
As more and more services, including critical infrastructure, the power grid, e-commerce, and transportation systems, are brought online, an attack on the availability of these services can have a catastrophic impact on our day-to-day life. A Denial of Service (DoS) attack is a common attack on infrastructure and services; it targets the availability of resources or system operations. In a DoS attack, a single attacker injects attack traffic to overwhelm the target's resources. A more sophisticated form is the Distributed Denial of Service (DDoS) attack, in which two or more attackers, such as botnets or compromised hosts, inject attack traffic towards a single target to disrupt or delay service to genuine users. Nowadays, DDoS attacks target critical infrastructure, the power grid, cloud infrastructure (Agrawal & Tapaswi, 2019), health care (Latif et al., 2014), IoT (Kolias et al., 2017), smart cities (Lee et al., 2019), and media and entertainment services.
Based on the volume and duration of the traffic, DoS attacks can be classified as high-volume DoS (HDoS) and slow DoS (SDoS). HDoS targets the network infrastructure, including servers, routers, and switches, by sending a large volume of attack traffic generated with network-layer or transport-layer protocols. Compared to the normal traffic rate, the volume of HDoS traffic is enormous and has reached rates of Terabytes/second (Institute & Akamai, 2017). Hence, HDoS can be detected by monitoring and analyzing bandwidth usage and traffic volume.
In SDoS, the attacker sends partial requests to the server at a very low rate. The server must hold resources for a longer period to process these requests, which subsequently blocks access for legitimate users. In comparison to HDoS attacks, these attacks target the application layer and consume less network bandwidth. Slow DoS traffic and normal traffic have similar traffic volume and transmission speed; hence, compared to HDoS traffic, it is difficult to distinguish SDoS traffic from normal traffic. The three main challenges in detecting an SDoS attack among legitimate traffic are (Hoque et al., 2015):
- It uses valid connections during the attack.
- It needs fewer connections to launch the attack.
- SDoS attacks can overwhelm resources independently of the capabilities of the host's hardware.
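As an added illustration (not from the paper or any cited work) of why the volume monitoring that catches HDoS misses SDoS, the following Python runs a volume-based detector and a per-connection timing detector over constructed connection records. The record format, addresses, rates and thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """One observed client connection (hypothetical record format)."""
    src: str
    bytes_per_sec: float   # observed data rate on this connection
    open_seconds: float    # how long the connection has been open
    headers_done: bool     # has the server received a complete request header?


# Constructed sample records, not captured traffic.
SAMPLE = [
    Conn("10.0.0.5", 1_200.0, 0.4, True),        # normal page fetch
    Conn("10.0.0.6", 900.0, 1.1, True),          # normal, slower client
    Conn("198.51.100.9", 5e8, 3.0, True),        # HDoS-style flood source
    # SDoS-style: a few long-lived connections trickling partial headers
    *[Conn("203.0.113.7", 8.0, 120.0, False) for _ in range(3)],
]


def volume_detector(conns, threshold_bps=1e7):
    """Flag sources whose aggregate rate exceeds the threshold.

    This is the bandwidth/volume monitoring that works for HDoS."""
    per_src = {}
    for c in conns:
        per_src[c.src] = per_src.get(c.src, 0.0) + c.bytes_per_sec
    return sorted(s for s, bps in per_src.items() if bps > threshold_bps)


def slow_request_detector(conns, max_header_wait=20.0, min_bps=100.0):
    """Flag sources with connections that are still open after
    max_header_wait seconds without a complete header, or that send
    below min_bps for that long. Volume alone never trips on these."""
    return sorted({c.src for c in conns
                   if c.open_seconds > max_header_wait
                   and (not c.headers_done or c.bytes_per_sec < min_bps)})


if __name__ == "__main__":
    print("volume detector flags:", volume_detector(SAMPLE))
    print("slow-request detector flags:", slow_request_detector(SAMPLE))
```

Run on the sample, the volume detector flags only the flood source, while the three trickling connections from 203.0.113.7 (aggregate rate 24 bytes/s) pass it and are caught only by the timing rule.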
Given these properties, adversaries target HTTP servers to conduct slow DoS attacks. As HTTP is one of the most prominent application-layer protocols used on the Internet, a slow DoS attack on an HTTP server may have a large-scale impact.
Researchers have analyzed the possibility of slow DoS attacks on popular HTTP servers. A study of four popular HTTP servers and their vulnerability to slow HTTP DoS attacks is presented in (Tripathi et al., 2016); the authors observed that slow HTTP DoS attacks remain a threat to many popular web servers. A study of web servers' queue scheduling policies against application-layer DoS using simulators is presented in (Kumar & Bhandari, 2017). Various surveys on DoS and application-layer DoS are available in the literature. Praseed and Thilagam (Praseed & Thilagam, 2018) survey application-layer DDoS attacks and conclude that application-layer DoS is a significant security concern because of the difficulty of adopting defense mechanisms against it. A survey of new techniques for countering HTTP-GET flood DDoS attacks is given in (Singh et al., 2017). A review of different detection methods for application-layer DDoS is presented in (Jaafar et al., 2019). Various types of DoS attacks and preventive mechanisms against them are surveyed in (Nagesh et al., 2017).