The proliferation of low-security Internet of Things devices has widened the range of weapons that malevolent users can utilize in order to attack legitimate services in new ways. In recent years, apart from very large volumetric distributed denial of service attacks, low and slow attacks initiated from intelligent bot networks have been observed targeting multiple hosts in a network over time. However, even if the attacks seem to be “innocent” at the beginning, they generate huge traffic in the network without, in practice, being detected by the traditional DDoS attack detection methods. In this chapter, an advanced pattern detection method is presented that is able to collect and classify in real time all the incoming traffic and detect a developing slow and low DDoS attack by monitoring the traffic in all the hosts of the network. The experimental analysis on a real dataset provides useful insights into the effectiveness of the method by identifying not only the main source of attack but also secondary sources that produce low traffic but target multiple hosts.
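The following added Python example illustrates the idea stated above, that a per-host volume threshold misses a low-volume source spread across many hosts while network-wide, per-source aggregation flags it as a secondary source next to the main one; it is not the chapter's method or code, and the flow records, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records for one monitoring window:
# (source address, destination host, request count). Not a real dataset.
FLOWS = [
    ("10.0.0.5", "web-1", 900), ("10.0.0.5", "web-2", 850),      # main, volumetric source
    ("203.0.113.7", "web-1", 12), ("203.0.113.7", "web-2", 11),  # low and slow source ...
    ("203.0.113.7", "web-3", 13), ("203.0.113.7", "web-4", 10),  # ... spread over many hosts
    ("198.51.100.9", "web-1", 15),                               # ordinary client
    ("198.51.100.3", "web-3", 14),                               # ordinary client
]

PER_HOST_THRESHOLD = 500   # classic per-host volume threshold (assumed value)
HIGH_TOTAL = 1000          # network-wide: cumulative requests that mark a main source
MIN_HOSTS = 3              # network-wide: distinct targets that mark a secondary source


def per_host_detection(flows, threshold=PER_HOST_THRESHOLD):
    """Traditional check: each host looks only at its own traffic and flags a
    source once it exceeds the threshold there. Low-volume sources never trip it."""
    return sorted({src for src, _, n in flows if n >= threshold})


def aggregate_by_source(flows):
    """Collect, across all monitored hosts, the set of targets and the total
    request count seen for each source in the window."""
    hosts, total = defaultdict(set), defaultdict(int)
    for src, dst, n in flows:
        hosts[src].add(dst)
        total[src] += n
    return hosts, total


def classify_sources(flows, high_total=HIGH_TOTAL, min_hosts=MIN_HOSTS):
    """Network-wide classification: 'main' if the cumulative volume is high,
    'secondary' if the volume is low but the source touches many distinct hosts.
    Returns {source: label}; unflagged sources are omitted."""
    hosts, total = aggregate_by_source(flows)
    labels = {}
    for src in hosts:
        if total[src] >= high_total:
            labels[src] = "main"
        elif len(hosts[src]) >= min_hosts:
            labels[src] = "secondary"
    return labels


if __name__ == "__main__":
    print("per-host:", per_host_detection(FLOWS))
    print("network-wide:", classify_sources(FLOWS))
```

The `MIN_HOSTS` and window length govern the false-positive rate against legitimate clients that legitimately touch several hosts, so they must be tuned per network.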
Introduction
Distributed Denial of Service (DDoS) attacks tend to be one of the major security threats against information system infrastructure. In the first half of 2018, according to Netscout, more than 2.8 billion attacks took place, with escalated metrics such as volume and maximum size (Modi, 2018). This is mainly attributed to the rapid deployment of Internet of Things (IoT) devices in various application fields such as automotive applications, industrial sites, consumer places, smart cities, etc. The latest reports estimate the active IoT devices at 27 billion in 2018 and project them to 125 billion by 2030 (IHS Markit, 2017). These devices can be smart TVs, watches, security cameras, printers, washing machines, smart vehicles, autonomous sensors, etc., which most of the time are connected directly to the Internet. According to security experts (Bhattacharya, 2018 and OWASP, 2016), there is a large number of potential vulnerabilities in IoT devices, ranging from insecure or misconfigured web servers and insufficient authentication mechanisms that communicate the user credentials in clear text to insufficient configuration with default passwords, etc. As a result, while the number of devices is increasing and as more and more types of devices are Internet-connected, the possibility of a device being hijacked is also increasing. Since 2014, there have been reports of exploiting vulnerabilities in routers, VoIP gateways, network printers and surveillance cameras in order to realize DDoS attacks against legitimate services (Kührer et al., 2014). In the following years, several DDoS attacks were reported to have been initiated by bot networks made up of IoT devices. In September 2016, an attack that created traffic of over 600 Gbps and was attributed to an IoT botnet created by the Mirai malware was unleashed against Brian Krebs’s security blog (Bertino and Islam, 2017). At the same time, another attack was reported against a French web host called OVH at 1.1 Tbps or more (US CERT, 2017).
Later in the same year, the service provider Dyn in the US experienced a very large DDoS attack of more than 1 Tbps, which again is attributed to IoT devices infected by the Mirai malware (Arbor Networks, 2016). In 2017, several more DDoS attacks took place against companies from different business domains, interrupting their services for several hours. In August 2017, Dreamhost, one of the biggest web hosting companies, suffered a DDoS attack targeting its DNS servers, making the websites hosted by the company inaccessible for four hours (Blake, 2017), while in October 2017 a DDoS attack took the UK National Lottery’s website offline during the Saturday draws, when a lot of people were ready to play the lottery (Cluley, 2017). Another victim, in November 2017, was the US newspaper the Boston Globe, which suffered a two-day DDoS attack that made its websites inaccessible for most of both days (Bray, 2017). The DDoS attacks continued in 2018, culminating in the largest DDoS attack known so far, against GitHub, peaking at 1.35 Tbps; it was successfully mitigated after 10 minutes of service unavailability by moving the traffic to the infrastructure of the edge computing provider Akamai (Kottler, 2018). The consequences of such attacks in the cloud infrastructure are not only catastrophic for the attacked services, but they may also affect other services that are not directly targeted, because the virtual machines of these other services may be migrated during the attack (Somani, Gaur and Sanghi, 2015). In the GitHub case, for example, the interruption of service affected several other companies that use GitHub as their code repository, and thus during the attack they were not able to run their businesses. Apart from individual companies, several governmental services have also been targeted by DDoS attacks. Several such incidents have been reported in the past in several countries such as Georgia, Estonia, Ukraine, Syria, the UK, the USA, etc. (Loukas and Oke, 2010), where multiple governmental services became unavailable during the DDoS attacks. A more recent attack, in November 2016 in Liberia, targeted the two Internet Service Providers that operate the only fiber Internet cable connecting the country to the Internet (Kolkman, 2016). The specific attack, which interrupted the country’s connection to the Internet, was attributed to a Mirai-enabled botnet that was being tested by its creators (Whittaker, 2016). According to security researchers (Zeifman and Saeed, 2015), online game servers are frequently the target of DDoS attacks, mainly because some players get emotionally involved when frustrated and see a DDoS attack as a means of revenge or of hindering other players from continuing to play. Such attacks have been recorded over the years, for example in 2015 against Blizzard WoW.