SaTC: CORE: Small: Hardening Systems Against Low-Rate DDoS Attacks

Project Details

Performance Period

Sep 01, 2018 - Aug 31, 2020

Institution(s)

University of Southern California

Award Number


Low-rate denial-of-service (LRD) attacks deny access to services by depleting some limited resource at the end host or a network device, which leaves the device unable to process legitimate clients' traffic. LRD attacks are very challenging to detect and handle at the network level because their rate is so low: the attack traffic is a needle in a haystack of legitimate traffic. On the other hand, detecting LRD at the application level would require changes to many applications, and would only be effective against specific attack variants. All online services are vulnerable to distributed denial-of-service (DDoS) attacks, and LRD attacks are especially challenging to handle today, because they can be launched from smaller botnets and at lower rates than flooding attacks. This project designs and builds an LRD defense, called Leader, which is application-agnostic and can handle both current and future attack variants with the same mechanism. Leader makes online services robust against LRD attacks by helping them manage their resources intelligently and identify and neutralize misuse attempts. This in turn improves the security of the entire Internet, as well as the security of our critical infrastructure. Where full mitigation is not possible, the planned approach raises the bar for attackers by forcing them to recruit large botnets. The project will also generate lecture modules and practical exercises to be used in current courses and shared publicly.

The Leader defense builds profiles that describe how external requests, clients, applications and the entire device use system resources. These profiles, called "connection life stages", record the type and amount of each resource used, the order in which the uses occur, and the time for which each chunk of a resource is held. Leader compares instantaneous profiles to baseline profiles at the connection, client, application and device level to detect denial of service and identify the resources being affected. Leader further uses connection life stages for anomaly detection, which drives attack diagnostics and mitigation. In the rare cases when the profiles show no anomalous resource use, or cannot attribute it to specific connections or clients, Leader resorts to offline binary analysis of the affected applications. This analysis helps to understand how the application's code paths use system resources and to identify possible code changes that increase robustness to LRD attacks. Leader's combination of system-, network- and application-level monitoring of resource-use patterns, together with per-request accounting of resource usage for each external service request, is a unique, novel feature. The Leader defense is implemented as an operating system (OS) module, and thus protects the deploying device against all LRD attacks at the OS and the application level.
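The profile comparison described above, as an added illustration that is not Leader's own code: each connection is modelled as an ordered list of life stages (resource type, amount held, hold time), a baseline is learned from normal connections, and a suspect client's connections are scored per stage so that the depleted resource can be named. The stage schema, the z-score threshold and the sample traffic are assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed model of one "connection life stage": at its i-th stage a
# connection holds `amount` units of `resource` for `hold_ms` milliseconds.
@dataclass(frozen=True)
class Stage:
    resource: str   # "socket", "thread", "memory", ...
    amount: float
    hold_ms: float

def build_baseline(connections):
    """Learn, per (stage_index, resource), the (mean, stdev) of amount and
    hold time from connections observed during normal operation."""
    samples = {}
    for conn in connections:
        for i, st in enumerate(conn):
            samples.setdefault((i, st.resource), []).append((st.amount, st.hold_ms))
    return {key: [(mean(col), pstdev(col)) for col in zip(*rows)]
            for key, rows in samples.items()}

def score_connection(conn, baseline, z_max=3.0, min_sigma=1.0):
    """Return (stage_index, resource, feature, z) for each stage deviating from
    baseline; z is None when the stage order/resource was never seen."""
    anomalies = []
    for i, st in enumerate(conn):
        key = (i, st.resource)
        if key not in baseline:  # resource used out of the learned order
            anomalies.append((i, st.resource, "order", None))
            continue
        feats = zip(("amount", "hold_ms"), (st.amount, st.hold_ms), baseline[key])
        for feat, value, (mu, sigma) in feats:
            z = (value - mu) / max(sigma, min_sigma)  # floor sigma: constant stages still score
            if z > z_max:
                anomalies.append((i, st.resource, feat, round(z, 1)))
    return anomalies

def affected_resources(connections, baseline):
    """Count anomalous stages per resource across a client's connections;
    the resource with the most hits is the one being depleted."""
    counts = {}
    for conn in connections:
        for _, res, _, _ in score_connection(conn, baseline):
            counts[res] = counts.get(res, 0) + 1
    return counts

# Constructed traffic: normal = socket, then thread, then buffer; the suspect
# client follows the same order but holds each socket ~100x longer.
NORMAL = [[Stage("socket", 1, h), Stage("thread", 1, 20), Stage("memory", 64, m)]
          for h, m in ((48, 30), (50, 31), (52, 29), (49, 30), (51, 30))]
BASELINE = build_baseline(NORMAL)
SLOW_CLIENT = [[Stage("socket", 1, 5000), Stage("thread", 1, 20), Stage("memory", 64, 30)]] * 3
```

Running `affected_resources(SLOW_CLIENT, BASELINE)` attributes every anomaly to the socket resource, while a connection that takes resources in an unlearned order is reported as an order anomaly even when its hold times look normal.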