DOI: 10.1145/3607199.3607238
research-article
Open access

Leader: Defense Against Exploit-Based Denial-of-Service Attacks on Web Applications

Published: 16 October 2023

Abstract

    Exploit-based denial-of-service attacks (exDoS) are challenging to detect and mitigate. Rather than flooding the network with excessive traffic, these attacks send a low rate of application requests that exploit some vulnerability and tie up a scarce key resource (for example CPU time, memory, or connection slots). It is impractical to design a separate defense for each variant of exDoS attack. That approach does not scale, since new vulnerabilities can be discovered in existing applications, and new applications can be deployed with yet unknown vulnerabilities.
    We propose Leader, an attack-agnostic defense against exDoS attacks. Leader monitors fine-grained resource usage per application on the host it protects, and per external request to that application. Over time, Leader learns the time-based patterns of legitimate users' resource usage for each application and models them with an elliptic envelope. During attacks, Leader uses these models to identify application clients that consume resources in an abnormal manner, and blocks them.
    We implement and evaluate Leader for the protection of Web applications against exDoS attacks. Our results show that Leader correctly identifies around 99% of attack IPs and around 99% of legitimate IPs across the six different exDoS attacks used in our evaluation. On average, Leader identifies and blocks an attacker after six requests. Leader has a small run-time cost, adding less than 0.5% to page load time.
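    The detection idea in the abstract, as an added worked example that is not the authors' code: per-request resource vectors from legitimate traffic are summarised by a mean and covariance, a request whose squared Mahalanobis distance from that model exceeds a threshold is an outlier, and a client that accumulates too many outlier requests is blocked. The feature set (cpu_ms, rss_kb, wall_ms), the constructed traffic generator, the IP addresses and the three-strike policy are assumptions for illustration; the paper fits scikit-learn's EllipticEnvelope (a robust MCD covariance), whereas this example uses the plain sample covariance so that it runs with no dependencies.

```python
# Added example (not the Leader authors' code): a dependency-free sketch of the
# detection idea in the abstract.  Per-request resource vectors from legitimate
# traffic are summarised by a mean and covariance; a request whose squared
# Mahalanobis distance from that model exceeds a threshold is an outlier, and a
# client that accumulates too many outliers is blocked.  Feature names, the
# traffic generator, the IPs and the strike policy are assumptions; the paper
# uses scikit-learn's EllipticEnvelope (robust MCD covariance), while this uses
# the plain sample covariance to stay self-contained.
import random
from collections import defaultdict

FEATURES = ("cpu_ms", "rss_kb", "wall_ms")  # assumed per-request measurements


def mean_and_cov(samples):
    """Sample mean vector and unbiased covariance matrix of a list of vectors."""
    n, d = len(samples), len(samples[0])
    mu = [sum(s[j] for s in samples) / n for j in range(d)]
    cov = [[sum((s[i] - mu[i]) * (s[j] - mu[j]) for s in samples) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; raises on a singular matrix."""
    d = len(m)
    a = [list(m[i]) + [1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        if abs(piv) < 1e-12:
            raise ValueError("covariance is singular; need more or more varied samples")
        a[c] = [x / piv for x in a[c]]
        for r in range(d):
            if r != c and a[r][c] != 0.0:
                f = a[r][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return [row[d:] for row in a]


def mahalanobis2(x, mu, inv_cov):
    """Squared Mahalanobis distance (x - mu)^T S^-1 (x - mu)."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    tmp = [sum(inv_cov[i][j] * diff[j] for j in range(len(diff))) for i in range(len(diff))]
    return sum(t * dd for t, dd in zip(tmp, diff))


class Envelope:
    """Elliptic decision boundary fitted on legitimate per-request vectors."""

    def __init__(self, contamination=0.01):
        # Like sklearn's `contamination`: the fraction of training points allowed
        # outside the envelope fixes the distance threshold.
        self.contamination = contamination

    def fit(self, samples):
        self.mu, cov = mean_and_cov(samples)
        self.inv_cov = invert(cov)
        d2 = sorted(mahalanobis2(s, self.mu, self.inv_cov) for s in samples)
        idx = min(len(d2) - 1, int((1.0 - self.contamination) * len(d2)))
        self.threshold = d2[idx]
        return self

    def is_outlier(self, x):
        return mahalanobis2(x, self.mu, self.inv_cov) > self.threshold


class ClientBlocker:
    """Blocks a client after `max_strikes` outlier requests (assumed policy)."""

    def __init__(self, envelope, max_strikes=3):
        self.envelope, self.max_strikes = envelope, max_strikes
        self.strikes = defaultdict(int)
        self.blocked = set()

    def observe(self, client_ip, vector):
        """Return True if this request should be dropped (client is blocked)."""
        if client_ip in self.blocked:
            return True
        if self.envelope.is_outlier(vector):
            self.strikes[client_ip] += 1
            if self.strikes[client_ip] >= self.max_strikes:
                self.blocked.add(client_ip)
                return True
        return False


def make_training_set(n=500, seed=1):
    """Constructed legitimate traffic: light CPU, stable RSS, wall time tracking CPU."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        cpu = rng.gauss(20.0, 5.0)
        rows.append((cpu, rng.gauss(4000.0, 300.0), cpu + rng.gauss(30.0, 8.0)))
    return rows


def constructed_attack_vector():
    """Constructed CPU-hogging request, the footprint a ReDoS-style input leaves."""
    return (900.0, 4100.0, 940.0)


if __name__ == "__main__":
    env = Envelope().fit(make_training_set())
    blocker = ClientBlocker(env)
    for i in range(4):
        dropped = blocker.observe("198.51.100.7", constructed_attack_vector())
        print(f"attack request {i + 1}: dropped={dropped}")
    print("legit request dropped:", blocker.observe("203.0.113.5", (21.0, 4010.0, 52.0)))
```

    Two practical caveats follow from this shape of detector. The sample mean and covariance are themselves pulled by outliers, so training on traffic that already contains an attack inflates the envelope; that is why the paper uses a robust (MCD) estimate and learns during attack-free periods. And because the threshold is a quantile of training distances, the `contamination` setting is a direct knob on the false-positive rate against legitimate users, not only on sensitivity to attackers.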



      Published In

      RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses
      October 2023
      769 pages
      ISBN:9798400707650
      DOI:10.1145/3607199
      This work is licensed under a Creative Commons Attribution International 4.0 License.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. Denial-of-service attacks
      2. application-agnostic defense
      3. attack-agnostic defense

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      RAID 2023
