论文信息 - Hands-on denial of service lab exercises using SlowLoris and RUDY

Hands-on denial of service lab exercises using SlowLoris and RUDY

This paper presents an interactive exercise based on offensive denial of service techniques used by hackers. The goals of the exercise are to teach how a large class of denial of service (DoS) attacks work. Students will see that it is not necessary to use distributed DoS. Moreover, using virtualization, we created an exercise that was easy for faculty to use. We tested it on a class of computer science undergraduates, and while it was well-received by the students and easy for the faculty member, we learned some important lessons about designing hands-on exercises. In addition to teaching students about DoS attacks and how to defend against them, this exercise also requires students to look carefully at the HTTP protocol. In the following laboratory exercise, students learn offensive techniques in a context that prompts them to think critically about what makes networks secure and how they can be made more secure. The exercise involves the use of two newer but well-known denial of service attacks: 'SlowLoris' and 'R-U-Dead-Yet?' (RUDY). The students perform these attacks through a Java-based graphical interface, to make the lab more accessible. While carrying out the attacks, the students answer questions designed to improve their analytical skills and to better their understanding of TCP, HTTP, and application-layer security considerations.

[1] Kyle King,et al. Design and Implementation of a Multi-Use Attack-Defend Computer Security Lab , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[2] Felix C. Freiling,et al. Is attack better than defense?: teaching information security the right way , 2006, InfoSecCD '06.

[3] Michael Walfish,et al. DDoS defense by offense , 2006, SIGCOMM 2006.

[4] Sonia Fahmy,et al. DDoS Benchmarks and Experimenter's Workbench for the DETER Testbed , 2007, 2007 3rd International Conference on Testbeds and Research Infrastructure for the Development of Networks and Communities.

[5] Stephen D. Burd,et al. Replicating and Sharing Computer Security Laboratory Environments , 2009 .

[6] H. Tavani,et al. Ethics and technology : controversies, questions, and strategies for ethical computing , 2010 .

[7] Zouheir Trabelsi. Hands-on lab exercises implementation of DoS and MiM attacks using ARP cache poisoning , 2011, InfoSecCD.

[8] Vincent Nestler. Principles of Computer Security: CompTIA Security+and Beyond Lab Manual , 2011 .