Slowloris DoS Countermeasure over WebSocket

We evaluate the security of WebSocket, one of the HTML5 APIs, with respect to L7 DoS attacks and design a countermeasure against the Slowloris attack, which is known to be difficult for IDS and IPS to detect. It is easy to disable WebSocket-based services by sending partial request packets slowly: the server can no longer provide the service because the Slowloris attack fills the request buffer. As a solution, we design a dual-buffer-based countermeasure. Its main features are the separation of buffers according to connection status and request acceptance without limitation. In this countermeasure, we propose a request buffer structure that never becomes full, by employing a circular buffer. Connections that have completed the handshake process are moved to another buffer so that they are not affected by the request attack. In our construction, when the request buffer is full, the oldest request is overwritten with a new request. As a result, our proposal allows benign requests to succeed during a Slowloris attack. Our construction could also be applied to other applications, including HTTP, FTP, etc.
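The dual-buffer idea in the abstract can be modelled in a few lines; the following is an added sketch, not the paper's implementation. The class and function names, the buffer capacity, and the constructed workload are assumptions, and an `OrderedDict` stands in for the circular buffer so that the oldest pending request is the one overwritten.

```python
from collections import OrderedDict

END_OF_HANDSHAKE = b"\r\n\r\n"  # end of the HTTP Upgrade request headers


class DualBufferAcceptor:
    """Request buffer that overwrites its oldest entry, plus a separate
    buffer for connections that have completed the handshake (hypothetical)."""

    def __init__(self, capacity, overwrite_oldest=True):
        self.capacity = capacity
        self.overwrite_oldest = overwrite_oldest  # False = plain bounded buffer
        self.pending = OrderedDict()   # conn_id -> partial request bytes
        self.established = set()       # second buffer: handshake finished

    def accept(self, conn_id):
        """Admit a new connection; return False only if it is refused."""
        if len(self.pending) >= self.capacity:
            if not self.overwrite_oldest:
                return False                   # baseline: buffer full, refuse
            self.pending.popitem(last=False)   # overwrite the oldest request
        self.pending[conn_id] = b""
        return True

    def feed(self, conn_id, data):
        """Append request bytes; move the connection out once complete."""
        if conn_id not in self.pending:
            return False                       # refused or already overwritten
        self.pending[conn_id] += data
        if self.pending[conn_id].endswith(END_OF_HANDSHAKE):
            del self.pending[conn_id]
            self.established.add(conn_id)      # no longer exposed to overwrite
        return True


def simulate(overwrite_oldest, capacity=8, slow_conns=100):
    """Constructed workload: slow clients that never finish their headers,
    with a benign client completing a handshake after every tenth one."""
    srv = DualBufferAcceptor(capacity, overwrite_oldest)
    benign_ok = 0
    for i in range(slow_conns):
        if srv.accept(("slow", i)):
            srv.feed(("slow", i), b"GET /chat HTTP/1.1\r\nX-a: b\r\n")  # partial
        if i % 10 == 9:
            cid = ("benign", i)
            if srv.accept(cid):
                srv.feed(cid, b"GET /chat HTTP/1.1\r\nUpgrade: websocket\r\n\r\n")
            benign_ok += cid in srv.established
    return benign_ok, len(srv.pending)
```

`simulate(True)` models the overwrite-oldest request buffer and `simulate(False)` the conventional bounded buffer that refuses new connections once full; each returns the number of benign handshakes completed and the number of entries left in the request buffer.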
