The detection and prevention of low-rate DoS attacks


Bibliographic Details
Main Authors: Chen, Che-Feng, 陳哲鋒
Other Authors: Lai, Yi-Pong
Format: Others
Language: zh-TW
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/03361065215645788942
Description
Summary: Master's === National Defense University, Chung Cheng Institute of Technology === Master's Program in Computer Science and Information Engineering === 101 === The number of Internet users has increased in recent years. According to the 2012 survey report from Internet World Stats, the global online population is nearly 2.1 billion, compared to 1.15 billion people in 2007. That is about twice the earlier figure. As the Internet population doubles, information security incidents are also increasing. A Kaspersky Lab report put the number of Internet attacks in the past month (2013/4/6 ~ 2013/5/4) at about four million. Keeping the network secure without sacrificing its convenience is a long-term task for IT staff. In Kaspersky Lab's data, denial-of-service attacks account for about 70% of all attacks. The goal of these attacks is to exhaust the servers' resources so that legitimate users cannot access the servers normally. This results from attackers sending a large number of packets. Defenders check packet contents and observe the rate of change in traffic flow to identify the attacks. Attackers have since evolved another type of attack, named Low-Rate DoS. It uses few packets to achieve the effect of a denial-of-service attack, unlike traditional attacks that send a large number of packets in a short time. These attacks send "enough" packets to fill the buffers of the servers, or "complex" packets to consume the servers' computing power. Many defense methods against low-rate attacks have been proposed so that legitimate users can access server resources. In practice, an attacker can send requests that consume a large share of the system's resources, so legitimate users have to wait a long time for a response from the servers. That is a kind of denial-of-service attack. This thesis proposes defense methods based on observing how frequently each user accesses the server. Furthermore, we introduce the concept of priority to further obstruct distributed low-rate attacks. The maximum waiting time is taken to be the response time a user will tolerate. If the response time exceeds the tolerated response time, the denial-of-service attack has succeeded. According to the current network information magazine, the maximum request time a person will tolerate is 8 seconds. Without the proposed defense methods, only 1.8% of legitimate users can access the servers. With the proposed defense mechanism, the access rate of legitimate users increases to 96.6%, an increase of about 50 times.