Enrico Cambiaso

Slow DoS attacks: definition and categorisation

Denial of service (DoS) attacks evolved and consolidated as severe security threats to network servers, not only for internet service providers but also for governments. Earlier DoS attacks involved high-bandwidth flood-based approaches exploiting vulnerabilities of networking and transport protocol layers. Subsequently, distributed DoS attacks have been introduced amplifying not only the overall attack bandwidth but also the attack source, thus eluding simple counter measures based on source filtering. Current low bit-rate approaches, instead, exploit vulnerabilities of application layer protocols to accomplish DoS or DDoS attacks. Slow DoS attacks like, e.g., slowloris are particularly dangerous because they can bring down a well equipped server using small attacker’s bandwidth, hence they can effectively run on low performance hosts, such as routers, game consoles, or mobile phones. In this paper, we study slow DoS attacks, analysing in detail the current threats and presenting a proper definition and categorisation for such attacks. Hopefully, our work will provide a useful framework for the study of this field, for the analysis of network vulnerabilities, and for the proposal of innovative intrusion detection methodologies.

Taxonomy of Slow DoS Attacks to Web Applications

In the last years, Denial of Service (DoS) attacks have been widely spreaded becoming a more than ever relevant threat to network security.

Are mobile botnets a possible threat? The case of SlowBot Net

In virtue of the large-scale diffusion of smartphones and tablets, a possible exploitation of such devices to execute cyber-attacks should be evaluated. This scenario is rarely considered by cyber-criminals, since mobile devices commonly represent a target of attacks, instead of an exploitable resource. In this paper we analyze the possibility to execute distributed denial of service attacks from mobile phones. We introduce SlowBot Net, a botnet infrastructure designed to involve mobile agents, and we compare it with Low-Orbit Ion Cannon (also called LOIC), a well-known botnet adopted by cyber-hacktivists on the Internet. Results prove that SlowBot Net requires fewer resources to the attacker and it is effectively deployable on mobile nodes. Since research related to mobile botnets is still immature, the proposed work should be considered a valuable resource enriching the cyber-security field.

An on-line intrusion detection approach to identify low-rate DoS attacks

This paper addresses the problem of detection of “Slow” Denial of Service attacks. The problem is particularly challenging in virtue of the reduced amount of bandwidth generated by the attacks. A novel detection method is presented, which analyzes specific spectral features of traffic over small time horizons. No packet inspection is required. Extrapolated data refer to real traffic traces, elaborated over the Local Area Network of our Institute. Different kinds of attacks have been considered as well. The results show how the proposed method is reliable and applicable in many other contexts.

SlowReq: A Weapon for Cyberwarfare Operations. Characteristics, Limits, Performance, Remediations

In the last years, with the advent of the Internet, cyberwarfare operations moved from the battlefield to the cyberspace, locally or remotely executing sabotage or espionage operations in order to weaken the enemy. Among the technologies and methods used during cyberwarfare actions, Denial of Service attacks are executed to reduce the availability of a particular service on a network. In this paper we present a Denial of Service tool that belongs to the Slow DoS Attacks category. We describe in detail the attack functioning and we compare the proposed threat with a similar one known as slowloris, showing the enhancements provided by the proposed tool.

A similarity based approach for application DoS attacks detection

The ability to identify anomalous traffic patterns is a central issue for network managers: primarily lots of problems could arise from network attacks, such as viruses and tunneling tools. In this paper we present a detection algorithm able to extract information analyzing features of the network traffic containing attacks. The algorithm exploits statistical methodologies for traffic categorization. To assess the practical usability of the proposed algorithms we have tested its application in a case of abuse of resources through an application DoS attack known as slowloris. We have obtained an excellent reliability both analyzing single samples of traffic (100% of anomalies detection, with 1% probability of false positives) and processing multiple samples, through an average measurement (100% of anomalies detection, with a distance between traffics of 5.29 σ, providing an extremely low false positive error rate).

Mobile Botnets Development: Issues and Solutions

Due to their limited capabilities, mobile devices have rarely been adopted as attack vectors. In this paper, we consider the execution of coordinated and distributed attacks perpetrated by mobile devices (mobile botnet). We first describe current botnets architectures, analyzing their strengths and weaknesses. Then, we identify problems deriving from the development of a mobile botnet. Appropriate solutions to such problems have been proposed, thus providing an important resource during design and development stages of a mobile botnet. ⎯

Detection of DoS attacks through Fourier transform and mutual information

Due to their recent appearance and the reduced requirements in terms of network bandwidth, Slow Denial of Service Attacks detection represents a particularly challenging problem. This paper presents a novel detection method, analyzing spectral features of the network traffic over small time horizons. The proposed method has been validated by extrapolating data referred to real traffic traces, elaborated over the Local Area Network of our research institute. We have considered different kinds of attacks and results show how the proposed approach is reliable and applicable also in other cybersecurity contexts.

Understanding DDoS Attacks from Mobile Devices

The recent proliferation of smartphones and tablets leads to consider such devices as means for the execution of cyber-attacks. This scenario has rarely been considered earlier, since mobile devices always represented a target for cyber-criminals, rather than a vector to exploit. In this paper we introduce an innovative mobile bot net infrastructure, composed by mobile agents, for the execution of denial of service attacks. We prove that the chance of involving mobile bots is possible, comparing the proposed infrastructure to Low-Orbit Ion Cannon (LOIC), a well-known system in this context. Results show that in virtue of reduced resource consumption the proposed system is particularly addicted to the mobile environment. The idea of a mobile bot net is unexplored until now, therefore, the proposed system represents an important step in the mobile and cyber security field.

Measuring the Energy Consumption of Cyber Security

The Internet is a core tool for developing commercial and social relationships. As a consequence, cyber security must be properly assessed, for instance, to face new and sophisticated threats. To deliver large-scale services, proper countermeasures characterized by a non-negligible energetic impact have to be pursued. From this perspective, this article proposes to investigate the energy required by the most popular cryptographic algorithms. The collected measures are used to model relationships between power drains and size of the key or offered load via a black box approach. Results can also be used to prevent classical traffic analysis campaigns.