Maurizio Aiello

Slow DoS attacks: definition and categorisation

Denial of service (DoS) attacks evolved and consolidated as severe security threats to network servers, not only for internet service providers but also for governments. Earlier DoS attacks involved high-bandwidth flood-based approaches exploiting vulnerabilities of networking and transport protocol layers. Subsequently, distributed DoS attacks have been introduced amplifying not only the overall attack bandwidth but also the attack source, thus eluding simple counter measures based on source filtering. Current low bit-rate approaches, instead, exploit vulnerabilities of application layer protocols to accomplish DoS or DDoS attacks. Slow DoS attacks like, e.g., slowloris are particularly dangerous because they can bring down a well equipped server using small attacker’s bandwidth, hence they can effectively run on low performance hosts, such as routers, game consoles, or mobile phones. In this paper, we study slow DoS attacks, analysing in detail the current threats and presenting a proper definition and categorisation for such attacks. Hopefully, our work will provide a useful framework for the study of this field, for the analysis of network vulnerabilities, and for the proposal of innovative intrusion detection methodologies.

Taxonomy of Slow DoS Attacks to Web Applications

In the last years, Denial of Service (DoS) attacks have been widely spreaded becoming a more than ever relevant threat to network security.

Are mobile botnets a possible threat? The case of SlowBot Net

In virtue of the large-scale diffusion of smartphones and tablets, a possible exploitation of such devices to execute cyber-attacks should be evaluated. This scenario is rarely considered by cyber-criminals, since mobile devices commonly represent a target of attacks, instead of an exploitable resource. In this paper we analyze the possibility to execute distributed denial of service attacks from mobile phones. We introduce SlowBot Net, a botnet infrastructure designed to involve mobile agents, and we compare it with Low-Orbit Ion Cannon (also called LOIC), a well-known botnet adopted by cyber-hacktivists on the Internet. Results prove that SlowBot Net requires fewer resources to the attacker and it is effectively deployable on mobile nodes. Since research related to mobile botnets is still immature, the proposed work should be considered a valuable resource enriching the cyber-security field.

An on-line intrusion detection approach to identify low-rate DoS attacks

This paper addresses the problem of detection of “Slow” Denial of Service attacks. The problem is particularly challenging in virtue of the reduced amount of bandwidth generated by the attacks. A novel detection method is presented, which analyzes specific spectral features of traffic over small time horizons. No packet inspection is required. Extrapolated data refer to real traffic traces, elaborated over the Local Area Network of our Institute. Different kinds of attacks have been considered as well. The results show how the proposed method is reliable and applicable in many other contexts.

SlowReq: A Weapon for Cyberwarfare Operations. Characteristics, Limits, Performance, Remediations

In the last years, with the advent of the Internet, cyberwarfare operations moved from the battlefield to the cyberspace, locally or remotely executing sabotage or espionage operations in order to weaken the enemy. Among the technologies and methods used during cyberwarfare actions, Denial of Service attacks are executed to reduce the availability of a particular service on a network. In this paper we present a Denial of Service tool that belongs to the Slow DoS Attacks category. We describe in detail the attack functioning and we compare the proposed threat with a similar one known as slowloris, showing the enhancements provided by the proposed tool.

A comparative performance evaluation of DNS tunneling tools

DNS Tunnels are built through proper tools that allow embedding data on DNS queries and response. Each tool has its own approach to the building tunnels in DNS that differently affects the network performance. In this paper, we propose a brief architectural analysis of the current state-of-the-art of DNS Tunneling tools. Then, wepropose the first comparative analysis of such tools in term of performance, as a first step towardsthe possibility to relateeach tool with a proper behavior of DNS traffic. To this aim, we define an assessment of the toolsin three different network configurationswith three different performance metrics. We finallysummarize the most interesting results and provide some considerations on the performance of each tool.

A similarity based approach for application DoS attacks detection

The ability to identify anomalous traffic patterns is a central issue for network managers: primarily lots of problems could arise from network attacks, such as viruses and tunneling tools. In this paper we present a detection algorithm able to extract information analyzing features of the network traffic containing attacks. The algorithm exploits statistical methodologies for traffic categorization. To assess the practical usability of the proposed algorithms we have tested its application in a case of abuse of resources through an application DoS attack known as slowloris. We have obtained an excellent reliability both analyzing single samples of traffic (100% of anomalies detection, with 1% probability of false positives) and processing multiple samples, through an average measurement (100% of anomalies detection, with a distance between traffics of 5.29 σ, providing an extremely low false positive error rate).

Mobile Botnets Development: Issues and Solutions

Due to their limited capabilities, mobile devices have rarely been adopted as attack vectors. In this paper, we consider the execution of coordinated and distributed attacks perpetrated by mobile devices (mobile botnet). We first describe current botnets architectures, analyzing their strengths and weaknesses. Then, we identify problems deriving from the development of a mobile botnet. Appropriate solutions to such problems have been proposed, thus providing an important resource during design and development stages of a mobile botnet. ⎯

A novel scaffold geometry for chondral applications: Theoretical model and in vivo validation

A theoretical model of the 3D scaffold internal architecture has been implemented with the aim to predict the effects of some geometrical parameters on total porosity, Young modulus, buckling resistance and permeability of the graft. This model has been adopted to produce porous poly‐caprolacton based grafts for chondral tissue engineering applications, best tuning mechanical and functional features of the scaffolds. Material prototypes were produced with an internal geometry with parallel oriented cylindrical pores of 200 μm of radius (r) and an interpore distance/pores radius (d/r) ratio of 1. The scaffolds have been then extensively characterized; progenitor cells were then used to test their capability to support cartilaginous matrix deposition in an ectopic model. Scaffold prototypes fulfill both the chemical‐physical requirements, in terms of Youngs modulus and permeability, and the functional needs, such as surface area per volume and total porosity, for an enhanced cellular colonization and matrix deposition. Moreover, the grafts showed interesting chondrogenic potential in vivo, besides offering adequate mechanical performances in vitro, thus becoming a promising candidate for chondral tissues repair. Finally, a very good agreement was found between the prediction of the theoretical model and the experimental data. Many assumption of this theoretical model, hereby applied to cartilage, may be transposed to other tissue engineering applications, such as bone substitutes. Biotechnol. Bioeng. 2014;111: 2107–2119.

Detection of DoS attacks through Fourier transform and mutual information

Due to their recent appearance and the reduced requirements in terms of network bandwidth, Slow Denial of Service Attacks detection represents a particularly challenging problem. This paper presents a novel detection method, analyzing spectral features of the network traffic over small time horizons. The proposed method has been validated by extrapolating data referred to real traffic traces, elaborated over the Local Area Network of our research institute. We have considered different kinds of attacks and results show how the proposed approach is reliable and applicable also in other cybersecurity contexts.