CloudZombie: Launching and Detecting Slow-Read Distributed Denial of Service Attacks from the Cloud


As the Cloud becomes more ubiquitous and less expensive to use, a new class of denial of service attacks is emerging. These attacks employ the Cloud to launch denial of service attacks against a target outside the Cloud. Slow-read denial of service can be one of those attacks. It is a new type of application-layer denial of service attack that exploits vulnerabilities in the HTTP protocol in order to make services inaccessible to legitimate users on a target machine. This attack is difficult to detect with conventional intrusion detection systems, as it generates legitimate and complete packets in all networking layers and at a slow rate. The attack exhausts the target's resources, such as the Web server connection pool, and generally needs much less bandwidth than traditional volumetric attacks. The Cloud is an ideal platform to launch slow-read attacks, since virtual machines on the Cloud can be easily exploited as a botnet for the purpose of this attack. We show how this new phenomenon, CloudZombie, can happen by remotely launching slow-read attacks from the Cloud. We also present a new approach to detect slow-read attacks. Our method uses Random Forests to build classifiers based on which the incoming slow-read traffic can be detected at the destination. The high performance and low error rates of our approach indicate its efficiency in detecting the attack.

DOI: 10.1109/CIT/IUCC/DASC/PICOM.2015.261

Cite this paper

@article{Shafieian2015CloudZombieLA,
  title={CloudZombie: Launching and Detecting Slow-Read Distributed Denial of Service Attacks from the Cloud},
  author={Saeed Shafieian and Mohammad Zulkernine and Anwar Haque},
  journal={2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing},
  year={2015},
  pages={1733-1740}
}