Mitigating Low-volume DoS Attacks with Data-driven Resource Accounting
Low-volume Denial-of-Service (μDoS) attacks have been demonstrated to fundamentally bypass traditional DoS mitigation schemes based on the flow and volume of network packets. In this paper, we propose a data-driven approach, called ROKI, that accurately tracks internal resource utilization and allocation associated with each packet (or session), making it possible to tame resource exhaustion caused by μDoS attacks. Since ROKI focuses on capturing the symptom of DoS, it can effectively mitigate previously unknown μDoS attacks. To enable a finer-grain resource tracking, ROKI provided in concept the accounting capabilities to each packet itself, so we called data-driven: it monitors resource utilization at the link, network, transport layers in the kernel, as well as application layers, and attributes back to the associated packet. Given the resource usages of each packet, ROKI can reclaim (or prevent) the system resources from malicious packets (or attackers) whenever it encounters system-wide resource exhaustion. To provide lightweight resource tracking, ROKI carefully multiplexes hardware performance counters whenever necessary. Our evaluation shows that ROKI's approach is indeed effective in mitigating real-world μDoS attacks with negligible performance overheads - incurring 3 throttled.
READ FULL TEXT