Predicting the Impact of Denial of Service Attacks

Denial-of-service (DoS) attacks have become a major threat to current systems and networks in the Internet. Yet the existing infrastructure is rarely tested for potential damage caused by (D)DoS attacks because no method exist to audit a productive system without flooding and thus risking system outages and resulting losses. Having a method that does (D)DoS attack auditing without requiring the observation of the system under massive load is however crucial when testing critical infrastructure in a productive environment. We present a novel auditing method to externally assess and predict the impact of (D)DoS attacks on web servers based on low strength (D)DoS attack measurements. The developed method reduces the required probe traffic and relies on pre-established (D)DoS attack models to infer the impact of similar attacks at a stronger attack strength. To model the impact of (D)DoS attacks a multitude of server-internal as well as server-external metrics has been analyzed to identify those metrics, that characterize the state of the server and can be measured externally without requiring privileged access to the system and its network. The presented auditing method is evaluated for multiple current and common (D)DoS attacks using extensive measurements, analyzing the influence caused by variations in the intermediate network as well as in software and hardware on the web server. Calculating the error rate between prediction and actual measurements the accuracy of the method is verified resulting in an expected error rate of 10% at a limited attack strength of 30% of the strength causing a DoS. Additionally as a prototype an audit framework was developed, which implements the presented auditing method and allows anyone to asses the impact of a (D)DoS attack on a web server in the Internet.