How to Build a Dam: Fighting Application-Level DoS Attacks

The Internet has become a fertile ground for hostile activity. One of the simplest yet most effective attacks that can be launched over the network is a denial of service (DoS) attack. The most trivial form of a DoS attack floods the target with packets, causing congestion and consuming all available network resources. In order to employ massive attack power, the attacker usually launches a distributed denial of service (DDoS) attack, in which several subordinate hosts flood the target in concert. Traditionally, DoS attacks were performed at the network level. As a result, various network-level solutions have emerged. One type of readily available and cheap solution uses an existing firewall or router to perform ratelimiting of traffic and filtering of packets according to header fields like address and port number. Since most reasonable networks already contain the necessary hardware regardless of DoS attacks, this solution is very appealing. However, these solutions have limited effectiveness. Spoofing of headers that match the filtering criteria can be easily performed, and although rate-limiting stops networks from being overwhelmed, it indiscriminately discards messages. Another type of solution uses expensive devices proposed by commercial companies. These solutions rely on additional, costly hardware and software that perform complex computations to track incoming packets and decide on an action to take. Indeed, such solutions can identify and isolate the DoS attack much better than the simple solutions presented above. However, complex and expensive systems are not suitable for most organizations. As network-level DoS defenses are becoming more readily available, we can identify a shift of trends in the attackers’ strategy. Since applications tend to perform much more computations per packet than a network-level mechanism does, less traffic is needed to cause the application to exhaust all CPU resources and fail to handle valid requests. Hence, an easy application-level DoS attack is in effect. Another testament for this important problem was given in 1999 by The Committee on Information Systems and Trustworthiness. The committee declared that defending