
    Introducing the SlowDrop Attack

    In network security, Denial of Service (DoS) attacks target network systems with the aim of making them unreachable. Last generation threats are particularly dangerous because they can be carried out with very low resource consumption by the attacker. In this paper we propose SlowDrop, an attack characterized by a legitimate-like behavior and able to target different protocols and server systems. The proposed attack is the first slow DoS threat targeting Microsoft IIS, until now unexploited by other similar attacks. We properly describe the attack, analyzing its ability to target arbitrary systems in different scenarios, including both wired and wireless connections, and comparing the proposed attack to similar threats. The obtained results show that, by executing targeted attacks, SlowDrop is successful both against conventional servers and Microsoft IIS, which is closed source and required us to carry out so-called "network level reverse engineering" activities. Due to its ability to successfully target different servers in different scenarios, the attack should be considered an important achievement in the slow DoS field.

    SlowDrop attack detection

    The diploma thesis is focused on the detection of a slow DoS attack named SlowDrop. The attack tries to imitate a legitimate user with a slow internet connection and does not show any strong signature, so the attack is difficult to detect. The diploma thesis is based on the work of Ing. Mazánek, in which the SlowDrop attack script was created. At the theoretical level, the issue of DoS attacks is described in general, but also in particular. Furthermore, the work proposes methods for solving the problem of SlowDrop attack detection. The methods are then described in detail and tested in a simulation environment. The practical part describes data analysis, signature detection, anomaly detection using neural networks and a detection script. In all practical parts, the used technologies and solution procedures are described in detail. The specific implementation of the solution and the achieved results are also presented. Finally, the individual results are evaluated and compared individually, but also among themselves. The obtained results show that the attack is detectable using a neural network and the created detection script.