Ajith Kumar P M
Semantic DOS Attacks and Detection

The global community now relies heavily on the Internet, making reliable Internet access a prerequisite for societal and economic development. When it comes to potential threats to online infrastructure, distributed denial-of-service (DDoS) attacks are among the most concerning.

Since DoS attackers employ a broad variety of techniques to achieve their goals, categorising these attacks accurately is a challenging task. The classification given in [1] is shown below.

(Figure: DoS taxonomy)

We are especially interested in one axis of that taxonomy: “EW: Exploited Weakness to Deny Service”. According to it, a DoS attack falls into one of the following types.

EW-2: Brute-Force

Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions. Since an intermediate network can usually deliver higher traffic volume than the victim network can handle, a high number of attack packets exhausts the victim’s resources.

EW-1: Semantic

Semantic attacks exploit a specific feature or implementation bug of some protocol or application installed at the victim in order to consume excess amounts of its resources.

The most common and classical form of DDoS is to flood the target application with a large number of requests (EW-2), but such attacks can usually be detected by sophisticated network-layer defence mechanisms. More recently, DoS attacks have grown in complexity: rather than relying on volume, attackers now use highly targeted, application-specific payloads to overwhelm their targets (EW-1). This article focuses on the second category, since detecting such attacks is almost impossible with traditional systems. TCP SYN attacks and ReDoS attacks are the most common in this category.

It is possible to find a solution for any one of these attacks in a specific environment. For instance, ReDoS attacks against a Python application can be detected from the application layer itself. But building a general-purpose solution is difficult, almost impossible, to achieve in the application layer. These days most servers use Linux containerization technologies, so it is important that our solution is compatible with containers.

CODA [2] is an effort that aims to achieve these goals. It:

  1. Works with applications written in any language
  2. Supports monitoring containers while remaining invisible to them
  3. Does not require familiarity with the app's source code.

CODA models the CPU time consumed by legitimate connections within the application. When a new connection is established, CODA monitors the CPU time consumed by that connection and detects attacks through statistical methods. For tracing it uses eBPF, a general-purpose execution engine in the Linux kernel that can run sandboxed programs in kernel context. The performance overhead introduced by CODA compared to the baseline performance of the tested servers is low, adding about 0.7-5 milliseconds of latency. CODA is capable of detecting semantic DoS attacks with astonishing accuracy and impressively minimal performance overhead. Since it follows a context-independent approach to detection, it can detect a wide variety of CPU-exhaustion DoS attacks. The framework is far from perfect, as the authors point out: since it measures CPU time based on the accept and close system calls, it cannot measure the CPU time of UDP requests. Also, the framework is implemented with eBPF, so it cannot work on other operating systems.
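As an added illustration, not code from the original post or from the CODA project, the Python sketch below applies the per-connection CPU-time modelling described above to constructed samples: a robust baseline is built from legitimate connections, and each new connection's accept-to-close CPU time is compared against it. The ConnSample records stand in for the measurements eBPF would collect, and the median/MAD threshold and the constant k are my own assumptions, not CODA's statistical method.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class ConnSample:
    """CPU time one connection consumed between accept() and close()."""
    conn_id: int
    cpu_ms: float


def build_baseline(legit):
    """Model legitimate connections with median and MAD.

    Median/MAD are robust, so a handful of slow-but-honest requests in the
    training window do not inflate the threshold the way mean/stddev would.
    """
    values = [s.cpu_ms for s in legit]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def is_cpu_exhaustion(sample, baseline, k=6.0, floor_ms=1.0):
    """Flag a connection whose CPU time is k robust-sigmas above the baseline.

    1.4826 * MAD estimates a standard deviation for roughly normal data;
    floor_ms stops a very tight baseline from flagging scheduling jitter.
    """
    med, mad = baseline
    sigma = max(1.4826 * mad, floor_ms)
    return (sample.cpu_ms - med) / sigma > k


def detect(samples, baseline, k=6.0):
    """Return the ids of connections that look like semantic DoS requests."""
    return [s.conn_id for s in samples if is_cpu_exhaustion(s, baseline, k)]


# Constructed training window: 20 ordinary requests costing 2.0-2.6 ms each.
LEGIT = [ConnSample(i, 2.0 + 0.1 * (i % 7)) for i in range(20)]
# Constructed live traffic: connection 102 sends one small request that hits
# a pathological code path (ReDoS-like) and burns ~850 ms of CPU. A
# volume-based defence sees one ordinary-sized connection and stays quiet.
LIVE = [ConnSample(100, 2.3), ConnSample(101, 2.6),
        ConnSample(102, 850.0), ConnSample(103, 1.9)]

if __name__ == "__main__":
    print(detect(LIVE, build_baseline(LEGIT)))  # [102]
```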

References

  1. Jelena Mirkovic and Peter Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev. 34, 2 (April 2004), 39–53. https://doi.org/10.1145/997150.9971

  2. M. Zhan, Y. Li, H. Yang, G. Yu, B. Li and W. Wang, "Coda: Runtime Detection of Application-Layer CPU-Exhaustion DoS Attacks in Containers," in IEEE Transactions on Services Computing, 2022, doi: 10.1109/TSC.2022.3194266.
