Mitigating Low-volume DoS Attacks with Data-driven Resource Accounting
ChangSeok Oh, Sangho Lee, Wen Xu, Rohan Devang Vora, Taesoo Kim

TL;DR
This paper introduces ROKI, a data-driven resource accounting system that effectively mitigates low-volume DoS attacks by accurately tracking resource usage per packet across multiple layers, with minimal performance impact.
Contribution
ROKI provides a novel, fine-grained resource tracking method that attributes resource usage to individual packets, enabling effective mitigation of unknown μDoS attacks.
Findings
ROKI effectively mitigates real-world μDoS attacks.
System overhead is minimal, with only 3-4% throughput and latency impact.
Resource tracking is accurate across link, network, transport, and application layers.
Abstract
Low-volume Denial-of-Service (μDoS) attacks have been demonstrated to fundamentally bypass traditional DoS mitigation schemes based on the flow and volume of network packets. In this paper, we propose a data-driven approach, called ROKI, that accurately tracks internal resource utilization and allocation associated with each packet (or session), making it possible to tame resource exhaustion caused by μDoS attacks. Since ROKI focuses on capturing the symptom of DoS, it can effectively mitigate previously unknown μDoS attacks. To enable a finer-grain resource tracking, ROKI provided in concept the accounting capabilities to each packet itself, so we called data-driven: it monitors resource utilization at the link, network, transport layers in the kernel, as well as application layers, and attributes back to the associated packet. Given the resource usages of each packet, ROKI…
Taxonomy
Topics: Network Security and Intrusion Detection · Software-Defined Networks and 5G · Security and Verification in Computing
