Catch Me If You Can: A New Low-Rate DDoS Attack Strategy Disguised by Feint

TL;DR

This paper introduces a novel low-rate DDoS attack strategy called F-LDDoS that disguises malicious traffic as benign, making detection and mitigation more challenging, and demonstrates its increased effectiveness and stealthiness through experiments.

Contribution

The paper proposes a new Feint-based LDDoS attack method that enhances stealth and attack impact, highlighting vulnerabilities in existing defense mechanisms.

Findings

F-LDDoS degrades TCP bandwidth 6.7%-14% more than baseline LDDoS.

F-LDDoS reduces traffic similarity, increasing attack stealth.

F-LDDoS increases packet arrival uncertainty, complicating detection.

Abstract

While collaborative systems provide convenience to our lives, they also face many security threats. One of them is the Low-rate Distributed Denial-of-Service (LDDoS) attack, which is a worthy concern. Unlike volumetric DDoS attacks that continuously send large volumes of traffic, LDDoS attacks are more stealthy and difficult to be detected owing to their low-volume feature. Due to its stealthiness and harmfulness, LDDoS has become one of the most destructive attacks in cloud computing. Although a few LDDoS attack detection and defense methods have been proposed, we observe that sophisticated LDDoS attacks (being more stealthy) can bypass some of the existing LDDoS defense methods. To verify our security observation, we proposed a new Feint-based LDDoS (F-LDDoS) attack strategy. In this strategy, we divide a Pulse Interval into a Feinting Interval and an Attack Interval. Unlike the previous LDDoS attacks, the bots also send traffic randomly in the Feinting Interval, thus disguise themselves as benign users during the F-LDDoS attack. In this way, although the victim detects that it is under an LDDoS attack, it is difficult to locate the attack sources and apply mitigation solutions. Experimental results show that F-LDDoS attack can degrade TCP bandwidth 6.7%-14% more than the baseline LDDoS attack. Besides, F-LDDoS also reduces the similarities between bot traffic and aggregated attack traffic, and increases the uncertainty of packet arrival. These results mean that the proposed F-LDDoS is more effective and more stealthy than normal LDDoS attacks. Finally, we discuss the countermeasures of F-LDDoS to draw the attention of defenders and improve the defense methods.