Please use this identifier to cite or link to this item: https://dspace.iiti.ac.in/handle/123456789/1472
Title: Novel application layer denial of service attacks and detection
Authors: Tripathi, Nikhil
Supervisors: Hubballi, Neminath
Keywords: Computer Science and Engineering
Issue Date: 31-May-2018
Publisher: Department of Computer Science and Engineering, IIT Indore
Series/Report no.: TH169
Abstract: Application layer Denial of Service (DoS) attacks exploit either flaws in protocol specification or implementation errors to render the application unusable for other legitimate users. These attacks can be generated with a minimal number of specially crafted requests. Thus it is important to scrutinize application layer protocols for potential specification and implementation flaws. In this thesis, we study four application layer protocols, namely Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP/1.1), its successor HTTP/2 and Network Time Protocol (NTP), for potential flaws. We describe new attacks against these protocols and also various detection methods to detect such attacks.

Dynamic Host Configuration Protocol (DHCP) is used for automatic configuration of IP addresses. This protocol is vulnerable to an attack known as a starvation attack, which prevents clients from acquiring an IP address. In our first contribution, we highlight some of the practical difficulties in generating this attack in wireless networks. Subsequently, we propose a new starvation attack (with three variants) which we name the "Induced DHCP Starvation Attack". This attack can be launched in both wired and wireless networks. We test various state-of-the-art security features available with modern network switches to counter starvation attacks, and show that these security features cannot mitigate this new attack. We also propose a few anomaly detection methods to detect this attack.

Hypertext Transfer Protocol (HTTP) is a predominantly popular web communication protocol. We perform an empirical evaluation of four popular web servers against known Slow HTTP DoS attacks of HTTP/1.1 and conclude that the majority of them are vulnerable. We extend this study with testing of 100 sample websites chosen from four different categories and furnish the vulnerability assessment report. Subsequently, we propose an anomaly detection system to detect these attacks.

We propose five new Slow Rate DoS attacks against the HTTP/2 protocol. These attacks require sending specially crafted requests to an HTTP/2 server. We test the proposed attacks against different web servers and show that all of them are vulnerable to at least one attack. We also propose an anomaly detection system which uses a chi-square test over a set of feature statistics derived from HTTP/2 traffic to detect these attacks.

Clock synchronization among computers is important, as inconsistencies in time can affect various core Internet services. Network Time Protocol (NTP) is used to synchronize clocks among computers. We propose an attack against NTP's broadcast mode that can prevent an NTP client configured in authenticated/unauthenticated broadcast or multicast mode from synchronizing its clock with the server's clock. This attack requires sending spoofed NTP packets from an adversary, hence we propose a method to detect spoofed packets in order to detect this new attack. Spoofed NTP packets are identified by noticing inconsistencies in the Time-To-Live values of received NTP packets.
URI: https://dspace.iiti.ac.in/handle/123456789/1472
Type of Material: Thesis_Ph.D
Appears in Collections: Department of Computer Science and Engineering_ETD

Files in This Item:
File: TH_169_Nikhil Tripathi_1401101002.pdf
Size: 26.14 MB
Format: Adobe PDF

