WiP: Slow Rate HTTP Attack Detection with Behavioral Parameters

Abstract

Hypertext Transfer Protocol (HTTP) is vulnerable to slow rate Denial of Service (DoS) attacks. Here an adversary deliberately reads and sends data slowly thereby prolonging the connection duration. Multiple such slow connections will cripple the web server and prevent servicing legitimate requests. The simplest detection methods which use x number of malicious requests in y window period can be easily evaded. In this paper, we identify few behavioral parameters whose values change when such attacks are launched. We also identify the relationship between these parameters by estimating the correlation between them. Using these parameters and their correlation, we describe a detection method. In this detection method, evaluation is done based on the number of messages sent to prolong the connection. A very high number of such messages is a direct indication of an attack. When the number of such messages are in a range below this threshold, such intervals are verified with other behavioral parameters for detecting attacks. This two stage detection method will make the evasion harder for an adversary. We evaluate the proposed method with experiments done in a testbed and a live web sever and show that it has good detection performance. © 2021, Springer Nature Switzerland AG.