Slowly going down: A Machine Intelligence Approach to Low Volume DDOS attacks

Melissa Kilby & Patrick Dwyer


You’re running an Apache web server and server performance begins to degrade. The client requests are legitimate, not malformed - is it a routine surge of benign low bandwidth users, or a test run of a low and slow attack that could rapidly ramp up and severely impact your actual clients?

What is a meaningful attack against your Apache server if your clients are not obviously and heavily impacted? Rather than focusing on detection alone, we seek to explore Machine Learning (ML) methods to determine when an attack is actually impactful and detrimental to operations.

DDOS attacks are a simplistic but highly effective attack vector against servers. Despite their frequency and the level of knowledge about various types of DDOS attacks, there is currently no effective detection or mitigation against low-volume, low-bandwidth attacks.New variations such as the pulse wave attack, beyond existing known types such as sockstress, killapache, blacknurse, or shrew complicate mitigation efforts. Targeting the application layer by saturating the connection pool with many slow and partial HTTP requests, user experience is silently impacted. Our testbed simulates normal client behavior, and various forms of attack from goloris (slowloris), apache kill, and sockstress attacks that impact user experience. A network of sensors at the OS state, user impact, network traffic, and application function call levels generate a disparate set of data as the basis for our multi-layered ML modeling approach. The various layers of the behavioral model combine supervised ML, time series analysis, and signal processing techniques in a cascade. Initial binary classifications determine whether the application as a whole is under attack, and locates malicious processes. Subsequent model layers separate connections that originate from illegitimate clients and refine determination of the type of attack.


Disclaimer: This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.Distribution Statement A: Approved for Public Release, Distribution Unlimited