The recent escalation of application-layer denial of service (DoS) attacks has attracted significant interest from the security research community. Since application-layer DoS attacks usually do not manifest themselves at the network level, they avoid traditional network-layer-based detection. Therefore, the security community has focused on specialised detection and mitigation mechanisms for application-layer DoS attacks. However, the deployment of reliable and efficient defence mechanisms against these attacks requires a comprehensive understanding of the existing application-layer DoS attacks, supported by a unified terminology. Thus, in this paper we address this issue and devise a taxonomy of application-layer DoS attacks. By devising the proposed taxonomy, we intend to give researchers a better understanding of these attacks and provide a foundation for organising research efforts within this specific field.
The frequency and power of denial-of-service (DoS) attacks have marked the first quarter of 2013 as the worst quarter for DoS attacks in history (Prolexic, 2013). Leveraging botnets and high-speed network technologies, modern DoS attacks exceed the scale of 100 Gbps, becoming a major threat on the internet (Prolexic, 2013). Being one of the oldest types of attacks, DoS attacks are known for their disruptiveness and ability to deplete the computing resources and/or bandwidth of their victims in a matter of minutes. Although trivial to execute, they are easily detectable, mostly due to their dynamic and voluminous attack rates. As a result, recent years have seen a growing trend towards more sophisticated application-layer DoS attacks.
As opposed to traditional DoS attacks, application-layer DoS attacks are perceived as stealthy, sophisticated and undetectable at the network layer (Xie and Yu, 2009). Focusing on specific characteristics and vulnerabilities of application-layer protocols, application-layer DoS attacks are capable of inflicting the same level of impact as traditional flooding DoS attacks at a much lower cost.
With the latest escalation of application-layer DoS attacks, the research community has focused its attention on defence and mitigation techniques for this type of attack. Since effective defences require a comprehensive understanding of the existing application-layer DoS attacks, several existing studies in the field have attempted to provide some classification of these attacks.
5 Conclusions and future work
This paper presents a taxonomy of the existing application-layer DoS attacks accompanied by representative examples, derived from both industry and academia, in order to provide a foundation for organising research efforts in the field of application-layer DoS attacks. The incentive behind this effort has been the necessity for a comprehensive understanding of the existing application-layer DoS attacks, supported by a unified terminology, that will enable the advanced deployment of reliable and efficient defence mechanisms against these attacks. This is essential because the detection and mitigation of these attacks remain challenging issues. They are stealthier and more sophisticated than network-layer DoS attacks and therefore fly under the radar of traditional network-layer-based intrusion detection systems.
Furthermore, by devising the proposed taxonomy, a number of key features of application-layer DoS attacks are defined to characterise the variability of these attacks. The defined features describe the general steps of an attack (i.e., reconnaissance and execution), the attack characteristics and the attack effect on the targeted system. These features comprise a roadmap for researchers to navigate through the diversity of application-layer DoS attacks and thus form a foundation of the proposed taxonomy.
As future work, we plan to define a set of proper metrics for the extracted features. The defined metrics will be essential for evaluating potential defence mechanisms against known application-layer DoS attacks. Moreover, the defined metrics can be used as parameters in the study of attacks that have not yet appeared but can be potential threats in the future. Finally, the set of defined metrics can be used in the design and deployment of defence mechanisms against new application-layer DoS attacks.