Conference: APAN 24th Asia-Pacific High-Speed Network Conference

The Effects of Filtering Malicious Traffic under DoS Attacks


Abstract

Denial-of-Service (DoS) attacks typically generate a huge amount of adverse traffic to a target server and make the server unavailable for services. Several works have put considerable effort into finding novel and effective techniques to detect and prevent such attacks. However, most studies were conducted using offline data or via simulation. Only a few studies address server survivability under DoS attacks and perform real experiments to measure the effectiveness of filtering such malicious traffic, since capturing and analyzing real attack traffic on the fly is an enormous task.

This paper proposes a model to measure the effectiveness of filtering malicious traffic while actual attacks are aimed at a target server. The model performs simple anomaly detection using the rate of input traffic, which is classified as normal, suspicious or malicious based on pre-defined threshold values. If the input traffic is regarded as suspicious or malicious, the model drops a substantial part of it to bring it down to an acceptable level, so that only a small amount of traffic is allowed to pass and reach the target server. As a result, the server survives the attacks.

We implemented the proposed model in Snort In-line, in which we modified the traffic analysis module to classify input traffic. We also added a new traffic control module for dropping malicious traffic. In the experiments, we generated real attacks on a web server with various attacking rates and filtering rates, and measured the timeout of the target server while a normal client periodically accessed the server. The timeout of the server indicates the server's survivability and in turn tells us the effectiveness of the filtering rates applied.

The experimental results show that if the filtering rate is higher, the server will have a longer timeout. In addition, if the attacking rate is higher, the server will crash faster, or have a shorter timeout. In conclusion, the proposed work shows the effectiveness of traffic filtering for the survivability of a target server.
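The rate-threshold classification and partial dropping described in the abstract can be sketched as follows. This is an added example, not code from the paper or from Snort In-line; the class name `RateFilter`, the thresholds and the filtering rates are all assumed values chosen for illustration.

```python
# Added illustration: thresholds and filtering rates are assumed values,
# not figures from the paper.
from dataclasses import dataclass

@dataclass
class RateFilter:
    suspicious_pps: int = 1000     # assumed: rate at which traffic is "suspicious"
    malicious_pps: int = 5000      # assumed: rate at which traffic is "malicious"
    suspicious_drop_pct: int = 50  # assumed filtering rate for suspicious traffic
    malicious_drop_pct: int = 90   # assumed filtering rate for malicious traffic

    def classify(self, pps: int) -> str:
        """Classify one window purely by its input rate (packets/second)."""
        if pps >= self.malicious_pps:
            return "malicious"
        if pps >= self.suspicious_pps:
            return "suspicious"
        return "normal"

    def drop_pct(self, pps: int) -> int:
        return {"normal": 0,
                "suspicious": self.suspicious_drop_pct,
                "malicious": self.malicious_drop_pct}[self.classify(pps)]

    def filter_window(self, packets: list) -> list:
        """Forward the packets of a one-second window, dropping drop_pct of them.

        An integer accumulator spreads the drops evenly over the window, so
        exactly floor(n * pct / 100) packets are dropped.
        """
        pct, acc, forwarded = self.drop_pct(len(packets)), 0, []
        for pkt in packets:
            acc += pct
            if acc >= 100:      # this packet falls in the dropped share
                acc -= 100
                continue
            forwarded.append(pkt)
        return forwarded

def simulate(rates, flt=None):
    """Return (rate, class, forwarded) per window for constructed input rates."""
    flt = flt or RateFilter()
    return [(r, flt.classify(r), len(flt.filter_window(list(range(r))))) for r in rates]

if __name__ == "__main__":
    # Constructed per-second input rates: quiet, ramp-up, flood, recovery.
    for row in simulate([200, 800, 1500, 6000, 12000, 900]):
        print(row)
```

Because the decision uses only the aggregate input rate, a legitimate client's packets arriving in a window classified as suspicious or malicious are dropped at the same rate as the attack traffic.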