Skip to Main Content
Low rate DoS attacks are emerging threats to the TCP traffic, and the VoIP traffic in the Internet. They are hard to detect as they intelligently send attack traffic inside the network to evade current router based congestion control mechanisms. We propose a practical attack model in which botnets that can pose a serious threat to the Internet are considered. Under this model, an attacker can scatter bots across the Internet to launch the low rate DoS attack, thus essentially orchestrating the low rate DoS attack that uses random and continuous IP address spoofing, but with valid legitimate IP addresses. It is difficult to detect and mitigate such an attack. We propose a low rate DoS attack detection algorithm, which relies on the core characteristic of the low rate DoS attack in introducing high rate traffic for short periods, and then uses a proactive test based differentiation technique to filter the attack packets. The proactive test was originally proposed to defend DDoS attacks and low rate DoS attacks which tend to ignore the normal operation of network protocols, but it is tailored here to differentiate the legitimate traffic from the low rate DoS attack traffic instigated by botnets. It leverages on the conformity of legitimate flows, which obey the network protocols. It mainly differentiates legitimate connections by checking their responses to the proactive tests which include puzzles for distinguishing botnets from human users. We finally evaluate and demonstrate the performance of the proposed low rate DoS attack detection and mitigation algorithm on the real Internet traces.