Researchers' Goal: Mitigate DDoS Attacks Within 10 Seconds


Georgia Tech Developing Process for Fighting Low-Volume Attacks

The distributed denial-of-service attacks that grab headlines often employ botnets that flood targeted servers with an overwhelming number of packets, depleting system resources and rendering a website inaccessible.


But low-volume DDoS attacks, which are far more common and often go unnoticed, can often be just as disruptive. These attacks use less bandwidth, are often shorter in duration and may be designed to distract a security team from the aftershocks of follow-on attacks. Sometimes low-level DDoS attacks are launched through a single computer - not requiring a botnet - and are imperceptible.

Help in battling these low-volume attacks may be on the way. The U.S. military's Defense Advanced Research Projects Agency, as part of its Extreme DDoS Defense program, has awarded researchers at Georgia Institute of Technology's College of Computing a $2.9 million grant to develop a process to identify and defend against these attacks.

DDoS Attacks Unnoticed

Organizations targeted by low-volume DDoS attacks often "aren't even aware that their sites are being attacked, because the attacks can be perceived as only annoying 'noise' in the IT background," Dave Larson, chief operating officer at Corero, a provider of DDoS protection solutions, writes in a blog. "The attacks are not large enough to get the attention of IT security staff."

A low-level DDoS attack "drags down a network's speed, and in a carrier network they can be supersaturating to a small customer downstream," Larson explains. "More importantly, low-level DDoS attacks often serve as a smokescreen for a more damaging attack."

Trent Brunson, Georgia Tech Research Institute research scientist, explains the workings of a common type of low-level DDoS attack, known as 'Slowloris.'

A survey by the information security research firm Neustar published earlier this year found that 54 percent of DDoS attacks were relatively small, at less than 5 Gbps, yet 43 percent of all DDoS attacks leave behind malware.

Resolving a 25-Year-Old Problem

The goal of Georgia Tech researchers is to create a precise and timely detection method that identifies low-volume DDoS attacks by how they subtly change the resource consumption of a computer.

"This has been a 25-year problem with no practical solution," says Georgia Tech Assistant Professor Taesoo Kim, lead principal investigator for the study.

The researchers say they believe they can devise a method to mitigate the threat, with little to no degradation of system performance, and write a new signature for it inside the hardware within 10 seconds so a network interface card would recognize it again. "This effectively puts an anti-virus patch into your hardware in real time," Kim says.

Researchers involved in Georgia Tech's ROKI project say they initially will establish a baseline of resource consumption. Next, they'll develop continuous analysis algorithms to compare a packet's effect on system performance against historical consumption under similar scenarios. Then, they hope to demonstrate a new path-reconstruction engine that will produce a sequence of instructions to nullify an attack and encode the finding into the network interface card to stop current and future attack traffic.
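The first two ROKI steps described above, establishing a resource-consumption baseline and then flagging traffic whose effect on the host deviates from it, can be illustrated with a small baseline-deviation detector. The following is an added example written for this article; it is not code from the Georgia Tech project, and the metric names, the per-second sampling window, the z-score threshold and the sample data are all assumptions chosen to mimic a Slowloris-style attack (many connections held open with incomplete headers) whose request rate stays at normal levels.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Host-side resource metrics sampled once per interval. These field names are
# an assumption for the example, not metrics named by the ROKI researchers.
METRICS = ("open_conns", "partial_reqs", "req_rate")


@dataclass
class Sample:
    t: int             # interval index (seconds, assumed)
    open_conns: int    # TCP connections currently held open by the server
    partial_reqs: int  # connections whose HTTP headers are still incomplete
    req_rate: float    # completed requests per interval (the volumetric view)


def build_baseline(samples):
    """Per-metric (mean, population std dev) learned from a quiet window."""
    baseline = {}
    for field in METRICS:
        values = [getattr(s, field) for s in samples]
        baseline[field] = (mean(values), pstdev(values))
    return baseline


def z_score(value, mu, sigma):
    """Standard-score distance from the baseline; a constant metric that moves
    at all is treated as an infinite deviation rather than a division by zero."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def deviations(sample, baseline, z_thresh=3.0):
    """Return {metric: z} for every metric that rose more than z_thresh sigmas
    above its baseline. Only upward movement counts: fewer connections or
    fewer requests than usual is not a resource-exhaustion signal."""
    flagged = {}
    for field, (mu, sigma) in baseline.items():
        z = z_score(getattr(sample, field), mu, sigma)
        if z > z_thresh:
            flagged[field] = z
    return flagged


def detect(samples, baseline, z_thresh=3.0, min_consecutive=3):
    """Alert once a deviation has persisted for min_consecutive intervals,
    which damps single-interval spikes from ordinary bursts of legitimate use.
    Returns [(t, [deviating metrics...]), ...] for every alerting interval."""
    alerts, streak = [], 0
    for s in samples:
        flagged = deviations(s, baseline, z_thresh)
        if flagged:
            streak += 1
            if streak >= min_consecutive:
                alerts.append((s.t, sorted(flagged)))
        else:
            streak = 0
    return alerts


# Constructed sample data. The quiet window repeats a small cycle so the
# baseline is deterministic: mean 50 open connections, ~1 partial request,
# ~100 requests per interval.
BASELINE_WINDOW = [
    Sample(t, [45, 50, 55, 50][t % 4], [0, 1, 2, 1][t % 4], [95, 100, 105, 100][t % 4])
    for t in range(20)
]

# Constructed attack window: connections with unfinished headers pile up while
# the completed-request rate stays normal, so a rate-only detector sees nothing.
ATTACK_WINDOW = [
    Sample(20, 90, 15, 102.0),
    Sample(21, 150, 35, 98.0),
    Sample(22, 220, 60, 101.0),
    Sample(23, 300, 90, 99.0),
    Sample(24, 380, 120, 100.0),
    Sample(25, 450, 150, 103.0),
]


def run_demo():
    baseline = build_baseline(BASELINE_WINDOW)
    alerts = detect(ATTACK_WINDOW, baseline)
    for t, fields in alerts:
        print(f"t={t}: resource use deviates from baseline on {', '.join(fields)}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

Run against the constructed data, the quiet window produces no alerts, and the attack window alerts from the third deviating interval onward on open_conns and partial_reqs only; req_rate never crosses the threshold, which is the point Lee makes above: the defender does not need a signature for the attack, only a measurable departure from normal resource consumption. A production version would learn the baseline per time-of-day and per service, since "similar scenarios" in the article means comparing like with like rather than against a single global mean.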

Achieving Timeliness and Precision

Wenke Lee, co-director of Georgia Tech's Institute for Information Security and Privacy, says ROKI has the potential to achieve timeliness and precision in mitigating DDoS threats. "We don't need to know what an attack looks like, just that it deviates from the baseline," he says. "Existing defenses against low-volume DDoS attacks lack precision and they cannot create a response in a timely manner. This will."

Georgia Tech researchers say they intend to deliver a prototype to demonstrate their core idea by fall 2017. The project is expected to be completed in 2019, when field exercises to demonstrate methods to mitigate previously unknown DDoS attacks should occur.