Title :
CloudZombie: Launching and Detecting Slow-Read Distributed Denial of Service Attacks from the Cloud
Author :
Saeed Shafieian;Mohammad Zulkernine;Anwar Haque
Author_Institution :
Sch. of Comput., Queen's Univ., Kingston, ON, Canada
Abstract :
As the Cloud is becoming more ubiquitous and less expensive to utilize, a new class of denial of service attacks is emerging. These attacks employ the Cloud to launch denial of service attacks against a target outside the Cloud. Slow-read denial of service can be one of those attacks. It is a new type of application-layer denial of service attack that exploits vulnerabilities in the HTTP protocol in order to make services on a target machine inaccessible to legitimate users. This attack is difficult for conventional intrusion detection systems to detect, as it generates legitimate and complete packets in all networking layers and at a slow rate. The attack exhausts the target's resources, such as the Web server connection pool, and generally needs much less bandwidth than traditional volumetric attacks. The Cloud is an ideal platform from which to launch a slow-read attack, since virtual machines on the Cloud can be easily exploited as a botnet for the purpose of this attack. We show how this new phenomenon, CloudZombie, can happen by remotely launching slow-read attacks from the Cloud. We also present a new approach to detect slow-read attacks. Our method uses Random Forests to build classifiers with which incoming slow-read traffic can be detected at the destination. The high performance and low error rates of our approach indicate its efficiency in detecting the attack.
Keywords :
"Cloud computing","Computer crime","Web servers","Protocols","IP networks","Limiting"
Conference_Title :
Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on
DOI :
10.1109/CIT/IUCC/DASC/PICOM.2015.261