An Accurate and Real-Time Detection Method for Concealed Slow HTTP DoS in Backbone Network

Slow HTTP DoS (SHD) is a type of DoS attack based on HTTP/HTTPS. SHD traffic at the application layer may be encrypted. Besides, the interval between packets can reach tens of seconds or more due to its slow sending rate. Therefore, SHD is concealed for detection. The methods for detecting high-speed DoS are not suitable for detecting the attack, making detection for SHD a challenging problem. Some existing SHD detection methods are complex and computationally intensive, making it hard to meet the demand for real-time in backbone networks. In addition, most of these methods are based on bidirectional traffic and do not consider the asymmetry of routing on the Internet. In this paper, based on the traffic characteristics of the most common types of SHD, we extract several representative features from unidirectional flows. These features can still work well under sampling and asymmetric routing scenarios. We also use Slow HTTP DoS Sketch to record the features quickly and accurately. In experiments that used public backbone datasets as background traffic, the results show that even with a large number of unidirectional flows and a sampling rate of 1/64, our method can still accurately detect SHD traffic within 2 min.