Slowloris Attack Detection Using Adaptive Timeout-Based Approach

Distributed Denial of Service (DDoS) attacks have become a critical threat to the Web with the increase in web-based transactions and application services offered by the Internet. With the vast resources and techniques readily available to the attackers, countering them has become more challenging. They are usually carried out at the network layer. Unlike traditional network-layer attacks, application-layer DDoS attacks can be more effective. It utilizes legitimate HTTP requests to inundate victim resources that are undetectable. Many methods exist in the literature to protect systems from IP and TCP layer DDoS attacks that do not work when encountering application-layer DDoS attacks. Most network-layer DDoS attacks are flooding attacks, but application-layer DDoS attacks can be flooding or protocol-specific vulnerability attacks. Various protocol-specific vulnerability attacks cannot be detected by traditional detection methods as they are designed to detect flooding attacks. One such attack is the slowloris attack. It targets web servers by exploiting an HTTP protocol vulnerability. In this paper, we propose a slowloris attack detection based on an adaptive timeout-based approach that contains two modules: a suspect determination module and an attacker verification module. The determination module determines suspects and sends them to the verification module, which verifies a suspect as an attacker. We have designed a detection algorithm that detects an attacker's IP address before it consumes all the resources. The experimental results substantiate its efficacy with low false alarms and high detection accuracy.(c) 2024 ISC. All rights reserved.