Leader: Defense Against Exploit-Based Denial-of-Service Attacks on Web Applications

Exploit-based denial-of-service attacks (exDoS) are challenging to detect and mitigate. Rather than flooding the network with excessive traffic, these attacks generate low rates of application requests that exploit some vulnerability and tie up a scarce key resource. It is impractical to design defenses for each variant of exDoS attacks separately. This approach does not scale, since new vulnerabilities can be discovered in existing applications, and new applications can be deployed with yet unknown vulnerabilities. We propose Leader, an attack-agnostic defense against exDoS attacks. Leader monitors fine-grained resource usage per application on the host it protects, and per each external request to that application. Over time, Leader learns the time-based patterns of legitimate user’s usage of resources for each application and models them using elliptic envelope. During attacks, Leader uses these models to identify application clients that use resources in an abnormal manner, and blocks them. We implement and evaluate Leader for Web application’s protection against exDoS attacks. Our results show that Leader correctly identifies around 99% of attack IPs, and around 99% of legitimate IPs across six different exDoS attacks used in our evaluation. On the average, Leader can identify and block an attacker after six requests. Leader has a small run time cost, adding less than 0.5% to page loading time.