Unveiling the Stealthy Threat: Low-Rate Denial of Service (LDoS) Attacks (2024)


Open access peer-reviewed chapter - Online First

Written By

Danial Yousef

Submitted: 15 September 2024 Reviewed: 19 September 2024 Published: 25 November 2024

DOI: 10.5772/intechopen.1007425


From the edited volume: Key Issues in Network Protocols and Security [Working Title], edited by Dr. Mamata Rath and Dr. Tusharkanta Samal


Abstract

This chapter discusses Low-Rate Denial of Service (LDoS) attacks, which differ from traditional Denial of Service (DoS) attacks by subtly exploiting the internet’s Transmission Control Protocol (TCP) to degrade network performance. LDoS attacks send small amounts of traffic at strategic times, making them hard to detect, especially if the timing is random. The chapter explains these attacks and their detection methods, from early frequency domain analysis to advanced machine learning and Software-Defined Networking (SDN) techniques. It aims to provide a comprehensive understanding of LDoS attacks, their mechanisms, and detection strategies, highlighting the ongoing efforts to combat this critical cybersecurity challenge.

Keywords

  • low-rate denial of service (LDoS)
  • non-periodic LDoS
  • network security
  • TCP congestion control
  • adaptive flow
  • cyberattack
  • degradation of quality (DoQ)
  • DoS
  • TCP

Author Information


  • Danial Yousef*

    • Tishreen University, Latakia, Syria

*Address all correspondence to: jo.danial.yousef@gmail.com

1. Introduction

In today’s interconnected digital ecosystem, networks support critical infrastructure in every sector, so their resilience is a requirement rather than a luxury. That same ubiquity attracts malicious actors, and Denial-of-Service (DoS) attacks remain one of the dominant threats. As countermeasures against conventional DoS attacks have matured, a more treacherous variant has emerged: the Low-Rate Denial of Service (LDoS) attack [1, 2, 3]. LDoS attacks target the Transmission Control Protocol (TCP) directly, manipulating its congestion control mechanisms to degrade quality of service while keeping the attack traffic at a low average rate. Unlike high-rate DoS attacks that flood the network, LDoS attacks send strategically timed, periodic bursts that exploit TCP’s congestion avoidance and retransmission timeout behaviour, so the average transmission rate stays low. This lets LDoS attacks evade detection, cause significant disruption with minimal resources, and affect a wide range of targets. By mimicking normal network fluctuations, they can slip past conventional intrusion detection systems, which poses a major challenge for network administrators and security professionals. Ensuring the integrity and availability of network services in an increasingly interconnected global infrastructure therefore requires a clear understanding of the mechanisms, variants, and mitigation strategies of LDoS attacks.


2. DoS vs. LDoS: A tale of two attacks

2.1 Traditional DoS attacks

Denial-of-Service (DoS) attacks, a long-standing threat in the cybersecurity landscape, operate on the principle of overwhelming a target system with a huge influx of traffic. This flood of data, which often comes from many compromised devices (a botnet), is intended to exhaust the target’s resources so that it can no longer respond to legitimate requests [4].

Imagine a popular e-commerce website suddenly flooded with millions of access requests during a major sales event. The server, unable to process the large volume, crashes, making the website inaccessible to real customers. This scenario illustrates the disruptive force of a DoS attack. The impact is immediate and clear, often resulting in complete service interruption and significant financial losses.

Key characteristics of traditional DoS attacks include:

  • High volume of traffic

  • Continuous and sustained attack pattern

  • Easily detectable due to sudden, massive spikes in network activity

  • Often requires substantial resources (e.g., large botnets) to execute effectively

2.2 LDoS attacks: A stealthier approach

LDoS attacks take a fundamentally different approach. Instead of brute force, they use a stealthier strategy aimed at the mechanisms that TCP relies on for smooth and efficient data flow. Instead of a continuous torrent of traffic, LDoS attacks send short, high-intensity bursts carefully timed to exploit weaknesses in TCP’s adaptive flow management mechanisms.

Each burst causes enough packet loss that the victim’s TCP sender falls back to a retransmission timeout and restarts from slow start, effectively throttling the target’s throughput. The effectiveness of this approach lies in its subtlety: the attack traffic often resembles legitimate network congestion [1, 5], making it extremely difficult to detect and mitigate.

Key features of LDoS attacks include:

  • Low overall traffic volume

  • Intermittent, precisely timed traffic bursts

  • Exploitation of TCP’s congestion control mechanisms

  • Gradual degradation of service quality rather than immediate outage

  • Difficult to distinguish from normal network fluctuations

As detection and mitigation techniques for traditional DoS attacks have improved, attackers have shifted their focus to these subtler, low-rate attacks that mimic legitimate user traffic [3]. This evolution in attack strategy highlights the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors.

Figure 1 below illustrates the time model of a general LDoS attack, showcasing the key parameters: R (burst rate), L (burst length), and T (total attack period).

[Figure 1. Time model of a general LDoS attack: bursts of rate R and length L repeated with period T.]

Understanding the distinctions between DoS and LDoS attacks is crucial for developing effective defense strategies. While traditional DoS mitigation techniques focus on handling high volumes of traffic, defending against LDoS attacks requires a more nuanced approach that can detect and respond to subtle manipulations of network protocols.

The key differences between DoS and LDoS attacks are summarized in Table 1:

Feature          DoS attack           LDoS attack
Traffic volume   High                 Low
Traffic pattern  Continuous           Intermittent bursts
Target           System resources     TCP flow management mechanisms
Detection        Relatively easy      Difficult
Impact           Instant disruption   Gradual degradation

Table 1. Comparison of DoS and LDoS.

While a traditional DoS attack is akin to unleashing a tidal wave of traffic to overwhelm the target, an LDoS attack operates with the precision of a skilled sniper, carefully timing its shots to exploit weaknesses in network protocols [5].

The evolution from high-volume, easily detectable DoS attacks to stealthy, low-rate LDoS attacks highlights the constant adaptation of cyber threats. As security measures improve to counter known attack vectors, malicious actors refine their techniques, seeking new vulnerabilities to exploit. The rise of LDoS emphasizes the need for a deeper understanding of network protocols and the development of more sophisticated detection and mitigation strategies.


3. TCP’s adaptive flow management: A power turned weakness

The Transmission Control Protocol (TCP) is the backbone of reliable data transfer across the Internet. Adaptive flow management mechanisms, in particular congestion control and retransmission timeouts, are designed to optimize data flow and ensure fair allocation of resources in dynamic network environments [7]. These mechanisms rely on a sophisticated feedback loop, allowing TCP senders to adjust their transmission rates based on network conditions and recipient feedback.

3.1 Congestion control: Slow start and congestion avoidance

3.1.1 Slow start

The Slow Start phase begins a connection with a small congestion window (CWND) and increases it exponentially, roughly doubling it every round-trip time. This rapid growth continues until the slow start threshold (ssthresh) is reached or packet loss is detected [8].

3.1.2 Congestion avoidance

Once CWND reaches the slow start threshold, TCP enters the Congestion Avoidance phase. Here the CWND grows linearly, adding approximately one segment per round-trip time (RTT). This cautious approach probes for additional available bandwidth while avoiding congestion. Growth in this phase is much slower than in Slow Start, giving more stable network utilization [9].

Figure 2 plots congestion window size (CWND) progression and RTT versus time for TCP Reno (one of the TCP congestion control techniques).

[Figure 2. Congestion window size (CWND) and RTT versus time for TCP Reno.]

3.2 Retransmission timeouts (RTO)

To ensure reliable data delivery, TCP employs a retransmission mechanism based on acknowledgments (ACKs) from the receiver. If an ACK is not received within a specific timeframe (the RTO), the sender assumes packet loss and retransmits the data. The RTO is dynamically adjusted based on observed network conditions, balancing timely retransmissions with network stability.

This adaptive RTO mechanism ensures that TCP can respond appropriately to varying network conditions [11], but it also introduces a vulnerability that LDoS attacks can exploit.

LDoS attacks manipulate TCP’s congestion control algorithms by injecting carefully timed, short-lived traffic bursts. These bursts create a false perception of network congestion, triggering TCP’s defensive mechanisms unnecessarily.

The key vulnerabilities include:

  • Slow start manipulation: By causing packet loss just as the sender begins to ramp up its window, attackers repeatedly force TCP back to a congestion window of one segment, so the flow never leaves the slow start phase.

  • RTO exploitation: Bursts timed to coincide with each retransmission attempt cause the retransmission to be lost as well, so the RTO backs off exponentially (doubling on every consecutive timeout [11]) and the sender stays idle for longer and longer.

  • Congestion window reduction: Induced packet losses cause TCP to shrink its congestion window, limiting throughput even when the network is not genuinely congested.

3.2.1 Consequences of LDoS exploitation

The exploitation of these TCP mechanisms can lead to:

  • Significant reduction in transmission rate

  • Premature and frequent entry into the Slow Start phase

  • Increased RTO, delaying subsequent transmissions

  • Drastically degraded throughput

  • Reduced overall system performance

  • Impaired service quality for legitimate users

TCP’s performance can be quantified using Eq. (1):

$\text{Throughput} = \frac{\text{CWND} \cdot \text{MSS}}{\text{RTT}}$ (1)

where CWND is the congestion window size, MSS is the Maximum Segment Size, and RTT is the round-trip time.

This equation illustrates how LDoS attacks, by manipulating CWND and RTT, can significantly impact TCP throughput without generating high-volume traffic.
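As an added illustration (not code from the chapter), the following Python model walks one TCP flow through the mechanisms above: per round-trip it delivers CWND segments (Eq. (1)), doubles CWND in slow start and adds one segment in congestion avoidance, and treats any round that overlaps an attack burst as a lost window that is recovered only by a retransmission timeout with exponential backoff. The constants (RTT, minimum and maximum RTO, MSS, window cap) and the burst parameters are assumed values, and the loss model is deliberately simple: a burst is assumed to fill the bottleneck queue for its whole length.

```python
"""Toy model of one TCP flow under a periodic low-rate (LDoS / "shrew") burst.

Added example, not the chapter's code. Time is discretised in one-RTT rounds;
a burst that overlaps a round is assumed to fill the bottleneck queue and drop
the whole window, which the sender only discovers when its RTO fires.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MSS = 1460           # bytes per segment (assumed)
RTT_MS = 100         # round-trip time of the victim flow (assumed)
MIN_RTO_MS = 1000    # RFC 6298 lower bound on the retransmission timer
MAX_RTO_MS = 60000   # RFC 6298 upper bound
CWND_MAX = 64        # bottleneck bandwidth-delay product in segments (assumed)


@dataclass(frozen=True)
class Burst:
    """Periodic LDoS pulse train in the notation of Figure 1: rate R, length L, period T."""
    rate_mbps: float   # R
    length_ms: int     # L
    period_ms: int     # T

    def active(self, t_ms: int) -> bool:
        return t_ms % self.period_ms < self.length_ms

    def average_rate_mbps(self) -> float:
        # The attacker's mean rate is only R * L / T; a volume-based detector sees this.
        return self.rate_mbps * self.length_ms / self.period_ms


def simulate(burst: Optional[Burst], duration_ms: int = 20000) -> Tuple[float, int, int]:
    """Return (throughput_mbps, delivered_segments, timeouts) for one flow."""
    cwnd, ssthresh, rto = 1, CWND_MAX, MIN_RTO_MS
    delivered = timeouts = 0
    t = 0
    while t < duration_ms:
        if burst is not None and burst.active(t):
            # Whole window lost: nothing is ACKed, so the sender idles until the
            # RTO fires, retransmits with cwnd = 1 (back to slow start) and
            # doubles the timer (exponential backoff, RFC 6298 section 5.5).
            timeouts += 1
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
            t += rto
            rto = min(rto * 2, MAX_RTO_MS)
            continue
        delivered += cwnd                   # Eq. (1): cwnd * MSS bytes per RTT
        rto = MIN_RTO_MS                    # fresh RTT sample, timer recomputed
        if cwnd < ssthresh:
            cwnd = min(cwnd * 2, CWND_MAX)  # slow start: doubles per RTT
        else:
            cwnd = min(cwnd + 1, CWND_MAX)  # congestion avoidance: +1 per RTT
        t += RTT_MS
    throughput_mbps = delivered * MSS * 8 / (duration_ms / 1000) / 1e6
    return throughput_mbps, delivered, timeouts


if __name__ == "__main__":
    cases = [("no attack", None),
             ("T = minRTO (synchronised)", Burst(100.0, 150, MIN_RTO_MS)),
             ("T = 1.7 s (mistimed)", Burst(100.0, 150, 1700))]
    for label, b in cases:
        thr, segs, tos = simulate(b)
        avg = b.average_rate_mbps() if b else 0.0
        print(f"{label:26s} attacker avg {avg:5.1f} Mb/s  victim {thr:5.2f} Mb/s  "
              f"segments {segs:6d}  timeouts {tos}")
```

Running it shows the synchronisation effect the chapter describes: with T equal to the sender’s minimum RTO every retransmission lands inside the next burst, the victim delivers nothing for the whole run, and the attacker’s average rate is only R·L/T = 15 Mb/s; with T = 1.7 s the same bursts still cost timeouts but the flow recovers between them; without the attack the flow reaches the window cap after seven round-trips.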

3.3 Analogy: The café conversation: Understanding LDoS attacks

Imagine Alice and Bob having a discussion at a café. As they converse, an unidentified person at a nearby table periodically interjects with brief comments or sudden sound, then quickly returns to their own activities. These interruptions are precisely timed and short-lived, making it challenging to pinpoint their source.

Alice and Bob pause their conversation each time to address these interruptions. They repeat themselves, wait for the noise to subside, or struggle to recall their last point. However, the interruptions are so well-timed and intermittent that they cannot identify the source.

In this analogy, the interfering person is like the LDoS attacker, and Alice and Bob’s reactions are like TCP’s congestion control algorithms. Their conversation never flows smoothly because they are always reacting to the fake interruptions, but it is challenging to pinpoint who is causing the disruptions!

Consequently, while TCP’s adaptive flow management mechanisms are crucial for maintaining network stability and efficiency, they also introduce weaknesses that sophisticated LDoS attacks can exploit [10, 12]. Ongoing research in this area focuses on developing more robust congestion control algorithms and improved detection methods for LDoS attacks, aiming to enhance TCP’s resilience in the face of evolving network threats.


4. Hallmarks of an LDoS attack

While the distinction between DoS and LDoS attacks seems clear, identifying an attack as LDoS specifically requires careful consideration. Several key factors help classify an attack as LDoS.

First, the volume of attack traffic is far lower than what would be needed to saturate the target’s bandwidth; on average it amounts to only about 10–20% of normal network traffic [5, 13]. This low volume is designed to evade traditional DoS detection systems that look for high traffic spikes.

Secondly, the traffic pattern of an LDoS attack consists of short, high-intensity bursts at calculated intervals, resembling the bursts produced by legitimate UDP-based applications. Attackers frequently use UDP for the bursts because it is connectionless and makes bursty traffic easy to generate. The bursts are timed to exploit TCP’s congestion control mechanisms or retransmission timeouts, and on a rate-versus-time plot they appear as a train of square pulses. Importantly, the burst length (L) should be between 1/6 and 1/5 [5, 13] of the attack period (T).

Finally, the primary target of LDoS attacks is TCP’s flow management mechanisms. The goal is to cut throughput without causing a complete outage, producing a degradation of quality (DoQ) for legitimate users rather than an outright denial of service. Recognizing these characteristics is crucial for accurately classifying an attack as LDoS and implementing appropriate countermeasures.


5. Non-periodic LDoS: Adding randomness to the attack

Traditional LDoS attacks often follow a predictable pattern with regular intervals between attack bursts. This predictability makes them somewhat easier to detect and potentially mitigate. However, attackers are constantly evolving their techniques, and non-periodic LDoS attacks have emerged as a more sophisticated and elusive threat [6].

Non-periodic LDoS attacks break the regularity of traditional attacks by introducing randomness into the attack parameters. Instead of fixed values, the attacker draws the burst length (L), the attack period (T, the interval from the start of one burst to the start of the next), and the burst rate (R) at random for each burst. This randomness makes the attack considerably harder to detect and mitigate, because the timing of the next burst can no longer be predicted.

These attacks are modeled with the three parameters R, L, and T. While traditional LDoS attacks use fixed values for these parameters, non-periodic LDoS attacks introduce variability by employing random values for R, L, and T. However, this randomness is not entirely arbitrary; it is calculated to remain within the boundaries of the LDoS criteria.

Attackers carefully adjust the ranges of these random values so that the attack still keeps a low traffic volume, targets TCP’s mechanisms effectively, and causes a noticeable DoQ without triggering detection. As attackers aim for “the ideal attack”, maximum impact at minimal cost, LDoS attacks have become increasingly sophisticated and hard to detect because of their low rate and variable timing. Calculated randomness further enhances their stealth, making them even harder to detect and mitigate.


6. Detecting LDoS attacks: A historical perspective and emerging techniques

The struggle against LDoS attacks has evolved over time and reflects the constant arms race between attackers and defenders. Early detection methods relied on traditional network monitoring and analysis; the emergence of more advanced LDoS techniques has driven the need for more sophisticated and adaptive solutions. This section traces the evolution of LDoS detection methods, their strengths and limitations, and then looks at the possibilities offered by emerging technologies such as SDN and machine learning.

The following are some of the detection methods that researchers have proposed:

6.1 Frequency domain analysis (Spectral signatures)

Frequency domain analysis uses Fourier transforms to identify periodic patterns in network traffic that may indicate a traditional LDoS attack [14]. A pulse train with a fixed period T concentrates its energy at the frequency 1/T and its harmonics, so analyzing the frequency spectrum of the traffic can reveal recurring bursts of attack traffic even when the average volume is low. Because the method depends on a fixed period, however, its signature fades when the attacker randomizes T, as in the non-periodic attacks of Section 5.
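The pulse-train model of Figure 1 and Sections 4 and 5, together with the spectral check described here, as an added Python example (not the chapter’s or the cited papers’ code): it builds a periodic schedule with fixed R, L, T and a non-periodic one with per-burst random draws kept inside the L/T band of Section 4, bins both into a rate time series, and computes the power spectrum with a plain DFT. The periodicity test reports the dominant frequency and the share of AC power held by that single bin. Bin width, background load, the noise term, the parameter ranges, the RNG seeds and the 0.3 share threshold are assumptions chosen for the example.

```python
"""Pulse-train model of periodic and non-periodic LDoS traffic plus a
spectral (DFT) periodicity check.

Added example, not the chapter's code. Generator bounds follow the chapter's
hallmarks (L/T between 1/6 and 1/5); everything else is an assumed value.
"""
import cmath
import math
import random
from typing import List, Tuple

BIN_MS = 20              # sampling interval of the rate time series (assumed)
BACKGROUND_MBPS = 40.0   # constant legitimate load; small noise is added (constructed)

Schedule = List[Tuple[float, float, float]]   # (start_ms, end_ms, rate_mbps)


def periodic_schedule(rate: float, length_ms: int, period_ms: int, duration_ms: int) -> Schedule:
    """Fixed R, L, T as in Figure 1; rejects parameters outside the LDoS band."""
    assert 1 / 6 <= length_ms / period_ms <= 1 / 5, "L/T outside the LDoS band"
    return [(s, s + length_ms, rate) for s in range(0, duration_ms, period_ms)]


def non_periodic_schedule(duration_ms: int, seed: int,
                          period_range=(800, 1300), rate_range=(80.0, 120.0)) -> Schedule:
    """Random R, L, T per burst (Section 5); each draw keeps L/T inside [1/6, 1/5]."""
    rng = random.Random(seed)
    sched, t = [], 0
    while t < duration_ms:
        period = rng.randint(*period_range)                 # T for this burst
        length = period * rng.uniform(1 / 6, 1 / 5)         # L tied to T, so L/T stays in band
        sched.append((t, t + length, rng.uniform(*rate_range)))
        t += period
    return sched


def mean_attack_rate(sched: Schedule, duration_ms: int) -> float:
    """Average rate over the whole run: sum of R*L divided by the duration."""
    return sum((e - s) * r for s, e, r in sched) / duration_ms


def rate_series(sched: Schedule, duration_ms: int, seed: int = 7) -> List[float]:
    """Aggregate link rate per bin: background plus noise plus any burst covering the bin."""
    rng = random.Random(seed)
    series = []
    for b in range(0, duration_ms, BIN_MS):
        mid = b + BIN_MS // 2
        burst = sum(r for s, e, r in sched if s <= mid < e)
        series.append(BACKGROUND_MBPS + rng.gauss(0.0, 2.0) + burst)
    return series


def power_spectrum(x: List[float]) -> List[float]:
    """|DFT|^2 of the mean-removed series for bins 0..N/2 (plain O(N^2), no numpy)."""
    n = len(x)
    mu = sum(x) / n
    y = [v - mu for v in x]
    w = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]      # twiddle table
    return [abs(sum(y[t] * w[(k * t) % n] for t in range(n))) ** 2
            for k in range(n // 2 + 1)]


def spectral_check(series: List[float], min_fraction: float = 0.3) -> Tuple[bool, float, float]:
    """Return (flagged, peak_hz, fraction): strongest AC bin and its share of AC power."""
    p = power_spectrum(series)
    ac = p[1:]                                   # drop DC (already ~0 after mean removal)
    k = max(range(len(ac)), key=ac.__getitem__) + 1
    fraction = p[k] / sum(ac)
    peak_hz = k / (len(series) * BIN_MS / 1000)  # bin index over the window length in seconds
    return fraction >= min_fraction, peak_hz, fraction


if __name__ == "__main__":
    D = 16000
    for name, sched in [("periodic", periodic_schedule(100.0, 180, 1000, D)),
                        ("non-periodic", non_periodic_schedule(D, seed=1))]:
        flagged, hz, frac = spectral_check(rate_series(sched, D))
        print(f"{name:13s} bursts={len(sched):2d} mean={mean_attack_rate(sched, D):5.1f} Mb/s "
              f"peak={hz:.3f} Hz share={frac:.2f} flagged={flagged}")
```

For the periodic schedule the peak sits at 1/T = 1 Hz and carries close to 40% of the AC power, which is the spectral line that frequency-domain detectors look for; the non-periodic schedule spreads the same energy across many bins, so its largest bin holds a much smaller share and the fixed-period test loses its grip. The O(N²) DFT is fine for a few hundred bins; a production monitor would use an FFT over a sliding window.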

6.2 Machine learning (ML) and deep learning (DL) (Intelligent detection)

Machine learning (ML) and deep learning (DL) offered a significant leap forward in LDoS detection. These techniques leverage algorithms that can learn from data to identify complex patterns and anomalies in network traffic.

6.2.1 Supervised learning

Supervised learning algorithms require labeled datasets, where each data point is tagged with whether it represents an LDoS attack or legitimate traffic. These algorithms are trained on this labeled data to develop models that can classify new traffic as LDoS or not [3, 13]. While supervised learning offers promising results, its effectiveness depends heavily on the quality and representativeness of the training dataset. Obtaining sufficient labeled data can be challenging, especially for rare or novel LDoS attack types.

6.2.2 Unsupervised learning

Unsupervised learning techniques, on the other hand, do not require labeled datasets. Instead, they focus on identifying unusual patterns or outliers in the network traffic data [15]. These algorithms can be particularly effective in detecting unknown LDoS attacks that have not been previously encountered. However, unsupervised learning requires careful configuration and tuning to avoid false positives and ensure that the identified anomalies are truly indicative of malicious activity.

6.3 SDN-specific defenses (A new frontier)

Software-Defined Networking (SDN) emerged as a revolutionary approach to network management, offering a centralized control plane for managing network resources and security policies. SDN’s centralized architecture and global network visibility provide significant advantages for detecting and mitigating LDoS attacks [16].

  • Centralized visibility: SDN’s centralized controller provides a comprehensive view of network traffic across the entire network, enabling it to detect and analyze LDoS attacks more effectively. The centralized nature of SDN allows for real-time monitoring of traffic patterns and the identification of anomalies that may be missed by traditional distributed network management systems.

  • Adaptive security policies: SDN lets security policies adapt to changing network conditions as LDoS attacks are detected. Because the controller programs the forwarding rules, those rules can be rewritten on the fly to counter an emerging LDoS threat, for example by redirecting, rate-limiting, or dropping the flows that carry the bursts, which enhances the resilience of the network.

The evolution of LDoS attacks demands a continuous adaptation of detection strategies. While traditional methods have proven useful, the emergence of non-periodic attacks and the complexity of modern network environments necessitate the adoption of more sophisticated techniques. SDN, with its centralized control and dynamic capabilities, offers a promising platform for combating LDoS attacks effectively. By leveraging machine learning, advanced analytics, and adaptive security policies, SDN can provide a robust and resilient defense against this stealthy threat, safeguarding the integrity and availability of critical network infrastructure, and research in this field continues to evolve.


7. Conclusion

Low-rate denial of service (LDoS) attacks pose a significant challenge in cybersecurity, exploiting TCP’s congestion control mechanisms while evading traditional detection methods. These attacks, particularly non-periodic variants, maintain low average transmission rates, rendering conventional volume-based detection ineffective. Our analysis underscores the need for advanced, adaptive defense strategies. Emerging technologies such as software-defined networking (SDN) and machine learning (ML) offer promising solutions. SDN’s centralized control and global network visibility, combined with ML’s pattern recognition capabilities, present a potent approach for combating LDoS threats. However, the dynamic nature of cyber threats necessitates ongoing innovation. Future research should focus on developing resilient TCP implementations, enhancing ML models for improved detection of non-periodic attacks, and exploring quantum computing applications in network security. Additionally, investigating the implications of emerging network paradigms like 5G is crucial. An interdisciplinary approach, integrating expertise in network protocols, statistical analysis, and adaptive security policies, is essential for ensuring the resilience of our digital infrastructure against these evolving threats.

References

  1. Rios VD, Inácio PR, Magoni D, Freire MM. Detection and mitigation of low-rate denial-of-service attacks: A survey. IEEE Access. 2022;10:76648-76668. DOI: 10.1109/ACCESS.2022.3191430
  2. Kuzmanovic A, Knightly EW. Low-rate TCP-targeted denial of service attacks: The shrew vs. the mice and elephants. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. 2003. pp. 75-86. DOI: 10.1145/863955.863966
  3. Zhan S, Tang D, Man J, Dai R, Wang X. Low-rate DoS attacks detection based on MAF-ADM. Sensors. 2019;20(1):189. DOI: 10.3390/s20010189
  4. Kumari K, Mrunalini M. Detecting denial of service attacks using machine learning algorithms. Journal of Big Data. 2022;9(1):56. DOI: 10.1186/s40537-022-00616-0
  5. Zhijun W, Wenjing L, Liang L, Meng Y. Low-rate DoS attacks, detection, defense, and challenges: A survey. IEEE Access. 2020;8:43920-43943. DOI: 10.1109/ACCESS.2020.2976609
  6. Yousef D, Maala B, Skvortsova M, Pokamestov P. Detection of non-periodic low-rate denial of service attacks in software defined networks using machine learning. International Journal of Information Technology (Springer). 2024;16(4):2161-2175. DOI: 10.1007/s41870-023-01634-8. Available from: https://link.springer.com/article/10.1007/s41870-023-01634-8
  7. Afanasyev A, Tilley N, Reiher P, Kleinrock L. Host-to-host congestion control for TCP. IEEE Communications Surveys and Tutorials. 2010;12(3):304-342. DOI: 10.1109/SURV.2010.042710.00114
  8. Sarolahti P, Kuznetsov A. Congestion control in Linux TCP. In: USENIX Annual Technical Conference, FREENIX Track. 2002. pp. 49-62
  9. Ha S, Rhee I, Xu L. CUBIC: A new TCP-friendly high-speed TCP variant. ACM SIGOPS Operating Systems Review. 2008;42(5):64-74. DOI: 10.1145/1400097.1400105
  10. Al-Saadi R, Armitage G, But J, Branch P. A survey of delay-based and hybrid TCP congestion control algorithms. IEEE Communications Surveys and Tutorials. 2019;21(4):3609-3638. DOI: 10.1109/COMST.2019.2904994. Available from: https://ieeexplore.ieee.org/abstract/document/8668433
  11. Paxson V, Allman M, Chu J, Sargent M. Computing TCP's Retransmission Timer. RFC 6298; 2011. DOI: 10.17487/RFC6298
  12. Tang D, Chen J, Wang X, Zhang S, Yan Y. A new detection method for LDoS attacks based on data mining. Future Generation Computer Systems. 2022;128:73-87. DOI: 10.1016/j.future.2021.09.039
  13. Tang D, Tang L, Dai R, Chen J, Li X, Rodrigues JJ. MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost. Future Generation Computer Systems. 2020;106:347-359. DOI: 10.1016/j.future.2019.12.034
  14. Brynielsson J, Sharma R. Detectability of low-rate HTTP server DoS attacks using spectral analysis. In: Proceedings of the 2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. 2015. pp. 954-961. DOI: 10.1145/2808797.2808810
  15. Tang D, Dai R, Tang L, Li X. Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis. Human-Centric Computing and Information Sciences. 2020;10(1):6. DOI: 10.1186/s13673-020-0210-9
  16. Xie R, Xu M, Cao J, Li Q. SoftGuard: Defend against the low-rate TCP attack in SDN. In: Proceedings of the 2019 IEEE International Conference on Communications (ICC). Piscataway, NJ, USA: IEEE; 2019. pp. 1-6. DOI: 10.1109/ICC.2019.8761806. Available from: https://ieeexplore.ieee.org/abstract/document/8761806


© The Author(s). Licensee IntechOpen. This content is distributed under the terms of the Creative Commons 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
