Document Type : Research Article


1 Numaligarh Refinery Limited, Numaligarh, Assam, India

2 Department of Computer Science and Engineering, Tezpur University, Assam, India


Distributed Denial of Service (DDoS) attacks have become a critical threat to the Web with the increase in web-based transactions and application services offered by the Internet. With the vast resources and techniques easily available to the attackers countering them has become more challenging. They are usually carried out at the network layer. Unlike traditional network-layer attacks, application-layer DDoS attacks can be more effective. It utilizes legitimate HTTP requests to inundate victim resources that are undetectable. Many methods exist in the literature to protect systems from IP and TCP layer DDoS attacks that do not work when encountering application-layer DDoS attacks. Most network-layer DDoS attacks are flooding attacks, but application-layer DDoS attacks can be flooding attacks or protocol-specific vulnerability attacks. Various protocol-specific vulnerability attacks cannot be detected by traditional detection methods as they are designed to detect flooding attacks. One such attack is the slowloris attack. It targets web servers by exploiting an HTTP protocol vulnerability. In this paper, we propose a slowloris attack detection based on an adaptive timeout-based approach that contains two modules: a suspect determination module and an attacker verification module. The determination module determines suspects and sends them to the verification module, which verifies a suspect as an attacker. We have designed a detection algorithm that detects an attacker's IP address before it consumes all the resources. The experimental results substantiate its efficacy with low false alarms and high detection accuracy.


[1] S Prabha and R Anitha. Mitigation of application traffic ddos attacks with trust and am based hmm models. International Journal of Computer Applications, 6:26–34, 2010.
[2] P J Criscuolo. Distributed denial of service, tribe flood network 2000, and stacheldraht. CIAC-2319, Department of Energy Computer Incident Advisory Capability (CIAC), UCRL-ID-136939, Rev. 1., Lawrence Livermore National Laboratory, 1, 2000.
[3] V Durcekova, L Schwartz, and N Shahmehri. Sophisticated denial of service attacks aimed at application layer. In ELEKTRO, pages 55–60. IEEE, 2012.
[4] X Xu, X Guo, and S Zhu. A queuing analysis for low-rate dos attacks against application servers. In IEEE International Conference on Wireless Communications, Networking and Information Security, pages 500–504. IEEE, 2010.
[5] J Mirkovic and P Reiher. A taxonomy of ddos attack and ddos defense mechanisms. ACM SIGCOMM Computer Communications Review, 34:39–53, 2004.
[6] C Douligeris and A Mitrokotsa. Ddos attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 44:643–666, 2004.
[7] T Peng, C Leckie, and K Ramamohanarao. Survey of network-based defense mechanisms countering the dos and ddos problems. ACM Computing Survey, 39:3–es, 2007.
[8] RioRey. Taxonomy of ddos attacks. 2022.
[9] S Ranjan, R Swaminathan, M Uysal, and E Knightly. Ddos-resilient scheduling to counter application layer attacks under imperfect detection. In Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications, pages 1–13. IEEE, 2006.
[10] Wallarm. What is slowloris attack. 2022.
[11] R Barnett. (updated) modsecurity advanced topic of the week: Mitigating slow http dos attacks. TrustWave, 2011.
[12] K J Higgins. Researchers to demonstrate new attack that exploits http. DarkReading, 2010.
[13] S Shekyan. Are you ready for slow reading? Qualys, 2012.
[14] J Pelline. Mydoom downs sco site. CNET, 2004.
[15] S Pillai. Slowloris http dos attack and prevention./ROOT.IN, 2013.
[16] R Papadie and I Apostol. Analyzing websites protection mechanisms against ddos attacks. In 9th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), pages 1–6. IEEE, 2007.
[17] R K Sharma, B Issac, and H K Kalita. Intrusion detection and response system inspired by the defense mechanism of plants. IEEE Access, 7:52427–52439, 2019.
[18] V Jyothi, X Wang, S K Addepalli, and R Karri. Brain: Behavior based adaptive intrusion detection in networks: Using hardware performance counters to detect ddos attacks. In 29th International Conference on VLSI Design and 2016 15th
International Conference on Embedded Systems(VLSID), pages 587–588. IEEE, 2016.
[19] S Sivabalan and P J Radcliffe. Feasibility of eliminating idps devices from a web server farm. International Journal of Network Security, 20:433–438, 2018.
[20] R Giunta, F Messina, G Pappalardo, and E Tramontana. Augmenting a web server with qos by means of an aspectoriented architecture. In 2012 IEEE 21st International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pages 179–184. IEEE, 2012.
[21] T Shorey, D Subbaiah, A Goyal, A Sakxena, and A K Mishra. Performance comparison and analysis of slowloris, goldeneye and xerxes ddos attack tools. In 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pages 318–322. IEEE, 2018.
[22] E Damon, J Dale, E Laron, J Mache, N Land, and R Weiss. Hands-on denial of service lab exercises using slowloris and rudy. In Proceedings of the 2012 Information Security Curriculum Development Conference, pages 21–29. ACM, 2012.
[23] N Sultana, S Bose, and B T Loo. An extensible evaluation system for dos research. In 2019 11th International Conference on Communication Systems & Networks (COMSNETS), pages 344–351. IEEE, 2019.
[24] W Park and S Ahn. Performance comparison and detection analysis in snort and suricata environment. Wireless Personal Communication, 94:241—-252, 2017.
[25] D J Day and B M Burns. A performance analysis of snort and suricata network intrusion detection and prevention engines. In Proceedings of the Fifth International Conference on Digital Society, pages 187—-192. IARIA, 2011.
[26] T E de Sousa Ara´ujo, F M Matos, and J A Moreira. Intrusion detection systems’ performance for distributed denial-of-service attack. In 2017 CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON), pages 1–6. IEEE, 2017.
[27] V da Silva Faria, J A Gon¸calves, C A M da Silva, G de Brito Vieira, and D M Mascarenhas. Sdtow: A slowloris detecting tool for wmns. Information, 11:544, 2020.
[28] H Kim, B Kim, D Kim, I K Kim, and T M Chung. Implementation of gesnic for web server protection against http get flooding attacks. In International Workshop on Information Security Applications. WISA 2012. Lecture Notes in Computer Science, pages 285–295. Springer, 2012.
[29] M Sikora, T Gerlich, and L Malina. On detection and mitigation of slow rate denial of service attacks. In Proceedings of the 2019 11th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops(ICUMT), pages 1–5. IEEE, 2019.
[30] J Kim and H S Kim. Intrusion detection based on spatiotemporal characterization of cyberattacks. Electronics, 9:460, 2020.
[31] K J Singh and T De. Mlp-ga based algorithm to detect application layer ddos attack. Journal of Information Security Applications, 36:145–153, 2017.
[32] Y M Swe, P P Aung, and A S Hlaing. A slow ddos attack detection mechanism using feature weighing and ranking. In Proceedings of the 11th Annual International Conference on Industrial Engineering and Operations Management, pages
4500–4509. IEOM Society International, 2021.
[33] A Al-Harbi and R Jabeur. An efficient method for detection of ddos attacks on the web using deep learning algorithms. International Journal of Advanced Trends in Computer Science and Engineering, 10:2821–2829, 2021.
[34] P Velan and T Jirsik. On the impact of flow monitoring configuration. In Proceedings of the NOMS 2020—2020 IEEE/IFIP Network Operations and Management Symposium, pages 1–7. IEEE, 2020.
[35] C Kemp, C Calvert, T M Khoshgoftaar, and J L Leevy. An approach to application-layer dos detection. Journal of Big Data, 10:1–30, 2023.
[36] Y Fu, X Duan, K Wang, and B Li. Low-rate denial of service attack detection method based on time-frequency characteristics. Journal of Cloud Computing: Advances, Systems and Applications, 11:1–19, 2022.
[37] V Sundar. What is slowloris ddos attack and how does it work? Indusface, 2023.
[38] G Yaltirakli. Slowloris 0.2.6. low bandwidth dos tool. Github, 2023.