Live Baiting for Service-Level DoS Attackers

Denial-of-service (DoS) attacks remain a challenging problem in the Internet. By making resources unavailable to intended legitimate clients, DoS attacks have resulted in significant loss of time and money for many organizations, thus, many DoS defense mechanisms have been proposed. In this paper we propose live baiting, a novel approach for detecting the identities of DoS attackers. Live baiting leverages group-testing theory, which aims at discovering defective members in a population using the minimum number of dasiadasiatestspsilapsila. This leverage allows live baiting to detect attackers using low state overhead without requiring models of legitimate requests nor anomalous behavior. The amount of state needed by live baiting is in the order of number of attackers not number of clients. This saving allows live baiting to scale to large services with millions of clients. We analyzed the coverage, effectiveness (detection time, false positive and false negative probabilities), and efficiency (memory, message overhead, and computational complexity) of our approach. We validated our analysis using NS-2 simulations modeled after real Web traces.