Mitigating Low-volume DoS Attacks with Data-driven Resource Accounting

Low-volume Denial-of-Service ({\mu}DoS) attacks have been demonstrated to fundamentally bypass traditional DoS mitigation schemes based on the flow and volume of network packets. In this paper, we propose a data-driven approach, called ROKI, that accurately tracks internal resource utilization and allocation associated with each packet (or session), making it possible to tame resource exhaustion caused by {\mu}DoS attacks. Since ROKI focuses on capturing the symptom of DoS, it can effectively mitigate previously unknown {\mu}DoS attacks. To enable a finer-grain resource tracking, ROKI provided in concept the accounting capabilities to each packet itself, so we called data-driven: it monitors resource utilization at the link, network, transport layers in the kernel, as well as application layers, and attributes back to the associated packet. Given the resource usages of each packet, ROKI can reclaim (or prevent) the system resources from malicious packets (or attackers) whenever it encounters system-wide resource exhaustion. To provide lightweight resource tracking, ROKI carefully multiplexes hardware performance counters whenever necessary. Our evaluation shows that ROKI's approach is indeed effective in mitigating real-world {\mu}DoS attacks with negligible performance overheads - incurring 3%-4% throughput and latency overheads on average when the system is throttled.