Abstract

Denial of service (DoS) attacks have increasingly exploited vulnerabilities in the algorithms or implementations of application-layer programs. In this type of attack, called a CPU-exhaustion DoS attack, a few well-crafted requests may consume a large amount of server resources, which is essentially different from traditional volumetric DoS attacks. Due to the lack of recognizable patterns, traditional network-layer defense mechanisms are usually unable to detect such sophisticated DoS attacks. In this paper, we propose Coda, a framework for detecting application-layer CPU-exhaustion DoS attacks in containers. Coda monitors the CPU time consumed by each connection and uses statistical methods to detect attacks. It traces system calls and other related information from the container at the host level, based on Linux eBPF. Specific system calls indicate the establishment and closure of a connection, which in turn indicate the start and end of request processing. When these system calls are triggered, Coda starts or stops monitoring the CPU time consumed by the connection. An attack can be detected when the CPU time consumed by an attack connection is statistically different from that consumed by a legitimate connection. Coda has the following key advantages. First, it works with programs built in different programming languages. Second, it remains agnostic to the source code of protected programs. Third, it supports monitoring the container and is transparent to the container. Through evaluation of real-world attacks, we demonstrate that Coda can accurately detect ongoing application-layer CPU-exhaustion DoS attacks with low additional overhead.
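The per-connection accounting described in the abstract can be sketched in user space as follows. This is an added example, not Coda's implementation: the event format, the thread-per-connection model, and the median/MAD outlier rule are assumptions (the abstract does not name the statistical method), and the trace and baseline are constructed.

```python
from statistics import median

def cpu_time_per_connection(events):
    """events: (ts_ms, tid, kind, fd) sorted by time; kind is accept/close/on/off.
    Returns {(tid, fd): on-CPU ms charged between accept and close}.
    Assumption: each thread serves one connection at a time."""
    active, on_since, usage = {}, {}, {}
    for ts, tid, kind, fd in events:
        if kind == "accept":            # connection start: begin charging CPU
            active[tid], on_since[tid] = fd, ts
            usage[(tid, fd)] = 0
        elif kind == "on":              # thread scheduled onto a CPU
            on_since[tid] = ts
        elif kind == "off" or (kind == "close" and active.get(tid, -1) == fd):
            # close() on an fd that is not the connection socket is ignored
            start = on_since.pop(tid, None)
            if start is not None and tid in active:
                usage[(tid, active[tid])] += ts - start
            if kind == "close":         # connection end: stop charging
                del active[tid]
    return usage

def outliers(usage, baseline, k=5.0):
    """Flag connections whose CPU time exceeds median + k * scaled MAD of a
    baseline of legitimate connections (robust rule chosen for illustration)."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1e-9
    limit = med + k * 1.4826 * mad
    return sorted(conn for conn, t in usage.items() if t > limit)

# Constructed trace: threads 1 and 2 serve cheap requests, thread 3 serves a
# request that burns CPU (e.g. a pathological input to a costly algorithm).
EVENTS = [
    (0, 1, "accept", 7), (1, 2, "accept", 8), (2, 1, "off", None),
    (2, 2, "close", 3),  # unrelated file descriptor, not the socket
    (3, 3, "accept", 9), (4, 2, "off", None), (5, 2, "on", None),
    (6, 2, "close", 8), (10, 1, "on", None), (11, 1, "close", 7),
    (403, 3, "off", None), (410, 3, "on", None), (900, 3, "close", 9),
]
BASELINE_MS = [2, 3, 3, 4, 5, 3, 4]  # constructed CPU times of legitimate connections

if __name__ == "__main__":
    usage = cpu_time_per_connection(EVENTS)
    print(usage, outliers(usage, BASELINE_MS))
```

Time spent blocked (between `off` and `on`) is not charged, so a slow but idle client does not look like a CPU-exhaustion attack.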
