Hands-on denial of service lab exercises using SlowLoris and RUDY

  • Authors:

  • Evan Damon;Julian Dale;Evaristo Laron;Jens Mache;Nathan Land;Richard Weiss

  • Affiliations:

  • Lewis & Clark College, Portland, OR;Lewis & Clark College, Portland, OR;Lewis & Clark College, Portland, OR;Lewis & Clark College, Portland, OR;Renesys Corp., Hanover, NH;Evergreen State College, Olympia, WA

  • Venue:
  • Proceedings of the 2012 Information Security Curriculum Development Conference
  • Year:
  • 2012

Quantified Score

Hi-index 0.00

Visualization

Abstract

This paper presents an interactive exercise based on offensive denial of service techniques used by hackers. The goals of the exercise are to teach how a large class of denial of service (DoS) attacks work. Students will see that it is not necessary to use distributed DoS. Moreover, using virtualization, we created an exercise that was easy for faculty to use. We tested it on a class of computer science undergraduates, and while it was well-received by the students and easy for the faculty member, we learned some important lessons about designing hands-on exercises. In addition to teaching students about DoS attacks and how to defend against them, this exercise also requires students to look carefully at the HTTP protocol. In the following laboratory exercise, students learn offensive techniques in a context that prompts them to think critically about what makes networks secure and how they can be made more secure. The exercise involves the use of two newer but well-known denial of service attacks: 'SlowLoris' and 'R-U-Dead-Yet?' (RUDY). The students perform these attacks through a Java-based graphical interface, to make the lab more accessible. While carrying out the attacks, the students answer questions designed to improve their analytical skills and to better their understanding of TCP, HTTP, and application-layer security considerations.