Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

A. Pavlidis,Marinos Dimolianis,B. Maglaris

DOI: https://doi.org/10.1109/ICIN51074.2021.9385540

2021-03-01

Abstract:Distributed Denial of Service (DDoS) attacks are widely used by malicious actors to disrupt network infrastructures/services. A common attack is TCP SYN Flood that attempts to exhaust memory and processing resources. Typical mitigation mechanisms, i.e. SYN cookies require significant processing resources and generate large rates of backscatter traffic to block them. In this paper, we propose a detection and mitigation schema that focuses on generating and optimizing signature-based rules. To that end, network traffic is monitored and appropriate packet-level data are processed to form signatures i.e. unique combinations of packet field values. These are fed to machine learning models that classify them to malicious/benign. Malicious signatures corresponding to specific destinations identify potential victims. TCP traffic to victims is redirected to high-performance programmable XDPenabled firewalls that filter off ending traffic according to signatures classified as malicious. To enhance mitigation performance malicious signatures are subjected to a reduction process, formulated as a multi-objective optimization problem. Minimization objectives are (i) the number of malicious signatures and (ii) collateral damage on benign traffic. We evaluate our approach in terms of detection accuracy and packet filtering performance employing traces from production environments and high rate generated attack traffic. We showcase that our approach achieves high detection accuracy, significantly reduces the number of filtering rules and outperforms the SYN cookies mechanism in high-speed traffic scenarios.

Computer Science,Engineering

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Changhua Sun,Jindou Fan,Bin Liu

DOI: https://doi.org/10.1109/CHINACOM.2007.4469411

2007-01-01

Abstract:We propose a more robust scheme to detect SYN flooding attacks. Existing methods for detecting SYN flooding are based on the protocol behavior of TCP SYN-FIN (RST) or SYN-ACK pairs, as normally the number of SYN packets is equal to that of FIN (added with RST) packets, or ACK packets in the handshake. When SYN flood starts, there will be more SYN packets. However, the attacker can avoid the detection by sending the FIN or RST packets (ACK packets) in conjunction with the SYN packets. To make the detection scheme more robust, we record the flow information of SYN packets in a counting Bloom Filter, and count the FIN (RST) packets according to the Bloom Filter. In addition, the Change Point Detection method based on a non-parametric Cumulative Sum algorithm is applied to make the detection mechanism much more generally applicable. Through trace-driven simulations, we show our detection scheme is more efficient and robust in detecting various SYN flooding attacks. More importantly, our scheme can be easily deployed at ISP's edge routers.

Changhua Sun,Chengchen Hu,Yi Tang,Bin Liu

DOI: https://doi.org/10.1109/icccn.2009.5235270

2009-01-01

Abstract:SYN flood attacks still dominate distributed denial of service attacks. It is a great challenge to accurately detect the SYN flood attacks in high speed networks. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to pretend to be benign. Keeping per-flow or per-connection state could eliminate such a spoofing, but meanwhile, it also consumes extremely huge resources. We propose a more accurate and fast SYN flood detection method, named SACK2, which could detect all kinds of SYN flood attacks with limited implementation costs. SACK2 exploits the behavior of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. We utilize the space efficient data structure, counting Bloom filter, to recognize the CliACK packet. Comprehensive experiments demonstrate that, SACK2 is the fastest and most accurate detection method compared with related methods which also leverage the packet pair's behavior. The memory cost of SACK2 for a 10 Gbps link is 364 KB and can be easily accommodated in modern routers.

Changhua Sun,Jindou Fan,Lei Shi,Bin Liu

2007-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack remains a serious problem on the Internet today, as it takes advantage of the lack of authenticity in the IP protocol, destination oriented routing, and stateless nature of the Internet. Among various DDoS attacks, the TCP SYN flooding [1] is the most commonly-used one. It exploits TCP’s three-way handshake mechanism and TCP’s limitation in maintaining half-open connections. When a server receives a SYN packet, it returns a SYN/ACK packet and allocates resources (typically backlog queue in the system memory) to track the TCP state. Then the server would wait until either the half-open connection completes or the TCP connection times out. In the SYN flooding attack, the server will receive a large number of SYN packets but never receive the final ACK packets to complete the three-way handshake. Then the victim server’s backlog queue can be easily exhausted, causing all the new incoming SYN requests to be dropped. Furthermore, many other system resources, such as CPU and network bandwidth used to retransmit the SYN/ACK packets, are occupied. The most viable techniques [2] up-to-date to defend SYN floods include SYN cache [3] and SYN cookies [4]. SYN cache is to allocate minimal state when the initial request is received, and only allocate all the resources when the connection is completed. If the backlog queue is full, the oldest entry is removed. SYN cookies allocate no state for half-open connections. Instead, they encode most of the states and encrypt them into the sequence number transmitted in the SYN/ACK packet. The ACK packet that completes the handshake can be used to reconstruct the state to be put into the backlog queue. One problem with SYN cookies is not able to encode all the TCP options, and the other is that TCP protocol with SYN cookies would never retransmit the unacknowledged SYN/ACK packet. In addition, both of them do not handle application data piggybacked on the SYN segment, i.e., incompatible with Transactional TCP (T/TCP)

Ding Pengfule,Tian Zhihong,Zhang Hongli,Wang Yong,Zhang Liang,Guo Sanchuan

DOI: https://doi.org/10.1109/dsc.2016.108

2016-01-01

Abstract:The extensive use of Internet technology has brought great convenience to modern society, however, more and more severe problems regarding to network security have also emerged at the same time. Especially the DDoS attacks, represented by SYN Flood, pose massive threats to the network security. This paper discusses an algorithm which could detect SYN Flood attack quickly under large scale network: the adaptive threshold algorithm. Then we propose "Slow detection, Fast recovery" mechanism on basis of adaptive threshold algorithm. Finally, we implement the attack detection and defense algorithms in dual-stack firewall, and test the validity and performance respectively. The results indicate that the methods of detecting and defending SYN Flood proposed by this paper can improve the system efficiency substantially when firewall is attacked, while consuming only a small amount of extra memory.

Mehdi Ebady Manna,Angela Amphawan

DOI: https://doi.org/10.48550/arXiv.1202.1761

2012-02-09

Abstract:Denial of Service (DoS) is a security threat which compromises the confidentiality of information stored in Local Area Networks (LANs) due to unauthorized access by spoofed IP addresses. SYN Flooding is a type of DoS which is harmful to network as the flooding of packets may delay other users from accessing the server and in severe cases, the server may need to be shut down, wasting valuable resources, especially in critical real-time services such as in e-commerce and the medical field. The objective of this paper is to review the state-of-the art of detection mechanisms for SYN flooding. The detection schemes for SYN Flooding attacks have been classified broadly into three categories - detection schemes based on the router data structure, detection schemes based on statistical analysis of the packet flow and detection schemes based on artificial intelligence. The advantages and disadvantages for various detection schemes under each category have been critically examined. The performance measures of the categories have also been compared.

Cryptography and Security

Changhua Sun,Chengchen Hu,Yachao Zhou,Xin Xiao,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2009.5072099

2009-01-01

Abstract:We propose to use the SYN/ACK-CliACK pair's behavior to detect the various SYN flood attacks more accurately. The SYN/ACK packets carry the full information of the TCP connections and it is impossible for the attacker to evade the detection by spoofing the control packets. Moreover, we use a space efficient data structure, counting Bloom filter, to recognize the CliACK packet and the memory cost is 2 MB even for 10 Gbps link speeds. We need to fully compare our scheme with the existing detection mechanisms in future.

C. Sun,C. Hu,B. Liu

DOI: https://doi.org/10.1049/iet-ifs.2010.0158

2012-01-01

IET Information Security

Abstract:SYN flood attacks still dominate distributed denial of service attacks. It is a great challenge to accurately detect the SYN flood attacks which utilise skillful spoofs to evade traditional detection methods. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to appear benign. Keeping per-flow or per-connection state could eliminate such a spoofing, but meanwhile, it is very difficult to be implemented in practice. A more accurate and fast SYN flood detection method, named SACK2, is proposed to deal with all kinds of SYN flood attacks with limited implementation costs. SACK2 exploits the behaviour of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. It also utilises the space efficient data structure, counting Bloom filter, to recognise the CliACK packet. The memory cost of SACK2 for a 10 Gbps link is 364 KB and can be easily accommodated in modern routers. SACK2 can report the start of the attack in less than one detection period, and the end of the attack less than two detection periods. It is also demonstrated that SACK2 is the most accurate detection method through comprehensive experiments.

Chun-Hao Yang,Jhen-Ping Wu,Fang-Yi Lee,Ting-Yu Lin,Meng-Hsun Tsai

DOI: https://doi.org/10.3390/s23083817

2023-04-07

Abstract:Software-defined networking (SDN) is a new network architecture that provides programmable networks, more efficient network management, and centralized control than traditional networks. The TCP SYN flooding attack is one of the most aggressive network attacks that can seriously degrade network performance. This paper proposes detection and mitigation modules against SYN flooding attacks in SDN. We combine those modules, which have evolved from the cuckoo hashing method and innovative whitelist, to get better performance compared to current methods Our approach reduces the traffic through the switch and improves detection accuracy, also the required register size is reduced by half for the same accuracy.

Yi Shi,Xinyu Yang

DOI: https://doi.org/10.1007/11596981_54

2005-01-01

Abstract:Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In this paper, we propose a novel global defense architecture to protect the entire Internet from DDoS attacks. This architecture includes all the three parts of defense during the DDoS attack: detection, filtering and traceback, and we use different agents distributed in routers or hosts to fulfill these tasks. The superiority of the architecture that makes it more effective includes: (i) the attack detection algorithm as well as attack filtering and traceback algorithm are both network traffic-based algorithms; (ii) our traceback algorithm itself also can mitigate the effects of the attacks. Our proposed scheme is implemented through simulations of detecting and defending SYN Flooding attack, which is an example of DDoS attack. The results show that such architecture is much effective because the performance of detection algorithm and traceback algorithm are both better.

Saman Taghavi Zargar,James Joshi,David Tipper

DOI: https://doi.org/10.1109/surv.2013.031413.00127

2013-01-01

Abstract:Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

computer science, information systems,telecommunications

Prashant Kumar,Meenakshi Tripathi,Ajay Nehra,Mauro Conti,Chhagan Lal

DOI: https://doi.org/10.1109/tnsm.2018.2861741

2018-12-01

IEEE Transactions on Network and Service Management

Abstract:Software defined networking (SDN) is an emerging network paradigm which emphasizes the separation of the control plane from the data plane. This decoupling provides several advantages such as flexibility, programmability, and centralized control. However, SDN also introduces new vulnerabilities due to the required communication between data plane and control plane. Examples of threats that leverage such vulnerabilities are the control plane saturation and switch buffer overflow attacks. These attacks can be launched by flooding the TCP SYN packets from data plane (i.e., switches) to the control plane. This paper presents SAFETY, a novel solution for the early detection and mitigation of TCP SYN flooding. SAFETY harnesses the programming and wide visibility approach of SDN with entropy method to determine the randomness of the flow data. The entropy information includes destination IP and few attributes of TCP flags. To show the feasibility and effectiveness of SAFETY, we implement it as an extension module in Floodlight controller and evaluate it under different conditional scenarios. We run a thorough evaluation of our implementation through extensive emulation via Mininet. The experimental results show that when compared to the state-of-the-art, SAFETY brings a significant improvement (13%) regarding processing delay experienced by a legitimate node. Other parameters such as CPU utilization at the controller and attack detection time are also examined and shows improvement in various scenarios.

computer science, information systems

B. B. Gupta,R. C. Joshi,Manoj Misra

DOI: https://doi.org/10.48550/arXiv.1204.5592

2012-04-25

Abstract:Denial of service (DoS) attacks and more particularly the distributed ones (DDoS) are one of the latest threat and pose a grave danger to users, organizations and infrastructures of the Internet. Several schemes have been proposed on how to detect some of these attacks, but they suffer from a range of problems, some of them being impractical and others not being effective against these attacks. This paper reports the design principles and evaluation results of our proposed framework that autonomously detects and accurately characterizes a wide range of flooding DDoS attacks in ISP network. Attacks are detected by the constant monitoring of propagation of abrupt traffic changes inside ISP network. For this, a newly designed flow-volume based approach (FVBA) is used to construct profile of the traffic normally seen in the network, and identify anomalies whenever traffic goes out of profile. Consideration of varying tolerance factors make proposed detection system scalable to the varying network conditions and attack loads in real time. Six-sigma method is used to identify threshold values accurately for malicious flows characterization. FVBA has been extensively evaluated in a controlled test-bed environment. Detection thresholds and efficiency is justified using receiver operating characteristics (ROC) curve. For validation, KDD 99, a publicly available benchmark dataset is used. The results show that our proposed system gives a drastic improvement in terms of detection and false alarm rate.

Cryptography and Security

Ancy Sherin Jose,Latha R Nair,Varghese Paul

DOI: https://doi.org/10.47059/revistageintec.v11i4.2411

2021-07-29

Revista Gestão Inovação e Tecnologias

Abstract:Distributed Denial of Service Attack (DDoS) has emerged as a major threat to cyber space. A DDoS attack aims at exhausting the resources of the victim causing financial and reputational damages to it. The availability of free software make launching of DDoS attacks easy. The difficulty in differentiating a DDoS traffic from a legitimate traffic burst such as a flash crowd makes DDoS difficult to be identified. A wide range of techniques have been used in conventional networks to detect and mitigate DDoS attacks. Though the advent of Software Defined Networking (SDN) makes a network easy to be managed even SDN is vulnerable to DDoS attacks. In this case, the controller of the SDN gets overloaded with the incoming packets from the switches. In fact, a solution based on security analytics can be put in place to ward off this threat as a proactive security measure using the flow level statistics available from the SDN. Compared to the packet analysis used in traditional networks which is resource expensive the flow level statistics is relatively inexpensive. This paper focuses on the design and implementation of an attack detection system for detecting the flooding DDoS attacks TCP SYN flooding attacks, HTTP request flooding attacks, UDP flooding attacks and ICMP flooding attacks over SDN network traffic. The system uses various classification algorithms to classify a traffic into normal or attack. The feature sets for classification were arrived at using a feature selection module with ANOVA (Analysis of Variance) F-Test statistical method. Performance evaluation of each of the classifiers was carried out for the three feature sets obtained from the feature selection module using various performance measures and the results have been tabulated. The feature set which gives the best performance in detecting malicious traffic has been identified.

Loïc D. Tsobdjou,Samuel Pierre,Alejandro Quintero,Loic D. Tsobdjou

DOI: https://doi.org/10.1109/tnsm.2022.3142254

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Distributed denial of service attacks are cyber-attacks that target the availability of servers. As a result, legitimate users no longer have access to the service. This can have a negative impact on an organization, such as lack of reputation and economic losses. Therefore, it is important to design defense mechanisms against these attacks. There are systems for detecting distributed denial of service attacks in the literature, which still have various shortcomings. Some of these systems detect the presence of attack traffic without identifying the attack packets or flows. Others use static thresholds and therefore cannot adapt to changes in legitimate traffic. In this paper, we propose an online system that aims to detect flooding attacks in a short timeframe and a client–server environment. The proposed detection system consists of five modules, namely features extraction and connections construction, suspicious activity detection, attack connections detection, alert generation and threshold update. The suspicious activity detection module calculates the normalized Shannon entropy by considering the source Internet Protocol address as a random variable. Suspicious activity is detected when the computed entropy is below a threshold. The threshold calculation is based on Chebyshev’s theorem. We propose a dynamic threshold algorithm to track changes in legitimate traffic. We evaluate the proposed system through simulations and using a publicly available dataset. Compared to other similar works, the proposed detection system has a better performance in terms of detection rate, false positive rate, precision and overall accuracy.

computer science, information systems