Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Qing LI,LeJun CHI,ZhaoXin ZHANG

DOI: https://doi.org/10.5815/ijwmt.2011.02.05

2011-01-01

International Journal of Wireless and Microwave Technologies

Abstract:Due to the rapid spread of botnets, distributed denial of service attacks have become more and more frequent and fatal.In order to detect and defend DDoS attack, many researches have been done, such as using NS2 to simulate such attacks.However, the major bottlenecks in large-scale network simulation are the memory usage and simulation time.In this paper, we present a novel approach to simulate DDoS attack, called Analytical Packet Forwarding Model (APFM), which simplifies the procedure of packet forwarding based on computation.The experimental results show that our model ensures the authenticity of the overall simulation procedure and simulation results, compared to NS2.The most significant contribution of APFM is that it significantly reduced the memory usage and simulation time.

Huaping Hu,Jing Zhang,Bo Liu,Lin Chen

DOI: https://doi.org/10.1109/iccit.2010.5711129

2010-01-01

Abstract:Low-rate denial-of-service attack is a novel category of DDoS attacks. The paper defines defense performance as metric to analyze whether the degree of distribution of attack sources impacts the LDoS attack greatly. From the result of simulation on NS2, the deeper degree of distributed, the better defense performance of Droptail (passive queue management), and the worse defense performance of RED (active queue management). And we also analyze the factors which may have impacts on the attack.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Xin-lei Li,Kang-feng Zheng,Yi-xian Yang

DOI: https://doi.org/10.1109/CIS.2008.190

2008-01-01

Abstract:Due to the rapid spread of botnets distributed denial of service attacks have become more and more frequent and fatal. Many researches have been done in the virtual environment to detect and defend such attacks. But a data flow is essentially needed to verify these researches in a real environment. This paper proposes a simulation platform of distributed denial of service attacks based on network processor. The fractal Brownian motion model is introduced to generate attack flow with the characteristic of self-similarity. A transmission control mechanism based on micro-engine is presented to reduce the error of output data flow’s Hurst parameter. Experiment results show that the model can generate a high speed self-similar attack flow with controllable Hurst parameter, and different kinds of traffic in the flow can be accurately transmitted as configured.

Yongliang Zhao,Rongheng Lin,Hua Zou,Wei Zeng

DOI: https://doi.org/10.1109/icct56141.2022.10073469

2022-01-01

Abstract:As a software-defined network emulation software, Mininet can emulate networks with limited resources on a single host. When studying the DDoS attack and protection, Mininet can be used to emulate network topology and implement the DDoS attack and defense simulation through Mininet. This work made the design and implementation of the DDoS attack and defense simulation subsystem based on Mininet. The DDoS attack and corresponding defense were deployed in the system, and the system can simulate DDoS attack and defense. The implementation of this system provided a reference for constructing a network attack and defense simulation system based on Mininet.

Ming Li,Jun Li,Wei Zhao

DOI: https://doi.org/10.1109/ICICSE.2008.14

2008-01-01

Abstract:Distributed denial-of-service (DDOS) attacking remains a great threat to the Internet. The literature regarding qualitative descriptions of DDOS attacking is rich. However, quantitative descriptions are rarely reported. This paper aims at providing our results of five experiments in this regard for flood attacking in the simulation environment with NS2. The results in this paper indicate that the bandwidth may be more easily flooded by UDP-type attacking than by TCP-type one. In addition, by introducing the concepts of attack time and attack intensity, we show that attack time mainly relates to attack intensity. Furthermore, we give the quantitative evidence to show that buffer size plays a role in dealing with attack traffic.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Zhang jing,Hu huaping,Liu bo,Xiao fengtao,Chen xin

DOI: https://doi.org/10.3969/j.issn.1674-9456.2010.07.011

2010-01-01

Abstract:Because of the present architecture of Internet and the lack mechanism of certifi cation making DDoS attacks occurs very easy. And the fast development of botnet has been offered powerful tool for DDoS attacks. DDoS attack is one of major threat of network security, so how to defend DDoS attacks become a hot point of network security research. Based on the model of DDoS attacks and analyzing the reason of attacks’ occur, we introduce the defense technology of DDoS attacks from four aspects: attack prevention, attack detection, attack response and attack source tracking. In the last, we suggest the worthy research points.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Muhai Li,Ming Li

DOI: https://doi.org/10.1155/2010/570940

IF: 1.43

2010-01-01

Mathematical Problems in Engineering

Abstract:In various network attacks, the Distributed Denial-of-Service (DDoS) attack is a severe threat. In order to deal with this kind of attack in time, it is necessary to establish a special type of defense system to change strategy dynamically against attacks. In this paper, we introduce an adaptive approach, which is used for defending against DDoS attacks, based on normal traffic analysis. The approach can check DDoS attacks and adaptively adjust its configurations according to the network condition and attack severity. In order to insure the common users to visit the victim server that is being attacked, we provide a nonlinear traffic control formula for the system. Our simulation test indicates that the nonlinear control approach can prevent the malicious attack packets effectively while making legitimate traffic flows arrive at the victim.

jing zhang,bo liu,huaping hu,lin chen,tianzuo wang

DOI: https://doi.org/10.1007/978-3-642-27334-6_9

2012-01-01

Abstract:The Quiet DDoS attack was proposed in 2009 by Amey and Nirwan. It launches certain number of TCP flows to reduce the transferring ability of normal TCP flows by using botnet. By the simulation experiments on the NS2 platform, we analyze the factors and their impacts on the attack in detail. According to the results of simulation, we give some suggestion to counter the Quiet DDoS attack.

Hu Youzhi,Lu Yuliang

DOI: https://doi.org/10.3969/j.issn.1627-9730.2006.04.021

2006-01-01

Abstract:DDoS is a very effective network attack technique,which is called the "supreme weapen" of hachers.The defense against DDoS attacks is very difficult as the attacks often occurs suddenly and the zombies distribute widely.This paper analyses the characteristics of DDos attacks,and then brings forward a defense system.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

HU Bin,DAI Kun-yu,TU Xiao-ying

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2010.07.012

2010-01-01

Abstract:DDoS attack is a widespread use of attack which difficult to defend,based on autonomous system router traffic authentication technologies can effectively resist such attacks. We proposed to improve the autonomous system of two certification systems according to some of these technology shortcomings,to meet the data transmission efficiency and security requirements. Through the introduction of state of the current data transfer rate and life cycle of the relationship to expand the scope of its defensive attack,such as flood DDoS attacks,semi-open connections DDoS attacks.

Jianmin Zhang,Yi Chen,Naizheng Jin,Lianquan Hou,Qianzhi Zhang

DOI: https://doi.org/10.1109/pesgm.2017.8274254

2017-01-01

Abstract:Due to DoS (Denial of Service) as the most serious cyber attack for digital substation, a modeling of data flow with different properties as periodic, random, sudden response is firstly introduced, followed by a simulation modeling of DoS attack based on the SYN-Flood principle; the module design and simulation implementation scheme based on OPNET platform has been proposed in detail. The simulation scenario is selected as the star network where the station layer server is under the SYN_flood attack, and the case studies are made for wide-band of 10BaseT and 100BaseT data link. The simulation results give the performances of the station layer server before and after SYN_flood attack, and the attack consequences are long stay at a high CPU utilization, time delay increasing of TCP connection, and the increasing of link throughput to exhaust the link band, etc., in which the attempts of DoS are exposed to make the station layer server disable to response the normal business request, i.e., to deny the service.

Luo Zhen,Pei Changxing,Zhu Changhua

DOI: https://doi.org/10.3969/j.issn.1007-7820.2006.12.020

2006-01-01

Abstract:This paper makes a systematic analysis of the implementation theory of DDoS(Distributed Denial of Service) attack, presents the tools commonly used to start a DDOS and proposes a detailed and feasible policy which can defend the DDOS based on the method of DDOS. The major properties of the popular and typical detection and response system of DDOS is given. Finally the future research on the defense of DDoS is presented.

LI Jun,LI Ming

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.18.047

2006-01-01

Abstract:One of the most important fields in network security is the defense against DDoS attacks, in which many methods are introduced in literature, namely DWARD, IP trace, packet classification, anomaly traffic detection. Every current method has its advantages and disadvantages. With the idea of classification defense, this paper presents an integrated scheme which has synthesized two complete defending systems against DDoS attacks. The integrated system has more powerful functions in fighting against DDoS attacks. The good performances of the new system for fighting against DDoS attacks are listed as fellow: low false alarm probability, high speed of response, slight affection to the normal traffic.