pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Muhai Li,Ming Li

DOI: https://doi.org/10.1155/2010/570940

IF: 1.43

2010-01-01

Mathematical Problems in Engineering

Abstract:In various network attacks, the Distributed Denial-of-Service (DDoS) attack is a severe threat. In order to deal with this kind of attack in time, it is necessary to establish a special type of defense system to change strategy dynamically against attacks. In this paper, we introduce an adaptive approach, which is used for defending against DDoS attacks, based on normal traffic analysis. The approach can check DDoS attacks and adaptively adjust its configurations according to the network condition and attack severity. In order to insure the common users to visit the victim server that is being attacked, we provide a nonlinear traffic control formula for the system. Our simulation test indicates that the nonlinear control approach can prevent the malicious attack packets effectively while making legitimate traffic flows arrive at the victim.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Jie Yu,Zhoujun Li,Huowang Chen,Xiaoming Chen

DOI: https://doi.org/10.1109/icns.2007.5

2007-01-01

Abstract:Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We proposed a mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology. An anomaly dete-ction method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses client's session rate as currency. Detection model drops suspicious sessions, while currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain higher service rate and lower delay of response time.

LI Mu-hai,LI Ming,WU Xin-xing,LI Xu-hong

DOI: https://doi.org/10.3969/j.issn.1002-137X.2009.01.073

2009-01-01

Computer Science

Abstract:This paper presented a run-time model that can efficiently detect network attacks.The model resolves the problem that classic method can’t distinguish anomalies from attacks.Combining the characteristics of normal traffic,an efficient measure and algorithm which can detect DDoS attacks were given.The algorithm not only has simple structure,high speed to meet the needs of real-time detection,but also can take full advantage of known information,and has more strong anti-jamming capability.The actual test results indicate that this model can be used to achieve real-time detection of DDoS attacks.

Dongqi Wang,Zhu Yufu,Jia Jie

DOI: https://doi.org/10.1109/iccsit.2010.5564969

2010-01-01

Abstract:It is becoming increasing difficult to implement an effective DDoS Defense System, because (1) the raising sophistication of DDoS attack requires more complex analysis to detect, (2) internet traffic grows bigger and bigger which needs more powerful system to monitor. Taking advantages of the great improvement in multi-core technology, a multi-core based DDoS detection system (MIFDDS) is proposed in this work. MIFDDS was the redesign of the IP flow based DDoS detection system (IFDDS) [1]. In MIFDDS, multi-core methodology was used to achieve high detecting efficiency. Experimental results show that: MIFDDS maintained the good detection precision of IFDDS and increased detecting speed; MIFDDS consumed more RAM but not too much; MIFDDS also improved CPU's efficiency.

LI Jun,LI Ming

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.18.047

2006-01-01

Abstract:One of the most important fields in network security is the defense against DDoS attacks, in which many methods are introduced in literature, namely DWARD, IP trace, packet classification, anomaly traffic detection. Every current method has its advantages and disadvantages. With the idea of classification defense, this paper presents an integrated scheme which has synthesized two complete defending systems against DDoS attacks. The integrated system has more powerful functions in fighting against DDoS attacks. The good performances of the new system for fighting against DDoS attacks are listed as fellow: low false alarm probability, high speed of response, slight affection to the normal traffic.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

Yi Shi,Xinyu Yang

DOI: https://doi.org/10.1007/11596981_54

2005-01-01

Abstract:Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In this paper, we propose a novel global defense architecture to protect the entire Internet from DDoS attacks. This architecture includes all the three parts of defense during the DDoS attack: detection, filtering and traceback, and we use different agents distributed in routers or hosts to fulfill these tasks. The superiority of the architecture that makes it more effective includes: (i) the attack detection algorithm as well as attack filtering and traceback algorithm are both network traffic-based algorithms; (ii) our traceback algorithm itself also can mitigate the effects of the attacks. Our proposed scheme is implemented through simulations of detecting and defending SYN Flooding attack, which is an example of DDoS attack. The results show that such architecture is much effective because the performance of detection algorithm and traceback algorithm are both better.

Jieren Cheng,Jianping Yin,Yun Liu,Zhiping Cai,Chengkun Wu

DOI: https://doi.org/10.1109/incos.2009.34

2009-01-01

Abstract:Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. We argue that the difference of the goals, manners and results of the interaction behaviors of normal flows and attack flows, which show different characteristics on IP addresses and ports. IAI (IP Address Interaction Feature) algorithm is proposed based on the addresses interaction, abrupt traffic change, addresses many-to-one dissymmetry, distributed source IP addresses and concentrated target addresses. The IAI is designed to describe the essential characteristics of network flow states. Furthermore, a support vector machine (SVM) classifier, which is trained by IAI time series from normal flow and attack flow, is applied to classify the state of current network flows and identify the DDoS attacks. The experiment results show that, IAI can reflect the different characteristics of DDoS attack flows and normal flows; the IAI-based detection scheme can distinguish between normal flows and abnormal flows with DDoS attack flows effectively, and help to identify fast and accurate attack flows when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources, and it has higher detection and lower false alarm rate compared with related works.

Jieren Cheng,Jianping Yin,Yun Liu,Zhiping Cai,Min Li

DOI: https://doi.org/10.1007/978-3-642-02270-8_22

2009-01-01

Abstract:Distributed denial of service (DDoS) attack is one of the major threats to the current Internet. After analyzing the characteristics of DDoS attacks and the existing Algorithms to detect DDoS attacks, this paper proposes a novel detecting algorithm for DDoS attacks based on IP address features value (IAFV). IAFV is designed to reflect the essential DDoS attacks characteristics, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. IAFV time series can be used to characterize the essential change features of network flows. Furthermore, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. The experimental results on the MIT data set show that our algorithm can detect DDoS attacks accurately and reduce the false alarm rate drastically.

Xin Xu,Yongqiang Sun,Zunguo Huang

DOI: https://doi.org/10.1007/978-3-540-71549-8_17

2007-01-01

Abstract:In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and the availability of DDoS attack tools has become more and more easy. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in the mediate network nodes or near the sources of DDoS attacks and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracies can be improved without much load on information communications among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.

Youqiong Zhuang,Hua Wu,Songtao Liu,Guang Cheng,Xiaoyan Hu

DOI: https://doi.org/10.23919/apnoms56106.2022.9919987

2022-01-01

Abstract:As the scale of Distributed Denial of Service (DDoS) flooding attacks has increased significantly, many detection methods have applied sketch data structures to compress the IP traffic for storage saving. However, due to the large IP address space, these methods need to flush the sketch frequently to reduce the hash collisions. Besides, few of them can be applied to detect attacks in the high-speed network where sampling is usually adopted. This paper proposes a hierarchical system named HDS for efficient and continuous DDoS flooding attack detection in high-speed networks. Rather than directly processing the IP traffic, HDS uses sketches to track sampled traffic at different levels of aggregation: interface level, area level, and host level. Then traffic classifiers are trained for each level for attack detection. The main advantage of our approach is that each detection level only tracks a small set of traffic, which can identify the attack victim fastly and hardly causes hash collisions. Experimental results on the real-world 10Gbps network traffic datasets show that HDS can effectively detect various DDoS flooding attacks with high accuracy and identify the victim within an average of 10s when the sampling rate exceeds 1/2048.

Qing LI,LeJun CHI,ZhaoXin ZHANG

DOI: https://doi.org/10.5815/ijwmt.2011.02.05

2011-01-01

International Journal of Wireless and Microwave Technologies

Abstract:Due to the rapid spread of botnets, distributed denial of service attacks have become more and more frequent and fatal.In order to detect and defend DDoS attack, many researches have been done, such as using NS2 to simulate such attacks.However, the major bottlenecks in large-scale network simulation are the memory usage and simulation time.In this paper, we present a novel approach to simulate DDoS attack, called Analytical Packet Forwarding Model (APFM), which simplifies the procedure of packet forwarding based on computation.The experimental results show that our model ensures the authenticity of the overall simulation procedure and simulation results, compared to NS2.The most significant contribution of APFM is that it significantly reduced the memory usage and simulation time.

Shi Jingyan,Wu Kun,Zeng Qingkai,Lü Zhijun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.010

2006-01-01

Abstract:The existing methods for DDoS attacks prevention usually require the protected system to analyze the attack stream to find out the attackers.But the attack stream is easy to be hidden in the common stream,which makes all of these methods inefficient.A prevention method based on interaction activity is proposed under these circumstances.During the period of attacks,server communicats with the suspicious clients to determine the attackers.The prevention method is combined with the application environment,and a prevention model is established which consists of system monitor,attacker identification,access control and so on.Then the model is deployed in Apache Web server to testify the high performance of the method.

Xin Wang,Xiaobo Ma,Jian Qu

DOI: https://doi.org/10.1109/dsa52907.2021.00026

2021-01-01

Abstract:In recent years, a new type of DDoS attacks against backbone routing links have appeared. They paralyze the communication network of a large area by directly congesting the key routing links concerning the network accessibility of the area. This new type of DDoS attacks make it difficult for traditional countermeasures to take effect. This paper proposes and implements an attack detection method based on non-cooperative active measurement. Experiments show that our detection method can efficiently perceive changes of network link performance and assist in identifying such new DDoS attacks. In our testbed, the network anomaly detection accuracy can reach 93.7%.

Wu Zhijun,Duan Haixin,Li Xing

DOI: https://doi.org/10.1007/s11767-005-0027-8

2006-01-01

Journal of Electronics (China)

Abstract:An approach of defending against Distributed Denial of Service (DDoS) attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.