HUANG Lei,WU Chun-ming,JIANG Ming,ZHANG Dong

2010-01-01

Abstract:This paper proposes a new active queue management algorithm named REDu that excavates in depth the essential differences between non-adaptive and adaptive flows.Taking use of information like CHOKe Hit and RED Drop,this algorithm preselects non-adaptive flows and utilizes a heat increasing and decreasing mechanism to compute heat,a new kind of partial flow state,achieving the detection and punishment of non-adaptive flows.Simulation results based on ns-2 show that,compared with several other active queue management algorithms,REDu can detect and punish non-adaptive flows more precisely,bring more adequate protection to adaptive flows and improve network robustness significantly.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Xi Sun,Xiang Chen,Di Wang,Zhengyan Zhou,Xinyue Jiang,Wenhai Wang,Chunming Wu,Haifeng Zhou

DOI: https://doi.org/10.1109/secon58729.2023.10287419

2023-01-01

Abstract:How to satisfy the latency and reliability requirements of flow data transfer is an essential problem. To address this problem, we propose RFT, a framework that aims to satisfy the user-specified latency and reliability requirements of flow data transfer, especially in the situation where the network resources are insufficient. Firstly, we formulate the problem of satisfying the user-specified latency and reliability requirements of data transfer via mixed integer linear programming (MILP), and a heuristic algorithm is then designed to solve it in a polynomialtime. Secondly, to satisfy these requirements under insufficient network resources, we proposed a greedy-based algorithm used to select the minimum number of links added to the network, which can be deployed with low cost, especially in production networks such as data centers. Finally, we have implemented RFT on a 64$\times$100 Gbps Intel Barefoot Tofino switch. Our experimental results indicate that RFT satisfies the user-specified latency and reliability requirements in all test cases at acceptable costs, even when the network resources are insufficient.

Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

FU Yong-sheng,LI Shan-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2011.09.002

2011-01-01

Abstract:In wireless Ad Hoc networks,when a couple of flows pass through a single relaying node,the severe contention for the bandwidth between flows may block the communication between source nodes and destination nodes and starve the flows with lower priority.Most of the existing flow control schemes depend on the passive timeout message for flow block and starvation.To address this issue,a threshold based distributed flow control(TDFC) scheme was proposed based on setting the blocking threshold for blocking detection.In TDFC,the packets of greedy data flows are blocked by the relaying nodes.Thus,greedy behaviors can be suppressed effectively.Each relaying node sets the block threshold for each flow and then the communication congestion can be detected immediately.In addition,by comparison with IEEE 802.11 EDCA,TDFC can implement the fairness between flows,reduce the flow block and improve the network throughput by 20%.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

M Jiang,CM Wu,ML Zhu

IF: 1.019

2004-01-01

Chinese Journal of Electronics

Abstract:To address the problems of TCP (Transport control protocol) end-to-end congestion control mechanism, the IETF (Internet engineering task force) advocates deploying active queue management mechanisms in the network. RED is a popular AQM algorithm. It uses average queue size to detect the incipient network congestion. RED can effectively resolve the problems of traditional Drop-Tail. However, there are still some problems with RED. RED is too sensitive to its parameters and the changes of the number of active TCP connections. On the other hand, the congestion notification sending rate of RED algorithm is determined by max(p) and the value of maxp is fixed. As a result, these will lead to queue size oscillation which causes queuing delay and jitter. This paper proposes a new adaptive AQM algorithm named "MRED" (Modified RED). Our goal is to stabilized the queue size in a wide variety of traffic scenarios. MRED can adjust the value of max(p) to the changes of the traffic load so that the congestion notification can be sent to sufficient TCP sources to mitigate the congestion level. Simulation results indicate that MRED can effectively avoid the queue overflow and stabilize the queue occupation independent of the number of active TCP connections thus resulting in a more predictable packet delay in the network.

Dezhang Kong,Xiang Chen,Chunming Wu,Yi Shen,Zhengyan Zhou,Qiumei Cheng,Xuan Liu,Mingliang Yang,Yubing Qiu,Dong Zhang,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tifs.2024.3472477

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:The flow table is a critical component of Software-Defined Networking (SDN). However, flow tables' limited capacity makes them highly vulnerable to flow table overflow attacks (FTOAs). Due to the low attack cost and highly flexible attack forms, it is hard to eradicate FTOAs. This paper addresses three unsolved problems for table security and proposes a robust defense accordingly. First, we reveal that the existing defenses with fixed defense speeds will cause severe packet loss when handling diverse traffic. We prove that deleting multiple rules can efficiently solve this problem and give a rigorous derivation to calculate the suitable deletion number according to the environment. Second, we illustrate that abnormal table occupancy squeezing is a constant characteristic of FTOAs regardless of attack forms. It can be used to identify attacked ports accurately in different scenarios. Third, we mathematically prove that random deletion can guarantee the continuous decrease of malicious flow rules after confirming attacked ports. It achieves fast speed and robust effectiveness in different environments. Based on these findings, we design rDefender, a robust and lightweight defense prototype. We evaluate its effect by designing diverse, powerful attacks and using real-world datasets and topology. The results demonstrate that it achieves the best overall performance compared to six existing mainstream defenses, providing stable security for switch flow tables.

computer science, theory & methods,engineering, electrical & electronic

hui wang,xiaohui lin,kaiyu zhou,nin xie,l i hui

DOI: https://doi.org/10.4236/ijcns.2009.21009

2009-01-01

Abstract:Internet routers generally see packets from a fast flow more often than a slow flow. This suggests that network fairness may be improved without per-flow information. In this paper, we propose a scheme using Most Recently Used List (MRUL)-a list storing statistics of limited active flows that sorted in most recently seen first mode-to improve the fairness of RED. Based on the list, our proposed scheme jointly considers the identification and punish of the fast and unresponsive fast flows, and the protection of slow flows. Its performance improvements are demonstrated with extensive simulations. Different from the previous proposals, the complexity of our proposed scheme is proportional to the size of the MRUL list but not coupled with the queue buffer size or the number of active flows, so it is scalable and suitable for various routers. In addition, another issue we address in this paper is queue management in RED. Specifically, we replace the linear packet dropping function in RED by a judicially designed nonlinear quadratic function, while original RED remains unchanged. We call this new scheme Nonlinear RED, or NLRED. The underlying idea is that, with the proposed nonlinear packet dropping function, packet dropping becomes gentler than RED at light traffic load but more aggressive at heavy load. As a result, at light traffic load, NLRED encourages the router to operate in a range of average queue sizes rather than a fixed one. When the load is heavy and the average queue size approaches the pre-determined maximum threshold (i.e. the queue size may soon get out of control), NLRED allows more aggressive packet dropping to back off from it. Simulations demonstrate that NLRED achieves a higher and more stable throughput than RED and REM. Since NLRED is fully compatible with RED, we can easily upgrade/replace the existing RED implementations by NLRED.

Yuan Cao,Lijuan Han,Xiaojin Zhao,Xiaofang Pan

DOI: https://doi.org/10.48550/arXiv.1903.06394

2019-03-15

Abstract:Because of the open nature of the Wireless Sensor Networks (WSN), the Denial of the Service (DoS) becomes one of the most serious threats to the stability of the resourceconstrained sensor nodes. In this paper, we develop AccFlow which is an incrementally deployable Software-Defined Networking based protocol that is able to serve as a countermeasure against the low-rate TCP DoS attack. The main idea of AccFlow is to make the attacking flows accountable for the congestion by dropping their packets according to their loss rates. The larger their loss rates, the more aggressively AccFlow drops their packets. Through extensive simulations, we demonstrate that AccFlow can effectively defend against the low-rate TCP DoS attack even if attackers vary their strategies by attacking at different scales and data rates. Furthermore, while AccFlow is designed to solve the low-rate TCP DoS attack, we demonstrate that AccFlow can also effectively defend against general DoS attacks which do not rely on the TCP retransmission timeout mechanism but cause denial of service to legitimate users by consistently exhausting the network resources. Finally, we consider the scalability of AccFlow and its deployment in real networks.

Cryptography and Security

Dongping Zhao,Deyun Zhang,Jiuxing Cao,Weibin Zheng,Zhiping An

DOI: https://doi.org/10.1007/11576235_35

2005-01-01

Abstract:One weakness of the RED algorithm typical of routers is that at any given time, it imposes the same loss probability on all flows, regardless of their QoS. In this paper, we propose an improved packet discard algorithm based on RED for real-time multimedia service, which does its endeavor to avoid dropping packets from the same flow continuously in terms of instantaneous loss rate and short-time average loss rate. It traces the concerned flow's state whenever every packet's arrival and then dynamically adjusts the packet drops to achieve a given loss rate. When network is congested, it drops all packets of certain invalid flows mandatorily to avoid a majority of applications being invalidated simultaneously because of packet loss. Our evaluation results indicate that the proposed algorithm provides better QoS for real-time multimedia service, whether network is congested or not.

Ying Zeng,Yong Wang,Yuming Liu

DOI: https://doi.org/10.1109/access.2024.3383877

IF: 3.9

2024-04-09

IEEE Access

Abstract:In Software-Defined Networks (SDN), the ternary content addressable memory (TCAM) capacity in switches is limited, making them vulnerable to low-rate flow table overflow attacks. Most existing research in this field has not focused on the influence of flow entry eviction mechanisms on the effectiveness of such attacks. This paper proposes an adaptive low-rate flow table overflow attack (ALFO), which can adopt corresponding attack modes under different flow entry eviction mechanisms, significantly degrading network service quality. Due to the different features of ALFO under different attack modes, the existing attack detection methods are ineffective in this attack. Therefore, this paper proposes a detection and mitigation framework, which is called adaptive low-rate flow table overflow attack guard framework (ALFO-Guard). It extracts flow features from flow entry information in the switch and aggregates them into a current-time graph model. Then, combining graph neural networks, it performs graph anomaly detection and flow entry classification to identify attack flow entries. Finally, the attack can be eliminated by deleting the identified attack flow entries and blocking the attack flows. The effectiveness of ALFO and ALFO-Guard is validated through extensive experiments, and the experimental results demonstrate that ALFO-Guard can effectively defend against ALFO.

computer science, information systems,telecommunications,engineering, electrical & electronic

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Yan Gao,Zhichun Li,Yan Chen

DOI: https://doi.org/10.1109/icdcs.2006.6

2006-01-01

Abstract:Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND I ) is scalable to flow-level detection on high-speed networks; 2) zs DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4 ) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case trafic of 40-byte-packet streams with each packet forming a flow.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Chengchen Hu,Bin Liu

DOI: https://doi.org/10.1109/AINA.2004.1283842

2004-01-01

Abstract:Prior survey of RED algorithm deployment on multi-queuesystem with shared buffer was unfair and sensitiveto congestion level by statically setting the parameters. Inthis paper, our goal is to deploy the Random EarlyDetection (RED) algorithm in routers on shared bufferand solve these problems. A novel buffer managementscheme that dynamically adjusts the parameters of REDnamed RED-ODT is proposed. Simulations underuniform traffic load and nonuniform traffic load are given,the results of which ascertain and demonstrate thesuperiority of the proposed scheme in terms of low packetdrop ratio, satisfying buffer utilization and fairness.Simulation also shows that RED-ODT is insensitive tocongestion level.

Changhua Sun,Jindou Fan,Bin Liu

DOI: https://doi.org/10.1109/CHINACOM.2007.4469411

2007-01-01

Abstract:We propose a more robust scheme to detect SYN flooding attacks. Existing methods for detecting SYN flooding are based on the protocol behavior of TCP SYN-FIN (RST) or SYN-ACK pairs, as normally the number of SYN packets is equal to that of FIN (added with RST) packets, or ACK packets in the handshake. When SYN flood starts, there will be more SYN packets. However, the attacker can avoid the detection by sending the FIN or RST packets (ACK packets) in conjunction with the SYN packets. To make the detection scheme more robust, we record the flow information of SYN packets in a counting Bloom Filter, and count the FIN (RST) packets according to the Bloom Filter. In addition, the Change Point Detection method based on a non-parametric Cumulative Sum algorithm is applied to make the detection mechanism much more generally applicable. Through trace-driven simulations, we show our detection scheme is more efficient and robust in detecting various SYN flooding attacks. More importantly, our scheme can be easily deployed at ISP's edge routers.

Gao Shang,Peng Zhe,Xiao Bin,Hu Aiqun,Ren Kui

DOI: https://doi.org/10.1109/infocom.2017.8057009

2017-01-01

Abstract:The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.