Shuangke Wu,Yanjiao Chen,Minghui Li,Xiangyang Luo,Zhe Liu,Lan Liu

DOI: https://doi.org/10.1109/tnet.2020.2973410

2020-01-01

Abstract:Mining pools have become dominant in today's bitcoin mining network, where miners can pool their powers together for reduced variance of block mining and steadier stream of potential income. Along with the continuous evolvement of mining pools are the increasingly intense competitions among them. Recent empirical studies have shown that the distributed denial-of-service (DDoS) attack is one of the most common ways for competing mining pools to sabotage the rivals and earn illegitimate rewards. Existing efforts have been made on using static game models to analyze the interactions between mining pools, and derive the Nash Equilibrium and optimal attacking strategies in a one-time static context. To better understand the impact of such DDoS attacks, in this paper, we take a starkly different approach, and for the first time address the dynamics in mining pool attacks. Specifically, we start by formulating the interactive competition among mining pools as a general-sum stochastic game. Then we propose an efficient Nash learning algorithm to obtain the near optimal attacking strategy that maximizes the expected long-term utility. Our theoretical analysis and extensive experimental results both show that the proposed strategy outperforms the baseline myopic learning algorithm, which only aims at maximizing the revenue in the current time stage. These findings, together with our proposed stochastic game model and learning algorithm, are expected to provide more practical guidelines for mining pools to survive and thrive in the highly-competitive bitcoin ecosystem.

ZH Tian,BX Fang,XC Yun

DOI: https://doi.org/10.1109/wi.2004.50

2005-01-01

Abstract:Flash crowd events (FCEs) and malicious traffic including DDoS and worm attacks present a real threat to the stability of Web services. In this paper, we design a practical defense system that can provide some needed relief from the two types of events and protect the availability of Web services. A novel method of dynamic bandwidth arbitration using Generalized Vickrey auction based on microeconomics is proposed. By adopting this approach, not only the availability of Web services is improved but also the total utility of users can be maximized. Initial simulations have shown that this mechanism is promising direction to control both FCEs and malicious traffic. The presentation in this paper is a first step towards a more rigorous evaluation.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Peikai Li,Yun Liu,Huanhai Xin,Xichen Jiang

DOI: https://doi.org/10.1109/tii.2017.2788868

IF: 12.3

2018-01-01

IEEE Transactions on Industrial Informatics

Abstract:As distributed generators (DGs) rapidly integrate into current power systems, new methods to effectively manage them need to be developed. Toward this end, a large number of geographically dispersed DGs are generally aggregated into a virtual power plant (VPP). Then, distributed control schemes are used to achieve optimal economic dispatch of the VPP by maintaining equal incremental costs of DGs while the aggregated DG power matches the dispatch command. Often, one of the drawbacks of distributed schemes is that they are susceptible to communication failures and cyber-attacks (i.e., noncolluding and colluding attacks). In order to mitigate this problem, an attack-robust distributed economic dispatch strategy is proposed where we assume that every DG can monitor the behavior of its in-neighbors and has the network connectivity information. The proposed strategy detects the misbehaving DGs residing in the network and gradually isolates them so that the remaining well-behaving DGs could still accomplish the economic dispatch. The effectiveness of the proposed strategy is illustrated through simulations on the IEEE 123-bus test system.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

ZHANG Shao-jun,LI Jian-hua,CHEN Xiu-zhen,HU Wei

DOI: https://doi.org/10.3321/j.issn:1006-2467.2008.02.009

2008-01-01

Abstract:As one of the most notorious network attacks,distributed denial-of-service(DDoS) attack is famous for its easiness to launch and difficulty to defend.DDoS attack was regarded as a multistage game of incomplete information with observable actions and its extensive form was given out.It is pointed out that to attain the game's perfect Bayes equilibrium,the problem of computing and modifying the belief value of each player's type must be solved.As a practice of this viewpoint,a method of filtering attack stream according to its package rate and source address distribution characteristic was proposed.Finally, simulation was given out to demonstrate the effectiveness of the method.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Wencong You,Lei Jiao,Jun Li,Ruiting Zhou

DOI: https://doi.org/10.1109/infocom41043.2020.9155493

2020-01-01

Abstract:While both Internet Service Providers (ISPs) and third-party Security Service Providers (SSPs) offer Distributed Denial-of-Service (DDoS) mitigation services through cloud-based scrubbing centers, it is often beneficial for ISPs to outsource part of the traffic scrubbing to SSPs to achieve less economic cost and better network performance. To explore this potential, we design an online auction mechanism, featured by the challenge of the switching cost of using different winning bids over time. Formulating the social cost minimization as a nonconvex integer program, we firstly relax it and design an online algorithm that breaks it into a series of modified single-shot problems and solves each of them in polynomial time, without requiring knowledge of future inputs; then, we design a randomized rounding algorithm to convert the fractional decisions into integers without violating any constraints; and finally, we design the payment for each bid based on its winning probability. We rigorously prove that our mechanism achieves a parameterized-constant competitive ratio for the long-term social cost, with truthfulness and individual rationality in expectation. We also exhibit its superior practical performance via evaluations driven by real-world data traces.

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Huafeng Bian,Xiaobo Ma,Pengyu Pan

DOI: https://doi.org/10.1109/dsa52907.2021.00043

2021-01-01

Abstract:DoS attacks are currently one of the main security issues threatening the Internet. The harm caused by DDoS attacks and effective countermeasures have been research hot topics in the field of network security. However, how DDoS attacks affect different congest control mechanisms has not been investigated. In this paper, through theoretical analysis of congestion control algorithms in the TCP/IP protocol, we analyze the performance and fairness of multiple congestion control algorithms in the DDoS environment. Experiments show that the Cubic algorithm can make full use of network bandwidth and has good fairness under DDoS attacks. This finding is of great significance for further understanding of DDoS attacks and effective countermeasures.

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1007/11839569_45

2006-01-01

Abstract:Distributed denial-of-service attack is one of major threats to Internet today. Rate limit algorithm with max-min fairness is an effective countermeasure to defeat flooding-style DDoS attacks under the assumption that attackers are more aggressive than legitimate users. However, under a “meek” DDoS attack where such an assumption is no longer valid, it will fail to protect legitimate traffic effectively. In order to improve the survival ratio of legitimate packets, an IP traceback based rate limit algorithm is proposed. Simulation results show that it could not only mitigate the DDoS attack effect, but also improve the throughput of legitimate traffic even under a meek attack.

Yuan Cao,Yuan Gao,Rongjun Tan,Qingbang Han,Zhuotao Liu

DOI: https://doi.org/10.1109/ACCESS.2018.2877710

IF: 3.9

2018-01-01

IEEE Access

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. One practical approach to addressing DDoS attacks is to redirect all destination (e.g., via DNS or BGP) to a third-party, DDoS protection-as-a-service provider (e.g., Cloudflare and Akamai), which is well provisioned and equipped with proprietary filtering mechanisms to remove attack traffic before passing the remaining traffic to the destination. Although such an approach is appealing, as it requires no modification to the existing Internet infrastructure and can scale to handle very large attacks, recent industrial interviews with more than 100 interviewees from over 10 industry segments reveal that this approach alone is not sufficient, especially for large organizations (e.g., Web hosting companies and government) that cannot afford to allow third-parity security-service providers to terminate their network connections. Instead, these organizations have to rely on their ISPs to filter attack traffic. In this paper, we discuss the challenges faced by the ISPs in order to disrupt the Internet security-service market and sketch our solutions, powered by smart contracts.

Shibo Luo,Jun Wu,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/FCST.2015.11

2015-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture which decouples network control and forwarding. It has some particular features such as central control and programmability to combat against DDoS attack. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw a conclusion of the needs of defense mechanism for successful combating against DDoS. Then, we analyze the particular features of SDN and conclude it is conducive to countermeasure DDoS attack. According the analysis, we construct a defense mechanism for DDoS in SDN. At last, we illustrate how this mechanism could combat against DDoS attacks through a working example.

Xiao Liu,Zhao Huang,Quan Wang,Yin Chen,Yuan Cao

DOI: https://doi.org/10.3390/electronics13020398

IF: 2.9

2024-01-19

Electronics

Abstract:A Distributed Denial of Service (DDoS) attack is a prevalent issue in the blockchain network layer, causing significant revenue loss for honest mining pools. This paper introduces a novel method, the Repeated Game-based DDoS attack mitigation (RGD), to address this problem. Unlike traditional methods such as game theory and machine learning-based detection, the RGD method can effectively reflect the changes in mining revenue and strategies under different network-strength environments. In particular, we abstract the problem of DDoS mining pool revenue loss into a game revenue model and propose the subgame perfect equilibrium (SPE) approach to solve the optimal payoffs and pool strategies in various network environments. Furthermore, we address the returns of mining pools in an infinitely repeated game environment using the Two-Stage Repeated Game (TSRG) method, where the strategy varies with different network environments. The Matlab experimental simulation results indicate that as the network environment improves, the optimal mining strategies of mining pools are gradually shifting from honest strategies to launching DDoS attacks against each other. The RGD method can effectively represent the impact of changes in the network environment on the mining pool's strategy selection and optimal revenue. Consequently, with the changing network environment, the optimal revenue of the mining pool only increases by 10% of the revenue loss during a DDoS attack.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.