Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Changhua Sun,Chengchen Hu,Yachao Zhou,Xin Xiao,Bin Liu

DOI: https://doi.org/10.1109/INFCOMW.2009.5072099

2009-01-01

Abstract:We propose to use the SYN/ACK-CliACK pair's behavior to detect the various SYN flood attacks more accurately. The SYN/ACK packets carry the full information of the TCP connections and it is impossible for the attacker to evade the detection by spoofing the control packets. Moreover, we use a space efficient data structure, counting Bloom filter, to recognize the CliACK packet and the memory cost is 2 MB even for 10 Gbps link speeds. We need to fully compare our scheme with the existing detection mechanisms in future.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Changhua Sun,Jindou Fan,Lei Shi,Bin Liu

2007-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack remains a serious problem on the Internet today, as it takes advantage of the lack of authenticity in the IP protocol, destination oriented routing, and stateless nature of the Internet. Among various DDoS attacks, the TCP SYN flooding [1] is the most commonly-used one. It exploits TCP’s three-way handshake mechanism and TCP’s limitation in maintaining half-open connections. When a server receives a SYN packet, it returns a SYN/ACK packet and allocates resources (typically backlog queue in the system memory) to track the TCP state. Then the server would wait until either the half-open connection completes or the TCP connection times out. In the SYN flooding attack, the server will receive a large number of SYN packets but never receive the final ACK packets to complete the three-way handshake. Then the victim server’s backlog queue can be easily exhausted, causing all the new incoming SYN requests to be dropped. Furthermore, many other system resources, such as CPU and network bandwidth used to retransmit the SYN/ACK packets, are occupied. The most viable techniques [2] up-to-date to defend SYN floods include SYN cache [3] and SYN cookies [4]. SYN cache is to allocate minimal state when the initial request is received, and only allocate all the resources when the connection is completed. If the backlog queue is full, the oldest entry is removed. SYN cookies allocate no state for half-open connections. Instead, they encode most of the states and encrypt them into the sequence number transmitted in the SYN/ACK packet. The ACK packet that completes the handshake can be used to reconstruct the state to be put into the backlog queue. One problem with SYN cookies is not able to encode all the TCP options, and the other is that TCP protocol with SYN cookies would never retransmit the unacknowledged SYN/ACK packet. In addition, both of them do not handle application data piggybacked on the SYN segment, i.e., incompatible with Transactional TCP (T/TCP)

严芬,王佳佳,陈轶群,殷新春,黄皓

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.09.019

2008-01-01

Computer Science

Abstract:An efficient light-weight method for defending against DDoS attacks at the source-end is designed.We use Bloom Filter to pick up the Abstract of packets,and then use change point computation technology to detect abnormity.The method can not only detect the existence of SYN Flooding attacks,but also avoid the false alarm of normal congestion.In experiment environment,DARPA data is replayed and the result shows that our method obtains more accurate detection result with less computation than other similar methods.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Chun-Hao Yang,Jhen-Ping Wu,Fang-Yi Lee,Ting-Yu Lin,Meng-Hsun Tsai

DOI: https://doi.org/10.3390/s23083817

2023-04-07

Abstract:Software-defined networking (SDN) is a new network architecture that provides programmable networks, more efficient network management, and centralized control than traditional networks. The TCP SYN flooding attack is one of the most aggressive network attacks that can seriously degrade network performance. This paper proposes detection and mitigation modules against SYN flooding attacks in SDN. We combine those modules, which have evolved from the cuckoo hashing method and innovative whitelist, to get better performance compared to current methods Our approach reduces the traffic through the switch and improves detection accuracy, also the required register size is reduced by half for the same accuracy.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Saravanan Kumarasamy,A. Gowrishankar

DOI: https://doi.org/10.48550/arXiv.1201.2103

2012-01-11

Abstract:Distributed denial-of-service attacks on public servers have recently become a serious problem. To assure that network services will not be interrupted and more effective defense mechanisms to protect against malicious traffic, especially SYN floods. One problem in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Another problem is single-point defenses (e.g. firewalls) lack the scalability needed to handle an increase in the attack traffic. We have designed a new defense mechanism to detect the SYN flood attacks. First, we introduce a mechanism for detecting SYN flood traffic more accurately by taking into consideration the time variation of arrival traffic. We investigate the statistics regarding the arrival rates of both normal TCP SYN packets and SYN flood attack packets. We then describe a new detection mechanism based on these statistics. Through the trace driven approach defense nodes which receive the alert messages can identify legitimate traffic and block malicious traffic by delegating SYN/ACK packets.

Cryptography and Security

Ding Pengfule,Tian Zhihong,Zhang Hongli,Wang Yong,Zhang Liang,Guo Sanchuan

DOI: https://doi.org/10.1109/dsc.2016.108

2016-01-01

Abstract:The extensive use of Internet technology has brought great convenience to modern society, however, more and more severe problems regarding to network security have also emerged at the same time. Especially the DDoS attacks, represented by SYN Flood, pose massive threats to the network security. This paper discusses an algorithm which could detect SYN Flood attack quickly under large scale network: the adaptive threshold algorithm. Then we propose "Slow detection, Fast recovery" mechanism on basis of adaptive threshold algorithm. Finally, we implement the attack detection and defense algorithms in dual-stack firewall, and test the validity and performance respectively. The results indicate that the methods of detecting and defending SYN Flood proposed by this paper can improve the system efficiency substantially when firewall is attacked, while consuming only a small amount of extra memory.

严芬,王佳佳,殷新春,黄皓

DOI: https://doi.org/10.3969/j.issn.1002-137x.2008.12.028

2008-01-01

Computer Science

Abstract:An efficient light-weight method for defending against DDoS attacks at the source end was designed.The Bloom Filter was used to pick up the amount of doubtful new source IP of network packets.Then,on line VTP technology was used to detect abnormity.Our method can not only detect the existence of DDoS attacks on line,but also avoid the false alarm of normal break.According to experiments,the method can find out the DDoS intrusion against the large scale network,which does not arouse the sharp changes of the network traffic.

Zhichun Li,Yan Gao,Yan Chen

DOI: https://doi.org/10.1016/j.comnet.2009.10.016

IF: 5.493

2009-01-01

Computer Networks

Abstract:Global-scale attacks like worms and botnets are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper, leveraging data streaming techniques such as the reversible sketch, we design HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND: (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst-case traffic of 40-byte-packet streams with each packet forming a flow.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

A. Pavlidis,Marinos Dimolianis,B. Maglaris

DOI: https://doi.org/10.1109/ICIN51074.2021.9385540

2021-03-01

Abstract:Distributed Denial of Service (DDoS) attacks are widely used by malicious actors to disrupt network infrastructures/services. A common attack is TCP SYN Flood that attempts to exhaust memory and processing resources. Typical mitigation mechanisms, i.e. SYN cookies require significant processing resources and generate large rates of backscatter traffic to block them. In this paper, we propose a detection and mitigation schema that focuses on generating and optimizing signature-based rules. To that end, network traffic is monitored and appropriate packet-level data are processed to form signatures i.e. unique combinations of packet field values. These are fed to machine learning models that classify them to malicious/benign. Malicious signatures corresponding to specific destinations identify potential victims. TCP traffic to victims is redirected to high-performance programmable XDPenabled firewalls that filter off ending traffic according to signatures classified as malicious. To enhance mitigation performance malicious signatures are subjected to a reduction process, formulated as a multi-objective optimization problem. Minimization objectives are (i) the number of malicious signatures and (ii) collateral damage on benign traffic. We evaluate our approach in terms of detection accuracy and packet filtering performance employing traces from production environments and high rate generated attack traffic. We showcase that our approach achieves high detection accuracy, significantly reduces the number of filtering rules and outperforms the SYN cookies mechanism in high-speed traffic scenarios.

Computer Science,Engineering

Yan Gao,Zhichun Li,Yan Chen

DOI: https://doi.org/10.1109/icdcs.2006.6

2006-01-01

Abstract:Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND I ) is scalable to flow-level detection on high-speed networks; 2) zs DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4 ) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case trafic of 40-byte-packet streams with each packet forming a flow.

Xianliang Jiang,Jiangang Yang,Guang Jin,Wei

DOI: https://doi.org/10.1109/lcomm.2013.022713.122652

IF: 3.5529

2013-01-01

IEEE Communications Letters

Abstract:In traditional Active Queue Management algorithms, e.g. RED, each flow, defined with the source and destination IP address of packets, fairly contends for the cache of bottleneck queues. However a malicious flow cannot be identified. And it enables potential network-layer attacks, e.g. the flooding Denial-of-Service (DoS) attack and the low-rate DoS attack. In this letter, we propose a new scheme using the flows trust values to defend against DoS attacks. Different from previous schemes, it employs the flow trust to safeguard legitimate flows. A router monitors network flows and calculates flows trust values, which are used for the relevant queue management. Malicious flows would be with lower trust values while legitimate flows would be with higher ones. Simulation results show that the scheme improves the throughput and delay in DoS attacking scenarios comparing with existing queue management algorithms. We consider the scheme is practical and effective to secure networks.

Mehdi Ebady Manna,Angela Amphawan

DOI: https://doi.org/10.48550/arXiv.1202.1761

2012-02-09

Abstract:Denial of Service (DoS) is a security threat which compromises the confidentiality of information stored in Local Area Networks (LANs) due to unauthorized access by spoofed IP addresses. SYN Flooding is a type of DoS which is harmful to network as the flooding of packets may delay other users from accessing the server and in severe cases, the server may need to be shut down, wasting valuable resources, especially in critical real-time services such as in e-commerce and the medical field. The objective of this paper is to review the state-of-the art of detection mechanisms for SYN flooding. The detection schemes for SYN Flooding attacks have been classified broadly into three categories - detection schemes based on the router data structure, detection schemes based on statistical analysis of the packet flow and detection schemes based on artificial intelligence. The advantages and disadvantages for various detection schemes under each category have been critically examined. The performance measures of the categories have also been compared.

Cryptography and Security