Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

Xiang Chen,Hongyan Liu,Tingxin Sun,Qun Huang,Dong Zhang,Xuan Liu,Boyang Zhou,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/infocom53939.2023.10229080

2023-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernel-based tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools result in unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for DDoS defense solutions. The key idea is to leverage the programmable switch to perform testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. Our experiments on a 64×100Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Guang Jin,Jiangang Yang,Wei,Yabo Dong

DOI: https://doi.org/10.1109/nas.2007.38

2007-01-01

Abstract:Denial-of-service (DoS) attacks is a major threat to Internet security. Among numerous defense techniques, recently architecture-level capabilities scheme is a promising one. As a typical and comprehensive capabilities scheme, traffic validation architecture (TVA) tries to limit DoS attacks essentially and completely. Yet its effectiveness suffers from a new kind of DoS attacks, denial-of-capability (DoC), which takes place in the connection-setup step when clients send requests for capabilities. To overcome the DoC attacks, potential attack characteristics are analyzed in detail. And a notification-based mechanism is proposed to mitigate DoC attacks and enhance the robustness of TVA. A capability-enabled router should send a reverse notification with a special and unforgeable source identifier to the source when it has to drop a request packet under DoC attacks. Then an enhanced request packet including the source identifier is returned by the source and verified by the router. The enhanced request packet with higher secure level is processed in enhanced channels instead of unprivileged channels. Moreover enhanced requests are fair-queued based on per-source instead of per-Pi in TVA. Theoretical analysis and simulation results show that the notification mechanism can suppress DoC attacks effectively and make the capabilities architecture more robust and practical.

Donato Ferraro,Luca Palazzi,Federico Gavioli,Michele Guzzinati,Andrea Bernardi,Benjamin Rouxel,Paolo Burgio,Marco Solieri

DOI: https://doi.org/10.1007/s11241-023-09404-2

2023-08-22

Real-Time Systems

Abstract:Autonomous and software-defined vehicles (ASDVs) feature highly complex systems, coupling safety-critical and non-critical components such as infotainment. These systems require the highest connectivity, both inside the vehicle and with the outside world. An effective solution for network communication lies in Time-Sensitive Networking (TSN) which enables high-bandwidth and low-latency communications in a mixed-criticality environment. In this work, we present Time-Sensitive Autonomous Architectures (TSAA) to enable TSN in ASDVs. The software architecture is based on a hypervisor providing strong isolation and virtual access to TSN for virtual machines (VMs). TSAA latest iteration includes an autonomous car controlled by two Xilinx accelerators and a multiport TSN switch. We discuss the engineering challenges and the performance evaluation of the project demonstrator. In addition, we propose a Proof-of-Concept design of virtualized TSN to enable multiple VMs executing on a single board taking advantage of the inherent guarantees offered by TSN.

computer science, theory & methods

Guang Jin,Jian-gang Yang,Wei Wei,Ya-bo Dong

DOI: https://doi.org/10.3724/sp.j.1146.2007.00460

2008-01-01

Abstract:Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.

Linbo Hui,Lei Zhang,Yannan Hu,Jianping Wu,Yong Cui

DOI: https://doi.org/10.1109/mic.2023.3264319

IF: 2.68

2023-01-01

IEEE Internet Computing

Abstract:Large-scale Internet Protocol (IP) spoofing distributed denial-of-service (DDoS) attacks is one of the major cyber threats. Current commercial defenses focus on eliminating attacks at the destination end, which raises concerns about the cost of appliances and the impact on quality of service. As complementaries, source-end schemes using source address validation (SAV) can block IP spoofing traffic from entering the backbone. However, their effectiveness is restricted by incremental deployment. This paper proposes SAV-D, an SAV-based honeynet-like distributed defense architecture against IP spoofing DDoS. Each SAV device functions as a honeypot to capture more threat data. By aggregating these data, SAV-D can accurately detect ongoing attacks and generate defense policies. With the policies, both SAV and non-SAV devices can filter malicious traffic. Our simulation results demonstrate that SAV-D can effectively filter out 80% of attack traffic with a modest deployment ratio of only 10%. To enable broader adoption, we also provide some guidance on standardizing SAV-D.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Prabhakar Krishnan,Subhasri Duttagupta,Krishnashree Achuthan

DOI: https://doi.org/10.1002/spe.2761

2020-05-01

Abstract:<p>Currently, core networking architectures are facing disruptive developments, due to emergence of paradigms such as Software‐Defined‐Networking (SDN) for control, Network Function Virtualization (NFV) for services, and so on. These are the key enabling technologies for future applications in 5G and locality‐based Internet of things (IoT)/wireless sensor network services. The proliferation of IoT devices at the Edge networks is driving the growth of <i>all‐connected</i> world of Internet traffic. In the <i>Cloud‐to‐Things</i> continuum, processing of information and data at the Edge mandates development of security best practices to arise within a fog computing environment. Service providers are transforming their business using NFV‐based services and SDN‐enabled networks. The SDN paradigm offers an easily programmable model, global view, and control for modern networks, which demand faster response to security incidents and dynamically enforce countermeasures to intrusions and cyberattacks. This article proposes an autonomic multilayer security framework called <i>Distributed Threat Analytics and Response System (DTARS)</i> for a converged architecture of Fog/Edge computing and SDN infrastructures, for emerging applications in IoT and 5G networks. The major detection scheme is deployed within the data plane, consisting of a coarse‐grained behavioral, anti‐spoofing, flow monitoring and fine‐grained traffic multi‐feature entropy‐based algorithms. We developed exemplary defense applications under DTARS framework, on a malware testbed imitating the real‐life DDoS/botnets such as Mirai. The experiments and analysis show that DTARS is capable of detecting attacks in real‐time with accuracy more than 95% under attack intensities up to 50 000 packets/s. The benign traffic forwarding rate remains unaffected with DTARS, while it drops down to 65% with traditional NIDS for advanced DDoS attacks. Further, DTARS achieves this performance without incurring additional latency due to data plane overhead.</p>

Na Ruan,Hori, Y.

DOI: https://doi.org/10.1109/icost.2012.6271291

2012-01-01

Abstract:The Internet of Things (IoTs) is an emerging concept referring to networked everyday objects that interconnect to each other via wireless sensors attached to them. TESLA is a source authentication protocol for the broadcast network. Scalability of TESLA is limited by distribution of its unicast-based initial parameter. Low energy consumption version of TESLA is μTESLA, which is designed for wireless sensor network (WSN), while cannot tolerate DoS attack. TESLA++ is the DoS-tolerant version and is designed for VANET. TESLA++ cannot be accepted by WSN because of its higher consumption of power. To realize secure and robust DoS attack in the hybrid-vehicle-sensor network, we provide a TESLA-based protocol against DoS attack with a lower consumption of power. Analysis results demonstrate that using our protocol is better than using μTESLA or TELSA++, respectively.

Yi Shi,Xinyu Yang

DOI: https://doi.org/10.1007/11596981_54

2005-01-01

Abstract:Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In this paper, we propose a novel global defense architecture to protect the entire Internet from DDoS attacks. This architecture includes all the three parts of defense during the DDoS attack: detection, filtering and traceback, and we use different agents distributed in routers or hosts to fulfill these tasks. The superiority of the architecture that makes it more effective includes: (i) the attack detection algorithm as well as attack filtering and traceback algorithm are both network traffic-based algorithms; (ii) our traceback algorithm itself also can mitigate the effects of the attacks. Our proposed scheme is implemented through simulations of detecting and defending SYN Flooding attack, which is an example of DDoS attack. The results show that such architecture is much effective because the performance of detection algorithm and traceback algorithm are both better.

Lu Yu,Qing Wang,Geddings Barrineau,Jon Oakley,Richard R. Brooks,Kuang-Ching Wang

DOI: https://doi.org/10.1109/MALWARE.2017.8323961

2017-09-04

Abstract:Destination IP prefix-based routing protocols are core to Internet routing today. Internet autonomous systems (AS) possess fixed IP prefixes, while packets carry the intended destination AS's prefix in their headers, in clear text. As a result, network communications can be easily identified using IP addresses and become targets of a wide variety of attacks, such as DNS/IP filtering, distributed Denial-of-Service (DDoS) attacks, man-in-the-middle (MITM) attacks, etc. In this work, we explore an alternative network architecture that fundamentally removes such vulnerabilities by disassociating the relationship between IP prefixes and destination networks, and by allowing any end-to-end communication session to have dynamic, short-lived, and pseudo-random IP addresses drawn from a range of IP prefixes rather than one. The concept is seemingly impossible to realize in todays Internet. We demonstrate how this is doable today with three different strategies using software defined networking (SDN), and how this can be done at scale to transform the Internet addressing and routing paradigms with the novel concept of a distributed software defined Internet exchange (SDX). The solution works with both IPv4 and IPv6, whereas the latter provides higher degrees of IP addressing freedom. Prototypes based on OpenvSwitches (OVS) have been implemented for experimentation across the PEERING BGP testbed. The SDX solution not only provides a technically sustainable pathway towards large-scale traffic analysis resistant network (TARN) support, it also unveils a new business model for customer driven, customizable and trustable end-to-end network services.

Networking and Internet Architecture

Zheng Liu,Mingwei Xu,Jiahao Cao,Qi Li

DOI: https://doi.org/10.1007/978-981-10-8890-2_37

2018-01-01

Abstract:Amplification attack, as a new kind of DDoS attack, is more destructive than traditional DDoS attack. Under the existing Internet architecture, it is difficult to find effective measures to deal with amplification attack. In this paper, we propose a two-phase reference detecting scheme by utilizing Software Defined Infrastructure capabilities: switch side is volume-based and controller side is feature-based. The proposed scheme is protocol-independent and lightweight, unlike most of the existing strategies. It can also detect amplification attack in the request phase for a small price, before these attacks cause actual harm. Upon the architecture, we design detection algorithms and a prototype system. Experimental results with both online and offline data sets show that the detection scheme is effective and efficient.

Zhuotao Liu,Yuan Cao,Min Zhu,Wei Ge

DOI: https://doi.org/10.48550/arXiv.1903.07796

2019-04-06

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the userspecific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

Cryptography and Security

Saurav Kumar,Ajit kumar Keshri

DOI: https://doi.org/10.1016/j.knosys.2024.112052

IF: 8.139

2024-06-21

Knowledge-Based Systems

Abstract:The Internet of Things enables the creation of transmitted use cases for interconnected devices and complementary channels. The varied structure of it creates additional security needs and problems. In particular, the safeguards used in the IoT should adjust to the changing environment. One of the major dangers to the World Wide Web (WWW) things is Distributed Denial of Service (DDoS). Therefore, in this work, an intelligent Game Theory-based Adaptive security (GT-AS) mathematical model was developed to maximize the effectiveness of DDoS attack mitigation. Moreover, this strategy can strongly derive the five parameters such as energy channel, memory, intruder, and hybrid. These all can achieve a stronger defense posture against DDoS attacks from the newly designed IoT. Consequently, the Recurrent Bat (RB) framework is developed to classify the nodes into two classes such as trusted node and malicious node. In addition, the proposed frameworks analyze how protection effectiveness and energy consumption interact when evaluating adaptive security techniques. To analyze the effectiveness of the suggested paradigm, researchers also give the outcomes of simulation experiments. Researchers demonstrate that, in comparison to existing models, the developed approach has increased the lifespan of the connected objects by 47 %. Also, the developed strategy has attained better accuracy and lower error rates when comparing traditional strategies. Moreover, the packet delivery ratio is 60 KB, energy consumption is 116 KJ, Mean Location Error is 0.078 and resource usage is 148.

computer science, artificial intelligence

Jun Li,Skyler Berg,Mingwei Zhang,Peter Reiher,Tao Wei

DOI: https://doi.org/10.1145/2740070.2631469

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:End hosts in today's Internet have the best knowledge of the type of traffic they should receive, but they play no active role in traffic engineering. Traffic engineering is conducted by ISPs, which unfortunately are blind to specific user needs. End hosts are therefore subject to unwanted traffic, particularly from Distributed Denial of Service (DDoS) attacks. This research proposes a new system called DrawBridge to address this traffic engineering dilemma By realizing the potential of software-defined networking (SDN), in this research we investigate a solution that enables end hosts to use their knowledge of desired traffic to improve traffic engineering during DDoS attacks.

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic