Yinan Jing,Zheng Xiao,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/icniconsmcl.2006.159

2006-01-01

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. And the distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet. And we leverage the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate DDoS effect near attack sources as possible as we can. This defense framework is a serviceoriented economic model that not only motivates ISPs to deploy it, but also benefits all participants.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Yinan Jing,Jingtao Li,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/aina.2006.22

2006-01-01

Abstract:Distributed denial-of-service attacks have become the major threat to Internet today. IP traceback is one of the most effective techniques to defeat these attacks by identifying attack sources even in the presence of IP spoofing. Because of low marking packet utilization, the convergence time of traditional probabilistic packet marking (PPM) schemes is still too long. In order to shorten the convergence time, a distributedlog- based IP traceback scheme is proposed. Theoretical analysis and simulation results show that this scheme not only can converge more quickly than previous PPM schemes, but also has much less log overhead than other log-based schemes.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/glocom.2006.283

2006-01-01

Abstract:Distributed denial-of-service attack is one of major threats to Internet today. Rate limit is an effective countermeasure to defeat rate-related attacks on condition that attackers send more traffics than legitimate users. However, sometimes the real case is opposite, because there may be only subtle rate difference between attackers and legitimate users today. We thoroughly investigate such a "meek" DDoS attack case and provide an elaborate IP traceback-based rate limit algorithm. The simulation results show that our method can better mitigate the meek DDoS attack as well as improve the throughput of legitimate traffic.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1007/11839569_45

2006-01-01

Abstract:Distributed denial-of-service attack is one of major threats to Internet today. Rate limit algorithm with max-min fairness is an effective countermeasure to defeat flooding-style DDoS attacks under the assumption that attackers are more aggressive than legitimate users. However, under a “meek” DDoS attack where such an assumption is no longer valid, it will fail to protect legitimate traffic effectively. In order to improve the survival ratio of legitimate packets, an IP traceback based rate limit algorithm is proposed. Simulation results show that it could not only mitigate the DDoS attack effect, but also improve the throughput of legitimate traffic even under a meek attack.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

HONG Jingfeng,DUAN Haixin,YAO Shuzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.066

2006-01-01

Abstract:A new approach to tracing sources of DDoS attacks based on passive sniffing overlay network(PSON) is proposed,which can span multiple autonomy systems to trace back to multiple attack sources of a large scale DDoS attack.Based on this solution,it designs and implements an IP traceback system: SnifferTrack.The architecture and composition of the system are described,as well as the tracing process and algorithms.Several limitations of the system and future work are also proposed.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Zhuotao Liu,Yuan Cao,Min Zhu,Wei Ge

DOI: https://doi.org/10.48550/arXiv.1903.07796

2019-04-06

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the userspecific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

Cryptography and Security

Peter Hillmann,Frank Tietze,Gabi Dreo Rodosek

DOI: https://doi.org/10.1515/pik-2015-0010

2024-06-17

Abstract:The identification of the exact path that packets are routed in the network is quite a challenge. This paper presents a novel, efficient traceback strategy in combination with a defence system against distributed denial of service (DDoS) attacks named Tracemax. A single packets can be directly traced over many more hops than the current existing techniques allow. It let good connections pass while bad ones get thwarted. Initiated by the victim the routers in the network cooperate in tracing and become automatically self-organised and self-managed. The novel concept support analyses of packet flows and transmission paths in a network infrastructure. It can effectively reduce the effect of common bandwidth and resource consumption attacks and foster in addition early warning and prevention.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

JING Yi-nan,WANG Xue-ping,XIAO Xiao-chun,ZHANG Gen-du

DOI: https://doi.org/10.1049/cp:20061579

2006-01-01

Abstract:Distributed denial-of-service attack is one of the major threats to Internet currently.IP traceback is a technique to trace back the attack sources in presence of IP spoofing,and plays a key role in defense for DDoS attacks.Compared with other IP traceback techniques,the probabilistic packet marking (PPM) scheme has more advantages.However,because of low marking information utilization,its traceback speed is still too slow.In order to traceback attackers as quickly as possible,a logless fast IP traceback (LFIT) scheme is proposed,which uses a few router storage space and in-band channel to improve the marking information utilization. Simulation results show that it has two distinct advantages,namely faster traceback speed and little router and network overhead.

Yuanjie Li,Hewu Li,Zhizheng Lv,Xingkun Yao,Qianru Li,Jianping Wu

DOI: https://doi.org/10.1145/3460120.3484737

2021-01-01

Abstract:We devise a simple, provably effective, and readily usable deterrence against intelligent, unknown DDoS threats: Demotivate adversaries to launch attacks via multi-hop traffic divergence. This new strategy is motivated by the fact that existing defenses almost always lag behind numerous emerging DDoS threats and evolving intelligent attack strategies. The root cause is if adversaries are smart and adaptive, no single-hop defenses (including optimal ones) can perfectly differentiate unknown DDoS and legitimate traffic. Instead, we formulate intelligent DDoS as a game between attackers and defenders, and prove how multi-hop traffic divergence helps bypass this dilemma by reversing the asymmetry between attackers and defenders. This insight results in EID, an Economical Intelligent DDoS Demotivation protocol. EID combines local weak (yet divergent) filters to provably null attack gains without knowing exploited vulnerabilities or attack strategies. It incentivizes multi-hop defenders to cooperate with boosted local service availability. EID is resilient to traffic dynamics and manipulations. It is readily deployable with random-drop filters in real networks today. Our experiments over a 49.8 TB dataset from a department at the Tsinghua campus network validate EID's viability against rational and irrational DDoS with negligible costs.

Yunhao Liu,Xiaomei Liu,Chen Wang,Li Xiao

DOI: https://doi.org/10.1109/icpp.2007.31

2007-01-01

Abstract:A flooding-based search mechanism is often used in unstructured P2P systems. Although a flooding-based search mechanism is simple and easy to implement, it is vulnerable to overlay distributed denial-of-service (DDoS) attacks. Most previous security techniques protect networks from network-layer DDoS attacks, but cannot be applied to overlay DDoS attacks. Overlay flooding-based DDoS attacks can be more damaging in that a small number of messages are inherently propagated to consume a large amount of bandwidth and computation resources. We propose a distributed and scalable method, DD-POLICE, to detect malicious nodes in order to defend P2P systems from overlay flooding-based DDoS attacks. We show the effectiveness of DD-POLICE by comprehensive simulation studies. We believe that deploying DD-POLICE will make P2P systems more scalable and robust.

Zhongqiang Chen,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxl042

2007-01-01

The Computer Journal

Abstract:By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus, leading to unavailability of computing systems services. Various defense mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested including resource redundancy, traceback of attack origins and identification of programs with suspicious behavior. Contemporary DDoS attacks employ sophisticated techniques including formation of hierarchical networks, one-way communication channels, encrypted messages, dynamic ports allocation and source address spoofing to hide the attackers' identities; such techniques make both detection and tracing of DDoS activities a challenge and render traditional DDoS defense mechanisms ineffective. In this paper, we propose the DDoS Container, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks; the framework operates in 'inline' mode to inspect and manipulate ongoing traffic in real-time. By keeping track of connections established by both potential DDoS attacks and legitimate applications, the suggested DDoS Container carries out stateful inspection on data streams and correlates events among sessions. The framework performs stream re-assembly and dissects the resulting aggregations against protocols followed by various known DDoS attacks facilitating their identification. The traffic pattern analysis and data correlation of the framework further enhance its detection accuracy on DDoS traffic camouflaged with encryption. Actions available on identified DDoS traffic range from simple alerting to message blocking and proactive session termination. Experimentation with the prototype of our DDoS Container shows its effectiveness in classifying DDoS traffic.

Yinan Jing,Jingtao Li,Gendu Zhang

DOI: https://doi.org/10.1007/11534310_124

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And in terms of previous research fruits, the technique based on probabilistic packet marking (PPM) has been proven that it has more advantages than other IP traceback techniques. In this paper, we present a hierarchical IP traceback system, which is more practical and can be implemented and deployed more conveniently and securely than previous end-host schemes. We also present an improved edge marking algorithm called adaptive edge marking scheme (AEMS), which not only can shorten the convergence time, but also be more stable and robust. And detailed theoretical analysis and simulation results have also been presented to show the advantage and efficiency of this scheme.

徐恪,徐明伟,吴建平

DOI: https://doi.org/10.3969/j.issn.1000-1220.2004.03.005

2004-01-01

Abstract:Distributed denial-of-service attack (DDoS) brings a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam the CPU or Internet connection of victim. In the last two years, it is discovered that DDoS attack methods and tools are becoming more sophisticated, effective, and also more difficult to trace to the real attackers. On the defense side, current technologies are still unable to withstand large-scale attacks. In this paper, we first describe various DDoS attack methods, and then present a discussion and review of current defense mechanisms such as IP traceback. Then we emphasis discuss a long-term solution, the Internet firewall approach, that attempts to intercept attack packets in the Internet core, well before reaching the victim.