Guang Jin,Qian Wang,Xianliang Jiang

DOI: https://doi.org/10.4304/jnw.9.2.291-296

2014-01-01

Journal of Networks

Abstract:Capabilities is a typical scheme of stateless filtering. In order to classify and filter packets effectively, a novel scheme of packet classification and filter based on capabilities is proposed in this paper. In our scheme, a new classifier module is added and a new filter structure is designed. We employ capabilities as verification and introduce new authorization in the communications. All these innovations make packet classification owning good effects in attacking scenario. The experimental results based on large-scale topology datasets and NS2 show that our scheme is better than traditional packet classification algorithms, especially under complex cyber environment.

Guang Jin,Jiangang Yang,Wei,Yabo Dong

DOI: https://doi.org/10.1109/nas.2007.38

2007-01-01

Abstract:Denial-of-service (DoS) attacks is a major threat to Internet security. Among numerous defense techniques, recently architecture-level capabilities scheme is a promising one. As a typical and comprehensive capabilities scheme, traffic validation architecture (TVA) tries to limit DoS attacks essentially and completely. Yet its effectiveness suffers from a new kind of DoS attacks, denial-of-capability (DoC), which takes place in the connection-setup step when clients send requests for capabilities. To overcome the DoC attacks, potential attack characteristics are analyzed in detail. And a notification-based mechanism is proposed to mitigate DoC attacks and enhance the robustness of TVA. A capability-enabled router should send a reverse notification with a special and unforgeable source identifier to the source when it has to drop a request packet under DoC attacks. Then an enhanced request packet including the source identifier is returned by the source and verified by the router. The enhanced request packet with higher secure level is processed in enhanced channels instead of unprivileged channels. Moreover enhanced requests are fair-queued based on per-source instead of per-Pi in TVA. Theoretical analysis and simulation results show that the notification mechanism can suppress DoC attacks effectively and make the capabilities architecture more robust and practical.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Wei Wei,Yingjie Xia,Yabo Dong

DOI: https://doi.org/10.4028/www.scientific.net/AMR.542-543.1275

2012-01-01

Abstract:Security is an important consideration in next generation Internet, where Distributed Denial of Service (DDoS) attack is still a serious threat, especially when Internet of Things is taken into account. To defend against DDoS, capability based Traffic Validation Architecture (TVA) is an excellent candidate. However, there are some shortcomings which make it not so practical, e.g., it has large capability overhead and some DoS attacks could escape from it. To overcome these problems, we proposed the autonomic system based architecture: ASTVA, which created and verified capability using autonomic system as the basic defense unit. In ASTVA, two kinds of sub-capabilities were provided and serveral system security levels were given by mixing the two kinds of sub-capabilities; several key parameters were adjusted dynamically to enhance system flexibility; and an anti-shrew function was added to TVA to make it more robust against low-rate DoS attacks. Finally, we gave out several simulation tests and the results show that ASTVA is more robust and flexible than TVA and is more practical to real world security.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Menghao Zhang,Jun Bi,Jiasong Bai,Guanyu Li

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00101

2018-01-01

Abstract:Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.

Yao Zhang,Xiaoyou Wang,Adrian Perrig,Zhiming Zheng

DOI: https://doi.org/10.1016/j.comnet.2016.06.005

IF: 5.493

2016-01-01

Computer Networks

Abstract:Despite large-scale flooding attacks, capability-based defense schemes provide end hosts with guaranteed communication. However, facing the challenges of enabling scalable bandwidth fair sharing and adapting to attack strategies, none of the existing schemes adequately stand. In this paper we present Tumbler, a flooding attack defense mechanism that provides scalable competition-based bandwidth fairness at the Autonomous System (AS) granularity, and on-demand bandwidth allocation for end hosts in each AS. Tumbler enforces adaptability in the capability establishment via competition factors that are calculated upon leaf ASes' bandwidth utilization and reputation. Transit ASes independently manage each competition factor based on the corresponding feedback from dedicated bandwidth accounting and monitoring policies. Through Internet-scale simulations, we demonstrate the effectiveness of Tumbler against a variety of attack scenarios and illustrate the deployment benefits for ISPs.

Wu Zhijun,Duan Haixin,Li Xing

DOI: https://doi.org/10.1007/s11767-005-0027-8

2006-01-01

Journal of Electronics (China)

Abstract:An approach of defending against Distributed Denial of Service (DDoS) attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.

Wu Qingtao,Shao Zhiqing,Ding Zhiyi,Liu Gang

DOI: https://doi.org/10.1007/bf02829250

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queués status. We use the Netfilter's technique, a framework inside the Linux 2. 4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.

P. Dorey,C. Dunning,A. Millican-Slater,R. Tateo

DOI: https://doi.org/10.48550/arXiv.hep-th/0309054

2003-09-04

Abstract:We review some surprising links which have been discovered in the last few years between the theory of certain ordinary differential equations, and particular integrable lattice models and quantum field theories in two dimensions. An application of this correspondence to a problem in non-Hermitian (PT-symmetric) quantum mechanics is also discussed.

High Energy Physics - Theory

Menghao Zhang,Jun Bi,Jiasong Bai,Yangyang Wang

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.001

2017-01-01

Abstract:To further mitigate the dedicated denial-of-service(DoS)attack(data-to-control plane saturation attack)against SDN infrastructure,a controller and switch cooperative defense framework, that is,FloodShield,is presented.In this attack,a large number of packets are flooded by attacker to trigger massive table-misses and packet-in messages in the data plane, which would exhaust re-sources of different components of SDN infrastructure, including TCAM in the data plane, band-width of the control channel, and CPU cycles of the controller.With the extensive analysis of the vulnerability of SDN against the saturation attack,a deployable,comprehensive and lightweight SDN defense framework,FloodShield,is proposed and designed.The following two techniques are com-bined with FloodShield:1)source address validation for filtering forged packets directly in the data plane,and 2)stateful packet supervision for monitoring traffic states of real addresses and perform-ing dynamic countermeasures based on evaluation scores and network resource usage.Experimental results show that, compared with previous defense framework, FloodShield provides an effective protection for data plane,control channel and control plane of SDN infrastructure,meanwhile consu-ming less resource.

Yuan Cao,Yuan Gao,Rongjun Tan,Qingbang Han,Zhuotao Liu

DOI: https://doi.org/10.1109/ACCESS.2018.2877710

IF: 3.9

2018-01-01

IEEE Access

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. One practical approach to addressing DDoS attacks is to redirect all destination (e.g., via DNS or BGP) to a third-party, DDoS protection-as-a-service provider (e.g., Cloudflare and Akamai), which is well provisioned and equipped with proprietary filtering mechanisms to remove attack traffic before passing the remaining traffic to the destination. Although such an approach is appealing, as it requires no modification to the existing Internet infrastructure and can scale to handle very large attacks, recent industrial interviews with more than 100 interviewees from over 10 industry segments reveal that this approach alone is not sufficient, especially for large organizations (e.g., Web hosting companies and government) that cannot afford to allow third-parity security-service providers to terminate their network connections. Instead, these organizations have to rely on their ISPs to filter attack traffic. In this paper, we discuss the challenges faced by the ISPs in order to disrupt the Internet security-service market and sketch our solutions, powered by smart contracts.

Xiong Bing,Chen Xiaosu,Chen Ning

DOI: https://doi.org/10.1109/ieec.2009.27

2009-01-01

Abstract:There is a growing interest in designing high-speed network devices to process packet at flow level above the network layer. A basic operation inherent to such systems is the task of maintaining per-flow state in order to correctly perform their higher-level processing. In this paper, we present an efficient TCP flow state management algorithm in high-speed network. First we devise all flow states and their transformation in conformity to TCP state machine. Based on the flow state transformation, we design the flow state management applying recently accessed first principle and budding connection buffer mechanism. According to the design scheme, the implementation is illustrated in a formal way. Experimental results illustrate that our flow state management algorithm performs better than the traditional one especially under DoS attacks.

Jun Li,Devkishen Sisodia,Yebo Feng,Lumin Shi,Mingwei Zhang,Christopher Early,Peter Reiher

DOI: https://doi.org/10.1109/CNS59707.2023.10288699

2023-05-23

Abstract:Despite the proliferation of traffic filtering capabilities throughout the Internet, attackers continue to launch distributed denial-of-service (DDoS) attacks to successfully overwhelm the victims with DDoS traffic. In this paper, we introduce a distributed filtering system that leverages nodes distributed along the paths of DDoS traffic to filter the DDoS traffic. In particular, we focus on adaptive distributed filtering, a new direction in filtering DDoS traffic. In our design, a subscriber to the distributed filtering service can act on behalf of a DDoS victim and generate filtering rules that not only adapt to the most suitable and effective filtering granularity (e.g., IP source address and a port number vs. an individual IP address vs. IP prefixes at different lengths), but also adapt to the preferences of the subscriber (e.g., maximum coverage of DDoS traffic vs. minimum collateral damage from dropping legitimate traffic vs. minimum number of rules). We design an efficient algorithm that can generate rules adaptive toward filtering granularities and objectives, which can further help determine where to deploy generated rules for the best efficacy. We evaluated our system through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithm can generate rules that adapt to every distinct filtering objective and achieve optimal results. We studied the success rate and distribution of rule deployment under different Internet-scale rule deployment profiles, and found a small number of autonomous systems can contribute disproportionately to the defense. Our pilot studies also show our adaptive distributed filtering system can effectively defend against real-world DDoS attack traces in real time.

Networking and Internet Architecture,Cryptography and Security

Xin Liu,Xiaowei Yang,Yong Xia

DOI: https://doi.org/10.48550/arXiv.1009.0033

2010-08-31

Networking and Internet Architecture

Abstract:Denial of Service (DoS) attacks frequently happen on the Internet, paralyzing Internet services and causing millions of dollars of financial loss. This work presents NetFence, a scalable DoS-resistant network architecture. NetFence uses a novel mechanism, secure congestion policing feedback, to enable robust congestion policing inside the network. Bottleneck routers update the feedback in packet headers to signal congestion, and access routers use it to police senders' traffic. Targeted DoS victims can use the secure congestion policing feedback as capability tokens to suppress unwanted traffic. When compromised senders and receivers organize into pairs to congest a network link, NetFence provably guarantees a legitimate sender its fair share of network resources without keeping per-host state at the congested link. We use a Linux implementation, ns-2 simulations, and theoretical analysis to show that NetFence is an effective and scalable DoS solution: it reduces the amount of state maintained by a congested router from per-host to at most per-(Autonomous System).

Zhuotao Liu,Yuan Cao,Min Zhu,Wei Ge

DOI: https://doi.org/10.48550/arXiv.1903.07796

2019-04-06

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the userspecific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

Cryptography and Security

Katerina J. Argyraki,David R. Cheriton

DOI: https://doi.org/10.1109/TNET.2008.2007431

2004-05-24

Abstract:A distributed denial-of-service (DDoS) attack can flood a victim site with malicious traffic, causing service disruption or even complete failure. Public-access sites like amazon or ebay are particularly vulnerable to such attacks, because they have no way of a priori blocking unauthorized traffic. We present Active Internet Traffic Filtering (AITF), a mechanism that protects public-access sites from highly distributed attacks by causing undesired traffic to be blocked as close as possible to its sources. We identify filters as a scarce resource and show that AITF protects a significant amount of the victim's bandwidth, while requiring from each participating router a number of filters that can be accommodated by today's routers. AITF is incrementally deployable, because it offers a substantial benefit even to the first sites that deploy it.

Networking and Internet Architecture

Wanchun Dou,Qi Chen,Jinjun Chen

DOI: https://doi.org/10.1016/j.future.2012.12.011

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Distributed Denial-of-Service attack (DDoS) is a major threat for cloud environment. Traditional defending approaches cannot be easily applied in cloud security due to their relatively low efficiency, large storage, to name a few. In view of this challenge, a Confidence-Based Filtering method, named CBF, is investigated for cloud computing environment, in this paper. Concretely speaking, the method is deployed by two periods, i.e., non-attack period and attack period. More specially, legitimate packets are collected in the non-attack period, for extracting attribute pairs to generate a nominal profile. With the nominal profile, the CBF method is promoted by calculating the score of a particular packet in the attack period, to determine whether to discard it or not. At last, extensive simulations are conducted to evaluate the feasibility of the CBF method. The result shows that CBF has a high scoring speed, a small storage requirement, and an acceptable filtering accuracy. It specifically satisfies the real-time filtering requirements in cloud environment.