ZHANG Shao-jun,LI Jian-hua,CHEN Xiu-zhen,HU Wei

DOI: https://doi.org/10.3321/j.issn:1006-2467.2008.02.009

2008-01-01

Abstract:As one of the most notorious network attacks,distributed denial-of-service(DDoS) attack is famous for its easiness to launch and difficulty to defend.DDoS attack was regarded as a multistage game of incomplete information with observable actions and its extensive form was given out.It is pointed out that to attain the game's perfect Bayes equilibrium,the problem of computing and modifying the belief value of each player's type must be solved.As a practice of this viewpoint,a method of filtering attack stream according to its package rate and source address distribution characteristic was proposed.Finally, simulation was given out to demonstrate the effectiveness of the method.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1007/11839569_45

2006-01-01

Abstract:Distributed denial-of-service attack is one of major threats to Internet today. Rate limit algorithm with max-min fairness is an effective countermeasure to defeat flooding-style DDoS attacks under the assumption that attackers are more aggressive than legitimate users. However, under a “meek” DDoS attack where such an assumption is no longer valid, it will fail to protect legitimate traffic effectively. In order to improve the survival ratio of legitimate packets, an IP traceback based rate limit algorithm is proposed. Simulation results show that it could not only mitigate the DDoS attack effect, but also improve the throughput of legitimate traffic even under a meek attack.

Yinan Jing,Zheng Xiao,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/icniconsmcl.2006.159

2006-01-01

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. And the distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet. And we leverage the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate DDoS effect near attack sources as possible as we can. This defense framework is a serviceoriented economic model that not only motivates ISPs to deploy it, but also benefits all participants.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/glocom.2006.283

2006-01-01

Abstract:Distributed denial-of-service attack is one of major threats to Internet today. Rate limit is an effective countermeasure to defeat rate-related attacks on condition that attackers send more traffics than legitimate users. However, sometimes the real case is opposite, because there may be only subtle rate difference between attackers and legitimate users today. We thoroughly investigate such a "meek" DDoS attack case and provide an elaborate IP traceback-based rate limit algorithm. The simulation results show that our method can better mitigate the meek DDoS attack as well as improve the throughput of legitimate traffic.

Qingxia Li,Wenhong Wei,Ming Tao,Qian Chen

DOI: https://doi.org/10.1504/ijcnds.2014.064638

IF: 1.3

2014-01-01

International Journal of Communication Networks and Distributed Systems

Abstract:In distributed denial of service (DDoS) attack, the detection techniques have existed for a relatively longer period of time than defence mechanisms, researchers have categorised almost all the existing and expected forthcoming attacks. However, techniques for defence are still nurturing. Researchers have explored that there could be diverse ways of launching DDoS attacks. Consequently, need of defence scheme that adapts and responds autonomously to these variety of attacks is imperative. This paper proposed a distributed defence scheme based on two-stage traffic flow control against DDoS attacks that present the most serious threats to the internet. The defence using this scheme deploys two kinds of coordinated modules through specific mechanism to protect internet servers. And the performance of the scheme was evaluated by network simulation. Simulation results show that the proposed scheme can greatly increase the throughput of legitimate traffic and reduce the attack traffic during DDos attacks, and it performs well even when it is only partially deployed.

Yichuan Wang,Yefei Zhang,Xinhong Hei,Wenjiang Ji,Weigang Ma

DOI: https://doi.org/10.1007/bf03391587

2017-01-01

Journal of Communications and Information Networks

Abstract:Integration of the IoT (Internet of Things) with Cloud Computing, termed as the CoT (Cloud of Things) can help achieve the goals of the envisioned IoT and future Internet. In a typical CoT infrastructure, the data collected from wireless sensor networks and IoTs is transmitted through a SG (Smart Gateway) to the cloud. The bandwidth between an IoT access point and SG becomes a bottleneck for information transmission between the IoT and the cloud. We propose a novel game theory model to describe the CoT attacker, who expects to use minimum set and energy consumption of IoT attack devices to occupy as many bandwidth resources as possible in a given time period; and the defender, who expects to minimize false alarms. By analyzing this model, we have found that the game theory model is a non-cooperative and repeated incomplete information game, and Nash equilibrium is existent, perfected by the subgame. The best strategy for each stage of the attack is to adjust the attack link number dynamically based on the comparison results of value ϵ and turning point ϵ0 for each time period. At the same time, the defender adjusts the threshold value β dynamically, based on the comparison results of the Load value and expected value of a for each time period. The simulation result shows that our strategy can significantly mitigate the harm of a distributed denial of service attack.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Huaping Hu,Jing Zhang,Bo Liu,Lin Chen

DOI: https://doi.org/10.1109/iccit.2010.5711129

2010-01-01

Abstract:Low-rate denial-of-service attack is a novel category of DDoS attacks. The paper defines defense performance as metric to analyze whether the degree of distribution of attack sources impacts the LDoS attack greatly. From the result of simulation on NS2, the deeper degree of distributed, the better defense performance of Droptail (passive queue management), and the worse defense performance of RED (active queue management). And we also analyze the factors which may have impacts on the attack.

Zhihong Tian,Mingzeng Hu,Bin Li,Bo Liu,Hongli Zhang

2006-01-01

Abstract:Distributed denial of service DDoS is a major threat to the availability of Internet services. As one of the most difficult problems in network security, it has received considerable attention from the mass media and the research community. In this paper, we design an effective and practical countermeasure which allows a general-purpose TCP-based public server to sustain high availability even during severe DDoS attacks. A novel microeconomic framework based on Generalized Vickrey auction GVA is proposed. By adopting this mechanism, not only the availability of services is improved, but also the total utility of legitimate clients can be maximized. Initial simulations have shown that this mechanism is highly effective in preferentially dropping attacker traffic over legitimate client traffic, and the protected server can remain operational under various system loads and severely attacked conditions. The results indicate that it is a promising approach to countering DDoS attacks.

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Jin Liu,Hefei Ling,Fuhao Zou,Wei Qi Yan,Zhengding Lu

DOI: https://doi.org/10.4018/jdcf.2010100103

2010-01-01

International Journal of Digital Crime and Forensics

Abstract:This paper proposes a technique to defeat Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in Ad Hoc Networks. The technique is divided into two main parts and with game theory and cryptographic puzzles. Introduced first is a new client puzzle to prevent DoS attacks in such networks. The second part presents a multiplayer game that takes place between the nodes of an ad hoc network and based on fundamental principles of game theory. By combining computational problems with puzzles, improvement occurs in the efficiency and latency of the communicating nodes and resistance in DoS and DDoS attacks. Experimental results show the effectiveness of the approach for devices with limited resources and for environments like ad hoc networks where nodes must exchange information quickly.

Hao Zhang,Jie Yao,Zhuping Wang,Sheng Gao,Huaicheng Yan

DOI: https://doi.org/10.1109/jsyst.2024.3381304

IF: 4.802

2024-01-01

IEEE Systems Journal

Abstract:This article studies the optimal distributed denial-of-service attack strategy for cyber–physical systems with multiple attackers and multiple defenders. An advanced attack strategy is proposed to cause the great damage to system in a multiattacker–defender form. First, a novel model of signal-to-interference-to-noise ratio for the multiattacker and multidefender is built. Taking the energy constraints into consideration, the objective of defenders is to minimize the system performance, while the attackers tend to deteriorate it by emitting interference energy. Thus, the optimal channel selection and optimal energy allocation strategies are proposed to answer which channel both of them should choose and how much power both of them should allocate to each channel in a finite time horizon. Second, a two-player zero-sum matrix game is formulated to solve the optimal problem by linear programming and obtain the Nash equilibrium. When the channel parameters are time-varying, a dynamic optimal channel selection problem is considered and a multistage game algorithm is proposed to find the Nash equilibrium. In addition, the designed optimal strategies of both players are demonstrated and analyzed. Finally, a numerical simulation is provided to illustrate the effectiveness of the proposed approach.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

2006-01-01

Journal of Information and Computational Science

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. The distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a secure cooperative environment for distributed rate limit. This distributed defense framework has a service-oriented economic model that not only motivates ISPs to deploy it, but also benefits all participants. In addition, an IP traceback-based rate limit algorithm is proposed to leverage the IP traceback technique not only to mitigate the DDoS attack effect as close to attack sources as possible, but also to improve the throughput of legitimate traffic even under a meek attack.

Xu Chen,Liang Xiao,Wei Feng,Ning Ge,Xianbin Wang

DOI: https://doi.org/10.1109/jiot.2021.3138094

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The proliferation of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) not only threatens the security of digital devices and infrastructure but also severely degrades IoT system performance due to the overly consumed network resources. With the knowledge of identity information of devices and signaling data, Internet service providers (ISPs) can detect and block DDoS traffic by monitoring the upstream IoT packets, and thereby, improve network efficiency. However, inspecting all data packets online for DDoS detection will significantly increase both the network delay and the computational overhead. Therefore, the packet sampling strategy is crucial for the defenders to detect DDoS attacks. To this end, this article formulates a Stackelberg game model to analyze the collaborative IoT packet sampling against DDoS attacks. Through the equilibrium analysis of the DDoS game, we derive the lower bound of packet sampling rate (PSR) that can effectively deter potential attackers. Unlike traditional offline detection, our proposed packet sampling strategy can support both the online detection and proactive prevention of DDoS traffic. As a use case, a multipoint DDoS defense framework is developed to address the IP spoofing in 5G networks based on the proposed packet sampling strategy, which deters DDoS attacks and reduces the packet sampling cost, and thereby, maximizes the IoT utility, compared with existing methods. In typical reflection attacks (in which no more than five packets of response are triggered by a request packet), our proposed scheme not only reduces more than 70% of the sampling rate but also demonstrates superior robustness against boundary condition variation.

Fei Wang,Xiaofeng Hu,Jinshu Su

DOI: https://doi.org/10.1109/ICCT.2012.6511308

2012-01-01

Abstract:Distributed Denial of Service (DDoS) attack seriously threatens Internet-enabled applications and causes huge financial losses. To tackle this problem, rate limiting is widely adopted due to their effectiveness in high-volume traffic mitigation. However, a portion of valid packets, some of which are vital requests, from legitimate clients may be dropped unintentionally, as they are involved in the same aggregates with attack traffic. We call this phenomenon poor client problem. To protect these poor clients, this paper proposes a mutual-aid team system as a pioneer. Rather than pursuing a perfect classification method, which is impossible, we provide additional service for poor clients via valid flow redirection. In core defense, the mutual-aid team system adopts existing rate-limiting-based mechanism to prevent the victim from being overwhelmed. At edge networks, by joining in the mutual-aid team, mutual-aid members help each other forward valid flows to destinations, in a different aggregate that is not rate limited. As a result, poor client can successfully access the victim. We prove the validity of our approach via simulation. Compared with sole core defense, our mutual-aid team system significantly increases the proportion of valid packets that achieve destinations successfully.We also discuss deployment incentives of proposed approach, self-protection and fee-based service, which are strong economic encouragement for ISPs' innovations.

杨黎斌,慕德俊,蔡晓妍

DOI: https://doi.org/10.3969/j.issn.1004-1699.2009.01.019

2009-01-01

Abstract:In wireless sensor networks,how to accurately and rapidly detect Denial of Service(DoS) attacks so as to ensure the availability of network infrastructure is one of the most challenging security problems.This paper models DoS attack-resistant as a repeated-game based on such an assumption that sensor nodes are rational.The model prevents malicious nodes from attacking by establishing punishment mechanism,and impels sensor networks to reach a collaborative Nash equilibrium.Simulation results show that the devised model can effectively resist the DoS attacks by choosing reasonable configuration parameters.

Chunyang Qi,Jie Huang,Cheng Huang,Huaqing Wu,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/globecom48099.2022.10000946

2022-01-01

Abstract:IoTs generally rely on resource-constrained devices to sense, relay, and collect data, which are highly vulnerable to Distributed-Denial-of-Services (DDOS) attacks on network throughput. In this paper, we propose a trust-based method to optimize the network throughput of IoTs under DDOS attacks. Specifically, with the assistance of a small number of dedicatedly deployed defense nodes as defenders, a network controller can first measure the behavior of other IoT nodes and categorize them into three types (i.e., innocent, selfish, and attack) through a well-designed trust evaluation model. Then, a Stackelberg game model is constructed accordingly, where defenders are leaders and other nodes are followers. We carefully define the utilities of the leaders and the followers in the game, and transform the optimization problem of the network throughput into the maximization problem of the defenders' utilities considering the utilities of the followers. We adopt the Dinkelbach Programming (DP)-based algorithm to solve the maximization problem such that a Stackelberg equilibrium can be reached with optimized network throughput. Extensive simulations are performed to demonstrate that the proposed defense method can significantly increase the IoT network throughput under different DDOS attack intensities.

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1707.03708

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, distributed denial-of-service (DDoS) attacks overload the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch "physical" denial-of-service attacks (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. In order to model the recruitment of bots, we develop a "Poisson signaling game," a signaling game with an unknown number of receivers, which have varying abilities to detect deception. Then we use a version of this game to analyze two mechanisms (legal and economic) to deter botnet recruitment. Equilibrium results indicate that 1) defenders can bound botnet activity, and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for proactive PDoS defense.

Cryptography and Security