Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Jie Yu,Zhoujun Li,Huowang Chen,Xiaoming Chen

DOI: https://doi.org/10.1109/icns.2007.5

2007-01-01

Abstract:Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We proposed a mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology. An anomaly dete-ction method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses client's session rate as currency. Detection model drops suspicious sessions, while currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain higher service rate and lower delay of response time.

TANG LIJUAN,ZHANG YONGPING,ZHANG LILI

DOI: https://doi.org/10.3969/j.issn.1008-0570.2007.18.015

2007-01-01

Abstract:The defense of DDoS attacks has become the difficult area in network security.The proposed scheme can prevent DDoS at- tacks roundly and actively.It implements detector based on RBF- NN to detect DDoS attacks ,and the precise can reach 97.9%;im- plements an IP traceback scheme with packet marking in blocks,which provides higher precision and more efficient computation;im- plements a novel approach named Packet funneling to mitigate DDoS attacks,it ensures the quality of service. The technology of the scheme is practical and easy to deploy,low price,it has the very good application prospect.

T Peng,C Leckie,K Ramamohanarao

DOI: https://doi.org/10.1007/978-3-540-24693-0_63

2004-01-01

Abstract:In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.

Yi Shi,Xinyu Yang

DOI: https://doi.org/10.1007/11596981_54

2005-01-01

Abstract:Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In this paper, we propose a novel global defense architecture to protect the entire Internet from DDoS attacks. This architecture includes all the three parts of defense during the DDoS attack: detection, filtering and traceback, and we use different agents distributed in routers or hosts to fulfill these tasks. The superiority of the architecture that makes it more effective includes: (i) the attack detection algorithm as well as attack filtering and traceback algorithm are both network traffic-based algorithms; (ii) our traceback algorithm itself also can mitigate the effects of the attacks. Our proposed scheme is implemented through simulations of detecting and defending SYN Flooding attack, which is an example of DDoS attack. The results show that such architecture is much effective because the performance of detection algorithm and traceback algorithm are both better.

Shibo Luo,Jun Wu,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/FCST.2015.11

2015-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture which decouples network control and forwarding. It has some particular features such as central control and programmability to combat against DDoS attack. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw a conclusion of the needs of defense mechanism for successful combating against DDoS. Then, we analyze the particular features of SDN and conclude it is conducive to countermeasure DDoS attack. According the analysis, we construct a defense mechanism for DDoS in SDN. At last, we illustrate how this mechanism could combat against DDoS attacks through a working example.

Zhongqiang Chen,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxl042

2007-01-01

The Computer Journal

Abstract:By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus, leading to unavailability of computing systems services. Various defense mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested including resource redundancy, traceback of attack origins and identification of programs with suspicious behavior. Contemporary DDoS attacks employ sophisticated techniques including formation of hierarchical networks, one-way communication channels, encrypted messages, dynamic ports allocation and source address spoofing to hide the attackers' identities; such techniques make both detection and tracing of DDoS activities a challenge and render traditional DDoS defense mechanisms ineffective. In this paper, we propose the DDoS Container, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks; the framework operates in 'inline' mode to inspect and manipulate ongoing traffic in real-time. By keeping track of connections established by both potential DDoS attacks and legitimate applications, the suggested DDoS Container carries out stateful inspection on data streams and correlates events among sessions. The framework performs stream re-assembly and dissects the resulting aggregations against protocols followed by various known DDoS attacks facilitating their identification. The traffic pattern analysis and data correlation of the framework further enhance its detection accuracy on DDoS traffic camouflaged with encryption. Actions available on identified DDoS traffic range from simple alerting to message blocking and proactive session termination. Experimentation with the prototype of our DDoS Container shows its effectiveness in classifying DDoS traffic.

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Qingxia Li,Wenhong Wei,Ming Tao,Qian Chen

DOI: https://doi.org/10.1504/ijcnds.2014.064638

IF: 1.3

2014-01-01

International Journal of Communication Networks and Distributed Systems

Abstract:In distributed denial of service (DDoS) attack, the detection techniques have existed for a relatively longer period of time than defence mechanisms, researchers have categorised almost all the existing and expected forthcoming attacks. However, techniques for defence are still nurturing. Researchers have explored that there could be diverse ways of launching DDoS attacks. Consequently, need of defence scheme that adapts and responds autonomously to these variety of attacks is imperative. This paper proposed a distributed defence scheme based on two-stage traffic flow control against DDoS attacks that present the most serious threats to the internet. The defence using this scheme deploys two kinds of coordinated modules through specific mechanism to protect internet servers. And the performance of the scheme was evaluated by network simulation. Simulation results show that the proposed scheme can greatly increase the throughput of legitimate traffic and reduce the attack traffic during DDos attacks, and it performs well even when it is only partially deployed.

LI Jun,LI Ming

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.18.047

2006-01-01

Abstract:One of the most important fields in network security is the defense against DDoS attacks, in which many methods are introduced in literature, namely DWARD, IP trace, packet classification, anomaly traffic detection. Every current method has its advantages and disadvantages. With the idea of classification defense, this paper presents an integrated scheme which has synthesized two complete defending systems against DDoS attacks. The integrated system has more powerful functions in fighting against DDoS attacks. The good performances of the new system for fighting against DDoS attacks are listed as fellow: low false alarm probability, high speed of response, slight affection to the normal traffic.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Ping Dong,Xiaojiang Du,Hongke Zhang,Tong Xu

DOI: https://doi.org/10.1109/ICC.2016.7510992

2016-01-01

Abstract:A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2009.35

2009-01-01

Abstract:The Distributed Denial of Service attacks (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. The current detection schemes are sensitive to the number of attackers and may lead to a high false positive probability especially for largescale networks with huge number of attackers. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many flooding sources to make the detection more difficult. In this paper we propose a more efficient detection scheme for Web Service DDoS attackers. The proposed scheme is based on the number of incoming requests to the server with the consideration of the clients activity (Active and Non-Active clients during the detection time). To make our scheme scalable to large-Scale networks, the non-adaptive group testing theory is applied to detect attackers using low state overhead. Extensive tracedriven simulation has been conducted on real Web trace to demonstrate the efficiency of the proposed scheme in terms of its false positive, false negative probabilities and also detection time.

Xie Yi,Yu Shunzheng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2007.01.023

2007-01-01

Abstract:Distributed denial of service (DDoS) attacks bring a very serious threat to the stability of Internet. DDoS attack methods and tools are becoming more sophisticated, effective and also more difficult to be traced. New forms of DDoS attacks on application layer cause current defense technologies working on TCP or IP level unable to withstand them, which makes a new challenge to the traditional anomaly detection techniques. In this paper, we discuss the rationale of application layer DDoS attacks and the disadvantages of current DDoS detection schemes in dealing with such attacks. At last, a new detection scheme focusing on application layer DDoS attacks defense based on user behavior is proposed. Filtering and blocking are also carried out for the malicious HTTP requests over the application level and TCP level.

Li Xinlei,Zheng Kangfeng,Yang Yixian

DOI: https://doi.org/10.1109/icie.2009.107

2009-01-01

Abstract:The distributed denial of service attacks have become more and more frequent and caused some fatal problems. Many researches have been done to detect and defend such attacks, however, many solutions are still in the phase of theoretical studies. Some of them may have certain practical value, but they have to reconstruct the existing network and the routing instruments with great cost. This paper proposes a DDoS attack defending scheme based on network processor. The scheme takes advantage of network processor's powerful process ability to divide the network flow into different types firstly, and then uses a QoS mechanism to ensure essential communications as well as to eliminate the attack flow to the greatest extent. Experiment results show that the scheme can provide enough bandwidth for high priority flow, and effectively weaken the attack flow.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Wei Zhang,Shize Guo,Kangfeng Zheng,Yixian Yang

DOI: https://doi.org/10.1109/ICYCS.2008.206

2008-01-01

Abstract:Because DDoS attacks destination servers from computers distributed all over network, it is very hard to locate attacking sources and resist DDoS. In this paper, a new defending mechanism based on registration and authentication against DDoS is proposed. By bidirectional warning messages, it can help locate attacking sources quickly and resist DDoS more exactly. According to the mechanism, all servers and routers applying for protecting from DDoS are required to register firstly, so that they can translate warning messages encrypted in public-key algorithm to prevent from spoofing. A flexible defending can be achieved by distributing filtering features and policies dynamically.