魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Xiang Chen,Hongyan Liu,Tingxin Sun,Qun Huang,Dong Zhang,Xuan Liu,Boyang Zhou,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/infocom53939.2023.10229080

2023-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernel-based tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools result in unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for DDoS defense solutions. The key idea is to leverage the programmable switch to perform testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. Our experiments on a 64×100Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Jiang Ming,Wu Chunming

IF: 1.019

2006-01-01

Chinese Journal of Electronics

Abstract:Issues related to fair sharing of bandwidth in Assured Forwarding based Differentiated Services networks have been discussed in many research papers. The factors that can bias fair sharing of bandwidth are Round trip time (RTT), packet size, the number of flows in aggregate and target rate etc. This paper proposes a new scheme to achieve proportional fair sharing of bandwidth among heterogeneous TCP flows for Assured Service. The Assured Services architecture relies on packet marking mechanism at the edge router, and AQM mechanism at the core router. In the new scheme the marking mechanism is FTSW2CM, which is based on TSW2CM algorithm. By measuring local throughput FTSW2CM can change the marking probability to achieve fairness. As to AQM mechanism we use MRIO algorithm, which can effectively stabilize the queue size and mitigate the "band-width skew" problem. The simulation results indicate that FTSW2CM+MRIO performs better than other popular schemes in providing fairness among heterogeneous TCP flows.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Guang Jin,Jian-gang Yang,Wei Wei,Ya-bo Dong

DOI: https://doi.org/10.3724/sp.j.1146.2007.00460

2008-01-01

Abstract:Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.

Zhuotao Liu,Yuan Cao,Min Zhu,Wei Ge

DOI: https://doi.org/10.48550/arXiv.1903.07796

2019-04-06

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. However, recent industrial interviews with over 100 security experts from more than ten industry segments indicate that DDoS problems have not been fully addressed. The reasons are twofold. On one hand, many academic proposals that are provably secure witness little real-world deployment. On the other hand, the operation model for existing DDoS-prevention service providers (e.g., Cloudflare, Akamai) is privacy invasive for large organizations (e.g., government). In this paper, we present Umbrella, a new DDoS defense mechanism enabling Internet Service Providers (ISPs) to offer readily deployable and privacy-preserving DDoS prevention services to their customers. At its core, Umbrella develops a multi-layered defense architecture to defend against a wide spectrum of DDoS attacks. In particular, the flood throttling layer stops amplification-based DDoS attacks; the congestion resolving layer, aiming to prevent sophisticated attacks that cannot be easily filtered, enforces congestion accountability to ensure that legitimate flows are guaranteed to receive their fair shares regardless of attackers' strategies; and finally the userspecific layer allows DDoS victims to enforce self-desired traffic control policies that best satisfy their business requirements. Based on Linux implementation, we demonstrate that Umbrella is capable to deal with large scale attacks involving millions of attack flows, meanwhile imposing negligible packet processing overhead. Further, our physical testbed experiments and large scale simulations prove that Umbrella is effective to mitigate various DDoS attacks.

Cryptography and Security

ZH Tian,BX Fang,XC Yun

DOI: https://doi.org/10.1109/wi.2004.50

2005-01-01

Abstract:Flash crowd events (FCEs) and malicious traffic including DDoS and worm attacks present a real threat to the stability of Web services. In this paper, we design a practical defense system that can provide some needed relief from the two types of events and protect the availability of Web services. A novel method of dynamic bandwidth arbitration using Generalized Vickrey auction based on microeconomics is proposed. By adopting this approach, not only the availability of Web services is improved but also the total utility of users can be maximized. Initial simulations have shown that this mechanism is promising direction to control both FCEs and malicious traffic. The presentation in this paper is a first step towards a more rigorous evaluation.

Lijia Xie,Yao Zhang,Zhiming Zheng,Xiao Zhang

DOI: https://doi.org/10.1109/lcomm.2016.2628896

IF: 3.5529

2017-01-01

IEEE Communications Letters

Abstract:The rapid development of network applications has led to a dramatic demand on Internet capacity. In response, internet service providers are exploring new data pricing approaches as economic countermeasures. However, previous pricing schemes are inadequate to provide tussle-resistance property that enables confidential price propagation and accurate bandwidth accounting. In this letter, we propose tussle-resistant Internet pricing mechanism (TRIP), which is built upon border gateway protocol and involves multiple cryptographic algorithms for price encryption and dissemination. TRIP effectively accomplishes source authentication and price confirmation, and leverages network capability to achieve bandwidth allocation and accounting. We confirm the efficiency of TRIP via comprehensive experiments.

Mingxing Liu,Ying Liu,Ke Xu,Lin He,Xiaoliang Wang,Yangfei Guo,Weiyu Jiang

DOI: https://doi.org/10.1109/msn53354.2021.00076

2021-01-01

Abstract:In recent years, Distributed Denial-of-Service (DDoS) attacks have become more rampant and continue to be one of the most serious security threats facing network infrastructure. In a classic DDoS attack, the attacker controls numerous bots from many sources to send a significant volume of traffic to flood the victim end or the bottleneck link. In practical networks, it is inefficient and costly to request all partner routers to collaboratively mitigate DDoS attacks. The common feature of DDoS attacks is the abnormal distribution of traffic to the victim. In this paper, we propose TAP, a collaborative DDoS mitigation framework, based on traffic-aware probabilistic packet marking (PPM). TAP enables the victim to select a few hit routers as collaborators to mitigate attack traffic efficiently depending on the traffic distribution. Our evaluation results show that TAP greatly reduces attack traffic within seconds and mitigate the damage caused by DDoS with less overhead, which demonstrates that TAP is an effective, efficient, and rapid-response scheme for collaborative DDoS mitigation.

Lijia Xie,Shuang Zhao,Xiao Zhang,Yiming Shi,Xin Xiao,Zhiming Zheng

DOI: https://doi.org/10.1007/978-3-030-90019-9_20

2021-01-01

Abstract:Multiple bandwidth reservation mechanisms based on network capability have been proposed to resolve Distributed Denial of Service (DDoS) attacks towards the transit-link. However, previous capability-based techniques are insufficient to provide accurate protection towards legitimate users of contaminated domains. In this paper, we present FIBA, an intra-domain bandwidth allocation mechanism with fine-grained accessing control granularity. FIBA enables source domains to locally differentiate the capability requests by state measuring according to two attributing factors. Moreover, FIBA can establish hierarchical channels for capability requesting packets to realize the isolation of traffic from the same source domain. Our scheme is integrated with existing methods and can be optionally deployed by source domains. Finally, through network experiments, we evaluate FIBA can realize user-level DDoS protection even in 90%-contaminated domain.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Jie Yu,Chengfang Fang,Liming Lu,Zhoujun Li

DOI: https://doi.org/10.1007/978-3-642-10485-5_13

2009-01-01

Abstract:Application layer DDoS attacks, to which network layer solutions is not applicable as attackers are indistinguishable based on packets or protocols, prevent legitimate users from accessing services. In this paper, we propose Trust Management Helmet (TMH) as a partial solution to this problem, which is a lightweight mitigation mechanism that uses trust to differentiate legitimate users and attackers. Its key insight is that a server should give priority to protecting the connectivity of good users during application layer DDoS attacks, instead of identifying all the attack requests. The trust to clients is evaluated based on their visiting history, and used to schedule the service to their requests. We introduce license, for user identification (even beyond NATs) and storing the trust information at clients. The license is cryptographically secured against forgery or replay attacks. We realize this mitigation mechanism and implement it as a Java package and use it for simulation. Through simulation, we show that TMH is effective in mitigating session flooding attack: even with 20 times number of attackers, more than 99% of the sessions from legitimate users are accepted with TMH; whereas less than 18% are accepted without it.

Xiaobo Ma,Jianfeng Li,Yajuan Tang,Bo An,Xiaohong Guan

DOI: https://doi.org/10.1016/j.ins.2018.04.050

IF: 8.1

2019-01-01

Information Sciences

Abstract:As an emerging threat, link flooding attacks (LFAs) target and congest core links that constitute Internet routing infrastructure, hence posing a growing threat to networks worldwide. Mitigating and defeating LFAs is particularly challenging for two reasons. First, arising from the end-to-end communication from bots to public servers (e.g., Web servers), the attack traffic flows could be indistinguishable from legitimate ones, and even unobservable to the victim network surrounded by the target links. Therefore, typical flow-filtering countermeasures deployed at the network perimeter become invalid when handling LFAs. Second, the target link and the victim network belong to an autonomous system (AS) different from the source ASs where the attack traffic flows originate. These source ASs, however, have no idea the target link is under attack, whereas they are in charge of routing decisions and thus capable of mitigating LFAs by rerouting the attack traffic flows to bypass the target link. Therefore, inter-AS cooperation is indispensable to defeat LFAs. Unfortunately, the source ASs lack incentives to cooperate because the collateral damage of LFAs to them may be negligible, making it challenging to eradicate LFAs. In this paper, we make the first effort to cope with LFAs from a techno-economic perspective, for accelerating ISPs’ cooperation in defending against LFAs. We propose two novel mechanisms to mitigate LFAs by stimulating the inter-AS cooperation via incentive design and Nash bargaining. Experiments using Internet AS relationship data demonstrate the feasibility and effectiveness of our mechanisms.

Bing Xiong,Kun Yang,Jinyuan Zhao,Keqin Li

DOI: https://doi.org/10.1016/j.jnca.2016.04.013

2017-01-01

Abstract:The continual growth of network traffic rates leads to heavy packet processing overheads, and a typical solution is to partition traffic into multiple network processors for parallel processing especially in emerging software-defined networks. This paper is thus motivated to propose a robust dynamic network traffic partitioning scheme to defend against malicious attacks. After introducing the conceptual framework of dynamic network traffic partitioning based on flow tables, we strengthen its TCP connection management by building a half-open connection separation mechanism to isolate false connections in the initial connection table (ICT). Then, the lookup performance of the ICT table is reinforced by applying counting bloom filters to cope with malicious behaviors such as SYN flooding attacks. Finally, we evaluate the performance of our proposed traffic partitioning scheme with real network traffic traces and simulated malicious traffic by experiments. Experimental results indicate that our proposed scheme outperforms the conventional ones in terms of packet distribution performance especially robustness against malicious attacks.

Xu Chen,Wei Feng,Ning Ge,Xianbin Wang

DOI: https://doi.org/10.1109/icc40277.2020.9148653

2020-01-01

Abstract:The link flooding attack (LFA) arises as a new class of Distributed Denial of Service (DDoS) attacks in recent years. By aggregating low-rate protocol-conforming traffic to congest selected links, LFAs can degrade the connectivity of target servers indirectly. Due to the fast proliferation of insecure Internet of Things (IoT) devices, the deployment of botnets is getting easier, which dramatically increases the risk of LFAs. Since the attacking traffic may not reach the victims directly and seems to be legitimate, LFAs are extremely difficult to detect and defend using traditional methods. In this work, we model the interaction between the LFA attacker and the defender as an extensive form game with incomplete information. By using action space compression and the divide and conquer method, we analyze the Nash equilibrium of the subgame on each link, which reveals the rational behaviors of attackers and the optimal strategies of defenders. Furthermore, we concretely expound how to adopt local optimal strategies in the Internet-wide scenario. Experimental results show the effectiveness and robustness of our proposed decision-making method in explicit LFA defending scenarios.

Jun Li,Devkishen Sisodia,Yebo Feng,Lumin Shi,Mingwei Zhang,Christopher Early,Peter Reiher

DOI: https://doi.org/10.1109/CNS59707.2023.10288699

2023-05-23

Abstract:Despite the proliferation of traffic filtering capabilities throughout the Internet, attackers continue to launch distributed denial-of-service (DDoS) attacks to successfully overwhelm the victims with DDoS traffic. In this paper, we introduce a distributed filtering system that leverages nodes distributed along the paths of DDoS traffic to filter the DDoS traffic. In particular, we focus on adaptive distributed filtering, a new direction in filtering DDoS traffic. In our design, a subscriber to the distributed filtering service can act on behalf of a DDoS victim and generate filtering rules that not only adapt to the most suitable and effective filtering granularity (e.g., IP source address and a port number vs. an individual IP address vs. IP prefixes at different lengths), but also adapt to the preferences of the subscriber (e.g., maximum coverage of DDoS traffic vs. minimum collateral damage from dropping legitimate traffic vs. minimum number of rules). We design an efficient algorithm that can generate rules adaptive toward filtering granularities and objectives, which can further help determine where to deploy generated rules for the best efficacy. We evaluated our system through both large-scale simulations based on real-world DDoS attack traces and pilot studies. Our evaluations confirm that our algorithm can generate rules that adapt to every distinct filtering objective and achieve optimal results. We studied the success rate and distribution of rule deployment under different Internet-scale rule deployment profiles, and found a small number of autonomous systems can contribute disproportionately to the defense. Our pilot studies also show our adaptive distributed filtering system can effectively defend against real-world DDoS attack traces in real time.

Networking and Internet Architecture,Cryptography and Security

Qian Wang,Feng Xiao,Man Zhou,Zhibo Wang,Hongyu Ding

2017-01-01

Abstract:Link-flooding attack (LFA) has emerged as a serious threat to Internet which cuts off connections between legitimate hosts and targeted servers by flooding only a few links (e.g., target links). Several mechanisms have been proposed to mitigate LFA, however, they can only mitigate LFA passively after target links have been compromised by adversaries. Based on the fact that adversaries rely on network linkmap to launch LFA, in this paper, we propose an active LFA mitigation mechanism, called Linkbait, that actively mitigates LFA by providing a fake linkmap to adversaries. Inspired by Moving Target Defense (MTD), we propose a link obfuscation algorithm in Linkbait that selectively reroutes detecting flows to hide target links from adversaries and mislead them to consider some bait links as target links. By providing the faked linkmap to adversaries, Linkbait can actively mitigate LFA even without identifying bots and does not affect flows from legitimate hosts. In order to further reduce the junk traffic generated by adversaries from entering the network, we propose a bot detection algorithm in Linkbait that extracts unique traffic patterns from LFA and leverages Support Vector Machine to accurately distinguish bots from legitimate hosts. Finally, we evaluate the feasibility of implementing Linkbait in real Internet, and evaluate its performance by using both a real-world testbed and large-scale simulations. The analyses and experiments results demonstrate the effectiveness of Linkbait.