Liang Ming,Yu-Beng Leau,Ying Xie

DOI: https://doi.org/10.1109/access.2024.3371013

IF: 3.9

2024-03-09

IEEE Access

Abstract:This article offers a comprehensive overview of recent literature on the HTTP/2 protocol and conducts an analysis of the security threats and DDoS attack typologies associated with HTTP/2. The investigation revealed that the introduction of new features in HTTP/2 has significantly improved the network transmission speed and utilization. However, these advancements have also brought forth a series of emerging network security risks. This study examines the current state of the art in DDoS attacks tailored for HTTP/2 and their detection methods, proposing future research directions in the field of attack detection. By analyzing the distinctive features of HTTP/2 protocol, the study suggests extending DDoS attack detection techniques established for HTTP/1 to the realm of HTTP/2. Furthermore, the research underscores the ease with which adversaries can exploit the intrinsic multiplexing in HTTP/2 to launch a large number of malicious requests, leading to severe depletion of network bandwidth and exhaustion of valuable server resources. Additionally, it highlights the potential applicability of deep learning algorithms in the context of the HTTP/2 protocol. Additionally, the article proposes strategies to address challenges associated with DDoS attacks and the scarcity of adequate datasets for HTTP/2. This research contributes to a comprehensive understanding of the security implications surrounding the HTTP/2 protocol and provides valuable insights for advancing DDoS attack detection technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Youngjun Kim,Sungho Park,Yeunwoong Kyung,Jinwoo Park,Hyungoo Choi

DOI: https://doi.org/10.1587/TRANSINF.2021EDL8022

2021-09-01

Abstract:SUMMARY HTTP Distributed Denial of Service (DDoS) flooding attack aims to deplete the connection resources of a targeted web server by transmitting a massive amount of HTTP request packets using botnets. This type of attack seriously deteriorates the service quality of the web server by tying up its connection resources and uselessly holds up lots of network resources like link capacity and switching capability. This paper proposes a defense method for mitigating HTTP DDoS flooding attack based on software-defined networking (SDN). It is demonstrated in this paper that the proposed method can e ff ectively defend the web server and preserve network resources against HTTP DDoS flooding attacks.

Engineering,Computer Science

Run Guo,Weizhong Li,Baojun Liu,Shuang Hao,Jia Zhang,Haixin Duan,Kaiwen Sheng,Jianjun Chen,Ying Liu

DOI: https://doi.org/10.14722/ndss.2020.24411

2020-01-01

Abstract:A content delivery network (CDN) improves the accessing performance and availability of websites via its globally distributed network infrastructures, which contributes to the thriving of CDN-powered websites on the Internet. Because CDN-powered websites normally operate important businesses or critical services, attackers are mostly interested in taking down these high-value websites, to achieve severe damage with maximum influence. Because the CDN absorbs distributed attacking traffic with its massive bandwidth resources, it is commonly believed that CDN vendors provide effective DoS protection for the CDN-powered websites. However, we reveal that implementation or protocol weaknesses in the forwarding mechanisms of the CDN can be exploited to break this CDN protection. By sending crafted but legal requests, an attacker can launch an efficient DoS attack against the website origin behind it. In particular, we present three CDN threats in this study. By abusing the HTTP/2 request-converting behavior and HTTP pre-POST behavior of a CDN, an attacker can saturate the CDN-origin bandwidth and exhaust the connection limits of the origin. What is more concerning is that some CDN vendors use only a small set of traffic forwarding IPs with lower IP-churning rates to establish connections with the origin. This characteristic provides a great opportunity for an attacker to effectively degrade the global availability of a website just by cutting off specific CDN-origin connections. In this work, we examine the CDN request-forwarding behaviors across six well-known CDN vendors and perform real-world experiments to evaluate the severity of the threats. Because the threats are caused by flawed trade-offs made by the CDN vendors between usability and security, we discuss possible mitigation and received positive feedback after responsible disclosure to the aforementioned CDN vendors.

Shui Yu,Yonghong Tian,Song Guo,Dapeng Oliver Wu

2013-01-01

Abstract:DDoS attacks aim to exhaust the resources of victims, such as network bandwidth, computing power and operating system data structures. Early DDoS attacks emerged around the year 2000, and well-known web sites, such as CNN, Amazon and Yahoo, have been the targets of hackers since then. The purpose of early attacks was mainly for fun and curiosity about the technique. However, recently we have witnessed an explosive increase in cyber attacks due to the huge financial or political rewards available to cyber attackers [1]. Botnets are the engines behind major DDoS attacks. Hackers exploit the vulnerability of computers connected to the Internet, and establish an overlay network of compromised computers to commit malicious activities, such as DDoS attacks or information phishing. This kind of malicious network is what we call a botnet [2], [3]. A DDoS attack can be carried out in various forms, such as flooding packets or synchronization attacks [2]. Flooding packets is the most common and effective DDoS attack strategy amongst all the available attack weapons. It is critical for defenders to understand the size of botnets, which helps us to estimate the possible attack volume. There has been plenty of work completed on this issue, such as [1] and [4]. Rajab et al. [5] found the number of active bots a botmaster could manipulate was usually at the hundreds or a few thousands level. This means the resources a botnet owner can use is limited. Based on this fact, Yu et al. [6] proposed a similarity based DDoS detection method to beat flash crowd mimicking attacks. Traditionally, a potential victim would be vulnerable if they were left to deal with a DDoS flooding attack by themselves. As nature of the Internet is anarchical, potential victims, such as popular web sites, are usually left

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Yue Li,Yingjian Liu,Haoyu Yin,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.1109/jiot.2023.3297334

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Internet of Underwater Things (IoUT) needs to maintain effective communication even under the circumstances of severe environments and limited energy. Named Data Networking (NDN), a future network architecture, is starting to be used for IoUT as an effective architecture implementation. Despite having a good performance of data transmission, Underwater Named Data Networking (UNDN) nevertheless faces some security risks, such as Denial-of-Service (DoS) brought by Interest Flooding Attacks (IFAs). This paper proposes a novel DoS attack, Synergetic Denial-of-Service (SDoS), which can cause hiding damages to router’s Content Store (CS), Pending Interest Table (PIT), and Forwarding Information Base (FIB). We not only study the basic synergetic attack model of SDoS but also analyze some possible attack variants. Simulation results illustrate that SDoS entirely invalidates the only IFA detection algorithm in UNDN. Compared to ordinary IFAs, SDoS attacks increase network traffic fourfold. Furthermore, we discover a unique infection problem in UNDN and propose a countermeasure named Trident, which has meticulously designed adaptive threshold, Double Trial for attacker identification, and a self-proving mechanism based on leaky bucket. Experiment results demonstrate that Trident can detect and resist not only IFAs but also SDoS attacks effectively. Meanwhile, Trident also achieves good defense performance on the variants of SDoS and can take on burst traffic and network congestion robustly.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Yao Zhao,Sagar Vemuri,Jiazhen Chen,Yan Chen,Hai Zhou,Zhi Fu

DOI: https://doi.org/10.1109/DSN.2009.5270358

2009-01-01

Abstract:Security protocols are not as secure as we assumed. In this paper, we identified a practical way to launch DoS attacks on security protocols by triggering exceptions. Through experiments, we show that even the latest strongly authenticated protocols such as PEAP, EAP-TLS and EAP-TTLS are vulnerable to these attacks. Real attacks have been implemented and tested against TLS-based EAP protocols, the major family of security protocols for wireless LAN, as well as the return routability of mobile IPv6, an emerging lightweight security protocol in new IPv6 infrastructure. DoS attacks on PEAP, one popular TLS-based EAP protocol were performed and tested on a major university's wireless network, and the attacks were highly successful. We further tested the scalability of our attack through a series of ns-2 simulations. Countermeasures for detection of such attacks and improvements of the protocols to overcome these types of DoS attacks are also proposed and verified experimentally.

Gang Lei,Lejun Ji,Ruiwen Ji,Yuanlong Cao,Xun Shao,Xin Huang

DOI: https://doi.org/10.1155/2021/2264187

2021-07-07

Wireless Communications and Mobile Computing

Abstract:The multipath TCP (MPTCP) enables multihomed mobile devices to realize multipath parallel transmission, which greatly improves the transmission performance of the mobile communication network. With the rapid development of all kinds of emerging technologies, network attacks have shown a trend of development with many types and rapid updates. Among them, low-rate distributed denial of service (LDDoS) attacks are considered to be one of the most threatening issues in the field of network security. In view of the current research status, by using the network simulation software NS2, this paper first compares and analyzes the throughput and delay performance of the MPTCP transmission system under LDDoS attacks and, further, conducts simulation experiments and analysis on the queue occupancy rate of the LDDoS attack flow to extract the basic attack characteristics of the LDDoS attacks. The experimental results show that the LDDoS attacks will have a major destructive effect on the throughput performance and delay performance of the MPTCP transmission system, resulting in a decrease in the robustness of the transmission system. By analyzing and comparing the occupancy rate of the LDDoS attack flow in the MPTCP transmission system, it can be concluded that (1) the occupancy rate of the LDDoS scattered pulse traffic sent by each puppet machine changes slightly, and (2) the occupancy rate of LDDoS attack data flow is much greater than that of ordinary TCP data flow.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yinan Jing,Zheng Xiao,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/icniconsmcl.2006.159

2006-01-01

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. And the distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet. And we leverage the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate DDoS effect near attack sources as possible as we can. This defense framework is a serviceoriented economic model that not only motivates ISPs to deploy it, but also benefits all participants.

Chenxi Li,Jiahai Yang,Ziyu Wang,Fuliang Li,Yang Yang

DOI: https://doi.org/10.1109/GLOCOM.2015.7417159

2015-01-01

Abstract:DDoS flooding attack is one of the top threats to the Internet. However, due to the fast development of the Internet, current detection algorithms are already inadequate to meet the growth of network traffic. In this paper, we propose a lightweight algorithm. We first observe the real Internet traffic, and find that flows of DDoS flooding attack traffic are persistent and synchronous while most flows of normal traffic are short-lived and non-synchronous. According to this difference, we propose our detection algorithm. We label the alarms firstly and then confirm the attack. Our algorithm is lightweight and sensitive to the ongoing attack. However, randomly spoofing the IP address of the attack source to different IP addresses can hide the synchronization of attack flows. Thus, we add a spoofing IP detection algorithm called hop-count filter (HCF) to our algorithm to strengthen the robustness. At last, we evaluate our detection algorithm based on the real Internet traffic from CAIDA. Results show that our detection algorithm has a high accuracy (93.3%), no false positive in attack confirmation and just 1.1% false positive rate in labeling alarms. In addition, we analyze the challenges we may face when dealing with distributed LDoS attack.

Peng Zhang,Huanzhao Wang,Chengchen Hu,Chuang Lin

DOI: https://doi.org/10.1109/mnet.2016.1600109nm

IF: 10.294

2016-01-01

IEEE Network

Abstract:Software defined networking greatly simplifies network management by decoupling control functions from the network data plane. However, such a decoupling also opens SDN to various denial of service attacks: an adversary can easily exhaust network resources by flooding short-lived spoofed flows. Toward this issue, we present a comprehensive study of DoS attacks in SDN, and propose multi-layer fair queueing (MLFQ), a simple but effective DoS mitigation method. MLFQ enforces fair sharing of an SDN controller's resources with multiple layers of queues, which can dynamically expand and aggregate according to controller load. Both testbed-based and emulation-based experiments demonstrate the effectiveness of MLFQ in mitigating DoS attacks targeted at SDN controllers.

Chen Lei,Ye Dejian

DOI: https://doi.org/10.1109/isise.2008.225

2008-01-01

Abstract:Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks make great impacts on various applications of the Internet. It disrupts the service provided by the target through consuming the target's CPU, memory or network bandwidth. In this paper, we give a brief summary on traditional DoS, DDoS attacks and defense schemes first. Then, we point out the possibility of DoS, DDoS attacks on streaming media application by analyzing the characteristics of streaming media application and RTSP protocol, show the evidences about DoS, DDoS attacks on streaming media application and analyze all the reasons by simulating attack scenarios, finally point out these serious security issues for streaming media application.

Xiangbin Cheng,Jun Bi,Xing Li

DOI: https://doi.org/10.1109/icn.2008.79

2008-01-01

Abstract:Denial-of-Service (DoS) attacks play a significant role among all the network security issues today. In this paper, we present a mechanism (called Swing) to limit the effectiveness of DoS attacks. Inspired by the address-switch conception of the newly proposed shim6 protocol, Swing tries to protect servers from attacks by using a new strategy. In the mechanism, when a DoS attack is detected, the server will automatically change its address to get rid of the attack. Meanwhile, existing connections from normal clients will be kept using an address-switch protocol like shim6. A p2p network is included in the mechanism to help clients establish new connections to the server under attack situations, and side equipments are deployed near the server to monitor and reshape the network flow. This mechanism suggests a new kind of strategy to defend DoS attacks, and provides a resilient and effective solution.

Yen-Hung Chen,Yuan-Cheng Lai,Kai-Zhong Zhou

DOI: https://doi.org/10.3390/mi12091019

2021-08-26

Abstract:The Deterministic Network (DetNet) is becoming a major feature for 5G and 6G networks to cope with the issue that conventional IT infrastructure cannot efficiently handle latency-sensitive data. The DetNet applies flow virtualization to satisfy time-critical flow requirements, but inevitably, DetNet flows and conventional flows interact/interfere with each other when sharing the same physical resources. This subsequently raises the hybrid DDoS security issue that high malicious traffic not only attacks the DetNet centralized controller itself but also attacks the links that DetNet flows pass through. Previous research focused on either the DDoS type of the centralized controller side or the link side. As DDoS attack techniques are evolving, Hybrid DDoS attacks can attack multiple targets (controllers or links) simultaneously, which are difficultly detected by previous DDoS detection methodologies. This study, therefore, proposes a Flow Differentiation Detector (FDD), a novel approach to detect Hybrid DDoS attacks. The FDD first applies a fuzzy-based mechanism, Target Link Selection, to determine the most valuable links for the DDoS link/server attacker and then statistically evaluates the traffic pattern flowing through these links. Furthermore, the contribution of this study is to deploy the FDD in the SDN controller OpenDayLight to implement a Hybrid DDoS attack detection system. The experimental results show that the FDD has superior detection accuracy (above 90%) than traditional methods under the situation of different ratios of Hybrid DDoS attacks and different types and scales of topology.