Xiang Li,Dashuai Wu,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00264

2024-01-01

Abstract:DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors.We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Mehak Fatima,Arshad Ali,Muhammad Tausif Afzal Rana,Muhammad Ahmad,Fakhar Un Nisa,Hamayun Khan,Hafiz Umar Farooq,Muhammad Ahsan Ur Raheem

DOI: https://doi.org/10.26782/jmcms.2024.10.00009

2024-10-10

JOURNAL OF MECHANICS OF CONTINUA AND MATHEMATICAL SCIENCES

Abstract:The Internet of Things (IoTs) are emerging and become a vital need in our daily routine. The privacy protection and insecurity of these IoT-based devices face many challenges. Distributed denial of service (DDoS) attacks in IoT networks become a significant growing challenge that is addressed in this research. The resilience and strategy for IoT devices due to distributed denial of service (DDoS) attacks assess current security measures by proposing modern procedures to upgrade the strength of IoT frameworks. This article proposes a mechanism that mitigiates the effects of DDoS attacks in IoTs, that cause significant destruction to existing systems. Utilizing secondary data from Kaggle, the machine is trained and tested. Our proposed approach incorporates descriptive statistics, correlations, t-tests, chi-square tests, and regression analyses to supply a systematic understanding of IoT security by critically analyzing the existing variants of numerous DDoS attacks, Security issues in IoTs, and creation of them in Botnets or zombies. Our findings show that the proposed security techniques are viable and detection rates correlate with security viability. The proposed model asses various network threat and cybersecurity arrangements for mitigating DDoS attacks in IoT’s and outperforms the previously implemented Web Application Firewall (WAF), Bot Mitigation, Resource Prioritisation, and Content Delivery Networks (CDNs)based DDoS mitigation techniques by 80.5%, 88%, 86% in terms of effectiveness, T-test, chi test, and correlation.

Rebeen Rebwar Hama Amin,Dana Hassan,Masnida Hussin

DOI: https://doi.org/10.24017/science.2020.2.6

2020-12-06

Kurdistan Journal of Applied Research

Abstract:DNS reflection/amplification attacks are types of Distributed Denial of Service (DDoS) attacks that take advantage of vulnerabilities in the Domain Name System (DNS) and use it as an attacking tool. This type of attack can quickly deplete the resources (i.e. computational and bandwidth) of the targeted system. Many defense mechanisms are proposed to mitigate the impact of this type of attack. However, these defense mechanisms are centralized-based and cannot deal with a distributed-based attack. Also, these defense mechanisms have a single point of deployment which leads to a lack of computational resources to handle an attack with a large magnitude. In this work, we presented a new distributed-based defense mechanism (DDM) to counter reflection/ amplification attacks. While operating, we calculated the CPU counters of the machines that we deployed our defense mechanism with which showed 19.9% computational improvement. On top of that, our defense mechanism showed that it can protect the attack path from exhaustion during reflection/amplification attacks without putting any significant traffic load on the network by eliminating every spoofed request from getting responses.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Yuan Cao,Yuan Gao,Rongjun Tan,Qingbang Han,Zhuotao Liu

DOI: https://doi.org/10.1109/ACCESS.2018.2877710

IF: 3.9

2018-01-01

IEEE Access

Abstract:Defending against distributed denial of service (DDoS) attacks in the Internet is a fundamental problem. One practical approach to addressing DDoS attacks is to redirect all destination (e.g., via DNS or BGP) to a third-party, DDoS protection-as-a-service provider (e.g., Cloudflare and Akamai), which is well provisioned and equipped with proprietary filtering mechanisms to remove attack traffic before passing the remaining traffic to the destination. Although such an approach is appealing, as it requires no modification to the existing Internet infrastructure and can scale to handle very large attacks, recent industrial interviews with more than 100 interviewees from over 10 industry segments reveal that this approach alone is not sufficient, especially for large organizations (e.g., Web hosting companies and government) that cannot afford to allow third-parity security-service providers to terminate their network connections. Instead, these organizations have to rely on their ISPs to filter attack traffic. In this paper, we discuss the challenges faced by the ISPs in order to disrupt the Internet security-service market and sketch our solutions, powered by smart contracts.

Shui Yu,Yonghong Tian,Song Guo,Dapeng Oliver Wu

2013-01-01

Abstract:DDoS attacks aim to exhaust the resources of victims, such as network bandwidth, computing power and operating system data structures. Early DDoS attacks emerged around the year 2000, and well-known web sites, such as CNN, Amazon and Yahoo, have been the targets of hackers since then. The purpose of early attacks was mainly for fun and curiosity about the technique. However, recently we have witnessed an explosive increase in cyber attacks due to the huge financial or political rewards available to cyber attackers [1]. Botnets are the engines behind major DDoS attacks. Hackers exploit the vulnerability of computers connected to the Internet, and establish an overlay network of compromised computers to commit malicious activities, such as DDoS attacks or information phishing. This kind of malicious network is what we call a botnet [2], [3]. A DDoS attack can be carried out in various forms, such as flooding packets or synchronization attacks [2]. Flooding packets is the most common and effective DDoS attack strategy amongst all the available attack weapons. It is critical for defenders to understand the size of botnets, which helps us to estimate the possible attack volume. There has been plenty of work completed on this issue, such as [1] and [4]. Rajab et al. [5] found the number of active bots a botmaster could manipulate was usually at the hundreds or a few thousands level. This means the resources a botnet owner can use is limited. Based on this fact, Yu et al. [6] proposed a similarity based DDoS detection method to beat flash crowd mimicking attacks. Traditionally, a potential victim would be vulnerable if they were left to deal with a DDoS flooding attack by themselves. As nature of the Internet is anarchical, potential victims, such as popular web sites, are usually left

Opeyemi Peter Ojajuni,Yasser Ismail,Albertha Lawson

DOI: https://doi.org/10.4018/ijtd.2020040102

2020-04-01

International Journal of Technology Diffusion

Abstract:The Internet of Things (IoT) allows different devices with internet protocol (IP) address to be connected together via the internet to collect, provide, store, and exchange data amongst themselves. The distributed denial of service (DDoS) attack is one of the inevitable challenges which should be addressed in the development of the IoT. A DDoS attack has the potential to render a victim's services unavailable, which can then lead to additional challenges such as website outage, financial loss, reputational damage and loss of confidential information. In this article, a framework of the SDN controller via an application programming interface (API) is compared to an existing framework. SDN provides a new architecture that can detect and mitigate a DDoS attack so that it makes the networking functionalities programmable via the API and also it centralizes the control management of the IoT devices. Experimental results show the capability of the SDN framework to analyze a real-time traffic of the SDN controller via the API by setting a control bandwidth usage threshold using the API.

Yuyang Zhou,Guang Cheng,Shui Yu

DOI: https://doi.org/10.1109/tifs.2021.3127009

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The Internet of Things (IoT) is becoming truly ubiquitous in every domain of human lives, and a large number of objects can be connected and enabled to communicate with cloud servers at any time. However, complex connections and vulnerabilities of IoT devices introduce inevitable security threats, in which distributed denial-of-service (DDoS) attacks usually incur catastrophic results. Unfortunately, the existing DDoS mitigation methods cannot provide effective protection. Moreover, the amplifying complexity and increasing delay incurred by defense greatly affect the stability of IoT networks. To tackle these problems, we present a novel framework that can proactively adapt the attack surface of IoT networks, dynamically optimize defense strategies, and rapidly deploy the corresponding defense mechanisms. In particular, we establish hybrid proactive defense mechanisms combining Moving Target Defense (MTD) techniques with cyber deception to spread camouflage information to confuse attackers. Based on these mechanisms, we introduce a defender-led signaling game model to formalize defense scenarios and depict the interactions between the defender and the attacker. Besides, we present an optimal algorithm to solve decision problems and optimize defense implementation in a cost-effective manner. Our extensive experiments demonstrate that the proposed approach can effectively mitigate DDoS attacks and maintain a high level of performance in IoT networks with acceptable overhead.

Michele Nogueira

DOI: https://doi.org/10.48550/arXiv.1611.09983

2016-11-30

Abstract:Volumetric Distributed Denial of Service (DDoS) attacks have been a recurrent issue on the Internet. These attacks generate a flooding of fake network traffic to interfere with targeted servers or network links. Despite many efforts to detect and mitigate them, attackers have played a game always circumventing countermeasures. Today, there is an increase in the number of infected devices, even more with the advent of the Internet of Things and flexible communication technologies. Leveraging device-to-device short range wireless communications and others, infected devices can coordinate sophisticated botnets, which can be employed to intensify DDoS attacks. The new generation of botnets is even harder to detect because of their adaptive and dynamic behavior yielded by infected mobile portable devices. Additionally, because there can be a large number of geographically distributed devices, botnets increase DDoS traffic significantly. In face of their new behavior and the increasing volume of DDoS traffic, novel and intelligent-driven approaches are required. Specifically, we advocate for {\em anticipating} trends of DDoS attacks in the early stages as much as possible. This work provides an overview of approaches that can be employed to anticipate trends of DDoS attacks generated by botnets in their early stages and brings an insightful discussion about the advantages of each kind of approach and open issues.

Networking and Internet Architecture,Cryptography and Security

Bruno Miller,Xihui Zhang

DOI: https://doi.org/10.48009/3_iis_2020_168-178

2020-01-01

Issues in Information Systems

Abstract:As the Internet of Things (IoT) becomes ubiquitous and cybersecurity attacks rapidly evolve, IoT devices must be secured.Their infection can lead to compromised networks, stolen information, service disruptions, and botnet attacks.Botnet attacks, such as Distributed Denial of Service (DDoS), strengthen with larger numbers of devices and IoT devices make great targets for this reason.As IoT devices grow in number, the strength and risk of these massive attacks grow.Infamous botnet attacks, such as Mirai, have proven this to be a serious threat.IoT security faces unique challenges including detection difficulties, device limitations, and user attitudes and education.This paper reviews and analyzes 21 articles providing information on tools and techniques for securing IoT devices against these threats.A multi-layer approach to IoT-botnet detection and prevention is suggested consisting of: the outer layer consisting of ISP architecture; the middle layer consisting of advanced detection methods and DDoS detection and mitigation; and the inner layer consisting of user attitudes, education, and security best practices.By addressing security challenges at multiple points along the botnet lifecycle and within each layer, our proposed approach provides a holistic strategy for detecting and preventing botnet attacks.

Gang Liu,Wei Quan,Nan Cheng,Hongke Zhang,Shui Yu

DOI: https://doi.org/10.1016/j.jnca.2019.01.006

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Stateful forwarding plane is fully considered as a novel forwarding paradigm, which is proven to be beneficial to delivery efficiency and resilient to certain types of attacks. However, this fresh attempt also introduces "varietal" Denial-of-Service attack due to complicated forwarding state operations, which may cause long-term memory exhaustion of forwarding nodes, especially for resource-limited IoT nodes. This new distributed exhaustion attack is extremely hidden and there is currently no effective defense against it. In this paper, we first establish a game model to analyze the attack benefit between attacker and defender. To further make the defender obtain more utility, it is significative to make the defender manage expired state-entries during stateful forwarding. To this end, we propose an enhanced distributed low-rate attack mitigating (eDLAM) mechanism. Particularly, eDLAM maintains a lightweight malicious request table (MRT), which is very small, to offload burden of practical forwarding state table. When a packet request is matched in MRT, it will be marked and dropped directly without any impact on forwarding state table. Based on this, eDLAM adopts an optimal threshold update method for MRT to achieve a maximum defender utility. We evaluate the eDLAM performance in terms of false negatives rate (FNR) and false positives rate (FPR). Extensive experimental results show that eDLAM can reduce FNR by 10.5% and FPR by 44% on average compared with state-of-the-art mechanisms.

Kuai Xu,Feng Wang,Sergio Jimenez,Andrew Lamontagne,John Cummings,Mitchell Hoikka

DOI: https://doi.org/10.1109/jiot.2020.2999327

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:The recent spate of cyber attacks and security threats toward Internet-of-Things (IoT) systems in smart cities, smart homes, and industry 4.0 calls for effective techniques to understand if, when, who, what IoT systems are exploited and compromised by Internet attackers. Toward this end, this article attempts to study DNS behavioral patterns of IoT systems in edge networks as a first step of characterizing their communication patterns and their interactions with IoT users, cloud servers, and other IoT or non-IoT devices in the same edge networks. Specifically, we analyze the temporal-spatial patterns of DNS behaviors of a variety of IoT systems in two dozens of edge networks and develop a simple yet effective Bloom filter mechanism for detecting anomalous traffic patterns based on unusual DNS queries and answers. To the best of our knowledge, this article is the first effort to systematically measure and monitor IoT network traffic from a DNS perspective for providing the security of heterogeneous IoT systems and ensuring IoT user privacy.

Xuyang Ding,Feng Xiao,Man Zhou,Zhibo Wang

DOI: https://doi.org/10.1109/trustcom50675.2020.00040

2020-01-01

Abstract:The DDoS attack is a serious threat to Internet of Things (IoT).As a new class of DDoS attack, Link-flooding attack (LFA) disrupts connectivity between legitimate IoT devices and target servers by flooding only a small number of links.In this paper, we propose an active LFA mitigation mechanism, called Linkbait, that is a proactive and preventive defense to throttle LFA for IoT.We propose a link obfuscation algorithm in Linkbait that selectively reroutes probing flows to hide target links from adversaries and mislead them to identify bait links as target links.To block attack traffic and further reduce the impact in IoT, we propose a compromised IoT devices detection algorithm that extracts unique traffic patterns of LFA for IoT and leverages support vector machine (SVM) to identify attack traffic.We evaluate the performance of Linkbait by using both real-world experiments and large-scale simulations.The experimental results demonstrate the effectiveness of Linkbait.

FuiFui Wong,Cheng Xiang Tan

DOI: https://doi.org/10.5121/ijnsa.2014.6305

2014-01-01

Abstract:Distributed Denial of Service (DDoS) attacks today have been amplified into gigabits volume with broadband Internet access; at the same time, the use of more powerful botnets and common DDoS mitigation and protection solutions implemented in small and large organizations’ networks and servers are no longer effective. Our survey provides an in-depth study on the current largest DNS reflection attack with more than 300 Gbps on Spamhaus.org. We have reviewed and analysed the current most popular DDoS attack types that are launched by the hacktivists. Lastly, effective cloud-based DDoS mitigation and protection techniques proposed by both academic researchers and large commercial cloud-based DDoS service providers are discussed.

Keval Doshi,Yasin Yilmaz,Suleyman Uludag

DOI: https://doi.org/10.48550/arXiv.2006.08064

2020-06-15

Abstract:Internet of Things (IoT) networks consist of sensors, actuators, mobile and wearable devices that can connect to the Internet. With billions of such devices already in the market which have significant vulnerabilities, there is a dangerous threat to the Internet services and also some cyber-physical systems that are also connected to the Internet. Specifically, due to their existing vulnerabilities IoT devices are susceptible to being compromised and being part of a new type of stealthy Distributed Denial of Service (DDoS) attack, called Mongolian DDoS, which is characterized by its widely distributed nature and small attack size from each source. This study proposes a novel anomaly-based Intrusion Detection System (IDS) that is capable of timely detecting and mitigating this emerging type of DDoS attacks. The proposed IDS's capability of detecting and mitigating stealthy DDoS attacks with even very low attack size per source is demonstrated through numerical and testbed experiments.

Cryptography and Security,Networking and Internet Architecture,Machine Learning

Saman Taghavi Zargar,James Joshi,David Tipper

DOI: https://doi.org/10.1109/surv.2013.031413.00127

2013-01-01

Abstract:Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

computer science, information systems,telecommunications

Brij B. Gupta,Anshuman Singh

DOI: https://doi.org/10.4018/ijswis.297143

2022-01-01

Abstract:The demand for Internet security has escalated in the last two decades because the rapid proliferation in the number of Internet users has presented attackers with new detrimental opportunities. One of the simple yet powerful attack, lurking around the Internet today, is the Distributed Denial-of-Service (DDoS) attack. The expeditious surge in the collaborative environments, like IoT, cloud computing and SDN, have provided attackers with countless new avenues to benefit from the distributed nature of DDoS attacks. The attackers protect their anonymity by infecting distributed devices and utilizing them to create a bot army to constitute a large-scale attack. Thus, the development of an effective as well as efficient DDoS defense mechanism becomes an immediate goal. In this exposition, we present a DDoS threat analysis along with a few novel ground-breaking defense mechanisms proposed by various researchers for numerous domains. Further, we talk about popular performance metrics that evaluate the defense schemes. In the end, we list prevalent DDoS attack tools and open challenges.

Computer Science,Engineering

Abdullah Aydeger,Pei Zhou,Sanzida Hoque,Marco Carvalho,Engin Zeydan

2024-10-03

Abstract:One of the most critical components of the Internet that an attacker could exploit is the DNS (Domain Name System) protocol and infrastructure. Researchers have been constantly developing methods to detect and defend against the attacks against DNS, specifically DNS flooding attacks. However, most solutions discard packets for defensive approaches, which can cause legitimate packets to be dropped, making them highly dependable on detection strategies. In this paper, we propose MTDNS, a resilient MTD-based approach that employs Moving Target Defense techniques through Software Defined Networking (SDN) switches to redirect traffic to alternate DNS servers that are dynamically created and run under the Network Function Virtualization (NFV) framework. The proposed approach is implemented in a testbed environment by running our DNS servers as separate Virtual Network Functions, NFV Manager, SDN switches, and an SDN Controller. The experimental result shows that the MTDNS approach achieves a much higher success rate in resolving DNS queries and significantly reduces average latency even if there is a DNS flooding attack.

Networking and Internet Architecture,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Emerging Technologies

Saurav Kumar,Ajit kumar Keshri

DOI: https://doi.org/10.1016/j.knosys.2024.112052

IF: 8.139

2024-06-21

Knowledge-Based Systems

Abstract:The Internet of Things enables the creation of transmitted use cases for interconnected devices and complementary channels. The varied structure of it creates additional security needs and problems. In particular, the safeguards used in the IoT should adjust to the changing environment. One of the major dangers to the World Wide Web (WWW) things is Distributed Denial of Service (DDoS). Therefore, in this work, an intelligent Game Theory-based Adaptive security (GT-AS) mathematical model was developed to maximize the effectiveness of DDoS attack mitigation. Moreover, this strategy can strongly derive the five parameters such as energy channel, memory, intruder, and hybrid. These all can achieve a stronger defense posture against DDoS attacks from the newly designed IoT. Consequently, the Recurrent Bat (RB) framework is developed to classify the nodes into two classes such as trusted node and malicious node. In addition, the proposed frameworks analyze how protection effectiveness and energy consumption interact when evaluating adaptive security techniques. To analyze the effectiveness of the suggested paradigm, researchers also give the outcomes of simulation experiments. Researchers demonstrate that, in comparison to existing models, the developed approach has increased the lifespan of the connected objects by 47 %. Also, the developed strategy has attained better accuracy and lower error rates when comparing traditional strategies. Moreover, the packet delivery ratio is 60 KB, energy consumption is 116 KJ, Mean Location Error is 0.078 and resource usage is 148.

computer science, artificial intelligence