Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Boyang Zhou,Chunming Wu,Qiang Yang,Xiang Chen,Dong Zhang

DOI: https://doi.org/10.1155/2022/2566681

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Computer networks are facing the challenge of stealthy crossfire attacks that flood through persistent routes (PRs) towards their decoys at a low rate for disrupting end-to-end connectivity of the target. At first, the PRs can be stealthily probed at the initial stage of the attack. Later, some undefended and vulnerable PRs can be speculated at the renaissance stage of the attack, which yet remains unconcerned. To achieve an effective defense against the two-stage attacks, this paper investigates a new persistent route diversification defense (PRDD) mechanism to mitigate each identified PR under the attacks. The PRDD effectively stops the flooding on the PRs to mitigate their congestion. Meanwhile, it makes the adversary unable to probe or speculate the PRs under their corresponding attack stages. Thus, it disables every flooding choice for the adversary, avoiding the attacks. The PRDD is designed with scalable algorithmic complexity in computation and overhead. The PRDD is extensively assessed using NS-3 and Mininet, and the results show the following. (a) It is more effective in mitigating more attacked PRs compared with the existing solutions. (b) The defense performance of the PRDD remains highly scalable in computation, while maintaining an acceptable overhead.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

魏蔚,董亚波,鲁东明

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.02.010

2010-01-01

Abstract:Distributed denial of service(DDoS)attack was defended by distributed filtering.Distributed defense was restricted inside autonomous system(AS),which was a suitable bound for defense.Both bandwidth and processing capability of victim were considered.The filtering threshold was dynamically adjusted in AS edge according to the throughput of victim in support vector machine(SVM)-based multi-resource max-min fairness(SMMF)algorithm.Then SMMF achieved multi-resource max-min fairness and was much effective.Simulation results demonstrate that attacking traffic can be depressed in a common scenario and the legitimate throughput can be kept in a normal level when current methods fail.A realiza-tion of filters on PC-based router indicates that only a very small amount of memory is needed and the packet throughput is still normal when thousands of filters are installed.

Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Mostafa Rezazad,Matthias R. Brust,Mohammad Akbari,Pascal Bouvry,Ngai-Man Cheung

DOI: https://doi.org/10.48550/arXiv.1903.01550

2019-03-01

Cryptography and Security

Abstract:A novel class of extreme link-flooding DDoS (Distributed Denial of Service) attacks is designed to cut off entire geographical areas such as cities and even countries from the Internet by simultaneously targeting a selected set of network links. The Crossfire attack is a target-area link-flooding attack, which is orchestrated in three complex phases. The attack uses a massively distributed large-scale botnet to generate low-rate benign traffic aiming to congest selected network links, so-called target links. The adoption of benign traffic, while simultaneously targeting multiple network links, makes detecting the Crossfire attack a serious challenge. In this paper, we present analytical and emulated results showing hitherto unidentified vulnerabilities in the execution of the attack, such as a correlation between coordination of the botnet traffic and the quality of the attack, and a correlation between the attack distribution and detectability of the attack. Additionally, we identified a warm-up period due to the bot synchronization. For attack detection, we report results of using two supervised machine learning approaches: Support Vector Machine (SVM) and Random Forest (RF) for classification of network traffic to normal and abnormal traffic, i.e, attack traffic. These machine learning models have been trained in various scenarios using the link volume as the main feature set.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Kaigui Bian,Jung-Min Park,Ruiliang Chen

DOI: https://doi.org/10.1109/glocom.2006.266

2006-01-01

Abstract:Denial-of-Service (DoS) attacks pose a major threat to the availability of wireless ad hoc networks. Fault tolerant operation of wireless ad hoc networks will depend on the placement of DoS countermeasures in sufficiently robust form. In this paper, we describe a novel type of DoS attack called the Stasis Trap attack, and propose a technique for detecting such an attack. Stasis Trap attack has two distinguishing characteristics-it has a cross-layer design, and is stealthy. The Stasis Trap attack has a cross-layer design in that it is launched from the MAC layer but its aim is to degrade the end-to-end throughput of flows at the transport layer by exploiting TCP's congestion-control mechanism. Specifically, an adversary launches a Stasis Trap attack against neighboring nodes by periodically preempting the wireless channel in order to cause large variations in the round trip time (RTT) of TCP flows. Channel preemptions are carried out by manipulating the back-off mechanism of the Distributed Coordinating Function of the 802.11 MAC protocol. The periodic preemptions induce large RTT variations in the TCP flows that are within the transmission range of the adversary. This in turn causes a significant drop in the throughput of those flows, thereby creating a "stasis trap" around the adversary that entangles TCP flows. The aforementioned attack severely degrades end-to-end throughput but has very little effect on MAC-layer throughput, and hence it is very hard to detect at the MAC layer, which is its point of attack. In this sense, this attack is stealthy. To detect the Stasis Trap attack, we propose a minimax robust decentralized detection framework with robust hypothesis testing.

Bingshuang Liu,Skyler Berg,Jun Li,Tao Wei,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1109/ICCCN.2014.6911808

2014-01-01

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS. By leveraging peer-to-peer (P2P) file-sharing networks, SF-DRDoS becomes more surreptitious and powerful than traditional DRDoS. An attacker can store carefully prepared data on reflector nodes before the flooding phase to greatly increase the amplification factor of an attack. We implemented a prototype of SF-DRDoS on Kad, a popular Kademlia-based P2P file-sharing network. With real-world experiments, this attack achieved an amplification factor of 2400 on average, with the upper bound of attack bandwidth at 670 Gbps in Kad. Finally, we discuss possible defenses to mitigate the threat of SF-DRDoS.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

LI Pei-Guo,BI Jun,ZHOU Zi-Jian

2008-01-01

Periodical of Ocean University of China

Abstract:Source address spoofing has become a widely used mechanism to achieve attack because it is easy to launch and difficult to detect and trace.Source address spoofing attacks pose a significant threat to the Internet today.Network security is facing a severe challenge we have never met before.It is an important task to research source address spoofing attacks.This paper surveys the definition of source address spoofing attacks,explains the principles of Backscatter and ICMP techniques,and analyzes the newest Backscatter data captured by CAIDA network telescopes from the macro and micro views.The traffic of ICMP packets is extracted and gathered by advanced data mining and statistical analysis techniques.The distribution of attacked ports by source address spoofing is given according to the ICMP packet.Some major attacked services are analyzed in detail and new methods of DoS/DDoS by means of spoofing are also explored,including their hazards.Finally,the source address spoofing attacks situation on the Internet and future work are discussed to conclude the article.

Dimitrios Gkounis,Vasileios Kotronis,Xenofontas Dimitropoulos

DOI: https://doi.org/10.48550/arXiv.1412.2013

2014-12-05

Networking and Internet Architecture

Abstract:In this work, we propose online traffic engineering as a novel approach to detect and mitigate an emerging class of stealthy Denial of Service (DoS) link-flooding attacks. Our approach exploits the Software Defined Networking (SDN) paradigm, which renders the management of network traffic more flexible through centralised flow-level control and monitoring. We implement a full prototype of our solution on an emulated SDN environment using OpenFlow to interface with the network devices. We further discuss useful insights gained from our preliminary experiments as well as a number of open research questions which constitute work in progress.

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Yuanjie Li,Hewu Li,Zhizheng Lv,Xingkun Yao,Qianru Li,Jianping Wu

DOI: https://doi.org/10.1145/3460120.3484737

2021-01-01

Abstract:We devise a simple, provably effective, and readily usable deterrence against intelligent, unknown DDoS threats: Demotivate adversaries to launch attacks via multi-hop traffic divergence. This new strategy is motivated by the fact that existing defenses almost always lag behind numerous emerging DDoS threats and evolving intelligent attack strategies. The root cause is if adversaries are smart and adaptive, no single-hop defenses (including optimal ones) can perfectly differentiate unknown DDoS and legitimate traffic. Instead, we formulate intelligent DDoS as a game between attackers and defenders, and prove how multi-hop traffic divergence helps bypass this dilemma by reversing the asymmetry between attackers and defenders. This insight results in EID, an Economical Intelligent DDoS Demotivation protocol. EID combines local weak (yet divergent) filters to provably null attack gains without knowing exploited vulnerabilities or attack strategies. It incentivizes multi-hop defenders to cooperate with boosted local service availability. EID is resilient to traffic dynamics and manipulations. It is readily deployable with random-drop filters in real networks today. Our experiments over a 49.8 TB dataset from a department at the Tsinghua campus network validate EID's viability against rational and irrational DDoS with negligible costs.