Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Wei Dong,Gonglong Chen,Xiaoyu Zhang,Yi Gao

DOI: https://doi.org/10.1109/tmc.2018.2859270

IF: 6.075

2019-01-01

IEEE Transactions on Mobile Computing

Abstract:Most sensor networks employ distributed and dynamic routing protocols. The flexibility that each node can choose the best forwarder from a diverse candidate set could offer excellent routing performance when the network is highly dynamic. However, it sacrifices routing predictability since it is possible that routing loops are frequently formed. Can we increase the network predictability by controlling the network? As a step towards solving this problem, we introduce FlexCut, a flexible approach for cutting off wireless links, which essentially limits the candidate forwarder set of each node. Unlike existing SDN solutions, FlexCut introduces flexible control over existing distributed and dynamic routing protocols. FlexCut can trade arbitrary amounts of routing diversity for better network performance by exposing to network operators a parameter which quantifies the aggressiveness. We propose novel algorithms, both centralized and distributed, to cut off user-defined number of links so that loops can be alleviated while routing flexibility can be preserved to the largest extent. We evaluate FlexCut extensively by both testbed experiments and simulations. Results show that FlexCut improves the performance by 40% ~ 90% compared with a baseline algorithm in terms of our optimization goal. Results also show that FlexCut can improve the network performance of a sensor network by 20% ~ 35%, 30% ~ 50%, 25% respectively, in terms of packet delivery ratio, transmission delay and radio duty cycle.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Shuhan Chen,Congqi Shen,Chunming Wu,Yi Shen

DOI: https://doi.org/10.1109/ipccc55026.2022.9894298

2022-01-01

Abstract:The router throttling mechanism provides us a chance to prevent DDoS attack proactively through rate-limiting suspicious traffic before effective detection mechanism. The existing search-based and learning-based studies are highly customized to server load and can hardly cope with the constantly changing server load and unseen scenarios. To address the problem above, we design a self-evolutionary DDoS defense system, DeepThrottle, based on deep reinforcement learning (DRL) and router throttling mechanism in software defined network (SDN). The experimental results demonstrate that the DeepThrottle improves the passing ratio of normal traffic to the victim server, and reduces the server load under unseen attack scenarios compared with the state-of-the-art RL-based method.

LI Gang,HUA Bei,YANG Xing-liang

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.11.037

2006-01-01

Abstract:This paper proposes a router collaborating based adaptive detection and defending mechanism against DDoS.Through link congestion detection and packet dropping rate analysis,this mechanism can disclose the attack timely and construct the attack signatures accordingly.Then it is able to apply rate-limiting to the packets matching such signatures,and at the same time forward the attack signatures and rate-limiting request hop-by-hop to retrace the attack source using pushback protocol.During this process,rate-limiting is also employed on the intermediate routers,thus this algorithm not only manages to alleviate the link congestion and quench DDoS attack in a short period,but also protects normal network traffic to the utmost degree.And the simulation result on NS2 shows that the algorithm satisfactorily meets our expectation in attack-quenching and normal traffic protection.

Quan Ren,Tao Hu,Jiangxing Wu,Yuxiang Hu,Lei He,Julong Lan

DOI: https://doi.org/10.1016/j.comnet.2021.108134

IF: 5.493

2021-01-01

Computer Networks

Abstract:SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of multi-heterogeneous path data within a certain period, and multipath can also achieve load balance by weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system test show that this framework can achieve high accuracy of flow transmission and high availability of system. At the same time, multipath comparing forwarding will bring some performance costs such as delay, bandwidth, and jitter at initial and attacking time. However, when the appropriate forwarding mode and reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as traditional multipaths', such as we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in prototype system.

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Mingwei Xu,Meijia Hou,Dan Wang,Jiahai Yang

DOI: https://doi.org/10.1016/j.comnet.2012.09.006

IF: 5.493

2013-01-01

Computer Networks

Abstract:In recent years, there are substantial demands to reduce packet loss on the Internet. Among the proposed schemes, finding backup paths in advance is considered to be an effective method to reduce the reaction time. Very commonly, a backup path is chosen to be the most disjoint path from the primary path, or on the network level, a backup path is computed for each link (e.g., IPFRR). The validity of this straightforward choice is based on two things. The first thing is all the links may have the equal likelihood to fail; the second thing is, facing the high protection requirement today, it just looks weird to have links not protected or to share links between the primary and backup paths. Nevertheless, many studies have confirmed that the individual vulnerability of the links on the Internet is far from being equal. In addition, we have observed that full protection schemes (In this paper, full protection schemes means schemes (1) in which backup path is a most disjoint path from the primary path; or (2) which compute backup path for each link.) may introduce high cost (e.g., computation).

Kexin Chen,Hang Wang,Peilin Hong

DOI: https://doi.org/10.1109/icc45041.2023.10279833

2023-01-01

Abstract:Multi-tenancy and the vulnerabilities of network isolation make Low-Rate Distributed Denial-of-Service (LDDoS) severe threats to cloud data centers. Due to the stealthy nature of the LDDoS attack, it is not easy to detect in data center networks (DCN) with frequent Incast traffic. And the traditional Detect-Drop defense strategy may drop some benign flows, significantly reducing user experience. To this end, this paper first proposes a mathematical model that reveals the attack aggregation mechanism and queuing pattern of LDDoS attack in DCN. On this basis, this article proposes a novel defense strategy that can interfere with LDDoS attack aggregation without breaking the benign user's connection. When there is an attack detected, the information of normal and suspicious flows will be roughly grouped and notified to the preceding switch, where they will enter different switch queues separately. Afterward, the packets in the suspicious flow queue will be added with a subtle delay when dequeuing. As for the attack flows, it directly results in the inability to aggregate into large pulses. For the normal flow, it merely increases the flow completion time (FCT) by a few microseconds. It is due to this property that the method proposed can defend against attacks without affecting the connection of the normal flows. The simulation results are consistent with the theoretical analysis and show that this strategy can effectively recover the network performance. Moreover, it achieves excellent robustness at low detection accuracy, making it suitable for running in DCN.

Pan Zhou,Jie Xu,Wei Wang,Yuchong Hu,Dapeng Oliver Wu,Shouling Ji

DOI: https://doi.org/10.1109/tnet.2019.2930464

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:We consider the online shortest path routing (SPR) of a network with stochastically time varying link states under potential adversarial attacks. Due to the denial of service (DoS) attacks, the distributions of link states could be stochastic (benign) or adversarial at different temporal and spatial locations. Without any a priori, designing an adaptive and optimal DoS-proof SPR protocol to thwart all possible adversarial attacks is a very challenging issue. In this paper, we present the first such integral solution based on the multi-armed bandit (MAB) theory, where jamming is the adversarial strategy. By introducing a novel control parameter into the exploration phase for each link, a martingale inequality is applied in our formulated combinatorial adversarial MAB framework. The proposed algorithm could automatically detect the specific jammed and un-jammed links within a unified framework. As a result, the adaptive online SPR strategies with near-optimal learning performance in all possible regimes are obtained. Moreover, we propose the accelerated algorithms by multi-path route probing and cooperative learning among multiple sources, and study their implementation issues. Comparing to existing works, our algorithm has the respective 30.3% and 87.1% improvements of network delay for oblivious jamming and adaptive jamming given a typical learning period and a 81.5% improvement of learning duration under a specified network delay on average, while it enjoys almost the same performance without jamming. Lastly, the accelerated algorithms can achieve a maximal of 150.2% improvement in network delay and a 431.3% improvement in learning duration.

Hou Meijia,Wang Dan,Xu Mingwei,Yang Jiahai

DOI: https://doi.org/10.1109/ICDCS.2009.7

2009-01-01

Abstract:In recent years, there are substantial demands to reduce packet loss in the Internet. Among the schemes proposed, finding backup paths in advance is considered to be an effective method to reduce the reaction time. Very commonly, a backup path is chosen to be a most disjoint path from the primary path, or in the network level, backup paths are computed for all links (e.g., IPRFF). The validity of this straightforward choice is based on 1) all the links may fail with equal probability; and 2) facing the high protection requirement today, having links not protected or sharing links between the primary and backup paths just simply look weird. Nevertheless, indications from many research studies have confirmed that the vulnerability of the links in the Internet is far from equality. In addition, we have seen that full protection schemes may introduce high costs. In this paper, we argue that such approaches may not be cost effective. We first analyze the failure characteristics based on real world traces from CERNET2, the China Education and Research NETwork 2. We observe that the failure probabilities of the links is heavy-tail, i.e., a small set of links caused most of the failures. We thus propose a selective protection scheme. We carefully analyze the implementation details and the overhead for general backup path schemes of the Internet today. We formulate an optimization problem where the routing performance (in terms of network level availability) should be guaranteed and the backup cost should be minimized. This cost is special as it involves computation overhead. Consequently, we propose a novel Critical-Protection Algorithm which is fast itself. We evaluate our scheme systematically, using real world topologies and randomly generated topologies . We show significant gain even when the network availability requirement is 99.99% as compared to that of the full protection scheme. © 2009 IEEE.

Qian Wang,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1109/iccsn.2017.8230285

2017-01-01

Abstract:In this paper, we introduce a SDN(Software Defined Network) based DDoS(Distributed Denial of Service) Defense mechanism. Our mechanism employs SDN's flexibility to redirect packets. The traffic between clients and servers is relayed by a group of dynamic proxy node switches. After several shuffles, our mechanism can mitigate DDoS attack as well as quarantine attackers. The simulation results confirm the effectiveness of our mechanism. In order to accelerate the process of segregating, we propose a efficient algorithm replacing enumerative algorithm. Numerical results verify that the performance of efficient algorithm is closed to enumerative one.

Hung-Min Sun,Chiung-Hsun Chen,Chih-Wen Yeh,Yao-Hsin Chen

DOI: https://doi.org/10.1007/s00779-012-0537-y

2013-01-01

Personal and Ubiquitous Computing

Abstract:Mobile ad hoc networks (MANETs) are vulnerable to active attacks, such as dropping attacks, replay attacks, collusion attacks, and tampering attacks. Many researches have been proposed to provide security transmission. However, they cannot effectively and efficiently resist colluding attacks. Therefore, we propose a collaborative routing protocol (CRP) to detect and isolate colluding attackers via monitor mechanism. Monitor nodes observe and record the behavior of intermediate nodes. Based on the records of intermediate nodes, source node can distinguish malicious nodes and isolate them. Finally, security analyses and simulation verify that CRP can effectively and efficiently resist black hole attacks, gray hole attacks, modify and fake packet attacks, rushing attacks, and collusion attacks.

Yandong Liu,Mianxiong Dong,Kaoru Ota,Jianhua Li,Jun Wu

DOI: https://doi.org/10.1109/CAMAD.2018.8514971

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack has remained as one of the most destructive attacks for more than two decades. Although great efforts have been made to design the defense mechanism, it is still difficult to mitigate these attacks in real time smartly and effectively for the reason that attack traffic may mix with benign traffic. Software-Defined Networks (SDN) decouples control and data plane in the network. Its centralized control paradigm and global view of the network bring some new chances to enhance the defense ability against network attacks. In this paper, we propose a deep reinforcement learning based framework, which can smartly learn the optimal mitigation policies under different attack scenarios and mitigate the DDoS flooding attack in real time. This framework is an effective system to defend against a wide range of DDoS flooding attacks such as TCP SYN, UDP, and ICMP flooding. It can intelligently learn the patterns of attack traffic and throttle the attack traffic, while the traffic of benign users is forwarded normally. We compare our proposed framework with a baseline along with a popular state-of-the-art router throttling method. The experimental results show that our approach can outperform both of them in five attacking scenarios with different attack dynamics significantly.

Xin Li,Peng Yi,Yiming Jiang,Jing Yu

DOI: https://doi.org/10.1088/1742-6596/1738/1/012103

2021-01-01

Journal of Physics Conference Series

Abstract:Abstract With the rapid development of network attacks, traditional security protection technology is difficult to deal with unknown threats and persistent attacks. Active defense improves the ability to defend against network attacks by building a dynamic, heterogeneous and redundant endogenous security system. Aiming at the problem of single abnormal arbitrament information of routers in mimic defense, a router abnormal traffic detection strategy based on active defense is proposed. By clustering the traffic information of multiple heterogeneous redundant routing function entities and comparing the distance measurement between them, the routing function entities in abnormal state are determined. The experimental results show that the proposed strategy effectively detects the security threats of routing functional entities and expand the method of mimic router arbitrament.

Guang Jin,Jiangang Yang,Wei Wei,Yabo Dong

DOI: https://doi.org/10.1109/CHINACOM.2007.4498433

2007-01-01

Abstract:A novel packet marking scheme is proposed to defend against network or bandwidth DDoS attacks, especially where malicious packets do not target the victim directly. A recent study shows that packet-level symmetry exists in legitimate Internet traffic while malicious flooding traffic often exhibits packet asymmetry. Our scheme utilizes the packet asymmetry to differentiate malicious and legitimate traffic. When a packet to a destination host is transmitted from a router, a packet asymmetry score, the ratio of transmitted to received packets of the destination host over the last interval, is calculated and recorded into the packet's header additively. Malicious packets should carry higher scores because of the absence of reverse packets. When packets with packet asymmetry scores arrive at a downstream router, where some packets are dropped because of congestion, the router should drop packets with higher scores preferentially. Simulation results show the scheme is effective to defend against DDoS attacks targeting network resources.