Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Tingxin Sun,Jiayi Cai,Kaiwei Guo,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/globecom54140.2023.10437875

2023-01-01

Abstract:In Internet Service Provider (ISP) networks, Amplified Reflection DDoS (AR-DDoS) attack is one of the main attack categories, which launches gigabytes of traffic with little effort and minimal cost. Thus, the mitigation of AR-DDoS attacks has been considered as a crucial part. In particular, such mitigation requires full coverage (i.e., mitigating AR-DDoS attacks launched from any location) and low overhead (i.e., mitigation should avoid high latency that degrades user experience). However, existing solutions suffer from either limited coverage or high overhead. In this paper, we propose Aigis, a distributed framework that offers full-coverage and low-overhead mitigation of AR-DDoS attacks. Our key idea is to co-design top-of-rack (ToR) switches and end-hosts, which offers line-rate packet processing performance and fine-grained view inherently, to jointly execute endpoint verification. Specifically, Aigis selectively offloads mitigation operations between ToR switches and end-hosts and implements a network-wide epoch synchronization mechanism to guarantee reliable verification. It efficiently coordinates ToR switches and end-hosts to execute the entire mitigation task. We have implemented Aigis on a testbed comprising 32x100 Gbps Tofino switches. Testbed experiments indicate that Aigis achieves complete full coverage and orders of magnitude lower host-side overhead compared to existing solutions.

Xiang Chen,Hongyan Liu,Junyi Guo,Xinyue Jiang,Qun Huang,Dong Zhang,Chunming Wu,Haifeng Zhou

DOI: https://doi.org/10.1109/infocom48880.2022.9796758

2022-01-01

Abstract:In data center networks (DCNs), host-side packet processing accounts for a large portion of the end-to-end latency of TCP flows. Thus, the profiling of host-side latency anomalies has been considered as a crucial part in DCN performance diagnosis and troubleshooting. In particular, such profiling requires full coverage (i.e., profiling every TCP packet handled by end-hosts) and low overhead (i.e., profiling should avoid high CPU consumption in end-hosts). However, existing solutions fully rely on end-hosts to implement host-side latency profiling, leading to low coverage or high overhead. In this paper, we propose Torp, a framework that offers full-coverage and low-overhead profiling of host-side latency. Our key idea is to offload profiling operations to top-of-rack (ToR) switches, which inherently offer full coverage and line-rate packet processing performance. Specifically, Torp selectively offloads profiling operations to the ToR switch based on switch limitations. It efficiently coordinates the ToR switch and end-hosts to execute the entire latency profiling task. We have implemented Torp on 32×100Gbps Tofino switches. Testbed experiments indicate that Torp achieves full coverage and orders of magnitude lower host-side overhead compared to other solutions.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1109/ICCIS.2008.4670732

2008-01-01

Abstract:Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers. © 2008 IEEE.

Xiang Chen,Hongyan Liu,Dong Zhang,Qun Huang,Haifeng Zhou,Chunming Wu,Qiang Yang

DOI: https://doi.org/10.1109/mnet.107.2100643

IF: 10.294

2022-01-01

IEEE Network

Abstract:Distributed denial-of-service (DDoS) attacks have long been the most severe and destructive attack on modern networks. Some solutions place several middleboxes that run security-oriented network functions (SNFs) in the network to defend against DDoS attacks. However, middleboxes are proprietary and fixed-function, making them costly and inflexible when handling attack dynamics. Another class of solutions exploits the capability of software-defined networking (SDN) and network function virtualization (NFV) to run virtualized SNFs on commodity servers. This reduces the cost of DDoS attack mitigation while enabling high flexibility by dynamically removing or adding SNF instances. However, this class of solutions sacrifices packet processing performance and incurs non-trivial end-to-end latency, which is unacceptable for many latency-sensitive internet services. Recently, the emergence of programmable switches brings a promising alternative solution: arbitrary SNFs can be directly performed in line-rate ASIC pipelines of programmable switches, enabling low-cost, flexible, and high-performance DDoS attack mitigation. In this article, we present an illustrative survey of recent solutions that leverage programmable switches to provide DDoS attack mitigation. Our survey can help understand how to make full use of the benefits of programmable switches to defend against DDoS attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Guanyu Li,Menghao Zhang,Shicheng Wang,Chang Liu,Mingwei Xu,Ang Chen,Hongxin Hu,Guofei Gu,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2021.3062621

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Distributed Denial-of-Service (DDoS) attacks have become a critical threat to the Internet. Due to the increasing number of vulnerable Internet of Things (IoT) devices, attackers can easily compromise a large set of nodes and launch high-volume DDoS attacks from the botnets. State-of-the-art DDoS defenses, however, have not caught up with the fast development of the attacks. Middlebox-based defenses can achieve high performance with specialized hardware; however, these defenses incur a high cost, and deploying new defenses typically requires a device upgrade. On the other hand, software-based defenses are highly flexible, but software-based packet processing leads to high performance overheads. In this article, we propose Poseidon, a system that addresses these limitations in today's DDoS defenses. It leverages emerging programmable switches, which can be reconfigured in the field without additional hardware upgrades. Users of Poseidon can specify their defense strategies in a modular fashion in the form of a set of defense primitives; this can be further customized easily for each network and extended to include new defenses. Poseidon then maps the defense primitives to run on programmable switches-and when necessary, on server software-for effective defense. When attacks change, Poseidon can reconfigure the underlying defense primitives to respond to the new attack patterns. Evaluations using our prototype demonstrate that Poseidon can effectively defend against high-volume attacks, easily support customization of defense strategies, and adapt to dynamic attacks with low overheads.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Zaoxing Liu,Hun Namkung,Georgios Nikolaidis,Jeongkeun Lee,Changhoon Kim,Xin Jin,Vladimir Braverman,Minlan Yu,Vyas Sekar

2021-01-01

Abstract:The emergence of programmable switches offers a new opportunity to revisit ISP-scale defenses for volumetric DDoS attacks. In theory, these can offer better cost vs. performance vs. flexibility trade-offs relative to proprietary hardware and virtual appliances. However, the ISP setting creates unique challenges in this regard-we need to run a broad spectrum of detection and mitigation functions natively on the programmable switch hardware and respond to dynamic adaptive attacks at scale. Thus, prior efforts in using programmable switches that assume out-of-band detection and/or use switches merely as accelerators for specific tasks are no longer sufficient, and as such, this potential remains unrealized. To tackle these challenges, we design and implement Jaqen, a switch-native approach for volumetric DDoS defense that can run detection and mitigation functions entirely inline on switches, without relying on additional data plane hardware. We design switch-optimized, resource-efficient detection and mitigation building blocks. We design a flexible API to construct a wide spectrum of best-practice (and future) defense strategies that efficiently use switch capabilities. We build a network-wide resource manager that quickly adapts to the attack posture changes. Our experiments show that Jaqen is orders of magnitude more performant than existing systems: Jaqen can handle large-scale hybrid and dynamic attacks within seconds, and mitigate them effectively at high line-rates (380 Gbps).

Yuanjun Dai,An Wang,Yang Guo,Songqing Chen

DOI: https://doi.org/10.1145/3559759

IF: 5.3

2023-02-23

ACM Transactions on Internet Technology

Abstract:Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Albeit various defenses, they keep growing in size, frequency, and duration. The new network paradigm, Software-defined networking (SDN), is also vulnerable to DDoS attacks. SDN uses logically centralized control, bringing the advantages in maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested due to their limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we conduct measurements to evaluate the throughput of the software control agents on some of the hardware switches when they are under attacks. Then, we design a new mechanism, called Scotch , to enable the network to scale up its capability and handle the DDoS attack traffic. In our design, the congestion works as an indicator to trigger the mitigation mechanism. Scotch elastically scales up the control plane capacity by using an Open vSwitch-based overlay. Scotch takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase the SDN network scalability and resiliency under abnormal (e.g., DDoS attacks) traffic surges. We have implemented a prototype and experimentally evaluated Scotch . Our experiments in the small-scale lab environment and large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.

computer science, information systems, software engineering

Menghao Zhang,Guanyu Li,Shicheng Wang,Chang Liu,Ang Chen,Hongxin Hu,Guofei Gu,Qi Li,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.14722/ndss.2020.24007

2020-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks have become a critical threat to the Internet. Due to the increasing number of vulnerable Internet of Things (IoT) devices, attackers can easily compromise a large set of nodes and launch high-volume DDoS attacks from the botnets. State-of-the-art DDoS defenses, however, have not caught up with the fast development of the attacks. Middlebox-based defenses can achieve high performance with specialized hardware; however, these defenses incur a high cost, and deploying new defenses typically requires a device upgrade. On the other hand, software-based defenses are highly flexible, but software-based packet processing leads to high performance overheads. In this paper, we propose POSEIDON, a system that addresses these limitations in today's DDoS defenses. It leverages emerging programmable switches, which can be reconfigured in the field without additional hardware upgrade. Users of POSEIDON can specify their defense strategies in a modular fashion in the form of a set of defense primitives; this can be further customized easily for each network and extended to include new defenses. POSEIDON then maps the defense primitives to run on programmable switches-and when necessary, on server software-for effective defense. When attacks change, POSEIDON can reconfigure the underlying defense primitives to respond to the new attack patterns. Evaluations using our prototype demonstrate that POSEIDON can effectively defend against high-volume attacks, easily support customization of defense strategies, and adapt to dynamic attacks with low overheads.

Yu Zhou,Zhaowei Xi,Dai Zhang,Yangyang Wang,Jinqiu Wang,Mingwei Xu,Jian Wu

DOI: https://doi.org/10.1145/3359989.3365406

2019-01-01

Abstract:Modern network research and operations are inseparable from network testers to evaluate performance limits of proofs-of-concept, troubleshoot failures, etc. Existing network testers suffer from either constrained flexibility or a low performance-cost ratio. In this paper, we propose a new network tester, HyperTester. The core of HyperTester is to leverage new-generation programmable switches for generating and capturing test traffic with high performance, low cost, and remarkable flexibility. We design a series of efficient mechanisms, including template-based packet generation, false-positive-free counter-based queries, and stateless connections to realize various network testing tasks upon switches with limited programmability and resources. Meanwhile, to facilitate developing testing tasks upon HyperTester, we provide a high-level network testing API. We have implemented HyperTester on the Tofino switch and built dozens of network testing tasks. The evaluations on the hardware testbed show that HyperTester supports line-rate packet generation (400Gbps in the testbed) with highly-accurate rate control, while HyperTester can save $40150 per Tps and 9225W per Tbps when compared with the software network testers.

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Biao Han,Xiangrui Yang,Zhigang Sun,Jinfeng Huang,Jinshu Su

DOI: https://doi.org/10.1155/2018/9649643

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Distributed Denial of Service (DDoS) attacks are one of the biggest concerns for security professionals. Traditional middle-box based DDoS attack defense is lack of network-wide monitoring flexibility. With the development of software-defined networking (SDN), it becomes prevalent to exploit centralized controllers to defend against DDoS attacks. However, current solutions suffer with serious southbound communication overhead and detection delay. In this paper, we propose a cross-plane DDoS attack defense framework in SDN, called OverWatch, which exploits collaborative intelligence between data plane and control plane with high defense efficiency. Attack detection and reaction are two key procedures of the proposed framework. We develop a collaborative DDoS attack detection mechanism, which consists of a coarse-grained flow monitoring algorithm on the data plane and a fine-grained machine learning based attack classification algorithm on the control plane. We propose a novel defense strategy offloading mechanism to dynamically deploy defense applications across the controller and switches, by which rapid attack reaction and accurate botnet location can be achieved. We conduct extensive experiments on a real-world SDN network. Experimental results validate the efficiency of our proposed OverWatch framework with high detection accuracy and real-time DDoS attack reaction, as well as reduced communication overhead on SDN southbound interface.

Junchen Pan,Kunpeng He,Lei Zhang,Zhuotao Liu,Xinggong Zhang,Yong Cui

DOI: https://doi.org/10.1109/iwqos61813.2024.10682912

2024-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a critical and persistent threat to the Internet. Recent DDoS detection schemes based on emerging programmable switches can achieve higher processing throughput and improve detection accuracy. However, with limited data plane memory, such schemes are not suitable for handling a large number of concurrent flows. Prior arts that attempt to increase memory efficiency have failed to do so without the expense of cost and accuracy. In this paper, we propose NetSentry, the first programmable switch based dynamic pooled testing DDoS detector. NetSentry detects DDoS in a pooled testing manner, where multiple flows are grouped to share the same storage unit on the data plane. NetSentry designs an elastic flow aggregation mechanism to dynamically adjust the detection granularity. Further, to achieve accurate DDoS detection for aggregated flows, NetSentry implements frequency domain DDoS detection on programmable switches. Evaluations of NetSentry’s hardware prototype show that NetSentry can achieve better accuracy while saving up to 91% of the data plane memory required to store flow features compared to the state-of-the-art programmable switch-based flow classification scheme.

Xiaolin Chen,Hui Deng,Feng Wang,Mu Mu,Sanglu Lu

DOI: https://doi.org/10.1109/ICYCS.2008.509

2008-01-01

Abstract:In application-level DDoS attacks, attackers mimic legitimate client behavior by sending proper-looking requests via bots. The previous DDoS solutions focus on bandwidth flooding attacks, and have encountered significant difficulty in deployment. This paper presents a deployable architecture that counts the application-level DDoS attacks against Web servers by combining overlay and IP anycast. In this architecture, when a protected Web server is under attacks, the traffic to the server will be redirected to an overlay via IP anycast. The overlay nodes provide effective protection to the server by the distributed filter, the distributed traffic control, and also by building a temporary collaborative edge Web cache. We demonstrate that this novel architecture has strong incentives to deploy and is able to be deployed by a single ISP without any modifications to implementation of routers and end host. We then discuss its properties and design challenges.

Jun Li,Skyler Berg,Mingwei Zhang,Peter Reiher,Tao Wei

DOI: https://doi.org/10.1145/2740070.2631469

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:End hosts in today's Internet have the best knowledge of the type of traffic they should receive, but they play no active role in traffic engineering. Traffic engineering is conducted by ISPs, which unfortunately are blind to specific user needs. End hosts are therefore subject to unwanted traffic, particularly from Distributed Denial of Service (DDoS) attacks. This research proposes a new system called DrawBridge to address this traffic engineering dilemma By realizing the potential of software-defined networking (SDN), in this research we investigate a solution that enables end hosts to use their knowledge of desired traffic to improve traffic engineering during DDoS attacks.

Alexandre da Silveira Ilha,Ângelo Cardoso Lapolli,Jonatas Adilson Marques,Luciano Paschoal Gaspary,Angelo Cardoso Lapolli

DOI: https://doi.org/10.1109/tnsm.2020.3048265

2021-09-01

IEEE Transactions on Network and Service Management

Abstract:Distributed Denial-of-Service (DDoS) attacks have been steadily escalating in frequency, scale, and disruptiveness—with outbreaks reaching multiple terabits per second and compromising the availability of highly-resilient networked systems. Existing defenses require frequent interaction between forwarding and control planes, making it difficult to reach a satisfactory trade-off between accuracy (higher is better), resource usage, and defense response delay (lower is better). Recently, high-performance programmable data planes have made it possible to develop a new generation of mechanisms to analyze and manage traffic at line rate. In this article, we explore P4 language constructs and primitives to design Euclid, a fully in-network fine-grained, low-footprint, and low-delay traffic analysis mechanism for DDoS attack detection and mitigation. Euclid utilizes information-theoretic and statistical analysis to detect attacks and classify packets as either legitimate or malicious, thus enabling the enforcement of policies (e.g., discarding, inspection, or throttling) to prevent attack traffic from disrupting the operation of its victims. We experimentally evaluate our proposed mechanism using packet traces from CAIDA. The results indicate that Euclid can detect attacks with high accuracy (98.2%) and low delay (≈250 ms), and correctly identify most of the attack packets (>96%) without affecting more than 1% of the legitimate traffic. Furthermore, our approach operates under a small resource usage footprint (tens of kilobytes of static random-access memory per 1 Gbps link and a few hundred ternary content-addressable memory entries), thus enabling its deployability on high-throughput, high-volume scenarios.

David Chunhu Li,Hsuan-Hao Tu,Li-Der Chou

DOI: https://doi.org/10.1016/j.compeleceng.2024.109307

IF: 4.152

2024-05-30

Computers & Electrical Engineering

Abstract:This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system's ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Qing LI,LeJun CHI,ZhaoXin ZHANG

DOI: https://doi.org/10.5815/ijwmt.2011.02.05

2011-01-01

International Journal of Wireless and Microwave Technologies

Abstract:Due to the rapid spread of botnets, distributed denial of service attacks have become more and more frequent and fatal.In order to detect and defend DDoS attack, many researches have been done, such as using NS2 to simulate such attacks.However, the major bottlenecks in large-scale network simulation are the memory usage and simulation time.In this paper, we present a novel approach to simulate DDoS attack, called Analytical Packet Forwarding Model (APFM), which simplifies the procedure of packet forwarding based on computation.The experimental results show that our model ensures the authenticity of the overall simulation procedure and simulation results, compared to NS2.The most significant contribution of APFM is that it significantly reduced the memory usage and simulation time.