Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Ziming Zhao,Zhaoxuan Li,Zhihao Zhou,Jiongchi Yu,Zhuoxue Song,Xiaofei Xie,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103663

IF: 5.105

2023-12-21

Computers & Security

Abstract:Distributed Denial of Service (DDoS) defense is a profound research problem. In recent years, adversaries tend to complicate their attack strategies by crafting vast DDoS variants. On the one hand, this trend exacerbates both extremes of classification granularity ( i.e. , binary and attack level) in existing machine learning methods. On the other hand, massive attack categories make the filter rule table bulky, as well as cause problems of slow reaction presented in the recent state-of-the-art DDoS mitigation system. Therefore, we propose the concept of a DDoS family to reconcile/cope with these issues. The specific technical roadmap includes traffic pattern characterization, attack fingerprint production, and cross-executed family partition by community detection. Through extensive evaluations, we demonstrate the benefits of the proposal in terms of portraying similarities, guiding model classification/unknown attack detection, optimizing defense strategies, and speeding filtering reactions. For instance, our results show that using only one rule can defend 15 types of attacks due to their homogeneous behavioral representation. Particularly, we find the interesting observation that counting the backward packet is more efficient and robust against some attacks ( e.g. , Tor's Hammer Attack), which is very different from previous solutions.

computer science, information systems

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Li Xinlei,Zheng Kangfeng,Yang Yixian

DOI: https://doi.org/10.1109/icie.2009.107

2009-01-01

Abstract:The distributed denial of service attacks have become more and more frequent and caused some fatal problems. Many researches have been done to detect and defend such attacks, however, many solutions are still in the phase of theoretical studies. Some of them may have certain practical value, but they have to reconstruct the existing network and the routing instruments with great cost. This paper proposes a DDoS attack defending scheme based on network processor. The scheme takes advantage of network processor's powerful process ability to divide the network flow into different types firstly, and then uses a QoS mechanism to ensure essential communications as well as to eliminate the attack flow to the greatest extent. Experiment results show that the scheme can provide enough bandwidth for high priority flow, and effectively weaken the attack flow.

Zhongqiang Chen,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxl042

2007-01-01

The Computer Journal

Abstract:By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus, leading to unavailability of computing systems services. Various defense mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested including resource redundancy, traceback of attack origins and identification of programs with suspicious behavior. Contemporary DDoS attacks employ sophisticated techniques including formation of hierarchical networks, one-way communication channels, encrypted messages, dynamic ports allocation and source address spoofing to hide the attackers' identities; such techniques make both detection and tracing of DDoS activities a challenge and render traditional DDoS defense mechanisms ineffective. In this paper, we propose the DDoS Container, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks; the framework operates in 'inline' mode to inspect and manipulate ongoing traffic in real-time. By keeping track of connections established by both potential DDoS attacks and legitimate applications, the suggested DDoS Container carries out stateful inspection on data streams and correlates events among sessions. The framework performs stream re-assembly and dissects the resulting aggregations against protocols followed by various known DDoS attacks facilitating their identification. The traffic pattern analysis and data correlation of the framework further enhance its detection accuracy on DDoS traffic camouflaged with encryption. Actions available on identified DDoS traffic range from simple alerting to message blocking and proactive session termination. Experimentation with the prototype of our DDoS Container shows its effectiveness in classifying DDoS traffic.

HOU Jun,LI Qian-mu,ZHANG Hong

DOI: https://doi.org/10.3969/j.issn.1009-7902.2006.06.018

2006-01-01

Abstract:Distributed denial-of-service(DDoS) attacks present an immense threat to the Internet.They engage the power of a vast number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate clients.As a side effect,they frequently create network congestion on the way from a source to the target,thus disrupting normal Internet operation.The existing security mechanisms do not provide effective defense against these attacks.A large number of attacking machines and the use of source IP address spoofing make the trace back impossible.The use of legitimate packets for the attack and the varying of packet fields disable characterization and filtering of the attack streams.This paper analyzes the principle of DDoS attacks and typical attack types,researches into two detection models and proposes a detection model.Several kinds of technology of data mining are introduced,some data mining arithmetic compared and some problems to be resolved are proposed accordingly.

Bin TONG,Zhi-guang QIN,Wei-feng JIA,Jian-wei SONG

DOI: https://doi.org/10.3969/j.issn.1001-0548.2008.04.029

2008-01-01

Abstract:According to the characteristics of DoS/DDoS attack, a defense model adopting data-mining technology is proposed. Based on real-time sample traffic, this model extracts trusted IP list by association analysis to filter, and evaluates packets' danger degree by adopting bayes algorithm. This model makes up disadvantages of traditional filtering based on trusted source IP, and effectively differentiates normal traffic and abnormal traffic. Experimental datum proves this model can launch real-time and effective defense against DoS/DDoS attack.

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

Liao Qin,Li Hong,Kang Songlin,Liu Chuchu

DOI: https://doi.org/10.1109/ChiCC.2014.6895878

2014-01-01

Abstract:Distributed Denial of Service (DDoS) has been one of the greatest threats to network security for years. In recent years, DDoS attackers turn to application layer, which makes DDoS attack detection systems based on net layer and transport layer lost their performance. In this layer, Web service is the most vulnerable application. The study in this paper analyzed the differentiation between user behavior based on web log, as we proposed a series of features based on user behavior to represent characteristics of user behavior, and then, transformed web logs which contain authentic legal users' records and attackers' records to an 14 dimensional feature space. In particular, through the transformation, our work aims to obtain a better representation for users' behaviors, as well as to investigate the relative differences and/or similarities between DDoS attackers and normal users. Finally, we simulated four kinds of prevalent application layer DDoS attack and conducted experiments using three classical data mining classification algorithms to certify the effectiveness of our method. Experimental results show that proposed features are good to distinguish legal users and attackers in application layer.

Zhang jing,Hu huaping,Liu bo,Xiao fengtao,Chen xin

DOI: https://doi.org/10.3969/j.issn.1674-9456.2010.07.011

2010-01-01

Abstract:Because of the present architecture of Internet and the lack mechanism of certifi cation making DDoS attacks occurs very easy. And the fast development of botnet has been offered powerful tool for DDoS attacks. DDoS attack is one of major threat of network security, so how to defend DDoS attacks become a hot point of network security research. Based on the model of DDoS attacks and analyzing the reason of attacks’ occur, we introduce the defense technology of DDoS attacks from four aspects: attack prevention, attack detection, attack response and attack source tracking. In the last, we suggest the worthy research points.

Muhai Li,Ming Li

2008-01-01

Abstract:Distribution denial-of-service (DDoS) constitutes one of the major threats and among the hardest security problems in today's Internet. However, DDoS detection techniques, such as signature-based detection, anomaly-based detection, and wavelet-based signal analysis, face the considerable challenge of determining network-based flooding attacks from sudden increases in legitimate activity or flash events. In this paper, we study the basic characteristic of network traffic, and propose a method for meeting the challenge. By taking full advantage of known traffic in normal state, we design a detection algorithm for dealing with DDoS attacks. We have carried out experiments with actual data to evaluate the algorithm. The results show that it can recognize DDoS attacks.

Dawei Wang,Longtao He,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/CCIS.2012.6664254

2012-01-01

Abstract:DoS is still one of the most serious attacks on the Internet. Payload-based approaches are effective to known DOS attacks but are unable to be deployed on high-speed networks. To address this issue, flow-based DOS detection schemes have been proposed for highspeed networks as an effective supplement of payload-based solutions. However, existing flow-based solutions have serious limitations in detecting unknown attacks and efficiently identifying real attack flows buried in the background traffic. In addition, existing solutions also have difficulty to adapt to attack dynamics. To address these issues, this paper proposes a flow-based DOS detection scheme based on Artificial Immune systems. We adopt a tree structure to store flow information such that we can effectively extract useful features from flow information for better detecting DoS attacks. We employ Neighborhood Negative Selection (NNS) as the detection algorithm to detect unknown DoS attacks, and identify attack flows from massive traffic. Because the strong tolerance of NNS, the proposed solution is able to quickly adapt attack dynamics. The experimental results show that this solution is able to effectively detect unknown DoS attack flows and identify attack flows from background traffic. Meanwhile, the theoretical analysis demonstrates that this system can extract flow features more effectively.

Naziya Aslam,Shashank Srivastava,M.M. Gore

DOI: https://doi.org/10.1016/j.compeleceng.2024.109282

IF: 4.152

2024-05-17

Computers & Electrical Engineering

Abstract:Software-Defined Networking (SDN) enhances network management and efficiency and is particularly effective in defending against Distributed Denial of Service (DDoS) attack through its centralized structure. Our proposed DDoS SourceTracer Application utilizes SDN to efficiently identify and mitigate DDoS attack by employing tracebacking and clustering techniques. This application uses supervised and ensemble machine learning algorithms for attack detection, and feature selection methods like the Chi-square test, ANOVA (Analysis of Variance) F-test, Correlation matrix, and Extra tree classifier to optimize the feature set. Our results show that the clustering approach outperforms traditional methods like rate limiting and blocking and effectively mitigates the attack in just 3.5 s. We used the sFlow-RT tool on the Zoo topology to perform real-time analysis and validate our application's effectiveness during attack and normal traffic. This tool analyzes how attack traffic is impacted when using clustering and tracebacking methods to mitigate DDoS attack.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Linkai Zheng,Xiang Li,Chuhan Wang,Run Guo,Haixin Duan,Jianjun Chen,Chao Zhang,Kaiwen Shen

DOI: https://doi.org/10.14722/ndss.2024.24031

2024-01-01

Abstract:Content Delivery Networks (CDNs) are ubiquitous middleboxes designed to enhance the performance of hosted websites and shield them from various attacks.Numerous notable studies show that CDNs modify a client's request when forwarding it to the original server.Multiple inconsistencies in this forwarding operation have been found to potentially result in security vulnerabilities like DoS attacks.Nonetheless, existing research lacks a systematic approach to studying CDN forwarding request inconsistencies.In this work, we present REQSMINER, an innovative fuzzing framework developed to discover previously unexamined inconsistencies in CDN forwarding requests.The framework uses techniques derived from reinforcement learning to generate valid test cases, even with minimal feedback, and incorporates real field values into the grammar-based fuzzer.With the help of REQSMINER, we comprehensively test 22 major CDN providers and uncover a wealth of hitherto unstudied CDN forwarding request inconsistencies.Moreover, the application of specialized analyzers enables REQSMINER to extend its capabilities, evolving into a framework capable of detecting specific types of attacks.By extension, our work further identifies three novel types of HTTP amplification DoS attacks and uncovers 74 new potential DoS vulnerabilities with an amplification factor that can reach up to 2,000 generally, and even 1,920,000 under specific conditions.The vulnerabilities detected were responsibly disclosed to the affected CDN vendors, and mitigation suggestions were proposed.Our work contributes to fortifying CDN security, thereby enhancing their resilience against malicious attacks and preventing misuse.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Junjiang He,Wenbo Fang,Xiaolong Lan,Geying Yang,Ziyu Chen,Yang Chen,Tao Li,Jiangchuan Chen

DOI: https://doi.org/10.1155/2024/9044391

IF: 8.993

2024-11-02

International Journal of Intelligent Systems

Abstract:Application‐layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application‐layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application‐layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application‐layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application‐layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.

computer science, artificial intelligence

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.