Detection and defense of application-layer DDoS attacks in backbone web traffic

Web servers are usually located in a well-organized data center where these servers connect with the outside Internet directly through backbones. Meanwhile, the application-layer distributed denials of service (AL-DDoS) attacks are critical threats to the Internet, particularly to those business web servers. Currently, there are some methods designed to handle the AL-DDoS attacks, but most of them cannot be used in heavy backbones. In this paper, we propose a new method to detect AL-DDoS attacks. Our work distinguishes itself from previous methods by considering AL-DDoS attack detection in heavy backbone traffic. Besides, the detection of AL-DDoS attacks is easily misled by flash crowd traffic. In order to overcome this problem, our proposed method constructs a Real-time Frequency Vector (RFV) and real-timely characterizes the traffic as a set of models. By examining the entropy of AL-DDoS attacks and flash crowds, these models can be used to recognize the real AL-DDoS attacks. We integrate the above detection principles into a modularized defense architecture, which consists of a head-end sensor, a detection module and a traffic filter. With a swift AL-DDoS detection speed, the filter is capable of letting the legitimate requests through but the attack traffic is stopped. In the experiment, we adopt certain episodes of real traffic from Sina and Taobao to evaluate our AL-DDoS detection method and architecture. Compared with previous methods, the results show that our approach is very effective in defending AL-DDoS attacks at backbones.     

基于特征参数相关性的DDoS攻击检测算法

针对传统方法难以实时有效地检测分布式拒绝服务攻击(DDoS)的问题,通过DDoS攻击的基本特征分析,从理论上严格区分了DDoS攻击流和正常突发流,并且在此基础上提出了一种基于特征参数相关性的DDoS攻击检测算法.该算法能在早期检测出DDoS攻击流,而这时的DDoS攻击包特征并不明显,并且该算法能有效地区分DDoS攻击流和正常的突发流.实验结果表明了该算法的有效性和精确性.     

RMCARTAM For DDoS Attack Mitigation in SDN Using Machine Learning

The impact of a Distributed Denial of Service (DDoS) attack on Software Defined Networks (SDN) is briefly analyzed. Many approaches to detecting DDoS attacks exist, varying on the feature being considered and the method used. Still, the methods have a deficiency in the performance of detecting DDoS attacks and mitigating them. To improve the performance of SDN, an efficient Real-time Multi-Constrained Adaptive Replication and Traffic Approximation Model (RMCARTAM) is sketched in this article. The RMCARTAM considers different parameters or constraints in running different controllers responsible for handling incoming packets. The model is designed with multiple controllers to handle network traffic but can turn the controllers according to requirements. The multi-constraint adaptive replication model monitors different features of network traffic like rate of packet reception, class-based packet reception and target-specific reception. According to these features, the method estimates the Replication Turning Weight (RTW) based on which triggering controllers are performed. Similarly, the method applies Traffic Approximation (TA) in the detection of DDoS attacks. The detection of a DDoS attack is performed by approximating the incoming traffic to any service and using various features like hop count, payload, service frequency, and malformed frequency to compute various support measures on bandwidth access, data support, frequency support, malformed support, route support, and so on. Using all these support measures, the method computes the value of legitimate weight to conclude the behavior of any source in identifying the malicious node. Identified node details are used in the mitigation of DDoS attacks. The method stimulates the network performance by reducing the power factor by switching the controller according to different factors, which also reduces the cost. In the same way, the proposed model improves the accuracy of detecting DDoS attacks by estimating the features of incoming traffic in different corners.     

D-WARD: a source-end defense against flooding denial-of-service attacks

Defenses against flooding distributed denial-of-service (DDoS) commonly respond to the attack by dropping the excess traffic, thus reducing the overload at the victim. The major challenge is the differentiation of the legitimate from the attack traffic, so that the dropping policies can be selectively applied. We propose D-WARD, a source-end DDoS defense system that achieves autonomous attack detection and surgically accurate response, thanks to its novel traffic profiling techniques, the adaptive response and the source-end deployment. Moderate traffic volumes seen near the sources, even during the attacks, enable extensive statistics gathering and profiling, facilitating high response selectiveness. D-WARD inflicts an extremely low collateral damage to the legitimate traffic, while quickly detecting and severely rate-limiting outgoing attacks. D-WARD has been extensively evaluated in a controlled testbed environment and in real network operation. Results of selected tests are presented in the paper.     

一种新型大规模分布式拒绝服务检测模型研究

将基于HOPCOUNT的异常数据包过滤技术引入到TaoPeng等人提出的检测方法中,提出了一个新型的DDoS攻击的检测模型.通过判定算法,该模型能够较为准确的区分出正常通信量和异常通信量,并在此基础上,运用CUSUM算法监测两个特征量,实现了DDoS攻击检测.此外,本文将Bloom Filter算法引入到数据库的查找过程中,提高了检测的性能以及检测模型自身的安全性.实验结果证明,该检测模型能够以较高的精确度及时的检测出DDoS攻击行为.     

一种IPv6环境下实时DDoS防御方法

现有的DDoS防御方法大多是针对传统IPv4网络提出的,而且它们的防御实时性还有待进一步提高。针对这种情况,提出了一种IPv6环境下实时防御DDoS的新方法,其核心思想是首先在受害者自治系统内建立决策判据树,然后依据决策判据1和2对该树进行实时监控,如果发现攻击,就发送过滤消息通知有关实体在受害端和源端一起对攻击包进行过滤,从而保护受害者。实验证明,该方法能够在秒钟数量级检测到攻击并且对攻击包进行过滤,能有效地防范多个DDoS攻击源。另外,该方法还能准确地区分攻击流和高业务流,可以在不恢复攻击路径的情况下直接追踪到攻击源所在的自治系统（甚至是子网）。     

基于网络流量的应用层DDoS攻击检测方法研究

根据应用层DDoS攻击和正常网络流量在特征上的不同,提出一种基于流量分析的应用层DDoS攻击检测方法,通过对源IP地址进行分析,能够有效地识别应用层DDoS攻击.同时,针对DDoS攻击流量和突发流量的相似性,在识别DDoS攻击的同时,能够正确区分突发流量,减少误报和漏报.     

Deciding optimal entropic thresholds to calibrate the detection mechanism for variable rate DDoS attacks in ISP domain: honeypot based approach

High bandwidth DDoS attacks consume more resources and have direct impact at ISP level in contrast to low rate DDoS attacks which lead to graceful degradation of network and are mostly undetectable. Although an array of detection schemes have been proposed, current requirement is a real time DDoS detection mechanism that adapts itself to varying network conditions to give minimum false alarms. DDoS attacks that disturb the distribution of traffic features in ISP domain are reflected by entropic variations on in stream samples. We propose honeypot detection for attack traffic having statistically similar distribution features as legitimate traffic. Next we propose to calibrate the detection mechanism for minimum false alarm rate by varying tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over MIT Lincoln lab dataset and its subset KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches with an advantage of variable rate attack detection with minimum false positives and negatives.     

Monitoring the macroscopic effect of DDoS flooding attacks

Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network.     

DDoS攻击实时检测防御系统的硬件实现

分布式拒绝服务攻击是因特网安全的头号威胁。针对DDoS攻击,本文介绍了一种基于MPC860和FPGA的实时检测防御系统的体系结构与实现原理,探讨了基于非参数累积和(CUSUM)算法检测新IP地址到达速率变化的DDoS攻击检测方法。实验结果表明该系统不仅实时检测准确性高、在线检测速度快、防御效果好,而且不损失网络信息吞吐量,保证了合法用户的正常访问。     

一种防御DDoS攻击的集成方法

防御DDoS攻击是网络安全的一个重要研究领域，在该领域已有许多方法，例如：源端检测，地址跟踪，数据包分类，流量检测。但是，每种方法都有它的特点和应用局限。文章运用分级防御的思想提出了一种集成方法。“集成”的意思是指把若干体系的方法集成在一起，使其成为一个新的功能更强的防御体系。该防御系统具有可靠性高、响应速度快、对合法数据包影响小等特点。     

一种部署于源-目的端供应商的包标记方案研究

提出了一个新的包标记方案,分别部署于源端和目的端供应商,主要用来描绘DDoS攻击流特征。这些特征对于受害者过滤攻击非常有效。在过滤方面,提出了一个比率控制方案,通过限制攻击流并保持合法数据流不受影响来有效保护受害者。在经济方面,提供更好的安全措施可以作为ISP对客户的增值服务,因此也就更有积极性来部署。     

A Flow Monitoring Scheme to Defend Reduction-of-Quality (RoQ) Attacks in Mobile Ad-hoc Networks

ABSTRACT

Reduction-of-Quality (RoQ) attack is a type of Distributed Denial-of-Service (DDoS) attack that is difficult to detect in current computing systems and networks. These RoQ attacks throttle the throughput heavily and reduce the Quality of Service (QoS) to end systems gradually rather than refusing the clients from the services completely. In this paper, we propose to develop a flow monitoring scheme to defend against such attacks in mobile Ad-hoc networks. Our proposed defense mechanism consists of a flow monitoring table (FMT) at each node to identify the attackers. If the channel continues to be congested because some sender nodes do not reduce their sending rate, it can be found by the destination using the updated FMT. Once the attackers are identified, all packets from those nodes will be blocked. By simulation results, we show that our proposed scheme achieves higher throughput and packet delivery ratio with reduced packet drop for legitimate users.     

Detection of DDoS attacks using optimized traffic matrix

Distributed Denial of Service (DDoS) attacks have been increasing with the growth of computer and network infrastructures in Ubiquitous computing. DDoS attacks generating mass traffic deplete network bandwidth and/or system resources. It is therefore significant to detect DDoS attacks in their early stage. Our previous approach used a traffic matrix to detect DDoS attacks quickly and accurately. However, it could not find out to tune up parameters of the traffic matrix including (i) size of traffic matrix, (ii) time based window size, and (iii) a threshold value of variance from packets information with respect to various monitored environments and DDoS attacks. Moreover, the time based window size led to computational overheads when DDoS attacks did not occur. To cope with it, we propose an enhanced DDoS attacks detection approach by optimizing the parameters of the traffic matrix using a Genetic Algorithm (GA) to maximize the detection rates. Furthermore, we improve the traffic matrix building operation by (i) reforming the hash function to decrease hash collisions and (ii) replacing the time based window size with a packet based window size to reduce the computational overheads. We perform experiments with DARPA 2000 LLDOS 1.0, LBL-PKT-4 of Lawrence Berkeley Laboratory and generated attack datasets. The experimental results show the feasibility of our approach in terms of detection accuracy and speed.     

Distributed Denial of Service Attacks: A Threat or Challenge

In today’s cyber world, the Internet has become a vital resource for providing a plethora of services. Unavailability of these services due to any reason leads to huge financial implications or even consequences on society. Distributed Denial of Service (DDoS) attacks have emerged as one of the most serious threats to the Internet whose aim is to completely deny the availability of different Internet based services to legitimate users. The attackers compromise a large number of Internet enabled devices and gain malicious control over them by exploiting their vulnerabilities. Simplicity of launching, traffic variety, IP spoofing, high volume traffic, involvement of numerous agent machines, and weak spots in Internet topology are important characteristics of DDoS attacks and makes its defense very challenging. This article provides a survey with the enhanced taxonomies of DDoS attacks and defense mechanisms. Additionally, we describe the timeline of DDoS attacks to date and attempt to discuss its impact according to various motivations. We highlighted the general issues, challenges, and current trends of DDoS attack technology. The aim of the article is to provide complete knowledge of DDoS attacks and defense mechanisms to the research community. This will, in turn, help to develop a powerful, effective, and efficient defense mechanism by filling the various research gaps addressed in already proposed defense mechanisms.     

A fast self-similarity matrix-based method for shrew DDoS attack detection

ABSTRACT

Shrew DDoS attack mainly targets the TCP’s retransmission timeout (RTO) mechanism that handles severe cases of congestion and packet losses. This attack is very hard to detect due to its stealthy nature and low-rate in volume which if remained undetected can affect the legitimate TCP flows. In this paper, we propose a fast shrew DDoS attack detection method based on self-similarity matrix (SSM) that measures the self-similarity of network traffic across multiple time scales over a subset of relevant features. The method can detect any presence of shrew attack in-line with the incoming traffic samples and thus identify the attack flows. We experimented our method over real-life low-rate datasets for multiple scenarios and the results demonstrate its efficiency both in terms of detection accuracy and speed.     

网络DDoS攻击流的小波分析与检测

将小波分析中的小波变换模极大方法用于检测分布式拒绝服务攻击引起的突发流量。在探讨如何运用小波模极大对突发流量进行判定的基础上,设计了一个检测突发攻击流量的方法,并对实际采集到的网络流量和仿真攻击流量的混合流作了计算机模拟验证。结果表明,当攻击流的突变幅度为正常流量的2倍￣3倍时,检测漏判率不超过5%;当攻击流的突变幅度提升为正常流量均值的3倍￣5倍时,检测漏判率不超过1%。攻击越强,检测漏判率越小。     

On the defense of the distributed denial of service attacks: anon-off feedback control approach

Proposes a coordinated defense scheme of distributed denial of service (DDoS) network attacks, based on the backward-propagation, on-off control strategy. When a DDoS attack is in effect, a high concentration of malicious packet streams are routed to the victim in a short time, making it a hot spot. A similar problem has been observed in multiprocessor systems, where a hot spot is formed when a large number of processors access simultaneously shared variables in the same memory module. Despite the similar terminologies used here, solutions for multiprocessor hot spot problems cannot be applied to that in the Internet, because the hot traffic in DDoS may only represent a small fraction of the Internet traffic, and the attack strategies on the Internet are far more sophisticated than that in the multiprocessor systems. The performance impact on the hot spot is related to the total hot packet rate that can be tolerated by the victim. We present a backward pressure propagation, feedback control scheme to defend DDoS attacks. We use a generic network model to analyze the dynamics of network traffic, and develop the algorithms for rate-based and queue-length-based feedback control. We show a simple design to implement our control scheme on a practical switch queue architecture     

基于混合深度学习的多类型低速率DDoS攻击检测方法

低速率分布式拒绝服务攻击针对网络协议自适应机制中的漏洞实施攻击,对网络服务质量造成了巨大威胁,具有隐蔽性强、攻击速率低和周期性的特点.现有检测方法存在检测类型单一和识别精度低的问题,因此提出了一种基于混合深度学习的多类型低速率DDoS攻击检测方法.模拟不同类型的低速率DDoS攻击和5G环境下不同场景的正常流量,在网络入...