PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks

Distributed denial-of-service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterizations, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that packetscore is very effective in blocking several different attack types under many different conditions.     

A collaborative defense mechanism against SYN flooding attacks in IP networks

SYN flooding exploits the Transmission Control Protocol (TCP) three-way handshake process by sending many connection requests using spoofed source IP addresses to a victim's host. This keeps that host from handling legitimate requests, causing it to populate its backlog queue with forged TCP connections. In this article, we propose a novel defense mechanism that makes use of the edge routers that are associated with the spoofed IP addresses’ networks to determine whether the incoming SYN–ACK segment is valid. This is accomplished by maintaining a matching table of the outgoing SYNs and incoming SYN–ACKs and also by using the ARP protocol. If an incoming SYN–ACK segment is not valid, the edge router resets the connection at the victim's host, freeing up an entry in the victim's backlog queue, and enabling it to accept other legitimate incoming connection requests. We also present a communication protocol to encourage collaboration between various networks to protect each other. We evaluated the performance of our proposed approach and studied its impact on the network. Our experimental and simulation results showed the efficiency of our proposed collaborative defense mechanism.     

An autonomous defense against SYN flooding attacks: Detect and throttle attacks at the victim side independently

Distributed denial of service (DDoS) attacks seriously threaten Internet services yet there is currently no defence against such attacks that provides both early detection, allowing time for counteraction, and an accurate response. Traditional detection methods rely on passively sniffing an attacking signature and are inaccurate in the early stages of an attack. Current counteractions such as traffic filter or rate-limit methods do not accurately distinguish between legitimate and illegitimate traffic and are difficult to deploy. This work seeks to provide a method that detects SYN flooding attacks in a timely fashion and that responds accurately and independently on the victim side. We use the knowledge of network traffic delay distribution and apply an active probing technique (DARB) to identify half-open connections that, suspiciously, may not arise from normal network congestion. This method is suitable for large network areas and is capable of handling bursts of traffic flowing into a victim server. Accurate filtering is ensured by a counteraction method using IP address and time-to-live(TTL) fields. Simulation results show that our active detection method can detect SYN flooding attacks accurately and promptly and that the proposed rate-limit counteraction scheme can efficiently minimize the damage caused by DDoS attacks and guarantee constant services to legitimate users.     

DyProSD: a dynamic protocol specific defense for high-rate DDoS flooding attacks

Microsystem Technologies - High-rate distributed denial of service (HDDoS) flooding attacks pose as a major threat to the Internet. Most present solutions based on machine learning approach are...     

System identification with binary-valued observations under both denial-of-service attacks and data tampering attacks:defense scheme and its optimality

In this paper,we investigate the defense problem against the joint attacks of denial-of-service attacks and data tampering attacks in the framework of system identification with binary-valued observations.By estimating the key parameters of the joint attack and compensating them in the identification algorithm,a compensation-oriented defense scheme is proposed.Then the identification algorithm of system parameter is designed and is further proved to be consistent.The asymptotic normality of the algorithm is obtained,and on this basis,we propose the optimal defense scheme.Furthermore,the implementation of the optimal defense scheme is discussed.Finally,a simulation example is presented to verify the effectiveness of the main results.     

MANET中分布式拒绝服务攻击研究综述

随着移动自组织网络在各个领域内得到广泛的使用,其安全性研究显得越来越重要。DDoS攻击给有线网络造成了很大的威胁,同样也威胁到了移动自组织网络的安全性。由于移动自组织网络和有线网络存在着结构型差异,因此移动自组织网络中的DDoS攻击研究与有线网络中的DDoS攻击研究有较大的不同。论文首先描述了移动自组织网络的安全状况;然后从移动自组织网络的网络架构出发,分别分析移动自组织网络中针对物理层、MAC层、网络层以及传输层的DDoS攻击,同时总结针对不同网络层次的攻击所需要采取的防御措施;最后为移动自组织网络建设过程中就如何防范DDoS攻击提出参考意见。     

Perimeter-based defense against high bandwidth DDoS attacks

Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimum knowledge to operate, automated antiDDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains. This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the antiDDoS service to their customers. These mechanisms rely completely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside of the ISP, which not only makes it locally deployable, but also avoids the stress on the ISP core routers. We also study a new problem of perimeter-based IP traceback and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.     

Defense against SYN flooding attacks: A particle swarm optimization approach

SYN flooding attack is a threat that has been designed based on vulnerabilities of the connection establishment phase of the TCP protocol. In this attack some sources send a large number of TCP SYN segments, without completing the third handshake step to quickly exhaust connection resources of the victim server. Hence, a main part of the server’s buffer space is allocated to the attack half open connections and incoming new connection requests will be blocked. This paper proposes a novel framework, in which, the defense issue is formulated as an optimization problem. Then it employs the particle swarm optimization (PSO) algorithm to solve this optimization problem. Our theoretical analysis and packet-level simulations in ns-2 environment show that the proposed defense strategy called PSO_SYN decreases the number of blocked TCP connection requests and cuts down share of attack connections from the buffer space.     

基于路由器的DDoS攻击防御系统的设计

针对分布式拒绝服务攻击设计了一种基于路由器的DDoS攻击防御系统。它具有检测响应及时的优点。不但能保护受害者以及合法用户的请求,还能在受害者遭受攻击时保护攻击源与受害者之间的网络带宽资源,从而改善网络性能。模拟实验验证了系统中检测控制方法的有效性。     

A multi-layer framework for puzzle-based denial-of-service defense

Client puzzles have been advocated as a promising countermeasure to denial-of-service (DoS) attacks in recent years. However, how to operationalize this idea in network protocol stacks still has not been sufficiently studied. In this paper, we describe our research on a multi-layer puzzle-based DoS defense architecture, which embeds puzzle techniques into both end-to-end and IP-layer services. Specifically, our research results in two new puzzle techniques: puzzle auctions for end-to-end protection and congestion puzzles for IP-layer protection. We present the designs of these approaches and evaluations of their efficacy. We demonstrate that our techniques effectively mitigate DoS threats to IP, TCP and application protocols; maintain full interoperability with legacy systems; and support incremental deployment. We also provide a game theoretic analysis that sheds light on the potential to use client puzzles for incentive engineering: the costs of solving puzzles on an attackers’ behalf could motivate computer owners to more aggressively cleanse their computers of malware, in turn hindering the attacker from capturing a large number of computers with which it can launch DoS attacks.     

PSO-SFDD: Defense against SYN flooding DoS attacks by employing PSO algorithm

A DoS attack can be regarded as an attempt of attackers to prevent legal users from gaining a normal network service. The TCP connection management protocol sets a position for a classic DoS attack, namely, the SYN flood attack. In this attack some sources send a large number of TCP SYN segments, without completing the third handshake step to quickly exhaust connection resources of the under attack system. This paper models the under attack server by using the queuing theory in which attack requests are recognized based on their long service time. Then it proposes a framework in which the defense issue is formulated as an optimization problem and employs the particle swarm optimization (PSO) algorithm to optimally solve this problem. PSO tries to direct the server to an optimum defense point by dynamically setting two TCP parameters, namely, maximum number of connections and maximum duration of a half-open connection. The simulation results show that the proposed defense strategy improves the performance of the under attack system in terms of rejection probability of connection requests and efficient consumption of buffer space.     

Utilizing bloom filters for detecting flooding attacks against SIP based services

Any application or service utilizing the Internet is exposed to both general Internet attacks and other specific ones. Most of the times the latter are exploiting a vulnerability or misconfiguration in the provided service and/or in the utilized protocol itself. Consequently, the employment of critical services, like Voice over IP (VoIP) services, over the Internet is vulnerable to such attacks and, on top of that, they offer a field for new attacks or variations of existing ones. Among the various threats–attacks that a service provider should consider are the flooding attacks, at the signaling level, which are very similar to those against TCP servers but have emerged at the application level of the Internet architecture. This paper examines flooding attacks against VoIP architectures that employ the Session Initiation Protocol (SIP) as their signaling protocol. The focus is on the design and implementation of the appropriate detection method. Specifically, a bloom filter based monitor is presented and a new metric, named session distance, is introduced in order to provide an effective protection scheme against flooding attacks. The proposed scheme is evaluated through experimental test bed architecture under different scenarios. The results of the evaluation demonstrate that the required time to detect such an attack is negligible and also that the number of false alarms is close to zero.     

Characterization of defense mechanisms against distributed denial of service attacks

We propose a characterization of distributed denial of service (DDOS) defenses where reaction points are network-based and attack responses are active. The purpose is to provide a framework for comparing the performance and deployment of DDOS defenses. We identify the characteristics in attack detection algorithms and attack responses by reviewing defenses that have appeared in the literature. We expect that this characterization will provide practitioners and academia insights into deploying DDOS defense as network services.     

Securing SIP-based VoIP infrastructure against flooding attacks and Spam Over IP Telephony

Security of session initiation protocol (SIP) servers is a serious concern of Voice over Internet (VoIP) vendors. The important contribution of our paper is an accurate and real-time attack classification system that detects: (1) application layer SIP flood attacks that result in denial of service (DoS) and distributed DoS attacks, and (2) Spam over Internet Telephony (SPIT). The major advantage of our framework over existing schemes is that it performs packet-based analysis using a set of spatial and temporal features. As a result, we do not need to transform network packet streams into traffic flows and thus save significant processing and memory overheads associated with the flow-based analysis. We evaluate our framework on a real-world SIP traffic—collected from the SIP server of a VoIP vendor—by injecting a number of application layer anomalies in it. The results of our experiments show that our proposed framework achieves significantly greater detection accuracy compared with existing state-of-the-art flooding and SPIT detection schemes.     

ChoKIFA+: an early detection and mitigation approach against interest flooding attacks in NDN

International Journal of Information Security - Several ongoing research efforts aim to design potential Future Internet Architectures, among which Named-Data Networking (NDN) introduces a shift...     

Providing secure execution environments with a last line of defense against Trojan circuit attacks

Integrated circuits (ICs) are often produced in foundries that lack effective security controls. In these foundries, sophisticated attackers are able to insert malicious Trojan circuits that are easily hidden in the large, complex circuitry that comprises modern ICs. These so-called Trojan circuits are capable of launching attacks directly in hardware, or, more deviously, can facilitate software attacks. Current defense against Trojan circuits consists of statistical detection techniques to find such circuits before product deployment. The fact that statistical detection can result in false negatives raises the obvious questions: can attacks be detected post-deployment, and is secure execution nonetheless possible using chips with undetected Trojan circuits? In this paper we present the Secure Heartbeat And Dual-Encryption (SHADE) architecture, a compiler–hardware solution for detecting and preventing a subset of Trojan circuit attacks in deployed systems. Two layers of hardware encryption are combined with a heartbeat of off-chip accesses to provide a secure execution environment using untrusted hardware. The SHADE system is designed to complement pre-deployment detection techniques and to add a final, last-chance layer of security.     

Using honeynodes for defense against jamming attacks in wireless infrastructure-based networks

The advent of wireless networks has brought a new set of security issues with it. One of the most feared of these is the jamming-based attacks. In this paper, we propose a pre-emptive detection strategy using honeynodes and a response mechanism based on the existing Channel Surfing Algorithm [Xu W, Trappe W, Zhang Y, Wood T. Channel surfing and spatial retreats: defenses against wireless denial of service. ACM Wireless Security 2004;80-9] to protect wireless nodes from a jammer. Honeynodes generate dummy communication at a frequency close to the actual frequency of operation, and pre-emptively alert authentic nodes of imminent attacks, so that the authentic nodes can jump to another frequency even before a jammer starts scanning that frequency. The next frequency is selected using a novel approach which uses a hybrid of reactive and proactive channel selection procedures. We have simulated the proposed approach using NS-2. The experimental results further prove a marked improvement in the performance of the proposed system over the Channel Surfing Algorithm in terms of the packet delivery ratio, the jammed duration, control message overhead and the number of channel re-configurations.     

Binary-centric defense of production operating systems against kernel queue injection attacks

Kernel callback queues (KQs) are the established mechanism for event handling in modern kernels. Unfortunately, real-world malware has abused KQs to run malicious logic, through an attack called kernel queue injection (KQI). Current kernel-level defense mechanisms have difficulties with KQI attacks, since they work without necessarily changing legitimate kernel code or data. In this paper, we present the design, implementation, and evaluation of KQguard, an efficient and effective protection mechanism of KQs. KQguard employs static and dynamic analysis of kernel and device drivers to learn specifications of legitimate event handlers. At runtime, KQguard rejects all the unknown KQ requests that cannot be validated. We implement KQguard on the Windows Research Kernel (WRK), Windows XP, and Linux, using source code instrumentation or binary patching. Our extensive experimental evaluation shows that KQguard is effective (i.e., it can have zero false positives against representative benign workloads after enough training and very low false negatives against 125 real-world malware), and it incurs a small overhead (up to ~5%). We also present the result of an automated analysis of 1,528 real-world kernel-level malware samples aiming to detect their KQ Injection behaviors. KQguard protects KQs in both Windows and Linux kernels, can accommodate new device drivers, and can support closed source device drivers through dynamic analysis of their binary code.

     

System identification with binary-valued observations under both denial-of-service attacks and data tampering attacks:the optimality of attack strategy

With the development of wireless communication technology,cyber physical systems are applied in various fields such as industrial production and infrastructure,where lots of information exchange brings cyber security threats to the systems.From the perspective of system identification with binary-valued observations,we study the optimal attack problem when the system is subject to both denial of service attacks and data tampering attacks.The packet loss rate and the data tampering rate caused by the attack is given,and the estimation error is derived.Then the optimal attack strategy to maximize the identification error with the least energy is described as a min–max optimization problem with constraints.The explicit expression of the optimal attack strategy is obtained.Simulation examples are presented to verify the effectiveness of the main conclusions.