Similar literature
20 similar documents found; search took 695 ms
1.
Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocol or application behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack, the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack. Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors. We extensively describe the suggested techniques, discussing the benefits and drawbacks of each under two criteria: the reduction in attack efficiency obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in both a simulated and a real environment, and provide guidelines for their implementation in a production system.

2.
The paper proposes a scheme, referred to as proactive server roaming, to mitigate the effects of denial of service (DoS) attacks. The scheme is based on the concept of "replicated elusive service", which, through server roaming, causes the service to physically migrate from one physical location to another. Furthermore, the proactiveness of the scheme makes it difficult for attackers to guess when or where servers roam. The combined effect of elusive service replication and proactive roaming makes the scheme resilient to DoS attacks, thereby ensuring a high level of quality of service. The paper describes the basic components of the scheme and discusses a simulation study to assess the performance of the scheme for different types of DoS attacks. The details of the NS2-based design and implementation of the server roaming strategy to mitigate the DoS attacks are provided, along with a thorough discussion and analysis of the simulation results.

3.
Web servers are frequently subjected to denial-of-service attacks from hosts on external networks, of which the SYN flood attack is the most common. The attacker uses forged source addresses to send a large number of TCP connection requests to the server, causing the server to allocate resources for each connection request until its resources are exhausted; as a result, normal access by legitimate users is also denied because no TCP connection can be established. This paper analyzes the basic principle of the SYN flood attack, examines several existing methods for handling resource exhaustion and forged source addresses, and points out their advantages and disadvantages.

4.
Computer Networks, 2007, 51(10): 2753-2770
Distributed Denial of Service (DDoS) attacks remain a daunting challenge for Internet service providers. Previous work on countering these attacks has focused primarily on attacks at a single server location and the associated network infrastructure. Increasingly, however, high-volume sites are served via content distribution networks (CDNs). In this paper, we propose two mechanisms to withstand and deter DDoS attacks on CDN-hosted Web sites and the CDN infrastructure. First, we present a novel CDN request routing algorithm which allows CDN proxies to effectively distinguish attacks from the requests of actual users. The proposed scheme, based on a keyed hash function, can significantly improve the resilience of CDNs to DDoS attacks. In particular, the resilience of a CDN consisting of n proxies becomes O(n^2) with the proposed approach, when compared to a site hosted by a single server. We present performance numbers from a controlled test environment to show that the proposed approach is effective. Second, we introduce novel site allocation algorithms based on the well-established theory of binary codes. The proposed allocation algorithm guarantees an upper bound on the level of service outage of a CDN-hosted site even when a DoS attack on another site on the same CDN has been successful. Together, our schemes significantly improve the resilience of the Web sites hosted by CDNs, and complement other work on countering DoS.

5.
To counter the new type of link-flooding attack, this paper proposes a proactive defense method, based on Renyi entropy, against link-flooding attacks on the OpenFlow channel. Renyi entropy is used to analyze the change in the number of ICMP timeout messages generated while the attacker builds the Linkmap of the OpenFlow channel. As soon as an attack precursor appears, the traffic-monitoring server sends an attack warning to the controller, and the controller starts the switch-controller connection migration mechanism, migrating the switch to a new controller and communicating with it over a new OpenFlow channel. Experiments show that the proactive defense method effectively keeps the communication link between controller and switch from being affected by link-flooding attacks, ensures that the controller and switch can keep interacting to provide network services, and enhances the robustness of the SDN network.

6.
In this paper, the resilient control problem is investigated for a wireless networked control system (WNCS) under denial-of-service (DoS) attack via a hierarchical game approach. In the presence of a wireless network, a DoS attacker causes extra packet dropout in the cyber layer of the WNCS by emitting interference power. A zero-sum Markov game is exploited to model the interaction between the transmitter and the DoS attacker in a dynamic network environment. Additionally, taking the attack-induced packet loss into account, an H∞ minimax controller is designed in the physical layer using a delta operator approach. Both value iteration and Q-learning methods are used to solve the hierarchical game problem for the WNCS. The proposed method is applied to a load frequency control system to illustrate its effectiveness.

7.
In this paper, denial of service (DoS) attack management is studied from the attacker's perspective: the goal is to destroy the collaborative estimation in a sensor network while minimizing the attack energy. Among the communication channels between the sensors and a remote estimator, the attacker chooses some channels on which to launch random DoS jamming, so that the packets on those channels are randomly dropped. A stochastic power allocation approach composed of three steps is proposed. First, the minimum number of channels and the set of channels to be attacked are determined. Second, a necessary condition and a sufficient condition on the packet loss probabilities of the channels in the attack set are provided for general and special systems, respectively. Finally, by converting the original coupled nonlinear programming problem into a linear programming problem, a method of searching for the attack probabilities and power that minimize the attack energy is proposed. The effectiveness of the proposed scheme is verified by simulation examples.

8.
Distributed Proactive Firewall (cited by 5: 0 self-citations, 5 other citations)
This paper introduces the concept and model of the distributed firewall and analyzes its advantage of not depending on the network topology. To overcome the shortcomings of distributed firewalls in preventing denial-of-service attacks, a model of a distributed proactive firewall is proposed: instead of passively blocking attacks, it rejects internal attacks at the attacker's own host. Using policy decomposition, a policy written in the KeyNote language is split into two parts, which are then distributed to the corresponding hosts. This method effectively prevents denial-of-service attacks originating inside the network, so that the server can continue to provide service normally.

9.
Denial of Service (DoS) attacks pose a severe threat to the Internet. Entropy-based methods have been successfully used to detect specific types of malicious traffic. This paper presents a novel dynamic entropy-based model for the detection of DoS attacks. Based on the theory of alive communication, the dynamic entropy model is constructed by combining information entropy with the feature of netflow conversation correlation. This is the first application of the theory of alive communication to network anomaly detection. To evaluate the performance of the dynamic entropy model, we compare it with the traditional information entropy model. The experimental results demonstrate the presence of the traffic's dynamic entropy and show that the dynamic entropy remains stable under normal traffic. By contrast, it fluctuates significantly when the network is subjected to DoS attacks. Moreover, the dynamic entropy-based model has a higher detection rate and can detect unknown DoS attacks effectively.

10.
Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications over the Internet. In this paper, we present an extensive study of protocol-level attacks against Tor. Different from existing attacks, the attacks investigated in this paper can confirm anonymous communication relationships quickly and accurately by manipulating one single cell, and pose a serious threat against Tor. In these attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender, which can cause cell recognition errors at the exit onion router. If an accomplice of the attacker at the entry onion router also controls the exit onion router and recognizes such cell recognition errors, the communication relationship between the sender and receiver will be confirmed. These attacks can also be used to launch denial-of-service (DoS) attacks that disrupt the operation of Tor. We systematically analyze the impact of these attacks, and our data indicate that they may drastically degrade the anonymity service that Tor provides if the attacker is able to control a small number of Tor routers. We have implemented these attacks on Tor, and our experiments validate their feasibility and effectiveness. We also present guidelines for defending against protocol-level attacks.

11.
Keeping Denial-of-Service Attackers in the Dark (cited by 1: 0 self-citations, 1 other citation)
We consider the problem of overcoming (distributed) denial-of-service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, for example, by observing service performance degradation or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet-filtering mechanisms in a way that allows fast processing of packets but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available efficient packet-filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixed ports and instead performs "pseudorandom port hopping." We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.

12.
A DoS attack can be regarded as an attempt by attackers to prevent legitimate users from obtaining a normal network service. The TCP connection management protocol provides the opening for a classic DoS attack, namely the SYN flood attack. In this attack, some sources send a large number of TCP SYN segments without completing the third handshake step, in order to quickly exhaust the connection resources of the system under attack. This paper models the server under attack using queuing theory, in which attack requests are recognized by their long service time. It then proposes a framework in which the defense issue is formulated as an optimization problem, and employs the particle swarm optimization (PSO) algorithm to solve this problem optimally. PSO tries to steer the server to an optimum defense point by dynamically setting two TCP parameters, namely the maximum number of connections and the maximum duration of a half-open connection. The simulation results show that the proposed defense strategy improves the performance of the system under attack in terms of the rejection probability of connection requests and efficient consumption of buffer space.

13.
A Distributed Application System Architecture Based on Mobile Agents (cited by 3: 0 self-citations, 3 other citations)
石太伟, 郭陟, 顾明. 《计算机工程》 (Computer Engineering), 2005, 31(24): 61-63
Denial-of-service (DoS) attacks pose an increasingly serious security threat to distributed application systems. This paper proposes a distributed application system architecture based on mobile agents to protect the application servers in the system and improve their resistance to DoS attacks. To further improve the system's resistance to DoS attacks, a proxy-host grouping algorithm based on a genetic algorithm is proposed. Finally, the system's ability to resist DoS attacks is evaluated qualitatively.

14.
Trust management is an approach to scalable and flexible access control in decentralized systems. In trust management, a server often needs to evaluate a chain of credentials submitted by a client; this requires the server to perform multiple expensive digital signature verifications. In this paper, we study low-bandwidth Denial-of-Service (DoS) attacks that exploit the existence of trust management systems to deplete server resources. Although the threat of DoS attacks has been studied for some application-level protocols such as authentication protocols, we show that it is especially destructive for trust management systems. Exploiting the delegation feature in trust management languages, an attacker can forge a long credential chain to force a server to consume a large amount of computing resources. Using game theory as an analytic tool, we demonstrate that unprotected trust management servers will easily fall prey to a clever attacker who moves smartly. We report our empirical study of existing trust management systems, which demonstrates the gravity of this threat. We also propose a defense technique using credential caching, and show that it is effective in the presence of intelligent attackers. A preliminary version of this paper was presented at the Second IEEE International Conference on Security and Privacy in Communication Networks, Baltimore, MD, USA, August 2006.

15.
Because of the openness of the protocol, SIP is vulnerable to DoS flooding attacks; queue scheduling schemes can greatly reduce the impact of flooding attacks on SIP servers. Based on an analysis of SIP message characteristics and existing queue scheduling schemes, this paper proposes a defense mechanism against SIP DoS flooding attacks based on customized weighted fair queue scheduling, and evaluates its performance by simulation. The simulation results show that the scheme is more effective than single-queue and priority-queue schemes in defending against INVITE flooding attacks.

16.
Probabilistic model checking for the quantification of DoS security threats (cited by 1: 0 self-citations, 1 other citation)
Secure authentication features of communication and electronic commerce protocols involve computationally expensive and memory intensive cryptographic operations that have the potential to be turned into denial-of-service (DoS) exploits. Recent proposals attempt to improve DoS resistance by implementing a trade-off between the resources required of the potential victim(s) and the resources used by a prospective attacker. Such improvements have been proposed for the Internet Key Exchange (IKE), the Just Fast Keying (JFK) key agreement protocol and the Secure Sockets Layer (SSL/TLS) protocol. In the present article, we introduce probabilistic model checking as an efficient tool-assisted approach for systematically quantifying DoS security threats. We model a security protocol with a fixed network topology using probabilistic specifications for the protocol participants. We attach to the protocol model a probabilistic attacker model which performs DoS related actions with assigned cost values. The costs for the protocol participants and the attacker reflect the level of some resource expenditure (memory, processing capacity or communication bandwidth) for the associated actions. From the developed model we obtain a Discrete Time Markov Chain (DTMC) via property preserving discrete-time semantics. The DTMC model is verified using the PRISM model checker, which produces probabilistic estimates for the analyzed DoS threat. In this way, it is possible to evaluate the level of resource expenditure for the attacker beyond which the likelihood of widespread attack is reduced, and subsequently to compare alternative design considerations for optimal resistance to the analyzed DoS threat. Our approach is validated through the analysis of the Host Identity Protocol (HIP). The HIP base exchange is seen as a cryptographic key-exchange protocol with special features related to DoS protection. We analyze a serious DoS threat, for which we provide probabilistic estimates, as well as results for the associated attacker and participants' costs.

17.
18.
In 2004, Das et al. proposed a dynamic identity-based remote user authentication scheme using smart cards. This scheme allows users to choose and change their passwords freely, and the server does not maintain any verification table. Das et al. claimed that their scheme is secure against stolen verifier attack, replay attack, forgery attack, dictionary attack, insider attack and identity theft. However, many researchers have demonstrated that Das et al.'s scheme is susceptible to various attacks. Furthermore, this scheme does not achieve mutual authentication and thus cannot resist malicious server attack. In 2009, Wang et al. argued that Das et al.'s scheme is susceptible to stolen smart card attack: if an attacker obtains the smart card of the user and chooses any random password, the attacker gets through the authentication process and gains access to the remote server. Therefore, Wang et al. suggested an improved scheme to overcome the weaknesses of Das et al.'s scheme. However, we found that Wang et al.'s scheme is susceptible to impersonation attack, stolen smart card attack, offline password guessing attack and denial of service attack, and fails to preserve user anonymity. This paper improves Wang et al.'s scheme to resolve the aforementioned problems, while keeping the merits of the different dynamic identity based smart card authentication schemes.

19.
The radio-based medium of satellite communication systems is vulnerable to interference on physical channels: unintentional interference occurs frequently, and jamming attacks can be carried out using low-grade technology. While application layer security protocols cannot defend against denial of service (DoS) attacks in which the attacker jams continuously, effective security protocols ensure that communication can continue after such interference has stopped. This paper analyses an authentication and key agreement protocol for satellite communications. The presented analysis reveals that the protocol is susceptible to a new DoS attack, where attackers jam a single message to achieve a permanent DoS condition. A new authentication and key agreement protocol is proposed that additionally addresses the scenario where messages sent over the mobile satellite channel may not reach their intended recipient due to accidental or malicious interference. Analysis of the new protocol demonstrates that it is effective in countering the disruptive effects of jamming.

20.
Computer Networks, 2007, 51(12): 3564-3573
In most network security analysis, researchers focus mainly on qualitative studies of security schemes and possible attacks, and there are few papers on quantitative analysis in the current literature. In this paper, we propose a queueing model for the evaluation of denial of service (DoS) attacks in computer networks. The network under DoS attack is characterized by a two-dimensional embedded Markov chain model. With this model, we can develop a memory-efficient algorithm for finding the stationary probability distribution, which can then be used to derive other interesting performance metrics such as the connection loss probability and the buffer occupancy percentages of half-open connections for regular traffic and attack traffic. Different from previous works in the literature, this paper gives a more general analytical approach to the study of security measures of a computer network under DoS attack. We hope that our approach opens a new avenue to the quantitative evaluation of more complicated security schemes in computer networks.
