Found 20 similar articles (search time: 15 ms)
1.
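Drawing on the theory of message authentication codes based on dual-key sequences, and building on adaptive probabilistic packet marking and Advanced Packet Marking II, an improved authentication-based DDoS source IP traceback scheme is proposed to counter the highly damaging denial-of-service attacks seen today. Being based on adaptive probability, the scheme achieves a high traceback convergence rate while minimizing the room attackers have to forge packets. An HMAC algorithm based on dual-key sequences authenticates the marking information, preventing attackers from modifying existing marks and achieving high security and resistance to interference.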
2.
IP traceback-based intelligent packet filtering: a novel technique for defending against Internet DDoS attacks (Total citations: 3; self-citations: 0; citations by others: 3)
Minho Sung Jun Xu 《Parallel and Distributed Systems, IEEE Transactions on》2003,14(9):861-872
Distributed Denial of Service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after-the-fact, little is done to mitigate the effect of an attack while it is raging on. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages on and generalizes the IP traceback schemes to obtain the information concerning whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that, while an attacker will have all the edges on its path marked as "infected," edges on the path of a legitimate client will mostly be "clean". By preferentially filtering out packets that are inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies all demonstrate that the proposed technique can improve the throughput of legitimate traffic by three to seven times during DDoS attacks.
3.
IP routing continues to receive much attention from the research and vendor communities. Its primary function-forwarding packets between networks-must keep pace with the demands of the exponentially growing end user population. It must accommodate attachment of gigabit data link technologies such as ATM, packet Sonet, Gigabit Ethernet, and dense wave division multiplexing, and fill those links at full capacity. As network providers introduce new services supporting multicast, QoS, voice, and security, IP routing-and more specifically the IP forwarding function-will be called upon to analyze additional packet information at gigabit rates to determine how each packet should be handled. Performing these new functions while maintaining parity with the advances in available bandwidth will present an interesting challenge for the forwarding capabilities of IP routers. Indeed, for the Internet to scale, we must scale all dimensions of the IP routing process.
4.
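Based on the principles and characteristics of application-layer distributed denial-of-service attacks, a defense algorithm built on a lightweight verification mechanism is proposed. A verification code is embedded in the communication between client and server, and client-side computation is used to correctly identify legitimate requests and filter out malicious attacks. The verification mechanism is asymmetric within the TCP/IP protocol stack: server-side filtering takes place at the IP layer, while client-side computation takes place at the application layer, which gives the algorithm low resource consumption and makes it transparent to both communicating parties. The method was implemented on an anti-DDoS gateway platform, and test results show that it offers good defensive effect and excellent performance.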
5.
6.
7.
Microsystem Technologies - High-rate distributed denial of service (HDDoS) flooding attacks pose as a major threat to the Internet. Most present solutions based on machine learning approach are...
8.
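Authentication is the first line of defense in networked application systems; its purpose is to verify the identities of the communicating parties and prevent illegitimate users from stealing from or impersonating legitimate users. Although passwords are the most convenient authentication method, they come with the threat of dictionary attacks. Several commonly used one-time password authentication schemes are analyzed and, building on the challenge-response scheme, a new authentication scheme is proposed and designed using a secure one-way hash function. The scheme not only markedly reduces the overhead on the authentication server, but also effectively resists dictionary attacks, denial-of-service attacks and other attack techniques, significantly strengthening the security of the application system.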
9.
Haidar Safa Mohamad Chouman Hassan Artail Marcel Karam 《Journal of Network and Computer Applications》2008,31(4):509-534
SYN flooding exploits the Transmission Control Protocol (TCP) three-way handshake process by sending many connection requests using spoofed source IP addresses to a victim's host. This keeps that host from handling legitimate requests, causing it to populate its backlog queue with forged TCP connections. In this article, we propose a novel defense mechanism that makes use of the edge routers that are associated with the spoofed IP addresses’ networks to determine whether the incoming SYN–ACK segment is valid. This is accomplished by maintaining a matching table of the outgoing SYNs and incoming SYN–ACKs and also by using the ARP protocol. If an incoming SYN–ACK segment is not valid, the edge router resets the connection at the victim's host, freeing up an entry in the victim's backlog queue, and enabling it to accept other legitimate incoming connection requests. We also present a communication protocol to encourage collaboration between various networks to protect each other. We evaluated the performance of our proposed approach and studied its impact on the network. Our experimental and simulation results showed the efficiency of our proposed collaborative defense mechanism.
10.
11.
Anjali Sardana R. C. Joshi Tai-hoon Kim Sung Jang 《Journal of Intelligent Manufacturing》2010,21(5):623-634
High bandwidth DDoS attacks consume more resources and have direct impact at ISP level in contrast to low rate DDoS attacks which lead to graceful degradation of network and are mostly undetectable. Although an array of detection schemes have been proposed, current requirement is a real time DDoS detection mechanism that adapts itself to varying network conditions to give minimum false alarms. DDoS attacks that disturb the distribution of traffic features in ISP domain are reflected by entropic variations on in stream samples. We propose honeypot detection for attack traffic having statistically similar distribution features as legitimate traffic. Next we propose to calibrate the detection mechanism for minimum false alarm rate by varying tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over MIT Lincoln lab dataset and its subset KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches with an advantage of variable rate attack detection with minimum false positives and negatives.
12.
Randa Jabeur Ben Chikha Tarek Abbes Wassim Ben Chikha Adel Bouhoula 《International Journal of Information Security》2016,15(2):131-143
Spam over IP telephony (SPIT) is expected to become a serious problem as the use of voice over IP grows. This kind of spam is appreciated by spammers due to its effectiveness and low cost. Many anti-SPIT solutions are applied to resolve this problem but they are still limited in some cases. Thus, in this paper, we propose a system to detect SPIT attacks through behavior-based approach. Our framework operates in three steps: (1) collecting significant calls attributes by exploring and analyzing network traces using OPNET environment; (2) applying sliding windows strategy to properly maintain the callers profiles; and (3) classifying caller (i.e., legitimate or SPITter) using ten supervised learning methods: NaïveBayes, BayesNet, SMO RBFKernel, SMO PolyKernel, MultiLayerPerceptron with two and three layers, NBTree, J48, Bagging and AdaBoostM1. The results of our experiments demonstrate the great performance of these methods. Our study, based on receiver operating characteristics curves, shows that the AdaBoostM1 classifier is more efficient than the other methods and achieves an almost perfect detection rate with acceptable training time.
13.
We show that malicious nodes in a peer-to-peer (P2P) system may impact the external Internet environment, by causing large-scale distributed denial of service (DDoS) attacks on nodes not even part of the overlay system. This is in contrast to attacks that disrupt the normal functioning, and performance of the overlay system itself. We demonstrate the significance of the attacks in the context of mature and extensively deployed P2P systems with representative and contrasting membership management algorithms—Kad, a DHT-based file-sharing system, and ESM, a gossip-based video broadcasting system. We then present an evaluation study of three possible mitigation schemes and discuss their strength and weakness. These schemes include (i) preferring pull-based membership propagation over push-based; (ii) corroborating membership information through multiple sources; and (iii) bounding multiple references to the same network entity. We evaluate the schemes through both experiments on PlanetLab with real and synthetic traces, and measurement of the real deployments. Our results show the potential of the schemes in enhancing the DDoS resilience of P2P systems, and also reveal the weakness in the schemes and regimes where they may not be sufficient.
14.
The architecture of a fault-tolerant multiprocessor with a rollback recovery mechanism is described. Fault-tolerance is attained owing to restarts of faulty processes of computations or their definite parts after detecting failures. An error occurring during the interaction of some processes leads to the multistep reconstruction of the entire computational process. An estimate of the efficiency of the proposed fault-tolerant technology is given. Translated from Kibernetika i Sistemnyi Analiz, No. 5, pp. 169–176, September–October 2004.
15.
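To address the shortcomings of existing privacy-protection methods for defending against link prediction attacks, a local perturbation algorithm based on integral gradients, LDIG (local disturbance algorithm based on integral gradient), is proposed. The enclosing subgraph of the sensitive link is used to determine the perturbation range, links are perturbed iteratively according to the integral gradients of the links within that range, and the link predictor's result for the sensitive links in the perturbed graph serves as the criterion for ending the perturbation. Experimental results show that the LDIG algorithm has low computational complexity and is suitable for privacy protection in large-scale social networks; it perturbs few links, which improves the utility of the data.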
16.
IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem, we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes, and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes, MASK can not only enlarge the domain of the spoofing prevention service, but also filter spoofing packets in advance. Through analysis and simulations, we demonstrate MASK's accuracy and effectiveness.
17.
18.
Neha Agrawal Shashikala Tapaswi 《Information Security Journal: A Global Perspective》2017,26(2):61-73
Cloud computing is a fast-growing and promising technology segment that aims to reduce maintenance and management costs by shifting high-quality computing infrastructure to the Internet. It is emerging as a dominant technology because it provides an on-demand, self-service, scalable, and pay-per-use business model. Despite its numerous benefits, it suffers from several security challenges. As a consequence of on-demand service, availability of computing resources is the crucial attribute of cloud computing among security necessities. In this work, a survey is presented on various issues related to the availability of resources in a cloud environment. Ensuring availability and security of computing/storage resources are still challenging tasks. The adversary class readily exploits the vulnerabilities in the cloud infrastructure for attack implementation. The article presents a study of various categories of distributed denial-of-service (DDoS) attacks in cloud computing and their defense mechanisms. It is believed that this is the first work which surveys all varieties of DDoS attacks in the cloud environment.
19.
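Given the distributed and converging nature of DDoS attacks, cooperative detection among multiple IDS systems distributed across a large-scale network helps to assemble the full picture of an attack and respond appropriately before the attack flow reaches scale. The MDCI system is the first to propose a ring cooperation model: a cooperation group of IDS systems is built in a ring around important network information resources, and DDoS attacks are identified quickly through information sharing among the nodes in the group and correlation analysis of alerts. In the MDCI system, locally captured packets are analyzed using a combination of header content analysis and backscatter analysis, and suspicious features are reported as alerts in a unified standard format; correlation analysis of alert information among cooperating nodes is performed by probabilistic evaluation of data flow classification, thereby assembling the full picture of the attack. Experiments show that the system effectively improves the speed of early warning for DDoS attacks.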
20.
《The Journal of Logic Programming》1986,3(3):185-215
An elaboration of the PROLOG language is described in which the notion of first-order term is replaced by a more general one. This extended form of terms allows the integration of inheritance—an IS-A taxonomy—directly into the unification process rather than indirectly through the resolution-based inference mechanism of PROLOG. This results in more efficient computations and enhanced language expressiveness. The language thus obtained, called LOGIN, subsumes PROLOG, in the sense that conventional PROLOG programs are equally well executed by LOGIN.