Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria was selected to highlight commonalities and important features of attack strategies, that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

/pdf/a-taxonomy-of-ddos-attack-and-ddos-defense-mechanisms-3fjlj0hhjy.pdf

A taxonomy of DDoS attack and DDoS defense mechanisms

The Transmission Control Protocol.

We report on the design and implementation of the Privacy Integrated Queries (PINQ) platform for privacy-preserving data analysis. PINQ provides analysts with a programming interface to unscrubbed data through a SQL-like language. At the same time, the design of PINQ's analysis language and its careful implementation provide formal guarantees of differential privacy for any and all uses of the platform. PINQ's unconditional structural guarantees require no trust placed in the expertise or diligence of the analysts, substantially broadening the scope for design and deployment of privacy-preserving data analysis, especially by non-experts.

/pdf/privacy-integrated-queries-an-extensible-platform-for-36s2soxejh.pdf

Privacy integrated queries: an extensible platform for privacy-preserving data analysis

The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks. In this paper, we provide a seven-month retrospective analysis of Mirai's growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyze how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets. To address this risk, we recommend technical and nontechnical interventions, as well as propose future research directions.

https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

Understanding the mirai botnet

Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

/pdf/a-survey-of-defense-mechanisms-against-distributed-denial-of-36i5dbdzy6.pdf

A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

Flash Crowd Attacks (FCAs) are DDoS attacks that flood victim services, such as Web servers, with well-formed requests, generated by numerous bots. It is hard to detect and filter such attacks because both legitimate and attack requests look identical. In our previous work [1], we proposed models of how human users interact with Web servers, and also showed in simulation that these models can detect naive FCA attacks. We significantly extend these proposed models to make them more robust, simpler, and applicable to a wider variety of FCA attacks in this paper. We implement the models in a system called FRADE, and evaluate it on three Web servers with different server applications and different content. We show that FRADE can detect both naive and sophisticated bots within seconds and successfully filters out attack traffic. Therefore, FRADE significantly raises the bar for a successful attack by requiring attackers to deploy botnets that are at least three orders of magnitude larger than the botnets today.

Defending Web Servers Against Flash Crowd Attacks

Venmo is a US-based mobile social payments platform. Each Venmo transaction requires a “payment note”, a brief memo. By default, these memos are visible to all other Venmo users. Using three data sets of Venmo transactions, which span 8 years and a total of 389 M transactions with over 22.5 M unique users, we quantify the extent of private data leaks from public transaction notes. To quantify the leaks, we develop a classification framework SENMO, that uses BERT and regular expressions to classify public transaction notes as sensitive or non-sensitive. We find that 41 M notes (10.5%) leak some sensitive information such as health condition, political orientation and drug/alcohol consumption involving 8.5 M (37.8%) users. We further find that users seek privacy by making their notes private, inconspicuous or cryptic. However, the large increase in Venmo’s user base means that the number of users whose privacy is publicly exposed has grown substantially. Finally, the privacy of a user who transacts with a group on Venmo can be reduced or eliminated through the actions of other users. We find that this happens to around half of Alcoholics Anonymous, gambling and biker gang group members. Our findings strongly suggest that public-by-default payment information puts many users at risk of unintended privacy leaks.

/pdf/i-know-what-you-did-on-venmo-discovering-privacy-leaks-in-30y1e9hh.pdf

I know what you did on Venmo: Discovering privacy leaks in mobile social payments

Traditional DDoS attack detection monitors volumetric traffic features to detect attack onset. To reduce false positives, such detection is often conservative---raising an alert only after a sustained period of observed anomalous behavior. However, contemporary attacks tend to be short, which combined with a long detection delay means that most of the attack still reaches and impacts the victim. We propose Xatu, a system that utilizes auxiliary signals to improve the accuracy and timeliness of existing DDoS detection systems. We explore two types of auxiliary signals, attack preparation signals and the history of prior attacks. These signals can be easily mined from existing traffic monitoring systems in many ISP networks. To leverage these auxiliary signals for attack detection, we propose a multi-timescale LSTM model, which derives both long-term and short-term patterns from diverse auxiliary signals. We then leverage survival analysis to quickly detect attacks when they occur while minimizing false positives and thus scrubbing costs. We evaluate Xatu on traffic from a large ISP, using commercial defense alert data to label prevalent attack events. Xatu would help the commercial defense scrub up to 44.1% additional anomalous traffic and would reduce its median detection delay by 9.5 minutes.1

Xatu: boosting existing DDoS detection systems using auxiliary signals

In this paper we demonstrate the ease of generating and modifying background traffic in testbed experiments through the traffic generation framework we developed, called LegoTG. LegoTG is a modular framework for composing custom traffic generation. It makes it easy to combine different traffic generators and traffic modulators (e.g., Delay models), and to port the same background traffic to different topologies. In addition to the framework, we have developed several traffic generation/modulation tools that can be used in LegoTG to generate realistic and highly controllable network and transport-level traffic. We build our demonstration around a series of simple experiments which reinforce how much background traffic matters in experiments and how different traffic models can drastically affect experiment results and research conclusions.

/pdf/expressing-different-traffic-models-using-the-legotg-2aaln18t57.pdf

Expressing Different Traffic Models Using the LegoTG Framework

Differential privacy has emerged as a promising mechanism for privacy-safe data mining. One popular differential privacy mechanism allows researchers to pose queries over a dataset, and adds random noise to all output points to protect privacy. While differential privacy produces useful data in many scenarios, added noise may jeopardize utility for queries posed over small populations or over long-tailed datasets. Gehrke et al. proposed crowd-blending privacy, with random noise added only to those output points where fewer than k individuals (a configurable parameter) contribute to the point in the same manner. This approach has a lower privacy guarantee, but preserves more research utility than differential privacy. We propose an even more liberal privacy goal---commoner privacy---which fuzzes (omits, aggregates or adds noise to) only those output points where an individual's contribution to this point is an outlier. By hiding outliers, our mechanism hides the presence or absence of an individual in a dataset. We propose one mechanism that achieves commoner privacy---interactive k-anonymity. We also discuss query composition and show how we can guarantee privacy via either a pre-sampling step or via query introspection. We implement interactive k-anonymity and query introspection in a system called Patrol for network trace processing. Our evaluation shows that commoner privacy prevents common attacks while preserving orders of magnitude higher research utility than differential privacy, and at least 9-49 times the utility of crowd-blending privacy.

Jelena Mirkovic

Papers

Defending Web Servers Against Flash Crowd Attacks

I know what you did on Venmo: Discovering privacy leaks in mobile social payments

Xatu: boosting existing DDoS detection systems using auxiliary signals

Expressing Different Traffic Models Using the LegoTG Framework

Commoner Privacy And A Study On Network Traces