Attacks over the Internet are becoming more and more complex and sophisticated. How to detect security threats and measure the security of the Internet arises a significant research topic. For detecting the Internet attacks and measuring its security, collecting different categories of data and employing methods of data analytics are essential. However, the literature still lacks a thorough review on security-related data collection and analytics on the Internet. Therefore, it becomes a necessity to review the current state of the art in order to gain a deep insight on what categories of data should be collected and which methods should be used to detect the Internet attacks and to measure its security. In this paper, we survey existing studies about security-related data collection and analytics for the purpose of measuring the Internet security. We first divide the data related to network security measurement into four categories: 1) packet-level data; 2) flow-level data; 3) connection-level data; and 4) host-level data. For each category of data, we provide a specific classification and discuss its advantages and disadvantages with regard to the Internet security threat detection. We also propose several additional requirements for security-related data analytics in order to make the analytics flexible and scalable. Based on the usage of data categories and the types of data analytic methods, we review current detection methods for distributed denial of service flooding and worm attacks by applying the proposed requirements to evaluate their performance. Finally, based on the completed review, a list of open issues is outlined and future research directions are identified.

/pdf/security-data-collection-and-data-analytics-in-the-internet-42jezn60fe.pdf

Security Data Collection and Data Analytics in the Internet: A Survey

The severity of amplification attacks has grown in recent years. Since 2013 there have been at least two attacks which involved over 300Gbps of attack traffic. This paper offers an analysis of these and many other amplification attacks. We compare a wide selection of different proposals for detecting and preventing amplification attacks, as well as proposals for tracing the attackers. Since source IP spoofing plays an important part in almost all of the attacks mentioned, a survey on the state of the art in spoofing defenses is also presented. This work acts as an introduction into amplification attacks and source IP address spoofing. By combining previous works into a single comprehensive bibliography, and with our concise discussion, we hope to prevent redundant work and encourage others to find practical solutions for defending against future amplification attacks.

Amplification and DRDoS Attack Defense - A Survey and New Perspectives.

Distributed Denial-of-Service (DDoS) is a menace for service provider and prominent issue in network security. Defeating or defending the DDoS is a prime challenge. DDoS make a service unavailable for a certain time. This phenomenon harms the service providers, and hence, loss of business revenue. Therefore, DDoS is a grand challenge to defeat. There are numerous mechanism to defend DDoS, however, this paper surveys the deployment of Bloom Filter in defending a DDoS attack. The Bloom Filter is a probabilistic data structure for membership query that returns either true or false. Bloom Filter uses tiny memory to store information of large data. Therefore, packet information is stored in Bloom Filter to defend and defeat DDoS. This paper presents a survey on DDoS defending technique using Bloom Filter.

/pdf/preventing-ddos-using-bloom-filter-a-survey-2xkxwyka9u.pdf

Preventing DDoS using Bloom Filter: A Survey

The purpose of this study is to understand the flaws of existing solutions to combat the DDoS attack and a novel scheme is being provided with its validation to reduce the effect of DDoS attack in MANET Environment. As Internet users are increasing day by day, it is becoming more prone to attacks and new hacking techniques. People are accessing information and communicating with each other on the move. Mobile Ad-hoc Network (MANET) is responsible for this rapid change in the lives of people. With the emergence of technology, where people communicate or share important documentations on the go with the help of laptops, PDAs, notebooks, smart phones etc., the loopholes in the Internet security have also increased and they are becoming more difficult to handle due to the characteristics of MANET such as dynamic topologies, low battery life, multicast routing, frequency of updates or network overhead, scalability, mobile agent based routing and power aware routing, etc. The network is becoming more prone to attacks like DDoS, byzantine, resource consumption, blackhole, grayhole, etc. Therefore, there is an urgent need to look into the security issues to allow authorized users to access the information available on Internet without any risk. In this study, a novel scheme is proposed which deals with suppressing the influence of the attack. The effectiveness of the approach is validated with simulation in GloMoSim, integrated with parsec compiler, on a windows platform.

An Efficient Scheme to Prevent DDoS Flooding Attacks in Mobile Ad-Hoc Network (MANET)

DRDoS (Distributed Reflection Denial of Service) attack is a kind of DoS (Denial of Service) attack, in which third-party servers are tricked into sending large amounts of data to the victims. That is, attackers use source address IP spoofing to hide their identity and cause third-parties to send data to the victims as identified by the source address field of the IP packet. This is called reflection because the servers of benign services are tricked into "reflecting" attack traffic to the victims. The most typical existing detection methods of such attacks are designed based on known attacks by protocol and are difficult to detect the unknown ones. According to our investigations, one protocol-independent detection method has been existing, which is based on the assumption that a strong linear relationship exists among the abnormal flows from the reflector to the victim. Moreover, the method is assumed that the all packets from reflectors are attack packets when attacked, which is clearly not reasonable. In this study, we found five features are effective for detecting DRDoS attacks, and we proposed a method to detect DRDoS attacks using these features and machine learning algorithms. Its detection performance is experimentally examined and the experimental result indicates that our proposal is of clearly better detection performance.

/pdf/a-machine-learning-based-approach-for-detecting-drdos-2mp9evpod5.pdf

A Machine Learning Based Approach for Detecting DRDoS Attacks and Its Performance Evaluation

DDoS attack is considered to be a major threat among security problems in today's Internet. These kinds of attack are potentially severe. They bring down business of company drastically. DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. There are attacks exploiting some vulnerability or implementation bug in the software implementation of a service, to bring the server down. Some attacks will use all the available resources at the target machine. This paper deals on attacks that consume all the bandwidth available to the victim machine. While concentrating on the bandwidth attack the TCP SYN flood is the more prominent attack. TCP/IP protocol suite is the most widely used protocol suite for data communication. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection requests. There are various methods used to detect and prevent this attack, one of which is to block the packet based on SYN flag count from the same IP address. This kind of prevention methods becomes unsuitable when the attackers use the Spoofed IP address. For the prevention of this kind of attacks, the TCP specific probing is used in the proposed scheme where the client is requested to change the windows size/ cause packet retransmission while sending the ACK in the three way hand shake. This is very useful to find the Spoofed IP Packets/TCP SYN flood and preventing them.

A mitigation model for TCP SYN flooding with IP spoofing

The challenging number is used for the detection of Spoofing attack. The IP Spoofing is considered to be one of the potentially brutal attack which acts as a tool for the DDoS attack which is considered to be a major threat among security problems in today's internet. These kinds of attack are extremely severe. They bring down business of company drastically. DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. There are attacks exploiting some vulnerability or implementation bug in the software implementation of a service to bring that down and some attacks will use all the available resources at the target machine. This deals on attacks that consume all the bandwidth available to the victim machine. While concentrating on the bandwidth attack the TCP SYN flood is the more prominent attack. TCP/IP protocol suite is the most widely used protocol suite for data communication. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection request. There are various methods used to detect and prevent this attack, one of which is to block the packet based on SYN flag count from the same IP address. This kind of prevention methods becomes unsuitable when the attackers use the Spoofed IP address. The SYN spoofing becomes a major tool the TCP SYN flooding. For the prevention of this kind of attacks, the TCP specific probing is used in the proposed scheme where the client is requested challenging number while sending the ACK in the three way hand shake. This is very useful to find the Spoofed IP Packets/TCP SYN flood and preventing them.

CNoA: Challenging Number Approach for uncovering TCP SYN flooding using SYN spoofing attack

Protection of critical server from cyber attacks is vital, especially in the case of active attacks like Distributed Denial of Service (DDoS). Seamless services are provided by the constant availability of the server which plays an important factor in providing the customer good Quality of Service (QoS). Monitoring and rate limiting the flow of packets will protect the victim systems by allowing only trusted users during the DDoS attack. The job of the security professionals becomes complex, when the attacks are launched from trusted IP addresses, using Synchronization (SYN) spoofing. The work presented in this paper is experimented with Efficient Spoofed Mitigation Scheme (ESMS) which uses the TCP probing method along with the bloom filter trust model. The proposed scheme provides accurate and robust information for the detection and controlling of the spoofed packets, during the DDoS attacks.

Efficient SYN Spoofing Detection and Mitigation Scheme for DDoS Attack

DDoS (Distributed Denial of Service) has been a continuous threat to the cyber world with the growth in cyber technology. This technical evolution has given rise to a number of ultra-sophisticated ways for the attackers to perform their DDoS attack. In general, the attackers who generate the denial of service, use the vulnerabilities of the TCP. Some of the vulnerabilities like SYN (synchronization) flooding, and IP spoofing are used by the attacker to create these Distributed Reflected Denial of Service (DrDoS) attacks. An attacker, with the assistance of IP spoofing creates a number of attack packets, which reflects the flooded packets to an attacker’s intended victim system, known as the primary target. The proposed scheme, Efficient Spoofed Flooding Defense (ESFD) provides two level checks which, consist of probing and non-repudiation, before allocating a service to the clients. The probing is used to determine the availability of the requested client. Non-repudiation is taken care of by the timestamp enabled in the packet, which is our major contribution. The real time experimental results showed the efficiency of our proposed ESFD scheme, by increasing the performance of the CPU up to 40%, the memory up to 52% and the network bandwidth up to 67%. This proves the fact that the proposed ESFD scheme is fast and efficient, negating the impact on the network, victim and primary target.

A pioneer scheme in the detection and defense of DrDoS attack involving spoofed flooding packets

A Distributed Denial-of-Service (DDoS) attack is a strenuous attack to defend, mainly due to a server’s inability to control the amount and the origin of requests. It is easily performed by utilizing the weakness of the network protocol. DDoS attack is considered to be a major threat among security problems in today’s Internet. TCP/IP protocol suite is the most widely used protocol suite for data communication. While SYN flooding exploits the TCP three-way handshake process by sending many connection requests using spoofed source IP addresses to a victim server. The IP protocol specifies no method for validating the authenticity of the packet’s source. This implies that an attacker can forge the source address to their desire. These kinds of attack are potentially severe. They bring down business of company drastically. DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. This paper deals on attacks that consume all the bandwidth available to the victim machine. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection requests. There are various methods used to detect and prevent this attack, one of which is to block the packet based on SYN flag count from the same IP address. This kind of prevention methods becomes unsuitable when the attackers use the Spoofed IP address. For the prevention of this kind of attacks, the TCP specific probing is used in the proposed scheme where the client is requested to change the windows size/ cause packet retransmission while sending the ACK in the three way hand shake. We also use the DHCP to statically assign the IP address based on the MAC address in a private environment. This is very useful to find the Spoofed IP Packets/TCP SYN flood and preventing them.

L. Kavisankar

Papers

A mitigation model for TCP SYN flooding with IP spoofing

CNoA: Challenging Number Approach for uncovering TCP SYN flooding using SYN spoofing attack

Efficient SYN Spoofing Detection and Mitigation Scheme for DDoS Attack

A pioneer scheme in the detection and defense of DrDoS attack involving spoofed flooding packets

T-RAP: (TCP Reply Acknowledgement Packet) a Resilient Filtering Model for DDoS Attack with Spoofed IP Address