Journal ArticleDOI

Survey of network-based defense mechanisms countering the DoS and DDoS problems

12 Apr 2007-ACM Computing Surveys (ACM)-Vol. 39, Iss: 1, pp 3
TL;DR: This survey analyzes the design decisions in the Internet that have created the potential for denial of service attacks and the methods that have been proposed for defense against these attacks, and discusses potential countermeasures against each defense mechanism.
Abstract: This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.


Citations
Journal ArticleDOI
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

1,153 citations

Journal ArticleDOI
TL;DR: This paper provides a structured and comprehensive overview of various facets of network anomaly detection so that a researcher can become quickly familiar with every aspect of network anomalies detection.
Abstract: Network anomaly detection is an important and dynamic research area. Many network intrusion detection methods and systems (NIDS) have been proposed in the literature. In this paper, we provide a structured and comprehensive overview of various facets of network anomaly detection so that a researcher can become quickly familiar with every aspect of network anomaly detection. We present attacks normally encountered by network intrusion detection systems. We categorize existing network anomaly detection methods and systems based on the underlying computational techniques used. Within this framework, we briefly describe and compare a large number of network anomaly detection methods and systems. In addition, we also discuss tools that can be used by network defenders and datasets that researchers in network anomaly detection can use. We also highlight research directions in network anomaly detection.

971 citations


Cites methods from "Survey of network-based defense mec..."

  • ...Methods /NIDSs /Tools Topics covered [8] [10] [11] [6] [16] [17] [3] [7] [21] [26] [29] [31] [32] [33] [34] Our survey...

  • ...An extensive survey of DoS and distributed DoS attack detection techniques is presented in [26]....

Journal ArticleDOI
TL;DR: This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Abstract: Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.

669 citations


Cites background from "Survey of network-based defense mec..."

  • ...SAVE protocol enables routers to update the information of expected source IP addresses on each link and block any IP packet with an unexpected source IP address [57]....

  • ...Source Address Validity Enforcement (SAVE) protocol enables routers to update the information of expected source IP addresses on each link and block any IP packet with an unexpected source IP address [57]....

  • ...The second group is called anomaly-based detection [57] (e....

Journal ArticleDOI
TL;DR: This paper summarizes the current research directions in detecting coordinated attacks using collaborative intrusion detection systems (CIDSs), and highlights two main challenges in CIDS research: CIDS architectures and alert correlation algorithms.

366 citations


Cites background or methods from "Survey of network-based defense mec..."

  • ...…in detail machine learning based data mining methods for intrusion detection, DoS defense and network wide anomaly detection, which have been previously surveyed in (Brugger, 2004; Lee and Stolfo, 2000; Stolfo et al., 2001; Mirkovic and Reiher, 2004; Peng et al., 2006; Lakhina et al., 2004, 2005)....

  • ...Note that we do not attempt to provide a comprehensive survey of these attacks, which can be found in (Staniford, 2002; Weaver et al., 2003; Goldi and Hiestand, 2005; Peng et al., 2006; Mirkovic and Reiher, 2004; Igure and Williams, 2008)....

References
Journal ArticleDOI
13 Dec 1968-Science
TL;DR: The population problem has no technical solution; it requires a fundamental extension in morality.
Abstract: The population problem has no technical solution; it requires a fundamental extension in morality.

22,421 citations


"Survey of network-based defense mec..." refers background in this paper

  • ...The tragedy of the commons [Hardin 1968] happens when individuals try to maximize their benefits while ignoring the public interests....

  • ...More importantly, similar problems, such as the tragedy of the commons [Hardin 1968], have been solved through legislation....

Journal ArticleDOI
TL;DR: Analysis of the paradigm problem demonstrates that allowing a small number of test messages to be falsely identified as members of the given set will permit a much smaller hash area to be used without increasing reject time.
Abstract: In this paper trade-offs among certain computational factors in hash coding are analyzed. The paradigm problem considered is that of testing a series of messages one-by-one for membership in a given set of messages. Two new hash-coding methods are examined and compared with a particular conventional hash-coding method. The computational factors considered are the size of the hash area (space), the time required to identify a message as a nonmember of the given set (reject time), and an allowable error frequency.The new methods are intended to reduce the amount of space required to contain the hash-coded information from that associated with conventional methods. The reduction in space is accomplished by exploiting the possibility that a small fraction of errors of commission may be tolerable in some applications, in particular, applications in which a large amount of data is involved and a core resident hash area is consequently not feasible using conventional methods.In such applications, it is envisaged that overall performance could be improved by using a smaller core resident hash area in conjunction with the new methods and, when necessary, by using some secondary and perhaps time-consuming test to “catch” the small fraction of errors associated with the new methods. An example is discussed which illustrates possible areas of application for the new methods.Analysis of the paradigm problem demonstrates that allowing a small number of test messages to be falsely identified as members of the given set will permit a much smaller hash area to be used without increasing reject time.

7,390 citations


"Survey of network-based defense mec..." refers methods in this paper

  • ...A Bloom filter [Bloom 1970] is used to reduce the memory requirement to store packet records....

Journal ArticleDOI
TL;DR: The tragedy of the commons as a food basket is averted by private property, or something formally like it as mentioned in this paper, which is why the commons, if justifiable at all, is justifiable only under conditions of low-population density.
Abstract: The tragedy of the commons as a food basket is averted by private property, or something formally like it. The pollution problem is a consequence of population. Analysis of the pollution problem as a function of population density uncovers a not generally recognized principle of morality, namely: the morality of an act is a function of the state of the system at the time it is performed. Those who have more children will produce a larger fraction of the next generation than those with more susceptible consciences. Perhaps the simplest summary of the analysis of man’s population problems is this: the commons, if justifiable at all, is justifiable only under conditions of low-population density. As the human population has increased, the commons has had to be abandoned in one aspect after another. The man who takes money from a bank acts as if the bank were a commons.

7,119 citations

Journal ArticleDOI
TL;DR: RED gateways are designed to accompany a transport-layer congestion control protocol such as TCP; they have no bias against bursty traffic and avoid the global synchronization of many connections decreasing their window at the same time.
Abstract: The authors present random early detection (RED) gateways for congestion avoidance in packet-switched networks. The gateway detects incipient congestion by computing the average queue size. The gateway could notify connections of congestion either by dropping packets arriving at the gateway or by setting a bit in packet headers. When the average queue size exceeds a preset threshold, the gateway drops or marks each arriving packet with a certain probability, where the exact probability is a function of the average queue size. RED gateways keep the average queue size low while allowing occasional bursts of packets in the queue. During congestion, the probability that the gateway notifies a particular connection to reduce its window is roughly proportional to that connection's share of the bandwidth through the gateway. RED gateways are designed to accompany a transport-layer congestion control protocol such as TCP. The RED gateway has no bias against bursty traffic and avoids the global synchronization of many connections decreasing their window at the same time. Simulations of a TCP/IP network are used to illustrate the performance of RED gateways.

6,198 citations


"Survey of network-based defense mec..." refers background in this paper

  • ...Lau et al. [2000] have shown that class-based queuing (CBQ) [Floyd and Jacobson 1995] algorithms can guarantee bandwidth for certain classes of input flows, while Random Early Detection (RED) [Floyd and Jacobson 1993] performs poorly with regard to DDoS attacks....

Book ChapterDOI
01 Jun 2002
TL;DR: Session Initiation Protocol (SIP) as discussed by the authors is an application layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants, such as Internet telephone calls, multimedia distribution, and multimedia conferences.
Abstract: This document describes Session Initiation Protocol (SIP), an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences.

5,482 citations