scispace - formally typeset

Showing papers on "DDoS mitigation published in 2012"


Patent
27 Apr 2012
TL;DR: In this paper, a method of mitigating an application distributed denial of service (DDoS) attack on a network includes parsing the application layer logs into an application layer forensic file, comparing an entry of the application layer forensic file with a human behavior profile to determine a malicious qualifier associated with an application DDoS attack on the network, and providing the malicious IP address to a network device.
Abstract: A method of mitigating an application distributed denial of service (DDoS) attack on a network includes receiving application layer logs at an application DDoS mitigation appliance, parsing the application layer logs into an application layer forensic file, comparing an entry of the application layer forensic file with a human behavior profile to determine a malicious qualifier associated with an application DDoS attack on the network, parsing the application layer log into a per-source forensic file, comparing an entry of the per-source forensic file with the malicious qualifier to determine a malicious Internet protocol (IP) address associated with the application DDoS attack, and providing the malicious IP address to a network device, wherein the network device drops network traffic associated with the application DDoS attack based upon the malicious IP address.

32 citations


Journal Article
TL;DR: A Threshold Based Kernel Level HTTP Filter (TBHF), which would prevent internet users from unknowingly taking part in such Distributed Denial of Service (DDoS) attacks, is proposed.
Abstract: An HTTP flooding attack has the unique feature of interrupting application level services rather than depleting network resources as other flooding attacks do. Bombarding a target with HTTP GET requests results in Denial of Service (DoS) of the web server. Use of shortened Uniform Resource Locators (URLs) is one of the most effective ways to unknowingly trap users into participating in an HTTP GET flooding attack. The existing solutions for HTTP attacks are based on browser level cache maintenance, the CAPTCHA technique, and the use of Access Control Lists (ACLs). Such techniques fail to prevent dynamic URL based HTTP attacks. To develop a solution for preventing this kind of HTTP flooding attack, a real time HTTP GET flooding attack was generated using d0z-me, a malicious URL shortener tool. When a user clicked the shortened URL, the web page the user intended to visit was displayed in the web browser. Simultaneously, however, an avalanche of HTTP GET requests was generated in the background toward the web server, driven by scripts downloaded from the attacker. Since HTTP GET request traffic is part of any genuine internet traffic, it is difficult for a firewall to detect such attacks. This motivated us to propose a Threshold Based Kernel Level HTTP Filter (TBHF), which would prevent internet users from unknowingly taking part in such Distributed Denial of Service (DDoS) attacks. The Windows Filtering Platform (WFP), an Application Programming Interface (API), was used to develop TBHF. The proposed solution was tested by installing TBHF on a victim machine and generating the DDoS attack. It was observed that TBHF completely prevented the user from participating in the DDoS attack by filtering out the malicious HTTP GET requests while allowing other genuine HTTP GET requests generated from that system.

8 citations


Patent
Mark Teodoro, Sean Leach
22 Oct 2012
TL;DR: In this paper, systems and methods for providing distributed denial of service (DDoS) mitigation service are disclosed, where the systems and methods may receive a request to access a web server from a user host, generate an integrated user challenge page including a user challenge test and a web page image of the web server, and transmit the integrated challenge page to the user host.
Abstract: Systems and methods are disclosed for providing distributed denial-of-service (DDoS) mitigation service. The systems and methods may receive a request to access a web server from a user host, generate an integrated user challenge page including a user challenge test and a web page image of the web server, and transmit the integrated user challenge page to the user host. The systems and methods may further receive an answer to the user challenge test from the user host and determine whether the answer to the user challenge test is correct. When the answer to the user challenge test is correct, the systems and methods may establish a connection between the user host and the web server.

3 citations


Proceedings Article
01 Nov 2012
TL;DR: This paper proposes unfair rate limiting (URL), in which traffic aggregates are given different priority by extracting increasing patterns and analyzing their relationship with DDoS attacks, and shows that both LoURL and CoURL can effectively mitigate DDoS attacks.
Abstract: Distributed Denial of Service (DDoS) attacks pose a significant threat to network applications. Many countermeasures have been proposed to tackle such attacks. This paper focuses on DDoS mitigation techniques, the practical way to filter attack traffic and keep victims alive. To rate limit attack traffic while affecting as little normal traffic as possible, we consider not just the amount of increased volume but also how the increased traffic propagates through the network, which we denote as traffic increasing patterns. In this paper, we propose unfair rate limiting (URL), in which traffic aggregates are given different priority by extracting increasing patterns and analyzing their relationship with DDoS attacks. Aggregates more likely to include attack traffic are punished harder during mitigation. Two URL mechanisms are presented, Local URL (LoURL) and Collaborative URL (CoURL). LoURL works locally, while CoURL deals with locally indeterminate patterns based on global information, and thus achieves more effective mitigation. We evaluate the proposed mechanisms through simulation. The simulation results show that both LoURL and CoURL can effectively mitigate DDoS attacks. CoURL outperforms LoURL with regard to the percentage of filtered attack traffic.

2 citations


Proceedings Article
01 Jan 2012
TL;DR: This paper proposes unfair rate limiting (URL), in which traffic aggregates are given different priority by extracting increasing patterns and analyzing their relationship with DDoS attacks, and shows that FURL outperforms BURL in filtering attack traffic without dropping normal packets.
Abstract: Distributed Denial of Service (DDoS) attacks pose a threat to network applications. Many countermeasures have been proposed to tackle such attacks. This paper focuses on DDoS mitigation techniques, the practical way to filter attack traffic and keep victims alive. To rate limit attack traffic while affecting as little normal traffic as possible, we consider not just the amount of increased volume but also how the increased traffic propagates through the network, which we denote as traffic increasing patterns. In this paper, we propose unfair rate limiting (URL), in which traffic aggregates are given different priority by extracting increasing patterns and analyzing their relationship with DDoS attacks. Aggregates more likely to include attack traffic are punished harder during mitigation. Basic and fine-grained unfair rate limiting mechanisms (BURL and FURL) are presented, operating on port-flows and bitwise-flows, respectively. Simulation results show that both mechanisms can effectively mitigate DDoS attacks, and that FURL outperforms BURL in filtering attack traffic without dropping normal packets.

1 citation