
Showing papers on "DDoS mitigation published in 2015"


Journal ArticleDOI
TL;DR: A DDoS attack mitigation architecture is proposed that integrates highly programmable network monitoring to enable attack detection with a flexible control structure to allow fast and specific attack reaction, together with a graphical-model-based attack detection system that can deal with the dataset-shift problem.

272 citations


Journal ArticleDOI
TL;DR: It is shown that SDN brings a new chance to defeat DDoS attacks in cloud computing environments; the features of SDN that help in defeating DDoS attacks are summarized, along with a number of challenges that need to be addressed to mitigate DDoS attacks in SDN with cloud computing.
Abstract: Although software-defined networking (SDN) brings numerous benefits by decoupling the control plane from the data plane, there is a contradictory relationship between SDN and distributed denial-of-service (DDoS) attacks. On one hand, the capabilities of SDN make it easy to detect and to react to DDoS attacks. On the other hand, the separation of the control plane from the data plane of SDN introduces new attacks. Consequently, SDN itself may be a target of DDoS attacks. In this paper, we first discuss the new trends and characteristics of DDoS attacks in cloud computing environments. We show that SDN brings us a new chance to defeat DDoS attacks in cloud computing environments, and we summarize good features of SDN in defeating DDoS attacks. Then we review the studies about launching DDoS attacks on SDN and the methods against DDoS attacks in SDN. In addition, we discuss a number of challenges that need to be addressed to mitigate DDoS attacks in SDN with cloud computing. This work can help understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks.

215 citations


Proceedings ArticleDOI
08 Feb 2015
TL;DR: A distributed collaborative framework that allows the customers to request DDoS mitigation service from ISPs and demonstrates that SDN has promising potential to enable autonomic mitigation of DDoS attacks, as well as other large-scale attacks.
Abstract: Distributed Denial of Service attacks (DDoS) have remained one of the most destructive attacks in the Internet for over two decades. Despite tremendous efforts on the design of DDoS defense strategies, few of them have been considered for widespread deployment due to strong design assumptions on the Internet infrastructure, prohibitive operational costs and complexity. Recently, the emergence of Software Defined Networking (SDN) has offered a solution to reduce network management complexity. It is also believed to facilitate security management thanks to its programmability. To explore the advantages of using SDN to mitigate DDoS attacks, we propose a distributed collaborative framework that allows the customers to request DDoS mitigation service from ISPs. Upon request, ISPs can change the label of the anomalous traffic and redirect it to security middleboxes, while attack detection and analysis modules are deployed at the customer side, avoiding privacy leakage and other legal concerns. Our preliminary analysis demonstrates that SDN has promising potential to enable autonomic mitigation of DDoS attacks, as well as other large-scale attacks.

85 citations


Journal ArticleDOI
TL;DR: This survey paper presents a new taxonomy of DDoS mitigation strategies, and shows how a number of new characteristics bring a novel perspective to existing DDoS mechanisms, giving researchers new insights into how to mitigate DDoS attacks in cloud computing.

54 citations


Proceedings ArticleDOI
23 Nov 2015
TL;DR: A defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks that combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack.
Abstract: Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50% to 80% service levels even when hit by an overwhelming attack.

45 citations


Proceedings ArticleDOI
09 Nov 2015
TL;DR: VGuard is proposed, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF) and can effectively provide satisfying service to trusted flows under DDoS attacks.
Abstract: Distributed denial of service (DDoS) attacks have caused tremendous damage to ISPs and online services. They can be divided into attacks using spoofed IPs and attacks using real IPs (botnet). Among them the attacks from real IPs are much harder to mitigate since the attack traffic can be fabricated to be similar to legitimate traffic. The corresponding DDoS defence strategies proposed in the past few years have not been proven to be highly effective due to the limitation of participating devices. However, the emergence of next generation networking technologies such as network function virtualization (NFV) provides a new opportunity for researchers to design DDoS mitigation solutions. In this paper we propose VGuard, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF). The flows from the external zone are directed to different tunnels based on their priority levels. This way trusted legitimate flows are served with guaranteed quality of service, while attack flows and suspicious flows compete for resources with each other. We propose two methods for flow direction: the static method and the dynamic method. We evaluated the performance of both methods through simulation. Our results show that both methods can effectively provide satisfying service to trusted flows under DDoS attacks, and both methods have their pros and cons under different situations.

37 citations


Journal ArticleDOI
TL;DR: STONE, a framework with expert system functionality that provides effective and joint DDoS detection and mitigation, is presented and shows that STONE detects DDoS attacks rapidly, provides minimal degradation of legitimate traffic while mitigating a threat, and also exhibits a processing throughput that scales linearly with the number of nodes used to deploy and run it.
Abstract: Distributed Denial-of-Service (DDoS) attacks aim at rapidly exhausting the communication and computational power of a network target by flooding it with large volumes of malicious traffic. In order to be effective, a DDoS defense mechanism should detect and mitigate threats quickly, while allowing legitimate users access to the attack's target. Nevertheless, defense mechanisms proposed in the literature tend not to address detection and mitigation challenges jointly, but rather focus solely on the detection or the mitigation facet. At the same time, they usually overlook the limitations of centralized defense frameworks that, when deployed physically close to a possible target, become ineffective if DDoS attacks are able to saturate the target's incoming links. This paper presents STONE, a framework with expert system functionality that provides effective and joint DDoS detection and mitigation. STONE characterizes regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detecting attacks when the aggregated traffic deviates from the regular one. Upon detection of an attack, STONE allows traffic from known sources to access the service while discarding suspicious traffic. STONE relies on the data streaming processing paradigm in order to characterize and detect anomalies in real time. We implemented STONE on top of StreamCloud, an elastic and parallel-distributed stream processing engine. The evaluation, conducted on real network traces, shows that STONE detects DDoS attacks rapidly, provides minimal degradation of legitimate traffic while mitigating a threat, and also exhibits a processing throughput that scales linearly with the number of nodes used to deploy and run it.
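The detection-and-mitigation loop the abstract describes (aggregate per-source traffic into IP prefixes, learn the regular per-prefix profile, flag deviations, then let known sources through while dropping the rest) is shown below as an added example. It is not code from STONE or StreamCloud: the per-prefix mean-plus-k-sigma band, the floor for never-seen prefixes, the /24 aggregation width and the sample intervals are all constructed for illustration.

```python
import ipaddress
import statistics
from collections import Counter

# Constructed sample data (not from the paper): one dict per measurement
# interval, mapping source IP -> packets seen in that interval.
BASELINE_INTERVALS = [
    {"10.0.1.5": 40, "10.0.1.9": 35, "10.0.2.7": 50, "192.168.3.2": 20},
    {"10.0.1.5": 42, "10.0.1.9": 33, "10.0.2.7": 48, "192.168.3.2": 22},
    {"10.0.1.5": 38, "10.0.1.9": 37, "10.0.2.7": 52, "192.168.3.2": 18},
    {"10.0.1.5": 41, "10.0.1.9": 34, "10.0.2.7": 49, "192.168.3.2": 21},
]

# Same regular sources plus a flood from a prefix the baseline never saw.
ATTACK_INTERVAL = {
    "10.0.1.5": 40, "10.0.1.9": 36, "10.0.2.7": 50, "192.168.3.2": 20,
    "203.0.113.10": 900, "203.0.113.11": 880, "203.0.113.12": 910,
}


def aggregate_by_prefix(interval, prefix_len=24):
    """Collapse per-host counts into per-prefix counts (the aggregation step)."""
    agg = Counter()
    for ip, pkts in interval.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        agg[str(net)] += pkts
    return agg


class PrefixBaseline:
    # k and new_prefix_floor are assumed tuning knobs, not values from STONE.
    def __init__(self, prefix_len=24, k=3.0, new_prefix_floor=100):
        self.prefix_len = prefix_len
        self.k = k
        self.new_prefix_floor = new_prefix_floor
        self.history = {}          # prefix -> per-interval counts seen in training
        self.known_sources = set() # hosts observed during regular operation

    def train(self, intervals):
        """Learn the regular per-prefix volume and the set of known sources."""
        for interval in intervals:
            self.known_sources.update(interval)
            agg = aggregate_by_prefix(interval, self.prefix_len)
            for prefix in set(self.history) | set(agg):
                self.history.setdefault(prefix, []).append(agg.get(prefix, 0))

    def detect(self, interval):
        """Return the prefixes whose volume deviates from the learned profile."""
        anomalous = set()
        for prefix, count in aggregate_by_prefix(interval, self.prefix_len).items():
            hist = self.history.get(prefix)
            if hist is None:
                # No profile for this prefix: flag it only above a volume floor,
                # so a single new legitimate visitor does not trip detection.
                if count >= self.new_prefix_floor:
                    anomalous.add(prefix)
                continue
            mean = statistics.fmean(hist)
            sd = statistics.pstdev(hist) or 1.0   # avoid a zero-width band
            if count > mean + self.k * sd:
                anomalous.add(prefix)
        return anomalous

    def filter(self, interval):
        """Mitigation step: once an attack is detected, admit only known sources."""
        if not self.detect(interval):
            return dict(interval), {}
        allowed = {ip: n for ip, n in interval.items() if ip in self.known_sources}
        dropped = {ip: n for ip, n in interval.items() if ip not in self.known_sources}
        return allowed, dropped


if __name__ == "__main__":
    baseline = PrefixBaseline()
    baseline.train(BASELINE_INTERVALS)
    print("anomalous prefixes:", baseline.detect(ATTACK_INTERVAL))
    allowed, dropped = baseline.filter(ATTACK_INTERVAL)
    print("admitted", sum(allowed.values()), "packets; dropped", sum(dropped.values()))
```

The "known sources" allowlist is what keeps legitimate clients served during mitigation, but it also means a legitimate client that first appears during an attack is dropped; a deployment would pair it with a secondary admission path (for example, the puzzle-based checks described further down this page) rather than a hard drop.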

36 citations


Proceedings ArticleDOI
01 Jul 2015
TL;DR: The paper mitigates undetected malicious traffic that mimics legitimate traffic by developing a special anti-DDoS module for general and tool-specific DDoS attacks, using a classifier trained with a random tree machine-learning algorithm.
Abstract: Application layer Distributed Denial of Service (DDoS) attacks are among the deadliest kinds of attacks that have significant impact on destination servers and networks due to their ability to be launched with minimal computational resources to cause an effect of high magnitude. Commercial and government Web servers have become the primary target of these kinds of attacks, with the recent mitigation efforts struggling to deaden the problem efficiently. Most application layer DDoS attacks can successfully mimic legitimate traffic without being detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDSs and IPSs can also mistake a normal and legitimate activity for a malicious one, producing a False Positive (FP) that affects Web users if it is ignored or dropped. False positives in a large and complex network topology can potentially be dangerous as they may cause IDS/IPS to block the user's benign traffic. Our focus and contributions in this paper are first, to mitigate the undetected malicious traffic mimicking legitimate traffic and to develop a special anti-DDoS module for general and specific DDoS tool attacks by using a trained classifier in a random tree machine-learning algorithm. We use labeled datasets to generate rules to incorporate and fine-tune existing IDS/IPS such as Snort. Secondly, we further assist IDS/IPS by processing traffic that is classified as malicious by the IDS/IPS in order to identify FPs and route them to their intended destinations. To achieve this, our approach uses active authentication of the traffic source of both legitimate and malicious traffic at the Bait and Decoy server respectively before it is forwarded to the Web server.

35 citations


Book ChapterDOI
16 Dec 2015
TL;DR: Experimental results show that DARAC mitigates various DDoS attack sets and takes accurate and quick auto-scaling decisions for various legitimate and attacker traffic combinations, saving the service from EDoS; the proposed mechanism also makes the "arms race" very difficult for attackers, since the resources needed to defeat DARAC on even a very small capacity server are huge.
Abstract: Internet-based computing has led to an emergence of a large number of threats. One of the major threats is the Distributed Denial of Service (DDoS) attack. Recent incidents have shown that DDoS attacks have the capability of shutting a business not for a day but weeks. DDoS attacks have a greater impact on multi-tenant clouds than traditional infrastructure. DDoS attacks in the cloud take the shape of Economic Denial of Sustainability (EDoS) attacks. In EDoS, instead of "Service Denial", economic harms occur due to fake resource usage and subsequent addition or buying of resources using on-demand provisioning. To detect and mitigate DDoS attacks in the cloud, we argue that on-demand resource allocation, known as auto-scaling, should also be looked at, in addition to network or application layer mitigation. We have proposed a novel mitigation strategy, DARAC, which makes auto-scaling decisions by accurately differentiating between legitimate requests and attacker traffic. Attacker traffic is detected and dropped based on human behavior analysis based detection. We also argue that most of the solutions in the literature do not pay much attention to the service quality to legitimate requests during an attack. We calculate the share of legitimate clients in resource addition/buying and make subsequent accurate auto-scaling decisions. Experimental results show that DARAC mitigates various DDoS attack sets and takes accurate and quick auto-scaling decisions for various legitimate and attacker traffic combinations, saving from EDoS. We also show how the proposed mechanism could make the "arms race" very difficult for the attackers, as the resources needed to defeat the DARAC mechanism on a very small capacity server are huge. Results also show significant improvements in the average response time of the web-service under attack, in addition to infrastructure cost savings of up to 50% in heavy attack cases.

20 citations


Patent
03 Sep 2015
TL;DR: In this paper, the authors propose a DDoS testing service that allows testing and verifying the integrity of DDoS mitigation strategies of an organization while maintaining operation of the targeted organization's IT infrastructure.
Abstract: DDoS testing service features testing and verifying the integrity of a DDoS mitigation strategy of an organization while maintaining operation of the targeted organization's IT infrastructure. This facilitates ongoing and recurring operation and integrity of the DDoS mitigation strategy, at regular intervals and without causing service disruption to the IT infrastructure. Testing can include an array of DDoS attack vectors allowing the risk assessment of the organization to be fully visible for the production environment concerning a successful DDoS attack being launched against the organization.

18 citations


Proceedings ArticleDOI
20 Aug 2015
TL;DR: This work proposes a new architecture for a cloud based firewalling service using resources offered by the Cloud and characterized by low financial cost, high availability, reliability, self scaling and easy management.
Abstract: Cloud computing has evolved over the last decade from a simple storage service to more complex ones, offering software as a service (SaaS), platforms as a service (PaaS) and most recently security as a service (SECaaS). The work presented in this paper is a response to: (1) the resource constraints in physical security devices such as firewalls or IPS/IDS, which can no longer counter advanced DDOS attacks, (2) the high cost, management complexity and the requirement of a high amount of resources on existing DDOS mitigation tools to verify the traffic. We propose a new architecture for a cloud based firewalling service using resources offered by the Cloud and characterized by: a low financial cost, high availability, reliability, self scaling and easy management. In order to improve the efficiency of our proposal to face DDOS attacks, we deploy, configure and test our mitigation service using Network Function Virtualization technology (NFV) and other virtualization capabilities. We also detail some results and point out future work.

Patent
18 May 2015
TL;DR: In this paper, a computational intensive problem, referred to as a bot detection problem, is proposed for mitigating against layer 7 distributed denial of service (DDoS) attacks, where the server will monitor the user request rate and increase the difficulty of the problem when the request rate exceeds different thresholds.
Abstract: Some embodiments provide techniques for mitigating against layer 7 distributed denial of service attacks. Some embodiments submit a computationally intensive problem, also referred to as a bot detection problem, in response to a user request. Bots that lack the sophistication needed to render websites or are configured to not respond to the server response will be unable to provide a solution to the problem and their requests will therefore be denied. If the requesting user is a bot and has the sophistication to correctly solve the problem, the server will monitor the user request rate. For subsequent requests from that same user, the server can increase the difficulty of the problem when the request rate exceeds different thresholds. In so doing, the problem consumes greater resources of the user, slowing the rate at which the user can submit subsequent requests, and thereby preventing the user from overwhelming the server.

Journal ArticleDOI
TL;DR: The main idea is to develop the DDoS defense system in the form of a portable software image that can be installed on reserve hardware capacity, which allows the filtering capacity to be increased linearly and protects against combinations of attacks.
Abstract: Distributed Denial of Service attacks (DDoS) have been used by attackers for over two decades because of their effectiveness. This type of cyber-attack is one of the most destructive attacks in the Internet. In recent years, the intensity of DDoS attacks has been rapidly increasing and attackers more often combine different DDoS techniques to bypass the protection. Therefore, the main goal of our research is to propose a DDoS solution that allows the filtering capacity to be increased linearly and protects against combinations of attacks. The main idea is to develop the DDoS defense system in the form of a portable software image that can be installed on reserve hardware capacity. During a DDoS attack, these servers will be used as filters of the DDoS attack. Our solution is suitable for data centers and eliminates some shortcomings of commercial solutions. The system employs modular DDoS filters in the form of special grids containing specific protocol parameters and conditions.

04 Jul 2015
TL;DR: In this article, the authors define a method by which a device or application may communicate information relating to current threat handling to other devices/applications that may reside locally or at the service provider.
Abstract: This document defines a method by which a device or application may signal information relating to current threat handling to other devices/applications that may reside locally or at the service provider. The initial focus is DDoS mitigation; however, the method may be extended to communicate any threat type. This will allow for a vendor or provider agnostic approach to threat mitigation utilising multiple layers of protection as the operator sees fit. The dissemination of threat information will occur utilising a JSON RPC API over HTTPS communications between devices/applications and will be augmented by IPFIX and UDP or SCTP for signaling telemetry information relating to attacks and protected object data. An open standards based approach to communication between on-premise DDoS mitigation devices and service provider based DDoS protection services allows enterprises to have a wider range of options to better secure their environments without the limitations of vendor lock-in.

Book ChapterDOI
01 Jan 2015
TL;DR: A new mechanism is proposed that is implemented on a router to identify the attack by monitoring the traffic flow, for which the router uses a routing table with newly proposed attributes, i.e., timer, MAC address, and packet count.
Abstract: Security is one of the critical attributes of any communication network. Various attacks have been reported over the last years, but denial of service in particular affects the entire network in a drastic way. Many mechanisms have been developed, but they are lagging in aspects like identifying IP spoofing (by session hijacking) and the attack source. Existing mechanisms identify the attack only after its effect is being experienced by the victim. So we propose a new mechanism that is implemented on a router to identify the attack by monitoring the traffic flow, for which the router uses a routing table with newly proposed attributes, i.e., timer, MAC address, and packet count. By using the MAC address, there is a possibility of finding the actual attacker.

05 Feb 2015
TL;DR: This draft defines a new redirect-to-IP flow-spec action that provides a simpler method of policy-based forwarding and the details of the action, including the IPv4 or IPv6 target address, are encoded in newly defined BGP extended communities.
Abstract: Flow-spec is an extension to BGP that allows for the dissemination of traffic flow specification rules. This has many possible applications but the primary one for many network operators is the distribution of traffic filtering actions for DDoS mitigation. The flow-spec standard [RFC 5575] defines a redirect-to-VRF action for policy-based forwarding but this mechanism can be difficult to use, particularly in networks without L3 VPN infrastructure. This draft defines a new redirect-to-IP flow-spec action that provides a simpler method of policy-based forwarding. The details of the action, including the IPv4 or IPv6 target address, are encoded in newly defined BGP extended communities.
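To make the mechanism concrete, the added example below encodes a flow-spec NLRI (RFC 5575 component encoding: a destination prefix and a destination-port match) and the redirect-to-IP extended community that carries the action's target address. This is not code from the draft or from any router implementation. The RFC 5575 NLRI layout is as specified there; the extended community sub-type values (0x0C for IPv4, 0x0D for IPv6), the transitive type bytes and the placement of the copy ("C") bit in the low bit of the Local Administrator field are taken from the draft and IANA registry as this editor remembers them and should be checked against the current draft text before use.

```python
import ipaddress
import struct

# RFC 5575 flow-spec component types used here.
DEST_PREFIX = 1
DEST_PORT = 5
# RFC 5575 numeric operator byte: e a len len 0 lt gt eq
OP_END = 0x80          # e bit: last {op, value} pair in the list
OP_EQ = 0x01
LEN_BITS = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}

# Assumed values (verify against draft-ietf-idr-flowspec-redirect-ip / IANA).
EXT_TYPE_IPV4_TRANSITIVE = 0x01   # IPv4-address-specific, transitive
SUBTYPE_REDIRECT_IPV4 = 0x0C      # "Flow-spec Redirect to IPv4"
EXT_TYPE_IPV6_TRANSITIVE = 0x00   # IPv6-address-specific (RFC 5701), transitive
SUBTYPE_REDIRECT_IPV6 = 0x0D      # "Flow-spec Redirect to IPv6"
COPY_BIT = 0x0001                 # C bit in Local Administrator: redirect a copy


def encode_prefix_component(ctype, prefix):
    """<type><prefix-len><minimum bytes of the prefix> (RFC 5575 types 1 and 2)."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric_component(ctype, values):
    """Encode a list of values as an OR'ed list of '== value' matches."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        width = 1 if v < 256 else 2
        op = OP_EQ | LEN_BITS[width]
        if i == len(values) - 1:
            op |= OP_END
        out += bytes([op]) + v.to_bytes(width, "big")
    return out


def encode_flowspec_nlri(components):
    """Prefix the concatenated components with the RFC 5575 length field."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def encode_redirect_to_ip(target, copy=False):
    """Build the redirect-to-IP extended community for an IPv4 or IPv6 target."""
    addr = ipaddress.ip_address(target)
    local_admin = COPY_BIT if copy else 0
    if addr.version == 4:
        head = bytes([EXT_TYPE_IPV4_TRANSITIVE, SUBTYPE_REDIRECT_IPV4])
    else:
        head = bytes([EXT_TYPE_IPV6_TRANSITIVE, SUBTYPE_REDIRECT_IPV6])
    return head + addr.packed + struct.pack(">H", local_admin)


def decode_redirect_to_ip(blob):
    """Inverse of encode_redirect_to_ip; returns (target, copy_flag)."""
    t, st = blob[0], blob[1]
    if (t, st) == (EXT_TYPE_IPV4_TRANSITIVE, SUBTYPE_REDIRECT_IPV4) and len(blob) == 8:
        addr, (la,) = ipaddress.IPv4Address(blob[2:6]), struct.unpack(">H", blob[6:8])
    elif (t, st) == (EXT_TYPE_IPV6_TRANSITIVE, SUBTYPE_REDIRECT_IPV6) and len(blob) == 20:
        addr, (la,) = ipaddress.IPv6Address(blob[2:18]), struct.unpack(">H", blob[18:20])
    else:
        raise ValueError("not a redirect-to-IP extended community")
    return str(addr), bool(la & COPY_BIT)


if __name__ == "__main__":
    # Rule: traffic to 203.0.113.0/24 port 80 -> redirect to scrubbing next hop 192.0.2.1
    nlri = encode_flowspec_nlri([
        encode_prefix_component(DEST_PREFIX, "203.0.113.0/24"),
        encode_numeric_component(DEST_PORT, [80]),
    ])
    print("NLRI:", nlri.hex())
    print("action:", encode_redirect_to_ip("192.0.2.1", copy=True).hex())
```

The action is only as trustworthy as the peer that advertises it: a redirect rule lets whoever injects it divert traffic to any address they name. Apply the RFC 5575 validation rule (accept a flow-spec route only when its originator also originates the best unicast route to the embedded destination prefix) and restrict the redirect action to sessions from your own mitigation controller.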

11 Jun 2015
TL;DR: This thesis provides a puzzle based DDoS defense framework that addresses several shortcomings of existing cryptographic puzzle techniques and introduces a novel queue management algorithm, called Stochastic Fair Drop Queue, to further strengthen the DDoS protection provided by the puzzle framework.
Abstract: Cryptographic puzzles are promising techniques for mitigating DDoS attacks via decreasing the incoming rate of service eligible requests. However, existing cryptographic puzzle techniques have several shortcomings that make them less appealing as a tool of choice for DDoS defense. These shortcomings include: (1) the lack of accurate models for dynamically determining puzzle hardness; (2) the lack of an efficient and effective counter mechanism for puzzle solution replay attacks; and (3) the wastefulness of the puzzle computations in terms of the clients' computational resources. In this thesis, we provide a puzzle based DDoS defense framework that addresses these shortcomings. Our puzzle framework includes three novel puzzle mechanisms. The first mechanism, called Puzzle+, provides a mathematical model of per-request puzzle hardness. Through extensive experimental study, we show that this model optimizes the effectiveness of puzzle based DDoS mitigation while enabling tight control over the server utilization. In addition, Puzzle+ disables puzzle solution replay attacks by utilizing a novel cache algorithm to detect replays. The second puzzle mechanism, called Productive Puzzles, alleviates the wastefulness of computational puzzles by transforming the puzzle computations into computations of meaningful tasks that provide utility. Our third puzzle mechanism, called Guided Tour Puzzles, eliminates the wasteful puzzle computations all together, and adopts a novel delay-based puzzle construction idea. In addition, it is not affected by the disparity in the computational resources of the client machines that perform the puzzle computations. Through measurement analysis on real network testbeds as well as extensive simulation study, we show that both Productive Puzzles and Guided Tour Puzzles achieve effective mitigation of DDoS attacks while satisfying no wasteful computation requirement. 
Lastly, we introduce a novel queue management algorithm, called Stochastic Fair Drop Queue (SFDQ), to further strengthen the DDoS protection provided by the puzzle framework. SFDQ is not only effective against DDoS attacks at multiple layers of the protocol stack, it is also simple to configure and deploy. SFDQ is implemented over a novel data structure, called Indexed Linked List, to provide enqueue, dequeue, and remove operations with O(1) time complexity.
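The two puzzle-based entries on this page, the patent's bot-detection problem whose difficulty rises with a client's request rate and this thesis's per-request hardness with a replay-detecting cache, share one mechanism. The block below is an added example of that mechanism and is not code from either work: a hash-preimage puzzle whose required leading-zero bits step up a difficulty ladder as a client's request rate crosses thresholds, with each issued puzzle HMAC-bound to the client and an expiry so clients cannot lower the bits themselves, and a redeemed-nonce cache that rejects replayed solutions. The ladder thresholds, bit counts, window, TTL and server key are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Assumed per-server secret (constructed for this demo) that authenticates issued puzzles.
SERVER_KEY = b"constructed-demo-key"
# Assumed difficulty ladder: (requests seen in the window, leading zero bits required).
DIFFICULTY_LADDER = [(0, 8), (5, 12), (20, 16)]
PUZZLE_TTL_S = 60


def leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def _tag(client, nonce, bits, expiry):
    """Bind nonce, hardness and expiry to the client so none can be altered."""
    msg = client.encode() + nonce + bytes([bits]) + expiry.to_bytes(8, "big")
    return hmac.new(SERVER_KEY, msg, "sha256").digest()[:16]


class PuzzleServer:
    def __init__(self, window_s=10.0, clock=time.monotonic):
        self.window_s = window_s
        self.clock = clock           # injectable for testing
        self.requests = {}           # client id -> timestamps of recent requests
        self.redeemed = set()        # nonces already accepted (replay cache)

    def difficulty_for(self, client, now):
        """Pick the hardness from the client's request count in the sliding window."""
        recent = [t for t in self.requests.get(client, []) if now - t < self.window_s]
        self.requests[client] = recent
        bits = DIFFICULTY_LADDER[0][1]
        for threshold, b in DIFFICULTY_LADDER:
            if len(recent) >= threshold:
                bits = b
        return bits

    def issue(self, client):
        """Hand the client a puzzle whose hardness reflects its recent request rate."""
        now = self.clock()
        bits = self.difficulty_for(client, now)
        self.requests[client].append(now)
        nonce = os.urandom(16)
        expiry = int(now) + PUZZLE_TTL_S
        return {"nonce": nonce, "bits": bits, "expiry": expiry,
                "tag": _tag(client, nonce, bits, expiry)}

    def verify(self, client, puzzle, solution):
        """Accept a solution once: authentic, unexpired, not replayed, hard enough."""
        expected = _tag(client, puzzle["nonce"], puzzle["bits"], puzzle["expiry"])
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False                      # bits/expiry/nonce were tampered with
        if self.clock() > puzzle["expiry"]:
            return False                      # stale puzzle
        if puzzle["nonce"] in self.redeemed:
            return False                      # replayed solution
        digest = hashlib.sha256(puzzle["nonce"] + solution).digest()
        if leading_zero_bits(digest) < puzzle["bits"]:
            return False                      # insufficient work
        self.redeemed.add(puzzle["nonce"])
        return True


def solve(puzzle):
    """Client side: brute-force a suffix until the hash has enough leading zero bits."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        digest = hashlib.sha256(puzzle["nonce"] + candidate).digest()
        if leading_zero_bits(digest) >= puzzle["bits"]:
            return candidate
        counter += 1


if __name__ == "__main__":
    server = PuzzleServer()
    for i in range(7):
        p = server.issue("client-a")
        print(f"request {i + 1}: {p['bits']} bits, accepted={server.verify('client-a', p, solve(p))}")
```

Two points the code makes visible: the replay cache only needs to hold nonces until their expiry (prune `redeemed` on that basis so it stays bounded), and because verification is one hash while solving is on average 2^bits hashes, the cost asymmetry grows exponentially with each ladder step, which is what lets a small server rate-limit a much larger client.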

01 Jan 2015
TL;DR: This work designs an algorithm based on a threshold vector to detect DDOS for the cloud and adds protection against DDOS by designing an image-text fusion Turing test, which improves the security of the system.
Abstract: Cloud computing has been an interesting topic in recent times. It provides and offers various services to end users or clients. Cloud provides storage services whose data is stored in its data center, but users always feel insecure about their virtualized storage data. So security is always an issue, especially security risks like the Distributed Denial of Service (DDOS) attack. Many cloud providers like Amazon and Dropbox provide services based on the HTTP protocol. So here we propose an efficient DDOS mitigation system for the cloud environment. Here we design an algorithm which is based on a threshold vector to detect DDOS for the cloud. We tested our approach on different HTTP data sets and found that our system improves the detection accuracy of DDOS in the Cloud. We also provide security against DDOS by designing an image-text fusion Turing test which improves the security of our system. We designed and implemented our system and also evaluated the performance, which shows that our system works efficiently to mitigate DDOS traffic from the Internet.