
Showing papers on "DDoS mitigation published in 2016"


Journal ArticleDOI
TL;DR: This paper reviews 96 publications on DDoS attack and defense approaches in cloud computing published between January 2009 and December 2015, and discusses existing research trends.

253 citations


Journal ArticleDOI
TL;DR: Experimental results show that the proposed trigger of attack detection mechanism can initiate the attack detection in less than one second, accurately trace the attack source, and release the occupied resources of switches.

144 citations


Book ChapterDOI
31 Mar 2016
TL;DR: DDoS attacks remain a serious threat not only to the edge of the Internet but also to the core peering links at Internet Exchange Points (IXPs).
Abstract: DDoS attacks remain a serious threat not only to the edge of the Internet but also to the core peering links at Internet Exchange Points (IXPs). Currently, the main mitigation technique is to blackhole traffic to a specific IP prefix at upstream providers. Blackholing is an operational technique that allows a peer to announce a prefix via BGP to another peer, which then discards traffic destined for this prefix. However, as far as we know there is only anecdotal evidence of the success of blackholing.

52 citations


Proceedings ArticleDOI
24 Oct 2016
TL;DR: MiddlePolice is introduced, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destination-based control of network capability systems, and shows that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.
Abstract: Volumetric attacks, which overwhelm the bandwidth of a destination, are amongst the most common DDoS attacks today. One practical approach to addressing these attacks is to redirect all destination traffic (e.g., via DNS or BGP) to a third-party, DDoS-protection-as-a-service provider (e.g., CloudFlare) that is well provisioned and equipped with filtering mechanisms to remove attack traffic before passing the remaining benign traffic to the destination. An alternative approach is based on the concept of network capabilities, whereby source sending rates are determined by receiver consent, in the form of capabilities enforced by the network. While both third-party scrubbing services and network capabilities can be effective at reducing unwanted traffic at an overwhelmed destination, DDoS-protection-as-a-service solutions outsource all of the scheduling decisions (e.g., fairness, priority and attack identification) to the provider, while capability-based solutions require extensive modifications to existing infrastructure to operate. In this paper we introduce MiddlePolice, which seeks to marry the deployability of DDoS-protection-as-a-service solutions with the destination-based control of network capability systems. We show that by allowing feedback from the destination to the provider, MiddlePolice can effectively enforce destination-chosen policies, while requiring no deployment from unrelated parties.

42 citations


Posted Content
TL;DR: In this article, an abstract model for the aforementioned class of attacks is introduced, where the botnet emulates normal traffic by continually learning admissible patterns from the environment, together with an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time progresses) estimate of the botnet possibly hidden in the network.
Abstract: Distributed Denial-of-Service (DDoS) attacks are usually launched through the botnet, an "army" of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this work, we offer basically three contributions: i) we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; ii) we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time progresses) estimate of the botnet possibly hidden in the network; and iii) we verify the validity of the proposed inferential strategy over real network traces.

28 citations


Proceedings ArticleDOI
01 Feb 2016
TL;DR: This paper presents an extensive survey of recent DDoS mitigation techniques along with their comparative analysis and proposes a number of techniques to counter them.
Abstract: Customers' trust is the most important factor for an organization's success. This trust only builds if customers receive unhindered services from their vendors. A major threat to successfully building a customer-vendor trust relationship exists in the form of Distributed Denial of Service attacks. These attacks have become more evasive and complex with time, such that existing security mechanisms are not sufficient to counter them. Many techniques have already been proposed by various researchers to counter these attacks, each with its own application domain, advantages and disadvantages. In this paper we present an extensive survey of recent DDoS mitigation techniques along with their comparative analysis.

10 citations


Book ChapterDOI
20 Jun 2016
TL;DR: This PhD research aims at investigating how IP anycast can be optimized both statically and dynamically to support the mitigation of DDoS attacks.
Abstract: IP anycast is widely being used to distribute essential Internet services, such as DNS, across the globe. One of the main reasons for doing so is to increase the redundancy of the service and reduce the impacts of the growing threat of DDoS attacks. IP anycast can be further used to mitigate DDoS attacks by confining the attack traffic to certain areas. This might cause the targeted service to become unavailable only to a fraction of its users. In this PhD research we aim at investigating how IP anycast can be optimized both statically and dynamically to support the mitigation of DDoS attacks.

9 citations


Patent
William A. Kish, Sergey Katsev
24 Jun 2016
TL;DR: In this article, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network.
Abstract: Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.

9 citations


Journal ArticleDOI
TL;DR: This work focuses on analyzing several DDoS mitigation schemes and suggesting the approach best suited to the cloud environment for detection and for maintaining better detection accuracy.
Abstract: Distributed Denial of Service (DDoS) attacks have become a serious hazard for cloud computing environments, as they target the victim and completely prevent the datacenter from serving its legitimate clients. This work focuses on analyzing several existing works and suggesting the approach best suited to the cloud environment for detection and for maintaining better detection accuracy. We have also made a historical comparison of research works on DDoS mitigation schemes with respect to the cloud computing environment. The comparison is also made on five existing research works, and a summary of them is provided which evaluates the detection accuracy of each work.

8 citations


Proceedings ArticleDOI
01 Oct 2016
TL;DR: The testbed is based on a P2P grid (the authors' Grid environment) and helps run DDoS attacks on existing nodes of the P2P grid, using spreading, control, and attack techniques for testing of a real network system.
Abstract: Distributed Denial of Service (DDoS) attacks and defence against them pose a great challenge in network security. Studying DDoS mitigation strategies, understanding the secure state of a network, and testing defense appliances are the main purposes of our testbed. The testbed is based on a P2P grid (the OurGrid environment) and helps run DDoS attacks on existing nodes of the P2P grid, using spreading, control, and attack techniques for testing of a real network system. We employ the P2P grid environment to carry out as well as to coordinate a DDoS attack on the availability of services, to simulate a real DDoS attack launched indirectly through many compromised computing systems. The paper gives the background, design and experimental practice of the testbed.

5 citations


Proceedings ArticleDOI
01 Oct 2016
TL;DR: Commercial DDoS mitigation services use a combination of specialized hardware and rule-based software to flag suspected traffic and alert the operators for further attention.
Abstract: Distributed Denial of Service (DDoS) attacks have been on the rise [1]. With the use of botnets, an attacker can bring down vital applications and services available on the Internet [2], [3]. Several commercial DDoS mitigation services are available, including those by Verisign [4], GigeNET [5], BlockDOS [6], Black Lotus [7], and Arbor Networks [8], among others. A majority of these commercial services use a combination of specialized hardware and rule-based software to flag suspected traffic and alert the operators for further attention.

Patent
William A. Kish, Sergey Katsev
24 Jun 2016
TL;DR: In this article, the authors present a system and methods for improving the performance of DDoS mitigation by monitoring the health of a protected network resource, where packet filtering or conditional forwarding can be enabled when the computed measure of volume of traffic exceeds a predetermined traffic volume threshold.
Abstract: Systems and methods for improving the performance of DDoS mitigation by monitoring the health of a protected network resource are provided. According to one embodiment, health of a network device protected by DoS mitigation device can be evaluated and packet/traffic received on the DoS mitigation device can be selectively/conditionally forwarded to the protected network device or can be dropped based on the health of the protected network device. According to one embodiment, at-least a part of the traffic is blocked when the health of the protected network device is below a predetermined health threshold. In an exemplary implementation, a measure of volume of traffic originated by different computing devices and handled by the protected network device can be computed, and packet filtering or conditional forwarding can be enabled when the computed measure of volume of traffic exceeds a predetermined traffic volume threshold.

Patent
Brian St. Pierre
30 Aug 2016
TL;DR: In this article, a system for mitigating network attacks includes a protected network including a plurality of devices and a counter configured to count the number of packets dropped by a corresponding analysis section.
Abstract: A system for mitigating network attacks includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network. The mitigation devices are configured to receive network data packets from external devices attempting to access protected devices in the protected network. The attack mitigation devices are further configured to periodically analyze the effectiveness of each of a plurality of packet analysis sections. Each of the plurality of packet analysis sections includes a plurality of packet analysis instructions and is associated with a counter configured to count the number of packets dropped by the corresponding analysis section. The attack mitigation devices are further configured to disable one or more of the plurality of packet analysis sections responsive to the performed analysis and to analyze the received network data packets by utilizing only the enabled one or more of the plurality of packet analysis sections.

Proceedings ArticleDOI
01 Sep 2016
TL;DR: Performance measurements carried out on 10 Gbit networks show that the design and implementation of a multi-10 Gbit extensible network traffic analysis and policing system can effectively provide both traffic visibility and enforcement of a wide range of network traffic policies.
Abstract: Current practices in network security deployment require multiple specialised devices such as firewalls, traffic shapers, sensors or Intrusion Detection Systems (IDSs) to handle malicious traffic. This practice not only increases the overall operational costs but also makes network administration complicated. The high cost of Distributed Denial of Service (DDoS) mitigation devices favours centralised services and network architectures, as there is no cost-effective model to deploy them at the "true edge" of the network. This paper describes the design and implementation of a multi-10 Gbit extensible network traffic analysis and policing system. It is composed of logical detection and enforcement functions built from reusable underlying primitives. As an example of such a modular approach, we present an innovative DDoS scrubbing system composed of various attack detection primitives, combined with enforcement primitives that include traffic filtering, rate limiting, and proxying. Based on commodity hardware and open source software, such a system is price, space, and power efficient enough to be practically deployable at the edge of the network. Performance measurements carried out on 10 Gbit networks show that it can effectively provide both traffic visibility and enforcement of a wide range of network traffic policies.

Book ChapterDOI
01 Jan 2016
TL;DR: This approach utilizes a real time hybrid cloud test bed environment implemented with both intrusion detection system (IDS) and intrusion prevention system (IPS) components for result analysis and is utilized to mitigate signature based attacks at layers 3, 4 and 7 of TCP/IP network model.
Abstract: Uninterrupted services are the most important factor for building customers' trust towards a particular service provider, and Distributed Denial of Service attacks are major threats towards disrupting the customer base of these service providers. The increasing sophistication of these attacks makes them stealthier at evading existing perimeter security mechanisms. Hence, there is a need to design a dedicated mechanism to counter these attacks. In this paper we present a real-time mitigation approach for DDoS attacks in a hybrid cloud. This approach utilizes a real-time hybrid cloud test bed environment implemented with both intrusion detection system (IDS) and intrusion prevention system (IPS) components for result analysis, and is utilized to mitigate signature-based attacks at layers 3, 4 and 7 of the TCP/IP network model. To implement this approach, various stages to mitigate these attacks are considered. The results obtained have 100% detection accuracy in all the scenarios considered.

Proceedings ArticleDOI
01 Sep 2016
TL;DR: This paper proposes a reconfigurable heterogeneous multicore architecture to integrate multiple DDoS defense mechanisms for DDoS protection and implements the first prototype system with Hop-count filtering and Ingress/Egress filtering techniques using a Xilinx Virtex-5 XC5VTX240T FPGA device.
Abstract: This paper proposes a reconfigurable heterogeneous multicore architecture to integrate multiple DDoS defense mechanisms for DDoS protection. The architecture allows multiple cooperating DDoS mitigation techniques to classify incoming network packets. The proposed architecture consists of two separated partitions: static and dynamic. The static partition includes packet pre-processing and post-processing modules, while the DDoS filtering techniques are implemented on the dynamic partition. These filtering techniques can be implemented by either hardware custom computing cores or general purpose soft processors, or both. In all cases, these DDoS filtering computing cores can be updated or changed at runtime or design time. We implement our first prototype system with Hop-count filtering and Ingress/Egress filtering techniques using a Xilinx Virtex-5 XC5VTX240T FPGA device. The synthesis results show that the system can work at up to 116.782 MHz while utilizing about 41% of LUTs, 47% of Registers, and 53% of Block Memory of the available hardware resources. The system achieves a detection rate of 100% with a false negative rate of 0% and a false positive rate close to 0.74%. The prototype system achieves packet decoding throughput of 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.

Book ChapterDOI
02 Nov 2016
TL;DR: A DDoS mitigation mechanism dispatching suspicious and legitimate traffic into separate MultiProtocol Label Switching (MPLS) tunnels, well upstream from the target, to limit the impact a voluminous attack could otherwise have on the legitimate traffic through saturation of network resources.
Abstract: We present a DDoS mitigation mechanism dispatching suspicious and legitimate traffic into separate MultiProtocol Label Switching (MPLS) tunnels, well upstream from the target. The objective is to limit the impact a voluminous attack could otherwise have on the legitimate traffic through saturation of network resources. The separation of traffic is based on a signature identifying suspicious flows, carried in an MPLS label, and then used by a load-balancing mechanism in a router. The legitimate traffic is preserved at the expense of suspicious flows, whose resource allocations are throttled as needed to avoid congestion.

Dissertation
26 Jan 2016
TL;DR: This thesis is focused on combining evidence from the existing architectures (used for protecting against and tracing DDoS attacks) as well as filtering malicious requests using DDoS mitigation systems and Fuzzy Logic.
Abstract: Cloud Computing is at the forefront of Information Technology and has revolutionized computing in many ways. As numerous enterprises move into the cloud, the chances of being targeted by attacks, especially Application Layer Distributed Denial of Service (DDoS) attacks, will increase dramatically. Such attacks are capable of exhausting a victim's resources (such as servers, network, storage and applications), denying access and overloading with bogus requests, resulting in significant economic loss. Unlike the traditional DDoS attacks which occur at the network layer, these attacks occur at the application layer, where detection is comparatively difficult, since the attacker already has a valid connection to the victim server. Fuzzy logic is a precise algorithm for imprecise systems that plays an important role in the decision-making process for incoming HTTP requests, deciding whether a request is malicious or genuine. Hence, a Fuzzy Logic based Application Layer Mitigation is necessary to handle such threats, maintaining cloud based services and ensuring availability of enterprise systems. This thesis is therefore focused on combining evidence from the existing architectures (used for protecting against and tracing DDoS attacks) as well as filtering malicious requests using DDoS mitigation systems and Fuzzy Logic.