Showing papers on "DDoS mitigation published in 2017"


Journal ArticleDOI
TL;DR: An in-depth survey and discussion of existing SDN-based DDoS attack detection and mitigation mechanisms, and they are classified with respect to the detection techniques and how this framework can be utilized to secure applications built for smart cities.
Abstract: Distributed denial-of-service (DDoS) attacks have become a weapon of choice for hackers, cyber extortionists, and cyber terrorists. These attacks can swiftly incapacitate a victim, causing huge revenue losses. Despite the large number of traditional mitigation solutions that exist today, DDoS attacks continue to grow in frequency, volume, and severity. This calls for a new network paradigm to address the requirements of today’s challenging security threats. Software-defined networking (SDN) is an emerging network paradigm which has gained significant traction among many researchers to address the requirements of today’s data centers. Inspired by the capabilities of SDN, we present a comprehensive survey of existing SDN-based DDoS attack detection and mitigation solutions. We classify solutions based on DDoS attack detection techniques and identify requirements of an effective solution. Based on our findings, we propose a novel framework for detection and mitigation of DDoS attacks in a large-scale network which comprises a smart city built on SDN infrastructure. Our proposed framework is capable of meeting application-specific DDoS attack detection and mitigation requirements. The primary contribution of this paper is twofold. First, we provide an in-depth survey and discussion of SDN-based DDoS attack detection and mitigation mechanisms, and we classify them with respect to the detection techniques. Second, leveraging the characteristics of SDN for network security, we propose and present an SDN-based proactive DDoS Defense Framework (ProDefense). We show how this framework can be utilized to secure applications built for smart cities. Moreover, the paper highlights open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation.

247 citations


Journal ArticleDOI
TL;DR: This work makes a novel attempt to identify the need of DDoS mitigation solutions involving multi-level information flow and effective resource management during the attack, and concludes that there is a strong requirement of solutions, which are designed keeping utility computing models in mind.

191 citations


Book ChapterDOI
10 Jul 2017
TL;DR: The design of a novel architecture is proposed by combining these technologies introducing new opportunities for flexible and efficient DDoS mitigation solutions across multiple domains, without the need to build specialized registries or other distribution mechanisms.
Abstract: The rapid growth in the number of insecure portable and stationary devices and the exponential increase of traffic volume make Distributed Denial-of-Service (DDoS) attacks a top security threat to service provisioning. Existing defense mechanisms lack the resources and flexibility to cope with attacks by themselves, and by utilizing other companies’ resources, the burden of the mitigation can be shared. Emerging technologies such as blockchain and smart contracts allow for the sharing of attack information in a fully distributed and automated fashion. In this paper, the design of a novel architecture is proposed by combining these technologies, introducing new opportunities for flexible and efficient DDoS mitigation solutions across multiple domains. The main advantages are the deployment of an already existing public and distributed infrastructure to advertise whitelisted or blacklisted IP addresses, and the usage of such infrastructure as an additional security mechanism to existing DDoS defense systems, without the need to build specialized registries or other distribution mechanisms, which enables the enforcement of rules across multiple domains.

136 citations


Proceedings ArticleDOI
21 Nov 2017
TL;DR: This paper proposes a secure system that periodically collects network statistics from the forwarding elements and applies Machine Learning (ML) classification algorithms to make the SDN architecture more self-adaptive, and intelligent while reacting to network changes.
Abstract: Software-Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the decoupling of the network logic from the forwarding functions. The ease of programmability makes SDN a great platform for the implementation of various initiatives that involve application deployment, security solutions, and decentralized network management in a multi-tenant data center environment. Although this can introduce many applications in different areas and leads to a high impact on several aspects, the security of the SDN architecture remains an open question and needs to be revisited based on the new concept of SDN. Current SDN-based attack detection mechanisms have some limitations. In this paper, we investigate two of those limitations: the Misbehavior Attack and the NewFlow Attack. We propose a secure system that periodically collects network statistics from the forwarding elements and applies Machine Learning (ML) classification algorithms. Our framework ensures that the proposed solution makes the SDN architecture more self-adaptive and intelligent while reacting to network changes.

59 citations


Journal ArticleDOI
TL;DR: An autonomic DoS/DDoS defensive approach for SDNs called Game Theory-Holt-Winters for Digital Signature (HWDS) is presented, which unites the anomaly detection and identification provided by an HWDS system with an autonomous decision-making model based on GT.
Abstract: The ever-expanding usage of cloud computing environments, connected applications and Internet of Things-based devices has progressively increased the amount of data that travels through our networks. Software-defined networking (SDN) is an emergent paradigm that aims to support next-generation networks through its flexible and powerful management mechanisms. One of the biggest threats faced by these services nowadays is security management. Attacks based on denial of service (DoS) are particularly efficient against this paradigm due to its centralized control characteristic. Once this controlling system receives a massive amount of malicious requests, the overall performance of the network operation is impaired. Although several studies propose to address this problem, most of them are reactive approaches, detecting the attacks and warning the network administrators, i.e., after the network is already compromised. This paper presents an autonomic DoS/DDoS defensive approach for SDNs called Game Theory (GT)-Holt-Winters for Digital Signature (HWDS), which unites the anomaly detection and identification provided by an HWDS system with an autonomous decision-making model based on GT. Real collected data and simulated attacks are used by the system to measure its effectiveness and efficiency. Furthermore, we also use a heuristic Fuzzy-GADS method for anomaly detection instead of HWDS, aiming to compare the achieved performance and evaluate the behavior of the presented game-theoretical approaches as a standalone mitigation module.

58 citations


Journal ArticleDOI
TL;DR: An autonomic DDoS defense framework that leverages the programmability and centralized manageability features of Software Defined Networking (SDN) paradigm, called ArOMA, that can systematically bridge the gaps between different security functions, and can effectively maintain the performance of video streams at a satisfactory level.

56 citations


Proceedings ArticleDOI
01 Nov 2017
TL;DR: This paper develops and evaluates a methodology to automatically detect BGP blackholing activity in the wild, and assesses the effect of black holing on the data plane using both targeted active measurements as well as passive datasets, finding thatblackholing is indeed highly effective in dropping traffic before it reaches its destination, though it also discards legitimate traffic.
Abstract: The Border Gateway Protocol (BGP) has been used for decades as the de facto protocol to exchange reachability information among networks in the Internet. However, little is known about how this protocol is used to restrict reachability to selected destinations, e.g., that are under attack. While such a feature, BGP blackholing, has been available for some time, we lack a systematic study of its Internet-wide adoption, practices, and network efficacy, as well as the profile of blackholed destinations. In this paper, we develop and evaluate a methodology to automatically detect BGP blackholing activity in the wild. We apply our method to both public and private BGP datasets. We find that hundreds of networks, including large transit providers, as well as about 50 Internet exchange points (IXPs) offer blackholing service to their customers, peers, and members. Between 2014--2017, the number of blackholed prefixes increased by a factor of 6, peaking at 5K concurrently blackholed prefixes by up to 400 Autonomous Systems. We assess the effect of blackholing on the data plane using both targeted active measurements as well as passive datasets, finding that blackholing is indeed highly effective in dropping traffic before it reaches its destination, though it also discards legitimate traffic. We augment our findings with an analysis of the target IP addresses of blackholing. Our tools and insights are relevant for operators considering offering or using BGP blackholing services as well as for researchers studying DDoS mitigation in the Internet.

54 citations
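The listing gives the detection methodology only in outline. The following is an added example, not the paper's code, of the first thing an operator would build to flag blackholing in a feed of BGP updates: an announcement is tagged when it carries the RFC 7999 well-known BLACKHOLE community (65535:666) or one of a table of provider-specific blackhole communities (the two entries in PROVIDER_BLACKHOLE are hypothetical), and replaying announcements and withdrawals in time order yields the number of concurrently blackholed prefixes. The update records are constructed for the example and use documentation prefixes.

```python
"""Flag BGP blackholing in a stream of BGP updates (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# RFC 7999 well-known BLACKHOLE community, encoded as (ASN, value).
RFC7999_BLACKHOLE = (65535, 666)

# Provider-specific blackhole communities. Both entries are hypothetical; a real
# table is assembled from each provider's or IXP's published community policy.
PROVIDER_BLACKHOLE = {
    (64500, 666),   # hypothetical transit provider, AS64500
    (64511, 9999),  # hypothetical IXP route server, AS64511
}


@dataclass(frozen=True)
class BgpUpdate:
    ts: int                                          # arrival time (seconds)
    kind: str                                        # "A" = announcement, "W" = withdrawal
    prefix: str                                      # e.g. "203.0.113.7/32"
    communities: Tuple[Tuple[int, int], ...] = ()    # (ASN, value) pairs on the route


def is_host_route(prefix: str) -> bool:
    """True for a /32 (IPv4) or /128 (IPv6) prefix, the usual shape of a blackholed destination."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen == net.max_prefixlen


def blackhole_reasons(update: BgpUpdate, provider_communities=PROVIDER_BLACKHOLE):
    """Return the evidence that this announcement is a blackhole request (empty list if none)."""
    reasons = []
    comms = set(update.communities)
    if RFC7999_BLACKHOLE in comms:
        reasons.append("rfc7999")
    if comms & provider_communities:
        reasons.append("provider-community")
    # The community is the signal; the host-route tag only records the typical shape,
    # so that wider blackholes (which discard more legitimate traffic) stand out.
    if reasons and is_host_route(update.prefix):
        reasons.append("host-route")
    return reasons


def is_blackholing(update: BgpUpdate, provider_communities=PROVIDER_BLACKHOLE) -> bool:
    return update.kind == "A" and bool(blackhole_reasons(update, provider_communities))


def concurrent_blackholes(updates, provider_communities=PROVIDER_BLACKHOLE):
    """Replay updates in time order; return (peak, [(ts, active_count), ...]).

    A withdrawal, or a re-announcement without a blackhole community, ends the blackhole.
    """
    active = set()
    timeline = []
    peak = 0
    for u in sorted(updates, key=lambda x: x.ts):
        if u.kind == "W":
            active.discard(u.prefix)
        elif is_blackholing(u, provider_communities):
            active.add(u.prefix)
        else:
            active.discard(u.prefix)
        peak = max(peak, len(active))
        timeline.append((u.ts, len(active)))
    return peak, timeline


# Constructed sample feed (documentation prefixes, not real routes).
SAMPLE_UPDATES = [
    BgpUpdate(1, "A", "203.0.113.7/32", ((65535, 666),)),     # RFC 7999 blackhole
    BgpUpdate(2, "A", "198.51.100.0/24", ((64500, 100),)),    # ordinary announcement
    BgpUpdate(3, "A", "203.0.113.9/32", ((64500, 666),)),     # provider-specific blackhole
    BgpUpdate(4, "A", "192.0.2.0/24", ((65535, 666),)),       # blackhole of a whole /24
    BgpUpdate(5, "W", "203.0.113.7/32"),                      # attack over, prefix withdrawn
    BgpUpdate(6, "A", "203.0.113.9/32", ((64500, 100),)),     # re-announced without blackhole tag
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(u.ts, u.kind, u.prefix, blackhole_reasons(u))
    peak, timeline = concurrent_blackholes(SAMPLE_UPDATES)
    print("peak concurrently blackholed prefixes:", peak, timeline)
```

The /24 at ts=4 is the case the paper's caveat is about: a blackhole that wide drops every address in the prefix, legitimate traffic included, so an operator's tooling should report prefix length alongside the count.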


Journal ArticleDOI
TL;DR: A novel DDoS attack variant "Detection Near Impossible (DeNy) DDoS" is given as an anticipated vision for future attacks and a detailed guideline on possible solutions leading to a novel collaborative solution framework based on multi-level alert flows is developed.
Abstract: Distributed Denial of Service (DDoS) attacks targeted to cloud services, show serious attack consequences like heavy downtime, economic losses and both short term and long-term business and reputation losses. We present an overview of these attacks and their variants in consonance to cloud infrastructure and explain the attack dynamics. Cloud resource management using auto-scaling algorithms is used to dig the requirements of DDoS mitigation solutions. These requirements include sustainability or budget constraints, controlled auto-scaling, minimization based optimized control of attack traffic, mitigation throughput time (MTT), service quality and availability. Towards the end, we develop and propose a detailed guideline on possible solutions leading to a novel collaborative solution framework based on multi-level alert flows. We also comment on the future attacks in the DDoS space and give a novel DDoS attack variant "Detection Near Impossible (DeNy) DDoS" as an anticipated vision for future attacks to orchestrate the upcoming solutions from the community.

36 citations


Journal ArticleDOI
TL;DR: An abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment, is introduced, and an inference algorithm is devised that is shown to provide a consistent estimate of the botnet possibly hidden in the network.
Abstract: Distributed Denial-of-Service (DDoS) attacks are usually launched through the botnet, an “army” of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this paper, we offer basically three contributions: 1) we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; 2) we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time elapses) estimate of the botnet possibly hidden in the network; and 3) we verify the validity of the proposed inferential strategy on a test-bed environment. Our tests show that, for several scenarios of implementation, the proposed botnet identification algorithm needs an observation time in the order of (or even less than) 1 min to identify correctly almost all bots, without affecting the normal users’ activity.

34 citations


Proceedings ArticleDOI
01 Apr 2017
TL;DR: This work has proposed a DDoS mitigation framework to defend DDoS attacks on an IoT network that matches with the resource constrained characteristics of IoT environment and suits to adapt to different IoT applications.
Abstract: The ubiquity of the Internet has been escalating in the recent past as the Internet of Things (IoT) came into the picture. A large number of connected things has completely redefined the perspective of the Internet. Advancements in the underlying technologies accelerated this change. On the other side, cyber-attacks also increased with all these developments. Distributed denial of service (DDoS) attacks have increased steeply with more devices to compromise and less secure targets to attack. IoT networks have been a major victim of DDoS attacks due to their resource-constrained characteristics. Defending IoT-enabled devices and networks from DDoS attacks, and from being compromised to perform DDoS attacks, is a challenging task. In this work, we have proposed a DDoS mitigation framework to defend an IoT network against DDoS attacks. The proposed framework matches the resource-constrained characteristics of the IoT environment and is suited to adapt to different IoT applications.

32 citations


Journal ArticleDOI
TL;DR: A supporting framework for the DDoS mitigation services is proposed, by assisting in reducing the attack mitigation time and the overall downtime, and comprises of an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period.
Abstract: Current trends in distributed denial of service (DDoS) attacks show variations in terms of attack motivation, planning, infrastructure, and scale. “DDoS-for-Hire” and “DDoS mitigation as a Service” are the two services which are available to attackers and victims, respectively. In this work, we provide a fundamental difference between a “regular” DDoS attack and an “extreme” DDoS attack. We conduct DDoS attacks on cloud services where, with the same attack features, two different services show completely different consequences due to the difference in resource utilization per request. We study various aspects of these attacks and find that the DDoS mitigation service’s performance depends on two factors. One factor is related to the severity of the “resource-race” with the victim web service. The second factor is the “attack cooling down period”, which is the time taken to restore service availability after detection of the attack. Utilizing these two important factors, we propose a supporting framework for DDoS mitigation services that assists in reducing the attack mitigation time and the overall downtime. This novel framework comprises an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period. We evaluate the proposed novel techniques with real attack instances and compare various attack metrics. Results show a significant improvement in the performance of the DDoS mitigation service, providing quick attack mitigation. The presence of the proposed DDoS mitigation support framework demonstrated a major reduction of more than 50% in service downtime.

Proceedings ArticleDOI
01 Jan 2017
TL;DR: This paper designs a framework that leverages NFV and edge computing for DDoS mitigation through two-stage processes that addresses privacy violation and latency.
Abstract: Distributed Denial of Service (DDoS) is a sophisticated cyber-attack due to its variety of types and techniques. The traditional mitigation method for this attack is to deploy dedicated security appliances such as firewalls, load balancers, etc. However, due to the limited capacity of the hardware and the potentially high volume of DDoS traffic, it may not be able to defend against all attacks. Therefore, cloud-based DDoS protection services were introduced to allow organizations to redirect their traffic to scrubbing centers in the cloud for filtering. This solution has some drawbacks, such as privacy violation and latency. More recently, Network Functions Virtualization (NFV) and edge computing have been proposed as new networking service models. In this paper, we design a framework that leverages NFV and edge computing for DDoS mitigation through a two-stage process.

Proceedings ArticleDOI
01 Nov 2017
TL;DR: An application example of the proposed NFV and Software-Defined Networking enabled DDoS mitigation framework is presented, and its effectiveness in mitigating DDoS attacks in the control system is shown.
Abstract: Distributed Denial of Service (DDoS) is a widely employed attacking scheme over the network that interrupts services by creating network congestion, draining server resources, or disabling normal functions of network components. An attacker launches the DDoS attack from a large number of compromised, geographically distributed devices by sending low-rate, seemingly legitimate traffic that disturbs the server’s service, or high-rate, large-volume traffic that overwhelms the victim’s processing capacity. DDoS attack mitigating approaches that apply a pre-established defending strategy, functionality or capacity, and guard at fixed locations, are costly and not effective. Network Function Virtualization (NFV) supports flexibility in on-demand function instantiation and allocation, and has recently found applications in handling DDoS attacks. This paper proposes an NFV and Software-Defined Networking (SDN) enabled DDoS mitigation framework. In the framework, network traffic is monitored and analyzed utilizing the SDN features of central control and global network view, and the detection of anomalous traffic triggers the actions of corresponding countermeasure computation, defending resource virtualization, instantiation, deployment and interconnection. The paper presents an application example of the proposed framework in protecting an industrial control system, and shows its effectiveness in mitigating DDoS attacks in the control system.

Proceedings ArticleDOI
01 Mar 2017
TL;DR: Based on the experimental results, it is shown that the SDN based collaborative scheme is capable of efficiently mitigating DDoS attacks in real time with very small computational footprints.
Abstract: In this paper we propose a collaborative distributed denial of service (DDoS) attack mitigation scheme using SDN. We design a secure controller-to-controller (C-to-C) protocol that allows SDN-controllers lying in different autonomous systems (AS) to securely communicate and transfer attack information with each other. This enables efficient notification along the path of an ongoing attack and effective filtering of traffic near the source of attack, thus saving valuable time and network resources. We developed and deployed a prototype of the proposed scheme in our lab to evaluate the performance and efficiency. Based on the experimental results we showed that our SDN based collaborative scheme is capable of efficiently mitigating DDoS attacks in real time with very small computational footprints.

Journal ArticleDOI
TL;DR: This work shows that DDoS mitigation methods may not provide the expected timely mitigation due to the heavy resource outage created by the attacks, and proposes a novel resource containment approach to enforce the victim's resource limits.

Book ChapterDOI
10 Jul 2017
TL;DR: This proposal presents the design of a novel architecture combining technologies as blockchain and smart contracts and NFV and introducing novel opportunities for flexible and efficient DDoS mitigation solutions across multiple domains.
Abstract: The exponential increase of the traffic volume makes Distributed Denial-of-Service (DDoS) attacks a top security threat to service providers. Existing DDoS defense mechanisms lack the resources and flexibility to cope with attacks by themselves, and by utilizing other companies’ resources, the burden of the mitigation can be shared. Technologies such as blockchain and smart contracts allow distributing attack information across multiple domains, while SDN (Software-Defined Networking) and NFV (Network Function Virtualization) enable scaling defense capabilities on demand for a single network domain. This proposal presents the design of a novel architecture combining these elements and introducing novel opportunities for flexible and efficient DDoS mitigation solutions across multiple domains.

Journal ArticleDOI
19 Oct 2017
TL;DR: This article designs an Openflow/SDN-based Attack Mitigation Architecture that is able to quickly mitigate DDoS attacks on the fly and demonstrates the ability to detect and filter 97% of attack flows and reach a False Positive Rate of 5% that are acceptable figures in real system management.
Abstract: Nowadays, Software-Defined Networking (SDN) has become a promising network architecture in which network devices are controlled in a separate Control Plane (i.e., the SDN controller). In a specific aspect, employing SDN in a network offers an attractive network security solution due to its flexibility in building and adding new software security rules. From another perspective, attack prediction and mitigation, especially for Distributed Denial of Service (DDoS) attacks, are still challenges in SDN environments, since an SDN control system probably works more slowly than a non-SDN one and the SDN controller can itself become a target of attacks. In this article, we first analyze a real traffic use case in order to derive DDoS indicators and thresholds. Secondly, we design an OpenFlow/SDN-based Attack Mitigation Architecture that is able to quickly mitigate DDoS attacks on the fly. The design solves existing problems of the OpenFlow protocol, reducing the traffic volume traversing the interface between the data plane (switch) and the control plane (SDN controller) and decreasing the buffer size at the OpenFlow switch. Applying our proposed Fuzzy Logic-based DDoS Mitigation algorithm, which deploys multiple criteria for DDoS detection (FDDoM), the system demonstrates the ability to detect and filter 97% of attack flows and reaches a False Positive Rate of 5%, which are acceptable figures in real system management. The results also show that the network resources required to cope with and maintain flow entries are reduced by 50% during attack time.
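The article names its DDoS indicators and its fuzzy-logic, multi-criteria algorithm (FDDoM), but the listing gives no detail of either. The following is an added illustration, not the authors' code, of the general shape of such a detector fed from periodically polled OpenFlow flow statistics: for each polling interval, three indicators (new-flow rate, share of single-packet flows, mean packets per flow) are each mapped to a [0,1] "suspicious" membership degree by a ramp function and combined into a weighted score; once the score crosses the alert threshold, the sources with the most flow entries are the candidates for a drop rule. The ramp parameters, weights and flow records are all constructed for the example; the article derived its own thresholds from real traffic.

```python
"""Multi-criteria fuzzy DDoS scoring over polled OpenFlow flow stats (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowStat:
    """Subset of one entry in an OpenFlow flow-stats reply (one flow-table entry)."""
    src: str
    sport: int
    dst: str
    packets: int
    byte_count: int


def ramp(x: float, lo: float, hi: float) -> float:
    """Fuzzy membership in 'suspicious': 0 at or below lo, 1 at or above hi, linear between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def indicators(flows, interval_s: float) -> dict:
    """Per-interval indicators computed from the flow entries created during the interval."""
    n = len(flows)
    return {
        "new_flow_rate": n / interval_s,
        "single_packet_ratio": (sum(1 for f in flows if f.packets <= 1) / n) if n else 0.0,
        "mean_packets_per_flow": (sum(f.packets for f in flows) / n) if n else 0.0,
    }


# Hypothetical fuzzy parameters: (lo, hi) of each ramp and the weight of each criterion.
# A deployment calibrates these from its own baseline traffic.
PARAMS = {
    "new_flow_rate": ((50.0, 500.0), 0.4),         # flows per second
    "single_packet_ratio": ((0.3, 0.8), 0.4),      # fraction of flows carrying at most one packet
    "mean_packets_per_flow": ((2.0, 10.0), 0.2),   # inverted below: few packets per flow is suspicious
}


def fuzzy_score(ind: dict) -> float:
    """Weighted combination of the three membership degrees, in [0, 1]."""
    (lo, hi), w_rate = PARAMS["new_flow_rate"]
    m_rate = ramp(ind["new_flow_rate"], lo, hi)
    (lo, hi), w_single = PARAMS["single_packet_ratio"]
    m_single = ramp(ind["single_packet_ratio"], lo, hi)
    (lo, hi), w_pkts = PARAMS["mean_packets_per_flow"]
    m_pkts = 1.0 - ramp(ind["mean_packets_per_flow"], lo, hi)
    return w_rate * m_rate + w_single * m_single + w_pkts * m_pkts


def decide(flows, interval_s: float, alert_threshold: float = 0.6):
    """Return (alert, score, indicators) for one polling interval."""
    ind = indicators(flows, interval_s)
    score = fuzzy_score(ind)
    return score >= alert_threshold, score, ind


def top_sources(flows, k: int = 3):
    """Sources holding the most flow entries: candidates for a drop rule once an alert fires."""
    return Counter(f.src for f in flows).most_common(k)


# Constructed sample intervals (1 s polling, documentation addresses).
NORMAL_FLOWS = [
    FlowStat(f"192.0.2.{i}", 40000 + i, "203.0.113.10", packets=40 + i, byte_count=(40 + i) * 900)
    for i in range(1, 21)
]
ATTACK_FLOWS = [
    FlowStat(f"198.51.100.{i % 250 + 1}", 1024 + i, "203.0.113.10", packets=1, byte_count=60)
    for i in range(400)
]

if __name__ == "__main__":
    for name, flows in (("normal", NORMAL_FLOWS), ("attack", ATTACK_FLOWS)):
        alert, score, ind = decide(flows, interval_s=1.0)
        print(name, "ALERT" if alert else "ok", round(score, 3), ind)
    print("top sources during attack:", top_sources(ATTACK_FLOWS))
```

Because the indicators come from flow-table statistics that the controller polls anyway, this kind of detector does not need every packet to reach the controller, which is the packet-in load the article's architecture sets out to reduce.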

Proceedings ArticleDOI
01 Oct 2017
TL;DR: A framework based on Software-Defined Networking (SDN) and the Bro Security Monitor that can mitigate attacks purely within the network infrastructure and can reliably mitigate several different attack scenarios, including SYN flooding and HTTP flooding is proposed.
Abstract: With the omnipresence of the Internet of Things and poorly secured devices with it in combination with high bandwidth networks, Distributed Denial of Service (DDoS) attacks have become one of the biggest threats for network security. With high bandwidth attacks flooding network infrastructure, the pressure to secure the attack targets shifts more and more to the network operators. Often without direct access to the target, the operators are asked to secure their clients. We propose a framework based on Software-Defined Networking (SDN) and the Bro Security Monitor that can mitigate attacks purely within the network infrastructure. In our evaluation, we show that our framework can reliably mitigate several different attack scenarios, including SYN flooding and HTTP flooding.

Journal ArticleDOI
TL;DR: The first prototype system with the Hop-count filtering and Ingress/Egress filtering techniques using the Xilinx Virtex 5 xc5vtx240t FPGA device is implemented.
Abstract: This paper proposes an FPGA-based multicore architecture to integrate multiple DDoS defense mechanisms for DDoS protection. The architecture allows multiple cooperating DDoS mitigation techniques to classify incoming network packets. The proposed architecture consists of two separate partitions: static and dynamic. The static partition includes packet pre-processing and post-processing modules, while the DDoS filtering techniques are implemented within the dynamic partition. These filtering techniques can be implemented by either hardware custom computing cores or general-purpose soft processors, or both. In all cases, these DDoS filtering computing cores can be updated or changed at runtime or design time. We implement our first prototype system with the Hop-count filtering and Ingress/Egress filtering techniques using the Xilinx Virtex 5 xc5vtx240t FPGA device. The synthesis results show that the system can work at up to 116.782 MHz while utilizing about 41% of LUTs, 47% of Registers, and 53% of Block Memory of the available hardware resources. Experimental results show that our system achieves a 100% detection rate (true positive) with a 0% false negative rate and a maximum 0.74% false positive rate. Moreover, the prototype system obtains a packet processing throughput of up to 9.869 Gbps in half-duplex mode and 19.738 Gbps in full-duplex mode.
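The two filtering techniques the prototype implements are standard, so here is an added software example, not the paper's hardware design, showing what the cooperating cores compute. Hop-count filtering infers a packet's hop count from its TTL (by assuming the smallest common initial TTL not below the observed value) and compares it with a table learned from traffic known to be genuine; ingress/egress filtering in the BCP 38 sense checks the source address against the prefixes expected on the arrival interface. A packet is dropped if either core says it is spoofed. The learned table, the interface policy and the packets are all constructed for the example.

```python
"""Hop-count filtering plus ingress/egress filtering over sample packets (added example)."""
import ipaddress

# Initial TTL values used by common operating systems; hop count = initial TTL - observed TTL.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_hop_count(ttl: int) -> int:
    """Assume the smallest common initial TTL not below the observed TTL.

    30/32 and 60/64 are ambiguous (a hop-count error of 2 or 4), which is why
    HopCountFilter accepts a tolerance.
    """
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


class HopCountFilter:
    """IP-to-hop-count table learned from traffic known to be genuine (e.g. completed TCP handshakes)."""

    def __init__(self, tolerance: int = 0):
        self.table = {}
        self.tolerance = tolerance

    def learn(self, src: str, ttl: int) -> None:
        self.table[src] = infer_hop_count(ttl)

    def verdict(self, src: str, ttl: int) -> str:
        expected = self.table.get(src)
        if expected is None:
            return "unknown"  # HCF cannot judge an address it has never learned
        return "ok" if abs(infer_hop_count(ttl) - expected) <= self.tolerance else "spoofed"


class IngressEgressFilter:
    """BCP 38 style source-address check per interface: an allow-list or deny-list of prefixes."""

    def __init__(self, policy: dict):
        self.policy = {
            iface: {key: [ipaddress.ip_network(p) for p in nets] for key, nets in rules.items()}
            for iface, rules in policy.items()
        }

    def verdict(self, src: str, iface: str) -> str:
        rules = self.policy.get(iface)
        if rules is None:
            return "unknown"
        addr = ipaddress.ip_address(src)
        if "allow" in rules and not any(addr in n for n in rules["allow"]):
            return "spoofed"
        if "deny" in rules and any(addr in n for n in rules["deny"]):
            return "spoofed"
        return "ok"


def classify(packets, hcf: HopCountFilter, ief: IngressEgressFilter):
    """Run both filters on each packet; drop if either one says 'spoofed'."""
    results = []
    for pkt in packets:
        reasons = []
        if hcf.verdict(pkt["src"], pkt["ttl"]) == "spoofed":
            reasons.append("hop-count")
        if ief.verdict(pkt["src"], pkt["iface"]) == "spoofed":
            reasons.append("ingress-egress")
        results.append(("drop" if reasons else "pass", reasons))
    return results


# Constructed policy: 192.0.2.0/24 is "our" network behind the lan interface.
POLICY = {
    "lan": {"allow": ["192.0.2.0/24"]},               # egress: only our own addresses may leave
    "wan": {"deny": ["192.0.2.0/24", "10.0.0.0/8"]},  # ingress: our own or private space never arrives from outside
}


def build_filters():
    hcf = HopCountFilter(tolerance=0)
    hcf.learn("198.51.100.10", ttl=52)   # learned from a completed handshake: 60 - 52 = 8 hops
    hcf.learn("203.0.113.5", ttl=118)    # 128 - 118 = 10 hops
    return hcf, IngressEgressFilter(POLICY)


# Constructed packets (documentation addresses).
SAMPLE_PACKETS = [
    {"src": "198.51.100.10", "ttl": 52,  "iface": "wan"},  # genuine
    {"src": "198.51.100.10", "ttl": 240, "iface": "wan"},  # spoofed: 15 hops, expected 8
    {"src": "192.0.2.77",    "ttl": 120, "iface": "wan"},  # our own prefix arriving from outside
    {"src": "192.0.2.20",    "ttl": 64,  "iface": "lan"},  # genuine outbound
    {"src": "203.0.113.5",   "ttl": 248, "iface": "wan"},  # spoofed: 7 hops, expected 10
    {"src": "8.8.8.8",       "ttl": 60,  "iface": "lan"},  # outbound with a foreign source
]

if __name__ == "__main__":
    hcf, ief = build_filters()
    for pkt, (action, why) in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS, hcf, ief)):
        print(pkt["src"], pkt["iface"], action, why)
```

The two filters cover each other's blind spots: hop-count filtering says nothing about addresses it has not learned, and ingress/egress filtering says nothing about a forged address that is at least topologically plausible on the arrival interface. A spoofed packet whose forged TTL happens to land on the right hop count still passes HCF, which is the source of its residual false negatives.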

Proceedings ArticleDOI
05 Dec 2017
TL;DR: The present paper aims to propose and test a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics.
Abstract: A Distributed Denial of Service (DDoS) attack is an attempt to make an online service, a network, or even an entire organization unavailable by saturating it with traffic from multiple sources. DDoS attacks are among the most common and most devastating threats that network defenders have to watch out for. DDoS attacks are becoming bigger, more frequent, and more sophisticated. Volumetric attacks are the most common type of DDoS attack. A DDoS attack is considered volumetric, or high-rate, when within a short period of time it generates a large number of packets or a high volume of traffic. High-rate attacks are well known and have received much attention in the past decade; however, although several detection and mitigation strategies have been designed and implemented, high-rate attacks are still halting the normal operation of information technology infrastructures across the Internet when the protection mechanisms are not able to cope with the aggregated capacity that the perpetrators have put together. With this in mind, the present paper aims to propose and test a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics. We have successfully tested our proposed mechanism using a real-world DDoS attack dataset at its original rate, in order to reproduce the conditions of an actual large-scale attack.

Proceedings ArticleDOI
05 Jan 2017
TL;DR: This work proposes to develop an architecture that gives a network the capacity to monitor traffic on the fly and flexibly apply various detection and mitigation methods in order to reduce DDoS impact on the system shortly after it has happened.
Abstract: Nowadays, Distributed Denial of Service (DDoS) attacks get the most attention, since volumetric attacks saturate companies’ networks and associated server infrastructure. In fact, DDoS can occur weekly or daily in a network, but many organizations have no systems in place to monitor DDoS traffic so as to be aware if their networks are being attacked. Within that context, we propose to develop an architecture that gives a network the capacity to monitor traffic on the fly and to flexibly apply various detection and mitigation methods in order to reduce DDoS impact on the system shortly after it has happened. We also propose an SDN One-packet DDoS Mitigation (SODM) scheme with an OpenFlow switch functioning as a gateway to protect the inner server infrastructure. We also analyze Internet traffic to understand its common nature during attack and normal time. Knowledge of the traffic characteristics and the way to derive attack indicators are critical inputs for the detection mechanism to work. The defense solution’s performance is evaluated to be able to cope with DDoS on a small real time-scale with an acceptable false positive rate of ~6%.

Proceedings ArticleDOI
01 Oct 2017
TL;DR: EarlyDrop is presented, a trade-off driven DDoS defense mechanism based on transparent blackbox monitoring that allows operators to choose to drop undifferentiated traffic before it is forwarded to the mitigation system in order to reduce the load onto the infrastructure.
Abstract: While many DDoS mitigation approaches utilize the flexibility of software-defined infrastructures in a decentralized fashion, most of them assume that the infrastructure as a whole is willing and capable of mitigating all incoming packets of an attack. Those approaches cannot be used out of the box, if the attack overburdens the infrastructure or the monetary budget for mitigation is limited. Therefore we present EarlyDrop, a trade-off driven DDoS defense mechanism based on transparent blackbox monitoring. With EarlyDrop, operators can choose to drop undifferentiated traffic before it is forwarded to the mitigation system in order to reduce the load onto the infrastructure – a trade-off between mitigation cost (resources, money) and return of mitigation.

Book ChapterDOI
31 Aug 2017
TL;DR: The contributions give much more control to the organizations, as to under which specific conditions the DNS cache entries should be aged or used, to mitigate the effect of DDoS attacks against DNS services.
Abstract: DDoS attacks have been a problem since 2000. In October 2016, there was a major DDoS attack against the service provider Dyn’s DNS service, which took the service down. This was one of the largest bandwidth DDoS attacks ever documented, with attack bandwidth over 650 Gbps. By taking down just Dyn’s DNS service, clients could not obtain the IP addresses of the organizations hosting their DNS with Dyn, such as Twitter. Our contribution is that we have found a way to mitigate the effect of DDoS attacks against DNS services. We only require some very small algorithm changes in the DNS protocol. More specifically, we propose to add two additional timers. Even if the end DNS clients don’t support these timers, they will receive our new functionality via the DNS resolvers and recursive servers. In summary, our contributions give much more control to the organizations as to under which specific conditions the DNS cache entries should be aged or used. This allows the organization (1) to expire client DNS caches much more quickly and (2) to mitigate the effects of DNS DDoS attacks. Our contributions are also helpful to organizations even if there is no DNS DDoS attack.


Book ChapterDOI
04 Sep 2017
TL;DR: This article proposes to use data mining and machine learning approaches to find unique hidden data structures which keep a high degree of accepted legitimate traffic, while still being able to remove illegitimate and irrelevant data traffic which don’t follow the hidden structure.
Abstract: Distributed Denial of Service (DDoS) attacks have for the last two decades been among the greatest threats facing the Internet infrastructure. Mitigating DDoS attacks is a particularly challenging task, as an attacker masks the attack traffic among legitimate users. Mitigation approaches within DDoS have therefore often been investigated within the field of anomaly intrusion detection. This means that even a successful mitigation approach will risk a high disregard of legitimate users. This article proposes to use data mining and machine learning approaches to find unique hidden data structures which keep a high degree of accepted legitimate traffic, while still being able to remove illegitimate and irrelevant data traffic which doesn’t follow the hidden structure. In this perspective, we devise and evaluate two novel IP address clustering algorithms for DDoS mitigation, namely Geographical Clustering (GC) and Reduced Geographical Clustering (RGC).


Patent
08 Mar 2017
TL;DR: In this paper, the authors provide mitigation for denial of service attacks against servers open to the Internet by preventing delivery of malicious traffic to servers using network gateways, but they do not address the problem of the availability of the gateways.
Abstract: Systems and methods provide mitigation for denial of service attacks against servers open to the Internet by preventing delivery of malicious traffic to servers using network gateways.

Dissertation
01 Oct 2017
TL;DR: This thesis looks at a solution which could be applied to a typical home router to stop malicious traffic before it even reaches the Internet, as a complement to the greater DDoS mitigation effort.
Abstract: DDoS attacks are becoming more and more common, and threaten the current infrastructure of the Internet. Cheap new IoT devices have led to a lot of new devices that are poorly secured and can easily be compromised and used for such nefarious purposes. While there are many attempts at solving this problem, this thesis looks at a solution which could be applied to a typical home router. This would stop malicious traffic before it even reaches the Internet, as a complement to the greater effort. IoT devices typically have fairly simple traffic patterns during normal operation. The system tries to learn these patterns in order to block traffic which would be outside of normal. A home router, however, is an extremely limited device from a hardware perspective, so a balance has to be struck between learning capability and resource consumption. This becomes especially apparent when considering that most of the chips in home routers don’t even support floating point operations, which are commonly used for various learning methods. The proposed system, with the accompanying implementation, shows promising results throughout the testing suite while remaining very low in resource consumption. However, dealing with false negatives and implementing the result in a QoS algorithm are still difficult questions. Overall, however, the solution shows promise, and by implementing something like this along with other existing DDoS mitigation efforts, a substantial dent can be made in the viability of these attacks.