
Showing papers on "Denial-of-service attack published in 2001"


Proceedings ArticleDOI
27 Aug 2001
TL;DR: This paper describes and evaluates route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention, and shows that DPF achieves proactiveness and scalability, and there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology.
Abstract: Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and power-law network topology. The salient features of this work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse so that their origin can be localized---i.e., IP traceback---to within a small, constant number of candidate sites. We show that the two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures are dependent on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects.

611 citations
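The route-based filter described in this abstract, as an added example rather than the authors' code: each AS records, per incoming link, which source ASes can legitimately arrive on that link under the routing in force, and drops anything else as spoofed. The six-AS topology, the use of BFS shortest paths with sorted tie-breaking as the routing policy, and deployment at every AS are all assumptions made here (the paper evaluates real power-law AS graphs and partial deployment below 20% of ASes). The `candidate_origins` helper shows the paper's traceback point: a spoofed flow that survives the filter can only have come from the small set of sources the filter cannot tell apart on that link.

```python
"""Route-based distributed packet filtering (DPF) on a toy AS graph.

Added illustration, not code from the paper. Assumptions (all constructed):
a six-AS undirected topology, shortest-path routing with deterministic
tie-breaking, and a filter deployed at every AS.
"""
from collections import deque

# Constructed toy AS-level topology: AS number -> neighbouring AS numbers.
TOPOLOGY = {
    1: [2, 3],
    2: [1, 4],
    3: [1, 4, 5],
    4: [2, 3, 6],
    5: [3, 6],
    6: [4, 5],
}


def shortest_paths(topology, src):
    """BFS from src; returns {dst: [src, ..., dst]}.

    Neighbours are visited in sorted order so the chosen path is deterministic,
    standing in for whatever routing policy the real network applies.
    """
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(topology[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for dst in parent:
        path, cur = [], dst
        while cur is not None:
            path.append(cur)
            cur = parent[cur]
        paths[dst] = path[::-1]
    return paths


def build_filters(topology):
    """For each directed inter-AS link (prev_hop -> this_as), collect the set of
    source ASes whose traffic (to any destination) legitimately crosses it.
    A packet arriving on that link with any other source address is spoofed."""
    allowed = {}
    for src in topology:
        for path in shortest_paths(topology, src).values():
            for prev_hop, this_as in zip(path, path[1:]):
                allowed.setdefault((prev_hop, this_as), set()).add(src)
    return allowed


def accept(filters, prev_hop, this_as, claimed_src):
    """Route-based filter decision at this_as for a packet received from prev_hop."""
    return claimed_src in filters.get((prev_hop, this_as), set())


def candidate_origins(filters, prev_hop, this_as):
    """Sources an attacker behind prev_hop can still forge when injecting into
    this_as: the filter cannot distinguish them, so traceback of a surviving
    spoofed flow is localised to this (small) set."""
    return set(filters.get((prev_hop, this_as), set()))


def filter_packets(filters, packets):
    """packets: iterable of (prev_hop, this_as, claimed_src). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if accept(filters, *pkt) else dropped).append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    filters = build_filters(TOPOLOGY)
    # Constructed traffic: an attacker inside AS 1 floods AS 2 with forged sources.
    flood = [(1, 2, s) for s in (1, 3, 4, 5, 6)]
    ok, dropped = filter_packets(filters, flood)
    print("accepted:", ok)
    print("dropped :", dropped)
    print("origins still forgeable on link 1->2:", candidate_origins(filters, 1, 2))
```

On this toy graph an attacker in AS 5 injecting into AS 3 cannot spoof at all (only AS 5 itself routes over that link), while one in AS 1 sending into AS 2 can still claim to be AS 3 or AS 5, which is exactly the small candidate set a traceback would have to resolve.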


Journal ArticleDOI
01 Jul 2001
TL;DR: This paper argues in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.
Abstract: Attackers can render distributed denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of Internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim's abilities both to isolate the attack traffic in order to block it, and to use traceback techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE [Be00a], probabilistic packet marking [SWKA00], [SP01], and SPIE [S+01]. We discuss a number of possible defenses against reflector attacks, finding that most prove impractical, and then assess the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Our analysis indicates that three types of reflectors pose particularly significant threats: DNS and Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. We argue in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.

447 citations
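One of the victim-side signatures the abstract refers to, as an added example that is not the authors' code: a reflected flood consists of replies (DNS answers, TCP SYN/ACKs) to requests the victim never sent, so matching inbound replies against the victim's own outstanding requests separates them, and counting distinct reflector addresses per class exposes the dilution of locality. The record layout and the capture are constructed here; the TCP predictable-ISN case the paper singles out is not modelled.

```python
"""Flagging reflector traffic as unsolicited replies at the victim.

Added illustration, not the paper's code. The packet records are constructed.
Signature used: a DNS answer or a TCP SYN/ACK is solicited only if the victim
itself sent the matching query or SYN; replies with no matching request are the
reflected flood.
"""
from collections import Counter

# Record layout: (direction, proto, local_port, remote_ip, remote_port, kind)
# direction: "out" = sent by the victim, "in" = received by the victim.
# kind: "SYN"/"SYN-ACK" for TCP, "QUERY"/"RESPONSE" for DNS.


def classify_inbound(records):
    """Split inbound replies into (solicited, unsolicited) by matching them
    against requests the victim actually sent (keyed by proto and 4-tuple)."""
    outstanding = set()
    solicited, unsolicited = [], []
    for direction, proto, lport, rip, rport, kind in records:
        key = (proto, lport, rip, rport)
        if direction == "out" and kind in ("SYN", "QUERY"):
            outstanding.add(key)
        elif direction == "in" and kind in ("SYN-ACK", "RESPONSE"):
            if key in outstanding:
                outstanding.discard(key)
                solicited.append((proto, rip, rport, kind))
            else:
                unsolicited.append((proto, rip, rport, kind))
    return solicited, unsolicited


def reflector_summary(unsolicited):
    """Per reflector class (proto, remote port): count of unsolicited replies and
    distinct reflector IPs. Many IPs each sending a little is the reflector signature."""
    counts, ips = Counter(), {}
    for proto, rip, rport, _ in unsolicited:
        counts[(proto, rport)] += 1
        ips.setdefault((proto, rport), set()).add(rip)
    return {k: (counts[k], len(ips[k])) for k in counts}


def constructed_trace():
    """Constructed capture: two legitimate exchanges plus reflected replies."""
    legit = [
        ("out", "udp", 40001, "192.0.2.53", 53, "QUERY"),
        ("in", "udp", 40001, "192.0.2.53", 53, "RESPONSE"),
        ("out", "tcp", 40002, "198.51.100.80", 80, "SYN"),
        ("in", "tcp", 40002, "198.51.100.80", 80, "SYN-ACK"),
    ]
    dns_reflect = [("in", "udp", 50000 + i, f"203.0.113.{i}", 53, "RESPONSE")
                   for i in range(1, 6)]
    tcp_reflect = [("in", "tcp", 51000 + i, f"198.51.100.{i}", 80, "SYN-ACK")
                   for i in range(1, 4)]
    return legit + dns_reflect + tcp_reflect


if __name__ == "__main__":
    sol, unsol = classify_inbound(constructed_trace())
    print("solicited:", len(sol), "unsolicited:", len(unsol))
    for k, (n, distinct) in reflector_summary(unsol).items():
        print(k, "replies:", n, "distinct reflectors:", distinct)
```

The check is cheap because it keys on state the victim already holds; what it cannot do is stop the traffic before it arrives, which is why the abstract ends by arguing for traceback that works on the low-volume per-reflector flows.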


Proceedings ArticleDOI
22 Apr 2001
TL;DR: It is shown that probabilistic packet marking-of interest due to its efficiency and implementability vis-a-vis deterministic packet marking and logging or messaging based schemes-suffers under spoofing of the marking field in the IP header by the attacker which can impede traceback by the victim.
Abstract: Effective mitigation of denial of service (DoS) attack is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. We show that probabilistic packet marking-of interest due to its efficiency and implementability vis-a-vis deterministic packet marking and logging or messaging based schemes-suffers under spoofing of the marking field in the IP header by the attacker which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoS attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem-the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume-can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increasing the marking probability, however, the latter is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites which renders PPM effective against single source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.

415 citations
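The marking-probability trade-off in this abstract, as an added example rather than the authors' model: with node sampling, every router on a d-hop path overwrites the single mark field with probability p, so the attacker's forged mark reaches the victim with probability (1-p)^d, while the mark of the router i hops from the attacker arrives with probability p(1-p)^(d-i). Raising p shrinks the forged fraction but starves the victim of marks from distant routers, which is the sampling constraint that bounds p from above. The node-sampling simplification (no edge or distance fields) and the 0.01 step search are assumptions made here.

```python
"""Node-sampling probabilistic packet marking (PPM) versus a mark-spoofing attacker.

Added illustration, not the paper's code. Simplifying assumption: each router
on the d-hop path overwrites the single mark field with its own identifier
with probability p (node sampling); real PPM schemes also carry edge and
distance fields, which this model omits.
"""
import random

FORGED = "ATTACKER-FORGED"


def mark_arrival_probabilities(p, d):
    """Analytic view: returns (P[forged mark survives], [P[mark from router 1],
    ..., P[mark from router d]]). Router 1 is adjacent to the attacker, router d
    is the victim's last hop. A mark survives only if every later router stays
    silent, so the attacker's forged value reaches the victim with prob (1-p)^d."""
    forged = (1 - p) ** d
    per_router = [p * (1 - p) ** (d - i) for i in range(1, d + 1)]
    return forged, per_router


def simulate_marks(p, d, n_packets, seed=0):
    """Monte Carlo: attacker seeds the mark field with FORGED, every router
    overwrites it with probability p. Returns counts of what the victim sees."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n_packets):
        mark = FORGED
        for router in range(1, d + 1):
            if rng.random() < p:
                mark = f"R{router}"
        counts[mark] = counts.get(mark, 0) + 1
    return counts


def forged_fraction(p, d, n_packets, seed=0):
    """Fraction of received packets still carrying the attacker's forged mark."""
    return simulate_marks(p, d, n_packets, seed).get(FORGED, 0) / n_packets


def min_marking_probability(d, max_forged_fraction):
    """Smallest p (step 0.01) with (1-p)^d <= max_forged_fraction: raising p
    curtails forgery, at the cost that marks from far routers (p(1-p)^(d-i))
    become rarer, which is the sampling constraint bounding p from above."""
    p = 0.01
    while (1 - p) ** d > max_forged_fraction:
        p = round(p + 0.01, 2)
    return p


if __name__ == "__main__":
    forged, per_router = mark_arrival_probabilities(0.5, 3)
    print("forged survives:", forged, "per-router marks:", per_router)
    print("simulated forged fraction, p=0.5, d=5:", forged_fraction(0.5, 5, 20000))
    print("p needed for <=0.1% forged marks on a 10-hop path:",
          min_marking_probability(10, 0.001))
```

Under a distributed attack each source runs this game independently, so the forged fractions add up across sources; that is the amplification of attacker uncertainty the abstract mentions.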


Book ChapterDOI
25 Apr 2001
TL;DR: In light of these observations, the trade-offs that one faces when trying to construct an efficient low latency communication system that protects users' anonymity are discussed.
Abstract: We discuss problems and trade-offs with systems providing anonymity for web browsing (or more generally any communication system that requires low latency interaction). We focus on two main systems: the Freedom network [12] and PipeNet [8]. Although Freedom is efficient and reasonably secure against denial of service attacks, it is vulnerable to some generic traffic analysis attacks, which we describe. On the other hand, we look at PipeNet, a simple theoretical model which protects against the traffic analysis attacks we point out, but is vulnerable to denial of service attacks and has efficiency problems. In light of these observations, we discuss the trade-offs that one faces when trying to construct an efficient low latency communication system that protects users' anonymity.

262 citations


Proceedings ArticleDOI
15 Oct 2001
TL;DR: A simple enhancement called "intention-driven" iTrace is proposed, which conceptually introduces an extra bit in the routing and forwarding process, and it is shown that the performance of iTrace improves dramatically.
Abstract: Since late 1999, DDoS (distributed denial of service) attacks have drawn much attention from both the research and industry communities. Many potential solutions (e.g., ingress filtering, packet marking or tracing, and aggregate-based congestion control or rate limiting) have been proposed to handle this network bandwidth consumption attack. Among them, "ICMP traceback (iTrace)" is currently being considered as an industry standard by the IETF (Internet Engineering Task Force). While the idea of iTrace is very clever, efficient, reasonably secure and practical, it suffers from a serious statistical problem: the chance of "useful" and "valuable" iTrace messages can be extremely small against various types of DDoS attacks. This implies that most of the network resources spent on generating and utilizing iTrace messages will be wasted. Therefore, we propose a simple enhancement called "intention-driven" iTrace, which conceptually introduces an extra bit in the routing and forwarding process. With the new "intention-bit", our simulation study shows that the performance of iTrace improves dramatically. This work has been proposed to IETF's ICMP Trace-Back working group.

192 citations


Proceedings ArticleDOI
14 May 2001
TL;DR: It is shown that statistical tests applied in the time series of MIB traffic at the target and the attacker are effective in extracting the correct variables for monitoring in the attacker machine and suggest the possibility of an entirely automated procedure centered on network management systems for detecting precursors of distributed denial of service attacks, and responding to them.
Abstract: We propose a methodology for utilizing network management systems for the early detection of distributed denial of service (DDoS) attacks. Although there are quite a large number of events that are prior to an attack (e.g. suspicious log-ons, start of processes, addition of new files, sudden shifts in traffic, etc.), in this work we depend solely on information from MIB (management information base) traffic variables collected from the systems participating in the attack. Three types of DDoS attacks were effected on a research test bed, and MIB variables were recorded. Using these datasets, we show how there are indeed MIB-based precursors of DDoS attacks that render it possible to detect them before the target is shut down. Most importantly, we describe how the relevant MIB variables at the attacker can be extracted automatically using statistical tests for causality. It is shown that statistical tests applied in the time series of MIB traffic at the target and the attacker are effective in extracting the correct variables for monitoring in the attacker machine. Following the extraction of these key variables at the attacker, it is shown that an anomaly detection scheme, based on a simple model of the normal rate of change of the key MIBs can be used to determine statistical signatures of attacking behavior. These observations suggest the possibility of an entirely automated procedure centered on network management systems for detecting precursors of distributed denial of service attacks, and responding to them.

179 citations


Patent
07 Aug 2001
TL;DR: This patent describes a processor architecture for processing data packets representing voice over Internet Protocol (VoIP) calls in a packet-switched network; the VoIP processor includes a plurality of independently callable primitive software functions that carry out low-level VoIP packet processing functions.
Abstract: A processor architecture for processing data packets representing voice over Internet Protocol (VoIP) calls in a packet-switched network is disclosed in Figure 1. According to an embodiment, a VoIP processor (126) executes a voice packet processing operating system that is configured to monitor or manipulate the packets at an IP layer, media layer and signaling layer of the call. The VoIP processor (126) includes a plurality of independently callable primitive software functions that carry out low-level VoIP packet processing functions. The VoIP processor (126) executes one or more application programs that selectively call one or more of the primitive software functions and are independent of any underlying protocols of an existing network, thereby isolating the application programs from low-level processing details. Further, techniques are described for modifying characteristics of VoIP traffic for the purpose of monitoring and directing the VoIP traffic through a network. The techniques include extracting information associated with the VoIP traffic and using the information for the purpose of controlling access, for fraud detection, for billing, for enforcing policy decisions, for protection against denial of service attacks, for lawful interception, for service selection, and other applications.

178 citations


Proceedings ArticleDOI
01 Apr 2001
TL;DR: A solution based on Class Based Routing mechanisms in the Linux kernel that will prevent the most severe impacts of DDoS on clusters of web servers with a prepended load balancing server is presented.
Abstract: Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). While former security threats could be faced by a tight security policy and active measures like using firewalls, vendor patches etc. these DDoS are new in such way that there is no completely satisfying protection yet. In this paper we categorize different forms of attacks and give an overview over the most common DDoS tools. Furthermore we present a solution based on Class Based Routing mechanisms in the Linux kernel that will prevent the most severe impacts of DDoS on clusters of web servers with a prepended load balancing server. The goal is to keep the web servers under attack responding to the normal client requests. Some performance tests and a comparison to other approaches conclude our paper.

173 citations


01 Jan 2001
TL;DR: These methods employ statistical analysis of data from multiple layers of the network protocol for detection of very subtle traffic changes, which are typical for these kinds of attacks.
Abstract: In computer networks, large scale attacks in their final stages can readily be identified by observing very abrupt changes in the network traffic, but in the early stage of an attack, these changes are hard to detect and difficult to distinguish from usual traffic fluctuations. In this paper, we develop efficient adaptive sequential and batch-sequential methods for an early detection of attacks from the class of "denial-of-service attacks". These methods employ statistical analysis of data from multiple layers of the network protocol for detection of very subtle traffic changes, which are typical for these kinds of attacks. Both the sequential and batch-sequential algorithms utilize thresholding of test statistics to achieve a fixed rate of false alarms. The algorithms are developed on the basis of the change-point detection theory: to detect a change in statistical models as soon as possible, controlling the rate of false alarms. There are three attractive features of the approach. First, both methods are self-learning, which enables them to adapt to various network loads and usage patterns. Second, they allow for detecting attacks with small average delay for a given false alarm rate. Third, they are computationally simple, and hence, can be implemented online. Theoretical frameworks for both kinds of detection procedures, as well as results of simulations, are presented.

150 citations
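The sequential change-point idea behind this abstract, as an added example that is not the authors' algorithm: a one-sided CUSUM learns its baseline mean from a warm-up window (the self-learning step), accumulates only the excess of each sample over baseline plus a slack `k`, and alarms when the accumulated statistic crosses `h`. The threshold is what fixes the false alarm rate: the mean time between false alarms grows roughly exponentially in `h` while detection delay grows only linearly, so the example also shows a threshold set too low firing before the attack. The paper's actual methods are adaptive, batch-sequential and fuse several protocol layers; the single-series CUSUM, the 95/100/105 traffic cycle and the +12 packet shift are all constructed assumptions made here.

```python
"""One-sided CUSUM change-point detector on per-interval packet counts.

Added illustration, not the paper's algorithm: this is the basic sequential
CUSUM with a self-learned baseline. The traffic series is constructed, not measured.
"""


def make_traffic(n=60, attack_start=40, shift=12):
    """Constructed per-interval packet counts: baseline cycles 95/100/105, and from
    `attack_start` on every count is raised by `shift` (a subtle ~12% increase,
    comparable to the normal swing, so a plain threshold on x would not catch it)."""
    series = []
    for i in range(n):
        x = 100 + (i % 3 - 1) * 5
        if attack_start is not None and i >= attack_start:
            x += shift
        series.append(x)
    return series


def cusum_detect(samples, warmup, drift_k, threshold_h):
    """Self-learning one-sided CUSUM.
    mu0 is estimated from the first `warmup` samples (the adaptive step);
    then S_n = max(0, S_{n-1} + x_n - mu0 - drift_k) and an alarm fires at S_n >= h.
    drift_k is the per-sample slack (about half the shift one wants to catch);
    threshold_h trades detection delay against false alarms.
    Returns (index of first alarm or None, trace of S_n after the warm-up)."""
    mu0 = sum(samples[:warmup]) / warmup
    s, trace = 0.0, []
    for n, x in enumerate(samples[warmup:], start=warmup):
        s = max(0.0, s + (x - mu0 - drift_k))
        trace.append(s)
        if s >= threshold_h:
            return n, trace
    return None, trace


if __name__ == "__main__":
    traffic = make_traffic()
    alarm, _ = cusum_detect(traffic, warmup=20, drift_k=5, threshold_h=30)
    print("attack starts at interval 40, alarm at", alarm)
    false_alarm, _ = cusum_detect(traffic, warmup=20, drift_k=5, threshold_h=0.2)
    print("with h too low, alarm at", false_alarm, "(before the attack: a false alarm)")
    print("no attack:", cusum_detect(make_traffic(attack_start=None), 20, 5, 30)[0])
```

With `h=30` the detector fires four intervals after onset; with `h=0.2` it fires on ordinary fluctuation during the baseline period, which is the false-alarm side of the trade-off the abstract's thresholding is meant to control.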


Patent
28 Sep 2001
TL;DR: This patent describes a procedure for recognizing and refusing DoS and DDoS attacks on server systems of network service providers and operators by means of an electronic intermediary device installed on a computer network.
Abstract: The invention refers to a procedure for recognizing and refusing attacks on server systems of network service providers and operators by means of an electronic intermediary device (4) installed on a computer network. This electronic intermediary device operates a computer program as well as a data carrier to realize the advantages of the present invention. In addition, the present invention applies to any computer system connected to a network such as the Internet (6), an intranet, a virtual private network and the like, regardless of whether such network contains just one computer or many computers configured as a server computer (2) or as a client computer, and also applies to a computer program product containing computer codes for recognizing and refusing attacks on server systems, and provides: defense against DoS and DDoS attacks (flood attacks), link level security, examination of valid IP headers, examination of the IP packet, TCP/IP fingerprint protection, blocking of each UDP network packet, length restrictions of ICMP packets, exclusion of specific external IP addresses, packet-level firewall function, and protection of reachable services of the target system. The present invention thus guarantees a high degree of security and protection against DoS and DDoS attacks.

148 citations


Patent
22 May 2001
TL;DR: This patent discloses a method, apparatus, and computer readable medium for preventing a DoS attack in a client/server environment without notifying the attacker: clients above a first connection-rate threshold are blocked, and clients between a second, lower threshold and the first are throttled.
Abstract: According to the present invention, a method, apparatus, and computer readable medium for preventing a DoS attack without notifying the DoS attacker are disclosed. In one embodiment, in a client/server environment, a DoS defense module determines a connection request rate for a particular client. The client is blocked (618) if the connection request rate is determined (616) to be above a first pre-determined threshold. If, however, the connection request rate is below the first threshold but above a second threshold, then the client's connection request rate is slowed (620), or throttled, down to a rate consistent with a connection delay interval that is based upon a throttling factor.
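The two-threshold scheme in this patent abstract, as an added example that is not the patent's code: per-client request rates are measured over a sliding window; above the first threshold the client is blocked silently (no reset or error page that would tell the attacker it has been noticed), between the second and first thresholds each request is delayed, below the second it is served immediately. The 1-second window and the delay law (rising linearly from 0 s at the lower threshold to `throttling_factor` seconds at the upper one) are assumptions made here; the abstract only says the delay interval is based upon a throttling factor.

```python
"""Two-threshold connection-rate control, per client, with silent blocking.

Added illustration, not the patent's code. Constructed assumptions: rates are
connection requests per second over a 1-second sliding window, and the
throttling delay grows linearly from 0 s at the lower threshold to
`throttling_factor` seconds at the upper one.
"""
from collections import defaultdict, deque


class DoSDefense:
    def __init__(self, block_threshold, throttle_threshold, throttling_factor, window=1.0):
        assert block_threshold > throttle_threshold > 0
        self.t1 = block_threshold      # requests/sec above which the client is blocked
        self.t2 = throttle_threshold   # requests/sec above which the client is throttled
        self.factor = throttling_factor
        self.window = window
        self.history = defaultdict(deque)   # client -> request timestamps in the window
        self.blocked = set()

    def rate(self, client, now):
        """Requests per second from `client` over the trailing window."""
        q = self.history[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) / self.window

    def decide(self, client, now):
        """Record a connection request at time `now` and return one of
        ("block", None): drop silently, no RST or error that would tip off the attacker
        ("throttle", delay_seconds): accept, but only after this delay
        ("accept", 0.0): serve immediately."""
        if client in self.blocked:
            return ("block", None)
        self.history[client].append(now)
        r = self.rate(client, now)
        if r > self.t1:
            self.blocked.add(client)
            return ("block", None)
        if r > self.t2:
            # Assumed delay law: 0 s at t2, `factor` seconds at t1.
            delay = self.factor * (r - self.t2) / (self.t1 - self.t2)
            return ("throttle", delay)
        return ("accept", 0.0)


def replay(defense, events):
    """events: iterable of (timestamp, client) in time order.
    Returns [(client, action, delay), ...]."""
    return [(client, *defense.decide(client, t)) for t, client in events]


def constructed_events():
    """Constructed trace: 'evil' opens 12 connections in 0.6 s, 'good' opens 3 in a second."""
    evil = [(round(i * 0.05, 2), "evil") for i in range(12)]
    good = [(0.5, "good"), (0.6, "good"), (0.7, "good")]
    return sorted(evil + good)


if __name__ == "__main__":
    d = DoSDefense(block_threshold=10, throttle_threshold=5, throttling_factor=2.0)
    for client, action, delay in replay(d, constructed_events()):
        print(f"{client:5s} {action:9s} {delay}")
```

Note that a blocked client stays blocked even after its request history ages out of the window; releasing it is a separate policy decision the abstract does not specify.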

Patent
31 Jan 2001
TL;DR: This patent presents a method and apparatus for preventing a Denial of Service (DoS) attack directed at a target hosted on a server: the attack is detected, the IP address of the attacking source client is identified, and that address is communicated upstream so routers close to the source can block it.
Abstract: A method and apparatus for preventing a Denial of Service attack directed at a target that is hosted on a server. The attack is detected and the IP address of the source client of the attack is identified. The IP address of the source of the attack is then communicated upstream to router devices close to the attacking source and the attacker is prevented from further attacks until it is determined that the attacker poses no threat. The detection of the attack and the communication of the identity of the attacker to upstream routers is performed automatically or by human intervention.

Patent
13 Aug 2001
TL;DR: This patent proposes a method for the identification and defence of attacks on the server systems of network service providers and operators, using an electronic device (4) that can be integrated into a computer network and that comprises a computer programme, together with a data carrier containing a computer programme for carrying out the method.
Abstract: The invention relates to a method for the identification and defence of attacks on the server systems of network service providers and operators, using an electronic device (4) that can be integrated into a computer network and that comprises a computer programme, and relates to a data carrier, which contains a computer programme for carrying out said method. The invention also relates to a computer system, which is connected to a network, such as the Internet (6), an intranet or similar and has one or several computers that are configured as server computers (2) or client computers, and to a computer programme containing computer programme codes for the identification and defence of attacks on server systems. The invention comprises - protection against DoS and DDoS attacks (flood attacks)- link-level security,- verification of valid IP headers, - verification of IP packet characteristics, - TCP/IP fingerprint protection,- blocking of all UDP network packets,- exclusion of specific external IP addresses, - packet-level firewall function, - protection of accessible services of the target system. The invention provides the highest possible degree of security and protection against DoS and DDoS attacks.

Journal ArticleDOI
TL;DR: This journal version describes and evaluates route-based distributed packet filtering (DPF), a novel approach to preventing distributed denial of service (DDoS) attacks on the Internet.
Abstract: Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet filtering (DPF), a novel approach to distributed...

Proceedings ArticleDOI
10 Dec 2001
TL;DR: A distributed gateway architecture and a payment protocol that imposes dynamically changing prices on network, server, and information resources in order to push some cost of initiating service requests (in terms of monetary payments and/or computational burdens) back onto the requesting clients.
Abstract: Distributed denial of service (DDoS) attacks exploit the acute imbalance between client and server workloads to cause devastation to the service providers. We propose a distributed gateway architecture and a payment protocol that imposes dynamically changing prices on network, server, and information resources in order to push some cost of initiating service requests (in terms of monetary payments and/or computational burdens) back onto the requesting clients. By employing different price and purchase functions, the architecture can provide service quality differentiation and furthermore, select good client behavior and discriminate against adversarial behavior. If confirmed by additional experiments, judicious partitioning of resources using different pricing functions can improve overall service survivability.

01 Jan 2001
TL;DR: The approach involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask adjacent routers to control an aggregate upstream.
Abstract: The current Internet infrastructure has very few built-in protection mechanisms and is therefore vulnerable to attacks and failures. In particular, recent events have illustrated the Internet's vulnerability to both denial of service (DoS) attacks and flash crowds in which one or more links in the network (or servers at the edge of the network) become severely congested. In both flash crowds and DoS attacks the congestion is not due to a single flow, nor to a general increase in traffic, but to a well-defined subset of the traffic, an aggregate. This paper discusses mechanisms for detecting and controlling such high bandwidth aggregates. Our approach involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask adjacent routers to control an aggregate upstream. These mechanisms, while certainly not a panacea, provide relief from flash crowds and flooding-style DoS attacks.

Book ChapterDOI
Ravi Iyer, Vijay Tewari, Krishna Kant
01 Jan 2001
TL;DR: Three simple schemes for controlling the load effectively in web servers are studied and shown to be effective in improving the throughput of the web server by 40% and response time by 70% under heavy overloads, as compared with the case without any overload control.
Abstract: Web servers often experience overload situations due to the extremely bursty nature of Internet traffic, popular online events or malicious attacks. Such overload situations significantly affect performance and may result in lost revenue as reported by the recent denial of service attacks. Overload control schemes are well researched and understood in telecommunication systems. However, their use in web servers is currently very limited. Our focus in this paper is to propose effective overload control mechanisms for web servers. An important aspect in overload control is to minimize the work spent on a request which is eventually not serviced due to overload. This paper studies three simple schemes for controlling the load effectively. The first scheme selectively drops incoming requests as they arrive at the server using an intelligent network interface card (NIC). The second scheme provides feedback to a previous node (proxy server or ultimate client) to allow a gapping control that reduces offered load under overload. The third scheme is simply a combination of the two. The experimental results show that even these simple schemes are effective in improving the throughput of the web server by 40% and response time by 70% under heavy overloads, as compared with the case without any overload control.

01 Jan 2001
TL;DR: Although there is no panacea for all flavors of denial of service, there are several countermeasures that focus on either making the attacks more difficult or on making the attacker accountable via logging and tracing.
Abstract: As evinced by a series of high profile attacks, denial of service (DoS), or prevention of legitimate access to resources, is a threat that demands attention. Of particular concern are distributed attacks, in which an adversary recruits several computers to aid in the attack. The first major distributed denial of service (DDoS) attack brought down the University of Minnesota's network for three days in August 1999. About six months later, the attack by a Canadian teenager on several major sites including Yahoo, Amazon, eBay, CNN, and Buy.com made headlines. In accord with the underlying principle that destruction is simpler than construction, denial of service attacks come in many forms and are easy to carry out, but preventing them can sometimes be tricky. Although there is no panacea for all flavors of denial of service, there are several countermeasures that focus on either making the attacks more difficult or on making the attacker accountable via logging and tracing.

Patent
26 Jul 2001
TL;DR: This patent describes a system in which a network processor, placed in front of a network resource server or a server farm formed by a plurality of computer systems, transfers data to and from the external network at substantially the network's own flow rate, together with a related method in which the processor watches the rate of change of that flow to decide when to discard packets.
Abstract: A system comprising a network resource server or a server farm formed by a plurality of computer systems, and a network processor which transfers data exchanged with an external network supported by the server farm at a data rate substantially the same as the data flow rate of the network, and a related method. The network processor protects the network resource server against attacks such as a denial of service attack by monitoring data flow, computing a derivative of the data flow over time to determine the rate of change of data flow, and modifying instructions for the discarding of packets in response to rates of change which are outside predetermined boundaries.

Patent
16 Apr 2001
TL;DR: This patent presents a system for handling denial of service attacks on behalf of a shared network resource: a request processing component (201) deployed within the network receives requests on the resource's behalf, and a rate control component selectively forwards them to the shared resource at a rate chosen to keep it from crashing or becoming undesirably busy.
Abstract: A system for handling denial of service attacks on behalf of a shared network resource (210). A request processing component (201) deployed within a network, the request processing component (201) having an interface configured to receive requests on behalf of the shared network resource. A rate control component coupled to the request processing component, the rate control component comprising program and data structures operable to selectively forward received requests to the shared network resource at a rate selected to prevent the shared network resource from crashing or becoming undesirably busy. Preferably, the system includes a denial of service attack detection component coupled to the request processing component and the rate control component and operable to monitor request metrics from the request processing component and provide configuration information to the rate control component.

Patent
09 Jul 2001
TL;DR: This patent describes a method for tracing a stream of anonymous packets received at a target host back to its source, for example in response to a Denial-of-Service (DoS) attack, without relying on knowledge of or cooperation from the intervening ISPs.
Abstract: A method for tracing packets in a communications network directed to tracing a stream of anonymous packets received at a given target host, in order to identify their source, in response, for example, to a Denial-of-Service (“DoS”) attack on the target host. Advantageously, the tracing is performed without reliance on knowledge or cooperation from intervening Internet Service Providers (ISPs) along the path. The method is performed by applying a “burst load” (i.e., a brief but heavy load of transmitted packets) to various elements (i.e., links or routers) in the network and measuring the change in the rate with which the stream of packets arrive at the target. If the rate is substantially altered upon introduction of the burst load, then it may be deduced that the given element is most likely on the path from the source host of the DoS attack to the target host.

Proceedings ArticleDOI
15 Oct 2001
TL;DR: The CTPS/PF architecture is able to detect the presence of DoS attacks and take proper action within hundreds of milliseconds to tens of seconds, and the average sampling overhead during a congestion period is in the vicinity of 1 sample per second.
Abstract: Denial-of-service (DoS) attacks have received a great amount of attention in research communities and general public alike, due to recent, high-profile attacks against major Internet e-commerce sites. We present a countermeasure against such attacks, called the congestion-triggered packet sampling/packet filtering (CTPS/PF) architecture. With CTPS/PF, a packet sampling mechanism that is integrated with the congestion control mechanism at routers is used to detect DoS attacks, and packet filters are activated only when sampling results warrant action. One important concern in deploying any form of traffic analysis in the critical data-forwarding paths of the Internet is performance. Our sample processing algorithm takes into account the confidence indicators of statistic results to raise alarms with relatively small numbers of samples. Moreover, the per-sample processing complexity is only O(1). Our simulation study reveals that the CTPS/PF architecture is able to detect the presence of DoS attacks and take proper action within hundreds of milliseconds to tens of seconds. Moreover, the average sampling overhead during a congestion period is in the vicinity of 1 sample per second.

Book ChapterDOI
10 Oct 2001
TL;DR: The results of recent testbed experiments using CITRA and IDIP to defend streaming multimedia sessions against the Stacheldraht DDoS toolkit suggest that these technologies represent a promising approach for autonomic DDoS defense.
Abstract: The Cooperative Intrusion Traceback and Response Architecture (CITRA) [1] and the Intruder Detection and Isolation Protocol (IDIP) [2] provide an infrastructure that enables intrusion detection systems, firewalls, routers, and other components to cooperatively trace and block network intrusions as close to their sources as possible. We present the results of recent testbed experiments using CITRA and IDIP to defend streaming multimedia sessions against the Stacheldraht DDoS toolkit. Experimental data suggests that these technologies represent a promising approach for autonomic DDoS defense.

Patent
07 Sep 2001
TL;DR: This patent detects DDoS attack packets at the edge router of the LAN hosting the victim's server, then pushes attack source retrieval modules to successive upstream routers until the router nearest the attack source is found, where a protection module drops the attack packets.
Abstract: When DDoS attack packets are transmitted from the attacker to the victim's server, the attack packets are detected in the edge router of the LAN accommodating the server. These packets are then destroyed, the addresses of the upstream routers close to the attack source are retrieved, and attack source retrieval modules are transmitted from the edge router to all the upstream routers. By executing the retrieval modules in the upstream routers, verification is performed as to whether the attack packets are passing through those upstream routers. The results are notified to the transmission source router and if the attack packets are passing through, the retrieval modules are transmitted to routers at the upper stream. When the router at the uppermost stream is reached, a protection module is executed to destroy the attack packets. When the attacks cease, the protection module deletes itself and the protection process is ended.

Patent
Robert M. Silverman
31 Aug 2001
TL;DR: In this paper, challenge-response and probative methods together or independent of each other enable detection of devices participating in denial of service (DOS) and distributed DOS (DDOS) attacks upon a network resource, and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack by placing the attacking devices in a state of reduced or denied service.
Abstract: Challenge-response and probative methods together or independent of each other enable detection of devices participating in denial of service (DOS) and distributed DOS (DDOS) attacks upon a network resource, and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack by placing the attacking devices in a state of reduced or denied service.

Patent
27 Sep 2001
TL;DR: In this article, a system and method for monitoring and controlling the total number of SSL port resources that are allowed to be tied up by a malicious or inept client making multiple requests from a single IP address is presented.
Abstract: A system and method for monitoring and controlling the total number of SSL port resources that are allowed to be tied up by a malicious or inept client making multiple requests from a single IP address. Smart SSL handshake timeout detection is used to track and deny service to any SSL clients that do denial of service (DOS) attacks.

Journal ArticleDOI
01 Jul 2001
TL;DR: A backward pressure propagation, feedback control scheme to defend DDoS attacks is presented, using a generic network model to analyze the dynamics of network traffic, and the algorithms for rate-based and queue-length-based feedback control are developed.
Abstract: Proposes a coordinated defense scheme of distributed denial of service (DDoS) network attacks, based on the backward-propagation, on-off control strategy. When a DDoS attack is in effect, a high concentration of malicious packet streams are routed to the victim in a short time, making it a hot spot. A similar problem has been observed in multiprocessor systems, where a hot spot is formed when a large number of processors access simultaneously shared variables in the same memory module. Despite the similar terminologies used here, solutions for multiprocessor hot spot problems cannot be applied to that in the Internet, because the hot traffic in DDoS may only represent a small fraction of the Internet traffic, and the attack strategies on the Internet are far more sophisticated than that in the multiprocessor systems. The performance impact on the hot spot is related to the total hot packet rate that can be tolerated by the victim. We present a backward pressure propagation, feedback control scheme to defend DDoS attacks. We use a generic network model to analyze the dynamics of network traffic, and develop the algorithms for rate-based and queue-length-based feedback control. We show a simple design to implement our control scheme on a practical switch queue architecture.

01 Jan 2001
TL;DR: This short paper discusses defenses against Distributed Denial of Service (DDoS) attacks, which are designed as a coordinated attack from many sources simultaneously against one or more targets.
Abstract: This short paper discusses defenses against Distributed Denial of Service (DDoS) attacks. DoS attacks are of particular interest and concern to the Internet community because they seek to render target systems inoperable and/or target networks inaccessible. "Traditional" DoS attacks, however, typically generate a large amount of traffic from a given host or subnet and it is possible for a site to detect such an attack in progress and defend themselves. Distributed DoS attacks are a much more nefarious extension of DoS attacks because they are designed as a coordinated attack from many sources simultaneously against one or more targets.

Proceedings ArticleDOI
01 Apr 2001
TL;DR: This paper addresses the feasibility of meeting the resource management needs of an environment where service code is shipped to clients, proxies, or content distribution intermediaries and develops a resource-management strategy to meet these requirements.
Abstract: Disconnected operation, in which a client accesses a service without relying on network connectivity, is crucial for improving availability, supporting mobility, and providing responsive performance. Because many web services are not cachable, disconnected access to web services may require mobile service code to execute in client caches. Unfortunately, (a) this code is untrusted, (b) this code may have nearly limitless resource demands due to prefetching, and (c) a large number of competing code modules must coexist. Thus, resource management is a key problem both for preventing denial of service attacks and for providing good performance across many services. This paper addresses the feasibility of meeting the resource management needs of an environment where service code is shipped to clients, proxies, or content distribution intermediaries. It first examines the requirements of such a system and then develops a resource-management strategy to meet these requirements by (a) providing isolation across services to prevent denial of service attacks, (b) automatically providing appropriate allocations to different services to provide good global performance, and (c) requiring no hand tuning across a wide range of system configurations and workloads.

Proceedings ArticleDOI
12 Jun 2001
TL;DR: A distributed method of pricing which is highly flexible and responsive to changing conditions is presented, and the detection of TCP dropping attacks by compromised routers is enhanced.
Abstract: Capabilities are being added to IP networks to support quality of service (QoS) guarantees. These guarantees are needed for many applications, such as voice and video transmission, real-time control, etc. Little attention has been paid to making these capabilities secure; in their present form, they are vulnerable to attack. The ARQoS project is examining these vulnerabilities, and ways to prevent denial-of-service attacks on QoS capabilities. In this paper, we describe two important parts of the project. The first part is the application of a pricing paradigm to resource allocation. User acquisition of network resources must be authorized, and the relative amount of resources that can be requested is carefully controlled. We present a distributed method of pricing which is highly flexible and responsive to changing conditions. Experimental results illustrate its effectiveness. The second part is the detection of TCP dropping attacks by compromised routers. The detection occurs at the end system and does not require any cooperation from the network. We have enhanced a method of statistically analyzing traffic patterns to detect dropping attacks. The method has been implemented and tested over the Internet, and results are presented.