
Showing papers on "Denial-of-service attack" published in 2002


01 Jan 2002
TL;DR: This paper captures in one place the various applications, improvements suggested and related subsequent publications, and describes initial experience from experiments using hashcash.
Abstract: Hashcash was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various applications, improvements suggested and related subsequent publications, and describes initial experience from experiments using hashcash. The hashcash CPU cost-function computes a token which can be used as a proof-of-work. Interactive and non-interactive variants of cost-functions can be constructed which can be used in situations where the server can issue a challenge (connection oriented interactive protocol), and where it cannot (where the communication is store-and-forward, or packet oriented) respectively.

810 citations


Journal ArticleDOI
01 Jul 2002
TL;DR: The design involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask upstream routers to control an aggregate.
Abstract: The current Internet infrastructure has very few built-in protection mechanisms, and is therefore vulnerable to attacks and failures. In particular, recent events have illustrated the Internet's vulnerability to both denial of service (DoS) attacks and flash crowds in which one or more links in the network (or servers at the edge of the network) become severely congested. In both DoS attacks and flash crowds the congestion is due neither to a single flow, nor to a general increase in traffic, but to a well-defined subset of the traffic --- an aggregate. This paper proposes mechanisms for detecting and controlling such high bandwidth aggregates. Our design involves both a local mechanism for detecting and controlling an aggregate at a single router, and a cooperative pushback mechanism in which a router can ask upstream routers to control an aggregate. While certainly not a panacea, these mechanisms could provide some needed relief from flash crowds and flooding-style DoS attacks. The presentation in this paper is a first step towards a more rigorous evaluation of these mechanisms.

808 citations


Proceedings ArticleDOI
07 May 2002
TL;DR: An enhancement to CDNs is proposed that offers better protection to Web sites against flash events and trace-driven simulations are used to study the effect of the enhancement on CDNs and Web sites.
Abstract: The paper studies two types of events that often overload Web sites to a point when their services are degraded or disrupted entirely - flash events (FEs) and denial of service attacks (DoS). The former are created by legitimate requests and the latter contain malicious requests whose goal is to subvert the normal operation of the site. We study the properties of both types of events with a special attention to characteristics that distinguish the two. Identifying these characteristics allows a formulation of a strategy for Web sites to quickly discard malicious requests. We also show that some content distribution networks (CDNs) may not provide the desired level of protection to Web sites against flash events. We therefore propose an enhancement to CDNs that offers better protection and use trace-driven simulations to study the effect of our enhancement on CDNs and Web sites.

747 citations


Proceedings ArticleDOI
01 Jan 2002
TL;DR: This paper presents an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.
Abstract: Pushback is a mechanism for defending against distributed denial-of-service (DDoS) attacks. DDoS attacks are treated as a congestion-control problem, but because most such congestion is caused by malicious hosts not obeying traditional end-to-end congestion control, the problem must be handled by the routers. Functionality is added to each router to detect and preferentially drop packets that probably belong to an attack. Upstream routers are also notified to drop such packets (hence the term Pushback) in order that the router's resources be used to route legitimate traffic. In this paper we present an architecture for Pushback, its implementation under FreeBSD, and suggestions for how such a system can be implemented in core routers.

602 citations


Journal ArticleDOI
TL;DR: Various DDoS attack methods are described, and a longer-term solution that attempts to intercept attack packets in the Internet core, well before reaching the victim is discussed, dubbed the Internet-firewall approach.
Abstract: Flooding-based distributed denial-of-service (DDoS) attacks present a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim, or its Internet connection, or both. In the last two years, it was discovered that DDoS attack methods and tools are becoming more sophisticated, effective, and also more difficult to trace to the real attackers. On the defense side, current technologies are still unable to withstand large-scale attacks. The main purpose of this article is therefore twofold. The first one is to describe various DDoS attack methods, and to present a systematic review and evaluation of the existing defense mechanisms. The second is to discuss a longer-term solution, dubbed the Internet-firewall approach, that attempts to intercept attack packets in the Internet core, well before reaching the victim.

503 citations


Proceedings ArticleDOI
12 Nov 2002
TL;DR: D-WARD is proposed, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks that offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level.
Abstract: Distributed denial-of-service (DDoS) attacks present an Internet-wide threat. We propose D-WARD, a DDoS defense system deployed at source-end networks that autonomously detects and stops attacks originating from these networks. Attacks are detected by the constant monitoring of two-way traffic flows between the network and the rest of the Internet and periodic comparison with normal flow models. Mismatching flows are rate-limited in proportion to their aggressiveness. D-WARD offers good service to legitimate traffic even during an attack, while effectively reducing DDoS traffic to a negligible level. A prototype of the system has been built in a Linux router. We show its effectiveness in various attack scenarios, discuss motivations for deployment, and describe associated costs.

486 citations


Proceedings ArticleDOI
19 Aug 2002
TL;DR: This work proposes an architecture called Secure Overlay Services (SOS) that proactively prevents DoS attacks, geared toward supporting Emergency Services or similar types of communication, and demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.
Abstract: Denial of service (DoS) attacks continue to threaten the reliability of networking systems. Previous approaches for protecting networks from DoS attacks are reactive in that they wait for an attack to be launched before taking appropriate measures to protect the network. This leaves the door open for other attacks that use more sophisticated methods to mask their traffic. We propose an architecture called Secure Overlay Services (SOS) that proactively prevents DoS attacks, geared toward supporting Emergency Services or similar types of communication. The architecture is constructed using a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by (i) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic, and (ii) introducing randomness and anonymity into the architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.

485 citations


Patent
28 Feb 2002
TL;DR: In this paper, the authors propose to protect a host network from a flood-type denial of service attack by passively collecting a data packet from data received by the host network, comparing information in the data packet to a signature of an attack type of the attack, and detecting the attack in response to a determination that the signature and the information comprise matching data.
Abstract: Protecting a host network from a flood-type denial of service attack by passively collecting a data packet (305) from data received by the host network, comparing information in the data packet to a signature of an attack type of the attack, and detecting the attack (310) in response to a determination that the signature and the information comprise matching data. A defensive countermeasure can be initiated (330) to protect the host network from the attack and to provide a pathway for an offensive countermeasure (340) against a source of the attack.

412 citations


Patent
27 Jun 2002
TL;DR: In this article, an apparatus and method for secure, automated response to distributed denial of service (DDoS) attacks are described, which includes notification of a DDoS attack received by an Internet host, establishing security authentication from an upstream router from which the attack traffic, transmitted by one or more host computers, is received.
Abstract: An apparatus and method for secure, automated response to distributed denial of service (DDoS) attacks are described. The method includes notification of a DDoS attack received by an Internet host. Once received by an Internet host, the Internet host establishes security authentication from an upstream router from which the attack traffic, transmitted by one or more host computers, is received. The Internet host then transmits filter(s) to the upstream router generated based upon characteristics of the attack traffic. Once installed by the upstream router, the attack traffic is dropped to terminate a DDoS attack. In addition, the router may determine upstream router(s) coupled to ports from which attack traffic is received, and securely forward the filter(s) to the upstream routers as a routing protocol update in order to drop the attack traffic at a point closer to a source of the DDoS attack.

358 citations


Proceedings ArticleDOI
07 Oct 2002
TL;DR: This work analyzes attacks that deny channel access by causing pockets of congestion in mobile ad hoc networks and focuses on the properties of the popular medium access control protocol, the IEEE 802.11x MAC protocol, which enable such attacks.
Abstract: We analyze attacks that deny channel access by causing pockets of congestion in mobile ad hoc networks. Such attacks would essentially prevent one or more nodes from accessing or providing specific services. In particular, we focus on the properties of the popular medium access control (MAC) protocol, the IEEE 802.11x MAC protocol, which enable such attacks. We consider various traffic patterns that an intelligent attacker might generate in order to cause denial of service. We show that conventional methods used in wire-line networks are unable to help in prevention or detection of such attacks. Our analysis and simulations show that providing MAC layer fairness alleviates the effects of such attacks.

248 citations


11 Feb 2002
TL;DR: This paper discusses several approaches for dealing with the exhaustion problem, including SYN caches and SYN cookies, and the implementation of the specific solution used in FreeBSD is analyzed.
Abstract: Machines that provide TCP services are often susceptible to various types of Denial of Service attacks from external hosts on the network. One particular type of attack is known as a SYN flood, where external hosts attempt to overwhelm the server machine by sending a constant stream of TCP connection requests, forcing the server to allocate resources for each new connection until all resources are exhausted. This paper discusses several approaches for dealing with the exhaustion problem, including SYN caches and SYN cookies. The advantages and drawbacks of each approach are presented, and the implementation of the specific solution used in FreeBSD is analyzed.

Proceedings ArticleDOI
17 Nov 2002
TL;DR: Using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic.
Abstract: We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which information of periodicity, or lack thereof, in the signal reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.

Proceedings Article
01 Jan 2002
TL;DR: Characteristics of Statistic Uniqueness and Cryptographic Verifiability of certain entities, called SUCV Identifiers and Addresses, are used to solve the address ownership problem that hinders mechanisms like Binding Updates in Mobile IPv6.
Abstract: This paper addresses the identifier ownership problem. It does so by using characteristics of Statistic Uniqueness and Cryptographic Verifiability (SUCV) of certain entities which this document calls SUCV Identifiers and Addresses. Their characteristics allow them to severely limit certain classes of denial of service attacks and hijacking attacks. SUCV addresses are particularly applicable to solve the address ownership problem that hinders mechanisms like Binding Updates in Mobile IPv6. keywords: Security, Mobile IPv6, Address ownership.

Proceedings ArticleDOI
18 Nov 2002
TL;DR: A new approach to IP traceback based on the probabilistic packet marking paradigm, which uses large checksum cords to "link" message fragments in a way that is highly scalable, for the checksums serve both as associative addresses and data integrity verifiers.
Abstract: We present a new approach to IP traceback based on the probabilistic packet marking paradigm. Our approach, which we call randomize-and-link, uses large checksum cords to "link" message fragments in a way that is highly scalable, for the checksums serve both as associative addresses and data integrity verifiers. The main advantage of these checksum cords is that they spread the addresses of possible router messages across a spectrum that is too large for the attacker to easily create messages that collide with legitimate messages. Our methods therefore scale to attack trees containing hundreds of routers and do not require that a victim know the topology of the attack tree a priori. In addition, by utilizing authenticated dictionaries in a novel way, our methods do not require that routers sign any setup messages individually.

01 Jan 2002
TL;DR: This work explores network based intrusion detection using classifying, self-organizing maps for data clustering and MLP neural networks for detection and shows that many of these attacks can be found by a careful analysis of network data.
Abstract: With the growth of computer networking, electronic commerce, and web services, security of networking systems has become very important. Many companies now rely on web services as a major source of revenue. Computer hacking poses significant problems to these companies, as distributed attacks can render their cyber-storefront inoperable for long periods of time. This happens so often, that an entire area of research, called Intrusion Detection, is devoted to detecting this activity. We show that evidence of many of these attacks can be found by a careful analysis of network data. We also illustrate that neural networks can efficiently detect this activity. We test our systems against denial of service attacks, distributed denial of service attacks, and portscans. In this work, we explore network based intrusion detection using classifying, self-organizing maps for data clustering and MLP neural networks for detection.

Patent
13 Sep 2002
TL;DR: In this article, the authors propose to protect a host network from a flood-type denial-of-service (DoS) attack by performing statistical analysis of data packets in the network and detecting the attack when the statistical items exceed the threshold value.
Abstract: Protecting a host network from a flood-type denial of service attack by performing statistical analysis of data packets in the network. The statistical analysis comprises comparing evaluated items in the data packets to threshold values and detecting the attack when the statistical items exceed the threshold value. A countermeasure can be initiated to protect the host network from the attack.

Proceedings ArticleDOI
02 Jul 2002
TL;DR: Cooperative service model is proposed, in which a pool of similar servers, possibly geographically distributed across the Internet, cooperate in sustaining a service by migration of client connections within the pool.
Abstract: Today's Internet services are commonly built over TCP, the standard Internet connection-oriented reliable transport protocol. The endpoint naming scheme of TCP, based on network layer (IP) addresses, creates an implicit binding between a service and the IP address of a server providing it, throughout the lifetime of a client connection. This makes a TCP client prone to all adverse conditions that may affect the server endpoint or the internetwork in between, after the connection is established: congestion or failure in the network, server overloaded, failed or under DoS attack. Studies that quantify the effects of network stability and route availability demonstrate that connectivity failures can significantly impact Internet services. As a result, although highly available servers can be deployed, sustaining continuous service remains a problem. We propose a cooperative service model, in which a pool of similar servers, possibly geographically distributed across the Internet, cooperate in sustaining a service by migration of client connections within the pool. The control traffic between servers, needed to support migrated connections, can be carried either over the Internet or over a private network. From the client's viewpoint, at any point during the lifetime of its service session, the remote endpoint of its connection may transparently migrate between servers.

Proceedings ArticleDOI
10 Jun 2002
TL;DR: The goal is to simulate convincingly success of the compromise of a system to a potential DDoS attacker so that lessons learned by the honeypot can be implemented in other systems to strengthen them against such attacks.
Abstract: Distributed denial-of-service attacks are still a big threat to the Internet. Several proposals for coping with the attacks have been made, but none are successful by themselves. In this paper, we present a system that helps to defend a network from DDoS attacks. In addition to state of the art active and passive security defences, we propose a honeypot for such attacks. The goal is to simulate convincingly success of the compromise of a system to a potential DDoS attacker. Thereby, we can implement lessons learned by the honeypot in other systems to strengthen them against such attacks. On the other hand, we protect the rest of our network infrastructure from the impact of such an attack.

Proceedings ArticleDOI
18 Nov 2002
TL;DR: JFK is described, a new key exchange protocol primarily designed for use in the IP Security Architecture, which is simple, efficient, and secure; a proof of the latter property is sketched.
Abstract: We describe JFK, a new key exchange protocol, primarily designed for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a variety of trade-offs, most notably the ability to balance the need for perfect forward secrecy against susceptibility to denial-of-service attacks.

Proceedings ArticleDOI
12 Nov 2002
TL;DR: A novel technique is presented that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic and preferentially filtering out packets that are inscribed with the marks of "infected" edges.
Abstract: Distributed denial of service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after-the-fact, little is done to mitigate the effect of an attack while it is raging on. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages on and generalizes the IP traceback schemes to obtain the information concerning whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that while an attacker will have all the edges on its path marked as "infected", edges on the path of a legitimate client will mostly be "clean". By preferentially filtering out packets that are inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies (e.g., Skitter) all demonstrate that the proposed technique can improve the throughput of legitimate traffic by 3 to 7 times during DDoS attacks.

Patent
15 Jul 2002
TL;DR: Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions as discussed by the authors. But these attacks are limited to the case of TCP/Internet Protocol (IP).
Abstract: Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions. For example, to establish a Transmission Control Protocol (TCP)/Internet Protocol (IP) communication session, a three-way handshake is performed between communication endpoints. When a connection request is received, resources are allocated towards establishing the communication session. Malicious entities can attack the handshake by repeatedly only partially completing the handshake, causing the receiving endpoint to run out of resources for allocating towards establishing sessions, thus preventing legitimate connections. Illustrated embodiments overcome such attacks by delaying allocating resources until after the three-way handshake is successfully completed.

Book ChapterDOI
19 May 2002
TL;DR: This paper presents a packet marking algorithm which allows the victim to traceback the approximate origin of spoofed IP packets, and develops three techniques to adjust the packet marking probability, which significantly reduces the number of packets needed by the Victim to reconstruct the attack path.
Abstract: Distributed denial-of-service attack is one of the greatest threats to the Internet today. One of the biggest difficulties in defending against this attack is that attackers always use incorrect, or "spoofed" IP source addresses to disguise their true origin. In this paper, we present a packet marking algorithm which allows the victim to traceback the approximate origin of spoofed IP packets. The difference between this proposal and previous proposals lies in two points. First, we develop three techniques to adjust the packet marking probability, which significantly reduces the number of packets needed by the victim to reconstruct the attack path. Second, we give a detailed analysis of the vulnerabilities of probabilistic packet marking, and describe a version of our adjusted probabilistic packet marking scheme whose performance is not affected by spoofed marking fields.

Proceedings ArticleDOI
03 Apr 2002
TL;DR: The application of Bayesian methods to data being gathered from distributed IDS is applied to improve the capabilities for early detection of distributed attacks against infrastructure and the detection of the preliminary phases of distributed denial of service attacks.
Abstract: In computer and network security, standard approaches to intrusion detection and response attempt to detect and prevent individual attacks. However, it is not the attack but rather the attacker against which our networks must be defended. To do this, the information that is being provided by intrusion detection systems (IDS) must be gathered and then divided into its component parts such that the activity of individual attackers is made clear. Our approach to this involves the application of Bayesian methods to data being gathered from distributed IDS. With this we hope to improve the capabilities for early detection of distributed attacks against infrastructure and the detection of the preliminary phases of distributed denial of service attacks.

Journal ArticleDOI
TL;DR: This article surveys the up-to-date secure routing schemes.
Abstract: The unprecedented growth of the Internet over the last years, and the expectation of an even faster increase in the numbers of users and networked systems, resulted in the Internet assuming its position as a mass communication medium. At the same time, the emergence of an increasingly large number of application areas and the evolution of the networking technology suggest that in the near future the Internet may become the single integrated communication infrastructure. However, as the dependence on the networking infrastructure grows, its security becomes a major concern, in light of the increased attempt to compromise the infrastructure. In particular, the routing operation is a highly visible target that must be shielded against a wide range of attacks. The injection of false routing information can easily degrade network performance, or even cause denial of service for a large number of hosts and networks over a long period of time. Different approaches have been proposed to secure the routing protocols, with a variety of countermeasures, which, nonetheless, have not eradicated the vulnerability of the routing infrastructure. In this article, we survey the up-to-date secure routing schemes that appeared over the last few years. Our critical point of view and thorough review of the literature are an attempt to identify directions for future research on an indeed difficult and still largely open problem.

Patent
29 Aug 2002
TL;DR: In this article, a method for authenticating packet communication traffic is proposed, where a data packet is sent over a network from a source address to a destination address and read from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address.
Abstract: A method for authenticating packet communication traffic includes receiving a data packet sent over a network (26) from a source address (24) to a destination address (22) and reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address. The authenticity of the source address is assessed responsive to the value.

Patent
03 Sep 2002
TL;DR: In this paper, a distributed adaptive IP filtering technique is proposed for detecting and blocking IP packets involved in DDOS attacks through the use of Bloom Filters and leaky-bucket concepts to identify attack flows.
Abstract: The present invention provides systems and methods for providing distributed, adaptive IP filtering techniques used in detecting and blocking IP packets involved in DDOS attacks through the use of Bloom Filters and leaky-bucket concepts to identify “attack” flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The present invention examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received and then determines when a group of stored classifications is too excessive to be considered normal for a given period of time. After the device determines the criteria that excessive IP packets have in common, the device then determines rules to identify the packets that meet such criteria and filters or blocks so identified packets.

Proceedings ArticleDOI
07 Aug 2002
TL;DR: It is shown that traditional rate-based regulation combined with proposed window-based regulation of resources at the aggregate level at the network layer is a feasible vehicle for mitigating the impact of DOS attacks on end servers.
Abstract: As more and more critical services are provided over the Internet, the risk to these services from malicious users is also increasing. Several networks have witnessed denial of service attacks in the past. This paper reports on our experience in building a Linux-based prototype to mitigate the effect of such attacks. Our prototype provides an efficient way to keep track of server and network resources at the network layer and allows aggregate resource regulation. Our scheme provides a general, and not attack specific, mechanism to provide graceful server degradation in the face of such an attack. We report on the rationale of our approach, the experience in building the prototype, and the results from real experiments. We show that traditional rate-based regulation combined with proposed window-based regulation of resources at the aggregate level at the network layer is a feasible vehicle for mitigating the impact of DOS attacks on end servers.

Patent
31 Dec 2002
TL;DR: In this paper, a plurality of attack detection modules and broker modules are proposed to detect and trace a denial-of-service attack on a network segment by sending an attack signature to one or more broker modules on the network segment.
Abstract: Systems and methods for detecting and tracing a denial-of-service attack are disclosed. One aspect of the systems and methods includes providing a plurality of attack detection modules and a plurality of broker modules operable to communicably couple to a network. The attack detection modules operate to detect a potential denial-of-service attack on a network segment. An attack signature for the potential denial of service attack may be forwarded to one or more broker modules on the network segment. The broker modules collectively analyze the data in order to determine a source or sources for the attack.

Patent
10 Sep 2002
TL;DR: In this paper, a filter is established at a network location to prevent data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location.
Abstract: Detecting and protecting against denial of service flooding attacks that are initiated against an end system on a computer network. In accordance with one aspect of the invention, a filter is established at a network location. The filter prevents data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location. Data packets received at the first network location are then monitored to determine whether the flow of any data packets from a network source exhibits a legitimate behavior, such as where the flow of data packets exhibits a backoff behavior. The filter is then modified to permit data packets that exhibit legitimate behavior to pass through the filter.

01 Jan 2002
TL;DR: A security mechanism based on a collaborative monitoring technique that prevents active and passive denial of service attacks by enforcing node cooperation is suggested that can be smoothly extended to basic network functions with little impact on existing protocols.
Abstract: Countermeasures against denial of service attacks and node misbehaviour are mandatory requirements in MANET. Essential network operations assuring basic connectivity can be heavily jeopardized by nodes that do not properly execute their share of the network operations. We suggest a security mechanism based on a collaborative monitoring technique that prevents active and passive denial of service attacks by enforcing node cooperation. This mechanism can be smoothly extended to basic network functions with little impact on existing protocols. We also investigate some attack scenarios in order to analyze the robustness of the proposed security scheme.