Showing papers on "Denial-of-service attack published in 2007"

Defense against spoofed IP traffic using hop-count filtering

Abstract: IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)--which builds an accurate IP-to-hop-count (IP2HC) mapping table--to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.

Collaborative Detection of DDoS Attacks over Multiple Network Domains

Abstract: This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the floe cling damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.

DEEJAM: Defeating Energy-Efficient Jamming in IEEE 802.15.4-based Wireless Networks

Abstract: Jamming is a very effective denial-of-service attack that renders most higher-layer security mechanisms moot - yet it is often ignored in WSN design. We show that an interrupt jamming attack is simple to perpetrate in software using a MICAz mote, is energy efficient and stealthy for the jammer, and completely disrupts communication. Solutions are needed to mitigate this insider threat even if more powerful attackers are not thwarted. We present DEEJAM, a novel MAC-layer protocol for defeating stealthy jammers with IEEE 802.15.4-based hardware, to address this problematic area. It layers four defensive mechanisms to hide communication from a jammer, evade its search, and reduce its impact. Given the difficulty of modeling the physical layer accurately in simulation, we evaluate DEEJAM instead on the MICAz mote. We show the performance of the protocol against successively more complex attacks: interrupt jamming, activity jamming, scan jamming, and pulse jamming. Results show that DEEJAM defeats the otherwise devastating interrupt jammer, and achieves a packet delivery ratio of 88% in the presence of a pulse jammer. To the best of our knowledge, this work is the first to confront multiple types of jamming on common WSN hardware with solutions that are shown empirically to enable continued communication despite an ongoing attack.

Accurate Real-time Identification of IP Prefix Hijacking

Abstract: We present novel and practical techniques to accurately detect IP prefix hijacking attacks in real time to facilitate mitigation. Attacks may hijack victim's address space to disrupt network services or perpetrate malicious activities such as spamming and DoS attacks without disclosing identity. We propose novel ways to significantly improve the detection accuracy by combining analysis of passively collected BGP routing updates with data plane fingerprints of suspicious prefixes. The key insight is to use data plane information in the form of edge network fingerprinting to disambiguate suspect IP hijacking incidences based on routing anomaly detection. Conflicts in data plane fingerprints provide much more definitive evidence of successful IP prefix hijacking. Utilizing multiple real-time BGP feeds, we demonstrate the ability of our system to distinguish between legitimate routing changes and actual attacks. Strong correlation with addresses that originate spam emails from a spam honeypot confirms the accuracy of our techniques.

Detection of distributed denial of service attacks in autonomous system domains

Abstract: A denial-of-service network attack detection system is deployable in single-homed and multi-homed stub networks. The detection system maintains state information of flows entering and leaving the stub domain to determine if exiting traffic exceeds traffic entering the system. Monitors perform simple processing tasks on sampled packets at individual routers in the network at line speed and perform more intensive processing at the routers periodically. The monitors at the routers form an overlay network and communicate pertinent traffic state information between nodes. The state information is collected and analyzed to determine the presence of an attack.

Denial of service or denial of security

Abstract: We consider the effect attackers who disrupt anonymous communications have on the security of traditional high- and low-latency anonymous communication systems, as well as on the Hydra-Onion and Cashmere systems that aim to offer reliable mixing, and Salsa, a peer-to-peer anonymous communication network. We show that denial of service (DoS) lowers anonymity as messages need to get retransmitted to be delivered, presenting more opportunities for attack. We uncover a fundamental limit on the security of mix networks, showing that they cannot tolerate a majority of nodes being malicious. Cashmere, Hydra-Onion, and Salsa security is also badly affected by DoS attackers. Our results are backed by probabilistic modeling and extensive simulations and are of direct applicability to deployed anonymity systems.

On the Detection of Signaling DoS Attacks on 3G Wireless Networks

Abstract: Third generation (3G) wireless networks based on the CDMA2000 and UMTS standards are now increasingly being deployed throughout the world. Because of their complex signaling and relatively limited bandwidth, these 3G networks are generally more vulnerable than their wireline counterparts, thus making them fertile ground for new attacks. In this paper, we identify and study a novel denial of service (DoS) attack, called signaling attack, that exploits the unique vulnerabilities of the signaling/control plane in 3G wireless networks. Using simulations driven by real traces, we are able to demonstrate the impact of a signaling attack. Specifically, we show how a well-timed low-volume signaling attack can potentially overload the control plane and detrimentally affect the key elements in a 3G wireless infrastructure. The low-volume nature of the signaling attack allows it to avoid detection by existing intrusion detection algorithms, which are often signature or volume-based. As a counter-measure, we present and evaluate an online early detection algorithm based on the statistical CUSUM method. Through the use of extensive trace-driven simulations, we demonstrate that the algorithm is robust and can identify an attack in its inception, before significant damage is done.

SPREAD: Foiling Smart Jammers Using Multi-Layer Agility

Abstract: In this paper, we address the problem of cross-layer denial of service attack in wireless data networks. We introduce SPREAD -a novel adaptive diversification approach to provide resiliency against such attacks. SPREAD relies on a mechanism-hopping technique, which can be seen as a multi-layer extension of the frequency-hopping technique. We apply a game-theoretic framework for modeling the interaction of the communicating nodes and the adversaries and analyze the proposed approach. We reason about the advantages of SPREAD against various types of jammers and demonstrate the effectiveness of our approach in the case of IEEE 802.11 protocol stack by studying the EIFS attack, periodical jamming and a Packet-Size Game. As an example, we show that mechanism-hopping over two instances of IEEE 802.11 can achieve several orders of magnitude gain in throughput over a single-instance network under the EIFS attack.

On attack causality in internet-connected cellular networks

Abstract: The emergence of connections between telecommunications networks and the Internet creates significant avenues for exploitation. For example, through the use of small volumes of targeted traffic, researchers have demonstrated a number of attacks capable of denying service to users in major metropolitan areas. While such investigations have explored the impact of specific vulnerabilities, they neglect to address a larger issue - how the architecture of cellular networks makes these systems susceptible to denial of service attacks. As we show in this paper, these problems have little to do with a mismatch of available bandwidth. Instead, they are the result of the pairing of two networks built on fundamentally opposing design philosophies. We support this a claim by presenting two new attacks on cellular data services. These attacks are capable of preventing the use of high-bandwidth cellular data services throughout an area the size of Manhattan with less than 200Kbps of malicious traffic. We then examine the characteristics common to these and previous attacks as a means of explaining why such vulnerabilites are artifacts of design rigidity. Specifically, we show that the shoehorning of data communications protocols onto a network rigorously optimized for the delivery of voice causes that network to fail under modest loads.

Adaptive Behavioral HTTP Flood Protection

Abstract: A system and method to detect and mitigate denial of service and distributed denial of service HTTP “page” flood attacks. Detection of attack/anomaly is made according to multiple traffic parameters including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to HTTP traffic parameters that are analyzed once a traffic anomaly is detected. This protection includes a differential adaptive mechanism that tunes the sensitivity of the anomaly detection engine. The decision engine is based on a combination between fuzzy logic inference systems and statistical thresholds. A “trap buffer” characterizes the attack to allow an accurate mitigation according to the source IP(s) and the HTTP request URL's that are used as part of the attack. Mitigation is controlled through a feedback mechanism that tunes the level of rate limit factors that are needed in order to mitigate the attack effectively while letting legitimate traffic to pass.

Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior

Abstract: Recently, there are many denial-of-service (DoS) attacks by computer viruses or botnet. DoS attacks to Web services are called HTTP-GET flood attack and threats of them increase day by day. In this type of attacks, malicious clients send a large number of HTTP-GET requests to the target Web server automatically. Since these HTTP-GET requests have legitimate formats and are sent via normal TCP connections, an intrusion detection system (IDS) can not detect them. In this paper, we propose HTTP-GET flood detection techniques based on analysis of page access behavior. We propose two detection algorithms, one is focusing on a browsing order of pages and the other is focusing on a correlation with browsing time to page information size. We implement detection techniques and evaluate attack detection rates, i.e., false positive and false negative. The results show that our techniques can detect the HTTP-GET flood attack effectively.

A Novel Gray Hole Attack Detection Scheme for Mobile Ad-Hoc Networks

Abstract: Mobile ad hoc networks are vulnerable to various types of denial of service (DoS) attacks for the absence of fixed network infrastructure. The gray hole attack is a type of DoS attacks. In this attack, an adversary silently drops some or all of the data packets sent to it for further forwarding even when no congestion occurs. Firstly, DSR protocol, aggregate signature algorithm and network model were introduced. Secondly, we proposed to use aggregate signature algorithm to trace packet dropping nodes. The proposal was consisted of three related algorithms: the creating proof algorithm, the checkup algorithm and the diagnosis algorithm. The first was for creating proof and the second was for checking up source route nodes, and the last was for locating the malicious nodes. Finally, the efficiency of the proposal was analyzed. The simulation results using ns-2 show that in a moderately changing network, most of the malicious nodes could be detected, the routing packet overhead was low, and the packet delivery rate has been improved.

Detecting DNS amplification attacks

Abstract: DNS amplification attacks massively exploit open recursive DNS servers mainly for performing bandwidth consumption DDoS attacks. The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages. In this paper, we present and evaluate a novel and practical method that is able to distinguish between authentic and bogus DNS replies. The proposed scheme can effectively protect local DNS servers acting both proactively and reactively. Our analysis and the corresponding real-usage experimental results demonstrate that the proposed scheme offers a flexible, robust and effective solution.

A Distributed Approach using Entropy to Detect DDoS Attacks in ISP Domain

Abstract: DDoS attacks are best detected near the victim's site as maximum attack traffic converges at this point. In most of the current solutions, monitoring and analysis of traffic for DDoS detection have been carried at a single link which connects victim to ISP. However the mammoth volume generated by DDoS attacks pose the biggest challenge in terms of memory and computational overheads. These overheads make DDoS solution itself vulnerable against DDoS attacks. We propose to distribute these overheads amongst all POPs of the ISP using an ISP level traffic feature distribution based approach. An ISP level topology and well known attack tools are used for simulations in ns-2. The comparison with volume based approach clearly indicates the supremacy of the proposed methodology

Streaming Algorithms for Robust, Real-Time Detection of DDoS Attacks

Abstract: Effective mechanisms for detecting and thwarting distributed denial-of-service (DDoS) attacks are becoming increasingly important to the success of today's Internet as a viable commercial and business tool. In this paper, we propose novel data-streaming algorithms for the robust, real-time detection of DDoS activity in large ISP networks. The key element of our solution is a new, hash-based synopsis data structure for network-data streams that allows us to efficiently track, in guaranteed small space and time, destination IP addresses in the underlying network that are "large" with respect to the number of distinct source IP addresses that have established potentially-malicious (e.g., "half-open") connections to them. Our work is the first to address the problem of efficiently tracking the top distinct-source frequencies over a general stream of updates (insertions and deletions) to the set of underlying network flows, thus enabling us to effectively distinguish between DDoS activity and flash crowds. Preliminary experimental results verify the effectiveness of our approach.

On scalable attack detection in the network

Abstract: Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, even today, many IDS systems we know of keep per-connection or per-flow state to detect malicious TCP flows. Thus, it is hardly surprising that these IDS systems have not scaled to multi-gigabit speeds. By contrast, both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus, in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS and scanning attacks and show that several categories (bandwidth based, claim-and-hold, port-scanning) can be scalably detected. In addition to existing approaches for scalable attack detection, we propose a novel data structure called partial completion filters (PCFs) that can detect claim-and-hold attacks scalably in the network. We analyze PCFs both analytically and using experiments on real network traces to demonstrate how we can tune PCFs to achieve extremely low false positive and false negative probabilities

Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet

Abstract: The Smurf-based distributed denial of service (DDoS) attack is an amplification attack where the attacker uses unprotected intermediate networks to amplify the attack traffic load and direct it to the victim computer. In this paper, we investigate the factors that contribute to the amplification of the smurf attack traffic and understand the relation among the original attack traffic, intermediate unprotected network and the final amplified attack traffic. We also define a new term called attack amplification factor which represents the degree of amplification that original attack traffic undergoes during its transmission towards the victim computer. It is also shown in this paper that utilizing this attack, it is possible for an attacker to just use a dialup modem and an unprotected intermediary network to exhaust even an ultra high speed optical line such as OC-192 of the victim network.

Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity

Abstract: We consider the eect attackers who disrupt anonymous communications have on the security of traditional high- and low-latency anonymous communication systems, as well as on the Hydra-Onion and Cashmere systems that aim to oer reliable mixing, and Salsa, a peer-to-peer anonymous communication network. We show that denial of service (DoS) lowers anonymity as messages need to get retransmitted to be delivered, presenting more opportunities for attack. We uncover a fundamental limit on the security of mix networks, showing that they cannot tolerate a majority of nodes being malicious. Cashmere, Hydra-Onion, and Salsa security is also badly aected by DoS attackers. Our results are backed by probabilistic modeling and extensive simulations and are of direct applicability to deployed anonymity systems.

dfence: transparent network-based denial of service mitigation

Abstract: Denial of service (DoS) attacks are a growing threat to the availability of Internet services. We present dFence, a novel network-based defense system for mitigating DoS attacks. The main thesis of dFence is complete transparency to the existing Internet infrastructure with no software modifications at either routers, or the end hosts. dFence dynamically introduces special-purpose middlebox devices into the data paths of the hosts under attack. By intercepting both directions of IP traffic (to and from attacked hosts) and applying stateful defense policies, dFence middleboxes effectively mitigate a broad range of spoofed and unspoofed attacks. We describe the architecture of the dFence middlebox, mechanisms for ondemand introduction and removal, and DoS mitigation policies, including defenses against DoS attacks on the middlebox itself. We evaluate our prototype implementation based on Intel IXP network processors.

Keeping Denial-of-Service Attackers in the Dark

Abstract: We consider the problem of overcoming (distributed) denial-of-service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, for example, by observing service performance degradation or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet-filtering mechanisms in a way that allows fast processing of packets but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available efficient packet-filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixed ports and instead performs "pseudorandom port hopping." We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.

A Detection and Offense Mechanism to Defend Against Application Layer DDoS Attacks

Abstract: Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We proposed a mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology. An anomaly dete-ction method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses client's session rate as currency. Detection model drops suspicious sessions, while currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain higher service rate and lower delay of response time.

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks

Abstract: Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that adopts a divide-and-conquer strategy. AD combines the concepts of pushback and packet marking, and its architecture is in line with the ideal DDoS attack countermeasure paradigm - attack detection is performed near the victim host and packet filtering is executed close to the attack sources. AD is a reactive defense mechanism that is activated by a victim host after an attack is detected. By instructing its upstream routers to mark packets deterministically, the victim can trace back one attack source and command an AD-enabled router close to the source to filter the attack packets. This process isolates one attacker and throttles it, which is repeated until the attack is mitigated. We also propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attackers simultaneously. AD and PAD are analyzed and evaluated using the Skitter Internet map, Lumeta's Internet map, and the 6-degree complete tree topology model. Both schemes are shown to be robust against IP spoofing and to incur low false positive ratios

A survey of bots used for distributed denial of service attacks

Abstract: In recent years, we have seen the arrival of Distributed Denial-of-Service (DDoS) open-source bot-based attack tools facilitating easy code enhancement, and so resulting in attack tools becoming more powerful. Developing new techniques for detecting and responding to the latest DDoS attacks often entails using attack traces to determine attack signatures and to test the techniques. However, obtaining actual attack traces is difficult, because the high-profile organizations that are typically attacked will not release monitored data as it may contain sensitive information. In this paper, we present a detailed study of the source code of the popular DDoS attack bots, Agobot, SDBot, RBot and Spybot to provide an in-depth understanding of the attacks in order to facilitate the design of more effective and efficient detection and mitigation techniques.

Machine Learning for Automatic Defence Against Distributed Denial of Service Attacks

Abstract: Distributed denial of service attacks pose a serious threat to many businesses which rely on constant availability of their network services. Companies like Google, Yahoo and Amazon are completely reliant on the Internet for their business. It is very hard to defend against these attacks because of the many different ways in which hackers may strike. Distinguishing between legitimate and malicious traffic is a complex task. Setting up filtering by hand is often impossible due to the large number of hosts involved in the attack. The goal of this paper is to explore the effectiveness of machine learning techniques in developing automatic defences against DDoS attacks. As a first step, a data collection and traffic filtering framework is developed. This foundation is then used to explore the potential of artificial neural networks in the defence against DDoS attacks.

Detecting Denial of Service Attacks with Bayesian Classifiers and the Random Neural Network

Abstract: Denial of service (DoS) is a prevalent threat in today's networks. While such an attack is not difficult to launch, defending a network resource against it is disproportionately difficult, and despite the extensive research in recent years, DoS attacks continue to harm. The first goal of any protection scheme against DoS is the detection of its existence, ideally long before the destructive traffic build-up. In this paper we propose a generic approach which uses multiple Bayesian classifiers, and we present and compare four different implementations of it, combining likelihood estimation and the random neural network (RNN). The RNNs are biologically inspired structures which represent the true functioning of a biophysical neural network, where the signals travel as spikes rather than analog signals. We use such an RNN structure to fuse real-time networking statistical data and distinguish between normal and attack traffic during a DoS attack. We present experimental results obtained for different traffic data in a large networking testbed.