Distributed defense against distributed denial-of-service attacks

Distributed defense is a promising way to neutralize the distributed Denial-of-Service attacks by detecting and responding the attacking sources widespread around the Internet. Components of the distributed defense system will cooperate with each other to combat the attacks. Compared with the centralized defense systems, distributed defense systems can discover the attacks more timely from both source end and victim end, fight the attacks with more resources and take advantage of more flexible strategies. This paper investigates 7 distributed defense systems which make use of various strategies to mitigate the DDoS attacks. Different architectures are designed in these 7 systems to provide distributed DDoS defense solutions. We evaluate these systems in terms of deployment, detection, response, security, robustness and implementation. For each criteria, we give a recommendation on which technologies are best suitable for a successful distributed defense system based on the analysis result. Finally we propose our idea on the design of an effective distributed defense system.

Decision analysis of statistically detecting distributed denial-of-service flooding attacks

There are two statistical decision making questions regarding statistically detecting sings of denial-of-service flooding attacks. One is how to represent the distributions of detection probability, false alarm probability and miss probability. The other is how to quantitatively express a decision region within which one may make a decision that has high detection probability, low false alarm probability and low miss probability. This paper gives the answers to the above questions. In addition, a case study is demonstrated.

Protecting web services from distributed denial of service attacks

The outcome of the research was the development of three network defence systems to protect corporate network infrastructure. The results showed that these defences were able to detect and filter around 94% of the DDoS attack traffic within a matter of seconds.

Keynote : Detection of and defense against distributed denial-of-service (DDoS) attacks

Distributed denial-of-service (DDoS) attacks typically exhaust bandwidth, processing capacity, or memory of a targeted machine, service or network. Despite enormous efforts in combating DDoS attacks in the past decade, DDoS attacks are still a serious threat to the security of cyberspace. In this talk I shall outline the recent efforts of my research group in detection of and defence against DDoS attacks. In particular, this talk will concentrate on the following three critical issues related to DDoS attacks: (1) Traceback of DDoS attacks; (2) Detection of low-rate DDoS attacks; and (3) Discriminating DDoS attacks from flash crowds.

Distributed denial of service (DDoS) detection by traffic pattern analysis

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

Protecting web applications from DDoS attacks by an active distributed defense system

In the last a few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub-systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.

Mark-aided distributed filtering by using neural network for DDoS defense

Currently Distributed Denial of Service (DDoS) attacks have been identified as one of the most serious problems on the Internet. The aim of DDoS attacks is to prevent legitimate users from accessing desired resources, such as network bandwidth. Hence the immediate task of DDoS defense is to provide as much resources as possible to legitimate users when there is an attack. Unfortunately most current defense approaches can not efficiently detect and filter out attack traffic. Our approach is to find the network anomalies by using neural network, deploy the system at distributed routers, identify the attack packets, and then filter them. The marks in the IP header that are generated by a group of IP traceback schemes, Deterministic Packet Marking (DPM)/Flexible Deterministic Packet Marking (FDPM), assist this process of identifying attack packets. The experimental results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks’ characteristic of starting from multiple sources to a single victim. According to results, we find the marks in IP headers can enhance the sensitivity and accuracy of detection, thus improve the legitimate traffic throughput and reduce attack traffic throughput. Therefore, it can perform well in filtering DDoS attack traffic precisely and effectively.

Protecting web services with service oriented traceback architecture

Service oriented architecture (SOA) is a way of reorganizing software infrastructure into a set of service abstracts. In the area of applying SOA to Web service security, there have been some well defined security dimensions. However, current Web security systems, like WS-Security are not efficient enough to handle distributed denial of service (DDoS) attacks. Our new approach, service oriented traceback architecture (SOTA), provides a framework to be able to identify the source of an attack. This is accomplished by deploying our defence system at distributed routers, in order to examine the incoming SOAP messages and place our own SOAP header. By this method, we can then use the new SOAP header information, to traceback through the network the source of the attack. According to our experimental performance evaluations, we find that SOTA is quite scaleable, simple and quite effective at identifying the source.

Traceback of DDoS attacks using entropy variations

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantagesit is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

Protect grids from DDoS attacks

Recently a number of highly publicised incidents of Distributed Denial of Service (DDoS) attacks have made people aware of the importance of providing available securely the grids’ data and services to users. This paper introduces the vulnerability of grids to DDoS attacks, and proposes a distributed defense system that has a mixture deployment of sub-systems to protect grids from DDoS attacks. According to the simulation experiments, this system is effective to defend grids against attacks. It can avoid overall network congestion and provide more resources to legitimate grid users.

Safeguard information infrastructure against DDoS attacks: experiments and modeling

Nowadays Distributed Denial of Service (DDoS) attacks have made one of the most serious threats to the information infrastructure. In this paper we firstly present a new filtering approach, Mark-Aided Distributed Filtering (MADF), which is to find the network anomalies by using a back-propagation neural network, deploy the defense system at distributed routers, identify and filtering the attack packets before they can reach the victim; and secondly propose an analytical model for the interactions between DDoS attack party and defense party, which allows us to have a deep insight of the interactions between the attack and defense parties. According to the experimental results, we find that MADF can detect and filter DDoS attack packets with high sensitivity and accuracy, thus provide high legitimate traffic throughput and low attack traffic throughput. Through the comparison between experiments and numerical results, we also demonstrate the validity of the analytical model that can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks.

Intelligent DDoS packet filtering in high-speed networks

Currently high-speed networks have been attacked by successive waves of Distributed Denial of Service (DDoS) attacks. There are two major challenges on DDoS defense in the high-speed networks. One is to sensitively and accurately detect attack traffic, and the other is to filter out the attack traffic quickly, which mainly depends on high-speed packet classification. Unfortunately most current defense approaches can not efficiently detect and quickly filter out attack traffic. Our approach is to find the network anomalies by using neural network, deploy the system at distributed routers, identify the attack packets, and then filter them quickly by a Bloom filter-based classifier. The evaluation results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks’ characteristic of starting from multiple sources to a single victim. The simple complexity, high classification speed and low storage requirements make it especially suitable for DDoS defense in high-speed networks.

Classifying DDoS packets in high-speed networks

Recently high-speed networks have been utilized by attackers as Distributed Denial of Service (DDoS) attack infrastructure. Services on high-speed networks also have been attacked by successive waves of the DDoS attacks. How to sensitively and accurately detect the attack traffic, and quickly filter out the attack packets are still the major challenges in DDoS defense. Unfortunately most current defense approaches can not efficiently fulfill these tasks. Our approach is to find the network anomalies by using neural network and classify DDoS packets by a Bloom filter-based classifier (BFC). BFC is a set of spaceefficient data structures and algorithms for packet classification. The evaluation results show that the simple complexity, high classification speed and accuracy and low storage requirements of this classifier make it not only suitable for DDoS filtering in high-speed networks, but also suitable for other applications such as string matching for intrusion detection systems and IP lookup for programmable routers.