9 research outputs found

    An SDN-based Approach For Defending Against Reflective DDoS Attacks

    Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.

    Analyzing Attacks on Cooperative Adaptive Cruise Control (CACC)

    Cooperative Adaptive Cruise Control (CACC) is one of the driving applications of vehicular ad-hoc networks (VANETs) and promises to bring more efficient and faster transportation through cooperative behavior between vehicles. In CACC, vehicles exchange information, which is relied on to partially automate driving; however, this reliance on cooperation requires resilience against attacks and other forms of misbehavior. In this paper, we propose a rigorous attacker model and an evaluation framework for this resilience by quantifying the attack impact, providing the necessary tools to compare controller resilience and attack effectiveness simultaneously. Although there are significant differences between the resilience of the three analyzed controllers, we show that each can be attacked effectively and easily through either jamming or data injection. Our results suggest a combination of misbehavior detection and resilient control algorithms with graceful degradation are necessary ingredients for secure and safe platoons.
    Comment: 8 pages (author version), 5 figures, accepted at 2017 IEEE Vehicular Networking Conference (VNC).

    SDN-Assisted Network-Based Mitigation of Slow HTTP Attacks


    Security in high-bandwidth networks

    Ever-increasing bandwidth in networks presents a challenge to security mechanisms as the amount of traffic (following Gilder's law) increases faster than the computational power (following Moore's law). This continuous increase in the amount of data not only impedes the effort to analyze the data in firewalls or Intrusion Detection Systems, but it can also be exploited by attackers to achieve ever stronger attacks. Moreover, testing network security mechanisms in high-bandwidth networks presents a challenge in itself as common testing tools are neither designed to produce nor to analyze such a vast amount of traffic. In this thesis, firstly, we look into testing of network applications, devices, and algorithms in high-bandwidth networks as a challenge in and of itself. We analyze traffic, build a network testing framework, and provide test data sets as groundwork for the other parts of this thesis. Following these insights, we work on improving security mechanisms to tackle the challenges of high-bandwidth networks. Hereby, we focus on two commonly used security mechanisms found in today's networks: Intrusion Detection Systems (IDS) and Mitigation Systems for Distributed Denial-of-Service (DDoS) attacks, and investigate the impact of rising network traffic on their performance. We look into ways to raise IDS throughput through hardware-supported parallelization of regular expression matching. Matching regular expressions is a key component of the payload analysis in IDS and presents a major bottleneck for their throughput. Moreover, we present a framework able to detect DDoS attacks, identify attacking clients, and defend successfully against attacks. The system entails improvements in these areas with a particular focus on identifying slow DDoS attackers and defense against reflective attacks. The software developed, the data sets produced, and the insights gained in this work can help researchers, network administrators, and developers improve network security mechanisms and defend their networks more reliably against attacks.

    The ever-growing bandwidth in networks presents a challenge to security mechanisms, as the amount of data traffic grows faster (according to Gilder's law) than computing power (according to Moore's law). This continuous increase in the amount of data not only raises the effort required to analyze the data in firewalls or intrusion detection systems, but can also be exploited by attackers to achieve ever stronger attacks. Furthermore, testing security mechanisms in high-bandwidth networks presents a challenge in itself, since testing tools are designed neither to produce nor to analyze such a large amount of traffic. In this thesis, we first examine the testing of applications, devices, and algorithms in high-bandwidth networks as a challenge in its own right. We analyze the traffic, build a network testing framework, and provide test data sets that serve us in the further course of the thesis. Following the insights gained, we work on improving security mechanisms in order to cope with the challenges of high-bandwidth networks. In doing so, we concentrate on two frequently used security mechanisms found in today's networks: intrusion detection systems (IDS) and defense systems against distributed denial-of-service (DDoS) attacks, and we investigate the effects of rising network traffic on their performance. We examine ways to increase IDS throughput through hardware-supported parallelization of regular expression matching. Matching regular expressions is a key component of payload analysis in IDS and represents a major bottleneck for their throughput. Furthermore, we present a framework that is able to detect DDoS attacks, identify attackers, and defend successfully against attacks. The system brings improvements in these areas, with a particular focus on identifying slow DDoS attackers and defending against reflective attacks. The software developed, the data sets produced, and the insights gained can help researchers, administrators, and developers improve the security mechanisms in their networks and protect their networks more reliably against attacks.

    VeReMi: a dataset for comparable evaluation of misbehavior detection in VANETs

    Vehicular networks are networks of communicating vehicles, a major enabling technology for future cooperative and autonomous driving technologies. The most important messages in these networks are broadcast-authenticated periodic one-hop beacons, used for safety and traffic efficiency applications such as collision avoidance and traffic jam detection. However, broadcast authenticity is not sufficient to guarantee message correctness. The goal of misbehavior detection is to analyze application data and knowledge about physical processes in these cyber-physical systems to detect incorrect messages, enabling local revocation of vehicles transmitting malicious messages. Comparative studies between detection mechanisms are rare due to the lack of a reference dataset. We take the first steps to address this challenge by introducing the Vehicular Reference Misbehavior Dataset (VeReMi) and a discussion of valid metrics for such an assessment. VeReMi is the first public extensible dataset, allowing anyone to reproduce the generation process, as well as contribute attacks and use the data to compare new detection mechanisms against existing ones. The result of our analysis shows that the acceptance range threshold and the simple speed check are complementary mechanisms that detect different attacks. This supports the intuitive notion that fusion can lead to better results with data, and we suggest that future work should focus on effective fusion with VeReMi as an evaluation baseline.

    A comparison of TCP congestion control algorithms in 10G networks

    The increasing availability of 10G Ethernet network capabilities challenges existing transport layer protocols. As 10G connections gain momentum outside of backbone networks, the choice of appropriate TCP congestion control algorithms becomes even more relevant for networked applications running in environments such as data centers. Therefore, we provide an extensive overview of relevant TCP congestion control algorithms for high-speed environments leveraging 10G. We analyzed and evaluated six TCP variants using a physical network testbed, with a focus on the effects of propagation delay and significant drop rates. The results indicate that, of the algorithms compared, BIC is most suitable when no legacy variant is present, and CUBIC is suggested otherwise.