8,251 research outputs found
An SDN-based Approach For Defending Against Reflective DDoS Attacks
Distributed Reflective Denial of Service (DRDoS) attacks are an immanent
threat to Internet services. The potential scale of such attacks became
apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel
services built upon UDP increase the need for automated mitigation mechanisms
that react to attacks without prior knowledge of the actual application
protocols used. With the flexibility that software-defined networks offer, we
developed a new approach for defending against DRDoS attacks; it not only
protects against arbitrary DRDoS attacks but is also transparent for the attack
target and can be used without assistance of the target host operator. The
approach provides a robust mitigation system which is protocol-agnostic and
effective in the defense against DRDoS attacks
Recommended from our members
Techniques for the dynamic randomization of network attributes
Critical infrastructure control systems continue to foster predictable communication paths and static configurations that allow easy access to our networked critical infrastructure around the world. This makes them attractive and easy targets for cyber-attack. We have developed technologies that address these attack vectors by automatically reconfiguring network settings. Applying these protective measures will convert control systems into «moving targets» that proactively defend themselves against attack. This «Moving Target Defense» (MTD) revolves about the movement of network reconfiguration, securely communicating reconfiguration specifications to other network nodes as required, and ensuring that connectivity between nodes is uninterrupted. Software-defined Networking (SDN) is leveraged to meet many of these goals. Our MTD approach eliminates adversaries targeting known static attributes of network devices and systems, and consists of the following three techniques: (1) Network Randomization for TCP/UDP Ports; (2) Network Randomization for IP Addresses; (3) Network Randomization for Network Paths In this paper, we describe the implementation of the aforementioned technologies. We also discuss the individual and collective successes for the techniques, challenges for deployment, constraints and assumptions, and the performance implications for each technique
Hyp3rArmor: reducing web application exposure to automated attacks
Web applications (webapps) are subjected constantly to automated, opportunistic attacks from autonomous robots (bots) engaged in reconnaissance to discover victims that may be vulnerable to specific exploits. This is a typical behavior found in botnet recruitment, worm propagation, largescale fingerprinting and vulnerability scanners. Most anti-bot techniques are deployed at the application layer, thus leaving the network stack of the webapp’s server exposed. In this paper we present a mechanism called Hyp3rArmor, that addresses this vulnerability by minimizing the webapp’s attack surface exposed to automated opportunistic attackers, for JavaScriptenabled web browser clients. Our solution uses port knocking to eliminate the webapp’s visible network footprint. Clients of the webapp are directed to a visible static web server to obtain JavaScript that authenticates the client to the webapp server (using port knocking) before making any requests to the webapp. Our implementation of Hyp3rArmor, which is compatible with all webapp architectures, has been deployed and used to defend single and multi-page websites on the Internet for 114 days. During this time period the static web server observed 964 attempted attacks that were deflected from the webapp, which was only accessed by authenticated clients. Our evaluation shows that in most cases client-side overheads were negligible and that server-side overheads were minimal. Hyp3rArmor is ideal for critical systems and legacy applications that must be accessible on the Internet. Additionally Hyp3rArmor is composable with other security tools, adding an additional layer to a defense in depth approach.This work has been supported by the National Science Foundation (NSF) awards #1430145, #1414119, and #1012798
Survey on: Software Puzzle for Offsetting DoS Attack
A Denial of Service (DoS) attack is a malevolent attempt to make a server or a network resource inaccessible to users, usually by temporarily breaking or suspending the services of a host connected to the Internet. DoS attacks and Distributed DoS (DDoS) attacks attempt to deplete an online service's resource such as network bandwidth, memory and computational power by overwhelming the service with bogus requests. Thus, DoS and DDoS attacks have become a major problem for users of computer systems connected to the Internet. Many state-art of the techniques used for defending the internet from these attacks have been discussed in this paper. After conducting an exhaustive survey on these techniques it has been found that the proposed software puzzle scheme that randomly generates only after a client request is received at the server side gives better performance as compared with previous techniques
A defense against address spoofing using active networks
Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1997.Includes bibliographical references (p. 45-46).by Van C. Van.M.Eng
Security and Privacy Issues in Wireless Mesh Networks: A Survey
This book chapter identifies various security threats in wireless mesh
network (WMN). Keeping in mind the critical requirement of security and user
privacy in WMNs, this chapter provides a comprehensive overview of various
possible attacks on different layers of the communication protocol stack for
WMNs and their corresponding defense mechanisms. First, it identifies the
security vulnerabilities in the physical, link, network, transport, application
layers. Furthermore, various possible attacks on the key management protocols,
user authentication and access control protocols, and user privacy preservation
protocols are presented. After enumerating various possible attacks, the
chapter provides a detailed discussion on various existing security mechanisms
and protocols to defend against and wherever possible prevent the possible
attacks. Comparative analyses are also presented on the security schemes with
regards to the cryptographic schemes used, key management strategies deployed,
use of any trusted third party, computation and communication overhead involved
etc. The chapter then presents a brief discussion on various trust management
approaches for WMNs since trust and reputation-based schemes are increasingly
becoming popular for enforcing security in wireless networks. A number of open
problems in security and privacy issues for WMNs are subsequently discussed
before the chapter is finally concluded.Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the
author's previous submission in arXiv submission: arXiv:1102.1226. There are
some text overlaps with the previous submissio
Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance
The way in which addressing and forwarding are implemented in the Internet
constitutes one of its biggest privacy and security challenges. The fact that
source addresses in Internet datagrams cannot be trusted makes the IP Internet
inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is
open to attacks to the privacy of datagram sources, because source addresses in
Internet datagrams have global scope. The fact an Internet datagrams are
forwarded based solely on the destination addresses stated in datagram headers
and the next hops stored in the forwarding information bases (FIB) of relaying
routers allows Internet datagrams to traverse loops, which wastes resources and
leaves the Internet open to further attacks. We introduce PEAR (Provenance
Enforcement through Addressing and Routing), a new approach for addressing and
forwarding of Internet datagrams that enables anonymous forwarding of Internet
datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and
prevents Internet datagrams from looping, even in the presence of routing-table
loops.Comment: Proceedings of IEEE Globecom 2016, 4-8 December 2016, Washington,
D.C., US
Blacklisting Malicious Websites using Peer-to-Peer Technology
The misuse of websites to serve exploit code to compromise hosts on the Internet has increased drastically in the recent years. With new methods like Fast- or Domain Fluxing the attackers have found ways to generate thousands of links leading to malicious webservers in a very short time. With the help of the distributed blacklist solution we propose in this paper we are able to quickly respond to new threats and have the ability to involve different sources to collect information about malicious websites. It is therefore possible to protect networks from threats that they have not even been targeted for yet, by sharing attack information globally
Intrusion detection mechanisms for VoIP applications
VoIP applications are emerging today as an important component in business
and communication industry. In this paper, we address the intrusion detection
and prevention in VoIP networks and describe how a conceptual solution based on
the Bayes inference approach can be used to reinforce the existent security
mechanisms. Our approach is based on network monitoring and analyzing of the
VoIP-specific traffic. We give a detailed example on attack detection using the
SIP signaling protocol
- …