6 research outputs found

    Application-layer denial of service attacks: taxonomy and survey

    The recent escalation of application-layer denial of service (DoS) attacks has attracted significant interest from the security research community. Since application-layer DoS attacks usually do not manifest themselves at the network level, they avoid traditional network-layer-based detection. Therefore, the security community has focused on specialised application-layer DoS attack detection and mitigation mechanisms. However, the deployment of reliable and efficient defence mechanisms against these attacks requires a comprehensive understanding of the existing application-layer DoS attacks supported by a unified terminology. Thus, in this paper we address this issue and devise a taxonomy of application-layer DoS attacks. By devising the proposed taxonomy, we intend to give researchers a better understanding of these attacks and provide a foundation for organising research efforts within this specific field.

    A Survey on Detection and Defense of Application Layer DDoS Attacks

    As time passes, the effect of DDoS attacks on Internet security is growing tremendously. Within a very short span there has been a huge increase in the size and frequency of DDoS attacks. With new technologies and new techniques, attackers are finding more sophisticated ways to attack servers. In this situation, it is necessary to come up with various mechanisms to detect and defend against these DDoS attacks and protect the servers from the attackers. Much research has been carried out to detect DDoS attack traffic in the transport layer, which is more vulnerable to DDoS attacks; DDoS attacks are more common in the transport layer. In the application layer, they incur huge losses and it is very difficult to mitigate DDoS attacks even in the presence of strong firewalls and Intrusion Prevention Security. Research is being conducted to mitigate application layer DDoS attacks. This research contains a discussion of various types of DDoS attacks, their detection, and the defense and prevention methods proposed by various researchers.

    Denial of Service Attacks on the Internet: Description of the Problem and Approaches to Its Solution

    The paper considers protection against one of the most dangerous kinds of malicious activity on the Internet: denial of service attacks. The history of the problem and the reasons that led to its emergence are described. A review of the main types of denial of service attacks, their classification and their main characteristics is given. The paper reviews the defence mechanisms that exist today. A system for countering or protecting against denial of service attacks has to solve the following tasks: attack prevention, attack detection, identification of attack sources, and attack response. The task of attack detection consists in detecting a denial of service attack when it appears; this is an important stage on which all further actions depend. Therefore, detection algorithms are given great importance. They have to satisfy requirements for speed, reliability and efficiency. The paper considers widely used attack detection algorithms that allow fast analysis of data from one or from many observation channels. One of the promising directions of development is building protection systems on the basis of multi-agent systems. Multi-agent systems are the most mobile; in addition, they have extra features such as distribution, the ability to operate under unpredictable changes both in the network and in the malicious activity, detection and documenting of significant events, learning, analysis of the collected information, action planning, autonomy and adaptability. The paper describes the general architecture of such a system, and the composition and main tasks of its elements.

    A survey of defense mechanisms against distributed denial of service (DDOS) flooding attacks

    Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack. © 1998-2012 IEEE

    Prototype for Detecting Distributed Denial of Service (DDOS) Attacks Using Machine Learning

    Distributed Denial of Service (DDOS) attacks affect the availability of WEB services for an indeterminate period of time, flooding company servers with fraudulent requests and denying the requests of legitimate users, generating economic losses due to the unavailability of the services rendered. For this reason, the scope of this document is to develop a DDOS attack detection prototype based on machine learning (SVM), which captures network traffic, filters HTTP headers, normalizes the data on the basis of the operational variables False Positive Rate, False Negative Rate and Classification Rate, and sends the information to the SVM for the respective training and detection tests, integrated with the statistical data mining software WEKA, allowing these anomalous behaviours to be effectively identified in the layer above the session layer (OSI Reference Model), with the purpose of increasing the availability time of the services. The experiment will allow the technique of the prototype, based on a supervised SVM model, to be evaluated, validated and compared against a traditional rule-based model such as SNORT (Snort, 2008).

    Towards Coordinated, Network-Wide Traffic Monitoring for Early Detection of DDoS Flooding Attacks

    DDoS flooding attacks are one of the biggest concerns for security professionals and they are typically explicit attempts to disrupt legitimate users' access to services. Developing a comprehensive defense mechanism against such attacks requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various such attacks. In this thesis, we dig into the problem of DDoS flooding attacks from four directions: (1) We study the origin of these attacks, their variations, and various existing defense mechanisms against them. Our literature review gives insight into a list of key required features for the next generation of DDoS flooding defense mechanisms. The most important requirement on this list is to see more distributed DDoS flooding defense mechanisms in the near future. (2) In such systems, the success in detecting DDoS flooding attacks earlier and in a distributed fashion is highly dependent on the quality and quantity of the traffic flows that are covered by the employed traffic monitoring mechanisms. This motivates us to study and understand the challenges of existing traffic monitoring mechanisms. (3) We propose a novel distributed, coordinated, network-wide traffic monitoring (DiCoTraM) approach that addresses the key challenges of current traffic monitoring mechanisms. DiCoTraM enhances flow coverage to enable effective, early detection of DDoS flooding attacks. We compare and evaluate the performance of DiCoTraM with various other traffic monitoring mechanisms in terms of their total flow coverage and DDoS flooding attack flow coverage. (4) We evaluate the effectiveness of DiCoTraM against cSamp, an existing traffic monitoring mechanism that outperforms most other traffic monitoring mechanisms, with regard to supporting early detection of DDoS flooding attacks (i.e., at the intermediate network) by employing two existing DDoS flooding detection mechanisms over them.
    We then compare the effectiveness of DiCoTraM with that of cSamp by comparing the detection rates and false positive rates achieved when the selected detection mechanisms are employed over DiCoTraM and cSamp. The results show that DiCoTraM outperforms other traffic monitoring mechanisms in terms of DDoS flooding attack flow coverage.