1,050 research outputs found

    Protecting web applications from DDoS attacks by an active distributed defense system

    In the last few years a number of highly publicized Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and service security to users. A DDoS attack is an availability attack, characterized by an explicit attempt by an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks and presents an active distributed defense system, deployed as a mixture of sub-systems, to protect web applications from DDoS attacks. According to the simulation experiments, the system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.

    Distributed Denial-of-Service Defense System

    Distributed denial-of-service (DDoS) attacks present a great threat to the Internet, and existing security mechanisms cannot detect or stop them successfully. The problem lies in the distributed nature of the attacks, which harness the power of a vast number of coordinated hosts. To mitigate the impact of DDoS attacks, it is important to develop a defense system that can both detect and react against ongoing attacks. The attacks ideally should be stopped as close to the sources as possible, saving network resources and reducing congestion. A DDoS defense system deployed at the source end should prevent the machines in its network from participating in DDoS attacks. The primary objective of this project, developing a DDoS defense system, is to provide good service to a victim's legitimate clients during the attack, thus canceling the denial-of-service effect. The scope of the study covers how the attack detection algorithms work and identify the attack traffic, and hence how to develop appropriate attack responses. With a source-end defense against DDoS attacks, the attack flows can be stopped before they enter the Internet core and before they aggregate with other attack flows. The methodology chosen for this project is a combination of sequential and iterative approaches to the software development process, comprising six main phases: initial planning, requirement definition, system design, coding and testing, implementation, and lastly maintenance and support. The system uses a source-router approach, in which the source router serves as a gateway between the source network containing some of the attack nodes and the rest of the Internet, to detect and limit DDoS streams long before they reach the target. This will be covered in the Findings section of the report.
    The Discussion section focuses more on the architecture of the system, which has three important components: observation, rate-limiting and traffic-policing.
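The observation, rate-limiting and traffic-policing split described above, as an added example that is not the project's own code: a source-router gateway counts outbound packets and returning replies per destination for one window, flags destinations whose outbound rate is high while almost nothing comes back, and in the next window polices packets to those destinations with a token bucket. The traffic, addresses (10.0.0.0/8 sources, documentation-range victims), the 100 pps threshold, the 0.2 reply ratio and the 10 pps limit are all constructed for illustration.

```python
"""Toy source-end DDoS defence in the style of a source-router gateway.

Added example with constructed traffic and hypothetical thresholds.
Components: observe per-destination out/in counts, decide which
destination aggregates to rate-limit, police them with a token bucket.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "out": leaving the source network, "in": reply coming back
    t: float        # seconds


@dataclass
class DestStats:
    out: int = 0   # packets sent from our network to this destination
    in_: int = 0   # packets this destination sent back to us


class Observer:
    """Observation: per-destination counters for one window."""

    def __init__(self):
        self.stats = defaultdict(DestStats)

    def see(self, pkt):
        # Replies are keyed by their source so they land on the same aggregate.
        key = pkt.dst if pkt.direction == "out" else pkt.src
        if pkt.direction == "out":
            self.stats[key].out += 1
        else:
            self.stats[key].in_ += 1


def suspicious_destinations(stats, window_s, max_pps, min_reply_ratio):
    """Rate-limiting decision: high outbound rate and few replies => flood."""
    flagged = {}
    for dst, s in stats.items():
        pps = s.out / window_s
        ratio = s.in_ / s.out if s.out else 1.0
        if pps > max_pps and ratio < min_reply_ratio:
            flagged[dst] = pps
    return flagged


class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Policer:
    """Traffic-policing: enforce a per-destination packet rate on flagged flows."""

    def __init__(self, limits, start):
        self.buckets = {dst: TokenBucket(rate, burst=rate, now=start)
                        for dst, rate in limits.items()}

    def forward(self, pkt):
        if pkt.direction != "out" or pkt.dst not in self.buckets:
            return True  # unflagged traffic and replies pass untouched
        return self.buckets[pkt.dst].allow(pkt.t)


def constructed_window(t0):
    """Constructed one-second window: a normal client and a flooding host."""
    pkts = []
    for i in range(20):  # legitimate client: 20 requests/s, each answered
        pkts.append(Packet("10.0.0.5", "198.51.100.10", "out", t0 + i * 0.05))
        pkts.append(Packet("198.51.100.10", "10.0.0.5", "in", t0 + i * 0.05 + 0.01))
    for i in range(500):  # compromised host: 500 pkt/s to a victim, no replies
        pkts.append(Packet("10.0.0.9", "203.0.113.7", "out", t0 + i * 0.002))
    return sorted(pkts, key=lambda p: p.t)


def run_demo():
    obs = Observer()
    for p in constructed_window(0.0):
        obs.see(p)
    flagged = suspicious_destinations(obs.stats, 1.0, max_pps=100, min_reply_ratio=0.2)
    policer = Policer({dst: 10.0 for dst in flagged}, start=1.0)  # cap to 10 pps
    forwarded = defaultdict(int)
    for p in constructed_window(1.0):
        if p.direction == "out" and policer.forward(p):
            forwarded[p.dst] += 1
    return flagged, dict(forwarded)


if __name__ == "__main__":
    print(run_demo())
```

The reply ratio is what keeps the legitimate 20 pps client off the blocklist; a busy but well-behaved host still gets answers, a flooder does not. The policer only throttles the flagged aggregate, so the client's traffic is forwarded in full while the flood to 203.0.113.7 is cut to roughly the bucket's burst plus ten packets per second.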

    Categorizing and Assessing the Severity of Disruptive Cyber Incidents

    Faced with a rapidly growing volume and range of cyber attacks, policymakers and organizational leaders have had difficulty setting priorities, allocating resources, and responding effectively without a standard way to categorize cyber events and estimate their consequences. Presidential Policy Directive 41 laid out the Obama administration’s principles for executive branch responses to significant cyber incidents in the public or private sector. But it neither drew important distinctions between different types of cyber incidents, nor gave a standard way to determine where a particular incident falls on its 0 to 5 severity scale. This policy brief demonstrates how an analytical framework developed at the Center for International and Security Studies at the University of Maryland (CISSM) can help address these problems. It first differentiates between low-level incidents and more significant cyber events that result in exploitation of information, disruption of operations, or both. It categorizes five types of disruptive events and analyzes 2,030 cyber events in a dataset developed from media sources, showing that cyber exploitation remains more common than disruption, and that most disruptive activity fits into two categories: message manipulation and external denial of service attacks. Finally, the brief offers a standard method to assess the severity of different categories of disruptive attacks against different kinds of organizations based on the scope, magnitude, and duration of the event. This Cyber Disruption Index (CDI) is then applied to survey data on Distributed Denial of Service (DDoS) attacks in the private sector to assess severity within a common category of disruptive events. Of 3,900 cases reported, only 5 events (less than 1% of the DDoS cases) had a combined scope, magnitude, and duration severe enough to be a priority for prevention and potentially warrant government involvement.

    Adaptive Response System for Distributed Denial-of-Service Attacks

    The continued prevalence and severely damaging effects of Distributed Denial of Service (DDoS) attacks in today’s Internet raise growing security concerns and call for better solutions to tackle DDoS attacks. Current DDoS prevention mechanisms are usually inflexible, and determined attackers with knowledge of these mechanisms can work around them. Most existing detection and response mechanisms are standalone systems that do not rely on adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integration of both signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance with the attack types. Experiments conducted on DARE show that attack detection and mitigation are completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance with the attacks being launched with high accuracy, effectiveness and efficiency.
    We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate legitimate traffic from attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure, because it builds on the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and that TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses.
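One way a TCP SYN attack detector can be paired with a Bloom-based filter, as an added example. This is not DARE's implementation; the abstract names the two components but does not describe them, so the design below (half-open connection counting as the detector, a Bloom filter of sources that previously completed a handshake as the admission list during an attack) and the constructed segment trace, addresses, threshold and window are the editor's assumptions.

```python
"""Added example: SYN-flood detector plus Bloom-filter-based SYN admission.

Design and trace are constructed for illustration (not DARE's code).
Detector: count half-open connections (SYN seen, no ACK yet) in a window.
Filter:   once that count trips a threshold, admit new SYNs only from sources
          that completed a handshake before, remembered in a Bloom filter so
          memory stays fixed no matter how many clients have been seen.
"""
import hashlib


class BloomFilter:
    """Fixed-size set sketch: no false negatives, small tunable false-positive rate."""

    def __init__(self, m_bits=4096, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        for i in range(self.k):  # k independent hashes via a salt prefix
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


class SynFloodGuard:
    def __init__(self, threshold, window_s):
        self.threshold, self.window_s = threshold, window_s
        self.known_good = BloomFilter()   # sources that finished a 3-way handshake
        self.half_open = {}               # (src, sport) -> time of the SYN
        self.under_attack = False

    def _expire(self, now):
        for key, ts in list(self.half_open.items()):
            if now - ts > self.window_s:
                del self.half_open[key]

    def process(self, seg):
        """seg: {"src", "sport", "flags" ("S" or "A"), "t"}; returns "accept" or "drop"."""
        self._expire(seg["t"])
        key = (seg["src"], seg["sport"])
        if seg["flags"] == "S":
            self.under_attack = len(self.half_open) > self.threshold
            if self.under_attack and seg["src"] not in self.known_good:
                return "drop"                 # unknown source during a flood
            self.half_open[key] = seg["t"]
            return "accept"
        if seg["flags"] == "A" and key in self.half_open:
            del self.half_open[key]           # handshake completed
            self.known_good.add(seg["src"])   # a source that can really receive
        return "accept"


def constructed_trace():
    """Constructed trace: 5 clients complete handshakes, then 300 spoofed SYNs,
    then one of the earlier clients opens a new connection mid-flood."""
    segs, t = [], 0.0
    for i in range(5):
        src = f"198.51.100.{10 + i}"
        segs.append({"src": src, "sport": 40000, "flags": "S", "t": t})
        segs.append({"src": src, "sport": 40000, "flags": "A", "t": t + 0.01})
        t += 0.1
    for i in range(300):
        segs.append({"src": f"203.0.113.{i % 250 + 1}", "sport": 50000 + i, "flags": "S", "t": t})
        t += 0.001
    segs.append({"src": "198.51.100.12", "sport": 40001, "flags": "S", "t": t})
    return segs


def run_guard():
    guard = SynFloodGuard(threshold=100, window_s=5.0)
    dropped = accepted_spoofed = 0
    returning = None
    for seg in constructed_trace():
        verdict = guard.process(seg)
        if seg["src"].startswith("203.0.113."):
            if verdict == "drop":
                dropped += 1
            else:
                accepted_spoofed += 1
        elif seg["sport"] == 40001:
            returning = verdict
    return {"dropped_spoofed": dropped, "accepted_spoofed": accepted_spoofed,
            "returning_client": returning}


if __name__ == "__main__":
    print(run_guard())
```

The first hundred-odd spoofed SYNs are accepted, because the detector has not tripped yet; everything after that from never-seen sources is dropped, while the known client's new SYN still passes. Two caveats a deployment would need to handle: an attacker who completes handshakes before flooding gets its source into the filter (so entries should age out), and the half-open table itself must be bounded, since admitted-but-unanswered SYNs from known sources still consume it.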