On mitigating distributed denial of service attacks

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are probably the most ferocious threats in the Internet, resulting in tremendous economic and social implications/impacts on our daily lives that are increasingly depending on the wellbeing of the Internet. How to mitigate these attacks effectively and efficiently has become an active research area. The critical issues here include 1) IP spoofing, i.e., forged source lIP addresses are routinely employed to conceal the identities of the attack sources and deter the efforts of detection, defense, and tracing; 2) the distributed nature, that is, hundreds or thousands of compromised hosts are orchestrated to attack the victim synchronously. Other related issues are scalability, lack of incentives to deploy a new scheme, and the effectiveness under partial deployment. This dissertation investigates and proposes effective schemes to mitigate DDoS attacks. It is comprised of three parts. The first part introduces the classification of DDoS attacks and the evaluation of previous schemes. The second part presents the proposed IP traceback scheme, namely, autonomous system-based edge marking (ASEM). ASEM enhances probabilistic packet marking (PPM) in several aspects: (1) ASEM is capable of addressing large-scale DDoS attacks efficiently; (2) ASEM is capable of handling spoofed marking from the attacker and spurious marking incurred by subverted routers, which is a unique and critical feature; (3) ASEM can significantly reduce the number of marked packets required for path reconstruction and suppress false positives as well. The third part presents the proposed DDoS defense mechanisms, including the four-color-theorem based path marking, and a comprehensive framework for DDoS defense. The salient features of the framework include (1) it is designed to tackle a wide spectrum of DDoS attacks rather than a specified one, and (2) it can differentiate malicious traffic from normal ones. The receiver-center design avoids several related issues such as scalability, and lack of incentives to deploy a new scheme. Finally, conclusions are drawn and future works are discussed

A composable approach to design of newer techniques for large-scale denial-of-service attack attribution

Since its early days, the Internet has witnessed not only a phenomenal growth, but also a large number of security attacks, and in recent years, denial-of-service (DoS) attacks have emerged as one of the top threats. The stateless and destination-oriented Internet routing combined with the ability to harness a large number of compromised machines and the relative ease and low costs of launching such attacks has made this a hard problem to address. Additionally, the myriad requirements of scalability, incremental deployment, adequate user privacy protections, and appropriate economic incentives has further complicated the design of DDoS defense mechanisms. While the many research proposals to date have focussed differently on prevention, mitigation, or traceback of DDoS attacks, the lack of a comprehensive approach satisfying the different design criteria for successful attack attribution is indeed disturbing. Our first contribution here has been the design of a composable data model that has helped us represent the various dimensions of the attack attribution problem, particularly the performance attributes of accuracy, effectiveness, speed and overhead, as orthogonal and mutually independent design considerations. We have then designed custom optimizations along each of these dimensions, and have further integrated them into a single composite model, to provide strong performance guarantees. Thus, the proposed model has given us a single framework that can not only address the individual shortcomings of the various known attack attribution techniques, but also provide a more wholesome counter-measure against DDoS attacks. Our second contribution here has been a concrete implementation based on the proposed composable data model, having adopted a graph-theoretic approach to identify and subsequently stitch together individual edge fragments in the Internet graph to reveal the true routing path of any network data packet. The proposed approach has been analyzed through theoretical and experimental evaluation across multiple metrics, including scalability, incremental deployment, speed and efficiency of the distributed algorithm, and finally the total overhead associated with its deployment. We have thereby shown that it is realistically feasible to provide strong performance and scalability guarantees for Internet-wide attack attribution. Our third contribution here has further advanced the state of the art by directly identifying individual path fragments in the Internet graph, having adopted a distributed divide-and-conquer approach employing simple recurrence relations as individual building blocks. A detailed analysis of the proposed approach on real-life Internet topologies with respect to network storage and traffic overhead, has provided a more realistic characterization. Thus, not only does the proposed approach lend well for simplified operations at scale but can also provide robust network-wide performance and security guarantees for Internet-wide attack attribution. Our final contribution here has introduced the notion of anonymity in the overall attack attribution process to significantly broaden its scope. The highly invasive nature of wide-spread data gathering for network traceback continues to violate one of the key principles of Internet use today - the ability to stay anonymous and operate freely without retribution. In this regard, we have successfully reconciled these mutually divergent requirements to make it not only economically feasible and politically viable but also socially acceptable. This work opens up several directions for future research - analysis of existing attack attribution techniques to identify further scope for improvements, incorporation of newer attributes into the design framework of the composable data model abstraction, and finally design of newer attack attribution techniques that comprehensively integrate the various attack prevention, mitigation and traceback techniques in an efficient manner

Scalable schemes against Distributed Denial of Service attacks

Defense against Distributed Denial of Service (DDoS) attacks is one of the primary concerns on the Internet today. DDoS attacks are difficult to prevent because of the open, interconnected nature of the Internet and its underlying protocols, which can be used in several ways to deny service. Attackers hide their identity by using third parties such as private chat channels on IRC (Internet Relay Chat). They also insert false return IP address, spoofing, in a packet which makes it difficult for the victim to determine the packet\u27s origin. We propose three novel and realistic traceback mechanisms which offer many advantages over the existing schemes. All the three schemes take advantage of the Autonomous System topology and consider the fact that the attacker\u27s packets may traverse through a number of domains under different administrative control. Most of the traceback mechanisms make wrong assumptions that the network details of a company under an administrative control are disclosed to the public. For security reasons, this is not the case most of the times. The proposed schemes overcome this drawback by considering reconstruction at the inter and intra AS levels. Hierarchical Internet Traceback (HIT) and Simple Traceback Mechanism (STM) trace back to an attacker in two phases. In the first phase the attack originating Autonomous System is identified while in the second phase the attacker within an AS is identified. Both the schemes, HIT and STM, allow the victim to trace back to the attackers in a few seconds. Their computational overhead is very low and they scale to large distributed attacks with thousands of attackers. Fast Autonomous System Traceback allows complete attack path reconstruction with few packets. We use traceroute maps of real Internet topologies CAIDA\u27s skitter to simulate DDoS attacks and validate our design

IP traceback marking scheme based DDoS defense.

Ping Yan.Thesis submitted in: December 2004.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 93-100).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- INTRODUCTION --- p.1Chapter 1.1 --- The Problem --- p.1Chapter 1.2 --- Research Motivations and Objectives --- p.3Chapter 1.3 --- The Rationale --- p.8Chapter 1.4 --- Thesis Organization --- p.9Chapter 2 --- BACKGROUND STUDY --- p.10Chapter 2.1 --- Distributed Denial of Service Attacks --- p.10Chapter 2.1.1 --- Taxonomy of DoS and DDoS Attacks --- p.13Chapter 2.2 --- IP Traceback --- p.17Chapter 2.2.1 --- Assumptions --- p.18Chapter 2.2.2 --- Problem Model and Performance Metrics --- p.20Chapter 2.3 --- IP Traceback Proposals --- p.24Chapter 2.3.1 --- Probabilistic Packet Marking (PPM) --- p.24Chapter 2.3.2 --- ICMP Traceback Messaging --- p.26Chapter 2.3.3 --- Logging --- p.27Chapter 2.3.4 --- Tracing Hop-by-hop --- p.29Chapter 2.3.5 --- Controlled Flooding --- p.30Chapter 2.4 --- DDoS Attack Countermeasures --- p.30Chapter 2.4.1 --- Ingress/Egress Filtering --- p.33Chapter 2.4.2 --- Route-based Distributed Packet Filtering (DPF) --- p.34Chapter 2.4.3 --- IP Traceback Based Intelligent Packet Filtering --- p.35Chapter 2.4.4 --- Source-end DDoS Attack Recognition and Defense --- p.36Chapter 2.4.5 --- Classification of DDoS Defense Methods --- p.38Chapter 3 --- ADAPTIVE PACKET MARKING SCHEME --- p.41Chapter 3.1 --- Scheme Overview --- p.41Chapter 3.2 --- Adaptive Packet Marking Scheme --- p.44Chapter 3.2.1 --- Design Motivation --- p.44Chapter 3.2.2 --- Marking Algorithm Basics --- p.46Chapter 3.2.3 --- Domain id Marking --- p.49Chapter 3.2.4 --- Router id Marking --- p.51Chapter 3.2.5 --- Attack Graph Reconstruction --- p.53Chapter 3.2.6 --- IP Header Overloading --- p.56Chapter 3.3 --- Experiments on the Packet Marking Scheme --- p.59Chapter 3.3.1 --- Simulation Set-up --- p.59Chapter 3.3.2 --- Experimental Results and Analysis --- p.61Chapter 4 --- DDoS DEFENSE SCHEMES --- p.67Chapter 4.1 --- Scheme I: Packet Filtering at Victim-end --- p.68Chapter 4.1.1 --- Packet Marking Scheme Modification --- p.68Chapter 4.1.2 --- Packet Filtering Algorithm --- p.69Chapter 4.1.3 --- Determining the Filtering Probabilities --- p.70Chapter 4.1.4 --- Suppressing Packets Filtering with did Markings from Nearby Routers --- p.73Chapter 4.2 --- Scheme II: Rate Limiting at the Sources --- p.73Chapter 4.2.1 --- Algorithm of the Rate-limiting Scheme --- p.74Chapter 4.3 --- Performance Measurements for Scheme I & Scheme II . --- p.77Chapter 5 --- CONCLUSION --- p.87Chapter 5.1 --- Contributions --- p.87Chapter 5.2 --- Discussion and Future Work --- p.91Bibliography --- p.10

Towards IP traceback based defense against DDoS attacks.

Lau Nga Sin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 101-110).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.ivChapter 1 --- Introduction --- p.1Chapter 1.1 --- Research Motivation --- p.2Chapter 1.2 --- Problem Statement --- p.3Chapter 1.3 --- Research Objectives --- p.4Chapter 1.4 --- Structure of the Thesis --- p.6Chapter 2 --- Background Study on DDoS Attacks --- p.8Chapter 2.1 --- Distributed Denial of Service Attacks --- p.8Chapter 2.1.1 --- DDoS Attack Architecture --- p.9Chapter 2.1.2 --- DDoS Attack Taxonomy --- p.11Chapter 2.1.3 --- DDoS Tools --- p.19Chapter 2.1.4 --- DDoS Detection --- p.21Chapter 2.2 --- DDoS Countermeasure: Attack Source Traceback --- p.23Chapter 2.2.1 --- Link Testing --- p.23Chapter 2.2.2 --- Logging --- p.24Chapter 2.2.3 --- ICMP-based traceback --- p.26Chapter 2.2.4 --- Packet marking --- p.28Chapter 2.2.5 --- Comparison of various IP Traceback Schemes --- p.31Chapter 2.3 --- DDoS Countermeasure: Packet Filtering --- p.33Chapter 2.3.1 --- Ingress Filtering --- p.33Chapter 2.3.2 --- Egress Filtering --- p.34Chapter 2.3.3 --- Route-based Packet Filtering --- p.35Chapter 2.3.4 --- IP Traceback-based Packet Filtering --- p.36Chapter 2.3.5 --- Router-based Pushback --- p.37Chapter 3 --- Domain-based IP Traceback Scheme --- p.40Chapter 3.1 --- Overview of our IP Traceback Scheme --- p.41Chapter 3.2 --- Assumptions --- p.44Chapter 3.3 --- Proposed Packet Marking Scheme --- p.45Chapter 3.3.1 --- IP Markings with Edge Sampling --- p.46Chapter 3.3.2 --- Domain-based Design Motivation --- p.48Chapter 3.3.3 --- Mathematical Principle --- p.49Chapter 3.3.4 --- Marking Mechanism --- p.51Chapter 3.3.5 --- Storage Space of the Marking Fields --- p.56Chapter 3.3.6 --- Packet Marking Integrity --- p.57Chapter 3.3.7 --- Path Reconstruction --- p.58Chapter 4 --- Route-based Packet Filtering Scheme --- p.62Chapter 4.1 --- Placement of Filters --- p.63Chapter 4.1.1 --- At Sources' Networks --- p.64Chapter 4.1.2 --- At Victim's Network --- p.64Chapter 4.2 --- Proposed Packet Filtering Scheme --- p.65Chapter 4.2.1 --- Classification of Packets --- p.66Chapter 4.2.2 --- Filtering Mechanism --- p.67Chapter 5 --- Performance Evaluation --- p.70Chapter 5.1 --- Simulation Setup --- p.70Chapter 5.2 --- Experiments on IP Traceback Scheme --- p.72Chapter 5.2.1 --- Performance Metrics --- p.72Chapter 5.2.2 --- Choice of Marking Probabilities --- p.73Chapter 5.2.3 --- Experimental Results --- p.75Chapter 5.3 --- Experiments on Packet Filtering Scheme --- p.82Chapter 5.3.1 --- Performance Metrics --- p.82Chapter 5.3.2 --- Choices of Filtering Probabilities --- p.84Chapter 5.3.3 --- Experimental Results --- p.85Chapter 5.4 --- Deployment Issues --- p.91Chapter 5.4.1 --- Backward Compatibility --- p.91Chapter 5.4.2 --- Processing Overheads to the Routers and Network --- p.93Chapter 5.5 --- Evaluations --- p.95Chapter 6 --- Conclusion --- p.96Chapter 6.1 --- Contributions --- p.96Chapter 6.2 --- Discussions and future work --- p.99Bibliography --- p.11

A Robust Mechanism for Defending Distributed Denial OF Service Attacks on Web Servers

Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.Comment: 18 pages, 3 figures, 5 table

Impact of denial of service solutions on network quality of service

The Internet has become a universal communication network tool. It has evolved from a platform that supports best-effort traffic to one that now carries different traffic types including those involving continuous media with quality of service (QoS) requirements. As more services are delivered over the Internet, we face increasing risk to their availability given that malicious attacks on those Internet services continue to increase. Several networks have witnessed denial of service (DoS) and distributed denial of service (DDoS) attacks over the past few years which have disrupted QoS of network services, thereby violating the Service Level Agreement (SLA) between the client and the Internet Service Provider (ISP). Hence DoS or DDoS attacks are major threats to network QoS. In this paper we survey techniques and solutions that have been deployed to thwart DoS and DDoS attacks and we evaluate them in terms of their impact on network QoS for Internet services. We also present vulnerabilities that can be exploited for QoS protocols and also affect QoS if exploited. In addition, we also highlight challenges that still need to be addressed to achieve end-to-end QoS with recently proposed DoS/DDoS solutions

DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey

Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks are typically explicit attempts to exhaust victim2019;s bandwidth or disrupt legitimate users2019; access to services. Traditional architecture of internet is vulnerable to DDoS attacks and it provides an opportunity to an attacker to gain access to a large number of compromised computers by exploiting their vulnerabilities to set up attack networks or Botnets. Once attack network or Botnet has been set up, an attacker invokes a large-scale, coordinated attack against one or more targets. Asa result of the continuous evolution of new attacks and ever-increasing range of vulnerable hosts on the internet, many DDoS attack Detection, Prevention and Traceback mechanisms have been proposed, In this paper, we tend to surveyed different types of attacks and techniques of DDoS attacks and their countermeasures. The significance of this paper is that the coverage of many aspects of countering DDoS attacks including detection, defence and mitigation, traceback approaches, open issues and research challenges

IP spoofing defense: An introduction

In current Internet communication world, validity of source IP packet is and important issue.The problems of IP spoofing alarm the legitimate user of the Internet.This paper review recent progress of spoofing defenses by various researchers.Techniques and mechanisms proposed are being categorized to better illustrate the deployment and functionality of the mechanism.Overall, this paper summarizes the current anti spoofing mechanism in the Internet