DDoS Defense using MTD and SDN

Distributed large-scale cyber attacks targeting the availability of computing and network resources still remains a serious threat. In order to limit the effects caused by those attacks and to provide a proactive defense, mitigation should move to the networks of Internet Service Providers. In this context, Moving Target Defense (MTD) is a technique that increases uncertainty due to an ever-changing attack surface. In combination with Software Defined Networking (SDN), MTD has the potential to reduce the effects of a large-scale cyber attack. In this paper, we combine the defense techniques moving- target using Software Defined Networking and investigate their effectiveness. We review current moving-target defense strategies and their applicability in context of large-scale cyber attacks and the networks of Internet Service Providers. Further, we enforce the implementation of moving target defense strategies using Software Defined Networks in a collaborative environment. In particular, we focus on ISPs that cooperate among trusted partners. We found that the effects of a large-scale cyber attack can be significantly reduced using the moving-target defense and Software Defined Networking. Moreover, we show that Software Defined Networking is an appropriate approach to enforce implementation of the moving target defense and thus mitigate the effects caused by large-scale cyber attacks

DDoS Mitigation by Blockchain With Approach of Cost Model

Computer networks and internet services are increasingly threatened by attacks like Distributed Denial-of-Service (DDoS). DDoS attack mitigation techniques now in use are ineffective due to a lack of resources and a lack of adaptability. Using blockchains like Ethereum, DDoS attacks can be thwarted in innovative ways. With smart contracts, it is possible to track down the IP addresses of attackers without additional hardware. This study examines blockchain-based solutions to combat DDoS attacks for feasibility, effectiveness, as well as cost and performance. The cost model delves into economic aspects like gas, gas price, and Ether value. In it, the evaluation of various smart contracts for the signalization of DDoS attacks is documented and compared to assess three system variants, analyzing gas costs, deployment, speed, and accuracy. It also details Ethereum's ecosystem and how that affects smart contract design and it also acknowledges scalability challenges and suggests outsourcing data for a more scalable solution, advocating for specialized blockchains for DDoS signaling applications. The analysis provides insights into the gas costs associated with different variants, considering various scenarios and highlighting the trade-offs and efficiencies of each approach

The DNS in IoT:Opportunities, Risks, and Challenges

The Internet of Things (IoT) is widely expected to make our society safer, smarter, and more sustainable. However, a key challenge remains, which is how to protect users and Internet infrastructure operators from attacks on or launched through vast numbers of autonomously operating sensors and actuators. In this article, we discuss how the security extensions of the domain name system (DNS) offer an opportunity to help tackle that challenge, while also outlining the risks that the IoT poses to the DNS in terms of complex and quickly growing IoT-powered distributed denial of service (DDoS) attacks. We identify three challenges for the DNS and IoT industries to seize these opportunities and address the risks, for example, by making DNS security functions (e.g., response verification and encryption) available on popular IoT operating systems

Tennison: A Distributed SDN Framework for Scalable Network Security

Despite the relative maturity of the Internet, the computer networks of today are still susceptible to attack. The necessary distributed nature of networks for wide area connectivity has traditionally led to high cost and complexity in designing and implementing secure networks. With the introduction of software-defined networks (SDNs) and network functions virtualization, there are opportunities for efficient network threat detection and protection. SDN's global view provides a means of monitoring and defense across the entire network. However, current SDN-based security systems are limited by a centralized framework that introduces significant control plane overhead, leading to the saturation of vital control links. In this paper, we introduce TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. TENNISON offers effective and proportionate monitoring and remediation, compatibility with widely available networking hardware, support for legacy networks, and a modular and extensible distributed design. We demonstrate the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. These highlight multiple levels of monitoring, rapid detection, and remediation, and provide a unique insight into the impact of multiple controllers on network attack detection at scale

Per-host DDoS mitigation by direct-control reinforcement learning

DDoS attacks plague the availability of online services today, yet like many cybersecurity problems are evolving and non-stationary. Normal and attack patterns shift as new protocols and applications are introduced, further compounded by burstiness and seasonal variation. Accordingly, it is difficult to apply machine learning-based techniques and defences in practice. Reinforcement learning (RL) may overcome this detection problem for DDoS attacks by managing and monitoring consequences; an agent’s role is to learn to optimise performance criteria (which are always available) in an online manner. We advance the state-of-the-art in RL-based DDoS mitigation by introducing two agent classes designed to act on a per-flow basis, in a protocol-agnostic manner for any network topology. This is supported by an in-depth investigation of feature suitability and empirical evaluation. Our results show the existence of flow features with high predictive power for different traffic classes, when used as a basis for feedback-loop-like control. We show that the new RL agent models can offer a significant increase in goodput of legitimate TCP traffic for many choices of host density

Packet filter performance monitor (anti-DDOS algorithm for hybrid topologies)

DDoS attacks are increasingly becoming a major problem. According to Arbor Networks, the largest DDoS attack reported by a respondent in 2015 was 500 Gbps. Hacker News stated that the largest DDoS attack as of March 2016 was over 600 Gbps, and the attack targeted the entire BBC website. With this increasing frequency and threat, and the average DDoS attack duration at about 16 hours, we know for certain that DDoS attacks will not be going away anytime soon. Commercial companies are not effectively providing mitigation techniques against these attacks, considering that major corporations face the same challenges. Current security appliances are not strong enough to handle the overwhelming traffic that accompanies current DDoS attacks. There is also a limited research on solutions to mitigate DDoS attacks. Therefore, there is a need for a means of mitigating DDoS attacks in order to minimize downtime. One possible solution is for organizations to implement their own architectures that are meant to mitigate DDoS attacks. In this dissertation, we present and implement an architecture that utilizes an activity monitor to change the states of firewalls based on their performance in a hybrid network. Both firewalls are connected inline. The monitor is mirrored to monitor the firewall states. The monitor reroutes traffic when one of the firewalls become overwhelmed due to a HTTP DDoS flooding attack. The monitor connects to the API of both firewalls. The communication between the rewalls and monitor is encrypted using AES, based on PyCrypto Python implementation. This dissertation is structured in three parts. The first found the weakness of the hardware firewall and determined its threshold based on spike and endurance tests. This was achieved by flooding the hardware firewall with HTTP packets until the firewall became overwhelmed and unresponsive. The second part implements the same test as the first, but targeted towards the virtual firewall. The same parameters, test factors, and determinants were used; however a different load tester was utilized. The final part was the implementation and design of the firewall performance monitor. The main goal of the dissertation is to minimize downtime when network firewalls are overwhelmed as a result of a DDoS attack

Security Mechanisms for a Cooperative Firewall

The growing number of mobile users and mobile broadband subscriptions around the world calls for support of mobility in the Internet and also demands more addresses from the already depleting IP address space. The deployment of Network Address Translation (NAT) at network edges to extend the lifetime of IPv4 address space introduced the reachability problem in the Internet. While various NAT traversal proposals have attempted to solve the reachability problem, no perfect solution for mobile devices has been proposed. A solution is proposed at COMNET department of Aalto University, which is called Customer Edge Switching and it has resulted in a prototype called Customer Edge Switches (CES). While it addresses many of the current Internet issues i.e. reachability problem, IPv4 address space depletion, so far security has generally been considered out of scope. This thesis aims at identifying the security vulnerabilities present within the CES architecture. The architecture is secured against various network attacks by presenting a set of security models. The evaluation and performance analysis of these security models proves that the CES architecture is secured against various network attacks only by introducing minimal delay in connection establishment. The delay introduced does not affect the normal communication pattern and the sending host does not notice a difference compared to the current situation. For legacy interworking a CES can have the Private Realm Gateway (PRGW) function. The security mechanisms for PRGW also generate promising results in terms of security. The thesis further contributes towards security by discussing a set of deployment models for PRGW and CES-to-CES communication

An Inter-domain Collaboration Scheme to Remedy DDoS Attacks in Computer Networks

Distributed Denial-of-Service (DDoS) attacks continue to trouble network operators and service providers, and with increasing intensity. Effective response to DDoS can be slow (because of manual diagnosis and interaction) and potentially self-defeating (as indiscriminate filtering accomplishes a likely goal of the attacker), and this is the result of the discrepancy between the service provider's flow-based, application-level view of traffic and the network operator's packet-based, network-level view and limited functionality. Furthermore, a network required to take action may be in an Autonomous System (AS) several AS-hops away from the service, so it has no direct relationship with the service on whose behalf it acts. This paper presents Antidose, a means of interaction between a vulnerable peripheral service and an indirectly related AS that allows the AS to confidently deploy local filtering with discrimination under the control of the remote service. We implement the core filtering mechanism of Antidose, and provide an analysis of it to demonstrate that conscious attacks against the mechanism will not expose the AS to additional attacks. We present a performance evaluation to show that the mechanism is operationally feasible in the emerging trend of operators' willingness to increase the programmability of their hardware with SDN technologies such as OpenFlow, as well as to act to mitigate attacks on downstream customers