Defense-through-Deception Network Security Model: Securing University Campus Network from DOS/DDOS Attack

Denial of Service (DOS) and (DDOS) Distributed Denial of Service attacks have become a major security threat to university campus network security since most of the students and teachers prepare online services such as enrolment, grading system, library etc. Therefore, the issue of network security has become a priority to university campus network management. Using online services in university network can be easily compromised. However, traditional security mechanisms approach such as Defense-In-Depth (DID) Model is outdated in today’s complex network and DID Model has been used as a primary cybersecurity defense model in the university campus network today. However, university administration should realize that Defense-In-Depth (DID) are playing an increasingly limited role in DOS/DDoS protection and this paper brings this fact to light. This paper presents that the Defense-In-Depth (DID) is not capable of defending complex and volatile DOS/DDOS attacks effectively. The test results were presented in this study in order to support our claim. The researchers established a Defense-In-Depth (DID) Network model at the Central Luzon State University and penetrated the Network System using DOS/DDOS attack to simulate the real network scenario. This paper also presents the new approach Defense-through-Deception network security model that improves the traditional passive protection by applying deception techniques to them that give insights into the limitations posed by the Defense-In-Depth (DID) Model. Furthermore, this model is designed to prevent an attacker who has already entered the network from doing damage

Iowa Communications Network: DDoS Mitigation, March 6, 2019

ICN’s premier network-based DDoS Mitigation service, delivers a strong cyber security layered defense against intruders. As DDoS attacks continue to rise in size, frequency, and complexity, organizations must take a layered approach to help aid in comprehensive protection

Intrusion detection routers: Design, implementation and evaluation using an experimental testbed

In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attack. The evaluation is conducted using an experimental testbed. The system, known as intrusion detection router (IDR), is deployed on network routers to perform online detection on any DDoS attack event, and then react with defense mechanisms to mitigate the attack. The testbed is built up by a cluster of sufficient number of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks. © 2006 IEEE.published_or_final_versio

A senior design project on network security

Distributed denial-of-service (DDoS) attack is a rapidly growing threat to today’s Internet. Significant works have been done in this field. It is vital to incorporate the latest development of technology into academic programs to provide training and education to students and professionals. In this paper, we present the design and implementation of a senior design project named DDoS Attack, Detection and Defense Simulation. We aim to build a test bed and configure the network environment to simulate “real-world” DDoS attack, detection and defense. We study several DDoS attack tools, as well as some commonly-used DDoS detection and defense software. We perform extensive tests, collect and analyze the experimental data, and draw our conclusions. This is an on-going project. Some preliminary results have been reported here. The purpose of this project is to help students to apply their technical skills and knowledge on a simulated “real world” project, and gain better understanding and more hands-on experience on Internet security, especially DDoS attack, detection and defense mechanisms

Classifying DDoS packets in high-speed networks

Recently high-speed networks have been utilized by attackers as Distributed Denial of Service (DDoS) attack infrastructure. Services on high-speed networks also have been attacked by successive waves of the DDoS attacks. How to sensitively and accurately detect the attack traffic, and quickly filter out the attack packets are still the major challenges in DDoS defense. Unfortunately most current defense approaches can not efficiently fulfill these tasks. Our approach is to find the network anomalies by using neural network and classify DDoS packets by a Bloom filter-based classifier (BFC). BFC is a set of spaceefficient data structures and algorithms for packet classification. The evaluation results show that the simple complexity, high classification speed and accuracy and low storage requirements of this classifier make it not only suitable for DDoS filtering in high-speed networks, but also suitable for other applications such as string matching for intrusion detection systems and IP lookup for programmable routers.<br /

Mark-aided distributed filtering by using neural network for DDoS defense

Currently Distributed Denial of Service (DDoS) attacks have been identified as one of the most serious problems on the Internet. The aim of DDoS attacks is to prevent legitimate users from accessing desired resources, such as network bandwidth. Hence the immediate task of DDoS defense is to provide as much resources as possible to legitimate users when there is an attack. Unfortunately most current defense approaches can not efficiently detect and filter out attack traffic. Our approach is to find the network anomalies by using neural network, deploy the system at distributed routers, identify the attack packets, and then filter them. The marks in the IP header that are generated by a group of IP traceback schemes, Deterministic Packet Marking (DPM)/Flexible Deterministic Packet Marking (FDPM), assist this process of identifying attack packets. The experimental results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks&rsquo; characteristic of starting from multiple sources to a single victim. According to results, we find the marks in IP headers can enhance the sensitivity and accuracy of detection, thus improve the legitimate traffic throughput and reduce attack traffic throughput. Therefore, it can perform well in filtering DDoS attack traffic precisely and effectively.<br /

Distributed Denial-of-Service Defense System

Distributed denial-of-service (DoS) attacks present a great threat to the Internet, and existing security mechanisms cannot detect or stop them successfully. The problem lies in the distributed nature of attacks, which engages the power of a vast number of coordinated hosts. To mitigate the impacts of DDoS attacks, it is important to develop such defenses system that canbothdetect andreact against ongoing attacks. The attacks ideally should be stopped as close to the sources as possible, saving network resources andreducing congestion. The DDoS defense system that is deployed at the source-end should prevent the machines at associated network from participating in DDoS attacks. The primary objective of this project, which is developing a DDoS defense system, is to provide good service to a victim's legitimate clients during the attack, thus canceling the denial-of-service effect. The scope of study will coverthe aspect of howthe attack detection algorithms work and identify the attack traffic, hence develop appropriate attack responses. As a source-end defense against DDoS attacks, the attack flows can be stopped before they enter the Internet core and before they aggregate with other attack flows. The methodology chosen for this project is the combination of sequential and iterative approaches of the software development process, which comprises of six main phases, which are initial planning phase, requirement definition phase, system design phase, coding and testing phase, implementation phase, and lastly maintenance and support phase. The system used a source router approach, in which the source router serves as a gateway between the source network containing some of the attack nodes and the rest of the Internet, to detectand limitDDoS streams long before they reach the target. This will be covered in the Findings section of the report. TheDiscussion section will be focus more onthe architecture onthe system, which having three important component; observation, rate-limiting and traffic-policing

A Robust Mechanism for Defending Distributed Denial OF Service Attacks on Web Servers

Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate sate of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web-server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. Simulations carried out on the proposed mechanism have produced results that demonstrate effectiveness of the proposed defense mechanism against DDoS attacks.Comment: 18 pages, 3 figures, 5 table

Flow-oriented anomaly-based detection of denial of service attacks with flow-control-assisted mitigation

Flooding-based distributed denial-of-service (DDoS) attacks present a serious and major threat to the targeted enterprises and hosts. Current protection technologies are still largely inadequate in mitigating such attacks, especially if they are large-scale. In this doctoral dissertation, the Computer Network Management and Control System (CNMCS) is proposed and investigated; it consists of the Flow-based Network Intrusion Detection System (FNIDS), the Flow-based Congestion Control (FCC) System, and the Server Bandwidth Management System (SBMS). These components form a composite defense system intended to protect against DDoS flooding attacks. The system as a whole adopts a flow-oriented and anomaly-based approach to the detection of these attacks, as well as a control-theoretic approach to adjust the flow rate of every link to sustain the high priority flow-rates at their desired level. The results showed that the misclassification rates of FNIDS are low, less than 0.1%, for the investigated DDOS attacks, while the fine-grained service differentiation and resource isolation provided within the FCC comprise a novel and powerful built-in protection mechanism that helps mitigate DDoS attacks