69 research outputs found

    An authentication scheme to defend against UDP DrDoS attacks in 5G networks

    5th generation wireless systems are coming. While we are excited about the delay-free high speeds 5G will bring, security problems are becoming more and more serious. Increasingly rampant Distributed Denial of Service (DDoS) attacks, particularly Distributed Reflection Denial of Service (DrDoS) attacks with User Datagram Protocols (UDPs) have developed into a global problem. This article presents a design, implementation, analysis, and experimental evaluation of an authentication scheme, a defense against UDP DrDoS attacks, by which attackers cleverly use rebound server farms to bounce a flood of packets to a target host. We call our solution IEWA because it combines the concepts of increasing expenses and weak authentication. In this paper, we apply IEWA to Network Time Protocol (NTP). First, we simulate and compare the original and improved protocols. Next, we verify the effectiveness of our proposed scheme. We show that our improved scheme is safer than the original scheme. Finally, we compare our solution with existing state-of-the-art schemes, using indicators such as communication overhead, server storage costs, client storage costs, computation costs of server and computation costs of client. We find that our scheme improves system stability and security, reduces communication overhead, server storage cost and computational costs. Our solution not only improves the NTP protocol to mitigate DrDoS attacks, but also strengthens other UDP protocols that are vulnerable to DrDoS attacks. Therefore, our solution can be used as a solution to UDP DrDoS attacks in 5G Network

    A new proactive feature selection model based on the enhanced optimization algorithms to detect DRDoS attacks

    Cyberattacks have grown steadily over the last few years. The distributed reflection denial of service (DRDoS) attack has been rising, a new variant of distributed denial of service (DDoS) attack. DRDoS attacks are more difficult to mitigate due to the dynamics and the attack strategy of this type of attack. The number of features influences the performance of the intrusion detection system by investigating the behavior of traffic. Therefore, the feature selection model improves the accuracy of the detection mechanism and also reduces the time of detection by reducing the number of features. The proposed model aims to detect DRDoS attacks based on the feature selection model, and this model is called the proactive feature selection (PFS) model. This model uses a nature-inspired optimization algorithm for the feature subset selection. Three machine learning algorithms, i.e., k-nearest neighbor (KNN), random forest (RF), and support vector machine (SVM), were evaluated as the potential classifier for evaluating the selected features. We have used the CICDDoS2019 dataset for evaluation purposes. The performance of each classifier is compared to previous models. The results indicate that the suggested model works better than the current approaches providing a higher detection rate (DR), a low false-positive rate (FPR), and increased accuracy detection (DA). The PFS model shows better accuracy to detect DRDoS attacks with 89.59%

    Distributed reflection denial of service attack: A critical review

    As the world becomes increasingly connected and the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. A denial-of-service (DoS) attack is accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as distributed reflection denial-of-service attack (DRDoS). This type of attack is considered to be a more severe variant of the DoS attack and can be conducted in transmission control protocol (TCP) and user datagram protocol (UDP). However, this attack is not effective in the TCP protocol due to the three-way handshake approach that prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS attacks

    Discriminating DRDoS Packets using Time Interval Analysis

    Distributed Reflection Denial of Service (DRDoS) attack is one of the critical security threats. As the attack generates unidirectional traffic, it is not easy for the targets of the attack to protect themselves. To mitigate the attack, we need a defense mechanism installed at backbone networks, i.e., detecting and blocking the attack traffic before they reach to the destinations. A conventional approach is to monitor the traffic volume of the attack, i.e., an attack is detected if the observed traffic volume exceeds a certain threshold. However, such a simple approach may not work when an attacker adjusts the traffic volume to evade the detection. This paper proposes a novel method that can detect the DRDoS attacks accurately. The key idea is to leverage the characteristics of time intervals between the packets. We make use of the K-means clustering algorithm to find the best threshold values used to distinguish packets associated with DRDoS attacks. We implement the proposed algorithm into an equipment at a data center and demonstrate that our approach attains high accuracy

    Detecting DRDoS Attacks using Honeypot

    DAB (Digital Audio Broadcasting) is the radio digital system developed as a European standard by the ETSI, EN 300 400, based on the Eureka-147 group works, to improve the performance of the analogue radio systems (AM and FM). The system is based on the OFDM technology which allows DAB to exploit the spectrum frequencies in a better way with a higher quality of sound for mobile receivers specially. The main part of the OFDM system is based on the FFT algorithms to spread the data flow over different orthogonal carriers. The simulation has been developed in Simulink™ and Matlab™ and the layout designed follows faithfully the standard for the transmission system. The simulation can be reloaded by the user with the information presented in this thesis. Thus, this work can be continued to complete the DAB whole system simulation. The results obtained running this simulation show the main DAB system characteristics

    Detecting DRDoS Attacks using Honeypot


    Uncovering Vulnerable Industrial Control Systems from the Internet Core

    Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks

    Discriminating DDoS flows from flash crowds using information distance

    Discriminating DDoS flooding attacks from flash crowds poses a tough challenge for the network security community. Because of the vulnerability of the original design of the Internet, attackers can easily mimic the patterns of legitimate network traffic to fly under the radar. The existing fingerprint or feature based algorithms are incapable of detecting new attack strategies. In this paper, we aim to differentiate DDoS attack flows from flash crowds. We are motivated by the following fact: the attack flows are generated by the same prebuilt program (attack tools), however, flash crowds come from randomly distributed users all over the Internet. Therefore, the flow similarity among DDoS attack flows is much stronger than that among flash crowds. We employ abstract distance metrics, the Jeffrey distance, the Sibson distance, and the Hellinger distance to measure the similarity among flows to achieve our goal. We compared the three metrics and found that the Sibson distance is the most suitable one for our purpose. We apply our algorithm to the real datasets and the results indicate that the proposed algorithm can differentiate them with an accuracy around 65%.