Denial-of-service attack modelling and detection for HTTP/2 services

Businesses and society alike have been heavily dependent on Internet-based services, albeit with experiences of constant and annoying disruptions caused by the adversary class. A malicious attack that can prevent establishment of Internet connections to web servers, initiated from legitimate client machines, is termed as a Denial of Service (DoS) attack; volume and intensity of which is rapidly growing thanks to the readily available attack tools and the ever-increasing network bandwidths. A majority of contemporary web servers are built on the HTTP/1.1 communication protocol. As a consequence, all literature found on DoS attack modelling and appertaining detection techniques, addresses only HTTP/1.x network traffic. This thesis presents a model of DoS attack traffic against servers employing the new communication protocol, namely HTTP/2. The HTTP/2 protocol significantly differs from its predecessor and introduces new messaging formats and data exchange mechanisms. This creates an urgent need to understand how malicious attacks including Denial of Service, can be launched against HTTP/2 services. Moreover, the ability of attackers to vary the network traffic models to stealthy affects web services, thereby requires extensive research and modelling. This research work not only provides a novel model for DoS attacks against HTTP/2 services, but also provides a model of stealthy variants of such attacks, that can disrupt routine web services. Specifically, HTTP/2 traffic patterns that consume computing resources of a server, such as CPU utilisation and memory consumption, were thoroughly explored and examined. The study presents four HTTP/2 attack models. The first being a flooding-based attack model, the second being a distributed model, the third and fourth are variant DoS attack models. The attack traffic analysis conducted in this study employed four machine learning techniques, namely Naïve Bayes, Decision Tree, JRip and Support Vector Machines. The HTTP/2 normal traffic model portrays online activities of human users. The model thus formulated was employed to also generate flash-crowd traffic, i.e. a large volume of normal traffic that incapacitates a web server, similar in fashion to a DoS attack, albeit with non-malicious intent. Flash-crowd traffic generated based on the defined model was used to populate the dataset of legitimate network traffic, to fuzz the machine learning-based attack detection process. The two variants of DoS attack traffic differed in terms of the traffic intensities and the inter-packet arrival delays introduced to better analyse the type and quality of DoS attacks that can be launched against HTTP/2 services. A detailed analysis of HTTP/2 features is also presented to rank relevant network traffic features for all four traffic models presented. These features were ranked based on legitimate as well as attack traffic observations conducted in this study. The study shows that machine learning-based analysis yields better classification performance, i.e. lower percentage of incorrectly classified instances, when the proposed HTTP/2 features are employed compared to when HTTP/1.1 features alone are used. The study shows how HTTP/2 DoS attack can be modelled, and how future work can extend the proposed model to create variant attack traffic models that can bypass intrusion-detection systems. Likewise, as the Internet traffic and the heterogeneity of Internet-connected devices are projected to increase significantly, legitimate traffic can yield varying traffic patterns, demanding further analysis. The significance of having current legitimate traffic datasets, together with the scope to extend the DoS attack models presented herewith, suggest that research in the DoS attack analysis and detection area will benefit from the work presented in this thesis

Packet filter performance monitor (anti-DDOS algorithm for hybrid topologies)

DDoS attacks are increasingly becoming a major problem. According to Arbor Networks, the largest DDoS attack reported by a respondent in 2015 was 500 Gbps. Hacker News stated that the largest DDoS attack as of March 2016 was over 600 Gbps, and the attack targeted the entire BBC website. With this increasing frequency and threat, and the average DDoS attack duration at about 16 hours, we know for certain that DDoS attacks will not be going away anytime soon. Commercial companies are not effectively providing mitigation techniques against these attacks, considering that major corporations face the same challenges. Current security appliances are not strong enough to handle the overwhelming traffic that accompanies current DDoS attacks. There is also a limited research on solutions to mitigate DDoS attacks. Therefore, there is a need for a means of mitigating DDoS attacks in order to minimize downtime. One possible solution is for organizations to implement their own architectures that are meant to mitigate DDoS attacks. In this dissertation, we present and implement an architecture that utilizes an activity monitor to change the states of firewalls based on their performance in a hybrid network. Both firewalls are connected inline. The monitor is mirrored to monitor the firewall states. The monitor reroutes traffic when one of the firewalls become overwhelmed due to a HTTP DDoS flooding attack. The monitor connects to the API of both firewalls. The communication between the rewalls and monitor is encrypted using AES, based on PyCrypto Python implementation. This dissertation is structured in three parts. The first found the weakness of the hardware firewall and determined its threshold based on spike and endurance tests. This was achieved by flooding the hardware firewall with HTTP packets until the firewall became overwhelmed and unresponsive. The second part implements the same test as the first, but targeted towards the virtual firewall. The same parameters, test factors, and determinants were used; however a different load tester was utilized. The final part was the implementation and design of the firewall performance monitor. The main goal of the dissertation is to minimize downtime when network firewalls are overwhelmed as a result of a DDoS attack

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN is Distributed Denial of Service (DDoS) attacks. Even though DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks which has not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from confidence interval obtained from the normal distribution of throughput polled without attack from the server. Furthermore, sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack by introducing white Gaussian noise and evaluating the local sensitivity using feed-forward artificial neural network is evaluated. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks

IP traceback marking scheme based DDoS defense.

Ping Yan.Thesis submitted in: December 2004.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 93-100).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- INTRODUCTION --- p.1Chapter 1.1 --- The Problem --- p.1Chapter 1.2 --- Research Motivations and Objectives --- p.3Chapter 1.3 --- The Rationale --- p.8Chapter 1.4 --- Thesis Organization --- p.9Chapter 2 --- BACKGROUND STUDY --- p.10Chapter 2.1 --- Distributed Denial of Service Attacks --- p.10Chapter 2.1.1 --- Taxonomy of DoS and DDoS Attacks --- p.13Chapter 2.2 --- IP Traceback --- p.17Chapter 2.2.1 --- Assumptions --- p.18Chapter 2.2.2 --- Problem Model and Performance Metrics --- p.20Chapter 2.3 --- IP Traceback Proposals --- p.24Chapter 2.3.1 --- Probabilistic Packet Marking (PPM) --- p.24Chapter 2.3.2 --- ICMP Traceback Messaging --- p.26Chapter 2.3.3 --- Logging --- p.27Chapter 2.3.4 --- Tracing Hop-by-hop --- p.29Chapter 2.3.5 --- Controlled Flooding --- p.30Chapter 2.4 --- DDoS Attack Countermeasures --- p.30Chapter 2.4.1 --- Ingress/Egress Filtering --- p.33Chapter 2.4.2 --- Route-based Distributed Packet Filtering (DPF) --- p.34Chapter 2.4.3 --- IP Traceback Based Intelligent Packet Filtering --- p.35Chapter 2.4.4 --- Source-end DDoS Attack Recognition and Defense --- p.36Chapter 2.4.5 --- Classification of DDoS Defense Methods --- p.38Chapter 3 --- ADAPTIVE PACKET MARKING SCHEME --- p.41Chapter 3.1 --- Scheme Overview --- p.41Chapter 3.2 --- Adaptive Packet Marking Scheme --- p.44Chapter 3.2.1 --- Design Motivation --- p.44Chapter 3.2.2 --- Marking Algorithm Basics --- p.46Chapter 3.2.3 --- Domain id Marking --- p.49Chapter 3.2.4 --- Router id Marking --- p.51Chapter 3.2.5 --- Attack Graph Reconstruction --- p.53Chapter 3.2.6 --- IP Header Overloading --- p.56Chapter 3.3 --- Experiments on the Packet Marking Scheme --- p.59Chapter 3.3.1 --- Simulation Set-up --- p.59Chapter 3.3.2 --- Experimental Results and Analysis --- p.61Chapter 4 --- DDoS DEFENSE SCHEMES --- p.67Chapter 4.1 --- Scheme I: Packet Filtering at Victim-end --- p.68Chapter 4.1.1 --- Packet Marking Scheme Modification --- p.68Chapter 4.1.2 --- Packet Filtering Algorithm --- p.69Chapter 4.1.3 --- Determining the Filtering Probabilities --- p.70Chapter 4.1.4 --- Suppressing Packets Filtering with did Markings from Nearby Routers --- p.73Chapter 4.2 --- Scheme II: Rate Limiting at the Sources --- p.73Chapter 4.2.1 --- Algorithm of the Rate-limiting Scheme --- p.74Chapter 4.3 --- Performance Measurements for Scheme I & Scheme II . --- p.77Chapter 5 --- CONCLUSION --- p.87Chapter 5.1 --- Contributions --- p.87Chapter 5.2 --- Discussion and Future Work --- p.91Bibliography --- p.10

Resource Exhaustion Attack Detection Scheme for WLAN Using Artificial Neural Network

IEEE 802.11 Wi-Fi networks are prone to many denial of service (DoS) attacks due to vulnerabilities at the media access control (MAC) layer of the 802.11 protocol. Due to the data transmission nature of the wireless local area network (WLAN) through radio waves, its communication is exposed to the possibility of being attacked by illegitimate users. Moreover, the security design of the wireless structure is vulnerable to versatile attacks. For example, the attacker can imitate genuine features, rendering classification-based methods inaccurate in differentiating between real and false messages. Although many security standards have been proposed over the last decades to overcome many wireless network attacks, effectively detecting such attacks is crucial in today’s real-world applications. This paper presents a novel resource exhaustion attack detection scheme (READS) to detect resource exhaustion attacks effectively. The proposed scheme can differentiate between the genuine and fake management frames in the early stages of the attack such that access points can effectively mitigate the consequences of the attack. The scheme is built through learning from clustered samples using artificial neural networks to identify the genuine and rogue resource exhaustion management frames effectively and efficiently in the WLAN. The proposed scheme consists of four modules which make it capable to alleviates the attack impact more effectively than the related work. The experimental results show the effectiveness of the proposed technique by gaining an 89.11% improvement compared to the existing works in terms of detection

From Intrusion Detection to an Intrusion Response System: Fundamentals, Requirements, and Future Directions

In the past few decades, the rise in attacks on communication devices in networks has resulted in a reduction of network functionality, throughput, and performance. To detect and mitigate these network attacks, researchers, academicians, and practitioners developed Intrusion Detection Systems (IDSs) with automatic response systems. The response system is considered an important component of IDS, since without a timely response IDSs may not function properly in countering various attacks, especially on a real-time basis. To respond appropriately, IDSs should select the optimal response option according to the type of network attack. This research study provides a complete survey of IDSs and Intrusion Response Systems (IRSs) on the basis of our in-depth understanding of the response option for different types of network attacks. Knowledge of the path from IDS to IRS can assist network administrators and network staffs in understanding how to tackle different attacks with state-of-the-art technologies

To NACK or not to NACK? Negative Acknowledgments in Information-Centric Networking

Information-Centric Networking (ICN) is an internetworking paradigm that offers an alternative to the current IP\nobreakdash-based Internet architecture. ICN's most distinguishing feature is its emphasis on information (content) instead of communication endpoints. One important open issue in ICN is whether negative acknowledgments (NACKs) at the network layer are useful for notifying downstream nodes about forwarding failures, or requests for incorrect or non-existent information. In benign settings, NACKs are beneficial for ICN architectures, such as CCNx and NDN, since they flush state in routers and notify consumers. In terms of security, NACKs seem useful as they can help mitigating so-called Interest Flooding attacks. However, as we show in this paper, network-layer NACKs also have some unpleasant security implications. We consider several types of NACKs and discuss their security design requirements and implications. We also demonstrate that providing secure NACKs triggers the threat of producer-bound flooding attacks. Although we discuss some potential countermeasures to these attacks, the main conclusion of this paper is that network-layer NACKs are best avoided, at least for security reasons.Comment: 10 pages, 7 figure