Strategies for handling application-layer denial-of-service attacks in IP networks
Distributed Denial of Service (DDoS) attacks remain among the most dangerous and noticeable attacks on the Internet. Differently from previous attacks, many recent DDoS attacks have not been carried out over the Transport Layer, but over the Application Layer. The main difference is that in the latter, an attacker can target a particular application of the server, while leaving the other applications still available, thus generating less traffic and being harder to detect. Such attacks are possible by exploiting application layer protocols used by the target application. This work proposes a novel defense, called SeVen, for Application Layer DDoS attacks (ADDoS) based on the Adaptive Selective Verification (ASV) defense used for Transport Layer DDoS attacks. We used two approaches to validate SeVen: 1) Simulation: the entire defense mechanism was formalized in the Maude tool and simulated using the statistical model checker PVeStA. 2) Real scenario experiments: analysis of the efficiency of SeVen, implemented in C++, in a real experiment on the network. We investigate the resilience for mitigating three attacks using the HTTP protocol: HTTP-POST, Slowloris, and HTTP-GET. The defence is effective, with high levels of availability, for all three types of attacks, despite their different attack profiles, and even for a relatively large number of attackers.

Distributed Denial of Service (DDoS) attacks are among the most dangerous attacks on the Internet. The approaches behind these attacks have been changing in recent years: the most recent DDoS attacks have not been carried out at the transport layer but at the application layer. The main difference is that, in the latter, an attacker can direct the attack at a specific application of the server, generating less network traffic and becoming harder to detect. Such attacks exploit some peculiarities of the protocols used at the application layer. This work proposes SeVen, a probabilistic defense mechanism for mitigating application-layer DDoS attacks, based on Adaptive Selective Verification (ASV), a defense mechanism for transport-layer DDoS attacks. Two approaches were used to validate SeVen: 1) Simulation: the entire defense mechanism was formalized in the rewriting-logic-based computational tool Maude and simulated using a statistical model checker (PVeStA). 2) Network experiments: analysis of the efficiency of SeVen, implemented in C++, in a real experiment on the network. In particular, three attacks directed at the HTTP protocol were investigated: GET FLOOD, Slowloris and POST. In these attacks, despite their different profiles, SeVen achieved a high level of availability.
Slow TCAM Exhaustion DDoS Attack
Part 1: Network Security and Cyber Attacks
Software Defined Networks (SDN) facilitate network management by decoupling the data plane, which forwards packets using efficient switches, from the control plane, leaving the decisions on how packets should be forwarded to a (centralized) controller. However, due to limitations on the number of forwarding rules a switch can store in its TCAM memory, SDN networks have been subject to saturation and TCAM exhaustion attacks, where the attacker is able to deny service by forcing a target switch to install a great number of rules. An underlying assumption is that these attacks are carried out by sending a high rate of unique packets. This paper shows that this assumption is not necessarily true and that SDNs are vulnerable to Slow TCAM exhaustion attacks (Slow-TCAM). We analyse this attack, arguing that existing defenses for saturation and TCAM exhaustion attacks are not able to mitigate Slow-TCAM due to its relatively low traffic rate. We then propose a novel defense called SIFT, based on selective strategies, demonstrating its effectiveness against the Slow-TCAM attack.
On the Accuracy of Formal Verification of Selective Defenses for TDoS Attacks
Telephony Denial of Service (TDoS) attacks target telephony services, such as Voice over IP (VoIP), preventing legitimate users from making calls. There are few defenses that attempt to mitigate TDoS attacks, most of them using IP filtering, with limited applicability. In our previous work, we proposed to use selective strategies for mitigating HTTP Application-Layer DDoS attacks, demonstrating their effectiveness in mitigating different types of attacks. Developing such types of defenses is challenging as there are many design options, e.g., which dropping functions and selection algorithms to use. Our first contribution is to demonstrate, both experimentally and by using formal verification, that selective strategies are suitable for mitigating TDoS attacks. We used our formal model to help decide which selective strategies to use with much less effort than carrying out experiments. Our second contribution is a detailed comparison of the results obtained from our formal models and the results obtained by carrying out experiments. We demonstrate that formal methods are a powerful tool for specifying defenses for mitigating Distributed Denial of Service attacks, allowing us to increase our confidence in the proposed defense before actual implementation.