TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.
TL;DR: The goal of the paper is to place some order into the existing attack and defense mechanisms, so that a better understanding of DDoS attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed.
TL;DR: DDoS attack models are described and taxonomies to characterize the scope of DDoS attacks, the characteristics of the software attack tools used, and the countermeasures available are proposed to assist in the development of more generalized solutions to countering DDoS attacks.
Abstract: Distributed Denial of Service (DDoS) attacks have become a large problem for users of computer systems connected to the Internet. DDoS attackers hijack secondary victim systems, using them to wage a coordinated large-scale attack against primary victim systems. As new countermeasures are developed to prevent or mitigate DDoS attacks, attackers are constantly developing new methods to circumvent these new countermeasures. In this paper, we describe DDoS attack models and propose taxonomies to characterize the scope of DDoS attacks, the characteristics of the software attack tools used, and the countermeasures available. These taxonomies illustrate similarities and patterns in different DDoS attacks and tools, to assist in the development of more generalized solutions to countering DDoS attacks, including new derivative attacks.
TL;DR: This work evaluates the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network, and demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.
Abstract: We propose an architecture called secure overlay services (SOS) that proactively prevents denial of service (DoS) attacks, including distributed (DDoS) attacks; it is geared toward supporting emergency services, or similar types of communication. The architecture uses a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by: 1) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic and 2) introducing randomness and anonymity into the forwarding architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels. Our performance measurements using a prototype implementation indicate an increase in end-to-end latency by a factor of two for the general case, and an average heal time of less than 10 s.
TL;DR: Wang et al., as mentioned in this paper, proposed a simple but robust scheme to detect denial of service attacks by monitoring the increase of new IP addresses, which makes it hard for the attacker to counter this detection scheme by changing their attack signature.
Abstract: In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes, which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.
TL;DR: A key idea is to prioritize packets based on a per-packet score which estimates the legitimacy of a packet given the attribute values it carries, and perform score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets.
Abstract: Distributed denial of service (DDoS) attack is a critical threat to the Internet. Currently, most ISPs merely rely on manual detection of DDoS attacks, after which offline fine-grain traffic analysis is performed and new filtering rules are installed manually on the routers. The need for human intervention results in poor response time and fails to protect the victim before severe damages are realized. The expressiveness of existing filtering rules is also too limited and rigid when compared to the ever-evolving characteristics of the attacking packets. Recently, we have proposed a DDoS defense architecture that supports distributed detection and automated on-line attack characterization. We focus on the design and evaluation of the automated attack characterization, selective packet discarding and overload control portion of the proposed architecture. Our key idea is to prioritize packets based on a per-packet score which estimates the legitimacy of a packet given the attribute values it carries. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation. Once the score of a packet is computed, we perform score-based selective packet discarding where the dropping threshold is dynamically adjusted based on (1) the score distribution of recent incoming packets and (2) the current level of overload of the system.
TL;DR: In this article, the authors present a suite of actions that can be taken before, during, and after an attack to improve the resilience of a network against denial-of-service (DoS) attacks.
Abstract: Suddenly your Web server becomes unavailable. When you investigate, you realize that a flood of packets is surging into your network. You have just become one of the hundreds of thousands of victims of a denial-of-service attack, a pervasive and growing threat to the Internet. What do you do? Internet Denial of Service sheds light on a complex and fascinating form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide. It tells the network administrator, corporate CTO, incident responder, and student how DDoS attacks are prepared and executed, how to think about DDoS, and how to arrange computer and network defenses. It also provides a suite of actions that can be taken before, during, and after an attack. Inside, you'll find comprehensive information on the following topics: how denial-of-service attacks are waged; how to improve your network's resilience to denial-of-service attacks; what to do when you are involved in a denial-of-service attack; the laws that apply to these attacks and their implications; how often denial-of-service attacks occur, how strong they are, and the kinds of damage they can cause; and real examples of denial-of-service attacks as experienced by the attacker, victim, and unwitting accomplices. The authors' extensive experience in handling denial-of-service attacks and researching defense approaches is laid out clearly in practical, detailed terms.
TL;DR: A metric to determine whether one version of a system is relatively more secure than another with respect to the system's attack surface is proposed, demonstrated and validated by measuring the relative attack surface of four versions of the Linux operating system.
Abstract: We propose a metric to determine whether one version of a system is relatively more secure than another with respect to the system's attack surface. Intuitively, the more exposed the attack surface, the more likely the system could be successfully attacked, and hence the more insecure it is. We define an attack surface in terms of the system's actions that are externally visible to its users and the system's resources that each action accesses or modifies. To apply our metric in practice, rather than consider all possible system resources, we narrow our focus on a "relevant" subset of resource types, which we call attack classes; these reflect the types of system resources that are more likely to be targets of attack. We assign payoffs to attack classes to represent likelihoods of attack; resources in an attack class with a high payoff value are more likely to be targets or enablers of an attack than resources in an attack class with a low payoff value. We outline a method to identify attack classes and to measure a system's attack surface. We demonstrate and validate our method by measuring the relative attack surface of four different versions of the Linux operating system. Keywords: Security metrics, attack, attack class, attack surface, threat modeling
TL;DR: This paper proposes to discover the DDoS attacking signature by analyzing the TCP/IP packet header against well-defined rules and conditions, and to distinguish the difference between normal and abnormal traffic.
Abstract: Recently, the detection of distributed denial of service (DDoS) and the discovery of the DDoS attacking signature have used the means of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of a DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of an attack. Moreover, it is very difficult to distinguish the difference between unusually high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against well-defined rules and conditions, and to distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacks, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.
TL;DR: A characterization of distributed denial of service (DDOS) defenses where reaction points are network-based and attack responses are active is proposed, which will provide practitioners and academia with insights into deploying DDOS defense as network services.
TL;DR: This paper introduces a generic DDoS attack detection mechanism as well as the design and setup of a testbed for performing experiments and analysis, and shows that the mechanism can detect DDoS attacks.
Abstract: Distributed denial-of-service (DDoS) attack has turned into one of the major security threats in recent years. Usually the only solution is to stop the services or shut down the victim and then discard the attack traffic only after the DDoS attack characteristics (such as the destination ports of the attack packets) are known. In this paper, we introduce a generic DDoS attack detection mechanism as well as the design and setup of a testbed for performing experiments and analysis. Our results showed that the mechanism can detect DDoS attacks. This enables us to proceed to the next steps of packet classification and traffic control.
TL;DR: Simulation experiments show that DDOS attacks can be detected effectively and precisely under most situations using the proposed real-time RS (R²S) algorithm.
Abstract: A new method of real-time distributed denial of service (DDOS) attack inspection is introduced, based on changes in the characteristic of network self-similarity. Using the real-time RS (R²S) algorithm, simulation experiments with real DDOS attacks and background traffic have been carried out. The results show that DDOS attacks can be detected effectively and precisely under most situations using the proposed method.
TL;DR: In this paper, a system and method for aiding the handling of DDoS attacks is presented in which VPN traffic entering an ISP network at some points is black-holed, while VPN traffic entering at other points is routed to the system-under-attack.
Abstract: A system and method for aiding the handling of DDoS attacks in which VPN traffic entering an ISP network at some points will be black-holed, while VPN traffic entering the ISP network at other points will be routed, as it should be, to the system-under-attack. Thus, the system-under-attack is made available to some of the user community and made unavailable to suspect portions of the user community. Furthermore, the number of entry points where black-holing of VPN traffic occurs can be selected and changed in real-time during a DDoS attack.
TL;DR: A cooperative intrusion detection framework focused on countering Distributed Denial-of-Service (DDoS) attacks through the introduction of a distributed overlay early-warning network is proposed; the paper also provides a survey of the methodologies against DDoS and compares the approach to related work.
Abstract: We propose a cooperative intrusion detection framework focused on countering Distributed Denial-of-Service (DDoS) attacks through the introduction of a distributed overlay early-warning network. Our goal is to minimize the detection and reaction time and automate responses, while involving as many networks as possible along the attack path. The proposed approach relies on building a “community” of trusted partners that will cooperate by exchanging security information so that inclusion in the attack path is detected locally and without traceback procedures. The main building block is the Cooperative anti-DDoS Entity, a modular software system deployed in each participating network domain that supports secure message exchanges and local responses tailored to individual sites' policies. We discuss the operation and the implementation of a prototype, and we provide a survey of the methodologies against DDoS and compare our approach to related work.
TL;DR: This paper focuses on Distributed Denial of Service Attacks (DDoS) where one or more attackers generate flooding traffic and direct it from multiple sources towards a set of selected nodes or IP addresses in the Internet, and presents a technique that can be used for DDoS protection based on creating islands of protection around a critical information infrastructure.
Abstract: Denial of service attacks, viruses and worms are common tools for malicious adversarial behavior in networks. Experience shows that over the last few years several of these techniques have probably been used by governments to impair the Internet communications of various entities, and we can expect that these and other information warfare tools will be used increasingly as part of hostile behavior either independently, or in conjunction with other forms of attack in conventional or asymmetric warfare, as well as in other forms of malicious behavior. In this paper we concentrate on Distributed Denial of Service Attacks (DDoS) where one or more attackers generate flooding traffic and direct it from multiple sources towards a set of selected nodes or IP addresses in the Internet. We first briefly survey the literature on the subject, and discuss some examples of DDoS incidents. We then present a technique that can be used for DDoS protection based on creating islands of protection around a critical information infrastructure. This technique, which we call the CPN-DoS-DT (Cognitive Packet Networks DoS Defence Technique), creates a self-monitoring sub-network surrounding each critical infrastructure node. CPN-DoS-DT is triggered by a DDoS detection scheme, and generates control traffic from the objects of the DDoS attack to the islands of protection where DDOS packet flows are destroyed before they reach the critical infrastructure. We use mathematical modelling, simulation and experiments on our test-bed to show the positive and negative outcomes that may result from both the attack, and the CPN-DoS-DT protection mechanism, due to imperfect detection and false alarms.
TL;DR: This work defines two intelligent DDoS attack models and develops an analytical approach to study the impacts of the number of layers, number of neighbors per node and the node distribution per layer on the system performance under these two attack models.
Abstract: Distributed denial of service (DDoS) attacks are currently major threats to communication in the Internet. A secure overlay services (SOS) architecture has been proposed to provide reliable communication between clients and a target under DDoS attacks. The SOS architecture employs a set of overlay nodes arranged in three hierarchical layers that control access to the target. Although the architecture is novel and works well under simple congestion based attacks, we observe that it is vulnerable under more intelligent attacks. We generalize the SOS architecture by introducing more flexibility in layering to the original architecture. We define two intelligent DDoS attack models and develop an analytical approach to study the impacts of the number of layers, number of neighbors per node and the node distribution per layer on the system performance under these two attack models. Our data clearly demonstrate that performance is indeed sensitive to the design features and that the different design features interact with each other to impact overall system performance.
TL;DR: It is shown that PacketScore is well capable of blocking such sophisticated attacks by simply adjusting the measurement window time scale to closely track the attack profile and further elaborate on the transient performance under varying attack types and intensities.
Abstract: Distributed denial of service (DDoS) attack is a critical threat to the Internet. Recently we have proposed the PacketScore scheme, a DDoS defense architecture that supports automated attack detection, on-line attack characterization and attack blocking. Its key idea is to use a statistics-based packet scoring mechanism to distinguish between legitimate and non-legitimate packets and discard packets based on the packet scores. In order for such an approach to work, we need to perform on-line traffic characterizations, and compare such characterizations with the nominal profiles (generated from past history or off-line analysis). The threshold used for the score-based selective packet discard decision is dynamically adjusted based on the score distribution of recent incoming packets. In our previous paper [Kim et al. 2004], we discuss how our proposed system performs in different attack scenarios. In this paper, we first give a brief review of the PacketScore approach and further elaborate on the transient performance under varying attack types and intensities, which may be exploited in more sophisticated attacks. We then show that PacketScore is well capable of blocking such sophisticated attacks by simply adjusting the measurement window time scale to closely track the attack profile.
TL;DR: A random peer-to-peer (RP2P) network is designed that connects the registered client networks with the registered servers even when they are under DoS attacks; the service creates the financial incentive for commercial companies to provide it, and meets the need of enterprises without the expertise to outsource their anti-DoS operations.
Abstract: Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. As various attack tools become widely available and require minimum knowledge to operate, automated anti-DDoS systems are increasingly important. This paper studies the problem of providing an anti-DoS service (called AID) for general-purpose TCP-based public servers. We design a random peer-to-peer (RP2P) network that connects the registered client networks with the registered servers. RP2P is easy to manage and its longest path length is just three hops. The AID service ensures that the registered client networks can always access the registered servers even when they are under DoS attacks. It creates the financial incentive for commercial companies to provide the service, and meets the need for enterprises without the expertise to outsource their anti-DoS operations.
TL;DR: A brief review of countermeasures to DDoS is given and then an analysis on some of the packet marking schemes is provided, finding that one modification to the basic PPM scheme can reduce its computation remarkably.
Abstract: Distributed Denial of Service (DDoS) attack is among the hardest network security problems to address. Recently, several countermeasures have been proposed, among which PPM (probabilistic packet marking), pioneered by Savage et al., is promising. In this paper, a brief review of countermeasures to DDoS is given and then an analysis of some of the packet marking schemes is provided. Some modifications are further provided. One modification to the basic PPM scheme can reduce its computation remarkably.
TL;DR: In this paper, a scanner device dispatches robots for sending probe messages from the launch pads which emulate an actual DDoS attack to a known, predetermined destination for determining identifying characteristics of such a message.
Abstract: Conventional countermeasures to Distributed Denial of Service (DDoS) attacks typically focus on practices and rules for organizing a robust, DDoS-resilient network which anticipates proactive cooperation of users. Such measures involve widespread implementation cooperation and may be difficult or problematic to enforce in a large organization. Configurations of the invention employ the attacker's technique preventatively against the attack to identify sources likely to be employed for DDoS attacks. Crawlers scan web sites for identifying pages likely to be exploited as launch pads by DDoS attackers. A scanner device dispatches robots for sending probe messages from the launch pads which emulate an actual attack. Each of the probe messages is sent to a known, predetermined destination for determining identifying characteristics of such a message. The identifying characteristics define a signature of messages emanating from the launch pad. Such probe messages are tagged with an identifying field or label, such as a predetermined address. The signatures are then employed for comparison with other incoming message traffic.
TL;DR: A new packet marking technique and agent design is introduced that enables us to identify the approximate source of attack with a single packet even in the case of attacks with spoofed source addresses.
Abstract: We propose a Controller-Agent model that would greatly minimize distributed denial-of-service (DDoS) attacks on the Internet. We introduce a new packet marking technique and agent design that enables us to identify the approximate source of attack (nearest router) with a single packet even in the case of attacks with spoofed source addresses. Our model is invoked only during attack times, and is able to process the victim's traffic separately without disturbing other traffic; it is also able to establish different attack signatures for different attacking sources and can prevent the attack traffic at the nearest router to the attacking system. It is simple in its implementation, it has fast response for any changes in attack traffic pattern, and can be incrementally deployed. Hence we believe that the model proposed in this paper seems to be a promising approach to prevent distributed denial-of-service attacks.
TL;DR: An NS-2-based traceback system is proposed for simulating the iTrace technique that identifies DDoS traffic with a multi-hop iTrace mechanism based on TTL information at the reflector for malicious reflector source tracing; it reduced network load and improved filter/traceback performance on distributed reflector attacks.
Abstract: Reflector attack belongs to one of the most serious types of Distributed Denial-of-Service (DDoS) attacks, which can hardly be traced by traceback techniques, since the marked information written by any routers between the attacker and the reflectors will be lost in the replied packets from the reflectors. In response to such attacks, advanced IP traceback technology must be suggested. This study proposed an NS-2-based traceback system for simulating the iTrace technique that identifies DDoS traffic with a multi-hop iTrace mechanism based on TTL information at the reflector for malicious reflector source tracing. According to the result of simulation, the proposed technique reduced network load and improved filter/traceback performance on distributed reflector attacks.
TL;DR: A novel technique for detecting incipient DDoS attacks and pushing the attack flows back to the perimeter ingress routers of an autonomous system that is both time- and space-efficient, demands low cost to implement and low overhead to operate, results in high accuracy and low error rate, and is highly scalable in defending against DDoS attacks over an increasing number of routers.
Abstract: It is a pressing task to fight off DDoS (Distributed Denial-of-Service) attacks effectively on the Internet. However, although there has been a plethora of efforts suggested in the literature to combat DDoS attacks, we are yet to see a really practicable efficient solution. First of all, such a solution has to be scalable because we need to inspect and process a gigantic amount of traffic flows in order to accurately detect an attack in its incipient stage. Thus, maintaining per flow state or simple per-packet based book-keeping schemes will not work in practice. Secondly, such a solution has to be simple to implement such that the subsequent action, pushing the attack back, can be launched in a swift manner. In this paper, we propose a novel technique for detecting incipient DDoS attacks and pushing the attack flows back to the perimeter ingress routers of an autonomous system. Our technique is based on probabilistic counting of the cardinality of the union of two crucial packet sets: the ingress packet set and the destination packet set. In a high speed core network, these packet sets are huge, even if we just keep track of them over a short period of time. Our technique is of very low time- and space-complexity. Indeed, the amount of space needed to keep track of accurate traffic matrix entries is O(log log n) (where n is the number of packets to be counted) so that the pushback mechanism is highly efficient because the amount of information to be communicated among routers is very small. Our NS-2 simulation results indicate that our proposed new technique is highly effective in combating DDoS attacks with an accuracy rate at around 90%. This can be achieved with a small amount of counting storage, say 2 KBytes, at each router. Furthermore, the amount of legitimate packets dropped is less than 10% when the pushback mechanism is in action. In summary, the new technique is both time- and space-efficient, demands low cost to implement and low overhead to operate, results in high accuracy and low error rate, and is highly scalable in defending against DDoS attacks over an increasing number of routers.
TL;DR: This report addresses two pressing challenges facing network security today: distributed denial of service (DDoS) and worm attacks, and introduces a new approach to network security (distributed packet filtering (DPF)) that casts a "filter net" over the network system which stops the attack traffic.
Abstract: This report addresses two pressing challenges facing network security today: distributed denial of service (DDoS) and worm attacks. New solutions are aimed at providing scalable defenses against these potentially debilitating cyber threats. Two complementary modes of protection are achieved: 1) proactive protection that prevents attacks from imparting harm in the first place, and 2) reactive protection that locates the physical source of an attack and adapts to unforeseen vulnerabilities. The solutions are based on a new approach to network security (distributed packet filtering (DPF)) that casts a "filter net" over the network system which stops the attack traffic. Scalability is afforded by the small size of the filter net: with only 15% deployment for DDoS and 4% for worms, DPF is able to achieve overwhelming protection. Efficacy under partial deployment, a key requirement of any viable solution, is made possible by the recently discovered power-law connectivity of the Internet. Performance evaluation of DPF using large-scale Internet topologies is carried out with DaSSF-Turbo, a scalable network simulation environment developed as part of the project. DaSSF-Turbo is a performance-oriented extension of DaSSF and facilitates Internet-scale benchmarking through automated network configuration, performance monitoring, and power-law partitioning.
TL;DR: According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks, and can avoid overall network congestion and provide more resources to legitimate web users.
Abstract: Recently a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that includes a deployment mixture of sub-systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.
TL;DR: Modifications to the automated model to counteract TCP SYN distributed denial of service (DDoS) attacks nearest to the attacking source are proposed; the main advantage of this technique is that the victim can provide better service for traffic originating from good network domains and completely eliminate or provide limited service for the traffic originating from the bad network domain.
Abstract: We propose modifications to the automated model to counteract TCP SYN distributed denial of service (DDoS) attacks nearest to the attacking source and also discuss the prototype implementation of our technique. It should be noted that we do not solve the TCP SYN problem, but we enable the victim to differentiate between the traffic originating from good and bad network domains, trace the router that is nearest to the attacking source with a single packet, even if the source address of the packet is spoofed, and prevent the attack traffic at the router which is nearest to the attacking source. Since our model is invoked only during attack times, it has much less overhead, and the main advantage of this technique is that the victim can provide better service for traffic originating from good network domains and completely eliminate or provide limited service for the traffic originating from the bad network domain.
TL;DR: The underlying platform, the network measurement system (NMS), is outlined first; the detection method is then discussed in detail, focusing on service protection, attack elimination, and how to trace back the attack source.
Abstract: SYN flooding is a common method employed in denial of service (DoS) and distributed denial of service (DDoS) attacks. It is hard to maintain an effective defense merely with passive measures such as monitoring and filtering. To avoid affecting legitimate service requests and to stop attacks at the source, attack detection and service protection must be combined with tracing the attack source. Having studied and summarized the features of such attacks, we propose a few key metrics to judge whether an attack is underway. In this paper, the underlying platform, the network measurement system (NMS), is outlined first. Then the detection method is discussed in detail, focusing on service protection, attack elimination, and how to trace back the attack source. Finally, we present experiments with the defense mechanism and analyze their results.
TL;DR: This research presents Traffic Rate Analysis (TRA) to efficiently analyze network traffic and a defense mechanism for DDoS attacks, and probabilistically drop the network packets if their occurrence rates exceed the normal traffic rates.
Abstract: This research presents Traffic Rate Analysis (TRA) to efficiently analyze network traffic and a defense mechanism for DDoS attacks. TRA is defined as the ratio of a specific type of packets among the total amount of network packets, and is divided into TCP flag rate and protocol rate. By using TRA on the network traffic, normal and abnormal network traffic can be clearly distinguished from each other. Furthermore, to defend against DDoS attacks, we probabilistically drop network packets if their occurrence rates exceed the normal traffic rates. We expect that our proposed mechanism for analyzing network traffic and defending against DDoS attacks will be very useful for detecting DDoS attacks early and for protecting TCP-based servers (e.g. Web servers) against DDoS attacks.
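The abstract defines TRA (TCP flag rate and protocol rate as ratios over all packets in a window) and the response (probabilistic dropping of packet types whose rate exceeds the normal rate), but the exact drop function is not given. The block below is an added example, not the paper's code: it computes both rates over a window of constructed packets, learns a baseline from a constructed "normal" window, and uses an assumed drop probability that is zero at the baseline rate and rises linearly to 1 as the type approaches 100% of the window. Packet layout, window sizes and the drop curve are all assumptions made for illustration.

```python
"""Traffic Rate Analysis (TRA) over a packet window with probabilistic dropping.

Added example, not the paper's implementation. The linear drop curve in
drop_probability() is an assumption; the abstract only says drops are probabilistic.
"""
from collections import Counter
from dataclasses import dataclass

FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
PROTOS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()      # TCP flag names; empty for non-TCP


def tra(window):
    """Return (tcp_flag_rate, protocol_rate). Each rate is a count divided by the
    total number of packets in the window, as the abstract defines TRA."""
    n = len(window)
    flag_counts, proto_counts = Counter(), Counter()
    for pkt in window:
        proto_counts[pkt.proto] += 1
        if pkt.proto == "tcp":
            flag_counts.update(pkt.flags)
    flag_rate = {f: (flag_counts[f] / n if n else 0.0) for f in FLAGS}
    proto_rate = {p: (proto_counts[p] / n if n else 0.0) for p in PROTOS}
    return flag_rate, proto_rate


def drop_probability(observed, baseline):
    """Assumed drop curve: 0 at or below the normal rate, linear up to 1 when the
    type fills the whole window. Types that are at baseline are never dropped."""
    if observed <= baseline or baseline >= 1.0:
        return 0.0
    return min(1.0, (observed - baseline) / (1.0 - baseline))


def drop_table(window, baseline):
    """Per-flag and per-protocol drop probabilities for this window."""
    base_flag, base_proto = baseline
    flag_rate, proto_rate = tra(window)
    return ({f: drop_probability(flag_rate[f], base_flag[f]) for f in FLAGS},
            {p: drop_probability(proto_rate[p], base_proto[p]) for p in PROTOS})


def filter_window(window, baseline, rng):
    """Drop each packet with the largest probability that applies to its protocol
    or to any TCP flag it carries. rng must expose random() -> [0, 1)."""
    p_flag, p_proto = drop_table(window, baseline)
    kept = []
    for pkt in window:
        p = p_proto[pkt.proto]
        if pkt.proto == "tcp":
            p = max([p] + [p_flag[f] for f in pkt.flags])
        if rng.random() >= p:
            kept.append(pkt)
    return kept


def make_window(n_syn, n_ack, n_udp, n_icmp):
    """Constructed sample traffic (not captured data): counts per packet type."""
    return ([Packet("tcp", frozenset({"SYN"}))] * n_syn
            + [Packet("tcp", frozenset({"ACK", "PSH"}))] * n_ack
            + [Packet("udp")] * n_udp
            + [Packet("icmp")] * n_icmp)


NORMAL = make_window(10, 70, 15, 5)   # SYN rate 0.10, TCP share 0.80
ATTACK = make_window(50, 30, 15, 5)   # SYN flood: SYN rate 0.50, TCP share still 0.80
BASELINE = tra(NORMAL)                # "normal traffic rates" learned from NORMAL

if __name__ == "__main__":
    import random
    print("drop probabilities:", drop_table(ATTACK, BASELINE))
    kept = filter_window(ATTACK, BASELINE, random.Random(1))
    print(f"{len(kept)} of {len(ATTACK)} packets kept")
```

Because the rates are taken over all packets rather than per protocol, a SYN flood that keeps the overall TCP share constant still shows up in the SYN flag rate alone, and only SYN-carrying packets are subject to dropping; ACK-bearing packets of established connections pass untouched.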
TL;DR: This paper presents the problem space exploration of DDoS attacks and proposes a flexible service architecture for detection and filter mechanisms to counteract DDoS attack, based on the PromethOS NP router platform that manages and controls hierarchical network nodes built of network and host processors.
Abstract: Distributed denial of service (DDoS) attacks in the Internet pose huge problems for today's communication infrastructure. Attacks either destroy information or impede access to a service. Since the significance of the Internet to business and the economy is growing rapidly, efficient protection mechanisms are urgently required to protect hosts from being infected and, more importantly, sites from being attacked. Detection of DDoS attacks requires deep packet inspection at link speed, and context-dependent packet handling for countermeasures. This functionality is not achievable with today's commercial high-performance routers.
In this paper, we therefore present our problem space exploration of DDoS attacks and propose a flexible service architecture for detection and filter mechanisms to counteract DDoS attacks. To achieve the performance required for backbone routers together with the flexibility needed for services counteracting DDoS attacks, we base the proposal on our PromethOS NP router platform, which manages and controls hierarchical network nodes built of network and host processors.