Scispace (Formerly Typeset)
Showing papers on "Application layer DDoS attack published in 2006"
Proceedings Article•
LADS: large-scale automated DDOS detection system


Vyas Sekar1, Nick Duffield2, Oliver Spatscheck2, Jacobus Van der Merwe2, Hui Zhang1 •
Carnegie Mellon University1, AT&T Labs2
30 May 2006
TL;DR: This work investigates the design space for in-network DDoS detection, proposes a triggered, multi-stage approach that addresses both scalability and accuracy, and reports experience using LADS to detect DDoS attacks in a tier-1 ISP.
Abstract: Many Denial of Service attacks use brute-force bandwidth flooding of intended victims. Such volume-based attacks aggregate at a target's access router, suggesting that (i) detection and mitigation are best done by providers in their networks; and (ii) attacks are most readily detectable at access routers, where their impact is strongest. In-network detection presents a tension between scalability and accuracy. Specifically, accuracy of detection dictates fine grained traffic monitoring, but performing such monitoring for the tens or hundreds of thousands of access interfaces in a large provider network presents serious scalability issues. We investigate the design space for in-network DDoS detection and propose a triggered, multi-stage approach that addresses both scalability and accuracy. Our contribution is the design and implementation of LADS (Large-scale Automated DDoS detection System). The attractiveness of this system lies in the fact that it makes use of data that is readily available to an ISP, namely, SNMP and Netflow feeds from routers, without dependence on proprietary hardware solutions. We report our experiences using LADS to detect DDoS attacks in a tier-1 ISP.

154 citations

Proceedings Article•10.1145/1146847.1146894•
Exploiting P2P systems for DDoS attacks


Naoum Naoumov1, Keith W. Ross1•
New York University1
30 May 2006
TL;DR: This paper describes two approaches to creating a DDoS engine out of a P2P system: the first involves poisoning the distributed index in the peers; the second involves poisoning the routing tables in the neighbours.
Abstract: When a P2P system has millions of concurrently active peers, there is the risk that it could serve as a DDoS engine for attacks against a targeted host. In this paper we describe two approaches to creating a DDoS engine out of a P2P system: the first involves poisoning the distributed index in the peers; the second involves poisoning the routing tables in the peers. For both approaches, the targeted host does not have to be a participant in the P2P system, and could be a web server, a mail server, or a user's desktop. We then examine these two poisoning attacks in Overnet, a popular DHT-based P2P file-sharing system. By using limited poisoning attacks of short duration on Overnet's indexing and routing tables, we create DDoS attacks against a targeted host. We find that with modest effort, both DDoS attacks can direct significant traffic from diverse peers to the target.

136 citations

Proceedings Article•10.1109/ACSAC.2006.5•
A Framework for a Collaborative DDoS Defense


G. Oikonomou1, Jelena Mirkovic1, Peter Reiher2, M. Robinson3•
University of Delaware1, University of California, Los Angeles2, The Aerospace Corporation3
11 Dec 2006
TL;DR: This work proposes to harvest the strengths of existing defenses by organizing them into a collaborative overlay, called DefCOM, and augmenting them with communication and collaboration functionalities, which naturally leads to an Internet-wide response to the DDoS threat.
Abstract: Increasing use of the Internet for critical services makes flooding distributed denial-of-service (DDoS) a top security threat. A distributed nature of DDoS suggests that a distributed mechanism is necessary for a successful defense. Three main DDoS defense functionalities -- attack detection, rate limiting and traffic differentiation -- are most effective when performed at the victim-end, core and source-end respectively. Many existing systems are successful in one aspect of defense, but none offers a comprehensive solution and none has seen a wide deployment. We propose to harvest the strengths of existing defenses by organizing them into a collaborative overlay, called DefCOM, and augmenting them with communication and collaboration functionalities. Nodes collaborate during the attack to spread alerts and protect legitimate traffic, while rate limiting the attack. DefCOM can accommodate existing defenses, provide synergistic response to attacks and naturally lead to an Internet-wide response to DDoS threat.

118 citations

Journal Article•
Cooperative defence against DDoS attacks


Guangsen Zhang1, Manish Parashar•
Rutgers University1
10 Mar 2006-Journal of Research and Practice in Information Technology
TL;DR: This paper proposes a distributed approach to defend against distributed denial of service attacks by coordinating across the Internet, and unlike traditional IDS, detects and stops DDoS attacks within the intermediate network.
Abstract: Distributed denial of service (DDoS) attacks on the Internet have become an immediate problem. As DDoS streams do not have common characteristics, currently available intrusion detection systems (IDS) cannot detect them accurately. As a result, defend DDoS attacks based on current available IDS will dramatically affect legitimate traffic. In this paper, we propose a distributed approach to defend against distributed denial of service attacks by coordinating across the Internet. Unlike traditional IDS, we detect and stop DDoS attacks within the intermediate network. In the proposed approach, DDoS defence systems are deployed in the network to detect DDoS attacks independently. A gossip based communication mechanism is used to exchange information about network attacks between these independent detection nodes to aggregate information about the overall network attacks observed. Using the aggregated information, the individual defence nodes have approximate information about global network attacks and can stop them more effectively and accurately. To provide reliable, rapid and widespread dissemination of attack information, the system is built as a peer to peer overlay network on top of the internet. ACM Classification: C.2(Computer-Communication Networks), D.2(Software Engineering)

71 citations

Journal Article•10.1109/JSAC.2006.877136•
ALPi: A DDoS Defense System for High-Speed Networks


Paulo E. Ayres, Huizhong Sun1, Hung-Hsiang Jonathan Chao1, Wing Cheong Lau2•
New York University1, The Chinese University of Hong Kong2
01 Oct 2006-IEEE Journal on Selected Areas in Communications
TL;DR: ALPi is proposed, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance, and a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation.
Abstract: Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to-date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable for high-speed hardware implementation.

71 citations

Proceedings Article•10.1145/1162666.1162675•
Analyzing large DDoS attacks using multiple data sources


Z. Morley Mao1, Vyas Sekar2, Oliver Spatscheck3, Jacobus Van der Merwe3, Rangarajan Vasudevan1 •
University of Michigan1, Carnegie Mellon University2, AT&T Labs3
11 Sep 2006
TL;DR: A measurement study analyzing DDoS attacks from multiple data sources, relying on both direct measurements of flow-level information, and more traditional indirect measurements using backscatter analysis, suggests that network providers can reduce a substantial volume of malicious traffic with targeted deployment of DDoS defenses.
Abstract: We present a measurement study analyzing DDoS attacks from multiple data sources, relying on both direct measurements of flow-level information, and more traditional indirect measurements using backscatter analysis. Understanding the nature of DDoS attacks is critically important to the development of effective counter measures to this pressing problem. While much of the community's current understanding of DDoS attacks result from indirect measurements, our analysis suggests that such studies do not give a comprehensive view of DDoS attacks witnessed in today's Internet. Specifically, our results suggest little use of address spoofing by attackers, which imply that such attacks will be invisible to indirect backscatter measurement techniques. Further, at the detailed packet-level characterization (e.g., attack destination ports), there are significant differences between direct and indirect measurements. Thus, there is tremendous value in moving towards direct observations to better understand DDoS attacks. Direct measurements additionally provide information inaccessible to indirect measurements, enabling us to better understand how to defend against attacks. We find that for 70% of the attacks fewer than 50 source ASes are involved and a relatively small number of ASes produce nearly 72% of the total attack volume. This suggests that network providers can reduce a substantial volume of malicious traffic with targeted deployment of DDoS defenses.

65 citations

Proceedings Article•10.1109/CTS.2006.27•
Collaborative Change Detection of DDoS Attacks on Community and ISP Networks


Yu Chen1, Kai Hwang1•
University of Southern California1
14 May 2006
TL;DR: Preliminary NS-2 simulation results on a single-domain ISP core network are reported to prove the effectiveness of the new collaborative CAT architecture for DDoS defense, with a detection rate as high as 95% with less than 1% of false positive alarms.
Abstract: A community network often operates within the same ISP (Internet Service Provider) domain or the network is administered by a virtual organization spanning across multiple network domains with an established trust relationship. To counter DDoS (distributed denial-of-service) attacks in such a federated network environment, the routers can work cooperatively to raise early warning to avoid catastrophic damages. This paper proposes a collaborative architecture to detect DDoS flooding attacks. The scheme appeals, in particular, to protect networked resource centers that work as a collaboration Grid. By monitoring the distribution of suspicious traffic changes over a number of attack-transit routers, we developed a new Change-Aggregation Tree (CAT) mechanism to enable early detection of DDoS attacks on community networks. We want to detect flooding attacks as early as possible. Here, we report preliminary NS-2 simulation results on a single-domain ISP core network to prove the effectiveness of the new collaborative CAT architecture for DDoS defense. The simulated system achieved a detection rate as high as 95% with less than 1% of false positive alarms. Extensions of this architecture to cross-domain DDoS defense are discussed with further research challenges identified.

59 citations

Journal Article•10.1109/LCOMM.2006.060669•
Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests


Z. Gao1, Nirwan Ansari1•
New Jersey Institute of Technology1
04 Dec 2006-IEEE Communications Letters
TL;DR: A novel DDoS defense scheme based on TCP is hereby contrived because TCP is the dominant traffic for both the normal and lethal flows in the Internet.
Abstract: To defend against distributed denial of service (DDoS) attacks, one critical issue is to effectively isolate the attack traffic from the normal ones. A novel DDoS defense scheme based on TCP is hereby contrived because TCP is the dominant traffic for both the normal and lethal flows in the Internet. Unlike most of the previous DDoS defense schemes that are passive in nature, the proposal uses proactive tests to identify and isolate the malicious traffic. Simulation results validate the effectiveness of our proposed scheme.

42 citations

Book Chapter•10.1007/11811305_112•
A comprehensive categorization of DDoS attack and DDoS defense techniques


Usman Tariq1, Manpyo Hong1, Kyung-suk Lhee1•
Ajou University1
14 Aug 2006
TL;DR: This paper comprehensively analyzed the DDoS problem and proposed a simplified taxonomy to categorize the attack scope and available defense solutions, which can help the software developers and security practitioners to understand the common vulnerabilities that encourage the attackers to launch DDoS attack.
Abstract: Distributed Denial of Service (DDoS) attack is the greatest security fear for IT managers. With in no time, thousands of vulnerable computers can flood victim website by choking legitimate traffic. Several specific security measurements are deployed to encounter DDoS problem. Instead of specific solution, a comprehensive DDoS cure is needed which can combat against the previously and upcoming DDoS attack vulnerabilities. Development of such solution requires understanding of all those aspects which can help hacker to activate zombies and launch DDoS attack. In this paper, we comprehensively analyzed the DDoS problem and we proposed a simplified taxonomy to categorize the attack scope and available defense solutions. This taxonomy can help the software developers and security practitioners to understand the common vulnerabilities that encourage the attackers to launch DDoS attack.

41 citations

Journal Article•10.1007/S11227-006-8295-0•
A novel approach to detecting DDoS Attacks at an Early Stage


Bin Xiao1, Wei Chen2, Yanxiang He2•
Hong Kong Polytechnic University1, Wuhan University2
01 Jun 2006-The Journal of Supercomputing
TL;DR: Simulation results show that the cooperative technique presented in this paper can yield accurate DDoS alarms at an early stage and theoretically show the false alarm probability of the detection scheme, which is insensitive to false alarms when using specially designed evaluation functions.
Abstract: Distributed Denial-of-Service (DDoS) attacks pose a serious threat to Internet security. Most current research focuses on detection and prevention methods on the victim server or source side. To date, there has been no work on defenses using valuable information from the innocent client whose IP has been used in attacking packets. In this paper, we propose a novel cooperative system for producing warning of a DDoS attack. The system consists of a client detector and a server detector. The client detector is placed on the innocent client side and uses a Bloom filter-based detection scheme to generate accurate detection results yet consumes minimal storage and computational resources. The server detector can actively assist the warning process by sending requests to innocent hosts. Simulation results show that the cooperative technique presented in this paper can yield accurate DDoS alarms at an early stage. We theoretically show the false alarm probability of the detection scheme, which is insensitive to false alarms when using specially designed evaluation functions.

40 citations

Proceedings Article•10.1109/ICPR.2006.147•
A Pattern Recognition Scheme for Distributed Denial of Service (DDoS) Attacks in Wireless Sensor Networks


Zubair A. Baig1, M. Baqer1, Asad I. Khan1•
Monash University1
20 Aug 2006
TL;DR: A graph neuron (GN)-based, decentralized pattern recognition scheme for attack detection that does analysis of internal traffic flow of the network for DDoS attack patterns and stipulate that the attack patterns depend on both the current energy levels, as well as the energy consumption rates of individual target nodes.
Abstract: We define distinct attack patterns depicting Distributed Denial of Service (DDoS) attacks against target nodes within wireless sensor networks for three most commonly used network topologies. We propose a Graph Neuron (GN)-based, decentralized pattern recognition scheme for attack detection. The scheme does analysis of internal traffic flow of the network for DDoS attack patterns. We stipulate that the attack patterns depend on both the current energy levels, as well as the energy consumption rates of individual target nodes. The results of varying pattern update rates on the pattern recognition accuracies for the three network topologies are included in the end to test the effectiveness of our implementation.
Journal Article•
A Comprehensive Categorization of DDoS Attack and DDoS Defense Techniques


Usman Tariq, Manpyo Hong, Kyung-suk Lhee
01 Jan 2006-Lecture Notes in Computer Science
TL;DR: In this paper, the authors comprehensively analyzed the DDoS problem and proposed a simplified taxonomy to categorize the attack scope and available defense solutions, which can help the software developers and security practitioners to understand the common vulnerabilities that encourage the attackers to launch DDoS attack.
Abstract: Distributed Denial of Service (DDoS) attack is the greatest security fear for IT managers. With in no time, thousands of vulnerable computers can flood victim website by choking legitimate traffic. Several specific security measurements are deployed to encounter DDoS problem. Instead of specific solution, a comprehensive DDoS cure is needed which can combat against the previously and upcoming DDoS attack vulnerabilities. Development of such solution requires understanding of all those aspects which can help hacker to activate zombies and launch DDoS attack. In this paper, we comprehensively analyzed the DDoS problem and we proposed a simplified taxonomy to categorize the attack scope and available defense solutions. This taxonomy can help the software developers and security practitioners to understand the common vulnerabilities that encourage the attackers to launch DDoS attack.
Proceedings Article•10.1145/1162666.1162673•
PRIMED: community-of-interest-based DDoS mitigation


Patrick Verkaik1, Oliver Spatscheck2, Jacobus Van der Merwe2, Alex C. Snoeren1•
University of California, San Diego1, AT&T Labs2
11 Sep 2006
TL;DR: Preliminary lab testing shows that the PRIMED approach is deployable on modern edge router platforms without degrading packet forwarding performance, and implies that the approach offers DDoS protection at a truly massive scale, i.e., every customer access link.
Abstract: Most existing distributed denial-of-service (DDoS) mitigation proposals are reactive in nature, i.e., they are deployed to limit the damage caused by attacks after they are detected. In contrast, we present PRIMED, a proactive approach to DDoS mitigation that allows users to specify to their ISP a priori their (dis)interest in receiving traffic from particular network entities. Our solution employs communities of interest (COIs) to capture the collective past behavior of remote network entities and uses them to predict future behavior. Specifically, ISPs construct a network-wide bad COI that contains network entities who exhibited unwanted behavior in the past, and per-customer good COIs containing remote network entities that have previously engaged in legitimate communication with the customer. Our system uses these derived sets together with customer-specific policies to proactively mitigate DDoS attacks using existing router mechanisms. Indeed, preliminary lab testing shows that our approach is deployable on modern edge router platforms without degrading packet forwarding performance. This implies that our approach offers DDoS protection at a truly massive scale, i.e., every customer access link. Simulation results show that our approach improves protection against 91--93% of actual DDoS attacks on real customers---providing complete protection against 38--53% of such attacks---while slightly increasing vulnerability in only 5--7% of attacks.
Journal Article•10.1109/TPDS.2006.93•
On the effectiveness of secure overlay forwarding systems under intelligent distributed DoS attacks


Xun Wang1, Sriram Chellappan1, P. Boyer1, Dong Xuan1•
Ohio State University1
01 Jul 2006-IEEE Transactions on Parallel and Distributed Systems
TL;DR: This paper defines several intelligent DDoS attack models and develops analytical/simulation approaches to study the impacts of architectural design features of such overlay systems on the system performance in terms of path availability between clients and the server under attacks.
Abstract: In the framework of a set of clients communicating with a critical server over the Internet, a recent approach to protect communication from distributed denial of service (DDoS) attacks involves the usage of overlay systems. SOS, MAYDAY, and I3 are such systems. The architecture of these systems consists of a set of overlay nodes that serve as intermediate forwarders between the clients and the server, thereby controlling access to the server. Although such systems perform well under random DDoS attacks, it is questionable whether they are resilient to intelligent DDoS attacks which aim to infer architectures of the systems to launch more efficient attacks. In this paper, we define several intelligent DDoS attack models and develop analytical/simulation approaches to study the impacts of architectural design features of such overlay systems on the system performance in terms of path availability between clients and the server under attacks. Our data clearly demonstrate that the system performance is indeed sensitive to the architectural features and the different features interact with each other to impact overall system performance under intelligent DDoS attacks. Our observations provide important guidelines in the design of such secure overlay forwarding systems.
Proceedings Article•10.1109/SECCOMW.2006.359548•
Protecting Against Distributed Denial of Service (DDoS) Attacks Using Distributed Filtering


Jonathan Trostle
1 Aug 2006
TL;DR: DFS's resistance against large scale DDoS flooding attacks is analyzed; DFS offers relatively strong protection against DDoS attacks.
Abstract: We present a new scheme, Distributed Filtering Service or DFS, for protecting services against Distributed Denial of Service (DDoS) attacks. Our system is proactive and requires no changes to the Internet core, and no changes to existing ISP routers. DFS can be deployed incrementally, and benefits are obtained immediately. The key to our approach is forcing traffic destined for protected services to widely dispersed filtering points on the Internet, using IP anycast. DFS requires no unicast address nodes that can be targeted by an attacker; we are unaware of any other DDoS defensive system with this property. We also use two other techniques that have not been well used in DDoS defensive systems: key logging and the IPsec replay window. For the latter, we model attacks and give lower bounds for its effectiveness. We analyze DFS's resistance against large scale DDoS flooding attacks; DFS offers relatively strong protection against DDoS attacks.
Proceedings Article•10.1109/ICC.2006.255091•
A Coordinated Detection and Response Scheme for Distributed Denial-of-Service Attacks


Ho-Yu Lam1, Chi-Pan Li1, Samuel T. Chanson1, Dit-Yan Yeung1•
Hong Kong University of Science and Technology1
11 Dec 2006
TL;DR: This paper proposes a distributed scheme that can mitigate the damage caused by DDoS through a coordinated detection and response framework and can greatly improve the throughput of legitimate traffic and reduce the attack traffic during DDoS attacks.
Abstract: Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. They can exhaust critical resources at a target host with the help of a large number of compromised Internet hosts and hence deny services to legitimate clients. This paper studies some existing schemes for the detection and defense against TCP-based DDoS attacks. We propose a distributed scheme that can mitigate the damage caused by DDoS through a coordinated detection and response framework. This proposed scheme composes of a number of heterogeneous defense systems which cooperate with each other in protecting Internet servers. We have set up a network testbed for carrying out extensive experiments using real server machines, routers and software attack tools. Experimental results show that, compared to existing schemes, our proposed scheme can greatly improve the throughput of legitimate traffic and reduce the attack traffic during DDoS attacks. To investigate the scale-up behavior of our scheme, we have also developed a software simulator for larger-scale experiments. Simulation results show that our scheme performs consistently well even in networks with more than 3000 nodes and under high traffic load.
Proceedings Article•10.1145/1162666.1162674•
Protecting TCP services from denial of service attacks


Hikmat Farhat1•
University of Notre Dame1
11 Sep 2006
TL;DR: This paper presents a scheme that protects legitimate traffic from the large volume of attackers packets during a DDoS attack, and believes that the Implicit Token Scheme (ITS) has numerous advantages.
Abstract: In this paper, we present a scheme that protects legitimate traffic from the large volume of attackers packets during a DDoS attack. Legitimate packets can be recognized by the tokens they carry in the IP header. Obtaining a token does not require protocol additions or changes, rather it is automatically obtained when a TCP connection is established. We believe that the Implicit Token Scheme (ITS) has numerous advantages: (1) It is totally transparent to clients. (2) No new protocols or modification of existing ones is needed to implement ITS. (3) Operations required by intermediate routers are computationally not more intensive than a couple of addition operations which could be easily done at wire-speed. (4) Does not lead to false positives. (5) Can sustain server availability even during attacks involving hundreds of thousands of attackers.
Journal Article•10.1504/IJHPCN.2006.013491•
Protecting information infrastructure from DDoS attacks by MADF


Yang Xiang1, Wanlei Zhou2•
Central Queensland University1, Deakin University2
11 Aug 2006
TL;DR: A new approach, Mark-Aided Distributed Filtering (MADF), to find the network anomalies by using a back-propagation neural network to detect and filter DDoS attack packets with high sensitivity and accuracy, thus providing high legitimate traffic throughput and low attack traffic throughput.
Abstract: Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the information infrastructure. In this paper, we propose a new approach, Mark-Aided Distributed Filtering (MADF), to find the network anomalies by using a back-propagation neural network. The marks in the IP header that are generated by a group of IP traceback schemes called Deterministic Packet Marking (DPM)/Flexible Deterministic Packet Marking (FDPM) assist this process of identifying and filtering attack packets. MADF can detect and filter DDoS attack packets with high sensitivity and accuracy, thus providing high legitimate traffic throughput and low attack traffic throughput.
Proceedings Article•10.1109/ICCGI.2006.6•
An Analytical Model for DDoS Attacks and Defense


Yang Xiang1, Zhongwen Li2•
Deakin University1, Xiamen University2
1 Aug 2006
TL;DR: An analytical model for the interactions between DDoS attack party and defense party is proposed that can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks and quantitatively estimate the optimal level of investment on DDoS defense system.
Abstract: Distributed Denial of Service (DDoS) attack has been identified as one of the most serious problems on the Internet. While much of the current research focus on DDoS countermeasures, little attention has been paid on DDoS modeling, which is one of the important aspects that can help provide better solutions against DDoS attacks. This paper proposes an analytical model for the interactions between DDoS attack party and defense party, which allows us to have a deep insight of the interactions between the attack and defense parties. Many refinements of the basic analytical model such as reinforcement of the defense party and loss in defense party are given in the paper, which suit for many real DDoS scenarios. Moreover, the applications of this model demonstrate that the model can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks and quantitatively estimate the optimal level of investment on DDoS defense system. Additionally, it can also be applied to model some other network security problems such as virus and spam defense.
Journal Article•10.1093/IETCOM/E89-B.10.2878•
Resiliency of Network Topologies under Path-Based Attacks


Heejo Lee, Jong Kim1, Wan Yeon Lee2•
Pohang University of Science and Technology1, Hallym University2
01 Oct 2006-IEICE Transactions on Communications
TL;DR: An attack-and-failure graph model and practical techniques for attacking strategies against nodes, edges or paths in order to reflect real-life attack scenarios are proposed and can be a springboard for developing more resilient Internet topologies in a variety of aspects.
Abstract: Network topology has no direct effect on the correctness of network protocols, however, it influences the performance of networks and their survivability when they are under attack. Recent studies have analyzed the robustness of the Internet in the face of faults or attacks which may cause node failures. However, the effect of link failure or a series of link failures has not been extensively examined, even though such a situation is more likely to occur in the current Internet environment. In this paper, we propose an attack-and-failure graph model and practical techniques for attacking strategies against nodes, edges or paths in order to reflect real-life attack scenarios. The resiliency of Internet topologies is examined under the attacking strategies, with various metrics including path-failure ratio and "attack power," which is defined as the ratio of the failure to attack. The experiments reveal that "path-based" attacks can result in greater damage to the connectivity of a network than the other types of attack. Nonetheless, the effectiveness of an attack depends on the objective that the attacker wants to achieve through the attack. The proposed simple but formalized approach can be a springboard for developing more resilient Internet topologies in a variety of aspects.
Proceedings Article•10.1109/CHINACOM.2006.344851•
A Three-Layer Defense Mechanism Based on WEB Servers Against Distributed Denial of Service Attacks

Zhijun Wu1, Zhifeng Chen1•
Civil Aviation University of China1
1 Oct 2006
TL;DR: By the collaborative defense of the three-layer mechanism, sustaining availability of Web services can be ensured under DDoS attacks, and the result indicates that the three-layer defense mechanism can defend DDoS attacks effectively.
Abstract: It is widely recognized that distributed denial of service (DDoS) attacks can disrupt web service and cause large revenue losses. However, effective defenses continue to be mostly unavailable. We design a novel DDoS security mechanism, which is a three-layer defense mechanism based on Web servers. Combining the characteristic of the traffic of web servers and aiming at TCP/IP reference model, it utilizes the means of statistical filtering and traffic limit in the network layer, transport layer and application layer to filter the illegitimate traffic to secure the pass of the normal traffic. A majority of illegitimate traffic is filtered by the algorithm of SHCF (Simplified Hop Count Filtering) on network layer. The rest of illegitimate traffic is filtered by the algorithm of SYN Proxy Firewall on transmission layer. And traffic limit is used on the application layer for DDoS attacks using legitimate IP. By the collaborative defense of the three-layer mechanism, sustaining availability of Web services can be ensured under DDoS attacks. The defense mechanism is implemented and tested inside the Linux kernel. The result indicates that the three-layer defense mechanism can defend DDoS attacks effectively.
Proceedings Article•
Analysis of traceback techniques

Udaya Tupakula1, Vijay Varadharajan1•
Macquarie University1
1 Jan 2006
TL;DR: It is believed that the networks tend to become complex and more vulnerable to DDoS attacks if some of the proposed traceback techniques are deployed in the Internet.
Abstract: Today's Internet is extremely vulnerable to Distributed Denial of Service (DDoS) attacks. There is tremendous pressure on the sites performing online business and ISPs to protect their networks from DDoS attacks. Recently, several novel traceback techniques have been proposed to trace the approximate spoofed source of attack. Each proposed traceback technique has some unique advantages and disadvantages over the others. In this paper we will consider some of the novel traceback techniques and focus our discussion i) to raise some of the real time issues that can be addressed in the further research and ii) from the attacker's perspective on how to generate DDoS attacks and remain untraced even if any of the traceback techniques is deployed in the Internet. We will also demonstrate how attacks can be further amplified if ICMP traceback technique is deployed in the Internet and discuss techniques to minimise the additional attack traffic. We believe that the networks tend to become complex and more vulnerable to DDoS attacks if some of the proposed traceback techniques are deployed in the Internet.
Proceedings Article•10.1109/ICCS.2006.301419•
Detecting DDOS Attack Based on One-Way Connection Density

Tu Xu1, Da He1, Yu Zheng1•
Southwest Jiaotong University1
1 Oct 2006
TL;DR: A DDoS detecting algorithm based on the mechanism of distance measure of OWCD and time serial analysis on OWCD that can efficiently identify the DDoS attack with various attacking intensity is presented.
Abstract: How to find essential features between normal stream and attack stream and identify the Distributed Denial of Service (DDoS) attack online with simple algorithm are two critical issues in detecting DDoS attack which will contribute to identifying DDoS attack with low false positive and low false negative. According to the features of DDoS attack, a conception of one-way connection density (OWCD) and time serial analysis on OWCD are proposed in this paper. Then a DDoS detecting algorithm based on the mechanism of distance measure of OWCD is also presented. In terms of the experimental results, our detection scheme overcoming the shortage of two-classification detecting methods can efficiently identify the DDoS attack with various attacking intensity.
Proceedings Article•
Defending Against Meek DDoS Attacks By IP Traceback-based Rate Limiting

Yinan Jing, Xueping Wang, Xiaochun Xiao, Gendu Zhang
1 Jan 2006
TL;DR: This work thoroughly investigates a "meek" DDoS attack case and provides an elaborate IP traceback-based rate limit algorithm that can better mitigate the meek DDoS attack as well as improve the throughput of legitimate traffic.
Abstract: Distributed denial-of-service attack is one of the major threats to the Internet today. Rate limit is an effective countermeasure to defeat rate-related attacks on condition that attackers send more traffic than legitimate users. However, sometimes the real case is opposite, because there may be only subtle rate difference between attackers and legitimate users today. We thoroughly investigate such a "meek" DDoS attack case and provide an elaborate IP traceback-based rate limit algorithm. The simulation results show that our method can better mitigate the meek DDoS attack as well as improve the throughput of legitimate traffic.
Proceedings Article•10.1109/GLOCOM.2006.283•
NIS04-5: Defending Against Meek DDoS Attacks By IP Traceback-based Rate Limiting

Yi-Nan Jing1, Xueping Wang1, Xiaochun Xiao1, Gen-Du Zhang1•
Fudan University1
1 Nov 2006
TL;DR: This paper investigates a "meek" DDoS attack case and provides an elaborate IP traceback-based rate limit algorithm, which can better mitigate meek DDoS attacks as well as improve the throughput of legitimate traffic.
Abstract: Distributed denial-of-service attack is one of the major threats to the Internet today. Rate limit is an effective countermeasure to defeat rate-related attacks on condition that attackers send more traffic than legitimate users. However, sometimes the real case is opposite, because there may be only subtle rate difference between attackers and legitimate users today. We thoroughly investigate such a "meek" DDoS attack case and provide an elaborate IP traceback-based rate limit algorithm. The simulation results show that our method can better mitigate the meek DDoS attack as well as improve the throughput of legitimate traffic.
Proceedings Article•10.1109/ICNICONSMCL.2006.159•
O2-DN: An Overlay-based Distributed Rate Limit Framework to Defeat DDoS Attacks

Yinan Jing1, Zheng Xiao1, Xueping Wang1, Gendu Zhang1•
Fudan University1
23 Apr 2006
TL;DR: This paper proposes using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet, and uses the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate the DDoS effect as near to attack sources as possible.
Abstract: Distributed denial-of-service attack has become one of the major threats to the Internet today. And the distributed nature of the DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a built-in distributed rate limit framework throughout the Internet. And we leverage the IP traceback technique to avoid collateral damage on legitimate traffic and mitigate the DDoS effect as near to attack sources as we can. This defense framework is a service-oriented economic model that not only motivates ISPs to deploy it, but also benefits all participants.
Book Chapter•10.1002/9780470099742.CH8•
Denial‐of‐Service Attacks

Aikaterini Mitrokotsa1, Christos Douligeris1•
University of Piraeus1
14 Jun 2006
TL;DR: One of the most challenging issues to availability is the denial-of-service (DoS) attack, which is the disruption of services by attempting to limit access to a machine or service.
Abstract: Availability requires that computer systems function normally without loss of resources to legitimate users. One of the most challenging issues to availability is the denial-of-service (DoS) attack. DoS attacks constitute one of the major threats and among the hardest security problems in today’s Internet. The main aim of a DoS is the disruption of services by attempting to limit access to a machine or service. Depending on the attackers’ strategy, the target resources may be the file system space, the process space, the network bandwidth, or the network connections. These attacks achieve their goal by sending at a victim a stream of packets in order to exhaust the bandwidth of its network traffic or its processing capacity denying or degrading service to legitimate users. There have been some large-scale attacks targeting high-profile Internet sites.
Journal Article•
A Light-Weight Detection Method Against DDoS Attack

Chen Wei
01 Jan 2006-Chinese Journal of Computers
TL;DR: The authors propose an efficient and flexible method that obtains the most accurate detection result with the least computation cost for distributed denial of service (DDoS) detection.
Abstract: Distributed Denial of Service (DDoS) attack is a major threat to Internet services. Research on this kind of attack is significant for the security and reliability of the Internet. Defense at the source-end has many advantages but it also encounters several challenges. One is inaccurate detection. Compared to the attacking traffic at the victim side, the malicious traffic near the source-end is relatively much lower and does not show evident features. Another problem for source-end detection is a lack of motivation for source-end ISPs to deploy it, due to storage and computation cost considerations. To make the defense at the source-end more practical, the authors propose an efficient and flexible method. A Bloom filter based hash table is employed to monitor asymmetric TCP handshakes for the purpose of saving memory storage and computation cost. After information about the asymmetric traffic is extracted and stored in the Bloom filter, CUSUM is then applied to detect abnormal changes in the digested traffic. The method is evaluated and compared with two other similar methods in experiments. In the experiment environment, DARPA data is replayed and all methods use the same storage cost; results show the proposed method obtains the most accurate detection result with the least computation cost.
Journal Article•10.1108/17440080680000099•
Protecting Web Applications from DDoS Attacks by an Active Distributed Defense System

Yang Xiang1, Wanlei Zhou1•
Deakin University1
01 Jan 2006-International Journal of Web Information Systems
TL;DR: This paper presents an active distributed defense system that has a deployment mixture of sub‐systems to protect web applications from DDoS attacks, and according to the simulation experiments, this system is effective and able to defend web applications against attacks.
Abstract: In the last few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high‐profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub‐systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.
Journal Article•10.1093/IETCOM/E89-B.7.2033•
An Effective DDoS Attack Detection and Packet-Filtering Scheme

Seok Bong Jeong, Hyunwoo Kim, Sehun Kim
01 Jul 2006-IEICE Transactions on Communications
TL;DR: Effective measures are proposed for detecting attacks in routers through the use of queuing models, which help detect attacks closer to the attack sources, and can effectively filter attack packets.
Abstract: A distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim or its Internet connection, or both. Defense against DDoS attacks as well as identification of their sources comprise demanding challenges in the realm of Internet security studies. In this paper, effective measures are proposed for detecting attacks in routers through the use of queuing models, which help detect attacks closer to the attack sources. Utilizing these measures, an effective DDoS attack detection and packet-filtering scheme is proposed. The suggested approach is a cooperative technique among routers intended to protect the network from persistent and severe congestion arising from a rapid increase in attack traffic. Through computer simulations, it is shown that the proposed scheme can trace attacks near to the attack sources, and can effectively filter attack packets.
