TL;DR: This paper develops a distributed change-point detection (DCD) architecture using change aggregation trees (CAT), and proves that this DDoS defense system can scale well to cover 84 AS domains, wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.
Abstract: This paper presents a new distributed approach to detecting DDoS (distributed denial of service) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.
TL;DR: It is proposed to distribute these overheads amongst all POPs of the ISP using an ISP level traffic feature distribution based approach and the comparison with volume based approach clearly indicates the supremacy of the proposed methodology.
Abstract: DDoS attacks are best detected near the victim's site, as maximum attack traffic converges at this point. In most of the current solutions, monitoring and analysis of traffic for DDoS detection have been carried out at a single link which connects the victim to the ISP. However, the mammoth volume generated by DDoS attacks poses the biggest challenge in terms of memory and computational overheads. These overheads make the DDoS solution itself vulnerable to DDoS attacks. We propose to distribute these overheads amongst all POPs of the ISP using an ISP-level traffic feature distribution based approach. An ISP-level topology and well-known attack tools are used for simulations in ns-2. The comparison with the volume-based approach clearly indicates the supremacy of the proposed methodology.
TL;DR: A novel framework to robustly and efficiently detect DDoS attacks and identify attack packets without modifying existing IP forwarding mechanisms at routers is proposed, in which traffic is analyzed only at the edge routers of an internet service provider (ISP) network.
TL;DR: It is shown in this paper that utilizing this attack, it is possible for an attacker to just use a dialup modem and an unprotected intermediary network to exhaust even an ultra high speed optical line such as OC-192 of the victim network.
Abstract: The Smurf-based distributed denial of service (DDoS) attack is an amplification attack where the attacker uses unprotected intermediate networks to amplify the attack traffic load and direct it to the victim computer. In this paper, we investigate the factors that contribute to the amplification of the smurf attack traffic and understand the relation among the original attack traffic, intermediate unprotected network and the final amplified attack traffic. We also define a new term called attack amplification factor which represents the degree of amplification that original attack traffic undergoes during its transmission towards the victim computer. It is also shown in this paper that utilizing this attack, it is possible for an attacker to just use a dialup modem and an unprotected intermediary network to exhaust even an ultra high speed optical line such as OC-192 of the victim network.
TL;DR: A mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology, and an encouragement model that uses client's session rate as currency to defend against session-flooding attacks.
Abstract: Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We propose a mechanism named DOW (defense and offense wall), which defends against layer-7 attacks using a combination of detection technology and currency technology. An anomaly detection method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses the client's session rate as currency. The detection model drops suspicious sessions, while the currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain a higher service rate and lower response delay.
TL;DR: The goal of this paper is to explore the effectiveness of machine learning techniques in developing automatic defences against DDoS attacks by developing a data collection and traffic filtering framework and exploring the potential of artificial neural networks in the defence against DDoS attacks.
Abstract: Distributed denial of service attacks pose a serious threat to many businesses which rely on constant availability of their network services. Companies like Google, Yahoo and Amazon are completely reliant on the Internet for their business. It is very hard to defend against these attacks because of the many different ways in which hackers may strike. Distinguishing between legitimate and malicious traffic is a complex task. Setting up filtering by hand is often impossible due to the large number of hosts involved in the attack. The goal of this paper is to explore the effectiveness of machine learning techniques in developing automatic defences against DDoS attacks. As a first step, a data collection and traffic filtering framework is developed. This foundation is then used to explore the potential of artificial neural networks in the defence against DDoS attacks.
TL;DR: Attack diagnosis (AD) is presented, a novel attack mitigation scheme that adopts a divide-and-conquer strategy and is shown to be robust against IP spoofing and to incur low false positive ratios.
Abstract: Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that adopts a divide-and-conquer strategy. AD combines the concepts of pushback and packet marking, and its architecture is in line with the ideal DDoS attack countermeasure paradigm: attack detection is performed near the victim host and packet filtering is executed close to the attack sources. AD is a reactive defense mechanism that is activated by a victim host after an attack is detected. By instructing its upstream routers to mark packets deterministically, the victim can trace back one attack source and command an AD-enabled router close to the source to filter the attack packets. This process isolates one attacker and throttles it, which is repeated until the attack is mitigated. We also propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attackers simultaneously. AD and PAD are analyzed and evaluated using the Skitter Internet map, Lumeta's Internet map, and the 6-degree complete tree topology model. Both schemes are shown to be robust against IP spoofing and to incur low false positive ratios.
TL;DR: A novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed.
Abstract: In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet, since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and DDoS attack tools have become easier and easier to obtain. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperation detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in the intermediate network nodes or near the sources of DDoS attacks, and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracies can be improved without much load on information communications among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.
TL;DR: A detailed study of the source code of the popular DDoS attack bots, Agobot, SDBot, RBot and Spybot, is presented to provide an in-depth understanding of the attacks in order to facilitate the design of more effective and efficient detection and mitigation techniques.
Abstract: In recent years, we have seen the arrival of Distributed Denial-of-Service (DDoS) open-source bot-based attack tools facilitating easy code enhancement, and so resulting in attack tools becoming more powerful. Developing new techniques for detecting and responding to the latest DDoS attacks often entails using attack traces to determine attack signatures and to test the techniques. However, obtaining actual attack traces is difficult, because the high-profile organizations that are typically attacked will not release monitored data as it may contain sensitive information. In this paper, we present a detailed study of the source code of the popular DDoS attack bots, Agobot, SDBot, RBot and Spybot to provide an in-depth understanding of the attacks in order to facilitate the design of more effective and efficient detection and mitigation techniques.
TL;DR: In this article, a system detects an attack on a computer system, identifies the attack as polymorphic, and adjusts access to an interface to prevent further damage caused to the computer system by the attack.
Abstract: A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.
TL;DR: This paper focuses on the typical DoS/DDoS attacks under IPv6, which include the DoS attacks pertinent to the IPv6 Neighbor Discovery protocol and DDoS attacks based on four representative attack modes, namely TCP-Flood, UDP-Flood, ICMP-Flood and Smurf.
Abstract: The DoS/DDoS attacks are always the leading threats to the Internet. With the development of the Internet, IPv6 is inevitably taking the place of IPv4 as the main protocol of the Internet. So the security issues of IPv6 become the focus of present research. In this paper we mainly focus on the typical DoS/DDoS attacks under IPv6, which include the DoS attacks pertinent to the IPv6 Neighbor Discovery protocol and DDoS attacks based on four representative attack modes, namely TCP-Flood, UDP-Flood, ICMP-Flood and Smurf. We do these attack experiments under IPv6 with and without IPSec configuration respectively. The experiments without IPSec validate the effectiveness of the typical DoS/DDoS attacks under IPv6, and those with IPSec show the effectiveness of IPSec against these attacks whose source addresses are spoofed.
TL;DR: This article discusses two components of the technological solutions to DDoS attacks: cooperative filtering and cooperative traffic smoothing by caching and proposes usage-based pricing and Capacity Provision Networks, which enable victims to disseminate enough incentive along attack paths to stimulate cooperation against DDoS attack.
Abstract: Cooperative technological solutions for Distributed Denial-of-Service (DDoS) attacks are already available, yet organizations in the best position to implement them lack incentive to do so, and the victims of DDoS attacks cannot find effective methods to motivate them. In this article we discuss two components of the technological solutions to DDoS attacks: cooperative filtering and cooperative traffic smoothing by caching. We then analyze the broken incentive chain in each of these technological solutions. As a remedy, we propose usage-based pricing and Capacity Provision Networks, which enable victims to disseminate enough incentive along attack paths to stimulate cooperation against DDoS attacks.
TL;DR: This paper studies in detail congestion-based RoQ DDoS attacks in mobile ad-hoc networks for the first time and proposes a defense scheme that includes both the detection and response mechanisms.
Abstract: Reduction of Quality (RoQ) attack is a new style of Distributed Denial of Service (DDoS) attack. The goodput and delay performance of TCP or UDP flows are very sensitive to such RoQ attacks. In this paper, we study in detail congestion-based RoQ DDoS attacks in mobile ad-hoc networks for the first time. Specifically, we study the attacking principles based on analysis of the network capacity and classify these attacks into four categories: pulsing attack, round robin attack, self-whisper attack, and flooding attack. We then propose a defense scheme that includes both the detection and response mechanisms. The detection signals include the frequency of receiving RTS/CTS packets, the frequency of sensing a busy channel (signal interference), and the number of RTS/DATA retransmissions. The response scheme is based on the ECN marking mechanism. Through extensive ns2 network simulations, we demonstrate the existence of high goodput and delay jitters under the pulsing attack mode. An increase in delay (by 110 times under five attacking flows) and a decrease in goodput (to 77% under five attacking flows) can be observed, especially when more attacking flows occur. Moreover, we show through simulations that similar behaviors can also be observed for TCP flows as well as networks of other topology types.
TL;DR: By considering incoming packets routed to the victim and modifying the intention-driven iTrace model, this paper can generate more effective ICMP traceback packets to locate the source of attack more accurately.
Abstract: One of the most significant current groups of security endangerments in the Internet is DoS/DDoS attacks. The goal of these kinds of attacks is to completely engage available resources so that legitimate users are not able to access a service. Several traceback approaches have been proposed to trace back the source of an attack. One of these methods is intention-driven iTrace, which is the working base of ICMP traceback. By this method, it is possible to increase the number of effective ICMP traceback messages, which can provide useful information to the victim in tracing the source of an attack. Reconstruction of the path to the source of an attack by the victim can be done accurately when more effective ICMP traceback messages are generated in critical routers. In this paper, we propose a model considering incoming packets routed to the victim; by modifying the intention-driven iTrace model, we can generate more effective ICMP traceback packets to locate the source of attack more accurately.
TL;DR: This work proposes a security framework using IP Traceback that is able to respond to DDoS attacks, and shows that the proposed security framework is safe to deploy and protects data in the network from attackers and others.
Abstract: DDoS (distributed denial of service) attack is a critical threat to the current Internet. Recently many technologies for detection and prevention have been developed, but it is difficult for the IDS to distinguish normal traffic from the DDoS attack. Therefore, when the DDoS attack is detected by the IDS, the firewall just discards all over-bounded traffic for a victim or absolutely decreases the threshold of the router. Also, attackers use spoofed IP addresses. To solve this problem, we propose a security framework using IP Traceback that is able to respond to DDoS attacks. Our implementation shows that the proposed security framework is safe to deploy and protects data in the network from attackers and others.
TL;DR: The previous entropy detection algorithm is improved, and two enhanced detection methods based on cumulative entropy and time, respectively are proposed, which could lead to more accurate and effective DDoS detection.
Abstract: Distributed Denial of Service (DDoS) attack poses a severe threat to the Internet. It is difficult to find the exact signature of the attack. Moreover, it is hard to distinguish whether an unusually high volume of traffic is caused by the attack or occurs when a huge number of users occasionally access the target machine at the same time. The entropy detection method is an effective method to detect the DDoS attack. It is mainly used to calculate the distribution randomness of some attributes in the network packets' headers. In this paper, we focus on the detection technology of DDoS attack. We improve the previous entropy detection algorithm, and propose two enhanced detection methods based on cumulative entropy and time, respectively. Experiment results show that these methods could lead to more accurate and effective DDoS detection.
TL;DR: In this article, the authors argue that the key to cost-effective handling of DDoS attacks on a network such as the Internet is accountability, meaning that the sources of all traffic can be accurately and reliably identified, and receivers can effectively block traffic to them from any source.
Abstract: Defenses against botnet-based distributed denial-of-service (DDoS) attacks must demonstrate that in addition to being technically feasible, they are also economically viable, particularly when compared with the two most widely deployed defenses--simple massive overprovisioning of resources to absorb and handle DDoS traffic, and "scrubbing" of incoming traffic by the victim's ISP. We argue that the key to cost-effective handling of DDoS attacks on a network such as the Internet is accountability, meaning that the sources of all traffic can be accurately and reliably identified, and receivers can effectively block traffic to them from any source.
We propose a simple approach to directly providing accountability within a group of ASes. It combines strict ingress filtering on all edge traffic with an AS-based infrastructure that allows hosts to request that traffic to them from specific other hosts be blocked at the source. We also propose using the previously proposed "evil bit" in IP headers to allow a group of ASes that implement accountability to collectively reduce the impact of DDoS attacks originating outside their portion of the Internet. Finally, we present evidence for the economic competitiveness of our approach, compared with the current default approaches of massive overprovisioning and ISP scrubbing.
TL;DR: A rate control scheme that protects destination domains by limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected is proposed.
TL;DR: A Non-Intrusive IP traceback scheme which uses sampled traffic under non-attack conditions to build and maintain caches of the valid source addresses transiting network routers, allowing for a fast traceback; the scheme is scalable due to the distribution of processing workload.
Abstract: The paper describes a Non-Intrusive IP traceback scheme which uses sampled traffic under non-attack conditions to build and maintain caches of the valid source addresses transiting network routers. Under attack conditions, route anomalies are detected by determining which routers have been used for unknown source addresses, in order to construct the attack graph. Results of simulation studies are presented. Our approach does not require changes to the Internet routers or protocols. Precise information regarding the attack is not required, allowing a wide variety of DDoS attack detection techniques to be used. Our algorithm is simple and efficient, allowing for a fast traceback, and the scheme is scalable due to the distribution of processing workload.
TL;DR: The novel concept of traffic ownership is proposed and a system that extends control over network traffic by network users to the Internet using adaptive traffic processing devices is described, which safely delegate partial network management capabilities from network operators to network users.
TL;DR: This paper suggests the effective DDoS defense system which uses the collaborative scheme among distributed IDRSs located in the vicinity of the attack source or victim network.
Abstract: Distributed Denial-of-Service attack (DDoS) is one of the most outstanding menaces on the Internet. A DDoS attack generally attempts to overwhelm the victim in order to deny its services to legitimate users. A number of approaches have been proposed for defending against DDoS attacks accurately in real time. However, existing schemes have limits in terms of detection accuracy and delay if the IDRS (Intrusion Detection and Response System) deployed only at a specific location detects and responds against attacks. In this case, it is not able to catch the characteristic of the attack, which is distributed at large scale. Moreover, the existing detection schemes have vulnerabilities to intelligent DDoS attacks which are able to avoid their detection threshold or delay their detection time. This paper suggests an effective DDoS defense system which uses a collaborative scheme among distributed IDRSs located in the vicinity of the attack source or victim network. In the proposed scheme, both victim-end and source-end IDRSs work synergistically to identify the attack and reduce the false alarm rate to a great extent. Additionally, we propose the duplicate detection window scheme to detect various attack dynamics, which increases the detection threshold gradually in the early stage. The proposed scheme can effectively detect and respond against these diverse DDoS attack dynamics.
TL;DR: The DDoS Container is proposed, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks and shows its effectiveness in classifying DDoS traffic.
Abstract: By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus leading to unavailability of computing system services. Various defense mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested, including resource redundancy, traceback of attack origins and identification of programs with suspicious behavior. Contemporary DDoS attacks employ sophisticated techniques including formation of hierarchical networks, one-way communication channels, encrypted messages, dynamic port allocation and source address spoofing to hide the attackers' identities; such techniques make both detection and tracing of DDoS activities a challenge and render traditional DDoS defense mechanisms ineffective. In this paper, we propose the DDoS Container, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks; the framework operates in 'inline' mode to inspect and manipulate ongoing traffic in real time. By keeping track of connections established by both potential DDoS attacks and legitimate applications, the suggested DDoS Container carries out stateful inspection on data streams and correlates events among sessions. The framework performs stream re-assembly and dissects the resulting aggregations against protocols followed by various known DDoS attacks, facilitating their identification. The traffic pattern analysis and data correlation of the framework further enhance its detection accuracy on DDoS traffic camouflaged with encryption. Actions available on identified DDoS traffic range from simple alerting to message blocking and proactive session termination. Experimentation with the prototype of our DDoS Container shows its effectiveness in classifying DDoS traffic.
TL;DR: This paper examines two types of area-congestion-based DDoS attacks - remote and local attacks - and presents in-depth analysis on various factors and attack constraints that an attacker may use and face.
Abstract: Increased instances of distributed denial of service (DDoS) attacks on the Internet have raised questions on whether and how ad hoc networks are vulnerable to such attacks. This paper studies the special properties of such attacks in ad hoc networks. We examine two types of area-congestion-based DDoS attacks, remote and local attacks, and present in-depth analysis on various factors and attack constraints that an attacker may use and face. We find that (1) there are two types of congestion, self congestion and cross congestion, that need to be carefully monitored; (2) the normal traffic itself causes significant packet loss in addition to the attack impacts in both remote and local attacks; (3) the number of flooding nodes has major impacts on remote attacks, while the load of normal traffic and the position of flooding nodes are critical to local attacks; and (4) given the same number of flooding nodes and attack loads, a remote DDoS attack can cause more damage to the network than a local DDoS attack.
TL;DR: It is shown that the proposed system architecture to generate an attack scenario database correctly and completely is better than CAML since it can generate more attack scenarios effectively and correctly to help system managers to maintain network security.
Abstract: With the coming of the information era, the Internet has developed rapidly and offered more and more services. However, intrusions, viruses and worms follow the growth of the Internet, spreading widely all over the world within high-speed networks. Although many kinds of intrusion detection systems (IDSs) have been developed, they have some disadvantages in that they focus on low-level attacks or anomalies, and raise alerts independently. In this paper, we give a formal description of attack patterns, attack transition states and attack scenarios. We propose a system architecture to generate an attack scenario database correctly and completely. We first classify and extract attack patterns, then correlate attack patterns with pre/post condition matching. Moreover, the approach, attack scenario generation with causal relationship (ASGCR), is proposed to build an attack scenario database. Finally, we present the combination of our attack scenario database with a security operation center (SOC) to implement the related components concerning alert integration and correlation. It is shown that our method is better than CAML [4] since we can generate more attack scenarios effectively and correctly to help system managers to maintain network security.
TL;DR: In this article, a deterministic pushback scheme is proposed to respond to DDoS attacks using the IP address information of an attack source edge router, which is obtained by reassembling an IP address of detected DDoS attack packets at a victim system that detects DDoS.
Abstract: Provided is a method for responding to a distributed denial of service (DDoS) attack using a deterministic pushback scheme. In the method, all packets outbound from an edge router of a predetermined network system to the other network system are marked with its own IP address in order to enable a victim system to confirm the IP address of the attack source edge router for DDoS attack packets. Then, the IP address information of the attack source edge router is obtained by reassembling the IP address from detected DDoS attack packets at the victim system that detects the DDoS attack. If the victim system transmits a deterministic pushback message to the attack source edge router, the message is received at the attack source edge router, the information of the attack source edge router is confirmed, and the corresponding attack packets are filtered.
TL;DR: A SOA approach to build a system against DDoS attacks targeting online businesses is proposed, built on Web services and can be constructed and reconfigured easily by an attack victim.
Abstract: Distributed denial-of-service (DDoS) attacks are increasingly mounted by cyber-criminal gangs to extort money from online businesses. This kind of attack is normally targeted at a particular service provider to exhaust the network and system resources of the provider. Since the scale of the attack is limited, the ISP operators normally cannot observe this type of attack. As a result, the victim of the attack is left to deal with the attack on its own accord. This paper proposes a SOA approach to build a system against DDoS attacks targeting online businesses. The system is built on Web services. It can be constructed and reconfigured easily by an attack victim. Experiments were also carried out to measure the overheads and the effectiveness of the proposed approach.
TL;DR: The results demonstrate that efficient filter allocation significantly improves the tradeoff between the number of filters used and the amount of legitimate traffic preserved.
Abstract: Distributed denial-of-service (DDoS) attacks are a major problem in the Internet today. During a DDoS attack, a large number of compromised hosts send unwanted traffic to the victim, thus exhausting the resources of the victim and preventing it from serving its legitimate clients. One of the main mechanisms against DDoS is filtering, which allows routers to selectively block unwanted traffic. Given the magnitude of DDoS attacks and the high cost of filters in the routers today, the successful mitigation of a DDoS attack using filtering crucially depends on the efficient allocation of filtering resources. In this paper, we consider a single router with a limited number of available filters. We study how to optimally allocate filters to attack sources, or entire domains of attack sources, so as to maximize the amount of good traffic preserved, under a constraint on the number of filters. First, we look at the single-tier problem, where the collateral damage on legitimate traffic is high due to the filtering at the granularity of attack domains. Second, we look at the two-tier problem, where we have an additional constraint on the number of filters and filtering is performed at the granularity of attackers and/or domains. We formulate both problems as optimization problems, and we evaluate the optimal solution over a range of realistic attack-scenarios. Our results demonstrate that efficient filter allocation significantly improves the tradeoff between the number of filters used and the amount of legitimate traffic preserved.
TL;DR: This paper proposes a novel defense scheme against shrew DDoS or RoQ (reduction-of-service) attacks, and reveals the spectral shifting of attack flows from that of normal flows.
Abstract: The shrew or RoS attacks are low-rate DDoS attacks that degrade the QoS to end systems slowly but do not deny the services completely. These attacks are more difficult to detect than the flooding type of DDoS attacks. In this paper, we explore the energy distributions of Internet traffic flows in the frequency domain. Normal TCP traffic flows present some form of periodicity because of TCP protocol behavior. Our results reveal that normal TCP flows can be segregated from malicious flows using some energy distribution properties. We discover the spectral shifting of attack flows from that of normal flows. Combining flow-level spectral analysis with sequential hypothesis testing, we propose a novel defense scheme against shrew DDoS or RoQ (reduction-of-service) attacks. Our detection and filtering scheme can effectively rescue 99% of legitimate TCP flows under the RoS attacks. Keywords: Network security, Internet traffic spectrum, low-rate DDoS attacks, reduction-of-quality attacks, digital signal processing, spectral analysis.
TL;DR: A Link-ID is the information about the path between Border Gateway Protocol routers in the Autonomous Systems and each BGP router's connection to the outside of the AS; this shows promising results when compared with contemporary filtering methods.
Abstract: Functionality and availability are among the main characteristics of the Internet and hence very inviting for attackers who try to provoke a denial-of-service attack. As the intensity and frequency of DDoS attacks have increased, various preventive mechanisms have also been proposed. One of the most effective defence mechanisms proposed was Path Identification (Pi). This method tracks the packet transmission path. With packets carrying this path information, the victim node can defend itself from a DDoS attack by filtering the packets transmitted via/from an attacking node. The Pi method has advantages over other traceback methods, such as trivial operation, per-packet filtering, and independence from routers for blocking. The Pi method uses the router's IP address to construct the path information of each packet, which is stored in each packet's ID field. However, because of the limitation of the ID field, only two bits of the resulting message digest of the router's IP address are used, which results in the same path information representing different paths. To address this problem, we propose using Link-IDs instead of the IP addresses of routers to construct the path information of each packet. A Link-ID is the information about the path between Border Gateway Protocol (BGP) routers in the Autonomous Systems (AS) and each BGP router's connection to the outside of the AS. Further analysis shows promising results when compared with contemporary filtering methods.
TL;DR: The results show that there is potential for using statistical methods for creating defense mechanisms that can detect a DDoS attack and that even when an attacker has a priori knowledge of the expected traffic volume for the dimension and divisions employed in the attack, the attack traffic can still be exposed to the defender.
Abstract: We introduce a game-theoretic framework for reasoning about bandwidth attacks, a common form of distributed denial of service (DDoS) attacks. In particular, our traffic injection game models the attacker as a rational but limited-resource entity who uses limited knowledge of traffic patterns to launch IP spoofing based bandwidth attacks on a server. We model the defender as a coarse-grained, relative volume based statistical filter. We analyze the effectiveness of the defender against the attacker by analyzing the payoffs of various strategies in the traffic injection game. Furthermore, we analyze how these payoffs change in the presence of random noise. Our results show that there is potential for using statistical methods for creating defense mechanisms that can detect a DDoS attack and that even when an attacker has a priori knowledge of the expected traffic volume for the dimension and divisions employed in the attack, the attack traffic can still be exposed to the defender.