Scispace (Formerly Typeset)
Showing papers on "Application layer DDoS attack published in 2009"
Journal Article • DOI: 10.1109/TNET.2008.925628
Monitoring the application-layer DDoS attacks for popular websites

Yi Xie, Shun-Zheng Yu (Sun Yat-sen University)
01 Feb 2009 - IEEE/ACM Transactions on Networking
TL;DR: A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks of new application-layer DDoS attacks.
Abstract: Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. Focusing on the detection for such new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on hidden semi-Markov model is proposed to describe the dynamics of Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect the potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.

297 citations

Journal Article • DOI: 10.1109/TNET.2008.926503
DDoS-shield: DDoS-resilient scheduling to counter application layer attacks

Supranamaya Ranjan (Rice University), Ram Swaminathan (Hewlett-Packard), Mustafa Uysal (Hewlett-Packard), Antonio Nucci (Narus), Edward W. Knightly (Rice University)
01 Feb 2009 - IEEE/ACM Transactions on Networking
TL;DR: This paper proposes a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler that assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests.
Abstract: Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. In this paper, we consider sophisticated attacks that are protocol-compliant, non-intrusive, and utilize legitimate application-layer requests to overwhelm system resources. We characterize application-layer resource attacks as either request flooding, asymmetric, or repeated one-shot, on the basis of the application workload parameters that they exploit. To protect servers from these attacks, we propose a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler. In contrast to prior work, our suspicion mechanism assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests. Using testbed experiments on a web application, we demonstrate the potency of these resource attacks and evaluate the efficacy of our counter-mechanism. For instance, we mount an asymmetric attack which overwhelms the server resources, increasing the response time of legitimate clients from 0.3 seconds to 40 seconds. Under the same attack scenario, DDoS Shield improves the victims' performance to 1.5 seconds.

196 citations

Proceedings Article • DOI: 10.1109/ICC.2009.5199191
Modeling Human Behavior for Defense Against Flash-Crowd Attacks

G. Oikonomou (University UCINF), Jelena Mirkovic (University of Southern California)
14 Jun 2009
TL;DR: In this article, the authors propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users, by learning several chosen features of human interaction dynamics, detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, and c) ability to process visual cues.
Abstract: Flash-crowd attacks are the most vicious form of distributed denial of service (DDoS). They flood the victim with service requests generated from numerous bots. Attack requests are identical in content to those generated by legitimate, human users, and bots send at a low rate to appear non-aggressive -- these features defeat many existing DDoS defenses. We propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users. Current approaches to human-vs-bot differentiation, such as graphical puzzles, are insufficient and annoying to humans, whereas our defenses are highly transparent. We model three aspects of human behavior: a) request dynamics, by learning several chosen features of human interaction dynamics, and detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, by learning transitional probabilities of user requests, and detecting bots that generate valid but low-probability sequences, and c) ability to process visual cues, by embedding into server replies human-invisible objects, which cannot be detected by automated analysis, and flagging users that visit them as bots. We evaluate our defenses' performance on a series of web traffic logs, interlaced with synthetically generated attacks, and conclude that they raise the bar for a successful, sustained attack to botnets whose size is larger than the size observed in 1-5% of DDoS attacks today.

130 citations

Journal Article • DOI: 10.1080/19393550903317070
Defending against Distributed Denial of Service Attacks: Issues and Challenges

Brij B. Gupta, Ramesh C. Joshi, Manoj Misra (Indian Institute of Technology Roorkee)
24 Nov 2009 - Information Security Journal: A Global Perspective
TL;DR: A comprehensive study of a wide range of DDoS attacks and defense methods proposed to combat them is presented to provide better understanding of the problem, current solution space, and future research scope to defend against DDoS attack.
Abstract: Distributed Denial of Service (DDoS) attacks on user machines, organizations, and infrastructures of the Internet have become highly publicized incidents and call for immediate solution. It is a complex and difficult problem characterized by an explicit attempt of the attackers to prevent access to resources by legitimate users for which they have authorization. Several schemes have been proposed on how to defend against these attacks, yet the problem still lacks a complete solution. The main purpose of this paper is therefore twofold. First is to present a comprehensive study of a wide range of DDoS attacks and defense methods proposed to combat them. This provides better understanding of the problem, current solution space, and future research scope to defend against DDoS attacks. Second is to propose an integrated solution for completely defending against flooding DDoS attacks at the Internet Service Provider (ISP) level.

102 citations

Journal Article • DOI: 10.1109/LCOMM.2009.090615
Chaos theory based detection against network mimicking DDoS attacks

Ashley Chonka (Deakin University), Jaipal Singh (Curtin University), Wanlei Zhou (Deakin University)
01 Sep 2009 - IEEE Communications Letters
TL;DR: Preliminary experiments and analysis indicate that the proposed chaotic model can accurately and effectively detect DDoS attack traffic and has the potential to not only detect attack traffic during transit, but to also filter it.
Abstract: DDoS attack traffic is difficult to differentiate from legitimate network traffic during transit from the attacker, or zombies, to the victim. In this paper, we use the theory of network self-similarity to differentiate DDoS flooding attack traffic from legitimate self-similar traffic in the network. We observed that DDoS traffic causes a strange attractor to develop in the pattern of network traffic. From this observation, we developed a neural network detector trained by our DDoS prediction algorithm. Our preliminary experiments and analysis indicate that our proposed chaotic model can accurately and effectively detect DDoS attack traffic. Our approach has the potential to not only detect attack traffic during transit, but to also filter it.

99 citations

Proceedings Article • DOI: 10.1109/NSS.2009.35
Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics

Ke Li, Wanlei Zhou, Ping Li, Jing Hai, Jianwen Liu (Deakin University)
19 Oct 2009
TL;DR: A set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively are proposed, and simulations show that the proposed methods work well and can greatly reduce both false positive and false negative rates in detection.
Abstract: Both Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic; however, Flash crowds are legitimate flows and DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these methods can not only distinguish DDoS attacks from Flash crowds clearly, but can also distinguish the anomaly flow, being DDoS attack flow or Flash crowd flow, from Normal network flow effectively. Furthermore, we show our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

78 citations

Proceedings Article • DOI: 10.1109/MUE.2009.60
DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis

Yi-Chi Wu, Huei-Ru Tseng, Wuu Yang, Rong-Hong Jan (National Chiao Tung University)
4 Jun 2009
TL;DR: A system to detect DDoS attacks based on a decision-tree technique and, after detecting an attack, to trace back to the approximate locations of the attacker with a traffic-flow pattern-matching technique is designed.
Abstract: As modern life becomes increasingly closely bound to the Internet, network security becomes increasingly important. Like it or not, we all live under the shadow of network threats. The threats could cause leakage of privacy and/or economic loss. Among network attacks, the DDoS (distributed denial-of-service) attack is one of the most frequent and serious. In a DDoS attack, an attacker first breaks into many innocent computers (called zombies) by taking advantage of known or unknown bugs and vulnerabilities in the software. Then the attacker sends a large number of packets from these already-captured zombies to a server. These packets either occupy a major portion of the server's network bandwidth or they consume much of the server's time. The server is then prevented from conducting normal business operations. In order to mitigate the DDoS threat, we design a system to detect DDoS attacks based on a decision-tree technique and, after detecting an attack, to trace back to the approximate locations of the attacker with a traffic-flow pattern-matching technique. We conduct our experiment on the DETER system. According to our experiment results, our system could detect the DDoS attack with a false positive ratio of about 1.2% - 2.4% and a false negative ratio of about 2% - 10% for different kinds of attack and attack sending rates, and find the attack path in trace back with a false negative rate of 8% - 12% and a false positive rate of 12% - 14%.

76 citations

Proceedings Article • DOI: 10.1109/IADCC.2009.4809199
Distributed Denial-of-Service (DDoS) Threat in Collaborative Environment - A Survey on DDoS Attack Tools and Traceback Mechanisms

P. Arun Raj Kumar, S. Selvakumar (National Institute of Technology, Tiruchirappalli)
6 Mar 2009
TL;DR: This paper analyses the security measures in a collaborative environment, identifies the popular DDoS attack tools, and surveys the existing traceback mechanisms to trace the real attacker.
Abstract: Collaborative applications are feasible nowadays and are becoming more popular due to the advancement in internetworking technology. The typical collaborative applications in India include Space research, Military applications, Higher learning in Universities and Satellite campuses, State and Central government sponsored projects, e-governance, e-healthcare systems, etc. In such applications, computing resources for a particular institution/organization spread across districts and states, and communication is achieved through internetworking. Therefore the computing and communication resources must be protected against security attacks, as any compromise on these resources would jeopardize the entire application/mission. A collaborative environment is prone to various threats, of which Distributed Denial of Service (DDoS) attacks are of major concern. A DDoS attack prevents legitimate access to critical resources. A survey by Arbor Networks reveals that approximately 1,200 DDoS attacks occur per day. As the DDoS attack is coordinated, the defense for the same has to be a collaborative one. To counter DDoS attacks in a collaborative environment, all the routers need to work collaboratively by exchanging their caveat messages with their neighbors. This paper analyses the security measures in a collaborative environment, identifies the popular DDoS attack tools, and surveys the existing traceback mechanisms to trace the real attacker.

72 citations

Proceedings Article • DOI: 10.1109/IITA.2009.165
Research on DoS Attack and Detection Programming

Wentao Liu (Wuhan Polytechnic University)
21 Nov 2009
TL;DR: The DDoS based on DoS is introduced and some DDoS tools are described and the important TCP flood DoS attack theory is discussed.
Abstract: The DoS attack is the most popular attack in the network security with the development of network and internet. In this paper, the DoS attack principle is discussed and some DoS attack methods are deeply analyzed. The DoS attack detection technologies which include network traffic detection and packet content detection are presented. The DDoS based on DoS is introduced and some DDoS tools are described and the important TCP flood DoS attack theory is discussed. The DoS attack program and a DoS attack detection program based on Winpcap for experiment are designed and the network packet generation and capture are implemented. The experiment expressed the key progress of DoS attack and detection in detail.

56 citations

Patent
Countering against distributed denial-of-service (ddos) attack using content delivery network

Na Won Taek, Baeg Hyeong Seong, Byun Choon Hwan, Jeong-Woo Lim, Han Hyo Soo
20 Nov 2009
TL;DR: In this article, a method and apparatus for blocking a distributed denial-of-service (DDoS) attack are provided, where it is first determined whether a traffic status of an origin server is based on the DDoS attack and then a DNS is requested to change an Internet protocol (IP) address of the origin server to the IP address of at least one of the plural servers.
Abstract: A method and apparatus for blocking a distributed denial-of-service (DDoS) attack are provided. It is first determined whether the traffic status of an origin server is due to a DDoS attack. When it is determined that the traffic status of the origin server is due to a DDoS attack, a DNS is requested to change the Internet protocol (IP) address of the origin server to the IP address of at least one of plural servers. Accordingly, it is possible to accept normal service requests and also to determine and block the DDoS attack. In addition, since a device for determining and blocking the DDoS attack need not be installed in each site or server, it is possible to efficiently determine and block the DDoS attack at reduced cost.

54 citations

Journal Article • DOI: 10.1109/LCOMM.2009.090628
Is it congestion or a DDoS attack

Amey Shevtekar, Nirwan Ansari (New Jersey Institute of Technology)
01 Jul 2009 - IEEE Communications Letters
TL;DR: The inability of representative defense schemes such as adaptive queue management and aggregate congestion control to detect the quiet attack is demonstrated, and it is shown that short-lived TCP flows can be intentionally misused.
Abstract: We propose a new stealthy DDoS attack model referred to as the "quiet" attack. The attack traffic consists of TCP traffic only. Widely used botnets in today's various attacks and newly introduced network feedback control are integral parts of the quiet attack model. We show that short-lived TCP flows can be intentionally misused. The quiet attack is detrimental to Internet traffic and at the same time difficult to detect using current defense systems. We demonstrate the inability of representative defense schemes such as adaptive queue management and aggregate congestion control to detect the quiet attack.

Proceedings Article • DOI: 10.1109/INCOS.2009.34
DDoS Attack Detection Using IP Address Feature Interaction

Jieren Cheng, Jianping Yin, Yun Liu, Zhiping Cai, Chengkun Wu (National University of Defense Technology)
4 Nov 2009
TL;DR: The experiment results show that the IAI-based detection scheme can distinguish between normal flows and abnormal flows with DDoS attack flows effectively, and help to identify fast and accurate attack flows when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources.
Abstract: Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. We argue that the goals, manners and results of the interaction behaviors of normal flows and attack flows differ, which shows up as different characteristics on IP addresses and ports. The IAI (IP Address Interaction Feature) algorithm is proposed based on address interaction, abrupt traffic change, many-to-one address dissymmetry, distributed source IP addresses and concentrated target addresses. The IAI is designed to describe the essential characteristics of network flow states. Furthermore, a support vector machine (SVM) classifier, which is trained by IAI time series from normal flow and attack flow, is applied to classify the state of current network flows and identify the DDoS attacks. The experiment results show that IAI can reflect the different characteristics of DDoS attack flows and normal flows; the IAI-based detection scheme can distinguish between normal flows and abnormal flows with DDoS attack flows effectively, and helps to identify attack flows fast and accurately when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources, and it has a higher detection rate and lower false alarm rate compared with related works.

Proceedings Article • DOI: 10.1145/1582379.1582403
A prediction-based detection algorithm against distributed denial-of-service attacks

Guoxing Zhang, Shengming Jiang, Gang Wei, Quansheng Guan (South China University of Technology)
21 Jun 2009
TL;DR: A method to define and quantify attacks on servers based on available service rates is discussed, and simulation studies of the proposed prediction method with NS2 show that the prediction algorithm is effective at predicting most attacks.
Abstract: Denial-of-Service (DoS) attacks, especially distributed DoS (DDoS) attacks, have become significant and increasing threats to the Internet. Huge efforts from both academia and industry have been made on detection and defense of DDoS attacks. However, most detection and defense schemes do not directly aim at protecting the victim of attacks itself (e.g., servers) but attack sources or intermediate network units. Although locating and identifying attacking sources are critical to stop attacks and for legal procedure, rapidly and efficiently predicting DDoS attacks about to happen at the server is more important to reduce damage caused by attacks and even prevent attacks from happening. However, this part has not been addressed sufficiently in the literature. In this paper, we first briefly review research efforts on DDoS attacks, and then discuss a method to define and quantify attacks on servers based on available service rates. This is because the server is often the direct victim of DDoS attacks and the one-point failure of the entire service system. No matter whether there are attacks undergoing, if a server is overloaded even by normal service requests, the effect imposed on a service system is equivalent to that of attacks. A prediction method for the available service rate of the protected server is then proposed, which applies the Auto Regressive Integrated Auto Regressive (ARIMA) model. Finally, we investigate the proposed prediction method to predict DDoS attacks through simulation studies with NS2. The simulation results show that the prediction algorithm is effective at predicting most attacks.

Journal Article • DOI: 10.1016/J.COMCOM.2009.03.005
An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

Anjali Sardana, Ramesh C. Joshi (Indian Institute of Technology Roorkee)
27 Jul 2009 - Computer Communications
TL;DR: This paper proposes a proactive approach to DDoS in the form of an integrated auto-responsive framework that aims to restrict attack flow from reaching the target and maintain stable network functionality even under attack, and shows that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attacks.

Book Chapter • DOI: 10.1007/978-3-642-10485-5_13
A Lightweight Mechanism to Mitigate Application Layer DDoS Attacks

Jie Yu (National University of Singapore, National University of Defense Technology), Chengfang Fang (National University of Singapore), Liming Lu (National University of Singapore), Zhoujun Li (Beihang University)
10 Jun 2009
TL;DR: Through simulation, it is shown that TMH is effective in mitigating session flooding attacks: even with 20 times the number of attackers, more than 99% of the sessions from legitimate users are accepted with TMH, whereas less than 18% are accepted without it.
Abstract: Application layer DDoS attacks, to which network layer solutions are not applicable as attackers are indistinguishable based on packets or protocols, prevent legitimate users from accessing services. In this paper, we propose Trust Management Helmet (TMH) as a partial solution to this problem, which is a lightweight mitigation mechanism that uses trust to differentiate legitimate users and attackers. Its key insight is that a server should give priority to protecting the connectivity of good users during application layer DDoS attacks, instead of identifying all the attack requests. The trust in clients is evaluated based on their visiting history, and used to schedule the service to their requests. We introduce a license, for user identification (even beyond NATs) and for storing the trust information at clients. The license is cryptographically secured against forgery or replay attacks. We realize this mitigation mechanism and implement it as a Java package and use it for simulation. Through simulation, we show that TMH is effective in mitigating session flooding attacks: even with 20 times the number of attackers, more than 99% of the sessions from legitimate users are accepted with TMH, whereas less than 18% are accepted without it.

Book Chapter • DOI: 10.1007/978-3-642-02270-8_22
DDoS Attack Detection Algorithm Using IP Address Features

Jieren Cheng, Jianping Yin, Yun Liu, Zhiping Cai, Min Li (National University of Defense Technology)
20 Jun 2009
TL;DR: A novel detecting algorithm for DDoS attacks based on IP address features value (IAFV) is proposed, designed to reflect the essential DDoS attack characteristics, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses.
Abstract: Distributed denial of service (DDoS) attack is one of the major threats to the current Internet. After analyzing the characteristics of DDoS attacks and the existing Algorithms to detect DDoS attacks, this paper proposes a novel detecting algorithm for DDoS attacks based on IP address features value (IAFV). IAFV is designed to reflect the essential DDoS attacks characteristics, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. IAFV time series can be used to characterize the essential change features of network flows. Furthermore, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. The experimental results on the MIT data set show that our algorithm can detect DDoS attacks accurately and reduce the false alarm rate drastically.

Proceedings Article • DOI: 10.1109/CISP.2009.5300903
A New Approach for Detecting DDoS Attacks Based on Wavelet Analysis

Muhai Li, Ming Li (East China Normal University)
30 Oct 2009
TL;DR: A model for detecting DDoS attacks automatically is proposed using discrete wavelet transform (DWT) technique and good results are obtained in terms of tradeoff between correct detections and false alarms.
Abstract: Distributed denial-of-service (DDoS) attacks have become one of the major threats and hardest security problems in today's internet. However, present DDoS attack detection techniques face the problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. We discover that the traffic at one time is similar to that at the same time on different days when there is no attack, but abrupt changes occur under attack. Based on this phenomenon, we propose a model for detecting DDoS attacks automatically. In order to reduce the error in identifying attacks, we use the discrete wavelet transform (DWT) technique. In the end, we use actual data to validate our model and obtain good results in terms of the tradeoff between correct detections and false alarms.

Proceedings Article • DOI: 10.1109/IAS.2009.292
Detecting DoS and DDoS Attacks Using Chi-Square

Fang-Yie Leu, Chia-Chi Pai (Tunghai University)
18 Aug 2009
TL;DR: Experimental results show that an agent_based distributed intrusion detection architecture, which detects DoS/DDoS attacks by comparing source IP addresses’ normal and current connection frequencies, can effectively detect DoS and DDoS attacks.
Abstract: In this paper, we propose an agent_based distributed intrusion detection architecture, which detects DoS/DDoS attacks by comparing source IP addresses’ normal and current connection frequencies. First, we collect source IPs’ packet statistics to obtain their normal packet distribution. When current statistics suddenly increase, very often it is an attack. Experimental results show that this approach can effectively detect DoS/DDoS attacks.

Proceedings Article • DOI: 10.1109/ARTCOM.2009.167
Detecting and Preventing IP-spoofed DDoS Attacks by Encrypted Marking Based Detection and Filtering (EMDAF)

M. Nagaratna (Jawaharlal Nehru Technological University, Hyderabad), V. Kamakshi Prasad (Jawaharlal Nehru Technological University, Hyderabad), S. Tanuz Kumar
27 Oct 2009
TL;DR: A novel scheme based on a firewall that allows the firewall to detect and prevent DDoS attacks from the first packet itself, and has a very low deployment cost.
Abstract: Distributed Denial of Service (DDoS) attacks are the major threat to the current internet world. Source IP address spoofing is one of the approaches used to perform Distributed Denial of Service (DDoS) attacks. In this scenario the packet's true origin is difficult to identify. Thus the defense against the Distributed Denial of Service (DDoS) attack is very complex to handle. We propose a novel scheme which is based on a firewall. This firewall can distinguish the attack packets from the packets sent by legitimate users based on the marking value on the packet, and thus filter out most of the attack packets. Compared to other packet-marking based solutions, our scheme is very effective and has a very low deployment cost. In the implementation of this scheme we would require the cooperation of only about 10% of the Internet routers in the marking process, and a server to generate encrypted markings for secured transmission. The scheme allows the firewall to detect and prevent DDoS attacks from the first packet itself.

A Comprehensive Survey of Distributed Defense Techniques against DDoS Attacks

Monika Sachdeva, Gurvinder Singh, Krishan Kumar, Kuldip Singh
1 Jan 2009
TL;DR: A generic defense methodology is proposed to combat DDoS attacks in automated manner and important metrics are identified to evaluate distributed defense techniques.
Abstract: Distributed Denial of Service Attacks impose a major threat to the availability of Internet services. Most applications like banking, trade, and e-commerce are dependent on the availability of the Internet. Defending the Internet from these attacks has become the need of the hour. A typical DDoS defense comprises three modules, namely traffic monitoring, traffic analysis and traffic filtering. Based on the placement of these modules, DDoS defense can be categorized into centralized DDoS defense and distributed DDoS defense. In centralized defense, all modules are placed at a single point. Under severe DDoS attack, centralized defense itself succumbs to the high volume of traffic. Hence it is itself vulnerable to DDoS attacks. In distributed defense, the defense modules are placed at different points, do not succumb to the high volume of a DDoS attack, and can discover the attacks in a timely manner as well as fight the attacks with more resources. In this paper, important metrics are first identified to evaluate distributed defense techniques. Then a comparative analysis based on the identified metrics is done for existing distributed defense techniques. Research gaps in existing techniques are also highlighted so as to pursue research in this problem. Finally a generic defense methodology is proposed to combat DDoS attacks in an automated manner.

Journal Article • DOI: 10.4236/IJCNS.2009.27067
Research on the Active DDoS Filtering Algorithm Based on IP Flow

Rui Guo, Hao Yin, Dongqi Wang, Bencheng Zhang
20 Oct 2009 - Int'l J. of Communications, Network and System Sciences
TL;DR: IP Flow is established which is used to select proper features for DDoS detection and can optimize the network traffic simultaneously with defending against DDoS attacks, thus eliminating efficiently the global burst of traffic arising from normal traffic.
Abstract: Distributed Denial-of-Service (DDoS) attacks against public web servers are increasingly common. Countering DDoS attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. It is impossible for the victim servers to work at the individual level of on-going traffic flows. In this paper, we establish IP Flow, which is used to select proper features for DDoS detection. The IP flow statistics are used to allocate the weights for traffic routing by routers. Our system protects servers from DDoS attacks without strong client authentication or allowing an attacker with partial connectivity information to repeatedly disrupt communications. The new algorithm is thus proposed to efficiently obtain maximum throughput by traffic filtering, and its feasibility and validity have been verified in a real network environment. The experiment shows that it has a high average detection rate with low false alarm and miss alarm rates. Moreover, it can optimize the network traffic simultaneously with defending against DDoS attacks, thus efficiently eliminating the global burst of traffic arising from normal traffic.
Proceedings Article•10.1109/ICCIT.2009.5407308•
Detection of various denial of service and Distributed Denial of Service attacks using RNN ensemble

[...]

A. B. M. Alim Al Islam1, Tishna Sabrina1•
Bangladesh University of Engineering and Technology1
1 Dec 2009
TL;DR: A technique to incorporate the representative of human brain, Recurrent Neural Networks (RNN), to identify Denial-of-Service and DDoS attacks is proposed.
Abstract: Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) are widely known security attacks which attempt to make computer resources unavailable to their intended users. In this paper, I discuss some well known DoS and DDoS attacks. Experience shows that in the detection of these attacks the human brain is more perfect than mathematical computation. Therefore, I propose a technique to incorporate the representative of the human brain, Recurrent Neural Networks (RNN), to identify these attacks.
Proceedings Article•10.1109/ICC.2009.5199127•
JUST-Google: A Search Engine-Based Defense Against Botnet-Based DDoS Attacks

[...]

Basheer Al-Duwairi1, G. Manimaran2•
Jordan University of Science and Technology1, Iowa State University2
14 Jun 2009
TL;DR: A simple yet effective scheme that enables an ISP's edge routers to pass a great percentage of legitimate traffic, that is destined to a web server under DDoS attack within that ISP, while filtering all other traffic is proposed.
Abstract: Botnet-based distributed denial of service (DDoS) attacks represent an emerging and sophisticated threat for today's Internet. Attackers are now able to mimic the behavior of legitimate users to a great extent, making the issue of countering these attacks very challenging. In this paper, we propose a simple yet effective scheme that enables an ISP's edge routers to pass a great percentage of legitimate traffic, that is destined to a web server under DDoS attack within that ISP, while filtering all other traffic. The proposed scheme, called JUST-Google, is based on the fact that web search engines (especially Google™) represent the entrance for today's web, thus making it in a strategic position to defend against these attacks. The main idea is that Google™ can assist in identifying human users from bot programs by directing users who want to access a web site under attack to a group of nodes that will perform authentication in which users are required to solve a reverse Turing test to obtain access to the web server. Performance analysis shows that the proposed scheme would enable legitimate clients to access a web site that is under attack with high probability.
Proceedings Article•10.1109/IITA.2009.275•
4-Way Handshake Solutions to Avoid Denial of Service Attack in Ultra Wideband Networks

[...]

Zhongying Bai1, Yuan Bai1•
Beijing University of Posts and Telecommunications1
21 Nov 2009
TL;DR: The paper outlines two scenarios where it is possible to produce DoS and DDoS attacks on the 4-way handshake of the ECMA-368 standard, gives two solutions respectively, and shows that the solutions increase the security of ECMA-368.
Abstract: The ECMA-368 (European Computer Manufacturers Association) Standard specifies the ultra wideband MAC (Medium Access Control) sublayer for a high-speed short range wireless network. This Standard specifies a 4-way handshake mechanism to guarantee secure data transmission; however, it also provides opportunities for hackers to produce DoS (Denial of Service) or DDoS (Distributed DoS) attacks. The paper outlines two scenarios where it is possible to produce DoS and DDoS attacks on the 4-way handshake of the ECMA-368 standard, and two solutions are given respectively. The first DoS attack consumes the system's resources such as CPU and memory. The solution successfully prevents the first DoS attack. The second attack deprives the legitimate device of the possibility to build a secure relationship, and the solution suppresses the hackers' behavior. The solutions increase the security of ECMA-368.
Book Chapter•10.1007/978-3-642-02617-1_30•
Detecting DDoS Attacks Using Dispersible Traffic Matrix and Weighted Moving Average

[...]

Tae Hwan Kim1, Dong Seong Kim2, Sang Min Lee1, Jong Sou Park1•
Korea Aerospace University1, Duke University2
18 Jun 2009
TL;DR: This paper proposes a new detection model for spoofed DDoS attacks using dispersible traffic matrix and weighted moving average and shows a good performance in terms of detection accuracy, speed, and false alarms.
Abstract: Distributed Denial of Service (DDoS) attacks have become significant threats on the Internet with the development of network infrastructure and recent communication technology. There are various types of DDoS attacks with different characteristics. These differences have made it very difficult to detect such attacks. Furthermore, the sophisticated evolution of DDoS attack techniques and the enhanced scale of botnets encourage attackers to launch DDoS attacks. The IP spoofing technique also makes it difficult to detect and trace back DDoS attacks. In this paper, we propose a new detection model for spoofed DDoS attacks using a dispersible traffic matrix and weighted moving average. This proposed detection model can not only visualize network traffic streams but also describe the dispersibility characteristics of DDoS attacks such as intensity, duration and rate of DDoS traffic. We carry out experiments on both the DARPA 2000 dataset and real data in our network testbed environment so as to validate the feasibility of our approach. Our approach demonstrates that it effectively detects DDoS attacks in the early stage and in a very short time, even when the DDoS attack streams are low. Also, the proposed detection model shows good performance in terms of detection accuracy, speed, and false alarms.
Survey on New Solutions Against Distributed Denial of Service Attacks

[...]

Liu Bin1•
Tsinghua University1
1 Jan 2009
TL;DR: The damage caused by the DDoS attacks is investigated and the root reasons why DDoS attack take place are analyzed, and a survey on the new solutions against DDoS Attacks is made, which mainly includes network filters based on ISP and proof-of-work.
Abstract: Distributed denial of service (DDoS) attacks remain a serious threat on the Internet and again it is very difficult to devise a perfect DDoS defense mechanism. In this paper, we investigate the damage caused by the DDoS attacks and analyze the root reasons why DDoS attacks take place. After that, we make a survey on the new solutions against DDoS attacks, especially after year 2005, which mainly includes 1) Network filters based on ISP; 2) Proof-of-work; 3) Overlay network; and 4) Network capabilities. We analyze the advantages and disadvantages of these solutions, and conclude the features of the deployed solutions. Finally, we discuss possible future defense strategies against the DDoS attacks.
Proceedings Article•10.1109/FBIE.2009.5405818•
A novel SYN Cookie method for TCP layer DDoS attack

[...]

Bo Hang, Ruimin Hu1•
Wuhan University1
1 Dec 2009
TL;DR: An improved SYN Cookie method is presented, designing a novel attack detector process and an enhanced attack responder with a new cookie verification algorithm and a changed definition of the cookie field, to reduce algorithm complexity while preserving security.
Abstract: With the development of networks, the issues of network security are rapidly becoming a serious problem, and the Denial of Service (DoS) attack has already become the greatest threat to the network. The SYN Flood attack is one of the most common forms of distributed denial of service (DDoS) attack. This paper presents an improved SYN Cookie method, designing a novel attack detector process and an enhanced attack responder with a new cookie verification algorithm and a changed definition of the cookie field, to reduce algorithm complexity while preserving security. The experiment results show that the proposed method provides an average computational complexity reduction of 30% compared with the traditional method. The new method can be an effective defense against the TCP SYN Flood attack with lower complexity.
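The abstract above refers to the cookie field layout and its verification without spelling them out. The following is an added example, not code from the paper, of the classic stateless SYN-cookie construction that such work builds on: the server's ISN packs a coarse time counter, an MSS index and a keyed 24-bit hash of the connection 4-tuple, so nothing is stored per half-open connection and the final ACK can be validated by recomputation alone. The 5/3/24-bit layout, the one-minute counter tick, the MSS table and the HMAC-SHA256 keyed hash are assumptions of this example; the paper's modified field definition is not reproduced here.

```python
import hashlib
import hmac
import struct
import time

# Assumed layout (classic SYN-cookie construction, not the paper's variant):
#   bits 31..27  time counter (5 bits)
#   bits 26..24  MSS index     (3 bits)
#   bits 23..0   keyed hash    (24 bits), offset by the client's ISN
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 3, 24
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table; index is what the cookie carries


def current_counter(now=None):
    """Coarse time counter, one tick per minute, wrapping at 32."""
    t = now if now is not None else time.time()
    return int(t // 60) & COUNTER_MASK


def _mac24(secret, saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = saddr.encode() + b"|" + daddr.encode() + struct.pack("!HHB", sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, counter, mss_index):
    """Server ISN for the SYN-ACK. No per-connection state is kept."""
    if not 0 <= mss_index < len(MSS_TABLE):
        raise ValueError("bad MSS index")
    counter &= COUNTER_MASK
    mac = (_mac24(secret, saddr, daddr, sport, dport, counter) + client_isn) & MAC_MASK
    return (counter << (MSS_BITS + MAC_BITS)) | (mss_index << MAC_BITS) | mac


def check_syn_cookie(secret, saddr, daddr, sport, dport, seq, ack, counter_now):
    """Validate the handshake's final ACK (SEQ = client ISN + 1, ACK = cookie + 1).
    Returns the negotiated MSS if the cookie is ours and at most one tick old,
    else None. The 24-bit hash is compared in constant time."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter = cookie >> (MSS_BITS + MAC_BITS)
    mss_index = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    if (counter_now - counter) & COUNTER_MASK > 1:   # expired, or counter from the future
        return None
    if mss_index >= len(MSS_TABLE):                   # unused index values are never issued
        return None
    expected = (_mac24(secret, saddr, daddr, sport, dport, counter) + client_isn) & MAC_MASK
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & MAC_MASK).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_index]


if __name__ == "__main__":
    secret = b"rotate-this-key-periodically"     # assumed server secret
    tick = current_counter()
    isn = make_syn_cookie(secret, "203.0.113.7", "198.51.100.10", 40000, 80, 0x1000, tick, 3)
    print("SYN-ACK ISN:", hex(isn))
    print("ACK accepted, MSS =", check_syn_cookie(secret, "203.0.113.7", "198.51.100.10",
                                                  40000, 80, 0x1001, isn + 1, tick))
```

The 24-bit hash is the security margin of the scheme: a spoofing attacker who never sees the SYN-ACK has a 2^-24 chance per forged ACK of landing a connection, and the two-tick window bounds replay. Any cheaper verification, of the kind the paper aims for, has to keep both properties.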
Proceedings Article•10.1109/DSN.2009.5270310•
Overloading vulnerability of VoIP networks

[...]

Hemant Sengar
29 Sep 2009
TL;DR: This paper shows that DDoS attacks and flash crowds, while similar in message structure and in the number of INVITEs they generate, exhibit different traffic patterns and hence are distinguishable, and introduces a new entropy-based approach to detect those DDoS attacks that masquerade as flash crowds.
Abstract: The Internet is vulnerable to overloading caused by flash crowds and distributed denial-of-service (DDoS) attacks. Recently voice over IP (VoIP), an Internet-based service, is experiencing phenomenal growth. As its deployment spreads, VoIP systems are likely to become attack targets, of which flooding lists high, perhaps due to its simplicity and the abundance of tool support. DDoS attacks and flash crowds degrade the performance of the call processing server to the point where it becomes sluggish and even unresponsive. The network administrator's dilemma is how to give differential treatment to malicious and legitimate call requests that differ in intent, but not in content. In this paper, we show that DDoS attacks and flash crowds, while similar in message structure and in the number of INVITEs they generate, exhibit different traffic patterns and hence are distinguishable. We also introduce a new entropy-based approach to detect those DDoS attacks that masquerade as flash crowds. Our approach is based on the observation that the creation of malicious sessions has certain effects on the entropy of the call durations; hence, a change in the entropy provides an important clue for mimicry attack detection. As an overloading preventive measure, we exploit the SIP protocol's inbuilt reliability mechanism and exponential backoff timer values to regulate and distinguish legitimate call requests from spoofed ones.
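The abstract's clue is that a flash crowd multiplies the number of calls but not the shape of the call-duration distribution, while bot-created sessions pile up at one lifetime and collapse its entropy. The block below is an added example, not the paper's code or data, of that test over constructed duration samples: an INVITE-rate surge alone is treated as a flash crowd, and a surge together with an entropy drop is flagged as a mimicry attack. The 15-second histogram bucket, the 3x surge factor, the 0.5 entropy-drop ratio and the sample durations are all assumptions of this example.

```python
import math
from collections import Counter

BUCKET_SECONDS = 15      # assumed histogram granularity for call durations
SURGE_FACTOR = 3.0       # assumed: INVITE rate this many times baseline counts as overload
DROP_RATIO = 0.5         # assumed: entropy below this fraction of baseline means mimicry


def shannon_entropy(samples):
    """Entropy in bits of the empirical distribution of the samples."""
    n = len(samples)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def duration_entropy(durations, width=BUCKET_SECONDS):
    """Entropy of call durations after bucketing them into width-second bins."""
    return shannon_entropy([int(d // width) for d in durations])


def classify_window(baseline_durations, window_durations, baseline_invites, window_invites,
                    surge_factor=SURGE_FACTOR, drop_ratio=DROP_RATIO):
    """Triage for one observation window of the SIP proxy.
    'normal'       : INVITE rate is not elevated, nothing to do.
    'flash_crowd'  : rate surged but the duration entropy stayed close to baseline;
                     treat with overload control, not filtering.
    'ddos_mimicry' : rate surged and the entropy collapsed, i.e. many sessions share
                     one lifetime, which humans do not do."""
    if window_invites < surge_factor * baseline_invites:
        return "normal"
    h_base = duration_entropy(baseline_durations)
    h_win = duration_entropy(window_durations)
    return "ddos_mimicry" if h_win < drop_ratio * h_base else "flash_crowd"


# Constructed sample data (not measurements from the paper).
BASELINE = [(37 * i) % 600 + 5 for i in range(240)]   # 240 human calls, 5..604 s, spread out
FLASH_CROWD = BASELINE * 3                            # three times the callers, same habits
BOT_SESSIONS = [1] * 1200                             # bots hang up (or never answer) after ~1 s
MIMICRY = BASELINE + BOT_SESSIONS                     # bots hiding under the legitimate load

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("flash crowd", FLASH_CROWD), ("mimicry", MIMICRY)):
        print(f"{name:12s} entropy={duration_entropy(window):.2f} bits "
              f"-> {classify_window(BASELINE, window, len(BASELINE), len(window))}")
```

Entropy is insensitive to the absolute volume, which is exactly why it separates the two cases the INVITE count cannot; the residual weakness is an attacker who randomizes session lifetimes to mimic the baseline histogram, which is why the abstract pairs the detector with the SIP retransmission and backoff behaviour as a second signal.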
Book Chapter•10.1007/978-3-642-04492-2_31•
Memory-efficient IP filtering for countering DDoS attacks

[...]

Seung Yeob Nam1, Taijin Lee2•
Yeungnam University1, KISA2
23 Sep 2009
TL;DR: The objective of the proposed defense system is to provide continued service to existing flows even in the presence of DDoS attacks, and it attempts to achieve this goal by discriminating existing flows from new flows.
Abstract: We propose a two-stage Distributed Denial of Service (DDoS) defense system, which can protect a given subnet by serving existing flows and new flows with a different priority based on IP history information. Denial of Service (DoS) usually occurs when the resource of a network node or link is limited and the demand of the users for that resource exceeds the capacity. The objective of the proposed defense system is to provide continued service to existing flows even in the presence of DDoS attacks, and we attempt to achieve this goal by discriminating existing flows from new flows. The proposed scheme can protect existing connections effectively with a reduced memory size by reducing the monitored IP address set through sampling in the first stage and using Bloom filters. We evaluate the performance of the proposed scheme through simulation.
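The two stages in the abstract, a sampled IP-history set learned from established flows and a Bloom filter that answers "have we served this source before" at attack time, are shown below as an added example; it is not the paper's code, and the sampling rule (every fourth established flow record), the filter size and hash count, and the address lists are assumptions. The point of the Bloom filter is the memory budget: 2^16 bits hold the history for thousands of sources in 8 KiB, and the only error mode is a false positive that admits a new source to the protected queue.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array; k positions per item are cut from one SHA-256."""

    def __init__(self, m_bits, k):
        if not 1 <= k <= 8:
            raise ValueError("k must be 1..8 (one 32-bit slice of SHA-256 per hash)")
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        h = hashlib.sha256(item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def expected_fpr(m_bits, k, n_inserted):
    """Textbook false-positive estimate for a Bloom filter holding n items."""
    return (1.0 - math.exp(-k * n_inserted / m_bits)) ** k


def learn_history(flow_records, sample_every=4, m_bits=1 << 16, k=4):
    """Stage 1 (attack-free operation): remember sources of established flows.
    Only every Nth established record is inserted (assumed sampling rule), which
    bounds the monitored address set; half-open flows are never recorded, so a
    SYN flood cannot pre-seed the history."""
    history = BloomFilter(m_bits, k)
    seen = 0
    for src_ip, established in flow_records:
        if not established:
            continue
        if seen % sample_every == 0:
            history.add(src_ip)
        seen += 1
    return history


def schedule(packets, history):
    """Stage 2 (under attack): sources with history go to the high-priority queue;
    everything else goes to the low-priority queue that is shed first."""
    high, low = [], []
    for src_ip, payload in packets:
        (high if src_ip in history else low).append((src_ip, payload))
    return high, low


# Constructed sample data (not from the paper).
KNOWN = [f"10.1.{i // 256}.{i % 256}" for i in range(50)]
ATTACKERS = [f"198.51.100.{i}" for i in range(256)] + [f"203.0.113.{i}" for i in range(256)]
# each known client completes four flows in a row, so sampling catches every one of them;
# attackers only ever appear as half-open (never established) flows
RECORDS = [(ip, True) for ip in KNOWN for _ in range(4)] + [(ip, False) for ip in ATTACKERS]

if __name__ == "__main__":
    hist = learn_history(RECORDS)
    high, low = schedule([(ip, b"GET /") for ip in KNOWN + ATTACKERS], hist)
    print(f"history uses {len(hist.bits)} bytes; high={len(high)} low={len(low)}; "
          f"expected FPR={expected_fpr(1 << 16, 4, len(KNOWN)):.2e}")
```

Sizing is the practitioner's decision here: m and k are chosen from the number of sources you expect to remember and the false-positive rate you can tolerate, because every false positive is an attacker address that inherits the protected queue for the life of the filter.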
Proceedings Article•10.1109/ETCS.2009.329•
A P2P-Based Distributed Detection Scheme against DDoS Attack

[...]

Zaihong Zhou1, Dongqing Xie, Wei Xiong1•
Hunan University1
7 Mar 2009
TL;DR: The experimental results indicate that the scheme has better performance than CUSUM and time similarity algorithm single deployed and can reach as high as 96.1% detection rate and with only 6.9% false positives rate.
Abstract: The distributed hosts in the Internet are organized into a P2P network by the Chord protocol for detection. The detection node uses the CUSUM's sensitivity to slight change to detect the change in the amount of packets to a destination address. Upon the abnormality detected, it is broadcast based on the node trust. The response nodes use a space similarity algorithm to calculate the similarity between request node and response node. The victim end makes a comprehensive decision whether the DDoS attack happens. The scheme detects DDoS at the source end; it can prevent the DDoS attack by means of forged IP address and random IP address and trace the origin of the attack hosts. The experimental results indicate that our scheme has better performance than CUSUM and time similarity algorithm singly deployed. It can reach as high as 96.1% detection rate and with only 6.9% false positives rate.
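The per-node detector in the abstract is a CUSUM over the packet count toward one destination address. The block below is an added example, not the paper's code, of the non-parametric CUSUM that is usually meant by that: y_n = max(0, y_{n-1} + x_n - mu - drift), alarm when y_n exceeds a threshold, so that a sustained small shift accumulates while a one-interval spike decays back to zero. The baseline mean, the drift allowance of 10 packets per interval, the threshold of 100 and the packet counts are constructed for this example; the Chord overlay, trust-weighted broadcast and similarity voting from the abstract are not modelled.

```python
def baseline_mean(counts):
    """Mean packets-per-interval toward the destination in attack-free traffic."""
    return sum(counts) / len(counts)


def cusum_detect(counts, mu, drift, threshold):
    """Non-parametric CUSUM over per-interval packet counts to one destination.
    y_n = max(0, y_{n-1} + x_n - mu - drift); alarm when y_n > threshold.
    'drift' is the positive shift we are willing to ignore per interval; it makes
    normal jitter pull y back toward zero instead of accumulating.
    Returns (index of the first alarming interval or None, the y_n trajectory)."""
    y, trajectory, alarm = 0.0, [], None
    for n, x in enumerate(counts):
        y = max(0.0, y + x - mu - drift)
        trajectory.append(y)
        if alarm is None and y > threshold:
            alarm = n
    return alarm, trajectory


# Constructed per-interval packet counts toward one victim address (not from the paper).
NORMAL = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96, 101, 99]   # mean exactly 100
ATTACK_RAMP = [130, 160, 200, 260, 340, 450]                        # bots ramping up
SPIKE = NORMAL[:5] + [180] + NORMAL[6:]                             # one-interval burst only

DRIFT, THRESHOLD = 10, 100   # assumed tuning: tolerate +10/interval, alarm above 100 accumulated

if __name__ == "__main__":
    mu = baseline_mean(NORMAL)
    for name, series in (("normal", NORMAL), ("spike", SPIKE), ("attack", NORMAL + ATTACK_RAMP)):
        alarm, traj = cusum_detect(series, mu, DRIFT, THRESHOLD)
        print(f"{name:7s} alarm at interval {alarm}; max y = {max(traj):.0f}")
```

With these numbers the ramp is caught at the third attack interval (index 14), while the isolated spike peaks at y = 70 and decays without an alarm. The drift and threshold trade detection delay against false alarms, and the abstract's 96.1% / 6.9% figures are the kind of operating point that tuning produces; the source-end placement additionally relies on the overlay to pool these local verdicts before the victim decides.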