TL;DR: This paper shows how DDoS attacks can exhaust SDN controller resources and proposes a detection method based on the entropy variation of the destination IP address, a solution that is effective and lightweight in terms of the resources it uses.
Abstract: A Software Defined Network (SDN) is a new network architecture that provides central control over the network. Although central control is the major advantage of SDN, it is also a single point of failure if it is made unreachable by a Distributed Denial of Service (DDoS) Attack. To mitigate this threat, this paper proposes to use the central control of SDN for attack detection and introduces a solution that is effective and lightweight in terms of the resources that it uses. More precisely, this paper shows how DDoS attacks can exhaust controller resources and provides a solution to detect such attacks based on the entropy variation of the destination IP address. This method is able to detect DDoS within the first five hundred packets of the attack traffic.
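The entropy idea in the abstract above is simple enough to show in code. The following is an added example written for this listing, not code from the paper: it computes the Shannon entropy of the destination-IP distribution over fixed-size packet windows, learns a baseline from attack-free traffic, and raises an alarm when several consecutive windows fall well below that baseline, which is what happens when a flood concentrates on one victim address. The window size, the number of consecutive low windows, the minimum drop, and the synthetic traffic are all assumptions of this example; the paper's exact parameters are not given in the abstract.

```python
import math
import random
from collections import Counter

# Parameters are assumptions for this example; the paper's exact values are not stated above.
WINDOW = 50        # packets per entropy window
CONSECUTIVE = 3    # low-entropy windows required before raising an alarm
MIN_DROP = 1.0     # minimum drop (bits) below the baseline mean to count a window as "low"


def dst_entropy(dst_ips):
    """Shannon entropy (bits) of the destination-IP distribution in one window."""
    n = len(dst_ips)
    return -sum(c / n * math.log2(c / n) for c in Counter(dst_ips).values())


def window_entropies(dst_ips, window=WINDOW):
    """Entropy of each complete, non-overlapping window of destination addresses."""
    return [dst_entropy(dst_ips[i:i + window])
            for i in range(0, len(dst_ips) - window + 1, window)]


def baseline(dst_ips, window=WINDOW):
    """Mean and standard deviation of per-window entropy, learned from attack-free traffic."""
    hs = window_entropies(dst_ips, window)
    mean = sum(hs) / len(hs)
    std = math.sqrt(sum((h - mean) ** 2 for h in hs) / len(hs))
    return mean, std


def detect(dst_ips, mean, std, window=WINDOW, consecutive=CONSECUTIVE):
    """Return the number of packets consumed when the alarm fired, or None if it never did."""
    threshold = mean - max(3 * std, MIN_DROP)
    low = 0
    for i, h in enumerate(window_entropies(dst_ips, window)):
        if h < threshold:
            low += 1
            if low >= consecutive:
                return (i + 1) * window
        else:
            low = 0           # an isolated low window is not enough; require a run of them
    return None


def synth_traffic(seed=7, n_normal=1000, n_attack=1000, victim="10.0.0.7"):
    """Constructed traffic: destinations spread over 10.0.0.0/16, then a flood aimed at one victim."""
    rng = random.Random(seed)
    def rand_dst():
        return "10.0.%d.%d" % (rng.randint(0, 255), rng.randint(1, 254))
    normal = [rand_dst() for _ in range(n_normal)]
    attack = [victim if rng.random() < 0.9 else rand_dst() for _ in range(n_attack)]
    return normal, attack


def run_demo():
    """Returns (alarm on normal traffic, alarm index on normal+attack, index where the attack began)."""
    normal, attack = synth_traffic()
    mean, std = baseline(normal)
    quiet = detect(normal, mean, std)
    alarm = detect(normal + attack, mean, std)
    return quiet, alarm, len(normal)


if __name__ == "__main__":
    quiet, alarm, attack_start = run_demo()
    print("alarm on attack-free traffic:", quiet)
    print("alarm fired after %d attack packets" % (alarm - attack_start))
```

Two caveats a practitioner would want: the baseline must be learned on traffic the operator trusts to be clean, and the metric is only sensitive to floods that concentrate on few destinations. An attacker who spreads packets across many addresses in the target network raises, rather than lowers, destination-IP entropy, so this check is a complement to per-victim counters, not a replacement for them.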
TL;DR: A DDoS attack mitigation architecture is proposed that integrates highly programmable network monitoring for attack detection with a flexible control structure for fast and specific attack reaction, together with a graphical-model-based attack detection system that can handle the dataset shift problem.
TL;DR: This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools.
Abstract: Threats of distributed denial of service (DDoS) attacks have been increasing day-by-day due to rapid development of computer networks and associated infrastructure, and millions of software applications, large and small, addressing all varieties of tasks. Botnets pose a major threat to network security as they are widely used for many Internet crimes such as DDoS attacks, identity theft, email spamming, and click fraud. Botnet based DDoS attacks are catastrophic to the victim network as they can exhaust both network bandwidth and resources of the victim machine. This survey presents a comprehensive overview of DDoS attacks, their causes, types with a taxonomy, and technical details of various attack launching tools. A detailed discussion of several botnet architectures, tools developed using botnet architectures, and pros and cons analysis are also included. Furthermore, a list of important issues and research challenges is also reported.
TL;DR: It is shown that SDN brings a new chance to defeat DDoS attacks in cloud computing environments; the good features of SDN in defeating DDoS attacks are summarized, along with a number of challenges that need to be addressed to mitigate DDoS attacks in SDN with cloud computing.
Abstract: Although software-defined networking (SDN) brings numerous benefits by decoupling the control plane from the data plane, there is a contradictory relationship between SDN and distributed denial-of-service (DDoS) attacks. On one hand, the capabilities of SDN make it easy to detect and to react to DDoS attacks. On the other hand, the separation of the control plane from the data plane of SDN introduces new attacks. Consequently, SDN itself may be a target of DDoS attacks. In this paper, we first discuss the new trends and characteristics of DDoS attacks in cloud computing environments. We show that SDN brings us a new chance to defeat DDoS attacks in cloud computing environments, and we summarize good features of SDN in defeating DDoS attacks. Then we review the studies about launching DDoS attacks on SDN and the methods against DDoS attacks in SDN. In addition, we discuss a number of challenges that need to be addressed to mitigate DDoS attacks in SDN with cloud computing. This work can help understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks.
TL;DR: In this paper, a lightweight defensive algorithm for DDoS attack over IoT network environment is proposed and tested against several scenarios to dissect the interactive communication among different types of network nodes.
Abstract: The idea of the Internet of Things (IoT) is implanting networked heterogeneous detectors into our daily life. It opens extra channels for information submission and remote control to our physical world. A significant feature of an IoT network is that it collects data from network edges. Moreover, human involvement for network and device maintenance is greatly reduced, which suggests an IoT network needs to be highly self-managed and self-secured. Because the use of IoT is growing in many important fields, the security issues of IoT need to be properly addressed. Among all, Distributed Denial of Service (DDoS) is one of the most notorious attacking behaviors over the network, which interrupts and blocks genuine user requests by flooding the host server with a huge number of requests using a group of zombie computers via geographically distributed internet connections. DDoS disrupts service by creating network congestion and disabling normal functions of network components, which is even more disruptive for IoT. In this paper, a lightweight defensive algorithm for DDoS attack over the IoT network environment is proposed and tested against several scenarios to dissect the interactive communication among different types of network nodes.
TL;DR: It is found that the vast majority of attacks are short-lived and most victims are attacked only once, which is confirmed by the detailed analysis of four popular Linux-based DDoS botnets.
Abstract: The recent amplification DDoS attacks have swamped victims with huge loads of undesired traffic, sometimes even exceeding hundreds of Gbps attack bandwidth. We analyze these amplification attacks in more detail. First, we inspect the reconnaissance step, i.e., how both researchers and attackers scan for amplifiers that are open for abuse. Second, we design AmpPot, a novel honeypot that tracks amplification attacks. We deploy 21 honeypots to reveal previously-undocumented insights about the attacks. We find that the vast majority of attacks are short-lived and most victims are attacked only once. Furthermore, 96% of the attacks stem from single sources, which is also confirmed by our detailed analysis of four popular Linux-based DDoS botnets.
TL;DR: A distributed collaborative framework that allows the customers to request DDoS mitigation service from ISPs and demonstrates that SDN has promising potential to enable autonomic mitigation of DDoS attacks, as well as other large-scale attacks.
Abstract: Distributed Denial of Service attacks (DDoS) have remained as one of the most destructive attacks in the Internet for over two decades. Despite tremendous efforts on the design of DDoS defense strategies, few of them have been considered for widespread deployment due to strong design assumptions on the Internet infrastructure, prohibitive operational costs and complexity. Recently, the emergence of Software Defined Networking (SDN) has offered a solution to reduce network management complexity. It is also believed to facilitate security management thanks to its programmability. To explore the advantages of using SDN to mitigate DDoS attacks, we propose a distributed collaborative framework that allows the customers to request DDoS mitigation service from ISPs. Upon request, ISPs can change the label of the anomalous traffic and redirect them to security middleboxes, while attack detection and analysis modules are deployed at customer side, avoiding privacy leakage and other legal concerns. Our preliminary analysis demonstrates that SDN has promising potential to enable autonomic mitigation of DDoS attacks, as well as other large-scale attacks.
TL;DR: This study presents an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period, revealing several interesting findings about today's Internet DDoS attacks.
Abstract: Internet Distributed Denial of Service (DDoS) attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most of existing understandings are based on indirect traffic measures (e.g., backscatters) or traffic seen locally. In this study, we present an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9,026 victim IPs belonging to 1,074 organizations in 186 countries. Our analysis reveals several interesting findings about today's Internet DDoS attacks. Some highlights include: (1) geolocation analysis shows that the geospatial distribution of the attacking sources follows certain patterns, which enables very accurate source prediction of future attacks for most active botnet families; (2) from the target perspective, multiple attacks to the same target also exhibit strong patterns of inter-attack time interval, allowing accurate start time prediction of the next anticipated attacks from certain botnet families; (3) there is a trend for different botnets to launch DDoS attacks targeting the same victim, simultaneously or in turn. These findings add to the existing literature on the understanding of today's Internet DDoS attacks, and offer new insights for designing new defense schemes at different levels.
TL;DR: This paper reports the initial step of research to develop a method for DDoS attack detection and mitigation for the SDN controller; the method considers the time duration of DDoS attack detection and the time pattern of DDoS attacks in order to prevent future attacks.
Abstract: A Software Defined Network (SDN) is a new paradigm in network management that separates the control plane and data plane. The control plane has an important role in managing the whole network. Since SDN introduces the control plane as the manager of the network, it also introduces a single point of failure. When the SDN controller is unreachable by the network devices, the whole network will collapse. One of the attack methods that can make the SDN controller unreachable is a DDoS attack. This paper reports the initial step of our research to develop a method for DDoS attack detection and mitigation for the SDN controller. The method considers the time duration of DDoS attack detection and the attack time pattern of DDoS attacks to prevent future attacks. In this paper, we present the potential vulnerabilities in the SDN controller that can be exploited for DDoS attacks and discuss the methods to detect and mitigate DDoS attacks.
TL;DR: This survey paper presents a new taxonomy of DDoS mitigation strategies, and shows how a number of new characteristics bring a novel perspective to existing DDoS mechanisms, and so give researchers new insights into how to mitigate DDoS attacks in the cloud computing.
TL;DR: This paper reviews and analyzes different existing DDoS detection techniques against different parameters, discusses their advantages and disadvantages, and proposes a hybrid statistical model that could significantly mitigate these attacks and be a better alternative solution for current detection problems.
Abstract: Cloud service availability has been one of the major concerns of cloud service providers (CSP), while hosting different cloud based information technology services by managing different resources on the internet. The vulnerability of the internet, the distributed nature of cloud computing, various security issues related to cloud computing service models, and the cloud's main attributes contribute to its susceptibility to security threats associated with cloud service availability. One of the major sophisticated threats that happens to be very difficult and challenging to counter due to its distributed nature, and that results in cloud service disruption, is Distributed Denial of Service (DDoS) attacks. Even though there are a number of intrusion detection solutions proposed by different research groups, and cloud service providers (CSP) are currently using different detection solutions while promising that their product is well secured, there is no perfect solution that prevents the DDoS attack. The characteristics of DDoS attacks, i.e., having different appearances in different scenarios, make them difficult to detect. This paper reviews and analyzes different existing DDoS detection techniques against different parameters, discusses their advantages and disadvantages, and proposes a hybrid statistical model that could significantly mitigate these attacks and be a better alternative solution for current detection problems.
TL;DR: A scheduling-based architecture is proposed for the SDN controller that leads to effective attack confinement and network protection during denial of service (DoS) attacks.
Abstract: There exists a way that attackers can identify software defined networks (SDNs). Knowing the vulnerabilities of an SDN, the attackers can mount a saturation attack on the SDN controller with the aim of incapacitating the entire SDN. Therefore, the controller should have an architecture to weather out such an attack while continuing operation. A scheduling-based architecture is proposed for the SDN controller that leads to effective attack confinement and network protection during denial of service (DoS) attacks.
TL;DR: This paper proposes to defend against DDoS attacks by proactively changing the footprint of critical resources in an unpredictable fashion to invalidate an adversary's knowledge and plan of attack against critical network resources.
Abstract: DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low traffic from large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause a devastating effect such as partitioning domains and networks. In this paper, we propose to defend against DDoS attacks by proactively changing the footprint of critical resources in an unpredictable fashion to invalidate an adversary's knowledge and plan of attack against critical network resources. Our present approach employs virtual networks (VNs) to dynamically reallocate network resources using VN placement and offers constant VN migration to new resources. Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN placement properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining the network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using SMT logic. We also demonstrate the effectiveness of our implemented framework on both PlanetLab and Mininet-based experimentations.
TL;DR: This study analyzes the differentiation between users behaviors, as two feature sequences from Web logs are extracted to represent characteristics of user behavior, and then, application layer DDoS attack detection system architecture based on feature sequences is presented.
TL;DR: The paper investigates the effect of a significant increase in the number of connected devices in the IoT concept on increase of the number and volume of DDoS attacks.
Abstract: Availability of information and services, along with integrity and confidentiality, presents a critical parameter of security in information and communication systems. Activities focused on denying the availability of network communication have been present since the beginning of global communication network development and demand continuous development of protection methods. A significant challenge is the emergence of the Internet of Things (IoT) concept, which will significantly increase the number of connected devices. Such an environment can be used for the generation of DDoS attacks. The paper investigates the effect of a significant increase in the number of connected devices in the IoT concept on the increase of the number and volume of DDoS attacks.
TL;DR: STONE, a framework with expert system functionality that provides effective and joint DDoS detection and mitigation, is presented and shows that STONE detects DDoS attacks rapidly, provides minimal degradation of legitimate traffic while mitigating a threat, and also exhibits a processing throughput that scales linearly with the number of nodes used to deploy and run it.
Abstract: Distributed Denial-of-Service (DDoS) attacks aim at rapidly exhausting the communication and computational power of a network target by flooding it with large volumes of malicious traffic. In order to be effective, a DDoS defense mechanism should detect and mitigate threats quickly, while allowing legitimate users access to the attack's target. Nevertheless, defense mechanisms proposed in the literature tend not to address detection and mitigation challenges jointly, but rather focus solely on the detection or the mitigation facet. At the same time, they usually overlook the limitations of centralized defense frameworks that, when deployed physically close to a possible target, become ineffective if DDoS attacks are able to saturate the target's incoming links. This paper presents STONE, a framework with expert system functionality that provides effective and joint DDoS detection and mitigation. STONE characterizes regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detecting attacks when the aggregated traffic deviates from the regular one. Upon detection of an attack, STONE allows traffic from known sources to access the service while discarding suspicious one. STONE relies on the data streaming processing paradigm in order to characterize and detect anomalies in real time. We implemented STONE on top of StreamCloud, an elastic and parallel-distributed stream processing engine. The evaluation, conducted on real network traces, shows that STONE detects DDoS attacks rapidly, provides minimal degradation of legitimate traffic while mitigating a threat, and also exhibits a processing throughput that scales linearly with the number of nodes used to deploy and run it.
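The STONE abstract above describes two mechanisms: characterizing regular traffic as an aggregate over common IP prefixes and detecting deviation from it, then admitting only traffic from sources already known once an attack is detected. The block below is an added example for this listing, not STONE's code and not built on StreamCloud: it aggregates source addresses into /16 prefixes, compares the observed prefix distribution of a window against the learned one using total variation distance, and, above an assumed threshold, passes only sources seen during the learning phase. The prefix length, the threshold, and all addresses (RFC 5737 documentation ranges plus 100.64.0.0/16 for the attackers) are constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumptions for this example; the paper's aggregation granularity and threshold are not given above.
PREFIX_LEN = 16      # aggregate sources into /16 prefixes
DEVIATION = 0.3      # total variation distance above which a window is treated as an attack


def prefix(ip):
    """Map a source address to its aggregation prefix, e.g. 192.0.2.7 -> 192.0.0.0/16."""
    return str(ipaddress.ip_network("%s/%d" % (ip, PREFIX_LEN), strict=False))


def profile(src_ips):
    """Fraction of traffic per prefix; this is the 'aggregated traffic' of one window."""
    counts = Counter(prefix(ip) for ip in src_ips)
    total = sum(counts.values())
    return {p: c / total for p, c in counts.items()}


def deviation(base, observed):
    """Total variation distance between two prefix distributions, in [0, 1]."""
    keys = set(base) | set(observed)
    return 0.5 * sum(abs(base.get(k, 0.0) - observed.get(k, 0.0)) for k in keys)


class PrefixFilter:
    def __init__(self, training_sources):
        # Learning phase: regular traffic profile plus the individual sources seen in it.
        self.base = profile(training_sources)
        self.known = set(training_sources)

    def filter_window(self, src_ips):
        """Return (attack_detected, admitted_sources) for one window of source addresses."""
        d = deviation(self.base, profile(src_ips))
        if d > DEVIATION:
            # Under attack: serve known sources, discard the rest (suspicious) for this window.
            return True, [ip for ip in src_ips if ip in self.known]
        return False, list(src_ips)


# Constructed data: three customer prefixes dominate regular traffic.
TRAINING_SOURCES = (["192.0.2.%d" % i for i in range(1, 21)]
                    + ["198.51.100.%d" % i for i in range(1, 21)]
                    + ["203.0.113.%d" % i for i in range(1, 11)])

# A quiet window with the same mix, and a flood window dominated by 100.64.0.0/16.
NORMAL_WINDOW = ["192.0.2.3", "198.51.100.9", "203.0.113.4", "192.0.2.15", "198.51.100.2"]
ATTACK_WINDOW = NORMAL_WINDOW + ["100.64.0.%d" % i for i in range(1, 46)]


def run_demo():
    f = PrefixFilter(TRAINING_SOURCES)
    return f.filter_window(NORMAL_WINDOW), f.filter_window(ATTACK_WINDOW)


if __name__ == "__main__":
    (quiet, kept_quiet), (attack, kept_attack) = run_demo()
    print("normal window: attack=%s, admitted=%d" % (quiet, len(kept_quiet)))
    print("flood window:  attack=%s, admitted=%d" % (attack, len(kept_attack)))
```

The trade-off in the abstract ("minimal degradation of legitimate traffic") shows up directly here: during the flood window, a legitimate client that never appeared in the learning phase is dropped along with the attackers, so the learning window must be long enough to cover the service's regular user base, and the known set needs a decay policy so it does not grow without bound.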
TL;DR: A method using feature construction and logistic regression to model normal Web user browsing behavior to detect application layer DDoS attacks is proposed and it is revealed that the proposed method performs better than the existing methods.
Abstract: DDoS attack has been a threat to network security for a decade and it will continue to be so in the near future. Nowadays the application layer DDoS attack poses a major challenge to web servers. The main objective of a web server is to offer uninterrupted application layer services to its benign users. But the application layer DDoS attack blocks the services of the web server to its legitimate clients, which can cause immense financial losses. Moreover, it requires very few resources to perform the application layer DDoS attack. The solutions available to detect application layer DDoS attacks detect only a limited number of application layer DDoS attacks. The solutions that detect all types of application layer DDoS attacks have huge complexity. To find an effective solution for the detection of application layer DDoS attacks, the normal user browsing behavior has to be modeled in such a way that normal users and attackers can be differentiated. In this paper, we propose a method using feature construction and logistic regression to model normal web user browsing behavior to detect application layer DDoS attacks. The performance of the proposed method was evaluated in terms of metrics such as total accuracy, false positive rate, and detection rate. Comparison of the proposed solution with the existing methods reveals that the proposed method performs better than the existing methods.
TL;DR: Results suggest that the Quality of Service (QoS) method could be applied widely in practice and used as a protection tool against DDoS attacks, as this paper demonstrates.
Abstract: Presently, one of the main problems of computer networks is Distributed Denial of Service attacks, which can block network resources like servers. In order to prevent such situations some mechanisms are needed. This paper gives an overview of Quality of Service methods. A DDoS attack model is described for development purposes. In conclusion some new QoS features are presented. According to the presented features, the QoS method could be used as a protection tool against DDoS attacks, which is also proven in this paper. The ability to implement the proposed QoS features has already been partially tested. The presented results suggest that the method could be applied widely in practice.
TL;DR: Using three months of NetFlow data in 2013 from a large cloud provider, the first large-scale characterization of inbound attacks towards the cloud and outbound attacks from the cloud is presented, investigating nine types of attacks ranging from network-level attacks such as DDoS to application-level attack such as SQL injection and spam.
Abstract: As the cloud computing market continues to grow, the cloud platform is becoming an attractive target for attackers to disrupt services and steal data, and to compromise resources to launch attacks. In this paper, using three months of NetFlow data in 2013 from a large cloud provider, we present the first large-scale characterization of inbound attacks towards the cloud and outbound attacks from the cloud. We investigate nine types of attacks ranging from network-level attacks such as DDoS to application-level attacks such as SQL injection and spam. Our analysis covers the complexity, intensity, duration, and distribution of these attacks, highlighting the key challenges in defending against attacks in the cloud. By characterizing the diversity of cloud attacks, we aim to motivate the research community towards improving future security solutions for cloud systems.
TL;DR: The proposed technique is capable of identifying the source of a Random-UDP flooding bot attack, a different type of attack in which the attacker sends multiple UDP datagrams of different sizes at a time, causing denial of service to the system and its resources.
Abstract: The Internet has a great impact on various facets of everyone's life. With the enormous advantage the Internet provides to users all around the world, it has some inherent weaknesses because of the protocol stack on which it is built. It can be easily attacked by attackers who exploit the vulnerabilities in the protocols and compromise systems and remotely control them to do further damage. Major attacks are focused on confidentiality, integrity and availability of data or resources. The flooding attack is one such resource availability attack which is a great cause of concern. Hackers can use flooding attacks and cause a Distributed Denial of Service (DDoS) attack with ease. The increase and variation in attack modes make the investigation of these attacks essential. The Random-UDP flooding attack is a different type of attack in which the attacker sends multiple UDP datagrams of different sizes at a time. This causes denial of service to the system and its resources. In this paper, we have proposed a technique for the forensics of the Random-UDP flooding attack. We have tried to get as close as possible to the source of such attacks. The proposed technique is capable of identifying the source of a Random-UDP flooding bot attack.
TL;DR: This research aims to fix the gap by designing an alternative solution called a flexible, collaborative, multilayer, DDoS prevention framework (FCMDPF), which provides an efficient protection for web applications against all sorts of DoS/DDoS attacks.
Abstract: The growth of web technology has brought convenience to our life, since it has become the most important communication channel. However, now this merit is threatened by complicated network-based attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Despite many researchers' efforts, no optimal solution that addresses all sorts of HTTP DoS/DDoS attacks is on offer. Therefore, this research aims to fix this gap by designing an alternative solution called a flexible, collaborative, multilayer, DDoS prevention framework (FCMDPF). The innovative design of the FCMDPF framework handles all aspects of HTTP-based DoS/DDoS attacks through the following three successive schemes (layers). Firstly, an outer blocking (OB) scheme blocks the attacking IP source if it is listed in the black list table. Secondly, the service traceback oriented architecture (STBOA) scheme validates whether the incoming request is launched by a human or by an automated tool. Then, it traces back the true attacking IP source. Thirdly, the flexible advanced entropy based (FAEB) scheme eliminates high rate DDoS (HR-DDoS) and flash crowd (FC) attacks. Compared to previous research, our framework's design provides efficient protection for web applications against all sorts of DoS/DDoS attacks.
TL;DR: VGuard is proposed, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF) and can effectively provide satisfying service to trusted flows under DDoS attacks.
Abstract: Distributed denial of service (DDoS) attacks have caused tremendous damage to ISPs and online services. They can be divided into attacks using spoofed IPs and attacks using real IPs (botnet). Among them the attacks from real IPs are much harder to mitigate since the attack traffic can be fabricated to be similar to legitimate traffic. The corresponding DDoS defence strategies proposed in the past few years have not been proven to be highly effective due to the limitation of participating devices. However, the emergence of next generation networking technologies such as network function virtualization (NFV) provides a new opportunity for researchers to design DDoS mitigation solutions. In this paper we propose VGuard, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF). The flows from the external zone are directed to different tunnels based on their priority levels. This way trusted legitimate flows are served with guaranteed quality of service, while attack flows and suspicious flows compete for resources with each other. We propose two methods for flow direction: the static method and the dynamic method. We evaluated the performance of both methods through simulation. Our results show that both methods can effectively provide satisfying service to trusted flows under DDoS attacks, and both methods have their pros and cons under different situations.
TL;DR: It is argued that in a multi-tenant public cloud, multiple stakeholders are involved other than the victim server, and losses to these stakeholders should be properly accounted and there is a need to devise methods to isolate these components well.
Abstract: DDoS attacks have become fatal attacks in recent times. There are a large number of incidents which have been reported recently and caused heavy downtime and economic losses. Evolution of utility computing models like cloud computing and their adoption across enterprises is visible due to many promising features. Effects of DDoS attacks in the cloud are no longer similar to what they were in traditional fixed or on-premise infrastructure. In addition to effects on the service, economic or sustainability effects are significant in the form of Economic Denial of Sustainability (EDoS) attacks. We argue that in a multi-tenant public cloud, multiple stakeholders are involved other than the victim server. Some of these important stakeholders are co-hosted virtual servers, physical server(s), the network and cloud service providers. We have shown through system analysis, experiments and simulations that these stakeholders are indeed affected though they are not the actual targets. Effects on other stakeholders include performance interference, web service performance, resource race, indirect EDoS, downtime and business losses. Cloud scale simulations have revealed that overall energy consumption and the number of VM migrations are adversely affected due to DDoS/EDoS attacks. Losses to these stakeholders should be properly accounted, and there is a need to devise methods to isolate these components well.
TL;DR: This paper proposes a fast target link flooding attack detection scheme by leveraging the fact that traceroute packets increase before the attack because of the attacker's reconnaissance, and proposes a detection scheme with multiple detection servers to eliminate false alarms caused by sudden increases of traceroute packets sent by legitimate users.
Abstract: Recently, a botnet based DDoS (Distributed Denial of Service) attack, called target link flooding attack, has been reported that cuts off specific links over the Internet and disconnects a specific region from other regions. Detecting or mitigating the target link flooding attack is more difficult than legacy DDoS attack techniques, since attacking flows do not reach the target region. Although many mitigation schemes are proposed, they detect the attack after it occurs. In this paper, we propose a fast target link flooding attack detection scheme by leveraging the fact that the traceroute packets are increased before the attack caused by the attacker's reconnaissance. Moreover, by analyzing the characteristic of the target link flooding attack that the number of traceroute packets simultaneously increases in various regions over the network, we propose a detection scheme with multiple detection servers to eliminate false alarms caused by sudden increase of traceroute packets sent by legitimate users. We show the effectiveness of our scheme by computer simulations.
TL;DR: This paper commenced a detailed study of various DDoS tools and aims to provide a better understanding of the existing tools, methods and attack mechanism.
Abstract: Distributed Denial of Service (DDoS) attacks are the major concern for security experts. A DDoS attack presents a serious risk to the internet. In this type of attack a huge number of accommodated targets send requests to the victim's site simultaneously, to exhaust the resources (whether computing or communication resources) within a very short time. In the last few years, it has been recognised that DDoS attack tools and techniques are emerging as effective, refined, and complex to indicate the actual attackers. Due to the seriousness of the problem many detection and prevention methods have been recommended to deal with these types of attacks. This paper aims to provide a better understanding of the existing tools, methods and attack mechanisms. In this paper, we commenced a detailed study of various DDoS tools. This paper can be useful for researchers and readers by providing a better understanding of DDoS tools in present times.
TL;DR: The goal of this paper is to analyse and compare the TCP/IP packet header features of incoming traffic that identify remote hosts according to their operating system, in order to detect the true source of a packet during a spoofed DDoS attack.
Abstract: Spoofing of IP is a key attribute of Distributed Denial of Service (DDoS) attacks that consumes Cloud resources and network bandwidth within a short period of time. This is costly to both the providers and users of the Cloud. Cloud computing offers a metered service, which uses pay-per-use. Therefore providing a highly available Cloud will improve the Cloud provider's reputation and financial proceeds. Cloud users depend solely on the provider for their resources; therefore it must always be available as contained in the service level agreement (SLA). The goal of this paper is to analyse and compare the TCP/IP packet header features of incoming traffic that identify remote hosts according to their Operating System. This is used to detect the true source of a packet during a spoofed DDoS attack. Our solution further analyses the observed final TTL value in both the active and passive stages of the OS fingerprints to cater for false negatives during detection. We demonstrated our proposed solution on a Xen Cloud Platform test bed.
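The abstract above relies on two header facts that are stable across most operating systems: the initial TTL a host puts into outgoing packets is one of a few OS-dependent defaults (64 for Linux/BSD/macOS, 128 for Windows, 255 for Solaris and many routers), and the TTL observed at the receiver is that default minus the hop count of the path. A spoofed packet carries the attacker's TTL and hop count, not those of the impersonated address. The block below is an added example for this listing, not the paper's implementation: it infers initial TTL and hop count from an observed TTL, records both per source during an "active" stage (assumed here to be fed only by sources that completed a TCP handshake, so the address is known to be live), and then flags later packets whose OS class or hop count contradicts the record. The OS table, the one-hop tolerance, and all packets are constructed for the example; this is a hop-count filtering approach, named here because the abstract does not state the paper's exact matching rules.

```python
from collections import Counter

# Assumed simplifications for this example: the common default initial TTLs and the OS families
# that use them. Real fingerprinting also uses TCP window size, options and DF bit.
INITIAL_TTLS = (32, 64, 128, 255)
OS_FAMILY = {32: "legacy", 64: "linux/bsd/macos", 128: "windows", 255: "solaris/router"}
HOP_TOLERANCE = 1   # assumed: allow one hop of route change before calling the packet spoofed


def initial_ttl(observed_ttl):
    """Smallest common default initial TTL that is >= the observed value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range: %r" % observed_ttl)
    for t in INITIAL_TTLS:
        if observed_ttl <= t:
            return t
    raise AssertionError("unreachable")


def hop_count(observed_ttl):
    """Path length implied by the observed TTL, assuming the default initial TTL."""
    return initial_ttl(observed_ttl) - observed_ttl


class TtlSpoofFilter:
    def __init__(self):
        self.learned = {}   # src -> (hop count, initial TTL) from the active stage

    def learn(self, src, observed_ttl):
        """Active stage: record the TTL profile of a source proven live (e.g. completed handshake)."""
        self.learned[src] = (hop_count(observed_ttl), initial_ttl(observed_ttl))

    def check(self, src, observed_ttl):
        """Passive stage: compare an incoming packet against the learned profile of its source."""
        entry = self.learned.get(src)
        if entry is None:
            return "unknown"                 # no profile yet; cannot confirm or deny
        hops, init = hop_count(observed_ttl), initial_ttl(observed_ttl)
        if init != entry[1]:
            return "spoofed:os-mismatch"     # e.g. a Windows-looking TTL from a Linux source
        if abs(hops - entry[0]) > HOP_TOLERANCE:
            return "spoofed:hop-mismatch"    # same OS class, but the path length is wrong
        return "legit"

    def verdicts(self, packets):
        """Tally verdicts over (src, observed_ttl) pairs."""
        return Counter(self.check(src, ttl) for src, ttl in packets)


# Constructed traffic: one learned Linux host 12 hops away, then a mix of genuine and spoofed packets.
LEARNED = [("203.0.113.5", 52)]
PACKETS = [
    ("203.0.113.5", 52),    # genuine: Linux default 64, 12 hops
    ("203.0.113.5", 51),    # genuine: route grew by one hop, within tolerance
    ("203.0.113.5", 116),   # spoofed: initial TTL 128 implies Windows, source is Linux
    ("203.0.113.5", 40),    # spoofed: Linux TTL class but 24 hops instead of 12
    ("198.51.100.9", 120),  # never learned: cannot judge
]


def run_demo():
    f = TtlSpoofFilter()
    for src, ttl in LEARNED:
        f.learn(src, ttl)
    return f.verdicts(PACKETS)


if __name__ == "__main__":
    for verdict, n in sorted(run_demo().items()):
        print("%-20s %d" % (verdict, n))
```

The false-negative case the abstract mentions is visible in the logic: an attacker whose own OS and path length happen to match the impersonated host (same initial TTL, hop count within tolerance) passes as legitimate, which is why TTL should be combined with the other header features and the active-stage handshake evidence rather than used alone.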
TL;DR: In this article, a Hadoop based live DDoS detection framework is proposed to tackle efficient analysis of flooding attacks by harnessing MapReduce and HDFS, which is capable of processing and detecting DDoS attacks in affordable time.
Abstract: Distributed Denial of Service flooding attacks are one of the biggest challenges to the availability of online services today. These DDoS attacks overwhelm the victim with a huge volume of traffic and render it incapable of performing normal communication, or crash it completely. If there are delays in detecting the flooding attacks, nothing much can be done except to manually disconnect the victim and fix the problem. With the rapid increase in DDoS volume and frequency, current DDoS detection technologies are challenged to deal with huge attack volumes in a reasonable and affordable response time.
In this paper, we propose HADEC, a Hadoop based Live DDoS Detection framework, to tackle efficient analysis of flooding attacks by harnessing MapReduce and HDFS. We implemented a counter-based DDoS detection algorithm for four major flooding attacks (TCP-SYN, HTTP GET, UDP and ICMP) in MapReduce, consisting of map and reduce functions. We deployed a testbed to evaluate the performance of the HADEC framework for live DDoS detection. Based on the experiments, we showed that HADEC is capable of processing and detecting DDoS attacks in affordable time.
TL;DR: A DDoS attack detection approach for service clouds is advocated, and efficient algorithms to resolve the originating service of the attack are developed to mitigate the DDoS attack in the service cloud.
Abstract: The scalability and dynamic configuration of service clouds can be susceptible to Distributed Denial of Service (DDoS) attacks. An attack on web services causes a performance decrease in the cloud applications or can shut them down. Additionally, due to the high distribution of the service cloud components, finding the original attacking service becomes a far more complex task. This paper advocates a DDoS attack detection approach for service clouds and develops efficient algorithms to resolve the originating service of the attack. The detection approach is composed of four levels, such that each level detects symptoms of DDoS attacks from its local data. The detection results of all levels are corroborated to confirm the victim and attacking services. We evaluate our proposed solution using a random dataset. The results indicate that it is a promising solution to mitigate DDoS attacks in the service cloud.
TL;DR: This paper first models DDoS attacks from the perspective of network architecture, then proposes a software-defined security networking mechanism (SDSNM) to remove or restrict the necessary conditions for an attack that were summarized from the model.
Abstract: The Distributed Denial of Service (DDoS) attack has seriously harmed network availability for decades, and there is still no effective defense mechanism. The emerging software-defined networking (SDN) gives a new way to rethink the defense against DDoS attacks. In this paper, we first modeled DDoS attacks from the perspective of network architecture. Then a software-defined security networking mechanism (SDSNM) was proposed to remove or restrict the necessary conditions for an attack that were summarized from the model. The SDSNM is mainly implemented at the edge SDN networks and inherits the infrastructure of the IP core network. Cloud computing and Chord technologies were applied to solve the expansibility and consistency problems. Experiments based on the prototype proved that the brand new mechanism was feasible and incrementally deployable. DDoS attacks could not be launched when strict access control policies were used. The attacker, along with the hosts in the botnet, could be located quickly and accurately when loose access control policies were used.