TL;DR: An in-depth survey and discussion of existing SDN-based DDoS attack detection and mitigation mechanisms, and they are classified with respect to the detection techniques and how this framework can be utilized to secure applications built for smart cities.
Abstract: Distributed denial-of-service (DDoS) attacks have become a weapon of choice for hackers, cyber extortionists, and cyber terrorists. These attacks can swiftly incapacitate a victim, causing huge revenue losses. Despite the large number of traditional mitigation solutions that exist today, DDoS attacks continue to grow in frequency, volume, and severity. This calls for a new network paradigm to address the requirements of today’s challenging security threats. Software-defined networking (SDN) is an emerging network paradigm which has gained significant traction among many researchers to address the requirements of today’s data centers. Inspired by the capabilities of SDN, we present a comprehensive survey of existing SDN-based DDoS attack detection and mitigation solutions. We classify solutions based on DDoS attack detection techniques and identify requirements of an effective solution. Based on our findings, we propose a novel framework for detection and mitigation of DDoS attacks in a large-scale network which comprises a smart city built on SDN infrastructure. Our proposed framework is capable of meeting application-specific DDoS attack detection and mitigation requirements. The primary contribution of this paper is twofold. First, we provide an in-depth survey and discussion of SDN-based DDoS attack detection and mitigation mechanisms, and we classify them with respect to the detection techniques. Second, leveraging the characteristics of SDN for network security, we propose and present an SDN-based proactive DDoS Defense Framework (ProDefense). We show how this framework can be utilized to secure applications built for smart cities. Moreover, the paper highlights open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation.
TL;DR: Better understanding of the DDoS attack problem in Cloud computing environment, current solution space, and future research scope to deal with such attacks efficiently is provided.
Abstract: As Cloud computing is reforming the infrastructure of IT industries, it has become one of the critical security concerns of the defensive mechanisms applied to secure the Cloud environment. Even if there are tremendous advancements in defense systems regarding confidentiality, authentication and access control, there is still a challenge to provide security for the availability of associated resources. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks can primarily compromise the availability of system services and can be easily started by using various tools, leading to financial damage or affecting reputation. These attacks are very difficult to detect and filter, since the packets that cause the attack are very similar to legitimate traffic. DoS attack is considered the biggest threat to the IT industry, and the intensity, size and frequency of the attack are observed to be increasing every year. Therefore, there is a need for a stronger and universal method to impede these attacks. In this paper, we present an overview of DoS attacks and distributed DoS attacks that can be carried out in a Cloud environment and possible defensive mechanisms, tools and devices. In addition, we discuss many open issues and challenges in defending the Cloud environment against DoS attacks. This provides a better understanding of the DDoS attack problem in the Cloud computing environment, the current solution space, and future research scope to deal with such attacks efficiently.
TL;DR: This work presents a novel detection approach for application layer DoS attacks based on nonparametric CUSUM algorithm and explores the effectiveness of the detection on various types of these attacks in the context of modern web servers.
TL;DR: The proposed CS_DDoS system offers a solution to securing stored records by classifying the incoming packets and making a decision based on the classification results, which yields the best performance when the LS-SVM classifier is adopted.
Abstract: Although the number of cloud projects has dramatically increased over the last few years, ensuring the availability and security of project data, services, and resources is still a crucial and challenging research issue. Distributed denial of service (DDoS) attacks are the second most prevalent cybercrime attacks after information theft. DDoS TCP flood attacks can exhaust the cloud’s resources, consume most of its bandwidth, and damage an entire cloud project within a short period of time. The timely detection and prevention of such attacks in cloud projects are therefore vital, especially for eHealth clouds. In this paper, we present a new classifier system for detecting and preventing DDoS TCP flood attacks (CS_DDoS) in public clouds. The proposed CS_DDoS system offers a solution to securing stored records by classifying the incoming packets and making a decision based on the classification results. During the detection phase, CS_DDoS identifies and determines whether a packet is normal or originates from an attacker. During the prevention phase, packets which are classified as malicious will be denied access to the cloud service and the source IP will be blacklisted. The performance of the CS_DDoS system is compared using the different classifiers of the least squares support vector machine (LS-SVM), naive Bayes, K-nearest, and multilayer perceptron. The results show that CS_DDoS yields the best performance when the LS-SVM classifier is adopted. It can detect DDoS TCP flood attacks with about 97% accuracy and with a Kappa coefficient of 0.89 when under attack from a single source, and 94% accuracy with a Kappa coefficient of 0.9 when under attack from multiple attackers. Finally, the results are discussed in terms of accuracy and time complexity, and validated using a K-fold cross-validation model.
TL;DR: A generalized detection algorithm has been proposed which uses the entropy difference between traffic flows to detect different types of DDoS attacks and FEs.
TL;DR: A systematic survey of research contributions towards countering HTTP-GET flood DDoS attacks to gain insights into the current research on the detection of these attacks by comprehensively analyzing the selected primary studies to answer a predefined set of research questions.
TL;DR: This paper quantifies the capability of consumer IoT devices to participate in reflective DDoS attacks and demonstrates reflection attacks in a real-world setting involving three IoT-equipped smart-homes, stressing the imminent need to address this problem before it becomes widespread.
Abstract: Distributed Denial-of-Service (DDoS) attacks are increasing in frequency and volume on the Internet, and there is evidence that cyber-criminals are turning to Internet-of-Things (IoT) devices such as cameras and vending machines as easy launchpads for large-scale attacks. This paper quantifies the capability of consumer IoT devices to participate in reflective DDoS attacks. We first show that household devices can be exposed to Internet reflection even if they are secured behind home gateways. We then evaluate eight household devices available on the market today, including lightbulbs, webcams, and printers, and experimentally profile their reflective capability, amplification factor, duration, and intensity rate for TCP, SNMP, and SSDP based attacks. Lastly, we demonstrate reflection attacks in a real-world setting involving three IoT-equipped smart-homes, emphasising the imminent need to address this problem before it becomes widespread.
TL;DR: A classification of detection approaches against DDoS attacks has been presented with the aim of giving deep insight into the DDoS problem for beginners in this research area, and a comparison of signature-based, anomaly-based and hybrid detection approaches is depicted in tabular form.
Abstract: Distributed Denial of Service (DDoS) attacks are the intimidation trials on the Internet that deplete the network bandwidth or exhaust the victim’s resources. Researchers have introduced various defense mechanisms (such as attack prevention, traceback, reaction, detection, and characterization) against DDoS attacks, but such attacks are still growing year by year, and ideal solutions to this problem have eluded us so far. In the past, various signature-based and anomaly-based approaches were introduced for the detection of DDoS attacks, but only a few of them have focused on the nature of anomalies. Most of the detection approaches do not provide efficient real-time detection with a high detection rate and low faux pas. In this paper, a classification of detection approaches against DDoS attacks has been presented with the aim of giving deep insight into the DDoS problem for beginners in this research area. The detection approaches have been explained along with their pluses and minuses. Further, t...
TL;DR: This paper proposes a secure system that periodically collects network statistics from the forwarding elements and applies Machine Learning (ML) classification algorithms to make the SDN architecture more self-adaptive, and intelligent while reacting to network changes.
Abstract: Software-Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the decoupling of the network logic from the forwarding functions. The ease of programmability makes SDN a great platform for the implementation of various initiatives that involve application deployment, security solutions, and decentralized network management in a multi-tenant data center environment. Although this can introduce many applications in different areas and leads to a high impact on several aspects, the security of the SDN architecture remains an open question and needs to be revisited based on the new concept of SDN. Current SDN-based attack detection mechanisms have some limitations. In this paper, we investigate two of those limitations: Misbehavior Attack and NewFlow Attack. We propose a secure system that periodically collects network statistics from the forwarding elements and applies Machine Learning (ML) classification algorithms. Our framework ensures that the proposed solution makes the SDN architecture more self-adaptive and intelligent while reacting to network changes.
TL;DR: This paper proposes StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks, and implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN.
Abstract: Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as counter-measures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to network management and control duties, must collect and process any piece of information required to take advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. On the other hand, stateful SDN represents a new concept, developed both to improve reactivity and to offload the controller and the control channel by delegating local treatments to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with such monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection levels, limiting at the same time the control plane overhead.
TL;DR: The experimental results show that MLP-GA provides the best efficiency of 98.04% for detecting the layer seven DDoS attacks, and the proposed method provides a minimum value of False Positive when compared with traditional classifiers such as Naive Bayes, Radial Basis Function, MLP, J48, and C45, etc.
Abstract: Distributed Denial of Service (DDoS) attack is transforming into a weapon of attackers, politicians, and cyber terrorists, etc. Today there is a quick ascent in the exploration field of mitigation and guard against DDoS attacks; however, in actuality, the capabilities of the hackers are also growing. From early news of focusing on the network and transport layer, nowadays the application layer has become the point of convergence of the attacks. In the paper, we first analyze the features from incoming packets. These features include Hyper Text Transfer Protocol (HTTP) count, the number of Internet Protocol (IP) addresses during a time window, the constant mapping of the port number and frame of the packets. In the paper, we write all the combinations of these metrics and then analyze the clients’ behaviors from the public attack and normal data sets. We use Environmental Protection Agency-Hypertext Transfer Protocol (EPA-HTTP) DDoS, Center for Applied Internet Data Analysis (CAIDA) 2007 and an experimentally produced DDoS data set using the Slowloris attack to draw the efficiency and effectiveness of the features for layer seven DDoS detection. Second, we employ Multilayer Perceptron with a Genetic Algorithm (MLP-GA) to estimate the efficiency of the detection using the metrics. The experimental results show that MLP-GA provides the best efficiency of 98.04% for detecting the layer seven DDoS attacks. The proposed method provides a minimum value of False Positive when compared with traditional classifiers such as Naive Bayes, Radial Basis Function (RBF) Network, MLP, J48, and C45, etc.
TL;DR: An autonomic DDoS defense framework that leverages the programmability and centralized manageability features of Software Defined Networking (SDN) paradigm, called ArOMA, that can systematically bridge the gaps between different security functions, and can effectively maintain the performance of video streams at a satisfactory level.
TL;DR: This paper has tried to identify various possibilities of DDoS attacks in SDN environment with the help of attack tree and an attack model, and an attempt to analyze the impact of various traditional DDoS attack on SDN components is done.
Abstract: Software Defined Network (SDN) facilitates network programmers with easier network monitoring, identification of anomalies, instant implementation of changes, and central control of the whole network in a cost effective and efficient manner. These features could be beneficial for securing and maintaining an entire network. Being a promising network paradigm, it draws a lot of attention from researchers in the security domain. But its logically centralized control tends to be a single point of failure, increasing the risk of attacks such as Distributed Denial of Service (DDoS) attacks. In this paper, we have tried to identify various possibilities of DDoS attacks in the SDN environment with the help of an attack tree and an attack model. Further, an attempt to analyze the impact of various traditional DDoS attacks on SDN components is made. Such analysis helps in identifying the types of DDoS attacks that impose a bigger threat on the SDN architecture, and the features that could play an important role in the identification of these attacks are also deduced.
TL;DR: A measurement—expectation of packet size—that is based on the distribution difference of the packet size to distinguish two typical low-rate DDoS attacks, the constant attack and the pulsing attack, from legitimate traffic is proposed.
Abstract: Low-rate Distributed Denial-of-Service (low-rate DDoS) attacks are a new challenge to cyberspace, as the attackers send a large amount of attack packets similar to normal traffic, to throttle legitimate flows. In this paper, we propose a measurement—expectation of packet size—that is based on the distribution difference of the packet size to distinguish two typical low-rate DDoS attacks, the constant attack and the pulsing attack, from legitimate traffic. The experimental results, obtained using a series of real datasets with different times and different tolerance factors, are presented to demonstrate the effectiveness of the proposed measurement. In addition, extensive experiments are performed to show that the proposed measurement can detect the low-rate DDoS attacks not only in the short and long terms but also for low packet rates and high packet rates. Furthermore, the false-negative rates and the adjudication distance can be adjusted based on the detection sensitivity requirements.
TL;DR: This paper analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks against IPv6 networks using ICMPv6 messages.
Abstract: The number of internet users and devices that are in need for more IP addresses to be assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security since it provides built-in security mechanisms, such as IPSec. In addition, it brought new functionalities, such as Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) protocol messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks it brought within its new features. One of the most common attacks is the Denial of Service (DoS) attack due to its ease of being launched in different ways. A more serious DoS attack can be launched from many hosts called Distributed Denial of Service (DDoS). DoS and DDoS attacks are thorny and a grave problem of today's internet, resulting in economic damages for organizations and individuals. Therefore, this paper is created to study the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it explains the existing tools that might be used for performing these attacks.
TL;DR: SDNScore is a statistical and packet-based defense mechanism against DDoS attacks in SDN environment that can detect not only known but also unknown attacks entailing packets that are alike in terms of TCP and IP layer properties.
Abstract: Software Defined Networking (SDN) is a promising solution for addressing the challenges of future networks. Despite its advantages such as flexibility, simplification and low costs, it has several drawbacks that are largely induced by the centralized control paradigm. Security is one of the most significant challenges related to centralization. In that regard, Distributed Denial of Service (DDoS) attacks pose crucial security questions in software-defined networks. In the SDN architecture, switches send all packets to the controller if they do not have any applicable rules in their flow tables. Basically, the controller is the key place that can take the initiative in decisions. However, this characteristic results in large communication overhead and delay until a DDoS attack is detected and an appropriate action is activated against attack packets. Therefore, in this work we propose a hybrid mechanism, namely SDNScore, where switches are not simply data forwarders. Instead, they can collect statistics and decide if a DDoS attack is in action. Then they coordinate with the controller and act on attack packets in cooperation. SDNScore is a statistical and packet-based defense mechanism against DDoS attacks in the SDN environment. Since it has a statistical scoring method, it can detect not only known but also unknown attacks entailing packets that are alike in terms of TCP and IP layer properties. In addition, it does not drop all packets in a flow which includes both attack and legal packets, but rather filters out attack packets using packet-based analysis.
TL;DR: The list of traffic feature rationales and detection metrics used by the fellow researchers at both macro and micro level are deliberated and a pragmatic list of rationales would surely be helpful to provide more robust and efficient solutions.
TL;DR: A novel DDoS attack variant "Detection Near Impossible (DeNy) DDoS" is given as an anticipated vision for future attacks and a detailed guideline on possible solutions leading to a novel collaborative solution framework based on multi-level alert flows is developed.
Abstract: Distributed Denial of Service (DDoS) attacks targeted to cloud services, show serious attack consequences like heavy downtime, economic losses and both short term and long-term business and reputation losses. We present an overview of these attacks and their variants in consonance to cloud infrastructure and explain the attack dynamics. Cloud resource management using auto-scaling algorithms is used to dig the requirements of DDoS mitigation solutions. These requirements include sustainability or budget constraints, controlled auto-scaling, minimization based optimized control of attack traffic, mitigation throughput time (MTT), service quality and availability. Towards the end, we develop and propose a detailed guideline on possible solutions leading to a novel collaborative solution framework based on multi-level alert flows. We also comment on the future attacks in the DDoS space and give a novel DDoS attack variant "Detection Near Impossible (DeNy) DDoS" as an anticipated vision for future attacks to orchestrate the upcoming solutions from the community.
TL;DR: A comparative classification of filtering-based defense mechanisms against distributed denial of service (DDoS) attacks is provided to help network security analysts choose the most appropriate mechanism according to their security requirements.
Abstract: This paper presents a comprehensive survey on filtering-based defense mechanisms against distributed denial of service (DDoS) attacks. Several filtering techniques are analyzed and their advantages and disadvantages are presented. In order to help network security analysts choose the most appropriate mechanism according to their security requirements, a comparative classification of these methods is provided. The relevant research efforts are identified and discussed for rendering the current state of the art in the literature. This classification will also serve researchers to address weaknesses of these filtering methods, and thus mitigate DDoS attacks using more effective defense mechanisms.
TL;DR: A new approach to detect DDoS attacks based on network traffic activity was developed using the Naive Bayes method and is expected to be a relation with Intrusion Detection System (IDS) to predict the existence of DDoS attacks.
Abstract: Distributed Denial of Service (DDoS) is a type of attack using the volume, intensity, and more costs mitigation to increase in this era. Attackers used many zombie computers to exhaust the resources available to a network, application or service so that authorized users cannot gain access or the network service is down, and it is a great loss for Internet users in computer networks affected by DDoS attacks. In Network Forensics, a crime that occurs in the system network services can be sued in court and the attackers will be punished in accordance with law. This research has the goal to develop a new approach to detect DDoS attacks based on network traffic activity that was statistically analyzed using the Naive Bayes method. Data were taken from the training and testing of network traffic in a core router in the Master of Information Technology Research Laboratory, University of Ahmad Dahlan Yogyakarta. The new approach in detecting DDoS attacks is expected to be a relation with Intrusion Detection System (IDS) to predict the existence of DDoS attacks.
TL;DR: The Yo-Yo attack is a new attack against the auto-scaling mechanism that can cause significant performance degradation in addition to economic damage and is harder to detect and requires less resources from the attacker compared to traditional DDoS.
Abstract: Auto-scaling mechanisms are an important line of defense against Distributed Denial of Service (DDoS) in the cloud. Using auto-scaling, machines can be added and removed in an on-line manner to respond to fluctuating load. It is commonly believed that the auto-scaling mechanism casts DDoS attacks into Economic Denial of Sustainability (EDoS) attacks. Rather than suffering from performance degradation up to a total denial of service, the victim suffers only from the economic damage incurred by paying for the extra resources required to process the bogus traffic of the attack. Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism, that can cause significant performance degradation in addition to economic damage. In the Yo-Yo attack, the attacker sends periodic bursts of overload, thus causing the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The Yo-Yo attack is harder to detect and requires less resources from the attacker compared to traditional DDoS. We demonstrate the attack on Amazon EC2 [4], and analyze protection measures the victim can take by reconfiguring the auto-scaling mechanism.
TL;DR: A DDoS attack detection framework based on the Bayesian multiple change model, which can detect different types of flooding attacks, and a probabilistic SIP network simulation system that provides a test environment for network security tools is proposed.
TL;DR: A supporting framework for the DDoS mitigation services is proposed, by assisting in reducing the attack mitigation time and the overall downtime, and comprises of an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period.
Abstract: Current trends in distributed denial of service (DDoS) attacks show variations in terms of attack motivation, planning, infrastructure, and scale. “DDoS-for-Hire” and “DDoS mitigation as a Service” are the two services which are available to attackers and victims, respectively. In this work, we provide a fundamental difference between a “regular” DDoS attack and an “extreme” DDoS attack. We conduct DDoS attacks on cloud services, where, having the same attack features, two different services show completely different consequences, due to the difference in the resource utilization per request. We study various aspects of these attacks and find out that the DDoS mitigation service’s performance is dependent on two factors. One factor is related to the severity of the “resource-race” with the victim web-service. The second factor is the “attack cooling down period”, which is the time taken to bring back the service availability post detection of the attack. Utilizing these two important factors, we propose a supporting framework for the DDoS mitigation services, by assisting in reducing the attack mitigation time and the overall downtime. This novel framework comprises an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period. We evaluate the proposed novel techniques with real attack instances and compare various attack metrics. Results show a significant improvement to the performance of the DDoS mitigation service, providing quick attack mitigation. The presence of the proposed DDoS mitigation support framework demonstrated a major reduction of more than 50% in the service downtime.
TL;DR: A new approach for anomaly detection using the Decision Tree procedure to secure wireless nodes inside the network and destination nodes from DDoS attacks, and to determine the attack patterns and provide suitable counter steps using the KDDCup'99 dataset, indicated that it classifies instances into respective attack types with a weak sensing rate.
Abstract: The wide-reaching usage of the standard called IEEE 802.111, which has been acting as a solution to support aggressive network coverage with high bandwidth, has raised various security threats. The wide use of Wi-Fi (Wireless Fidelity) has enabled us to easily access the internet and it has also paved the way for the origin of many hacking attacks. Anomaly detection as applied to detecting active data breaches is possible on several things, such as end users along with management discovering it repeatedly when trying to understand a distributed denial of service (DDoS) attack. A new approach for anomaly detection using the Decision Tree procedure to secure wireless nodes inside the network and destination nodes from DDoS attacks, and to determine the attack patterns and provide suitable counter steps using the KDDCup'99 dataset for classification intention and determination, indicated that it classifies instances into respective attack types with a weak sensing rate. This exploit integrates the well recognized classification proficiencies Random Forest and J48.
TL;DR: Results on the collected data show that using PCA subspace anomaly detection on user behavior data can detect application layer DDoS attacks, even if they are trying to mimic a normal user’s behavior at some level.
Abstract: Distributed Denial of Service (DDoS) attacks are a popular and inexpensive form of cyber attacks. Application layer DDoS attacks utilize legitimate application layer requests to overwhelm a web server. These attacks are a major threat to Internet applications and web services. The main goal of these attacks is to make the services unavailable to legitimate users by overwhelming the resources on a web server. They look valid in connection and protocol characteristics, which makes them difficult to detect. In this paper, we propose a detection method for application layer DDoS attacks, which is based on user behavior anomaly detection. We extract instances of user behaviors requesting resources from HTTP web server logs. We apply the Principal Component Analysis (PCA) subspace anomaly detection method for the detection of anomalous behavior instances. Web server logs from a web server hosting a student resource portal were collected as experimental data. We also generated nine different HTTP DDoS attacks through penetration testing. Our performance results on the collected data show that using PCA subspace anomaly detection on user behavior data can detect application layer DDoS attacks, even if they are trying to mimic a normal user’s behavior at some level.
TL;DR: This paper designs a framework that leverages NFV and edge computing for DDoS mitigation through two-stage processes that addresses privacy violation and latency.
Abstract: Distributed Denial of Service (DDoS) is a sophisticated cyber-attack due to its variety of types and techniques. The traditional mitigation method of this attack is to deploy dedicated security appliances such as firewall, load balancer, etc. However, due to the limited capacity of the hardware and the potential high volume of DDoS traffic, it may not be able to defend all the attacks. Therefore, cloud-based DDoS protection services were introduced to allow the organizations to redirect their traffic to the scrubbing centers in the cloud for filtering. This solution has some drawbacks such as privacy violation and latency. More recently, Network Functions Virtualization (NFV) and edge computing have been proposed as new networking service models. In this paper, we design a framework that leverages NFV and edge computing for DDoS mitigation through two-stage processes.
TL;DR: Different detection techniques available to prevent DDoS attacks are reviewed, along with the characteristics of these techniques and the issues that may arise in using them.
Abstract: The evolution of information and communication technologies has brought new challenges in managing the Internet. Software-Defined Networking (SDN) aims to provide easily configured and remotely controlled networks based on centralized control. Since SDN will be the next disruption in networking, SDN security has become a hot research topic because of its importance in communication systems. A centralized controller can become a focal point of attack, so preventing attacks on the controller is a priority. The whole network will be affected if an attacker gains access to the controller. One of the attacks that affects the SDN controller is the DDoS attack. This paper reviews different detection techniques that are available to prevent DDoS attacks, the characteristics of these techniques, and the issues that may arise in using them.
TL;DR: A model of bio-inspired anomaly-based HTTP-flood detection is proposed and described in detail along with experimental inputs; the results exemplify the significance and robustness of the model towards achieving the objectives considered for the solution.
Abstract: Application layer based DDoS attacks have changed the way DoS attacks take place, with more subtle attacking methods being employed, which pose an ever-increasing challenge to the emerging trends of Internet-based application systems development. Among the key range of attacks that take place, HTTP flood DDoS attacks are among the most prevalent. In the case of DDoS attacks based on HTTP flood, an unusually large number of requests is sent to the servers within a short time interval, affecting the response and the performance levels of the server. There are numerous solutions in contemporary literature pertaining to thwarting HTTP flood attacks. It is evident from the analysis that there are constraints in the existing models, since most of these models are based on user sessions and/or packet flow patterns. The session-based models are vulnerable to botnets, and packet flow pattern based models are vulnerable if attack sources are equipped with human resources and/or proxy servers. Hence, there is an inherent need for improving the solutions towards addressing HTTP flood attacks on the system. The crux of such a system is ensuring fast and early detection with minimal false alarms in streaming network transactions, while ensuring that genuine requests are not impacted. To address this, a model of bio-inspired anomaly-based HTTP-flood detection is proposed and described in detail along with experimental inputs. Results attained from the process exemplify the significance and robustness of the model towards achieving the objectives considered for the solution.
TL;DR: A real-time TCP-based DDoS detection approach, which extracts effective features of TCP traffic and distinguishes malicious traffic from normal traffic by two decision tree classifiers, can achieve an attack detection rate higher than 99% with a false alarm rate less than 1%.
Abstract: Cloud computing data centers have become one of the most important infrastructures in the big-data era. When considering the security of data centers, distributed denial of service (DDoS) attacks are one of the most serious problems. Here we consider DDoS attacks leveraging TCP traffic, which are increasingly rampant but are difficult to detect. To detect DDoS attacks, we identify two attack modes, fixed source IP attacks (FSIA) and random source IP attacks (RSIA), based on the source IP address used by attackers. We also propose a real-time TCP-based DDoS detection approach, which extracts effective features of TCP traffic and distinguishes malicious traffic from normal traffic by two decision tree classifiers. We evaluate the proposed approach using a simulated dataset and real datasets, including the ISCX IDS dataset, the CAIDA DDoS Attack 2007 dataset, and a Baidu Cloud Computing Platform dataset. Experimental results show that the proposed approach can achieve an attack detection rate higher than 99% with a false alarm rate less than 1%. This approach will be deployed to the victim-end DDoS defense system in the Baidu cloud computing data center.
TL;DR: This paper takes a data-driven approach to designing and validating three DDoS attack models from temporal, spatial, and spatiotemporal perspectives, based on the analysis of traces consisting of more than 50,000 verified DDoS attacks from industrial mitigation operations.
Abstract: Distributed Denial of Service (DDoS) attacks are some of the most persistent threats on the Internet today. The evolution of DDoS attacks calls for an in-depth analysis of those attacks. A better understanding of the attackers’ behavior can provide insights to unveil patterns and strategies utilized by attackers. The prior art on attackers’ behavior analysis often falls short in two respects: it assumes that adversaries are static, and it makes certain simplifying assumptions on their behavior, which often are not supported by real attack data. In this paper, we take a data-driven approach to designing and validating three DDoS attack models from temporal (e.g., attack magnitudes), spatial (e.g., attacker origin), and spatiotemporal (e.g., attack inter-launching time) perspectives. We design these models based on the analysis of traces consisting of more than 50,000 verified DDoS attacks from industrial mitigation operations. Each model is also validated by testing its effectiveness in accurately predicting future DDoS attacks. Comparisons against simple intuitive models further show that our models can more accurately capture the essential features of DDoS attacks.