DDoS Attacks and Defenses Overview




Pedro Pinto

ESTG/IPVC, Escola Superior de Tecnologia e Gestão, Instituto Politécnico de Viana do Castelo, Av. do Atlântico, 4900-348 Viana do Castelo, Portugal, pedropinto@estg.ipvc.pt
INESC Porto, Faculdade de Engenharia, Universidade do Porto, Rua Dr. Roberto Frias, 378, 4200-465 Porto, Portugal, ppinto@inescporto.pt

Abstract. The Denial of Service (DoS) attack has been a subject of study and research for the last two decades. Nowadays this attack and its mutations, such as the Distributed DoS (DDoS) attack, remain a serious concern for corporate security administrators, service providers and governments, because of its power and its ease of use, contrasted with the preservation of the attacker's anonymity. This paper offers an overview of the attack methods and of the detection and defense techniques that have been proposed recently, hoping to give readers and future researchers on the subject a straightforward view that helps in understanding and facing this problem.

1. Introduction

A Denial of Service attack is defined as an attack that aims to deny legitimate users access to shared services or resources (Gligor 1984). The definition was first applied to operating systems and then to networking environments (Needham 1994). In this context, when DoS attack traffic comes from multiple sources it is commonly called a distributed denial of service (DDoS) attack. From their first appearances in the late 90s until today, DDoS attacks have been a real concern for corporate security administrators, service providers, governments and others who provide internet services, bringing new issues to the research community active on the security topic. This type of attack can be characterized as fast, distributed, effective, often untraceable, and very powerful.
Over these years the research community has been organizing and collecting information about this type of attack, the attackers and their targets, in order to better understand and intervene in this problem. Since the first occurrences the interest has been to know the attacker and its objectives better, to build attack frameworks that help define attacks and decompose them into a set of actions, and finally to prevent these actions from occurring or to detect ongoing attacks. The expectation is to mitigate the attack power and to better adapt methods and systems to respond to this threat in the future. Recent academic efforts on this subject can be separated and evaluated in three stages: attack identification or taxonomy; defense methods, including prevention and detection actions; and finally attack reaction and countermeasures. In this context, the main goal of this article is to present recent knowledge in these categories in order to carry out a systematic analysis of the whole problem.

The next section presents a brief review of the main attack techniques and related work on the subject. The third section presents an overview of detection and defense methods. The fourth section presents the main conclusions.

2. DDoS Attacks Overview

Since their first appearances, some authors have contributed broad characterizations of DoS attacks. Two groups of attacks are distinguished in (Moore et al. 2001): logic and flooding attacks. The first group exploits existing software flaws, causing remote servers to crash or to degrade substantially in performance. These attacks can often be avoided and prevented either by upgrading the faulty software or by filtering particular packet sequences. The intention of the second class (flooding attacks) is to overwhelm the victim's CPU, memory, or network resources by sending large numbers of false requests. The same considerations are taken by (Hussain et al. 2003) and (Specht 2004), among other references, where the same characterization appears under different names: software exploits and flooding/bandwidth attacks. This second type of attack is difficult to prevent or detect, since it is difficult to separate legitimate from illegitimate traffic. This is the reason that leads many authors to place more effort on this last group, and also the motive for focusing in the same direction in the present paper. Focusing on bandwidth attacks, (Paxson 2001) distinguishes important subcategories: single-source and multi-source, the first forms of DoS attacks (the isolated and distributed forms, the latter called DDoS attacks), and beyond these two the author introduces reflector attacks (Figure 1).

Figure 1. Three main DoS attack categories (Hussain et al. 2003).

A first understanding of the DDoS subject suggests that only compromised and vulnerable machines can perform a DDoS attack. The reflection type, however, is based on the use of uncompromised machines that produce legitimate replies to legitimate requests. By faking the source of the request, the reply is directed to the real target of the attack. This procedure makes the attack more difficult to identify, and the identity of the attacker is hidden behind reflectors and zombies. In the (Peng et al. 2007) survey, the authors redefine the DoS attack and present it generically as a bandwidth attack with two main characteristics: consumption of the host's resources and consumption of network bandwidth. They then summarize some representative examples of DDoS, as follows:

Protocol-Based Bandwidth Attacks: these attacks try to take advantage of normal protocol procedures to produce a flood. The two main types in this category are SYN and ICMP floods.

Application-Based Bandwidth Attacks: these take advantage of application services such as HTTP, SIP, etc., with the intention of causing expensive processing and time-consuming tasks on the server.

Distributed Reflector Attacks: as stated earlier in this paper, in this case the attackers hide behind reflectors, innocent third parties that reply to an incoming request. According to the source, this attack is considered a potent and increasingly prevalent internet attack.

Infrastructure Attacks: this attack intends to disable principal infrastructures that provide the main services on the internet.

Regarding existing DDoS attack taxonomies, some authors (Specht 2004) (Campbell 2005) started by presenting a graphical overview with tree representations of DDoS attack types. Recently, other approaches followed, classifying the attacks by a group of metrics and providing more complete and updated taxonomies, as is the case of (Abbass Asosheh & Ramezani 2008). The authors propose eight features to be used in a new taxonomy for DDoS attacks: architecture, degree of automation, impact, vulnerability, attack rate dynamics, scanning strategy, propagation strategy and packet content. The schematic can be seen in Figure 2.

Figure 2. DDoS Attack Taxonomy (Abbass Asosheh & Ramezani 2008).

The next section presents an overview of detection methods and defense techniques.

3. DDoS Attack Detection and Defense

In the context of DoS defenses, (Schwartau 1999) formulates a group of main objectives to assure, which are:

- No modifications to existing protocols or alterations to the infrastructure.
- All DoS attacks should be detected and unsuccessful.
- False positives should approach 0%.
- Recovery from DoS should be as rapid as possible.
- The perpetrators of the DoS attack should be identified.

For DDoS these rules are still relevant to take into account when implementing defenses and countermeasures. In the same paper a specific model for DoS defense is proposed, called the reaction module, which is based principally on filtering, blocking or diverting attack attempts. Another initial approach was made by (Cabrera et al. 2001), which uses information collected from the management information base (MIB). Later, various and more complex detection techniques were presented, as in (Moore et al. 2001) through the use of backscatter analysis (consistent analysis of reply traffic). This technique can only detect attacks that uniformly spoof addresses across the complete IP address space and consequently does not detect reflection attacks, subnet spoofing, or attacks that do not spoof addresses. Another perspective is to apply signal processing knowledge. One of the approaches is spectral analysis, by (Chen-Mou Cheng et al. 2002), based on a comparison of the power spectral density of a normal TCP flow, which usually presents strong periodicity around its round-trip time in both flow directions, with that of a DDoS attack flow, which most often does so in only one direction. Another proposal (Barford et al. 2002) sets out to identify frequency characteristics of four classes of anomalous network traffic and to collect results of signal analysis. The classes evaluated were outages, flash crowds, real attacks and measurement failures, resulting in specific patterns and defining behaviors. A related approach is also followed by (Mirkovic et al. 2002), based on monitoring the asymmetry of two-way packet rates in order to identify attacks at edge routers. In the (Hussain et al. 2003) proposal the authors used three simultaneous methods which, once combined, produce better and more accurate results than their separate use.
The header contents are analyzed, observing relevant fields such as the fragment identification field (ID) and the time-to-live field (TTL); the ramp-up behavior, i.e., the growth behavior of the attack, is observed; and finally spectral analysis is applied. Another similar proposal, presented by (Yuan & Mills 2005), used cross-correlation analysis to capture the traffic patterns and then to decide where and when a DDoS attack possibly arises. Another point of view, presented in (Xie & Yu 2009), suggests that three different levels of detection can be assumed according to the layer at which they act: network layer, transport layer, and application layer. The authors state that most DDoS-related research has focused on the IP layer, and the related mechanisms attempt to detect attacks by analyzing specific features, e.g., arrival rate or header information. Their approach is to detect attacks at the application layer, called App-DDoS attacks, by collecting spatial-temporal patterns and implementing models to differentiate these attacks from flash crowd events. More recently, some authors have presented combined approaches and complex prediction methods, like (Zhang et al. 2009), which applies an autoregressive integrated moving average (ARIMA) model to predict the available service rate on the target server, or (Qingtao Wu et al. 2009), which proposes an adaptive control mechanism for early detection of DDoS attacks.
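As an added example (not the paper's code, nor that of the cited systems) of the detection ideas just described, the following Python flags a flooded host from the asymmetry of two-way packet counts, in the spirit of (Mirkovic et al. 2002), and then uses the TTL and IP identification fields, as in (Hussain et al. 2003), to judge whether the flood comes from one sender or from many; the packet trace, record fields, thresholds and addresses are constructed assumptions.

```python
"""Flood detection over a constructed packet trace (added example, not code from the
paper or the cited systems). Two-way packet-count asymmetry (Mirkovic et al. 2002)
flags a flooded host; TTL and IP-ID header analysis (Hussain et al. 2003) separates
single-source from multi-source floods. Thresholds and addresses are assumptions."""
from collections import defaultdict

RATIO_THRESHOLD = 3.0    # assumed: packets-toward / packets-from ratio that marks a flood
MIN_PACKETS = 20         # assumed: below this total a host has too little traffic to judge
TTL_SINGLE_MAX = 2       # assumed: at most this many distinct TTLs for a single sender
ID_MONOTONIC_FRAC = 0.9  # assumed: share of increasing IP-ID steps for a single sender

def asymmetry_by_host(packets):
    """Return {host: (packets toward host, packets sent by host)}."""
    toward, sent = defaultdict(int), defaultdict(int)
    for p in packets:
        toward[p["dst"]] += 1
        sent[p["src"]] += 1
    return {h: (toward[h], sent[h]) for h in set(toward) | set(sent)}

def flagged_hosts(packets):
    """Hosts whose inbound/outbound packet ratio looks like a flood: {host: ratio}."""
    flagged = {}
    for host, (fwd, rev) in asymmetry_by_host(packets).items():
        if fwd + rev < MIN_PACKETS:
            continue                       # not enough evidence either way
        ratio = fwd / max(rev, 1)          # a silent victim still yields a finite ratio
        if ratio >= RATIO_THRESHOLD:
            flagged[host] = ratio
    return flagged

def classify_flood(packets, victim):
    """'single-source' if TTLs are few and IP-IDs mostly increase, else 'multi-source'."""
    toward = [p for p in packets if p["dst"] == victim]
    ttls = {p["ttl"] for p in toward}
    ids = [p["ip_id"] for p in toward]
    increasing = sum(b > a for a, b in zip(ids, ids[1:])) / max(len(ids) - 1, 1)
    if len(ttls) <= TTL_SINGLE_MAX and increasing >= ID_MONOTONIC_FRAC:
        return "single-source"
    return "multi-source"

def pkt(src, dst, ttl, ip_id):
    return {"src": src, "dst": dst, "ttl": ttl, "ip_id": ip_id}

def sample_packets():
    """Constructed trace: one normal conversation and two floods."""
    trace = []
    for i in range(15):  # balanced client/server exchange, replies flow back
        trace.append(pkt("10.0.0.5", "192.0.2.10", 60, 1000 + i))
        trace.append(pkt("192.0.2.10", "10.0.0.5", 64, 5000 + i))
    for i in range(40):  # flood from one host: fixed TTL, counter-like IP-ID
        trace.append(pkt("198.51.100.7", "192.0.2.20", 57, 300 + i))
    for i in range(5):   # the victim manages only a few replies
        trace.append(pkt("192.0.2.20", "198.51.100.7", 64, 7000 + i))
    for i in range(40):  # flood with forged sources: varied TTLs, scrambled IP-IDs
        trace.append(pkt(f"203.0.113.{i}", "192.0.2.30",
                         (49, 53, 58, 61, 115)[i % 5], (i * 31337) % 65536))
    for i in range(5):
        trace.append(pkt("192.0.2.30", "203.0.113.1", 64, 8000 + i))
    return trace

if __name__ == "__main__":
    trace = sample_packets()
    for host, ratio in sorted(flagged_hosts(trace).items()):
        print(f"{host}: ratio {ratio:.1f}, {classify_flood(trace, host)}")
```

Both flooded hosts in the constructed trace are flagged with a ratio of 8.0, while the balanced conversation is not; the single-host flood is then reported as single-source and the forged-source flood as multi-source.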

4. Conclusion

DoS attacks are still an important issue and concern for many companies, governments and service providers today, particularly in the distributed form, DDoS, mainly because of their easy implementation compared with their devastating effects and the constant mutation of their procedures. This paper provides an overview of recent DDoS attack characterization, related taxonomies, and the detection and defense techniques proposed by the research community. This short paper shows that many efforts have already been made in attack characterization, prevention, detection, attack source identification and attack reaction. Knowledge about this type of attack has grown, and the methods proposed by researchers provide a good approach to the problem. Even so, future work can be directed towards integrating knowledge in defense proposals and aggregating methods and techniques, evaluating and presenting their results. In addition, more detailed analysis and simulations can be performed to establish the relationship between parameters such as detection performance and complexity, detection ratio, detection time or detection area range.

References

Abbass Asosheh, D. & Ramezani, N., 2008. A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a smart classification. W. Trans. on Comp., 7(4), 281-290.

Barford, P. et al., 2002. A signal analysis of network traffic anomalies. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement. Marseille, France: ACM, pp. 71-82. Available at: http://portal.acm.org/citation.cfm?id=637201.637210.

Cabrera, J. et al., 2001. Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study. In Integrated Network Management Proceedings, 2001 IEEE/IFIP International Symposium on, pp. 609-622.

Campbell, P., 2005. The denial-of-service dance. Security & Privacy, IEEE, 3(6), 34-40.

Chen-Mou Cheng, Kung, H. & Koan-Sin Tan, 2002. Use of spectral analysis in defense against DoS attacks. In Global Telecommunications Conference, 2002. GLOBECOM '02. IEEE, pp. 2143-2148 vol. 3.

Gligor, V.D., 1984. A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng., 10(3), 320-324.

Hussain, A., Heidemann, J. & Papadopoulos, C., 2003. A framework for classifying denial of service attacks. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications. Karlsruhe, Germany: ACM, pp. 99-110. Available at: http://portal.acm.org/citation.cfm?id=863968.

Mirkovic, J., Prier, G. & Reiher, P.L., 2002. Attacking DDoS at the Source. In Proceedings of the 10th IEEE International Conference on Network Protocols. IEEE Computer Society, pp. 312-321. Available at: http://portal.acm.org/citation.cfm?id=656169.

Moore, D., Voelker, G. & Savage, S., 2001. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, 9-22.

Needham, R.M., 1994. Denial of service: an example. Commun. ACM, 37(11), 42-46.

Paxson, V., 2001. An analysis of using reflectors for distributed denial-of-service attacks. SIGCOMM Comput. Commun. Rev., 31(3), 38-47.

Peng, T., Leckie, C. & Ramamohanarao, K., 2007. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv., 39(1), 3.

Qingtao Wu et al., 2009. An adaptive control mechanism for mitigating DDoS attacks. In Automation and Logistics, 2009. ICAL '09. IEEE International Conference on, pp. 1760-1764.

Schwartau, W., 1999. Surviving denial of service. Computers & Security, 18(2), 124-133.

Specht, S.M., 2004. Distributed denial of service: taxonomies of attacks, tools and countermeasures. Proceedings of the International Workshop on Security in Parallel and Distributed Systems, 2004, 543-550.

Xie, Y. & Yu, S., 2009. Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Trans. Netw., 17(1), 15-25.

Yuan, J. & Mills, K., 2005. Monitoring the Macroscopic Effect of DDoS Flooding Attacks. IEEE Trans. Dependable Secur. Comput., 2(4), 324-335.

Zhang, G. et al., 2009. A prediction-based detection algorithm against distributed denial-of-service attacks. In Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly. Leipzig, Germany: ACM, pp. 106-110. Available at: http://portal.acm.org/citation.cfm?id=1582403&dl=guide&coll=guide&cfid=62608014&CFTOKEN=64715650.