
SoS Newsletter- Advanced Book Block



Distributed Denial of Service Attack Prevention 2015


Distributed Denial of Service attacks continue to be among the most prolific forms of attack against information systems. According to the NSFOCUS DDOS Report for 2014 (available at: ), DDoS attacks occur at a rate of 28 per hour. Research into methods of prevention is also substantial, as the articles presented here show. The work collected here was presented in 2015.

Akbar, Abdullah; Basha, S. Mahaboob; Sattar, Syed Abdul, "Leveraging the SIP Load Balancer to Detect and Mitigate DDoS Attacks," in Green Computing and Internet of Things (ICGCIoT), 2015 International Conference on, pp. 1204-1208, 8-10 Oct. 2015. doi: 10.1109/ICGCIoT.2015.7380646

Abstract: SIP-based Voice over IP (VoIP) networks are becoming predominant in current and future communications. Distributed Denial of Service attacks pose a serious threat to VoIP network security. SIP servers are victims of DDoS attacks. The major aim of DDoS attacks is to prevent legitimate users from accessing the resources of SIP servers. Distributed Denial of Service attacks target the VoIP network by deploying bots at different locations and injecting malformed packets, and they can even halt the entire VoIP service, causing degradation of QoS (Quality of Service). DDoS attacks are easy to launch and quickly drain the computational resources of the VoIP network and its nodes. Detecting DDoS attacks is challenging and extremely difficult due to the varying strategy and scope of attackers. Many DDoS detection and prevention schemes are deployed in VoIP networks, but they do not work completely in both real-time and offline modes. They are inefficient in detecting dynamic and low-rate DDoS attacks and even fail when the attack is launched by simultaneously manipulating multiple SIP attributes. In this paper we propose a novel scheme based on Hellinger distance (HD) to detect low-rate and multi-attribute DDoS attacks. Usually DDoS detection and mitigation schemes are implemented in the SIP proxy. Instead, we leverage the SIP load balancer to fight DDoS by using existing load balancing features. We have implemented the proposed scheme by modifying the leading open source Kamailio SIP proxy server. We have evaluated our scheme on an experimental test setup and found that the results outperform the existing DDoS prevention schemes in terms of detection rate, system overhead and false-positive alarms.

Keywords: Computer crime; Feature extraction; Floods; Internet telephony; Multimedia communication; Protocols; Servers; Overload Control; Session Initiation Protocol (SIP); kamailio; server (ID#: 16-9050)



Ndibwile, J.D.; Govardhan, A.; Okada, K.; Kadobayashi, Y., "Web Server Protection against Application Layer DDoS Attacks Using Machine Learning and Traffic Authentication," in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 3, pp. 261-267, 1-5 July 2015. doi: 10.1109/COMPSAC.2015.240

Abstract: Application layer Distributed Denial of Service (DDoS) attacks are among the deadliest kinds of attacks that have significant impact on destination servers and networks due to their ability to be launched with minimal computational resources to cause an effect of high magnitude. Commercial and government Web servers have become the primary target of these kinds of attacks, with recent mitigation efforts struggling to deaden the problem efficiently. Most application layer DDoS attacks can successfully mimic legitimate traffic without being detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDSs and IPSs can also mistake a normal and legitimate activity for a malicious one, producing a False Positive (FP) that affects Web users if it is ignored or dropped. False positives in a large and complex network topology can potentially be dangerous as they may cause the IDS/IPS to block the user's benign traffic. Our focus and contributions in this paper are, first, to mitigate the undetected malicious traffic mimicking legitimate traffic and to develop a special anti-DDoS module for general and specific DDoS tool attacks by using a trained classifier in a random tree machine-learning algorithm. We use labeled datasets to generate rules to incorporate into and fine-tune existing IDS/IPS such as Snort. Secondly, we further assist the IDS/IPS by processing traffic that is classified as malicious by the IDS/IPS in order to identify FPs and route them to their intended destinations. To achieve this, our approach uses active authentication of the traffic source of both legitimate and malicious traffic at the Bait and Decoy server respectively before it is passed on to the Web server.

Keywords: Internet; computer network security; file servers; learning (artificial intelligence); pattern classification; telecommunication traffic; FP; IDS; IPS; Web server protection; Web users; application layer DDoS attacks; bait-and-decoy server; destination servers; distributed denial of service; false positive; government Web servers; intrusion detection systems; intrusion prevention systems; legitimate traffic; malicious traffic; minimal computational resources; mitigation efforts; random tree machine-learning algorithm; traffic authentication; traffic source active authentication; trained classifier; Authentication; Computer crime; Logic gates; Training; Web servers; DDoS Mitigation; False Positives; IDS/IPS; Java Script; Machine Learning (ID#: 16-9051)



Van Trung, Phan; Huong, Truong Thu; Van Tuyen, Dang; Duc, Duong Minh; Thanh, Nguyen Huu; Marshall, Alan, "A Multi-Criteria-Based DDoS-Attack Prevention Solution Using Software Defined Networking," in Advanced Technologies for Communications (ATC), 2015 International Conference on, pp. 308-313, 14-16 Oct. 2015. doi: 10.1109/ATC.2015.7388340

Abstract: Software-Defined Networking (SDN) has become a promising network architecture in which network devices are controlled by an SDN Controller. Employing SDN offers an attractive solution for network security. However, attack prediction and prevention, especially for Distributed Denial of Service (DDoS) attacks, is a challenge in SDN environments. This paper analyzes the characteristics of traffic flows up-streaming to a Vietnamese ISP server, during both normal and DDoS attack traffic states. Based on the traffic analysis, an SDN-based Attack Prevention Architecture is proposed that is able to capture and analyze incoming flows on-the-fly. A multi-criteria based prevention mechanism is then designed using both hard-decision thresholds and a Fuzzy Inference System to detect DDoS attacks. In response to determining the presence of attacks, the designed system is capable of dropping attack flows on demand from the control plane.

Keywords: Computer architecture; Computer crime; Fuzzy logic; IP networks; Servers; Switches; DDoS attack; Fuzzy Logic; OpenFlow/SDN (ID#: 16-9052)



Osanaiye, O.A., "Short Paper: IP Spoofing Detection for Preventing DDoS Attack in Cloud Computing," in Intelligence in Next Generation Networks (ICIN), 2015 18th International Conference on, pp. 139-141, 17-19 Feb. 2015. doi: 10.1109/ICIN.2015.7073820

Abstract: The Distributed Denial of Service (DDoS) attack has been identified as the biggest security threat to service availability in Cloud Computing. It prevents legitimate Cloud Users from accessing the pool of resources provided by Cloud Providers by flooding and consuming network bandwidth to exhaust servers and computing resources. A major attribute of a DDoS attack is the spoofing of IP addresses, which hides the identity of the attacker. This paper discusses different methods for detecting spoofed IP packets in Cloud Computing and proposes Host-Based Operating System (OS) fingerprinting that uses both passive and active methods to match the operating system of an incoming packet against its database. Additionally, how the proposed technique can be implemented is demonstrated in a Cloud Computing environment.

Keywords: IP networks; cloud computing; computer network security; operating systems (computers); resource allocation; DDoS attack prevention; IP spoofing detection; active method; cloud computing; cloud providers; cloud users; computing resources; distributed denial of service attack; host-based OS fingerprinting; host-based operating system fingerprinting; network bandwidth flooding; passive method; security threat; service availability; spoofed IP packet detection; Cloud computing; Computer crime; Databases; Fingerprint recognition; IP networks; Probes; Cloud Computing; DDoS attack; IP Spoofing; OS Fingerprinting (ID#: 16-9053)



Mizukoshi, M.; Munetomo, M., "Distributed Denial of Services Attack Protection System With Genetic Algorithms on Hadoop Cluster Computing Framework," in Evolutionary Computation (CEC), 2015 IEEE Congress on, pp. 1575-1580, 25-28 May 2015. doi: 10.1109/CEC.2015.7257075

Abstract: DDoS attacks have become serious as one of the menaces to Internet security. They are difficult to prevent because DDoS attackers send spoofed packets to the victim, which makes the identification of the origin of attacks very difficult. A series of techniques have been studied, such as pattern matching by learning the attack pattern and abnormal traffic detection. However, the pattern matching approach is not reliable because attackers always launch attacks with different traffic patterns and the pattern matching approach only learns from past DDoS data. Therefore, a reliable system has to watch what kind of attacks are being carried out now and investigate how to prevent those attacks. Moreover, the amount of traffic flowing through the Internet is increasing rapidly, and thus packet analysis should be done within a considerable amount of time. This paper proposes a scalable, real-time traffic pattern analysis based on a genetic algorithm to detect and prevent DDoS attacks on the Hadoop distributed processing infrastructure. Experimental results demonstrate the effectiveness of our scalable DDoS protection system.

Keywords: computer network security; data handling; genetic algorithms; parallel processing; telecommunication traffic; DDoS attack prevention; Hadoop cluster computing framework; Hadoop distributed processing infrastructure; Internet security; distributed denial-of-service attack protection system; genetic algorithms; scalable DDoS protection system; spoofing packets; traffic pattern analysis; Accuracy; Computer crime; Distributed processing; Genetic algorithms; Genetics; IP networks; Sparks; DDoS attack; Genetic Algorithm; Hadoop (ID#: 16-9054)



Nagpal, B.; Sharma, P.; Chauhan, N.; Panesar, A., "DDoS Tools: Classification, Analysis and Comparison," in Computing for Sustainable Global Development (INDIACom), 2015 2nd International Conference on, pp. 342-346, 11-13 March 2015. doi: (not provided)

Abstract: Distributed Denial of Service (DDoS) attacks are a major concern for security experts. A DDoS attack presents a serious risk to the Internet. In this type of attack a huge number of accommodated targets send requests to the victim's site simultaneously, to exhaust its resources (whether computing or communication resources) within very little time. In the last few years, it has been recognised that DDoS attack tools and techniques are emerging as effective, refined, and complex, making it difficult to identify the actual attackers. Due to the seriousness of the problem, many detection and prevention methods have been recommended to deal with these types of attacks. This paper aims to provide a better understanding of the existing tools, methods and attack mechanisms. In this paper, we commenced a detailed study of various DDoS tools. This paper can be useful for researchers and readers by providing a better understanding of DDoS tools in present times.

Keywords: computer network security; DDoS attack tools; classification; distributed denial of service attacks; Bandwidth; Computer architecture; Computer crime; Encryption; Floods; IP networks; Internet; DDoS; DDoS attack methods; DDoS attack tools; DDoS defences (ID#: 16-9055)



Ali, W.; Jun Sang; Naeem, H.; Naeem, R.; Raza, A., "Wireshark Window Authentication Based Packet Capturing Scheme to Prevent DDoS Related Security Issues in Cloud Network Nodes," in Software Engineering and Service Science (ICSESS), 2015 6th IEEE International Conference on, pp. 114-118, 23-25 Sept. 2015. doi: 10.1109/ICSESS.2015.7339017

Abstract: A DoS (Denial of Service) attack forces a cloud network node to handle a few unauthorized accesses that consume unwanted computing cycles. As a result, the cloud node's response is slower than usual and resources on the cloud network become unavailable. Some DoS attacks are Ping of Death, Teardrop, Snork, Locking authentication, SYN flooding, Operating System Attacks, etc. The most vulnerable incident happens when the adversary commits a DDoS (Distributed Denial of Service) attack with a compromised cloud network. In this paper, the prevention techniques for DDoS (Distributed Denial of Service) attacks in cloud nodes are discussed, and a dynamic window scheme in cloud nodes to determine message verification and resolve unnecessary packet processing is proposed.

Keywords: authorisation; cloud computing; computer network security; DDoS related security issues; Ping of Death; SYN flooding; Snork; Teardrop; Wireshark window authentication based packet capturing scheme; cloud network node response; distributed denial of service attack; dynamic window scheme; locking authentication; operating system attacks; unauthorized access; Computer crime; Computer science; Computers; Service computing; Software; Software engineering; Cloud Nodes; DDoS attack; DoS attack; cloud network; dynamic windows (ID#: 16-9056)



Krylov, V.; Kravtsov, K., "The Convoluted Multiaddress Networking Architecture Principles and Application," in Future Generation Communication Technology (FGCT), 2015 Fourth International Conference on, pp. 1-6, 29-31 July 2015. doi: 10.1109/FGCT.2015.7300237

Abstract: To increase the robustness of network nodes and their communication sessions, we propose the convoluted multiaddress networking architecture. This approach prevents malicious packets from getting into the incoming traffic of a network terminal. Usually, traffic analyzers and filtering solutions have to be installed in the network to isolate a victim node from packet streams created by malefactor terminals. Our network security technique is built on a different approach. The principles of convoluted multiaddress networks are based on the idea that we can protect nodes by hiding their network location from illegitimate clients. In our study, we show how to create dynamic addressing policies for preventing DDoS attacks and traffic eavesdropping. These policies randomize the address space and communication data streams; therefore a malefactor cannot acquire access to data streams or destination terminals. In this paper, we discuss IP Fast Hopping, an application of convoluted multiaddress networking in TCP/IP networks. We consider a basic implementation of this architecture, its major practical constraints and initial experimental results. The presented approach aims to ensure the security of future generation communication technologies. In this study, we suggest the Thing Lakes architecture for the Internet of Things, which is based on the IP Fast Hopping approach and is intended to protect the IoT environment against several major security issues in such networks.

Keywords: IP networks; Internet of Things; telecommunication security; transport protocols; DDoS attacks prevention; IP fast hopping; Internet of Things; IoT environment; TCP-IP networks; convoluted multiaddress networking architecture principles; malefactor terminals; network security technique; network terminal; packet streams; Computer crime; IP networks; Internet of things; Lakes; Logic gates; Servers; DDoS; IP Fast Hopping; Internet of Thing; network security; networking architecture (ID#: 16-9057)



Kumara M A, A.; Jaidhar, C.D., "Hypervisor and Virtual Machine Dependent Intrusion Detection and Prevention System for Virtualized Cloud Environment," in Telematics and Future Generation Networks (TAFGEN), 2015 1st International Conference on, pp. 28-33, 26-28 May 2015. doi: 10.1109/TAFGEN.2015.7289570

Abstract: Cloud Computing enabled by virtualization technology exhibits a revolutionary change in IT infrastructure. The hypervisor is a pillar of virtualization, and it allows the sharing of resources among virtual machines. Vulnerabilities present in virtual machines are leveraged by an attacker to launch advanced persistent attacks such as stealthy rootkits, Trojans, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, etc. Virtual machines are a prime target for a malignant cloud user or an attacker to launch attacks, as they are easily available for rent from a Cloud Service Provider (CSP). Attacks on virtual machines can disrupt the normal operation of the cloud infrastructure. In order to secure the virtual environment, a defence mechanism is highly imperative at each virtual machine to identify the attacks occurring at the virtual machine in a timely manner. This work proposes an In-and-Out-of-the-Box Virtual Machine and Hypervisor based Intrusion Detection and Prevention System for virtualized environments to ensure a robust state of the virtual machine by detecting and then eradicating rootkits as well as other attacks. We conducted experiments using the popular open source Host based Intrusion Detection System (HIDS) called Open Source SECurity Event Correlator (OSSEC). Both Linux- and Windows-based rootkits, a DoS attack, and a file integrity verification test were conducted, and they were successfully detected by OSSEC.

Keywords: Linux; cloud computing; computer network security; formal verification; virtual machines; CSP; DDoS attack; HIDS; IT Infrastructure; Linux; OSSEC; Windows based rootkits; cloud computing; cloud infrastructure; cloud service provider; defence mechanism; distributed denial of service attack; files integrity verification test; hypervisor; intrusion prevention system; open source host based intrusion detection system; open source security event correlator; persistent attacks; resource sharing; stealthy rootkit; trojan; virtual machines; virtualization technology; virtualized cloud environment; Computer crime; Databases; Intrusion detection; Kernel; Virtual machine monitors; Virtual machining; Cloud Computing; DoS Attack; Hypervisor; Intrusion Detection and Prevention System; Rootkit; Virtual Machine; Virtualization (ID#: 16-9058)



Khadka, B.; Withana, C.; Alsadoon, A.; Elchouemi, A., "Distributed Denial of Service Attack on Cloud: Detection and Prevention," in Computing and Communication (IEMCON), 2015 International Conference and Workshop on, pp. 1-6, 15-17 Oct. 2015. doi: 10.1109/IEMCON.2015.7344496

Abstract: Cloud computing is a distributive and scalable computing architecture. It provides sharing of data and other resources which are accessible from any part of the world for a very low cost. However, security is one major concern for such a computing environment. Distributed Denial of Service (DDoS) is an attack that consumes all the resources a cloud may have, making them unavailable to other general users. This paper identifies characteristics of the DDoS attack and provides an Intrusion Detection System (IDS) tool based on Snort to detect DDoS. The proposed tool will alert the network administrator regarding any attack on any possible resources and the nature of the attack. Also, it suspends the attacker for some time to allow the network admin to implement a fall back plan. As Snort is an open source system, modifying different parameters of the system showed a significant aid not only in the detection of DDoS, but also in reducing the down time of the network. The proposed tool helps minimize the effect of DDoS by detecting the attack at a very early stage and by altering various parameters, which facilitates easy diagnosis of the problem.

Keywords: cloud computing; computer network security; public domain software; resource allocation; DDoS attack characteristics; IDS tool; cloud computing; cloud resources; distributed denial of service attack; distributive computing architecture; intrusion detection system tool; network admin; network administrator; open source system; scalable computing architecture; Cloud computing; Computer crime; Cryptography; Firewalls (computing); IP networks; Servers; DDoS; cloud computing; open-source; security; snort (ID#: 16-9059)



Singh, S.; Khan, R.A.; Agrawal, A., "Prevention Mechanism for Infrastructure Based Denial-of-Service Attack Over Software Defined Network," in Computing, Communication & Automation (ICCCA), 2015 International Conference on, pp. 348-353, 15-16 May 2015. doi: 10.1109/CCAA.2015.7148442

Abstract: In Software Defined Networking, a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack is an attempt to make a machine or network resources unavailable to its intended users. Hence, the protection of such a network controller against attacks from within or outside a network is very important. Network devices in OpenFlow can also be targeted by attackers, and so require a prevention mechanism in order to avoid problems in smooth packet forwarding. In this research we compose an infrastructure based DoS attacking scenario over the software defined network and address the vulnerabilities in the flow table, and afterward we develop a prevention mechanism to avoid such kind of attack in its initial stage before it harms our network. The scenarios for the infrastructure based DoS attack are developed using Mininet 2.2.0, and the platform used for the simulation is Linux Ubuntu-14.10 Utopic Unicorn.

Keywords: computer network security; software defined networking; DDoS attack; Linux Ubuntu-14.10 Utopic Unicorn; Mininet 2.2.0; distributed denial-of-service attack; flow table vulnerabilities; infrastructure based DoS attacking scenario; network controller protection; network devices; open flow; prevention mechanism; smooth packet forwarding; software defined networking; Bandwidth; Computer crime; Floods; IP networks; Servers; Software defined networking; Denial of Service attack; Mininet; Open Flow; Software Defined Network (ID#: 16-9060)



Alosaimi, Wael; Alshamrani, Mazin; Al-Begain, Khalid, "Simulation-Based Study of Distributed Denial of Service Attacks Prevention in the Cloud," in Next Generation Mobile Applications, Services and Technologies, 2015 9th International Conference on, pp. 60-65, 9-11 Sept. 2015. doi: 10.1109/NGMAST.2015.50

Abstract: Distributed Denial of Service (DDoS) attacks can affect the availability of networks. In the age of cloud computing, these attacks are becoming more harmful in terms of their common influences and their new effects that harm cloud sustainability by exploiting its scalability and payment model (pay-as-you-use). Therefore, a new form of DDoS attack has been introduced in the cloud context as an economical version of such an attack. This new form is known as the Economical Denial of Sustainability (EDoS) attack. To counteract such attacks, traditional network security means are used. Specifically, firewalls, which work as filters for the incoming packets to the targeted network according to rules designated by the administrators, can mitigate the impacts of DDoS and EDoS attacks. In this paper, a new solution called the Enhanced DDoS-Mitigation System (Enhanced DDoS-MS) is proposed to counter these attacks by utilizing the firewall capabilities in controlling a verification process to protect the targeted system. These capabilities are evaluated in a simulation environment. The results proved that the firewall mitigates the DDoS impacts successfully by improving the services provided to the users in terms of response time and server load under attack. The study also suggests a following implementation of the proposed framework with an active testbed.

Keywords: Cloud computing; Computer crime; Floods; IP networks; Protocols; Servers; DDoS; Distributed Denial of Service attacks; EDoS; Economical Denial of Sustainability; cloud computing (ID#: 16-9061)



Hillmann, Peter; Tietze, Frank; Rodosek, Gabi Dreo, "Tracemax: A Novel Single Packet IP Traceback Strategy for Data-Flow Analysis," in Local Computer Networks (LCN), 2015 IEEE 40th Conference on, pp. 177-180, 26-29 Oct. 2015. doi: 10.1109/LCN.2015.7366300

Abstract: The identification of the exact path that packets are routed on in the network is quite a challenge. This paper presents a novel, efficient traceback strategy named Tracemax in the context of a defense system against distributed denial of service (DDoS) attacks. A single packet can be directly traced over many more hops than the currently existing techniques allow. In combination with a defense system it differentiates between multiple connections. It aims to let non-malicious connections pass while bad ones get thwarted. The novel concept allows detailed analyses of the traffic and the transmission path through the network. The strategy can effectively reduce the effect of common bandwidth and resource consumption attacks, foster early warning and prevention, as well as raise the availability of the network services for the wanted customers.

Keywords: Bandwidth; Computer crime; IP networks; Labeling; Ports (Computers); Reconstruction algorithms; Routing; Computer network management; Denial of Service; IP networks; IP packet; Packet trace; Traceback (ID#: 16-9062)



AbdAllah, E.G.; Zulkernine, M.; Hassanein, H.S., "Detection and Prevention of Malicious Requests in ICN Routing and Caching," in Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on, pp. 1741-1748, 26-28 Oct. 2015. doi: 10.1109/CIT/IUCC/DASC/PICOM.2015.262

Abstract: Information Centric Networking (ICN) is a new communication paradigm for the upcoming Next Generation Internet (NGI). ICN is an open environment that depends on in-network caching and focuses on contents rather than infrastructures or end-points as in current Internet architectures. These ICN attributes make ICN architectures subject to different types of routing and caching attacks. An attacker sends malicious requests that can cause Distributed Denial of Service (DDoS), cache pollution, and privacy violation of ICN architectures. In this paper, we propose a solution that detects and prevents these malicious requests in ICN routing and caching. This solution allows ICN routers to differentiate between legitimate and attack behaviours in the detection phase based on threshold values. In the prevention phase, ICN routers are able to take actions against these attacks. Our experiments show that the proposed solution effectively mitigates routing and caching attacks in ICN.

Keywords: Internet; computer network security; next generation networks; telecommunication network routing; DDoS; ICN architectures; ICN caching; ICN routing; Internet architectures; NGI; attack behaviours; cache pollution; caching attacks; detection phase; distributed denial of service; information centric networking; in-network caching; malicious requests detection; malicious requests prevention; next generation Internet; privacy violation; routing attacks; Computer architecture; Computer crime; Internet; Pollution; Privacy; Routing; Time factors; ICN routing and caching attacks; Information centric networking (ID#: 16-9063)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.