
SoS Newsletter



Distributed Denial of Service Attack Mitigation 2015


Distributed Denial of Service attacks continue to be among the most prolific forms of attack against information systems. According to the NSFOCUS DDoS Report for 2014 (available at: ), DDoS attacks occur at the rate of 28 per hour. Research into methods of response and mitigation is also substantial, as the articles presented here show. This work was presented in 2015.

Akbar, Abdullah; Basha, S.Mahaboob; Sattar, Syed Abdul, "Leveraging the SIP Load Balancer to Detect and Mitigate DDoS Attacks," in Green Computing and Internet of Things (ICGCIoT), 2015 International Conference on, pp. 1204-1208, 8-10 Oct. 2015. doi: 10.1109/ICGCIoT.2015.7380646

Abstract: SIP-based Voice over IP (VoIP) networks are becoming predominant in current and future communications. Distributed Denial of Service attacks pose a serious threat to VoIP network security. SIP servers are victims of DDoS attacks. The major aim of DDoS attacks is to prevent legitimate users from accessing the resources of SIP servers. Distributed Denial of Service attacks target the VoIP network by deploying bots at different locations that inject malformed packets; they can even halt the entire VoIP service, causing degradation of QoS (Quality of Service). DDoS attacks are easy to launch and quickly drain the computational resources of the VoIP network and its nodes. Detecting DDoS attacks is challenging and extremely difficult due to the varying strategies and scope of attackers. Many DDoS detection and prevention schemes are deployed in VoIP networks, but none of them work completely in both real-time and offline modes. They are inefficient in detecting dynamic and low-rate DDoS attacks and even fail when the attack is launched by simultaneously manipulating multiple SIP attributes. In this paper we propose a novel scheme based on Hellinger distance (HD) to detect low-rate and multi-attribute DDoS attacks. Usually DDoS detection and mitigation schemes are implemented in the SIP proxy. Instead, we leverage the SIP load balancer to fight DDoS by using existing load balancing features. We have implemented the proposed scheme by modifying the leading open source Kamailio SIP proxy server. We have evaluated our scheme on an experimental test setup and found that the results outperform existing DDoS prevention schemes in terms of detection rate, system overhead and false-positive alarms.

Keywords: Computer crime; Feature extraction; Floods; Internet telephony; Multimedia communication; Protocols; Servers; Overload Control; Session Initiation Protocol (SIP); kamailio; server (ID#: 16-9064)



Santanna, J.J.; van Rijswijk-Deij, R.; Hofstede, R.; Sperotto, A.; Wierbosch, M.; Zambenedetti Granville, L.; Pras, A., "Booters — An Analysis of DDoS-as-a-Service Attacks," in Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on, pp. 243-251, 11-15 May 2015. doi: 10.1109/INM.2015.7140298

Abstract: In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from Web sites known as Booters. These sites provide DDoS attacks as a paid service (DDoS-as-a-Service) at costs starting from 1 USD. Since this problem was first identified by SURFnet, Booters have been used repeatedly to perform attacks on schools in SURFnet's constituency. Very little is known, however, about the characteristics of Booters, and particularly how their attacks are structured. This is vital information needed to mitigate these attacks. In this paper we analyse the characteristics of 14 distinct Booters based on more than 250 GB of network data from real attacks. Our findings show that Booters pose a real threat that should not be underestimated, especially since our analysis suggests that they can easily increase their firepower based on their current infrastructure.

Keywords: Web sites; computer network security; educational administrative data processing; educational institutions; Booters Web site; DDoS-as-a-service attack analysis; Dutch National Research and Education Network; SURFnet; attack mitigation; distributed denial-of-service attacks; educational institutions; firepower; network data; online exams; paid service; Algorithm design and analysis; Computer crime; Crawlers; IP networks; Internet; Protocols; Servers (ID#: 16-9065)



Ndibwile, J.D.; Govardhan, A.; Okada, K.; Kadobayashi, Y., "Web Server Protection against Application Layer DDoS Attacks Using Machine Learning and Traffic Authentication," in Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, vol. 3, pp. 261-267, 1-5 July 2015. doi: 10.1109/COMPSAC.2015.240

Abstract: Application layer Distributed Denial of Service (DDoS) attacks are among the deadliest kinds of attacks that have significant impact on destination servers and networks due to their ability to be launched with minimal computational resources to cause an effect of high magnitude. Commercial and government Web servers have become the primary target of these kinds of attacks, with recent mitigation efforts struggling to deaden the problem efficiently. Most application layer DDoS attacks can successfully mimic legitimate traffic without being detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). IDSs and IPSs can also mistake a normal and legitimate activity for a malicious one, producing a False Positive (FP) that affects Web users if it is ignored or dropped. False positives in a large and complex network topology can potentially be dangerous as they may cause the IDS/IPS to block the user's benign traffic. Our focus and contributions in this paper are, first, to mitigate the undetected malicious traffic mimicking legitimate traffic by developing a special anti-DDoS module for general and specific DDoS tool attacks using a classifier trained with a random tree machine-learning algorithm. We use labeled datasets to generate rules to incorporate into and fine-tune existing IDS/IPS such as Snort. Secondly, we further assist the IDS/IPS by processing traffic that is classified as malicious by the IDS/IPS in order to identify FPs and route them to their intended destinations. To achieve this, our approach uses active authentication of the traffic source of both legitimate and malicious traffic at the Bait and Decoy server respectively before it is forwarded to the Web server.

Keywords: Internet; computer network security; file servers; learning (artificial intelligence); pattern classification; telecommunication traffic; FP; IDS; IPS; Web server protection; Web users; application layer DDoS attacks; bait-and-decoy server; destination servers; distributed denial of service; false positive; government Web servers; intrusion detection systems; intrusion prevention systems; legitimate traffic; malicious traffic; minimal computational resources; mitigation efforts; random tree machine-learning algorithm; traffic authentication; traffic source active authentication; trained classifier; Authentication; Computer crime; Logic gates; Training; Web servers; DDoS Mitigation; False Positives; IDS/IPS; Java Script; Machine Learning (ID#: 16-9066)



Zeb, K.; Baig, O.; Asif, M.K., "DDoS Attacks and Countermeasures in Cyberspace," in Web Applications and Networking (WSWAN), 2015 2nd World Symposium on, pp. 1-6, 21-23 March 2015. doi: 10.1109/WSWAN.2015.7210322

Abstract: In cyberspace, availability of resources is a key component of cyber security along with confidentiality and integrity. Distributed Denial of Service (DDoS) attacks have become one of the major threats to the availability of resources in computer networks. It is a challenging problem on the Internet. In this paper, we present a detailed study of DDoS attacks on the Internet, specifically the attacks due to protocol vulnerabilities in the TCP/IP model, their countermeasures and various DDoS attack mechanisms. We thoroughly review DDoS attack defenses and analyze the strengths and weaknesses of different proposed mechanisms.

Keywords: Internet; computer network security; transport protocols; DDoS attack mechanisms; Internet; TCP-IP model; computer networks; cyber security; cyberspace; distributed denial of service attacks; Computer crime; Filtering; Floods; IP networks; Internet; Protocols; Servers; Cyber security; Cyber-attack; Cyberspace; DDoS Defense; DDoS attack; Mitigation; Vulnerability (ID#: 16-9067)



Al-Ali, Zaid; Al-Duwairi, Basheer; Al-Hammouri, Ahmad T., "Handling System Overload Resulting from DDoS Attacks and Flash Crowd Events," in Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, pp. 512-512, 3-5 Nov. 2015. doi: 10.1109/CSCloud.2015.66

Abstract: This paper presents a system that provides mitigation for DDoS attacks as a service, and is capable of handling flash crowd events at the same time. Providing DDoS protection as a service represents an important solution especially for Websites that have limited resources with no infrastructure in place for defense against these attacks. The proposed system is composed of two main components: (i) The distributed CAPTCHA service, which comprises a large number of powerful nodes geographically and suitably distributed in the Internet acting as a large distributed firewall, and (ii) The HTTP redirect module, which is a stateless HTTP server that redirects Web requests destined to the targeted Webserver to one of the CAPTCHA nodes. The CAPTCHA node can then segregate legitimate clients from automated attacks by requiring them to solve a challenge. Upon successful response, legitimate clients (humans) are forwarded through a given CAPTCHA node to the Webserver.

Keywords: Ash; CAPTCHAs; Computer crime; Conferences; Relays; Servers (ID#: 16-9068)



Singh, K.J.; De, T., "DDOS Attack Detection and Mitigation Technique Based on Http Count and Verification Using CAPTCHA," in Computational Intelligence and Networks (CINE), 2015 International Conference on, pp. 196-197, 12-13 Jan. 2015. doi: 10.1109/CINE.2015.47

Abstract: With the rapid development of the internet, the number of people who are online also increases tremendously. But nowadays we find not only growing positive use of the internet but also negative use of it. The misuse and abuse of the internet is growing at an alarming rate. There are many cases of viruses and worms infecting systems that have software vulnerabilities. These systems can even become the clients of bot herders. These infected systems aid in launching DDoS attacks against a target server. In this paper we introduce the concept of IP blacklisting, which blocks every blacklisted IP address; an HTTP count filter, which enables us to detect normal and suspected IP addresses; and the CAPTCHA technique, to cross-check whether these suspected IP addresses are controlled by a human or a botnet.

Keywords: Internet; client-server systems; computer network security; computer viruses; transport protocols; CAPTCHA; DDOS attack detection; DDOS attack mitigation technique; HTTP count filter; HTTP verification; IP address; IP blacklisting; Internet; botnet; software vulnerability; target server; virus; worms; CAPTCHAs; Computer crime; IP networks; Internet; Radiation detectors; Servers; bot; botnets; captcha; filter; http; mitigation (ID#: 16-9069)



Gde Dharma, N.I.; Muthohar, M.F.; Prayuda, J.D.A.; Priagung, K.; Deokjai Choi, "Time-based DDoS Detection and Mitigation for SDN Controller," in Network Operations and Management Symposium (APNOMS), 2015 17th Asia-Pacific, pp. 550-553, 19-21 Aug. 2015. doi: 10.1109/APNOMS.2015.7275389

Abstract: A Software Defined Network (SDN) is a new paradigm in network management that separates the control plane and the data plane. The control plane has an important role in managing the whole network. Since SDN introduces the control plane as the manager of the network, it also introduces a single point of failure. When the SDN controller is unreachable by the network devices, the whole network will collapse. One of the attack methods that can make the SDN controller unreachable is a DDoS attack. This paper reports the initial step of our research to develop a method for DDoS attack detection and mitigation for the SDN controller. The method considers the time duration of DDoS attack detection and the attack time pattern of the DDoS attack to prevent future attacks. In this paper, we present the potential vulnerabilities in the SDN controller that can be exploited for DDoS attacks and discuss the methods to detect and mitigate DDoS attacks.

Keywords: computer network management; computer network reliability; computer network security; control engineering computing; software defined networking; SDN controller failure; control plane; data plane; software defined network management; time-based DDoS attack detection; time-based DDoS attack mitigation; Computer crime; Floods; Monitoring; Software defined networking; Switches; DDoS attack; Network; Network Management; Network Security; SDN (ID#: 16-9070)



Jaehoon Jeong; Jihyeok Seo; Geumhwan Cho; Hyoungshick Kim; Jung-Soo Park, "A Framework for Security Services Based on Software-Defined Networking," in Advanced Information Networking and Applications Workshops (WAINA), 2015 IEEE 29th International Conference on, pp. 150-153, 24-27 March 2015. doi: 10.1109/WAINA.2015.102

Abstract: This paper proposes a framework for security services using Software-Defined Networking (SDN) and specifies requirements for such a framework. It describes two representative security services, such as (i) centralized firewall system and (ii) centralized DDoS-attack mitigation system. For each service, this paper discusses the limitations of legacy systems and presents a possible SDN-based system to protect network resources by controlling suspicious and dangerous network traffic that can be regarded as security attacks.

Keywords: computer network security; firewalls; software defined networking; software maintenance; SDN; centralized DDoS-attack mitigation system; centralized firewall system; legacy system; network resource protection; network traffic; security attack; security service; software-defined networking; Access control; Computer crime; Control systems; Firewalls (computing); Malware; Servers; DDoS-Attack Mitigator; Firewall; Framework; Security Services; Software-Defined Networking (ID#: 16-9071)



Ugwoke, F.N.; Okafor, K.C.; Chijindu, V.C., "Security QoS Profiling Against Cyber Terrorism in Airport Network Systems," in Cyberspace (CYBER-Abuja), 2015 International Conference on, pp. 241-251, 4-7 Nov. 2015. doi: 10.1109/CYBER-Abuja.2015.7360516

Abstract: Attacks on airport information network services in the form of Denial of Service (DoS), Distributed DoS (DDoS), and hijacking are the most effective schemes mostly explored by cyber terrorists in the aviation industry running Mission Critical Services (MCSs). This work presents a case for Airport Information Resource Management Systems (AIRMS), a cloud based platform proposed for the Nigerian aviation industry. Granting that AIRMS is susceptible to DoS attacks, there is a need to develop a robust counter security network model aimed at pre-empting such attacks and subsequently mitigating the vulnerability in such networks. Existing works in the literature regarding cyber security DoS and other schemes have not explored embedded Stateful Packet Inspection (SPI) based on OpenFlow Application Centric Infrastructure (OACI) for securing critical network assets. As such, SPI-OACI was proposed to address the challenge of Vulnerability Bandwidth Depletion DDoS Attacks (VBDDA). A characterization of the Cisco 9000 router firewall as an embedded network device with support for Virtual DDoS protection was carried out in the AIRMS threat mitigation design. Afterwards, the mitigation procedure and the initial phase of the design with Riverbed Modeler software were realized. For the security Quality of Service (QoS) profiling, the system response metrics (i.e. SPI-OACI delay, throughput and utilization) in the cloud based network were analyzed only for normal traffic flows. The work concludes by offering practical suggestions for securing similar enterprise management systems running on cloud infrastructure against cyber terrorists.

Keywords: airports; cloud computing; embedded systems; firewalls; information management; quality of service; telecommunication network routing; AIRMS; Cisco 9000 router firewall; MCS; Nigerian aviation industry; OpenFlow application centric infrastructure; SPI-OACI; VBDDA; airport information network services; airport information resource management systems; airport network systems; aviation industry; cloud based network; cloud based platform; cloud infrastructure; critical network assets; cyber terrorism; cyber terrorists; denial of service; distributed DoS; embedded network device; mission critical services; quality of service profiling; riverbed modeler software; robust counter security network model; security QoS profiling; stateful packet inspection; system response metrics; virtual DDoS protection; vulnerability bandwidth depletion DDoS attacks; Air traffic control; Airports; Atmospheric modeling; Computer crime; Floods; AIRMS; Attacks; Aviation Industry; Cloud Datacenters; DDoS; DoS; Mitigation Techniques; Vulnerabilities (ID#: 16-9072)



Gillani, F.; Al-Shaer, E.; Lo, S.; Qi Duan; Ammar, M.; Zegura, E., "Agile Virtualized Infrastructure to Proactively Defend Against Cyber Attacks," in Computer Communications (INFOCOM), 2015 IEEE Conference on, pp. 729-737, April 26 2015-May 1 2015. doi: 10.1109/INFOCOM.2015.7218442

Abstract: DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low-rate traffic from a large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause a devastating effect such as partitioning domains and networks. In this paper, we propose to defend against DDoS attacks by proactively changing the footprint of critical resources in an unpredictable fashion to invalidate an adversary's knowledge and plan of attack against critical network resources. Our present approach employs virtual networks (VNs) to dynamically reallocate network resources using VN placement and offers constant VN migration to new resources. Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN placement properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining the network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using SMT logic. We also demonstrate the effectiveness of our implemented framework in both PlanetLab and Mininet-based experiments.

Keywords: computer network security; formal logic; virtualisation; DDoS attacks; Mininet; PlanetLab; SMT logic; VN migration; VN placement; agile virtualized infrastructure; attack mitigation techniques; critical network resources; cyber attacks; distributed denial-of-service attack; network availability; network resource reallocation; virtual networks; Computational modeling; Computer crime; Mathematical model; Reconnaissance; Routing protocols; Servers; Substrates (ID#: 16-9073)



Kalliola, A.; Kiryong Lee; Heejo Lee; Aura, T., "Flooding DDoS Mitigation and Traffic Management with Software Defined Networking," in Cloud Networking (CloudNet), 2015 IEEE 4th International Conference on, pp. 248-254, 5-7 Oct. 2015. doi: 10.1109/CloudNet.2015.7335317

Abstract: Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50% to 80% service levels even when hit by an overwhelming attack.

Keywords: computer network security; software defined networking; telecommunication traffic; SDN-enabled networks; attack types; attacker adaptation; defender constraints; defense mechanism; distributed denial-of-service attack mitigation; elastic capacity invocation; external blacklist information; filtering; flooding DDoS mitigation; load control; normal traffic learning; overwhelming attack; performance analysis; physical SDN testbed; real-life normal traffic traces; service elasticity; service levels; software defined networking; synthetic attack traces; traffic management; Cloud computing; Clustering algorithms; Computer crime; Control systems; IP networks; Servers (ID#: 16-9074)



Hirayama, Takayuki; Toyoda, Kentaroh; Sasase, Iwao, "Fast Target Link Flooding Attack Detection Scheme by Analyzing Traceroute Packets Flow," in Information Forensics and Security (WIFS), 2015 IEEE International Workshop on, pp. 1-6, 16-19 Nov. 2015. doi: 10.1109/WIFS.2015.7368594

Abstract: Recently, a botnet based DDoS (Distributed Denial of Service) attack, called the target link flooding attack, has been reported that cuts off specific links over the Internet and disconnects a specific region from other regions. Detecting or mitigating the target link flooding attack is more difficult than for legacy DDoS attack techniques, since the attacking flows do not reach the target region. Although many mitigation schemes have been proposed, they detect the attack after it occurs. In this paper, we propose a fast target link flooding attack detection scheme by leveraging the fact that traceroute packets increase before the attack because of the attacker's reconnaissance. Moreover, by analyzing the characteristic of the target link flooding attack that the number of traceroute packets simultaneously increases in various regions over the network, we propose a detection scheme with multiple detection servers to eliminate false alarms caused by a sudden increase of traceroute packets sent by legitimate users. We show the effectiveness of our scheme by computer simulations.

Keywords: Computational modeling; Reconnaissance (ID#: 16-9075)



Jog, M.; Natu, M.; Shelke, S., "Distributed Capabilities-based DDoS Defense," in Pervasive Computing (ICPC), 2015 International Conference on, pp. 1-6, 8-10 Jan. 2015. doi: 10.1109/PERVASIVE.2015.7086993

Abstract: Existing strategies against DDoS are implemented as single-point solutions at different network locations. Our understanding is that no single network location can cater to the needs of a foolproof defense solution, given the nature of DDoS and the activities for its mitigation. This paper gives collective information about some important defense mechanisms, discussing their advantages and limitations. Based on our understanding, we propose a distribution of DDoS defense which uses improved techniques for capabilities-based traffic differentiation and scheduling-based rate-limiting. Additionally, we propose a novel approach for prediction of attacks to determine the prospective attackers as well as the time-to-saturation of the victim. We present two algorithms for this distribution of defense. The proposed distributed approach, built with these incremental improvements in the defense activities, is expected to provide a better solution to the DDoS problem.

Keywords: computer network security; DDoS defense; capabilities-based traffic differentiation; distributed denial-of-service; incremental improvements; scheduling-based rate-limiting; single-point solutions; Aggregates; Bandwidth; Computer crime; Filtering; Floods; IP networks; Limiting; Attack detection; Distributed Denial-of-Service; Distributed defense; Network security; Rate-limiting; Traffic differentiation (ID#: 16-9076)



Guenane, F.; Nogueira, M.; Serhrouchni, A., "DDOS Mitigation Cloud-Based Service," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 1363-1368, 20-22 Aug. 2015. doi: 10.1109/Trustcom.2015.531

Abstract: Cloud computing has evolved over the last decade from a simple storage service to more complex ones, offering software as a service (SaaS), platforms as a service (PaaS) and most recently security as a service (SECaaS). The work presented in this paper is a response to: (1) the resource constraints in physical security devices such as firewalls or IPS/IDS, which can no longer counter advanced DDoS attacks, and (2) the expensive cost, management complexity and the requirement of a high amount of resources on existing DDoS mitigation tools to verify the traffic. We propose a new architecture for a cloud based firewalling service using resources offered by the Cloud and characterized by: a low financial cost, high availability, reliability, self scaling and easy management. In order to improve the efficiency of our proposal in facing DDoS attacks, we deploy, configure and test our mitigation service using Network Function Virtualization technology (NFV) and other virtualization capabilities. We also detail some results and point out future work.

Keywords: cloud computing; firewalls; reliability; virtualisation; DDOS mitigation tools; NFV; availability; cloud based firewalling service; cloud computing; cloud-based service; distributed denial of service; financial cost; management complexity; network function virtualization technology; physical security devices resource constraints; reliability; self scaling; traffic verification; Authentication; Cloud computing; Computer architecture; Computer crime; Firewalls (computing); Logic gates; Cloud based service; DDOS; Distributed Denial of Service; Firewalling; SECAAS; Security As A Service (ID#: 16-9077)



Alosaimi, Wael; Zak, Michal; Al-Begain, Khalid, "Denial of Service Attacks Mitigation in the Cloud," in Next Generation Mobile Applications, Services and Technologies, 2015 9th International Conference on, pp. 47-53, 9-11 Sept. 2015. doi: 10.1109/NGMAST.2015.48

Abstract: Denial of Service (DoS) attacks form a permanent risk to traditional networks and the cloud environment. This malicious attack can be amplified by Distributed Denial of Service (DDoS) attacks. Moreover, the cloud payment model can be affected by such attacks exploiting cloud scalability. In this case, it is called an Economical Denial of Sustainability (EDoS) attack. This study introduces an effective solution that is designed to counteract such attacks and protect targeted networks. The proposed framework is called Enhanced DDoS-Mitigation System (Enhanced DDoS-MS). This method is tested practically and the test results proved the success of the framework in limiting the end-to-end response time and handling complex versions of these attacks on multiple layers.

Keywords: CAPTCHAs; Cloud computing; Computer crime; Firewalls (computing); IP networks; Limiting; Servers; Cloud Computing; DDoS; Denial of Service; Distributed Denial of Service attacks; DoS; EDoS; Economical Denial of Sustainability (ID#: 16-9078)



Fung, C.J.; McCormick, B., "VGuard: A Distributed Denial of Service Attack Mitigation Method Using Network Function Virtualization," in Network and Service Management (CNSM), 2015 11th International Conference on, pp. 64-70, 9-13 Nov. 2015. doi: 10.1109/CNSM.2015.7367340

Abstract: Distributed denial of service (DDoS) attacks have caused tremendous damage to ISPs and online services. They can be divided into attacks using spoofed IPs and attacks using real IPs (botnets). Among them, the attacks from real IPs are much harder to mitigate since the attack traffic can be fabricated to be similar to legitimate traffic. The corresponding DDoS defence strategies proposed in the past few years have not been proven to be highly effective due to the limitations of participating devices. However, the emergence of next generation networking technologies such as network function virtualization (NFV) provides a new opportunity for researchers to design DDoS mitigation solutions. In this paper we propose VGuard, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF). The flows from the external zone are directed to different tunnels based on their priority levels. This way trusted legitimate flows are served with guaranteed quality of service, while attack flows and suspicious flows compete for resources with each other. We propose two methods for flow direction: the static method and the dynamic method. We evaluated the performance of both methods through simulation. Our results show that both methods can effectively provide satisfying service to trusted flows under DDoS attacks, and both methods have their pros and cons under different situations.

Keywords: computer network security; telecommunication traffic; virtualisation; DDoS virtual network function; IP spoofing; VGuard; distributed denial of service attack mitigation; dynamic method; flow direction method; network function virtualization; prioritization based dynamic traffic engineering; real IP botnet; static method; Computer crime; Dispatching; Hardware; IP networks; Quality of service; Servers (ID#: 16-9079)



Alosaimi, Wael; Alshamrani, Mazin; Al-Begain, Khalid, "Simulation-Based Study of Distributed Denial of Service Attacks Prevention in the Cloud," in Next Generation Mobile Applications, Services and Technologies, 2015 9th International Conference on, pp. 60-65, 9-11 Sept. 2015. doi: 10.1109/NGMAST.2015.50

Abstract: Distributed Denial of Service (DDoS) attacks can affect the availability of networks. In the age of cloud computing, these attacks are becoming more harmful in terms of their common influences and their new effects that harm cloud sustainability by exploiting its scalability and payment model (pay-as-you-use). Therefore, a new form of DDoS attack is introduced in the cloud context as an economical version of such an attack. This new form is known as the Economical Denial of Sustainability (EDoS) attack. To counteract such attacks, traditional network security means are used. Specifically, firewalls, which work as filters for the packets incoming to the targeted network according to rules designated by the administrators, can mitigate the impacts of DDoS and EDoS attacks. In this paper, a new solution called Enhanced DDoS-Mitigation System (Enhanced DDoS-MS) is proposed to counter these attacks by utilizing the firewall capabilities in controlling a verification process to protect the targeted system. These capabilities are evaluated in a simulation environment. The results proved that the firewall mitigates the DDoS impacts successfully by improving the services provided to the users in terms of response time and server load under attack. The study also suggests a subsequent implementation of the proposed framework on an active testbed.

Keywords: Cloud computing; Computer crime; Floods; IP networks; Protocols; Servers; DDoS; Distributed Denial of Service attacks; EDoS; Economical Denial of Sustainability; cloud computing (ID#: 16-9080)



Jinyong Kim; Daghmehchi Firoozjaei, M.; Jeong, J.P.; Hyoungshick Kim; Jung-Soo Park, "SDN-Based Security Services Using Interface To Network Security Functions," in Information and Communication Technology Convergence (ICTC), 2015 International Conference on, pp. 526-529, 28-30 Oct. 2015. doi: 10.1109/ICTC.2015.7354602

Abstract: This paper proposes a framework for security services using Software-Defined Networking (SDN) and Interface to Network Security Functions (I2NSF). It specifies requirements for such a framework for security services based on network virtualization. It describes two representative security systems, such as (i) centralized firewall system and (ii) DDoS-attack mitigation system. For each service, this paper discusses the limitations of existing systems and presents a possible SDN-based system to protect network resources by controlling suspicious and dangerous network traffic.

Keywords: firewalls; software defined networking; telecommunication security; I2NSF; DDoS-attack mitigation system; SDN-based security services; SDN-based system; centralized firewall system; interface-to-network security functions; network resources; network security functions; network traffic; software-defined networking; Access control; Communication networks; Computer crime; Control systems; Firewalls (computing); Servers (ID#: 16-9081)



Tang, C.; Lee, E.; Tang, A.; Lixin Tao, "Mitigating HTTP Flooding Attacks with Meta-data Analysis," in High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on, pp. 1406-1411, 24-26 Aug. 2015. doi: 10.1109/HPCC-CSS-ICESS.2015.203

Abstract: The rise of Distributed Denial of Service (DDoS) attacks has posed a dire threat to cloud computing services in recent years. First, it is getting increasingly difficult to discriminate legitimate traffic from malicious traffic since both are legal at the application-protocol level. Second, DDoS attacks have tremendous impacts on virtual machine performance due to the over-subscribed sharing nature of a cloud data center. To prevent the most serious HTTP GET flooding attacks, we propose a meta-data based monitoring approach, in which the behavior of malicious HTTP requests is captured through real-time and big-data analysis. The proposed DDoS defense system can provide continued service to legitimate clients even when the attacking line-rate is as high as 9Gbps. An intelligent probe is first used to extract the meta-data about an HTTP connection, which can be thought of as (IP, URL) (Uniform Resource Locators). Then, a real-time big-data analyzing technique is applied on top of the meta-data to identify the IP addresses whose HTTP request frequency significantly surpasses the norm. The blacklist, consisting of these IP addresses, is further aggregated, enabling inline devices (firewalls and load balancers) to apply rate-limiting rules to mitigate the attacks. Our findings show that the performance of the meta-data based detection system is one order of magnitude better than the previous approach.

Keywords: Big Data; cloud computing; computer centres; data analysis; firewalls; meta data; telecommunication traffic; transport protocols; virtual machines; Big-Data analysis; DDoS attack; DDoS defense system; HTTP GET flooding attack mitigation; HTTP connection; HTTP request frequency; IP address; application-protocol level; cloud computing services; cloud data center; distributed denial of service attack; firewall; inline devices; intelligent probe; legitimate traffic; load balancer; malicious HTTP request; malicious traffic; meta-data analysis; meta-data based detection system; meta-data based monitoring approach; rate-limiting rule; virtual machine performance; Computer crime; Floods; IP networks; Protocols; Real-time systems; Servers; Uniform resource locators; DDoS; HTTP GET flooding; meta-data analysis; network protocol parser (ID#: 16-9082)
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.