A Source-End Defense System Against DDoS Attacks

2005, pp. 147-168
Author(s): Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh, Sheng-Hsuan Wang

Author(s): Deepa Nehra, Kanwalvir Singh Dhindsa, Bharat Bhushan

Background & Objective: DDoS attacks pose a huge threat to the communication and security of mobile nodes in MANETs. The number of approaches proposed to defend against DDoS attacks in MANETs is much smaller than for wire-based networks. The aim of this paper is to test the effectiveness of the proposed cluster based DDoS attacks mechanism with various reactive routing protocols. Method: The scheme proposed here is a clustering based DDoS defense mechanism, in which the cluster heads monitor the incoming traffic to identify the presence of suspicious behaviour. After the successful identification of suspicious behaviour, the flow responsible for it will be identified and it will be confirmed whether it is related to a DDoS attack or not. Once a DDoS attack is confirmed, all the packets related to it will be discarded. Results & Discussions: OMNeT++ along with the INET framework is used to evaluate the effectiveness of the proposed defense scheme with different routing protocols. In attack situations, DYMO exhibited higher throughput and was able to deliver approximately 95% of legitimate packets. DYMO, in comparison to AODV and DSR, managed to control end-to-end delay at its best levels (i.e. 0.40 to 0.70 seconds). In terms of packet delivery ratio, AODV and DYMO both perform better than DSR and are able to maintain PDR at their highest levels (i.e. 0.90 to 0.94). Conclusion: The attack detection mechanism proposed here performs various tasks like monitoring, characterization, and identification of attack traffic from the incoming flow with the help of neighbouring cluster heads. The flow identified as an attack is discarded and attack related information would be shared with neighbouring cluster heads to achieve distributed defense. The performance of the proposed defense system is assessed with different reactive routing protocols and it is identified that the DYMO protocol performs better than AODV and DSR.


2018, pp. 15-24
Author(s): Karanbir Singh, Kanwalvir Singh Dhindsa, Bharat Bhushan

The current internet infrastructure is susceptible to distributed denial of service (DDoS) attacks and has no built-in mechanism to defend against them. The research on these kinds of attacks and their defense is significant for the security and reliability of the internet. We have already proposed a collaborative agent based distributed DDoS defense scheme which detects and prevents DDoS attacks in ISP (Internet Service Provider) boundaries. The actual task of defense is carried out by agents and coordinators in each ISP. The defense system works by inspecting incoming traffic on the edge router and identifying the occurrence of DDoS attacks. The agents implement an entropy-threshold based detection algorithm. The coordinators share attack related information with neighboring ISPs in order to achieve distributed defense. The performance of the defense system is evaluated on the basis of some identified metrics. The effectiveness of the defense system is evaluated in the presence and absence of the defense system. The result indicates that the proposed defense system does accurate attack detection with very few false positives and false negatives.


2019
Author(s): Kairo Tavares, Tiago Coelho Ferreto

Distributed Denial of Service (DDoS) attacks continue to be a major issue in today's Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, spoofed TCP SYN Flood is one of the most common forms of volumetric DDoS attacks. Several works explored the flexible management control provided by the new network paradigm called Software Defined Networking (SDN) to produce a flexible and powerful defense system. Among them, data plane based solutions combined with the recent flexibility of programmable switches aim to leverage hardware speed and defend against Spoofed Flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication on the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms have several limitations. First, due to the required interaction to authenticate the client, they penalize all clients' connection time even without an ongoing attack. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST, and finally, they are vulnerable to a buffer saturation attack due to the limited data plane resources that store the whitelist of authenticated users. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluate our solution against a data plane Safe Reset technique in an emulated environment using Mininet.


2010, Vol 2010, pp. 1-15
Author(s): Muhai Li, Ming Li

Among various network attacks, the Distributed Denial-of-Service (DDoS) attack is a severe threat. In order to deal with this kind of attack in time, it is necessary to establish a special type of defense system that changes strategy dynamically against attacks. In this paper, we introduce an adaptive approach, which is used for defending against DDoS attacks, based on normal traffic analysis. The approach can check for DDoS attacks and adaptively adjust its configurations according to the network condition and attack severity. In order to ensure that common users can visit the victim server that is being attacked, we provide a nonlinear traffic control formula for the system. Our simulation test indicates that the nonlinear control approach can prevent the malicious attack packets effectively while making legitimate traffic flows arrive at the victim.

