scholarly journals A Strategy for Detection and Mitigation of DoS Attacks on Software-Defined Networks

2021 ◽  
Author(s):  
Diogo Mourão de Almeida Pereira ◽  
Joberto S. B. Martins

Computer networks support applications in virtually every area of application and knowledge, and as such, they have widely distributed structures and are susceptible to security attacks in general.Software-Defined Networks (SDN), in turn, are a technological solution that has several advantages by separating the control plane from the data plane in the structuring of computer networks. Given this technological difference, software-defined networks are a network implementation paradigm used to mitigate network security attacks. In summary, the use of SDN to mitigate network attacks provides greater flexibility in implementing the attack strategy. However, the separation of control and data planes creates new points of vulnerability for the security of the network operation.The denial of service attack (DoS) of the type Syn-Flooding is one of the most common possible attacks. It can cause, concerning the network, the commitment to perform services and, concerning the operation of the SDN, the commitment in the bandwidth of the communication channel between the control planes and the data plane, the saturation of the ow table in the switch, and the increasing of the processing load in the controller.In general, the investigation about new strategies aimed at safety with SDN becomes necessary to improve security strategies for network attacks and maximize the reliability of SDN operation, allowing use in different application scenarios. This work presents a defense strategy against attacks of DoS Syn-Flooding using the SDN facilities of an integrated controller with an intrusion detection system (IDS).The proposed strategy aims to mitigate Syn-Flooding DoS attacks and the vulnerability arising from the use of SDN to mitigate attacks.

2021 ◽  
Vol 2021 ◽  
pp. 1-14
Author(s):  
Xinzhi Feng ◽  
Yang Yang ◽  
Xiaozhong Qi ◽  
Chunming Xu ◽  
Ze Ji

In recent years, the research of the network control system under the event triggering mechanism subjected to network attacks has attracted foreign and domestic scholars’ wide attention. Among all kinds of network attacks, denial-of-service (DoS) attack is considered the most likely to impact the performance of NCS significantly. The existing results on event triggering do not assess the occurrence of DoS attacks and controller changes, which will reduce the control performance of the addressed system. Aiming at the network control system attacked by DoS, this paper combines double-ended elastic event trigger control, DoS attack, and quantitative feedback control to study the stability of NCS with quantitative feedback of DoS attack triggered by a double-ended elastic event. Simulation examples show that this method can meet the requirements of control performance and counteract the known periodic DoS attacks, which save limited resources and improve the system’s antijamming ability.


2021 ◽  
Author(s):  
Eduardo De Oliveira Burger Monteiro Luiz ◽  
Alessandro Copetti ◽  
Luciano Bertini ◽  
Juliano Fontoura Kazienko

The introduction of the IPv6 protocol solved the problem of providingaddresses to network devices. With the emergence of the Internetof Things (IoT), there was also the need to develop a protocolthat would assist in connecting low-power devices. The 6LoWPANprotocols were created for this purpose. However, such protocolsinherited the vulnerabilities and threats related to Denial of Service(DoS) attacks from the IPv4 and IPv6 protocols. In this paper, weprepare a network environment for low-power IoT devices usingCOOJA simulator and Contiki operating system to analyze theenergy consumption of devices. Besides, we propose an IntrusionDetection System (IDS) associated with the AES symmetric encryptionalgorithm for the detection of reflection DoS attacks. Thesymmetric encryption has proven to be an appropriate methoddue to low implementation overhead, not incurring in large powerconsumption, and keeping a high level of system security. The maincontributions of this paper are: (i) implementation of a reflectionattack algorithm for IoT devices; (ii) implementation of an intrusiondetection system using AES encryption; (iii) comparison ofthe power consumption in three distinct scenarios: normal messageexchange, the occurrence of a reflection attack, and runningIDS algorithm. Finally, the results presented show that the IDSwith symmetric cryptography meets the security requirements andrespects the energy limits of low-power sensors.


2019 ◽  
pp. 1952-1983
Author(s):  
Pourya Shamsolmoali ◽  
Masoumeh Zareapoor ◽  
M.Afshar Alam

Distributed Denial of Service (DDoS) attacks have become a serious attack for internet security and Cloud Computing environment. This kind of attacks is the most complex form of DoS (Denial of Service) attacks. This type of attack can simply duplicate its source address, such as spoofing attack, which defending methods do not able to disguises the real location of the attack. Therefore, DDoS attack is the most significant challenge for network. In this chapter we present different aspect of security in Cloud Computing, mostly we concentrated on DDOS Attacks. The Authors illustrated all types of Dos Attacks and discussed the most effective detection methods.


Author(s):  
Mohamed Cheikh ◽  
Salima Hacini ◽  
Zizette Boufaida

Intrusion detection system (IDS) plays a vital and crucial role in a computer security. However, they suffer from a number of problems such as low detection of DoS (denial-of-service)/DDoS (distributed denial-of-service) attacks with a high rate of false alarms. In this chapter, a new technique for detecting DoS attacks is proposed; it detects DOS attacks using a set of classifiers and visualizes them in real time. This technique is based on the collection of network parameter values (data packets), which are automatically represented by simple geometric graphs in order to highlight relevant elements. Two implementations for this technique are performed. The first is based on the Euclidian distance while the second is based on KNN algorithm. The effectiveness of the proposed technique has been proven through a simulation of network traffic drawn from the 10% KDD and a comparison with other classification techniques for intrusion detection.


2019 ◽  
Vol 2 (1) ◽  
pp. 6
Author(s):  
Abdullahi Mikail ◽  
Bernardi Pranggono

The shift to Cloud computing has brought with it its specific security challenges concerning the loss of control, trust and multi-tenancy especially in Infrastructure-as-a-Service (IaaS) Cloud model. This article focuses on the design and development of an intrusion detection system (IDS) that can handle security challenges in IaaS Cloud model using an open source IDS. We have implemented a proof-of-concept prototype on the most deployed hypervisor—VMware ESXi—and performed various real-world cyber-attacks, such as port scanning and denial of service (DoS) attacks to validate the practicality and effectiveness of our proposed IDS architecture. Based on our experimental results we found that our Security Onion-based IDS can provide the required protection in a reasonable and effective manner.


2014 ◽  
pp. 95-104
Author(s):  
Andrian Piskozub

The aim of this paper is to understand reasons why denial of service (DoS) attacks are happening; to find ways how to avoid these attacks or lessen their influence; to work out strategy of detecting and preventing these attacks.


2020 ◽  
pp. 399-410
Author(s):  
Jawad Dalou' ◽  
Basheer Al-Duwairi ◽  
Mohammad Al-Jarrah

Software Defined Networking (SDN) has emerged as a new networking paradigm that is based on the decoupling between data plane and control plane providing several benefits that include flexible, manageable, and centrally controlled networks. From a security point of view, SDNs suffer from several vulnerabilities that are associated with the nature of communication between control plane and data plane. In this context, software defined networks are vulnerable to distributed denial of service attacks. In particular, the centralization of the SDN controller makes it an attractive target for these attacks because overloading the controller with huge packet volume would result in bringing the whole network down or degrade its performance. Moreover, DDoS attacks may have the objective of flooding a network segment with huge traffic volume targeting single or multiple end systems. In this paper, we propose an entropy-based mechanism for Distributed Denial of Service (DDoS) attack detection and mitigation in SDN networks. The proposed mechanism is based on the entropy values of source and destination IP addresses of flows observed by the SDN controller which are compared to a preset entropy threshold values that change in adaptive manner based on network dynamics. The proposed mechanism has been evaluated through extensive simulation experiments.


2015 ◽  
Vol 24 (2) ◽  
pp. 199-213
Author(s):  
Zouheir Trabelsi ◽  
Mohamed Al Hemairy ◽  
Mohammad M. Masud

AbstractBiometrics readers are deployed in many public sites and are used for user identification and verification. Nowadays, most biometrics readers can be connected to local area networks, and consequently, they are potential targets for network attacks. This article investigates the robustness of several fingerprint and iris readers against common denial of service (DoS) attacks. This investigation has been conducted using a set of laboratory experiments and DoS attack generator tools. The experiments show clearly that the tested biometric readers are very vulnerable to common DoS attacks, and their recognition performances deteriorate significantly once they are under DoS attacks. Finally, the article lists some security consideration that should be taken into consideration when designing secure biometrics readers.


2019 ◽  
Vol 2019 ◽  
pp. 1-15 ◽  
Author(s):  
Francisco Sales de Lima Filho ◽  
Frederico A. F. Silveira ◽  
Agostinho de Medeiros Brito Junior ◽  
Genoveva Vargas-Solar ◽  
Luiz F. Silveira

Users and Internet service providers (ISPs) are constantly affected by denial-of-service (DoS) attacks. This cyber threat continues to grow even with the development of new protection technologies. Developing mechanisms to detect this threat is a current challenge in network security. This article presents a machine learning- (ML-) based DoS detection system. The proposed approach makes inferences based on signatures previously extracted from samples of network traffic. The experiments were performed using four modern benchmark datasets. The results show an online detection rate (DR) of attacks above 96%, with high precision (PREC) and low false alarm rate (FAR) using a sampling rate (SR) of 20% of network traffic.


Sign in / Sign up

Export Citation Format

Share Document