An efficient algorithm to detect DDoS amplification attacks

Domain name system (DNS) plays a critical part in the functioning of the Internet. But since DNS queries are sent using UDP, it is vulnerable to Distributed Denial of Service (DDoS) attacks. The attacker can take advantage of this and spoof the source IP address and direct the response towards the victim network. And since the network does not keep track of the number of requests going out and responses coming in, the attacker can flood the network with these unwanted DNS responses. Along with DNS, other protocols are also exploited to perform DDoS. Usage of Network Time Protocol (NTP) is to synchronize clocks on systems. Its monlist command replies with 600 entries of previous traffic records. This response is enormous compared to the request. This functionality is used by the attacker in DDoS. Since these attacks can cause colossal congestion, it is crucial to prevent or mitigate these types of attacks. It is obligatory to discover a way to drop the spoofed packets while entering the network to mitigate this type of attack. Intelligent cybersecurity systems are designed for the detection of these attacks. An Intelligent system has AI and ML algorithms to achieve its function. This paper discusses such intelligent method to detect the attack server from legitimate traffic. This method uses an algorithm that gets activated by excess traffic in the network. The excess traffic is determined by the speed or rate of the requests and responses and their ratio. The algorithm extracts the IP addresses of servers and detects which server is sending more packets than requested or which are not requested. This server can be later blocked using a firewall or Access Control List (ACL).

Download Full-text

DoS Attack Prevention Using Rule-Based Sniffing Technique and Firewall in Cloud Computing

E3S Web of Conferences ◽

10.1051/e3sconf/201912521004 ◽

2019 ◽

Vol 125 ◽

pp. 21004

Author(s):

Kagiraneza Alexis Fidele ◽

Agus Hartanto

Keyword(s):

Denial Of Service ◽

The Internet ◽

Data Service ◽

Distributed Denial Of Service ◽

Dos Attack ◽

Ip Address ◽

Attack Pattern ◽

Main Target ◽

Cloud Servers ◽

Sniffing Technique

Nowadays, we are entering an era where the internet has become a necessary infrastructure and support that can be applied as a means of regular communication and data service. In these services, cloud-based on servers has an essential role as it can serve numerous types of devices that are interconnected with several protocols. Unfortunately, internet cloud servers become the main target of attacks such as Denial of Service (DoS), Distributed Denial of Service (DDoS). These attacks have illegal access that could interfere in service functions. Sniffing techniques are typically practiced by hackers and crackers to tap data that passes through the internet network. In this paper, sniffing technique aims to identify packets that are moving across the network. This technique will distinguish packet on the routers or bridges through a sniffer tool known as snort connected to a database containing the attack pattern. If the sniffing system encounters strange patterns and recognizes them as attacks, it will notify to the firewall to separate the attacker's original Internet Protocol (IP) address. Then, communication from the attacker's host to the target will be discontinued. Consequently, the identified attack activity will stop working, and the service will proceed to run.

Download Full-text

A Malware Distribution Simulator for the Verification of Network Threat Prevention Tools

Sensors ◽

10.3390/s21216983 ◽

2021 ◽

Vol 21 (21) ◽

pp. 6983

Author(s):

Song-Yi Hwang ◽

Jeong-Nyeo Kim

Keyword(s):

Denial Of Service ◽

Malicious Code ◽

The Internet ◽

Simulation Tool ◽

Distributed Denial Of Service ◽

Network Access ◽

Ip Address ◽

Network Equipment ◽

Low Performance ◽

Iot Devices

With the expansion of the Internet of Things (IoT), security incidents about exploiting vulnerabilities in IoT devices have become prominent. However, due to the characteristics of IoT devices such as low power and low performance, it is difficult to apply existing security solutions to IoT devices. As a result, IoT devices have easily become targets for cyber attackers, and malware attacks on IoT devices are increasing every year. The most representative is the Mirai malware that caused distributed denial of service (DDoS) attacks by creating a massive IoT botnet. Moreover, Mirai malware has been released on the Internet, resulting in increasing variants and new malicious codes. One of the ways to mitigate distributed denial of service attacks is to render the creation of massive IoT botnets difficult by preventing the spread of malicious code. For IoT infrastructure security, security solutions are being studied to analyze network packets going in and out of IoT infrastructure to detect threats, and to prevent the spread of threats within IoT infrastructure by dynamically controlling network access to maliciously used IoT devices, network equipment, and IoT services. However, there is a great risk to apply unverified security solutions to real-world environments. In this paper, we propose a malware simulation tool that scans vulnerable IoT devices assigned a private IP address, and spreads malicious code within IoT infrastructure by injecting malicious code download command into vulnerable devices. The malware simulation tool proposed in this paper can be used to verify the functionality of network threat detection and prevention solutions.

Download Full-text

NTP DRDoS Attack Vulnerability and Mitigation

Applied Mechanics and Materials ◽

10.4028/www.scientific.net/amm.644-650.2875 ◽

2014 ◽

Vol 644-650 ◽

pp. 2875-2880

Author(s):

A. Alfraih Abdulaziz Nasser ◽

Wen Bo Chen

Keyword(s):

Amplification Factor ◽

Denial Of Service ◽

Personal Computers ◽

Distributed Network ◽

Network Time ◽

Hands On ◽

Time Zones ◽

Network Time Protocol ◽

The Way

The Network Time Protocol (NTP) is used to synchronize clocks of various computer devices such as personal computers, tablets, and phones based their set time zones. The network of devices that use these NTP servers form a huge distributed network that attracted a number of attacks from late 2013 towards early 2014. This paper presents a hands-on test of the Distributed Reflection Denial of Service (DRDoS) attack by the monlist command, provides more vulnerability in the protocol, and offers mitigation to these vulnerabilities. A Kali Linux server was used to test the monlist command on its localhost. The results showed that a request with a size of 234 bytes got a response of 4,680 bytes. A busy NTP server can return up to 600 addresses which were theoretically calculated to return approximately 48 kilobytes in 100 packets. Consequently, this results in an amplification factor of 206×. The knowledge of the way the attack can be propagated was an important step in thwarting the attack and mitigating more such threats in the same protocol.

Download Full-text

Analisa Real-Time Data log honeypot menggunakan Algoritma K-Means pada serangan Distributed Denial of Service

Repositor ◽

10.22219/repositor.v2i5.440 ◽

2020 ◽

Vol 2 (5) ◽

pp. 541

Author(s):

Denni Septian Hermawan ◽

Syaifuddin Syaifuddin ◽

Diah Risqiwati

Keyword(s):

Real Time ◽

Data Storage ◽

Denial Of Service ◽

The Internet ◽

Distributed Denial Of Service ◽

Time Data ◽

Local Networks ◽

Real Time Data ◽

Internet Networks ◽

Data Log

AbstrakJaringan internet yang saat ini di gunakan untuk penyimpanan data atau halaman informasi pada website menjadi rentan terhadap serangan, untuk meninkatkan keamanan website dan jaringannya, di butuhkan honeypot yang mampu menangkap serangan yang di lakukan pada jaringan lokal dan internet. Untuk memudahkan administrator mengatasi serangan digunakanlah pengelompokan serangan dengan metode K-Means untuk mengambil ip penyerang. Pembagian kelompok pada titik cluster akan menghasilkan output ip penyerang.serangan di ambil sercara realtime dari log yang di miliki honeypot dengan memanfaatkan MHN.Abstract The number of internet networks used for data storage or information pages on the website is vulnerable to attacks, to secure the security of their websites and networks, requiring honeypots that are capable of capturing attacks on local networks and the internet. To make it easier for administrators to tackle attacks in the use of attacking groupings with the K-Means method to retrieve the attacker ip. Group divisions at the cluster point will generate the ip output of the attacker. The strike is taken as realtime from the logs that have honeypot by utilizing the MHN.

Download Full-text

Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring

Lecture Notes in Computer Science - NETWORKING 2004. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications ◽

10.1007/978-3-540-24693-0_63 ◽

2004 ◽

pp. 771-782 ◽

Cited By ~ 47

Author(s):

Tao Peng ◽

Christopher Leckie ◽

Kotagiri Ramamohanarao

Keyword(s):

Denial Of Service ◽

Denial Of Service Attacks ◽

Distributed Denial Of Service ◽

Ip Address

Download Full-text

Network Worms

Encyclopedia of Information Science and Technology, Second Edition ◽

10.4018/978-1-60566-026-4.ch444 ◽

2011 ◽

pp. 2783-2788

Author(s):

Thomas M. Chen ◽

Greg W. Tally

Keyword(s):

Denial Of Service ◽

Human Action ◽

Network Services ◽

The Internet ◽

Distributed Denial Of Service ◽

Functional Perspective ◽

Internet Users ◽

Confidential Data ◽

Self Replication ◽

E Mail

Internet users are currently plagued by an assortment of malicious software (malware). The Internet provides not only connectivity for network services such as e-mail and Web browsing, but also an environment for the spread of malware between computers. Users can be affected even if their computers are not vulnerable to malware. For example, fast-spreading worms can cause widespread congestion that will bring down network services. Worms and viruses are both common types of self-replicating malware but differ in their method of replication (Grimes, 2001; Harley, Slade, & Gattiker, 2001; Szor, 2005). A computer virus depends on hijacking control of another (host) program to attach a copy of its virus code to more files or programs. When the newly infected program is executed, the virus code is also executed. In contrast, a worm is a standalone program that does not depend on other programs (Nazario, 2004). It replicates by searching for vulnerable targets through the network, and attempts to transfer a copy of itself. Worms are dependent on the network environment to spread. Over the years, the Internet has become a fertile environment for worms to thrive. The constant exposure of computer users to worm threats from the Internet is a major concern. Another concern is the possible rate of infection. Because worms are automated programs, they can spread without any human action. The fastest time needed to infect a majority of Internet users is a matter of speculation, but some worry that a new worm outbreak could spread through the Internet much faster than defenses could detect and block it. The most reliable defenses are based on attack signatures. If a new worm does not have an existing signature, it could have some time to spread unhindered and complete its damage before a signature can be devised for it. Perhaps a greater concern about worms is their role as vehicles for delivery of other malware in their payload. Once a worm has compromised a host victim, it can execute any payload. Historical examples of worms have included: • Trojan horses: Software with a hidden malicious function, for example, to steal confidential data or open a backdoor; • Droppers: Designed to facilitate downloading of other malware; • Bots: Software to listen covertly for and execute remote commands, for example, to send spam or carry out a distributed denial of service (DDoS) attack. These types of malware are not able to spread by themselves, and therefore take advantage of the self-replication characteristic of worms to spread. This article presents a review of the historical development of worms, and an overview of worm anatomy from a functional perspective.

Download Full-text

Structure and Organization of the Domain Name System

Domain Name Law And Practice ◽

10.1093/oso/9780199663163.003.0002 ◽

2015 ◽

Author(s):

Torsten Bettinger

Keyword(s):

Host Computer ◽

The Internet ◽

Domain Name System ◽

Domain Name ◽

Global Regulation ◽

Ip Address ◽

Domain Names ◽

Data Packets ◽

System P ◽

Administrative Tasks

Although the Internet has no cross-organizational, financial, or operational management responsible for the entire Internet, certain administrative tasks are coordinated centrally. Among the most important organizational tasks that require global regulation is the management of Internet Protocol (IP) addresses and their corresponding domain names. The IP address consists of an existing 32 bit (IP4) or 128 bit (IP6) sequence of digits and is the actual physical network address by which routing on the Internet takes place and which will ensure that the data packets reach the correct host computer.

Download Full-text

Booters: can anything justify distributed denial-of-service (DDoS) attacks for hire?

Journal of Information Communication and Ethics in Society ◽

10.1108/jices-09-2016-0033 ◽

2017 ◽

Vol 15 (01) ◽

pp. 90-104 ◽

Cited By ~ 5

Author(s):

David Douglas ◽

José Jair Santanna ◽

Ricardo de Oliveira Schmidt ◽

Lisandro Zambenedetti Granville ◽

Aiko Pras

Keyword(s):

Heavy Traffic ◽

Denial Of Service ◽

Civil Disobedience ◽

Third Party ◽

The Internet ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Law Enforcement Agencies ◽

Content Type ◽

Testing Tools

Purpose This paper aims to examine whether there are morally defensible reasons for using or operating websites (called ‘booters’) that offer distributed denial-of-service (DDoS) attacks on a specified target to users for a price. Booters have been linked to some of the most powerful DDoS attacks in recent years. Design/methodology/approach The authors identify the various parties associated with booter websites and the means through which booters operate. Then, the authors present and evaluate the two arguments that they claim may be used to justify operating and using booters: that they are a useful tool for testing the ability of networks and servers to handle heavy traffic, and that they may be used to perform DDoS attacks as a form of civil disobedience on the internet. Findings The authors argue that the characteristics of existing booters disqualify them from being morally justified as network stress testing tools or as a means of performing civil disobedience. The use of botnets that include systems without the permission of their owners undermines the legitimacy of both justifications. While a booter that does not use any third-party systems without permission might in principle be justified under certain conditions, the authors argue that it is unlikely that any existing booters meet these requirements. Practical/implications Law enforcement agencies may use the arguments presented here to justify shutting down the operation of booters, and so reduce the number of DDoS attacks on the internet. Originality/value The value of this work is in critically examining the potential justifications for using and operating booter websites and in further exploring the ethical aspects of using DDoS attacks as a form of civil disobedience.

Download Full-text

Mitigation of Distributed Denial of Service Attacks on the Internet of Things

Applied Mathematics & Information Sciences ◽

10.18576/amis/130517 ◽

2019 ◽

Vol 13 (5) ◽

pp. 831-837

Author(s):

R., K. Radhika, Kulothungan

Keyword(s):

Internet Of Things ◽

Denial Of Service ◽

The Internet ◽

Denial Of Service Attacks ◽

Distributed Denial Of Service ◽

The Internet Of Things

Download Full-text

DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation

Security and Communication Networks ◽

10.1155/2018/7178164 ◽

2018 ◽

Vol 2018 ◽

pp. 1-30 ◽

Cited By ~ 34

Author(s):

Michele De Donno ◽

Nicola Dragoni ◽

Alberto Giaretta ◽

Angelo Spognardi

Keyword(s):

Comparative Analysis ◽

Internet Of Things ◽

Detailed Analysis ◽

Real World ◽

General Framework ◽

Denial Of Service ◽

The Internet ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

The Internet Of Things

The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing in popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.

Download Full-text