Detection and mitigation of SYN and HTTP flood DDoS attacks in software defined networks

Mapping Intimacies ◽

10.32920/ryerson.14647329.v1 ◽

2021 ◽

Author(s):

Amandeep Singh Dhaliwal

Keyword(s):

Denial Of Service ◽

False Positives ◽

Ddos Attacks ◽

Network Resources ◽

Detection Mechanism ◽

Ip Address ◽

Security Scheme ◽

Ip Addresses ◽

Simple Detection ◽

Mitigation Methods

Distributed Denial of Service (DDoS) constitutes major threat to both traditional and SDN networks. An attacker can launch a DDoS attack to exhaust either the controller or other network resources, such as switches, or both. There are different DDoS attacks such as UDP flood, SYN flood, Ping of death, ICMP flood and HTTP flood. Among these, SYN and HTTP flood are the most common attacks these days. In this thesis, we focus on developing a security scheme to alleviate the DDoS attacks with spoofed and non-spoofed IP addresses in the SDN environment. First we use a simple detection mechanism that utilizes a time series window-based traffic statistic measurement to detect possible SYN flood and/or HTTP flood DDoS attacks. To reduce false positives, further investigation of traffic is done based on valid source IP address scheme and single flow packet scheme to separate legitimate traffic from attack traffic. Once the attack is detected, the security scheme deploys a number of mitigation methods to alleviate the attack. For the SYN flood attack, the mitigation method of Source IP address filtering is used to permit traffic only with valid source IP addresses to enter the network. For HTTP flood attack mitigation, a mitigation method is used to identify the attack sources and discard the traffic from those sources. We test our proposed scheme with other DDoS attacks such as ICMP flood attack and UDP flood attacks. We also compare our scheme with other security schemes found in the literature. The result shows that our proposed scheme can effectively protect controller and other network resources from some common DDoS attacks, and that our scheme allows more legitimate traffic connections with less false positives in comparison with other schemes.

Download Full-text

Detection and mitigation of SYN and HTTP flood DDoS attacks in software defined networks

10.32920/ryerson.14647329 ◽

2021 ◽

Author(s):

Amandeep Singh Dhaliwal

Keyword(s):

Denial Of Service ◽

False Positives ◽

Ddos Attacks ◽

Network Resources ◽

Detection Mechanism ◽

Ip Address ◽

Security Scheme ◽

Ip Addresses ◽

Simple Detection ◽

Mitigation Methods

Download Full-text

IP Traceback using Flow Based Classification

Recent Advances in Computer Science and Communications ◽

10.2174/2213275912666190328200635 ◽

2020 ◽

Vol 13 (3) ◽

pp. 482-490

Author(s):

Yerram Bhavani ◽

Vinjamuri Janaki ◽

Rangu Sridevi

Keyword(s):

Chinese Remainder Theorem ◽

Denial Of Service ◽

False Positives ◽

Ddos Attacks ◽

False Negatives ◽

Ip Address ◽

Attack Graph ◽

Ip Traceback ◽

Ip Addresses ◽

Attack Path

Background:Distributed Denial of Service (DDoS) attack is a major threat over the internet. The IP traceback mechanism defends against DDoS attacks by tracing the path traversed by attack packets. The existing traceback techniques proposed till now are found with few short comings. The victim required many number of packets to trace the attack path. The requirement of a large number of packets resulted in more number of combinations and more false positives.Methods:To generate a unique value for the IP address of the routers in the attack path Chinese Remainder theorem is applied. This helped in combining the exact parts of the IP address at the victim. We also applied K-Nearest Neighbor (KNN) algorithm to classify the packets depending on their traffic flow, this reduced the number of packets to reconstruct the attack path.Results:The proposed approach is compared with the existing approaches and the results demonstrated that the attack graph is effectively constructed with higher precision and lower combination overhead under large scale DDoS attacks. In this approach, packets from diverse flows are separated as per flow information by applying KNN algorithm. Hence, the reconstruction procedure could be applied on each group separately to construct the multiple attack paths. This results in reconstruction of the complete attack graph with fewer combinations and false positive rate.Conclusion:In case of DDoS attacks the reconstruction of the attack path plays a major role in revealing IP addresses of the participated routers without false positives and false negatives. Our algorithm FRS enhances the feasibility of information pertaining to even the farthest routers by incorporating a flag condition while marking the packets. The rate of false positives and false negatives are drastically reduced by the application of Chinese Remainder Theorem on the IP addresses of the router. At the victim, the application of KNN algorithm reduced the combination overhead and the computation cost enormously.

Download Full-text

HULK and DDoS Attacks in Web Applications with Detection Mechanism

International Journal of Emerging Research in Management and Technology ◽

10.23956/ijermt.v6i6.268 ◽

2018 ◽

Vol 6 (6) ◽

pp. 192

Author(s):

Amit Sharma

Keyword(s):

Web Applications ◽

Denial Of Service ◽

Single Server ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Application Layer ◽

Detection Mechanism ◽

Plan Execution ◽

Social Affair ◽

Server Application

Distributed Denial of Service attacks are significant dangers these days over web applications and web administrations. These assaults pushing ahead towards application layer to procure furthermore, squander most extreme CPU cycles. By asking for assets from web benefits in gigantic sum utilizing quick fire of solicitations, assailant robotized programs use all the capacity of handling of single server application or circulated environment application. The periods of the plan execution is client conduct checking and identification. In to beginning with stage by social affair the data of client conduct and computing individual user’s trust score will happen and Entropy of a similar client will be ascertained. HTTP Unbearable Load King (HULK) attacks are also evaluated. In light of first stage, in recognition stage, variety in entropy will be watched and malevolent clients will be recognized. Rate limiter is additionally acquainted with stop or downsize serving the noxious clients. This paper introduces the FAÇADE layer for discovery also, hindering the unapproved client from assaulting the framework.

Download Full-text

RESEARCH OF THE ISSUES OF IMPROVEMENT OF PROTECTION SYSTEMS AGAINST DDOS-ATTACKS BASED ON THE COMPREHENSIVE ANALYSIS OF MODERN INTERACTION MECHANISMS

CASPIAN JOURNAL Control and High Technologies ◽

10.21672/2074-1707.2021.53.1.063-074 ◽

2021 ◽

Vol 53 (1) ◽

pp. 63-74

Author(s):

DMITRIY A. BACHMANOV ◽

◽

ANDREY R. OCHEREDKO ◽

MICHAEL M. PUTYATO ◽

ALEXANDER S. MAKARYAN ◽

...

Keyword(s):

Denial Of Service ◽

Comprehensive Analysis ◽

Cyber Attacks ◽

Ddos Attacks ◽

Network Resources ◽

Combined Use ◽

Service Type ◽

Protection Systems ◽

Comparison Criteria

The article presents the results of an analysis of the growth in the development of botnet networks and new cyber threats when they are used by cybercriminals. A review and comparison of the models for the implementation of botnet networks is carried out, as a result of which there are two main types. The main types of attacks carried out using the infrastructure of distributed computer networks are identified and classified, formed into 7 main groups, taking into account the relevance, prevalence and amount of damage. Based on the results of the analysis, it was determined that the most widespread and relevant type of attack is “Denial of Service”. The article presents a classification of services that provide services to ensure the protection of network resources from distributed attacks by the "Denial of Service" type, by the type of deployment, the level of security and the types of services provided. The comparison criteria are given taking into account their infrastructure, availability of technical support and a test period, available types of protection, capabilities, additional options, notification and reporting, as well as licensing. Practically implemented and shown a way to integrate the DDoS-Guard Protection service with an additional module at the application level, which made it possible to expand the methods of protection against DDoS attacks. Various modifications of the combined use of the module and the modified system make it possible to increase the expected level of detection and prevention of cyber - attacks.

Download Full-text

Proposed statistical-based approach for detecting distribute denial of service against the controller of software defined network (SADDCS)

MATEC Web of Conferences ◽

10.1051/matecconf/201821802012 ◽

2018 ◽

Vol 218 ◽

pp. 02012 ◽

Cited By ~ 3

Author(s):

Mohammad A. AL-Adaileh ◽

Mohammed Anbar ◽

Yung-Wey Chong ◽

Ahmed Al-Ani

Keyword(s):

Statistical Analysis ◽

Denial Of Service ◽

Attack Detection ◽

Detection Accuracy ◽

Ddos Attacks ◽

Large Area ◽

Network Resources ◽

Network Resource ◽

High Bandwidth ◽

Sdn Controller

Software-defined networkings (SDNs) have grown rapidly in recent years be-cause of SDNs are widely used in managing large area networks and securing networks from Distributed Denial of Services (DDoS) attacks. SDNs allow net-works to be monitored and managed through centralized controller. Therefore, SDN controllers are considered as the brain of networks and are considerably vulnerable to DDoS attacks. Thus, SDN controller suffer from several challenges that exhaust network resources. For SDN controller, the main target of DDoS attacks is to prevent legitimate users from using a network resource or receiving their services. Nevertheless, some approaches have been proposed to detect DDoS attacks through the examination of the traffic behavior of networks. How-ever, these approaches take too long to process all incoming packets, thereby leading to high bandwidth consumption and delays in the detection of DDoS at-tacks. In addition, most existing approaches for the detection of DDoS attacks suffer from high positive/negative false rates and low detection accuracy. This study proposes a new approach to detecting DDoS attacks. The approach is called the statistical-based approach for detecting DDoS against the controllers of software-defined networks. The proposed approach is designed to detect the presence of DDoS attacks accurately, reduce false positive/negative flow rates, and minimize the complexity of targeting SDN controllers according to a statistical analysis of packet features. The proposed approach passively captures net-work traffic, filters traffic, and selects the most significant features that contribute to DDoS attack detection. The general stages of the proposed approach are (i) da-ta preprocessing, (ii) statistical analysis, (iii) correlation identification between two vectors, and (iv) rule-based DDoS detection.

Download Full-text

An Adaptive Protection of Flooding Attacks Model for Complex Network Environments

Security and Communication Networks ◽

10.1155/2021/5542919 ◽

2021 ◽

Vol 2021 ◽

pp. 1-17

Author(s):

Bashar Ahmad Khalaf ◽

Salama A. Mostafa ◽

Aida Mustapha ◽

Mazin Abed Mohammed ◽

Moamin A. Mahmoud ◽

...

Keyword(s):

Denial Of Service ◽

Attack Behavior ◽

Ddos Attacks ◽

Ip Address ◽

Agent Based ◽

Ddos Attack ◽

Adaptive Protection ◽

Adaptive Agent ◽

Processing Power ◽

Flooding Attacks

Currently, online organizational resources and assets are potential targets of several types of attack, the most common being flooding attacks. We consider the Distributed Denial of Service (DDoS) as the most dangerous type of flooding attack that could target those resources. The DDoS attack consumes network available resources such as bandwidth, processing power, and memory, thereby limiting or withholding accessibility to users. The Flash Crowd (FC) is quite similar to the DDoS attack whereby many legitimate users concurrently access a particular service, the number of which results in the denial of service. Researchers have proposed many different models to eliminate the risk of DDoS attacks, but only few efforts have been made to differentiate it from FC flooding as FC flooding also causes the denial of service and usually misleads the detection of the DDoS attacks. In this paper, an adaptive agent-based model, known as an Adaptive Protection of Flooding Attacks (APFA) model, is proposed to protect the Network Application Layer (NAL) against DDoS flooding attacks and FC flooding traffics. The APFA model, with the aid of an adaptive analyst agent, distinguishes between DDoS and FC abnormal traffics. It then separates DDoS botnet from Demons and Zombies to apply suitable attack handling methodology. There are three parameters on which the agent relies, normal traffic intensity, traffic attack behavior, and IP address history log, to decide on the operation of two traffic filters. We test and evaluate the APFA model via a simulation system using CIDDS as a standard dataset. The model successfully adapts to the simulated attack scenarios’ changes and determines 303,024 request conditions for the tested 135,583 IP addresses. It achieves an accuracy of 0.9964, a precision of 0.9962, and a sensitivity of 0.9996, and outperforms three tested similar models. In addition, the APFA model contributes to identifying and handling the actual trigger of DDoS attack and differentiates it from FC flooding, which is rarely implemented in one model.

Download Full-text

Taxonomy of Distributed Denial of Service (DDoS) Attacks and Defense Mechanisms in Present Era of Smartphone Devices

International Journal of E-Services and Mobile Applications ◽

10.4018/ijesma.2018040104 ◽

2018 ◽

Vol 10 (2) ◽

pp. 58-74 ◽

Cited By ~ 8

Author(s):

Kavita Sharma ◽

B. B. Gupta

Keyword(s):

Defense Mechanisms ◽

Computer Network ◽

Denial Of Service ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Dos Attacks ◽

Network Resources ◽

Common People ◽

Ddos Attack ◽

Legitimate User

This article describes how in the summer of 1999, the Computer Incident Advisory Capability first reported about Distributed Denial of Service (DDoS) attack incidents and the nature of Denial of Service (DoS) attacks in a distributed environment that eliminates the availability of resources or data on a computer network. DDoS attack exhausts the network resources and disturbs the legitimate user. This article provides an explanation on DDoS attacks and nature of these attacks against Smartphones and Wi-Fi Technology and presents a taxonomy of various defense mechanisms. The smartphone is chosen for this study, as they have now become a necessity rather than a luxury item for the common people.

Download Full-text

SVM Implementation for Ddos Attacks in Software Defined Networks

International Journal of Innovative Technology and Exploring Engineering - Special Issue ◽

10.35940/ijitee.a8166.1110120 ◽

2020 ◽

Vol 10 (1) ◽

pp. 205-212

Keyword(s):

Detection Rate ◽

Denial Of Service ◽

Support Vector ◽

Software Defined Network ◽

Software Defined Networks ◽

Distributed Denial Of Service ◽

Ddos Attacks ◽

Network Resources ◽

Elapsed Time ◽

Classification Technique

Software Defined Network (SDN) is making software interaction with the network. SDN has made the network flexible and dynamic and also enabled the abstraction feature of applications and services. As the network is independent of any of the devices like in traditional networks there exist routers, hubs, and switches that is why it is preferable these days. Being more preferably used it has become more vulnerable in terms of security. The more common attacks that corrupt the network and hinders the efficiency are distributed denial-of-service (DDOS) attacks. DDOS is an attack that in general leads to exhaust of the network resources in turn stopping the controller. Detection of DDOS attacks requires a classification technique that provides accurate and efficient decision making. As per the analysis Support Vector Machine (SVM), the classifier technique detects more accurately and precisely the attacks. This paper produces a better approach to detecting attacks using SVM classifiers in terms of detection rate and elapsed time of the attack and it also predicts the various types of distributed denial of service attacks that have corrupted the network.

Download Full-text

Detection and Mitigation of Flood Attacks in IPv6 Enabled Software Defined Networks

Advances in Research ◽

10.9734/air/2020/v21i830221 ◽

2020 ◽

pp. 1-9

Author(s):

O. Ashimi Quadri ◽

Adeniji Oluwashola David

Keyword(s):

Network Architecture ◽

Denial Of Service ◽

Cost Effective ◽

Centralized Control ◽

Ddos Attacks ◽

Control Plane ◽

Network Resources ◽

Effective Manner ◽

Data Plane ◽

Experimental Testbed

Software-defined networking (SDN) is an emerging technology, which provides network architecture that decouples the control plane from the data plane. Due to the centralized control, the network becomes more dynamic, and the network resources are managed in a more efficient and cost-effective manner. The centralization of the control plane requires robust and real-time security techniques. The security Techniques will protect it from any sign of vulnerabilities associated with the network such as a distributed denial of service (DDoS) attacks. The problem of the data-plane is that the attack is hard to be tracked by the SDN controlling plane. This makes the switches to be more susceptible against these types of attacks and hence it is very important to have quick provisional methods in place to prevent the switches from breaking down as soon as first signs of an attack are detected. To resolve this problem, the research developed a mechanism that detects and mitigates flood attacks in IPv6 enabled software to define networks. An experimental testbed was developed using sFlow technique, floodlight controller, and OpenFlow version 1.3. A mitigation algorithm was also developed and was tested with a simulation tool Mininet. The real network traffic was tested on the testbed to investigate the effective mitigation of a DDoS attack. The mitigation time performance for IPv6 was 46.6% while IPv4 was 66.6%. Also, The result gathered from the experiment showed that both the response and detection times were 4 secs while the mitigation time was 7secs respectively. The overall control time being 11 secs. The experimental Testbed result shows that the developed testbed outperformed the previous methods with the ability to detect threats on the network faster. The result from the IPv6 testbed is a probable solution to mitigate the threats posed by DDoS attacks on the IPv6 enabled SDN network resources.

Download Full-text

DDoS Protection Method for Servers

Journal of Physics Conference Series ◽

10.1088/1742-6596/2096/1/012040 ◽

2021 ◽

Vol 2096 (1) ◽

pp. 012040

Author(s):

V Kh Fedorov ◽

E G Balenko ◽

E V Vershennik ◽

P V Zakalkin

Keyword(s):

Communication Network ◽

Information Systems ◽

Human Activities ◽

Denial Of Service ◽

Common Type ◽

Ddos Attacks ◽

Ip Address ◽

Protection Method ◽

Filter Rules

Abstract Cyberspace, a global artificial space, has emerged and become part of all human activities, which exposes communication network elements, in particular service servers, to attacks, whether from individual hackers and cyberterrorists or from organized communities. Denial-of-service or DDoS attacks are the most common type. These are intended solely to cause a denial of service in various information systems, including service servers. This paper presents a method that can improve protection of servers that provide various resources (services) by reasonable management of filter rules and IP address lists.

Download Full-text