A Principal Components Analysis-Based Robust DDoS Defense System

Sun, Huizhong; Zhaung, Yan; Chao, H. Jonathan

doi:10.1109/icc.2008.321

Cited by 11 publications

(5 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It offers relatively high accuracy with a false-positive rate as low as 10% [15], [16], [17], [18], [19]. The computational demands of FTR depend on the filtering mechanism and the attack strength.…”

Section: B Dns Baa Countermeasuresmentioning

confidence: 99%

Stochastic Game-Based Analysis of the DNS Bandwidth Amplification Attack Using Probabilistic Model Checking

Deshpande

Katsaros

Smolka

et al. 2014

2014 Tenth European Dependable Computing Conference

View full text Add to dashboard Cite

Abstract-The Domain Name System (DNS) is an Internetwide, hierarchical naming system used to translate domain names into numeric IP addresses. Any disruption of DNS service can have serious consequences. We present a formal game-theoretic analysis of a notable threat to DNS, namely the bandwidth amplification attack (BAA), and the countermeasures designed to defend against it. We model the DNS BAA as a two-player, turn-based, zero-sum stochastic game between an attacker and a defender. The attacker attempts to flood a victim DNS server with malicious traffic by choosing an appropriate number of zombie machines with which to attack. In response, the defender chooses among five BAA countermeasures, each of which seeks to increase the amount of legitimate traffic the victim server processes. To simplify the model and optimize the analysis, our model does not explicitly track the handling of each packet. Instead, our model is based on calculations of the rates at which the relevant kinds of events occur in each state. We use our game-based model of DNS BAA to generate optimal attack strategies, which vary the number of zombies, and optimal defense strategies, which aim to enhance the utility of the BAA countermeasures by combining them in advantageous ways. The goal of these strategies is to optimize the attacker's and defender's payoffs, which are defined using probabilistic reward-based properties, and are measured in terms of the attacker's ability to minimize the volume of legitimate traffic that is processed, and the defender's ability to maximize the volume of legitimate traffic that is processed.

show abstract

Section: B Dns Baa Countermeasuresmentioning

confidence: 99%

Stochastic Game-Based Analysis of the DNS Bandwidth Amplification Attack Using Probabilistic Model Checking

Deshpande

Katsaros

Smolka

et al. 2014

2014 Tenth European Dependable Computing Conference

View full text Add to dashboard Cite

show abstract

“…A relatively high packet arrival rate or detection of unusually large sized packets can indicate presence of a BAA [15]. From the algorithms described in [29], [24], [18], [37], [16], [2], [35] we conclude that the filtering offers relatively high accuracy with false positives as low as 10%. Computational cost of FTR depends on the filtering mechanism and the attack strength.…”

Section: Countermeasures Against Dns Baamentioning

confidence: 99%

“…• Percentage deviation C 2 from desired attack probability: Every FTR algorithm [29], [24], [18], [37], [16], [2], [35] is characterized by specific values for the dp and fpp and it is not possible to achieve a zero attack probability for high-volume BAAs. Such a countermeasure can still be a cost-efficient solution if the attack probability is within an acceptable range.…”

Section: A Impact Of Baa On Dns and Dnssecmentioning

confidence: 99%

Formal Analysis of the DNS Bandwidth Amplification Attack and Its Countermeasures Using Probabilistic Model Checking

Deshpande

Katsaros

Basagiannis

et al. 2011

2011 IEEE 13th International Symposium on High-Assurance Systems Engineering

View full text Add to dashboard Cite

Abstract-The DNS Bandwidth Amplification Attack (BAA) is a distributed denial of service attack in which a network of computers (zombies) flood a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or more in size. We use the PRISM probabilistic model checker to introduce a Continuous Time Markov Chain model of the DNS BAA and three recently proposed countermeasures, and to perform an extensive cost-benefit analysis of the countermeasures. Our analysis, which is applicable to both DNS and DNSSec (a security extension of DNS), is based on objective metrics that weigh the benefits for a server in bandwidth usage against the cost incurred by incorrectly dropping legitimate traffic. The results we obtain, gleaned from more than 450 PRISM runs, demonstrate significant differences between the countermeasures as reflected by their respective net benefits. Our results also reveal that DNSSec is more vulnerable than DNS to a BAA attack, and, relatedly, DNSSec derives significantly less benefit from the countermeasures.

show abstract

“…This can be achieved by pre-filtering the legitimate traffic with a throughput at line rate or higher before the traffic is sent to the RegEx detection system. In case of a DDoS attack [33], a DPI can detect the first few packets of an attack before large volume of attack arrives and the large volume of traffic can be handled by separate DDoS prevention systems such as [32,40]. Thus, having a pre-filter that can efficiently filter out legitimate traffic before the traffic reaches to the slower RegEx detection system can increase the overall DPI throughput without losing reliability of the DPI.…”

Section: Introductionmentioning

confidence: 99%

Range hash for regular expression pre-filtering

Bando

Artan

Wei

et al. 2010

Proceedings of the 6th ACM/IEEE Symposium on Architectures for Networking and Communications Systems

View full text Add to dashboard Cite

Recently, major Internet carriers and vendors successfully tested high-speed backbone networks at 100-Gbps line speed to support rapid growth of the Internet traffic demands. In addition, traffic is getting more concentrated to points such as data centers, and demand for protecting such high-speed networks from attack traffic is increasing. Deep Packet Inspection (DPI) with Regular Expression (RegEx) detection is the de facto defense mechanism agains network intrusions. However, current RegEx detection systems cannot keep up with the upcoming high-speed line rate. The RegExes consist of three types of components, exact strings, character classes (CC), and repetitions. Exact string and repetition matching have been widely studied by RegEx research community for better performance. Yet, although more than 55% of RegExes in Snort signature set contain at least one CC, hardware based solutions that focus on CC detection is limited.In this paper we propose a new CC detection architecture called Range Hash that is suitable for high-speed, compact CC detection. Additionally, we propose a practical application of the Range Hash architecture where it can be used as a pre-filter for a Regular Expression detection system to increase overall RegEx detection performance. Based on our hardware prototype design which runs at 250MHz, Range Hash can reach to 100-Gbps CC detection throughput with today's FPGA chips.

show abstract

A Principal Components Analysis-Based Robust DDoS Defense System

Cited by 11 publications

References 14 publications

Stochastic Game-Based Analysis of the DNS Bandwidth Amplification Attack Using Probabilistic Model Checking

Stochastic Game-Based Analysis of the DNS Bandwidth Amplification Attack Using Probabilistic Model Checking

Formal Analysis of the DNS Bandwidth Amplification Attack and Its Countermeasures Using Probabilistic Model Checking

Range hash for regular expression pre-filtering

Contact Info

Product

Resources

About