A Simulation Model for the Analysis of DDoS Amplification Attacks

Furfaro, Angelo; Malena, Giovanna; Molina, Lorena; Parise, Andrea

doi:10.1109/uksim.2015.52

Cited by 9 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Analysis in this case showed that the similarity between some of the IP addresses implied that the attacker had targeted hosts in the same subnetwork. Furfaro et al [76] cite this exploitation as a common means to perform reflective DDoS attack, with great bandwidth exhaustion power. To avoid this exploitation, Monlist command should not be permitted to public hosts, but only internally, for management purposes, and DPI devices should drop packets with NTP request code equal to 42.…”

Section: Traffic Analysis Of Port 123mentioning

confidence: 99%

Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection

et al. 2017

View full text Add to dashboard Cite

Any network connected to the Internet is subject to cyber attacks. Strong security measures, forensic tools, and investigators contribute together to detect and mitigate those attacks, reducing the damages and enabling reestablishing the network to its normal operation, thus increasing the cybersecurity of the networked environment. This paper addresses the use of a forensic approach with Deep Packet Inspection to detect anomalies in the network traffic. As cyber attacks may occur on any layer of the TCP/IP networking model, Deep Packet Inspection is an effective way to reveal suspicious content in the headers or the payloads in any packet processing layer, excepting of course situations where the payload is encrypted. Although being efficient, this technique still faces big challenges. The contributions of this paper rely on the association of Deep Packet Inspection with forensics analysis to evaluate different attacks towards a Honeynet operating in a network laboratory at the University of Brasilia. In this perspective, this work could identify and map the content and behavior of attacks such as the Mirai botnet and brute-force attacks targeting various different network services. Obtained results demonstrate the behavior of automated attacks (such as worms and bots) and non-automated attacks (brute-force conducted with different tools). The data collected and analyzed is then used to generate statistics of used usernames and passwords, IP and services distribution, among other elements. This paper also discusses the importance of network forensics and Chain of Custody procedures to conduct investigations and shows the effectiveness of the mentioned techniques in evaluating different attacks in networks.

show abstract

Section: Traffic Analysis Of Port 123mentioning

confidence: 99%

Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection

et al. 2017

View full text Add to dashboard Cite

show abstract

“…Once suspicious flows are found, it estimates the rating association between flow pairs and generates a final alert according to preset thresholds. Angelo Furfaro et al [12] discuss a measure based on Hurst measurement to recognize short -degree DDoS attacks. Alexandre et al [2] present an empirical evaluation of the suitability of various information metrics to recognize both short -degree and high-degree DDoS attacks.…”

Section: Related Workmentioning

confidence: 99%

Rating Association for Short Degree Ddos Attack Recognition

C¹

2017

IJET

View full text Add to dashboard Cite

A short degree Distributed Denial of Service (DDoS) attack has the aptitude to opaque its traffic because it is most parallel to genuine traffic. It can effortlessly avoid present recognition tools. Rating association procedures can enumerate noteworthy variances among attack traffic and genuine traffic centered on their rating values. In this manuscript, we practice dual rating association procedures, namely, Quick Rating Association (QRA) and Fractional Rating Association (FRA) to recognize shortdegree DDoS attacks. These procedures are empirically appraised using three real time datasets. Tentative outcomes display that both procedures can successfully categorize genuine traffic from attack traffic. We catch that FRA achieves better than QRA in recognition of short degree DDoS attacks in footings of positioning between malicious and genuine traffic. Keywords: DDoS attack, short -degree, network traffic, rating association.I. INTRODUCTION With the rapid growth in the number of applications on Internet-connected computers and the devices and the rise in the sophistication of attacks on the application, early recognition of Internet-based attacks is essential to reduce damage to genuine user's traffic. A DDoS attack is a DoS attack that uses multiple distributed attack sources. Typically, attackers use a large number of compromised computers, also called zombies, to launch a DoS attack against a single target or multiple targets with the intention of making one or more services unavailable to intended users [4]. Botnets have become a powerful way to control a large number of hosts, allowing the launching of sophisticated and stealth DDoS attack on target host(s) quickly [3,7].In the recent past, botnets have become more intelligent and capable, and as a consequence the amount of attack traffic has increased targeting servers and components of Internet infrastructure such as firewalls, routers, DNS servers as well as network bandwidth. Regardless of how well secured the victim system may be, its susceptibility to DDoS attacks depends on the state of security in the rest of the global Internet [1,10]. A lot of different tools are used by attackers to bypass security systems, and as a result, researchers have to upgrade their approaches to handle new attacks simultaneously. Some defense mechanisms concentrate on recognizing an attack close to the victim machine, because the recognition accuracy of these mechanisms is high. Network traffic comes in a stream of packets and it is difficult to distinguish genuine traffic from attack traffic. More importantly, the volume of attack traffic can be much larger than the system can handle. The behavior of network traffic is reflected by its statistical properties [13] because such properties summarize behavior. Association procedures can be used on the traffic summary to identify malicious traffic. A network or host can be compromised with DDoS attacks using two types of traffic, namely, high-degree DDoS traffic and short -degree DDoS traffic. High-degree traffic is...

show abstract

“…Zhang and Green [18] propose and test a lightweight defensive algorithm for DDoS attack over an IoT network environment. Furfaro, Malena, Molina, and Parise [19] built a simulation tool for Domain Name Service (DNS)-based AR-DDoS. Hu [20] described DDoS attacks in IoT architectures.…”

Section: Related Workmentioning

confidence: 99%

A Methodological Approach for Assessing Amplified Reflection Distributed Denial of Service on the Internet of Things

Gondim

Albuquerque

Nascimento

et al. 2016

Sensors

View full text Add to dashboard Cite

Concerns about security on Internet of Things (IoT) cover data privacy and integrity, access control, and availability. IoT abuse in distributed denial of service attacks is a major issue, as typical IoT devices’ limited computing, communications, and power resources are prioritized in implementing functionality rather than security features. Incidents involving attacks have been reported, but without clear characterization and evaluation of threats and impacts. The main purpose of this work is to methodically assess the possible impacts of a specific class–amplified reflection distributed denial of service attacks (AR-DDoS)–against IoT. The novel approach used to empirically examine the threat represented by running the attack over a controlled environment, with IoT devices, considered the perspective of an attacker. The methodology used in tests includes that perspective, and actively prospects vulnerabilities in computer systems. This methodology defines standardized procedures for tool-independent vulnerability assessment based on strategy, and the decision flows during execution of penetration tests (pentests). After validation in different scenarios, the methodology was applied in amplified reflection distributed denial of service (AR-DDoS) attack threat assessment. Results show that, according to attack intensity, AR-DDoS saturates reflector infrastructure. Therefore, concerns about AR-DDoS are founded, but expected impact on abused IoT infrastructure and devices will be possibly as hard as on final victims.

show abstract

A Simulation Model for the Analysis of DDoS Amplification Attacks

Cited by 9 publications

References 11 publications

Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection

Cybersecurity and Network Forensics: Analysis of Malicious Traffic towards a Honeynet with Deep Packet Inspection

Rating Association for Short Degree Ddos Attack Recognition

A Methodological Approach for Assessing Amplified Reflection Distributed Denial of Service on the Internet of Things

Contact Info

Product

Resources

About