Combining Adaptive Filtering and IF Flows to Detect DDoS Attacks within a Router

Yan, Ruoyu; Zheng, Qinghua; Li, Haifei

doi:10.3837/tiis.2010.06.014

Cited by 9 publications

(5 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the observed values number is N, then space complexity and time complexity are all O (N). (2) Step Ⅱmainly obtain the EWMA statistic series and MR series of ACK traffic. Based on Eq.…”

Section: Algorithm Complexitymentioning

confidence: 99%

“…They disrupt the availability of a system or network by pressure of huge traffic. The challenge in detecting them is the need to deal with the huge traffic in networks [2], which makes the process of detection and prevention very difficult. The harm caused by a denial of service attack, both technologically and economically, cannot be eliminated for a long period after the attacks have ended.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detecting LDoS Attacks based on Abnormal Network Traffic

Chen¹,

Liu²,

Chen³

2012

KSII TIIS

View full text Add to dashboard Cite

By sending periodically short bursts of traffic to reduce legit transmission control protocol (TCP) traffic, the low-rate denial of service (LDoS) attacks are hard to be detected and may endanger covertly a network for a long period. Traditionally, LDoS detecting methods mainly concentrate on the attack stream with feature matching, and only a limited number of attack patterns can be detected off-line with high cost. Recent researches divert focus from the attack stream to the traffic anomalies induced by LDoS attacks, which can detect more kinds of attacks with higher efficiency. However, the limited number of abnormal characteristics and the inadequacy of judgment rules may cause wrong decision in some particular situations. In this paper, we address the problem of detecting LDoS attacks and present a scheme based on the fluctuant features of legit TCP and acknowledgment (ACK) traffic. In the scheme, we define judgment criteria which used to identify LDoS attacks in real time at an optimal detection cost. We evaluate the performance of our strategy in real-world network topologies. Simulations results clearly demonstrate the superiority of the method proposed in detecting LDoS attacks.

show abstract

“…If the observed values number is N, then space complexity and time complexity are all O (N). (2) Step Ⅱmainly obtain the EWMA statistic series and MR series of ACK traffic. Based on Eq.…”

Section: Algorithm Complexitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Detecting LDoS Attacks based on Abnormal Network Traffic

Chen¹,

Liu²,

Chen³

2012

KSII TIIS

View full text Add to dashboard Cite

show abstract

“…The system can observe changes in cached DNS records, and applies machine learning to classify these updates as malicious or benign. Yan et al [26] proposed a new type of unidirectional flow called IF flow. They also introduced two efficient methods in their DDoS attacks detection and evaluation scheme.…”

Section: Related Workmentioning

confidence: 99%

Analysis of Flooding DoS Attacks Utilizing DNS Name Error Queries

Wang¹

2012

KSII TIIS

View full text Add to dashboard Cite

The Domain Name System (DNS) is a critical Internet infrastructure that provides name to address mapping services. In the past decade, Denial-of-Service (DoS) attacks have targeted the DNS infrastructure and threaten to disrupt this critical service. While the flooding DoS attacks may be alleviated by the DNS caching mechanism, we show in this paper that flooding DoS attacks utilizing name error queries is capable of bypassing the cache of resolvers and thereby impose overwhelming flooding attacks on the name servers. We analyze the impacts of such DoS attacks on both name servers and resolvers, which are further illustrated by May 19 China's DNS Collapse. We also propose the detection and defense approaches for protecting DNS servers from such DoS attacks. In the proposal, the victim zones and attacking clients are detected through monitoring the number of corresponding responses maintained in the negative cache. And the attacking queries can be mitigated by the resolvers with a sample proportion adaptive to the percent of queries for the existent domain names. We assess risks of the DoS attacks by experimental results. Measurements on the request rate of DNS name server show that this kind of attacks poses a substantial threat to the current DNS service.

show abstract

“…As they require a large number of coordinated and communicating IDSs distributed over the network, however, they cannot be easily employed in the Internet. Similarly, router‐based DDoS attack detection mechanisms, for example, , require high cooperation from core routers and great changes in core network devices.…”

Section: Introductionmentioning

confidence: 99%

TDPF: a traceback‐based distributed packet filter to mitigate spoofed DDoS attacks

Fallah

Kahani

2013

Security Comm Networks

View full text Add to dashboard Cite

Defense mechanisms against distributed denial-of-service (DDoS) attacks usually mitigate the attack by filtering out the excess traffic targeted at the victim. These defenses should be able to discriminate the attack from the legitimate traffic so that filtering can be selectively applied. The problem is exacerbated when spoofed addresses are used in attack packets. This paper proposes traceback-based distributed packet filter (TDPF), a novel distributed packet filtering mechanism that employs IP traceback as a means for traffic discrimination. In this defense mechanism, packet filters are relocated to the routers nearer the attack sources whenever the traceback algorithm adds such nodes to the attack tree. The filtering probabilities at packet filters are also dynamically adjusted to the volume of traffic the victim receives from each filtering router. In this way, TDPF is able to achieve a high throughput of legitimate traffic while blocking malicious flows. The burden it imposes on a participating router is negligible as well. Moreover, unlike the earlier traceback-based defenses, it can defend against intense DDoS attacks. Experimental results show that TDPF is effective in different attack scenarios.

show abstract

Combining Adaptive Filtering and IF Flows to Detect DDoS Attacks within a Router

Cited by 9 publications

References 34 publications

Detecting LDoS Attacks based on Abnormal Network Traffic

Detecting LDoS Attacks based on Abnormal Network Traffic

Analysis of Flooding DoS Attacks Utilizing DNS Name Error Queries

TDPF: a traceback‐based distributed packet filter to mitigate spoofed DDoS attacks

Contact Info

Product

Resources

About