  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

DDoS detection based on traffic self-similarity

Brignoli, Delio January 2008
Distributed denial of service attacks (or DDoS) are a common occurrence on the internet and are becoming more intense as the bot-nets, used to launch them, grow bigger. Preventing or stopping DDoS is not possible without radically changing the internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation techniques share the need for a DDoS detection mechanism. DDoS detection based on traffic self-similarity estimation is a relatively new approach which is built on the notion that undisturbed network traffic displays fractal like properties. These fractal like properties are known to degrade in presence of abnormal traffic conditions like DDoS. Detection is possible by observing the changes in the level of self-similarity in the traffic flow at the target of the attack. Existing literature assumes that DDoS traffic lacks the self-similar properties of undisturbed traffic. We show how existing bot-nets could be used to generate a self-similar traffic flow and thus break such assumptions. We then study the implications of self-similar attack traffic on DDoS detection. We find that, even when DDoS traffic is self-similar, detection is still possible. We also find that the traffic flow resulting from the superimposition of DDoS flow and legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both relative traffic intensity and on the difference in self-similarity between the two incoming flows.
12

Developing security services for network architectures

Tham, Kevin Wen Kaye January 2006
In the last 15 years, the adoption of enterprise level data networks has increased dramatically. This is mainly due to reasons, such as better use of IT resources, and even better coordination between departments and business units. These great demands have fuelled the push for better and faster connectivity to and from these networks, and even within the networks. We have moved from the slow 10Mbps to 1Gbps connectivity for end-point connections and moved from copper-based ISDN to fibre-linked connections for enterprise connections to the Internet. We now even include wireless network technologies in the mix, because of the greater convenience it offers. Such rapid progress is accompanied by ramifications, especially if not all aspects of networking technologies are improved linearly. Since the 1960s and 1970s, the only form of security had been along the line of authentication and authorisation. This is because of the widely used mainframes in that era. When the Internet and, ultimately, the wide-spread use of the Internet influxed in the 1980s, network security was born, and it was not until the late 1980s that saw the first Internet Worm that caused damage to information and systems on the Internet. Fast forward to today, and we see that although we have come a long way in terms of connectivity (connect to anywhere, and anytime, from anywhere else), the proposed use of network security and network security methods have not improved very much. Microsoft Windows XP recently switched from using their own authentication method, to the use of Kerberos, which was last revised 10 years ago. This thesis describes the many problems we face in the world of network security today, and proposes several new methods for future implementation, and to a certain extent, modification to current standards to encompass future developments.
Discussion will include a proposed overview of what a secure network architecture should include, and this will lead into several aspects that can be improved on. All problems identified in this thesis have proposed solutions, except for one. The critical flaw found in the standard IEEE802.11 wireless technology was discovered during the course of this research. This flaw is explained and covered in great detail, and also, an explanation is given as to why this critical flaw is not fixable.
13

Protocol engineering for protection against denial-of-service attacks

Tritilanunt, Suratose January 2009
Denial-of-service attacks (DoS) and distributed denial-of-service attacks (DDoS) attempt to temporarily disrupt users or computer resources to cause service unavailability to legitimate users in the internetworking system. The most common type of DoS attack occurs when adversaries flood a large amount of bogus data to interfere or disrupt the service on the server. The attack can be either a single-source attack, which originates at only one host, or a multi-source attack, in which multiple hosts coordinate to flood a large number of packets to the server. Cryptographic mechanisms in authentication schemes are an example approach to help the server to validate malicious traffic. Since authentication in key establishment protocols requires the verifier to spend some resources before successfully detecting the bogus messages, adversaries might be able to exploit this flaw to mount an attack to overwhelm the server resources. The attacker is able to perform this kind of attack because many key establishment protocols incorporate strong authentication at the beginning phase before they can identify the attacks. This is an example of DoS threats in most key establishment protocols because they have been implemented to support confidentiality and data integrity, but do not carefully consider other security objectives, such as availability. The main objective of this research is to design denial-of-service resistant mechanisms in key establishment protocols. In particular, we focus on the design of cryptographic protocols related to key establishment protocols that implement client puzzles to protect the server against resource exhaustion attacks. Another objective is to extend formal analysis techniques to include DoS-resistance. Basically, the formal analysis approach is used not only to analyse and verify the security of a cryptographic scheme carefully but also to help in the design stage of new protocols with a high level of security guarantee.
In this research, we focus on an analysis technique of Meadows' cost-based framework, and we implement DoS-resistant model using Coloured Petri Nets. Meadows' cost-based framework is directly proposed to assess denial-of-service vulnerabilities in the cryptographic protocols using mathematical proof, while Coloured Petri Nets is used to model and verify the communication protocols using interactive simulations. In addition, Coloured Petri Nets are able to help the protocol designer to clarify and reduce some inconsistency of the protocol specification. Therefore, the second objective of this research is to explore vulnerabilities in existing DoS-resistant protocols, as well as extend a formal analysis approach to our new framework for improving DoS-resistance and evaluating the performance of the new proposed mechanism. In summary, the specific outcomes of this research include following results; 1. A taxonomy of denial-of-service resistant strategies and techniques used in key establishment protocols; 2. A critical analysis of existing DoS-resistant key exchange and key establishment protocols; 3. An implementation of Meadows's cost-based framework using Coloured Petri Nets for modelling and evaluating DoS-resistant protocols; and 4. A development of new efficient and practical DoS-resistant mechanisms to improve the resistance to denial-of-service attacks in key establishment protocols.
14

Trestněprávní a kriminologické aspekty kyberkriminality se zaměřením na útoky typu odepření služby / Criminal and criminological aspects of cybercrime with a focus on denial of service attacks

Přívozník, Lukáš January 2019
The aim of this master thesis is to analyze the criminal law assessment of denial of service (DoS) cyber-attacks and related criminological aspects. The author deals with the technical characteristics and typology of this type of attack. He analyzes its individual variants, as the way of performing the attack, that is reflected in its criminal assessment. The thesis also describes the facts concerning the largest series of DoS attacks that occurred in the Czech Republic in 2013. Next, the author deals with the criminological aspects of cybercrime, namely its expansion and latency, the perpetrators and victims of the denial of service attack and related prevention, including techniques and methods of defense against this attack. In the main part of the thesis, the author analyzes the criminal law aspects of this specific type of crime. The thesis deals with the development of law in this area at international level, within the European Union and at national level. It also deals with the analysis of the factual situation of cybercrime provided for in Sections 230 to 232 of the Criminal Code and the criminal law assessment of individual variants of the attack. The thesis deals with related problematic points,...
15

Anomaly detection via high-dimensional data analysis on web access data.

January 2009
Suen, Ho Yan. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2009. / Includes bibliographical references (leaves 99-104). / Abstract also in Chinese.
Contents:
Abstract
Acknowledgement
Chapter 1 --- Introduction
  1.1 --- Motivation
  1.2 --- Organization
Chapter 2 --- Literature Review
  2.1 --- Related Works
  2.2 --- Background Study
    2.2.1 --- World Wide Web
    2.2.2 --- Distributed Denial of Service Attack
    2.2.3 --- Tools for Dimension Reduction
    2.2.4 --- Tools for Anomaly Detection
    2.2.5 --- Receiver operating characteristics (ROC) Analysis
Chapter 3 --- System Design
  3.1 --- Methodology
  3.2 --- System Overview
  3.3 --- Reference Profile Construction
  3.4 --- Real-time Anomaly Detection and Response
  3.5 --- Chapter Summary
Chapter 4 --- Reference Profile Construction
  4.1 --- Web Access Logs Collection
  4.2 --- Data Preparation
  4.3 --- Feature Extraction and Embedding Engine (FEE Engine)
    4.3.1 --- Sub-Sequence Extraction
    4.3.2 --- Hash Function on Sub-sequences (optional)
    4.3.3 --- Feature Vector Construction
    4.3.4 --- Diffusion Wavelets Embedding
    4.3.5 --- Numerical Example of Feature Set Reduction
    4.3.6 --- Reference Profile and Further Use of FEE Engine
  4.4 --- Chapter Summary
Chapter 5 --- Real-time Anomaly Detection and Response
  5.1 --- Session Filtering and Data Preparation
  5.2 --- Feature Extraction and Embedding
  5.3 --- Distance-based Outlier Scores Calculation
  5.4 --- Anomaly Detection and Response
    5.4.1 --- Length-Based Anomaly Detection Modules
    5.4.2 --- Characteristics of Anomaly Detection Modules
    5.4.3 --- Dynamic Threshold Adaptation
  5.5 --- Chapter Summary
Chapter 6 --- Experimental Results
  6.1 --- Experiment Datasets
    6.1.1 --- Normal Web Access Logs
    6.1.2 --- Attack Data Generation
  6.2 --- ROC Curve Construction
  6.3 --- System Parameters Selection
  6.4 --- Performance of Anomaly Detection
    6.4.1 --- Performance Analysis
    6.4.2 --- Performance in defending DDoS attacks
  6.5 --- Computation Requirement
  6.6 --- Chapter Summary
Chapter 7 --- Conclusion and Future Work
Bibliography
16

Detecting Remote Attacks

Han, Wang-tzu 30 July 2004
With advanced technology, our lives have improved; however, it also brings new models of crime events. Because intrusion techniques and intrusion tools are developed day by day, many computer crimes such as overstepping system authority, intrusion events, computer crime, and network attack incidents are happening everywhere and every day. In fact, these kinds of hostile attack behaviors are troublesome problems. Network management staff may have to read security advisories, which are sent out by security organizations. For example, they have to subscribe to advisories from the Computer Emergency Response Team or to security mailing lists to continuously accumulate their security information. In addition, for the security protection system, they may need to spend huge funds to purchase firewall systems, intrusion detection systems, antivirus systems and other related security protection systems. These attack behaviors have recently evolved from attacks on one computer to heavy attacks by new intrusion models, such as worms that spread on a large scale. Furthermore, each attack uses a different communication protocol and port, aimed at a system vulnerability, so it is not easy to detect these attacks. If we can observe the variation of network traffic to detect unusual hosts, for controlling the usage of the network or noticing extraordinary phenomena, it could help network managers to discover and solve network attack problems in time. Lately, intrusion events have been happening increasingly often, and denial-of-service became the most serious network event in the FBI/CSI Computer Crime and Security Survey of 2003. Therefore, among the various attack types, we choose vulnerability scan and denial-of-service as our research direction. This research extends and develops IPAudit[16], a network traffic monitor system, which detects the traffic flows of hosts on the local area network.
We establish network attack rules by using data mining classification (C4.5) to analyze attack data, and we estimate the correctness percentage of the classification. This study also uses different attack applications for the same attack type to carry out a cross experiment. The result shows that the technology of data mining classification (C4.5) can help us to efficiently forecast events of the same attack type.
17

Denial of Service attacks: path reconstruction for IP traceback using Adjusted Probabilistic Packet Marking

Dube, Raghav 17 February 2005
The use of Internet has revolutionized the way information is exchanged, changed business paradigms and put mission critical and sensitive systems online. Any disruption of this connectivity and the plethora of services provided results in significant damages to everyone involved. Denial of Service (DoS) attacks are becoming increasingly common and are the cause of lost time and revenue. Flooding type DoS attacks use spoofed IP addresses to disguise the attackers. This makes identification of the attackers extremely difficult. This work proposes a new scheme that allows the victim of a DoS attack to identify the correct origin of the malicious traffic. The suggested mechanism requires routers to mark packets using adjusted probabilistic marking. This results in a lower number of packet-markings required to identify the traffic source. Unlike many related works, we use the existing IPv4 header structure to incorporate these markings. We simulate and test our algorithms using real Internet trace data to show that our technique is fast, and works successfully for a large number of distributed attackers.
18

Mail-Filter-Funktionen / Mail filter functions

Leuschner, Jens 27 February 2002
This student research project examines which solutions currently exist for filtering email with unwanted malicious functions on mail servers. Both open and proprietary solutions are considered, and the current constraints at TU Chemnitz are taken into account.
19

Αναγνώριση επιθέσεων άρνησης εξυπηρέτησης για την υπηρεσία του παγκόσμιου ιστού (World Wide Web) / Recognition of denial of service attacks for the World Wide Web service

Κάκκος, Βασίλειος 28 August 2009
In recent years, especially after the year 2000, there has been a sudden increase in network-based intrusion and DDoS attacks, causing very significant financial losses. The present thesis thoroughly analyses the DoS and DDoS attack problem and studies possible means of countering such attacks. In particular, an innovative method is proposed that uses decoy hyperlinks in order to trace possible attackers. The experimental results derived from the use of this method are also analysed.
20

Slow rate denial of service attacks on dedicated- versus cloud based server solutions / En jämförelse mellan resursbindande denial of service attacker mot dedikerade och molnbaserade serverlösningar

Andell, Oscar, Andersson, Albin January 2018 (has links)
Denial of Service (DoS) attacks remain a serious threat to internet stability. A specific kind of low bandwidth DoS attack, called a slow rate attack, can with very limited resources potentially cause major interruptions to the availability of the attacked web servers. This thesis examines the impact of slow rate application layer DoS attacks against three different server solutions. The server solutions are a static cloud solution and a load-balancing cloud solution running on Amazon Web Services (AWS) as well as a dedicated server. To identify the impact in terms of responsiveness and service availability, a number of experiments were conducted on the web servers using publicly available DoS tools. The response times of the requests were measured. The results show that the dedicated and static cloud based server solutions are severely impacted by the attacks while the AWS load-balancing cloud solution is not impacted nearly as much. We concluded that all solutions were impacted by the attacks and that the readily available DoS tools are sufficient for creating a denial of service state on certain web servers.
