A simulation study of an application layer DDoS detection mechanism

Mekhitarian, Araxi, Rabiee, Amir

January 2016

Over the last couple of years the rise of application layer Distributed Denial of Service (DDoS) attacks has significantly increased. Because of this, many issues have been raised on how organizations and companies can protect themselves from intrusions and damages against their systems and services. The consequences from these attacks are many, ranging from revenue losses for companies to stolen personal data. As the technologies are evolving, application layer DDoS attacks are becoming more effective and there is not a concrete solution that entirely protects against them. This thesis focuses on the available defense mechanisms and presents a general overview of different types of application layer DDoS attacks and how they are constructed. Moreover this report provides a simulation based on one of the defense mechanisms mentioned, named CALD. The simulation tested two different application layer DDoS attacks and showed that CALD can detect and differentiate between the two attacks. This report can be used as a general information source for application layer DDoS attacks, how to detect them and how to defend against them. Furthermore the simulation can be used as a basis on how well a relatively small-scaled implementation of CALD can detect DDoS attacks on the application layer. / Under de senaste åren har ökningen av Distributed Denial of Service (DDoS) attacker på applikationslagret ökat markant. På grund av detta har många frågor uppkommit om hur organisationer och företag kan skydda sig mot intrång och skador mot sina system och tjänster. Konsekvenserna av dessa attacker är många, allt från intäktsförluster för företag till stulen personlig data. Eftersom tekniken utvecklas, har DDoS attacker på applikationslagret blivit mer effektiva och det finns inte en konkret lösning för att hindra dem. Denna rapport fokuserar på de tillgängliga försvarsmekanismer och presenterar en allmän översikt över olika typer av DDoS-attacker på applikationslagret och hur de är uppbyggda. Dessutom bidrar den här rapporten med en redovisning av en simulering baserad på en av de försvarsmekanismer som nämns i rapporten, CALD. Simuleringen testade två olika attacker på applikationslagret och visar att CALD kan upptäcka och skilja mellan de två attackerna. Denna rapport kan användas som en allmän informationskälla för DDoSattacker på applikationslagret och hur man försvarar sig mot och upptäcker dessa. Vidare kan simuleringen användas som utgångspunkt på hur väl en relativt småskalig implementering av CALD kan upptäcka DDoS-attacker på applikationslagret.

Distributed Denial of Service attacks

DDoS

application layer

detection

defense

Distributed Denial of Service attacks

DDoS

application layer

detection

defense

Communication Systems

Kommunikationssystem

Προστασία συστημάτων από κατανεμημένες επιθέσεις στο Διαδίκτυο / Protecting systems from distributed attacks on the Internet

Στεφανίδης, Κυριάκος

17 March 2014

Η παρούσα διατριβή πραγματεύεται το θέμα των κατανεμημένων επιθέσεων άρνησης υπηρεσιών στο Διαδίκτυο. Αναλύει τα υπάρχοντα συστήματα αντιμετώπισης και τα εργαλεία που χρησιμοποιούνται για την εξαπόλυση τέτοιου είδους επιθέσεων. Μελετά τον τρόπο που οργανώνονται οι επιθέσεις και παρουσιάζει την αρχιτεκτονική και την υλοποίηση ενός πρωτότυπου συστήματος ανίχνευσης των πηγών μιας κατανεμημένης επίθεσης άρνησης υπηρεσιών, καθώς και αντιμετώπισης των επιθέσεων αυτών. Τέλος, ασχολείται με το θέμα της ανεπιθύμητης αλληλογραφίας ως μιας διαφορετικού είδους επίθεση άρνησης υπηρεσιών και προτείνει ένα πρωτότυπο τρόπο αντιμετώπισής της. / In our thesis we deal with the issue of Distributed Denial of Service attacks on the Internet. We analyze the current defense methodologies and the tools that are used to unleash this type of attacks. We study the way that those attacks are constructed and organized and present a novel architecture, and its implementation details, of a system that is able to trace back to the true sources of such an attack as well as effectively filter such attacks in real time. Lastly we deal with the issue of spam e-mail as a different form of a distributed denial of service attack and propose a novel methodology that deals with the problem.

Ασφάλεια δικτύων

005.8

Network security

The Current State of DDoS Defense

Nilsson, Sebastian

January 2014

A DDoS attack is an attempt to bring down a machine connected to the Internet. This is done by having multiple computers repeatedly sending requests to tie up a server making it unable to answer legitimate requests. DDoS attacks are currently one of the biggest security threats on the internet according to security experts. We used a qualitative interview with experts in IT security to gather data to our research. We found that most companies are lacking both in knowledge and in their protection against DDoS attacks. The best way to minimize this threat would be to build a system with redundancy, do a risk analysis and revise security policies. Most of the technologies reviewed were found ineffective because of the massive amount of data amplification attacks can generate. Ingress filtering showed promising results in preventing DDoS attacks by blocking packages with spoofed IP addresses thus preventing amplification attacks.

Information Security

Distributed denial of service attacks

Botnet

Computer Sciences

Datavetenskap (datalogi)

PERFORMANCE EVALUATION OF A TTL-BASED DYNAMIC MARKING SCHEME IN IP TRACEBACK

Devasundaram, Shanmuga Sundaram

January 2006

No description available.

Computer Science

IP traceback

distributed denial-of-service attacks

DDoS

DoS

dynamic packetmarking

traceback

Mitigating Network-Based Denial-of-Service Attacks with Client Puzzles

McNevin, Timothy John

04 May 2005

Over the past few years, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have become more of a threat than ever. These attacks are aimed at denying or degrading service for a legitimate user by any means necessary. The need to propose and research novel methods to mitigate them has become a critical research issue in network security. Recently, client puzzle protocols have received attention as a method for combating DoS and DDoS attacks. In a client puzzle protocol, the client is forced to solve a cryptographic puzzle before it can request any operation from a remote server or host. This thesis presents the framework and design of two different client puzzle protocols: Puzzle TCP and Chained Puzzles. Puzzle TCP, or pTCP, is a modification to the Transmission Control Protocol (TCP) that supports the use of client puzzles at the transport layer and is designed to help combat various DoS attacks that target TCP. In this protocol, when a server is under attack, each client is required to solve a cryptographic puzzle before the connection can be established. This thesis presents the design and implementation of pTCP, which was embedded into the Linux kernel, and demonstrates how effective it can be at defending against specific attacks on the transport layer. Chained Puzzles is an extension to the Internet Protocol (IP) that utilizes client puzzles to mitigate the crippling effects of a large-scale DDoS flooding attack by forcing each client to solve a cryptographic problem before allowing them to send packets into the network. This thesis also presents the design of Chained Puzzles and verifies its effectiveness with simulation results during large-scale DDoS flooding attacks. / Master of Science

Client puzzles

Denial-of-Service countermeasures

Distributed Denial-of-Service Attacks

Denial-of-Service Attacks

Security related self-protected networks: autonomous threat detection and response (ATDR)

Havenga, Wessel Johannes Jacobus

January 2021

Doctor Educationis / Cybersecurity defense tools, techniques and methodologies are constantly faced with increasing challenges including the evolution of highly intelligent and powerful new generation threats. The main challenges posed by these modern digital multi-vector attacks is their ability to adapt with machine learning. Research shows that many existing defense systems fail to provide adequate protection against these latest threats. Hence, there is an ever-growing need for self-learning technologies that can autonomously adjust according to the behaviour and patterns of the offensive actors and systems. The accuracy and effectiveness of existing methods are dependent on decision making and manual input by human expert. This dependence causes 1) administration overhead, 2) variable and potentially limited accuracy and 3) delayed response time. In this thesis, Autonomous Threat Detection and Response (ATDR) is a proposed general method aimed at contributing toward security related self-protected networks. Through a combination of unsupervised machine learning and Deep learning, ATDR is designed as an intelligent and autonomous decision-making system that uses big data processing requirements and data frame pattern identification layers to learn sequences of patterns and derive real-time data formations. This system enhances threat detection and response capabilities, accuracy and speed. Research provided a solid foundation for the proposed method around the scope of existing methods and the unanimous problem statements and findings by other authors.

(Distributed) denial of service attacks

Traffic capture and packet analysis

Queueing theory

Machine learning

Neural networking

Multi-vector attack detection