
2011 | OriginalPaper | Chapter

5. Detection and Mitigation of High-Rate Flooding Attacks

Authors: G. Mohay, E. Ahmed, S. Bhatia, A. Nadarajan, B. Ravindran, A. B. Tickle, R. Vijayasarathy

Published in: An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks

Publisher: Springer India


Abstract

Because high-rate flooding attacks constitute such a potent threat to the delivery of Internet-based services, the early and reliable detection of the onset of such an attack together with the formulation and implementation of an effective mitigation strategy are key security goals. However, the continuously evolving nature of such attacks means that they remain an area of active research and investigation. This chapter focuses largely on our research into attack detection, with some discussion of mitigation through IP address filtering. The chapter outlines leading-edge work on developing detection techniques that have the potential to identify a high-rate flooding attack reliably and in real time or, at least, in near real time. In addition, it formulates an architecture for a DoS Mitigation Module (DMM) to provide a vehicle for integrating the elements of the solution.


Footnotes
1. Unit of time is assumed to be seconds.
 
85.
go back to reference Xiang, Y. and W. Zhou. 2005. Mark-aided distributed filtering by using neural network for DDoS defense. In Proceedings of the IEEE Global Telecommunications Conference, vol. 3, 5. Xiang, Y. and W. Zhou. 2005. Mark-aided distributed filtering by using neural network for DDoS defense. In Proceedings of the IEEE Global Telecommunications Conference, vol. 3, 5.
86.
go back to reference Xie, Y. and S. Yu. 2006. A novel model for detecting application layer DDoS attacks. In Proceedings of the First International Multi-Symposiums on Computer and Computational Sciences, IMSCCS ’06, 56–63, Washington, DC, 2006. IEEE Computer Society. Xie, Y. and S. Yu. 2006. A novel model for detecting application layer DDoS attacks. In Proceedings of the First International Multi-Symposiums on Computer and Computational Sciences, IMSCCS ’06, 56–63, Washington, DC, 2006. IEEE Computer Society.
87.
go back to reference Xu, T., D. He, and Y. Luo. 2007. DDoS attack detection based on RLT features. In Proceedings of the International Conference on Computational Intelligence and Security, 697–701, China, 15–19 Dec 2007. Xu, T., D. He, and Y. Luo. 2007. DDoS attack detection based on RLT features. In Proceedings of the International Conference on Computational Intelligence and Security, 697–701, China, 15–19 Dec 2007.
88.
go back to reference Xu, X., Y. Sun, and Z. Huang. 2007. Defending DDoS attacks using hidden Markov models and cooperative reinforcement learning. In Intelligence and Security Informatics, Lecture notes in computer science, vol. 4430, 196–207, 2007. Springer, Berlin. Xu, X., Y. Sun, and Z. Huang. 2007. Defending DDoS attacks using hidden Markov models and cooperative reinforcement learning. In Intelligence and Security Informatics, Lecture notes in computer science, vol. 4430, 196–207, 2007. Springer, Berlin.
89.
go back to reference Yan, J., S. Early, and R. Anderson. 2000. The xenoservice – A distributed defeat for distributed denial of service. In Proceedings of the Information Survivability Workshop, Oct 2000. Yan, J., S. Early, and R. Anderson. 2000. The xenoservice – A distributed defeat for distributed denial of service. In Proceedings of the Information Survivability Workshop, Oct 2000.
90.
go back to reference Yuan, J. and K. Mills. 2005. Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Transactions on Dependable and Secure Computing 2: 324–335.CrossRef Yuan, J. and K. Mills. 2005. Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Transactions on Dependable and Secure Computing 2: 324–335.CrossRef
91.
go back to reference Zargar, G.R. and P. Kabiri. 2009. Identification of effective network features for probing attack detection. In Proceedings of the First International Conference on Networked Digital Technologies, 392–397, July 2009. Zargar, G.R. and P. Kabiri. 2009. Identification of effective network features for probing attack detection. In Proceedings of the First International Conference on Networked Digital Technologies, 392–397, July 2009.
92.
go back to reference Zhou, Z., D. Xie, and W. Xiong. 2009. Novel distributed detection scheme against DDoS attack. Journal of Networks 4: 921–928. Zhou, Z., D. Xie, and W. Xiong. 2009. Novel distributed detection scheme against DDoS attack. Journal of Networks 4: 921–928.
Metadata
Title: Detection and Mitigation of High-Rate Flooding Attacks
Authors: G. Mohay, E. Ahmed, S. Bhatia, A. Nadarajan, B. Ravindran, A. B. Tickle, R. Vijayasarathy
Copyright Year: 2011
Publisher: Springer India
DOI: https://doi.org/10.1007/978-81-322-0277-6_5