
Flow level detection and filtering of low-rate DDoS

Published: 01 October 2012

Abstract

The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP's congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric - Congestion Participation Rate (CPR) - and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach - one of the most efficient approaches in detecting LDDoS attacks. We also provide experimental guidance to choose the CPR threshold in practice.
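The per-flow classification rule the abstract describes (compute each flow's CPR, flag flows whose CPR exceeds a threshold, drop all of their packets), as an added Python example that is not code from the paper. The abstract does not define CPR, so the example assumes it is the fraction of a flow's packets that arrive while the bottleneck queue is congested, with congestion taken as queue occupancy above an assumed 80-packet mark sampled every 100 ms. The queue trace, the three flows and their addresses are constructed; the 0.6 threshold and the minimum-packet guard are assumptions of the example, not values from the paper.

```python
from collections import defaultdict

STEP_MS = 100          # constructed: bottleneck queue occupancy sampled every 100 ms
CONGESTED_ABOVE = 80   # assumption: a sample with more than 80 queued packets counts as congestion
CPR_THRESHOLD = 0.6    # assumption: the paper chooses the threshold experimentally; 0.6 is illustrative
MIN_PACKETS = 10       # addition of this example: do not judge flows too short for a meaningful ratio


def make_queue_samples():
    """Constructed 10 s queue trace: the queue fills up for the first 200 ms of
    every second (a periodic square-wave overload) and is nearly empty otherwise.
    Returns {sample_start_ms: queue_length_pkts}."""
    samples = {}
    for t in range(0, 10_000, STEP_MS):
        samples[t] = 95 if (t % 1000) < 200 else 20
    return samples


def congested_at(samples, t_ms):
    """True if the 100 ms sample bucket covering t_ms is congested."""
    bucket = (t_ms // STEP_MS) * STEP_MS
    return samples.get(bucket, 0) > CONGESTED_ABOVE


def make_packets():
    """Constructed arrivals as (time_ms, flow_key); flow keys are made-up addresses."""
    pkts = []
    # steady TCP flow: one packet every 100 ms for 10 s (100 packets)
    for t in range(0, 10_000, 100):
        pkts.append((t, "10.0.0.5:443->10.0.1.7:50123"))
    # pulsing flow: four packets inside each 200 ms overload window, silent otherwise (40 packets)
    for sec in range(10):
        for k in range(4):
            pkts.append((sec * 1000 + k * 50, "198.51.100.9:5555->10.0.1.7:80"))
    # short flow: three packets, all outside congestion (too short to classify)
    for t in (300, 400, 500):
        pkts.append((t, "10.0.0.6:22->10.0.1.8:40000"))
    return pkts


def compute_cpr(packets, samples):
    """Per-flow CPR (assumed definition): packets seen during congestion / all packets of the flow."""
    in_cong, total = defaultdict(int), defaultdict(int)
    for t, flow in packets:
        total[flow] += 1
        if congested_at(samples, t):
            in_cong[flow] += 1
    return {f: in_cong[f] / total[f] for f in total}


def classify(packets, samples, threshold=CPR_THRESHOLD, min_packets=MIN_PACKETS):
    """Return the set of flows whose CPR exceeds the threshold and that carry enough packets."""
    counts = defaultdict(int)
    for _, flow in packets:
        counts[flow] += 1
    cpr = compute_cpr(packets, samples)
    return {f for f, r in cpr.items() if counts[f] >= min_packets and r > threshold}


def filter_packets(packets, samples, threshold=CPR_THRESHOLD):
    """Drop every packet of a flagged flow; return (forwarded, dropped) lists."""
    flagged = classify(packets, samples, threshold)
    forwarded = [p for p in packets if p[1] not in flagged]
    dropped = [p for p in packets if p[1] in flagged]
    return forwarded, dropped


if __name__ == "__main__":
    samples, packets = make_queue_samples(), make_packets()
    for flow, r in sorted(compute_cpr(packets, samples).items()):
        print(f"{flow:35s} CPR={r:.2f}")
    fwd, drp = filter_packets(packets, samples)
    print(f"forwarded {len(fwd)} packets, dropped {len(drp)} from {classify(packets, samples)}")
```

With the constructed trace the steady flow sends only 2 of its 10 packets per second inside the 200 ms overload windows (CPR 0.2), while the pulsing flow sends everything inside them (CPR 1.0), so only the pulsing flow is dropped. The gap between the two depends on how much of the time the link is congested, which is why the threshold has to be chosen from measurements, as the abstract notes.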




Publisher: Elsevier North-Holland, Inc., United States

Author Tags: Congestion, DDoS, Detection, Low-rate DoS

Qualifiers: Research-article


Cited By

• (2023) Investigation of application layer DDoS attacks in legacy and software-defined networks: A comprehensive review. International Journal of Information Security 22(6): 1949-1988. doi:10.1007/s10207-023-00728-5. Online publication date: 7-Aug-2023.
• (2022) Low-rate Denial of Service attack detection method based on time-frequency characteristics. Journal of Cloud Computing: Advances, Systems and Applications 11(1). doi:10.1186/s13677-022-00308-3. Online publication date: 30-Aug-2022.
• (2022) Flow-level loss detection with Δ-sketches. Proceedings of the Symposium on SDN Research, pp. 25-32. doi:10.1145/3563647.3563653. Online publication date: 19-Oct-2022.
• (2022) An approach for detecting LDoS attack based on cloud model. Frontiers of Computer Science: Selected Publications from Chinese Universities 16(6). doi:10.1007/s11704-022-0486-1. Online publication date: 1-Dec-2022.
• (2021) MF-CNN: a New Approach for LDoS Attack Detection Based on Multi-feature Fusion and CNN. Mobile Networks and Applications 26(4): 1705-1722. doi:10.1007/s11036-019-01506-1. Online publication date: 1-Aug-2021.
• (2019) Defense Mechanisms Against DDoS Attacks in a Cloud Computing Environment: State-of-the-Art and Research Challenges. IEEE Communications Surveys & Tutorials 21(4): 3769-3795. doi:10.1109/COMST.2019.2934468. Online publication date: 1-Oct-2019.
• (2019) Network flow analysis for detection and mitigation of Fraudulent Resource Consumption (FRC) attacks in multimedia cloud computing. Multimedia Tools and Applications 78(4): 4267-4298. doi:10.1007/s11042-017-5522-z. Online publication date: 1-Feb-2019.
• (2019) (Short Paper) Effectiveness of Entropy-Based Features in High- and Low-Intensity DDoS Attacks Detection. Advances in Information and Computer Security, pp. 207-217. doi:10.1007/978-3-030-26834-3_12. Online publication date: 28-Aug-2019.
• (2018) Techniques for Improving Performance of the CPR-Based Approach. Proceedings of the 9th International Symposium on Information and Communication Technology, pp. 163-168. doi:10.1145/3287921.3287940. Online publication date: 6-Dec-2018.
• (2018) Real-Time Detection and Mitigation of DDoS Attacks in Intelligent Transportation Systems. 2018 21st International Conference on Intelligent Transportation Systems (ITSC), pp. 157-163. doi:10.1109/ITSC.2018.8569698. Online publication date: 4-Nov-2018.
