Results 1 - 10 of 187
Change-Point Monitoring for Detection of DoS Attacks
- IEEE Transactions on Dependable and Secure Computing, 2004
Cited by 76 (0 self)
This paper presents a simple and robust mechanism, called Change-Point Monitoring (CPM), to detect denial of service (DoS) attacks. The core of CPM is based on the inherent network protocol behaviors, and is an instance of the Sequential Change Point Detection. To make the detection mechanism insensitive to sites and traffic patterns, a non-parametric Cumulative Sum (CUSUM) method is applied, thus making the detection mechanism robust, more generally applicable and its deployment much easier. CPM does not require per-flow state information and only introduces a few variables to record the protocol behaviors. The statelessness and low computation overhead of CPM make it immune to any flooding attacks. As a case study, the efficacy of CPM is evaluated by detecting a SYN flooding attack — the most common DoS attack. The evaluation results show that CPM has short detection latency and high detection accuracy.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time
- 2007
Cited by 57 (3 self)
As more and more Internet IP prefix hijacking incidents are being reported, the value of hijacking detection services has become evident. Most of the current hijacking detection approaches monitor IP prefixes on the control plane and detect inconsistencies in route advertisements and route qualities. We propose a different approach that utilizes information collected mostly from the data plane. Our method is motivated by two key observations: when a prefix is not hijacked, 1) the hop count of the path from a source to this prefix is generally stable; and 2) the path from a source to this prefix is almost always a super-path of the path from the same source to a reference point along the previous path, as long as the reference point is topologically close to the prefix. By carefully selecting multiple vantage points and monitoring from these vantage points for any departure from these two observations, our method is able to detect prefix hijacking with high accuracy in a light-weight, distributed, and real-time fashion. Through simulations constructed based on real Internet measurement traces, we demonstrate that our scheme is accurate with both false positive and false negative ratios below 0.5%.
On scalable attack detection in the network
- 2007
Cited by 52 (1 self)
Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, even today, many IDS systems we know of keep per-connection or per-flow state to detect malicious TCP flows. Thus, it is hardly surprising that these IDS systems have not scaled to multi-gigabit speeds. By contrast, both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus, in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS and scanning attacks and show that several categories (bandwidth based, claim-and-hold, port-scanning) can be scalably detected. In addition to existing approaches for scalable attack detection, we propose a novel data structure called partial completion filters (PCFs) that can detect claim-and-hold attacks scalably in the network. We analyze PCFs both analytically and using experiments on real network traces to demonstrate how we can tune PCFs to achieve extremely low false positive and false negative probabilities.
The spoofer project: Inferring the extent of source address filtering on the internet
- In Proceedings of USENIX Steps to Reducing Unwanted Traffic on the Internet (SRUTI) Workshop, 2005
Cited by 44 (3 self)
Forging, or “spoofing,” the source addresses of IP packets provides malicious parties with anonymity and novel attack vectors. Spoofing-based attacks complicate network operator’s defense techniques; tracing spoofing remains a difficult and largely manual process. More sophisticated next generation distributed denial of service (DDoS) attacks may test filtering policies and adaptively attempt to forge source addresses. To understand the current state of network filtering, this paper presents an Internet-wide active measurement spoofing project. Clients in our study attempt to send carefully crafted UDP packets designed to infer filtering policies. When filtering of valid packets is in place we determine the filtering granularity by performing adjacent netblock scanning. Our results are the first to quantify the extent and nature of filtering and the ability to spoof on the Internet. We find that approximately one-quarter of the observed addresses, netblocks and autonomous systems (AS) permit full or partial spoofing. Projecting this number to the entire Internet, an approximation we show is reasonable, yields over 360 million addresses and 4,600 ASes from which spoofing is possible. Our findings suggest that a large portion of the Internet is vulnerable to spoofing and concerted attacks employing spoofing remain a serious concern.
StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense
"... Today’s Internet hosts are threatened by large ..."
Mitigating Bandwidth-Exhaustion Attacks Using Congestion Puzzles
- In ACM CCS, 2004
Cited by 42 (2 self)
We present congestion puzzles (CP), a new countermeasure to bandwidth-exhaustion attacks. Like other defenses based on client puzzles, CP attempts to force attackers to invest vast resources in order to effectively perform denial-of-service attacks. Unlike previous puzzle-based approaches, however, ours is the first designed for the bandwidth-exhaustion attacks that are common at the network (IP) layer. At the core of CP is an elegant distributed puzzle mechanism that permits routers to cooperatively impose and check puzzles. We demonstrate through analysis and simulation that CP can effectively defend networks from flooding attacks without relying on the formulation of attack signatures to filter traffic. Moreover, as many such attacks are conducted by “zombie” computers that have been silently commandeered without the knowledge of their owners, the overheads that CP imposes on heavily engaged zombies can increase the likelihood that the computer’s owner detects the compromise and takes action to remedy it.
Spoofing prevention method
- In Proc. IEEE INFOCOM, 2005
Cited by 42 (0 self)
A new approach for filtering spoofed IP packets, called Spoofing Prevention Method (SPM), is proposed. The method enables routers closer to the destination of a packet to verify the authenticity of the source address of the packet. This stands in contrast to standard ingress filtering which is effective mostly at routers next to the source and is ineffective otherwise. In the proposed method a unique temporal key is associated with each ordered pair of source destination networks (AS’s, autonomous systems). Each packet leaving a source network S is tagged with the key K(S, D), associated with (S, D), where D is the destination network. Upon arrival at the destination network the key is verified and removed. Thus the method verifies the authenticity of packets carrying the address s which belongs to network S. An efficient implementation of the method, ensuring not to overload the routers, is presented. The major benefits of the method are the strong incentive it provides to network operators to implement it, and the fact that the method lends itself to stepwise deployment, since it benefits networks deploying the method even if it is implemented only on parts of the Internet. These two properties, not shared by alternative approaches, make it an attractive and viable solution to the packet spoofing problem.
Passport: Secure and Adoptable Source Authentication
Cited by 42 (6 self)
We present the design and evaluation of Passport, a system that allows source addresses to be validated within the network. Passport uses efficient, symmetric-key cryptography to place tokens on packets that allow each autonomous system (AS) along the network path to independently verify that a source address is valid. It leverages the routing system to efficiently distribute the symmetric keys used for verification, and is incrementally deployable without upgrading hosts. We have implemented Passport with Click and XORP and evaluated the design via micro-benchmarking, experiments on the Deterlab, security analysis, and adoptability modeling. We find that Passport is plausible for gigabit links, and can mitigate reflector attacks even without separate denial-of-service defenses. Our adoptability modeling shows that Passport provides stronger security and deployment incentives than alternatives such as ingress filtering. This is because the ISPs that adopt it protect their own addresses from being spoofed at each other’s networks even when the overall deployment is small.
A self-aware approach to denial of service defence
- Computer Networks, 2007
Cited by 40 (21 self)
Denial of service attacks, viruses and worms are common tools for malicious adversarial behaviour in networks. In this paper we propose the use of our autonomic routing protocol, the Cognitive Packet Network (CPN), as a means to defend nodes from Distributed Denial of Service Attacks (DDoS), where one or more attackers generate flooding traffic from multiple sources towards selected nodes or IP addresses. We use both analytical and simulation modelling, and experiments on our CPN testbed, to evaluate the advantages and disadvantages of our approach in the presence of imperfect detection of DDoS attacks, and of false alarms.
On a new class of pulsing denial-of-service attacks and the defense
- In Network and Distributed System Security Symposium (NDSS), 2005
Cited by 40 (3 self)
In this paper we analyze a new class of pulsing denial-of-service (PDoS) attacks that could seriously degrade the throughput of TCP flows. During a PDoS attack, periodic pulses of attack packets are sent to a victim. The magnitude of each pulse should be significant enough to cause packet losses. We describe two specific attack models according to the timing of the attack pulses with respect to the TCP’s congestion window movement: timeout-based and AIMD (additive-increase-multiplicative-decrease)-based. We show through an analysis that even a small number of attack pulses can cause significant throughput degradation. The second part of this paper is a novel two-stage scheme to detect PDoS attacks on a victim network. The first stage is based on a wavelet transform used to extract the desired frequency components of the data traffic and ACK traffic. The second stage is to detect change points in the extracted components. Through both simulation and testbed experiments, we verify the feasibility and effectiveness of the detection scheme.