This document describes a proposed SDN-based scheme for detecting and mitigating distributed denial-of-service (DDoS) attacks mounted by botnets. The scheme involves a DDoS blocking application running on an SDN controller that monitors network traffic flows and detects attacks. When an attack is detected, the application installs rules on SDN switches to block traffic from botnet sources while still allowing legitimate traffic. The target server implements CAPTCHA to differentiate legitimate and bot traffic during attacks. The scheme is implemented using the POX SDN controller and OpenFlow standards and tested on the Mininet emulator.
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
The document describes FireCol, a system for detecting distributed denial-of-service (DDoS) flooding attacks. The core of FireCol is composed of intrusion prevention systems (IPSs) located at internet service providers that form virtual protection rings around hosts. The IPSs collaborate by exchanging selected traffic information to detect DDoS attacks early. FireCol was evaluated using simulations and real data, showing its effectiveness with low overhead and support for incremental deployment.
This document proposes a system called FireCol, which stands for a collaborative protection network for detecting flooding DDoS attacks. FireCol uses a distributed network of intrusion prevention systems located at internet service providers that form virtual protection rings around hosts. These systems collaborate by exchanging selected traffic information to detect DDoS attacks close to the source. The document outlines the architecture of FireCol and experimental results showing its effectiveness at detecting attacks with low overhead. Future work is mentioned to extend FireCol's capabilities.
This document summarizes research on enhancing the DSR routing protocol to prevent distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). It discusses how DDoS attacks work, the challenges they present for MANETs due to their dynamic nature, and existing research on DDoS attack detection and prevention. The document reviews literature on analyzing DDoS attack behaviors and properties, characterizing attack traffic patterns, and using statistical analysis and neural networks to identify attacks. The goal of the research is to develop an enhanced DSR protocol that can detect and mitigate DDoS attacks in MANETs more effectively than previous approaches.
Augmented split –protocol; an ultimate d do s defenderijcsa
Distributed Denials of Service (DDoS) attacks have become the daunting problem for businesses, state
administrator and computer system users. Prevention and detection of a DDoS attack is a major research
topic for researchers throughout the world. As new remedies are developed to prevent or mitigate DDoS
attacks, invaders are continually evolving new methods to circumvent these new procedures. In this paper,
we describe various DDoS attack mechanisms, categories, scope of DDoS attacks and their existing
countermeasures. In response, we propose to introduce DDoS resistant Augmented Split-protocol (ASp).
The migratory nature and role changeover ability of servers in Split-protocol architecture will avoid
bottleneck at the server side. It also offers the unique ability to avoid server saturation and compromise
from DDoS attacks. The goal of this paper is to present the concept and performance of (ASp) as a
defensive tool against DDoS attacks.
This document examines a proposed alternative solution to mitigate distributed denial of service (DDoS) attacks using crowd-sourced bandwidth. It discusses how DDoS attacks work and their impacts on organizations. The proposal aimed to leverage unused bandwidth from multiple clients to filter out malicious traffic and redirect valid traffic. However, the document concludes the concept is not currently feasible due to security, performance, and reliability issues from placing too much trust in clients and relying on slow public DNS propagation. Existing centralized DDoS mitigation solutions from companies are still recommended.
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of
nodes that interrelate with each other for switch over the information. This information is necessary for
that node is reserved confidentially. Attacker in the system may capture this private information and
distorted. So security is the major issue. There are several security attacks in network. One of the major
intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends
services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two
different behaviors they may happen obviously or it may due to some attackers .Various schemes are
developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
IRJET- EEDE- Extenuating EDOS for DDOS and Eluding HTTP Web based Attacks in ...IRJET Journal
This document proposes a method to detect HTTP GET flooding DDoS attacks in cloud computing environments using MapReduce processing. It involves integrating abnormal HTTP request detection rules analyzed through statistical analysis and thresholds into MapReduce. Suspected IP addresses are sent challenge values, and IP addresses that provide normal responses are initially allowed while abnormal responses are filtered for a period of time. MapReduce is used to analyze packet data and detect abnormal GET requests based on factors like the IP, port, and URI to identify malicious traffic patterns characteristic of DDoS attacks. The goal is to ensure availability of target systems and reliable detection of HTTP GET flooding attacks in cloud services.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO
LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH
ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN
DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY
CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER
WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO...Deenuji Loganathan
The document describes FireCol, a system for detecting distributed denial-of-service (DDoS) flooding attacks. The core of FireCol is composed of intrusion prevention systems (IPSs) located at internet service providers that form virtual protection rings around hosts. The IPSs collaborate by exchanging selected traffic information to detect DDoS attacks early. FireCol was evaluated using simulations and real data, showing its effectiveness with low overhead and support for incremental deployment.
This document proposes a system called FireCol, which stands for a collaborative protection network for detecting flooding DDoS attacks. FireCol uses a distributed network of intrusion prevention systems located at internet service providers that form virtual protection rings around hosts. These systems collaborate by exchanging selected traffic information to detect DDoS attacks close to the source. The document outlines the architecture of FireCol and experimental results showing its effectiveness at detecting attacks with low overhead. Future work is mentioned to extend FireCol's capabilities.
This document summarizes research on enhancing the DSR routing protocol to prevent distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). It discusses how DDoS attacks work, the challenges they present for MANETs due to their dynamic nature, and existing research on DDoS attack detection and prevention. The document reviews literature on analyzing DDoS attack behaviors and properties, characterizing attack traffic patterns, and using statistical analysis and neural networks to identify attacks. The goal of the research is to develop an enhanced DSR protocol that can detect and mitigate DDoS attacks in MANETs more effectively than previous approaches.
Augmented split –protocol; an ultimate d do s defenderijcsa
Distributed Denials of Service (DDoS) attacks have become the daunting problem for businesses, state
administrator and computer system users. Prevention and detection of a DDoS attack is a major research
topic for researchers throughout the world. As new remedies are developed to prevent or mitigate DDoS
attacks, invaders are continually evolving new methods to circumvent these new procedures. In this paper,
we describe various DDoS attack mechanisms, categories, scope of DDoS attacks and their existing
countermeasures. In response, we propose to introduce DDoS resistant Augmented Split-protocol (ASp).
The migratory nature and role changeover ability of servers in Split-protocol architecture will avoid
bottleneck at the server side. It also offers the unique ability to avoid server saturation and compromise
from DDoS attacks. The goal of this paper is to present the concept and performance of (ASp) as a
defensive tool against DDoS attacks.
This document examines a proposed alternative solution to mitigate distributed denial of service (DDoS) attacks using crowd-sourced bandwidth. It discusses how DDoS attacks work and their impacts on organizations. The proposal aimed to leverage unused bandwidth from multiple clients to filter out malicious traffic and redirect valid traffic. However, the document concludes the concept is not currently feasible due to security, performance, and reliability issues from placing too much trust in clients and relying on slow public DNS propagation. Existing centralized DDoS mitigation solutions from companies are still recommended.
Preventing Distributed Denial of Service Attacks in Cloud Environments IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of
nodes that interrelate with each other for switch over the information. This information is necessary for
that node is reserved confidentially. Attacker in the system may capture this private information and
distorted. So security is the major issue. There are several security attacks in network. One of the major
intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends
services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two
different behaviors they may happen obviously or it may due to some attackers .Various schemes are
developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
IRJET- EEDE- Extenuating EDOS for DDOS and Eluding HTTP Web based Attacks in ...IRJET Journal
This document proposes a method to detect HTTP GET flooding DDoS attacks in cloud computing environments using MapReduce processing. It involves integrating abnormal HTTP request detection rules analyzed through statistical analysis and thresholds into MapReduce. Suspected IP addresses are sent challenge values, and IP addresses that provide normal responses are initially allowed while abnormal responses are filtered for a period of time. MapReduce is used to analyze packet data and detect abnormal GET requests based on factors like the IP, port, and URI to identify malicious traffic patterns characteristic of DDoS attacks. The goal is to ensure availability of target systems and reliable detection of HTTP GET flooding attacks in cloud services.
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
DOS ATTACKS ARE ONE OF THE TOP SECURITY PROBLEMS AFFECTING NETWORKS AND DISRUPTING SERVICES TO
LEGITIMATE USERS. THE VITAL STEP IN DEALING WITH THIS PROBLEM IS THE NETWORK'S ABILITY TO DETECT SUCH
ATTACKS. APPLICATION DDOS ATTACK, WHICH AIMS AT DISRUPTING APPLICATION SERVICE RATHER THAN
DEPLETING THE NETWORK RESOURCE. UP TO NOW ALL THE RESEARCHES MADE ON THIS DDOS ATTACKS ONLY
CONCENTRATES EITHER ON NETWORK RESOURCES OR ON APPLICATION SERVERS BUT NOT ON BOTH. IN THIS PAPER
WE PROPOSED A SOLUTION FOR BOTH THESE PROBLEMS BY AUTHENTICATION METHODS AND GROUP TESTING.
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...IJECEIAES
Security network systems have been an increasingly important discipline since the implementation of preliminary stages of Internet Protocol version 6 (IPv6) for exploiting by attackers. IPv6 has an improved protocol in terms of security as it brought new functionalities, procedures, i.e., Internet Control Message Protocol version 6 (ICMPv6). The ICMPv6 protocol is considered to be very important and represents the backbone of the IPv6, which is also responsible to send and receive messages in IPv6. However, IPv6 Inherited many attacks from the previous internet protocol version 4 (IPv4) such as distributed denial of service (DDoS) attacks. DDoS is a thorny problem on the internet, being one of the most prominent attacks affecting a network result in tremendous economic damage to individuals as well as organizations. In this paper, an exhaustive evaluation and analysis are conducted anomaly detection DDoS attacks against ICMPv6 messages, in addition, explained anomaly detection types to ICMPv6 DDoS flooding attacks in IPv6 networks. Proposed using feature selection technique based on bio-inspired algorithms for selecting an optimal solution which selects subset to have a positive impact of the detection accuracy ICMPv6 DDoS attack. The review outlines the features and protection constraints of IPv6 intrusion detection systems focusing mainly on DDoS attacks.
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET Journal
1) The document discusses detection and prevention of denial of service (DoS) attacks in mobile ad-hoc networks.
2) It focuses on identifying malicious nodes that conduct traffic jamming attacks by disrupting communication.
3) The proposed approach detects malicious nodes using a reliability value determined by broadcast reliability packets, where nodes that don't respond in a set time have their reliability value decreased until it reaches below zero, identifying them as malicious.
The document discusses security mechanisms for spontaneous networks. It begins with an overview of the growth of mobile communications and challenges in configuring services and providing security in spontaneous networks that imitate human relationships. Key management schemes are needed for node authorization and user authentication in mobile ad hoc networks. Existing methods require initial configuration or external authorities. The proposed system aims to reduce dependence on a central authority for re-authentication to avoid possible attacks, increase performance by reducing server utilization, and implement a workload mechanism for efficient server usage.
The document discusses trends in computer networking job roles. It describes several common networking roles including network administrator, network technician, network security specialist, and network manager. For each role it provides details on typical responsibilities and qualifications needed. It also discusses the increasing demand for networking professionals with security skills due to more organizations moving transactions and data online.
Service providers are increasingly playing an important role in DDoS mitigation given the growing scale and sophistication of attacks. They have advantages over enterprise solutions due to their global traffic visibility and ability to filter attacks close to the source. As attacks continue rising in scale and evolving tactics, service providers need intelligent mitigation solutions to protect their infrastructure and ensure customer availability. DDoS mitigation is becoming a key differentiator for service providers to provide more value beyond just connectivity.
This document discusses security considerations for cloud computing. It covers security challenges like privacy, portability, interoperability, reliability and availability. It also discusses security planning, boundaries based on infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) models. Additional topics include data security, software as a service security, security monitoring, and security architecture design.
CREDIT BASED METHODOLOGY TO DETECT AND DISCRIMINATE DDOS ATTACK FROM FLASH CR...IJNSA Journal
The latest trend in the field of computing is the migration of organizations and offloading the tasks to
cloud. The security concerns hinder the widespread acceptance of cloud. Of various, the DDoS in cloud is
found to be the most dangerous. Various approaches are there to defend DDoS in cloud, but have lots of
pitfalls. This paper proposes a new reputation-based framework for mitigating the DDoS in cloud by
classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits. The
fact that attack is fired by malicious programs installed by the attackers in the compromised systems and
they exhibit similar characteristics used for discriminating the DDoS traffic from flash crowds. Credits of
clients who show signs of similarity are decremented. This reduces the computational and storage
overhead. This proposed method is expected to take the edge off DDoS in a cloud environment and ensures
full security to cloud resources. CloudSim simulation results also proved that the deployment of this
approach improved the resource utilization with reduced cost.
The document proposes an economic incentive-based solution using Bitcoin to defend against distributed denial of service (DDoS) attacks. It discusses limitations of existing defense mechanisms and outlines a four-layer actor model architecture with a directory manager and transport manager to facilitate negotiations and cross-domain communication. The current work involves matching policies and proposals using the actor model and designing a protocol for incremental escrow transactions using Bitcoin to establish financial incentives at reduced cost for cooperative DDoS defense.
Iaetsd cloud computing and security challengesIaetsd Iaetsd
This document summarizes security challenges in cloud computing. It discusses how the distributed nature of cloud computing introduces security risks to confidential data and resources. It outlines several types of security threats like data breaches, malware injection, and network attacks. It also examines security requirements like confidentiality, integrity, and authentication. Finally, the document notes challenges like ensuring security, managing resources, and maintaining performance and interoperability remain open issues for cloud computing.
This document discusses network traffic monitoring using the Winpcap packet capturing tool. It begins with an introduction to enterprise network monitoring and requirements. It then provides an overview of Winpcap, including its architecture and how it works. Key aspects covered include the packet capture driver, Packet.dll, and WinPcap.dll libraries. The document also discusses related tools like Jpcap for Java packet capturing. It concludes with an overview of a sample network traffic monitoring application that implements packet capturing using Winpcap.
Design & Implementation of Secure AODV In Multicast Routing To Detect DDOS At...IJNSA Journal
The wireless ad hoc network is particularly vulnerable to DOS attacks due to its features of open medium, dynamic changing topology, cooperative algorithms, decentralization of the protocols, and lack of a clear line of defense is a growing problem in networks today. In Mobile Ad hoc Networks (MANET), various types of Denial of Service Attacks (DOS) are possible because of the inherent limitations of its routing protocols. In this paper we will secure the MANET from the DDOS attack. DDOS attacks are similar to DOS attacks but there is a difference between them and that is DDOS attacks involve breaking in to hundreds or thousands of machines, so for this reason, this attack called Distributed. Very often, systems that use for attack is a part of the networks and users of these systems don’t know about that, their systems used for attack to another systems. This kind of attack, consume more bandwidth and uses more sources in network. . In this work, we study the effect of one of the important attacks that called DDOS in MANET on most vulnerability protocol that named AODV. The product of this study is detection of DDOS attack by
using AODV (adhoc on demand distance vector) protocol. Proposed scheme is distributed in nature it has the capability to prevent Distributed DOS (DDOS) as well..
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Implementing vpn using direct access technologyferasfarag
This document provides an overview of traditional VPN technology and its problems, and proposes Direct Access technology as a better solution for remote access. It defines VPN and how it uses encryption over public networks, but notes issues like optional connections, firewall compatibility, and proprietary software requirements. Direct Access provides always-on, seamless access without user interaction by using Windows technologies like Active Directory and IPsec. It establishes more reliable connections than VPN, enables bidirectional management, and has fewer authentication and licensing requirements. The document concludes Direct Access may be a superior alternative to traditional VPNs for remote access.
The document discusses routing security issues on the internet and proposes solutions through the Mutually Agreed Norms for Routing Security (MANRS) initiative. It outlines how routing works and common issues like route hijacking. It then details the MANRS framework, which establishes baseline security recommendations and builds a community to promote adoption. The goals are to reduce routing incidents through concerted action and make routing more resilient without regulation. Metrics and tools are provided to help operators implement recommendations and measure progress over time.
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Editor IJCATR
Network Intrusion detection and Countermeasure Election in virtual network systems (NICE) are used to establish a
defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into
the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion
detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to
compromise VMs, thus preventing zombie VMs. NICE includes two main phases: deploy a lightweight mirroring-based network
intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual
system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified
vulnerability toward the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. Once a
VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the
inspecting VM to make the potential attack behaviors prominent.
This volume of the Open Datacenter Interoperable Network (ODIN) describes software defined networking (SDN) and OpenFlow. SDN is used to simplify network control and management, automate network virtualization services, and provide a platform from which to build agile ....
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D...IRJET Journal
This document discusses detecting distributed denial-of-service (DDoS) attacks on software defined networks (SDNs). It first provides background on SDNs and DDoS attacks. It then reviews related research on DDoS detection methods for SDNs. The document evaluates these methods based on results using the KDD99 dataset in a simulated SDN environment. It finds that the Double P-value of Transductive Confidence Machines for K-Nearest Neighbors (DPTCM-KNN) method achieved the highest true positive rate and lowest false positive rate, making it the most efficient approach for detecting anomalous flows in SDNs.
Encountering distributed denial of service attack utilizing federated softwar...IJECEIAES
This research defines the distributed denial of service (DDoS) problem in software-defined-networks (SDN) environments. The proposes solution uses Software defined networks capabilities to reduce risk, introduces a collaborative, distributed defense mechanism rather than server-side filtration. Our proposed network detection and prevention agent (NDPA) algorithm negotiates the maximum amount of traffic allowed to be passed to server by reconfiguring network switches and routers to reduce the ports' throughput of the network devices by the specified limit ratio. When the passed traffic is back to normal, NDPA starts network recovery to normal throughput levels, increasing ports' throughput by adding back the limit ratio gradually each time cycle. The simulation results showed that the proposed algorithms successfully detected and prevented a DDoS attack from overwhelming the targeted server. The server was able to coordinate its operations with the SDN controllers through a communication mechanism created specifically for this purpose. The system was also able to determine when the attack was over and utilize traffic engineering to improve the quality of service (QoS). The solution was designed with a sophisticated way and high level of separation of duties between components so it would not be affected by the design aspect of the network architecture.
Review Paper on Predicting Network Attack Patterns in SDN using MLijtsrd
Software Defined Networking SDN provides several advantages like manageability, scaling, and improved performance. SDN has some security problems, especially if its controller is defense less over Distributed Denial of Service attacks. The mechanism and communication extent of the SDN controller is overloaded when DDoS attacks are performed against the SDN controller. So, as results of the useless flow built by the controller for the attack packets, the extent of the switch flow table becomes full, leading the network performance to decline to a critical threshold. The challenge lies in defining the set of rules on the SDN controller to dam malicious network connections. Historical network attack data are often wont to automatically identify and block the malicious connections. In this review paper, we are going to propose using ML algorithms, tested on collected network attack data, to get the potential malicious connections and potential attack destinations. We use four machine learning algorithms C4.5, Bayesian Network BayesNet , multidimensional language DT , and Naive Bayes to predict the host which will be attacked to support the historical data. DDoS attacks in Software Defined Network were detected by using ML based models. Some key features were obtained from SDN for the dataset in normal conditions and under DDoS attack traffic. Dr. C. Umarani | Gopalshree Kushwaha "Review Paper on Predicting Network Attack Patterns in SDN using ML" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6 , October 2020, URL: https://www.ijtsrd.com/papers/ijtsrd35732.pdf Paper Url: https://www.ijtsrd.com/computer-science/computer-network/35732/review-paper-on-predicting-network-attack-patterns-in-sdn-using-ml/dr-c-umarani
Q-learning based distributed denial of service detectionIJECEIAES
This document summarizes a research paper that proposes a new approach for detecting distributed denial of service (DDoS) attacks in software-defined networks using Q-learning. The proposed approach uses entropy detection and Q-learning to enhance detection and reduce false positives and negatives. Results show the approach detects DDoS attacks faster than entropy detection alone and ensures service continuity for legitimate users by redirecting traffic. The approach increases throughput by up to 50% compared to other methods.
Detection of ICMPv6-based DDoS attacks using anomaly based intrusion detectio...IJECEIAES
Security network systems have been an increasingly important discipline since the implementation of preliminary stages of Internet Protocol version 6 (IPv6) for exploiting by attackers. IPv6 has an improved protocol in terms of security as it brought new functionalities, procedures, i.e., Internet Control Message Protocol version 6 (ICMPv6). The ICMPv6 protocol is considered to be very important and represents the backbone of the IPv6, which is also responsible to send and receive messages in IPv6. However, IPv6 Inherited many attacks from the previous internet protocol version 4 (IPv4) such as distributed denial of service (DDoS) attacks. DDoS is a thorny problem on the internet, being one of the most prominent attacks affecting a network result in tremendous economic damage to individuals as well as organizations. In this paper, an exhaustive evaluation and analysis are conducted anomaly detection DDoS attacks against ICMPv6 messages, in addition, explained anomaly detection types to ICMPv6 DDoS flooding attacks in IPv6 networks. Proposed using feature selection technique based on bio-inspired algorithms for selecting an optimal solution which selects subset to have a positive impact of the detection accuracy ICMPv6 DDoS attack. The review outlines the features and protection constraints of IPv6 intrusion detection systems focusing mainly on DDoS attacks.
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET Journal
1) The document discusses detection and prevention of denial of service (DoS) attacks in mobile ad-hoc networks.
2) It focuses on identifying malicious nodes that conduct traffic jamming attacks by disrupting communication.
3) The proposed approach detects malicious nodes using a reliability value determined by broadcast reliability packets, where nodes that don't respond in a set time have their reliability value decreased until it reaches below zero, identifying them as malicious.
The document discusses security mechanisms for spontaneous networks. It begins with an overview of the growth of mobile communications and challenges in configuring services and providing security in spontaneous networks that imitate human relationships. Key management schemes are needed for node authorization and user authentication in mobile ad hoc networks. Existing methods require initial configuration or external authorities. The proposed system aims to reduce dependence on a central authority for re-authentication to avoid possible attacks, increase performance by reducing server utilization, and implement a workload mechanism for efficient server usage.
The document discusses trends in computer networking job roles. It describes several common networking roles including network administrator, network technician, network security specialist, and network manager. For each role it provides details on typical responsibilities and qualifications needed. It also discusses the increasing demand for networking professionals with security skills due to more organizations moving transactions and data online.
Service providers are increasingly playing an important role in DDoS mitigation given the growing scale and sophistication of attacks. They have advantages over enterprise solutions due to their global traffic visibility and ability to filter attacks close to the source. As attacks continue rising in scale and evolving tactics, service providers need intelligent mitigation solutions to protect their infrastructure and ensure customer availability. DDoS mitigation is becoming a key differentiator for service providers to provide more value beyond just connectivity.
This document discusses security considerations for cloud computing. It covers security challenges like privacy, portability, interoperability, reliability and availability. It also discusses security planning, boundaries based on infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) models. Additional topics include data security, software as a service security, security monitoring, and security architecture design.
CREDIT BASED METHODOLOGY TO DETECT AND DISCRIMINATE DDOS ATTACK FROM FLASH CR...IJNSA Journal
The latest trend in the field of computing is the migration of organizations and offloading the tasks to
cloud. The security concerns hinder the widespread acceptance of cloud. Of various, the DDoS in cloud is
found to be the most dangerous. Various approaches are there to defend DDoS in cloud, but have lots of
pitfalls. This paper proposes a new reputation-based framework for mitigating the DDoS in cloud by
classifying the users into three categories as well-reputed, reputed and ill-reputed based on credits. The
fact that attack is fired by malicious programs installed by the attackers in the compromised systems and
they exhibit similar characteristics used for discriminating the DDoS traffic from flash crowds. Credits of
clients who show signs of similarity are decremented. This reduces the computational and storage
overhead. This proposed method is expected to take the edge off DDoS in a cloud environment and ensures
full security to cloud resources. CloudSim simulation results also proved that the deployment of this
approach improved the resource utilization with reduced cost.
The document proposes an economic incentive-based solution using Bitcoin to defend against distributed denial of service (DDoS) attacks. It discusses limitations of existing defense mechanisms and outlines a four-layer actor model architecture with a directory manager and transport manager to facilitate negotiations and cross-domain communication. The current work involves matching policies and proposals using the actor model and designing a protocol for incremental escrow transactions using Bitcoin to establish financial incentives at reduced cost for cooperative DDoS defense.
Iaetsd cloud computing and security challengesIaetsd Iaetsd
This document summarizes security challenges in cloud computing. It discusses how the distributed nature of cloud computing introduces security risks to confidential data and resources. It outlines several types of security threats like data breaches, malware injection, and network attacks. It also examines security requirements like confidentiality, integrity, and authentication. Finally, the document notes challenges like ensuring security, managing resources, and maintaining performance and interoperability remain open issues for cloud computing.
This document discusses network traffic monitoring using the Winpcap packet capturing tool. It begins with an introduction to enterprise network monitoring and requirements. It then provides an overview of Winpcap, including its architecture and how it works. Key aspects covered include the packet capture driver, Packet.dll, and WinPcap.dll libraries. The document also discusses related tools like Jpcap for Java packet capturing. It concludes with an overview of a sample network traffic monitoring application that implements packet capturing using Winpcap.
Design & Implementation of Secure AODV In Multicast Routing To Detect DDOS At...IJNSA Journal
The wireless ad hoc network is particularly vulnerable to DOS attacks due to its features of open medium, dynamic changing topology, cooperative algorithms, decentralization of the protocols, and lack of a clear line of defense is a growing problem in networks today. In Mobile Ad hoc Networks (MANET), various types of Denial of Service Attacks (DOS) are possible because of the inherent limitations of its routing protocols. In this paper we will secure the MANET from the DDOS attack. DDOS attacks are similar to DOS attacks but there is a difference between them and that is DDOS attacks involve breaking in to hundreds or thousands of machines, so for this reason, this attack called Distributed. Very often, systems that use for attack is a part of the networks and users of these systems don’t know about that, their systems used for attack to another systems. This kind of attack, consume more bandwidth and uses more sources in network. . In this work, we study the effect of one of the important attacks that called DDOS in MANET on most vulnerability protocol that named AODV. The product of this study is detection of DDOS attack by
using AODV (adhoc on demand distance vector) protocol. Proposed scheme is distributed in nature it has the capability to prevent Distributed DOS (DDOS) as well..
Study of flooding based d do s attacks and their effect using deter testbedeSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Implementing vpn using direct access technologyferasfarag
This document provides an overview of traditional VPN technology and its problems, and proposes Direct Access technology as a better solution for remote access. It defines VPN and how it uses encryption over public networks, but notes issues like optional connections, firewall compatibility, and proprietary software requirements. Direct Access provides always-on, seamless access without user interaction by using Windows technologies like Active Directory and IPsec. It establishes more reliable connections than VPN, enables bidirectional management, and has fewer authentication and licensing requirements. The document concludes Direct Access may be a superior alternative to traditional VPNs for remote access.
The document discusses routing security issues on the internet and proposes solutions through the Mutually Agreed Norms for Routing Security (MANRS) initiative. It outlines how routing works and common issues like route hijacking. It then details the MANRS framework, which establishes baseline security recommendations and builds a community to promote adoption. The goals are to reduce routing incidents through concerted action and make routing more resilient without regulation. Metrics and tools are provided to help operators implement recommendations and measure progress over time.
Evasion Streamline Intruders Using Graph Based Attacker model Analysis and Co...Editor IJCATR
Network Intrusion detection and Countermeasure Election in virtual network systems (NICE) are used to establish a
defense-in-depth intrusion detection framework. For better attack detection, NICE incorporates attack graph analytical procedures into
the intrusion detection processes. We must note that the design of NICE does not intend to improve any of the existing intrusion
detection algorithms; indeed, NICE employs a reconfigurable virtual networking approach to detect and counter the attempts to
compromise VMs, thus preventing zombie VMs. NICE includes two main phases: deploy a lightweight mirroring-based network
intrusion detection agent (NICE-A) on each cloud server to capture and analyze cloud traffic. A NICE-A periodically scans the virtual
system vulnerabilities within a cloud server to establish Scenario Attack Graph (SAGs), and then based on the severity of identified
vulnerability toward the collaborative attack goals, NICE will decide whether or not to put a VM in network inspection state. Once a
VM enters inspection state, Deep Packet Inspection (DPI) is applied, and/or virtual network reconfigurations can be deployed to the
inspecting VM to make the potential attack behaviors prominent.
This volume of the Open Datacenter Interoperable Network (ODIN) describes software defined networking (SDN) and OpenFlow. SDN is used to simplify network control and management, automate network virtualization services, and provide a platform from which to build agile ....
IRJET- Detection of Distributed Denial-of-Service (DDos) Attack on Software D...IRJET Journal
This document discusses detecting distributed denial-of-service (DDoS) attacks on software defined networks (SDNs). It first provides background on SDNs and DDoS attacks. It then reviews related research on DDoS detection methods for SDNs. The document evaluates these methods based on results using the KDD99 dataset in a simulated SDN environment. It finds that the Double P-value of Transductive Confidence Machines for K-Nearest Neighbors (DPTCM-KNN) method achieved the highest true positive rate and lowest false positive rate, making it the most efficient approach for detecting anomalous flows in SDNs.
Encountering distributed denial of service attack utilizing federated softwar...IJECEIAES
This research defines the distributed denial of service (DDoS) problem in software-defined-networks (SDN) environments. The proposes solution uses Software defined networks capabilities to reduce risk, introduces a collaborative, distributed defense mechanism rather than server-side filtration. Our proposed network detection and prevention agent (NDPA) algorithm negotiates the maximum amount of traffic allowed to be passed to server by reconfiguring network switches and routers to reduce the ports' throughput of the network devices by the specified limit ratio. When the passed traffic is back to normal, NDPA starts network recovery to normal throughput levels, increasing ports' throughput by adding back the limit ratio gradually each time cycle. The simulation results showed that the proposed algorithms successfully detected and prevented a DDoS attack from overwhelming the targeted server. The server was able to coordinate its operations with the SDN controllers through a communication mechanism created specifically for this purpose. The system was also able to determine when the attack was over and utilize traffic engineering to improve the quality of service (QoS). The solution was designed with a sophisticated way and high level of separation of duties between components so it would not be affected by the design aspect of the network architecture.
Review Paper on Predicting Network Attack Patterns in SDN using MLijtsrd
Software Defined Networking SDN provides several advantages like manageability, scaling, and improved performance. SDN has some security problems, especially if its controller is defense less over Distributed Denial of Service attacks. The mechanism and communication extent of the SDN controller is overloaded when DDoS attacks are performed against the SDN controller. So, as results of the useless flow built by the controller for the attack packets, the extent of the switch flow table becomes full, leading the network performance to decline to a critical threshold. The challenge lies in defining the set of rules on the SDN controller to dam malicious network connections. Historical network attack data are often wont to automatically identify and block the malicious connections. In this review paper, we are going to propose using ML algorithms, tested on collected network attack data, to get the potential malicious connections and potential attack destinations. We use four machine learning algorithms C4.5, Bayesian Network BayesNet , multidimensional language DT , and Naive Bayes to predict the host which will be attacked to support the historical data. DDoS attacks in Software Defined Network were detected by using ML based models. Some key features were obtained from SDN for the dataset in normal conditions and under DDoS attack traffic. Dr. C. Umarani | Gopalshree Kushwaha "Review Paper on Predicting Network Attack Patterns in SDN using ML" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-6 , October 2020, URL: https://www.ijtsrd.com/papers/ijtsrd35732.pdf Paper Url: https://www.ijtsrd.com/computer-science/computer-network/35732/review-paper-on-predicting-network-attack-patterns-in-sdn-using-ml/dr-c-umarani
Q-learning based distributed denial of service detectionIJECEIAES
This document summarizes a research paper that proposes a new approach for detecting distributed denial of service (DDoS) attacks in software-defined networks using Q-learning. The proposed approach uses entropy detection and Q-learning to enhance detection and reduce false positives and negatives. Results show the approach detects DDoS attacks faster than entropy detection alone and ensures service continuity for legitimate users by redirecting traffic. The approach increases throughput by up to 50% compared to other methods.
IRJET- Software Defined Network: DDOS Attack DetectionIRJET Journal
This document discusses software defined networks (SDNs) and detecting distributed denial-of-service (DDoS) attacks in SDNs. It provides background on SDN architecture and how DDoS attacks work. The paper aims to address risks of DDoS attacks in SDNs and focuses on detection. It describes existing DDoS attack techniques and solutions. The document proposes using algorithms like TCM-KNN and DPTCM-KNN for detection of attacks in network traffic flows, and compares the two algorithms using parameters like packet length and response time.
IRJET- A Survey on DDOS Attack in ManetIRJET Journal
This document summarizes a survey on distributed denial of service (DDoS) attacks in mobile ad hoc networks (MANETs). It begins by introducing MANETs and some of the key security issues they face, including DDoS attacks. It then discusses different types of DDoS attacks like flooding and amplification/reflection attacks. The document proposes a new defense scheme against amplification attacks, which exploit protocols like DNS and NTP to amplify traffic. It describes using the Network Security Simulator to model and simulate DDoS attacks with master, zombie, and server entities to evaluate defense techniques and compare the impact of protocols like DNS and NTP.
IRJET- A Study of DDoS Attacks in Software Defined NetworksIRJET Journal
This document discusses DDoS attacks in software defined networks. It begins with an overview of SDN architecture and its vulnerabilities. It then describes different types of DDoS attacks, categorizing them as attacks on the data plane or control plane. Volumetric attacks aim to overwhelm the victim with traffic, while protocol exploitation attacks exhaust system resources. The document reviews approaches for detecting and mitigating DDoS attacks in SDN, such as using thresholds to detect sudden traffic increases or inspecting packets for abnormal values. Machine learning algorithms can also be used to classify packets and detect attacks. Specific studies that implemented detection and mitigation techniques using SDN controllers and tools are also summarized.
Security in Software Defined Networks (SDN): Challenges and Research Opportun...Editor IJCATR
In networks, the rapidly changing traffic patterns of search engines, Internet of Things (IoT) devices, Big Data and data centers has thrown up new challenges for legacy; existing networks; and prompted the need for a more intelligent and innovative way to dynamically manage traffic and allocate limited network resources. Software Defined Network (SDN) which decouples the control plane from the data plane through network vitalizations aims to address these challenges. This paper has explored the SDN architecture and its implementation with the OpenFlow protocol. It has also assessed some of its benefits over traditional network architectures, security concerns and how it can be addressed in future research and related works in emerging economies such as Nigeria.
IMPROVING DDOS DETECTION IN IOT DEVICESIRJET Journal
This document discusses improving detection of distributed denial of service (DDoS) attacks in internet of things (IoT) devices. It proposes a DDoS detection model that includes decision tree models tailored for different classes of IoT devices. Four classes of devices are defined based on their typical traffic patterns - high, raised, medium, and low consistency. Testing showed the approach can accurately detect DDoS traffic for these device classes, with accuracy ranging from 99.92% to 99.99%. The approach leverages device classes to more precisely identify DDoS traffic.
A review on software defined network security risks and challengesTELKOMNIKA JOURNAL
Software defined network is an emerging network architecture that separates the traditional
integrated control logic and data forwarding functionality into different planes, namely the control plane and
data forwarding plane. The data plane does an end-to-end data delivery. And the control plane does
the actual network traffic forwarding and routing between different network segments. In software defined
network the networking infrastructure layer is where the entire networking device, such as switches and
routers are connected with the separate controller layer with the help of standard called OpenFlow
protocol. The OpenFlow is a standard protocol that allows different vendor devices like juniper, cisco and
huawei switches to be connected to the controller. The centralization of the software defined network
(SDN) controller makes the network more flexible, manageable and dynamic, such as provisioning of
bandwidth, dynamic scale out and scale in compared to the traditional communication network, however,
the centralized SDN controller is more vulnerable to security risks such as DDOS and flow rule poisoning
attack. In this paper, we will explore the architectures, the principles of software defined network and
security risks associated with the centralized SDN controller and possible ways to mitigate these risks.
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
Abstract Today, Internet is the primary medium for communication which is used by number of users across the Network. At the same time, its commercial nature is causing increase vulnerability to enhance cyber crimes and there has been an enormous increase in the number of DDOS (distributed denial of service attack) attacks on the internet over the past decade. Whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Network resources such as network bandwidth, web servers and network switches are mostly the victims of DDoS attacks. In this paper different types of DDoS attacks has been studied, a dumb-bell topology have been created and effect of UDP flooding attacks has been analyzed on web service by using attack tools available in DETER testbed. Throughput of web server is analyzed with and without DDoS attacks.
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
This document discusses flash crowd attacks on online retail applications. It begins by introducing denial of service (DoS) and distributed denial of service (DDoS) attacks. It then explains that flash crowd attacks are a type of DDoS attack that aims to overwhelm servers with legitimate-looking requests. The document outlines the network model used to simulate flash crowd attacks and presents results analyzing the impact on server energy levels. It finds that as the number of requests increases, servers experience decreased energy and lifetime. The study aims to minimize these attacks by having servers identify real clients to prioritize sending responses.
The document discusses a study and implementation of unified threat management (UTM) and web application firewall (WAF) at the Defence Research and Development Organisation (DRDO) in India. It describes common internal and external threats organizations face, how UTM provides centralized security functions through a single management console, and how WAF protects against attacks like SQL injection, cross-site scripting, denial of service attacks, and session hijacking that target web applications. The advantages of UTM include reduced complexity, ease of deployment, and integration capabilities, while disadvantages include lower performance and potential vendor lock-in for large organizations.
Software Defined Networking (SDN): A Revolution in Computer NetworkIOSR Journals
Abstract: SDN creates a dynamic and flexible network architecture that can change as the business
requirements change. The growth of the SDN market and cloud computing are very much connected. As the
applications change and the network is abstracted, virtualization become a necessary step and SDN serves as
the fundamental building blocks for the network. Traditional networking devices are composed of an embedded
control plane that manages switching, routing and traffic engineering activities while the data plane forwards
packet/frames based on traffic. In SDN architecture, control plane functions are removed from individual
networking devices and embedded in a centralizedserver. The SDN controller makes all traffic related decisions
in the network without nodes active participation, as opposed to today’s networks.
Keyword-API, cloud computing, IT, middleware, OpenFlow, SDN
Low-rate distributed denial of service attacks detection in software defined ...IAESIJAI
One of the main challenges in developing the internet of things (IoT) is the existence of availability problems originated from the low-rate distributed denial of service attacks (LRDDoS). The complexity of IoT makes the LRDDoS hard to detect because the attack flow is performed similarly to the regular traffic. Integration of software defined IoT (SDN-Enabled IoT) is considered an alternative solution for overcoming the specified problem through a single detection point using machine learning approaches. The controller has a resource limitation for implementing the classification process. Therefore, this paper extends the usage of Feature Importance to reduce the data complexity during the model generation process and choose an appropriate feature for generating an efficient classification model. The research results show that the Gaussian Naïve Bayes (GNB) produced the most effective outcome. GNB performed better than the other algorithms because the feature reduction only selected the independent feature, which had no relation to the other features.
Security and risk analysis in the cloud with software defined networking arch...IJECEIAES
Cloud computing has emerged as the actual trend in business information technology service models, since it provides processing that is both costeffective and scalable. Enterprise networks are adopting software-defined networking (SDN) for network management flexibility and lower operating costs. Information technology (IT) services for enterprises tend to use both technologies. Yet, the effects of cloud computing and software defined networking on business network security are unclear. This study addresses this crucial issue. In a business network that uses both technologies, we start by looking at security, namely distributed denial-of-service (DDoS) attack defensive methods. SDN technology may help organizations protect against DDoS assaults provided the defensive architecture is structured appropriately. To mitigate DDoS attacks, we offer a highly configurable network monitoring and flexible control framework. We present a dataset shift-resistant graphic model-based attack detection system for the new architecture. The simulation findings demonstrate that our architecture can efficiently meet the security concerns of the new network paradigm and that our attack detection system can report numerous threats using real-world network data.
Cybersecurity Threat Detection of Anomaly Based DDoS Attack Using Machine Lea...IRJET Journal
This document discusses machine learning techniques for detecting distributed denial of service (DDoS) attacks. It reviews related work applying methods like decision trees, support vector machines, naive Bayes, and deep learning to identify DDoS attacks based on network traffic patterns. The document evaluates these algorithms based on accuracy metrics and processing time. It also explores feature selection and parameter tuning to optimize model performance and training efficiency for detecting DDoS attacks.
Guide answers the questions like - Which tools are available in the marketplace to mitigate ddos attacks? Is Scrubbing Center enough to mitigate ddos attacks?
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS IJITCA Journal
Distributed-Denial of Service (DDoS) is a key intimidation to network security. Network is a group of nodes that interrelate with each other for switch over the information. This information is necessary for that node is reserved confidentially. Attacker in the system may capture this private information and distorted. So security is the major issue. There are several security attacks in network. One of the major intimidations to internet examine is DDoS attack. It is a malevolent effort to suspending or suspends services to destination node. DDoS or DoS is an effort to create network resource or the machine is busy to
its intentional user. Numerous thoughts are developed for avoid the DDoS or DoS. DDoS occur in two different behaviors they may happen obviously or it may due to some attackers .Various schemes are developed defense against to this attack. The Main focus of paper is present basis of DDoS attack, DDoS
attack types, and DDoS attack components, intrusion prevention system for DDoS.
The document discusses Internet of Things (IoT), which connects physical objects through sensors and software to exchange data over the Internet. It describes how technologies like affordable sensors, connectivity, cloud computing, machine learning, and AI have enabled IoT. The number of connected IoT devices is expected to grow from over 7 billion today to 22 billion by 2025. Network virtualization is also discussed, which abstracts network resources into software to combine or divide physical networks flexibly. This improves agility, security, and efficiency.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
1. GROUP 18
SDN Oriented DDoS Detection and Mitigation
Scheme for Botnet-Based Attacks
Goutham Prasanna
Electrical Engineering Department
San Jose State University, USA
Class ID: 42
goutham.prasanna@sjsu.edu
Nitish Gupta
Electrical Engineering Department
San Jose State University, USA
Class ID: 20
nitish.gupta@sjsu.edu
Sohail Virani
Electrical Engineering Department
San Jose State University, USA
Class ID: 59
sohail.virani@sjsu.edu
Abstract—Internet has led to the creation of a digital
society, where (almost) everything is connected and is
accessible from anywhere. However, despite their
widespread adoption, traditional IP networks are complex
and very hard to manage. Software-Defined Networking
(SDN) is an emerging paradigm that promises to change
this state of affairs by separating the network’s control
plane from the data plane, thereby promoting (logical)
centralization of network control and introducing the
ability to program the network. However, it has been
proven time and again that the SDN is vulnerable to
various kinds of attacks like DDoS, DoS, dictionary
attacks etc. DDoS attacks mounted by botnets has been
termed as biggest threat to internet security today, they
target a specific service, mobilizing only a small amount of
legitimate looking traffic to compromise the server.
Detecting or blocking such clever attacks by only using
anomalous traffic statistics has become difficult and
devising countermeasures has been mostly left to the
victim server. In this paper, an attack detection and
mitigation application has been implemented in an SDN
environment. Additionally, a mechanism has been
developed on the server side to differentiate between
legitimate and illegitimate users such that service to
former is not affected.
Index Terms— Software Defined Networks (SDN), Denial of
Service (DoS), Distributed Denial of Service (DDoS)
I. INTRODUCTION
The distributed control and transport network protocols
running inside the routers and switches are the key
technologies that allow information, in the form of digital
packets, to travel around the world. Despite their widespread
adoption, traditional IP networks are complex and hard to
manage. To express the desired high-level network policies,
network operators need to configure each individual network
device separately using low-level and often vendor-specific
commands. In addition to the configuration complexity,
network environments have to endure the dynamics of faults
and adapt to load changes. Automatic reconfiguration and
response mechanisms are virtually non-existent in current IP
networks. Enforcing the required policies in such a dynamic
environment is therefore highly challenging.
To make it even more challenging, current networks are
vertically integrated. Hence, the control plane (that decides
how to handle network traffic) and the data plane (that
forwards traffic according to the decisions made by the control
plane) are bundled inside the networking devices resulting in
reducing flexibility, hindering innovation and evolution of the
networking infrastructure. The transition from IPv4 to IPv6
started more than a decade ago and still largely incomplete,
bears witness to this challenge, while in fact IPv6 represented
merely a protocol update. Due to the inertia of current IP
networks, a new routing protocol can take 5 to 10 years to be
fully designed, evaluated and deployed. Likewise, a clean-
slate approach to change the Internet architecture (e.g.,
replacing IP), is regarded as a daunting task – simply not
feasible in practice. Ultimately, this situation has inflated the
capital and operational expenses of running an IP network.
A. Software Defined Networks (SDN)
Software-Defined Networking (SDN) is an emerging
networking paradigm that gives hope to change the limitations
of current network infrastructures [4]. First, it breaks the
vertical integration by separating the network’s control logic
(the control plane) from the underlying routers and switches
that forward the traffic (the data plane) [1]. Second, with the
separation of the control and data planes, resulting network
switches become simple forwarding devices and the control
logic is implemented in a logically centralized controller (or
network operating system), simplifying policy enforcement
and network (re)configuration and evolution. It is important to
emphasize that a logically centralized programmatic model
does not postulate a physically centralized system [1]. In fact,
the need to guarantee adequate levels of performance,
scalability, and reliability would preclude such a solution.
Instead, production-level SDN network designs resort to
physically distributed control planes [4].
2. GROUP 18
Security is expected to be an important application area for the
software defined network (SDN). This is because network
security requires a close coordination of many network
components to defend against an attack [2]. Conventional
routers are so difficult to modify their behavior. SDN
architecture based on OpenFlow specification makes it much
easier to dynamically modify the behavior of network
switches [2]. Moreover, in the traditional Internet architecture,
routers perform routing and control in a distributed manner. It
is hard to elicit an orchestrated network-wide behavior.
However, in SDN, the existence of a central controller makes
the task so much easier. In this paper, we show that SDN
makes it really easy to orchestrate network switches to
perform a defensive flow management. In particular, we take
the example of distributed denial-of-service (DDoS) attack
that relies on a large botnet. By using only the standard
OpenFlow interface, a DDoS blocking system can be
immediately constructed [2].
B. Distributed Denial of Service (DDoS)
As DDoS attack techniques evolve, effective defense is
becoming a challenging task. The representative DDoS attacks
today typically target specific services so that only the
targeted application is disabled while other network
components (e.g. links, switches, routers) are not affected
much [1]. Such a targeted attack can easily hide itself in
normal traffic due to low required attack intensity. For
example, a HTTP GET flooding attack utilizes the
vulnerability of HTTP web server implementation (e.g. the
maximum number of concurrent connections for HTTP) [1].
In particular, modern DDoS attacks exploit a potentially large
number of bots, or compromised hosts. Since these otherwise
innocent hosts issue legitimate looking service requests to the
attacked server, the attack traffic looks like normal traffic in
terms of pps (packets per second), packet size, and packet
contents so that it is harder for existing DDoS solutions to
block them out from normal packets [1]. In the same vein,
signature-based defenses for DDoS attack are not enough to
counteract effectively. Also, because the attack traffic volume
is small, packet block method based on anomalous traffic
statistics does not work, either [1].
C. Botnets
A botnet is a collection of compromised computers often
referred to as “zombies” infected with malware that allows an
attacker to control them [7]. Computers can be co-opted into a
botnet when they execute malicious software. This can be
accomplished by luring users into making a drive-by
download, exploiting web browser vulnerabilities, or by
tricking the user into running a Trojan horse program, which
may come from an email attachment. Many computer users
are unaware that their computer is infected with
bots. Depending on how it is written, a Trojan may then delete
itself, or may remain present to update and maintain the
modules [7].
D. Honeytokens
“A honeypot is an information system resource whose value
lies in unauthorized or illicit use of that resource”. [5]
Note that in the above definition it is stated that a honeypot
does not have to be a computer, but it’s a resource that you
want the bad guys to interact with. A honeytoken can be a
credit card number, Excel spreadsheet, PowerPoint
presentation, a database entry, or even a bogus login.
Honeytokens come in many shapes and sizes; however they
all share the same concept: a digital or information system
resource whose value lies in the unauthorized use of that
resource. Just as a honeypot computer has no authorized
value, no honeytoken has any authorized use. Whatever you
create as a honeytoken, no one should be using or accessing it,
that gives honeytokens the same power and advantages as
traditional honeypots, but extend their capabilities beyond just
physical computers [7].
A honeytoken is just like a honeypot, you put it out there and
no one should interact with it. Any interaction with a
honeytoken most likely represents unauthorized or malicious
activity. What you use as a honeytoken, and how you use it, is
up to you. Maintaining who is authorized to what can be
complex, with false positives becoming a huge problem.
Honeytokens can be used to solve and simplify this problem
[7].
In this paper, we show that the emergence of SDN can reverse
the trend and make the network easily configurable to build a
robust defense against cleverly organized and targeted DDoS
attacks. In particular, we show that the proposed scheme can
effectively block the botnet-based DDoS attacks that do not
exhibit any statistical anomalies that traditional network
anomaly detection schemes can exploit for detection and
blocking. The contributions of this paper can be summarized
as follows:
A DDoS detection and mitigation scheme that uses
only the standard OpenFlow APIs is designed for
operation in general SDN environments.
The scheme is shown to work with minimal support
from the server under attack. In particular, the server
does not have to have a physical replicated service
unlike the URL redirection schemes.
The scheme is implemented as a SDN application
that runs on a popular SDN controller, POX [9].
A CAPTCHA mode is implemented on the server
under attack such that service to legitimate users is
not affected.
The implemented code is tested through emulation on
Mininet [10], where it is shown that DDoS attack
using botnet is effectively blocked.
3. GROUP 18
The rest of the paper is organized as follows. Section II gives
details about the related work in the past. Section III defines
the system architecture considered. It first clarifies the
assumptions as to the behavior of the components in the SDN
controlled network. Then it explains the main ideas, in terms
of the functions and the interactions of the system
components. Finally, it explains different modes of operation
and their respective workflows. Section IV discusses how the
designed system is implemented in Python to run on the POX
[9] controller, along with the standard OpenFlow interfaces
used in the implementation. This section validates the
implemented Python logic using the Mininet [10] emulator.
The emulation shows that the POX application successfully
blocks the DDoS attack traffic besides maintaining service to
legitimate traffic. Ultimately, section V concludes the paper
with a consideration for future work.
II. RELATED WORK
Although security is said to be a “killer app” for the SDN,
most existing security-related works in SDN is focused on the
vulnerabilities of SDN and on how to resolve them and there
is a dearth of work on using SDN to improve security in future
networks. In the literature, there are a couple of prior works
that take resemblance to our work. Jafarian et al. propose to
mutate the server address frequently so that the network
scanning prior to attack delivers an address of the victim that
will be invalidated at the time of the attack [11]. But this
scheme requires support from external network components
such as DNS, and is not scalable. Braga et al. [12] discuss how
to detect DDoS attacks in SDN. In the proposed scheme, the
detection application on the NOX controller computes six
features by obtaining flow statistics from switches through the
OpenFlow interface A shortcoming of the scheme, however, is
that it assumes IP address spoofing by the attacker. The latest
is Lim et al [1] proposes a DDoS blocking scheme applicable
to a SDN-managed network. The scheme requires
communication between the DDoS blocking application
running on the SDN and uses CAPTCHA for giving the
redirection address received from the server. [2] Discusses a
Click inspired programming framework that enables easy
implementation of security applications through modular
composition of security constructs
III. SYSTEM ARCHITECTURE
Fig. 1. System Architecture
Figure 1 shows the simplified illustration of the system
architecture. It is composed of a protected service provided by
the web server, SDN controller (POX) and the applications
running on the controller, OpenFlow switches that are
controlled by the controller through the OpenFlow interface.
In addition, there is 1 legitimate client of the service, 4 bots
and 1 botmaster. For subsequent discussions based on the
system architecture, we make the following assumptions about
the components in this paper.
HTTP server behind the SDN-based network
establishes no communication channels with the
DDoS blocking application that runs on a SDN
controller, e.g. POX. For convenience, this blocking
application is called DDoS Blocking Application
(DBA) in this paper.
The DDoS attack is mounted by a botnet, and the
botnet does not use IP address spoofing. The non-IP
spoofing assumption contrasts to some related works,
and is based on recent trend where most botnets do
not have to rely on IP spoofing to confound any
tracking effort.
Based on these assumptions and the system architecture
depicted in Fig. 1, a SDN-based DDoS blocking scheme and
in particular, the DDoS blocking application (DBA)
component has been designed.
A. Work flow
Fig. 2. New flow arrival (HTTP GET and response) [1]
When a new request from a client arrives at an OpenFlow
switch, it does not match any existing flow. It is reported to
the controller, which directs the switch to create a flow table
entry for the new packet (Fig. 2). When the server responds to
the request from the client, another flow entry is created at the
switch, but in the reverse direction [1].
Using the new flow reports, DBA monitors the total number
of flows at each flow switch. Meanwhile, the server monitors
4. GROUP 18
metrics such as number of requests per interval and number of
requests in last interval to indicate a possible DDoS attack.
When the DBA determines that a DDoS attack has
commenced and the server collapse is imminent, it starts
putting the sources whose requests per interval exceed the
nominal amount and ultimately dropping all the packets that
are destined to the server. Any host address that is present in
the blacklist maintained by the DBA is not able to get through
to the server.
The server also keeps on monitoring the number of requests
coming from the source per interval to determine whether the
attack has been commenced. Once the server detects an attack,
the server goes in the CAPTCHA mode wherein for any
subsequent requests it asks users to authenticate themselves by
entering the CAPTCHA. In this way the legitimate and
illegitimate users are differentiated.
In this paper, CAPTCHA is a randomly generated string that
has a mix of ASCII as well as numeric characters. The length
of CAPTCHA is set to be eight. But any scheme that makes
the bots experience difficulty in understanding the redirect
message will serve the purpose.
Fig. 3. System behavior against repeated bot requests [1].
When a client is classified as a bot, a flow entry with “drop”
as the associated action is installed (Fig. 5, step 11). We will
call such entry the Drop entry for convenience. One problem
is the flow table explosion due to the explosive growth of the
Drop entries that are created by bot requests [1]. Therefore,
DBA instructs all flow switches downstream of the ingress
switch to entirely delete the flow entry for the bot. As a
consequence, Drop entries will remain only in the perimeter
switches.
B. POX and OpenFlow interfaces
The workflow discussed above is implemented in POX, a
Python-based SDN controller. The Python implementation of
the entire DBA logic is approximately 200 lines. The code is
immediately usable on the POX platform, but for a large-scale
test it can be implemented on the Mininet emulator in the next
section.
The following two standards OpenFlow APIs are enough to
implement most of the logic required in the workflow that:
OFPT_PACKET_IN
OFPT_FLOW_MOD
OFPT_PACKET_IN message is used by the OpenFlow switch
to report the arrival of a certain packet. Most typically, it takes
place when the packet does not match any flow in the flow
table.
OFPT_FLOW_MOD message is used in our system. It is used
by the controller to instruct the OpenFlow switch to create,
delete, or modify a flow table entry. In each case, the
command part of the message is one of the following:
OFPFC_ADD
OFPFC_DELETE
OFPFC_MODIFY
OFPFC_ADD is used when a flow table entry should be
created at the flow switch. Obviously, it takes place when a
new flow arrives. Another use of the command is when a
source MAC address is found to be a bot by DBA, and the
flow table entry to drop the packets from the bot should be
installed at the flow switch. Normally, OFPFC_DELETE is
used when a flow terminates. Additionally, in our system, it is
used to purge all unnecessary flow entries after a source MAC
address is determined to be a bot. By the time the event takes
place, there entries created by the requests from the bot, and as
many are entries created by the server issuing the redirection
responses to them. OFPFC_MODIFY is not used in our
system.
When a flow table entry is made, an action is associated with
it. The following actions are used in the system, both of which
are mandatory in the OpenFlow standard:
Output
Drop
Output is the action to forward the packet. Drop is obviously
to drop the given packet. It is used after the flow entry to
match and drop the bot-originated packets that are installed. In
order to find a matching flow in the OpenFlow API, various
fields can be used in the packet, such as IP protocol number,
IPv4 addresses, IPv6 addresses, TCP/UDP port numbers,
incoming switch port, Ether type, and MAC addresses [1]. In
this project, the parameters source and destination MAC
5. GROUP 18
addresses and the source port number are used to match packet
entries.
IV. EXPERIMENTS
In order to validate the correctness of the logic in the proposed
scheme and evaluate its performance, we test the DBA code
for POX. For a massive attack experiment, we choose to use
network emulator called Mininet [10]. Mininet is a network
emulator that can model a network of virtual hosts, switches,
controllers, and links for SDN. Compared to simulators,
Mininet runs real, unmodified code including application
code, OS kernel code, and control plane code (both OpenFlow
controller code and Open vSwitch code), and easily connects
to real networks. In particular, our DBA code that runs on real
POX [9] platform also runs on Mininet in emulation. In
emulation, Mininet hosts run standard Linux network
software, and Mininet switches support OpenFlow [6] for
highly flexible custom routing and software defined
networking. For our experiments, we use Mininet 2.1.0, which
supports OpenFlow v1.3 standard. Also on the Mininet
testbed, we create a large number of bots to mount a DDoS
attack on a protected server in a SDN-managed network.
A. Parameters
Table 1: Mininet emulation parameters
parameter Meaning Default
value
Flow count threshold 40
Ctotal Total No. of possible
connections
100
Cavg No. of average connections per
interval
0
Clast No. of connections in last
interval
0
n No. of legitimate users 1
k No. of bots 4
m No. of master bots 1
- Server refresh rate 2 secs
- Request arrival process Poisson
Table 1 summarizes the parameters used in our experiment.
We assume there are two groups of clients, legitimate and
malicious. Namely, bots are modeled as being more active
than legitimate users, but not as anomalously as can be noticed
by the network. The requests are issued with the exponential
inter-arrival time distribution. Today’s botnets can be huge,
sometimes boasting up to half a million-strong army of bots.
Unfortunately, we could not emulate such a large-scale attack,
due to the Mininet limitation. As Mininet can emulate only up
to certain limited number of nodes we scaled down the server
to have a maximum of Ctotal connections at a time. The server
and the DBA know when a large fraction of the maximum
allowable connections is exceeded. In this paper, we assume
that the server suspects a DDoS attack if the load reaches 50%
of the maximum capacity. We assume that there are n = 1
legitimate users and k = 4 bots that issue requests at their
given intensities. For each request, the server is assumed to be
responsive, so the response is returned in no time.
B. Emulation setup
Honeytokens:
In this project honeytokens are used as a means to lure
malicious users. And hence the web server has two files
namely, ‘asdf.txt’ which is a legitimate file and
‘classified.txt’ is a honeytoken. The server maintains its
own blacklist to track the IP of those users that try to access
the honeytoken.
Attack Mode:
In attack mode, it is assumed that there is no DBA type
application running over the controller side and that it
functions just as a normal layer 2 learning switch. Hence,
whenever the SDN controller (POX) is switched ON,
typical flooding action is observed. The master (m) waits
for all the slaves (bots (k)) to connect to it and once the last
bot connects, it starts issuing commands to bots to start the
flooding attack.
Defense Mode:
In defense mode, DDoS blocking Application (DBA) runs
over POX, which is used for both detection and mitigation
of the attack. DBA keeps on monitoring number of flows
based on (src MAC, dst MAC) pair and once the flow count
> threshold (), the corresponding source and destination
MAC addresses are added to the Blacklist and respective
packets are dropped. Furthermore, the server in this not a
typical web server, it keeps on monitoring Cavg and Clast.
If Clast > Cavg CAPTCHA mode is enabled. Hence, for any
subsequent request the server will respond with a random
string for authentication and if sent. (CAPTCHA) ==
received. (CAPTCHA) user is authenticated and only then
the client will receive its response.
C. Emulation results
In attack mode, since there is no blocking application
running over the SDN controller, the controller instructs
switches to add all the entries into its flow table and forward
them. Hence, the switches forward all the GET request from
the bot towards the server; as a result the server is
overloaded and unable to provide any further service
resulting in Distributed Denial of Service (DDoS).
Therefore, the server shuts down for prevention of any data
loss and has to reboot.
However, in the defense mode there is attack detection and
mitigation application running over POX that keeps track of
flows and once it detects the attack it instructs switches to
6. GROUP 18
drop the particular flows there by reducing the number of
requests reaching to the server. Additionally, the DBA and
server are so finely calibrated in a way that once DBA
detects an attack the serve goes into the CAPTCHA mode
for differentiating legitimate user from the bot and
ultimately preventing illegal access to the data.
Moreover, in the case of honeytokens the probability of an
attack from a blacklisted IP is more therefore, all the IP
addresses in the blacklist are denied access to the actual data
and the administrator can put these users in the controller’s
blacklist thereby preventing any future attacks or malicious
activity.
Finally, from the observations the system provides overall
functionality in an integrated manner wherein attacks are
precisely detected and mitigated, controlled access to the
important data is ensured and prevention of future attacks is
also guaranteed.
D. Discussion
As there are a variety of CAPTCHA techniques and as
many CAPTCHA breakers, the proposed scheme cannot
entirely depend upon the strength of CAPTCHA to deter
bots. It is up to the server to present the redirection
information to legitimate clients in a format machine
decoding is computationally expensive. The drawback of
[1] was that the scheme required communication between
the DDoS blocking application running on the SDN
controller and the server to be protected. But, our approach
reduces the dependence on the pre-arranged cooperation
between the SDN controller and the protected server so that
SDN can provide transparent protection to servers inside it.
V. CONCLUSION
In this project, a DDoS detection and mitigation scheme is
proposed that is applicable in a SDN-managed network. The
scheme does not require communication between the DDoS
blocking application running on the SDN controller and the
server to be protected. Controlled access to the important data
is ensured using CAPTCHA. Furthermore, honeytokens are
used as a mechanism for early detection and confirmation of
advanced insider threats. The proposed scheme culminates in
an application that orchestrates the defense through simple and
few OpenFlow interfaces. The implemented code for POX
controller is validated on Mininet emulator, and is shown to
block DDoS attack from bots.
REFERENCES
[1] Lim, S.; Ha, J.; Kim, H.; Kim, Y.; Yang, S., "A
SDN-oriented DDoS blocking scheme for botnet-
based attacks," Ubiquitous and Future Networks
(ICUFN), 2014 Sixth International Conf on , vol.,
no., pp.63,68, 8-11 July 2014.
[2] S. Shin et al., “FRESCO: Modular Composable
Security Services for Software-Defined Networks,”
Proc. ISOC NDSS, 2013.
[3] Open Networking Foundation, OpenFlow Switch
Specification v.1.4.0, Oct. 2013.
[4] Kreutz, D.; Ramos, F.M.V.; Esteves Verissimo, P.;
Esteve Rothenberg, C.; Azodolmolky, S.; Uhlig, S.,
"Software-Defined Networking: A Comprehensive
Survey," Proceedings of the IEEE , vol.103, no.1,
pp.14,76, Jan. 2015
[5] Spitzner, L., "Honeypots: catching the insider
threat," Computer Security Applications Conference,
2003. Proceedings. 19th Annual , vol., no.,
pp.170,179, 8-12 Dec. 2003
[6] Open Networking Foundation, “Operator network
monetization through OpenFlow-enabled SDN,” Apr.
2013.
[7] Ramneek, Puri (2003-08-08). "Bots & Botnet: An
Overview" (PDF). SANS Institute. Retrieved 12
November 2013.
[8] Honeytokens: The Other Honeypot Lance Spitzner
2003-07-17
[9] About POX, http://www.noxrepo.org/pox/about-
pox/.
[10] Mininet. http://mininet.org/overview.
[11] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “OpenFlow
Random Host Mutation: Transparent Moving Target
Defense using Software Defined Networking,” Proc.
ACM HotSDN, pp. 127-132, 2012.
[12] R. Braga, E. mota, and A. Passito, “Lightweight
DDoS Flooding Attack Detection Using
NOX/OpenFlow,” Proc. IEEE LCN, pp. 408-415,
2010.