Analysis of the resilience of open source smart home platforms to DDoS attacks
Abstract: This study analyzes the resilience of open source smart home platforms, namely Home Assistant, RaspberryMatic, HomeBridge, Nymea, and OpenHABian, against distributed denial of service (DDoS) attacks such as TCP SYN flood, UDP flood, and Internet Control Message Protocol (ICMP) flood in IPv4 and IPv6 networks. As the IoT ecosystem grows, so does the importance of cybersecurity for smart home platforms. The research evaluates the impact of different attack intensities on the availability and stability of the platforms, comparing their performance under both network protocols. Experimental results show differences in the resilience of each platform. IPv6 showed higher resilience to high-frequency DDoS attacks, while IPv4 showed higher stability at moderate load levels. The results highlight the need to optimize network protocols and security mechanisms to increase the reliability and resilience of smart homes against DDoS attacks.
- Research Article
- 10.1109/jiot.2020.3026023
- Apr 15, 2021
- IEEE Internet of Things Journal
The Internet of Things (IoT) has facilitated the prosperity of smart environments such as smart homes. Meanwhile, WiFi is a broadly used technology for the wireless connectivity of IoT devices. However, smart home IoT devices are often vulnerable to various security attacks. This article quantifies the impact of distributed denial of service (DDoS) and energy-oriented DDoS attacks (E-DDoS) on WiFi smart home devices and explores the underlying reasons from the perspective of the attacker, the victim device, and the access point (AP). Compared to existing work, which primarily focuses on DDoS attacks launched by compromised IoT devices against servers, our work focuses on the connectivity and energy consumption of IoT devices when under attack. Our key findings are threefold. First, the minimum DDoS attack rate causing service disruptions varies significantly among different IoT smart home devices, and buffer overflow within the victim device is validated as critical. Second, the group key updating process of WiFi may facilitate DDoS attacks by causing faster victim disconnections. Third, a higher E-DDoS attack rate sent by the attacker may not necessarily lead to higher energy consumption by the victim. Our study reveals the communication protocols, attack rates, payload sizes, and the state of the victim devices' ports as the vital factors that determine the energy consumption of victim devices. These findings facilitate a thorough understanding of IoT devices' potential vulnerabilities within a smart home environment and lay solid foundations for future studies on defense solutions.
- Research Article
- 10.32603/2071-8985-2024-17-8-65-80
- Jan 1, 2024
- LETI Transactions on Electrical Engineering & Computer Science
Modern methods of analyzing and protecting network infrastructure against DDoS (Distributed Denial of Service) attacks are discussed. A DDoS detection model has been developed using statistical techniques, which highlights the main stages of the attacks and key characteristics of network traffic that are crucial for detecting an attack. Potential and attack power are introduced as main concepts in assessing DDoS activity. To identify the type of attack, it is suggested to increase the sensitivity of the model by identifying key characteristics that distinguish between different attack stages. The features of various DDoS attack types, such as UDP Flood, UDP Reflection/Amplification, and TCP SYN Flood, are considered. A framework for modeling DDoS network attacks has been created. DDoS attacks including UDP Flood, UDP Reflection/Amplification and TCP SYN Flood were simulated using traffic data collected via the NetFlow protocol. The proposed attack characteristics, including speed, flow volume, and flow rate, allowed us to evaluate the attack's power and consider how to change the key characteristics of network traffic.
- Research Article
- 10.4236/jis.2011.21005
- Jan 1, 2011
- Journal of Information Security
Cyber attacks continue to hamper the working of Internet services despite the increased use of network security systems such as firewalls and Intrusion Protection Systems (IPS). The recent Distributed Denial of Service (DDoS) attacks on Dec 8th, 2010 by WikiLeaks supporters on the Visa and MasterCard websites made headlines on prime news channels all over the world. Other famous DDoS attacks, on the Independence Day weekend of July 4th, 2009, were launched to debilitate the US and South Korean governments' websites. These attacks raised questions about the capabilities of the security systems used in the network to counteract such attacks. Firewall and IPS security systems are commonly used today as a front-line defense mechanism against DDoS attacks. In many deployments, the performance of these security devices is seldom evaluated for effectiveness. Different security devices perform differently in stopping DDoS attacks. In this paper, we intend to make the point that it is important to evaluate the capability of firewall or IPS security devices before they are deployed to protect a network or a server against DDoS attacks. We evaluate the effectiveness of a security device called Netscreen 5GT (or NS-5GT) from Juniper Networks under Layer-4 flood attacks at different attack loads. The NS-5GT comes with a feature called TCP-SYN proxy protection to protect against TCP-SYN based DDoS attacks, and a UDP protection feature to protect against UDP flood attacks. Looking at these security features in the equipment's data sheet, one might assume the device protects the network against such DDoS attacks. In this paper, we conducted real experiments to measure the performance of the NS-5GT under TCP SYN and UDP flood attacks and to test the performance of these protection features.
It was found that Juniper's NS-5GT mitigated the effect of DDoS traffic to some extent, especially when the attack was of lower intensity. However, the device was unable to provide any protection against Layer-4 flood attacks when the load exceeded 40 Mbps. In order to guarantee a measured level of security, it is important for network managers to measure the actual capabilities of a security device, using real attack traffic, before it is deployed to protect a critical information infrastructure.
- Research Article
- 10.14738/tnc.83.8250
- Jun 30, 2020
- Transactions on Networks and Communications
The use of Denial of Service (DoS) and Distributed Denial of Service (DDoS) packets by an attacker may vary and depends on the kinds of services and protocols involved. A flooding DDoS attack relies on an immense volume of attack traffic, referred to as flooding-based DDoS packets. Flooding-based DDoS packets attempt to block the victim's network bandwidth with genuine-looking but unwanted IP data, so that legitimate IP packets cannot reach the victim because of the lack of bandwidth resources. An Internet Control Message Protocol (ICMP) flood is started by sending a large number of ICMP packets to a remote host. As a result, the victim system's resources are consumed by handling the attacking packets, which eventually makes the system unavailable to other clients. In this paper, we identify ICMP Flood DDoS packets using Wireshark.
- Conference Article
- 10.1109/incet54531.2022.9824510
- May 27, 2022
HTTP flood DDoS (Distributed Denial of Service) attacks send illegitimate HTTP requests to the targeted site or server. These attacks overwhelm networks with the help of a massive number of attacking nodes, thus blocking incoming traffic. Devices connected to computer networks are the major source of distributed denial of service attacks (or botnet attacks). Manufacturers rapidly increase the number of network devices as requirements grow across different environments. Generally, manufacturers cannot ship computer network products with high-level security, so those network products require additional security to prevent DDoS attacks. The present technology is filled with 4G, which will have an impact on DDoS attacks. Millions of DDoS attacks are experienced every year by companies and individuals. A DDoS attack on a network leads to loss of assets, data and other resources, and purchasing new equipment and repairing a DDoS-attacked network is financially costly. Prevention mechanisms like CAPTCHA are now outdated against bots and are solved easily by advanced bots. In the proposed work, a secured botnet prevention mechanism provides network security by preventing and mitigating HTTP flooding based DDoS attacks and allowing genuine incoming traffic to reach the application or server in a network environment, with the help of integrating an invisible challenge and Resource Request Rate algorithms into the application. It offers a double security layer to handle malicious bots for prevention and mitigation.
- Research Article
- 10.3390/s20185298
- Sep 16, 2020
- Sensors (Basel, Switzerland)
Smart devices along with sensors are gaining in popularity with the promise of making life easier for the owner. As the number of sensors in an Internet of Things (IoT) system grows, a question arises as to whether the transmission between the sensors and the IoT devices is reliable and whether the user receives alerts correctly and in a timely manner. Increased deployment of IoT devices with sensors increases possible safety risks. It is IoT devices that are often misused to create Distributed Denial of Service (DDoS) attacks, owing to the weak security of IoT devices against misuse. The article looks at the issue from the opposite point of view, where the target of a DDoS attack is the IoT devices in a smart home environment. The article examines how IoT devices and the entire smart home will behave if they become victims of a DDoS attack aimed at the smart home from the outside. The question of security was posed in terms of whether a legitimate user can continue to control and receive information from IoT sensors, as is available during normal operation of the smart home. The case study was done both from the point of view of an attack on the central units managing the IoT sensors directly, and on the smart-home personal assistant systems with which the user can control the IoT sensors. The article presents experimental results for the individual attacks performed in the case study and demonstrates the resistance of real IoT sensors against DDoS attack. The main novelty of the article is that implementing a personal assistant in the smart home environment increases the resistance of the user's communication with the sensors. This study is a pilot testing the selected sensor sample to show the behavior of a smart home under DDoS attack.
- Research Article
- 10.62527/joiv.8.4.2175
- Dec 31, 2024
- JOIV : International Journal on Informatics Visualization
This study is grounded in a comprehensive review of literature on smart homes and Distributed Denial of Service (DDoS) attacks. To evaluate the defensive capabilities of pfSense and Suricata, a simulated Slowloris DDoS attack was performed on a smart home network, both with and without these security measures. Data was collected for each attack instance, followed by an analysis of the attack's effectiveness and the botnets' responses to refine DDoS assault strategies targeting smart home networks. The results revealed that the network was highly vulnerable without defense mechanisms, collapsing under the attack. In contrast, implementing pfSense and Suricata enabled swift detection and mitigation, neutralizing the attack within 15 seconds. Further testing involved five different scenarios, each assessing the ability of these systems to detect and block DDoS attacks. In all cases, the attacks were identified within 60 seconds. Attackers varied HTTP headers to flood IP-based cameras with packets ranging from 500 to 3000. The findings highlight the significant vulnerability of IoT devices in smart homes to cyber threats. However, deploying pfSense and Suricata proved to be a practical approach for detecting and mitigating DDoS attacks. The research underscores the importance of selecting high-quality hardware, evaluating IoT security features, and adopting proactive security practices to bolster smart home security.
- Research Article
- 10.3390/app11115213
- Jun 4, 2021
- Applied Sciences
DDoS (Distributed Denial of Service) attacks have become a pressing threat to the security and integrity of computer networks and information systems, which are indispensable infrastructures of modern times. The detection of DDoS attacks is a challenging issue that must be solved before any mitigation measures can be taken. ML/DL (Machine Learning/Deep Learning) has been applied to the detection of DDoS attacks with satisfactory achievement. However, full-scale success is still beyond reach due to an inherent problem with ML/DL-based systems, the so-called Open Set Recognition (OSR) problem. This is a problem where an ML/DL-based system fails to deal with new instances not drawn from the distribution of the training data. The problem is particularly profound in detecting DDoS attacks, since DDoS attack technology keeps evolving and has changing traffic characteristics. This study investigates the impact of the OSR problem on the detection of DDoS attacks. In response to this problem, we propose a new DDoS detection framework featuring Bi-Directional Long Short-Term Memory (BI-LSTM), a Gaussian Mixture Model (GMM), and incremental learning. Unknown traffic captured by the GMM is subject to discrimination and labeling by traffic engineers, and is then fed back to the framework as additional training samples. Using the data sets CIC-IDS2017 and CIC-DDoS2019 for training, testing, and evaluation, experimental results show that the proposed BI-LSTM-GMM can achieve recall, precision, and accuracy of up to 94%. Experiments reveal that the proposed framework can be a promising solution to the detection of unknown DDoS attacks.
- Research Article
- 10.1371/journal.pone.0297548
- Feb 8, 2024
- PloS one
Software Defined Network (SDN) has alleviated traditional network limitations but faces a significant challenge due to the risk of Distributed Denial of Service (DDoS) attacks against an SDN controller, with current detection methods lacking evaluation on unrealistic SDN datasets and standard DDoS attacks (i.e., high-rate DDoS attack). Therefore, a realistic dataset called HLD-DDoSDN is introduced, encompassing prevalent DDoS attacks specifically aimed at an SDN controller, such as User Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). This SDN dataset also incorporates diverse levels of traffic fluctuations, representing different traffic variation rates (i.e., high and low rates) in DDoS attacks. It is qualitatively compared to existing SDN datasets and quantitatively evaluated across all eight scenarios to ensure its superiority. Furthermore, it fulfils the requirements of a benchmark dataset in terms of size, variety of attacks and scenarios, with significant features that highly contribute to detecting realistic SDN attacks. The features of HLD-DDoSDN are evaluated using a Deep Multilayer Perception (D-MLP) based detection approach. Experimental findings indicate that the employed features exhibit high performance in the detection accuracy, recall, and precision of detecting high and low-rate DDoS flooding attacks.
- Research Article
- 10.30572/2018/kje/160221
- Apr 30, 2025
- Kufa Journal of Engineering
Due to the growing dependence of digital services on the Internet, Distributed Denial of Service (DDoS) attacks are a common threat that can cause significant disruptions to online operations and financial losses. Machine learning (ML) offers a promising way for early DDoS attack detection due to its ability to analyze large datasets and identify patterns. However, adding too many features to the ML model might reduce its effectiveness in identifying attacks in centralized network paradigms such as the Software-Defined Network (SDN). In this research, we investigate the effectiveness of ML methods (Random Forest (RF), Naive Bayes (NB), and K-Nearest Neighbor (KNN)) combined with SDN to enhance the classification of DDoS attacks. We leverage three diverse datasets: DDoS attack SDN, CICDDoS2019, and the SDN-DDOS-TCP-SYN dataset. By leveraging cross-feature selection and feature ranking techniques, such as information gain, gain ratio, and Gini importance, we could identify the most relevant network features for DDoS attacks. We reduced the feature set to 5 effective features without compromising classification accuracy. The experimental results show that the proposed models achieved an accuracy of 100% for both Random Forest (RF) and K-Nearest Neighbor (KNN), and 99.8% for Naive Bayes (NB). Due to their high accuracy and lower complexity, KNN and NB outperform the other ML algorithms in this study.
- Research Article
- 10.26483/ijarcs.v8i5.3391
- Jun 25, 2017
- International Journal of Advanced Research in Computer Science
In this new era of digital science, networks and their capacities are growing significantly and increasing their market value. Attackers are gradually improving their skill sets by developing powerful tools to stay ahead in the world of black hats. Distributed Denial of Service (DDoS) attacks are among the most dangerous attacks on Internet services and networks, and are carried out in various forms such as server crashing, router crashing, slow CPU performance, etc. Attackers implement various techniques to launch DDoS attacks on target computers or networks. In this paper, we discuss the TCP SYN flooding DDoS attack and mitigation techniques that reduce its effect. We present a mitigation method for TCP SYN flood DDoS attacks on the Apache server that captures the attackers' IP addresses and sends TCP RST over the continuous flow of SYN+ACK. This reduces the effect of SYN flooding for a customised time duration, and legitimate users can maintain their connection accessibility.
- Research Article
- 10.25126/jtiik.20241127528
- Aug 26, 2024
- Jurnal Teknologi Informasi dan Ilmu Komputer
This research aims to design a Unified Threat Management (UTM) system based on open-source applications that is able to perform Threat Mitigation and apply traffic management on a TCP/IP network. The Threat Mitigation method uses SNORT as an Intrusion Prevention System (IPS) to act on threats and to monitor traffic, integrated with the Splunk application as Security Information and Event Management (SIEM). The Traffic Policy method uses SQUID as a proxy to perform traffic management. Network performance testing was carried out by first measuring Quality of Service (QOS) parameters on each access device to observe network performance during an attack before and after the UTM implementation. The Distributed Denial of Service (DDOS) attacks took the form of an Internet Control Message Protocol (ICMP) Flood and a SYN Flood. After simulating the DDOS attack for 5 minutes, Threat Mitigation was able to drop 232409 packets originating from the DDOS attack, with a maximum throughput of 1.823 Mbps, better than the throughput produced by the DDOS attack before the UTM implementation, which was 869 Mbps. The QOS parameter index for each network access device has an index value of 4, better than the QOS parameter index before the UTM implementation, which was 2.843. The Traffic Policy on the UTM was able to achieve a bandwidth efficiency of 4.66% or 943.6645 MB out of a total cache volume of 20.23 GB, by applying a web cache for Hyper Text Transfer Protocol (HTTP) access and a throughput limit of 300 KB on image, audio, video and executable file extensions larger than 20 MB. Abstract: This final project aims to design a Unified Threat Management (UTM) system based on open-source applications that is capable of mitigating threats and implementing traffic management on a TCP/IP network.
The Threat Mitigation method uses SNORT as an Intrusion Prevention System (IPS), integrated with Splunk as Security Information and Event Management (SIEM). The Traffic Policy method uses SQUID as a proxy to implement traffic management. Network performance testing was carried out by measuring the QOS parameters on each access device in order to see network performance when an attack occurs, before and after the UTM implementation. The Distributed Denial of Service attacks were simulated with an Internet Control Message Protocol (ICMP) Flood and a SYN Flood. After simulating the DDOS attack for 5 minutes, Threat Mitigation was able to drop 232409 packets originating from the DDOS attack, with a maximum throughput value of 1.823 Mbps, better than before the implementation of UTM, which was 869 Mbps. The QOS index parameter for each access device has an index value of 4, better than before the implementation of UTM, which was 2.843. Traffic Policy was able to achieve a bandwidth efficiency of 4.66% or 943.6645 MB from a total cache volume of 20.23 GB, by implementing a web cache for Hyper Text Transfer Protocol (HTTP) access and limiting throughput to 300 KB for image, audio, video and executable files above 20 MB in size.
- Research Article
- 10.1080/02564602.2016.1192964
- Aug 2, 2016
- IETE Technical Review
Abstract: The number of Internet users and devices that need IP addresses assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security, since it provides built-in security mechanisms such as IPSec. In addition, it brought new functionalities, such as the Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks brought in by its new features. One of the most common attacks is the Denial of Service (DoS) attack, due to the ease with which it can be launched in different ways. A more serious DoS attack can be launched from many hosts, and is called Distributed Denial of Service (DDoS). DoS and DDoS attacks are a thorny and grave problem of today's Internet, resulting in economic damage for organizations and individuals. Therefore, this paper studies the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it describes the existing tools that might be used for performing these attacks.
- Research Article
- 10.4236/jis.2011.23011
- Jan 1, 2011
- Journal of Information Security
During Distributed Denial of Service (DDoS) attacks, computers are made to attack other computers. Newer firewalls nowadays provide prevention against such attack traffic. McAfee SecurityCenter Firewall is one of the most popular security software products, installed on millions of Internet-connected computers worldwide. "McAfee claims that if you have installed McAfee SecurityCenter with anti-virus and antispyware and Firewall then you always have the most current security to combat the ever-evolving threats on the Internet for the duration of the subscription". In this paper, we present our findings regarding the effectiveness of the McAfee SecurityCenter software against some of the popular Distributed Denial of Service (DDoS) attacks, namely ARP Flood, Ping Flood, ICMP Land, TCP-SYN Flood and UDP Flood attacks, on a computer with McAfee SecurityCenter installed. The McAfee SecurityCenter software has a built-in firewall which can be activated to control and filter inbound/outbound traffic. It can also block ping requests in order to stop or subdue ping-based DDoS attacks. To test the McAfee SecurityCenter software, we created the corresponding attack traffic in a controlled lab environment. It was found that the McAfee Firewall software itself was incurring DoS (Denial of Service) by completely exhausting the available memory resources of the host computer during its operation to stop the external DDoS attacks.
- Research Article
- 10.6688/jise.2014.30.6.1
- Nov 1, 2014
- Journal of Information Science and Engineering
In the modern technological world, with the increasing dependency on the Internet, security threats are on the rise. The Distributed Denial of Service (DDoS) attack is one of the biggest threats. Attackers tend to exhaust network resources while ingeniously hiding their identity, making the defense process extremely difficult. Many researchers have proposed various solutions to trace back the true origin of an attack. Among them, Internet Control Message Protocol (ICMP) traceback was considered an industry standard by the Internet Engineering Task Force (IETF). ICMP Traceback (ITrace) does not require any change in the existing infrastructure. However, it consumes considerable bandwidth and requires a large number of packets to trace back an attacker. This work proposes a Single Packet ICMP Traceback technique using Router Interface (SPITRI). It traces the origin of a flooding attack with a single ICMP packet. The bandwidth overhead incurred by SPITRI is several times less than that of ITrace. SPITRI was simulated over the CAIDA Ark dataset. It can trace back attackers with high accuracy, with zero false positives and zero false negatives. The efficacy of the proposed scheme is demonstrated by simulating it and comparing it with ITrace and the latest router-interface-based single packet traceback scheme.