Abstract

Low-rate distributed denial of service (LDDoS) attacks pose a particularly challenging threat to network security devices and services, because they are difficult both to detect and to mitigate. In an LDDoS attack the attacker sends a low volume of malicious traffic that closely resembles legitimate traffic, so it enters the network silently and without notice. It can nonetheless severely disrupt network services, deplete system resources, and degrade network throughput, which places LDDoS among the most damaging attack types. There are several kinds of LDDoS, including application-server-based attacks and attacks based on ICMP error messages; this paper is concerned solely with the latter. The paper proposes a mechanism to mitigate low-rate ICMP error message attacks that target security devices such as firewalls. The mechanism triggers a rejection rule against the detected attack as early as possible in order to preserve firewall resources. The rejection rule has an adaptive activity time, during which it continues to reject the corresponding low-rate attack packets. This activity time is predicted dynamically for the next rule activation period from the current and previous attack severity and from statistical parameters. The rule activity time must also be stabilized, so that it neither adds overhead to the system nor causes incremental loss of the corresponding legitimate packets. Experimental results demonstrate that the proposed mechanism can efficiently defend against the incremental evasion cycle of low-rate attacks while monitoring the rejection rule activity duration to minimize legitimate traffic loss.

Highlights

  • Interconnected computer systems and networks still suffer from security threats, especially Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks

  • According to Corero research [5], [6], the vast majority of DDoS attacks are relatively low-rate: 98% of them are below 10 Gbps, and the average attack is short, with 81% lasting less than 10 minutes

  • This paper proposes a mechanism to defend against low-rate Denial of Firewalling (DoF) attacks that use ICMP error messages


Summary

INTRODUCTION

Interconnected computer systems and networks still suffer from security threats, especially Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

1) BLACKNURSE ATTACK

This attack depends on sending low-rate ICMP error messages [Type 3 (Destination Unreachable), Code 3 (Port Unreachable)] to the targeted firewall [7]–[9]. These error messages are among the most computationally expensive for a stateful firewall to handle, because processing them consumes a disproportionate share of the firewall's CPU, so a modest packet rate is enough to exhaust it.

Common DoF attacks are mitigated using threshold-based mechanisms, such as the Screen features of Juniper Networks devices [28]. These mechanisms require a carefully balanced threshold configuration: a high activation threshold may let attack traffic pass through the firewall, while a low one may introduce legitimate packet loss.

TTD(t + 1): the predicted rule activity time duration, in seconds, to be used in observation window t + 1 once the rule is triggered.
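The following simulation is an added example, not code from the paper: it runs a per-window threshold detector for ICMP Type 3 / Code 3 traffic, triggers a timed early-rejection rule as soon as the threshold is crossed, and predicts the next activity time TTD(t+1) from the current and previous attack severity, clamped to a fixed range for stability. The predictor (severity estimated from how fast the threshold was crossed, blended by an exponential moving average, a decay per quiet window, and the min/max clamp) is a hypothetical rule chosen for illustration; the paper's own formula is not reproduced on this page. The traffic mix (a bursty attacker that pauses between bursts, steady legitimate ICMP 3/3, and echo requests) is constructed, and all names such as `TimedEarlyRejection` and `build_traffic` are the example's own.

```python
"""Timed early-rejection rule for low-rate ICMP error-message (BlackNurse-style)
traffic. Added example, not the paper's code; the TTD predictor is hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List

ICMP_DEST_UNREACH = 3   # ICMP Type 3
CODE_PORT_UNREACH = 3   # Code 3: the message type a BlackNurse attack floods


@dataclass
class Packet:
    t: float         # arrival time in seconds
    icmp_type: int
    icmp_code: int
    legit: bool      # ground truth; used only to score the simulation


@dataclass
class TimedEarlyRejection:
    window: float = 1.0      # observation window length (s)
    threshold: int = 10      # ICMP 3/3 packets per window that trigger the rule
    ttd_min: float = 1.0     # stabilisation bounds on the activity time (assumed)
    ttd_max: float = 20.0
    alpha: float = 0.5       # weight of current severity vs. previous severity
    growth: float = 1.0      # how strongly severity lengthens the next TTD
    decay: float = 0.9       # shrink factor per quiet window (no trigger, rule idle)
    ttd: float = 2.0         # TTD(t+1): activity time used at the next activation
    severity: float = 0.0    # smoothed attack severity (0 = exactly threshold rate)
    count: int = 0           # ICMP 3/3 packets seen in the current window
    window_start: float = 0.0
    active_until: float = -1.0
    triggered: bool = False  # rule was triggered in the current window
    stats: Dict[str, int] = field(default_factory=lambda: {
        "attack_rejected": 0, "legit_rejected": 0, "attack_passed": 0,
        "legit_passed": 0, "other_passed": 0, "activations": 0})

    def _clamp(self, v: float) -> float:
        return max(self.ttd_min, min(self.ttd_max, v))

    def _roll_windows(self, t: float) -> None:
        # Close every observation window that ended at or before t.
        while t >= self.window_start + self.window:
            window_end = self.window_start + self.window
            if not self.triggered and self.active_until <= window_end:
                # Quiet window while the rule was idle: shrink TTD towards ttd_min
                # so a one-off burst does not keep rejecting legitimate ICMP.
                self.ttd = self._clamp(self.ttd * self.decay)
                self.severity *= 1.0 - self.alpha
            self.count, self.triggered = 0, False
            self.window_start = window_end

    def _activate(self, t: float) -> None:
        self.stats["activations"] += 1
        self.triggered = True
        self.active_until = t + self.ttd            # apply the TTD predicted earlier
        # Severity: observed rate relative to the threshold rate, estimated from how
        # far into the window the threshold was crossed, blended with history (EWMA).
        elapsed = max(t - self.window_start, 1e-3)
        current = (self.count / elapsed) / (self.threshold / self.window) - 1.0
        self.severity = self.alpha * current + (1.0 - self.alpha) * self.severity
        # Predict TTD(t+1) for the next activation; the clamp is the stabilisation.
        self.ttd = self._clamp(self.ttd * (1.0 + self.growth * self.severity))

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is rejected."""
        self._roll_windows(p.t)
        if (p.icmp_type, p.icmp_code) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            self.stats["other_passed"] += 1          # rule never touches other traffic
            return True
        if p.t >= self.active_until:
            self.count += 1
            if self.count <= self.threshold or self.triggered:
                self.stats["legit_passed" if p.legit else "attack_passed"] += 1
                return True
            self._activate(p.t)                      # threshold crossed: trigger now
        self.stats["legit_rejected" if p.legit else "attack_rejected"] += 1
        return False


def build_traffic(duration: float = 30.0, attack_pps: int = 40, on: float = 2.0,
                  off: float = 3.0, legit_pps: int = 2) -> List[Packet]:
    """Constructed traffic: steady legitimate ICMP 3/3 and echo requests, plus an
    attacker who sends bursts and pauses, hoping to outlast the rejection rule."""
    pkts = [Packet(i / legit_pps, 3, 3, True) for i in range(int(duration * legit_pps))]
    pkts += [Packet(i + 0.5, 8, 0, True) for i in range(int(duration))]  # echo requests
    start = 0.0
    while start < duration:
        end = min(start + on, duration)
        k = 0
        while start + k / attack_pps < end:
            pkts.append(Packet(start + k / attack_pps + 1e-4, 3, 3, False))
            k += 1
        start = end + off
    return sorted(pkts, key=lambda p: p.t)


def run(pkts: List[Packet], **params) -> Dict[str, float]:
    fw = TimedEarlyRejection(**params)
    for p in pkts:
        fw.process(p)
    return {**fw.stats, "final_ttd": fw.ttd}


if __name__ == "__main__":
    traffic = build_traffic()
    print("adaptive TTD :", run(traffic))
    print("fixed 2 s TTD:", run(traffic, growth=0.0, decay=1.0))
```

Running both configurations on the same traffic shows the trade-off the text describes: with the adaptive TTD the rule stays active across the attacker's pauses, so fewer attack packets get through but more legitimate ICMP 3/3 packets are rejected while it is active; with a fixed 2 s TTD every burst re-triggers the rule, letting the first packets of each burst reach the firewall. The echo requests are never affected, since the rule only matches the ICMP type/code under attack.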

EVASION ATTACK AGAINST TIMED EARLY REJECTION RULE
TTD ADJUSTMENT PROCESS
CONCLUSION
