High-rate Distributed Denial Of Service Research Articles

HLD-DDoSDN: High and low-rates dataset-based DDoS attacks against SDN.

Software Defined Network (SDN) has alleviated traditional network limitations but faces a significant challenge due to the risk of Distributed Denial of Service (DDoS) attacks against an SDN controller, with current detection methods lacking evaluation on unrealistic SDN datasets and standard DDoS attacks (i.e., high-rate DDoS attack). Therefore, a realistic dataset called HLD-DDoSDN is introduced, encompassing prevalent DDoS attacks specifically aimed at an SDN controller, such as User Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). This SDN dataset also incorporates diverse levels of traffic fluctuations, representing different traffic variation rates (i.e., high and low rates) in DDoS attacks. It is qualitatively compared to existing SDN datasets and quantitatively evaluated across all eight scenarios to ensure its superiority. Furthermore, it fulfils the requirements of a benchmark dataset in terms of size, variety of attacks and scenarios, with significant features that highly contribute to detecting realistic SDN attacks. The features of HLD-DDoSDN are evaluated using a Deep Multilayer Perception (D-MLP) based detection approach. Experimental findings indicate that the employed features exhibit high performance in the detection accuracy, recall, and precision of detecting high and low-rate DDoS flooding attacks.

AccFlow: Defending against the Low-Rate TCP DoS Attack in Drones

As drones are widely employed in various industries and daily life, concerns regarding their safety have been gradually emerging. Denial of service (DoS) attacks have become one of the most significant threats to the stability of resource-constrained sensor nodes. Traditional brute-force and high-rate distributed denial of service (DDoS) attacks are easily detectable and mitigated. However, low-rate TCP DoS attacks can considerably impair TCP throughput and evade DoS prevention systems by inconspicuously consuming a small portion of network capacity, and whereas the literature offers effective defense mechanisms against DDoS attacks, there is a gap in defending against Low-Rate TCP DoS attacks. In this paper, we introduce AccFlow, an incrementally deployable Software-Defined Networking (SDN)-based protocol designed to counter low-rate TCP DoS attacks. The main idea of AccFlow is to make the attacking flows accountable for the congestion by dropping their packets according to their loss rates. AccFlow drops their packets more aggressively as the loss rates increase. Through extensive simulations, we illustrate that AccFlow can effectively safeguard against low-rate TCP DoS attacks, even when attackers employ varying strategies involving different scales and data rates. Furthermore, whereas AccFlow primarily addresses low-rate TCP DoS attacks, our research reveals its effectiveness in defending against general DoS attacks. These general attacks do not rely on the TCP retransmission timeout mechanism but rather deplete network resources, ultimately resulting in a denial of service for legitimate users. Additionally, we delve into the scalability of AccFlow and its viability for practical deployment in real-world networks. Finally, we demonstrate the effectiveness of AccFlow in safeguarding network resources.

OPTIMIST: Lightweight and Transparent IDS With Optimum Placement Strategy to Mitigate Mixed-Rate DDoS Attacks in IoT Networks

Distributed denial of service (DDoS) attacks are widespread for Internet of things (IoT) systems that aim to disrupt the availability of a system completely (high-rate DDoS) or partially (low-rate DDoS). Design and placement of Intrusion Detection Systems (IDS) for DDoS attacks on IoT systems are challenging due to the low power and lossy nature of networks. Existing IDSs are designed to handle either high-rate or low-rate DDoS but cannot handle both with good accuracy. Existing IDS placement techniques are mostly non-transparent, making malicious nodes aware of the presence of IDS nodes. Most of the IDS placement strategies are non-optimal, making them energy inefficient. Accordingly, this work proposes a transparent, optimally placed, distributed IDS solution, namely OPTIMIST, which can handle both high-rate and low-rate DDoS attacks with good accuracy. The placement problem is formulated as the weighted minimum vertex cover problem of a K-uniform hypergraph and solved with an approximation algorithm. The IDS module is based on a LSTM model where a novel offline training method for LSTM is proposed using WGAN-generated artificial flows. Extensive experimentation on simulation and testbed shows that the OPTIMIST can best achieve the balance between DDoS detection and energy overhead.

An Efficient Hybrid Protocol Framework for DDoS Attack Detection and Mitigation Using Evolutionary Technique

The ever-increasing use of the Internet has created massive amounts network traffic, causing problems related to its scalability, controllability, and manageability. Sophisticated network-based denial of service (DoS) and distributed denial of service (DDoS) attacks increasingly pose a future threat. The literature proposes various methods that may help stop all HTTP DoS/DDoS assaults, but no optimal solution has been identified so far. Therefore, this paper attempts to fill the gap by proposing an alternative solution known as an efficient hybrid protocol framework for distributed DoS attack detection and mitigation (E-HPFDDM). Such an architecture addresses all aspects of these assaults by relaying on a three-layer mechanism. Layer 1 uses the outer advanced blocking (OAB) scheme which blocks unauthorized IP sources using an advanced backlisted table. Layer 2 is a validation layer that relies on the inner service trackback (IST) scheme to help determine whether the inbound request has been initiated by a legitimate or an illegitimate user. Layer 3 (inner layer) uses the deep entropy based (DEB) scheme to identify, classify and mitigate high-rate DDoS (HR-DDoS) and flash crowd (FC) attacks. The research shows that in contrast to earlier studies, the structure of the proposed system offers effective defense against DoS/DDoS assaults for web applications.

A Survey of Low Rate DDoS Detection Techniques Based on Machine Learning in Software-Defined Networks

Software-defined networking (SDN) is a new networking paradigm that provides centralized control, programmability, and a global view of topology in the controller. SDN is becoming more popular due to its high audibility, which also raises security and privacy concerns. SDN must be outfitted with the best security scheme to counter the evolving security attacks. A Distributed Denial-of-Service (DDoS) attack is a network attack that floods network links with illegitimate data using high-rate packet transmission. Illegitimate data traffic can overload network links, causing legitimate data to be dropped and network services to be unavailable. Low-rate Distributed Denial-of-Service (LDDoS) is a recent evolution of DDoS attack that has been emerged as one of the most serious vulnerabilities for the Internet, cloud computing platforms, the Internet of Things (IoT), and large data centers. Moreover, LDDoS attacks are more challenging to detect because this attack sends a large amount of illegitimate data that are disguised as legitimate traffic. Thus, traditional security mechanisms such as symmetric/asymmetric detection schemes that have been proposed to protect SDN from DDoS attacks may not be suitable or inefficient for detecting LDDoS attacks. Therefore, more research studies are needed in this domain. There are several survey papers addressing the detection mechanisms of DDoS attacks in SDN, but these studies have focused mainly on high-rate DDoS attacks. Alternatively, in this paper, we present an extensive survey of different detection mechanisms proposed to protect the SDN from LDDoS attacks using machine learning approaches. Our survey describes vulnerability issues in all layers of the SDN architecture that LDDoS attacks can exploit. Current challenges and future directions are also discussed. The survey can be used by researchers to explore and develop innovative and efficient techniques to enhance SDN’s protection against LDDoS attacks.

Renyi Joint Entropy-Based Dynamic Threshold Approach to Detect DDoS Attacks against SDN Controller with Various Traffic Rates

The increasing incidence of distributed denial-of-service (DDoS) attacks has made software-defined networking (SDN) more vulnerable to the depletion of controller resources. DDoS attacks prevent the SDN controller from processing all incoming data efficiently, potentially disrupting a network or denying legitimate users access to network services. Thus, the protection of the SDN controller is crucial, especially from the ones that exploit the SDN characteristics. In this paper, the authors propose an efficient detection approach for low- and high-rate DDoS attacks on the controller with a high detection rate and a low false positive rate by adapting a dynamic threshold algorithm rather than a static one and proposing a new rule-based detection mechanism. In addition, the proposed approach was evaluated using eight simulation scenarios representing all potential attacks against the SDN controller in terms of attack traffic rates (low or high), sources (either single or multiple hosts), and targets (single or multiple victims). The experiment results show that the proposed approach is more effective than the existing approaches based on attack detection and false positive rates.

A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning

Distributed Denial-of-Service (DDoS) attacks are difficult to mitigate with existing defense tools. Fortunately, it has been demonstrated that Software-Defined Networking (SDN) with machine learning (ML) and deep learning (DL) techniques has a high potential to handle these threats effectively. However, although there are many SDN-based solutions for detecting DDoS attacks, only a few contain mitigation strategies. Additionally, most previous studies have focused on solving high-rate DDoS attacks. For the time being, recent slow-rate DDoS threats are hard to detect and mitigate. In this work, we propose a modular, flexible, and scalable SDN-based framework that integrates a DL-based intrusion detection system (IDS) and a deep reinforcement learning (DRL)-based intrusion prevention system (IPS) to address slow-rate DDoS threats. We incorporated scalability features into this framework, such as data-plane-based traffic monitoring and traffic flow sampling. Moreover, we have designed a lightweight DRL-based IPS to provide rapid mitigation responses. Furthermore, to evaluate the framework, we deployed a data center network using Mininet, Open Network Operating System (ONOS) controller, and Apache Web server. Next, we performed extensive experiments varying the number of attackers and the rate of attack connections. The proposed IDS achieved an average detection rate of 98%, with a flow sampling rate of 30%. In addition, IPS timely mitigated slow-rate DDoS with 100% of success for a few attackers. Taken together, these results show that the proposed framework provides effective responses to malicious and legitimate connections.

Low-rate DDoS attack Detection using Deep Learning for SDN-enabled IoT Networks

Software Defined Networks (SDN) can logically route traffic and utilize underutilized network resources, which has enabled the deployment of SDN-enabled Internet of Things (IoT) architecture in many industrial systems. SDN also removes bottlenecks and helps process IoT data efficiently without overloading the network. An SDN-based IoT in an evolving environment is vulnerable to various types of distributed denial of service (DDoS) attacks. Many research papers focus on high-rate DDoS attacks, while few address low-rate DDoS attacks in SDN-based IoT networks. There’s a need to enhance the accuracy of LDDoS attack detection in SDN-based IoT networks and OpenFlow communication channel. In this paper, we propose LDDoS attack detection approach based on deep learning (DL) model that consists of an activation function of the Long-Short Term Memory (LSTM) to detect different types of LDDoS attacks in IoT networks by analyzing the characteristic values of different types of LDDoS attacks and natural traffic, improve the accuracy of LDDoS attack detection, and reduce the malicious traffic flow. The experiment result shows that the model achieved an accuracy of 98.88%. In addition, the model has been tested and validated using benchmark Edge IIoTset dataset which consist of cyber security attacks.

On the use of information theory metrics for detecting DDoS attacks and flash events: an empirical analysis, comparison, and future directions

A Distributed Denial of Service (DDoS) attack is one of the lethal threats that can cripple down the computing and communication resources of a web server hosting Internet-based services and applications. It has motivated the researchers over the years to find diversified and robust solutions to combat against DDoS attacks and characterization of flash events (a sudden surge in the legitimate traffic) from HR-DDoS (High-Rate DDoS) attacks. In recent times, the volume of legitimate traffic has also magnified manifolds. It results in behavioral similarities of attack traffic and legitimate traffic that make it very difficult and crucial to differentiate between the two. Predominantly, Netflow-based techniques are in use for detecting and differentiating legitimate and attack traffic flows. Over the last decade, fellow researchers have extensively used distinct information theory metrics for Netflow-based DDoS defense solutions. However, a comprehensive analysis and comparison of these diversified information theory metrics used for particularly DDoS attack detection are needed for a better understanding of the defense systems based on information theory. This paper elucidates the efficacy and effectiveness of information theory-based various entropy and divergence measures in the field of DDoS attack detection. As part of the work, a generalized NetFlow-based methodology has been proposed. The proposed detection methodology has been validated using the traffic traces of various real benchmarked datasets on a set of detection system evaluation metrics such as Detection rate (Recall), Precision, F-Measure, FPR, Classification rate, and Receiver-Operating Characteristics (ROC) curves. It has concluded that generalized divergence-based information theory metrics produce more accuracy in detecting different types of attack flows in contrast to entropy-based information theory metrics.

Information Theory-based Approaches to Detect DDoS Attacks on Software-defined Networking Controller a Review

The number of network users and devices has exponentially increased in the last few decades, giving rise to sophisticated security threats while processing users’ and devices’ network data. Software-Defined Networking (SDN) introduces many new features, but none is more revolutionary than separating the control plane from the data plane. The separation helps DDoS attack detection mechanisms by introducing novel features and functionalities. Since the controller is the most critical part of the SDN network, its ability to control and monitor network traffic flow behavior ensures the network functions properly and smoothly. However, the controller’s importance to the SDN network makes it an attractive target for attackers. Distributed Denial of Service (DDoS) attack is one of the major threats to network security. This paper presents a comprehensive review of information theory-based approaches to detect low-rate and high-rate DDoS attacks on SDN controllers. Additionally, this paper provides a qualitative comparison between this work and the existing reviews on DDoS attack detection approaches using various metrics to highlight this work’s uniqueness. Moreover, this paper provides in-depth discussion and insight into the existing DDoS attack detection approaches to point out their weaknesses that open the avenue for future research directions. Meanwhile, the finding of this paper can be used by other researchers to propose a new or enhanced approach to protect SDN controllers from the threats of DDoS attacks by accurately detecting both low-rate and high-rate DDoS attacks.

Entropy-Based Approach to Detect DDoS Attacks on Software Defined Networking Controller

The Software-Defined Networking (SDN) technology improves network management over existing technology via centralized network control. The SDN provides a perfect platform for researchers to solve traditional network’s outstanding issues. However, despite the advantages of centralized control, concern about its security is rising. The more traditional network switched to SDN technology, the more attractive it becomes to malicious actors, especially the controller, because it is the network’s brain. A Distributed Denial of Service (DDoS) attack on the controller could cripple the entire network. For that reason, researchers are always looking for ways to detect DDoS attacks against the controller with higher accuracy and lower false-positive rate. This paper proposes an entropy-based approach to detect low-rate and high-rate DDoS attacks against the SDN controller, regardless of the number of attackers or targets. The proposed approach generalized the Rényi joint entropy for analyzing the network traffic flow to detect DDoS attack traffic flow of varying rates. Using two packet header features and generalized Rényi joint entropy, the proposed approach achieved a better detection rate than the EDDSC approach that uses Shannon entropy metrics.

Low-Rate DDoS Attack Detection Based on Factorization Machine in Software Defined Network

As the Software Define Network (SDN) adopts centralized control logic, it is vulnerable to various types of Distributed Denial of Service (DDoS) attacks. At present, almost all the research work focuses on high-rate DDoS attack against the SDN control layer. Moreover, most of the existing detection methods are effective for high-rate DDoS attack detection of the control layer, while a low-rate DDoS attack against the SDN data layer is highly concealed, and the detection accuracy against this kind of attack is low. In order to improve the detection accuracy of the low-rate DDoS attack against the SDN data layer, this paper studies the mechanism of such attacks, and then proposes a multi-feature DDoS attack detection method based on Factorization Machine (FM). The features extracted from the flow rules are used to detect low-rate DDoS attacks, and the detection of low-rate DDoS attacks based on FM machine learning algorithms is implemented. The experimental results show that the method can effectively detect the low-rate DDoS attack against the SDN data layer, and the detection accuracy reaches 95.80 percent. Because FM algorithm can achieve fine-grained detection for low-rate DDoS attack, which provides a reliable condition for defending against such attacks. Finally, this paper proposes a defense method based on dynamic deletion of flow rules, and carries out experimental simulation and analysis to prove the effectiveness of the defense method, and the success rate of forwarding normal packets reached 97.85 percent.

TCP Low Rate DDoS Attack Detection

Undoubtedly one of the more significant attacks on computer networks is distributed denial of service (DDoS). DDoS assaults can be divided into two groups: high rate attacks and low rate attacks. In the high rate DDoS category, the attacker tries to use all of the bandwidth available on the channel by saturating it with packets. While maintaining a low average transmission rate, the attacker conducts a DDoS attack in the low rate DDoS category (also known as LDDoS). TCP LDDoS is a low-rate DDoS assault in which the attacker takes advantage of the way TCP handles congestion. In this article, we look into a system for stopping a TCP LDDoS attack and suggest a fresh approach. We offer several observations to help distinguish between appropriate behavior and an attack. Our system produces a priority queue of flows, where flows with a high priority are valid and flows with a low priority are suspect. Using the NS2 simulation environment, we assess the suggested system. Results demonstrate that our suggested approach can accurately distinguish between attack flows and genuine flows.

Two-Layer Approach for Mixed High-Rate and Low-Rate Distributed Denial of Service (DDoS) Attack Detection and Filtering

Distributed denial of service (DDoS) attacks are one of the most important attacks due to reducing the performance of computer networks nowadays. In recent years, the number of devices connected to the internet has been increasing. These devices are not only computers, but also objects of everyday use. The concept of internet has accelerated the increase considerably. Therefore, many problems arise in terms of DDoS attacks. One of them is low-rate DDoS attacks. While high-rate DDoS attacks are often performed with computers, low-rate DDoS attacks can be easily performed by computers and internet-connected objects. Therefore, effective defense mechanism against both attacks must be developed. In this study, new approaches are proposed to filter mixed high-rate DDoS and low-rate DDoS attacks. The ns-2 simulation tool was used to evaluate the performance of the proposed methods. Experimental results show that the proposed methods are successfully filtered mixed DDoS attacks.

DyProSD: a dynamic protocol specific defense for high-rate DDoS flooding attacks

High-rate distributed denial of service (HDDoS) flooding attacks pose as a major threat to the Internet. Most present solutions based on machine learning approach are inept for detecting the attacks in real time due to high processing overhead. In this paper, we present a defense solution referred to as DyProSD that combines both the merits of feature-based and statistical approach to handle HDDoS flooding attacks. The statistical module marks the suspicious traffic and forwards to an ensemble of classifiers for ascertaining the traffic as malicious or normal. Our method filters the attack traffic protocol specifically by allocating various protocol specific filter engines dynamically. As and when DDoS attack occurs and the load of a filter engine reaches beyond its capable limit, a new filter engine is recruited dynamically from the idle resource pool for filtering, thus guaranteeing the quality of service for legitimate users concurrently. We establish the effectiveness of DyProSD through several experimental analysis and real-world dataset experiments and the results indicate enough confidence in favour of our solution.

A Novel Protective Framework for Defeating HTTP-Based Denial of Service and Distributed Denial of Service Attacks.

The growth of web technology has brought convenience to our life, since it has become the most important communication channel. However, now this merit is threatened by complicated network-based attacks, such as denial of service (DoS) and distributed denial of service (DDoS) attacks. Despite many researchers' efforts, no optimal solution that addresses all sorts of HTTP DoS/DDoS attacks is on offer. Therefore, this research aims to fix this gap by designing an alternative solution called a flexible, collaborative, multilayer, DDoS prevention framework (FCMDPF). The innovative design of the FCMDPF framework handles all aspects of HTTP-based DoS/DDoS attacks through the following three subsequent framework's schemes (layers). Firstly, an outer blocking (OB) scheme blocks attacking IP source if it is listed on the black list table. Secondly, the service traceback oriented architecture (STBOA) scheme is to validate whether the incoming request is launched by a human or by an automated tool. Then, it traces back the true attacking IP source. Thirdly, the flexible advanced entropy based (FAEB) scheme is to eliminate high rate DDoS (HR-DDoS) and flash crowd (FC) attacks. Compared to the previous researches, our framework's design provides an efficient protection for web applications against all sorts of DoS/DDoS attacks.

An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection

Distributed Denial of Service (DDoS) attacks represent a major threat to uninterrupted and efficient Internet service. In this paper, we empirically evaluate several major information metrics, namely, Hartley entropy, Shannon entropy, Renyi’s entropy, generalized entropy, Kullback–Leibler divergence and generalized information distance measure in their ability to detect both low-rate and high-rate DDoS attacks. These metrics can be used to describe characteristics of network traffic data and an appropriate metric facilitates building an effective model to detect both low-rate and high-rate DDoS attacks. We use MIT Lincoln Laboratory, CAIDA and TUIDS DDoS datasets to illustrate the efficiency and effectiveness of each metric for DDoS detection.

C2DF: High Rate DDOS filtering method in Cloud Computing

Distributed Denial of Service (DDOS) attacks have become one of the main threats in cloud environment. A DDOS attack can make large scale of damages to resources and access of the resources to genuine cloud users. Old-established defending system cannot be easily applied in cloud computing due to their relatively low competence and wide storage. In this paper we offered a data mining and neural network technique, trained to detect and filter DDOS attacks. For the simulation experiments we used KDD Cup dataset and our lab datasets. Our proposed model requires small storage and ability of fast detection. The obtained results indicate that our model has the ability to detect and filter most type of TCP attacks. Detection accuracy was the metric used to evaluate the performance of our proposed model. From the simulation results, it is visible that our algorithms achieve high detection accuracy (97%) with fewer false alarms.

DDoS: Flood vs. Shrew

Distributed Denial of Service (DDoS) attack is one of the greatest threats to connectivity, continuity, and availability of the Internet. In this paper, two typical types of DDoS attacks, high-rate (Flood) and low-rate (Shrew), are studied on their generation principles, mechanism utilizations, behaviors, signatures, and attack performances. Experiment results show that: (I) high-rate DDoS sends a large amount of traffic to destroy the victim but it is easy to be detected. (II) low-rate DDoS organizes a small quantity of traffic to degrade the service quality at the victim end and it is easy to escape from detection. Comparison of flood with shrew is helpful to detect and defend DDoS attacks efficiently.