DDoSMiner: An Automated Framework for DDoS Attack Characterization and Vulnerability Mining

  • Conference paper
  • Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14584)

Abstract

As Internet use keeps growing, Distributed Denial of Service (DDoS) attacks are on the rise. Because rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defenses can thwart many DDoS attacks, attackers keep exploring new attack surfaces and traffic amplification strategies to evade them. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes the system call patterns of the TCP-based DDoS attack family and generates an Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. DDoSMiner then identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of the attack traffic and passes them to a symbolic execution framework, which explores variants of the DDoS attack. We analyze six types of TCP-based DDoS attacks, construct the corresponding ACFGs, and identify a set of attack traffic variants. The variants are evaluated against the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The results show that DDoSMiner discovers new DDoS attack traces, and that the corresponding attack traffic bypasses all three rule sets.



Acknowledgements

This work was supported in part by National Natural Science Foundation of China (62227805, 62072398 and 62172405), by SUTD-ZJU IDEA Grant for visiting professors (SUTD-ZJUVP201901), by the Natural Science Foundation of Jiangsu Province (BK20220075), by the Fok Ying-Tung Education Foundation for Young Teachers in the Higher Education Institutions of China (20193218210004), by State Key Laboratory of Mathematical Engineering and Advanced Computing, and by Key Laboratory of Cyberspace Situation Awareness of Henan Province (HNTS2022001).

Author information

Corresponding author: Fan Zhang.

Appendices

A Visualization and Analysis of System Calls

The ACFGs extracted from the TCP Connect Flood and TCP SYN Flood attacks are shown in Fig. 12. Nodes and edges are colored by the type of packet (benign or attack) that triggers them: green elements are functions reached only by benign packets, orange elements are functions reached only by attack packets, and blue elements are functions reached by both. Red nodes are the Pivotal Nodes. The nodes are kernel-internal functions on the TCP receive path, not user-space system calls, so they have to be traced inside the kernel. According to the definition in Sect. 3.2, the following nodes represent changes of TCP state:

  (i) tcp_v4_syn_recv_sock: called when the three-way handshake completes, that is, when the client's final ACK for a pending connection request arrives. It creates the child socket for the new connection. If the listener's accept queue is already full, no child is created and the attempt is dropped as a listen overflow, which makes this function a natural drop point under a flood of completed handshakes.

  (ii) tcp_check_req: validates a segment that matches a connection request in SYN_RECV state. It handles a retransmitted SYN, checks the sequence and acknowledgment numbers, and on an acceptable ACK hands over to tcp_v4_syn_recv_sock. A segment that fails these checks is not accepted; depending on the check that failed, the segment is dropped or the request is aborted with a RST (an embryonic reset).

  (iii) tcp_v4_do_rcv: the per-socket receive entry point. It dispatches on the socket state: segments for an ESTABLISHED socket go to tcp_rcv_established, and segments for a socket in any other state (including the ACK with which the client answers the server's SYN+ACK) go to tcp_rcv_state_process, which advances the connection state.

  (iv) tcp_rcv_state_process: the core of the TCP state machine for every state other than ESTABLISHED. If the socket is in SYN_RCVD and an acceptable ACK arrives, the state becomes ESTABLISHED; the remaining state transitions, and the segments that trigger them, also pass through this function.

  (v) tcp_rcv_established: handles inbound segments for a connection in the ESTABLISHED state.

  (vi) tcp_close: closes a TCP connection, releasing the resources it holds and moving the socket through the closing states.

Comparing the orange nodes of the two attacks in Fig. 12 shows that TCP Connect Flood and TCP SYN Flood have different characteristics; the detailed analysis is in Sect. 5.2.

Fig. 12. Visualization of system calls for TCP Connect Flood Attack and TCP SYN Flood Attack.

B The Kernel Address Corresponding to the Full Drop Nodes for Six Categories of Attacks

We extract the potential drop nodes from the ACFG and then index their addresses in the kernel. These addresses serve as path termination points for the symbolic execution. The attack types and the corresponding addresses used in the experiment are listed in Table 2. Such addresses are specific to the kernel build that was analyzed (and, on a live system with KASLR, to the boot), so they must be re-resolved from the symbol table of any other kernel before reuse.

Table 2. Kernel addresses associated with drop nodes for different attacks
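The following replay model makes the Appendix A coloring and the Appendix B notion of drop nodes concrete for the two attacks of Fig. 12. It is an added example, not DDoSMiner's code: the Listener class, its tiny queue sizes, the packet dictionaries, the server_isn helper, the assumption that syncookies are off and that the application is modelled by an accept-or-not flag are all my own simplifications, and the call paths are abbreviated (tcp_v4_rcv, tcp_conn_request and tcp_syn_flood_action are real kernel functions added to the six listed above; tcp_close is placed on the FIN path for the benign session). Benign sessions and the two floods are constructed inline.

```python
"""Toy replay of the server-side Linux TCP handshake path (constructed example).
Benign, SYN-flood and Connect-flood traffic goes through a listener with bounded SYN
and accept queues; every segment's kernel-function path is recorded so the ACFG can
be coloured (Appendix A) and drop nodes read off (Appendix B).  Paths are simplified."""
from collections import Counter

# State-changing functions listed in Appendix A (the paper's pivotal nodes).
PIVOTAL = {"tcp_v4_syn_recv_sock", "tcp_check_req", "tcp_v4_do_rcv",
           "tcp_rcv_state_process", "tcp_rcv_established", "tcp_close"}

def server_isn(flow):  # deterministic stand-in for the server's initial sequence number
    return (flow[1] * 7919) & 0xFFFFFFFF

class Listener:
    """A LISTEN socket with a bounded SYN backlog and a bounded accept queue."""
    def __init__(self, syn_backlog=4, accept_backlog=2):
        self.syn_backlog, self.accept_backlog = syn_backlog, accept_backlog
        self.pending = {}        # flow -> server ISN: request_socks in SYN_RECV
        self.accept_queue = []   # ESTABLISHED children not yet accept()ed
        self.established = set()

    def accept(self):  # the application picks up one established child, if any
        if self.accept_queue:
            self.accept_queue.pop(0)

    def receive(self, pkt):
        """Return (call path, drop node or None) for one inbound segment."""
        flow, path = (pkt["src"], pkt["sport"]), ["tcp_v4_rcv"]
        if flow in self.pending:                        # matches a SYN_RECV request
            path.append("tcp_check_req")
            if pkt["flags"] != "ACK" or pkt["ack"] != self.pending[flow] + 1:
                return path, "tcp_check_req"            # bad segment: embryonic reset
            path.append("tcp_v4_syn_recv_sock")          # handshake complete
            if len(self.accept_queue) >= self.accept_backlog:
                return path, "tcp_v4_syn_recv_sock"     # accept queue full: overflow
            del self.pending[flow]
            self.accept_queue.append(flow)
            self.established.add(flow)
            return path + ["tcp_rcv_state_process"], None   # SYN_RECV -> ESTABLISHED
        if flow in self.established:
            path += ["tcp_v4_do_rcv", "tcp_rcv_established"]
            if pkt["flags"] == "FIN":                    # peer closes, app then close()s
                self.established.discard(flow)
                path.append("tcp_close")
            return path, None
        if pkt["flags"] == "SYN":                        # new request on the listener
            path += ["tcp_v4_do_rcv", "tcp_rcv_state_process", "tcp_conn_request"]
            if len(self.pending) >= self.syn_backlog:    # backlog full, syncookies off
                return path + ["tcp_syn_flood_action"], "tcp_syn_flood_action"
            self.pending[flow] = server_isn(flow)        # SYN+ACK goes out
            return path, None
        return path, "tcp_v4_rcv"                        # no socket: answered with RST

def segment(src, sport, flags, ack=0):
    return {"src": src, "sport": sport, "flags": flags, "ack": ack}

def benign_session(src, sport):
    """SYN, final ACK, one data segment, FIN: what a well-behaved client sends."""
    ack = server_isn((src, sport)) + 1
    return [segment(src, sport, "SYN"), segment(src, sport, "ACK", ack),
            segment(src, sport, "PSH", ack), segment(src, sport, "FIN", ack)]

def syn_flood(n):
    """Spoofed SYNs that are never followed up: the SYN backlog fills."""
    return [segment(f"10.0.{i >> 8}.{i & 255}", 40000 + i, "SYN") for i in range(n)]

def connect_flood(n):
    """Completed handshakes with nothing after them: the accept queue fills."""
    return [s for i in range(n) for s in benign_session("198.51.100.7", 50000 + i)[:2]]

def run(listener, packets, app_accepts):
    """Replay packets; return (nodes reached, drop counter).  app_accepts=False
    models an application that the attacker outpaces."""
    nodes, drops = set(), Counter()
    for pkt in packets:
        path, drop = listener.receive(pkt)
        nodes.update(path)
        if drop:
            drops[drop] += 1
        if app_accepts:
            listener.accept()
    return nodes, drops

def colour_acfg(benign_nodes, attack_nodes):
    """Appendix A colouring: green = benign only, orange = attack only, blue = both."""
    return {n: "blue" if n in benign_nodes and n in attack_nodes
            else "green" if n in benign_nodes else "orange"
            for n in benign_nodes | attack_nodes}

def characterise(attack_packets):
    """Colour the ACFG of one attack and list its drop nodes and pivotal nodes."""
    benign = [s for c in range(3) for s in benign_session(f"192.0.2.{c}", 33000 + c)]
    b_nodes, b_drops = run(Listener(), benign, app_accepts=True)
    a_nodes, a_drops = run(Listener(), attack_packets, app_accepts=False)
    colours = colour_acfg(b_nodes, a_nodes)
    return {"orange": sorted(n for n, c in colours.items() if c == "orange"),
            "green": sorted(n for n, c in colours.items() if c == "green"),
            "drop_nodes": dict(a_drops), "benign_drops": dict(b_drops),
            "pivotal_reached": sorted(PIVOTAL & a_nodes)}
```

Calling characterise(syn_flood(8)) and characterise(connect_flood(6)) shows the contrast Appendix A points to: the SYN flood never gets past tcp_conn_request and terminates at tcp_syn_flood_action, leaving the whole handshake-completion and established-state side of the graph green, whereas the Connect flood reaches the pivotal nodes tcp_check_req and tcp_v4_syn_recv_sock and terminates at the latter once the accept queue is full. The function at which an attack's paths terminate is the model's equivalent of the drop node whose kernel address Appendix B hands to the symbolic execution engine.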


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Ling, X. et al. (2024). DDoSMiner: An Automated Framework for DDoS Attack Characterization and Vulnerability Mining. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14584. Springer, Cham. https://doi.org/10.1007/978-3-031-54773-7_12


  • DOI: https://doi.org/10.1007/978-3-031-54773-7_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54772-0

  • Online ISBN: 978-3-031-54773-7
