Abstract
As the Internet continues to grow, Distributed Denial of Service (DDoS) attacks are on the rise. Because rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defenses can thwart many DDoS attacks, attackers keep exploring new attack surfaces and traffic amplification strategies to evade them. In this paper we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes the system call patterns of the TCP-based DDoS attack family and generates an Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. It then identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of the attack traffic and passes them to a symbolic execution framework that explores variants of the attack. We analyze six types of TCP-based DDoS attacks, construct the corresponding ACFGs, and identify a set of attack traffic variants. The variants are evaluated against the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The results show that DDoSMiner discovers new DDoS attack traces, and that the corresponding attack traffic bypasses all three rule sets.
Acknowledgements
This work was supported in part by National Natural Science Foundation of China (62227805, 62072398 and 62172405), by SUTD-ZJU IDEA Grant for visiting professors (SUTD-ZJUVP201901), by the Natural Science Foundation of Jiangsu Province (BK20220075), by the Fok Ying-Tung Education Foundation for Young Teachers in the Higher Education Institutions of China (20193218210004), by State Key Laboratory of Mathematical Engineering and Advanced Computing, and by Key Laboratory of Cyberspace Situation Awareness of Henan Province (HNTS2022001).
Appendices
A Visualization and Analysis of System Calls
The ACFGs extracted from the TCP Connect Flood and TCP SYN Flood attacks are shown in Fig. 12. Nodes and edges are colored by the type of packet that triggers them: green elements are triggered only by benign packets, orange elements only by attack packets, and blue elements by both. Red nodes are the Pivotal Nodes. The "syscall" nodes named below are Linux kernel functions on the TCP receive and close paths rather than user-facing system calls. According to the definition in Sect. 3.2, the following nodes mark TCP state transitions:
(i) tcp_v4_syn_recv_sock: Called once the ACK that completes the handshake has been validated for a pending connection request. It checks that the listener can still take the connection (its accept queue is not full) and creates the child socket for the new connection; a full accept queue is a drop point on this path.
(ii) tcp_check_req: Handles a segment that arrives for an embryonic connection, i.e. a request created by an earlier SYN and still in SYN_RECV. A retransmitted SYN is answered with another SYN-ACK; an ACK whose acknowledgement number does not match the server's initial sequence number is rejected with a RST; a valid ACK proceeds to tcp_v4_syn_recv_sock.
(iii) tcp_v4_do_rcv: The per-socket receive entry point. For a socket in ESTABLISHED it calls tcp_rcv_established; for every other state, including the listener in LISTEN, it hands the segment to tcp_rcv_state_process, so the segments that advance the handshake reach the state machine through it.
(iv) tcp_rcv_state_process: The core of the TCP state machine for every state other than ESTABLISHED. If the connection is in SYN_RCVD (TCP_SYN_RECV in Linux) and an acceptable ACK arrives, the state moves to ESTABLISHED; the other state transitions of a connection, and the segments that trigger them, also pass through this function.
(v) tcp_rcv_established: Handles segments for a connection in the ESTABLISHED state (the data-transfer path).
(vi) tcp_close: Called when the application closes the socket. It sends a FIN (or a RST if unread data is still queued), moves the connection into the closing states and releases the resources it held.
Comparing the orange (attack-only) nodes of the two ACFGs shows that TCP Connect Flood and TCP SYN Flood exercise different parts of this path and therefore have different characteristics (detailed analysis in Sect. 5.2).
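To make the difference between the two attacks concrete, the following Python model is an added example written for this page; it is not code from the DDoSMiner paper or from the Linux kernel. The function names mirror the kernel functions above, but the bodies are a simplified model: no SYN cookies or timers, the request-sock lookup is folded into tcp_v4_do_rcv, and the queue limits, server initial sequence number and client addresses are assumptions. Each function records a node hit, so the nodes reached by a SYN flood and by a connect flood can be diffed against a benign session, which is the ACFG's attack-only colouring in miniature.

```python
"""Toy model of the Linux server-side TCP receive path for the 3-way handshake.

Added example, not code from the DDoSMiner paper or the Linux kernel: the names
mirror the kernel functions in Appendix A, but the bodies are a simplified model
(no SYN cookies or timers; request-sock lookup folded into tcp_v4_do_rcv).
Queue limits, the server ISS and client addresses are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

SERVER_ISS = 1000  # server initial sequence number (assumed fixed)

@dataclass
class Segment:
    src: str  # "ip:port" of the client, identifies the flow
    syn: bool = False
    ack: bool = False
    rst: bool = False
    seq: int = 0
    ack_seq: int = 0

@dataclass
class Listener:
    max_syn_backlog: int = 128  # stands in for net.ipv4.tcp_max_syn_backlog
    max_accept_queue: int = 16  # stands in for the listen() backlog
    req_socks: dict = field(default_factory=dict)  # src -> embryonic conn (SYN_RECV)
    accept_queue: list = field(default_factory=list)  # established, not yet accept()ed
    established: set = field(default_factory=set)
    trace: Counter = field(default_factory=Counter)  # node name -> hit count

def tcp_v4_do_rcv(lst, seg):
    """Per-socket receive entry: dispatch on the state the flow is in."""
    lst.trace["tcp_v4_do_rcv"] += 1
    if seg.src in lst.established:
        return tcp_rcv_established(lst, seg)
    if seg.src in lst.req_socks:
        return tcp_check_req(lst, seg)
    return tcp_rcv_state_process(lst, seg)  # socket is in LISTEN

def tcp_rcv_state_process(lst, seg):
    """State machine for non-ESTABLISHED sockets; only the LISTEN case is modelled."""
    lst.trace["tcp_rcv_state_process"] += 1
    if seg.rst or seg.ack or not seg.syn:
        lst.trace["drop:listen_non_syn"] += 1  # drop node
        return "drop"
    if len(lst.req_socks) >= lst.max_syn_backlog:
        lst.trace["drop:syn_backlog_full"] += 1  # drop node
        return "drop"
    lst.req_socks[seg.src] = SERVER_ISS  # new embryonic connection in SYN_RECV
    return "syn_ack"

def tcp_check_req(lst, seg):
    """Segment for an embryonic (SYN_RECV) connection: validate the handshake ACK."""
    lst.trace["tcp_check_req"] += 1
    if seg.syn and not seg.ack:
        return "syn_ack"  # retransmitted SYN: resend the SYN-ACK
    if seg.rst:
        del lst.req_socks[seg.src]
        lst.trace["drop:req_reset"] += 1  # drop node
        return "drop"
    if not seg.ack or seg.ack_seq != lst.req_socks[seg.src] + 1:
        lst.trace["drop:bad_ack_rst"] += 1  # drop node, answered with a RST
        return "rst"
    return tcp_v4_syn_recv_sock(lst, seg)

def tcp_v4_syn_recv_sock(lst, seg):
    """Create the child socket for a completed handshake if the listener can take it."""
    lst.trace["tcp_v4_syn_recv_sock"] += 1
    if len(lst.accept_queue) >= lst.max_accept_queue:
        lst.trace["drop:accept_queue_full"] += 1  # drop node
        return "drop"
    del lst.req_socks[seg.src]
    lst.established.add(seg.src)  # SYN_RECV -> ESTABLISHED
    lst.accept_queue.append(seg.src)
    return "established"

def tcp_rcv_established(lst, seg):
    """Data fast path; a RST tears the connection down."""
    lst.trace["tcp_rcv_established"] += 1
    return tcp_close(lst, seg.src) if seg.rst else "data"

def tcp_close(lst, src):
    """Application-side close: release the connection's resources."""
    lst.trace["tcp_close"] += 1
    lst.established.discard(src)
    if src in lst.accept_queue:
        lst.accept_queue.remove(src)
    return "closed"

def benign_session(lst, src="192.0.2.10:51000"):
    """Handshake, one data segment, then the application closes the socket."""
    tcp_v4_do_rcv(lst, Segment(src, syn=True, seq=1))
    tcp_v4_do_rcv(lst, Segment(src, ack=True, seq=2, ack_seq=SERVER_ISS + 1))
    tcp_v4_do_rcv(lst, Segment(src, ack=True, seq=2, ack_seq=SERVER_ISS + 1))
    tcp_close(lst, src)

def syn_flood(lst, n):
    """n spoofed SYNs and never an ACK: embryonic connections pile up in SYN_RECV."""
    for i in range(n):
        tcp_v4_do_rcv(lst, Segment(f"10.0.{i // 256}.{i % 256}:40000", syn=True, seq=i))

def connect_flood(lst, n):
    """n complete handshakes: connections reach ESTABLISHED and fill the accept queue."""
    for i in range(n):
        src = f"10.1.{i // 256}.{i % 256}:40000"
        tcp_v4_do_rcv(lst, Segment(src, syn=True, seq=i))
        tcp_v4_do_rcv(lst, Segment(src, ack=True, seq=i + 1, ack_seq=SERVER_ISS + 1))

def characterize(attack, n):
    """Run one attack on a fresh listener; return (attack-only nodes, full trace)."""
    benign, attacked = Listener(), Listener()
    benign_session(benign)
    attack(attacked, n)
    return sorted(set(attacked.trace) - set(benign.trace)), dict(attacked.trace)

if __name__ == "__main__":
    for name, attack, n in (("TCP SYN Flood", syn_flood, 200), ("TCP Connect Flood", connect_flood, 40)):
        only, trace = characterize(attack, n)
        print(f"{name}: attack-only nodes {only}\n  trace {trace}")
```

Running it shows the SYN flood stopping at a drop node inside the LISTEN handler (SYN backlog exhausted, with no tcp_check_req or tcp_v4_syn_recv_sock hits at all), while the connect flood reaches tcp_v4_syn_recv_sock for every client and is dropped there once the accept queue is full: different drop nodes and different pivotal states for two attacks that look alike on the wire at the SYN stage.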
B The Kernel Address Corresponding to the Full Drop Nodes for Six Categories of Attacks
We extract the potential drop nodes from the ACFG and index their addresses in the kernel image; these addresses serve as path termination points for the symbolic execution. The attack types and the corresponding addresses used in the experiment are listed in Table 2. The addresses are specific to the kernel build that was traced: a different build places the functions elsewhere, and with KASLR enabled the runtime address of a core-kernel function differs from its link-time address by a per-boot constant slide.
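Resolving the drop-node names to addresses is a small step that goes wrong on a different kernel. The script below is an added example, not the paper's tooling: it parses a kallsyms/System.map-style symbol table (the excerpt is constructed and its addresses are invented), resolves a list of symbol names, reports the ones the build does not export (inlined or renamed functions), and rebases core-kernel addresses by the KASLR slide computed from the runtime address of _text. The drop-node list and the runtime _text value are assumptions.

```python
"""Resolve drop-node symbol names to kernel addresses and rebase them for KASLR.

Added example, not code from the DDoSMiner paper.  The symbol-table excerpt is
constructed (addresses are made up); the symbol names are the kernel functions
from Appendix A.  A symbolic-execution harness that terminates paths at these
addresses must use the addresses of the kernel it actually runs, so link-time
addresses are shifted by the KASLR slide observed at runtime.
"""
import re

# "<addr> <type> <name> [<module>]" as in System.map and /proc/kallsyms
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?$")

# Constructed kallsyms-style excerpt; the addresses are not from any real build.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81a2f5a0 T tcp_close
ffffffff81a3c2e0 T tcp_v4_do_rcv
ffffffff81a3c7b0 T tcp_rcv_state_process
ffffffff81a3d040 T tcp_rcv_established
ffffffff81a41120 T tcp_check_req
ffffffff81a41900 T tcp_v4_syn_recv_sock
ffffffff81a41a30 t tcp_v4_syn_recv_sock.cold
ffffffffc0a12000 t nf_conntrack_tcp_packet [nf_conntrack]
"""

DROP_NODES = ["tcp_check_req", "tcp_v4_syn_recv_sock"]  # assumed drop-node symbols

def parse_symbol_table(text):
    """Parse System.map / kallsyms lines into {name: (addr, type, module_or_None)}."""
    table = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        addr, typ, name, mod = m.groups()
        table[name] = (int(addr, 16), typ, mod)
    return table

def kaslr_slide(table, runtime_text):
    """Slide = runtime address of _text minus its link-time address."""
    return runtime_text - table["_text"][0]

def resolve(symbols, table, runtime_text=None):
    """Return ({name: address}, [missing names]).

    With runtime_text (the live address of _text from /proc/kallsyms), core-kernel
    addresses are rebased.  Module symbols only appear in a live kallsyms and are
    already runtime addresses, so they are left untouched.
    """
    slide = kaslr_slide(table, runtime_text) if runtime_text is not None else 0
    resolved, missing = {}, []
    for name in symbols:
        entry = table.get(name)
        if entry is None:
            missing.append(name)  # e.g. inlined or renamed in this build
            continue
        addr, _typ, mod = entry
        resolved[name] = addr if mod else addr + slide
    return resolved, missing

if __name__ == "__main__":
    table = parse_symbol_table(SYSTEM_MAP)
    addrs, missing = resolve(DROP_NODES + ["tcp_v4_conn_request"], table,
                             runtime_text=0xFFFFFFFF9A000000)  # assumed live _text
    for name, addr in addrs.items():
        print(f"{name:24s} {addr:#018x}")
    print("missing:", missing)
```

On a live system the runtime anchor comes from the `_text` line of /proc/kallsyms read as root (with kptr_restrict set, unprivileged readers see zeroed addresses), and the table from the System.map of the same build; a mismatch between the two is the usual reason a termination address in a symbolic-execution harness never fires.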
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Ling, X. et al. (2024). DDoSMiner: An Automated Framework for DDoS Attack Characterization and Vulnerability Mining. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14584. Springer, Cham. https://doi.org/10.1007/978-3-031-54773-7_12
DOI: https://doi.org/10.1007/978-3-031-54773-7_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-54772-0
Online ISBN: 978-3-031-54773-7