Computer Networks

Volume 108, 24 October 2016, Pages 199-209
A distributed filtering mechanism against DDoS attacks: ScoreForCore

https://doi.org/10.1016/j.comnet.2016.08.023

Abstract

Traffic filtering is an essential technique used as a prevention mechanism against network attacks. This paper presents a proactive and collaborative filtering-based defense mechanism against Distributed Denial of Service (DDoS) attacks. Proactivity prevents an attack before it spreads, whereas collaboration provides knowledge about different points of the network and allows filters to be decided on jointly. The proposed model, called ScoreForCore, is a statistical mechanism inspired by another proactive but individual model. The most distinctive property of our model is the selection of the most appropriate attributes for the current attack traffic. We compared our results with those of the existing model. Our results suggest that the system's handling of both legitimate and attack packets improves considerably. In addition, most of the attack packets are blocked near the source of the attack.

Introduction

Distributed Denial of Service (DDoS) attacks are generated by flooding a system from several machines. Their aim is to occupy all available services and prevent innocent users from accessing resources. Since attackers also act as innocent users and attack packets do not contain any malicious part, this problem is not easy to tackle. Several defense mechanisms have been proposed to avoid these attacks. These mechanisms broadly include the ideas of detection, prevention and countermeasures.

Traffic filtering is a method widely utilized as a prevention mechanism. A filter is essentially a rule which permits or prevents a packet from entering the system [1]. Filters are generally installed on routers, since routers allow or block packets before they enter a domain. These mechanisms are vital because they intercept an attack intended to harm a large number of machines. In our previous work, we classified filtering mechanisms according to their collaboration and response time features.

  • Collaboration-based classification: In some circumstances, machines or nodes need to cooperate in order to learn about and decide on filters. This type of filtering is called cooperative filtering, whereas the other type is called individual filtering.

  • Response-time-based classification: Filtering mechanisms can also be classified according to the point in time at which they react. Filtering defense mechanisms can be active before or after a DDoS attack starts. From the filtering perspective, we can thus have proactive and reactive mechanisms.

According to our analysis, several mechanisms have been proposed that are reactive + cooperative, reactive + individual or proactive + individual. However, to the best of our knowledge, there are only a few works in the literature that are both cooperative and proactive. Proactive and cooperative filtering provides preventive and collaborative mechanisms. If it is possible to deploy such a mechanism throughout the network, it offers an opportunity to block a DDoS attack near the source before it expands. It is also inherently more accurate than individual mechanisms, since it decides on filters with more visibility and knowledge of the network. However, these scenarios are more challenging, since cooperation must be accepted by all peers while no attack is yet active. Therefore, we think that this topic deserves more research. Thus, in this work, we propose a cooperative and proactive model called ScoreForCore that is inspired by the PacketScore [2] mechanism.

PacketScore [2] is a statistical filtering mechanism in which each packet is analyzed according to its attribute values and scores are calculated from them. A packet is declared legitimate if its score, obtained by comparing these values with a baseline profile, is under a dynamic threshold. The baseline profile is generated based on Bayes' theorem [3]. In previous works, this type of comparison was applied to the detection of DDoS attacks; PacketScore, however, is the first method that utilizes this comparison for real-time packet filtering against such attacks. It is an individual filtering mechanism, since it performs the analysis and determines the filters on its own. It is also proactive, since it blocks packets according to a scoring approach that is always active. This filtering mechanism can differentiate legitimate and attack packets via statistical analysis and can therefore deal with new DDoS attack types. Moreover, it works well for non-spoofed attacks, since it does not rely solely on the source address attribute but also on other attributes that help to find attack packets. However, it has performance drawbacks. Its authors suggest that when the number of attributes enrolled in scoring increases, the model's filtering ability increases. Unfortunately, an increase in scoring attributes results in huge tables. In fact, the main problem of this model is the lack of appropriate attribute selection for each attack type. In most attacks, attack packets have some common properties, so each type of attack can be detected with specific attributes. Since PacketScore has no attribute selection in profile generation, it generates profiles with predetermined fixed attributes. When the number of attributes is increased, the probability that these attributes help in determining several types of attacks increases. However, when the number of attributes increases, the profile size grows enormously and requires a huge amount of memory.

In order to solve this problem, our model ScoreForCore provides appropriate attribute selection for the current attack traffic. This property is provided by collaboration in ScoreForCore. Our model utilizes PacketScore's advantages while omitting its drawbacks. In order to show these improvements, we evaluate both PacketScore and ScoreForCore.
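As an added worked illustration (not the paper's code, nor PacketScore's implementation), the Python below scores packets against a nominal profile built from attack-free traffic and drops those whose score is not under a dynamic threshold, then shows why attribute choice matters: scoring on the two attributes the flood disturbs most separates the constructed attack packets from legitimate ones, while scoring on the undisturbed `proto` attribute drops legitimate traffic as well. Attribute selection by profile shift, add-one smoothing, the capacity-based threshold and the sample traffic are all assumptions made for this example.

```python
from collections import Counter
from math import inf, log

ATTRIBUTES = ("proto", "dst_port", "pkt_len")  # attributes enrolled in scoring

def pkt(*values):
    return dict(zip(ATTRIBUTES, values))

# Constructed sample traffic, not measured data: an attack-free window that serves
# as the nominal profile, and a current window in which a flood of small TCP
# packets to port 80 is mixed with four legitimate packets.
NOMINAL_WINDOW = [pkt("tcp", 80, "l"), pkt("tcp", 443, "l"), pkt("tcp", 80, "s"),
                  pkt("tcp", 443, "l"), pkt("udp", 53, "s"), pkt("tcp", 22, "l"),
                  pkt("tcp", 443, "s"), pkt("udp", 53, "s")]
LEGIT = [pkt("tcp", 443, "l"), pkt("udp", 53, "s"), pkt("tcp", 22, "l"), pkt("tcp", 443, "s")]
ATTACK_WINDOW = LEGIT + [pkt("tcp", 80, "s")] * 8

def build_profile(packets):
    """Statistical profile of a window: per-attribute value counts."""
    return {a: Counter(p[a] for p in packets) for a in ATTRIBUTES}

def prob(profile, attr, value):
    """Add-one smoothed frequency of `value`, so an unseen value never yields log(0)."""
    counts = profile[attr]
    return (counts[value] + 1) / (sum(counts.values()) + len(counts) + 1)

def select_attributes(nominal, current, k=2):
    """Keep the k attributes whose value distribution the current traffic disturbs
    most (total-variation distance to the nominal profile); assumed selection rule."""
    def shift(a):
        n_tot, c_tot = sum(nominal[a].values()), sum(current[a].values())
        return 0.5 * sum(abs(nominal[a][v] / n_tot - current[a][v] / c_tot)
                         for v in set(nominal[a]) | set(current[a]))
    return sorted(ATTRIBUTES, key=lambda a: (-shift(a), a))[:k]

def score(packet, nominal, current, attrs):
    """Summed log-ratio of current to nominal frequency: high when the packet's
    values are over-represented in the current window relative to the baseline."""
    return sum(log(prob(current, a, packet[a]) / prob(nominal, a, packet[a])) for a in attrs)

def dynamic_threshold(scores, capacity):
    """Admit at most `capacity` packets per window; packets tied at the cut are dropped."""
    return inf if len(scores) <= capacity else sorted(scores)[capacity]

def filter_window(nominal, window, attrs, capacity):
    """Split a window into (accepted, dropped); legitimate means score under the threshold."""
    current = build_profile(window)
    scores = [score(p, nominal, current, attrs) for p in window]
    thr = dynamic_threshold(scores, capacity)
    return ([p for p, s in zip(window, scores) if s < thr],
            [p for p, s in zip(window, scores) if s >= thr])
```

Calling `select_attributes(build_profile(NOMINAL_WINDOW), build_profile(ATTACK_WINDOW))` ranks `dst_port` and `pkt_len` ahead of `proto`; filtering the attack window on those two attributes with a capacity of 8 keeps the four legitimate packets and drops the eight flood packets.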

The structure of this paper is as follows. Section 2 discusses related work whereas Section 3 presents an overview of ScoreForCore including motivation and design details. Section 4 describes our simulation and dataset details. Section 5 demonstrates performance evaluation and Section 6 provides discussion. Finally, Section 7 concludes the paper.

Section snippets

Related work

As mentioned in Section 3, filtering-based mechanisms against DDoS attacks can be classified according to their response time and collaboration properties. There are several works which are individual and proactive. The mechanism proposed in [4] is an individual statistical model that utilizes the Statistical Segregation Method (SSM). This mechanism samples the flows in an attack-free period, then compares these samples with the ones in an attack period. They also sort them according to the

Overview of ScoreForCore

ScoreForCore is a novel filtering mechanism that is preventive and collaborative. In the following subsections we review the underlying motivation and our design issues.

Dataset

In our work, we need real Internet traffic data. We use a real dataset from the MAWI Working Group Traffic Archive [17]. MAWILab performs long-term traffic measurement analysis on the global Internet. It was started in 2002 and is still collecting data from the Internet. The part of the data that we have used in our simulations was collected on Jan 12, 2014. This data is utilized to generate the nominal profile.

Simulation environment

We simulated our model ScoreForCore and the existing model PacketScore [2], in order

Performance evaluation

In this section we evaluate the performance of ScoreForCore. Firstly, we explain our performance metrics; secondly, we analyze the attribute distribution in the network topology; then we compare the results of ScoreForCore and PacketScore. At the end, technical and empirical storage analyses are provided.

Discussion

Packet marking or communication techniques can be utilized to provide collaboration. Initially, we focused on packet marking techniques and generated a cumulative scoring model. However, we noticed that for core routers the cost of marking packets is a considerable burden, since each packet requires checksum recalculation. In addition, cumulative scoring does not always give accurate results, since irrelevant attributes are considered and they mislead the statistical analysis. Then, we decided

Conclusion

In this work, we propose a proactive and cooperative filtering model against DDoS attacks. This type of filtering can prevent attack packets before they expand and gives more accurate decisions, since the nodes create filters together with more knowledge of the network. The proposed model ScoreForCore is a statistics-based model that utilizes several attributes. It can protect against botnets, since not only the IP address but also several other attributes are considered. It can also

Kübra Kalkan received her MS and BS degrees from the Computer Science and Engineering department of Sabanci University, Istanbul, Turkey, in 2011 and 2009, respectively. Currently she is a Ph.D. candidate in computer engineering and is working as a researcher at the Telematics Research Center (TAM) of Bogazici University. She is also working as a teaching assistant at Istanbul Medeniyet University. Her current research interests include network security, computer networks and wireless networks.

References (21)

  • D. Seo et al., APFS: adaptive probabilistic filter scheduling against distributed denial-of-service attacks, Comput. Secur. (2013)
  • D. Seo et al., PFS: probabilistic filter scheduling against distributed denial-of-service attacks, IEEE 36th Conference on Local Computer Networks (LCN) (2011)
  • Y. Kim et al., PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks, IEEE Trans. Dependable Secure Comput. (2006)
  • D.S. Sivia, Data Analysis, A Bayesian Tutorial (1996)
  • J. Udhayan et al., Statistical segregation method to minimize the false detections during DDoS attacks, Int. J. Network Secur. (2011)
  • Q. Chen et al., CBF: a packet filtering method for DDoS attack defense in cloud environment, 2011 IEEE Ninth International Conference on Dependable, Autonomic and Secure Computing (DASC) (2011)
  • R. Mahajan et al., Controlling high bandwidth aggregates in the network, ACM SIGCOMM Comput. Commun. Rev. (2002)
  • A.D. Keromytis et al., SOS: an architecture for mitigating DDoS attacks, IEEE J. Sel. Areas Commun. (2004)
  • J. François et al., FireCol: a collaborative protection network for the detection of flooding DDoS attacks, IEEE/ACM Trans. Networking (TON) (2012)
  • C. Jin et al., Hop-count filtering: an effective defense against spoofed DDoS traffic, Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS '03 (2003)

Fatih Alagöz is a professor in the Department of Computer Engineering, Bogazici University. He received the B.Sc. degree in Electrical Engineering from Middle East Technical University, Turkey, in 1992, and M.Sc. and Ph.D. degrees in Electrical Engineering from The George Washington University, USA, in 1995 and 2000, respectively. His current research interests are in the areas of wireless/mobile/satellite networks. He has contributed/managed ten research projects for the US Army of Intelligence Center, Naval Research Laboratory, UAE Research Fund, Turkish Scientific Research Council, State Planning Organization of Turkey, BAP, etc. He has published more than 150 scholarly papers in selected journals and conferences.
