KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Detecting LDoS Attacks based on Abnormal Network Traffic

  • Chen, Kai (School of Computer Science & Technology, Huazhong University of Science and Technology) ;
  • Liu, Hui-Yu (School of Computer Science & Technology, Huazhong University of Science and Technology) ;
  • Chen, Xiao-Su (School of Computer Science & Technology, Huazhong University of Science and Technology)
  • Received : 2012.01.12
  • Accepted : 2012.07.17
  • Published : 2012.07.31
Download PDF
⟨ Previous Next ⟩

Abstract

By sending periodically short bursts of traffic to reduce legit transmission control protocol (TCP) traffic, the low-rate denial of service (LDoS) attacks are hard to be detected and may endanger covertly a network for a long period. Traditionally, LDoS detecting methods mainly concentrate on the attack stream with feature matching, and only a limited number of attack patterns can be detected off-line with high cost. Recent researches divert focus from the attack stream to the traffic anomalies induced by LDoS attacks, which can detect more kinds of attacks with higher efficiency. However, the limited number of abnormal characteristics and the inadequacy of judgment rules may cause wrong decision in some particular situations. In this paper, we address the problem of detecting LDoS attacks and present a scheme based on the fluctuant features of legit TCP and acknowledgment (ACK) traffic. In the scheme, we define judgment criteria which used to identify LDoS attacks in real time at an optimal detection cost. We evaluate the performance of our strategy in real-world network topologies. Simulations results clearly demonstrate the superiority of the method proposed in detecting LDoS attacks.

Keywords

References

  1. V. D. Gligor, "A note on denial-of-service in operating systems," Software Engineering, IEEE Transactions on, vol.10, no.3, pp.320-324, May.1984.
  2. Ruoyu Yan, Qinghua Zheng and Haifei Li, "Combining Adaptive Filtering and IF Flows to Detect DDoS Attacks within a Router," KSII Transactions on Internet and Information Systems, vol.4, no.3, pp.428-451, Jun.2010.
  3. A. Kuzmanovic and E.W. Knightly, "Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants," in Proc. of SIGCOMM, pp.75-86, 2003.
  4. M. Guirguis, A. Bestavros, and I. Matta, "Exploiting the tran-sients of adaptation for RoQ attacks on internet resources," in Proc. of the 12th IEEE International Conference on Network Protocols, pp.184-195, Oct.2004.
  5. Xiaopu Luo and R. K. C. Chang, "On a new class of pulsing denial-of-service attacks and the defense," in Proc. of the Network and Distributed System Security Symposium, pp.1-19, Feb.2005.
  6. Zhang Jing, Hu Huaping and Liu Bo, "Robustness of RED in Mitigating LDoS Attack," KSII Transactions on Internet and Information Systems, Vol.5, no.5, May.2011.
  7. Changwang Zhang, Jianping Yin, Zhiping Cai and Weifeng Chen, "RRED: Robust RED Algorithm to Counter Low - rate Denial -of -Service Attacks," IEEE Communication Letter, vol.14, no.5, pp.489-491, May.2010. https://doi.org/10.1109/LCOMM.2010.05.091407
  8. Jon Postel. RFC 793: Transmission Control Protocol, September 1981. Available from ftp://ftp.rfc-editor.org/in-notes/rfc793.txt as of Aug.2003.
  9. G. Macia-Fernandez, J. E. Diaz-Verdejo, and P. Garcia-Teodoro, "Evaluation of a low-rate DoS attack against iterative servers," Computer Networks, pp. 1013-1030, vol.51, no.4, 2007. https://doi.org/10.1016/j.comnet.2006.07.002
  10. G. Macia-Fernandez, J. E. Diaz-Verdejo, and P. Garcia-Teodoro, "LoRDAS: A low-rate DoS attack against application servers," in Proc. CRITIS'07, vol.5141, pp.197-209, 2008.
  11. G. Macia-Fernandez, J. E. Diaz-Verdejo, and P. Garcia-Teodoro, "Evaluation of a low-rate DoS attack against application servers," Computer Security, vol.27, pp.335-354, 2008. https://doi.org/10.1016/j.cose.2008.07.004
  12. G. Macia-Fernandez, Rafael A, Rodriguez-Gomez and Jesus E. Diaz-Verdejo, "Defense techniques for low-rate DoS attacks against application servers, " Computer Networks, vol.54, no.15, pp.2711-2727, Oct. 2010. https://doi.org/10.1016/j.comnet.2010.05.002
  13. Macia-Fernandez, G., J.E. Diaz-Verdejo and P. Garcia-Teodoro, "Mathematical model for low-rate dos attacks against application servers," Information Forensics and Security, vol.4, no.3, pp.519-529, Sep.2009. https://doi.org/10.1109/TIFS.2009.2024719
  14. Salah K, Sattar K, Sqalli M, et al, "A potential low-rate DoS attack against network firewalls," Security and Communication Networks, vol.4, no.2, pp.136-146, Feb.2011. https://doi.org/10.1002/sec.118
  15. He Yanxiang, "LDoS attack in ad-hoc network," in Proc of 6th International Conference on Wireless On-Demand Network Systems and Services, pp.251-257, Feb.2009.
  16. Guirguis Mina, Bestavros Azer and Matta Ibrahim, "On the impact of low-rate attacks," in Proc. Communications, pp.2316-2321, Jun.2006.
  17. Chen Y and Hwang K, "Collaborative detection and filtering of shrew DDoS attacks using spectral analysis," Journal of Parallel and Distributed Computing, vol.66, no.9, pp.1137-1151, Sep.2006. https://doi.org/10.1016/j.jpdc.2006.04.007
  18. He Yanxiang, Cao Qiang, Liu Tao, Han Yi and Xiong Qi, "A low- rate dos detection method based on feature extraction using wavelet transform," Journal of Software, vol.20, no.4, pp.930-941, Apr.2009.
  19. S. Sarat and A. Terzis, "On the effect of router buffer sizes on low-rate denial of service attacks," in Proc. IEEE ICCCN 05, pp.281-86, 2005.
  20. H. Sun, J. C. S. Lu, and D. K. Y. Yau, "Defending against low-rate TCP attacks: dynamic detection and protection," in Proc. of the 12th IEEE International Conference on Network Protocols, pp.196-205, Oct.2004.
  21. Y. K. Kwok, R. Tripathi, Y. Chen, and K. Hwang, "HAWK: Halting anomalies with weighted choking to rescue well-behaved TCP Sessions from Shrew DDoS attacks," in Proc. of the 3rd International Conference on Computer Network and Mobile Computing, pp.423-432, Aug.2005.
  22. WU Zhi-jun, ZENG Hua-long, and YUE Meng, "Approach of detecting LDoS attack based on time window statistic," Journal on Communications, vol.31, no.12, pp.55-62, Dec.2010.
  23. S Athuraliya, V H Li, S H Low, Q Yin. REM, "Active queue management," IEEE Network, pp.48-53, vol.15, no.3, 2001. Article (CrossRef Link). https://doi.org/10.1109/65.923940
  24. A. Shevtekar, K. Anantharam, and N. Ansari, "Low rate TCP denial-of-service attack detection at edge routers," IEEE Communications Letters, vol.9, no.4, pp.363-365, 2005. https://doi.org/10.1109/LCOMM.2005.1413635
  25. Y. Xu and R. Guerin, "On the robustness of router-based denial-of-service (DoS) defense systems," ACM SIGCOMM Computer Communication Review, vol.35, no.3, pp.47-60, 2005. https://doi.org/10.1145/1070873.1070878
  26. Xiaopu Luo, Edmond W.W. Chan, Rocky K.C. Chang, "Vanguard: A new detection scheme for a class of TCP-targeted denial-of-service attacks," in Proc. of the 10th IEEE/IFIP Network Operations and Management Symposium, pp.507-518, Apr.2006.
  27. Xiapu Luo, Edmond W. W. Chan, and Rocky K.C.Chang, "detecting pulsing denial-of-service attacks with nondeterministic attack intervals," EURASIP Journal on Advances in Signal Processing, vol. 2009, Jan.2009.
  28. Sean McPherson and Antonio Ortega, "Detecting low-rate periodic events in Internet traffic using renewal theory," in Proc. of ICASSP'2011. pp.4336-4339, May.2011.
  29. WU Zhijun, and PEI Baosong, "The detection of LDoS attack based on the model of small signal," ACTA ELECTRONICA SINICA, vol.39, no.6, Jun.2011.
  30. Yang Xiang, Ke Li, and Wanlei Zhou, "Low-Rate DDoS attacks detection and traceback by using new information metrics," IEEE Transactions on Information Forensics and Security, vol.6, no.2, pp.426-437, Jun.2011. https://doi.org/10.1109/TIFS.2011.2107320
  31. W.E.Leland,M. S. Taqqu, W. Willinger, and D.V Wilson, "On the self-similar nature of Ethernet traffic," in Proc.of ACM Sigcomm'93, pp.183-193, Oct.1993.
  32. K. Park and W. Willinger, "Self-similar network traffic and performance evaluation," John Wiley & Sons, JAN. 2002.
  33. Thomas K, Mart M, Michalis F, et al, "Long-range dependence-ten years of Internet traffic modeling," IEEE Internet Computer, vol.8, no.5, pp.57-64, Sept-Oct, 2004. https://doi.org/10.1109/MIC.2004.46
  34. T.Karagiannis, M.Molle, M.Faloutsos, and A. Broido, "A nonstationary poisson view of Internet traffic," in Proc.of INFOCOM 2004, pp.1558-1569, Mar.2004.
  35. K. Fall, K. Varadhan, "The NS manual," http://www.isi.edu/nsnam/ns/, 2009.
  36. Lawrence Berkeley National Laboratory (LBNL) and ICSI, "LBNL's internal enterprise traffic," http://www.icir.org/enterprise-tracing, 2005.
  37. MAWI Working Group, "Packet traces from WIDE backbone," http://tracer.csl.sony.co.jp/mawi, 2006.
  38. Cyber Systems and Technology Group, "1999 DARPA Intrusion Detection Evaluation Data Sets,"http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1999data.html,1999.

Cited by

  1. Accurately Identifying New QoS Violation Driven by High-Distributed Low-Rate Denial of Service Attacks Based on Multiple Observed Features vol.2015, pp.None, 2012, https://doi.org/10.1155/2015/465402