Journal of Network and Information Security

Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

Layered Migrating Overlay for Effectively Sieving Internal DoS/DDoS Attackers-Its Designs and Effectiveness


Affiliations
1 Department of Computer Science, School of Engineering, Southern Illinois University Edwardsville, Edwardsville, Illinois, United States
     

   Subscribe/Renew Journal


Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of target server computers. The recent evolutions in DDoS attacks, especially in the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have to the hijacked host computers, pause serious threats to the overlay-based solutions. We designed and assessed the potential of new overlay-based security architecture that addresses the recent evolutions in DDoS attacks. The new security architecture, called “Layered Migrating Overlay (LMO)”, is designed to protect cloud servers (a) when their legitimate users convert to DoS/DDoS attackers or (b) when DDoS attacks are launched from the legitimate users’ host computers that are hijacked by DDoS coordinators. LMO copes with the situations by sieving attacking traffic from the hijacked legitimate users’ host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that LMO will efficiently sieve DDoS attacking hosts in many different situations, when a small number of attacking hosts hide behind a large legitimate user group, or when a stampede of DDoS attacking hosts occupy the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is a key to keep convergence delay short.

Keywords

Network Management, Overlay Networks, Security Management, Denial of Services, Insider Threats.
Subscription Login to verify subscription
User
Notifications
Font Size


  • B. Prabadevi, and N. Jeyanthi, “Distributed denial of service attacks and its effects on cloud environment- A survey,” Proceedings of the International Symposium on Networks, Computers and Communications, pp. 1-5, 2014.

  • M. Durairaj, and A. Persia, “ANM to perceive and thwart denial of service attack in WLAN,” International Journal of Communication Networks and Information Security, vol. 7, no. 6, pp. 59-66, 2015.

  • G. Booth, A. Soknacki, and A. Somayaji, “Cloud Security: Attacks and Current Defenses,” Proceedings of the Annual Symposium on Information Assurance, pp. 56-62, 2013.

  • P. Ferguson, and D. Senie, “Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing,” RFC-2827, May 2000.

  • J. Ioannidis, and S. M. Bellovin, “Implementing pushback: Router-based defense against DDoS attacks,” Proceedings of Network and Distributed System Security Symposium, pp. 100-108, 2002.

  • M. Darwish, A. Ouda, and L. F. Capretz, “Cloud-based DDoS attacks and defenses,” Proceedings of the International Conference on Information Society, pp. 67-71, 2013.

  • E. Cooke, F. Jahanian, and D. McPherson, “The zombie roundup: Understanding, detecting, and disrupting botnets,” Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p. 6, 2005.

  • E. Shi, I. Stoica, and D. A. Perrig, “OverDoSe: A generic DDoS protection service using an overlay network,” Carnegie Mellon University Computer Science Department Technical Report CMU-CS-06-114, 2006.

  • S. Khattab, C. Sangpachatanaruk, R. Melhem, D. Moss´e, and T. Znati, “Proactive server roaming for mitigating denial-of-service attacks,” Proceedings of International Conference on Information Technology Research and Education, pp. 286-290, 2003.

  • N. Jeyanthi, N. Ch. S. N Iyengar, P. C. M. Kumar, and A. Kannammal, “An enhanced entropy approach to detect and prevent DDoS in cloud environment,” International Journal of Communication Networks and Information Security, vol. 5, no. 2, pp. 163-173, 2013.

  • T. Okumura, D. Mosse, M. Minami, and O. Nakamura, “Operating system support for network control: A virtual network interface approach for end-host OSS,” Proceedings of IEEE International Workshop on Quality of Service, pp. 170-179, 2002.

  • C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Moss´e, “A simulation study of the proactive server roaming for mitigating denial of service attacks,” Proceedings of the Annual Symposium on Simulation, pp. 7-14, 2003.

  • V. K. Pingali, and J. D. Touch, “Protecting public servers from DDoS attacks using drifting overlays,” Proceedings of the IEEE Computer and Information Technology Workshops, pp. 270-272, 2008.

  • H. Wang, Q. Jia, D. Fleck, W. Powell, F. Li, and A. Stavrou, “A moving target DDoS defense mechanism,” Computer Communications, vol. 46, no. 15, pp. 10-21, June 2014.

  • J. Kurian, and K. Sarac, “Provider provisioned overlay networks and their utility in DoS defense,” Proceedings of IEEE Global Telecommunications Conference, pp. 474-479, 2007.

  • S. Khattab, R. Melhem, D. Moss´e, and T. Znati, “Honeypot back-propagation for mitigating spoof ing distributed denial-of-service attacks,” Proceedings of the IEEE International Parallel and Distributed Processing Symposium, pp. 1152-1164, 2006.

  • S. Khattab, C. Sangpachatanarukz, D. Moss´e, R. Melhemx, and T. Znatixz, “Roaming honeypots for mitigating service-level denial-of-service attacks,” Proceedings of International Conference on Distributed Computing Systems, pp. 328-337, 2004.

  • D. L. Cook, W. G. Morein, A. D. Keromytis, V. Misra, and D. Rubenstein, “Web SOS: Protecting web servers from DDoS attacks,” Proceedings of the IEEE International Conference on Networks, pp. 455-460, 2003.

  • D. G. Anderson, “Mayday: Distributed filtering for internet services,” Proceedings of USENIX Symposium on Internet Technologies and Systems, pp. 3-15, 2003.

  • I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan, “Chord: A scalable peer-to-peer lookup service for internet applications,” Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 149-160, 2010.

  • M. Canini, D. Fay, D. J. Miller, A. W. Moore, and R. Bolla, “Per flow packet sampling for high-speed network monitoring,” Proceedings of the Communication Systems and Networks and Workshops, pp. 1-10, 2009.

  • A. Broder, and M. Mitzenmacher, “Network applications of bloom filters: A survey,” Internet Mathematics, vol. 1, no. 4, pp. 485-509, November, 2003.


Abstract Views: 254

PDF Views: 1




  • Layered Migrating Overlay for Effectively Sieving Internal DoS/DDoS Attackers-Its Designs and Effectiveness

Abstract Views: 254  |  PDF Views: 1

Authors

Hiroshi Fujinoki
Department of Computer Science, School of Engineering, Southern Illinois University Edwardsville, Edwardsville, Illinois, United States

Abstract


Several overlay-based solutions have been proposed to protect network servers from DoS/DDoS attacks. The common objective in the existing solutions is to prevent the attacking traffic from reaching the servers by hiding the location of target server computers. The recent evolutions in DDoS attacks, especially in the increase in the number of bots involved in a DDoS attack and in the degree of control such bots have to the hijacked host computers, pause serious threats to the overlay-based solutions. We designed and assessed the potential of new overlay-based security architecture that addresses the recent evolutions in DDoS attacks. The new security architecture, called “Layered Migrating Overlay (LMO)”, is designed to protect cloud servers (a) when their legitimate users convert to DoS/DDoS attackers or (b) when DDoS attacks are launched from the legitimate users’ host computers that are hijacked by DDoS coordinators. LMO copes with the situations by sieving attacking traffic from the hijacked legitimate users’ host computers using dynamic binary user splits over the migrating entry points to an overlay network. Our discrete event driven simulation suggested that LMO will efficiently sieve DDoS attacking hosts in many different situations, when a small number of attacking hosts hide behind a large legitimate user group, or when a stampede of DDoS attacking hosts occupy the majority of incoming traffic, without requiring a large number of migrating entry points. We also found that how quickly each migrating entry point can detect excess traffic is a key to keep convergence delay short.

Keywords


Network Management, Overlay Networks, Security Management, Denial of Services, Insider Threats.

References