Defending Networks against Denial of Service Attacks
Abstract
Denial of service attacks, viruses and worms are common tools for malicious adversarial behaviour in networks. Experience shows that over the last few years several of these techniques have probably been used by governments to impair the Internet communications of various entities, and we can expect that these and other information warfare tools will be used increasingly as part of hostile behaviour, either independently or in conjunction with other forms of attack in conventional or asymmetric warfare, as well as in other forms of malicious behaviour. In this paper we concentrate on Distributed Denial of Service (DDoS) attacks, where one or more attackers generate flooding traffic and direct it from multiple sources towards a set of selected nodes or IP addresses in the Internet. We first briefly survey the literature on the subject, and discuss some examples of DDoS incidents. We then present a technique that can be used for DDoS protection based on creating islands of protection around a critical information infrastructure. This technique, which we call the CPN-DoS-DT (Cognitive Packet Networks DoS Defence Technique), creates a self-monitoring sub-network surrounding each critical infrastructure node. CPN-DoS-DT is triggered by a DDoS detection scheme, and generates control traffic from the objects of the DDoS attack to the islands of protection where DDoS packet flows are destroyed before they reach the critical infrastructure. We use mathematical modelling, simulation and experiments on our test-bed to show the positive and negative outcomes that may result from both the attack and the CPN-DoS-DT protection mechanism, due to imperfect detection and false alarms.
Similar resources
HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Today, botnets have become a serious threat to enterprise networks. By creating a network of bots, they launch several kinds of attack; distributed denial of service (DDoS) attacks on networks are one example. By occupying system resources, such attacks have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...
Framework for Defending against Denial of Service Attacks in Wireless Networks
Wireless mobile nodes have extremely limited resources and are easily vulnerable to Denial of Service (DoS) attacks. The traditional techniques that can detect or prevent DoS attacks in wired networks often require considerable resources such as processing power, memory, and storage space. Hence, it is not possible to deploy the traditional techniques on the wireless nodes. In this paper, we id...
Defending against Packet Injection Attacks in Unreliable Ad Hoc Networks
Ad hoc networks are usually unreliable and have limited bandwidth resources. In such networks, packet injection attacks can cause serious denial of service via wireless channel contention and network congestion. To defend against this type of injection attack, we propose SAF, an efficient and effective Source Authentication Forwarding protocol. The protocol can either immediately filter out in...
Intrusion Detection Scheme against Sinkhole Attacks in Directed Diffusion Based Sensor Networks
Wireless Sensor Networks (WSNs) detect and report interesting events when they occur in the target region. These networks are vulnerable to security breaches due to wireless communication and lack of infrastructure. In sinkhole attacks, an attacker attracts network traffic by forging or replaying routing messages through compromised nodes. The attracted traffic is then used for selective forwarding, ...