Advertisement

TSA: A Two-Phase Scheme Against Amplification DDoS Attack in SDN

  • Zheng Liu
  • Mingwei Xu
  • Jiahao Cao
  • Qi Li
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 747)

Abstract

Amplification attack, as a new kind of DDoS attack, is more destructive than traditional DDoS attack. Under the existing Internet architecture, it is difficult to find effective measures to deal with amplification attack. In this paper, we propose a two-phase reference detecting scheme by utilizing Software Defined Infrastructure capabilities: switch side is volume-based and controller side is feature-based. The proposed scheme is protocol-independent and lightweight, unlike most of the existing strategies. It can also detect amplification attack in the request phase for a small price, before these attacks cause actual harm. Upon the architecture, we design detection algorithms and a prototype system. Experimental results with both online and offline data sets show that the detection scheme is effective and efficient.

Keywords

Amplification DDoS attack Software defined network Two-phase detecting Entropy 

Notes

Ackowledgements

The research is supported by the National Natural Science Foundation of China under Grant 61625203, the National Key R&D Program of China under Grant 2016YFC0901605.

References

  1. 1.
    Rossow, C.: Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In: NDSS (2014)Google Scholar
  2. 2.
    Ryba, F.J., Orlinski, M., Whlisch, M., et al.: Amplification and DRDoS Attack Defense-A Survey and New Perspectives. arXiv preprint arXiv:1505.07892 (2015)
  3. 3.
    Fachkha, C., Bou-Harb, E., Debbabi, M.: Fingerprinting internet DNS amplification DDoS activities. In: NTMS, pp. 1–5. IEEE (2014)Google Scholar
  4. 4.
    Tsunoda, H., Ohta, K., Yamamoto, A., et al.: Detecting DRDoS attacks by a simple response packet confirmation mechanism. Comput. Commun. 31(14), 3299–3306 (2008)CrossRefGoogle Scholar
  5. 5.
    Kambourakis, G., Moschos, T., Geneiatakis, D., et al.: A fair solution to DNS amplification attacks. In: WDFIA, pp. 38–47. IEEE (2007)Google Scholar
  6. 6.
    Khrer, M., Hupperich, T., Rossow, C., et al.: Exit from hell? reducing the impact of amplification DDoS attacks. In: Security Symposium, pp. 111–125. USENIX (2014)Google Scholar
  7. 7.
  8. 8.
  9. 9.
    Shin, S., Yegneswaran, V., Porras, P., et al.: Avant-guard: scalable and vigilant switch flow management in software-defined networks. In: SIGSAC, pp. 413–424. ACM (2013)Google Scholar
  10. 10.
    Zaalouk, A., Khondoker, R., Marx, R., et al.: Orchsec: an orchestrator-based architecture for enhancing network-security using network monitoring and SDN control functions. In: NOMS, pp. 1–9. IEEE (2014)Google Scholar
  11. 11.
    Shin, S., Porras, P.A., Yegneswaran, V., et al.: FRESCO: modular composable security services for software-defined networks. In: NDSS (2013)Google Scholar
  12. 12.
    Beitollahi, H., Deconinck, G.: Analyzing well-known countermeasures against distributed denial of service attacks. Comput. Commun. 35(11), 1312–1332 (2012)CrossRefGoogle Scholar
  13. 13.
    Xiang, Y., Li, K., Zhou, W.: Low-rate DDoS attacks detection and traceback by using new information metrics. Trans. Inf. Forensics Secur. 6(2), 426–437 (2011)CrossRefGoogle Scholar
  14. 14.
  15. 15.
    Open Resolver Project. http://openresolverproject.org
  16. 16.
    Feinstein, L., Schnackenberg, D., Balupari, R., et al.: Statistical approaches to DDoS attack detection and response. In: DARPA Information Survivability Conference and Exposition, vol. 1, pp. 303–314. IEEE (2003)Google Scholar
  17. 17.
    Nychis, G., Sekar, V., Andersen, D.G., et al.: An empirical evaluation of entropy-based traffic anomaly detection. In: SIGCOMM, pp. 151–156. ACM (2008)Google Scholar
  18. 18.
    Lall, A., Sekar, V., Ogihara, M., et al.: Data streaming algorithms for estimating entropy of network traffic. In: SIGMETRICS, vol. 34, no. 1, pp. 145–156. ACM (2006)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.Department of Computer Science and TechnologyTsinghua UniversityBeijingChina
  2. 2.Graduate School at ShenzhenTsinghua UniversityShenzhenChina

Personalised recommendations