Filtering of shrew DDoS attacks in frequency domain

  • Yu Chen, Kai Hwang, Yu-Kwong Kwok
  • Published 15 November 2005
  • Computer Science
  • The IEEE Conference on Local Computer Networks 30th Anniversary (LCN'05)
  • Pages: 8 pp.-793
The shrew distributed denial of service (DDoS) attacks are periodic, bursty, and stealthy in nature. They are also known as reduction of quality (RoQ) attacks. Such attacks could be even more detrimental than the widely known flooding DDoS attacks because they damage the victim servers for a long time without being noticed, thereby denying new visitors to the victim servers, which are mostly e-commerce sites. Thus, in order to minimize the huge monetary losses, there is a pressing need to… 
Detectability of low-rate HTTP server DoS attacks using spectral analysis
  • J. Brynielsson, Rishie Sharma
  • Computer Science
    2015 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM)
  • 2015
Investigation of a weakness found within version 2.2 of the popular Apache HTTP Server software that concerns how the server handles the persistent connection feature in HTTP 1.1 shows that disproportionate amounts of energy in the lower frequencies can be detected when the attack is present.
Detection of Low-Rate DoS Attacks against HTTP Servers using Spectral Analysis
Investigation of a weakness in version 2.2 of the popular Apache HTTP Server software, regarding how the server handles the persistent connection feature in HTTP 1.1, shows that there are disproportionate amounts of energy in the lower frequencies when the attack is present.
Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals
The main contribution is Vanguard, a new anomaly-based detection scheme for this class of PDoS attacks, which is based on three traffic anomalies induced by the attacks, and it detects them using a CUSUM algorithm.
The Taming of the Shrew Srinivas
This work shows how a form of active queue management (AQM) can effectively eliminate the threat posed by Shrew attacks and shows that Differential Congestion Notification, an AQM scheme developed to improve response time of interactive traffic, “tames” the Shrew.
Collaborative detection and filtering of ddos attacks in isp core networks
A distributed scheme over multiple ISP domains is proposed, which relies on ISP network routers monitoring traffic fluctuations and information sharing with peers and a novel spectral template-matching approach is proposed to counter shrew DDoS attacks.
Detecting Pulsing Denial-of-Service Attacks Based on the Bandwidth Usage Condition
This paper proposes a novel and robust PDoS detection method which capitalizes on the bandwidth usage condition of network traffic in distinguishing the congestion due to normal traffic from that due to PDoS attacks.
Thwarting DDoS attacks in grid using information divergence
Dynamically Selecting Defenses to DDoS for DNS (extended)
This work proposes two approaches to DDoS-defense: having a library of defensive filters ready, each applicable to different attack types and with different levels of selectivity, and automatically selecting the best defense mechanism at attack start, and reevaluating that choice during the attack to account for polymorphic attacks.
Spectral Analysis of TCP Flows for Defense Against Reduction-of-Quality Attacks
  • Yu Chen, K. Hwang
  • Computer Science
    2007 IEEE International Conference on Communications
  • 2007
This paper explores the energy distributions of Internet traffic flows in frequency domain and finds the spectral shifting of attack flows from that of normal flows, revealing that normal TCP flows can be segregated from malicious flows according to energy distribution properties.
A Novel Mechanism to Defend Against Low-Rate Denial-of-Service Attacks
Through analyzing sampled attack traffic, it is found that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency.


Collaborative Defense against Periodic Shrew DDoS Attacks in Frequency Domain
A new digital signal processing (DSP) approach to detecting the shrew attacks embedded in legitimate traffic flows, which detects with the frequency-domain characteristics from the autocorrelation sequence of Internet traffic streams, and develops a network-layer multicast protocol LocalCast to support collaborative detection without burdening the end hosts.
Vanguard: A New Detection Scheme for a Class of TCP-targeted Denial-of-Service Attacks
A new detection system called Vanguard is proposed to identify a wide range of the aforementioned low-rate, DoS attacks, including the traditional flooding-based attacks as a special case and can also detect attacks with randomized attack periods.
On a New Class of Pulsing Denial-of-Service Attacks and the Defense
A novel two-stage scheme to detect PDoS attacks on a victim network based on a wavelet transform used to extract the desired frequency components of the data traffic and ACK traffic and verifies the feasibility and effectiveness of the detection scheme.
Defending against flooding-based distributed denial-of-service attacks: a tutorial
Various DDoS attack methods are described, and a longer-term solution that attempts to intercept attack packets in the Internet core, well before reaching the victim is discussed, dubbed the Internet-firewall approach.
A framework for classifying denial of service attacks
A framework for classifying DoS attacks based on header content, and novel techniques such as transient ramp-up behavior and spectral analysis are introduced, showing that characteristics of attack ramps-up and attack spectrum are more difficult to spoof.
The results show the vulnerability of the Internet to the distributed nature of RoQ attacks, which could be mounted through a relatively small number of zombie clients, motivating the need for the development of counter measures.
Use of spectral analysis in defense against DoS attacks
We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false
Defending against low-rate TCP attacks: dynamic detection and protection
  • Haibin Sun, John C.S. Lui, D. Yau
  • Computer Science
    Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004.
  • 2004
A distributed detection mechanism which uses the dynamic time warping method to robustly and accurately identify the existence of this sort of attack is proposed and a fair resource allocation mechanism is used.
HAWK: Halting Anomalies with Weighted Choking to Rescue Well-Behaved TCP Sessions from Shrew DDoS Attacks
This work proposes a new stateful adaptive queue management technique called HAWK (Halting Anomaly with Weighted choKing) which works by judiciously identifying malicious shrew packet flows using a small flow table and dropping such packets decisively to halt the attack such that well-behaved TCP sessions can re-gain their bandwidth shares.
Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures
DDoS attack models are described and taxonomies to characterize the scope of DDoS attacks, the characteristics of the software attack tools used, and the countermeasures available are proposed to assist in the development of more generalized solutions to countering DDoS attacks.