![Introduction (Contd...)
Name of scheme Author Scheme description Limitations
Aggregate based
congestion control and
Pushback (2002)[12]
R. Mahajan, S.M.
Bellovin,
S. Floyd, J. Ioannidis, V.
Paxson, S. Shenker
ACC rate limits the aggregates
rather than IP sources
Not effective against uniformly distributed attack sources
Attack Diagnosis and
parallel-AD (2005)[6]
R. Chen, J.M. Park Combines pushback and packet
marking
AD is not effective against large-scale attacks
TRACK(2006)[7] Zargar, S Taghavi, James
Joshi, D Tipper
Combines IP tracebeck, packet
marking and packet filtering
Not effective for attack traceback
Passport(2008)[8] X. Liu, A. Li, , X. Yang, D.
Wetherall
Makes use of symmetric key
cryptography to put tokens on
packets that verify the source
• Attackers may get capabilities from colluders
• It only prevents the hosts in one AS from spoofing the IP
addresses of other ASs
Defensive Cooperative
overlay mesh (2003)[18]
J. Mirkovic, P. Reiher, M.
Robinson
Defense nodes collaborate and
cooperate together
• Classifier nodes require an inline deployment.
• Unable to handle attacks from legacy networks
Stateless Internet Flow
Filter(2004)[20]
A. Yaar, A. Perrig, D. Song Capability-based mechanism • Always active
•Processing and memory costs overheads
StopIt(2011)[21] X. Liu, X. Yang, Y. Lu Novel closed control and open
service architecture for filters to
be installed
• Vulnerable to attacks in which attacker floods the router
• Needs complex verification/authentication mechanisms
• Challenging to deploy and manage in practice.
Active internet traffic
filtering (2009)[19]
K. Argyraki, D.R. Cheriton Misbehaving sources are policed
by their own ISPs
• Several deployment issues
•If the flooded link is outside victim’s AS, the three way
handshake may not complete](https://image.slidesharecdn.com/finalincentivebased-190819091724/85/Incentive-based-DDoS-defense-3-320.jpg)
![Related Work
Name of
scheme
Author Scheme description Limitations
Reputation
system(2015)[9]
H. Mousa, S. B.
Mokhtar, O. Hasan, O.
Younes, M. Hadhoud, L.
Brunie
Scores are given to nodes on behaving
honestly
• Vulnerable to collusion attacks, sybil attacks and whitewashing
attacks.
• Vulnerable to coordinated gaming strategies due to distributed
rating systems
Usage based
pricing (1999)[13]
A. Gupta, D.O. Stahl, A.
B. Whinston
Ties payments to actual traffic volumes Fails when the attack traffic is not large enough to cause congestion
Tit-for-tat
(2012)[10]
A. Mei, J. Stefa Mobile user cooperate on the principle
of double coincidence of wants
• Restricted to applications with long session duration
• Hard to meet different service requirements of the user
Capacity
provision
network(2005) [14]
X. Geng, R. Gopal, R.
Ramesh, A. B. Whinston
Network of cache servers is owned,
operated and coordinated through
capacity trading
Signing bilateral contracts with each of the cooperating nodes too
costly to be practical
Overlay networks
(1994)[15]
J. O. Ladyard, K.
Sazakaly-Moore
Beside the payment to ISPs, each user
pays fees to utilize a specific Internet
services
• Discrepancy in fee structures among various overlay networks
• Possibility of free riding
Barter
based(2004)[17]
Kostas G Anagnostakis,
Michael B Greenwald
Enforce repeated transactions in a small
subset of the network
Works only in a small network with high footprint
Credit based
(2016)[11]
Y. Wang, Z. Cia, G. Yin,
Y. Gao
Peers earn currency by contributing
resources to the system
• Rely on central authorities
• No explicit provably secure digital currency system used
Internet mapping
(2002)[16]
T. S. E. Ng, H. Zhang Incentives offered based on the
positions of several reference nodes and
delay to each of them
Only effective when the participating nodes are truthfully report their
locations and delay information](https://image.slidesharecdn.com/finalincentivebased-190819091724/85/Incentive-based-DDoS-defense-5-320.jpg)
![References
[1] Zargar, Saman Taghavi, James Joshi, and David Tipper. "A survey of defense mechanisms against distributed denial of service (DDoS)
flooding attacks." IEEE communications surveys & tutorials, 2013.
[2] Huang, Yun, Xianjun Geng, and Andrew B. Whinston. "Defeating DDoS attacks by fixing the incentive chain.“, ACM Transactions on Internet
Technology (TOIT), 2007.
[3] He, Yunhua, "A Bitcoin Based Incentive Mechanism for Distributed P2P Applications." International Conference on Wireless Algorithms ,
Systems, and Applications, Springer, Cham, 2017.
[4] Neudecker, T., Andelfinger, P., and Hartenstein,“A simulation model for analysis of attacks on the bitcoin peer-to-peer network”, IFIP/IEEE
International Symposium on Internet Management, IEEE, 2015.
[5] Andrychowicz, Marcin, "Secure multiparty computations on bitcoin.“, Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 2014.
[6] R. Chen, and J. M. Park, “Attack Diagnosis: Throttling distributed denial-of-service attacks close to the attack sources”, IEEE Int’l Conference
on Computer Communications and Networks (ICCCN’05), Oct. 2005.
[7] Zargar, Saman Taghavi, James Joshi, and David Tipper. "A survey of defense mechanisms against distributed denial of service (DDoS)
flooding attacks." IEEE communications surveys & tutorials , pp 15.4,2013 .
[8] X. Liu, A. Li, X. Yang, and D. Wetherall, “Passport: secure and adoptable source authentication”, 5th USENIX Symposium on Networked
Systems Design and Implementation (NSDI’08), San Francisco, CA, USA, pp. 365-378, 2008.
[9] Mousa, H., Mokhtar, S.B., Hasan, O., Younes, O., Hadhoud, M., Brunie, L.., “Trust management and reputation systems in mobile
participatory sensing applications: a survey”, IEEE Computer Network,pp 49–73 ,2015.
[10] Mei, A., Stefa, J., ”Give2get: forwarding in social mobile wireless networks of selfish individuals”. IEEE Transactions Dependable and
Secure Computing, vol 9, pp 569–582, 2012.
[11] Li, W., Cheng, X., Bie, R., Zhao, F., “An extensible and flexible truthful auction framework for heterogeneous spectrum markets”, IEEE
Transactions Cognitive Communication Network, vol 2, pp 427–441, 2016.](https://image.slidesharecdn.com/finalincentivebased-190819091724/85/Incentive-based-DDoS-defense-11-320.jpg)
![References (Contd…)
[12] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling high bandwidth aggregates in the network”,
Computer Communication Review, pp.62-73, 2002.
[13] Gupta, A., Stahl,D.O., Andwhinston,A.B. 1999, “The economics of network management”, Communication, vol 42, pp 57–63, ACM., 1999.
[14] Geng, X., Huang, Y., Whinston, “Defending wireless infrastructure against the challenge of DDoS attacks” , ACM Journal Mobile Network
Applications, vol 7, pp 213–223, 2000.
[15] Ledyard J.O. ,Szakaly-Moore, K., “Designing network organizations for transferring rights”, Joint Economical Behavior, Econometrica, vol
25,pp 167–196, 1994.
[16] NG Tsewang , Zhang H. 2002. ,”Predicting Internet network distance with coordinates-based approaches”, IEEE INFOCOM 2002, New York,
June 2002.
[17] Anagnostakis, Kostas G., and Michael B. Greenwald. "Exchange-based incentive mechanisms for peer-to-peer file sharing.“, Distributed
Computing Systems, 24th International Conference, IEEE, 2004.
[18] J. Mirkovic, P. Reiher, and M. Robinson, “Forming Alliance for DDoS Defense”, New Security Paradigms Workshop, Centro Stefano
Francini, Ascona, Switzerland, 2003.
[19] K Argyraki, and D. R. Cheriton, “Scalable network-layer defense against internet bandwidth-flooding attacks, in IEEE/ACM Trans. Network.,
vol 17, pp. 1284-1297, August 2009.
[20] A Yaar, Abraham, Adrian Perrig, and Dawn Song. "SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks." Security and
Privacy, 2004. Proceedings. 2004 IEEE Symposium on. IEEE, 2004
[21] Liu, Xin, Xiaowei Yang, and Yanbin Lu. StopIt: Mitigating DoS flooding attacks from multi-million botnets. Technical Report 08-05, 2008.
[22]Jamali, Nadeem, and Hongxing Geng. "A mailbox ownership based mechanism for curbing spam." Computer Communications 31.15 (2008):
3586-3593.
[23] Agha, Gul A. Actors: A model of concurrent computation in distributed systems. No. AI-TR-844. MASSACHUSETTS INST OF TECH
CAMBRIDGE ARTIFICIAL INTELLIGENCE LAB, 1985.
[24] Rodrigues, Bruno, Thomas Bocek, and Burkhard Stiller. "Enabling a Cooperative, Multi-domain DDoS Defense by a Blockchain Signaling
System (BloSS)."](https://image.slidesharecdn.com/finalincentivebased-190819091724/85/Incentive-based-DDoS-defense-12-320.jpg)
Incentive based DDoS defense
- 1. Defending against Distributed Denial of Service (DDoS) Attacks using Economic Incentive based Solution Presented By - Prachi Gulihar Roll No.: 31603216 M. Tech (Cyber Security) 3rd Semester Under the Supervision of - Dr. B.B. Gupta Assistant Professor Department of Computer Engineering National Institute of Technology Kurukshetra, Haryana END SEMESTER PRESENTATION OF DISSERTATION PART - 1
- 2. Introduction Distributed Denial of Service is a coordinated cyber attack, generally performed on a massive scale on the availability of services of a target system or network resources. Bitcoin is a purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a third-party. Figure. 1
- 3. Introduction (Contd...) Name of scheme Author Scheme description Limitations Aggregate based congestion control and Pushback (2002)[12] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, S. Shenker ACC rate limits the aggregates rather than IP sources Not effective against uniformly distributed attack sources Attack Diagnosis and parallel-AD (2005)[6] R. Chen, J.M. Park Combines pushback and packet marking AD is not effective against large-scale attacks TRACK(2006)[7] Zargar, S Taghavi, James Joshi, D Tipper Combines IP tracebeck, packet marking and packet filtering Not effective for attack traceback Passport(2008)[8] X. Liu, A. Li, , X. Yang, D. Wetherall Makes use of symmetric key cryptography to put tokens on packets that verify the source • Attackers may get capabilities from colluders • It only prevents the hosts in one AS from spoofing the IP addresses of other ASs Defensive Cooperative overlay mesh (2003)[18] J. Mirkovic, P. Reiher, M. Robinson Defense nodes collaborate and cooperate together • Classifier nodes require an inline deployment. • Unable to handle attacks from legacy networks Stateless Internet Flow Filter(2004)[20] A. Yaar, A. Perrig, D. Song Capability-based mechanism • Always active •Processing and memory costs overheads StopIt(2011)[21] X. Liu, X. Yang, Y. Lu Novel closed control and open service architecture for filters to be installed • Vulnerable to attacks in which attacker floods the router • Needs complex verification/authentication mechanisms • Challenging to deploy and manage in practice. Active internet traffic filtering (2009)[19] K. Argyraki, D.R. Cheriton Misbehaving sources are policed by their own ISPs • Several deployment issues •If the flooded link is outside victim’s AS, the three way handshake may not complete
- 4. Problem Description In dealing with DDoS attacks the industry and the academia have long ignored the incentive aspect of the problem which turns out to be the key in defeating DDoS attacks. Although we have enough distributed cooperative defense mechanisms but still systems are being victims of ddos attacks. They have rarely been deployed on the Internet because of lack of incremental payment structure which leads to failure of cooperation. The distributed solutions are challenging to deploy and execute due to detection and response located at far away locations.
- 5. Related Work Name of scheme Author Scheme description Limitations Reputation system(2015)[9] H. Mousa, S. B. Mokhtar, O. Hasan, O. Younes, M. Hadhoud, L. Brunie Scores are given to nodes on behaving honestly • Vulnerable to collusion attacks, sybil attacks and whitewashing attacks. • Vulnerable to coordinated gaming strategies due to distributed rating systems Usage based pricing (1999)[13] A. Gupta, D.O. Stahl, A. B. Whinston Ties payments to actual traffic volumes Fails when the attack traffic is not large enough to cause congestion Tit-for-tat (2012)[10] A. Mei, J. Stefa Mobile user cooperate on the principle of double coincidence of wants • Restricted to applications with long session duration • Hard to meet different service requirements of the user Capacity provision network(2005) [14] X. Geng, R. Gopal, R. Ramesh, A. B. Whinston Network of cache servers is owned, operated and coordinated through capacity trading Signing bilateral contracts with each of the cooperating nodes too costly to be practical Overlay networks (1994)[15] J. O. Ladyard, K. Sazakaly-Moore Beside the payment to ISPs, each user pays fees to utilize a specific Internet services • Discrepancy in fee structures among various overlay networks • Possibility of free riding Barter based(2004)[17] Kostas G Anagnostakis, Michael B Greenwald Enforce repeated transactions in a small subset of the network Works only in a small network with high footprint Credit based (2016)[11] Y. Wang, Z. Cia, G. Yin, Y. Gao Peers earn currency by contributing resources to the system • Rely on central authorities • No explicit provably secure digital currency system used Internet mapping (2002)[16] T. S. E. Ng, H. Zhang Incentives offered based on the positions of several reference nodes and delay to each of them Only effective when the participating nodes are truthfully report their locations and delay information
- 6. Current Status of Work Figure. 1 Figure. 2 Phase 1: Matchmaking of Policy and Proposal using Actor Model. Phase 2: Protocol Design for Incremental Escrow Transactions using Bitcoins.
- 7. Current Status of Work(Contd...) Figure 4. Role of transport manager comes on different AA platform Figure 3 . Four-layered Actor Architecture(AA) DIRECTORY MANAGER MESSAGE MANAGER PROSPECTIVE ISP DIRECTORY MANAGER MESSAGE MANAGER TRANSPORT SENDER TRANSPORT RECEIVER MESSAGE MANAGER PROSPECTIVE ISP
- 8. 03-05-04 UIUIC - OSL Directory Manager UAN1:Control broker UAN2:ISP2 UAN3:ISP3 UAN4:ISP4 UAN2, Policy, 120 register UAN3, Policy, 650register UAN4, Policy, 1290register UAN2, Policy, 120 UAN3, Policy, 650 UAN4, Policy 1290 Bitcoins, 650 Bitcoins, 120 ?, Proposal, 700searchAll UAN2, UAN3 Directory Manager Control Broker UAN4 ISP UAN2 ISP UAN1 searchAll UAN1, UAN2 send Current Status of Work(Contd...) Matchmaking mechanism
- 9. Current Status of Work(Contd...) Ladder protocol Deposit transaction ACK, t <locktime P1 P2
- 10. Conclusion and Future Plan • DDOS attack can be prevented by using economic incentive based solutions. Blockchain is an out-of-the box solution which will help achieve the following two main objectives- reducing the complexity of signaling Ddos attack information, means of establishing financial incentives at a reduced operational cost. • Bitcoin is the best choice because it is the most secure cryptocurrency, purely decentralized system of publically available transactions and allows secure multiparty computations. • While substantial work on phase 1 of negotiation of policies and proposals is done using directory manager, the work needs to be extended to the transport manager to achieve cross-communication in AA. • To evaluate DDoS defenses success criteria for each application, defining good benchmarking procedures and a meaningful and concise result aggregation strategy is very important. Our existing methods have some limitations like the ladder protocol is vulnerable to abort attacks and malicious coalitions.
- 11. References [1] Zargar, Saman Taghavi, James Joshi, and David Tipper. "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks." IEEE communications surveys & tutorials, 2013. [2] Huang, Yun, Xianjun Geng, and Andrew B. Whinston. "Defeating DDoS attacks by fixing the incentive chain.“, ACM Transactions on Internet Technology (TOIT), 2007. [3] He, Yunhua, "A Bitcoin Based Incentive Mechanism for Distributed P2P Applications." International Conference on Wireless Algorithms , Systems, and Applications, Springer, Cham, 2017. [4] Neudecker, T., Andelfinger, P., and Hartenstein,“A simulation model for analysis of attacks on the bitcoin peer-to-peer network”, IFIP/IEEE International Symposium on Internet Management, IEEE, 2015. [5] Andrychowicz, Marcin, "Secure multiparty computations on bitcoin.“, Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 2014. [6] R. Chen, and J. M. Park, “Attack Diagnosis: Throttling distributed denial-of-service attacks close to the attack sources”, IEEE Int’l Conference on Computer Communications and Networks (ICCCN’05), Oct. 2005. [7] Zargar, Saman Taghavi, James Joshi, and David Tipper. "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks." IEEE communications surveys & tutorials , pp 15.4,2013 . [8] X. Liu, A. Li, X. Yang, and D. Wetherall, “Passport: secure and adoptable source authentication”, 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI’08), San Francisco, CA, USA, pp. 365-378, 2008. [9] Mousa, H., Mokhtar, S.B., Hasan, O., Younes, O., Hadhoud, M., Brunie, L.., “Trust management and reputation systems in mobile participatory sensing applications: a survey”, IEEE Computer Network,pp 49–73 ,2015. [10] Mei, A., Stefa, J., ”Give2get: forwarding in social mobile wireless networks of selfish individuals”. IEEE Transactions Dependable and Secure Computing, vol 9, pp 569–582, 2012. [11] Li, W., Cheng, X., Bie, R., Zhao, F., “An extensible and flexible truthful auction framework for heterogeneous spectrum markets”, IEEE Transactions Cognitive Communication Network, vol 2, pp 427–441, 2016.
- 12. References (Contd…) [12] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, “Controlling high bandwidth aggregates in the network”, Computer Communication Review, pp.62-73, 2002. [13] Gupta, A., Stahl,D.O., Andwhinston,A.B. 1999, “The economics of network management”, Communication, vol 42, pp 57–63, ACM., 1999. [14] Geng, X., Huang, Y., Whinston, “Defending wireless infrastructure against the challenge of DDoS attacks” , ACM Journal Mobile Network Applications, vol 7, pp 213–223, 2000. [15] Ledyard J.O. ,Szakaly-Moore, K., “Designing network organizations for transferring rights”, Joint Economical Behavior, Econometrica, vol 25,pp 167–196, 1994. [16] NG Tsewang , Zhang H. 2002. ,”Predicting Internet network distance with coordinates-based approaches”, IEEE INFOCOM 2002, New York, June 2002. [17] Anagnostakis, Kostas G., and Michael B. Greenwald. "Exchange-based incentive mechanisms for peer-to-peer file sharing.“, Distributed Computing Systems, 24th International Conference, IEEE, 2004. [18] J. Mirkovic, P. Reiher, and M. Robinson, “Forming Alliance for DDoS Defense”, New Security Paradigms Workshop, Centro Stefano Francini, Ascona, Switzerland, 2003. [19] K Argyraki, and D. R. Cheriton, “Scalable network-layer defense against internet bandwidth-flooding attacks, in IEEE/ACM Trans. Network., vol 17, pp. 1284-1297, August 2009. [20] A Yaar, Abraham, Adrian Perrig, and Dawn Song. "SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks." Security and Privacy, 2004. Proceedings. 2004 IEEE Symposium on. IEEE, 2004 [21] Liu, Xin, Xiaowei Yang, and Yanbin Lu. StopIt: Mitigating DoS flooding attacks from multi-million botnets. Technical Report 08-05, 2008. [22]Jamali, Nadeem, and Hongxing Geng. "A mailbox ownership based mechanism for curbing spam." Computer Communications 31.15 (2008): 3586-3593. [23] Agha, Gul A. Actors: A model of concurrent computation in distributed systems. No. AI-TR-844. MASSACHUSETTS INST OF TECH CAMBRIDGE ARTIFICIAL INTELLIGENCE LAB, 1985. [24] Rodrigues, Bruno, Thomas Bocek, and Burkhard Stiller. "Enabling a Cooperative, Multi-domain DDoS Defense by a Blockchain Signaling System (BloSS)."