The Internet of Things (IoT) is becoming an integral part of daily life, spanning health, the environment, homes, the military, and more. The enormous growth of IoT in recent years has attracted attackers who exploit these devices' computation and communication capabilities to carry out different types of attacks. The major concern is that IoT devices have numerous vulnerabilities that can easily be exploited to form IoT botnets consisting of millions of devices, posing significant threats to Internet security. In this context, DDoS attacks originating from IoT botnets are a major problem in today's Internet that requires immediate attention. In this paper, we propose a Security Information and Event Management (SIEM)-based system for detecting and mitigating IoT botnet DDoS attacks. The system detects and blocks DDoS attack traffic from compromised IoT devices by monitoring specific packet types, including TCP SYN, ICMP and DNS packets, originating from these devices. We discuss a prototype implementation of the proposed system and demonstrate that SIEM-based solutions can be configured to accurately identify and block malicious traffic originating from compromised IoT devices.
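The detection described above, monitoring TCP SYN, ICMP and DNS packets per IoT device and blocking the offending traffic, can be expressed as a sliding-window rate check over normalised SIEM events. The following Python block is an added example and is not the paper's prototype: the log line format, the thresholds and window, the `10.0.1.` IoT prefix, the device addresses and the traffic itself are all constructed here, and the iptables rules are one possible mitigation action rather than the system's own.

```python
import re
from collections import defaultdict, deque

# Hypothetical tuning: per-device, per-kind packet thresholds over a sliding window (seconds).
WINDOW_SECONDS = 10.0
THRESHOLDS = {"syn": 50, "icmp": 100, "dns": 100}

# Constructed event format, as a SIEM collector might normalise flow or packet logs.
LINE_RE = re.compile(
    r"ts=(?P<ts>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: flags=(?P<flags>\S+))?(?: dport=(?P<dport>\d+))?"
)


def classify(ev):
    """Map a normalised event to one of the monitored packet kinds."""
    if ev["proto"] == "tcp" and ev.get("flags") == "S":
        return "syn"
    if ev["proto"] == "icmp":
        return "icmp"
    if ev["proto"] == "udp" and ev.get("dport") == "53":
        return "dns"
    return "other"


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed collector output is skipped, not guessed at
        ev = m.groupdict()
        ev["ts"] = float(ev["ts"])
        ev["kind"] = classify(ev)
        events.append(ev)
    return events


def detect(events, iot_prefix, thresholds=THRESHOLDS, window=WINDOW_SECONDS):
    """Return {device: {kinds}} for IoT devices whose count of a monitored packet
    kind exceeds its threshold inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)  # (device, kind) -> timestamps still inside the window
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["src"].startswith(iot_prefix) or ev["kind"] not in thresholds:
            continue
        q = recent[(ev["src"], ev["kind"])]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > thresholds[ev["kind"]]:
            flagged[ev["src"]].add(ev["kind"])
    return dict(flagged)


def block_rules(flagged):
    """Mitigation as iptables rules: drop only the offending packet kind from the
    offending device, so a SYN-flooding camera can still, e.g., resolve names."""
    match = {"syn": "-p tcp --syn", "icmp": "-p icmp", "dns": "-p udp --dport 53"}
    return [f"iptables -I FORWARD -s {dev} {match[k]} -j DROP"
            for dev in sorted(flagged) for k in sorted(flagged[dev])]


def apply_blocks(events, flagged):
    """Simulate the rules above on the event stream: returns (passed, dropped)."""
    passed, dropped = [], []
    for ev in events:
        (dropped if ev["kind"] in flagged.get(ev["src"], ()) else passed).append(ev)
    return passed, dropped


# Constructed sample: a compromised camera (10.0.1.7) SYN-floods a target while a
# second device (10.0.1.8) does ordinary DNS lookups; one line is deliberately malformed.
SAMPLE_LOG = (
    [f"ts={100 + i * 0.05:.2f} src=10.0.1.7 dst=203.0.113.5 proto=tcp flags=S dport=80" for i in range(80)]
    + [f"ts={100 + i:.2f} src=10.0.1.8 dst=10.0.0.53 proto=udp dport=53" for i in range(5)]
    + ["ts=101.00 src=10.0.1.7 dst=10.0.0.53 proto=udp dport=53"]
    + [f"ts={102 + i:.2f} src=10.0.1.7 dst=10.0.0.1 proto=icmp" for i in range(3)]
    + ["collector: heartbeat (not an event)"]
)

if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_LOG), iot_prefix="10.0.1.")
    for rule in block_rules(hits):
        print(rule)
```

Only the SYN traffic from 10.0.1.7 is flagged; its single DNS query and its ICMP packets stay below their thresholds and pass, which is the point of keying the block on (device, packet kind) rather than on the device alone.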
Fast flux networks are a special type of botnet used to provide a highly available web front end for a backend server, which usually hosts malicious content. Detecting fast flux networks remains challenging because their behavior resembles that of legitimate infrastructures such as CDNs and server farms. This paper proposes Fast Flux Watch (FF-Watch), a mechanism for online detection of fast flux agents. FF-Watch is envisioned as a software agent at the leaf routers that connect stub networks to the Internet. Its core mechanism relies on an inherent feature of fast flux networks: flux agents within stub networks relay client requests to the point-of-sale websites of spam campaigns. The main idea of FF-Watch is to correlate incoming TCP connection requests to flux agents within a stub network with outgoing TCP connection requests from the same agents to the point-of-sale website. Theoretical and traffic-trace-driven analysis shows that the proposed mechanism can efficiently detect fast flux agents within a stub network.
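The correlation at the heart of FF-Watch, pairing each inbound TCP connection request to a stub host with an outbound connection request from that host shortly afterwards, is shown below as an added Python example; it is not the paper's implementation. The stub prefix, the relay window, the minimum request count, the relay ratio and the SYN trace are all constructed assumptions chosen to illustrate the idea.

```python
from collections import defaultdict

STUB_PREFIX = "192.0.2."   # hypothetical stub network behind the leaf router
RELAY_WINDOW = 1.0         # seconds an outbound SYN may lag the inbound SYN it relays (assumed)
MIN_INBOUND = 5            # hosts with fewer inbound requests are not judged (assumed)
RELAY_RATIO = 0.8          # fraction of inbound requests that must be relayed (assumed)


def is_stub(ip, prefix=STUB_PREFIX):
    return ip.startswith(prefix)


def correlate(syns, prefix=STUB_PREFIX, window=RELAY_WINDOW):
    """For each stub host receiving inbound TCP connection requests, count how many
    are followed within `window` seconds by an outbound SYN from that same host.
    Each outbound SYN may explain at most one inbound request.
    Returns {host: (inbound_count, relayed_count)}."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for ts, src, dst in syns:
        if is_stub(dst, prefix) and not is_stub(src, prefix):
            inbound[dst].append(ts)
        elif is_stub(src, prefix) and not is_stub(dst, prefix):
            outbound[src].append(ts)
    stats = {}
    for host, in_ts in inbound.items():
        out_ts = sorted(outbound.get(host, []))
        matched, j = 0, 0
        for t in sorted(in_ts):
            while j < len(out_ts) and out_ts[j] < t:
                j += 1  # outbound SYNs sent before this request cannot be relaying it
            if j < len(out_ts) and out_ts[j] - t <= window:
                matched += 1
                j += 1  # consume the matched outbound SYN
        stats[host] = (len(in_ts), matched)
    return stats


def flux_agents(stats, min_inbound=MIN_INBOUND, ratio=RELAY_RATIO):
    """Hosts whose inbound connection requests are almost always relayed outward."""
    return sorted(h for h, (n, m) in stats.items() if n >= min_inbound and m / n >= ratio)


# Constructed trace of TCP SYNs (ts, src, dst) as seen at the leaf router:
#  - 192.0.2.10 behaves like a flux agent: each visitor's SYN is followed by a SYN to 198.51.100.7
#  - 192.0.2.20 is an ordinary web server that occasionally opens its own connections
#  - 192.0.2.30 is a workstation that only browses outward
SAMPLE_SYNS = []
for i in range(20):
    SAMPLE_SYNS.append((1000 + 2.0 * i, f"203.0.113.{i + 1}", "192.0.2.10"))
    SAMPLE_SYNS.append((1000 + 2.0 * i + 0.2, "192.0.2.10", "198.51.100.7"))
    SAMPLE_SYNS.append((1000 + 2.0 * i + 0.5, f"203.0.113.{i + 50}", "192.0.2.20"))
SAMPLE_SYNS += [(1003.0, "192.0.2.20", "198.51.100.9"), (1050.0, "192.0.2.20", "198.51.100.9")]
SAMPLE_SYNS += [(1000 + 1.5 * i, "192.0.2.30", f"198.51.100.{20 + i % 5}") for i in range(30)]

if __name__ == "__main__":
    print(flux_agents(correlate(SAMPLE_SYNS)))  # ['192.0.2.10']
```

The ordinary web server also opens outbound connections, and one of them happens to fall inside the window after a visitor's request, so the decision is made on the relay ratio over many requests rather than on a single coincidence; the workstation never receives inbound requests and is never judged at all.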
Web server overload resulting from an application layer–based distributed denial‐of‐service (DDoS) attack or a flash crowd event continues to be a major problem in today's Internet because it renders the Web server unavailable in both cases. In this paper, we propose a novel system, called ReCAP, that handles server overload resulting from application layer–based DDoS attacks or flash crowd events. The system is envisioned as a service that can be provided to websites that have limited resources and no infrastructure in place to handle these events. The main goal of ReCAP is to filter attack traffic during a DDoS attack and to provide users with basic information during a flash crowd event. The proposed system is composed of two main modules: (1) the HTTPredirect module, a stateless Hypertext Transfer Protocol server that redirects Web requests destined for the targeted Web server to the second module, and (2) the distributed Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA) service, which comprises a large number of powerful nodes geographically distributed across the Internet and acting together as a large distributed firewall. All requests to the origin Web server are redirected to the CAPTCHA nodes, which segregate legitimate clients from automated attacks by requiring them to solve a challenge. Upon a successful response, legitimate clients (humans) are forwarded through the given CAPTCHA node to the Web server. These CAPTCHA proxies are envisioned to be placed at the edge of the network, close to the clients, to curb communication delays and thus perceived response times, and to relieve the core network of further congestion. In particular, such an organization fits squarely in the fifth use case scenario presented in the European Telecommunications Standards Institute Mobile Edge Computing Industry Specification Group's introductory technical paper on Mobile‐Edge Computing.
In conclusion, the performance evaluation shows that the proposed system is able to mitigate application‐layer DDoS attacks while incurring acceptable delays for legitimate clients as a result of redirecting them to and via CAPTCHA nodes.
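As an added illustration that is not part of the paper or its prototype, the Python block below models the two ReCAP modules as request handlers: the stateless HTTPredirect module answers every request with a 302 to a CAPTCHA node and carries the original URL in the query string, and the CAPTCHA node either serves a challenge or forwards the verified client to the origin. The host names, the region-based choice of node, and the signed pass cookie that spares a verified client repeated challenges are assumptions; the CAPTCHA check itself is abstracted into a boolean verdict. One check a practitioner would want is included: the node refuses to forward to any target other than the protected origin, since otherwise the CAPTCHA service would be an open redirector and proxy.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ORIGIN = "www.example.org"                      # the protected web server (hypothetical)
CAPTCHA_NODES = {                               # edge CAPTCHA nodes by client region (hypothetical)
    "eu": "captcha-eu.example.net",
    "us": "captcha-us.example.net",
}
DEFAULT_REGION = "us"
PASS_KEY = b"key shared by all CAPTCHA nodes"   # assumption: provisioned to the nodes out of band
PASS_TTL = 600                                  # seconds a solved challenge stays valid (assumed)


def http_redirect(path, client_region):
    """HTTPredirect module: a stateless 302 to the CAPTCHA node nearest the client,
    carrying the originally requested URL so the node can forward it later."""
    node = CAPTCHA_NODES.get(client_region, CAPTCHA_NODES[DEFAULT_REGION])
    original = f"https://{ORIGIN}{path}"
    location = f"https://{node}/challenge?{urlencode({'u': original})}"
    return 302, {"Location": location}, b""


def make_pass(client_ip, now):
    """HMAC-signed 'challenge solved' token bound to the client address and an expiry."""
    exp = int(now) + PASS_TTL
    sig = hmac.new(PASS_KEY, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{sig}"


def pass_is_valid(token, client_ip, now):
    try:
        exp_s, sig = token.split(".", 1)
        exp = int(exp_s)
    except (ValueError, AttributeError):
        return False  # missing or malformed cookie
    if exp < now:
        return False
    expected = hmac.new(PASS_KEY, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def forward(node, original):
    """Stand-in for the node proxying the request to the origin: returns the response
    the node would relay, marked with the proxy's Via header."""
    return 200, {"Via": f"1.1 {node}", "Content-Type": "text/html"}, b"<origin response>"


def captcha_node(node, query, client_ip, cookies, challenge_passed, now=None):
    """CAPTCHA node handler. `challenge_passed` is the verdict of the CAPTCHA check
    (abstracted here); only verified clients are forwarded to the origin."""
    now = time.time() if now is None else now
    original = parse_qs(query).get("u", [""])[0]
    parts = urlsplit(original)
    if parts.scheme != "https" or parts.netloc != ORIGIN:
        return 400, {}, b"refusing to forward to an unprotected target"
    if pass_is_valid(cookies.get("recap_pass"), client_ip, now):
        return forward(node, original)  # already verified: no second challenge
    if challenge_passed:
        status, headers, body = forward(node, original)
        headers["Set-Cookie"] = f"recap_pass={make_pass(client_ip, now)}; Secure; HttpOnly; SameSite=Lax"
        return status, headers, body
    return 200, {"Content-Type": "text/html"}, b"<html><body>solve the challenge</body></html>"


if __name__ == "__main__":
    status, headers, _ = http_redirect("/index.html", "eu")
    print(status, headers["Location"])
```

The redirect module keeps no per-client state, which is what lets it stay up under load; state about who has solved a challenge lives only in the signed cookie, so any CAPTCHA node holding the shared key can honour it without coordination.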