Delving Into Internet DDoS Attacks by Botnets: Characterization and Analysis

Wang, An; Chang, Wentao; Chen, Songqing; Mohaisen, Aziz

doi:10.1109/tnet.2018.2874896

Cited by 77 publications

(13 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We assume the information found in a given certificate is incorrect if the binary does not have a valid signature and certificate chain. However, we note that those findings are in line with recent findings on understanding the sources of malicious attacks [24].…”

Section: Issuer Origin and Common Namessupporting

confidence: 93%

Chains of Distrust

Alrawi

Mohaisen

2016

Proceedings of the 25th International Conference Companion on World Wide Web - WWW '16 Companion

Self Cite

View full text Add to dashboard Cite

Digital certificates are key component of trust used by many operating systems. Modern operating systems implement a form of digital signature verification for various applications, including kernel driver installation, software execution, etc. Digital signatures rely on digital certificates that authenticate the signature, which then verify the validity of a given signature for a signed binary.Malware attempts to subvert the chain of trust through several techniques to achieve execution, evasion, and persistence. In this paper, we examine a large corpus of malware (3.3 million samples) to extract digital signatures and their corresponding certificates. We examine several characteristics of the digital certificates to study features in the process of malware authorship that will potentially be used for characterizing and classifying malware. We look at many features including the certificate's chain length, the issue and expiration year, the validity duration of a certificate, the issuing country, validity, top issuing certificate authorities (CAs), and others, highlighting potentially discriminatory features.

show abstract

Section: Issuer Origin and Common Namessupporting

confidence: 93%

Chains of Distrust

Alrawi

Mohaisen

2016

Proceedings of the 25th International Conference Companion on World Wide Web - WWW '16 Companion

Self Cite

View full text Add to dashboard Cite

show abstract

“…Thus, the detection of such activity is of high importance. To detect and prevent attacks generated by cloud resources (botclouds), detection approaches for botclouds must meet the following design requirements and challenges: Data volume and velocity: Given the volume and the velocity of data generated by the monitoring probes used by the CSPs, it is essential that we consider effective but inexpensive detection approaches in terms of their resource usage and processing time that can easily scale with these features (volume and velocity). Genericity: Knowing that a botcloud or any other form of malware can cause numerous malicious activities that go beyond the sole DDoS attack, a detection approach must be sufficiently generic and extensible in order to allow the detection of all different types of malicious activities. Avoiding collateral damages: Numerous solutions that can detect attacks with high efficiency have been proposed in the past. However, they require integration with intrusion detection systems close to or even at the target location.…”

Section: Design Challenges Of Detection Approaches For Botcloudsmentioning

confidence: 99%

An empirical investigation of botnet as a service for cyberattacks

Hammi

Zeadally

Khatoun

2018

Trans Emerging Tel Tech

View full text Add to dashboard Cite

During the last years, cloud computing has emerged and imposed itself as a cost‐effective solution for providing high quality Information Technology services. However, beyond a legitimate usage, the benefits of cloud computing are being exploited by attackers in nefarious ways and botnets are among the greatest beneficiaries of this malicious use. This botnet trend is a major issue because it strongly increases the power of massive distributed attacks when leveraging the capabilities of cloud service providers that do not have appropriate detection approaches in place to detect botnets exploiting cloud resources (also referred to as botclouds). We developed a free experimental intra–Cloud Service Provider (CSP) botnet that exploits CSPs' trial versions. We used this intra‐CSP botnet to execute numerous TCP SYN flood and UDP flood attacks during one week. Our empirical results demonstrate that, contrary to what CSPs claim, all the CSPs (with the exception of one) we have tested still cannot detect or issued no warnings when malicious activities were launched from their cloud computing platforms. Besides, CSP's trial versions can easily be exploited to perpetrate large scale cyberattacks. We argue that efficient, cost‐effective, scalable detection approaches that can detect botclouds need to be developed in the future to address this challenge.

show abstract

“…This case is referred to as the Distributed Denial of Service (DDoS) attack . Today, the Internet DDoS attacks are more prevalent with the ease of access to large numbers of infected machines, which are called botnets . As stated earlier, an immediate consequence of a successful DDoS attack is that services will become unavailable to legal customers .…”

Section: Introductionmentioning

confidence: 99%

Design and performance analysis of an efficient single flow IP traceback technique in the AS level

Arjmandpanah-Kalat

Abbasinezhad-Mood

Mahrooghi

et al. 2020

Int J Communication

View full text Add to dashboard Cite

Network security is a major challenge for big and small companies. The Internet topology is vulnerable to Distributed Denial of Service (DDoS) attacks as it provides an opportunity to an attacker to send a large volume of traffic to a victim, which can limit its Internet availability. The main problem in the prevention of the DDoS attack, also known as the flooding attack, is how to find the source of traffic flooding. This is because the spoofed source Internet protocol (IP) address of packets is not affected on its routing. As a result, IP traceback techniques are proposed to find the source of attack and in general, to find the source of any packet. Doing so, the IP traceback techniques can help us to prevent the Denial of Service (DoS) and DDoS attacks. In this paper, we propose an efficient Single Flow IP Traceback (SFT) technique in the Autonomous System (AS) level. Furthermore, a path signature generation algorithm is presented for detecting and filtering the spoofed traffic. Our solution assumes a secure Border Gateway Protocol (BGP)-routing infrastructure for exchanging authenticated messages in order to learn the path signatures, and it uses a marking algorithm in the flow level for transmission of the traceback messages. Because in our technique less bits are required to mark the IP header packet, the required storage space for any unique path to the victim is significantly decreased. Compared with the other existing techniques, the obtained results demonstrate that our technique has the least marking rate, overhead processing on the middle nodes, and destination's computational cost while offering the highest accuracy in tracebacking attack.

show abstract

Delving Into Internet DDoS Attacks by Botnets: Characterization and Analysis

Cited by 77 publications

References 26 publications

Chains of Distrust

Chains of Distrust

An empirical investigation of botnet as a service for cyberattacks

Design and performance analysis of an efficient single flow IP traceback technique in the AS level

Contact Info

Product

Resources

About