Detecting attacks in high-speed networks: Issues and solutions

Gupta, Alka; Sharma, Lalit Sen

doi:10.1080/19393555.2020.1722296

Cited by 11 publications

(3 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, Nmap performs reverse-DNS resolution for every IP which responds to host discovery probes (i.e., those that are online). Reverse DNS is represented by DNS PTR records in the zone files of authoritative DNS servers and stored in a special zone called .in-addr.arpa [25]. For example, the zone for the PTR record of private address range 10.…”

Section: Detecting Internal Scannersmentioning

confidence: 99%

Detecting Network Scanning Through Monitoring and Manipulation of DNS Traffic

Jafarian¹,

Abolfathi²,

Rahimian³

2023

IEEE Access

View full text Add to dashboard Cite

In this paper, we propose an approach for detecting internal and external network scanning attacks on enterprise networks. In our approach, an inline scan detection system (SDS) monitors the ingress and egress flows of an enterprise network subnet and detects scanning probes based on the correlation of flows with preceding DNS query/responses and reducing TTL values of DNS Resource Records (RR). Through rigorous evaluation, we show that our method is effective against both external and internal port scanners and network worms, its effectiveness is independent of scanning rate or technique, and its deployment incurs negligible overhead on DNS and network response times. While the idea of detecting scans by correlating network flows with preceding DNS query/responses has been proposed in the literature, this work extends the state-of-the-art by offering four contributions: 1) we show that without decreasing TTL values of RRs in DNS responses, attackers can piggyback on cached DNS records to bypass our detection; thus we incorporate a TTL reduction mechanism to enhance the effectiveness of this approach, especially against stealthy and adaptive scanners; 2) while prior works work against internal scanners, we use the relatively new extension of DNS protocol, ENDS0 Client Subnet (ECS) option, to expand this approach toward detecting external scanners; 3) we present a novel adaptive scanning technique, called DNS-cachebased scanning, that exploits local DNS cache to bypass prior detection methods, and shows that, while prior approaches fail to defeat this threat model, our approach is effective against this evolved threat model as well; and 4) contrary to existing work that focuses on defeating fast network scanning worms, this approach is effective against any scanning, including stealthy scanning that uses conservative timing profiles to evade detection.INDEX TERMS Network scanning, intrusion detection, domain name system (DNS), network worm.

show abstract

Section: Detecting Internal Scannersmentioning

confidence: 99%

Detecting Network Scanning Through Monitoring and Manipulation of DNS Traffic

Jafarian¹,

Abolfathi²,

Rahimian³

2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…These assaults produce a huge amount of network traffic by either forcing the victim to carry out the attacker's commands or cause the system to crash, rendering the service unavailable. SYN flood assault, ICMP flood assault, and UDP flood assault [10] are all common volumetric DDoS assaults. Protocol based attacks make use of Transport Control Protocol (TCP) / Internet Protocol (IP) or User Datagram Protocol (UDP) / IP mechanics to exhaust the CPU and memory resources, rendering the targeted system unable to respond to queries, Fig 1 . shows the DDoS attack scenario.…”

Section: Introductionmentioning

confidence: 99%

NFDLM: A Lightweight Network Flow based Deep Learning Model for DDoS Attack Detection in IoT Domains

Saurabh

Kumar

Singh

et al. 2022

2022 IEEE World AI IoT Congress (AIIoT)

View full text Add to dashboard Cite

In the recent years, Distributed Denial of Service (DDoS) attacks on Internet of Things (IoT) devices have become one of the prime concerns to Internet users around the world. One of the sources of the attacks on IoT ecosystems are botnets. Intruders force IoT devices to become unavailable for its legitimate users by sending large number of messages within a short interval. This study proposes NFDLM, a lightweight and optimised Artificial Neural Network (ANN) based Distributed Denial of Services (DDoS) attack detection framework with mutual correlation as feature selection method which produces a superior result when compared with Long Short Term Memory (LSTM) and simple ANN. Overall, the detection performance achieves approximately 99% accuracy for the detection of attacks from botnets. In this work, we have designed and compared four different models where two are based on ANN and the other two are based on LSTM to detect the attack types of DDoS.

show abstract

“…The problem of detecting attacks on networks has increased much fold after the increased use of botnets and distributed attacks. Two common network attacks are Denial of Service (DoS) and Port Scan [2]. To deal with intrusion on a computer network, an Intrusion Detection System (IDS) is used which is installed on the server.…”

Section: Introductionmentioning

confidence: 99%

Teler Real-time HTTP Intrusion Detection at Website with Nginx Web Server

Tedyyana¹,

Ghazali

2021

JOIV : Int. J. Inform. Visualization

View full text Add to dashboard Cite

Web servers and web-based applications are now widely used, but in this case, the crime rate in cyberspace has also increased. Crime in cyberspace can occur due to the exploitation of how a system works. For example, the way HTTP works are exploited to weaken the webserver. Various tools for attacking the internet are also starting to be easy to find, but so are the tools to detect these attacks. One of the useful tools for detecting attacks and sending warnings against threats is based on the weblogs on the webserver. Many have not reviewed Teler as an intrusion detection system on HTTP on web servers because the existing tools are relatively new. Teler detecting the weblog and run on the terminal with rule resources collected from the community. So here, the researcher tries to implement the use of Teler in detecting HTTP intrusions on a Nginx-based web server. Intrusion is carried out in attacks commonly used by attackers, for example, port scanning and directory brute force using the Nmap and OWASP ZAP tools. Then the detection results will be sent via the Telegram bot to the server admin. From the results of the experiments conducted, it has been found that Teler is still classified as being able to send warning notifications with a delay between the time of detection and the time when the alert is received, no more than 3 seconds.

show abstract

Detecting attacks in high-speed networks: Issues and solutions

Cited by 11 publications

References 3 publications

Detecting Network Scanning Through Monitoring and Manipulation of DNS Traffic

Detecting Network Scanning Through Monitoring and Manipulation of DNS Traffic

NFDLM: A Lightweight Network Flow based Deep Learning Model for DDoS Attack Detection in IoT Domains

Teler Real-time HTTP Intrusion Detection at Website with Nginx Web Server

Contact Info

Product

Resources

About