Preventive Mechanisms Against DoS Attacks

Added on 2023/04/24


DOS ATTACKS
Table of Contents
Literature Review
  Authentication and Identification
  Authorization
  Auditing
  Confidentiality
  Data integrity
Introduction
  SYN Flood
  HTTP Flood
  Distributed Denial of Service Attacks (DDoS)
Preventive Mechanisms
  Filtering Spoofed Packets
  The Martian IP Filtering and Source IP Validation
  Egress/Ingress Filtering
  Route-Based Filtering
  SAVE Protocol
  Self-certifying IP Addresses
  HIP
  AIP
  SOS
  Secure Overlay Service
  Secure-i3
  Network Protective Measures
  Router installation
  Bandwidth
  Reverse proxy
  Geographical area
  Infrastructure defensive measures
  Software status
  Deactivation of Unnecessary server ports
Summary
Conclusion
Literature Review
A network is a group of two or more devices that can communicate with each other. Networks are of great significance because they enable communication (for instance through email) and the sharing of hardware such as printers, as well as data, information and software; at the same time, networks are prone to insecurity.
Network security is an activity intended to protect the usability and integrity of the network and its data. It comprises both software and hardware technologies. Effective network security monitors access to the network, targets a range of threats and prevents them from entering the network.
The most commonly used mechanisms to secure a network include:
Authentication and Identification
Identification is the ability to uniquely identify a user of a system, or a software utility running in a computing system. Authentication is the ability to prove that a computer user or software application is genuinely who, or what, it claims to be.
Authorization
Authorization protects resources in a computing system by restricting access to authorized clients and their software utilities. It limits the unauthorized use of resources, or the use of resources in a manner that is not authorized.
Auditing
Auditing is the process of recording and examining events to detect whether any unanticipated or illegal activity has taken place, or whether any attempt has been made to perform such an action.
Confidentiality
The confidentiality service safeguards sensitive data from unauthorized disclosure.
Data integrity
The data integrity service detects whether there has been unauthorized alteration of information.
It should be noted that DoS is not the only kind of network attack; other common network attacks include:
i. Distributed denial of service attacks.
ii. Password attacks.
iii. Phishing and spear phishing attacks.
iv. Drive-by attacks.
v. SQL injection attacks.
vi. Eavesdropping attacks.
vii. Cross-site scripting (XSS) attacks.
viii. Malware attacks.
ix. Birthday attacks.
Introduction
This case study focuses on DoS. A DoS is a type of attack in which the attacker attempts to prevent legitimate clients from accessing a computing service. They do so by targeting your computing device and its network connection, or the servers and network of the website you are using, so that you can no longer reach, for example, your email.
DoS attacks are a kind of cyber-attack that aims to reduce, or eliminate altogether, the ability of servers or other computing resources to provide services (Zhijun, et al., 2015). A DoS attack can take diverse forms, such as overloading an online service by sending a huge number of requests, or abusing vulnerabilities in application programs or services so as to suspend a function completely or in part. In such attacks, attackers use a number of techniques and tools to hide their identities, which makes it difficult to find the perpetrators.
A DoS attack can be carried out in the following ways:
i. Disrupting the connection between two computing devices, hence preventing access to a service.
ii. Flooding a network to inhibit genuine network traffic.
iii. Disrupting a service for a particular individual.
iv. Corrupting state information.
v. Preventing a specific person from accessing a service.
There are different types of Denial of Service attacks. Some include:
SYN Flood
A SYN flood abuses the normal way of opening a TCP connection, the three-way handshake. When a client opens a TCP connection to an open port on a server, it sends a SYN packet. The server receives and processes the packet, sends back a SYN-ACK packet, and stores the client's connection state in its Transmission Control Block (TCB) table while it waits for the client's final ACK. An attacker sends a large number of SYN packets, typically with spoofed source addresses, and never completes the handshake; the half-open entries exhaust the server's backlog, and new connection requests from legitimate clients are dropped.
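The handshake state described above, simulated as a bounded half-open backlog so that the failure mode is visible. This is an added example, not code from the original page; the backlog size, the retransmission timeout and all addresses are constructed for illustration.

```python
"""Simulation of a TCP listener's half-open (SYN_RECEIVED) backlog under a
spoofed SYN flood. Added example, not code from the original page; the
backlog size, timeout and addresses are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Server-side state for one listening port: a bounded TCB table of
    half-open connections keyed by (source ip, source port)."""
    backlog: int                  # maximum number of half-open entries
    syn_timeout: float            # seconds before a half-open entry is dropped
    half_open: dict = field(default_factory=dict)   # key -> expiry time
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def expire(self, now: float) -> None:
        """Remove half-open entries whose retransmission timer has run out."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src: tuple, now: float) -> str:
        """Handle a SYN: allocate a TCB and reply SYN-ACK, or drop it when the
        backlog is full. Returns the server's action."""
        self.expire(now)
        if src in self.half_open:
            return "SYN-ACK (retransmit)"
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return "DROP"
        self.half_open[src] = now + self.syn_timeout
        return "SYN-ACK"

    def on_ack(self, src: tuple, now: float) -> str:
        """Handle the client's final ACK: promote the entry to ESTABLISHED."""
        self.expire(now)
        if src not in self.half_open:
            return "RST"           # no matching half-open connection
        del self.half_open[src]
        self.established.add(src)
        return "ESTABLISHED"


def run_flood(backlog: int = 8, syn_timeout: float = 3.0, attack_syns: int = 50) -> dict:
    """Constructed scenario: one legitimate client completes a handshake, an
    attacker then sends spoofed SYNs that are never ACKed, and a second
    legitimate client tries to connect during and after the flood."""
    srv = Listener(backlog=backlog, syn_timeout=syn_timeout)
    legit1 = ("198.51.100.10", 40001)
    legit2 = ("198.51.100.20", 40002)

    # t=0: a normal three-way handshake (SYN, SYN-ACK, ACK)
    before = srv.on_syn(legit1, now=0.0)
    before_ack = srv.on_ack(legit1, now=0.1)

    # t=1: spoofed SYNs from sources that will never answer the SYN-ACK
    attack_results = [srv.on_syn(("203.0.113.%d" % i, 1024 + i), now=1.0)
                      for i in range(attack_syns)]

    # t=2: a legitimate client is refused while the backlog is full
    during = srv.on_syn(legit2, now=2.0)

    # after the timeout the stale entries expire and the client's retry succeeds
    after = srv.on_syn(legit2, now=1.0 + syn_timeout + 1.0)
    after_ack = srv.on_ack(legit2, now=1.0 + syn_timeout + 1.1)

    return {
        "legit_before_flood": (before, before_ack),
        "backlog_filled": attack_results.count("SYN-ACK"),
        "attack_syns_dropped": attack_results.count("DROP"),
        "legit_during_flood": during,
        "legit_after_timeout": after,
        "legit_after_ack": after_ack,
        "established": len(srv.established),
    }


if __name__ == "__main__":
    for k, v in run_flood().items():
        print(f"{k}: {v}")
```

The model deliberately keeps only the two knobs a real TCP stack exposes at this layer, the backlog size and the SYN-RECEIVED timeout: a larger backlog or a shorter timeout raises the rate an attacker must sustain, but with spoofed sources the attacker pays nothing per entry, which is why the address filtering described in the preventive mechanisms section matters for this attack.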
HTTP Flood
This is the most widely used attack against web services and applications. The attacker sends complete, valid HTTP POST requests that are specifically crafted to exhaust the target server's resources, and sends enough of them that legitimate requests are left waiting while the server is busy processing the fake ones. Defending against this attack is challenging because the flood requests are hard to distinguish from valid ones.
Distributed Denial of Service Attacks (DDoS)
A DDoS uses more than one computer to generate traffic against the target machine. The attacker manages a number of compromised computers and other devices at the same time and distributes among them the task of flooding the target server with traffic, consuming its bandwidth and resources (AminKarami & ManelGuerrero-Zapata, 2015). The attacker is thus able to use other people's computers, if they have unresolved security issues, to launch attacks on further computers. A DDoS is more effective, and harder to stop, than a DoS launched from a single source.
Denial of Service attacks can cause the following problems:
1. Ineffective services
2. Inaccessible services
3. Interruption of network traffic
4. Connection interference
Because of these effects of DoS attacks, preventive mechanisms are put in place against them.
Preventive Mechanisms
The aim of a denial of service prevention mechanism is to avert attacks before they can cause harm. The prevention mechanisms comprise self-certifying addresses, spoofed packet filtering, network protective measures, secure overlays and infrastructure protective measures.
Filtering Spoofed Packets
Most DoS attackers depend on address spoofing to hide the source of an attack. Reflection and amplification methods also depend on IP spoofing, hence filtering mechanisms are built to stop DoS attack traffic with spoofed source addresses from reaching the target by dropping packets with false source IPs.
The Martian IP Filtering and Source IP Validation
Martian address filtering specifies that a router should not forward any Martian packet. A Martian packet is one whose source or destination is an IP address reserved by the IANA for special purposes, such as loopback, private or unallocated ranges; the current special-purpose IPv4 and IPv6 registries are defined in IETF RFC 6890. Invalid IP addresses are those that do not belong to an allocated range and cannot be a legitimate source or destination. Source address validation states that a router should filter traffic by comparing the source address of a packet with its routing table: when filtering is enabled, the router silently drops a packet if the interface on which the packet was received is not the interface the router would use to forward a packet back to the source address (Shang, et al., 2017). Martian address filtering therefore eliminates spoofing only for a small set of addresses, and an attacker can simply avoid spoofing Martian addresses. Source IP address validation, on the other hand, can eliminate the main source of IP address spoofing. However, given the number of asymmetric paths in the Internet, it is fairly probable that the return route to a particular packet's source IP address does not leave through the same interface on which that packet arrived. Deploying this method to filter packets can therefore cause collateral damage to genuine clients' traffic.
Egress/Ingress Filtering
The purpose of egress or ingress filtering is to permit traffic to enter or leave a network only if its source IP address lies inside the expected address range. Egress filtering is the filtering of traffic leaving the network, whereas ingress filtering is the filtering of traffic entering a network.
Route-Based Filtering
The route-based distributed packet filtering technique is proposed to filter out spoofed packet streams. Distributed packet filtering uses routing information to determine whether a packet arriving at a router, for instance an edge router, is valid with respect to its claimed source and destination IP addresses, given the reachability constraints imposed by routing and the network protocol. Distributed packet filtering uses information from the BGP routing protocol to filter traffic with spoofed source IP addresses.
However, distributed packet filtering has a number of limitations. If several routes are allowed when routing packets from a given source to a particular destination, it becomes easy for attacks that use spoofed source addresses to evade route-based filtering. Distributed packet filtering can also drop genuine packets after a route change. Lastly, the filtering rules in distributed packet filtering have a very coarse, Autonomous System-level granularity, and attackers can still bypass the distributed packet filters by carefully selecting the range of addresses to spoof.
SAVE Protocol
To overcome the drawbacks of route-based filtering, the Source Address Validity Enforcement (SAVE) protocol is described by Issac and Israr. SAVE continually propagates messages carrying valid source IP address information from each source to every destination (Issac & Israr, 2014). Hence every router along the path builds an incoming table that associates each of the router's interfaces with a set of valid source IP address blocks. When a packet arrives on an interface, the router looks it up in its incoming table to decide whether the packet arrived from the appropriate direction. SAVE copes with the asymmetry of Internet routing by periodically updating the incoming tables on every router. Nevertheless, it requires changes to the routing protocol, which is a daunting task that takes a lot of time to achieve. Furthermore, because SAVE filters spoofed packets in order to protect other entities, it offers no direct deployment incentive. As with egress/ingress and route-based filtering, once SAVE is only partly deployed, attackers can still spoof addresses inside networks that do not apply it.
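The source-address checks described in the Martian filtering, source IP validation, egress/ingress filtering and SAVE sections above all reduce to the same question: may a packet with this source address legitimately arrive on this interface? The following added example (not code from the original page) applies the three checks in turn to a constructed border router: a Martian prefix list, a per-interface ingress allow-list, and a reverse-path check against the routing table, which is the same test SAVE performs with its incoming table. The topology, prefixes and packets are constructed for illustration; the asymmetric-path packet shows the collateral damage the text warns about and how a loose check avoids it.

```python
"""Source-address filtering: Martian prefixes, per-interface ingress
allow-lists (BCP 38 style) and strict/loose reverse-path checks against the
routing table. Added example, not code from the original page; topology,
prefixes and packets are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A subset of the special-purpose prefixes (RFC 6890 registry) that should
# never appear as a source address on an Internet-facing interface.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class BorderRouter:
    def __init__(self, routes: Dict[str, str], ingress_allow: Dict[str, List[str]]):
        # routes: destination prefix -> outgoing interface; longest match wins
        self.routes = sorted(((ipaddress.ip_network(p), iface) for p, iface in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        # ingress_allow: interface -> prefixes that may source packets there
        # (customer-facing links); an interface not listed is unrestricted
        self.ingress_allow = {iface: [ipaddress.ip_network(p) for p in ps]
                              for iface, ps in ingress_allow.items()}

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        """Interface the router would use to reach addr (longest prefix match)."""
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def is_martian(self, addr: ipaddress.IPv4Address) -> bool:
        return any(addr in n for n in MARTIANS)

    def ingress_ok(self, iface: str, src: ipaddress.IPv4Address) -> bool:
        allowed = self.ingress_allow.get(iface)
        return allowed is None or any(src in n for n in allowed)

    def rpf_ok(self, iface: str, src: ipaddress.IPv4Address, strict: bool) -> bool:
        """Strict: the route back to src must leave via the arrival interface
        (the text's source IP validation / SAVE incoming-table check).
        Loose: src merely has to be routable at all."""
        back = self.lookup(src)
        if back is None:
            return False
        return back == iface if strict else True

    def classify(self, iface: str, src: str, strict_rpf: bool = True) -> str:
        addr = ipaddress.ip_address(src)
        if self.is_martian(addr):
            return "drop:martian"
        if not self.ingress_ok(iface, addr):
            return "drop:ingress-acl"
        if not self.rpf_ok(iface, addr, strict_rpf):
            return "drop:rpf"
        return "forward"


def build_demo_router() -> BorderRouter:
    """Constructed topology: eth0 faces customer A (203.0.113.0/24), eth1
    faces customer B (198.51.100.0/24), eth2 and eth3 are two upstream links;
    192.0.2.0/24 is reached via eth2, everything else via eth3."""
    return BorderRouter(
        routes={"203.0.113.0/24": "eth0", "198.51.100.0/24": "eth1",
                "192.0.2.0/24": "eth2", "0.0.0.0/0": "eth3"},
        ingress_allow={"eth0": ["203.0.113.0/24"], "eth1": ["198.51.100.0/24"]},
    )


def run_demo(strict_rpf: bool = True) -> Dict[Tuple[str, str], str]:
    r = build_demo_router()
    packets = [  # (arrival interface, source address), all constructed
        ("eth0", "203.0.113.7"),    # customer A, genuine source
        ("eth0", "198.51.100.9"),   # customer A spoofing customer B
        ("eth0", "10.1.2.3"),       # private source leaking in
        ("eth3", "127.0.0.1"),      # martian arriving from upstream
        ("eth2", "192.0.2.50"),     # arrives on the interface we route back via
        ("eth3", "192.0.2.50"),     # same source via the other upstream (asymmetric path)
        ("eth3", "8.8.8.8"),        # default-routed source on the default interface
    ]
    return {(iface, src): r.classify(iface, src, strict_rpf) for iface, src in packets}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "loose")
        for (iface, src), verdict in run_demo(mode).items():
            print(f"  {iface:5} {src:15} {verdict}")
```

Strict reverse-path checking is safe on the customer-facing interfaces, where the router is the only path; on the upstream links the same packet from 192.0.2.50 is forwarded via eth2 but dropped via eth3, which is exactly the asymmetric-routing collateral damage described above, and the usual practice is to run the loose variant there.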
Self-certifying IP Addresses
The accountability problem received little attention in the initial phases of the Internet's design, and it is only being considered seriously now. One of the chief difficulties that needs to be addressed is the accountability of addresses. With a self-certifying address, the address is derived from the host's public key, so the host can prove ownership of its address and a spoofed address cannot be backed by a valid key.
HIP
The Host Identity Protocol architecture, as described by Korzun and Gurtov, introduces a new namespace, the Host Identity namespace, and a new protocol layer, the Host Identity Protocol, between the transport and network layers (Korzun & Gurtov, 2012). The Host Identity namespace consists of Host Identifiers; a Host Identifier is the public key of an asymmetric key pair. Every host can have one or more Host Identifiers, but no two hosts have the same Host Identifier.
The difference between a Host Identity and a Host Identifier is that the Host Identity is the abstract entity being verified, whereas the Host Identifier is the actual bit pattern used in the identification process. A Host Identifier can be either published or unpublished.
AIP
The Accountable Internet Protocol (AIP), described by Xu, et al., offers Internet-layer accountability through self-certifying addresses. AIP is designed to address the absence of a secure binding of a host to its addresses, and the absence of a secure binding of an Autonomous System number to the IP address prefixes owned by that Autonomous System (Xu, et al., 2012).
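What "self-certifying" means in the HIP and AIP sections above, as an added example that is not code from the original page nor from either protocol's specification: the identifier is a hash of the public key, and ownership is proven by signing a verifier's challenge. To keep it runnable with the standard library alone it uses a Lamport one-time signature over SHA-256 instead of the conventional public-key schemes HIP and AIP use in practice; the identifier length and the challenge string are assumptions for illustration.

```python
"""Self-certifying identifiers: the address is a hash of the host's public
key, so a host proves ownership of its address by signing a challenge with
the matching private key. Added example, not from the original page or the
HIP/AIP specifications. Signature scheme: Lamport one-time signatures over
SHA-256 (standard library only; each key must sign only once)."""
import hashlib
import os
from typing import Dict, List, Tuple

NBITS = 256   # digest length signed by the one-time key
ID_LEN = 16   # identifier length in bytes; an assumption for illustration


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[List[List[bytes]], List[List[bytes]]]:
    """Lamport key: two random secrets per digest bit; the public key is
    their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(NBITS)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def serialize_pk(pk: List[List[bytes]]) -> bytes:
    return b"".join(h for pair in pk for h in pair)


def self_certifying_id(pk: List[List[bytes]], length: int = ID_LEN) -> bytes:
    """The address is derived from the public key itself (truncated SHA-256)."""
    return H(serialize_pk(pk))[:length]


def _bits(message: bytes) -> List[int]:
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(NBITS)]


def sign(sk: List[List[bytes]], message: bytes) -> List[bytes]:
    """Reveal, for each digest bit, the secret matching that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk: List[List[bytes]], message: bytes, sig: List[bytes]) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(message)))


def prove_address(addr: bytes, pk: List[List[bytes]], challenge: bytes, sig: List[bytes]) -> bool:
    """What a verifier checks when a host claims address `addr`:
    1. the presented public key hashes to the claimed address, and
    2. the signature over the verifier's challenge verifies under that key."""
    return self_certifying_id(pk) == addr and verify(pk, challenge, sig)


def demo() -> Dict[str, bool]:
    challenge = b"nonce-7f3a|verifier->claimant|ts=1700000000"   # constructed
    sk_a, pk_a = keygen()
    addr_a = self_certifying_id(pk_a)
    sig_a = sign(sk_a, challenge)

    # An attacker with its own key cannot back address A: its key does not
    # hash to addr_a, and its signature does not verify under pk_a.
    sk_x, pk_x = keygen()
    sig_x = sign(sk_x, challenge)

    return {
        "owner_proves_address": prove_address(addr_a, pk_a, challenge, sig_a),
        "spoofer_own_key": prove_address(addr_a, pk_x, challenge, sig_x),
        "spoofer_forged_sig": prove_address(addr_a, pk_a, challenge, sig_x),
        "replay_on_new_challenge": prove_address(addr_a, pk_a, b"nonce-0001", sig_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The binding the text calls for falls out of the first check alone: whoever wants to claim an address must present a key that hashes to it, and finding such a key for someone else's address is a second-preimage attack on the hash. The challenge prevents an observed proof from being replayed, which is why the verifier must choose a fresh nonce each time.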
SOS
Overlay methods aim to prevent DoS attacks on the limited set of networks they protect. They do this by routing traffic destined for a protected network through an overlay network built on top of IP. Because the overlay network only accepts authorized clients and is carefully designed to offer redundancy together with DoS resistance, it is not easy for attackers to achieve a DoS against a protected server.
Secure overlay methods assume that the overlay network is the only way for clients outside the trusted domain of a protected network to communicate with it. This separation of the protected network from the rest of the Internet is presumed to be attainable either by hiding the addresses of the protected network or by deploying distributed firewalls that drop all inbound traffic to the protected network except traffic from trusted nodes in the overlay network.
Secure Overlay Service
This is an overlay network architecture, described by Nardelli, et al., for proactively preventing DoS attacks. A secure overlay is formed by choosing a set of nodes scattered across a WAN and logically connecting them via secure tunnels. The objective of the Secure Overlay Services architecture is to permit communication only between a protected site and clients that have been granted prior consent to access that site (Nardelli, et al., 2013).
To accomplish this, Secure Overlay Services first establishes a filtered region around the protected site by instructing the routers at the border of the site to permit traffic only from a small number of overlay nodes.
Secure-i3
Khoury and Abdallah describe an overlay network solution known as Secure-i3, based on the Internet Indirection Infrastructure (i3). i3 uses a set of special nodes, the i3 servers, to build an overlay network on top of IP (Lobna & Faten, 2016). Communication between two hosts is routed through the overlay on the basis of identifiers rather than IP addresses, and the act of sending a packet is decoupled from the act of receiving it. Secure-i3 uses the i3 overlay network as its means of hiding the address of the end host, and proposes several extensions that give the receiving host the capability to stop receiving traffic from a particular sender (Khoury & Abdallah, 2012).
Network Protective Measures
The chief place to deploy a security layer is the network infrastructure, simply because it is the entry route to the offered services.
Router installation
Once online services are run from a company network, one of the chief measures to consider is the installation of a router between the company network and the ISP. This provides a point where security layers such as ACLs, which control network access on the basis of the source IP address, or a firewall can be easily deployed. Frequently this router is provided by the ISP, but this is not always the case; if not, an additional internal router should be installed on the corporate network, which may act as a firewall and allow the implementation of the essential security measures.
If the online services are hosted on external hosting or dedicated servers, the defensive measures offered by the router described above must be deployed virtually, that is, through the service provider's management panels (Hu, et al., 2018). The default protective measures the service provider applies across its network should also be evaluated.
Bandwidth
It is likewise prudent to have adequate bandwidth, both in the on-premises network and in the link provided by the ISP. This helps to withstand DoS attacks such as ICMP floods and floods of other network protocols. If it is impossible to increase bandwidth, it is worthwhile to deploy a content delivery network in the meantime; this can be a fairly effective solution when a very large volume of requests arrives and services are delivered to regions that are geographically distant.
A CDN is a network whose servers are located in geographically separate zones and are exact replicas of each other. This helps to provide fast responses to web requests, increases the available cache capacity and reduces congestion. Deploying a content delivery network is one of the most effective measures against large denial-of-service attacks that work by exhausting bandwidth.
Reverse proxy
Another possible measure is to deploy a reverse proxy in front of a number of servers in the enterprise network that are exact copies of the services we intend to provide. In this manner it is possible to balance the number of requests received by each server by distributing them among other servers with the same functionality, which prevents a single service from being overloaded (Gope, et al., 2016). This arrangement provides additional benefits, including failover capability for the website and caching, which reduces the response time of the service.
It is also possible to run the different services provided by a network from different devices, for instance separate servers for web and mail services, the latter running in a DMZ of the enterprise network.
Geographical area
Lastly, if online services are provided only to a particular geographical area, for instance a country, measures can be employed to permit only requests from that region to reach the offered services. All requests from addresses belonging to other countries are then treated as potential attackers and blocked. If a business falls victim to a distributed denial-of-service attack, only the botnet members located in the country to which access is granted can still make requests. Since a botnet is made up of computing devices from all over the globe, this protects the service from most of the attack, though not from the botnet members placed in the permitted region.
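The HTTP flood and geographical filtering sections above both describe admission decisions made at the reverse proxy or web tier from the source address alone. The following added example (not code from the original page) runs those two decisions over constructed access-log lines: a request is accepted only if its source lies in the permitted region's prefixes and stays under a per-source sliding-window rate limit. The prefix list is a stand-in for a GeoIP feed and is not a real country allocation; the window, limit and log lines are constructed for illustration.

```python
"""Application-layer admission control: region allow-list plus a per-source
sliding-window rate limit, applied to constructed access-log lines. Added
example, not code from the original page; prefixes, limits and log lines are
constructed for illustration (the prefixes are not real country allocations)."""
import ipaddress
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed "permitted region" prefixes (stand-in for a GeoIP lookup).
REGION_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2})$")   # the constructed lines end in HH:MM:SS


def parse_line(line: str) -> Tuple[str, int, str]:
    """-> (source ip, seconds since midnight, request line)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    h, mi, s = map(int, TS_RE.search(m["ts"]).groups())
    return m["ip"], h * 3600 + mi * 60 + s, m["req"]


class Admission:
    def __init__(self, window: int, max_requests: int):
        self.window = window              # seconds
        self.max_requests = max_requests  # per source per window
        self.seen: Dict[str, Deque[int]] = defaultdict(deque)

    def in_region(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in REGION_PREFIXES)

    def decide(self, ip: str, t: int) -> str:
        if not self.in_region(ip):
            return "block:geo"
        q = self.seen[ip]
        while q and q[0] <= t - self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.max_requests:
            return "block:rate"               # still valid HTTP, just too much of it
        q.append(t)
        return "allow"


# Constructed access log: a normal visitor, one out-of-region client and one
# in-region client hammering a POST endpoint.
CONSTRUCTED_LOG = """\
198.51.100.7 - - [24/Apr/2023:10:00:01] "GET /index.html HTTP/1.1" 200
198.51.100.7 - - [24/Apr/2023:10:00:05] "GET /about.html HTTP/1.1" 200
192.0.2.44 - - [24/Apr/2023:10:00:05] "POST /login HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:06] "POST /search HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:06] "POST /search HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:06] "POST /search HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:07] "POST /search HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:07] "POST /search HTTP/1.1" 200
203.0.113.9 - - [24/Apr/2023:10:00:20] "POST /search HTTP/1.1" 200
"""


def run(log: str = CONSTRUCTED_LOG, window: int = 10, max_requests: int = 3) -> List[Tuple[str, int, str]]:
    """Replay the log through the admission policy; returns (ip, t, decision)."""
    adm = Admission(window, max_requests)
    out = []
    for line in log.splitlines():
        ip, t, _ = parse_line(line)
        out.append((ip, t, adm.decide(ip, t)))
    return out


if __name__ == "__main__":
    for ip, t, decision in run():
        print(f"{t:6d} {ip:15} {decision}")
```

Both checks share the limitation the text notes for HTTP floods: the blocked requests are well-formed, so the policy keys on who sends and how often rather than on the request itself, and a distributed flood with many in-region sources each staying under the limit still gets through.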
Infrastructure defensive measures
Another approach is to protect the infrastructure itself. The infrastructure comprises networked servers, printers, routers, switches and other computing devices.
Software status
On all the computing devices mentioned above, it is paramount to verify the software status regularly. If a software application is not updated automatically, the version of the application on every computing device ought to be the most recent one that fixes any discovered security vulnerability or problem. A number of DoS incidents are carried out by exploiting security failures in computing devices; for this reason it is important to obtain updates for the software in use from the developer's official site.
Deactivation of Unnecessary server ports
All unnecessary server ports should be deactivated as soon as a server is intended solely for hosting web services. In that case only port 80 for HTTP requests and port 443 for HTTPS requests ought to be open (Chelladhurai, et al., 2016). If DNS services must also be hosted, port 53 has to be open. Beyond that, it is worthwhile to disable all unused services so as to avoid any future abuse of them.
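A way to check the recommendation above on a Linux host, as an added example that is not code from the original page: parse the kernel's socket table and report every listening TCP port that is not on the 80/443/53 allow-list the text gives. The snapshot below is constructed in the /proc/net/tcp format (hex little-endian address and port, state 0A = LISTEN); on a live host, read /proc/net/tcp and /proc/net/tcp6 in its place.

```python
"""Audit of listening TCP ports against an allow-list. Added example, not
code from the original page. Parses the Linux /proc/net/tcp format; the
snapshot below is constructed for illustration and the allow-list follows the
text (80, 443, 53)."""
import socket
import struct
from typing import Dict, List, Set, Tuple

LISTEN = "0A"                      # socket state code for LISTEN
ALLOWED_PORTS = {80, 443, 53}

# Constructed snapshot: a web+DNS server that also still has SSH, a database
# bound to loopback, a debug port on all interfaces, and one established
# connection (state 01, not a listener).
CONSTRUCTED_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12349 1 0000000000000000 100 0 0 10 0
   5: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12350 1 0000000000000000 100 0 0 10 0
   6: 0A00020F:0050 C6336407:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 12351 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4
    address as a little-endian 32-bit hex word and the port in hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp: str) -> List[Tuple[str, int]]:
    """Return (bind address, port) for every socket in LISTEN state."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:     # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN:
            out.append(decode_addr(fields[1]))
    return out


def audit(proc_net_tcp: str, allowed: Set[int] = ALLOWED_PORTS) -> Dict[str, List[Tuple[str, int]]]:
    """Split listeners into expected and unexpected. A service bound only to
    127.0.0.1 is reported separately: it is unreachable from the network but
    is still an unused service worth disabling."""
    report: Dict[str, List[Tuple[str, int]]] = {"expected": [], "unexpected": [], "loopback_only": []}
    for ip, port in listening_sockets(proc_net_tcp):
        if port in allowed:
            report["expected"].append((ip, port))
        elif ip.startswith("127."):
            report["loopback_only"].append((ip, port))
        else:
            report["unexpected"].append((ip, port))
    return report


if __name__ == "__main__":
    for kind, socks in audit(CONSTRUCTED_PROC_NET_TCP).items():
        print(kind, socks)
```

The report names ports, not the processes behind them; mapping the inode column back to a process (as `ss -lntp` does) is the next step before switching a service off, so that the unexpected listener is disabled rather than merely firewalled.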
Summary
In summary, denial of service is one of the major network threats. We have provided a survey of DoS attacks and their countermeasures, critically studied a number of research proposals in the DoS defence area, analysed their strengths and weaknesses, and suggested promising enhancements to some of the defence solutions.
Conclusion
In conclusion, DoS attacks cannot be completely avoided, but putting in place the preventive mechanisms discussed, such as spoofed packet filtering, self-certifying addresses, network protective measures, infrastructure protective measures and secure overlays, can reduce the impact of an attack or at times prevent it.
Reference List
AminKarami & ManelGuerrero-Zapata, 2015. A hybrid multiobjective RBF-PSO method for mitigating DoS attacks in Named Data Networking. Neurocomputing, 151(13), pp. 1262-1282.
Chelladhurai, J., Kumar, S. A. & Chelliah, P. R., 2016. Securing Docker Containers from Denial of Service (DoS) Attacks. San Francisco, IEEE.
Gope, P., Lee, J. & Quek, T. Q. S., 2016. Resilience of DoS Attacks in Designing Anonymous User Authentication Protocol for Wireless Sensor Networks. IEEE Sensors Journal, 17(2), pp. 498-503.
Hu, S. et al., 2018. Resilient Event-Triggered Controller Synthesis of Networked Control Systems Under Periodic DoS Jamming Attacks. IEEE Transactions on Cybernetics, 21(6), pp. 1-11.
Issac, B. & Israr, N., 2014. Case Studies in Secure Computing: Achievements and Trends. 2nd ed. Boca Raton, Florida: CRC Press.
Khoury, J. S. & Abdallah, . T., 2012. Internet Naming and Discovery: Architecture and Economics. 5th ed. Berlin/Heidelberg: Springer Science & Business Media.
Korzun, D. & Gurtov, ., 2012. Structured Peer-to-Peer Systems: Fundamentals of Hierarchical Organization. 4th ed. Berlin/Heidelberg, Germany: Springer Science & Business Media.
Lobna, D. & Faten, Z. M., 2016. SDN-Guard: DoS Attacks Mitigation in SDN Networks. Pisa, IEEE.
Nardelli, E., Posadziejewski, . & Talamo, ., 2013. Certification and Security in E-Services. 3rd ed. Berlin: Springer.
Shang, G. et al., 2017. FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. Atlanta, IEEE.
Xu, L., Bertino, E. & Mu, ., 2012. Network and System Security. 6th ed. Berlin/Heidelberg: Springer.
Zhijun, W., Liyuan, Z. & Meng, Y., 2015. Low-Rate DoS Attacks Detection Based on Network Multifractal. IEEE Transactions on Dependable and Secure Computing, 13(5), pp. 559-567.