Formal Specification and Verification of a Selective Defense for TDoS Attacks

Telephony Denial of Service (TDoS) attacks target telephony services, such as Voice over IP, preventing legitimate users from making calls. Few defenses attempt to mitigate TDoS attacks; most of them rely on IP filtering and have limited applicability. In our recent work, we proposed using selective strategies for mitigating HTTP Application-Layer DDoS attacks and demonstrated their effectiveness against different types of attacks. This paper demonstrates that selective strategies can also be used successfully to mitigate TDoS attacks, in particular two attacks: the Coordinated Call Attack and the Prank Call Attack. We formalize a novel selective strategy for mitigating these attacks in the computational tool Maude and verify the defenses using the statistical model checker PVeStA. The results obtained using formal methods were very similar to our experimental results (reported elsewhere). This demonstrates that formal methods are a powerful tool for specifying defenses against Distributed Denial of Service attacks, increasing our confidence in a proposed defense before its actual implementation.
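The abstract describes the idea only at a high level: a server under a call flood applies a selective strategy rather than a first-come busy signal, and the defense is evaluated by a statistical model checker that estimates probabilities over many random runs. The following Python model is an added illustration, not the paper's Maude specification or PVeStA configuration. Everything in it is an assumption made for the sake of the example: a PBX with a fixed number of lines, legitimate callers with short calls, attackers whose calls hold a line until evicted (a stand-in for both a coordinated call burst and prank calls that keep lines occupied), and a selective rule that, when all lines are busy, admits a newcomer by evicting a uniformly chosen active call with probability `p_replace`. Running the simulation over independent seeds and reporting a mean with a confidence half-width mimics the kind of quantitative answer a statistical model checker gives.

```python
"""Monte Carlo model of a selective admission strategy for a telephony server
under call-flooding (TDoS) attacks.

Added, deliberately simplified example; NOT the paper's Maude/PVeStA model.
Parameters, the eviction rule and the attacker behaviour are all assumptions.
"""
import math
import random
from dataclasses import dataclass, field

INFINITE_HOLD = 10**9  # assumption: attacker calls never hang up on their own


@dataclass
class Call:
    legit: bool
    remaining: int          # ticks of line occupancy left
    dropped: bool = False   # set when the selective strategy evicts this call


@dataclass
class Pbx:
    lines: int
    p_replace: float        # 0.0 = plain busy signal (no defense), 1.0 = always evict
    rng: random.Random
    active: list = field(default_factory=list)
    completed_legit: int = 0

    def offer(self, call: Call) -> bool:
        """Offer a new call; return True if it obtains a line."""
        if len(self.active) < self.lines:
            self.active.append(call)
            return True
        # All lines busy: selective strategy. With probability p_replace evict a
        # uniformly chosen active call; otherwise the newcomer gets a busy signal.
        if self.rng.random() < self.p_replace:
            victim = self.rng.randrange(len(self.active))
            self.active[victim].dropped = True
            self.active[victim] = call
            return True
        return False

    def tick(self) -> None:
        """Advance time by one step; calls that finish release their line."""
        still_active = []
        for c in self.active:
            c.remaining -= 1
            if c.remaining > 0:
                still_active.append(c)
            elif c.legit:
                self.completed_legit += 1
        self.active = still_active


def simulate(p_replace, seed, lines=10, ticks=200, attack_burst=50,
             attack_per_tick=2, legit_per_tick=1, legit_hold=2):
    """One run; returns the fraction of legitimate calls admitted and completed."""
    pbx = Pbx(lines, p_replace, random.Random(seed))
    legit_total = legit_admitted = 0
    for t in range(ticks):
        # Worst case for the victim: within each tick, attack traffic arrives
        # before legitimate traffic (a coordinated burst at t=0, then a steady rate).
        n_attack = (attack_burst if t == 0 else 0) + attack_per_tick
        for _ in range(n_attack):
            pbx.offer(Call(legit=False, remaining=INFINITE_HOLD))
        for _ in range(legit_per_tick):
            legit_total += 1
            if pbx.offer(Call(legit=True, remaining=legit_hold)):
                legit_admitted += 1
        pbx.tick()
    return {
        "legit_admitted": legit_admitted / legit_total,
        "legit_completed": pbx.completed_legit / legit_total,
    }


def estimate(metric, trials=30):
    """Mean and 95% confidence half-width of metric(seed) over independent seeds,
    the kind of quantity a statistical model checker reports for a property."""
    samples = [metric(seed) for seed in range(trials)]
    mean = sum(samples) / trials
    var = sum((s - mean) ** 2 for s in samples) / (trials - 1)
    return mean, 1.96 * math.sqrt(var / trials)


if __name__ == "__main__":
    for p in (0.0, 0.5, 1.0):
        adm, hw = estimate(lambda seed: simulate(p, seed)["legit_admitted"])
        comp, _ = estimate(lambda seed: simulate(p, seed)["legit_completed"])
        print(f"p_replace={p:.1f}: legit admitted {adm:.2f} ±{hw:.2f}, "
              f"completed {comp:.2f}")
```

With no defense (`p_replace=0.0`) the burst fills every line at the first tick and, because attack calls never release a line, no legitimate caller is ever admitted. With `p_replace=1.0` every legitimate call obtains a line, and a good share still completes because attackers evict uniformly at random and legitimate calls are short. Intermediate values trade admission probability against churn, which is exactly the kind of parameter sweep a probabilistic model lets one explore before implementation.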
