Detecting and Reacting against Distributed Denial of Service Attacks

Distributed denial of service (DDoS) attacks are becoming a major threat to the Internet. Recently, some DDoS attacks have infected more than 100,000 vulnerable hosts over the Internet within 10 minutes. The consequences of these attacks can be devastating for many companies whose security policy against this kind of attack relies only on reconfiguring firewalls. It is worth noting that no computer network is immune from intrusions in general, and from distributed denial of service attacks in particular. Intrusion detection systems should therefore be geographically distributed in order to detect distributed and coordinated attacks. In this paper, we use a cooperative approach, based on the Intrusion Detection Message Exchange Format (IDMEF) defined by the IETF, that can detect coordinated attack scenarios through alert correlation of distributed IDSs. We present our experience in realizing this cooperative system and the results obtained from its implementation in a real network.
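The cooperative scheme the abstract describes, as an added example that is not the paper's own code: two hypothetical sensors emit IDMEF v1.0 alerts (RFC 4765 layout), and a central correlator groups them by target and flags a target only when several distinct sources are reported by more than one sensor within a short window, so that one sensor's partial view is not mistaken for a distributed attack. The sensor ids, thresholds and RFC 5737 test addresses are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF v1.0 namespace (RFC 4765)

def idmef_alert(analyzer, when, src, dst, text):  # minimal RFC 4765 Alert, constructed sample
    return (f'<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0"><Alert>'
            f'<Analyzer analyzerid="{analyzer}"/><CreateTime>{when}</CreateTime>'
            f'<Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>'
            f'<Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node></Target>'
            f'<Classification text="{text}"/></Alert></IDMEF-Message>')

def parse_alert(xml_text):
    """Extract the fields the correlator needs from one IDMEF message."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    addr = "idmef:{}/idmef:Node/idmef:Address/idmef:address"
    return {
        "analyzer": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "time": datetime.strptime(alert.findtext("idmef:CreateTime", namespaces=NS), "%Y-%m-%dT%H:%M:%SZ"),
        "src": alert.findtext(addr.format("Source"), namespaces=NS),
        "dst": alert.findtext(addr.format("Target"), namespaces=NS),
        "class": alert.find("idmef:Classification", NS).get("text"),
    }

def correlate(alerts, window_s=60, min_sources=4, min_sensors=2):
    """Flag a target hit by >= min_sources distinct sources within window_s seconds,
    reported by >= min_sensors sensors: one sensor's view alone is not called distributed."""
    by_target = defaultdict(list)
    for a in alerts:
        by_target[a["dst"]].append(a)
    scenarios = []
    for dst, group in by_target.items():
        group.sort(key=lambda a: a["time"])
        for i, first in enumerate(group):
            window = [a for a in group[i:] if (a["time"] - first["time"]).total_seconds() <= window_s]
            sources = {a["src"] for a in window}
            sensors = {a["analyzer"] for a in window}
            if len(sources) >= min_sources and len(sensors) >= min_sensors:
                scenarios.append({"target": dst, "sources": len(sources), "sensors": sorted(sensors)})
                break  # report each target once
    return scenarios

# Constructed sample: hypothetical sensors ids-A and ids-B each see part of one flood on 192.0.2.10.
SAMPLE = [idmef_alert("ids-A", "2004-05-01T10:00:00Z", f"203.0.113.{i}", "192.0.2.10", "SYN flood") for i in (1, 2, 3)]
SAMPLE += [idmef_alert("ids-B", "2004-05-01T10:00:05Z", f"198.51.100.{i}", "192.0.2.10", "SYN flood") for i in (1, 2)]
SAMPLE.append(idmef_alert("ids-A", "2004-05-01T11:00:00Z", "203.0.113.9", "192.0.2.20", "port scan"))

def detect_sample(messages=SAMPLE):
    return correlate([parse_alert(m) for m in messages])
```

Fed only the three ids-A alerts, `correlate` reports nothing, which is the point of requiring agreement between sensors before declaring a coordinated scenario.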
