WO2007122495A2 - Cadre conçu pour protéger des dispositifs de réseau à ressources limitées d'attaques par déni de service - Google Patents

Cadre conçu pour protéger des dispositifs de réseau à ressources limitées d'attaques par déni de service Download PDF

Info

Publication number
WO2007122495A2
WO2007122495A2 PCT/IB2007/001052 IB2007001052W WO2007122495A2 WO 2007122495 A2 WO2007122495 A2 WO 2007122495A2 IB 2007001052 W IB2007001052 W IB 2007001052W WO 2007122495 A2 WO2007122495 A2 WO 2007122495A2
Authority
WO
WIPO (PCT)
Prior art keywords
network device
resource constrained
constrained network
dos attack
attack
Prior art date
Application number
PCT/IB2007/001052
Other languages
English (en)
Other versions
WO2007122495A3 (fr
Inventor
Hongquian Karen Lu
Original Assignee
Axalto Sa
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Axalto Sa filed Critical Axalto Sa
Publication of WO2007122495A2 publication Critical patent/WO2007122495A2/fr
Publication of WO2007122495A3 publication Critical patent/WO2007122495A3/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/48Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806Task transfer initiation or dispatching
    • G06F9/4843Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/485Task life-cycle, e.g. stopping, restarting, resuming execution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141Denial of service attacks against endpoints in a network

Definitions

  • the invention relates to a resource-constrained network device, and to a method for protecting such resource-constrained network device against DOS attacks (DOS stands for Denial of Service, a well known class of attacks).
  • DOS Denial of Service
  • Resource-constrained network devices are devices with embedded microprocessors, with very limited computing power and little memory resource, with networking capability, but having relatively low bandwidth.
  • resource-constrained devices is the network smart card described in PCT/US2004/031572.
  • a smart card is a plastic card containing an integrated circuit with some memory and a microprocessor.
  • the physical size of a smart card chip is limited to 25 mm2.
  • the speed of the microprocessor was 3.75 mHz.
  • the smart card had a standard ISO 7816 interface, which is half-duplex, for communication.
  • chip manufacturers have been adding full speed USB to smart card chips and have been making higher speed CPUs.
  • an upcoming smart card chip by ST Microelectronics has a full speed USB interface for communication, an expected 33 mHz CPU, 16K bytes of RAM and 64K bytes of EEPROM. Comparing to the state of the art computers, available resources for these small devices are still very limited.
  • DoS denial-of-service attack
  • DoS attacks The purpose of DoS attacks is to prevent or impair legitimate use of computer or network resources; for example, preventing users from access a popular Internet server.
  • Common targets of resources are bandwidth, processing power, and storage capabilities.
  • the most common DoS attack type is packet-flooding attack, which involves sending a large number of packets to a destination to cause excessive consumptions of resources.
  • DDoS distributed denial-of-service
  • a large number of compromised hosts are organized to send packets to a victim computer to consume excessively its resource and/or its Internet connection.
  • DDoS attacks There are two kinds of DDoS attacks: direct attacks and reflector attacks.
  • direct attack an attacker arranges many compromised hosts to send a large number of packets directly toward a victim.
  • reflector attack the attacker uses intermediary nodes (routers and servers), called reflectors, to launch the attack.
  • the attacker arranges many compromised hosts to send packets that require responses to reflectors such that the packets' source addresses are set to the victim's IP address. Without realizing the plot, reflectors send responses to the victim consuming the victim's resource.
  • TCP packets A flood of TCP packets with various flags set are sent to the victim.
  • Common flags include SYN, ACK, and RST.
  • ICMP echo request/reply also called Ping floods
  • Ping floods A flood of ICMP packets (echo request or echo reply) are sent to the victim.
  • Examples of flooding based attacks comprise SYN flooding and ICMP flooding.
  • Various mechanisms are developed for prevention, detection and response to DoS attacks. This is explained in particular in:
  • firewall and intrusion detection system provide managed security services to enterprises or ISP networks, which consists of routers, servers, and hosts.
  • the Internet infrastructure is hierarchical.
  • the attack detection and attack packets filtering can be done at different levels of the network, for example, at local computer, local network, local ISP network, or upstream ISP network.
  • the effectiveness of the attack detection and packet filtering is dependent on the network level or levels that the defensive mechanisms are executed.
  • the method simplifies the detection and filtering of malicious packets. It should work if a network device has agreed with its client or server on the port hopping mechanism. However, because this method requires both clients and their server implement the port hopping, it does not work if a network device provides a standard service, such as a web server, and allows access from a standard client; or if a network device is a standard client, such as web browser, and is to access a standard server.
  • a standard service such as a web server
  • IDS intrusion detection system
  • Internet Firewalls global defense infrastructures
  • These approaches protect the embedded network devices in the way that they protect the network.
  • the embedded network devices are still in danger if the devices are connected to the Internet via host computers.
  • a host computer may launch, knowingly or unknowingly, DoS attacks against connecting devices.
  • a maliciously installed malware or a computer worm on a host computer may launch such attacks.
  • attack packets may not go to the outer network, defense mechanisms setup at the network level or at routers will not be able to help.
  • the resource constrained network devices much have their own defense mechanisms that can live with the limitations of the devices.
  • the first one is known as packet filtering, and is a network security method, which, as its name says, filters incoming or outgoing packets to let good packets pass and to block suspicious packets. Filter rules specify what packets to pass and what packets to reject, thus controlling the packet filtering behavior. Packet filtering helps to protect network devices from DoS attacks to a certain extent as it can filter out potential DoS attack packets.
  • a multi-stage packet filtering method for resource-constrained network devices is described in US 11/246,736. This method is used as a security measure as well as a memory management scheme to deal with the limited memory resource.
  • SYN Cookies The second method is known as SYN Cookies.
  • Linux kernel and three BSD's Open, Free, Net
  • SYN cookies which is used to prevent SYN flooding attack and was proposed in Bernstein, DJ. , SYN Cookies, http://cr.yp.to/syncookies.html.
  • Zuquete proposed an improvement to SYN cookies along with details of the Linux SYN cookies implementation, as explained in Zuquete, A., "Improving the Functionality of SYN Cookies," http://www.inesc-id.pt/pt/indicadores/Ficheiros/165.pdf.
  • the improvement is significant if all TCP implementations follow TCP specification. Unfortunately, this is not the case. Therefore the success of the improved SYN cookies depends on TCP client implementations. Nevertheless, SYN cookies are suitable for resource-constrained network devices, especially when the device has hardware or efficient software implementation of a hash function.
  • One of the elements encoded in a SYN cookie represents the requesting TCP client's maximum segment size (MSS), which specifies the maximum segment size that the client can receive.
  • MSS maximum segment size
  • the data is a 3-bit encoding of 8 predefined MSS values.
  • the client's MSS is approximated by one of these 8 MSS values.
  • the MSS information is encoded in a SYN cookie because the MSS option only appears in a TCP SYN segment.
  • a resource- constrained network device has very limited memory resource. It is unlikely to exceed its TCP client's MSS. Therefore, the MSS encoding in SYN cookies may not be needed.
  • the Linux SYN cookie includes client's ISN.
  • the client's ISN may be random, which is the case, for example, Firefox web browser.
  • the original reason for including client's ISN is for the cookie to increase at least as fast as the client's ISN. Because it is random, there is no need to include client's ISN.
  • the SYN cookies facility may be turned on dynamically. In normal operation, SYN cookies are not necessary.
  • the network device may use SYN cookies when there is a suspicipn of SYN flooding attack.
  • the model expresses expected operational behaviors and attack-suspicious behaviors of the system. Real-time monitors raise an alarm when the system has deviated from the expected operations or when attack-suspicious behaviors occur.
  • This detection mechanism is embedded inside the network module. This provides real-time detection and conserves memory. The small monitoring code only runs when the code execution passes through there. Therefore, no separate task is required for the detection module and the impact on the system performance is minimum. Additional advantages of this approach include the ability to detect unknown attacks, simplicity, extensibility, and flexibility. The effectiveness of the detection does not depend on known packets probabilities or signatures. Furthermore, the method can be combined with other existing packets based approaches.
  • the invention involves an interrupt-based method for the resource-constrained network devices to respond in particular to flooding-based DoS attacks.
  • the framework according to preferred embodiments of the invention comprises methods for prevention, detection, self-protection, continuation, and mitigation.
  • the problem of better protecting a resource constrained network devices from DoS attacks is solved by having a resource constrained network device comprise detection means for detecting DOS attacks, and data-in interrupt means for notifying the device of network data input requests, and means to disable data-in interrupt means notifications when a DOS attack is detected.
  • detection means for detecting DOS attacks and data-in interrupt means for notifying the device of network data input requests, and means to disable data-in interrupt means notifications when a DOS attack is detected.
  • Figure 1 represents a framework for protecting resource-constrained network devices from DoS attacks
  • Figure 2 represents interactions among the components of the protection framework of Figure 1 and other software modules of a device according to a preferred embodiment of the invention
  • Figure 3 represents operational states illustrating how a response mechanism according to the invention may find enough time to work properly by managing data input interrupts
  • Figure 4 shows how a network module of a device according to a preferred embodiment of the invention may get some CPU time during a self- protection procedure
  • Figure 5 shows some options offered to users of devices according to preferred embodiments of the invention.
  • a framework for protecting resource constrained network devices from DoS attacks consists of several components for prevention, detection, self-protection, continuation, and mitigation, as illustrated in Figure 1.
  • This protection framework interacts with software modules of the resource-constrained network device to protect the system, data, applications, and the services on the device.
  • Figure 2 illustrates the interactions among components of the protection framework and other software modules of the device.
  • the protection module provides measures to prevent DoS attacks, such as packet filtering and TCP Sync cookie.
  • the detection module monitors the whole systems operational behavior to detect possible DoS attacks.
  • the module can also include traditional detection methods by monitoring the statistics or signatures of the packets. Once a possible attack is detected, the detection module informs the operating system, which invokes the self- protection procedure.
  • the network stack may also try to continue legitimate communications to enable applications to continue network activities. The continuation is supported by managing I/O interrupts, active packet filtering and a mitigation method that tries to stop DoS attack.
  • Self-protection aims to protect the data and the applications on the network device. Continuation aims to continue the service if possible. Mitigation tries to stop the DoS attack.
  • the OS when an attack is detected and the alert is sent to the OS, the OS disables the hardware interrupt for data-in. This gives the system CPU to run the self-protection procedures, which are described below. Once such procedures finish, the OS enables the hardware interrupt for data-in. The corresponding interrupt handler and the network module can function again. Because the device is still under attack, the network module actively filters out unwanted packets as early as possible and actively looks, for expected packets for outstanding connections. Once an expected packet arrives, the hardware data-in interrupt is disabled again. The network module processes the packet, and may pass the data to the application. Once the packet is processed and consumed, the hardware data- in interrupt is enabled again, as illustrated on Figure 3. Because the TCP is a reliable transmission protocol and the device can process packet fast enough, missed packets will be limited. Even if packets were missed, they will be retransmitted again from the other end.
  • the network module of the resource-constrained network device detects a network-based attack, it alerts the operating system. It may voluntarily suspend its task to give the CPU to other applications.
  • the operating system invokes self-protection procedures, which alert and schedule the tasks to protect data, files, and applications.
  • the self-protection procedures include securing sensitive in-memory data to secure storage, finishing outstanding file transactions, saving future-needed application contexts, and ending certain tasks or applications.
  • the operating system disables the data input interrupts to gain CPU time for the self-protection procedures.
  • the operating system may choose to execute the self-protection procedures uninterrupted by disabling timer interrupts or to allow some interruptions by allowing timer interrupts. Even in the latter case, very limited timer handlers are enabled. Ir! this case, the network module can set up a timer to get some CPU time.
  • the timer interrupt handler temporarily enables the data-in interrupt to enable the network module to catch incoming packets.
  • the network module drops all incoming packets, except the TCP packets with ACK set for previous sent messages. Such ACK packets free the send buffers. They also enable the network module to release CPU to applications tasks.
  • this enables the socket send() function to return back to its call, as illustrated on Figure 4.
  • the network module should only do some very quick thing in this situation and return control to the operating system.
  • the operating system disables the data-in interrupt to continue the self-protection procedures. Once the self-protection procedures finish, the OS enables the hardware interrupt for data-in.
  • the corresponding interrupt handler and the network module can function again.
  • the network module finishes the queued task as much as it can, for example, send out queued out-going messages. If the network device is a server, it may send a message to its clients, which will be described below.
  • the network module preferably continues dropping all incoming packets as early as possible, for example, at the interrupt level.
  • the network module continues to filter out unwanted packets, performs its network stack work and enables the applications to work, which is described below.
  • a resource-constrained network device when a resource-constrained network device is under a network-based attack, it is still alive.
  • the network module is given some CPU time and may finish sending pending messages.
  • the device might not miss much useful packets even though the incoming packets were dropped.
  • the Internet server or client that the device was connected with will resend the messages, if the connections are not timed out yet, because the TCP is a reliable transmission protocol.
  • the network device can inform the user these options via sending a message, for example, sending a web page to the browser that the user is using.
  • the message can warn the user that the device is under a DoS attack and provide options and instructions to the user.
  • the user can choose to disconnect the device or to continue to use the device. If he chooses to disconnect the device, he does so, for example, by taking out his network device, and tries again some other time or uses a different computer. If he chooses to continue using the device, he has several options: continue with the current session, start a new session, or finish the current session and then start a new session. There are, at least, two ways to start a new session. The continuation method is described below. The new session method is described further below.
  • the network module of the device can start to process the packets again. If the DoS attack has stopped, the device goes back to the normal operation. If the attack is still going on, the network module drops all incoming packets except those from the Internet client or server that the network device is communicating with. With the detection system's feedback, the front-end filter can filter out offending packets. For example, if SYN flooding attack is detected, all SYN packets may be filtered out, except those expected ones. Practically, this is a control system.
  • the data-in interrupt is turned on and off as explained earlier, and as illustrated in Figure 4.
  • the device might be slow, but it should continue to function.
  • the warning message to the user preferably informs the user that the operation might be slow.
  • the device preferably provides the user an opportunity to start a new session.
  • the method may stop the DoS attack.
  • Resource constrained network devices may be implemented in different ways. In most cases, a device can choose its own IP address. A device might even have more than one IP address. From the host perspective, the device is a network. In these cases, when the network device is under a DoS attack and the user has decided to start a new communication session, the device can enable IP hopping, as explained in particular in Jones, J., "Distributed denial of service attacks: Defenses, a special publication," Global Integrity, Technical Report, 2000. It basically discards its current IP address and assigns itself a new IP address. If the DoS attack is a targeted attack, for example, SYN flooding, the device can simple drop the messages for the old IP address initially.
  • a targeted attack for example, SYN flooding
  • the invention solves the two following problems:
  • the network device provides a web server and the user interacts with his device through a standard web browser. As mentioned earlier, when under a DoS attack, the device sends a warning and instruction web page to the browser. We then assume that the user has chosen to start a new session. According to the invention, there are at least two ways for the user to start a new session:
  • the warning and instruction web page contains an http (or https) link that points to the new URL (with the new IP address) of the device. The user can click the link to start a new session.
  • USB network devices such as the Network Smart Card
  • Some USB network devices allow the user to get to the login web page of the device by click an icon through the corresponding mass storage interface. In this case, the user closes the current browser, goes back to the device's mass storage device interface, and clicks the icon to start a new session.
  • the user does not need to know the new IP address of the network device.
  • the device either sets the link in the warning and instruction web page, in method 1 , or changes its address in the startup file that is clicked by the user from the mass storage device interface, in method 2.
  • the browser will use the new address specified in the link or in the startup file to open the device's login page.
  • the host will send an ARP asking who has this IP address.
  • the network device will respond.
  • the host will automatically update its ARP cache and routing table to reflect the device's IP address.
  • the device can now function using the new IP address.
  • the old IP address of the network device will be eventually dropped out from the host's ARP cache and routing table.
  • the flooding packets of the DoS attack will then no longer be sent to the device. This technique thus stops the DoS attack.
  • a Windows XP laptop as a host computer to run a web browser to access the web server in the network device.
  • Two or three minutes after the network device changed its IP address the old IP address was dropped out from the host's ARP cache. This was observed from both "arp -a" shell command and from a protocol analyzer ethereal.
  • IP hopping has advantages over existing IP hopping, which protect a public server, whose clients use Domain Name Server (DNS) to lookup the server's IP address.
  • DNS Domain Name Server
  • clients' messages may be filtered out by a network firewall. The clients cannot reach the server during this period. Therefore, the IP hopping has latencies.
  • the user is actively involved in the process to make decisions and to make the transition happen directly.
  • the actual new IP address is used to make a new connection instead of through DNS.
  • the network device such as a network smart card, may be clients as well as servers, both of which can take advantage of IP hopping.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

La présente invention concerne un dispositif de réseau à ressources limitées qui comprend un système de détection conçu pour détecter des attaques par déni de service (DOS), ainsi qu'un système d'interruption d'entrée de données conçu pour notifier au dispositif des requêtes d'entrée de données de réseau. Le dispositif comprend aussi un système conçu pour désactiver les notifications du système d'interruption d'entrée de données lorsqu'une attaque DOS est détectée.
PCT/IB2007/001052 2006-04-21 2007-04-23 Cadre conçu pour protéger des dispositifs de réseau à ressources limitées d'attaques par déni de service WO2007122495A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US79393406P 2006-04-21 2006-04-21
US60/793,934 2006-04-21

Publications (2)

Publication Number Publication Date
WO2007122495A2 true WO2007122495A2 (fr) 2007-11-01
WO2007122495A3 WO2007122495A3 (fr) 2008-01-17

Family

ID=38552022

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/001052 WO2007122495A2 (fr) 2006-04-21 2007-04-23 Cadre conçu pour protéger des dispositifs de réseau à ressources limitées d'attaques par déni de service

Country Status (1)

Country Link
WO (1) WO2007122495A2 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7805762B2 (en) 2003-10-15 2010-09-28 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US7886357B2 (en) 2002-03-29 2011-02-08 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US20120297479A1 (en) * 2010-02-02 2012-11-22 Giesecke & Devrient Gmbh Method for executing an application
US20200153858A1 (en) * 2016-10-25 2020-05-14 Fortress Cyber Security, LLC Security appliance

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1732650A (zh) * 2002-12-26 2006-02-08 松下电器产业株式会社 网络终端装置、通信超负荷避免方法及程序
US20060067231A1 (en) * 2004-09-27 2006-03-30 Matsushita Electric Industrial Co., Ltd. Packet reception control device and method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1732650A (zh) * 2002-12-26 2006-02-08 松下电器产业株式会社 网络终端装置、通信超负荷避免方法及程序
US20060067231A1 (en) * 2004-09-27 2006-03-30 Matsushita Electric Industrial Co., Ltd. Packet reception control device and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LUIGI RIZZO: "Device Polling support for FreeBSD" INTERNET, pages 1-7, XP002454334 10.12.2002 Retrieved from the Internet: URL:http://info.iet.unipi.it/~luigi/polling/> *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7886357B2 (en) 2002-03-29 2011-02-08 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US7805762B2 (en) 2003-10-15 2010-09-28 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US20120297479A1 (en) * 2010-02-02 2012-11-22 Giesecke & Devrient Gmbh Method for executing an application
US9171186B2 (en) * 2010-02-02 2015-10-27 Giesecke & Devrient Gmbh Method for executing an application
US20200153858A1 (en) * 2016-10-25 2020-05-14 Fortress Cyber Security, LLC Security appliance
US11575705B2 (en) * 2016-10-25 2023-02-07 Fortress Cyber Security, LLC Security appliance
US11985163B2 (en) * 2016-10-25 2024-05-14 Fortress Cyber Security, LLC Security appliance

Also Published As

Publication number Publication date
WO2007122495A3 (fr) 2008-01-17

Similar Documents

Publication Publication Date Title
US8881259B2 (en) Network security system with customizable rule-based analytics engine for identifying application layer violations
Kargl et al. Protecting web servers from distributed denial of service attacks
US8091132B2 (en) Behavior-based traffic differentiation (BTD) for defending against distributed denial of service (DDoS) attacks
US8904535B2 (en) Proactive worm containment (PWC) for enterprise networks
US20160182542A1 (en) Denial of service and other resource exhaustion defense and mitigation using transition tracking
US11032315B2 (en) Distributed denial-of-service attack mitigation with reduced latency
Householder et al. Managing the threat of denial-of-service attacks
AU2004282937A1 (en) Policy-based network security management
KR20120060655A (ko) 서버 공격을 탐지할 수 있는 라우팅 장치와 라우팅 방법 및 이를 이용한 네트워크
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
JP2005073272A (ja) Tcpステートレス・ホグによるtcpサーバに対する分散サービス妨害攻撃を防御する方法および装置
Surisetty et al. Is McAfee securitycenter/firewall software providing complete security for your computer?
Arafat et al. A practical approach and mitigation techniques on application layer DDoS attack in web server
Fakeeh An overview of DDoS attacks detection and prevention in the cloud
Shaar et al. DDoS attacks and impacts on various cloud computing components
WO2007122495A2 (fr) Cadre conçu pour protéger des dispositifs de réseau à ressources limitées d'attaques par déni de service
Khosravifar et al. An experience improving intrusion detection systems false alarm ratio by using honeypot
De Donno et al. A taxonomy of distributed denial of service attacks
Jain et al. Mitigation of denial of service (DoS) attack
Meena et al. Distributed denial of service attacks and their suggested defense remedial approaches
Jhi et al. PWC: A proactive worm containment solution for enterprise networks
Ribin et al. Precursory study on varieties of DDoS attacks and its implications in cloud systems
WO2007125402A2 (fr) Procédé pour protéger les serveurs locaux contre les attaques par saturation
CN108471428B (zh) 应用于CDN系统内的DDoS攻击主动防御技术及装备
Salah et al. Boosting throughput of Snort NIDS under Linux

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07734370

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07734370

Country of ref document: EP

Kind code of ref document: A2