IJRIT International Journal of Research in Information Technology, Volume 1, Issue 8, August, 2013, Pg. 192-196

International Journal of Research in Information Technology (IJRIT)

www.ijrit.com

ISSN 2001-5569

An Efficient Methodology to Study Distributed Denial of Service Attack in Internet Community

Pabbati Suresh (1), P. D. Chidambara Rao (2)

(1) M.Tech (SE), Sri Kottam Tulasi Reddy Memorial College of Engineering, Kondair, Mahabubnagar, Andhra Pradesh, India
(2) Assistant Professor, Dept. of CSE, Sri Kottam Tulasi Reddy Memorial College of Engineering, Kondair, Mahabubnagar, Andhra Pradesh, India

(1) [email protected]

Abstract
Distributed denial of service (DDoS) attacks are among the most serious threats to Internet services. A DDoS attack is a system anomaly or misuse that imposes abnormal behaviour on network traffic. Effective traceback has to meet two requirements: quickly and accurately locate the potential attackers, and filter the attack packets so that the host can resume normal service to its legitimate clients. To model and detect such attacks the network traffic must be observed continuously; characterising the traffic with a behaviour model is a good basis for detection, which is then performed by identifying abnormal behaviour. It is, however, hard to tell whether an unusually high traffic volume is caused by an attack or by a large number of users happening to access the target machine at the same time. The proposed distributed traceback methodology can also complement and leverage existing ICMP traceback so that a more efficient and accurate traceback is obtained. Simulations show that the methodology can locate the attackers in a short period of time. In this paper we study an efficient and effective methodology to determine to what extent the Internet and its users are disturbed by such attacks, and we study the snapshot algorithm, which lets the participating routers observe the network traffic and identify the domains from which the attack traffic originates.

Keywords: DDoS, Network traffic, Modeling and Detection, Traceback Methodology, Vulnerabilities.

Pabbati Suresh, IJRIT

192

1. Introduction
The emergence of the Internet as the most efficient form of communication has led to the enormous deployment of e-business and information-distribution services. The success of the Internet, however, also attracts malicious attackers who abuse system resources and expose its inherent security problems. The distributed denial-of-service (DDoS) attack is one of the most pressing of these problems. In February 2000 well-known commercial sites such as Yahoo, Amazon and eBay were attacked and were out of service for many hours; since then, DDoS attacks have grown in size, frequency, sophistication and severity. Two basic requirements for countering a DDoS attack are the traceback property and the filtering property. The traceback property is the capability to determine the possible locations of the attackers; the filtering property is the capability to eliminate the attack traffic at the victim site so that regular service can be maintained. If the attackers use non-spoofed packets there is no traceback problem, because the source addresses in the packets are valid and can be traced easily. Attackers, however, usually put fake (spoofed) IP source addresses in their attack packets; real attacks such as the TCP SYN flood rely on spoofed packets to cause the intended damage. Compromised machines are also precious resources to the attacker, who wants to keep others from discovering that these hosts are compromised, which is a further reason to spoof. Because the Internet is stateless, determining or tracing the source of the attack packets, and thereby the potential locations of the attackers, is a difficult task.
Self-propagating malicious code, known as computer worms, spreads without any human interaction and launches the most destructive attacks against computer networks: massive DDoS attacks that disrupt Internet services, large-scale traffic sniffing and key logging to obtain confidential information that can be misused, destruction of data of high monetary value, and large-scale distribution of unsolicited advertisement e-mail (spam) or software (malware). Such worms include the Camouflaging worm (C-Worm for short), Code Red, Slammer, Witty, Sasser and the Morris worm. To measure and collect the traffic intensities from the routers participating in the DDoS traceback mechanism, this paper applies the snapshot algorithm, introduced in Section 2 and studied in Section 4, which coordinates the participating routers in the traffic measurement and data collection and measures the traffic intensity correctly.

2. Problem Identification
In this section we first give an overview of our approach and then present the network model and its important components. We define three concepts, the transit traffic, the local traffic and the outgoing traffic of a participating router, and explain why a distributed algorithm is needed to perform the traceback correctly under a DDoS attack.

One way to eliminate the detrimental effect of a flood-based DDoS attack is to trace the location of the attacker and filter out all malicious packets leaving that host. Since the attacker sends a huge number of packets compared with a normal user, the large share of traffic coming from the attacker is easy to notice at the victim side with a traffic-intensity measurement. This approach is infeasible in practice, however, because the attackers usually spoof the source addresses of the malicious packets, so the traffic intensity of a particular host can hardly be measured from the source addresses of the packets. Instead, we suggest measuring at the routers the intensity of the outgoing traffic towards the victim. This scheme measures neither the traffic intensity of an individual user nor the path back to a particular attacker; it aims to identify the routers that have a high volume of outgoing traffic towards the victim site, which indicates that the attack originates from the domains of those routers. To measure and collect the traffic intensities from the routers participating in the traceback mechanism, we propose a novel approach based on the snapshot algorithm. The snapshot approach provides the means to coordinate all participating routers in the traffic measurement and the data collection, and it measures the traffic intensity correctly. The advantages of our approach are (i) it is easy to implement without large modifications of the routers and (ii) it is fast: only a few seconds are needed to measure the traffic intensities of the routers.


Let us first define the network model. In Figure 1, a directed acyclic graph (DAG) rooted at V represents a network topology, and the root node V represents the victim site. The DAG is composed of routers and local area networks (LANs). For simplicity of illustration, the DAG shows only the network components that take part in transmitting and forwarding traffic to the victim site V. Let Ri be an upstream router of V; the DAG is then a map of all routers that forward traffic to V.

Figure 1: Network topology example

A LAN contains a number of end hosts, including some legitimate clients of V and possibly some attackers of V. The traffic to V generated by the clients and the attackers is forwarded by routers. In Figure 1, for example, router R1 serves as the gateway of LAN0 and LAN1, and these two LANs are regarded as the local administrative domain (or domain for short) of R1. A router is responsible for forwarding the traffic generated in its own domain as well as the traffic generated in the domains of its upstream routers. In Figure 1, routers R3, R4 and R5 are the upstream routers of R1, and routers R3 and R4 in particular are the immediate upstream routers of R1. A router is a leaf router if it has no upstream routers, for instance R2, R3 and R5 in Figure 1; the other routers, such as R1 and R4, are internal routers. In reality, a router in this model represents the border router of an ISP or an AS, and the corresponding LAN represents the domain of that ISP/AS. Throughout this paper we let U(Ri) be the set of upstream routers of Ri and D(Ri) the set of downstream routers of Ri; the immediate upstream routers and the immediate downstream routers of Ri are the subsets of U(Ri) and D(Ri) that are directly connected to Ri.

We classify traffic into three types: the transit traffic, the local traffic and the outgoing traffic. The transit traffic of Ri is the traffic forwarded to Ri from its immediate upstream routers, while the local traffic of Ri is the traffic generated in the local administrative domain of Ri. The outgoing traffic of Ri is the sum of its transit traffic and its local traffic. To illustrate with Figure 1, part of the traffic to V is generated in LAN5, and those packets pass through routers R5, R4 and R1 before reaching V. The traffic from LAN5 is the transit traffic of router R4. The clients in LAN4 also generate traffic to V, and that traffic is the local traffic of R4. The union of the two streams generated in LAN4 and LAN5 is the outgoing traffic of R4. We assume that each router maintains a counter recording the accumulated volume of its outgoing traffic (in packets) towards the victim site V. For ease of presentation we ignore counter wraparound; it can be resolved by a distributed coordinated reset.

3. Attack Detection Process
By penetrating a large number of machines and stealthily installing malicious code on them, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of the victims, making the services of the computing systems unavailable. Various defence mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested, including resource redundancy, traceback of attack origins, and identification of programs with suspicious behaviour. Contemporary DDoS attacks employ sophisticated techniques, including hierarchical networks, one-way communication channels, encrypted messages, dynamic port allocation and source address spoofing, to hide the attackers' identities; such techniques make both detection and tracing of DDoS activity a challenge and render traditional DDoS defence mechanisms ineffective. DDoS attacks can be identified with the attack detection principle and process shown in Figure 2.

Figure 2: DDoS Flood Attack Detection

4. Distributed Algorithm
In this section we study the snapshot distributed algorithm used to identify and measure the local traffic of every router. We first define the notion of correctness for measuring the local traffic of each participating router and then show how the required correctness can be achieved effectively.
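As an added example of the coordination this section studies (written for this edit, not the paper's own code): each router keeps the two quantities the Conclusion names, its outgoing count and a transit count per incoming link, and the victim needs all of them recorded on one consistent cut. The page does not name the snapshot algorithm it uses, so the block assumes Chandy-Lamport style markers that travel along the FIFO data links toward V, a victim-initiated request that reaches each router over an out-of-band control path one tick per hop, a fixed link delay, and constructed per-domain packet rates with the attacker in LAN5 behind R5. The property checked is that on the snapshot cut, for every link, the sender's outgoing count minus the receiver's transit count equals the recorded in-flight channel state and is never negative, whereas reading the counters at different instants without markers yields a negative, physically impossible difference on the R5 to R4 link.

```python
"""Marker-based snapshot of router counters on the Figure 1 topology, versus
uncoordinated polling. Added example, not the paper's code. Assumptions: a
Chandy-Lamport style marker protocol on FIFO links toward V, a request that
reaches each router one tick per hop out of band, constructed packet rates."""
from collections import deque

LINK_DELAY = 3                                                 # ticks per link
DOWNSTREAM = {"R1": "V", "R2": "V", "R3": "R1", "R4": "R1", "R5": "R4"}
LOCAL_RATE = {"R1": 2, "R2": 1, "R3": 1, "R4": 1, "R5": 10}  # packets/tick per domain

class Node:
    def __init__(self, name):
        self.name = name
        self.out = 0          # packets this router forwarded toward V
        self.transit = {}     # upstream router -> packets received from it
        self.snap = None      # (out, transit copy) recorded at the cut
        self.channel = {}     # upstream router -> packets in flight at the cut
        self.pending = set()  # incoming links whose marker has not arrived yet

class Net:
    def __init__(self):
        self.nodes = {n: Node(n) for n in list(DOWNSTREAM) + ["V"]}
        self.links = {u: deque() for u in DOWNSTREAM}   # FIFO of (arrival_tick, item)
        for u, d in DOWNSTREAM.items():
            self.nodes[d].transit[u] = 0
        self.now = 0

    def send(self, u, item):
        self.links[u].append((self.now + LINK_DELAY, item))

    def snapshot(self, node):
        """Record local state, then mark the cut on the downstream link."""
        node.snap = (node.out, dict(node.transit))
        node.pending = set(node.transit)
        node.channel = {u: 0 for u in node.transit}
        if node.name in DOWNSTREAM:
            self.send(node.name, "marker")

    def tick(self, requests):
        for n in self.nodes.values():               # out-of-band request arrives
            if requests.get(n.name) == self.now and n.snap is None:
                self.snapshot(n)
        for u, q in self.links.items():             # deliver what is due on each link
            d = self.nodes[DOWNSTREAM[u]]
            while q and q[0][0] <= self.now:
                item = q.popleft()[1]
                if item == "marker":
                    if d.snap is None:              # first marker: cut here, channel empty
                        self.snapshot(d)
                    d.pending.discard(u)
                    continue
                d.transit[u] += 1
                if d.snap is not None and u in d.pending:
                    d.channel[u] += 1               # sent before u's cut, received after d's
                if d.name in DOWNSTREAM:            # routers forward; V only counts
                    d.out += 1
                    self.send(d.name, "pkt")
        for u, rate in LOCAL_RATE.items():          # local traffic queues behind any marker
            self.nodes[u].out += rate
            for _ in range(rate):
                self.send(u, "pkt")
        self.now += 1

def hops(router):
    n = 0
    while router != "V":
        router, n = DOWNSTREAM[router], n + 1
    return n

def run(total, requests=None, poll=None):
    """Simulate `total` ticks. `requests`: node -> tick the snapshot request
    reaches it (coordinated). `poll`: node -> tick at which the victim simply
    reads that node's counters (uncoordinated). Returns (net, states)."""
    net, states, poll = Net(), {}, poll or {}
    while net.now < total:
        for name, t in poll.items():
            if t == net.now:
                states[name] = (net.nodes[name].out, dict(net.nodes[name].transit))
        net.tick(requests or {})
    if requests:
        states = {name: n.snap for name, n in net.nodes.items()}
    return net, states

def coordinated(t0=10, total=40):
    """Victim initiates at t0; the request reaches each router after its hop count."""
    return run(total, requests={"V": t0, **{r: t0 + hops(r) for r in DOWNSTREAM}})

def local_traffic(states):
    """local(Ri) = out(Ri) - sum of transit(Ri), both from Ri's own recorded state."""
    return {r: states[r][0] - sum(states[r][1].values()) for r in DOWNSTREAM}

def link_gaps(states):
    """Per link u->d: packets u reports forwarded minus packets d reports received."""
    return {u: states[u][0] - states[DOWNSTREAM[u]][1][u] for u in DOWNSTREAM}

if __name__ == "__main__":
    net, snap = coordinated()
    print("local:", local_traffic(snap), "gaps:", link_gaps(snap),
          "channels:", {u: net.nodes[DOWNSTREAM[u]].channel[u] for u in DOWNSTREAM})
    _, polled = run(40, poll={n: (20 if n == "R5" else 30) for n in net.nodes})
    print("uncoordinated gaps:", link_gaps(polled))
```

With the constructed rates the snapshot attributes 130 packets to R5's domain against 11 to 22 for the others, and every link gap equals the channel state the downstream router recorded. In the uncoordinated run R5's counter is read at tick 20 and R4's at tick 30, so R4 reports having received 70 more packets from R5 than R5 reports having sent; the victim cannot derive bounds from readings that belong to no single global state.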


5. Future Work
The proposed approach still requires some extra features, including distributed authentication and accounting for dropped packets. In our primary approach we allow any party to register for the traceback service. An attacker can exploit this by generating arbitrary requests to the routers in order to mount another level of denial of service attack, so distributed authentication among the group of participating routers is urgently necessary. One potential solution is to adopt a group key management approach: every victim site has to verify its identity before registering for the service, which stops attackers from exploiting the traceback approach. On the other hand, the original snapshot algorithm assumes that the network (or the channels) is reliable, i.e. without packet loss. In DDoS scenarios the packet loss rate is huge, because the routers are usually filled with malicious packets and are forced to drop further incoming packets. This packet dropping can ruin the traceback result, because packets that were counted at the upstream routers may never reach the downstream routers and the victim site. A primary approach is to measure the packets dropped at each router's interface and use this packet-drop counter to complement the equations that calculate the local traffic. Lastly, we believe that our approach not only provides a theoretical foundation for traffic measurement but can also become a form of network tomography; finding such applications requires further research.
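As an added example, not the paper's own code, the following Python derives the local traffic of every router in the Figure 1 model of Section 2 from the outgoing counters and then applies the per-interface drop counter this section proposes. The topology follows the text's description of Figure 1 (R2 is assumed to connect directly to V, which the text does not state), all counter values are constructed, and in-flight packets are ignored, which is what the snapshot is for. It shows the failure mode described above: with packets dropped on the R5 to R4 link, the lossless equation yields a negative local traffic for R4, and subtracting the drop counter restores the correct value.

```python
"""Local-traffic derivation on the Figure 1 topology, plus the per-interface
drop counter sketched in Section 5. Added example, not the paper's code: the
topology follows the text's description of Figure 1 (R2's direct link to V is
assumed), counter values are constructed, and in-flight packets are ignored."""

# Each router's single downstream hop toward the victim V.
DOWNSTREAM = {"R1": "V", "R2": "V", "R3": "R1", "R4": "R1", "R5": "R4"}


def immediate_upstream(downstream):
    """Immediate upstream routers of every node, e.g. R1 -> ['R3', 'R4']."""
    up = {node: [] for node in list(downstream) + ["V"]}
    for router, next_hop in downstream.items():
        up[next_hop].append(router)
    return up


def upstream(downstream, router):
    """All routers whose traffic to V transits `router` (U(Ri) in the text)."""
    up = immediate_upstream(downstream)
    seen, stack = set(), list(up[router])
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(up[r])
    return seen


def leaf_routers(downstream):
    """Routers with no upstream routers (R2, R3 and R5 in Figure 1)."""
    up = immediate_upstream(downstream)
    return sorted(r for r in downstream if not up[r])


def local_traffic(outgoing, downstream, dropped=None):
    """Local traffic of every router from the outgoing counters alone.

    Lossless model: local(Ri) = outgoing(Ri) - sum of outgoing(u) over the
    immediate upstream routers u of Ri, since whatever Ri forwarded that it
    did not receive from upstream came from its own domain. With
    dropped[(u, Ri)] = packets Ri's interface discarded on link u -> Ri, the
    transit Ri actually counted is outgoing(u) - dropped[(u, Ri)], which is
    the Section 5 correction."""
    dropped = dropped or {}
    up = immediate_upstream(downstream)
    return {r: outgoing[r] - sum(outgoing[u] - dropped.get((u, r), 0) for u in up[r])
            for r in downstream}


def impossible(local):
    """Routers whose derived local traffic is negative: packets were lost
    between upstream and this router, or the counters were not read on a
    consistent cut."""
    return sorted(r for r, n in local.items() if n < 0)


def dominating(local, victim_total, fraction):
    """Domains that generated at least `fraction` of the packets V received."""
    return sorted(r for r, n in local.items() if n >= fraction * victim_total)


# Constructed counters: an attacker in LAN5 emits 1000 packets toward V and the
# legitimate domains 50-100 each, so outgoing(R4) = 50 local + 1000 transit, etc.
LOSSLESS = {"R5": 1000, "R4": 1050, "R3": 100, "R1": 1220, "R2": 80}
# Same scenario, but R4's interface toward R5 drops 300 of the 1000 packets.
LOSSY = {"R5": 1000, "R4": 750, "R3": 100, "R1": 920, "R2": 80}
DROPS = {("R5", "R4"): 300}

if __name__ == "__main__":
    print("upstream of R1:", sorted(upstream(DOWNSTREAM, "R1")))
    print("leaf routers:", leaf_routers(DOWNSTREAM))
    loc = local_traffic(LOSSLESS, DOWNSTREAM)
    print("lossless:", loc, "dominating:", dominating(loc, 1300, 0.5))
    naive = local_traffic(LOSSY, DOWNSTREAM)
    print("lossy, naive:", naive, "impossible:", impossible(naive))
    fixed = local_traffic(LOSSY, DOWNSTREAM, DROPS)
    print("lossy, corrected:", fixed, "impossible:", impossible(fixed))
```

A negative value from `local_traffic` is a useful operational signal in its own right: it can only arise from loss on the link or from counters that were not read on one consistent cut, so a victim site that sees one should distrust the ranking until the drop counters (or a fresh snapshot) are available.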

6. Conclusion
In this paper we proposed a distributed traceback methodology for DDoS attacks with which a victim site can locate the attackers that send dominating flows of attack packets. Each router only needs to keep track of the number of packets it forwarded to the victim site and the number of transit packets received on each of its incoming links when it records its local state. From these two pieces of information a victim site can accurately determine the intensity of a router's local traffic. We also presented an efficient algorithm with which a victim site can accurately determine bounds on the number of packets from each router that arrived during the victim's measurement interval. Based on this information the victim can determine the locations of attackers with dominating flows within a short measurement interval, whether the attack packets are spoofed or not. We also discussed the limitations of our methodology to show the impact of DDoS attacks on the Internet community.

