Characterization, Detection and Mitigation of Low-Rate DoS attack

Harsh Kumawat
Department of Computer Science & Engineering, Central University of Rajasthan, Ajmer
+91-1463-238755
[email protected]

Gaurav Meena
Department of Computer Science, Central University of Rajasthan, Ajmer
+91-1463-238717
[email protected]

ABSTRACT
Nowadays web services have become a key aspect of life. Unfortunately there are several threats to these services: phishing, e-mail borne viruses, Trojan horse programs, Denial of Service and so on. Among them the Distributed Denial of Service (DDoS) attack is a strong and very energetic attack on the Internet. Launching a DDoS attack is an explicit attempt to exhaust the resources of a server in order to prevent legitimate users from accessing its services. Common flooding DDoS attacks can be detected and mitigated easily by existing mechanisms because of characteristics such as flow rate and the size of attack packets, but it is still difficult to detect and identify the Low-Rate DoS attack, because the attacker periodically sends short bursts of packets which look like legitimate traffic to the server. The attack is only noticed when the server goes down. So an efficient detection system is required which effectively characterizes legitimate and attack traffic, detects the attack and stops it, to mitigate the effect of this sort of threat. In this article we propose a complete framework for "Characterization, Detection and Mitigation of Low-Rate DoS Attacks" which effectively characterizes flows as attack or legitimate, detects the low-rate DoS attack on the basis of the characteristics of low-rate attacks, and mitigates its effect by stopping the attack flow near the source. The effectiveness of this approach has been validated by simulation in ns-2, with shell scripting, on a Linux platform.

Categories and Subject Descriptors
[Information Security]: DDoS, Characterization, Detection and Mitigation, NS-2.

General Terms
Algorithms, Measurement, Documentation, Performance, Design, Experimentation, Security, Theory, Verification

Keywords
DDoS Attacks, Low-Rate DoS attack, RTT, RTO.

ICTCS '14, November 14 - 16 2014, Udaipur, Rajasthan, India
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-3216-3/14/11 $15.00
http://dx.doi.org/10.1145/2677855.2677924

1. INTRODUCTION

This is the world of web services, and these services come with several threats. The Denial of Service attack is one of the most hazardous of these threats. This attack prevents legitimate users from accessing the server's services. In this attack, the attacker may either disrupt the users' connectivity by exhausting network resources or disrupt the users' access by exhausting server resources. Generally DoS attacks are flooding attacks such as SYN flooding, UDP flooding, DNS flooding, ICMP flooding etc., which consist of useless traffic that is continuously flooded by the attacker to the victim and exploits it. These attacks have some common characteristics, like flood rate and packet size, such that they can be detected by some existing mechanisms and their effect can be mitigated, but it is more difficult to detect a different kind of DoS attack known as Low-rate DoS [1], in which the attacker periodically sends short bursts of packets to elude detection. The Low-Rate DoS attack is also known as the shrew attack [1]. It targets the TCP protocol and exploits TCP's retransmission timeout mechanism by sending small bursts of packets to the victim. It is able to elude detection because its traffic looks much like normal traffic. To launch a Low-Rate DoS attack, the attacker sends short bursts of packets that attack the legitimate users' traffic flows by exploiting the vulnerabilities of the TCP congestion control mechanism. According to the TCP congestion control mechanism, when network congestion happens TCP decreases its congestion window by one and waits for a retransmission timeout (RTO) before resending the packet; further, if TCP loses its packets again it doubles the RTO, and the RTO is doubled for every packet loss.

From the above facts, to perform a low-rate DoS attack an attacker manipulates the RTO of the attack traffic and periodically sends attack traffic that overflows a router's buffer, which forces the other TCP sources into the retransmission timeout state; a TCP source waits for an RTO to recover from the congestion before resending, but the attacker sends the attack traffic again at the very time of the other TCP sources' retransmission. In this way an attacker exploits the TCP congestion control mechanism. In [2], the authors presented a mathematical model of Low-rate DoS attacks. This model describes a low-rate DoS attack as a periodic flow which exploits the minimum retransmission timeout of TCP flows. In this attack, the attacker sends a short burst whose magnitude is normalized to the router's capacity, so that it fills the router's buffer for this short duration and the router discards the other, legitimate TCP flows. The attack burst is kept small enough that detection techniques based on high-volume traffic cannot detect this attack.

The proposed paper emphasizes the characterization of a traffic flow as either a legitimate or a malicious flow. After finding a malicious flow we detect the low-rate DoS attack by comparing the characteristics proposed by [1] [2] [3]. According to these characteristics, a periodic stream is categorized as a low-rate DoS attack on the basis of two criteria, known as burst length and attack period. Let there be N TCP flows connected to a server with RTTs RTT1, RTT2, ..., RTTN; then for a periodic stream:
1) Burst length ≥ MAX(RTT1, RTT2, ..., RTTN).
2) Attack period = fixed minimum RTO.
If a flow matches the above two conditions then the flow is a low-rate attack flow. Finally, the effect of the low-rate DoS attack is mitigated by discarding the attack flow near the source. The organization of the remaining paper is as follows. The background of the Distributed Denial of Service attack is presented in section 2. Related work in the detection of low-rate DoS attacks is in section 3. The proposed model is described in section 4. Section 5 shows the experimental setup and results. Finally, in the last section we discuss the conclusion and future aspects.

2. BACKGROUND
2.1 Denial of Service Attack
A denial of service attack prevents legitimate users from accessing services. A DDoS attack works the same way as a DoS attack; the only difference is the scope of the attack. In a DoS attack, an attacker performs the attack through a single machine, but in a distributed denial of service attack the attacker creates an army of zombies to launch the attack. To create the army, the attacker searches for a vulnerable system in the network and installs malicious software on it; that software then searches for other vulnerable systems in the network and installs the same copy of itself. In this way an army is created and remotely controlled by the attacker to launch a DDoS attack. This army looks like a master-slave architecture in which the real attacker remotely controls the master systems; the master systems control the slave systems, called zombies. In this scenario the attack is performed by the zombies. Fig. 1 shows this attack scenario.

There are several kinds of Denial of Service attack, as given below:

2.1.1 SYN Flooding
This is a type of protocol attack. A SYN flood [4] attack exploits a weakness in the TCP protocol (the three-way handshake) [5]. A SYN packet is a request packet to create a connection. In the attack scenario, the attacker sends SYN request packets with a spoofed IP address that does not exist in the network; according to the TCP protocol, the server responds with a SYN/ACK packet sent to the address given in the request packet and waits for an ACK packet to complete the connection, but there is no host at that address, so the ACK packet never comes and the connection remains incomplete. Since the attacker floods the server with numerous SYN request packets and the server responds with a SYN/ACK to every SYN request and waits for the ACK packet to complete the connection, many incomplete connections remain, the server's buffer capacity becomes full and the server cannot accept legitimate users' requests.

2.1.2 UDP Flooding
This is a kind of volume-based [6] DDoS attack. It uses the connectionless nature of the User Datagram Protocol (UDP). In this attack the attacker continuously sends UDP packets to random ports of the targeted host. Because of this the target continuously checks for an application listening on that port and, if there is none, replies with an ICMP packet informing the client that the destination is unreachable. Thereby, for a large number of UDP packets the target system is forced to reply with many ICMP packets, which leads it to become unreachable to other clients.

2.1.3 ICMP Flooding
ICMP flooding is a volume-based [6] DDoS attack. An ICMP flood attack is carried out by sending a large number of ICMP Echo request (ping) packets to the target server. Since the server responds to each ICMP Echo request packet with an ICMP Echo reply packet, the server slows down. Ping flood is a type of ICMP flooding in which the attacker effectively overwhelms its target with ping packets; in this case the attacker's bandwidth is generally larger than the target's. A Smurf attack is a better way of carrying out ICMP flooding [2].

2.1.4 Reflection or Amplification Attack
A DNS reflection/amplification attack [7] is a kind of DDoS attack. In this attack, the attacker generates a large number of small DNS queries and sends them to public DNS servers. Because DNS response messages may be considerably larger than the DNS query, these DNS queries can generate a large volume of network traffic. Generally, to carry out such an attack the attacker spoofs the source IP address to the targeted victim's IP address and sends the DNS queries to many public DNS servers. When a DNS server receives the request it sends a DNS response, but the reply is directed to the forged IP address (the victim's IP address); this is called reflection. It remains unknown to the victim who originated the attack. If the small queries generate larger responses, the attack is said to be amplified; unless the responses are larger than the requests, a reflection attack is not amplified.

Fig. 1. Attack Scenario

2.1.5 Application-level DDoS Attack
This type of attack focuses on disrupting legitimate users' services by exhausting the server's resources (sockets, memory, CPU cycles, disk and I/O bandwidth). In an application-level attack [7] the attacker makes excessive logins and search requests to overload the server.

2.1.6 Ping of Death
Since the maximum frame size of the data link layer is less than the size of a network layer packet, an IP packet is split into multiple frames by the sender during transmission, and at the receiving end the frames are reassembled by the recipient into a complete IP packet. To carry out a Ping of Death attack [6], the attacker maliciously manipulates the fragment contents such that, when reassembled at the recipient, the generated IP packet is larger than the maximum packet size (65,535 bytes). Because the packet is larger than an IP packet may be, the memory buffer allocated to the packet overflows, and the system either crashes or becomes unavailable to legitimate users.

2.2 Entropy
Entropy is a good way to observe the variation of traffic flow in a network [8] [9] [10]. It is a concept from information theory: it quantifies the randomness or uncertainty associated with a random variable. A more random variable has more entropy, and a more concentrated variable has less entropy. Shannon defined the entropy H of a discrete random variable X with possible values x1, x2, ..., xN and probability distribution P = p1, p2, ..., pN as:

$$H(X) = -\sum_{i=1}^{N} p_i \log_2 p_i$$

where $0 \le p_i \le 1$ and $\sum_{i=1}^{N} p_i = 1$. The value of the entropy varies from 0 to log2 N. From the above entropy calculation we check the randomness of the traffic flow and observe the variation in network flow behaviour.
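As an added illustration (this is not code from the paper), the following Python computes H(X) either from a probability vector, enforcing the two constraints stated above (0 ≤ p_i ≤ 1 and Σ p_i = 1), or from raw packet counts of a sampled header field, and shows the 0 to log2 N range on three constructed packet samples. The source addresses are made up for the example.

```python
import math
from collections import Counter


def entropy_from_probabilities(probs):
    """Shannon entropy H(X) = -sum_i p_i log2 p_i of a distribution p_1..p_N.

    Checks the two constraints the definition relies on (0 <= p_i <= 1 and
    sum p_i = 1) and uses the convention 0 * log 0 = 0 for empty bins.
    """
    if any(p < 0 or p > 1 for p in probs):
        raise ValueError("probabilities must lie in [0, 1]")
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probs if p > 0)


def entropy_from_counts(counts):
    """Entropy of an empirical distribution given as value -> count."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("empty sample")
    return entropy_from_probabilities([n / total for n in counts.values()])


def traffic_entropy(packets, field):
    """Entropy of one header field (e.g. the source address) over sampled packets."""
    return entropy_from_counts(Counter(pkt[field] for pkt in packets))


def max_entropy(n_values):
    """The upper bound log2 N, reached only when all N values are equally likely."""
    return math.log2(n_values)


# Constructed samples (made-up addresses): 12 packets spread evenly over 4
# sources, the same 12 packets with one source dominating, and 12 packets
# from a single source.
EVEN = [{"src": f"10.0.0.{k % 4}"} for k in range(12)]
SKEWED = [{"src": "10.0.0.1"}] * 9 + [{"src": f"10.0.0.{k}"} for k in (2, 3, 4)]
SINGLE = [{"src": "10.0.0.1"}] * 12

if __name__ == "__main__":
    for name, sample in (("even", EVEN), ("skewed", SKEWED), ("single", SINGLE)):
        print(f"{name:7s} H = {traffic_entropy(sample, 'src'):.4f}  "
              f"(max for 4 sources = {max_entropy(4):.4f})")
```

The even sample reaches the bound log2 4 = 2 bits, the single-source sample gives 0 bits, and the skewed sample sits in between, which is the concentration effect the text describes; the monitoring code in later sections only has to decide what the random variable X stands for (source address, flow id, arrival slot) and how far from the normal value the entropy may move.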

3. RELATED WORK
Researchers have proposed several methods to detect and mitigate low-rate DoS attacks. In [2], the authors proposed a dynamic detection and protection method to defend against the Low-rate DoS attack. They identify the low-rate DoS attack accurately by using the dynamic time warping method in the proposed distributed detection mechanism. This method detects attacks accurately, and once an attack is detected the authors introduce a fair resource allocation method to minimize the number of TCP flows that are affected and to provide enough resource protection for the affected TCP flows. In [3], a detection method is applied at the edge routers. The researchers designed a simple data structure to store information about traffic flows at the edge routers, and a traffic flow is matched against the properties of the low-rate DoS attack to mark whether a periodic flow is malicious or not. If the properties [1] [2] [3] match the flow, it is marked as malicious and discarded. No modification of the congestion control mechanism is required. A new approach to detecting low-rate DDoS attacks based on self-similarity is proposed by the authors in [11]: they detect the low-rate DDoS attack by a measure based on the Hurst coefficient. This measure can detect, in real time, DDoS intrusion that is hidden in normal traffic. In [12], the authors proposed an adaptive IP traceback mechanism to detect low-rate DDoS attacks. The proposed mechanism is based on entropy calculation; they observe the attack by differentiating the entropy variation between normal and DDoS attack traffic. In [13], the authors proposed a lightweight software-based approach to detect the LDoS attack. This approach does not require any modification to existing protocols and it can be easily deployed without any extra cost. It acts upon the aggregate traffic without flow separation. Most detection schemes assume network parameters, but this approach is based on real-time traffic and works at the application layer. A low-rate DDoS attack detection and traceback method is proposed in [14] using two new information metrics: a generalized entropy metric and an information distance metric. In that paper, the authors measure the difference between attack and legitimate traffic and detect attacks. They detect the attack several hops earlier with the proposed generalized metric, and the proposed information distance metric increases the distance between legitimate and attack traffic so that they effectively detect the low-rate DDoS attack. Hereby they decrease the false positive rate, and with the proposed IP traceback algorithm they find the attacks and also the source of the attack, in order to discard the attack flow near the source.

4. PROPOSED WORK
4.1 Framework
In this section, a complete framework to effectively characterize, detect and mitigate the Low-rate DoS attack is presented. Our framework includes three phases. The first phase characterizes the traffic flows as normal or malicious flows; the second detects a high-rate attack by observing the entropy of the flow (larger entropy for a high-rate DoS attack) and a low-rate DoS attack by matching the characteristics of the low-rate DoS attack against the low-entropy flow; and in the last, mitigation, phase the effect of the attack is mitigated by stopping the attack flow near the source on the basis of its flow id. The proposed framework is shown in Fig. 2 below:

Fig. 2. A complete framework of Low-rate DoS attack detection

4.2 Detection Algorithm
The detection algorithm contains three phases, named Characterization, Detection and Mitigation.

In the proposed method, an anomaly-based detection scheme [10] is used: first the normal network traffic behaviour is modelled, and then, to characterize an incoming traffic flow as either malicious or normal, this model is deployed to compare the incoming traffic against it.

1. Set the sampling period T, obtain a normal network behaviour model at each upstream router on the basis of entropy, and set the attack detection thresholds σ1, σ2, σ3, ... etc.

Characterization
2. On the upstream routers connected to the victim's router, sample the network traffic.
3. Calculate the entropy of the traffic flow at router i in sampling period T by the formula $H_i(X) = -\sum p_i \log_2 p_i$.
4. Compare the entropy with the detection threshold as follows:
   if (H_i(X) > σi || H_i(X) < σi) then characterize the flow as malicious; otherwise it is a normal flow.

Detection
5. The detection phase proceeds as follows:
   if (H_i(X) > σi) raise an alarm for a high-rate DoS attack;
   otherwise, match the properties of the low-rate DoS attack against the low-entropy flow:
      if matched, raise an alarm for a low-rate DoS attack;
      otherwise, direct the flow to the normal flow.

Mitigation
6. According to the alarm, stop the attack flow near the source on the basis of its flow id.
7. Repeat the above three phases for each sampling period.

5. EXPERIMENT SETUP AND RESULTS
5.1 Simulation Environment
NS2 is used to simulate the network. It is an open source event-driven simulator [15] [16] (meaning that the events of an entire simulation are not all created at initialization time; rather, one event is induced by another) which is designed for research in communication networks. NS2 provides a way of designing network protocols and simulating their corresponding behaviours. Through NS2 we can create a simulated network, either wired or wireless. In our experiment, a wired simulation is created which shows wired connections between the nodes of the network. In our simulation, node 0, in yellow, is the victim node, the nodes drawn as green boxes are the intermediate routers on the path from the traffic generators to the victim, and the circular nodes are the traffic generators. We have simulated two types of traffic generator, named TCP and UDP traffic generators. The TCP traffic generator sends TCP packets following the AIMD process, which avoids congestion at the router, but the UDP traffic generator continuously sends UDP packets to the victim. In our detection process we have monitored the queues QV0-R1, QV0-R2, QR1-R3, QR1-R4, QR2-R5 and QR2-R6, sampling the network traffic passing through these queues in each sampling period and calculating the entropy by the formula $H_i(X) = -\sum p_i \log_2 p_i$.

Fig. 3. Network Simulation

In this way we have calculated the entropy to model the normal traffic behaviour for a particular queue. From the entropy calculation results we set the DoS attack detection thresholds σ1, σ2, σ3, σ4, σ5 and σ6 for the queues QV0-R1, QV0-R2, QR1-R3, QR1-R4, QR2-R5 and QR2-R6 respectively. To characterize whether a flow is legitimate or not, the model observes substantial variation in the entropy value of the flow passing through Qi by comparing it with the corresponding detection threshold σi. In this process a flow with enough variation in its entropy value is considered a malicious flow. After the characterization phase, legitimate flows are bypassed and malicious flows are directed to the detection phase. In the detection phase, the entropy value of the flow is compared with the corresponding threshold value: for an entropy value larger than the detection threshold the detection phase detects a high-rate DoS attack and raises an alarm, and for a lesser entropy value of the flow we match the following characteristics [1] [2] [3]:
1. The flow has a periodic pattern and the RTT of the flow is greater than or equal to the RTTs of the other TCP flows.
2. The time period is equal to the fixed minimum RTO.

If the above characteristics match the flow then it is considered a low-rate DoS attack and an alarm is raised. Otherwise, the flow is directed to the legitimate flow. After this, in the mitigation phase the attack flow is stopped near the source according to its flow id. The purpose of a DoS attack is to prevent legitimate users from accessing the services. To prevent legitimate users' access the attacker forces the legitimate users' packets to be dropped. Likewise in a low-rate DoS attack, the attacker sends packets normalized to the router's capacity and fills the router's buffer so that it drops the legitimate TCP sources' packets and forces them into the RTO state. The number of packets dropped during the attack and without the attack in the different queues is shown in Fig. 4.
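The following Python is an added example (it is not the paper's ns-2 or shell code) of the three phases applied to one monitored queue for one sampling period, following steps 1 to 7 of section 4.2 and the two low-rate criteria stated in the introduction (burst length ≥ MAX(RTT), attack period = fixed minimum RTO). Everything numeric in it is assumed: the paper does not say over which variable the per-flow entropy is taken, so the example uses the 0.1 s arrival slot within the period T (continuously sent traffic spreads over every slot and gives high entropy, periodic bursts concentrate in a few slots and give low entropy); the sampling period, slot count, legitimate RTTs, 1 s minimum RTO, threshold σ and burst gap are constructed values, step 4 is read as "entropy outside the band μ ± σ around the normal model", and the three flows are synthetic.

```python
import math
from collections import Counter

# Assumed parameters (chosen for this example, not given by the paper): the
# sampling period T, the number of time bins the entropy variable ranges over,
# the RTTs of the legitimate TCP flows, the fixed minimum RTO, the tolerance
# when matching a flow's period to it, and the idle gap that separates bursts.
T = 3.0              # seconds
BINS = 30            # 0.1 s bins inside one sampling period
LEGIT_RTTS = [0.05, 0.08, 0.12]
MIN_RTO = 1.0
PERIOD_TOL = 0.05
BURST_GAP = 0.3


def entropy(counts):
    """H(X) = -sum p_i log2 p_i for an empirical distribution of counts."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values() if n)


def flow_entropy(times):
    """Step 3: entropy of a flow over one period T; the random variable is the
    0.1 s bin in which each packet arrived (this example's choice)."""
    bins = (min(int(t * BINS / T + 1e-9), BINS - 1) for t in times)
    return entropy(Counter(bins))


def normal_model(training_times, sigma):
    """Step 1: the normal model is the entropy of attack-free traffic, and the
    detection threshold sigma is the allowed deviation from it."""
    return flow_entropy(training_times), sigma


def bursts(times):
    """Split arrival times into bursts; returns (start, length) per burst."""
    times = sorted(times)
    out, start, last = [], times[0], times[0]
    for t in times[1:]:
        if t - last > BURST_GAP:
            out.append((start, last - start))
            start = t
        last = t
    out.append((start, last - start))
    return out


def matches_low_rate(times):
    """Low-rate DoS properties: every burst lasts >= MAX(RTT) and successive
    bursts start one fixed minimum RTO apart."""
    b = bursts(times)
    if len(b) < 2:
        return False
    periods = [b[i + 1][0] - b[i][0] for i in range(len(b) - 1)]
    return (all(length >= max(LEGIT_RTTS) for _, length in b)
            and all(abs(p - MIN_RTO) <= PERIOD_TOL for p in periods))


def detect(times, model):
    """Steps 4-5 for one flow: 'high-rate', 'low-rate' or None (legitimate)."""
    mu, sigma = model
    h = flow_entropy(times)
    if mu - sigma <= h <= mu + sigma:   # step 4: no substantial variation
        return None
    if h > mu + sigma:                  # step 5: larger entropy -> high-rate
        return "high-rate"
    return "low-rate" if matches_low_rate(times) else None


def run_period(flows, model):
    """Steps 2-7 for one queue and one sampling period. `flows` maps flow id
    -> arrival times; returns (alarm per flow, flow ids to stop near the source)."""
    alarms = {f: detect(ts, model) for f, ts in flows.items()}
    return alarms, {f for f, a in alarms.items() if a}


# Constructed traffic for one 3 s period on one queue.
def sawtooth_tcp():
    """TCP under AIMD: packets per 0.1 s bin ramp 2, 4, ..., 20 and reset."""
    times = []
    for k in range(BINS):
        c = 2 + 2 * (k % 10)
        times += [k * (T / BINS) + j * (T / BINS) / c for j in range(c)]
    return times


def periodic_bursts(period, length, n_bursts, per_burst):
    """A flow sending `per_burst` packets within `length` s every `period` s."""
    return [i * period + j * length / (per_burst - 1)
            for i in range(n_bursts) for j in range(per_burst)]


LEGIT = sawtooth_tcp()
FLOOD = [k * (T / 1500) for k in range(1500)]      # constant-rate UDP, 500 pkt/s
SHREW = periodic_bursts(MIN_RTO, 0.15, 3, 60)      # 0.15 s burst every min RTO
MODEL = normal_model(LEGIT, sigma=0.10)            # sigma is an assumed value

if __name__ == "__main__":
    print(run_period({"tcp-1": LEGIT, "udp-flood": FLOOD, "periodic": SHREW}, MODEL))
```

Run as a script it prints the alarm per flow and the set of flow ids to stop: with these inputs the sawtooth TCP flow stays inside the normal band, the constant-rate UDP flow exceeds it (high-rate alarm), and the periodic flow falls below it and satisfies both low-rate properties (low-rate alarm), so only the last two are handed to the mitigation step. In a deployment each queue Qi would carry its own model (μi, σi), exactly as the thresholds σ1 to σ6 are set per queue above.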

Fig. 4. Packet drop under Attack v/s Normal flow

Fig. 5. Attack v/s legitimate flow entropy

In Fig. 5 we can see the entropy difference between the attack flow and the legitimate flow. According to our observation the entropy of a high-rate DoS attack is always greater than that of the normal flow, and for a low-rate DoS attack the entropy is always less than that of the normal flow. A comparison of the normal flow model thresholds of the different queues with the attack flow entropy is given in the table below:

Queue     Attack flow entropy   Normal flow entropy
QV0-R1    1.16847756            1.167380865
QV0-R2    1.16848974            1.167289416
QR1-R3    1.16995628            1.169390656
QR1-R4    1.16979748            1.168334632
QR2-R5    1.16970135            1.169235407
QR2-R6    1.17002204            1.167864671

Table: Entropy value under Attack v/s Normal flow

6. CONCLUSION AND FUTURE ASPECTS
In this work, a complete framework is proposed to characterize, detect and mitigate the Low-rate DoS attack. Low-rate as well as high-rate DoS attacks are detected by calculating the entropy of the traffic flow on the basis of the flow rate of the traffic, and the effect of the attack flows is mitigated by discarding them near the source. The false positive rate is also reduced by observing the attack flow in both the characterization and the detection phase. In this work, the attacks are detected on assumed traffic. In future, this framework can be applied to real-time network traffic.

7. REFERENCES
[1] A. Kuzmanovic and E. Knightly, "Low-rate TCP-targeted denial of service attacks (the shrew vs. the mice and elephants)," ACM SIGCOMM 2003, 2003, pp. 75–86.
[2] J. C. S. L. H. Sun and D. K. Y. Yau, "Defending against low-rate TCP attacks: Dynamic detection and protection," IEEE Conference on Network Protocols (ICNP 2004), 2004, pp. 196–205.
[3] N. A. A. Shevtekar, K. Anantharam, "Low rate TCP denial-of-service attack detection at edge routers," IEEE Communication Letters, vol. 9, no. 4, 2005, pp. 363–365.
[4] A. Y. S. Sanmorino, "DDoS attack detection method and mitigation using pattern of the flow," 2013.
[5] X. J. Nashat, Dalia and S. Horiguchi, "Router based detection for low-rate agents of DDoS attack," International Conference on High Performance Switching and Routing, IEEE, 2008.
[6] Incapsula. (2011) Distributed denial of service attacks. [Online]. Available: http://www.incapsula.com/ddos/ddosattacks
[7] S. T. Joshi James Tipper David Zargar, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks," vol. 15, 2013.
[8] B. Kashyap and S. K. Jena, "DDoS attack detection and attacker identification," 2012.
[9] S. Yu and W. Zhou, "Entropy-based collaborative detection of DDoS attacks on community networks," Sixth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom 2008), IEEE, 2008.
[10] R. C. J. Kumar, Krishan and Kuldip Singh, "A distributed approach using entropy to detect DDoS attacks in ISP domain," International Conference on Signal Processing, Communications and Networking (ICSCN '07), IEEE, 2007.
[11] S. Zhang, "Detection of low-rate DDoS attack based on self-similarity," Int. Workshop on Education Technology and Computer Science, 2010, pp. 333–336.
[12] T. G. Baskar, M. and S. Saravanan, "Adaptive IP traceback mechanism for detecting low rate DDoS attacks," Emerging Trends in Computing, Communication and Nanotechnology (ICE-CCN), 2013 International Conference on, IEEE, 2013.
[13] R. Mathew and V. Katkar, "Software based low rate DoS attack detection mechanism," 2011.
[14] K. L. Xiang, Yang and W. Zhou, "Low-rate DDoS attacks detection and traceback by using new information metrics," IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, 2011, pp. 426–437.
[15] T. Issariyakul and E. Hossain, Introduction to Network Simulator NS2. Springer, 2011.
[16] The network simulator ns-2: Documentation. [Online]. Available: http://www.isi.edu/nsnam/ns/ns-documentation.ht
