2014 3rd International Conference on Advanced Computer Science Applications and Technologies
Detecting TCP SYN based Flooding Attacks by Analyzing CPU and Network Resources Performance

Abdulaziz Aborujilah, Malaysian Institute of Information Technology (MIIT), University Kuala Lumpur, Malaysia, [email protected]
Mohd Nazri Ismail, Faculty of Defence Science and Technology, National Defence University of Malaysia, Malaysia, [email protected]
Shahrulniza Musa, Malaysian Institute of Information Technology (MIIT), University Kuala Lumpur, Kuala Lumpur, Malaysia, [email protected]
Abstract—Flooding-based Denial-of-Service (DoS) attacks are among the most common DoS attacks targeting web servers. Under this kind of attack the availability of the web server is in danger. These attacks also degrade network bandwidth and computing resources (CPU, memory, storage). Therefore, this paper focuses on studying the effects of DoS attacks on CPU performance and on network bandwidth. In this study a real flooding attack is carried out in different scenarios in order to evaluate CPU and bandwidth performance, and the results of all scenarios are presented. Additionally, the factors with the most influence on CPU performance and bandwidth performance are highlighted by comparing the scenarios.

Keywords-TCP SYN attack; CPU performance and bandwidth power performance; DoS attack influence factors;

I. INTRODUCTION

Transmission Control Protocol (TCP) is the main protocol used to connect computers to the Internet in a trusted and reliable way. In order to achieve Internet communication, the TCP protocol divides the dialog between client and server into three stages: first, the client sends a SYN request to the server to start the dialog; then the server receives that request and sends back SYN and ACK to inform the client that its request was received, in order to build the connection. Finally, the client informs the server that the SYN/ACK has arrived by sending an ACK, and at that moment the connection has been established [1]. Therefore the two sides of the communication can start a new session with any web application protocol such as HTTP, FTP, telnet, etc. It has become obvious nowadays that crime via the Internet is widespread. Currently, the denial of service attack is one of the most harmful threats to network bandwidth and resources. This kind of attack utilizes spyware, a virus, a worm, or a Trojan to launch the attack.

978-1-4799-1845-4/15 $31.00 © 2015 IEEE DOI 10.1109/ACSAT.2014.34

II. RELATED WORK

In [2], the authors suggest detecting flooding-based attacks by paying more attention to the IP spoofing used in such attacks. This approach first monitors all kinds of IP spoofing; second, the statistical information gathered by routers for all SYN packets sent by clients and all SYN/ACK packets sent by servers is also monitored. In another study [3], an experiment was carried out on the victim's side to detect TCP SYN flooding attacks by using an entropy measure to determine changes in the balance of TCP flags according to the TCP handshake rule. In [4], the payload and unused areas of packets are used as indicators of TCP SYN anomalies. Moreover, the authors made experiments using what they termed a program-slicing reverse-engineering technique to detect several TCP state-transition vulnerabilities. The experimental results show that the payload can be used to detect TCP SYN flooding attacks. In [5], linear time-series models are used to detect TCP SYN attacks by analyzing the traffic at an edge router. In [6], new mechanisms are proposed to enhance TCP performance in wireless networks, relying on a performance-enhancing proxy. In [7], common behaviors of TCP SYN packets are described by choosing three parameters to study TCP SYN behavior: the packet-per-second rate, the total number of TCP packets in every 10 ms, and the number of received SYN packets in every 10 ms. Their mechanism is divided into two parts: the first describes the traffic data distribution using a statistical tool, then their algorithm is applied to discover any change in that distribution. Their results include both a qualitative and a quantitative description: in the qualitative part they relate the characteristics of arising TCP connections to the number of TCP SYN packets, and in the quantitative part they determine a suitable and appropriate description of the SYN traffic. In [8], the TCP SYN attack is detected by scanning all half-open connections on every source side; the authors mention that their technique is computationally efficient and can be used for online flooding attack detection. Finally, it can be concluded that most TCP SYN studies give more attention to the process of detecting TCP SYN attacks; however, not enough effort has been made to clarify the most effective parameters for detecting them, although the study in [7] has given a brief description of these factors. In this study, the focus is on analyzing the influence of TCP SYN based attacks on CPU performance and on network bandwidth. Moreover, the experiments determine and clarify the most important factors affecting CPU performance and network bandwidth.

III. REGULATIONS FOR DOS PRACTICES

According to US law, there are essentially two distinct kinds of law related to DoS attack practices: criminal law and civil law. Depending on the circumstances of a DDoS attack, criminal and/or civil actions may be brought [4]. The laws under which the attacker may be fined include the following:
1) 18 U.S.C. 1951 (extortion that affects commerce)
2) 18 U.S.C. 875 (threats transmitted in interstate commerce)
3) 18 U.S.C. 876 (mailing threatening communications)
4) 18 U.S.C. 877 (mailing threatening communication from a foreign country)
5) 18 U.S.C. 880 (receipt of the proceeds of extortion)

IV. EXPERIMENTS TESTBED

In this study, two virtual machines have been used, one as the attacker machine and the other as the victim, as shown in Figure 1.

Figure 1: Experiments Testbed

A. Experiments Methodology

In the experiment, we depend on monitoring the CPU performance and the amount of network traffic before the attack (the normal case). Then, using a DoS attack tool such as LOIC, attack traffic targeting the victim machine is generated, and the performance of the CPU and network resources is measured. Several scenarios have been implemented with different parameter values, and in every experiment the performance of the CPU and network resources has been evaluated.

Figure 2: CPU Performance Free of Attacks

V. EXPERIMENTS PARAMETERS

The experiments depend on observing the effect of changing several parameters on CPU and network resource performance. The parameters used in the experiments are: first, the number of packets sent per second, or packets limit; second, the sending delay, which is the duration between every two sequential packets sent; and last, the sending duration, which is the time elapsed from the beginning of sending until the packets reach their destination. On the other side, CPU performance and bandwidth are measured in different scenarios based on changes to these parameters. In addition, the duration of each experiment has been set to 60 seconds.

VI. EXPERIMENTS SCENARIOS

The goal of this study is to measure the performance of the CPU and bandwidth under normal and attack conditions. So, the packets limit, sending delay and sending duration parameters are used in different scenarios as follows:

A. Scenario 1 Parameters

packets limit = 100-1000; sending delay = 1000-3000 ms; duration = 10000-15000 ms.
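As an added worked example (not code from the paper), the following script shows the victim-side view of the SYN traffic such scenarios produce: it tracks half-open connections through the three-way handshake described in Section I and counts SYN and SYN/ACK packets per time window, in the spirit of the SYN/SYN-ACK statistics of [2] and the half-open scan of [8]. The capture, addresses, ports, window size and alert threshold are constructed assumptions.

```python
"""Victim-side half-open connection tracker over a constructed packet capture.

Added example, not the paper's code.  A record is (time_s, src, dst, flags)
with flags "S" (SYN), "SA" (SYN/ACK) or "A" (handshake-completing ACK).
"""
from collections import defaultdict

SERVER = "10.0.0.1:80"  # assumed victim address


def constructed_capture(flood_syns=40):
    """Constructed sample: 3 legitimate handshakes, then one source that
    sends SYNs which the server answers but which are never acknowledged."""
    cap = []
    for i, port in enumerate((40001, 40002, 40003)):
        client, t = f"10.0.0.{i + 2}:{port}", 0.1 + i * 0.01
        cap += [(t, client, SERVER, "S"), (t + 0.01, SERVER, client, "SA"),
                (t + 0.02, client, SERVER, "A")]
    for k in range(flood_syns):
        client, t = f"10.0.0.9:{50000 + k}", 1.0 + k * 0.01
        cap += [(t, client, SERVER, "S"), (t + 0.005, SERVER, client, "SA")]
    return sorted(cap)


def analyze(capture, server=SERVER, window=1.0, max_half_open=20):
    """Return per-window counts of SYN, SYN/ACK and completed handshakes,
    the number of half-open connections at the end of the window, and an
    alert flag.  Simplification: half-open entries never time out, whereas a
    real tracker would expire them after the SYN-RECV timeout."""
    half_open = set()  # (client, server) pairs still waiting for the final ACK
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "completed": 0})
    for t, src, dst, flags in capture:
        w = int(t // window)
        if flags == "S" and dst == server:
            half_open.add((src, dst))
            stats[w]["syn"] += 1
        elif flags == "SA" and src == server:
            stats[w]["synack"] += 1
        elif flags == "A" and (src, dst) in half_open:
            half_open.discard((src, dst))
            stats[w]["completed"] += 1
        stats[w]["half_open"] = len(half_open)
    for w in stats:  # a backlog of unanswered SYN/ACKs is the flood signature
        stats[w]["alert"] = stats[w]["half_open"] > max_half_open
    return dict(stats)


if __name__ == "__main__":
    for w, s in sorted(analyze(constructed_capture()).items()):
        print(f"window {w}: {s}")
```

In a real deployment the records would come from a packet capture on the victim, and the threshold would be tuned to the server's normal half-open count.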
Figure 3: Bandwidth Performance Free of Attacks

Figures 2 and 3 show the performance of the CPU and network bandwidth in the normal Internet browsing case. It is clear that there is no over-usage of the CPU and network bandwidth in this scenario.

Figure 4: CPU Performance Under Attacks

Figure 5: Network Bandwidth Under Attacks

Figures 4 and 5 show the performance of the CPU and network bandwidth under the flooding attack using the Scenario 1 parameters. It is clear that there is over-usage of the CPU and network bandwidth in this scenario. Moreover, from 55 to 60 seconds the CPU load was at its highest level.

B. Scenario 2 Parameters

packets limit = 100; sending delay = 1000 ms; sending duration = 10000 ms.

Figure 6: CPU Performance Free of Attacks

Figure 7: Network Bandwidth Free of Attacks

Figures 6 and 7 show the performance of the CPU and network bandwidth in the normal Internet browsing case. It is clear that there is no over-usage of the CPU and network bandwidth.

Figure 8: CPU Performance Under Attacks

Figure 9: Network Bandwidth Under Attacks

Figures 8 and 9 show the performance of the CPU and network bandwidth under the flooding attack using the Scenario 2 parameters. It is clear that there is over-usage of the CPU and network bandwidth, but not as much as in Scenario 1. This is because in Scenario 1 the packets limit, sending delay and sending duration are high.

C. Scenario 3 Parameters

packets limit = not limited; sending delay = 1000 ms; duration = not limited.

Figure 10: CPU Performance Free of Attacks

Figure 11: Network Bandwidth Free of Attacks

Figures 10 and 11 show the performance of the CPU and network bandwidth in the normal Internet browsing case. It is clear that there is no over-usage of the CPU and network bandwidth in this scenario.

Figure 12: CPU Performance Under Attacks

Figure 13: Network Bandwidth Under Attacks

Figures 12 and 13 show the performance of the CPU and network bandwidth under the flooding attack of Scenario 3. It is clear that there is more over-usage of the CPU and network bandwidth than in Scenarios 1 and 2. This is because this scenario uses an unlimited number of packets and there is no limit on the duration of the attack.

VII. CONCLUSION

The TCP SYN attack is one of the most dangerous attacks in the Internet world. Many methods have been suggested to detect such attacks; however, most of these methods give little attention to detecting TCP SYN attacks by analyzing their effects on CPU and network performance, which are significantly affected by such attacks. In this study, more attention has been paid to detecting TCP SYN attacks by analyzing their effects on CPU and network performance through several experiments with different parameters. From the results of this study, it can be concluded that the third scenario was the worst. In this scenario, the number of packets was not limited, the sending delay was 1000 ms and the duration of the attack was not limited; the CPU and network bandwidth performance were at their lowest level. Therefore, it can be concluded that the most influential factors on CPU and network performance are the duration of the attack and the number of packets used in each attack.

ACKNOWLEDGMENT

I would like to thank my beloved parents, wife, kids and supervisor.

REFERENCES

[1] A. Sharif, "Combining ontology and folksonomy: an integrated approach to knowledge representation," in World Library and Information Congress (IFLA General Conference and Assembly), Milan, Italy, 2009.
[2] D. Nashat, X. Jiang, and S. Horiguchi, "Detecting SYN flooding agents under any type of IP spoofing," in IEEE International Conference on e-Business Engineering (ICEBE '08), 2008, pp. 499–505.
[3] M. Bellaiche and J.-C. Gregoire, "SYN flooding attack detection based on entropy computing," in IEEE Global Telecommunications Conference (GLOBECOM 2009), 2009, pp. 1–6.
[4] B. Guha and B. Mukherjee, "Network security via reverse engineering of TCP code: vulnerability analysis and proposed solutions," IEEE Network, vol. 11, no. 4, pp. 40–48, 1997.
[5] C. James and H. A. Murthy, "Time series models and its relevance to modeling TCP SYN based DoS attacks," in 7th EURO-NGI Conference on Next Generation Internet (NGI), 2011, pp. 1–8.
[6] Y. Zhang, "A multilayer IP security protocol for TCP performance enhancement in wireless networks," IEEE Journal on Selected Areas in Communications, vol. 22, no. 4, pp. 767–776, 2004.
[7] S.-w. Shin, K.-y. Kim, and J.-S. Jang, "Analysis of TCP SYN traffic: an empirical study," in 7th International Conference on Advanced Communication Technology (ICACT 2005), vol. 1, 2005, pp. 652–657.
[8] K. Shah, S. Bohacek, and A. Broido, "Feasibility of detecting TCP-SYN scanning at a backbone router," in Proceedings of the 2004 American Control Conference, vol. 2, 2004, pp. 988–995.