SHORT PAPER International Journal of Recent Trends in Engineering, Issue. 1, Vol. 1, May 2009

Fusion of Detection, Traffic Control and Traceback Technique for DDoS attacks
A.R. Patil Bhagat1, S. Basak1, C. Godbole1, and U. Shrawankar2
1 Yeshwantrao Chavan College of Engineering, Nagpur, India
{ bhagatavi, sumitshere, chinmay.god }@gmail.com
2 G. H. Raisoni College of Engineering, Nagpur, India
[email protected]

Abstract - Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks typically generate huge amounts of adverse traffic to a target server and make the server unavailable for service. Several works have put much effort into finding novel and effective techniques to detect and prevent such attacks. However, most studies were conducted using offline data or via simulation. Only a few studies address the issue of server survivability under DDoS attacks and perform real experiments to measure the effectiveness of filtering such malicious traffic, since capturing and analyzing real attack traffic on the fly would be an enormous task. This paper proposes a model to measure the effectiveness of filtering malicious traffic while actual attacks are aimed at a target server. The model performs a simple anomaly detection using the rates of input traffic, which is classified into normal, suspicious and malicious traffic based on pre-defined threshold values. If the input traffic is regarded as suspicious or malicious, the model substantially drops part of the input traffic to an acceptable level so that only a small amount of traffic is allowed to pass and reach the target server. As a result, the server survives the attacks. When packets marked as normal and suspicious are allowed to pass through, we employ a recursive IP traceback method to locate the original source node producing malicious packets. These packets could be produced by attackers deliberately or by Botnets and Zombies, which are autonomously driven software producing malicious packets in the traffic.

Keywords- Botnets, Bloom filter, Detection analysis, Traffic control, Traceback.

I. INTRODUCTION
Distributed denial of service attacks pose a major threat to the availability of internet services. CERT defined the term DOS as follows:
• Occupancy of limited resources that are difficult to renew, such as network bandwidth, data structures or memory of a system.
• Change or damage network data, for instance deleting system configuration or shutting down web services.
• Change or damage physical information.
A DDOS attack can be organized from the following factors:
• Lack of security in the whole internet.
• Attack tools have more capability to launch sophisticated attacks.
• Attacks on network bandwidth or resources cannot always be avoided.
• Any host on the internet can be a victim of attack.
DDOS means there is more than one object acting as DOS attacker (either automated tools or humans). A DDOS attacker can greatly reduce the quality of a target internet service or even completely break the network connectivity of a server, generally to achieve resource overloading; a DDOS attacker will first compromise a large number of hosts and subsequently instruct these compromised hosts to attack the service by exhausting a target resource. Due to the lack of built-in security mechanisms in the current internet infrastructure, an attacker can easily get access to a large number of insecure computers with exploit/attack programs such as trinoo, TFN etc.

Fig. 1 DDoS Attack

In Feb. 2000, a string of DDOS attacks crippled popular web sites including CNN.com, yahoo.com and eBay.com for several hours. In 2003, for example, one honeypot research project saw 15,164 unique zombies from a large botnet within days. In 2004, the Witty worm created 12,000 zombies within 45 min. IP spoofing has often been exploited by DDOS attacks to 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors that redirect and amplify flooding traffic. IP spoofing is commonly associated with malicious network activities, such as DDOS attacks, which block legitimate access by either exhausting the victim's server resources or saturating the stub network's access links to the internet. On the other hand, defending against DDOS attacks is extremely difficult because there is usually no explicit attack pattern to distinguish legitimate packets from malicious ones. Moreover, to hide the source of the attack, attack programs generally fill IP header fields, especially the 32-bit source IP address, with randomized values. This IP spoofing technique has made the detection and filtering of DDOS traffic extremely difficult, and it has become a common feature of many DDOS attack tools.

II. RELATED WORK
Currently there are several mechanisms to counter DOS and DDOS attacks. These schemes can be roughly categorized into four classes: attacker-end based, network-based, victim-end based, and hybrid. The attacker-end based approaches [8, 9] attempt to identify DDOS attack traffic or spoofed IP packets at the attack sources. Once DDOS attack traffic or spoofed packets are detected, proactive filtering mechanisms are activated to stop the attack traffic from entering the Internet. The network-based approaches count on Internet routers to defend against DDOS attacks in a cooperative manner. Schemes in this category perform either the traceback of the attack traffic or complex filtering operations on routers. IP traceback schemes [10, 11, 12, 13, 14, 15, 16, 17, 18] focus on identifying the origins of spoofed DDOS attacks, rather than stopping these attacks. The victim-end approaches [19, 20, 21] try to enhance the resilience of Internet servers against DDOS attacks. The advantages of the victim-end approaches are that they do not require support from the Internet routing infrastructure and that they strongly motivate the victim to deploy these schemes, owing to the direct benefit to the victim itself. Schemes in the fourth category can be considered a hybrid of network-based and victim-based approaches. These schemes require support from the Internet routing infrastructure and from the victim or victim network. In these schemes, routers mark each incoming IP packet in a deterministic or probabilistic manner. Then, in victims or victim networks, attack packets are identified and discarded on a per-packet basis according to the marks left by Internet routers [22, 23, 24]. An IP traceback method is employed to construct the attack graph, and subsequently IP packets marked with one of the network edges in the attack graph are discarded [22, 23]. In another scheme [24], each participating router marks some bits (one or two bits) in the Identification field of an IP packet according to the router's IP address and the TTL value in the IP header. In this way, an IP packet will arrive at its destination along with a unique identifier representing the path it has traversed.

643 © 2009 ACADEMY PUBLISHER

III. PROPOSED WORK

Fig 2. 3 phases of detecting DDoS attacks (Incoming packets -> Detection analysis phase -> Traffic Control phase -> Traceback phase)

According to Figure 1, first the incoming packets are screened at the detection analysis phase, where the packets are classified into normal, suspicious and malicious ones according to the packet arrival rate calculated in packets per second. Then these packets are passed through the traffic control phase, where the malicious ones are dropped using a filtering technique. The others go through the traffic shaping module, where the suspicious ones are dropped. Then the normal packets arrive at the traceback phase, where the legitimate packets are allowed to pass through and the remaining ones are traced back to their origin to detect any malicious activity.

IV. IMPLEMENTATION

Fig 3. Detection and Traffic Control Phase

A. Detection Analysis Phase
This phase analyzes incoming packets and classifies them according to their arrival rates. For packet analysis, the information of all incoming packets is kept in a data structure, called Income_packet, which contains five packet attributes: arrival time, source IP, destination IP, source port and destination port. This packet information is then statistically analyzed and kept in another structure, called Statistic_info, having the following attributes: the arrival time of the first packet, the arrival time of the latest packet, source IP, destination IP, service port, total number of packets and packet status. The format and an example of the packet statistics kept in Statistic_info are given below.
Format: [yyyymmddHHMMss] [yyyymmddHHMMss] [source ip] [destination ip] [service port] [total packet] [status {Normal, Suspicious, Malicious}]
Example: 20081231140933 20081231140934 10.22.1.30 10.22.1.1 80 1000 Suspicious
(Packets first arrived: 31/12/2008 at 14:09:33; last arrived: 31/12/2008 at 14:09:34; from: 10.22.1.30, to: 10.22.1.1, port: 80, total: 1000 packets, status: suspicious.)
Based on the packet statistics in Statistic_info, the traffic arrival rate in packets per second (pps) from one source IP to one service port is computed. Consequently, the traffic status is determined as normal, suspicious or malicious. The classification uses two threshold values, say x and y, with the following criteria:
• Normal Packet: packet arrival rate is less than x pps.
• Suspicious Packet: packet arrival rate falls between x and y pps.
• Malicious Packet: packet arrival rate is more than y pps.


Note that the threshold values are pre-determined by preliminary experimental results. These thresholds could vary from one system to another.

B. Traffic Control Phase
This phase is designed to control the amount of outgoing traffic in such a way that the amount of attacking traffic is reduced before reaching the target server. This stage specifically targets Botnets and Zombies which may disrupt the normal traffic. After the packet status is determined, individual packets are redirected to different paths. Packets with normal status are allowed to reach the target server with unlimited bandwidth; hence, legitimate users can use the services as usual. Packets with suspicious status are considered moderate attacks, and part of them are sent to the traffic shaping module to be filtered while the others reach the target server. Thus, the bandwidth of suspicious traffic is greatly reduced. Finally, all packets with malicious status are dropped out of the system before having a chance to attack the target server. Filtering traffic in the traffic shaping module using any standard filtering technique is considered the prevention mechanism, since it reduces the suspicious and malicious traffic substantially, to a level that allows the target server to survive the attack. The amount of reduced traffic depends on the applied filtering rate. For example, if the filtering rate is 1/100, only 1 packet is allowed to reach the server while the other 99 packets are dropped. The traffic therefore arrives in a controlled manner, avoiding congestion, and this stage is primarily used for dropping packets marked as malicious. The server timeout is measured to see the effects of attacking and filtering.
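The detection-analysis classification (Section IV.A) and the traffic-control routing with a 1/N filtering rate (Section IV.B), carried through as one added worked example in Python. This is not code from the paper: the thresholds x = 100 and y = 1000 pps, the one-second timestamp resolution used to compute the arrival rate, the deterministic 1-in-N shaping counter, and the sample packet records are all assumptions constructed for this demo. The first constructed flow reproduces the paper's Statistic_info example line.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Thresholds x and y from the paper; these values are constructed for the demo
# (the paper fixes them per system from preliminary experiments).
X_PPS = 100
Y_PPS = 1000

# Income_packet record: (arrival time, source IP, destination IP, source port, destination port)
IncomePacket = Tuple[datetime, str, str, int, int]
FlowKey = Tuple[str, str, int]  # (source IP, destination IP, service port)


def arrival_rate(first: datetime, last: datetime, total: int) -> float:
    # Assumption: timestamps have one-second resolution, so a flow whose first and
    # last packets fall in the same second is counted over a one-second window.
    window_seconds = (last - first).total_seconds() + 1.0
    return total / window_seconds


def classify(rate_pps: float) -> str:
    """Normal below x, Suspicious between x and y (inclusive), Malicious above y."""
    if rate_pps < X_PPS:
        return "Normal"
    if rate_pps <= Y_PPS:
        return "Suspicious"
    return "Malicious"


def build_statistic_info(packets: Iterable[IncomePacket]) -> Dict[FlowKey, dict]:
    """Aggregate Income_packet records into Statistic_info entries per flow."""
    stats: Dict[FlowKey, dict] = {}
    for arrived, src, dst, _sport, dport in packets:
        key = (src, dst, dport)
        entry = stats.setdefault(key, {"first": arrived, "last": arrived, "total": 0})
        entry["first"] = min(entry["first"], arrived)
        entry["last"] = max(entry["last"], arrived)
        entry["total"] += 1
    for entry in stats.values():
        entry["rate_pps"] = arrival_rate(entry["first"], entry["last"], entry["total"])
        entry["status"] = classify(entry["rate_pps"])
    return stats


def format_record(key: FlowKey, entry: dict) -> str:
    """Render one Statistic_info entry in the paper's line format."""
    src, dst, port = key
    stamp = "%Y%m%d%H%M%S"
    return (f"{entry['first'].strftime(stamp)} {entry['last'].strftime(stamp)} "
            f"{src} {dst} {port} {entry['total']} {entry['status']}")


class TrafficControl:
    """Normal passes unshaped, Suspicious is shaped to 1 in N, Malicious is dropped."""

    def __init__(self, filter_denominator: int = 100) -> None:
        self.n = filter_denominator
        self.seen: Counter = Counter()     # per-flow counter driving the 1-in-N shaping
        self.passed: Counter = Counter()   # packets forwarded, by status
        self.dropped: Counter = Counter()  # packets dropped, by status

    def handle(self, key: FlowKey, status: str) -> bool:
        if status == "Normal":
            allowed = True
        elif status == "Suspicious":
            # Deterministic shaping: the first packet of every N passes, the rest drop.
            allowed = self.seen[key] % self.n == 0
            self.seen[key] += 1
        else:
            allowed = False
        (self.passed if allowed else self.dropped)[status] += 1
        return allowed


def run_pipeline(packets: List[IncomePacket], filter_denominator: int = 100):
    stats = build_statistic_info(packets)
    control = TrafficControl(filter_denominator)
    for _arrived, src, dst, _sport, dport in packets:
        key = (src, dst, dport)
        control.handle(key, stats[key]["status"])
    return stats, control


def sample_packets() -> List[IncomePacket]:
    """Constructed traffic: the paper's example flow plus one normal and one flooding source."""
    base = datetime(2008, 12, 31, 14, 9, 33)
    pkts: List[IncomePacket] = []
    for i in range(1000):   # 1000 packets over two seconds from 10.22.1.30 to port 80
        pkts.append((base + timedelta(seconds=i // 500), "10.22.1.30", "10.22.1.1", 40000 + i % 100, 80))
    for i in range(20):     # a legitimate client: 20 packets over two seconds
        pkts.append((base + timedelta(seconds=i // 10), "10.22.1.40", "10.22.1.1", 50000, 80))
    for i in range(5000):   # a flooding source: 5000 packets within one second
        pkts.append((base, "10.22.1.50", "10.22.1.1", 1024 + i % 1000, 80))
    return pkts


if __name__ == "__main__":
    stats, control = run_pipeline(sample_packets(), filter_denominator=100)
    for key, entry in stats.items():
        print(format_record(key, entry))
    print("passed:", dict(control.passed), "dropped:", dict(control.dropped))
```

The shaping counter is deterministic rather than random so that the effect of a given filtering rate is reproducible when comparing server timeouts across rates, as the paper's experiments do; a production shaper would more likely use a token bucket. The status is assigned per (source IP, service port) flow, as the paper describes, so a single flooding source does not pull the legitimate client into the suspicious class.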

Figure 4 Server timeout without filtering.

In this experiment, the server timeout is measured while the attacker generates various attacking rates and the filtering rate is fixed at 1/1000. The results of Figure 4 are plotted together with the results of this experiment in Figure 5.

Figure 5 Server timeout with and without filter.

As we can see, the server survives much longer than in the previous experiment. Another significant observation is that the filtering rate must be really high for the server to survive the attack. Moreover, we also apply various filtering rates of 1/100, 1/250, 1/500, 1/750, and 1/1000 to traffic with different attacking rates. Furthermore, the server timeout decreases faster at a high filtering rate than at a low filtering rate. However, they all converge to certain values. Thus, these results imply that a high filtering rate has a significant impact on the server timeout. After this phase comes the traceback technique.

C. Traceback Phase
This method is used to trace the source of each individual packet marked as normal or suspicious that is passed over from the previous stage. The method is based on a packet-marking approach, to avoid storing state at routers. Instead of inserting its entire IP address into the packet, each node inserts only part of the IP address to indicate its presence on the path. In order to reduce the required space in each packet and the cost of appending data to packets, the attack route is stored in a built-in Bloom filter (Bloom, 1970) integrated into the packet. The filter is employed to avoid packet fragmentation, by reducing and limiting the size of the information inserted into the packet. A generalized Bloom filter is used to prevent forgery and backtracking failures caused by the attacker. The marking algorithm is very simple: just before forwarding a packet, the router inserts the IP address of its output interface into the filter of the packet. Upon receiving an attack packet, the victim therefore holds a filter whose elements are the routers that compose the attack path. To reconstruct the attack path, the following procedure is used.
Initially the victim checks for the presence of all neighbor routers in the Bloom filter of the received attack packet. The router that is recognized as an element of the filter is identified as the upstream router and is therefore integrated into the attack path, as shown in Figure 6, and the traceback procedure continues from there.
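The marking step and the recursive path reconstruction described in this section (including its continuation after Figure 6, where each selected router in turn checks its own neighbors and the process stops at a router with no neighbor in the filter), as an added simulation in Python. It is not code from the paper or from the cited Laufer et al. work: it uses a plain Bloom filter rather than the generalized variant the paper relies on against forgery, and the 256-bit filter size, three SHA-256-derived hash positions, the router names, interface addresses and topology are all constructed for this demo.

```python
import hashlib
from typing import Dict, List, Sequence

# Constructed demo parameters. The paper limits the in-packet filter to avoid
# fragmentation; the actual size and the generalized Bloom filter it uses to
# resist forgery are not reproduced here.
FILTER_BITS = 256
HASH_COUNT = 3


def bit_positions(element: str) -> List[int]:
    """Derive HASH_COUNT bit positions for an element by salting SHA-256 with an index."""
    positions = []
    for i in range(HASH_COUNT):
        digest = hashlib.sha256(f"{i}:{element}".encode()).digest()
        positions.append(int.from_bytes(digest[:4], "big") % FILTER_BITS)
    return positions


class PacketFilter:
    """Bloom filter carried in the packet; routers only ever set bits in it."""

    def __init__(self) -> None:
        self.bits = 0

    def insert(self, element: str) -> None:
        for p in bit_positions(element):
            self.bits |= 1 << p

    def contains(self, element: str) -> bool:
        return all((self.bits >> p) & 1 for p in bit_positions(element))


class Router:
    def __init__(self, name: str, out_iface_ip: str) -> None:
        self.name = name
        self.out_iface_ip = out_iface_ip      # address of the interface facing the victim
        self.upstream: List["Router"] = []    # neighbors one hop further from the victim

    def forward(self, pkt: PacketFilter) -> PacketFilter:
        """Marking step: insert the output-interface address just before forwarding."""
        pkt.insert(self.out_iface_ip)
        return pkt


def mark_along_path(path: Sequence[Router]) -> PacketFilter:
    """Simulate a packet travelling from the source-side router towards the victim."""
    pkt = PacketFilter()
    for router in path:
        router.forward(pkt)
    return pkt


def reconstruct_from(router: Router, pkt: PacketFilter) -> List[List[str]]:
    """Recursive step run at `router`: find which upstream neighbors are in the filter.

    A router with no matching neighbor ends the recursion and is reported as the
    source candidate. Several matches (false positives) produce several branches,
    so the result is a list of candidate paths ordered victim-side first."""
    matches = [n for n in router.upstream if pkt.contains(n.out_iface_ip)]
    if not matches:
        return [[router.name]]
    paths: List[List[str]] = []
    for nxt in matches:
        for tail in reconstruct_from(nxt, pkt):
            paths.append([router.name] + tail)
    return paths


def traceback(victim_neighbors: Sequence[Router], pkt: PacketFilter) -> List[List[str]]:
    """Victim-side start: test each directly attached router against the filter."""
    paths: List[List[str]] = []
    for router in victim_neighbors:
        if pkt.contains(router.out_iface_ip):
            paths.extend(reconstruct_from(router, pkt))
    return paths


def build_topology() -> Dict[str, Router]:
    # Constructed topology: attack path R1 -> R2 -> R3 -> victim, plus off-path neighbors.
    addresses = [("R1", "10.0.1.1"), ("R2", "10.0.2.1"), ("R3", "10.0.3.1"), ("R4", "10.0.4.1"),
                 ("R5", "10.0.5.1"), ("R6", "10.0.6.1"), ("R7", "10.0.7.1")]
    routers = {name: Router(name, ip) for name, ip in addresses}
    routers["R3"].upstream = [routers["R2"], routers["R5"]]
    routers["R2"].upstream = [routers["R1"], routers["R6"]]
    routers["R1"].upstream = [routers["R7"]]
    return routers


def demo() -> List[List[str]]:
    routers = build_topology()
    pkt = mark_along_path([routers["R1"], routers["R2"], routers["R3"]])
    victim_neighbors = [routers["R3"], routers["R4"]]   # R4 is attached but off the path
    return traceback(victim_neighbors, pkt)


if __name__ == "__main__":
    for path in demo():
        print(" -> ".join(reversed(path)), "(source candidate:", path[-1] + ")")
```

Because the filter is fixed-size, the victim can only ever confirm membership, never list the elements; that is why the reconstruction has to walk the topology hop by hop. With a plain Bloom filter an attacker who controls the initial bits can pre-set positions to make an off-path router appear as a member, which is the forgery the paper's generalized filter is meant to resist; the recursion above tolerates such collisions only by returning every matching branch as a candidate path.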

[Figure 6: chain of routers R, each checked for presence in the packet's filter]
Figure 6 IP traceback - Reconstruction of path to check whether adjacent routers are present in the filter.


Afterwards, this selected router receives from the victim a request to continue the path-reconstruction procedure along with the respective Bloom filter, thus reducing the false-positive probability. It then verifies the request's authenticity and checks which of its neighbor routers is also recognized as an element of the filter, identifying the next upstream router. This process is recursively repeated on each upstream router to reconstruct the actual path traversed by the packet. When a router does not recognize any neighbor router as an element of the filter, the process stops and this router may be considered the source of the attack. Thus this method can easily detect spoofed attacks generated by attackers and botnets using the novel path-reconstruction method, even for packets which may appear normal. The complete route of each packet can be individually determined. Furthermore, no information needs to be stored in the network. An attack can also be traced long after it is over, without help from network operators.

V. CONCLUSION
This paper proposes a model to measure the effectiveness of filtering malicious traffic, along with an effective traceback technique to control the DDOS attacks generated. The algorithm follows the detection-analysis and traffic-control phases so that DDoS attacks are avoided along with the infiltration of botnets and IP-spoofed attacks.

REFERENCES
[1] B. H. Bloom, "Space/Time Trade-offs in Hash Coding with Allowable Errors," Communications of the ACM, vol. 7, no. 13, pp. 442–426, July 1970.
[2] R. P. Laufer, P. B. Velloso, D. de O. Cunha, I. M. Moraes, M. D. D. Bicudo, M. D. D. Moreira, and O. C. M. B. Duarte, "Towards Stateless Single-Packet IP Traceback," 32nd IEEE Conference on Local Computer Networks (LCN 2007), Dublin, Ireland, October 2007.
[3] R. P. Laufer, P. B. Velloso, and O. C. M. B. Duarte, "Generalized Bloom Filters," Technical Report GTA-05-43, COPPE/UFRJ, September 2005.
[4] R. P. Laufer, P. B. Velloso, D. de O. Cunha, I. Moraes, M. D. D. Bicudo, M. D. D. Moreira, and O. C. M. B. Duarte, "Towards Stateless Single-Packet IP Traceback," Technical Report GTA06-38, COPPE/UFRJ, December 2006.
[5] T. Peng et al., "Survey of Network-based Defense Mechanisms Countering the DoS and DDoS Problems," ACM Computing Surveys, vol. 39, no. 1, 2007.
[6] D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP Traceback," IEEE INFOCOM, 2001.
[7] T. Darmohray and R. Oliver, "Hot spares for DDoS attacks," http://www.usenix.org/publications/login/2000/apropos.html.
[8] Li J, Mirkovic J, Wang M, Reiher P, Zhang L. SAVE: source address validity enforcement protocol. In: Proceedings of IEEE INFOCOM, vol. 3; June 2001. p. 1157–566.
[9] Mirkovic J, Prier G, Reiher P. Attacking DDoS at the source. In: Proceedings of international conference on network protocols; Nov. 2002. p. 312–21. Technical report, The University of Melbourne, Australia, 2002. http://www.ee.mu.oz.au/pgrad/taop/research/detection.pdf
[10] Belenky A, Ansari N. IP traceback with deterministic packet marking. IEEE Communications Letters April 2003;7(2):162–4.
[11] Bellovin S, Leech M, Taylor T. ICMP traceback messages [Online]. Available from: http://www.ietf.org/internet-drafts/draft-ietf-itrace-04.txt; Feb. 2003.
[12] Dean D, Franklin M, Stubblefield A. An algebraic approach to IP traceback. ACM Transactions on Information and System Security May 2002;5(2):119–37.
[13] Sanchez LA, Milliken WC, Snoeren AC, Tchakountio F, Jones CE, Kent ST, et al. Hardware support for a hash-based IP traceback. In: Proceedings of the second DARPA information survivability conference; June 2001. p. 146–52.
[14] Savage S, Wetherall D, Karlin AR, Anderson T. Practical network support for IP traceback. In: Proceedings of SIGCOMM conference; Aug. 2000. p. 295–306.
[15] Savage S, Wetherall D, Karlin AR, Anderson T. Network support for IP traceback. IEEE/ACM Transactions on Networking June 2001;3:226–37.
[16] Snoeren AC, Partridge C, Sanchez LA, Jones CE, Tchakountio F, Kent ST, et al. Hash-based IP traceback. In: Proceedings of the ACM SIGCOMM conference; Aug. 2001. p. 3–14.
[17] Snoeren AC, Partridge C, Sanchez LA, Jones CE, Tchakountio F, Schwartz B, et al. Single-packet IP traceback. IEEE/ACM Transactions on Networking 2002;10(6):721–34.
[18] Song D, Perrig A. Advanced and authenticated marking schemes for IP traceback. In: Proceedings of IEEE INFOCOM conference; Apr. 2001. p. 878–86.
[19] Jin C, Wang H, Shin KG. Hop-count filtering: an effective defense against spoofed DDoS traffic. In: Proceedings of ACM conference on computer and communications security; Oct. 2003. p. 30–41.
[20] Peng T, Leckie C, Ramamohanarao K. Detecting distributed denial of service attacks using source IP address monitoring.
[21] Peng T, Leckie C, Ramamohanarao K. Protection from distributed denial of service attacks using history-based IP filtering. In: Proceedings of IEEE international conference on communications, vol. 1; May 2003. p. 482–6.
[22] Sung M, Xu J. IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. In: Proceedings of international conference on network protocols; Nov. 2002. p. 302–11.
[23] Sung M, Xu J. IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. IEEE Transactions on Parallel and Distributed Systems Sep. 2003;14(9):861–72.
[24] Yaar A, Perrig A, Song D. Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of the IEEE symposium on security and privacy; May 2003. p. 93–109.
