Framework for Statistical Filtering Against DDoS Attacks in MANETs

Hwee-Xian Tan (1,2), Winston K. G. Seah (2,1)
1 Department of Computer Science, School of Computing, National University of Singapore
2 Networking Department, Institute for Infocomm Research (I2R), A*STAR, Singapore
{stuhxt, winston} @ i2r.a-star.edu.sg

Abstract

A DDoS (Distributed Denial-of-Service) attack is a distributed, large-scale attempt by malicious users to flood the victim network with an enormous number of packets. This exhausts the victim network's resources, such as bandwidth and computing power: the victim is unable to provide services to its legitimate clients and network performance deteriorates greatly. There are many proposed methods in the literature which aim to alleviate this problem, such as hop-count filtering, rate limiting and statistical filtering. However, most of these solutions are meant for the wired Internet, and there has been little research effort on mechanisms against DDoS attacks in wireless networks such as MANETs. In this paper, we study the vulnerability of MANETs to DDoS attacks and provide an overview of statistical filtering, which is commonly used as a security mechanism against DDoS attacks in wired networks. We then propose a framework for statistical filtering in MANETs to combat DDoS attacks.

1. Introduction

Mobile Ad Hoc Networks (MANETs) are multi-hop wireless networks that do not require any central administration or existing infrastructure. All nodes in the network act as hosts as well as packet-forwarding routers. While such networks have potential commercial viability, MANETs are still deployed mainly for disaster-relief emergencies and military expeditions in hostile terrain. Such applications, which involve information retrieval and data-sensitive transactions, require some level of cyber security to be provided to users. One of the most common forms of security breach is the Distributed Denial-of-Service (DDoS) attack, in which the aggressors swamp a victim node (or a set of victim nodes) with a vast number of incoming packets. This depletes the resources of the network elements, and the victim is unable to handle requests from legitimate clients. While there have been many proposed methods in the literature which aim to reduce the effectiveness of DDoS attacks, most of these solutions are meant for the wired Internet and are not directly applicable to wireless scenarios. In addition, due to the dynamic characteristics and transient states of MANET environments, the effects of DDoS attacks can be quite different from those experienced by wired networks. Therefore, different mechanisms have to be employed to alleviate the effects of DoS attacks.

In this paper, we look into how statistical filtering, one of the reactive mechanisms to combat DDoS attacks, can be deployed in MANETs. We also discuss the effectiveness of DDoS attacks against automated statistical filtering in wired networks and propose a framework to adopt such statistical filtering mechanisms in MANETs.

The rest of the paper is organized as follows. The next section discusses the features of MANETs which make them vulnerable to security attacks. Section 3 provides an overview of statistical filtering methods used against DDoS attacks in wired networks. In Section 4, we show the effects of DDoS on MANETs and outline the issues involved with statistical filtering in MANETs. We then propose a framework for using statistical filtering to combat DDoS attacks in MANETs in Section 5, and conclude with directions for future work in Section 6.

2. Security Issues in MANETs

MANETs are a unique class of wireless multi-hop network comprising autonomous mobile nodes. The network topology therefore changes dynamically, which gives rise to a wide range of characteristics such as transient links, unpredictable resource availability and complex route maintenance. In addition, nodes in MANETs have limited battery life, which is expended by packet transmission and reception. Although security threats exist in both wired

Proceedings of the Second International Conference on Embedded Software and Systems (ICESS’05) 0-7695-2512-1/05 $20.00 © 2005 IEEE

and wireless networks, the inherent nature of wireless networks such as MANETs makes them more vulnerable to attacks. In the following, we describe how some of these MANET features make the network more susceptible to threats.

Nodes in MANETs have no central base station to coordinate the transmission and authentication of packets. Thus, the delivery of data packets from source to destination nodes depends on the cooperation of the (intermediate) nodes in the network. Most of the existing architectures and routing protocols built for MANETs assume that all nodes in the network are cooperative and willingly forward packets for other nodes. This assumption is likely to become invalid when the network is deployed in real-life scenarios, and can be especially critical if the MANET is being used for military missions or data-sensitive transactions.

The wireless channel in MANETs is a shared broadcast medium, unlike in wired scenarios where the channel can be configured to provide dedicated access to a particular user group. Therefore, nodes in wireless networks are often subject to interference (whether deliberate or not) from neighbouring nodes within their transmission and interference ranges. In addition, the wireless links offer little protection for the authentication and confidentiality of data packets. Each transmitted packet can easily be overheard and/or intercepted by all neighbouring nodes, and each node will also inevitably hear all packets that are sent by its neighbours.

The mobility of the nodes also increases the challenge of node authentication, because nodes can easily move into and out of the network. Consequently, nodes in the network have a higher probability of being compromised, and it is difficult to detect intruding or misbehaving nodes in such mobile, decentralized architectures.

In the literature, there are many proposed mechanisms and protocols that aim to provide security in wired networks, such as cryptographic techniques, data encryption and decryption, shared private/public key infrastructures, etc. Compared to wired networks, there are relatively few viable solutions for security in wireless networks, particularly MANETs. Existing work on security measures in MANETs typically addresses the issue of selfish or malicious nodes in the network. A selfish node is one that attempts to make use of its neighbours to forward packets without offering the same service, which could be a measure to conserve its limited battery supply. In contrast, a malicious node is one which may attempt to modify packet information, provide false routing information, impersonate other nodes or even perform passive eavesdropping. Some of the proposed methods in the literature include replication and threshold cryptography schemes [1], intrusion detection and response mechanisms [2], use of a fair MAC protocol [3] and secure routing protocols with built-in authentication procedures. However, none of these protocols are very effective against DDoS attacks in MANETs.

In the next section, we describe the operational behaviour of statistical filtering, which is a relatively effective mechanism for mitigating DDoS attacks in wired networks. We then explore, in subsequent sections, how statistical filtering can be adopted in wireless networks.

3. Statistical Filtering in Wired Networks

The major causes of concern in conventional DDoS defense mechanisms are that they often require human intervention and are slow to respond. These can increase the extent of the attack and cause more damage to the victim's network. Consequently, there is a class of reactive mechanisms (also known as Early Warning Systems), such as statistical filtering, that aims to detect DDoS attacks and provide a timely response. The general class of filtering DDoS defense mechanisms, such as in [4], comprises three components: (i) detecting the attack; (ii) identifying the attacking sources; and (iii) suppressing the attacking traffic by filtering suspicious packets.

In statistical filtering, a set of packet statistics such as the TTL (time-to-live), source IP address, destination IP address, protocol type, etc., is collected and monitored by the defense system. In addition, it is often assumed that the system has access to a set of normal (and stable) traffic characteristics; otherwise it would be almost impossible to identify when a network is being attacked. The system monitors the incoming data packets and identifies abnormal traffic behaviour by comparing the incoming statistics with the nominal network traffic profile. Suspicious packets are then discarded based on some filtering rules, such as the source address, service and/or destination address.

Filtering policies can be deterministic or probabilistic. In the former, packets are dropped or accepted if they satisfy some fixed, predetermined criteria. In contrast, probabilistic policies filter packets according to some random probability. In both cases, packet discarding is often based on a dropping threshold, which can be either fixed or dynamic. While statistical filtering does not guarantee that all illegitimate packets are rejected and all legitimate packets accepted, it still offers an automated defense mechanism against DDoS attacks. However, the effectiveness of the filter also depends on a number of factors, such as the ability of the "ideal" filter to [5]:
- Detect attacks even if it is implemented on a single router along the line of attack;
- Adapt dynamically to a variety of network environments;
- Detect attacks accurately;
- Deploy intelligent packet discard mechanisms; and
- Show effectiveness and robustness against a wide variety of existing and future DDoS attacks.

According to [6], packet traces are often analyzed offline and any new filtering rules are installed manually into the routers. Therefore, filtering is often ineffective and has a slow response time. As such, the authors proposed a defense mechanism against DDoS based on distributed detection and automated on-line attack characterization. The scheme, called the PacketScore approach, comprises the following three mechanisms:
- Detection of impending attacks and identification of victims by monitoring key traffic statistics of each protected target;
- Differentiating between legitimate and attacking packets using the Conditional Legitimate Probability (CLP) metric; and
- Discarding packets selectively based on a dynamic threshold, which is adjusted according to (i) the distribution of CLP over all suspicious packets; and (ii) the congestion level of the victim.

Li et al. in [7] study the effectiveness of sophisticated DDoS attacks on statistical filtering in wired networks. Through simulation results (which seem to represent attacks of much lower intensity than what is indicated by the parameters), the authors found that an adaptive filter may not perform as well as expected, especially in the face of sophisticated and erratic attackers. These attackers change their attack policies frequently and trick the filter into learning a wrong attack profile. In most cases, a filter that assumes a wrong profile performs worse than one which drops packets randomly. As such, future algorithms should exploit the correlation between packet attributes such as the packet size, protocol type and port numbers to improve the performance of the filter.
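To make the PacketScore-style pipeline concrete, the following Python sketch is an added example written for this page; it is not code from [6] or [7]. It learns a nominal profile from constructed normal traffic, scores each packet of a later window by how much more likely its attributes are under the nominal profile than under the current (attacked) profile, and picks the discard threshold dynamically so that only enough of the lowest-scoring packets are dropped to bring the window back under the victim's capacity. The attribute set (TTL, protocol, size class), the attribute-independence assumption in the CLP, the Laplace smoothing, the capacity value and the sample traffic are all assumptions made here.

```python
"""PacketScore-style statistical filter (added example, not the paper's code).

Assumptions: packets are dicts with ttl/proto/size; attributes are treated as
independent when computing the CLP; marginals are Laplace-smoothed so an
attribute value never seen in nominal traffic still gets a finite score.
"""
import math
from collections import Counter

ATTRS = ("ttl", "proto", "size_bucket")


def size_bucket(size):
    """Coarse packet-size class (256-byte bins, capped) to keep histograms small."""
    return min(size // 256, 5)


def attributes(pkt):
    return {"ttl": pkt["ttl"], "proto": pkt["proto"],
            "size_bucket": size_bucket(pkt["size"])}


class Profile:
    """Per-attribute histograms of the traffic seen so far."""

    def __init__(self):
        self.hist = {a: Counter() for a in ATTRS}
        self.n = 0

    def add(self, pkt):
        for a, v in attributes(pkt).items():
            self.hist[a][v] += 1
        self.n += 1

    def prob(self, attr, value):
        # Laplace smoothing: unseen values get a small non-zero probability
        return (self.hist[attr][value] + 1) / (self.n + len(self.hist[attr]) + 1)


def clp(pkt, nominal, current):
    """Log conditional legitimate probability: sum over attributes of
    log P_nominal(v) - log P_current(v). Higher means more like nominal traffic."""
    return sum(math.log(nominal.prob(a, v)) - math.log(current.prob(a, v))
               for a, v in attributes(pkt).items())


def dynamic_threshold(scores, load, capacity):
    """Cut-off so that just enough of the lowest-scoring packets are discarded
    to bring the offered load down to the victim's capacity."""
    if load <= capacity:
        return -math.inf            # not congested: discard nothing
    drop_fraction = 1 - capacity / load
    ordered = sorted(scores)
    idx = min(int(drop_fraction * len(ordered)), len(ordered) - 1)
    return ordered[idx]


def filter_window(window, nominal, capacity):
    """Score every packet in the window against the nominal and current profiles
    and discard those at or below the dynamic threshold. Returns (kept, threshold)."""
    current = Profile()
    for p in window:
        current.add(p)
    scores = [clp(p, nominal, current) for p in window]
    thr = dynamic_threshold(scores, len(window), capacity)
    kept = [p for p, s in zip(window, scores) if s > thr]
    return kept, thr


# --- constructed sample traffic (not measured data) ---
def nominal_traffic(n=200):
    """Deterministic 'normal' traffic: TTL 64/128, TCP/UDP, sizes 400-1399 bytes."""
    return [{"ttl": 64 if i % 2 else 128, "proto": "tcp" if i % 3 else "udp",
             "size": 400 + (i * 37) % 1000, "legit": True} for i in range(n)]


def attacked_window(n_legit=100, n_attack=300):
    """Legitimate traffic plus a flood of identical small ICMP packets with TTL 255."""
    legit = nominal_traffic()[:n_legit]
    flood = [{"ttl": 255, "proto": "icmp", "size": 64, "legit": False}
             for _ in range(n_attack)]
    return legit + flood


def learn_nominal():
    """Learning phase: build the nominal profile from attack-free traffic."""
    prof = Profile()
    for p in nominal_traffic():
        prof.add(p)
    return prof


if __name__ == "__main__":
    nominal = learn_nominal()
    kept, thr = filter_window(attacked_window(), nominal, capacity=150)
    print(f"threshold={thr:.2f} kept={len(kept)} "
          f"legit_kept={sum(p['legit'] for p in kept)}")
```

The flood packets all share attribute values that were rare or absent in the nominal profile but dominate the current window, so their CLP is far below that of any legitimate packet; the 400-packet window against a capacity of 150 yields a cut-off that discards exactly the 300 flood packets. The same structure also shows the weakness Li et al. [7] describe: an attacker that shifts TTL, protocol and size from window to window drags the current profile around, and a filter that re-learns from those windows ends up with a wrong profile.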

4. DDoS Attacks in MANETs

As DDoS attacks are both distributed and denial-of-service attacks [8], they are often large-scale in nature and can greatly deteriorate the performance of the victim network. In a typical DDoS attack, the malicious users first build a network of vulnerable hosts which are used to launch the attack. The vulnerable nodes, known as zombies, are then installed with attack tools, which allow them to carry out attacks under the control of the attacker. J. Mirkovic and P. Reiher in [9] provide a comprehensive overview of the DDoS problem and design space by proposing taxonomies of DDoS attack and defense mechanisms. There are many proposed methods in the literature which aim to handle DDoS attacks and mitigate their level of damage. Some of these include reactive attack response strategies such as filtering, which allows a certain class of datagrams to pass through while blocking all other datagrams.

The effects of DDoS attacks are more severe in shared wireless channels because attacks are no longer directed at a single node. Each illegitimate packet generated by the attacker may cause collisions at multiple neighbouring nodes as well as at nodes within the interference range (which can often be twice as large as the transmission range), resulting in increased retransmissions and contention for channel access.

In this section, we study the performance of the network when it is subject to DDoS attacks. We use GloMoSim [10], which provides a scalable simulation platform for wireless networks, to perform our simulations. The common parameters that we have used in our simulations are given in Table 1.

Table 1. Summary of simulation parameters

Parameter                  Value
Terrain size               2000 × 2000 metres
Mobility model             Random Waypoint
[Min, Max] speeds          [10 m/s, 20 m/s]
Routing protocol           AODV [11]
Nominal traffic type       Constant Bit Rate (CBR), 10 connections
Nominal traffic interval   120 ms

We consider the case where the attackers are compromised hosts in the network, i.e., they still continue to forward packets for other neighbouring nodes and do not deliberately modify packet contents. The following performance measures are compared:
- Packet Delivery Ratio (PDR): the number of successfully delivered legitimate packets as a ratio of the number of generated legitimate packets; and
- Average end-to-end delay: the average time taken to deliver a legitimate packet successfully from its source to its destination.

In our simulations, we study the effect of DDoS attacks under the following conditions:
- Different attack intensities, where the attack intensity is the rate at which attack packets are sent as a ratio of the nominal traffic rate. The attack intensity is varied by shortening the interval at which the attacker sends attack packets;
- Different numbers of attackers; and
- Different node mobilities.

4.1. Effect of DDoS attacks with different attack intensities

Figure 1 and Figure 2 show the performance of the network when there is one slave attacker in a network with 50 legitimate hosts. When the attack intensity is 1, the network performance does not seem to deteriorate significantly, as traffic has not reached saturation point. However, as the attack intensity increases, more packets (both legitimate and illegitimate) compete for channel access in the shared wireless medium. This leads to a drop in the packet delivery ratio and also causes an increase in the delay of the network. Thus, we can expect that as the intensity of the attacks increases, the performance of the network will deteriorate even further.

Figure 1. PDR with 1 slave attacker. (Plot: 50 legitimate nodes, 1 slave attacker; x-axis attack intensity 1 to 5; y-axis packet delivery ratio, roughly 0.88 to 0.91; series: without attacks, with attacks.)

Figure 2. Delay with 1 slave attacker. (Plot: 50 legitimate nodes, 1 slave attacker; x-axis attack intensity 1 to 5; y-axis delay in seconds, roughly 0.05 to 0.25; series: without attacks, with attacks.)

4.2. Effect of DDoS attacks with different number of attackers

Figure 3 and Figure 4 show the effects of DDoS attacks on MANETs with different numbers of attacking slave nodes, which models the distributed behaviour of DDoS attacks. The number of attackers is varied from 1 to 5. The PDR of the network decreases rapidly when it is subject to attacks. This degradation of the network performance is more significant when the intensity of the attack is increased, and seems to suggest that high attack intensity is more effective than distributed attacks (with greater numbers of attackers). In Figure 4, we can see that with an attack of intensity 1, the delay of the network is lower than that without any attacks. This is because of the lowered packet delivery ratio of the network: only packets that are actually delivered contribute to the delay measure. However, when the intensity of the attacks is increased to 5, the delay becomes very much higher due to the length of time before any node actually gains access to the channel.

Figure 3. PDR with varying number of attackers. (Plot: 50 legitimate nodes; x-axis number of attackers 1 to 5; y-axis packet delivery ratio, roughly 0.8 to 1; series: without attacks, with attacks of intensity 1, with attacks of intensity 5.)

Figure 4. Delay with varying number of attackers. (Plot: 50 legitimate nodes; x-axis number of attackers 1 to 5; y-axis delay in seconds, roughly 0.06 to 0.12; series: without attacks, with attacks of intensity 1, with attacks of intensity 5.)

4.3. Effect of DDoS attacks under different node mobilities

In this set of experiments, we evaluate the effect of DDoS attacks when the nodes in the network move at different speeds. We use the Random Waypoint mobility model with a pause time of 0 s, which emulates continuous random motion. There are 5 slave attackers in the network, and attack intensities of 1 and 5 are simulated. Figure 5 and Figure 6 show the comparative performance under DDoS attacks as the speeds of the nodes are increased. As node mobility increases, link breakages occur more frequently and lead to route repairs and maintenance. This increases the overhead in the network, thus causing the network performance to deteriorate. However, it is interesting to note that at low or no mobility, the performance of the network does not seem to deteriorate significantly even under DDoS attacks with an intensity of 5. Therefore, static nodes or nodes with low mobility may not be much affected by DDoS attacks (especially if the traffic rate is low).

Figure 5. PDR with varying node mobility. (Plot: 50 legitimate nodes, 0 s pause time; x-axis speed 0 to 20; y-axis packet delivery ratio, roughly 0.7 to 1; series: without attacks, with attacks of intensity 1, with attacks of intensity 5.)

Figure 6. Delay with varying node mobility. (Plot: 50 legitimate nodes, 0 s pause time; x-axis speed 0 to 20; y-axis delay in seconds, 0 to 0.3; series: without attacks, with attacks of intensity 1, with attacks of intensity 5.)

From our preliminary experimental studies, we have seen that DDoS attacks can deteriorate the performance of MANETs significantly. Depending on the attack intensity, number of attacking nodes and node mobility, the impact can be quite different. Our second set of experiments shows that higher attack intensity seems to have a greater impact than an increased number of attackers. This could be attributed to the fact that in a wireless medium there is often spatial reuse of the channel. Therefore, a distributed attacker may be less effective than an aggressive attacker, especially in cases where traffic is not saturated. In addition, our third set of experiments shows that attackers are more effective in highly mobile scenarios. This can be attributed to the fact that as node mobility increases, more nodes move into the vicinity of the attacker nodes during packet transmission and/or reception. Hence, the effects of DDoS attacks are more pronounced in highly mobile scenarios.

5. Statistical Filtering in MANETs

In the previous section, we studied the effects of DDoS attacks in distributed, decentralized and mobile networks under varying network conditions and attack scenarios. As expected, DDoS attacks can cause significant deterioration in network performance. In wired networks, statistical filtering has been shown to be an effective mechanism against DDoS attacks because of its reactive nature. We will now explore how statistical filtering can be adapted to MANETs to counter DDoS attacks.

5.1. Issues of Concern

Conventional statistical filtering methods that are used in wired networks cannot be adopted directly in wireless networks, because the latter have unique constraints and characteristics which are not present in the former. As such, a new set of issues must be addressed before we can port the advantages of statistical filtering over to MANETs.

5.1.1. Which node(s) in the network will have filtering capabilities?

Nodes in MANETs are mobile and have limited energy capacity. As such, it is difficult to determine which particular node(s) in the network should be equipped with filtering capabilities. A logical solution might be to install such capabilities in all the nodes, but this is not energy efficient, as filtering takes up a lot of processing and computational power. In addition, the filter also has to store nominal traffic profiles in a database, thus requiring more storage overhead.

5.1.2. What is the nominal traffic profile and how should it be maintained?

A nominal traffic profile is the set of traffic characteristics that are assumed to be stable during normal traffic conditions. Traffic anomalies can then be detected by comparing the traffic statistics of the current traffic profile against the nominal traffic profile. While traffic profiles for the Internet can be obtained by monitoring the various types of packets passing through the routers and possibly the proxies in the network, these traffic profiles vary according to the time of day, as well as the router location at which the data is collected. In wired networks such as the Internet, obtaining the nominal profile is already a challenge; in networks with dynamic topology such as MANETs, this problem is further exacerbated. In addition, it was found in [6] that mismatching the different daily legitimate traffic profiles can cause the filter to perform worse than expected. In MANETs, due to the inherently dynamic nature and storage limitations of the nodes, it might not even be possible to obtain and/or maintain a stable nominal traffic profile.

5.1.3. What are the likely characteristics of an attacking node in a MANET?

As in wired networks, an attacking node may deploy static or dynamic strategies when launching its attacks. In MANETs, these attacking nodes can also be static or mobile, and can affect more than one destination node. A single illegitimate packet can have a profound effect on the neighbouring nodes as well as on other intermediate nodes which forward the illegitimate packet. However, the intensity of DDoS attacks in MANETs is likely to be lower than in wired networks, as the attackers themselves might also be energy-constrained, like the other nodes in the network. These attackers are likely to initiate other forms of DDoS attacks that do not generate high volumes of traffic, such as SYN attacks, Teardrop and the Ping-of-Death, because these expend less energy. We assume that attackers in MANETs are not as sophisticated as those on the Internet and have limited capabilities. As such, they are likely to be able to generate only packets with different traffic rates, dummy destination nodes, different traffic types and different packet sizes. Furthermore, they are unlikely to know the source addresses of the nodes in the network.

5.1.4. What type of filtering policy should be adopted in the network?

Filtering policies can be quite sophisticated, as in [6] and [7]. While a complex and intelligent filter can be relatively effective against DDoS attacks, it also requires more storage and computing power. Filtering policies can also be static or dynamic, probabilistic or deterministic. Each of these has its own advantages and disadvantages, with the general trend being that a more accurate and effective policy usually requires more overhead and power, which are also crucial constraints in MANETs.

5.1.5. How should the filtering policy be enforced throughout the network?

MANETs have a decentralized architecture, and any filtering policy undertaken by the nodes is likely to be based on independent decisions by each node on whether a particular packet is allowed to be received or retransmitted. It is also possible for nodes in the network to cooperate and use a common filtering policy by propagating traffic pattern information to all other nodes with filtering capabilities in the network. However, this might not be feasible, because it is hard for an infrastructure-less peer-to-peer network to make centralized decisions. Adaptive filters may make use of filtering information from their neighbours or destination nodes to refine their filtering policies. Alternatively, these filters can make decisions independently of other nodes in the network. While filters in wired networks monitor traffic characteristics such as TTL, protocol type, source and destination port numbers, etc. to execute their filtering policies, given the limited capabilities of the attackers in MANETs, filters in MANETs are likely to monitor a smaller subset of characteristics such as traffic rates, traffic types, packet sizes, and source and destination addresses.

We have looked at certain issues of concern which arise when we try to introduce statistical filtering mechanisms in a dynamic environment such as a MANET. In the next section, we develop a framework for wireless statistical filtering while taking these factors into consideration.

5.2. Framework

We assume that there is a fixed number of legitimate nodes, Nlegitimate, in the MANET, each identified by its own unique IP address. It is not necessary for each node in the network to know the set of legitimate IP addresses; requiring this would pose scalability problems as the network size increases. Furthermore, IP addresses can be spoofed by attacker nodes, making IP addresses unreliable for the authentication of nodes and packets. The number of attackers in the network and the attack intensity are also unknown. There are a total of Nfilter filters in the network, where Nfilter ≤ Nlegitimate. Each of these filters functions like the other legitimate nodes in the network, forwarding packets to its neighbours, but is equipped with more processing and storage capability in order to do filtering. They may deploy similar or variant forms of statistical filtering policies, and make independent, autonomous decisions on packet handling and filter-enhancing policies. In addition, they may use similar or different nominal traffic profiles.

5.2.1. Nominal traffic profiles.

Nominal traffic profiles can be learnt during a pre-specified learning window of size Wlearn; otherwise it would be impossible to deploy any form of statistical filtering mechanism in the network, since a nominal traffic profile could not be obtained. After the learning period, aggressive nodes may initiate attacks at any point in time. The nominal traffic profile is updated online, at specific intervals. Iceberg histograms are maintained for the monitored traffic statistics.

Increasing sophistication

5.2.2. Attackers. Attacker nodes may be static or mobile within the network. They may help to forward packets as like legitimate nodes, and can employ a range of DDoS attacks such as: ƒ Buffer overflow attacks – flooding the network with a large number of illegitimate packets to waste its resources; ƒ SYN attacks – rapidly sending a large number of connection requests and then failing to respond to the reply; ƒ Teardrop or Ping-of-Death attacks – putting an incorrect offset value in packet fragments of large pieces of data; and ƒ Smurf attacks – sending many ping packets with the victim’s IP address as the destination.

1. 2. 3. 4. 5. 6.

Adaptive malicious attacker with feedback Adaptive slave with feedback Adaptive malicious attacker Adaptive slave Static attacker Static slave

Figure 7: Sophistication levels of filters

Figure 7 shows the sophistication levels of the attackers in the network. We differentiate between a "malicious attacker" and a "slave" by the following definitions: (i) a malicious attacker is a node that is deliberately planted into the network to launch DDoS attacks, and is not obliged to forward packets to other neighbouring nodes; and (ii) a slave is a compromised legitimate host that can generate illegitimate packets when it is under the control of an attacker, but still performs the normal routing mechanisms for other nodes in the network. An adaptive attacker/slave can also obtain feedback on the type of packets that can pass through the filter, and adjust its attack policy accordingly.

5.2.3. Filter selection. We consider a hierarchical-based filtering structure, whereby nodes in the network are typically grouped into clusters. Each cluster has a cluster-head, which is responsible for filtering and routing within the cluster. This is similar to cluster-based routing protocols such as in [12] and [13]. The cluster-head is also responsible for maintaining and updating the nominal traffic profile and monitoring the key traffic characteristics. Cluster-heads are rotated at regular intervals of time for load-sharing purposes so that no node will expend all its energy on routing and filtering. In addition, each new cluster-head has to be authenticated by the previous cluster-head. This can be done through private/public key sharing within the group.

5.2.4. Filters. As in [7], filters can be static (using the same filtering policy all the time) or adaptive (modifying the filtering policy according to the traffic characteristics of the attack packets). We have also added another class of filters: adaptive filters with feedback. This class of filters can obtain feedback from the victim nodes in the network regarding the type of attack packets that are being received as well as the congestion level of the network (based on the average end-to-end delay of legitimate packets), and is thus able to refine its adaptive filtering policy. This information is obtained at the application level, which discards attack packets and propagates this information down to the lower layers, as shown in Figure 8.

Figure 8: Feedback mechanism of filters (Application Layer / Transport Layer / Network Layer)
1. Filters packets and sends unfiltered packets to the transport layer.
2. Application layer identifies illegitimate packets that are not part of data traffic.
3. Application layer feeds this information back to the network layer.
4. Network layer uses the feedback information to adjust its filtering policy.

Proceedings of the Second International Conference on Embedded Software and Systems (ICESS'05) 0-7695-2512-1/05 $20.00 © 2005 IEEE

Figure 9 shows the various sophistication levels of the filters. The filter adopts a probabilistic approach: it drops packets with a probability p, based on the current traffic profile and the nominal traffic profile. In addition, adaptive filters with feedback capabilities can also change the value of p by monitoring changes in the delay being experienced by the destination nodes. This helps to offer some level of support for overload control in the wireless network.

Figure 9: Sophistication levels of filters (1. adaptive filter with feedback; 2. adaptive filter; 3. static filter)

5.2.5. Performance evaluation. Due to the probabilistic nature of the filter, it may actually drop legitimate packets or allow illegitimate packets to pass through (i.e., be forwarded through) the network. We denote the false reject rate α as the total number of legitimate packets that have been dropped by the filter over the total number of packets passing through the filter, and the false accept rate β as the total number of illegitimate packets that have been allowed to pass through the filter. We compute the effectiveness of the DDoS attack as e = kα + (1 − k)β, where 0 ≤ k ≤ 1. The main objective of the filter is thus to minimize the effectiveness of the DDoS attack.
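As an added illustration (not code from the paper), the following simulation implements the probabilistic filter of Section 5.2.4 and the α, β and e metrics of Section 5.2.5 over constructed traffic. The per-class drop rule, the feedback scaling step, the size-class attribute and the normalisation of β by the total packet count are assumptions made here.

```python
import random
from collections import Counter

# Constructed nominal profile (not from the paper): share of packets per size class.
NOMINAL = {"small": 0.5, "medium": 0.3, "large": 0.2}

def drop_probability(nominal, current):
    """Per-class drop probability p (assumed rule): a class within its
    nominal share is never dropped; one above it is dropped just often
    enough to bring it back to its nominal share."""
    return {c: max(0.0, 1.0 - nominal.get(c, 0.0) / f)
            for c, f in current.items() if f > 0}

def adjust_for_feedback(p, observed_delay, target_delay, step=0.1):
    """Adaptive filter with feedback: the victim reports the average end-to-end
    delay of legitimate packets; scale p up while over target, down otherwise."""
    factor = 1 + step if observed_delay > target_delay else 1 - step
    return {c: min(1.0, max(0.0, v * factor)) for c, v in p.items()}

def run_filter(packets, p, rng):
    """Filter (size_class, is_legitimate) packets; return alpha and beta of
    Section 5.2.5, both over the total packet count (assumed for beta)."""
    legit_dropped = attack_passed = 0
    for cls, legit in packets:
        dropped = rng.random() < p.get(cls, 0.0)
        legit_dropped += int(legit and dropped)
        attack_passed += int(not legit and not dropped)
    return legit_dropped / len(packets), attack_passed / len(packets)

def attack_effectiveness(alpha, beta, k):
    """e = k*alpha + (1-k)*beta with 0 <= k <= 1; the filter aims to minimise e."""
    if not 0.0 <= k <= 1.0:
        raise ValueError("k must lie in [0, 1]")
    return k * alpha + (1 - k) * beta

def simulate(n_legit=1000, n_attack=1000, k=0.5, reported_delay=None,
             target_delay=1.0, seed=1):
    """Legitimate traffic follows NOMINAL; the flood sits in the 'large' class.
    Returns (alpha, beta, e); pass reported_delay to enable feedback."""
    rng = random.Random(seed)
    packets = [(rng.choices(list(NOMINAL), list(NOMINAL.values()))[0], True)
               for _ in range(n_legit)] + [("large", False)] * n_attack
    rng.shuffle(packets)
    current = {c: n / len(packets) for c, n in Counter(c for c, _ in packets).items()}
    p = drop_probability(NOMINAL, current)
    if reported_delay is not None:  # adaptive filter with feedback
        p = adjust_for_feedback(p, reported_delay, target_delay)
    alpha, beta = run_filter(packets, p, rng)
    return alpha, beta, attack_effectiveness(alpha, beta, k)
```

Without any filter the same traffic mix gives β = 0.5 and e = 0.25 for k = 0.5; the filter trades a small α for a much lower β, and the feedback step lowers β further at the cost of α.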

6. Conclusion and Future Work

There are many DDoS defense techniques in the literature. Statistical filtering is one of the reactive mechanisms to combat DDoS attacks via the use of traffic profiling for detection and filtering. It has been shown to be effective in mitigating the effects of such attacks in wired networks. In this paper, we have discussed the various security issues and DDoS attacks in MANETs. We have also provided an overview of statistical filtering, both in wired and wireless networks, and proposed a framework for statistical filtering in MANETs which makes use of a cluster-based approach. We have also simulated some DDoS attacks in MANETs without any filtering mechanisms to explore and understand the effects of such attacks on the performance of the network.

As part of future work, we will implement filtering mechanisms in cluster-based routing protocols in MANETs to counter DDoS attacks, and evaluate their effectiveness through simulations. In addition, it may be possible to make use of statistical filtering to It would also be interesting to compare the performance of such hierarchical-based filtering mechanisms with flat filtering schemes.

7. References

[1] L. Zhou and Z. J. Haas, Securing Ad Hoc Networks, IEEE Network Magazine, Special Issue on Network Security, Vol. 13, No. 6, 1999.
[2] Y. Zhang and W. Lee, Intrusion Detection in Wireless Ad Hoc Networks, Proceedings of the 6th International Conference on Mobile Computing and Networking, Boston, Massachusetts, United States, 2000.
[3] V. Gupta, S. Krishnamurthy and M. Faloutsos, Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks, Proceedings of the Military Communications Conference (MILCOM 2002), California, Oct 2002.
[4] B. Bencsath and I. Vajda, Protection Against DDoS Attacks Based On Traffic Level Measurements, Proceedings of the 2004 International Symposium on Collaborative Technologies and Systems (CTS 2004), San Diego, CA, USA, Jan 18-23, 2004.
[5] L. Feinstein, D. Schnackenberg, R. Balupari and D. Kindred, Statistical Approaches to DDoS Attack Detection and Response, Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX '03), Apr 2003.
[6] Y. Kim, W. Lau, M. Chuah and J. Chao, PacketScore: Statistical-based Overload Control against Distributed Denial-of-Service Attacks, Proceedings of the 23rd Conference of the IEEE Communications Society (INFOCOM 2004), Hong Kong, Mar 7-11, 2004.
[7] Q. Li, E.-C. Chang and M. C. Chan, On the Effectiveness of DDoS Attacks on Statistical Filtering, Proceedings of the 24th Annual Conference of the IEEE Communications Society (INFOCOM 2005), Miami, Mar 13-17, 2005.
[8] C. Patrikakis, M. Masikos and O. Zouraraki, Distributed Denial of Service Attacks, The Internet Protocol Journal, Vol. 7, No. 4, Dec 2004.
[9] J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, Apr 2004.
[10] L. Bajaj, M. Takai, R. Ahuja, K. Tang, R. Bagrodia and M. Gerla, GloMoSim: A Scalable Network Simulation Environment, UCLA Computer Science Department Technical Report 990027, 1999.
[11] C. E. Perkins, E. M. Belding-Royer and I. Chakeres, Ad Hoc On Demand Distance Vector (AODV) Routing, IETF RFC 3561, Jul 2003.
[12] Z. J. Haas and M. R. Pearlman, Determining the Optimal Configuration for the Zone Routing Protocol, IEEE JSAC, Special Issue on Ad-Hoc Networks, Vol. 17, No. 8, Aug 1999.
[13] M. Jiang, J. Li and Y. C. Tay, Cluster Based Routing Protocol (CBRP), Internet Draft, draft-ietf-manet-cbrp-spec-01.txt, Aug 1999.
