Source: journalstd.com/gallery/3-oct2019.pdf
Runtime Dynamic Path Identification for Preventing DDoS Attacks
Shaik Zahanath Ali (1), Shobini B. (2) and G. Shiva Krishna (3)
1, 2, 3: Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, Telangana 501512
E-mail: [email protected], [email protected], [email protected]
Abstract
Cyber security is a major challenge, and protecting our digital lives is of paramount importance. DDoS attacks are launched by adversaries using a botnet, an army of compromised nodes hidden in the network and controlled by one or more bot masters. The DDoS attack is among the most common threats and is categorized as a volumetric attack: the target is overwhelmed with a large number of requests until it can no longer serve any user. In a DDoS attack a large number of machines act cooperatively under the supervision of one or more bot masters; these bots may be malicious users themselves or machines that were infected beforehand. In recent years there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, so a PID that an attacker has learned once stays valid, which makes it easy to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, we present the design, implementation and evaluation of a dynamic path identification framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects and changes them at runtime. We built an application to show the effectiveness of the framework, and the results demonstrate its usefulness.
Keywords: DDoS attack, flooding DDoS, dynamic path identification, cyber security
1. INTRODUCTION
Security plays a vital role in any communication system. In the history of computing there have been many instances of large-scale attacks made for many reasons. Denial of Service (DoS) is an attack that disrupts legitimate communication between two systems. When such an attack is mounted at large scale from many machines it is known as a DDoS attack, and its impact on the victim server and the corresponding business is greater in a distributed environment.
Compared with other attacks, a DDoS attack is complex in nature: adversaries compromise a vast number of nodes in order to launch a distributed DoS attack. Many companies, including Facebook, Google and Twitter, have been victims of such attacks. HTTP flooding attacks include session flooding attacks, request flooding attacks, asymmetric attacks, slow request or response attacks, HTTP fragmentation attacks, slow POST attacks and slow read attacks. Zargar, Joshi and Tipper (2013) reviewed the different DDoS flooding attacks. The motivation for these attacks is classified into financial gain, revenge, ideological belief, intellectual challenge and cyber warfare. Many other researchers have likewise contributed towards preventing DDoS attacks. As far as flooding-based DDoS attacks are concerned, the literature indicates that further research is still needed. In this paper we propose a methodology that uses a runtime, path-based solution to detect and prevent flooding DDoS attacks.
Science, Technology and Development
Volume VIII Issue X OCTOBER 2019
ISSN : 0950-0707
Page No : 16
1.1 Bandwidth DDoS
A Bandwidth Distributed Denial of Service (BW-DDoS) attack results in network congestion because it consumes the available bandwidth. Such attacks, as explored in the literature, include UDP flood, DNS reflection and ACK storm, to mention a few. Attackers follow a specific procedure: first they identify and select agents, then they compromise those agents, then they set up the communication needed to control them, and finally they launch the attack. The literature describes such attacks as a scalability problem.
1.2 DDoS Flooding Attacks
A review of DDoS flooding attacks is made in the literature. The reasons for the attacks include cyber warfare, ideological belief, revenge, financial gain and intellectual challenge. These attacks may be mounted at the network or transport layer, or at the application layer, where they aim to exhaust resources on the server side. There are different kinds of flooding attacks, including HTTP flooding attacks and reflection-based flooding attacks.
Figure 1: Botnet for Causing DDoS Attacks
As presented in Figure 1, handlers are the machines that adversaries use to launch flooding attacks indirectly. Bots are machines that have been compromised by the attacker. Botnets can be of many kinds, including IRC-based, P2P-based and web-based. The response to such attacks can be mounted at different locations, as explored in the literature.
Figure 2: Possible DDoS detection and response locations
As presented in Figure 2, DDoS detection and response can be performed at different locations: the source networks, the various intermediate networks, or the attack destination. In the figure, the share of normal packets in the traffic increases from bottom to top, and the effectiveness of the response mechanisms likewise improves from bottom to top, whereas detection accuracy increases from top to bottom.
1.3 Other DDoS Attacks and Botnet Detection Techniques
The SYN flooding kind of DDoS attack has been explored; it is usually made for monetary gain. SYN flood attacks exploit a weakness in the TCP three-way handshake: the server allocates state for every half-open connection and waits for a final ACK that never arrives. The different kinds of bots used in these attacks have been studied, and NetFlow has been employed to handle botnets. DDoS attacks in distributed P2P networks have also been explored, together with countermeasures for them. From the literature it is understood that flooding DDoS attacks need further research towards a runtime, path-identification-based solution. The remainder of the paper is organized as follows. Section 2 reviews the literature. Section 3 presents the proposed framework. Section 4 provides results and Section 5 concludes the paper.
2. RELATED WORK
This section reviews the literature on DDoS attacks and on the methods to detect and prevent them. The performance of these methods depends on network conditions and is influenced by many parameters. A defense should be generic enough to handle most attacks irrespective of the protocol used; a traceback mechanism should be implemented with support for customization; and the whole should be cost-effective without compromising quality of service [9].
A mathematical model to detect shrew attacks was proposed that takes into account the explicit behavior of TCP's congestion window adaptation mechanism [3]. It can evaluate the attack effect from the attack pattern and the network environment, and its analytical results show how to tune the attack parameters to improve the attack effect in a given network and how to configure network resources to mitigate a given shrew attack [3]. In [16], an information distance between attack traffic and legitimate traffic is calculated to detect low-rate DDoS attacks. Feinstein et al. [1] identify DDoS attacks not only at edge routers but also in the core of the network, by computing the entropy and the frequency-sorted distribution of packet attributes such as the source address. A detailed discussion of the relationship between network visibility, invariant botnet behavior and existing botnet detection techniques is also carried out in the literature.
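The entropy statistic from [1] is easiest to understand on concrete traffic. The following block is an added example written for this page, not code from the paper or from [1]: it computes the Shannon entropy of the source-address distribution in fixed-size windows of a packet log and flags a window whose entropy departs from a baseline by more than a tolerance. The log format, the window size, the baseline and the tolerance are all constructed for the example; in practice the baseline is learned from attack-free windows on the same link.

```python
"""Entropy-based flooding detection over a packet log (added example)."""
import math
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed log: "<seconds> <src_ip> -> <dst_ip> <proto>", 8 packets per window.
# Windows 0-1 are ordinary traffic, window 2 is a single-bot flood, window 3 is
# a flood whose every packet carries a different (spoofed) source.
SAMPLE_LOG = """\
0.1 10.0.0.1 -> 192.0.2.10 tcp
0.2 10.0.0.2 -> 192.0.2.10 tcp
0.3 10.0.0.1 -> 192.0.2.10 tcp
0.4 10.0.0.3 -> 192.0.2.10 udp
0.5 10.0.0.2 -> 192.0.2.10 tcp
0.6 10.0.0.4 -> 192.0.2.10 tcp
0.7 10.0.0.1 -> 192.0.2.10 tcp
0.8 10.0.0.5 -> 192.0.2.10 tcp
1.1 10.0.0.2 -> 192.0.2.10 tcp
1.2 10.0.0.3 -> 192.0.2.10 tcp
1.3 10.0.0.1 -> 192.0.2.10 udp
1.4 10.0.0.6 -> 192.0.2.10 tcp
1.5 10.0.0.2 -> 192.0.2.10 tcp
1.6 10.0.0.3 -> 192.0.2.10 tcp
1.7 10.0.0.4 -> 192.0.2.10 tcp
1.8 10.0.0.1 -> 192.0.2.10 tcp
2.1 198.51.100.7 -> 192.0.2.10 tcp
2.2 198.51.100.7 -> 192.0.2.10 tcp
2.3 198.51.100.7 -> 192.0.2.10 tcp
2.4 10.0.0.1 -> 192.0.2.10 tcp
2.5 198.51.100.7 -> 192.0.2.10 tcp
2.6 198.51.100.7 -> 192.0.2.10 tcp
2.7 198.51.100.7 -> 192.0.2.10 tcp
2.8 198.51.100.7 -> 192.0.2.10 tcp
3.1 203.0.113.1 -> 192.0.2.10 tcp
3.2 203.0.113.2 -> 192.0.2.10 tcp
3.3 203.0.113.3 -> 192.0.2.10 tcp
3.4 203.0.113.4 -> 192.0.2.10 tcp
3.5 203.0.113.5 -> 192.0.2.10 tcp
3.6 203.0.113.6 -> 192.0.2.10 tcp
3.7 203.0.113.7 -> 192.0.2.10 tcp
3.8 203.0.113.8 -> 192.0.2.10 tcp
"""


def parse_source(line: str) -> str:
    """Source address of one log line in the constructed format above."""
    return line.split()[1]


def source_entropy(sources: Iterable[str]) -> float:
    """Shannon entropy, in bits, of the source-address frequency distribution."""
    counts = Counter(sources)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def detect(log: str, window: int, baseline: float,
           tolerance: float) -> List[Tuple[int, float, bool]]:
    """Entropy per window of `window` packets; flagged when |H - baseline| > tolerance.

    A drop in entropy means a few sources dominate (one flooder or a small
    botnet); a rise towards log2(window) means every packet carries a
    different, typically spoofed, source. Both depart from the baseline.
    """
    lines = [ln for ln in log.splitlines() if ln.strip()]
    results = []
    for start in range(0, len(lines), window):
        h = source_entropy(parse_source(ln) for ln in lines[start:start + window])
        results.append((start // window, round(h, 3), abs(h - baseline) > tolerance))
    return results


def run_example() -> List[Tuple[int, float, bool]]:
    # Baseline 2.2 bits and tolerance 0.5 bits are constructed for the sample log.
    return detect(SAMPLE_LOG, window=8, baseline=2.2, tolerance=0.5)


if __name__ == "__main__":
    for idx, h, flagged in run_example():
        print(f"window {idx}: H={h:.3f} bits {'ALERT' if flagged else 'ok'}")
```

Windows 0 and 1 land near the baseline (2.156 and 2.25 bits), the single-bot flood collapses to 0.544 bits and the spoofed flood saturates at 3 bits, so the detector fires on both attack windows while neither direction alone would have caught both; that is why [1] compares against a baseline rather than a fixed threshold.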
Volumetric attacks have a severe impact on the data plane but not on the controller, and the impact is visible only during the attack phase [9]. Protocol-exploitation attacks do not affect network bandwidth; their effect is the consumption of resources such as logical ports. A more detailed detection system has been proposed that analyzes whether the attack occurred in transit or at the source. The dynamic nature of stealthy attacks is studied because the technique benefits from the increased correlation that arises under shifting patterns in network traffic [2]. More investigation is required to evaluate the trade-offs among the space and time granularity of monitoring, the number of observations, and the ability to detect attacks of decreasing intensity [2].
A TCP SYN flood consumes the half-open connection data structures of the server operating system [3]. Retransmissions lead to severe congestion and finally to timeouts. Once a malicious host is detected its packets are filtered and service resumes. Anomaly detection is done by various statistical methods, machine learning and soft computing. Routers can be configured through access control lists to drop suspected traffic; for example, filtering all incoming ICMP traffic addressed to broadcast addresses at the router means that none of the machines behind it will respond, so the amplification attack does not work.
At the macroscopic level, a hierarchical method has been proposed to capture traffic patterns in the spatial and temporal domains [2]. The macroscopic characteristics of network traffic are one way to detect DDoS attacks, and the approach has higher utility when coupled with dynamic monitoring capabilities. The solution in [2] can issue warnings when a detection is made. The attacks in that work were launched with a minimal-cost model and then prevented, to show the performance of the approach. From the literature [1]-[16] it is found that further investigation into handling DDoS attacks is needed.
3. PROPOSED FRAMEWORK
The proposed framework includes the design, implementation and evaluation of D-PID, a framework that dynamically changes the path identifiers (PIDs) of inter-domain paths in order to prevent DDoS flooding attacks when PIDs are used as inter-domain routing objects. We describe the design details of D-PID and implement it in a 42-node prototype to verify its feasibility and effectiveness, and we present numerical results from experiments run on the prototype. The results show that the time spent negotiating and distributing PIDs is quite small (of the order of milliseconds) and that D-PID is effective in preventing DDoS attacks. We also conducted extensive simulations to evaluate the cost of launching DDoS attacks against D-PID and the overhead that D-PID introduces. The system is implemented as a distributed set of nodes arranged in groups. Path IDs are obtained dynamically at runtime in order to prevent DDoS attacks; the inter-domain connectivity is kept secret and changes dynamically.
Figure 3: Proposed framework for preventing DDoS attacks
As shown in Figure 3, the proposed system has several modules. The user module shares information from one place to another. The attacker module attempts to attack the information in the network, targeting the original data. The network manager module controls the sharing of information in the network and provides security against attackers.
Figure 4: The flow of activities in the proposed system
As presented in Figure 4, there are different processes involved in the system, with components such as source, router, group manager and destination. The data flow through the router from source to destination is safeguarded from DDoS attacks with the help of the proposed algorithm.
Figure 5: Sequence of events in the proposed system
As presented in Figure 5, several objects interact: source, router, group manager and destination. Data sent from the source reaches the destination through proper routing at the router, and DDoS attacks are detected and prevented by changing the path dynamically at runtime.
Algorithm: Dynamic Path based Prevention for DDoS Attacks
Input: Wide Area Network (WAN)
Output: Communication with DDoS prevention
1. Divide the network into subgroups
2. Generate a dynamic key for inter-group communication
3. Generate a signature for the unique identification of each group
4. For each subnetwork in the WAN
5.   For each node in the subnetwork
6.     Ensure that the ID used for path construction changes
7.   End For
8. End For
9. Repeat steps 4-8 periodically
10. As a result, an attacker will not succeed in establishing paths to the target server
End
Algorithm 1: Dynamic Path based Prevention for DDoS Attacks
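The framework description in Section 3 and Algorithm 1 above leave open how a PID is derived, how a router checks it, and what happens to a botnet that captured a path before a rotation. The following simulation is an added example written for this page; it is not the paper's code and not the D-PID prototype. It assumes: (1) each pair of neighboring domains shares a link key, standing in for the "dynamic key for inter-group communication" of step 2; (2) the PID of a link for rotation epoch e is an HMAC-SHA256 tag over both domain names and e, standing in for the group "signature" of step 3; (3) a border router accepts the current epoch's PID and, so that packets already in flight survive a rotation, the previous epoch's as well. The domain names, link keys and 30-second epoch are constructed for the example.

```python
"""Dynamic path identifiers as a toy inter-domain simulation (added example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

EPOCH_SECONDS = 30  # assumed rotation period; the paper states none


def epoch_of(t: float) -> int:
    """Rotation epoch that wall-clock time t falls into."""
    return int(t // EPOCH_SECONDS)


def derive_pid(link_key: bytes, src_domain: str, dst_domain: str, epoch: int) -> str:
    """PID of the src->dst inter-domain link during `epoch` (assumed HMAC construction)."""
    msg = f"{src_domain}|{dst_domain}|{epoch}".encode()
    return hmac.new(link_key, msg, hashlib.sha256).hexdigest()[:16]


class DomainRouter:
    """Border router of one domain; it holds only the keys shared with its neighbors."""

    def __init__(self, domain: str, link_keys: Dict[str, bytes]) -> None:
        self.domain = domain
        self.link_keys = link_keys

    def accepts(self, next_domain: str, pid: str, t: float) -> bool:
        """True if `pid` is the current, or the immediately previous, PID for this hop."""
        key = self.link_keys.get(next_domain)
        if key is None:
            return False  # no such neighbor: nothing to forward on
        e = epoch_of(t)
        valid = [derive_pid(key, self.domain, next_domain, e),
                 derive_pid(key, self.domain, next_domain, e - 1)]
        return any(hmac.compare_digest(pid, v) for v in valid)


def negotiate_path(domains: List[str], routers: Dict[str, DomainRouter],
                   t: float) -> List[str]:
    """Per-hop PIDs for `domains` at time t, as the group manager would hand them to a source.

    The manager is modelled as knowing every link key; an end host never sees
    the keys, only the PIDs that are valid when it asks.
    """
    e = epoch_of(t)
    return [derive_pid(routers[a].link_keys[b], a, b, e)
            for a, b in zip(domains, domains[1:])]


def deliver(domains: List[str], pids: List[str], routers: Dict[str, DomainRouter],
            t: float) -> Tuple[bool, str]:
    """Forward hop by hop; return (delivered, last domain reached)."""
    for (a, b), pid in zip(zip(domains, domains[1:]), pids):
        if not routers[a].accepts(b, pid, t):
            return False, a  # dropped at domain a's border router
    return True, domains[-1]


def build_topology() -> Dict[str, DomainRouter]:
    """Three domains in a line, A - B - C, with one constructed key per link."""
    k_ab, k_bc = b"constructed-link-key-AB", b"constructed-link-key-BC"
    return {"A": DomainRouter("A", {"B": k_ab}),
            "B": DomainRouter("B", {"C": k_bc}),
            "C": DomainRouter("C", {})}


def scenario() -> Dict[str, Tuple[bool, str]]:
    """A source in A sends to a target in C; a botnet replays PIDs it captured at t=5."""
    routers = build_topology()
    path = ["A", "B", "C"]
    captured = negotiate_path(path, routers, t=5.0)  # epoch 0, seen by the attacker
    return {
        "legit_same_epoch": deliver(path, captured, routers, t=10.0),  # still epoch 0
        "legit_in_flight": deliver(path, captured, routers, t=35.0),   # epoch 1, old PID honored
        "replay_flood": deliver(path, captured, routers, t=70.0),      # epoch 2, stale, dropped at A
        "legit_renegotiated": deliver(path, negotiate_path(path, routers, t=70.0),
                                      routers, t=70.0),
    }


if __name__ == "__main__":
    for name, (ok, where) in scenario().items():
        print(f"{name:20s} delivered={ok} reached={where}")
```

The flood that reuses captured PIDs is dropped at the very first border router once two epochs have passed, so the bots would have to re-learn the path after every rotation, which is the cost the paper's step 10 counts on; a legitimate source simply asks its group manager again. The one-epoch grace window is the trade-off behind the "time spent in negotiating and distributing PIDs" figure in Section 3: a shorter epoch shrinks the attacker's window but forces more frequent renegotiation.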
The proposed system is implemented with simulated parties in the network as a proof of concept: a distributed system of nodes arranged in groups, in which runtime path IDs are obtained dynamically in order to prevent DDoS attacks while the inter-domain connectivity is kept secret and changes dynamically. Using dynamic PIDs makes it possible both to detect DDoS attacks and to prevent them, reducing the chance that an attack succeeds. The prototype also has provision to show the probability of attack and the prevention.
4. IMPLEMENTATION AND RESULTS
This section provides implementation details and results. The prototype is developed in the Java programming language with a GUI that provides an intuitive interface. It simulates the distributed environment and provides the various components needed to demonstrate the proof of concept.
Figure 6: Router Screen
As can be seen in Figure 6, the schematic simulation contains a source and a destination with many intermediate nodes. Routers forward packets and take care of the security checks, and a network group manager coordinates them. The network is divided into groups to have better control over runtime path generation, which is done dynamically to deceive attackers.
Figure 7: Source Screen
As presented in Figure 7, the source screen provides an interface to choose the path of a file to be sent to the destination. Before sending, it assigns the group key and the signature according to the proposed algorithm.
Figure 8: Simulation of the file transferred to the destination successfully
As presented in Figure 8, the file is transferred to the destination successfully. This is made possible by runtime path identification, which avoids DDoS attacks.
Figure 9: User Receives a File from the Source Screen
As can be seen in Figure 9, the user receives the file sent from the source. This is evidence of proper communication and of a mechanism to transfer data even in the presence of DDoS attacks.
Figure 10: Identify Attacker Screen
Figure 10 shows how the attacker is identified. This helps in preventing attacks and ensures that the system works as expected.
Figure 11: Upload Delay Details Graph Screen for Different Transactions
As shown in Figure 11, the upload delay is presented for the different experiments. The horizontal axis shows the experiments while the vertical axis shows the total delay caused, in milliseconds.
Figure 12: Upload Throughput Details Graph Screen for Different Transactions
As can be seen in Figure 12, different experiments were made and the throughput was recorded. The system is found to prevent attacks and to ensure that the given data reaches the destination every time.
5. CONCLUSION AND FUTURE WORK
Distributed Denial of Service (DDoS) attacks in wide area networks are made by adversaries with the help of thousands of compromised nodes, or zombies; they are essentially denial-of-service attacks at large scale, and they have become a serious risk to Internet-wide applications. In this paper we proposed a framework to detect flooding DDoS attacks and provided an algorithm to handle them. The detection method is based on dynamic path identification: the nodes in the wide area network are organized into groups in which PIDs are dynamically generated, and group signatures are used to detect DDoS attacks. An attacker module is introduced along with the source, router and destination modules, and visualization of the normal flow and the attack scenario provides the proof of concept. In future the framework can be extended to detect other kinds of DDoS attacks.
References
[1] Laura Feinstein, Dan Schnackenberg, Ravindra Balupari and Darrell Kindred. (2003). Statistical Approaches to DDoS Attack Detection and Response. IEEE, pp. 1-12.
[2] Jian Yuan and Kevin Mills. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks. IEEE Transactions on Dependable and Secure Computing, 2, pp. 324-335.
[3] Jingtang Luo, Xiaolong Yang, Jin Wang, Jie Xu, Jian Sun and Keping Long. (2014). On a Mathematical Model for Low-Rate Shrew DDoS. IEEE Transactions on Information Forensics and Security, 9, pp. 1069-1083.
[4] Ashish Dutt, Maizatul Akmar Ismail and Tutut Herawan. (2016). A Systematic Review on Educational Data Mining. IEEE, pp. 1-15.
[5] Ameya Agaskar, Ting He and Lang Tong. (2010). Distributed Detection of Multi-Hop Information Flows With Fusion Capacity Constraints. IEEE Transactions on Signal Processing, 58, pp. 3373-3383.
[6] Mauro Barni and Fernando Pérez-González. (2013). Coping with the Enemy: Advances in Adversary-Aware Signal Processing. IEEE, pp. 1-5.
[7] Mauro Barni and Benedetta Tondi. (2014). Binary Hypothesis Testing Game With Training Data. IEEE Transactions on Information Theory, 60, pp. 4848-4866.
[8] Ting He and Lang Tong. (2008). Distributed Detection of Information Flows. IEEE Transactions on Information Forensics and Security, 3, pp. 390-403.
[9] Nazrul Hoque, Dhruba K. Bhattacharyya and Jugal K. Kalita. (2015). Botnet in DDoS Attacks: Trends and Challenges. IEEE, pp. 1-29.
[10] Bhavya Kailkhura, Swastik Brahma, Berkan Dulek, Yunghsiang S. Han and Pramod K. Varshney. (2015). Distributed Detection in Tree Networks: Byzantines and Mitigation Techniques. IEEE, pp. 1-13.
[11] Stefano Marano, Vincenzo Matta and Lang Tong. (2009). Distributed Detection in the Presence of Byzantine Attacks. IEEE Transactions on Signal Processing, 57, pp. 16-29.
[12] Stefano Marano, Vincenzo Matta, Ting He and Lang Tong. (2013). The Embedding Capacity of Information Flows Under Renewal Traffic. IEEE Transactions on Information Theory, 59, pp. 1724-1739.
[13] Morteza Mardani, Gonzalo Mateos and Georgios B. Giannakis. (2011). Dynamic Anomalography: Tracking Network Anomalies via Sparsity and Low Rank. IEEE, pp. 1-37.
[14] Morteza Mardani and Georgios B. Giannakis. (2015). Estimating Traffic and Anomaly Maps via Network Tomography. IEEE, pp. 1-15.
[15] Parvathinathan Venkitasubramaniam, Ting He and Lang Tong. (2008). Anonymous Networking Amidst Eavesdroppers. IEEE Transactions on Information Theory, 54, pp. 2770-2784.
[16] Yang Xiang, Ke Li and Wanlei Zhou. (2011). Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics. IEEE Transactions on Information Forensics and Security, 6, pp. 426-437.