
[IEEE 2009 International Conference on Future Networks, ICFN - Bangkok, Thailand (2009.03.7-2009.03.9)] 2009 International Conference on Future Networks - DDoS Defense Mechanism



DDOS DEFENCE MECHANISM

Rahul Kumar (B.Tech), Rahul Karanam (B.Tech), Rahul Chowdary Bobba (B.Tech), Raghunath. S (B.Tech)

School of Computing Science, Vellore Institute of Technology University

Vellore, TamilNadu, India [email protected],[email protected]

Abstract- In this paper we review the main types of DDoS attack and the defence mechanisms proposed so far, and propose a new approach: a simple-to-integrate, destination-based DDoS defence that mitigates the attack's effect at the victim side. In this method heavy traffic is "channelized" (held in a bounded waiting structure and admitted in a controlled order) before being forwarded to the destination node, which prevents congestion on the node's access link. The method is simple to integrate, cheap and, most importantly, requires no collaboration between nodes.

I. INTRODUCTION

In the past, DDoS attacks have damaged companies such as Yahoo and Amazon, both in terms of service availability and financially. In a DDoS attack the attacker fills the network's bandwidth with a large number of request packets, consuming the bandwidth and making it difficult for legitimate users to reach the service. The initial stage of an attack is hard to detect, which makes the problem hard to tackle in time. In this paper we survey the different attacks and the defence mechanisms proposed so far, and propose a method that is simple to implement and requires no collaboration among nodes. [1][2]

II. DDOS ATTACK

Mainly five techniques have come to light for mounting a DDoS attack.

A) Smurf attack: ICMP echo requests are sent to the broadcast address of a network, using the victim's address as the source address. Every host on that network replies to the victim, so the victim's link is flooded with echo replies, amplified by the number of hosts on the intermediary network.

B) TCP SYN attack: the attacker sends connection requests (SYN packets) with unreachable or spoofed source addresses. The host answers each with a SYN-ACK and keeps a half-open connection while it waits for the final ACK of the three-way handshake, which never arrives; the accumulated half-open connections cause unnecessary delay and consume the host's connection resources and bandwidth.

UDP, TCP and ICMP floods send packets to the victim continuously at a high rate, each soliciting a reply, and so saturate the network.

All of the above attacks use IP spoofing to hide the identity of the attacker. The attacks can be classified by the way they attack: attacks such as Smurf and TCP SYN, which exploit the behaviour of a protocol, are called protocol attacks, while attacks such as TCP, UDP and ICMP floods, which hit the victim directly, are called direct attacks. [10]
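The two protocol attacks described above leave a recognisable trace: a SYN flood shows up as half-open connections that never complete, and a Smurf attack as echo requests to a broadcast address carrying the victim's source address (seen on the amplifier network) and as a storm of unsolicited echo replies (seen at the victim). The following is an added example written for this page, not code from the paper; it runs simple detectors over a constructed packet trace. The addresses, the record format, the rule that an address ending in .255 is a directed-broadcast address, and the thresholds are all assumptions.

```python
"""Added example: detecting the Smurf and TCP SYN attacks of section II in a
packet trace. Written for this page, not taken from the paper. The trace,
the addresses, the "x.y.z.255 is a broadcast address" rule and the
thresholds are all constructed assumptions."""
from collections import defaultdict

VICTIM = "203.0.113.10"
BROADCAST = "198.51.100.255"   # directed-broadcast address of the amplifier network

# Constructed records: (proto, src, dst, flag)
#   tcp flags:  "S" = SYN, "SA" = SYN-ACK, "A" = final ACK
#   icmp flags: "echo-request" or "echo-reply"
TRACE = (
    # one legitimate client completing the three-way handshake
    [("tcp", "192.0.2.7", VICTIM, "S"),
     ("tcp", VICTIM, "192.0.2.7", "SA"),
     ("tcp", "192.0.2.7", VICTIM, "A")]
    # SYN flood: 40 spoofed sources that never send the final ACK
    + [("tcp", f"10.9.0.{i}", VICTIM, "S") for i in range(40)]
    + [("tcp", VICTIM, f"10.9.0.{i}", "SA") for i in range(40)]
    # Smurf: echo requests to the broadcast address with the victim as source,
    # after which every host on the amplifier network answers the victim
    + [("icmp", VICTIM, BROADCAST, "echo-request") for _ in range(3)]
    + [("icmp", f"198.51.100.{i}", VICTIM, "echo-reply") for i in range(1, 31)]
)


def half_open_connections(trace):
    """Per server: handshakes that got a SYN-ACK but never the final ACK."""
    state = {}                       # (client, server) -> "syn" | "synack" | "open"
    for proto, src, dst, flag in trace:
        if proto != "tcp":
            continue
        if flag == "S":
            state[(src, dst)] = "syn"
        elif flag == "SA" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"
        elif flag == "A" and state.get((src, dst)) == "synack":
            state[(src, dst)] = "open"
    counts = defaultdict(int)
    for (client, server), s in state.items():
        if s == "synack":
            counts[server] += 1
    return dict(counts)


def detect_syn_flood(trace, threshold=20):
    """Servers holding at least `threshold` half-open connections."""
    return sorted(s for s, n in half_open_connections(trace).items() if n >= threshold)


def detect_smurf(trace, min_repliers=10):
    """Addresses that look like Smurf victims, with the evidence seen.
    Amplifier side: an echo request aimed at a broadcast address names the
    victim in its source field. Victim side: echo replies from many distinct
    hosts answering requests the victim itself never sent."""
    sent = set()                     # (src, dst) of echo requests seen
    repliers = defaultdict(set)      # dst -> hosts replying unsolicited
    evidence = defaultdict(list)
    for proto, src, dst, flag in trace:
        if proto != "icmp":
            continue
        if flag == "echo-request":
            sent.add((src, dst))
            if dst.endswith(".255"):
                evidence[src].append(f"echo-request to broadcast {dst}")
        elif flag == "echo-reply" and (dst, src) not in sent:
            repliers[dst].add(src)
    for dst, hosts in repliers.items():
        if len(hosts) >= min_repliers:
            evidence[dst].append(f"{len(hosts)} unsolicited echo replies")
    return dict(evidence)


if __name__ == "__main__":
    print("half-open:", half_open_connections(TRACE))
    print("SYN flood targets:", detect_syn_flood(TRACE))
    print("Smurf victims:", detect_smurf(TRACE))
```

Note that the SYN-flood detector keys on the handshake state rather than on the SYN rate alone, so a busy but healthy server (many SYNs, each followed by an ACK) is not flagged; the Smurf detector needs the amplifier-side view to name the victim from the spoofed source, while the victim-side view only sees the reply storm.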

III. DDOS DEFENCE MECHANISM

Five principles have been outlined for designing an effective strategy against DDoS. A DDoS defence can be carried out at three different levels: the source, the intermediate network, and the victim. Detection is simplest at the victim's end, because that is where the heavy traffic converges and is easy to identify; stopping the traffic, however, is most effective close to its sources. Thus the first principle is to implement a distributed defence in which the victim and source ends collaborate. Second, it is essential that a defence system preserves legitimate traffic while in action, preventing collateral damage. Third, a DDoS defence method should provide secure communication channels as well as authentication and control mechanisms between defence nodes. Fourth, it is beneficial to adopt a practical defence strategy consisting of autonomous components that can be deployed partially and incrementally without disturbing the general network flow. Fifth, a defence system must take into account future compatibility issues such as interfacing with other systems and negotiating different defence policies. Taking these guidelines and the attack techniques above into account, our classification is based on the following grounds. The first is the site of action discussed above, i.e. the level at which the defence is carried out: i) source, ii) intermediate node, iii) victim's end. The second is the complexity of its implementation in real time.

2009 International Conference on Future Networks, 978-0-7695-3567-8/09 $25.00 © 2009 IEEE, DOI 10.1109/ICFN.2009.37

IV. DEFENCE METHODS

A. Hop-Count Filtering: An Effective Defence against Spoofed DDoS Traffic [1]

It is a source-based solution. Its principle is that the number of hops between source and destination can be used to assess the authenticity of a packet. The hop count is inferred from the TTL field of the IP header (the difference between the initial TTL set by the sender's operating system and the TTL observed on arrival) and stored in a table indexed by source address. During an attack, a packet whose hop count differs markedly from the table entry for its source address is discarded. The method rests on an assumption, namely that a spoofed packet arrives with a hop count different from the one learned for the address it claims, which makes it unreliable: it becomes ineffective if the attacker chooses source addresses with relatively the same hop count as its own.

B. Router Based Solution [7]

Routers are modified, or made "intelligent", by giving them encryption, digital signature and source-tracing capabilities, among others, so that the system as a whole can stop the traffic at the nearest intelligent router. A set of collaborating routers is called a "hardened network". The hardened routers should be deployed at the border and access points of an Autonomous System. Whenever a packet arrives at the first hardened router it is encrypted along with one byte of IP address and forwarded, and this continues at each hardened router until the packet reaches its destination. This makes it possible to find the source of an attack and stop it there. Judging by its architecture this is a very effective method, but it has its own disadvantages: the complexity is very high and, because new intelligent routers must be introduced, so is the cost. Since the packets are encrypted, any single point of failure can lead to unacceptable loss, which puts it in the class of unreliable defence methods.

C. StackPi [2]

StackPi mainly aims to detect IP spoofing. It consists of two parts: marking and filtering. For marking, each router concatenates the MD5 hash of the next node's IP address with its own IP address; the result is computed at each router and placed in the IP identification field of the IP header, with newer values replacing older ones once the field's 16 bits are fully used. This yields a marking that is characteristic of each source-destination pair, which is stored in a table at the host end.
Meanwhile, the filtering scheme detects illegitimate traffic using the marking: a packet is admitted if its marking matches the database entry for its source, and dropped if it does not.

D. Implementing Pushback: Router-Based Defense [6]

It is a network-based solution. Whenever the congestion level at a router exceeds a threshold value, the router starts dropping packets and sends a message to the neighbouring upstream routers asking them to reduce the offending traffic flow. The router also tries to identify legitimate packets by counting how often packets from each source are dropped, knowing that the attacker uses spoofed IP addresses. One major disadvantage of this method is that the router takes time to identify legitimate users and initially drops packets from all of them.

E. Differential Packet Filtering [4]

This method is highly probabilistic: during an attack, risky packets (judged risky on the basis of probability) are dropped while safe packets are delayed, which means that some legitimate packets are dropped as well. It is, however, adaptive to traffic change and always tries to preserve quality of service.
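Hop-count filtering (section IV.A above) is the simplest of these methods to reproduce, and its stated weakness is easy to see in code. The following is an added example written for this page, not the implementation of Jin, Wang and Shin: it learns a source-address-to-hop-count table from pre-attack traffic and filters later packets against it. The set of initial TTL values (32, 64, 128, 255), the tolerance of 2 hops for route changes, and the addresses and TTLs in the constructed traffic are assumptions.

```python
"""Added example for section IV.A: hop-count filtering at the victim side.
Written for this page; it is not the code of Jin, Wang and Shin. Assumed:
initial TTLs of 32, 64, 128 and 255 cover the sending hosts, a tolerance
of 2 hops for route changes, and the constructed addresses/TTLs below."""

INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl):
    """Infer hops travelled from the TTL observed at the victim.
    The smallest common initial TTL >= the observed value is assumed; a
    packet that travelled more than 32 hops from a 64-TTL host is mis-read
    as a short path from a 32-TTL host (a known limitation of the method)."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    return next(init - ttl for init in INITIAL_TTLS if ttl <= init)


def build_table(samples):
    """Learn ip -> hop count from packets seen in normal (pre-attack) traffic."""
    return {ip: hop_count(ttl) for ip, ttl in samples}


def is_spoofed(table, ip, ttl, tolerance=2):
    """True if the observed hop count disagrees with the learned one,
    None if the source has never been seen (the table cannot judge it)."""
    if ip not in table:
        return None
    return abs(table[ip] - hop_count(ttl)) > tolerance


def filter_packets(table, packets, tolerance=2):
    """Split (ip, ttl) packets into accepted, dropped and unknown lists."""
    accepted, dropped, unknown = [], [], []
    for ip, ttl in packets:
        verdict = is_spoofed(table, ip, ttl, tolerance)
        (unknown if verdict is None else dropped if verdict else accepted).append((ip, ttl))
    return accepted, dropped, unknown


# Constructed training samples: a host with initial TTL 64 that is 12 hops
# away (arrives with TTL 52) and a host with initial TTL 128 that is 20 hops
# away (arrives with TTL 108).
TRAINING = [("203.0.113.5", 52), ("198.51.100.9", 108)]

# Constructed attack traffic: two spoofed packets claim 203.0.113.5, one with
# TTL 240 (255 - 240 = 15 hops, 3 off the learned 12: dropped) and one with
# TTL 116 (128 - 116 = 12 hops: indistinguishable, the weakness noted in the
# text); one genuine packet whose route changed by one hop; and one packet
# from an address the table has never seen.
ATTACK = [("203.0.113.5", 240), ("203.0.113.5", 116),
          ("198.51.100.9", 109), ("192.0.2.77", 61)]

if __name__ == "__main__":
    acc, drop, unk = filter_packets(build_table(TRAINING), ATTACK)
    print("accepted", acc)
    print("dropped", drop)
    print("unknown", unk)
```

The unknown list is the practical catch: the filter can only judge addresses it has already learned, so a brand-new legitimate client and a freshly spoofed address look the same to it, and what to do with them (admit, rate-limit or drop) is a separate policy decision.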

V. CLASSIFICATION

The region of action plays an important role in determining the defence method to be used.

Table: Region of Action (table body not recovered)

Looking at the table above, none of the methods has been implemented for the victim's network on its own. However good a method may be, it will not be implemented if its resource requirements are large. Next comes the issue of complexity: from the study of the different defence methods, they can be ordered by complexity as follows.

Hardened Network > StackPi > Pushback > Hop-Count > Differential packet filtering

VI. PROPOSED DEFENCE MECHANISM

The main aim of this method is not to prevent the DDoS attack from occurring but to mitigate it at a place where it cannot cause much damage, so that the attack loses its purpose.

A. Motivation

We aim to develop a technique that is easy to implement, that, most importantly, drops no legitimate packet, and that avoids congestion at the server's end. The mechanism is developed on the assumption that every attack uses spoofed IP addresses.

B. Features

The main feature is that an IP address which keeps occurring at regular intervals is favoured over an IP address with a single flash occurrence, since the attacker uses spoofed (and therefore non-repeating) IP addresses. Several objects are defined: a user is a distinct IP address; the capacity is the average number of users that can access the server; and a timeout value is used to classify whether an IP address is a flash occurrence or not.

C. Description

This method is applied at the victim's end, on the device that connects the server with the global network. We maintain a table of all active users and their respective timeout values. Whenever a new packet arrives from an active



user, its timeout value is reset. If no new packet arrives within the timeout period, the connection with that user is terminated automatically and the next user is given access. This table has a limited capacity; once it is full, newly arriving users are stored in a 2D array of dimension [2 x N], whose two rows hold the IP address and the number (or size) of packets seen from it. Whenever an active user times out, the question is which entry of the 2D array should be admitted next. The answer depends on several factors: a) FIFO: first in, first out; b) the size or number of packets from the user; c) trusted users who have been accessing the server for a long period of time; d) emergency service required. A priority order is decided from these factors and access is granted accordingly. If the 2D array also becomes full, all newly arriving packets (from new IP addresses) are dropped.

Fig1: Flowchart of the working model of the defence mechanism

D. Expected Behaviour

The behaviour depends greatly on the parameters chosen, so they must be chosen carefully. The size of the table should be such that the maximum number of users can be accommodated and connected without introducing delay. The timeout value will vary with the services offered, the kind of server running and the number of users expected; it should be such that no connection sits idle for a long time and packets are not delayed for long periods. New parameters can be added, or the existing ones modified, in future for better performance. There is considerable scope for new parameters in selecting the next IP, as serving the IP that needs service most is the major concern during an attack. Again, since the method requires no collaboration among different nodes, it is easy to implement, which reduces its complexity.

Quality of service will depend on the server speed, i.e. if the server is slow, delay can be caused.

E. Experimental Behaviour

By analysing its behaviour on a real-time system, we observed that it allows connections up to the threshold value of bandwidth; when connection requests exceed this value, newly arriving requests are stored in a waiting queue. Its most important feature is that when a connection request from a most-trusted user arrives, the connection is granted even though the number of connections has already exceeded the threshold.

Assumptions: 1. The threshold value is about 70% of the maximum bandwidth. 2. The IP addresses of trusted or important users are stored in a database.

Test case: output of the demo code with 50 client requests.

Count of request          Expected behaviour   Message      Result
1 to 35                   Connected            Accepted     Connected
36 to 45                  Wait                 In queue     Waiting
46 (IP 198.168.0.202)     Connected            Accepted     Connected (as an important request)
47 to 50                  No connection        --------     Packets dropped
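The mechanism of section VI.C (an active-user table with timeouts, a bounded [2 x N] waiting array, a priority rule for refilling freed slots, and dropping once both are full) and the test case above can be written down compactly. The following is an added example written for this page; it is not the authors' demo code. The concrete values are assumptions chosen to match the test case: 35 active slots (70% of a 50-connection link), 10 rows in the waiting array, a 30-second idle timeout, and the priority order used when a slot frees up (trusted users first, then addresses seen repeatedly while waiting, then arrival order). The trusted address 198.168.0.202 is the value printed in the test case.

```python
"""Added example for section VI.C and the test case in VI.E: a victim-side
admission table with a bounded waiting array. Written for this page; it is
not the authors' demo code. Assumed values: 35 active slots (70% of a
50-connection link, matching the test case), 10 rows in the waiting array,
a 30-second idle timeout, and the priority used when a slot frees up
(trusted users first, then addresses seen repeatedly while waiting, then
arrival order)."""
from collections import OrderedDict

ACCEPTED, QUEUED, DROPPED = "Connected", "Wait", "No Connection"


class AdmissionTable:
    def __init__(self, capacity=35, queue_rows=10, timeout=30.0, trusted=()):
        self.capacity = capacity            # active-user table size (the threshold)
        self.queue_rows = queue_rows        # N in the [2 x N] waiting array
        self.timeout = timeout
        self.trusted = set(trusted)         # the "database" of important users
        self.active = {}                    # ip -> time of last packet
        self.waiting = OrderedDict()        # ip -> [packets seen, last packet time], FIFO order

    def on_packet(self, ip, now):
        """Classify one packet arriving from `ip` at time `now`."""
        self.expire(now)
        if ip in self.active:               # active user: reset its timeout
            self.active[ip] = now
            return ACCEPTED
        if ip in self.waiting:              # repeat occurrence while waiting
            self.waiting[ip][0] += 1
            self.waiting[ip][1] = now
            return QUEUED
        if len(self.active) < self.capacity or ip in self.trusted:
            self.active[ip] = now           # trusted users bypass the threshold
            return ACCEPTED
        if len(self.waiting) < self.queue_rows:
            self.waiting[ip] = [1, now]
            return QUEUED
        return DROPPED                      # table and array both full: new IP dropped

    def expire(self, now):
        """Terminate idle users, forget flash occurrences in the waiting array,
        and move the best waiting user into each freed slot."""
        for ip in [ip for ip, t in self.active.items() if now - t > self.timeout]:
            del self.active[ip]
        for ip in [ip for ip, (_, t) in self.waiting.items() if now - t > self.timeout]:
            del self.waiting[ip]            # never repeated: treated as a spoofed flash
        while self.waiting and len(self.active) < self.capacity:
            ip = self.next_user()
            del self.waiting[ip]
            self.active[ip] = now

    def next_user(self):
        """Who leaves the waiting array first (the assumed priority order)."""
        fifo = list(self.waiting)
        return min(fifo, key=lambda ip: (ip not in self.trusted,
                                         -self.waiting[ip][0],   # more repeats: more likely real
                                         fifo.index(ip)))


def run_test_case():
    """Replays the page's test case: 50 new addresses arriving at once,
    request 46 coming from the trusted address 198.168.0.202."""
    table = AdmissionTable(trusted=["198.168.0.202"])
    results = []
    for n in range(1, 51):
        ip = "198.168.0.202" if n == 46 else f"10.0.0.{n}"   # constructed client addresses
        results.append(table.on_packet(ip, now=0.0))
    return results


if __name__ == "__main__":
    for n, r in enumerate(run_test_case(), start=1):
        print(n, r)
```

Two details matter in practice. First, entries in the waiting array also time out, otherwise a flood of one-shot spoofed addresses would fill the array permanently and every later legitimate user would be dropped. Second, the trusted bypass makes the active table exceed its nominal capacity (request 46 becomes the 36th active user), which is exactly the behaviour the test case shows and the reason the threshold is set below the real limit.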

F. Future Enhancement

This method can be further extended to every network level, where every network router is provided with a digital signature and keeps track of the packets coming from a particular source by marking them with an ID of that source. If the source IDs of the fragments of the same request differ when the packet is reassembled (fragmentation by routers exists in IPv4 but not in IPv6), the packet is discarded by the router itself, so it never reaches the destination network and the bandwidth is saved from the attacker's malicious traffic. Hence, using the two stages, first the array-based defence system, which keeps the server working during a DDoS attack, and second the router defence system, which keeps our bandwidth free from malicious attackers, the damage of an attack is reduced to a great extent, nullifying the attacker's attempt at server flooding.



VII. CONCLUSION

As we have seen, the different defence mechanisms are capable of coping with the different attacks classified above. Some are good against direct attacks, some against protocol attacks; some are costly, and some are complex or difficult to implement. The method we have proposed to tackle DDoS attacks is easy to implement and its implementation cost is expected to be less than that of the other methods.

REFERENCES

[1] Jin C., Wang H., and Shin K.G. Hop-Count Filtering: An Effective Defense against Spoofed Traffic. http://www.eecs.umich.edu/~hxw/paper/filter.pdf

[2] Perrig A., Song D., Yaar A. StackPi: A New Defense Mechanism against IP Spoofing and DDoS Attacks. School of Computer Science, Carnegie Mellon University, 5 February 2003. Available online: http://www.ece.cmu.edu/~ayaar/StackPi_TR.pdf

[3] Zhaole C., Lee M. An IP Traceback Technique against Denial-of-Service Attacks. Computer Science & Engineering Department, the Chinese Univ. of Hong Kong. http://www.acsac.org/2003/papers/100.pdf

[4] Tanachaiwiwat, S. and Hwang, K. "Differential packet filtering against DDoS flood attacks." ACM Conference on Computer and Communications Security (CCS), Washington, DC, October 2003.

[5] Peng Tao, Leckie C., and Ramamohanrao K. Survey of Network Based Defense Mechanisms countering the DoS and DDoS Problems. Dept. of Computer Science and Software Engineering, The University of Melbourne, Australia. ACM Computing Surveys, vol. 39, no. 1, Article 3, April 2007.

[6] John Ioannidis, S. M. Bellovin, AT&T Labs Research. Implementing Pushback: Router-Based Defense Against DDoS Attacks.

[7] Zhang, S. and Dasgupta, P. "Denying denial-of-service attacks: a router based solution." International Conference on Internet Computing, June 2003.

[8] Bencsath, B. and Vajda, I. "Protection against DDoS attacks based on traffic level measurements." Western Simulation MultiConference, San Diego, Jan 2004.

[9] H.R. Nagesh, Chandra Sekaran K. Department of Computer Engineering, P.A. College of Engineering, Mangalore, Karnataka, India; Department of Computer Engineering, National Institute of Technology Karnataka, Surathkal, Karnataka, India. IJCSNS International Journal of Computer Science and Network Security, vol. 7, no. 7, July 2007.

[10] Protecting webservers from DDoS/flooding attack. A technical overview. International Conference on Web Management, October 2002.
