
Title of Project:

DDOS MITIGATION IN WSN USING LEAKY BUCKET ALGORITHM AND TTL PACKET FILTERING

Name: IRSHAD AHMAD WANI

Enrolment No: 1602CUKMR12

Programme: M.Tech. IT Semester: 4th

Course Code: MTIT C 401

Date: 20/03/2018

Signature: __________

Problem definition:

DDoS attacks are really hard to defend against due to their multifaceted nature, dynamic attack
rates, various kinds of targets, large scale of botnets, etc. A complete and comprehensive
defence solution (if there is any) might not even be achievable.
In this thesis the research is focused on mitigating the impact of DDoS attacks using the leaky
bucket algorithm and TTL packet filtering.
Objective and scope:

Distributed denial of service (DDoS) attacks have become a major threat and one of the
hardest problems to overcome. Various activities, such as telecommunication, online
banking, and online shopping, have recently been integrated through the Internet, yet the
Internet is now plagued by more than 10 million infected hosts (or zombies). Internet
security includes aspects such as confidentiality, authentication, message integrity and
non-repudiation. One of the main aspects of Internet security is availability. DDoS attacks
pose a big threat to the availability of services on the Internet. DDoS attacks have consequently
become a serious threat.

According to the WWW Security FAQ [3], a DoS attack can be described as an attack designed to
render a computer or network incapable of providing normal services. A DoS attack is
considered to take place only when access to a computer or network resource is intentionally
blocked or degraded as a result of malicious action taken by another user. These attacks don't
necessarily damage data directly or permanently, but they intentionally compromise the
availability of the resources. The most common DoS attacks target the computer network's
bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of
traffic that all available network resources are consumed and legitimate user requests cannot
get through, resulting in degraded productivity. Connectivity attacks flood a computer with
such a high volume of connection requests that all available operating system resources are
consumed and the computer can no longer process legitimate user requests.

A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated
DoS attack against one or more targets. Using client/server technology, the perpetrator is able
to multiply the effectiveness of the Denial of Service significantly by harnessing the
resources of multiple unwitting accomplice computers which serve as attack platforms.
Typically a DDoS master program is installed on one computer using a stolen account. The
master program, at a designated time, then communicates with any number of "agent"
programs installed on computers anywhere on the Internet. The agents, when they receive
the command, initiate the attack. Using client/server technology, the master program can
initiate hundreds or even thousands of agent programs within seconds.
In the famous Confidentiality, Integrity, and Availability "Security Triangle", DDoS attacks
target availability, preventing legitimate users from accessing the services provided by a
targeted network device [4]. There are numerous motivations for such attacks, ranging from
fun to financial extortion, political protest, and even warfare. Those attempting to carry out
attacks are not necessarily highly skilled hackers, as many tools have been developed that
allow even the least experienced users to perform complex attacks.
DDoS attacks are comprised of packet streams from different sources. These attacks engage
the power of a vast number of coordinated hosts to consume some critical resource at the
target and deny the service to legitimate clients [5]. The traffic is usually so aggregated that it
is difficult to distinguish legitimate packets from attack packets. More importantly, the attack
volume can be larger than the system can handle. Unless special care is taken, a DDoS victim
can suffer damages ranging from system shutdown and file corruption to total or partial
loss of services.
There are no apparent characteristics of DDoS streams that could be directly and
wholly used for their detection and filtering. The attacks achieve their desired effect by
the sheer volume of attack packets, and can afford to vary all packet fields to avoid
characterization and tracing.
Extremely sophisticated, "user-friendly" and powerful DDoS toolkits are available to
potential attackers, increasing the danger of becoming a victim of a DoS or a DDoS attack.
DDoS attacking programs have very simple logic structures and small memory sizes, making
them relatively easy to implement and hide. Attackers constantly modify their tools to bypass
security systems developed by system managers and researchers, who must constantly
modify their approaches to handle new attacks.
The DDoS field is evolving quickly, making it increasingly hard to grasp a global view
of the problem. Although there is no panacea for all flavours of DDoS, there are several
countermeasures that focus on either making the attack more difficult or on making the
attacker accountable.
Literature Review

1. NETWORK DEFENCE
Today, the world is being computerized at an astonishing speed. To support this phenomenal
growth, service providers are trying their best to provide the utmost quality of service. In this
competitive environment, an aspect that stands out is security, which is indeed an extremely
serious topic of concern. Modelling a system for DDoS attacks has not been easily viable for
researchers, and the search for an optimal system is still on. An intrusion or attack may be fast
or slow. We refer to a DDoS attack as fast when it generates a large number of packets or
extremely high-volume traffic within a very short time, say a fraction of a minute, to disrupt
service. An attack is referred to as a slow attack if it takes minutes or hours to complete the
process. Despite the increasing deployment of devices for traffic analysis and mitigation, the
number of Distributed Denial of Service (DDoS) attacks deployed every year is increasing at
an astonishing rate.
To counter the rapid emergence of external and internal threats to networks and resources,
researchers have looked at a variety of approaches such as intrusion detection system (IDS),
intrusion prevention system (IPS), intrusion response system (IRS), and intrusion tolerance
system (ITS). Among these, IDS and IPS are important components of a layered security
infrastructure. To execute an attack on a network or a system, an attacker generally follows
four main steps:
1) The attacker scans the whole network to find and recruit vulnerable host(s);

2) The vulnerable hosts are then compromised for exploitation by the attacker using malware
or backdoor programs;

3) The attacker infects the compromised hosts to create a base for effective launching of an
attack, and

4) Finally, the attack is launched using the compromised hosts.


2. MODULES OF A DDoS DEFENCE SOLUTION:
A generic DDoS defence solution is comprised of three modules, viz., monitoring, detection,
and reaction:
Monitoring: This module allows one to monitor services being used on a network and to
match against activities that we should see. To perform such monitoring activities, it collects
necessary information on the state of the network at various points within the network. This
module also helps identify unauthorized services within a network. For identification of such
unauthorized services, one should look not only at external traffic but also at internal traffic.
Otherwise, one will miss internal hosts involved in unauthorized activities.
Detection: This module aims to identify any misuse or anomalous behaviour in a network
and generate reports to the administration. The module may also try to stop an intrusion
attempt, but this is neither required nor expected. Intrusion detection is primarily focused on
identifying possible intrusive patterns, incidents, or activities, and reporting them in a timely
and meaningful manner. Typically, a detection module analyses relevant network traffic
information to identify possible security breaches, which include both misuses and
anomalies, either by using a supervised approach (using prior knowledge of intrusions) or by
using an unsupervised approach (without using prior knowledge of intrusions).
Reaction: A reaction module of a DDoS defence system typically reacts with two basic
components, viz., a passive and an active component. The passive component, composed of a
set of procedures, is involved in the inspection of the system's configuration files to detect
inadvisable settings, inspection of the password files to detect inadvisable passwords, and
inspection of other system areas to detect policy violations. In contrast, the active component,
which is composed of another set of procedures, reacts to known methods of attack and
generates system responses. It can respond to suspicious events in several ways, which
include displaying an alert, logging the event, or even paging an administrator.
2.2 DDoS DETECTION
Detection of distributed denial-of-service attacks is broadly studied in two categories [22]:
anomaly-based detection and misuse detection. Misuse detection searches for definite
patterns (i.e., signatures, rules, or activities) in the captured network traffic to identify
previously known DDoS intrusion types. Such detection techniques usually exhibit high
detection rates with low numbers of false alarms. However, a misuse detection technique fails
to detect unknown DDoS intrusion types. Anomaly-based DDoS detection techniques aim to
identify novel intrusion types in addition to detection of known types. Such techniques
analyse network traffic behaviour and attempt to detect unusual patterns at an early stage.
Anomaly-Based DDoS Detection: Anomaly-based detection techniques first establish the
normal behaviour of a subject, which may be a user or a system. If an action is found to
deviate significantly from the normal behaviour or pattern, it is recognized as anomalous or
intrusive. So, if the defender can properly establish a normal activity profile for a system, it
can also flag all system states that vary from the normal profile significantly. So, in an
anomaly-based detection approach, two distinct possibilities may arise:

1) False positives, which are anomalous activities that are not intrusive but are flagged as
intrusive, and

2) False negatives, which are anomalous activities that are flagged as non-intrusive but are
intrusive.

The main advantage of anomaly detection is that it can detect unknown attacks.

In addition to these software-based DDoS defence solutions, a large number of hardware-based
network security solutions have also evolved. To counter DDoS attacks that use both
low-rate and high-rate traffic, researchers use a variety of approaches such as statistical,
machine learning and data mining, soft computing, and knowledge-based.
Misuse Detection: In misuse detection, the defenders initially define the abnormal system
behaviour and then define all other behaviour as normal. In contrast, an anomaly detection
approach uses the reverse approach, defining normal system behaviour first and defining any
other behaviour as abnormal. In other words, anything we don't know as bad is normal in
misuse detection. Using attack signatures in IDSs is an example of this approach. The
performance of an IDS in terms of detection accuracy depends entirely on how adequate the
knowledge of known attacks is and how well the detection engine can use it during detection.
A defender with well-crafted knowledge of known attacks can make effective use of this
detection approach and can achieve high detection accuracy and low false alarms.
2.3 DDoS PREVENTION
An intrusion prevention system (IPS) is considered an "upgraded" version of an intrusion
detection system. Both monitor network traffic and/or system activities for malicious activity;
however, unlike an IDS, an intrusion prevention system is able to actively block intrusions that
are detected. Typically, an IPS does so by generating alarms, dropping malicious packets,
resetting the connection, and/or blocking traffic from the offending IP addresses. The
managing system, monitoring component, and detection component are almost the same as
those in an IDS, but instead of the reaction component, prevention procedures are
applied. The prevention engine applies a set of procedures based on the pattern of behaviour
of the suspicious traffic by working closely with the managing system. The responsibility of
the managing system is to manage the traffic flow and to apply the procedures provided by
the prevention engine.
A good number of DDoS prevention methods have been developed recently. Most prevention
methods act upon detection of DDoS attacks in one or more of the following ways:

• attacks,

• possible attack packets, or

• avoid occurrence of future attacks.

However, for effective DDoS prevention, identification of the true attack source(s) is an essential
task. Although identification of the true source of an attack is a daunting task due to the open and
decentralized structure of wireless sensor networks as well as the Internet, several novel
approaches have evolved in the recent past. IP traceback is one such powerful candidate
among the mechanisms used to identify the true source of attacks in a network.
2.3.1 IP TRACEBACK
In a DDoS attack, attackers mostly use zombies or reflectors to send attack packets to the
victim machine using spoofed IP addresses. One can attempt to detect the attack source
manually as well as automatically. It may be performed either at the victim end or from
intermediate routers and traced back to the original source end. Typically, a hop-by-hop
traceback mechanism is used from router to router. Therefore, for successful identification
of the attack source, co-operation among networks is highly essential. However, manual
traceback is a tedious and time-consuming process. To expedite the process, researchers have
introduced automated traceback schemes.
Packet Marking: Packet marking is a significant recent addition to the techniques used for
identification of the origin of DDoS attacks. In a packet-marking scheme, routers mark
forwarding packets either deterministically or probabilistically, with their own addresses. So,
when an attack occurs, the victim uses the marked information associated with the packet to
trace back to the attack source. Packet-marking-based traceback schemes have been
developed in two ways:
1) Deterministic packet marking, commonly known as DPM schemes, and

2) Probabilistic packet marking, also known as PPM schemes.

The probabilistic packet-marking (PPM) scheme does not require prior knowledge of the
whole network to build an attack tree, i.e., a map of the routers along the path of the attack.
One can use this marking during an attack or even after an attack has occurred. In this
scheme, the IP header has only a single field to store the marking information. Each router on
the path from the source to the destination writes down its unique identifier in the entry in the
packet header with some probability. By writing into the field, routers overwrite any previous
entry that was present there. The victim can reconstruct the path from the source to itself on
receiving a large number of packets.
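As an added illustration of the PPM node-sampling scheme just described (example code written for this page, not part of the thesis or of any cited work), the following simulation marks packets along a constructed five-router path with an assumed marking probability of 0.2 and lets the victim order routers by mark frequency; the router ids, path and packet count are constructed sample values.

```python
"""
Probabilistic packet marking (node-sampling variant): each router on the
path overwrites the single mark field with its own id with probability
P_MARK. A mark written far from the victim is more likely to be overwritten
downstream, so the victim sees marks with a frequency that decreases with
distance, and sorting ids by frequency recovers the path.
"""
import random
from collections import Counter

P_MARK = 0.2  # marking probability (assumed value, not from the thesis)


def forward_with_marking(path, rng):
    """Simulate one packet travelling along `path` (attacker side first,
    victim side last). Returns the mark field on arrival, or None if no
    router chose to mark it."""
    mark = None
    for router in path:
        if rng.random() < P_MARK:
            mark = router  # overwrite any earlier mark in the single field
    return mark


def collect_marks(path, n_packets, rng):
    """Victim side: count how often each router id arrives as the mark."""
    counts = Counter()
    for _ in range(n_packets):
        mark = forward_with_marking(path, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def reconstruct_path(counts):
    """Routers ordered from most to least frequent mark, i.e. from the
    router nearest the victim to the one nearest the attacker."""
    return [router for router, _ in counts.most_common()]


def expected_fraction(distance):
    """Expected fraction of packets carrying the mark of the router
    `distance` hops from the victim (1 = last hop): p * (1 - p)^(distance-1)."""
    return P_MARK * (1 - P_MARK) ** (distance - 1)


def demo(seed=7, n_packets=20000):
    # constructed path: attacker -> R5 -> R4 -> R3 -> R2 -> R1 -> victim
    path = ["R5", "R4", "R3", "R2", "R1"]
    rng = random.Random(seed)  # seeded so the run is reproducible
    counts = collect_marks(path, n_packets, rng)
    return reconstruct_path(counts), counts


if __name__ == "__main__":
    recovered, counts = demo()
    print("recovered path (victim outward):", recovered)
    for dist, router in enumerate(recovered, start=1):
        print(router, counts[router], "expected ~", expected_fraction(dist) * 20000)
```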
Packet Logging: In the packet logging approach, routers store packet information so that
such information can be used to trace an attack long after the attack has completed. One can
use data mining techniques on the logged packet data to determine the path that the packets
may have traversed. Many variations of packet logging methods have been proposed. This
method needs a significant amount of memory to store the logged information. To overcome
this problem, Broder and Mitzenmacher have proposed the use of Bloom filters to minimize
storage overhead significantly. The main advantages of this method are:

• It stores packet log information historically for future investigation,

• to store historic data, and also has high network overhead and high management overhead.

ICMP traceback messages: In this mechanism, the router generates ICMP traceback
messages that include the content of forwarded packets along with information about adjacent
routers and sends them to the destination. When flooding attacks occur, the victim uses these
ICMP messages to construct attack graphs back to the attacker. The traceback messages help
the victim find the original source of the attack. This mechanism relies on an input debugging
capability that is not enabled in many router architectures. As a result, it may be difficult to
establish a connection between a participating router and a non-participating router. ICMP
traceback is effective in terms of network overhead as it incurs low management cost.
Moreover, the approach can be distributed easily and is able to effectively detect attack paths
during flooding attacks. However, this approach generates high additional network traffic and
creates many false ICMP messages. ICMP messages can be distinguished easily and hence
may be filtered or rate limited differently from normal traffic.
2.4 BOTNET TECHNOLOGY
A botnet is defined as a large group of malware-infected machines, referred to as zombies,
which are controlled by a malicious entity, referred to as the bot-master. The bot-master is
used to control the zombies remotely and to instruct them through commands to perform
malicious activities. Bots are controlled using a botnet architecture and a command-and-control
system, which may be based on P2P, HTTP or DNS [17]. People with malicious intentions can
use botnets to commit cyber-crimes such as launching DoS attacks, sending spam mail or
stealing personal and valuable data such as login IDs and passwords for mail accounts or
bank credentials [18]. It is common knowledge that a majority of email traffic is spam and
most of the messages are sent through botnets.
2.4.1 BOTNET CHARACTERISTICS
Typically, botnets are characterized by the type of Command-and-Control (C&C) system
used for communication. Communications between the bot-master and the bots take place
according to the specification of the C&C system. Among the various C&C systems,
centralized and distributed mechanisms are commonly used for communication. Both types
have their own advantages as well as limitations. To address these limitations, attacker
masterminds have introduced another botnet technology of late, referred to as peer-to-peer
botnet, which is considered more effective and difficult to defend against. To counter such
botnet-based DDoS attacks, a network defender has to know the malware code and the
possible enhancements that may have been incorporated in such code. Further, the topologies,
protocols, and the botnet architectures used by the attackers need to be carefully studied
during development of a DDoS defence. With the recent successful convergence of
traditional telecommunication services and the Internet, the possibility of botnet-based DDoS
attacks over essential network services, including 3G, 4G, and 5G wireless networks, has
increased substantially.
PROPOSED METHODOLOGY

The final setup formulates the use of the 'Leaky Bucket Algorithm' and 'TTL packet filtering'
in wireless sensor networks for mitigating the effect of DDoS attacks. There are numerous
nodes in the network, comprising normal, suspicious and malicious nodes. Nodes desire
to send packets to the base station. A genuine node transmits packets in the normal way,
whereas a malicious node forwards traffic aggressively in a short span of time. Before the
packets are transmitted to the base station, the leaky bucket algorithm and TTL packet filtering
mechanisms are invoked according to the threshold set on incoming traffic.
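The following is an added example, not the thesis' NS-2 code, showing the two mechanisms as a base-station admission check over a constructed packet stream and reporting per-node packet loss for the three scenarios compared later (no filter, only TTL, LB+TTL). It assumes a per-node leaky bucket of 5 packets draining at 10 packets per second, an initial TTL of 64 on every node, and that the base station knows each node's hop distance so the TTL filter can compare the carried TTL with the expected one.

```python
from dataclasses import dataclass
from fractions import Fraction

INITIAL_TTL = 64      # assumed initial TTL set by every sensor node
TTL_TOLERANCE = 1     # assumed tolerance, in hops, of the TTL check


@dataclass
class Packet:
    src: str
    time_ms: int      # arrival time at the base station, milliseconds
    ttl: int


class LeakyBucket:
    """Per-node leaky bucket meter: up to `capacity` packets may queue and
    they drain at `rate` packets per second; a packet that would overflow
    is dropped. Fractions keep the arithmetic exact and deterministic."""

    def __init__(self, capacity: int, rate: int):
        self.capacity = capacity
        self.rate = rate
        self.level = Fraction(0)
        self.last_ms = 0

    def admit(self, now_ms: int) -> bool:
        leaked = Fraction((now_ms - self.last_ms) * self.rate, 1000)
        self.level = max(Fraction(0), self.level - leaked)
        self.last_ms = now_ms
        if self.level + 1 > self.capacity:
            return False
        self.level += 1
        return True


def ttl_ok(pkt: Packet, hops: dict) -> bool:
    """TTL packet filter: the base station knows each node's hop distance,
    so a genuine packet should arrive with INITIAL_TTL - hops (within
    tolerance). A spoofed or replayed packet usually breaks this relation."""
    expected = INITIAL_TTL - hops.get(pkt.src, 0)
    return abs(pkt.ttl - expected) <= TTL_TOLERANCE


def run_scenario(packets, hops, use_ttl, use_bucket, capacity=5, rate=10):
    """Apply one of the thesis' three setups (none, only TTL, LB+TTL) and
    return {src: (accepted, dropped)}."""
    buckets, stats = {}, {}
    for pkt in sorted(packets, key=lambda p: p.time_ms):
        acc, drop = stats.get(pkt.src, (0, 0))
        ok = not use_ttl or ttl_ok(pkt, hops)
        if ok and use_bucket:
            bucket = buckets.setdefault(pkt.src, LeakyBucket(capacity, rate))
            ok = bucket.admit(pkt.time_ms)
        stats[pkt.src] = (acc + 1, drop) if ok else (acc, drop + 1)
    return stats


def build_stream():
    """Constructed sample traffic over one second: a genuine node two hops
    away at 10 pkt/s, a malicious node three hops away flooding at 200 pkt/s,
    and a node whose TTL does not match its four-hop distance."""
    hops = {"n1": 2, "mal": 3, "spoof": 4}
    pkts = [Packet("n1", t * 100, INITIAL_TTL - 2) for t in range(10)]
    pkts += [Packet("mal", t * 5, INITIAL_TTL - 3) for t in range(200)]
    pkts += [Packet("spoof", t * 100, INITIAL_TTL - 9) for t in range(10)]
    return pkts, hops


if __name__ == "__main__":
    pkts, hops = build_stream()
    for name, ttl, lb in [("no filter", False, False),
                          ("only TTL", True, False),
                          ("LB+TTL", True, True)]:
        print(name, run_scenario(pkts, hops, ttl, lb))
```

The flooding node keeps its full 200 packets under the TTL-only setup, since its TTL is consistent with its position; only the leaky bucket cuts it to the 5-packet burst plus the sustained 10 packets per second.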
Tools and Techniques

SYSTEM REQUIREMENTS

• NS-2.35.

• NS-2.35 under Linux environment.

Our proposed methodology makes use of NS-2 as test-bed because of the following reasons:

• NS-2 is a discrete event driven simulator used for wired and wireless network research. Internet
based applications are also event-driven in nature.

• NS-2 is an open source tool and is extensible.

• NS-2 is widely used in research work as a test bed for validation and performance comparison of
different approaches.

• It has support for network protocols such as TCP and UDP, network traffic sources such as
HTTP, and queue management mechanisms such as CBQ.

• Support for various servers and clients (HTTP, FTP server and client) is available with provision
for trace driven simulations.

• A C++ user in NS can modify and/or create protocols, agents, nodes etc. as per the
requirements of the proposed approach.

Three parameters will be analysed, among them packet loss.

Observation is done against three scenarios:

a) A network without leaky bucket algorithm (without TTL).

b) A network with TTL check as a packet filtering mechanism (only TTL).

c) A network with leaky bucket and TTL check implementation (LB+TTL).

Plots will be obtained between the following parameters:

Case 1: A network with CBR traffic source without node mobility.
Case 2: A network with CBR traffic source with node mobility.
Case 3: Performance metrics for VBR traffic with exponential distribution.
Case 4: Performance metrics for VBR traffic with Pareto distribution.
Conclusion

DDoS attacks have become very prevalent. They have emerged as a huge threat. Therefore more
attention is required to overpower the attack, whose objective is to overload the network as
well as the base station with tremendous traffic.
In this thesis we have presented a performance comparison of three different networking
systems under four variable cases. The networking systems are:
A. Simple network, i.e. a network without any application of leaky bucket algorithm or TTL
filtering.
B. Network with TTL filtering mechanism.
C. Network on which both leaky bucket algorithm and TTL filtering are implemented.
The four cases are:
1. A network with CBR traffic source without node mobility.
2. A network with CBR traffic source with node mobility.
3. A network with VBR traffic source (Exponential) with stationary nodes.
REFERENCES

1. Taranpreet Kaur, Dr. Krishan Kumar Saluja, Dr. Anuj Kumar Sharma, "DDOS Attack in
WSN: A Survey", IEEE International Conference on Recent Advances and Innovations in
Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India.

2. Syed Mujtiba Hussain, Ghulam Rasool Beigh, "Impact of DDoS Attack (UDP Flooding)
on Queuing Models", 4th International Conference on Computer and Communication
Technology (ICCCT), 2013.

3. L.D. Stein, J.N. Stewart, The World Wide Web Security FAQ, version 3.1.2, February 4,
2002, Available from <http://www.w3.org/Security/Faq>.

4. Monika Sachdeva, Gurvinder Singh, Krishan Kumar, and Kuldip Singh, "A
Comprehensive Survey of Distributed Defense Techniques against DDoS Attacks", IJCSNS
International Journal of Computer Science and Network Security, Vol. 9, No. 12, December
2009.

5. Monika Sachdeva, Krishan Kumar, Gurvinder Singh, Kuldip Singh, "Performance Analysis
of Web Service under DDoS Attacks", 2009 IEEE International Advance Computing
Conference (IACC 2009), Patiala, India, 6-7 March 2009.

6. Ranjan S., Karrer R., Knightly E., "Wide area redirection of dynamic content by internet data
centres", Proc. IEEE INFOCOM 2004, pp. 816-826.

7. Al-Sakib Khan Pathan, Hyung-Woo Lee, Choong Seon Hong, "Security in Wireless
Sensor Networks: Issues and Challenges".

8. Blackert, W.J., Gregg, D.M., Castner, A.K., Kyle, E.M., Hom, R.L., and Jokerst, R.M.,
"Analyzing interaction between distributed denial of service attacks and mitigation
technologies", Proc. DARPA Information Survivability Conference and Exposition, Volume
1, 22-24 April 2003, pp. 26-36.

9. Wang, B-T. and Schulzrinne, H., "An IP traceback mechanism for reflective DoS
attacks", Canadian Conference on Electrical and Computer Engineering, Volume 2, 2-5 May
2004, pp. 901-904.

10. Pfleeger, C. P. and Pfleeger, S. L., "Security in Computing", 3rd edition, Prentice Hall,
2003.