Prop Cuk
Date: 20/03/2018
Signature: __________
Problem definition:
DDoS attacks are very hard to defend against because of their multifaceted nature, dynamic attack rates, wide variety of targets, large botnets, and so on. A complete and comprehensive defence solution (if one exists at all) may not even be achievable.
In this thesis the research is focused on mitigating the impact of DDoS attacks using the leaky bucket algorithm and TTL packet filtering.
Objective and scope:
Distributed denial of service (DDoS) attacks have become a major threat and one of the hardest problems to overcome. Various activities, such as telecommunication, online banking, and online shopping, have recently been integrated through the Internet, yet the Internet is now plagued by more than 10 million infected hosts (or zombies). Internet security includes aspects such as confidentiality, authentication, message integrity and non-repudiation. One of the main aspects of Internet security is availability. DDoS attacks pose a big threat to the availability of services on the Internet and have consequently become a serious threat.
According to the World Wide Web Security FAQ [3], a DoS attack can be described as an attack designed to render a computer or network incapable of providing normal services. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. These attacks don't necessarily damage data directly or permanently, but they intentionally compromise the availability of the resources. The most common DoS attacks target the computer network's bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through, resulting in degraded productivity. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests.
A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time the master program communicates with any number of "agent" programs installed on computers anywhere on the Internet. The agents, when they receive the command, initiate the attack. In this way the master program can initiate hundreds or even thousands of agent programs within seconds.
In the famous Confidentiality, Integrity, and Availability "Security Triangle", DDoS attacks target availability, preventing legitimate users from accessing the services provided by a targeted network device [4]. There are numerous motivations for such attacks, ranging from fun to financial extortion, political protest, and even warfare. Those attempting to carry out attacks are not necessarily highly skilled hackers, as many tools have been developed that allow even the least experienced users to perform complex attacks.
DDoS attacks are composed of packet streams from different sources. These attacks engage the power of a vast number of coordinated hosts to consume some critical resource at the target and deny the service to legitimate clients [5]. The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets. More importantly, the attack volume can be larger than the system can handle. Unless special care is taken, a DDoS victim can suffer damage ranging from system shutdown and file corruption to total or partial loss of services.
There are no apparent characteristics of DDoS streams that could be used directly and wholesale for their detection and filtering. The attacks achieve their desired effect by the sheer volume of attack packets, and can afford to vary all packet fields to avoid characterization and tracing.
Extremely sophisticated, "user-friendly" and powerful DDoS toolkits are available to potential attackers, increasing the danger of becoming a victim of a DoS or DDoS attack. DDoS attack programs have very simple logic structures and small memory footprints, making them relatively easy to implement and hide. Attackers constantly modify their tools to bypass security systems developed by system managers and researchers, who in turn must constantly modify their approaches to handle new attacks.
The DDoS field is evolving quickly, so it is becoming increasingly hard to grasp a global view of the problem. Although there is no panacea for all flavours of DDoS, there are several countermeasures that focus on either making the attack more difficult or making the attacker accountable.
Literature Review
1. NETWORK DEFENCE
Today, the world is being computerized at an astonishing speed. To support this phenomenal growth, service providers are trying their best to provide the utmost quality of service. In this competitive environment, an aspect that stands out is security, which is an extremely serious concern. Modelling a system for DDoS attacks has not been easy for researchers, and the search for an optimal system is still on. An intrusion or attack may be fast or slow. We refer to a DDoS attack as fast when it generates a large number of packets or extremely high-volume traffic within a very short time, say a fraction of a minute, to disrupt service. An attack is referred to as slow if it takes minutes or hours to complete. Despite the increasing deployment of devices for traffic analysis and mitigation, the number of Distributed Denial of Service (DDoS) attacks launched every year is increasing at an astonishing rate.
To counter the rapid emergence of external and internal threats to networks and resources, researchers have looked at a variety of approaches such as intrusion detection systems (IDS), intrusion prevention systems (IPS), intrusion response systems (IRS), and intrusion tolerance systems (ITS). Among these, IDS and IPS are important components of a layered security
infrastructure. To execute an attack on a network or a system, an attacker generally follows
four main steps:
1) The attacker scans the whole network to find and recruit vulnerable host(s);
2) The vulnerable hosts are then compromised for exploitation by the attacker using malware
or backdoor programs;
3) The attacker infects the compromised hosts to create a base for effective launching of an
attack, and
intrusive, attacks, possible attack packets, or
However, for effective DDoS prevention, identification of the true attack source(s) is an essential task. Although identifying the true source of an attack is daunting because of the open and decentralized structure of wireless sensor networks as well as of the Internet, several novel approaches have evolved in the recent past. IP traceback is one such powerful candidate among the mechanisms used to identify the true source of attacks in a network.
2.3.1 IP TRACEBACK
In a DDoS attack, attackers mostly use zombies or reflectors to send attack packets to the victim machine using spoofed IP addresses. One can attempt to detect the attack source manually or automatically. Detection may be performed either at the victim end or from intermediate routers, tracing back to the original source. Typically, a hop-by-hop traceback mechanism is used from router to router, so successful identification of the attack source requires co-operation among networks. Manual traceback, however, is a tedious and time-consuming process. To expedite it, researchers have introduced automated traceback schemes.
Packet Marking: Packet marking is a significant recent addition to the techniques used to identify the origin of DDoS attacks. In a packet-marking scheme, routers mark the packets they forward, either deterministically or probabilistically, with their own addresses. When an attack occurs, the victim uses the marks carried by the packets to trace back to the attack source. Packet-marking-based traceback schemes have been developed in two ways:
1) Deterministic packet marking, commonly known as DPM schemes, and
2) Probabilistic packet marking, commonly known as PPM schemes.
The probabilistic packet-marking (PPM) scheme does not require prior knowledge of the whole network to build an attack tree, i.e., a map of the routers along the path of the attack. The marking can be used during an attack or even after it has occurred. In this scheme, the IP header has only a single field to store the marking information. Each router on the path from the source to the destination writes its unique identifier into that field with some probability, overwriting any previous entry. Since a router's mark survives only if no router closer to the victim overwrites it, marks from nearby routers arrive more often than marks from distant ones, and the victim can reconstruct the path from the source to itself after receiving a large number of packets.
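The single-field (node-sampling) PPM scheme described above can be demonstrated with a short simulation. The following Python code is an added illustration for this proposal, not code from the thesis or from any cited traceback scheme; the router names, the five-hop path and the marking probability of 0.5 are constructed for the example.

```python
import random
from collections import Counter

# Constructed attack path, listed from the attacker's first hop to the router
# adjacent to the victim. Router names are illustrative.
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5"]
P_MARK = 0.5  # probability with which each router overwrites the mark field


def forward_packet(path, p, rng):
    """One packet traverses `path`; each router overwrites the single
    marking slot with its own id with probability p, so only the last
    router to mark is visible at the victim (None if nobody marked)."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=7):
    """Victim side: count the surviving mark over many attack packets.
    A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = forward_packet(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def expected_fraction(p, d):
    """Share of packets whose surviving mark comes from the router d hops
    upstream of the victim: it must mark (p) and the d routers after it
    must all stay silent ((1-p)^d)."""
    return p * (1 - p) ** d


def reconstruct_path(counts):
    """Order routers by mark frequency, most frequent first. Because the
    survival probability decays with distance from the victim, this gives
    the path from the victim's neighbour back towards the attacker."""
    return [router for router, _ in counts.most_common()]


if __name__ == "__main__":
    marks = collect_marks(ATTACK_PATH, P_MARK, 20000)
    for router, n in marks.most_common():
        print(router, n, round(n / 20000, 3))
    print("victim -> attacker:", reconstruct_path(marks))
```

Router R5, adjacent to the victim, keeps its mark in about half of the packets, R4 in about a quarter, and so on down to R1 at roughly 3%, which is what lets the victim order the routers by distance. Two limitations of the single-field scheme are visible here: the victim needs many packets before the counts separate reliably, and an attacker can pre-mark packets with a forged router identifier, which survives untouched with probability (1-p)^n over n routers.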
Packet Logging: In the packet logging approach, routers store packet information so that it can be used to trace an attack long after the attack has completed. One can use data mining techniques on the logged packet data to determine the path the packets may have traversed. Many variations of packet logging methods have been proposed. This method needs a significant amount of memory to store the logged information. To overcome this problem, Broder and Mitzenmacher have proposed the use of Bloom filters, which reduce the storage overhead significantly. The main advantage of this method is that it stores packet log information historically for future investigation. Its main disadvantages are that it needs large amounts of storage for historic data, and it also has high network overhead and high management overhead.
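To make the storage argument concrete, the following Python code is an added example, not code from this proposal or from Broder and Mitzenmacher, of routers logging packet digests in a Bloom filter and a victim querying those logs to recover the path a packet took. The three routers, the addresses and the packets are constructed for the example, and the choice of digest fields (only those that stay constant in flight, so TTL and checksum are left out) is this example's own.

```python
import hashlib
import math


class BloomFilter:
    """Bit array with k salted SHA-256 hash positions. Never reports a
    logged item as absent; may report an unlogged item as present."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(2, "big") + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


def estimated_fp_rate(m_bits, k_hashes, n_items):
    """Standard Bloom filter false-positive estimate (1 - e^(-kn/m))^k."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


def packet_digest(pkt):
    """Digest over fields that do not change hop by hop. TTL and checksum
    are deliberately excluded: every router rewrites them, so including
    them would make the same packet look different at each router."""
    fields = (pkt["src"], pkt["dst"], str(pkt["proto"]), str(pkt["id"]))
    return hashlib.sha256("|".join(fields).encode() + pkt["payload"][:8]).digest()


def build_router_log(packets, m_bits=32768, k_hashes=4):
    """What one router keeps for a logging interval: a fixed 4 KB filter
    regardless of how long the digests are."""
    bf = BloomFilter(m_bits, k_hashes)
    for p in packets:
        bf.add(packet_digest(p))
    return bf


def trace_packet(router_logs, pkt):
    """Victim side: ask each router (nearest first) whether it forwarded
    pkt. Routers answering yes form the candidate attack path."""
    d = packet_digest(pkt)
    return [name for name, log in router_logs if d in log]


def make_packets(src, n):
    """Constructed sample traffic from one source towards the victim."""
    return [{"src": src, "dst": "10.0.0.1", "proto": 17, "id": i,
             "payload": b"A" * 16 + i.to_bytes(4, "big")} for i in range(n)]


# Constructed topology: attack traffic enters at C and crosses B then A
# (A is the victim's edge router); a second flow enters at B.
ATTACK = make_packets("192.0.2.10", 200)
OTHER = make_packets("198.51.100.7", 200)
ROUTER_LOGS = [
    ("A", build_router_log(ATTACK + OTHER)),
    ("B", build_router_log(ATTACK + OTHER)),
    ("C", build_router_log(ATTACK)),
]

if __name__ == "__main__":
    print("attack packet path:", trace_packet(ROUTER_LOGS, ATTACK[5]))
    print("other packet path:", trace_packet(ROUTER_LOGS, OTHER[5]))
    print("bytes per router log:", ROUTER_LOGS[0][1].size_bytes())
    print("estimated false-positive rate:", estimated_fp_rate(32768, 4, 400))
```

The trade-off the paragraph describes is visible in the numbers: each router keeps a fixed 4 KB per logging interval instead of a full record per packet, at the price of a small false-positive rate that grows with the number of packets inserted. Because the filter has no false negatives, a router that answers "no" is definitely not on the path, whereas a "yes" may be a false positive, so the filter size has to be chosen against the expected packet count for the interval.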
ICMP traceback messages: In this mechanism, a router generates ICMP traceback messages that include the content of forwarded packets along with information about adjacent routers, and sends them to the destination. When flooding attacks occur, the victim uses these ICMP messages to construct attack graphs back to the attacker. The traceback messages help the victim find the original source of the attack. This mechanism relies on an input debugging capability that is not enabled in many router architectures; as a result, it may be difficult to establish a connection between a participating router and a non-participating router. ICMP traceback incurs low management cost, can be distributed easily and is able to detect attack paths effectively during flooding attacks. However, it generates considerable additional network traffic and many false ICMP messages, and because ICMP messages can be distinguished easily they may be filtered or rate limited differently from normal traffic.
2.4 BOTNET TECHNOLOGY
A botnet is defined as a large group of malware-infected machines, referred to as zombies, which are controlled by a malicious entity, referred to as the bot-master. The bot-master controls the zombies remotely and instructs them through commands to perform malicious activities. Bots are controlled using a botnet architecture and a command-and-control system, which may be based on P2P, HTTP or DNS [17]. People with malicious intentions can use botnets to commit cyber-crimes such as launching DoS attacks, sending spam mail or stealing personal and valuable data such as login IDs and passwords for mail accounts or bank credentials [18]. It is common knowledge that a majority of email traffic is spam and that most of those messages are sent through botnets.
2.4.1 BOTNET CHARACTERISTICS
Typically, botnets are characterized by the type of Command-and-Control (C&C) system
used for communication. Communications between the bot-master and the bots take place
according to the specification of the C&C system. Among the various C&C systems,
centralized and distributed mechanisms are commonly used for communication. Both types
have their own advantages as well as limitations. To address these limitations, attackers have more recently introduced another botnet technology, the peer-to-peer botnet, which is considered more effective and harder to defend against. To counter such
botnet-based DDoS attacks, a network defender has to know the malware code and the
possible enhancements that may have been incorporated in such code. Further, the topologies,
protocols, and the botnet architectures used by the attackers need to be carefully studied
during development of a DDoS defence. With the recent successful convergence of
traditional telecommunication services and the Internet, the possibility of botnet-based DDoS
attacks over essential network services, including 3G, 4G, and 5G wireless networks, has
increased substantially.
PROPOSED METHODOLOGY
The final setup formulates the use of the 'Leaky Bucket Algorithm' and 'TTL packet filtering' in wireless sensor networks to mitigate the effect of DDoS attacks. The network contains numerous nodes, comprising normal, suspicious and malicious nodes, all of which want to send packets to the base station. A genuine node transmits packets at a normal rate, whereas a malicious node floods traffic aggressively in a short span of time. Before packets are forwarded to the base station, the leaky bucket algorithm and the TTL packet filtering mechanism are invoked according to the threshold set on incoming traffic: the leaky bucket drains accepted packets at a fixed rate and drops whatever overflows its capacity, so a burst from a malicious node is capped while a genuine node's steady traffic passes through.
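The proposal does not spell out how the two mechanisms are combined, so the following Python code is an added example, not the thesis's NS-2 implementation, of one reasonable reading: a per-source leaky bucket at the base station together with a hop-count style TTL check (the packet is accepted only if the hop count implied by its TTL matches the hop count previously recorded for its claimed source address). The node addresses, the expected hop counts, the bucket parameters (capacity 5 packets, drain 4 packets/s) and the traffic mix are all constructed assumptions.

```python
from collections import defaultdict

# Constructed values: the hop count the base station is assumed to have
# learned for each sensor node address during a clean period. The proposal
# does not say how the TTL check is configured; this table is an assumption.
EXPECTED_HOPS = {"10.0.1.5": 3, "10.0.1.9": 3}
# Common initial TTL values; the smallest one >= the observed TTL is assumed.
INITIAL_TTLS = (32, 64, 128, 255)


class LeakyBucket:
    """Per-source leaky bucket. Level and capacity are kept in milli-packets
    and time in milliseconds so that all arithmetic stays in exact integers."""

    def __init__(self, capacity_pkts, rate_pkts_per_s):
        self.capacity = capacity_pkts * 1000
        # packets per second is numerically milli-packets per millisecond
        self.leak_per_ms = rate_pkts_per_s
        self.level = 0
        self.last_ms = None

    def offer(self, now_ms):
        """Drain since the last arrival, then admit the packet only if a
        whole packet still fits; otherwise drop it and leave the level."""
        if self.last_ms is not None:
            self.level = max(0, self.level - self.leak_per_ms * (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.level + 1000 <= self.capacity:
            self.level += 1000
            return True
        return False


def hop_count(ttl):
    """Hops travelled, inferred from the observed TTL and nearest initial TTL."""
    initial = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    return initial - ttl


def ttl_check(src, ttl):
    """Accept only if the hop count implied by the TTL matches the hop count
    recorded for the claimed source address; unknown sources are rejected."""
    expected = EXPECTED_HOPS.get(src)
    return expected is not None and hop_count(ttl) == expected


def filter_traffic(events, capacity_pkts=5, rate_pkts_per_s=4):
    """events: (time_ms, sender_label, src_addr, ttl). The label names the real
    sender for reporting only; the base station sees just src_addr and ttl.
    Returns per-sender counts of accepted / dropped_ttl / dropped_rate."""
    buckets = defaultdict(lambda: LeakyBucket(capacity_pkts, rate_pkts_per_s))
    stats = defaultdict(lambda: {"accepted": 0, "dropped_ttl": 0, "dropped_rate": 0})
    for t, label, src, ttl in sorted(events):
        # TTL check first: spoofed packets never reach the bucket, so they
        # cannot exhaust the quota of the address they impersonate.
        if not ttl_check(src, ttl):
            stats[label]["dropped_ttl"] += 1
        elif buckets[src].offer(t):
            stats[label]["accepted"] += 1
        else:
            stats[label]["dropped_rate"] += 1
    return dict(stats)


def sample_traffic():
    """Constructed 10 s of traffic towards the base station."""
    events = []
    # genuine node: 2 packets/s, 3 hops away, so TTL 64 - 3
    events += [(500 * i, "normal", "10.0.1.5", 61) for i in range(20)]
    # flooding node: 200 packets in one second with a truthful address and TTL
    events += [(1000 + 5 * i, "flooder", "10.0.1.9", 61) for i in range(200)]
    # spoofing node: forges the genuine node's address from 6 hops away
    events += [(2000 + 50 * i, "spoofer", "10.0.1.5", 58) for i in range(30)]
    return events


if __name__ == "__main__":
    for sender, counts in filter_traffic(sample_traffic()).items():
        print(sender, counts)
```

On this traffic the genuine node's 20 packets are all accepted, the flooder gets 8 of its 200 packets through (the 5 the bucket can absorb plus one per 250 ms of drain while it floods) and the rest are dropped by rate, and all 30 spoofed packets are dropped by the TTL check without touching the genuine node's bucket. Two caveats apply in practice: the hop-count table has to be learned while the network is clean, and an attacker sitting at the same distance as the node it impersonates passes the TTL check, so the per-source bucket is the only remaining limit on it.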
Tools and Techniques
SYSTEM REQUIREMENTS
NS-2.35.
Our proposed methodology uses NS-2 as the test-bed for the following reasons:
• NS-2 is a discrete event driven simulator used for wired and wireless network research; Internet based applications are also event-driven in nature.
• NS-2 is widely used in research work as a test bed for validation and performance comparison of different approaches.
• It has support for network protocols such as TCP and UDP, network traffic sources such as
HTTP,
and CBQ.
• Support for various servers and clients (HTTP and FTP server and client) is available, with provision for trace driven simulations.
• A C++ user of NS can modify and/or create protocols, agents, nodes, etc. as required by the proposed approach.
Three parameters will be analysed, including packet loss.
The three network configurations to be compared are:
a) A simple network without the leaky bucket algorithm or TTL filtering.
b) A network with TTL filtering only.
c) A network with both the leaky bucket and the TTL check implemented (LB+TTL).
Case 1: A network with CBR traffic source without node mobility.
Case 2: A network with CBR traffic source with node mobility.
Case 3: Performance metrics for VBR traffic with exponential distribution.
Case 4: Performance metrics for VBR traffic with Pareto distribution.
Conclusion
DDoS attacks have become very prevalent and have emerged as a huge threat. More attention is therefore required to overpower an attack whose objective is to overload the network as well as the base station with tremendous traffic.
In this thesis we have presented a performance comparison of three different networking systems under four variable cases. The networking systems are:
A. Simple network, i.e. a network without any application of the leaky bucket algorithm or TTL filtering.
B. Network with the TTL filtering mechanism.
C. Network on which both the leaky bucket algorithm and TTL filtering are implemented.
The four cases are:
1. A network with CBR traffic source without node mobility.
2. A network with CBR traffic source with node mobility.
3. A network with VBR traffic source (exponential distribution) with stationary nodes.
4. A network with VBR traffic source (Pareto distribution).
REFERENCES
1. Taranpreet Kaur, Krishan Kumar Saluja, Anuj Kumar Sharma, "DDoS Attack in WSN: A Survey", IEEE International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2016), December 23-25, 2016, Jaipur, India.
2. Syed Mujtiba Hussain, Ghulam Rasool Beigh, "Impact of DDoS Attack (UDP Flooding) on Queuing Models", 4th International Conference on Computer and Communication Technology (ICCCT), 2013.
3. L.D. Stein, J.N. Stewart, "The World Wide Web Security FAQ", version 3.1.2, February 4, 2002, available from <http://www.w3.org/Security/Faq>.
6. S. Ranjan, R. Karrer, E. Knightly, "Wide area redirection of dynamic content by Internet data centres", Proc. IEEE INFOCOM 2004, pp. 816-826.
8. W.J. Blackert, D.M. Gregg, A.K. Castner, E.M. Kyle, R.L. Hom, R.M. Jokerst, "Analyzing interaction between distributed denial of service attacks and mitigation technologies", Proc. DARPA Information Survivability Conference and Exposition, Vol. 1, 22-24 April 2003, pp. 26-36.
9. B-T. Wang, H. Schulzrinne, "An IP traceback mechanism for reflective DoS attacks", Canadian Conference on Electrical and Computer Engineering, Vol. 2, 2-5 May 2004, pp. 901-904.
10. C.P. Pfleeger, S.L. Pfleeger, "Security in Computing", 3rd edition, Prentice Hall, 2003.