
ISSN (Print) : 0974-6846

Indian Journal of Science and Technology, Vol 9(21), DOI: 10.17485/ijst/2016/v9i21/85014, June 2016 ISSN (Online) : 0974-5645

Investigation of UDP Bot Flooding Attack


Bijalwan Anchit* and Singh Harvinder
Department of Computer Science and Engineering, Uttarakhand Technical University, Dehradun - 248007,
Uttarakhand, India; anchit.bijalwan@gmail.com, sachin_ats@rediffmail.com

Abstract

Background/Objectives: This paper presents an analysis of the Bot flooding attack which leads to DDOS (Distributed Denial of Service), using a lab experiment in a networked environment that creates a scenario like a real DDOS attack. Methods: To study the DDOS attack through UDP (User Datagram Protocol) Bot flooding, a lab setup is done in a networked environment. A UDP flood attack starts by sending a huge number of UDP packets from different IP addresses. The experimentation is performed using NS2. The results generated are used as evidence to prove that a machine is victimized and is facing a DDOS attack. Graphical evidence is also presented for the DDOS attack using UDP packet flooding. Findings: The evidence collected from the lab experimentation clearly shows the demarcation between normal network traffic and traffic containing the UDP Bot flood. By comparing normal and abnormal network traffic through the UDP flow graph, the possibility of DDOS is predicted.

Keywords: Botnet, Botnet Forensics, DDoS, Internet Security, Random UDP Bot Flooding

1.  Introduction

In the past few years we have witnessed very fast-paced growth in the Internet and its related services. It has revolutionized the lives of many people and it appears next to impossible to survive in its absence. The use of the Internet has on one hand provided us with beneficial services and on the other hand invited many challenging and troublesome situations. Some of the awkward situations sometimes faced by Internet users are DDOS, rootkits, viruses, worms, ransomware and many more. Botnets are widely used as platforms for spreading different types of threats. A Botnet is a huge network of compromised computers which are remotely controlled by a person with malicious intent called the botmaster. Though a Botnet is responsible for performing different types of malicious activities, our main focus in this paper is on the DDoS attack.

A Distributed Denial-of-Service (DDoS) attack is a kind of cyber attack in which multiple compromised computers attack a single computer system as a target, which results in denying its services to the users of that particular system. The ample number of messages coming to that particular computer system takes it into a shut-down process, and hence its services are denied to the legitimate users. Botnets are used for all DDOS (Distributed Denial of Service) attacks, spam, click fraud, information theft, phishing attacks, and distribution of other malware. A Random-UDP bot flooding attack [1] is a kind of attack in which the striker keeps on sending multiple UDP datagrams of distinct sizes at a time. This results in denial of service to that computer system as well as its resources.

A Botnet simulator is used to simulate a DDoS flood attack in a testbed, where, to deploy easily, the attacker may use a randomizer. The different sizes of datagram can easily read the characteristics of the UDP datagram and enter the user's network to make them bots. The bot continuously sends UDP datagrams of different sizes and creates a tough situation for the users.

In [2] a testbed framework named Botloader was proposed for realistic DDoS attacks with two-way traffic generation. In [3] the IP spoofing used for the flooding attack is segregated into three categories, as follows: 1. Random spoofing, 2. Subnet spoofing and 3. Fixed spoofing. He proposed an easy and thorough method to find the presence of TCP SYN flooding attacks and their mitigation using different

*Author for correspondence



types of spoofing methods. His simulation method shows the mitigation of TCP-based flooding attacks. In [4] the energy distributions of Internet data traffic flow are explored in the frequency domain. The normal flow of TCP traffic presents recurrence because of the very behavior of the protocol. He showed, through the comparison between normal TCP flows and malicious TCP flows as per their energy distribution variance difference, that normal TCP flows can be differentiated from malicious flows as per the energy. In [5] the defense method named FDIDS against denial of service attacks is proposed. A single point of failure can be avoided through FDIDS. Flooding denial of service can be detected through traffic matrices, which can be built with the help of traffic tables. To reduce the overhead, local methods and global methods for communication are suggested. In [6] a method to suppress the DDoS attack scenario through real-time estimation is shown. He set up the method named ANN to find out the number of bot systems in a DDoS assault. This technique gave flexibility in estimation with either low or high detection stability. In [7] different queuing algorithms were used for efficiency against a flooding attack on the network. He observed that the Stochastic Fair Queuing technique (SFQ) is better than other queuing techniques for UDP traffic. In [8] a webserver safety method against HTTP GET attacks is proposed. This method can efficiently discover HTTP GET flooding attacks. It is applied in a Gigabit Ethernet secure Network Interface Controller (GEINIC) to ensure safety against DDoS attacks. In [9] a novel Random Flow network model is presented. This is a general and novel framework for preventing distributed denial of service attacks. It shows the relatedness amidst some metrics deduced from the model. Kumar et al. studied the distributed denial of service attack in which a large number of packets created computational overhead. He distributed these overheads into the POPs of the ISPs. In [10] the authors experimented on NS2 and indicated that the available bandwidth is comparatively more easily inundated by a UDP attack than by a TCP attack. They introduce the concepts of time of attack and intensity of attack. In [11] the author surveyed the spotting and extenuation of denial of service assaults. He created a DoS Mitigation Module (DMM) to provide the way for maintaining the components. In [12] the author analyzed a DDoS attack from a small number of zombies using a web server. He set up a Botnet system to analyze the DDoS bot behavior in order to test the strength against such attacks. In [13] a defense environment against the UDP flooding attack is created. He showed that the defense system can effectively spot and sense the fake IP addresses without increasing the detection time. In [14] a detection strategy is proposed which uses SYN traffic forecasting to find out whether SYN flooding attacks happen at the initial phase. In [15] an SNMP-based algorithm is proposed for detection of data traffic that leads to flooding attacks; it minimized the detection time, processing time and network overheads and also provides a high rate of detection. In [16] clustering algorithm characteristics for big data mining are surveyed. In [17] the author introduces new threats that can be utilized by malware developers as a persistence mechanism. In [18] the author elaborately discusses the seriousness of the Botnet problem and projects the importance of online malware analysis in Botnet defense research. In [19] the proposed system uses an algorithm in which the detection is based on anomaly and on signature, mapped to an AIS called "Generation of Detector (Genetic Algorithm)", to detect DDoS attacks. Every time an attack is spotted, a new generation is summed up with the detectors dataset to detect the invasion. In [20] the authors have computed the validity of available routing protocols against malicious attacks, found the quality and effect of security improvements, and suggested a dependable solution to deal with DDoS attacks in MANETs. In [21] the effect of the DDoS attack on the cloud environment is thoroughly studied. Therefore, a framework for the attack based on DDoS is prepared, and then the authors created an imitation of a cloud system in the experimental environment. The experiments show that the cloud environment is defenseless against this kind of attack.

In this paper we have analyzed the attacking scenario using NS2 and generated flow graphs for the random UDP bot flooding attack. We have designed the algorithm to detect and analyze the UDP bot flooding attack. This includes three phases, i.e. analysis of UDP flooding using NS2, the UDP flow graph under both normal and attacking scenarios, and comparison of the traffic flow rate. In this section we have reviewed the existing techniques along with the introduction. The rest of the paper is organized as follows: the analysis of the UDP Bot Flooding attack is presented in section 2. The proposed framework and results are explained in section 4. The work is concluded in section 5 along with the scope for future work.

2.  Traffic Flow Analysis

It is mandatory to analyze the data, whether it is normal traffic or infected data, after identification of the UDP bot

2 Vol 9 (21) | June 2016 | www.indjst.org Indian Journal of Science and Technology
Bijalwan Anchit and Singh Harvinder

flooding attack. We traced DDoS bot clues using BoNeSi in a wired test bed, collected through Wireshark. The curves plotted are of Time against Packet Queue: Time is on the X axis and Packet Queue is on the Y axis. Two graphs are provided, an attack flow graph and a normal flow graph.

2.1  Normal Traffic Flow

Figure 1 shows the normal flow, where the system obtained the result of TCP wait queue versus time. The X axis depicts the time and the Y axis depicts the queue length in number of packets. In the normal flow the number of packets in the buffer is 75. When we look at the normal flow graph we witness a very different graph: there is too much entropy. The queue is unreliable; it increases with the increase in traffic and falls when the system has processed the traffic (Figure 1).

2.2  Under Attack Traffic Flow

Figure 2 shows the attack flow of the DDoS bot attack, where the graph shows a linear increase in the number of packets. The number of packets constantly increases and reaches 160 × 10³ packets at the peak position. The next snapshots show the under-attack scenario with the help of Network Simulator 2, as shown in Figure 2.

From the attack flow graph we can deduce that the packet queue is continuously increasing with respect to time. This means that the packets are arriving at the system but the system is unable to process them (it has reached the bottleneck limit) and is now increasing the packet queue over time, rendering the system unusable and thereby justifying that it is a DoS/DDoS attack, in contrast to the normal flow graph.

2.3  Observation

The normal flow was generated by getting the system to connect with multiple websites over a short period of time, some of them being video streaming websites. This shows us a basic comparison between the normal and attack scenarios in the case of a network attack. The queue length is generally a good measure to detect whether there is a bottleneck or not; in case there is, we need to develop procedures to remove the malware or useless packets from the queue, free the server queue in the case of these attacks, and start monitoring incoming packets and removing them in a real-time environment.

We have collected data from various attack scenarios, generating a large data pool, to which we will apply big data analysis to find the parameters that change the most or can help us with identification between legitimate and forced packets.

We are also looking into implementing IP spoofing detection to clean out traffic from spoofed IPs directly in a real-time environment.
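Section 2 reads the Time vs Packet Queue curves by eye: a queue that drains (normal flow) against one that only grows (attack). The Python below is an added example, not the paper's NS2 scripts. It models the server as a fixed per-slot service rate (an assumption), builds the queue history from constructed per-second arrival counts, and turns the visual test into two numbers: the least-squares slope of the queue and the fraction of slots in which it grew. The thresholds are illustrative.

```python
"""Queue-length trend check for the Time vs Packet Queue curves of section 2.

Added example, not the paper's NS2 scripts: a slot-based server model
(packets arriving per second against a fixed service rate) and a detector
that separates a queue which keeps growing from one that drains.
"""
from typing import List, Sequence, Tuple


def simulate_queue(arrivals: Sequence[int], service_rate: int, start: int = 0) -> List[int]:
    """Queue length after each time slot.

    Each slot the server drains at most `service_rate` packets; whatever
    arrived beyond that waits.  The queue can never go negative.
    """
    queue, history = start, []
    for arrived in arrivals:
        queue = max(0, queue + arrived - service_rate)
        history.append(queue)
    return history


def slope(series: Sequence[float]) -> float:
    """Least-squares slope of the series against its slot index (packets/slot)."""
    n = len(series)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(series))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den


def rising_fraction(series: Sequence[float]) -> float:
    """Share of consecutive slots in which the queue got longer."""
    steps = [later > earlier for earlier, later in zip(series, series[1:])]
    return sum(steps) / len(steps) if steps else 0.0


def classify(queue: Sequence[int], min_slope: float = 5.0,
             min_rising: float = 0.9) -> Tuple[str, float, float]:
    """'flooding' when the queue grows almost every slot with a clear upward
    trend; 'normal' when it rises and falls as traffic is processed.
    The two thresholds are assumptions chosen for this illustration."""
    s, r = slope(queue), rising_fraction(queue)
    verdict = "flooding" if (s > min_slope and r >= min_rising) else "normal"
    return verdict, s, r


# Constructed arrivals (packets per one-second slot), not measured data.
SERVICE_RATE = 100  # packets the server can process per slot (assumed)
NORMAL_ARRIVALS = [60, 150, 90, 30, 170, 20, 80, 140, 50, 10, 160, 40]       # bursty, drains
ATTACK_ARRIVALS = [130, 150, 140, 160, 135, 145, 155, 130, 150, 140, 165, 135]  # always over capacity


def run_demo() -> dict:
    """Classify both constructed scenarios; returns {name: (verdict, queue)}."""
    results = {}
    for name, arrivals in (("normal", NORMAL_ARRIVALS), ("attack", ATTACK_ARRIVALS)):
        queue = simulate_queue(arrivals, SERVICE_RATE)
        verdict, s, r = classify(queue)
        results[name] = (verdict, queue)
        print(f"{name:7s} queue={queue} slope={s:+.2f} rising={r:.2f} -> {verdict}")
    return results


if __name__ == "__main__":
    run_demo()
```

The normal series drains to zero repeatedly (its slope is slightly negative and it rises in only a third of the slots), while the attack series rises in every slot, which is the "bottleneck limit" behaviour the section attributes to the flood; on real data the service rate would be estimated from the drain rate of an idle period rather than fixed.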

Figure 1.  Normal Flow analysis through NS2.
Figure 2.  Under attack Flow Analysis through NS2.

3.  Results and Findings

Our experiments make the DDoS bot attack behave like the normal flow. For this purpose we use a randomizer function. These results and findings are based on further investigation of the authors' work. The flow graph presents the connection start procedure between the server and the client. Once the connection is constituted, the data frames begin to flow. The necessary features of a frame are shown in the flow graph. We can clearly observe, for example, the time of transmission, the size of the frame, the sequence number of the frame and the TCP ports used for constituting the connection. The viewer can also go through the graph from start to end and observe whether there are any re-transmits because of packet loss or timeouts.


The flow graph property can give a fast and effective way of checking the connections between a client computer and a server computer. It can also show if there are any problems with a TCP connection. The various problems may be: 1. Timeouts, 2. Re-transmitted frames and 3. Dropped connections.

Here two flow graphs are presented, one containing the captures when the attack was running and the other containing the flow graph under normal flow. The segregation has been done by protocol for easy reading and analysis, as most of the time UDP and ICMP activity is almost zero under normal circumstances.

3.1  Investigation of Flow Graph under Attack Scenarios

Investigation of the flow graph under the attack scenario shows the denial of service bot attack. Figure 3 shows the bot-infected web server throwing many packets from different IPs to the user's system, which causes the flooding attack. Hence the user is unable to perform any other activity (Figure 3).

3.2  Investigation of Normal Flow Graph

Investigation of the flow graph under the normal scenario shows the communication of the user with the respective system. Herein, Figure 4 and Figure 5 show the user's communicated IP and the responding IP. This shows the two-way communication. The first image depicts the request and communication of the sender and the second image depicts the response and communication of the receiver (Figure 5).

Figure 3.  Analysis of UDP Flow Graph under attack scenario.
Figure 4.  Analysis of Normal UDP Flow Graph.
Figure 5.  Analysis of Normal UDP Flow Graph.
Figure 6.  Average Flow Graph.


3.3  Investigation of Average Flow Graph

Figure 6 depicts the average flow graph of the UDP bot, in which communication is from both sides (Figure 6).

3.4  Comparison between Vital Elements Related to Network Traffic

Here we can see that the difference between the attack and normal flow is not that significant. The simulation algorithm used is so efficient, due to the use of the randomizer, that there are not many differentiating parameters between normal and attack flow. It is very hard to come up with an algorithm to differentiate this on a single use-case basis. This is why we need to implement big data and machine learning here, to optimize the efficiency of separating malicious packets and prevent the denial of service bot attack from becoming an issue (Figure 7).

From the values in Figure 7 we can see that the majority of the packets fall into the 40-79 packet length category, the only differentiating parameter being the rate, which is much lower when compared to the normal scenario (Figure 8).

Here we can see the average information for the various scenarios, as would be expected. The DDoS bot algorithm makes sure not to flag the avg. Packets/sec parameter: in the attack scenario it is lower than in the normal scenario, which is really not the case with the non-randomized simulators. The main features to look at here are the packet size, which is considerably lower in the attacking scenario when compared to the normal scenario. This also causes the average Bytes per second to drop when compared with the normal scenario.

4.  Conclusion

This paper gives the implementation of UDP bot flooding through different tools such as NS2 and Wireshark. We implemented two different scenarios, for NS2 and for Wireshark. We used a RED script and made a clone similar to the BoNeSi script and used it in NS2. We showed the comparison between the normal scenario and the attack scenario after the analysis of the random bot flooding attack.

We can implement an HPC (High Performance Computing) cluster for big data collection for analysis in future. The cluster is created on a Linux kernel using PelicanOS on multiple hardware machines. Since the data to be computed is so large, a single system would be ineffective against it. This cluster will provide us with data which can lead to the development of machine learning algorithms to be applied to filter out the unwanted traffic from a network. In future, we need to apply forensics, that is a post-mortem or investigation process, to the obtained results and work in the direction of mitigating the problem.
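The comparison of section 3.4 rests on the per-bucket counts of Figure 7 and the averages of Figure 8. The Python below is an added example, not the paper's tooling: it computes those figures from a capture's (timestamp, frame length) columns, on constructed sample captures. "Rate (ms)" is taken to be the bucket count divided by the capture duration in milliseconds, which is how Wireshark's Packet Lengths statistics define it (an assumption here; the paper's own numbers are consistent with it).

```python
"""Wireshark-style traffic summary used to compare an attack capture with a
normal one, as in section 3.4 (Figures 7 and 8).

Added example, not the paper's tooling.  Input is a list of
(timestamp_seconds, frame_length_bytes) pairs, the two columns one would
export from a capture; the output is the packet-length histogram of Figure 7
and the averages of Figure 8.  "Rate (ms)" is assumed to follow Wireshark's
convention: count divided by the capture duration in milliseconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Length buckets of Wireshark's Statistics > Packet Lengths view (as in Figure 7).
BUCKETS: List[Tuple[int, int]] = [
    (0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
    (640, 1279), (1280, 2559), (2560, 5119), (5120, 4294967295),
]


@dataclass
class Summary:
    duration_s: float
    packets: int
    avg_packets_per_s: float
    avg_packet_size: float
    avg_bytes_per_s: float
    avg_mbits_per_s: float
    # bucket label -> (count, rate per ms, percent of all packets)
    histogram: Dict[str, Tuple[int, float, float]]


def summarize(capture: List[Tuple[float, int]]) -> Summary:
    """Figure 7 histogram plus Figure 8 averages for one capture."""
    if not capture:
        raise ValueError("empty capture")
    times = [t for t, _ in capture]
    duration = max(times) - min(times)
    span = duration if duration > 0 else 1e-9   # a one-packet capture has no duration
    n = len(capture)
    total_bytes = sum(length for _, length in capture)
    histogram = {}
    for lo, hi in BUCKETS:
        count = sum(1 for _, length in capture if lo <= length <= hi)
        histogram[f"{lo}-{hi}"] = (count, count / (span * 1000.0), 100.0 * count / n)
    bytes_per_s = total_bytes / span
    return Summary(duration, n, n / span, total_bytes / n,
                   bytes_per_s, bytes_per_s * 8 / 1e6, histogram)


def compare(attack: Summary, normal: Summary) -> Dict[str, float]:
    """Attack/normal ratios of the Figure 8 metrics.  In the paper all three
    were below 1.0: the randomised flood kept rate and packet size under the
    normal baseline, which is what makes it hard to separate by thresholds."""
    return {
        "packets_per_s": attack.avg_packets_per_s / normal.avg_packets_per_s,
        "packet_size": attack.avg_packet_size / normal.avg_packet_size,
        "bytes_per_s": attack.avg_bytes_per_s / normal.avg_bytes_per_s,
    }


def render(summary: Summary) -> str:
    """Text table in the layout of Figures 7 and 8 for one capture."""
    lines = [f"{'Packet Length':<17}{'Count':>8}{'Rate (ms)':>12}{'Percent':>9}"]
    for label, (count, rate, pct) in summary.histogram.items():
        lines.append(f"{label:<17}{count:>8}{rate:>12.6f}{pct:>9.2f}")
    lines += [f"Avg. Packets/sec {summary.avg_packets_per_s:.3f}",
              f"Avg. Packet size {summary.avg_packet_size:.3f}",
              f"Avg. Bytes/sec   {summary.avg_bytes_per_s:.3f}",
              f"Avg. Mbits/sec   {summary.avg_mbits_per_s:.3f}"]
    return "\n".join(lines)


# Constructed captures (not measured data), 10 s each.
# Normal: 21 frames, one 60-byte request followed by two 1500-byte responses.
NORMAL_CAPTURE = [(i * 0.5, 60 if i % 3 == 0 else 1500) for i in range(21)]
# Attack: 41 frames of varying small sizes, as a randomised UDP flood would send.
ATTACK_CAPTURE = [(i * 0.25, (48, 64, 200, 400)[i % 4]) for i in range(41)]

NORMAL = summarize(NORMAL_CAPTURE)
ATTACK = summarize(ATTACK_CAPTURE)

if __name__ == "__main__":
    for name, s in (("Normal", NORMAL), ("Attack", ATTACK)):
        print(f"--- {name} scenario ({s.packets} packets, {s.duration_s:.1f} s)")
        print(render(s))
    print("attack/normal ratios:", compare(ATTACK, NORMAL))
```

Run stand-alone it prints both tables and the attack/normal ratios. In the constructed data the attack sends more packets per second but far fewer bytes per second, which illustrates why the section singles out packet size, rather than packet count, as the feature that differs; with the paper's own tables the counts per bucket (46.94 % versus 44.61 % in the 40-79 bucket) are indeed close while average packet size differs by almost 3x.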
                      Attack Scenario                     Normal Scenario
Packet Length         Count    Rate (ms)   Percent        Count    Rate (ms)   Percent
0-19                  0        0           0              0        0           0
20-39                 0        0           0              0        0           0
40-79                 195773   0.016205    46.94          35096    0.23204     44.61
80-159                25150    0.002082    6.03           8379     0.00554     10.65
160-319               84553    0.006999    20.27          2148     0.00142     2.73
320-639               111567   0.009235    26.75          5272     0.003486    6.7
640-1279              0        0           0              3204     0.002118    4.07
1280-2559             0        0           0              24575    0.016248    31.24
2560-5119             0        0           0              0        0           0
5120-4294967295       0        0           0              0        0           0

Figure 7.  Comparison chart of Bot Investigation.

                      Attack Scenario   Normal Scenario
Avg. Packets/sec      34.521            52.016
Avg. Packet size      200.444           580.134
Avg. Bytes/sec        6919.486          30176.302
Avg. Mbits/sec        0.055             0.241

Figure 8.  Traffic flow in different environment.

5.  References

1. Bijalwan A, Wazid M, Pilli ES, Joshi RC. Forensics of Random-UDP Flooding Attacks. Journal of Networks. 2015; 10(5):287–93.
2. Bhatia S, Schmidt D, Mohay G, Tickle A. A framework for generating realistic traffic for Distributed Denial-of-Service attacks and Flash Events. Computers & Security. 2014; 40:95–107.
3. Chen W, Yeung D-Y. Defending against TCP SYN flooding attacks under different types of IP spoofing. 2006 IEEE International Conference on Networking, Systems and Mobile Communications and Learning Technologies (ICN/ICONS/MCL); 2006.
4. Chen Y, Hwang K. Spectral analysis of TCP flows for defense against reduction-of-quality attacks. 2007 IEEE International Conference on Communications (ICC'07); 2007.
5. Chuiyi X, Yizhi Z, Yuan B, Shuoshan L, Qin X. A distributed intrusion detection system against flooding denial of services attacks. 2011 13th IEEE International Conference on Advanced Communication Technology (ICACT); 2011.


6. Gupta BB, Joshi RC, Misra M. ANN Based Scheme to Predict Number of Zombies in a DDoS Attack. IJ Network Security. 2012; 14(2):61–70.
7. Hussain SM, Beigh GR. Impact of DDoS attack (UDP Flooding) on queuing models. 2013 4th IEEE International Conference on Computer and Communication Technology (ICCCT); 2013.
8. Kim H, Kim B, Kim D, Kim I-K, Chung T-M. Implementation of GESNIC for web server protection against HTTP GET flooding attacks. Springer: Information Security Applications; 2012. p. 285–95.
9. Kong J, Mirza M, Shu J, Yoedhana C, Gerla M, Lu S. Random flow network modeling and simulations for DDoS attack mitigation. 2003 ICC'03 IEEE International Conference on Communication; 2003.
10. Li M, Li J, Zhao W, editors. Simulation study of flood attacking of ddos. 2008 IEEE International Conference on Internet Computing in Science and Engineering (ICICSE'08); 2008.
11. Mohay G, Ahmed E, Bhatia S, Nadarajan A, Ravindran B, Tickle AB, et al. Detection and mitigation of high-rate flooding attacks. Springer: An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks. 2011; p. 131–81.
12. Moustis D, Kotzanikolaou P. Evaluating security controls against HTTP-based DDoS attacks. 2013 4th IEEE International Conference on Information, Intelligence, Systems and Applications (IISA); 2013.
13. Rui X, Wen-Li M, Wen-Ling Z. Defending against UDP flooding by negative selection algorithm based on eigenvalue sets. 2009 5th IEEE International Conference on Information Assurance and Security (IAS'09); 2009.
14. Wang S, Sun Q, Zou H, Yang F. Detecting SYN flooding attacks based on traffic prediction. Security and Communication Networks. 2012; 5(10):1131–40.
15. Park J-S, Kim M-S. Design and implementation of an SNMP-based traffic flooding attack detection system. Springer: Challenges for Next Generation Network Operations and Service Management; 2008. p. 380–9.
16. Sajana T, Sheelarani CM, Narayana KV. A survey on clustering technique for big data mining. Indian Journal of Science and Technology. 2016 Jan; 9(3).
17. Milad T, Hassan H. CBC2: A Cloud-based Botnet Command and Control. Indian Journal of Science and Technology. 2015 Sep; 8(22). DOI: 10.17485/ijst/2015/v8i22/59773.
18. Vidhya S, Sheik Abdul Khader P. Deployment of Proposed Botnet Monitoring Platform Using Online Malware Analysis for Distributed Environment. Indian Journal of Science and Technology. 2014 Jan; 7(8). DOI: 10.17485/ijst/2014/v7i8/48583.
19. Mueen U, Raed A, Maha A. Intrusion Detection System to Detect DDoS Attack in Gnutella Hybrid P2P Network. Indian Journal of Science and Technology. 2013 Feb; 6(2). DOI: 10.17485/ijst/2013/v6i2/30585.
20. Tariq A, Abdullah A. Detection and Defense Mechanism against DDoS in MANET. Indian Journal of Science and Technology. 2015 Dec; 8(33). DOI: 10.17485/ijst/2015/v8i33/80152.
21. Mohammad SA, Amirgholipour SK, Mehdi A, Shakeri AB, Mohammad G. Availability Challenge of Cloud System under DDOS Attack. Indian Journal of Science and Technology. 2012 Jun; 5(6). DOI: 10.17485/ijst/2012/v5i6/30488.

