
PREVENTION OF SEVERE DENIAL-OF-SERVICE THREATS USING WRAPS

Guided by
Mrs. R.BHARATHI M.E.. (PhD),

Done by
N . Michael Franklin
ABSTRACT
• In critical application areas, information transmission must be kept secret and confidentiality should be ensured.

• DDoS attack: an attempt to make a computer resource unavailable to its intended users.

• Typically targets sites or services such as banks and credit card payment gateways.

• WRAPS defends against such attacks by granting privilege URLs to legitimate clients.

• Enables legitimate clients to connect to a website smoothly in spite of a very intensive flooding attack.

• Implemented on the website's edge routers at the cost of small overheads.

• Implemented and tested with .NET 3.5 Framework.


INTRODUCTION
20,000+ zombies issue requests that mimic legitimate browsing

[Figure: zombies send requests such as "GET File.zip" and "DO DBQuery" to www.annauniv.edu.in]

Requests look legitimate; standard filters don't help
FACTORS MOTIVATED DDoS ATTACK

• Revenue Loss

• Slow Network Performance

• Service Unavailability

• Service Disruption

• Processing Power Costs

• Communication Overhead
ATTACK MODEL
• It is assumed that adversaries can modify at most a small fraction of legitimate packets destined for the target website.

• Attackers capable of tampering with packets on a large scale.

• The attacker can launch a DDoS attack by simply destroying these packets.
EXISTING SYSTEM
• DoS attacks seek to render target systems inoperable and/or target networks inaccessible.

• "Traditional" DoS attacks generate a large amount of traffic from a given host or subnet, and it is possible for a site to detect such an attack in progress and defend itself.

• Distributed DoS attacks are designed as a coordinated attack from many sources simultaneously against one or more targets.

• Types of DoS attack control approaches

1. Overlay-Based Approaches
2. Capability-Based Approaches
EXISTING SYSTEM
Drawbacks

• A set of dedicated nodes collaborates to protect an important website, and needs to modify protocols and client-side software.

• Substantial difficulties for deployment.

• Overlay routing could increase end-to-end latency.

• All existing capability-based approaches require modifications to client-side software.
PROPOSED SYSTEM

• Effective defense against DDoS attacks is well known to be a challenging task because of the difficulty in eliminating the vulnerabilities introduced during the design and implementation of different network components, which can potentially be exploited by the adversary.

• In this paper, the WRAPS technique is aimed at "raising the bar," making a DDoS attack harder to launch and easier to contain.
WRAPS DESIGN
WRAPS – Web Referral Architecture for Privileged Services

[Figure: WRAPS design. Components: Client, Edge Router, Queues, Firewall, Web Server. Phases: privileged URL acquisition, privileged channel establishment.]
DESIGN
Privilege URL
• Sample URL format: http://<host>:<port>/<urlpath>

• Known as a fictitious URL; it does not address a web service.

• Contains a secret capability token.

• Verified at the edge routers.

• Translated by the edge routers.

• Hides the capability token inside the suffix of the destination IP field and the whole destination port field.

Privilege URL Fields

• Key Bit (1 bit)

• Priority Field

• Message Authentication Code (MAC)

Key Bit
• Used to indicate the authentication key (k)

• The target website shares this key with its edge routers

• Periodically updates its edge routers

Priority Field
• Optional field

• Allows the website to define more than one service priority

• Enables priority for different services for a particular user

• This project uses only one priority field for clarity of presentation
Message Authentication Code (MAC)
• MAC prevents adversaries from forging a capability token.

• MAC takes the message and secret key (k) as input.

• Produces the MAC using the SHA-1 algorithm.

• MAC generation is based on a cryptographically strong pseudorandom function (PRF).

• For a privileged client i, the MAC is denoted by

MAC(k, IPi)
k – Secret key
IPi – Client i's IP address
Message Authentication Code
Protection Mechanism – Privilege Acquisition

Ti(t) = bt || Pi || MAC(K(t), IPi)

Ti = Capability Token
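
Added example (not part of the original slides or the project's .NET code): issuing the capability token Ti(t), hiding it in the destination IP suffix and port, and checking it at an edge router. The field widths, the /24 prefix, HMAC-SHA1 as the PRF, the keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumed layout (widths are not given on the slides): 24 token bits =
# last octet of the destination IP + 16-bit destination port, split as
# 1 key bit | 3 priority bits | 20 MAC bits.
PRIO_BITS, MAC_BITS = 3, 20


def mac(key: bytes, client_ip: str) -> int:
    """MAC(k, IPi): HMAC-SHA1 (assumed PRF) over the IP, truncated to MAC_BITS."""
    digest = hmac.new(key, ipaddress.ip_address(client_ip).packed, hashlib.sha1).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - MAC_BITS)


def issue_token(keys: dict, key_bit: int, priority: int, client_ip: str) -> int:
    """Ti(t) = bt || Pi || MAC(K(t), IPi), packed into a 24-bit integer."""
    if key_bit not in keys or not 0 <= priority < (1 << PRIO_BITS):
        raise ValueError("bad key bit or priority")
    return (key_bit << (PRIO_BITS + MAC_BITS)) | (priority << MAC_BITS) | mac(keys[key_bit], client_ip)


def to_privilege_address(prefix: str, token: int):
    """Hide the token in the IP suffix and the whole port field (/24 assumed)."""
    base = ipaddress.ip_network(prefix).network_address
    return str(base + (token >> 16)), token & 0xFFFF


def verify_at_edge(keys: dict, prefix: str, src_ip: str, dst_ip: str, dst_port: int):
    """Edge-router check: return the priority if the token matches src_ip, else None."""
    dst = ipaddress.ip_address(dst_ip)
    if dst not in ipaddress.ip_network(prefix):
        return None
    token = ((int(dst) & 0xFF) << 16) | dst_port
    key_bit = token >> (PRIO_BITS + MAC_BITS)
    priority = (token >> MAC_BITS) & ((1 << PRIO_BITS) - 1)
    presented = token & ((1 << MAC_BITS) - 1)
    expected = mac(keys[key_bit], src_ip)  # the key bit selects which shared key to use
    ok = hmac.compare_digest(presented.to_bytes(3, "big"), expected.to_bytes(3, "big"))
    return priority if ok else None


# Constructed sample values (documentation address ranges, made-up keys).
KEYS = {0: b"previous-key-constructed", 1: b"current-key-constructed"}
PREFIX, CLIENT = "203.0.113.0/24", "198.51.100.7"
IP, PORT = to_privilege_address(PREFIX, issue_token(KEYS, 1, 2, CLIENT))
print(IP, PORT, verify_at_edge(KEYS, PREFIX, CLIENT, IP, PORT))
```

Because the MAC is bound to the client's IP address, the same address and port presented from a different source fails the check, which is also why the scheme supports only clients with fixed IP addresses.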
Protection Mechanism – Privileged Channel Establishment
DESIGN

Referral Protocol

A.B.C.Tr = Client referrer request to server

A.B.C.Ti = fictitious URL


IMPLEMENTATION
WRAPS elements – packet forwarding
IMPLEMENTATION

Modules used

Attacker
Client
Edge Router
Firewall
Queue
Server
ADVANTAGES

• WRAPS does not require installing anything on a Web client.
• WRAPS allows referral websites to offer a very lightweight referral service.
• WRAPS also alters neither protocols nor client software.
• WRAPS does not change packets' routing paths.
LIMITATION

• Supports only clients that use fixed IP addresses.
• WRAPS is not transparent to users, and would require client-side modifications to make it transparent.
• WRAPS requires modifying edge routers to add a mechanism for capability verification, which may affect its deployment.
FUTURE ENHANCEMENT

• The confidentiality of the privilege URL should be maintained by the client; if violated, it leads to cross-site scripting attacks.
• Multi-tier architecture is the basis of this project. Every future computer development is based on n-tier applications.
• Suits distributed enterprise applications well.
• To control traffic, replication of the middle tier can be done.
• Re-compilation of the components is not needed.
• High processing speed.
