TRIBHUVAN UNIVERSITY
INSTITUTE OF ENGINEERING
PULCHOWK CAMPUS
Thesis No: 068/MSI/619
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK
DETECTION IN CLOUD ENVIRONMENT
By
Shalik Ram Subedi
(CRN: 068/MSI/619)
A MID TERM THESIS REPORT
SUBMITTED TO MASTERS OF SCIENCE IN INFORMATION AND
COMMUNICATION ENGINEERING
DEPARTMENT OF ELECTRONICS AND COMPUTER ENGINEERING
March, 2015
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK
DETECTION IN CLOUD ENVIRONMENT
By
Shalik Ram Subedi
(CRN: 2068/MSI/619)
Thesis Supervisor
Prof. Dr. Subarna Shakya
Department of Electronics and Computer Engineering
Institute of Engineering, Pulchowk Campus
A thesis submitted in partial fulfillment of the requirement for the degree of
Master of Science in Information and Communication Engineering
Department of Electronics and Computer Engineering
Institute of Engineering, Pulchowk Campus
Tribhuvan University
Lalitpur, Nepal
March, 2015
COPYRIGHT ©
The author has agreed that the library, Department of Electronics and Computer
Engineering, Institute of Engineering, Pulchowk Campus, may make this thesis freely
available for inspection. Moreover the author has agreed that the permission for extensive
copying of this thesis work for scholarly purpose may be granted by the professor who
supervised this work recorded herein or, in their absence, by the Head of Department,
wherein this thesis was done. It is understood that the recognition will be given to the
author of this thesis and to the Department of Electronics and Computer Engineering,
Pulchowk Campus in any use of the material of this thesis. Copying of publication or
other use of this thesis for financial gain without approval of the Department of
Electronics and Computer Engineering, Institute of Engineering, Pulchowk Campus and
author’s written permission is prohibited.
Request for permission to copy or to make any use of the material in this thesis in whole
or part should be addressed to:
Head of Department
Department of Electronics and Computer Engineering
Institute Of Engineering
Pulchowk Campus
Lalitpur, Nepal
Recommendation
The undersigned certify that it has been read and recommended to the Department of
Electronics and Computer Engineering for acceptance, a thesis entitled “Distributed
Denial of Service (DDoS) Attack Detection in Cloud Environment” , submitted by
Shalik Ram Subedi in partial fulfillment of the requirement for the award of the degree
of “Master of Science in Information and Communication Engineering”.
Supervisor: Prof. Dr. Subarna Shakya
Department of Electronics and Computer Engineering,
Institute of Engineering,
Pulchowk Campus
Executive Summary
Cloud computing is a recent computing model based on service-oriented architecture.
It has revolutionized the IT world by providing a dynamic resource provisioning
mechanism that enables service providers to allocate computing and storage resources to
subscribers as per their need. The resource allocation is scalable and is charged on a per-use
basis. This model has reduced the investment of corporate houses in IT infrastructure and
software licenses. Many researchers have studied the security issues of the cloud in
maintaining data confidentiality, data integrity and availability. Confidentiality and data
integrity are maintained by applying digital signatures and certificates. To
maintain access control, firewalls, proxies and authentication servers are used. Availability
is threatened by denial of service attacks using IP spoofing and flooding. Intrusion detection
and prevention systems have been designed and applied to counter them. Categorically, these
systems are signature-based or anomaly-based detectors. Signature-based detectors are fast
and accurate but cannot detect anomalous behaviour. Anomaly-based detectors analyse
features of IP packets such as IP addresses, ports, flow labels and hop counts. This thesis
work focuses on the implementation of an intrusion detection system based on the
calculation of the entropy of the incoming traffic. The features of the packets captured from
the incoming flows are extracted and the entropy of the source IP address is calculated over
the packets in windows of different sizes. If the normalized entropy deviates from the
threshold, an attack is suspected. The cluster entropy of the traffic is then calculated to see
whether the entropy change is due to a flash event. If a flash event is not confirmed, an
attack alert is generated.
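The window-entropy procedure described above, as an added example that is not part of the thesis: normalized source-IP entropy per fixed-size packet window, thresholds learnt from normal windows, and a scan of a constructed stream containing a randomly spoofed flood and a single-source flood. The normalization by log2 of the number of distinct sources and the mean ± k·stddev threshold rule are assumptions; the thesis's own threshold and its cluster-entropy flash-event check are not reproduced here.

```python
# Added example (not the thesis's own code): sliding-window source-IP entropy
# detector following the procedure in the executive summary. Assumptions:
# normalization divides Shannon entropy by log2(distinct sources in the window),
# and the threshold is mean +/- k*stddev of the normalized entropy of normal
# traffic. All traffic below is constructed, not a real capture.
import math
from collections import Counter
from typing import Dict, List, Tuple

def shannon_entropy(counts: Dict[str, int]) -> float:
    """Shannon entropy (bits) of the source-IP distribution in one window."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def normalized_entropy(counts: Dict[str, int]) -> float:
    """H / log2(N). 1.0: every distinct source sent equally many packets
    (typical of randomly spoofed sources); 0.0: a single source sent everything."""
    n = len(counts)
    if n <= 1:
        return 0.0
    return shannon_entropy(counts) / math.log2(n)

def window_entropies(src_ips: List[str], window_size: int) -> List[float]:
    """Normalized entropy for each consecutive block of window_size packets."""
    return [normalized_entropy(Counter(src_ips[i:i + window_size]))
            for i in range(0, len(src_ips) - window_size + 1, window_size)]

def threshold_from_normal(ne_values: List[float], k: float = 3.0) -> Tuple[float, float]:
    """Bounds learnt from normal traffic: mean -/+ k * population stddev."""
    mean = sum(ne_values) / len(ne_values)
    std = math.sqrt(sum((v - mean) ** 2 for v in ne_values) / len(ne_values))
    return mean - k * std, mean + k * std

def detect(src_ips: List[str], window_size: int, low: float, high: float):
    """(window index, NE) for every window whose NE falls outside [low, high]."""
    return [(i, round(ne, 3))
            for i, ne in enumerate(window_entropies(src_ips, window_size))
            if ne < low or ne > high]

# ---- constructed sample traffic ----
def _expand(counts: Dict[str, int]) -> List[str]:
    """Flatten {ip: packets} into an arrival-ordered packet list (round-robin)."""
    out, remaining = [], dict(counts)
    while remaining:
        for ip in list(remaining):
            out.append(ip)
            remaining[ip] -= 1
            if remaining[ip] == 0:
                del remaining[ip]
    return out

def _normal_window(profile: List[int]) -> List[str]:
    """A skewed client mix: a few heavy clients and many light ones (sums to WINDOW)."""
    return _expand({f"10.0.0.{i + 1}": c for i, c in enumerate(profile)})

WINDOW = 50
NORMAL_PROFILES = [
    [12, 9, 7, 6, 5, 4, 3, 2, 1, 1],
    [11, 9, 8, 6, 5, 4, 3, 2, 1, 1],
    [13, 9, 7, 6, 5, 4, 3, 1, 1, 1],
]
SPOOFED_FLOOD = [f"198.51.100.{i}" for i in range(WINDOW)]  # 50 distinct spoofed sources
SINGLE_SOURCE = ["203.0.113.7"] * WINDOW                     # 50 packets from one source

def run_demo() -> dict:
    """Learn thresholds from normal windows, then scan a mixed stream."""
    baseline = [ip for p in NORMAL_PROFILES for ip in _normal_window(p)]
    low, high = threshold_from_normal(window_entropies(baseline, WINDOW))
    monitored = (_normal_window(NORMAL_PROFILES[0]) + SPOOFED_FLOOD
                 + _normal_window(NORMAL_PROFILES[1]) + SINGLE_SOURCE)
    return {"low": low, "high": high, "alerts": detect(monitored, WINDOW, low, high)}

if __name__ == "__main__":
    print(run_demo())  # windows 1 (NE 1.0) and 3 (NE 0.0) are flagged
```

Normal windows of this shape score roughly 0.88 to 0.90, so both the fully uniform spoofed window and the single-source window fall outside the learnt band; a botnet whose bots each send a similar share of packets would also push the value towards 1.0.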
Acknowledgement
Many people have contributed in various ways to bring this work to this stage; without
their constant support and motivation it would not have been a success. First and foremost, I
would like to express my sincere thanks and gratitude to my supervisor Prof. Dr. Subarna
Shakya for his constant guidance, empowerment and support. His vision for the research
work and friendly manner always encouraged me to move forward. Secondly, I appreciate the
support and encouragement from my family members, especially my wife Sabina and son
Shirshastha, who never let me feel alone.
During the study and inception period many friends have given ideas to shape the
framework of the thesis. My thanks go to Kamal Chapagain, Devnarayan Paudel and
Niranjan Baral for their support. I would like to thank DETER lab for providing me the
online experimentation facility.
I am grateful to all the members of faculty in the Department of Electronics and
Computer Engineering, especially Prof. Dr. Sashidharram Joshi for his encouragement in
this area of research and Asst. Prof. Dayasagar Baral for his support in capturing the normal
real-time traffic on the server of the Centre for Information Technology. Last but not least, I
would like to thank program coordinator Asso. Prof. Surendra Shrestha for his guidance.
Contents
Acknowledgement …… 5
Executive Summary …… 6
List of Figures …… 9
List of Tables …… 10
Abbreviation …… 11
1. Introduction …… 12
1.1 Background and Motivation …… 13
1.2 Objectives and Scope …… 14
1.3 Organization of Thesis …… 14
2. Background and Related Works …… 16
2.1 Overview of Cloud Computing …… 16
2.2 Cloud Security Issues …… 18
2.3 Distributed Denial-of-Service (DDoS) Attacks …… 22
2.3.1 Classification of DDoS Attacks …… 23
2.3.1.1 High-Rate Flooding (HRF) Attack …… 24
2.3.1.2 Semantic Attacks …… 27
2.3.2 Target of DDoS Attack …… 28
2.3.3 DDoS Attack Tools …… 29
2.4 Flash Events …… 30
2.5 DDoS Attack Detection …… 31
2.5.1 Network Traffic Feature Analysis Based DDoS Detection …… 32
2.5.2 SNMP MIB Data Analysis Based DDoS Detection …… 33
3. Research Methodology …… 35
3.1 Data Collection …… 35
3.2 Block Diagram …… 37
3.3 Algorithm for Entropy Calculation …… 38
3.3.1 Entropy …… 38
3.3.2 Algorithm …… 39
3.4 Experimental Setup …… 40
4. Results and Discussion …… 41
4.1 Entropy of Normal Traffic …… 41
4.2 Entropy of Attack Traffic …… 42
4.3 Discussion and Remaining Works …… 43
5. Bibliography …… 44
List of Figures
2.1 NIST visual model of cloud computing definition …… 17
2.2 Taxonomy of DDoS Attack …… 23
2.3 Three way handshake of TCP connection …… 34
3.1 Block diagram of DDoS detection system …… 37
3.2 Experiment setup in DETER test-bed …… 41
4.1 Graph showing entropy of source IP address of traffic of IOE web server …… 42
4.2 Graph showing entropy of source IP address of attack traffic …… 43
List of Tables
2.1 Cloud computing security issues identified by Cloud Security Alliance …… 19
2.2 Cloud computing security issues identified by ENISA …… 20
2.3 Cloud computing security issues identified by NIST …… 21
2.4 Common tools for launching DDoS attack …… 22
2.5 Commonly used SNMP MIB variables …… 34
3.1 Basic statistics of normal traffic of IOE web server …… 36
3.2 Basic statistics of attack traffic taken from CAIDA dataset …… 37
4.1 Mean and standard deviation of normal traffic in different window size …… 42
4.2 Mean and standard deviation of attack traffic in different window size …… 43
Abbreviations
CAIDA: Centre for Applied Internet Data Analysis
CC: Cluster Controller
CDN: Content Distribution Network
CLC: Cloud Controller
CNN: Cable News Network
CSA: Cloud Security Alliance
DDoS: Distributed Denial of Service
DoS: Denial of Service
DETER: Cyber defense technology experimental research
EC2: Elastic Cloud Computing
ENISA: European Network and Information Security Agency
FE: Flash Event
GAE: Google App Engine
HRF: High Rate Flooding
HTTP: Hypertext Transfer Protocol
IaaS: Infrastructure as a Service
ICMP: Internet control message protocol
IDS: Intrusion detection system
IP: Internet Protocol
IPS: Intrusion Prevention System
JSON: JavaScript Object Notation
MIB: Management Information Base
NC: Node Controller
NE: Normalized Entropy
NIST: National Institute of Science and Technology
PaaS: Platform as a Service
PoD: Ping of Death
RBF: Radial Basis Function
SaaS: Software as a Service
SEER: Security Experimentation Environment
SIP: Session Initiation Protocol
SNMP: Simple Network Management Protocol
SOAP: Simple Object Access Protocol
SSL: Socket Security Layer
UDP: User Datagram Protocol
VM: Virtual Machine
WS: Web Service
XML: Extensible Markup Language
1. Introduction
Cloud has changed the computing paradigm, shifting conventional in-house,
infrastructure-based computing into computing as a utility from a service provider. Cloud
service providers provide infrastructure, platform or software as a service and users pay on a
per-use basis [1]. The high investment in hardware, system software, application software
and the cost of maintenance have been greatly reduced by the adoption of cloud
services in social and business corporations. The revenue of cloud computing has been
rising and is expected to keep rising in coming years.
Though adoption of cloud is increasing, business organizations raise concerns about the
security of the data they store in systems they do not own. Cloud service providers have
adopted various security measures such as authentication, encryption, digital certificates,
firewalls, intrusion detection systems and intrusion prevention systems. But the system is
still vulnerable to various attacks that compromise confidentiality, data integrity and
availability [2]. Among these, the threat against availability is the most serious
because it makes the service unavailable and hampers the customer satisfaction index.
A Denial of Service (DoS) attack occurs whenever access to a network resource or service
is intentionally prevented or degraded as a result of a malicious action. Resource
exhaustion has been the most popular method of materializing a DoS attack, by flooding the
network with malicious requests or messages. The intensity of such an attack is increased by
employing a set of compromised computers over the Internet forming a network called a
botnet; the attack so launched is called a Distributed DoS (DDoS) attack. Various
approaches have been proposed and utilized to maintain high availability of services by
protecting them from Denial of Service (DoS) attacks. Broadly, intrusion detection
systems can be divided into two types: signature-based and anomaly-based. Signature-based
detectors apply a rule set against each access or packet and block
access from unauthorized or untrusted sources. This thesis focuses on the anomaly-based
intrusion detection technique to detect denial of service attacks in the cloud environment.
To detect anomalies in the incoming stream of network traffic, the source address entropy
and traffic cluster entropy of normal and attack traffic are compared. The proposed
intrusion detection system will be placed near the cluster controller and in a VM to measure
the detection overhead.
The rest of this chapter is organized as follows. Section 1.1 briefly describes DoS and
DDoS attacks. Section 2.2 outlines the motivation of the research work in the area of
security of cloud services. Next, section 1.3 illustrates the objectives and scope of the
study, and finally section 1.4 outlines the overall structure of the thesis.
1.1 Background and Motivation
The first recorded DoS attack occurred in 1974 at the Computer-based Education
Research Laboratory (CERL) at the University of Illinois Urbana-Champaign. The attack
was carried out by forcing 31 computers to power off simultaneously, exploiting the default
configuration of PLATO terminals running the TUTOR programming language [4]. In
1998, the Morris worm, a computer program written by a graduate student of Cornell
University, paralyzed the Internet in its early stage [5].
Two years later, in 2000, the commercial websites of eBay, CNN and Yahoo were flooded
with a large number of malicious requests, forcing them down and causing significant
financial loss [6]. Such attacks use the potential of hundreds and sometimes thousands of
compromised computers on the Internet, forming a botnet. The attack is then termed a High
Rate Flooding (HRF) attack or Distributed Denial of Service (DDoS) attack. The
magnitude, complexity and frequency of DDoS attacks have been increasing day by day
with the number of attack tools and techniques. Prolexic Inc., a DDoS detection and
mitigation company, claimed to have recorded a DDoS attack with a peak bandwidth of
4.63 Gbps in the third quarter of 2013 [7]. The report highlights the rise of DDoS attacks.
A service hosted by a cloud service provider has a set of allocated memory, CPU usage,
network bandwidth and file input/output capacity based on the Service Level Agreement
(SLA) between the client and the cloud service provider. Clients pay on a pay-per-use
basis. A DDoS attack may breach the SLA of the service, which directly causes financial
loss to cloud service users. DDoS detection and mitigation therefore remains an
active area of research.
1.2 Objectives and scope
Maintaining data confidentiality, data integrity and availability is the main concern of
any cloud service provider. This thesis focuses on the availability aspect of the cloud
service. Availability is always threatened by denial of service attacks. The main aim of the
thesis is to study the implementation of an anomaly detection mechanism based on the
entropy of the incoming traffic flow. Thus, this thesis work has the following objectives.
1.2.1 General Objective
To study the detection of DDoS attack by calculating entropy of the incoming network
traffic in cloud environment.
1.2.2 Specific Objectives
1. To implement entropy based DDoS attack detection mechanism by capturing the
incoming traffic to a server in cloud environment.
2. To differentiate DDoS attack from Flash Event traffic.
1.3 Organization of Thesis
After the introduction and motivation, chapter one concludes with the objectives of the
thesis work. The rest of the thesis is organized as follows: chapter two highlights the existing
research and literature in the area of network and cloud intrusion detection systems; the
theoretical concepts of cloud, DDoS attacks, tools for executing attacks, and techniques of
attack detection are illustrated. Chapter three presents the approach for DDoS detection
based on the entropy of the source IP addresses of the incoming traffic. This chapter also
highlights the difference between a high-rate flooding attack and legitimate high-rate traffic
in a network. The results and inferences are depicted in chapter four. Chapter five
highlights the contributions and further work of the research in the area of DDoS
detection in the cloud environment.
2. Background and Related Works
In 1961, John McCarthy envisioned that “computation may someday be organized as a
public utility.” The cloud computing paradigm can be viewed as a big step toward his
vision. Cloud computing is an emerging approach in which computing resources are
delivered as commoditized services, in a style similar to conventional utilities such as
water, gas, electricity and telephony. In such a model, customers access services based on
their requirements without knowing where the services are hosted or how they are delivered.
According to the official National Institute of Science and Technology (NIST) definition,
"cloud computing is a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction" [1].
2.1 Overview of Cloud Computing
The combination of virtualization, distributed computing and service-oriented
architecture creates a new computing paradigm called Cloud Computing. Based on the
level of abstraction, there are three major scenarios in cloud computing [2].
• Infrastructure as a Service (IaaS) refers to a service that exposes hardware resources to users. Amazon EC2 is a successful IaaS implementation in the market.
• Platform as a Service (PaaS) provides computational resources as high-level application platforms. Google App Engine (GAE) and Amazon Web Service (AWS) are examples of PaaS.
• Software as a Service (SaaS) focuses on exposing software functions as services (i.e. WS). Many service providers, including Google, Yahoo and Amazon, offer their software functions as WS. Programmable Web has collected thousands of Web APIs from various categories.
Figure 2.1: NIST visual model of cloud computing definition. Essential Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On-Demand Self-Service, Resource Pooling. Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Deployment Models: Public, Private, Community, Hybrid.
Cloud services can be deployed in one of four models: public, private, community
and hybrid cloud. Cloud infrastructure that is made available to the general public
or a large industry group is termed a public cloud; it is owned by an organization selling
cloud services. On the other hand, a private cloud infrastructure is operated solely for a
single organization. It may be managed by the organization or a third party, and may exist
on-premises or off-premises. Cloud infrastructure that is shared by several organizations and
supports a specific community with shared concerns (e.g., mission, security
requirements, policy, or compliance considerations) falls in the community cloud category.
A hybrid cloud deployment is a composition of two or more clouds (private, community, or
public) that remain unique entities but are bound together by standardized or proprietary
technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
2.2 Cloud Security Issues
The security-related issues that should be taken into account while adopting cloud
computing are outlined mainly by three institutions: the Cloud Security Alliance
(CSA), the European Network and Information Security Agency (ENISA) and the National
Institute of Standards and Technology (NIST). CSA was founded by industry representatives
such as Google, Microsoft, IBM, Salesforce.com and VMware. ENISA and NIST are
government-funded institutions from Europe and the USA respectively.
Security issues identified by CSA are documented in the guideline document "Security
Guidance for Critical Areas of Focus in Cloud Computing". The document highlights
twelve major issues and elaborates some of them into sub-issues, summarized in table 2.1.
CSA has also identified the top seven security threats to cloud computing: abuse and
nefarious use of cloud computing, insecure application programming interfaces, malicious
insiders, shared technology vulnerabilities, data loss/leakage, account, service and traffic
hijacking, and unknown risk profile [8]. DDoS is a serious threat to the cloud computing
environment because it is a devastating attack, many attackers are involved in exploiting
the loopholes of the system, and the attackers usually disguise or spoof the source IP
address field of the packet header.
Security Issues and Discussed Sub-Issues
1. Governance and Enterprise Risk Management: 1.1 Governance; 1.2 Enterprise Risk Management; 1.3 Information Risk Management; 1.4 Third Party Management
2. Legal and Electronic Discovery
3. Compliance and Audit
4. Information Lifecycle Management: 4.1 Data Security; 4.2 Data Location; 4.3 Data Remanence; 4.4 Data Commingling; 4.5 Data Backup/Recovery; 4.6 Data Discovery; 4.7 Data Aggregation
5. Portability and Interoperability
6. Traditional Security, Business Continuity and Disaster Recovery
7. Data Center Operations
8. Incident Response, Notification and Remediation
9. Application Security
10. Encryption and Key Management: 10.1 Encrypting Data in Transit; 10.2 Encrypting Data at Rest; 10.3 Encrypting Backup Data; 10.4 Secure Key Stores; 10.5 Access to Key Stores; 10.6 Key Backup and Recovery
11. Identity and Access Management: 11.1 Identity Provisioning; 11.2 Authentication; 11.3 Federation; 11.4 Authorization and User Profile Management
12. Virtualization
Table 2.1: Cloud computing security issues identified by Cloud Security Alliance
The document on cloud security issues put forward by the European Network and
Information Security Agency (ENISA) is entitled “Cloud Computing: Benefits, risks
and recommendations for information security”. The overall issues are divided into three
categories: 1) policy and organizational issues, 2) technical issues and 3) legal issues
[8]. Distributed denial of service attack is one of the technical issues. A summary of
the issues is given in table 2.2.
Policy and Organizational Issues
1. Lock-in
2. Loss of governance
3. Compliance challenges
4. Loss of Business Reputation due to Co-Tenant Activities
5. Cloud Service Termination or Failure
6. Cloud Provider Acquisition
7. Supply Chain Failure
Technical Issues
8. Resource Exhaustion
9. Isolation Failure
10. Cloud Provider Malicious Insider
11. Management Interface Compromise
12. Intercepting Data in Transit
13. Data Leakage on Up/Download
14. Insecure or Ineffective Deletion of Data
15. Distributed Denial of Service and Economic Denial of Service
16. Loss of Encryption Keys
17. Undertaking Malicious Probes or Scans
18. Compromise Service Engine
19. Conflicts between Customer Hardening Procedures and Cloud Environment
Legal Issues
21. E-Discovery and Risk from Changes of Jurisdiction
23. Data Protection and Licensing Risks
Table 2.2: Cloud computing security issues identified by ENISA
NIST has prepared a document for adoption of cloud computing in all walks of life. The
document entitled "Guidelines on Security and Privacy in Public Cloud Computing"
discusses nine prominent issues which are presented below.
Security Issues and Discussed Sub-Issues
1. Governance
2. Compliance: 2.1 Data Location Compliance; 2.2 Electronic Discovery
3. Trust: 3.1 Insider Access; 3.2 Data Ownership; 3.3 Composite Services; 3.4 Visibility; 3.5 Risk Management
4. Architecture: 4.1 VM Monitor Protection; 4.2 Virtual Network Protection; 4.3 Ancillary Data Protection; 4.4 Client-Side Protection; 4.5 Server-Side Protection
5. Identity and Access Management: 5.1 Authentication; 5.2 Access Control
6. Software Isolation: 6.1 VM Monitor Quality; 6.2 Threats from Co-Tenant VMs
7. Data Protection: 7.1 Data Isolation; 7.2 Secure Deletion of Data
8. Availability: 8.1 Outages; 8.2 DDoS Attacks; 8.3 Availability Threats from Data Collocation
9. Incident Response
Table 2.3: Cloud computing security issues identified by NIST
One of the major issues in the NIST document is availability, which is again described by three
sub-issues: outages, DDoS attacks and availability threats from data collocation. Thus all
three documents have highlighted denial of service attack as one of the major security issues
of cloud computing.
2.3 Distributed Denial-of-Service (DDoS) Attacks
Denial of service (DoS) attacks attempt to make Internet resources and services
unavailable to their intended users. A very common method of DoS attack involves
saturating the victim machine with external communication requests so that it cannot
respond to legitimate traffic. Distributed denial of service (DDoS) attacks
do so by sending these external requests from many compromised machines
(zombies, daemons, agents, slaves, etc.) distributed around the world. These legitimate-looking
requests bring down the victim server by consuming scarce resources, for
example CPU cycles, memory, and bandwidth of the victim machine or network. DDoS
attacks are launched almost every day. Even the most prominent websites, such as Twitter,
Facebook and Google, have not escaped being hit by them, which
affected millions of their users. The most prominent cases were the DDoS
incidents that targeted the White House, the Federal Trade Commission, the Department of the
Treasury, the Washington Post, the New York Stock Exchange, NASDAQ and others [10]. The
intensity of attacks has been increasing day by day in terms of the volume of attack traffic
and the number of attacks.
2.3.1 Classification of DDoS Attacks
Mirkovic et al. classified DDoS attacks based on degree of automation, exploited
weakness, attack rate dynamics, source address validity, spoofing technique, impact,
victim type and persistence [10]. This thesis focuses on High-Rate Flooding (HRF)
DDoS attacks against computing and networking resources. Some examples
of such attacks are given in figure 2.2. Both High-Rate Flooding and Semantic attacks can
occur either in the TCP/IP layer or in the application layer of the TCP/IP protocol stack. ICMP
echo flood, HTTP flood and SSL flood are examples of HRF, whereas teardrop, ping of
death and deeply nested XML are examples of semantic attacks.
Figure 2.2: Taxonomy of DDoS Attack. Attack types: High Rate Flooding and Semantic, each occurring at the TCP/IP (network) layer or the application layer. Examples: ICMP flood, HTTP flood, SSL flood (High Rate Flooding); Teardrop, Ping of death, Deeply nested XML (Semantic).
2.3.1.1 High-Rate Flooding (HRF) Attack
The main aim of an HRF attack is to flood the victim service in the cloud with unwanted
traffic, consuming the bandwidth and computing power allocated to the service and thus
compromising its ability to deliver services to its legitimate clients. Some of the common
flooding attacks are described below.
Figure 2.3: Three way handshake of TCP connection. Client C sends SYNc to Server S; the server replies with ACKc+SYNs; the client completes the handshake with ACKs.
TCP SYN Flood Attacks
A SYN flood attack exploits a weakness of the TCP three-way handshake: the
server must allocate a data structure for every incoming SYN packet regardless of its
authenticity. During a SYN flood attack, SYN packets are sent by the attacker with
unknown or non-existent source IP addresses. In the three-way handshake the
server stores the request information from the client in memory and then waits
for the client's confirmation. Because the source IP addresses in a SYN flood attack are
unknown or non-existent, the confirmation packets for the requests created by the flood
never arrive. Each half-open connection accumulates in memory until
it times out, so the table of half-open connections fills up. Consequently, no new requests can be
processed, and the services of the system are disabled. SYN flood attacks are therefore
considered one of the most powerful flooding methods [11].
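As an added illustration (not code from the thesis), a simplified model of the half-open connection table just described, run over a constructed packet trace, together with a per-second SYN-to-ACK ratio that a defender can watch for the accumulation of unanswered SYNs. The table capacity, the timeout and all addresses are assumed values.

```python
# Added example (not from the thesis): a simplified model of the server-side
# half-open connection table described above, fed with a constructed packet
# trace, plus a per-second SYN/ACK ratio indicator a defender could watch.
# Capacity, timeout and all addresses are assumptions, not real measurements.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Pkt:
    t: float      # arrival time in seconds
    src: str      # source IP address
    flags: str    # "SYN" = connection request, "ACK" = client's final handshake ACK

class HalfOpenTable:
    """One entry per SYN answered with SYN+ACK but not yet acknowledged."""
    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.pending: Dict[str, float] = {}   # src -> time the SYN was accepted
        self.completed: List[str] = []
        self.dropped: List[str] = []

    def _expire(self, now: float) -> None:
        """Half-open entries are only released when they time out."""
        for src, t0 in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[src]

    def process(self, pkt: Pkt) -> None:
        self._expire(pkt.t)
        if pkt.flags == "SYN":
            if len(self.pending) >= self.capacity:
                self.dropped.append(pkt.src)    # table full: request refused
            else:
                self.pending[pkt.src] = pkt.t   # SYN+ACK sent, waiting for ACK
        elif pkt.flags == "ACK" and pkt.src in self.pending:
            del self.pending[pkt.src]
            self.completed.append(pkt.src)

def syn_flood_alerts(trace: List[Pkt], bucket: float = 1.0,
                     min_syns: int = 20, min_ack_ratio: float = 0.5) -> List[int]:
    """Buckets (of `bucket` seconds) with many SYNs but few completing ACKs."""
    syns, acks = defaultdict(int), defaultdict(int)
    for p in trace:
        b = int(p.t // bucket)
        if p.flags == "SYN":
            syns[b] += 1
        elif p.flags == "ACK":
            acks[b] += 1
    return sorted(b for b, n in syns.items()
                  if n >= min_syns and acks[b] / n < min_ack_ratio)

def build_trace() -> List[Pkt]:
    """Constructed trace: legitimate clients, a burst of never-acknowledged SYNs
    from unreachable sources, then two more legitimate clients."""
    trace = []
    for i in range(1, 11):               # legitimate clients ACK within 20 ms
        t = (i - 1) * 0.1
        trace += [Pkt(t, f"192.0.2.{i}", "SYN"), Pkt(t + 0.02, f"192.0.2.{i}", "ACK")]
    for i in range(200):                 # 200 SYNs in one second, no ACK ever follows
        trace.append(Pkt(1.0 + i * 0.005, f"198.51.100.{i}", "SYN"))
    trace += [Pkt(2.5, "192.0.2.11", "SYN"), Pkt(2.52, "192.0.2.11", "ACK")]  # during flood
    trace += [Pkt(6.0, "192.0.2.12", "SYN"), Pkt(6.02, "192.0.2.12", "ACK")]  # after timeout
    return sorted(trace, key=lambda p: p.t)

def run_demo(capacity: int = 128, timeout: float = 3.0) -> dict:
    table = HalfOpenTable(capacity, timeout)
    trace = build_trace()
    for p in trace:
        table.process(p)
    return {"completed": table.completed, "dropped": table.dropped,
            "still_pending": len(table.pending),
            "alert_buckets": syn_flood_alerts(trace)}

if __name__ == "__main__":
    r = run_demo()
    print(len(r["completed"]), "completed;", len(r["dropped"]), "dropped;",
          "alert buckets:", r["alert_buckets"])
```

The legitimate client that arrives while the table is full (192.0.2.11) is refused, which is the denial of service; the one arriving after the entries time out (192.0.2.12) completes normally, and the ratio indicator flags only the second with the unanswered burst.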
UDP Flood Attack
Another example of a transport layer flooding attack is the UDP flooding attack. In this
form of attack, the adversary sends a large number of UDP packets to random ports on
the target machine, usually from spoofed IP addresses [12]. As a result, the target host
checks for applications listening on the ports specified in the incoming packets. If no
application is listening on a port, it replies with an ICMP Destination Unreachable
packet. Thus, for a large number of incoming UDP packets on random ports, the target
machine can be forced to send a large number of ICMP packets, provided no application
is listening on those ports, using up its connection bandwidth until it eventually becomes
unreachable by its clients.
ICMP Flood Attacks
ICMP is a protocol carried over IP that is used to diagnose the status of the network. An ICMP
flood attack is a bandwidth attack using ICMP packets that can be directed at an
individual machine or at an entire network. When a packet is sent from a machine to the
IP broadcast address of the local network, all machines in the network receive the packet.
When a packet is sent from a machine to the IP broadcast address of a network outside the local
one, the packet is delivered to all machines in the target network. Other types of
ICMP flood attack are the Smurf and the Ping-of-Death attacks [11].
App-DDoS Attacks
Attack power can be amplified by forcing the target to execute expensive operations.
These attacks can consume all available corporate bandwidth and fill the pipes with
illegitimate traffic. Routing protocols can also be affected and services are disrupted by
either resetting the routing protocols or offering data that harm server operation [12].
HTTP Flood Attacks
An attack that bombards Web servers with HTTP requests is called an HTTP flood
attack. HTTP flood attacks are common in most Botnet software programs. To send an
HTTP request, a valid TCP connection that requires a genuine IP address has to be
established. Attackers send an HTTP request through the IP address of a bot and then
formulate the HTTP requests in different ways to maximize the attack power or to avoid
detection [12]. An attacker, for example, can manipulate the Botnet to send HTTP
requests to download a large file from the target. The file is then read by the target from
the hard disk, stored in the memory, and finally loaded into the packets, which are sent
back to the Botnet. Hence, a simple HTTP request can significantly consume resources
in the CPU, memory, input/output devices, and outbound Internet link. However, the
behavior of HTTP requests from the abovementioned example can be obvious. Repetitive
requests for a large file can be detected and can then be blocked. Attackers mimic
legitimate traffic by instructing the Botnet to send an HTTP request to the target Web
site, analyze the replies, and then recursively follow the links. The HTTP requests from
the attacker consequently become very similar to normal Web traffic, thus explaining the
extreme difficulty in filtering this type of HTTP flood.
Session Initiation Protocol (SIP) Flood Attacks
SIP is a widely supported standard for call set-up in Voice over IP (VoIP). SIP proxy
servers generally require public Internet access, since the standard expects them to accept
call set-up requests from any VoIP client. For scalability, SIP is typically implemented
over UDP so that it can be stateless. An attacker can flood the SIP proxy in a single attack
with SIP INVITE packets whose spoofed source IP addresses pose as genuine ones. To evade
countermeasures against spoofing, attackers can also launch the flood from a Botnet using
legitimate source IP addresses. Two victim categories emerge in this attack scenario. The
first comprises the SIP proxy servers, whose server resources are depleted by processing
the SIP INVITE packets while their network capacity is consumed by the INVITE flood;
the SIP proxy server subsequently becomes incapable of providing VoIP service. The second
type of victim is the call receiver, who is overwhelmed by fake VoIP calls and has
difficulty in reaching legitimate callers [12].
2.3.1.2 Semantic Attacks
Semantic attacks exploit a specific design flaw or implementation bug of some protocol
or application installed at the victim in order to consume excess amounts of its resources.
This makes semantic attacks more difficult to execute than high-rate flooding attacks,
because they require the adversary to have a thorough understanding of the protocol or
application being targeted. However, since semantic attacks are 'stealthy' in nature,
taking advantage of imperfections at various levels, they can be launched successfully
even when the resources available to the attacker, in terms of bandwidth or processing
capacity, are far smaller than those of the target.
Ping of Death (PoD) is a type of denial of service attack in which an attacker attempts to
crash, destabilize, or freeze the targeted computer or service by sending malformed or
oversized packets using a simple ping command. PoD attacks exploit legacy weaknesses
which may have been patched in target systems. However, on an unpatched system the
attack is still relevant and dangerous. Recently, a new type of PoD attack has become
popular. In this attack, commonly known as a Ping flood, the targeted system is hit with
ICMP packets sent rapidly via ping without waiting for replies [11].
Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one
of the fields is the fragment offset field, which indicates the starting position, or offset, of
the data contained in a fragmented packet relative to the data of the original
unfragmented packet. When the sum of the offset and size of one fragmented packet
differ from that of the next fragmented packet, the packets overlap, and the server
attempting to reassemble the packet can crash, especially if it is running an older
operating system that has this vulnerability [11].
A recently published application layer semantic attack exploits the Simple Object Access
Protocol (SOAP) format which allows deeply nested Extensible Markup Language
(XML) to be embedded into the message body [12]. When such a message is sent to a
web-service provider, it forces the XML parser within the service to process the
document, thereby causing memory exhaustion and leading to a DoS attack.
2.3.2 Targets of DDoS Attack
The motive behind a DDoS attack is to disrupt or degrade the smooth operation of online
services by injecting malicious traffic into the target network or application. The attack
may target any one of the application, host, resource, network and infrastructure. The
impact of an attack targeting the network may differ from that of one targeting an
application, but both have the intention of disrupting or degrading the services delivered
to the client. A network-based DDoS attack may exhaust the network bandwidth with a
large-volume flood of packets, whereas an application-based DDoS attack may send a
relatively low volume of attack packets that nevertheless compromise the resource
allocation policy of the scheduler in the cloud. An attacker launching a network-based
DDoS attack may spoof her IP address to evade detection or tracking. TCP SYN, UDP and
ICMP floods are examples of network-based attacks. Attacks based on the application layer
of the TCP/IP protocol stack are on the rise these days. They use a design flaw or
implementation bug of the application. HTTP flood and DNS amplification attacks are some
examples of application-based attacks. This thesis focuses on both network-based and
application-based attacks.
2.3.3 DDoS Attack Tools
Various malicious programs are available free and open source that can be used to
launch DoS and DDoS attacks exploiting particular facilities of the services in the Cloud [10].
Some such tools are listed below.
Attack Tool | Description | DDoS condition
Trinoo (UDP Floods) | Bandwidth depletion through coordinated UDP flood via a buffer overflow exploit | Link congestion
Trinity | Launches UDP flood, fragment flood, SYN flood, RST flood, random flags flood, ack flood, establish flood and null flood | Link congestion; Resource exhaustion
TFN | Launches ICMP flood, SYN flood, UDP flood, and Smurf style attacks | Link congestion; Resource exhaustion
Targa | Sends malformed IP packets with invalid unknown/unexpected field values | End-point crash
TFN2K | Besides TFN flooding, TFN2K includes Teardrop and Land attacks that cause end point crashes | Resource exhaustion; Link congestion; End-point crash
Shaft | UDP, TCP SYN, and ICMP flooding | Link congestion
Mstream | TCP ACK floods | Resource exhaustion
Nimda | Exploits vulnerability in IIS Web servers | Link congestion; End-point corruption
SQL Slammer | Exploits a buffer overflow vulnerability | Flooding; Route instability
Agobot | Spreads in multiple ways, opens backdoors, shuts down services. It can launch HTTP, UDP, SYN and Ping flood. | Link congestion; End-point resource exhaustion
Table 2.4: Common tools for launching DDoS attack
2.4 Flash Event
The delivery of an online service can also be degraded as a result of legitimate user
activity, without any malicious intent. Such situations arise when a large number of
users concurrently access a web-server, either following some newsworthy event (e.g.,
the Olympics, the 9/11 attacks), or as a result of redirection from widely followed
websites such as Slashdot or other social media like Facebook or Twitter. These
situations are called Flash Events (FEs). Both DDoS attacks and FEs represent anomalies
in the normal internet traffic, and share a number of similar characteristics, such as a
substantial increase in the incoming network traffic, the overloading of the servers, and
degradation in the delivery of service [13].
Although FEs and DDoS attacks share similar characteristics and are hard to tell apart,
being able to distinguish them is of great interest, because very different actions need
to be taken in response to the two events. In the case of an FE, the server administrator
may want to quickly enable or increase the number of CDNs (Content Distribution Networks),
load sharing mechanisms, etc. [13] so that more users can be accommodated. In the case of
a DDoS attack, the server administrator may want to quickly deploy or enable filters at
the border gateway to filter out attack traffic so that legitimate requests are not dropped.
One aspect in which DDoS and FE differ most is the distribution of distinct clients among
clusters, which are constructed by the network-aware client clustering technique. Second,
the number of distinct clusters during the FE is much smaller than the number of distinct
clients. Third, a large number of clusters active during an FE had also visited the sites
before the event [14].
2.5 DDoS Attack Detection
Section 2.2 highlighted the security issues documented by three prominent bodies, and
the types of DDoS attack and the general tools used for them. Since a DDoS attack hinders
the performance of cloud services, early detection and mitigation is an essential
requirement. The notion that the cloud can provision any amount of resources to a service
sometimes misleads the understanding of DDoS attacks. Though rapid elasticity is one of
the key features of cloud computing, in reality every cloud infrastructure has a finite
set of resources that can be provisioned to services. Provisioning more resources to one
service may hinder the performance of other services, and the victim application owner
has to pay more under the pay-per-use model. So there is always a Service Level Agreement
(SLA) that clearly states the upper limit of resource provisioning. Thus, DDoS attack
detection and mitigation always remains a concern of research and development in the
field of cloud security.
The classical signature based attack detection techniques are limited in detecting the
anomalies that occur in network traffic. The signature based approach to attack detection
was introduced based on knowledge of known attack patterns. Generally the signature based
approach (SBA) works in the following order: 1) find a pattern or signature of an attack, 2)
generate the attack signature and save it in the attack filter database, and 3) update the
database if a new attack signature is found. This approach is efficient and easy to
implement. Snort and Bro are two examples of widely used signature based detection tools.
But since a DDoS attack has no attack signature, SBA cannot work efficiently in detecting
it. More dynamic approaches which can detect anomalies in traffic patterns are more
useful than a set of static rules (signatures) applied in packet filtering. This section
describes the two major approaches: network traffic feature analysis based and SNMP MIB
(Simple Network Management Protocol Management Information Base) data analysis based
DDoS detection.
2.5.1 Network Traffic Feature Analysis Based DDoS Detection
Analysis of the packet headers of network traffic can reveal trends and patterns of
traffic flow. Besides the volume of incoming traffic, header fields of the IP packet, for
example the source IP address, can furnish valuable information about the patterns of the
incoming traffic and the anomalies inherent in it. Different researchers use the IP address
along with other fields of the IP packet to devise techniques that differentiate anomalous
behavior of the incoming traffic from normal behavior. He et al. proposed a SYN flooding
detection mechanism using a Bloom filter which maintains a list of client IP addresses [15].
If a SYN request from a client appeared in the monitored traffic, a corresponding counter
was incremented, and if a FIN+ACK was observed from the same client the counter was
decremented. Thus, using the counters for each client, a SYN flood could be detected.
Wang et al. employed a similar approach using the ratio of SYN and FIN+ACK counts
from each client [16]. Since the intention of the intruder is to overwhelm the network
bandwidth and computing power of the server by creating a large number of half-open
TCP connections at the victim, this ratio can serve as an indicator.
In similar research, Peng et al. used history based source IP address filtering at the edge
router [17]. Their proposed mechanism maintains a historical database of all valid IP
addresses, i.e. those completing the three-way TCP handshake. This database is updated
using a sliding window in order to store the most recent addresses. Whenever the edge
router gets overloaded, the IP address database is used to decide whether to accept
the incoming packets. During an attack, only packets originating from source IP
addresses present in the database are allowed access. However, the database can be
polluted by source IP addresses which first complete a three-way handshake and
later on participate in the attack.
Bakshi et al. presented an idea to detect DDoS attacks in the cloud by applying an intrusion
detection system at the virtual machine level [18]. Their mechanism logs the inbound and
outbound traffic and checks for a spike in the traffic graph. If a spike is found, the
mechanism checks whether a SYN+ACK was received or not. If the SYN connection is half
open, the IDS calls a honeypot to ping the IP address to see if the host at that IP address
replies. No reply indicates a DDoS attack, and packets from that IP are then blocked; the
server is moved to another virtual server and the routing table is updated.
Entropy based approaches to network intrusion detection were introduced and have turned
out to be a powerful network anomaly detection scheme. A. Warner highlighted the benefits
of the entropy based approach in intrusion detection [19]: 1) the use of entropy can
increase the sensitivity of anomaly detection, 2) the use of traffic features provides
additional diagnostic information on the nature of anomalous incidents, and 3) the entropy
of traffic features provides useful information to measure the distance among clusters of
traffic.
2.5.2 SNMP MIB Data Analysis Based DDoS Detection
A management information base (MIB) is a database used for managing the entities in a
communications network. Most often associated with the Simple Network Management
Protocol (SNMP), the term is also used more generically in contexts such as the
OSI/ISO network management model [20]. SNMP is implemented at the application
layer and runs over UDP. The SNMP manager has the ability to collect management
data that is provided by the SNMP agent but does not have the ability to process this data.
The SNMP server maintains a database of management variables called the management
information base (MIB) variables. These variables contain information related to the
different operations performed by the network devices.
Cabrera et al. proposed a network intrusion detection system based on the analysis of
the SNMP MIB database [22]. The attack datasets were generated synthetically using the
Trinoo and TFN2K tools. In total, 91 MIB variables from the ip, icmp, tcp, udp and snmp
classes, collected at a 5 second sampling period over a 2 hour interval, were able to
detect UDP and ICMP flooding attacks. Common SNMP MIB variables are depicted in the
table below.
MIB Group | SNMP MIB Object
ip | ip.ipInReceives, ip.ipInDelivers, ip.ipOutRequests, ip.ipOutDiscards
tcp | tcp.tcpAttemptFails, tcp.tcpOutRsts
udp | udp.udpInErrors
icmp | icmp.icmpInMsgs, icmp.icmpInErrors, icmp.icmpInDestUnreachs, icmp.icmpOutMsgs, icmp.icmpOutErrors, icmp.icmpOutDestUnreachs
Table 2.5: Commonly used SNMP MIB variables
3. Research Methodology
The previous chapter described the work in the area of detecting and classifying network
intrusions and presented two approaches for the detection of DDoS attacks. To achieve the
goal of this thesis work the approach "network traffic feature analysis based DDoS
detection" is selected, because traffic features like source IP address, destination IP
address, source port and destination port provide an effective quantitative measure to
differentiate normal traffic from attack traffic and from surges of legitimate access. The
source IP address is the main feature utilized to find out the randomness of the incoming
traffic. Moreover, the entropy of the source IP address is calculated using an algorithm
discussed later in this chapter. Though attack traffic traces are not readily available, some
traces from the Center for Applied Internet Data Analysis (CAIDA) dataset are used.
Emulation of the system and captured real time traffic traces of the Institute of
Engineering (IOE) web server have been used to achieve the practical essence of the
experiment.
The rest of the chapter is organized as follows: section 3.1 illustrates the data set used
in the analysis, section 3.2 illustrates the block diagram of the system, section 3.3 lists
the algorithm to calculate entropy using a sliding window. Section 3.4 describes the
experiment setup in the Cyber Defense Technology Experimental Research (DETER)
test-bed.
3.1 Data Collection
Three types of datasets are used in the experiment, namely normal traffic traces, DDoS
attack traffic traces and flash event traffic traces. Normal traffic traces of one hour
duration are captured from the IOE web server. Attack traffic traces are obtained from
the CAIDA data repository, and flash event traffic from day 29 of the FIFA World Cup 1998
dataset.
Normal Traffic Trace
Normal traffic of 6 hours duration has been captured from the web server of ioe.edu.np
on 2013-08-16. Out of this trace, one hour of traffic (642 MB) between 15:08 PM and
16:08 PM is taken for analysis. The traffic set is cleaned by removing packets other than
HTTP. The real IP addresses are anonymized for the sake of confidentiality. This set has
been divided into 12 bins, each comprising the packets captured in a 5 minute interval.
Since only the incoming packets towards the web server are of interest, only packets
towards the web server are filtered and given to the entropy calculation module of the
proposed system. Basic statistics of this dataset are summarized as follows.
S.N. | Particulars | Measurement
1 | Total no. of packets (in 1 hour traffic capture) | 750670 packets
2 | Average packets per second | 210.418 packets
3 | Average packet size | 839.963 bytes
4 | Average bytes per second | 176743 bytes
5 | No. of unique source IP addresses | 415
Table 3.1: Basic statistics of normal traffic of IOE web server
DDoS Attack Traffic Trace
This dataset is taken from CAIDA. For analysis purposes an attack traffic subset of 1 hour
duration is selected and preprocessed for entropy calculations. Packets which are not
destined to the server address are removed. Basic statistics of the dataset are given in
table 4.2.
S.N. | Particulars | Measurement
1 | Total no. of packets (in 1 hour traffic capture) | 1650732 packets
2 | Average packets per second | 458.539 packets
3 | Average packet size | 160.963 bytes
4 | Average bytes per second | 73661 bytes
5 | No. of unique source IP addresses | 139
Table 3.2: Basic statistics of attack traffic taken from CAIDA dataset
3.2 Block Diagram
The DDoS detection system consists of four modules: packet filter, traffic capture
module, feature extraction module and detection module.
[Figure 3.1: Block diagram of DDoS detection system. Modules shown: Packet Filter
(receives incoming traffic, drops packets from suspicious source IP addresses), Traffic
Capture Module, Feature Extraction Module, Traffic Aggregation Module, Entropy based
DDoS detection module (splits traffic into normal traffic and attack traffic), Updating
module (feeds attacker IP addresses back to the packet filter) and Alert generation
module (emits alerts). Packets flow from the packet filter through capture, feature
extraction and aggregation into the detection module.]
The packet filter module blocks packets from suspected source IP addresses. The suspicious
source IP list is regularly updated with information from the detection module. The
traffic capture module captures incoming packets for further processing and sends the
packets to the feature extraction module. The feature extraction module extracts the
features of the IP packets. Features like source and destination IP address, source and
destination port number and flow label are then provided to the entropy based anomaly
detection module. This is the main part of the system; it computes the entropy of the
packets and compares the normalized entropy with the threshold.
3.3 Algorithm for entropy calculation
3.3.1 Entropy
Let X denote a random variable representing the distribution of values that a particular
traffic feature (e.g., the source address) can take. Let x_1, ..., x_N denote the range of
values that X can take. For each x_i, let p(x_i) represent the probability that the random
variable X takes the value x_i, i.e., p(x_i) = Pr[X = x_i]. The entropy of the random variable
X is then defined as:
$$H(X) = -\sum_{i=1}^{N} p(x_i) \log p(x_i) \qquad (4.1)$$
Normalized Entropy: Since some items may not appear during a single measurement
interval, we define N_0 to be the number of distinct items that are actually present in the
given measurement interval. Intuitively, the entropy is a measure of the diversity of the
data coming over the stream. The entropy attains its minimum value of zero when all the
items coming over the stream are the same and its maximum value of log(N_0) when each
item in the stream appears exactly once. Across measurement intervals we might observe
a different number of distinct items (N_0). Thus, we normalize H to be between zero and
one by computing the normalized entropy H / log N_0. This normalization measures the
relative randomness within each measurement interval, and allows us to quantitatively
compare entropy values across time. For the remainder of the discussion we will use this
definition of normalized entropy.
$$\text{Normalized Entropy} = \frac{H}{\log N_0} \qquad (4.2)$$
3.3.2 Algorithm
The overall entropy calculation process is based on a slot of some duration. This slot is
termed here a window, and the source IP addresses within this window are taken for the
computation of entropy. The window is shifted to the right, i.e. to cover new packets
one by one. The effect of adding the new packet and deleting the first packet of the queue
is calculated and adjusted in the entropy sum.
1. Capture the packet from the incoming stream.
2. Compute the entropy of the first W packets with reference to source IP address.
3. Isolate the term in the summation corresponding to the probability of the first symbol in the window (label this symbol with i=1) and also the value for the corresponding probability (p_i1).
4. Slide the window so the new first term was previously the second term and the next W-1 consecutive terms are contained in the window.
5. Isolate the term in the summation corresponding to the probability of the symbol acquired from shifting the window.
6. Subtract off the terms isolated in steps 3 and 5 from the value computed in step 1.
7. Recompute the affected probabilities for the current window of data. That is, recompute p_i-1 and the probability of the symbol that was added by sliding the window.
8. Using the values computed in step 7, add the two terms missing from the entropy summation back in and compare this new entropy value to the previous entropy computations.
9. Repeat steps 3-8 to determine subsequent entropy values.
10. Calculate the overall probability distribution in the captured flow for the window.
11. Normalized Entropy (NE) = H/logN, where N is the number of distinct feature values in the given time window.
12. Compare NE with threshold, note the deviations.
13. If deviation is more than the threshold, mark flow as suspected, raise an alert.
14. Continue.
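The sliding-window procedure above, as an added Python example that is not code from the thesis: it keeps the entropy sum of the last W source IP addresses incrementally (removing and re-adding only the two affected terms, as in steps 3 to 8), normalizes it by log N0 per eq. (4.2), and flags windows that fall below a threshold. Base-2 logarithms, the 0.7 threshold and the sample trace are assumptions of this example.

```python
import math
import random
from collections import Counter, deque


def normalized_entropy(values):
    """Batch form of eq. (4.1) and (4.2) for one window: H / log2(N0), where N0 is
    the number of distinct values actually present. A window holding a single
    distinct value has H = 0 and is reported as 0.0 (log2(1) = 0 cannot divide)."""
    counts = Counter(values)
    total = len(values)
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    n0 = len(counts)
    return h / math.log2(n0) if n0 > 1 else 0.0


class SlidingWindowEntropy:
    """Keeps H for the last W feature values incrementally (steps 3 to 9 of the
    algorithm): on each slide only the two affected terms of the summation are
    removed, the two counts are adjusted, and the recomputed terms are added back."""

    def __init__(self, window_size):
        self.w = window_size
        self.buf = deque()          # the W most recent feature values, oldest first
        self.counts = Counter()     # occurrences of each value inside the window
        self.h = 0.0                # running value of -sum p_i log2 p_i

    def _term(self, count):
        # one summation term -p log2 p for a value seen `count` times in a full window
        if count == 0:
            return 0.0
        p = count / self.w
        return -p * math.log2(p)

    def _normalized(self):
        n0 = len(self.counts)
        return self.h / math.log2(n0) if n0 > 1 else 0.0

    def push(self, value):
        """Add one feature value. Returns the normalized entropy of the current
        window, or None until the first W values have arrived (step 2)."""
        if len(self.buf) < self.w:
            self.buf.append(value)
            self.counts[value] += 1
            if len(self.buf) < self.w:
                return None
            self.h = sum(self._term(c) for c in self.counts.values())  # first window
            return self._normalized()
        old = self.buf.popleft()
        self.buf.append(value)
        if old != value:  # identical symbols leave every probability unchanged
            self.h -= self._term(self.counts[old]) + self._term(self.counts[value])
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]    # keep N0 equal to the distinct values present
            self.counts[value] += 1
            self.h += self._term(self.counts[old]) + self._term(self.counts[value])
        return self._normalized()


def detect(stream, window_size, threshold):
    """Steps 12 and 13: slide over a stream of source IPs and flag every window whose
    NE falls below `threshold`. Returns (index of last packet, NE, suspicious)."""
    swe = SlidingWindowEntropy(window_size)
    results = []
    for i, ip in enumerate(stream):
        ne = swe.push(ip)
        if ne is not None:
            results.append((i, round(ne, 6), ne < threshold))
    return results


def constructed_trace(seed=7):
    """Constructed sample, not captured data: 600 packets spread over 200 clients,
    then 600 packets of which roughly 90% come from only five flooding sources."""
    rng = random.Random(seed)
    normal_pool = [f"10.0.0.{i}" for i in range(200)]
    flood_pool = [f"203.0.113.{i}" for i in range(5)]
    trace = [rng.choice(normal_pool) for _ in range(600)]
    trace += [rng.choice(flood_pool) if rng.random() < 0.9 else rng.choice(normal_pool)
              for _ in range(600)]
    return trace


if __name__ == "__main__":
    # Threshold 0.7 is an assumed value sitting between the normal and attack means
    # reported in Tables 4.1 and 4.2; a deployment would derive it from its own baseline.
    report = detect(constructed_trace(), window_size=200, threshold=0.7)
    first = next((i for i, _, flagged in report if flagged), None)
    print("first suspicious window ends at packet index", first)
```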
3.4 Experimental Setup
Experiments in the cyber security area can be conducted in three ways: on a live
network, by simulation, or by emulation. All these techniques have pros and cons, so they
are competing approaches. Live network experimentation is not a viable way to conduct a
DDoS attack and observe its behavior, due to the following constraints: it is often
difficult or too expensive to create a real test environment of any significant size, and
real environment tests also tend not to be reproducible, making it difficult to analyze
problems when they are found. Simulation provides a repeatable and controlled environment
for network experimentation. It is easy to configure and allows a protocol to be
constructed at some level of abstraction, making simulation a rapid prototyping and
evaluation environment. Ease of use also allows for exploration of large parameter spaces.
On the other hand, in simulation the hosts, network devices and operating systems are not
real, so results can differ considerably from actual ones. Moreover, a synthetic
environment may also poorly represent the real one.
[Figure 3.2: Experiment setup in DETER test-bed. Topology labels shown: routers R0 to R6,
LAN0 to LAN7, and nodes CC, CLC, NC0 and NC1.]
This research work utilizes a hybrid technique. The Cyber Defense Technology Experimental
Research (DETER) test bed has been used to set up the experimental network. Synthetic
traffic generation is done using the traffic generators provided by the Security
Experimentation EnviRonment (SEER). The network topology of the experiment is as given in
figure 4.2.
4. Results and Discussion
In experimentation so far, entropies of source IP address of normal traffic and attack
traffic taken from dataset are calculated with four window sizes: 5000, 10000, 15000 and
20000.
4.1 Entropy of normal traffic
Normal traffic traces of the IOE web server show the following entropies.
[Figure 4.1: Graph showing entropy of source IP address of traffic of IOE web server.
Normalized entropy of source IP (y-axis, 0 to 1) plotted per window of 5000 packets
(x-axis, window number 0 to 80).]
Normalized entropy values
Window Size (packets) | Mean | Standard deviation
5000 | 0.816378 | 0.051798326
10000 | 0.828972 | 0.04897835
15000 | 0.839772 | 0.0438409
20000 | 0.839667 | 0.04470784
Table 4.1: Mean and standard deviation of normal traffic in different window sizes
4.2 Entropy of attack traffic
[Figure 4.2: Graph showing entropy of source IP address of attack traffic. Normalized
entropy of source IP (y-axis, 0 to 0.9) plotted per window of 5000 packets (x-axis,
window number 0 to 80).]
Normalized entropy values
Window Size (packets) | Mean | Standard deviation
5000 | 0.715621 | 0.06598
10000 | 0.692142 | 0.06553
15000 | 0.642537 | 0.06489
20000 | 0.642231 | 0.06459
Table 4.2: Mean and standard deviation of attack traffic in different window sizes
4.3 Discussion and Remaining Works
The entropy values of normal and attack traffic obtained from the experiment indicate
that entropy could be a strong measure to differentiate normal traffic from attack traffic.
Detection of the entropy variation and the corresponding attack in the cloud environment
still needs to be completed by mixing the normal traffic and attack traffic. To validate
the concept, synthetic traffic generated by the traffic generators will be applied and the
corresponding traffic traces will be captured at the cloud controller level for entropy
calculation. The entropy calculation module has been implemented and the experimental
network setup has been created, which will allow the experiment to proceed. The remaining
work will be completed by the final submission of the thesis report.
5. Bibliography
[1] NIST web site, http://www.nist.gov/itl/csd/cloud-102511.cfm, retrieved on 24 April 2013.
[2] L. M. Vaquero, "A break in the clouds: towards a cloud definition", SIGCOMM Computer Communication Review, vol. 39, pp. 50–55, 2009.
[3] S. Roschke, F. Cheng and C. Meinel, "An Advanced IDS Management", Journal of Information Assurance and Security, vol. 5, pp. 246–255, 2010.
[4] B. L. Dear, "Perhaps the First Denial-of-Service Attack?", http://www.platohistory.org/blog/2010/02/perhaps-the-first-denial-of-service-attack.html, 2010, retrieved on 26 September 2013.
[5] L. Garber, "Denial-of-service Attacks Rip the Internet", Computer, vol. 33(4), pp. 12–17, 2000.
[6] C. Grice, "How a Basic Attack Crippled Yahoo", Technical report, CNET News, 2000.
[7] "Prolexic Quarterly Global DDoS Attack Report – Q4 2013", Technical report, Prolexic, 2013.
[8] D. Catteddu and G. Hogben, "Cloud Computing Security Risk Assessment", Technical report, European Network and Information Security Agency, November 2009.
[9] W. E. Burr, D. F. Dodson and W. T. Polk, "Electronic Authentication Guideline", Technical report, National Institute of Standards and Technology, April 2006.
[10] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", ACM SIGCOMM Computer Communication Review, vol. 34(2), pp. 39–53, 2004.
[11] D. C. Wyld, "Trends in Network and Communications", Journal of Communication, vol. 45, pp. 33–37, 2011.
[12] S. Roschke, F. Cheng and C. Meinel, "An Advanced IDS Management", Journal of Information Assurance and Security, vol. 5, pp. 246–255, 2010.
[13] J. Jung, B. Krishnamurthy and M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites", World Wide Web, May 2002.
[14] P. Barford and D. Plonka, "Characteristics of Network Traffic Flow Anomalies", Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, pp. 69–73, ACM, 2001.
[15] Y. He, W. Chen and B. Xiao, "Detecting SYN Flooding Attacks Near Innocent Side", Mobile Ad-hoc and Sensor Networks, pp. 443–452, 2005.
[16] H. Wang, D. Zhang and K. G. Shin, "Detecting SYN Flooding Attacks", Proceedings of the Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 3, pp. 1530–1539, IEEE, 2002.
[17] T. Peng, C. Leckie and K. Ramamohanarao, "Protection from Distributed Denial of Service Attacks Using History-based IP Filtering", IEEE International Conference on Communications, ICC'03, pp. 482–486, 2003.
[18] A. Bakshi and B. Yogesh, "Securing Cloud from DDoS Attack using Intrusion Detection System in Virtual Machine", IEEE Second International Conference on Communication Software and Networks, ICC'10, pp. 260–264, 2010.
[19] A. Warner, "Entropy-Based Worm Detection for Fast IP Networks", Ph.D. dissertation, Swiss Federal Institute of Technology, Zurich, Switzerland, 2008.
[20] http://en.wikipedia.org/wiki/Management_information_base#IEEE_maintained
[21] J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee and R. K. Mehra, "Proactive Intrusion Detection and Distributed Denial of Service Attacks: A Case Study in Security Management", Journal of Network and Systems Management, vol. 10(2), pp. 225–254, 2002.