Mitigating DDoS Attack: An Efficient Approach to
Detect and Reduce Flooding Attack
Vikas B O
Post Graduate Student, Dept of CS&E, SCE Bangalore, India. Email-id: vikasbo104@gmail.com
Abstract—The use of the internet is increasing day by day in the modern world. Use of the internet on such a large scale creates several security issues. Security attacks are enormous in number and increasingly sophisticated, and they are not easy to detect and reduce. A flooding attack is one common attack mechanism in which a huge number of requests is sent to a server or site, which brings the server down, as the server is unable to process such a large number of requests. This type of flooding attack is called a Distributed Denial of Service (DDoS) attack. Detection and reduction of DDoS attacks is currently widely discussed. For many years DDoS attackers carried out attacks on the network layer. Extensive studies have been done to prevent attacks on the network layer (such as anomaly detection or network measurement), so it is no longer an easy task for attackers to attack the network layer. This has led attackers to move to the application layer and establish an efficient DDoS attack called HTTP request flooding. The occurrence of DDoS attacks on the application layer, and the importance of preventing them, led my work to provide an effective and efficient mechanism which can act as a defense against DDoS flooding attacks. Here, the main goal is to detect and reduce the effect of DDoS flooding attacks against the application layer. The proposed method utilizes entropy calculation to differentiate between DDoS traffic and normal traffic on a web server. Increasing the availability of the service to legitimate users is my main goal.
Keywords--Distributed Denial of Service (DDoS) Attack, Flooding Attack, Web Server, Application layer attack.
I. INTRODUCTION
The rapid growth in the number of computers interconnected through the internet is increasing the attack rate, and detection of those attacks has become an important problem. Many organizations, institutions and governments are completely dependent on computer networks, which play a major role in their daily operations. Hence the necessity of protecting those operations and networked systems has increased. Attacks such as server compromise, phishing and destruction of users' private information are rapidly evolving. An intrusion need not be a massive intrusion; a single intrusion can result in the loss of important data. Intrusion behavior can be classified based on different attack types [1].
As a countermeasure, intrusion detection systems have to recognize attacks, alert the administrator about the type of attack and protect the system.
1.1 Need for Intrusion Detection System
An Intrusion Detection System (IDS) is a security system that monitors a computer system's network traffic and analyzes that traffic for possible attacks originating from outside the organization, and also for system misuse or attacks originating from inside the organization [4]. The main role of an intrusion detection system in a network is to help computer systems prepare for and deal with network attacks.
The classification of intrusion detection systems [2] is defined on four categories: approach, protected system, architecture and behavior [3]. Intrusion detection approaches are classified into anomaly based and signature based, which are the most widely used. By protected system, the taxonomy distinguishes Host-based IDS and Network-based IDS. Architecture is divided into centralized and distributed systems. Intrusion detection system behavior is classified into active and passive.
The most harmful and common attack on the internet today is the Distributed Denial of Service (DDoS) attack. It is very difficult to detect and reduce, and it is becoming more harmful as attackers use a wide range of flooding requests against a server or system. The issue can be reduced if the DDoS attack is of low volume; otherwise the attack cannot be reduced.
DDoS attacks target the different OSI layers; many focus on the application layer, for example HTTP flooding. Attacks on the network layer include ICMP flooding, SYN flooding and UDP flooding. The most vulnerable layer, which leads to the widest range of threats, is the application layer. In this type of attack the attacker attacks a single target, generally a server, from a network of computers, and it results in denial of service on that server. The attack is prepared by installing malware on systems without the users' knowledge; a group of such systems is called zombies [3]. As duplicate requests are sent in huge numbers, they consume the network bandwidth of the system and can also crash the server. Users then get no response from the target server and are denied the requested service, hence the term "Distributed Denial of Service".
II. RELATED WORK
A. Different types of DDoS attacks
Table 1: Methods of DDoS attacks: ICMP flood, SYN flood, Tear drop, Peer to Peer, Starvation, Permanent DDoS, Nuke; Application level: HTTP DDoS, RUDY, Slow Read.
Types of DDoS attack (Figure 1): Distributed, Reflected/Spoofed, Advanced Persistent DoS, Network Layer attack, Application Layer attack.
Mirkovic, Jelena, and Peter Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms" [3], divide scanning techniques into host scanning and vulnerability scanning strategies. Host scanning is further divided into random, signpost, permutation, hit-list and local subnet scanning strategies. The main goal of all these methods is to choose the addresses of potentially vulnerable machines and attack them. Vulnerability scanning is further divided into horizontal, coordinated, vertical and stealthy scanning. The advantage of these methods over host scanning is that they search for specific vulnerable machines before attacking them.
Douligeris, Christos, and Aikaterini Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art" [8], note that a peer-to-peer system can be utilized to initiate DDoS attacks, as it can be manipulated by an attacker. Here, the attacker instructs the clients of a huge peer-to-peer network to disconnect from their network and connect to the victim's website. As a result of this huge number of requests, the victim's server/system crashes. A starvation attack is a type of attack which consumes the resources of the victim computer.
Sterne, Dan, et al., "Autonomic response to distributed denial of service attacks" [9][13], describe permanent DoS attacks, also known as phlashing, which damage the system so badly that re-installation or replacement of hardware is required. The phlashing attacker targets the victim's system through its hardware and software upgrade mechanisms; once the upgrade is accepted by the victim, it damages the devices and makes them unbootable or non-flashable. Hence the name phlashing attack.
Srivatsa, Mudhakar, et al., "Mitigating application-level denial of service attacks on Web servers: A client-transparent approach" [11], note that DoS can be caused by a buffer overflow which confuses the software running on the server, fills the disk space, or consumes all available memory and CPU time.
Burke, Robin, et al., "Classification features for attack detection in collaborative recommender systems" [12], state that a nuke attack is a DoS attack against a computer network consisting of fragmented or invalid ICMP packets sent to the target, which slow down the affected computer.
Figure 1: Types of DDOS attack
Zargar, Saman Taghavi, James Joshi, and David Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks" [4], divide DDoS attacks into application layer and network layer attacks. Since the availability of the service has to be enhanced, an efficient mechanism to detect and reduce both application-layer and network-layer DDoS flooding attacks has to be developed. The flooding attack defense mechanisms are summarized in Table 2.
Yadav, Kalpana, et al., "Modeling SYN Flooding DoS Attacks using Attack Countermeasure Trees and Finding Optimal Set of Countermeasure using a Greedy Algorithm" [6], describe the SYN flood as a form of DoS attack in which an attacker sends TCP connection requests to the target system in an attempt to consume all the resources of the server, leaving no response for genuine users.
Chowdhary, Mahak, Shrutika Suri, and Mansi Bhutani, "Comparative Study of Intrusion Detection System" [7], describe the teardrop attack, which works by sending a message fragmented into multiple UDP packets. Normally the OS is able to re-assemble the fragments into a complete message by referencing the offset data carried in each packet. The teardrop attack corrupts the fragment offsets so that the system cannot correctly rebuild the original packets; as the OS is unable to handle the corrupted data, the most likely outcome is a system crash.
Gruschka, Nils, and Norbert Luttenberger, "Protecting web services from DoS attacks by SOAP message validation" [14], describe an attack on the HTTP POST header, which includes a Content-Length field specifying the size of the message body to follow. The attacker then sends the body at an extremely slow rate (e.g. 1 byte per 100 seconds), holding the connection open and slowing down the system.
Pavithra, K. C., Snitha Shetty, and H. R. Nagesh, "A comprehensive study on distributed denial of service attacks and defense mechanisms" [15], describe the RUDY ("R-U-Dead-Yet") attack. The attack targets web applications by starving them of available sessions: RUDY keeps sessions halted using never-ending POST transmissions with a large Content-Length, which leads to a system crash.
Campus, Giani Zail Singh PTU, "A Survey on Distributed Denial of Services (DDOS)" [16], notes slow read attacks, in which the attacker sends application layer requests but reads the responses very slowly, trying to exhaust the server's connections.
Kührer, Marc, et al., "Hell of a handshake: abusing TCP for reflective amplification DDoS attacks" [17], describe reflective DoS, in which forged requests are sent to systems using IP address spoofing: the source address is set to that of the targeted victim, so all replies go to the target and the flood begins.
Lau, Felix, et al., "Distributed denial of service attacks" [18], state that an advanced persistent DoS attack is a massive network layer DDoS attack combined with an application layer attack (HTTP flood), followed by repeated flooding using SYN attacks.
Table 2: Comparison of defense mechanisms in DDoS attacks [12][13]
Defense mechanism | Functionality | Limitations
1. DDoS Shield | Uses a rate-limiting factor to detect HTTP flood traffic and prevent flooding attacks. | It is not clear that genuine traffic is given another chance to access the service once the user is rejected.
2. CAPTCHA | Authenticates user requests with different questions and images and so prevents DDoS attacks. | Genuine users have to solve questions in order to authenticate, which introduces more delay into the service.
3. Sinkhole | Rejects all bad packets and sends them to a non-existent server. | Malware detection is not performed by this approach.
4. Black hole | DDoS traffic is routed to a non-existent server. | There is a chance that genuine users get blocked on future requests.
5. Up-stream filtering | Utilizes an ACL (Access Control List) on the user's router at the ISP level, blocking huge numbers of requests. | As the ISP has no visibility into the application layer, it is unable to prevent application-layer traffic.
6. Cloud based detection | Utilizes multiple servers: if the traffic increases on a particular server, it reroutes to another server and continues to provide service. | Deploying multiple servers is costly.

B. Different phases of DDoS attacks
Figure 2: Different phases of DDoS attacks: Target acquisition -> Ground work -> Actual attack
DDoS attacks consist of 3 phases [1]. Mirkovic, Jelena, and Peter Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms" [3], classify the phases of a DDoS attack into three. Target acquisition is the first phase, in which the attacker gains knowledge of the network and obtains the IP address of the victim. In the second phase, called ground work, the attacker creates a large network of compromised systems by installing malware on them without the users' knowledge; the flooding of network traffic is later performed using these compromised systems. The third phase is the actual attack, in which the controller of the whole network of compromised systems issues the command to flood the victim with a huge number of packets or requests, producing huge traffic that slows down the service or brings the server down entirely.
III. CHALLENGES FOR DDOS ATTACK DEFENSE MECHANISM
It has been observed that the defense mechanisms developed against application layer and network layer attacks only detect and prevent the attack, yet DDoS attacks are still increasing day by day and no sufficiently efficient mechanism has been proposed.
As reported in [12], at both the application layer and the network layer, if the server is down the user is denied the service. Even a genuine user is denied service, because there is no differentiation between normal traffic and DDoS attack traffic. Consequently legitimate users have to wait longer for service, and there are high false alarm rates and long detection times.
III. Methodology
The solution to detect and reduce DDoS attacks can be divided into 3 phases:
1. DDoS attack identification
2. Differentiation between DDoS attack traffic and normal traffic
3. Reduction of the effect of the DDoS attack
System Architecture Description
Initially, the request traffic is sniffed by an HTTP request packet sniffer. The request packets are sent to the DDoS Detector, where DDoS attack detection is performed with the help of a system resource monitor. The monitoring stage helps in differentiating between normal traffic and DDoS traffic.
The DDoS detector keeps a history of the HTTP requests to the web application, and the entropy algorithm is used to calculate an entropy value for each input request.
The entropy value is compared against a particular threshold, chosen depending upon the web server, which decides whether the input request is from a normal user or a DDoS attacker. Once a DDoS attack is detected, the client that sent the request is added to the black list.
Architecture
Figure 3 shows the system architecture for the DDoS attack detection and reduction mechanism.
Figure 3: System Architecture (Request traffic -> HTTP Request Packet Sniffer -> System Resource Monitor -> DDoS Detector -> "Is DDoS detected?"; NO: Application Services of the Web Application on the Web Server; YES: Close Session, Black List Client)
The Quality of Service (QoS) for normal users is not affected, and they are given the chance to access the web server. Once a DDoS attack is detected, the sessions of the particular DDoS attacker are closed. The black list holds the client information of the DDoS attack requests. The sessions of these clients are closed for a particular time interval; once the interval has elapsed, the client is removed from the black list.
Shannon Entropy Algorithm:
Using the mathematical formula below, the entropy values for DDoS attackers and normal users are calculated:
$H = -\sum_{x} p(x) \log_2 p(x)$   (1)
where H is the entropy value and p(x) is the probability of character x in the stream of input characters.
Data Flow Diagram
Data flow diagram description
Step 1: Users/attackers are external entities providing input to the HTTP request handler by sending HTTP requests.
Step 2: The HTTP request handler sends the input log message to the HTTP request logger and to the application resource monitor, where processing takes place to raise an alert/alarm on server load as well as on log monitoring.
Step 3: If the server load increases above the load threshold, the process sends the log messages to the DDoS detector to differentiate between DDoS attack sessions and normal user sessions.
Step 4: Based on the value provided by the DDoS detector, the logged requests are handled by the HTTP request handler under one of two conditions: either close the session or serve the request for normal user sessions.
Figure 4: Data Flow Diagram
Pseudo code
Pseudo Code 1: Detection Algorithm
Step 1:
Read HTTP Request Packet and Extract Features
like "SourceIP", "DestinationIP", "Port number", "Time stamp"
Step 2:
If (SourceIP is Blacklisted) then
If (BlackListPeriod is Elapsed) then
RemoveFromBlackList(SourceIP);
Else
AttackDetected = True;
Return AttackDetected;
EndIf
EndIf
Step 3:
RequestEntropy = UpdateEntropy(HTTPRequestFeature)
Step 4:
If (SystemLoad >= LOAD_THRESHOLD) then
If (RequestEntropy <= ENTROPY_THRESHOLD) then
AttackDetected = True;
Else
AttackDetected = False;
EndIf
Else
AttackDetected = False;
EndIf
Return AttackDetected;
Pseudo Code 2: Application Pre-Processing
Step 1: AppUnderAttack = GetAttackDetected();
Step 2: If (AppUnderAttack == True) then
CloseSession();
Else
ServeRequest();
EndIf
Pseudo Code 3: Calculating Entropy to detect and reduce DDoS attack
Step 1: Read HTTP request packet and extract the log message (Log_Message)
Step 2: Create a HashMap<Character, Integer> set;
for each character in Log_Message
If the character already has an entry then
Increment its count;
Else
Create a new entry in the HashMap;
EndIf
Step 3: for (Map.Entry<Character, Integer> entry : HashMapSet)
p = entry.getValue() / total number of characters in Log_Message;
Step 4: Entropy = 0;
for each probability p
Entropy = Entropy - p * log2(p);
Return Entropy;
Step 5: If (Entropy <= Entropy_threshold) then
AttackDetected = true;
Else
AttackDetected = false;
EndIf
Testing
Table 2 provides the test cases before performing a DDoS attack on the web server.
Note: the units of the values are "k" for kilo, "M" for megabytes and "ms" for milliseconds. The requests (users) access the web server in a time interval of five seconds.
Table 2: Different test cases before DDoS attack
Test case | Number of requests (users) | Memory consumption | CPU usage | Number of HTTP hits per minute | Number of thread count per second | Number of HTTP sessions | Response time per request
1 | 5 | 10M | 12% | 60 | 16 | 6236 | 0.3456ms
2 | 10 | 12M | 17% | 120 | 25 | 9540 | 0.4657ms
3 | 25 | 23M | 19% | 300 | 43 | 15456 | 0.5543ms
Table 3 provides the test cases after performing a DDoS attack on the web server.
Table 3: Different test cases after DDoS attack
Test case | Number of requests (users) | Memory consumption | CPU usage | Number of HTTP hits/minute | Number of thread count/second | Number of HTTP sessions | Response time per request
1 | 10 | 495M | 92% | 6k | 58 | 176488 | 69ms
2 | 30 | 498M | 94% | 8k | 85 | 224687 | 95ms
3 | 100 | 500M | 94% | 12k | 124 | 453290 | 185ms
4 | 500 | 500M | 96% | 17k | 167 | 524365 | 321ms
5 | 1000 | 501M | 97% | 25k | 225 | 2400891 | 30086ms
Table 4 provides the test cases giving the entropy values of DDoS sessions and of user sessions.
Table 4: Different test cases showing entropy values of normal users and DDoS attackers
Test case | Number of requests (users) | Entropy value of DDoS attack sessions | Entropy value of normal user sessions
1 | 80 | 4.871196187287 | 7.932954644036
2 | 120 | 4.685328664259 | 7.311396665338
3 | 150 | 4.256934543322 | 6.636044645992
Table 5 provides the test cases after performing DDoS mitigation on the web server.
Table 5: Different test cases after DDoS mitigation
Test case | Number of requests (users) | Memory consumption | CPU usage | Number of HTTP hits/minute | Number of thread count/sec | Number of HTTP sessions | Response time per request
1 | 10 | 95M | 45% | 600 | 8 | 4401 | 0.3456ms
2 | 30 | 98M | 48% | 740 | 12 | 6087 | 0.3957ms
3 | 100 | 100M | 46% | 860 | 14 | 7290 | 0.5543ms
4 | 500 | 106M | 52% | 1k | 21 | 19365 | 0.7456ms
5 | 1000 | 112M | 53% | 3k | 25 | 36891 | 0.9657ms
Results
Tables 2 and 3 show the state of the web server before and after the DDoS attack, which leads to denial of service for normal users. The response time per request before and after the DDoS attack clearly shows the denial of service to genuine users.
The results in Table 3, obtained under a DDoS attack on the web server, demonstrate the loading of the web server on the different parameters: CPU usage and memory consumption rise, resulting in distributed denial of service to the normal users accessing the web server. As the numbers of HTTP hits, HTTP thread counts and HTTP sessions increase, the web server load increases; the runs with different numbers of requests per machine (slaves) show that the DDoS attack is of large volume. The proposed Shannon entropy algorithm applied to the DDoS logs, shown in Table 4, differentiates between normal users and DDoS attackers.
As soon as the web server load increases above the particular load threshold, the DDoS Detector closes the sessions of those HTTP requests having the lowest entropy values. It keeps closing the sessions with the lowest entropy values until the web server load reduces below the load threshold.
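The detection pipeline of Pseudo Code 1 to 3 together with the least-entropy session closing described just above, as an added Python example that is not the paper's own code. It assumes a load threshold of 0.8, an entropy threshold of 4.0 bits, a 300 s blacklist period, a minimum session length of five requests before a session is scored, a log-message format of "METHOD PATH HTTP/1.1", entropy computed over the characters of a source's whole session log, a per-session load estimate for the shedding step, and constructed sample traffic from the IPs 192.0.2.10 and 198.51.100.66; none of these values come from the paper.

```python
"""Entropy-based HTTP flood detection (added example, not the paper's code).

Implements Pseudo Code 1-3: a per-source session log, Shannon entropy
(equation 1) over the characters of that log, an entropy threshold that
applies only while the server is under load, a time-limited blacklist, and
the Results section's policy of closing the lowest-entropy sessions until
the load drops.  Thresholds, log-message format, minimum session length
and the traffic below are this example's own assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from math import log2


def shannon_entropy(text: str) -> float:
    """Equation (1): H = -sum_x p(x) log2 p(x), x ranging over characters."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * log2(c / n) for c in Counter(text).values())


@dataclass
class Request:
    source_ip: str
    method: str
    path: str
    timestamp: float  # seconds

    def log_message(self) -> str:
        # Assumed feature string fed to the entropy step.
        return f"{self.method} {self.path} HTTP/1.1"


@dataclass
class DDoSDetector:
    load_threshold: float = 0.8       # LOAD_THRESHOLD (fraction of CPU), assumed
    entropy_threshold: float = 4.0    # ENTROPY_THRESHOLD in bits, assumed; tune per server
    blacklist_period: float = 300.0   # seconds, assumed
    min_session_requests: int = 5     # assumed: very short sessions are not scored
    blacklist: dict = field(default_factory=dict)  # ip -> expiry timestamp
    sessions: dict = field(default_factory=lambda: defaultdict(list))

    def session_entropy(self, ip: str) -> float:
        return shannon_entropy("\n".join(self.sessions[ip]))

    def inspect(self, req: Request, system_load: float) -> bool:
        """Pseudo Code 1: True means the request is treated as attack traffic."""
        # Step 2: a blacklisted source stays blocked until its period elapses.
        expiry = self.blacklist.get(req.source_ip)
        if expiry is not None:
            if req.timestamp < expiry:
                return True
            del self.blacklist[req.source_ip]
        # Step 3: extend the session log and recompute its entropy.
        log = self.sessions[req.source_ip]
        log.append(req.log_message())
        if len(log) < self.min_session_requests:
            return False
        entropy = shannon_entropy("\n".join(log))
        # Step 4: low entropy counts as an attack only while the server is loaded.
        if system_load >= self.load_threshold and entropy <= self.entropy_threshold:
            self.blacklist[req.source_ip] = req.timestamp + self.blacklist_period
            return True
        return False


def handle(detector: DDoSDetector, req: Request, system_load: float) -> str:
    """Pseudo Code 2: close the session or serve the request."""
    return "CLOSE_SESSION" if detector.inspect(req, system_load) else "SERVE"


def shed_least_entropy(detector, current_load, load_per_session, now):
    """Results-section policy: blacklist the lowest-entropy sessions one at a
    time until the projected load is below the threshold.  load_per_session
    (ip -> load freed by closing that session) is an assumed estimate."""
    closed = []
    for ip in sorted(detector.sessions, key=detector.session_entropy):
        if current_load < detector.load_threshold:
            break
        detector.blacklist[ip] = now + detector.blacklist_period
        current_load -= load_per_session[ip]
        closed.append(ip)
    return closed, current_load


# Constructed sample traffic (not measurements from the paper).
NORMAL_IP, ATTACK_IP = "192.0.2.10", "198.51.100.66"
NORMAL_REQUESTS = [("GET", "/index.html"), ("GET", "/static/css/site.css"),
                   ("GET", "/products?id=42&sort=price_desc"), ("POST", "/cart/add"),
                   ("GET", "/images/logo.png"), ("GET", "/account/orders/2019-03")]


def sample_traffic():
    normal = [Request(NORMAL_IP, m, p, float(i)) for i, (m, p) in enumerate(NORMAL_REQUESTS)]
    flood = [Request(ATTACK_IP, "GET", "/", 0.05 * i) for i in range(20)]  # bot repeats one URL
    return sorted(normal + flood, key=lambda r: r.timestamp)


def simulate(system_load: float = 0.95):
    """Run the sample traffic through a fresh detector under the given load.
    Returns (verdicts per source IP in arrival order, detector)."""
    detector = DDoSDetector()
    verdicts = defaultdict(list)
    for req in sample_traffic():
        verdicts[req.source_ip].append(handle(detector, req, system_load))
    return dict(verdicts), detector


if __name__ == "__main__":
    verdicts, det = simulate()
    for ip in (NORMAL_IP, ATTACK_IP):
        print(ip, f"H={det.session_entropy(ip):.2f} bits", verdicts[ip])
```

Scoring a source's accumulated session log rather than a single request is what separates a bot hammering one URL (about 3.2 bits here) from a user browsing varied paths (about 4.8 bits); the thresholds are placeholders that have to be calibrated against the server's own normal traffic, as the paper notes, and the minimum session length avoids flagging a genuine user's first request under load.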
The graphical representation of the DDoS attack for the test cases is shown in the figures below.
Figure 5: Snapshot of memory consumption under DDoS attack
Figure 9: Analysis of the DDoS mitigation mechanism with respect to response time per request
IV. CONCLUSION
This paper discussed the different types of DDoS attack, among which the flooding attack is the major concern for Internet service providers and the security industry. The lack of a security mechanism in the design of the Internet leaves web servers vulnerable. Every year millions of users access web servers; these legitimate users need proper access, and the availability of the service has to be enhanced. As discussed, the number of types of DDoS attack is increasing day by day.
Thus, the proposed mechanism of entropy value calculation (1) is performed on the HTTP request traffic and differentiates between normal user traffic and DDoS traffic. It restricts HTTP requests whose entropy falls below the threshold from accessing the web server and provides service to those above the threshold, who are the legitimate users.
Figure 6: Snapshot of memory consumption after DDoS mitigation
V. ACKNOWLEDGEMENT
I am thankful to Mr. Rajeev Bilagi, Associate Professor, Dept of CSE, for his valuable advice and support, without which I could not have been able to complete the paper. I express deep thanks to Dr. Prashanth C M, Head of Department (CS&E), for his warm hospitality and affection towards me. I thank the anonymous referees for their reviews that significantly improved the presentation of this paper. Words cannot express my gratitude for all those people who helped directly or indirectly in my endeavor. I take this opportunity to express my sincere thanks to all staff members of the CS&E department of SCE for their valuable suggestions.
Figure 7: Snapshot of entropy values for DDoS attack sessions and normal web sessions
REFERENCES
[1] Mirkovic, Jelena, and Peter Reiher. "A taxonomy of DDoS attack and DDoS defense mechanisms." ACM SIGCOMM Computer Communication Review 34.2 (2004): 39-53.
Figure 8: Analysis of the DDoS attack with respect to response time per request
[2] McDermott, James P. "Attack net penetration testing." Proceedings of the 2000 workshop on New security paradigms. ACM, 2001.
[3] Mirkovic, Jelena, and Peter Reiher. "A taxonomy of DDoS attack and DDoS defense mechanisms." ACM SIGCOMM Computer Communication Review 34.2 (2004): 39-53.
[4] Zargar, Saman Taghavi, James Joshi, and David Tipper. "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks." Communications Surveys & Tutorials, IEEE 15.4 (2013): 2046-2069.
[5] Peng, Tao, Christopher Leckie, and Kotagiri Ramamohanarao. "Survey of network-based defense mechanisms countering the DoS and DDoS problems." ACM Transactions on Computational Logic 2.3 (2006): 09.
[6] Yadav, Kalpana, et al. "Modeling SYN Flooding DoS Attacks using Attack Countermeasure Trees and Finding Optimal Set of Countermeasure using a Greedy Algorithm." International Journal on Recent Trends in Engineering & Technology 10.1 (2014).
[7] Chowdhary, Mahak, Shrutika Suri, and Mansi Bhutani. "Comparative Study of Intrusion Detection System." (2014).
[8] Douligeris, Christos, and Aikaterini Mitrokotsa. "DDoS attacks and defense mechanisms: classification and state-of-the-art." Computer Networks 44.5 (2004): 643-666.
[9] Sterne, Dan, et al. "Autonomic response to distributed denial of service attacks." Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2001.
[10] Kotkar, Ajit, et al. "Network Attacks and Their Countermeasures." Network 1.1 (2013).
[11] Srivatsa, Mudhakar, et al. "Mitigating application-level denial of service attacks on Web servers: A client-transparent approach." ACM Transactions on the Web (TWEB) 2.3 (2008): 15.
[12] Burke, Robin, et al. "Classification features for attack detection in collaborative recommender systems." Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 2006.
[13] Fysarakis, Konstantinos, et al. "Embedded Systems Security Challenges." PECCS. 2014.
[14] Gruschka, Nils, and Norbert Luttenberger. "Protecting web services from DoS attacks by SOAP message validation." Security and privacy in dynamic environments. Springer US, 2006. 171-182.
[15] Pavithra, K. C., Snitha Shetty, and H. R. Nagesh. "A comprehensive study on distributed denial of service attacks and defence mechanisms."
[16] Campus, Giani Zail Singh PTU. "A Survey on Distributed Denial of Services (DDOS)."
[17] Kührer, Marc, et al. "Hell of a handshake: abusing TCP for reflective amplification DDoS attacks." USENIX Workshop on Offensive Technologies (WOOT). 2014.
[18] Lau, Felix, et al. "Distributed denial of service attacks." Systems, Man, and Cybernetics, 2000 IEEE International Conference on. Vol. 3. IEEE, 2000.