DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application

Transcription

1 DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application Dr. V. Naga Lakshmi 1 Professor and HOD, Department of Computer Science, GITAM University, Visakhapatnam. Andhra Pradesh, India -id: vn_lakshmi8@yahoo.com Shameena Begum 2 Assistant Professor, Department of IT, Sasi Institute of Technology & Engineering, Tadepalligudem, Andhra Pradesh, India -id: sameenazm@gmail.com A B S T R A C T Any web application or server requires the use of Distributed Denial of Service (DDoS) service in order to achieve high security from various attacks. A client server application plays a major role for any application like healthcare application to prepare distributed applications while reducing the cost and executing the high performance computing devices. The distributed system in client server application undergoes many security risks including DDoS. These client server applications are based on HTTP connection. Thus, the aim of HTTP based connection allows us to make less vulnerable system against all possible DDOS attack. This system incorporates with Source Checking, Counting, Attack Detection and Prevention module with Turing test module to detect the malicious node. In this paper we are proposing a multi-stage detection system which includes cache based information Turing and question generation pool Turing tests to challenge the suspicious intruders more effectively and efficiently. The proposed system is executed to check the efficiency of proposed work and to judge how effectively the proposed system is capable to mitigate the DDoS traffic from network. Keywords: DDos, Turing test, Question generation, VC (virtual cluster). I. INTRODUCTION A. DDoS Attack in Network Distributed Denial of Service (DDoS) is the main security concern in present time against network security [1]. DDoS attacks control various machines all around the network. These DDoS attacks are called as zombies. The main aim of DDoS is to prevent a legal user to access the network resources or services from the victim server. Thus user will not be able to access its services like web, etc. in network. Mainly DDoS attacks specially focus the network availability i.e. network bandwidth and server s computing capability. DDoS attack is launched producing huge volume of traffic in the network that causes the interrupt in network services. Though, it is complex to identify the DDoS attacks and normal traffic in the network. Thus DDoS attacks have been taken as serious issues in network security. DDoS attack may cause to serious loss in any organization , IJAFRC All Rights Reserved

2 To resolve the DDoS attack, previous works [2-5] done for minimizing the DDoS attack traffic and mitigate its effect in network. B. Types of Dos Attacks Generally, DDoS attacks are classified into two main parts. In first part, DDoS attacks use maximum bandwidth in network to break the network. In second part is resource depletion which uses the CPU, network resources and services for which user are not able to access the network resources. The attack generally begins from various sources to focus at a single target. These attacks are given below: SYN Flood Attack: These attacks are belongs to TCP-based network services. These attacks causes the server harass which leads system crash [6]. TCP Reset Attack: These types of attacks use the properties of TCP protocol. Attackers listens the TCP connection and send a fake TCP RESET packet to the victim. Due to these attacks the victim to casually close its TCP connection [7]. ICMP Attack: These types of attacks use ICMP echo request packets for victim and attacks start via ping. Attackers use ICMP datagram to produce these types of attack [8]. UDP Storm Attack: These types of attacks are produces in UDP connection. When there is connection made between two parties then they will generate large number of packets on the network due to this attack happen. DNS Request Attack: These types of attacks are produced by using UDP-based DNS requests and causes in network bandwidth. Attackers use spoofed source IP address to communicate with server [9]. CGI Request Attack: In this attack, an attacker sends CGI request to server which uses huge CPU resources in network. Result of this attack causes close the services of server. Mail Bomb Attack: In this attack, an attacker sends numerous amounts of mail to target server which can be tough to handle by server. Due to this attack server can stop working. ARP Storm Attack: This attack produces by huge ARP request to target system which can badly affect its system. Algorithmic Complexity Attack: It s a class of low-bandwidth DDoS attacks that exploit algorithmic deficiencies in the worst case performance of algorithms used in many mainstream applications. Spam Attack: This type of attack is focusing for organization as well as public users. Huge amount of mails are sending through the attacker side at a time. C. Client-Server Application Client- server application is an application in which client can request for accessing services or available resources to remote server. A wireless local area network (WLAN) is an application in which two or more system or devices are connected through an access point. User can move around the network coverage. In the given network coverage system will be remain connected via wireless connection. Various Current , IJAFRC All Rights Reserved

3 WLANs are based on IEEE standards, marketed under the Wi-Fi brand name. It is a type of localarea network with the aim of high-frequency radio waves rather than wires to communicate between nodes [10]. II. RECENT RELATED WORK Fei Wang, Xiaofeng Hu and Jinshu Su [11] have suggested an unfair rate limiting mechanism which was used to handle DDoS attacks. They have focused on the traffic increasing patterns. In the proposed work, they categorized port-flows into three subsets with various decreasing priorities. In simulation section, port-flows that most likely contain DDoS attack traffic compressed most. To avoid drawback of LoURL, they have presented CoURL to enhance DDoS mitigation in an efficient manner. They have proved an outstanding performance for their given approach. Md.Khamruddin and Dr Ch. Rupa [12] have proposed an approach to detect various types of DDoS attacks. In the given approach, they have balanced the load on the victim machine by replicating servers. For mitigate the traffic on victim machine, attack signature has pushed back to upstream routers. The main goal of their mechanism is to mitigate the traffic on the victim machine so that the legal users have got the services from remote server. Yonghong Chen et. al. [13] modeled a network DDoS intrusion detection approach which is generally based on pre-processing network traffic predicted approach. Moreover, chaos theory has been come in their research. Their approach detected an anomaly caused due to any reason either by burst legal traffic or by DDoS flooding attacks. They efficiently used the neural network to execute the proposed approach in order to differentiate between DDoS attacks from unusual traffic. Their results have been based on the DARPA network traffic data which showed that the given DDoS detection method got high detection probabilities. B.S. Kiruthika Devi et. al. [14] described the classification of attack and effectual traffic monitored online. They have measured performance metrics like Latency, Link utilization and Throughput. They have used IBRL approach to reduce the attack traffic so that legal users were able send their packets without any congestion. The research design and the execution carried out on a simulated testbed. The experimental result showed that the rate limiting was efficient in reducing a network from DDoS attacks. They suggested enhancements in future contain weight based performance metrics to group the impact of DDoS attacks and quantify at various attack strengths. Jin Wang et. al. [15] explained two web applications DDoS detection approach. The given approach focused on large deviation theory i.e. LD-IID and LD-MP. LD-IID distinguished a user s access actions with , IJAFRC All Rights Reserved

4 experimental click-ratio distribution, and chosen huge deviation to estimate the deviation of each continuous user s access actions to the priori click-ratio distribution of a website. LD-MP provided the connection of a user s sub-sequent web-pages accessed. The proposed approach provided huge deviation theory to estimate the uniformity of user s experimental access action to the priori website s access action. In result section, LD-IID detected web app-ddos precisely, yet one-order Markov process makes LD-MP has high false negatives. III. PROBLEM STATEMENT A. The main issue to keep DDoS mitigation system relevant against growing the attackers. B. In the case, attackers get the control of user datagram protocol (UDP) like domain name server; user is not able to access the services from remote server. C. The mentioned methodology was not much cost effective. D. Some research was not focusing on packet loss in DDoS mitigation system. IV. RESEARCH METHODOLOGY The proposed system architecture is shown in figure 1. The packet coming from user side will arrived in Source Checking and Counting Module, where user is verified. If user is suspicious then the user is redirected to the Cache-Based Turing Module. In Cache-Based Turing Module, user is verified by the server through cache information of user saved in temporary file (user s system). The Detection section will be used for finding any other DDoS attack. The Source Checking and Counting Module takes care the all the essential information regarding attack detection. Moreover, we have Question generation module which is also used for DDoS prevention. A. Source Checking and Counting Module This module serves as a coordinator module for another module. In this module we have Source Checking Module and Counting Module 1. Source Checking Module This module is responsible for categorization of packets based on their status. This module acts as a coordination for other module. By using this module, packets are categorized into following list: Black list: In this section, Source Checking Module verifies the user s address. If it is exist in black list database then it will block the packet with the given user s address. Otherwise, it will send the packet to pink list or white list. Pink list: In this section, packets will be again verified by Cache Based Turing Test. It will check whether the packet is suspicious or not based on cache information. If packet is suspicious, it will send it to black list else in white list , IJAFRC All Rights Reserved

5 White list: In this list, only authorized user address will be store after the complete verification by Cache Based Turing Test. 2. Counting Module The counting module stores the address of source and destination packet. It also store the arrival time of request. The default mode of counting module is to be disabled. Whenever any suspicious packet identified by DDoS Attack Detection Module, its value change to enable from disable by DDoS Attack Detection Module. The counting module reset its value periodically. Lists (Black, White.) Source Checking DDoS Attack Detection VC VC Turing Test Caching Based Turing Question Generation VC Figure 1: Packet Flow in the Proposed DDoS system B. DDoS Attack Detection Module The main aim of this module is to find suspicious source and send this suspicious source address to black list repository. Moreover, the given source is authorized by the Cache-Based Turing Module by challenging the source to receive the question. It takes four steps for detecting the suspicious source which are given below: 1. Stage 0: In this section, the detection module act as a monitor mode which is responsible for detecting the source actions and collects its information in the form of average, and maximum value of connection/incoming packets/incoming bytes per second. The stored data represents each VC s network actions which can be used for identifying the suspicious source. 2. Stage 1: In this stage, the process in Stage 0 is still running to gather the instant VC traffic data for identifying malicious source. At this section, attack detection module check for each virtual controller, compare the value between current traffic and the previous statistic one. If the current , IJAFRC All Rights Reserved

6 traffic value is greater than the previous statistic one then the detection status moved to the Stage 2 and the Counting Module enable to count the incoming traffic of the particular virtual controller. 3. Stage 2: Four essential parameters are used which are given below: TH: This is nothing but the maximum threshold value. This value can be the connection set establish between the virtual controller and user. NUM_Period: In this section a threshold value set during the packets sent by user is more than the threshold value given. In this case the DDoS Attack Detection Module attached the certain IP address into the Pink list database. After that authentication section is achieved by the Cache-Based Turing Module. MXTH: It is also a threshold value which is set in the condition whether the number of connection time is greater than MXTH. In such condition the certain IP address is attached to the Pink list database on the same time if its value is 90 % of the Apache s Server performance or TH. Node_TH: It is also a threshold value which is set in the condition when the number of IP source connection greater than the given limit. In such condition system immediately switch 50% of the IP connection to the Pink list database. The given section must have to be done to ignore the congestion on the virtual controller; else in such condition the system may crash. There may be some condition, in which no IP attached into the Pink list for NUM_Period value, and then in this situation the DDoS Attack Detection Module status is again move to Stage 1 and further the Counting Module become disabled. 4. Stage 3: In this section, due to traffic from or to virtual controller is extremely huge that it takes % of the virtual controller inbound or outbound network bandwidth. Any analysis in this situation may lead to a system crash or busier. Thus, to avoid this condition, we attached the public IP to destination block list to block the incoming HTTP connections coming from the user. The public IP of virtual controller is consecutive attached and blocked incoming HTTP connections until its traffic is down. Till then the traffic is switch to the Cache-Based Turing Section where authentication of the client is happened. 5. Cache-Based Turing Cache is such a verification technology in which less effort is needed and a secure side service in included. This enables user to verify through a secure server. Although a number of transaction of service is needed. It includes a few number of secure data migration. This technology is as per the result secure as well as most reliable. This Turing is done for rapid information about the user. The destination address stores a number of secure other destinations (3n 3 ). The user is being asked for give access to these destination addresses. If it is found there it moved from the black list to white list , IJAFRC All Rights Reserved

7 Black/White Sender First Attempt Service Provider Other Attempt Limited Service Pink List Full verification (Cache Based Turing Verification) Black List White List Full Service Figure 2: Authenticating User on Basis of White Pink and Black List Concept Server Existing Server User Data in Cache The Cache based Turing consist of following steps: Step 1: Server connects to the user and gets the existing users connection in the cache with a secure server side. Server User Data in Cache , IJAFRC All Rights Reserved

8 Whenever user wants a service, it is processed in request response form. The request from user, hits to the server where user verification is done. At this stage, server looks for information stored in cache in user system. These caches information are stored in text format as temporary file in system directory where the data stored in form of name value pair. The information filled by the user is matched with these caches data. When the information in cache is correctly matched with information filled by the user then user is authorize to access the legitimate service. Step 2: Server contacts with the existing user with the credential received from the user Server Existing Server In this stage user is verified with the help of existing server. Existing server already verified the user through cache information stored in system. Step 3: Existing server once again verified with the user data present in cache. Existing Server Data in Cache Step 4: In strategy the status is given to the server from the existing server, than according to the status received by the server it decide whether to share with the user or not than its updating once again the cache. V. RESULT AND DISCUSSIONS This paper is implemented using NetBean 6.8 and Spring tool suit IDE. Apache tomcat 7.0 running as web server. Here we are using Java SE, Servlet and Html as web technology. For robot attack, we are using Swing technology. The result and discussions part are describe below: , IJAFRC All Rights Reserved

9 Figure 3: Verifying User through Answering Question In Figure 3 user is verifying through answering the security question. If user gives correct answer then user will be able to login successfully. In the case of wrong answering, user will not have access to login. Figure 4: Successfully login by user In Figure 4, user has given correct answer. Thus he/she is authorized for further services , IJAFRC All Rights Reserved

10 Figure 5: Access Denied for Wrong Answer In Figure 5, user has given wrong answer. Thus user is not authorized for login. In this case, user is not able to get the services for further use. Figure 6: Authorized user successfully login In Figure 6, already verified user wants to register. In this case, user will directly login without any security question , IJAFRC All Rights Reserved

11 Figure 7: User blocked for wrong answering In Figure 7, user 5 again wants to login but giving wrong answer. In this case, user will be block permanently. Figure 8: Register and Blocked User Figure 8 shows the information for list of registered user and list of blocked user. VI. CONCLUSION This paper presented a multi-stage detection system which includes cache based information Turing and question generation pool Turing tests to challenge the suspicious intruders more effectively and efficiently. In this paper, we identified the attacker through cache information. Users have to answer the security question at the time of logging. Once the user gives correct answer for the given security question. She/he is able to login successfully and can use the further services. Instead of wrong , IJAFRC All Rights Reserved

12 answering by attacker, user is not able to login and hence access will be denied for further services. Thus each time verified user will login, she/he is able to use the further services. In the case of wrong answering by attacker will result the block the user permanently. Thus only verified user will have access to use the given services. VII. REFERENCES [1] The top five DDoS attacks of [Online]. Available: [2] M. Goldstein, M. Reif, A. Stahl, and T. Breuel, High performance traffic shaping for DDoS mitigation, in Proceedings of the 2008 ACM CoNEXT Conference, ser. CoNEXT 08. ACM, [3] X. Liu, X. Yang, and Y. Lu, To filter or to authorize: Network-layer DoS defense against multimillion-node botnets, in ACM SIGCOMM, [4] S. H. Khor and A. Nakao, DaaS: DDoS mitigation-as-a-service, in Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the Internet, ser. SAINT 11. IEEE Computer Society, 2011, pp [5] T. Peng, C. Leckie, and K. Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Comput. Surv., vol. 39, April [6] S. M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, Proactive Server Roaming for Mitigating Denial-of-Service Attacks, in Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE 03), pp , Aug [7] Robert Vamosi, Study: DDoS attacks threaten ISP infrastructure, Online at CNET News, Nov [8] Internet World Stats, Internet User Statistics The Big Picture: World Internet Users and Population Stats, [9] A. Yaar, A. Perrig, and D. Song, PI: A path identification mechanism to defend against DDoS attacks, in proceedings of the IEEE symposium on Security and Privacy, pp , May [10] Mofreh Salem, Amany Sarhan and Mostafa AbuBakr, A DOS Attack Intrusion Detection and Inhibition Technique for Wireless Computer Networks, ICGST- CNIR, Volume (7), Issue (I), July [11] Fei Wang, Xiaofeng Hu and Jinshu Su, Unfair Rate Limiting for DDoS Mitigation Based on Traffic Increasing Patterns, IEEE, [12] A. Md.Khamruddin and B. Dr Ch. Rupa, A Rule Based DDoS Detection and Mitigation Technique, Nirma University International Conference on Engineering, [13] Yonghong Chen, Xinlei Ma, Xinya Wu, DDoS Detection Algorithm Based on Preprocessing Network Traffic Predicted Method and Chaos Theory, IEEE Communications Letters, VOL. 17, NO. 5, MAY , IJAFRC All Rights Reserved

13 [14] S. Kiruthika Devi, G. Preetha, S. Mercy Shalinie, DDoS Detection using Host-Network based Metrics and Mitigation in Experimental Testbed, IEEE, [15] Jin Wang, Xiaolong Yang, Keping Long, Web DDoS Detection Schemes Based on Measuring User s Access Behavior with Large Deviation, IEEE Globecom, , IJAFRC All Rights Reserved