ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS

Transcription

1 ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS A.MADHURI Department of Computer Science Engineering, PVP Siddhartha Institute of Technology, Vijayawada, Andhra Pradesh, India. A.RAMANA LAKSHMI, Associate Professor, Department of Computer Science Engineering, PVP Siddhartha Institute of Technology, Vijayawada, Andhra Pradesh, India. Abstract In this paper, we discuss the methods for detecting and preventing the DDoS Attacks and Replay Attacks, which have been posing the problems for the Internet. We explained a scheme AMFDR (Attack Patterns for Marking Filtering DoS and Replay attacks) that identifies the attack packets from the packets that are sent by legitimate users and filters the attack packets. A Denial of service attack is generally launched to make a service unavailable even to an unauthorized user. If this attack uses many computers across the world, it is called Distributed Denial of service attack. Replay attack is retransmission of a data transmission which used to gain authentication in a fraudulent manner. These replayed packets or attack packets are identified. This scheme is less expensive and the implementation of this scheme needs minimal interaction with routers. The scheme is like firewall system, so that the occurrence of an attack is recognized quickly and a punitive action is taken without any loss genuine packets. Key words:attack patterns,denial of Service attacks, Replay attacks. 1.INTRODUCTION Nowadays Internet has been a part of life for day to day activities, since if offers many essential services in business, commercial and house hold applications. The Internet usage has been increased the ratio of users and systems been used, had been increased the same ratio, etc. from millions to billions. This gives rise to the necessity of providing security to users of the Internet about their information. Any malicious user can exploit the design weakness of Internet to create havoc in its operation. An interruption of service provided by Internet causes inconvience to users. These interruption activities are DDoS attacks, Replay attacks. In the DDoS attacks, attacker floods huge amount of packets to the weak vulnerable host, which reduces the service provided over the Internet. This attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. IP-address spoofing disguise the attack flow containing spoofed source addresses is a gain unauthorized access to computers, hacker must first find an IP address of a trusted host. Once this information is gotten, then the hacker can use this information to make the recipient think that the hacker is the trusted sender. Replay Attack is a form of network in which data transmission is maliciously or fraudulently repeated or delayed. These overwhelming disturbing effects of Denial of service attacks and Replay Attacks had leaded the researchers to propose the mechanisms to handle them. So, there is inevitability for reorganizing the details of the attack and also the attacker to prevent the attack in further. In this paper, we present and analyze Marking and Filtering in DDoS Attacks and Replay Attacks (AMFDR) Scheme and also analyze attacker s view by using attack patterns. ISSN:

2 Fig What are Attack Patterns? Attack patterns are descriptions of common methods for exploiting software. They derive from the concept of design patterns. Attack patterns help identify and qualify the risk that a given exploit will occur in a software system. Attack Pattern is a process of identifying attackers view, gives the information about the type of attack, prerequisites of an attack, weakness of attack, the knowledge required to perform an attack and all the information about the attack that had been happened in the network. These patterns are used to identify the attack and also the type of attack. 2.1 How attack patterns are useful These patterns give the descriptive information about the attack. The following attack pattern is an example for a Denial of Service attack and replay attacks. Pattern name and classification: Denial of Service and Replay attack Attack Prerequisites: The application in which the security is required for the information. For the attack to be maximally effective if the secret information is replayed. Description: The attacker captures and retransmits data and data in the form packets are flooded to the victim. Related Vulnerabilities or Weaknesses: CWE-Data Amplification Method of Attack: By maliciously crafting data and sending it to the target over anyprotocol (e.g., e- mail, HTTP, FTP). Resources Required: No special or extensive resources are required for these attacks. Attack Motivation-Consequences: The attacker wants to deny the target access to certain resources Context Description: Any application that performs online-transactions and business operations. References: Replay attack vulnerabilities, DDoS vulnerabilities. 3. Existing approaches to counter the Replay and DDoS attacks Counter measures are classified into three categories. They are: Preventive Methods Tracking Methods Reactive Methods ISSN:

3 3.1 Preventive Methods These methods helps the systems in improving the resistance and thus prevents the attacks from not entering the system, moreover it provides high level security for a computer system network. A proactive roaming server scheme comprises of several distributed individual servers. It has an active server which roams among the servers using a secure roaming algorithm only the valid users know the server s roaming time and new server. These solutions are very expensive and difficult to prevent attacks for real time applications. 3.2Tracking Methods These methods track the sources causing the attacks, so that immediate action can be taken against the victim Packet marking method: Packet marking schemes have been proposed, for encoding path information inside IP packets, as they are routed through the internet. The idea is first put forward by Savage et al. [21], called probabilistic packet marking (PPM), in which the routers insert path information into the Identification field of IP header in each packet with certain probability, such that the victim can reconstruct the attack path using these markings and thus track down the sources of offending packets. Message trace back method: In this method routers generate ICMP trace back messages for some of received packets and send with them. By combining the ICMP packets with their TTL differences, the attack path can be determined. Some factors are considered to evaluate the value of an ICMP message, such as how far is the router to the destination, how quick the packet is received after the beginning of attack, and whether the destination wishes to receive it. These measures in tracking method are designed in such a way that an action is performed only after the attack has been performed. 3.3 Reactive Methods In these methods attack is being identified and measures are taken to control it which also reduces the effect of the attack. D-WARD method is designed to be deployed at the source network. It monitors the traffic between the internal network and outside and looks for the communication difficulties by comparing with predefined normal models. A rate-limit will be imposed on any suspicious outgoing flow according to its offensive. Packet Score scheme estimates the legitimacy of packets and computes scores for them by comparing their attributes with the normal traffic. Packets are filtered at attack time basing on the score distribution and congestion level of the victim. The Pushback method generates an attack signature after detecting congestion, and applies a rate limit on corresponding incoming traffic. This information is then propagated to upstream routers, and the routers help to drop such packets, so that the attack flow can be pushed back. These methods success depends on the clear distinction between valid packet and malicious packets. Some other approaches to counter the replay attack are: Digital Signatures: A replay attack can be prevented using strong digital signatures that include time stamps and inclusion of unique information from the previous transaction such as the value of a constantly incremented sequence number. Nonces: Nonces a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. Nonces should include in Message Authentication Code (MAC). 4. Effects of AMFDR Scheme Our scheme detects the attack in time and spontaneous reaction is provided to prevent the depletion of resources at vulnerable host. This scheme ensures that the genuine user s packets are successfully received, and the service to the genuine users is not ruined. Any deprivation in service causes would indicate fractional success for the denial of service attack Implementation is less expensive, this scheme require minimal participation of third party networks. Most of the users posed the threats by DDoS and Replay attacks are difficult to get cooperation and investment is more. ISSN:

4 In this scheme attack patterns analyze the exploits and the information is captured for each attack pattern. Moreover the concept of design pattern is applied on real world exploits so that these patterns are generated from in depth analysis. Marking Process Packet Marking method make a distinction between the genuine packets and the attack packets. The IP addresses are spoofed to make the attacker hide his identity. Packet Marking Method is used to recognize the replayed packet and genuine packets. Marking method provides each packet has some mark using that mark recognition of attack packets.ppm Marking Scheme used for packet marking to trap the sources from which the attack occurs. Marking field is part of the header in an IP packet. Fragmentation of ID field to insert a mark does not affect the transmission of IP packets. Generation of Mark in the packet. Routers generate the mark by placing hash function into its IP address. Hash function of a router IP address generates a random number which is placed in the ID field of the packet. If the attacker spoofs the marking of the packet by knowing the hash function, i.e. performed on the router IP address since the IP address of a router is known for all the users in the network. To overcome this, assume some random number as a key i.e. to be added to the hash value of an IP address. Exclusive OR is performed to key and hash function of an IP address. The packets that pass through same routers on two different routes have similar marking. In order to make successful marking scheme, each router must perform Cyclic Shift Left operation on the old marking which generates new marking for the router. Filtering Process Our scheme acts as a protection layer for the router that scans the marking field of each and every replayed packet. Each router has complete information about the route of the packet it traverses. AMFDR scheme proposes five phases in scanning out the legitimate packets from malicious packets. They are Initial phase, Normal Filter phase, Marking phase, Detection phase and Change in route phase. Initial Phase In this phase spoofed packets are identified, the firewall keeps track of the genuine markings. In this phase router gain knowledge of about the correct markings of the packets for the packets sent from legitimate IP addresses. Filter table contains IP-address, marking are the fields which on later used to verify each incoming packet and sorts out the spoofed ones. This phase continues until all the entries of the filter table are filled up. Normal Filtering Phase This phase performs normal filtering process i.e., when a packet arrives at the router then it checks the records in the filter table if the marking is accurate then it is accepted otherwise the packets are dropped. If the packet of new IP address appears it is accepted with probability p, and is added to CList (Checking list) has same fields in filter table. For every occurrence of the new IP address p is decremented according to the packet arrival rate. Marking Phase The markings in the CList are verified, a random echo messages are sent periodically to the source address for each record in CList, and counter is maintained to keep track of echo messages that have been sent it. The imitation of the reply by an attacker is done by comparing the content of the echo messages in CList with content of the replayed messages. The counter in CList records the echo messages that have been sent to an IP address is greater than 10 then that IP address is deleted from the Filter table. Since in this situation, this source IP must be neither not active nor does not exist, so that the packets received with the source address are coming from the attacker need to be rejected. Detecting Phase This phase identifies the attacks at starting stage by using the counter called Mismatching counter, which counts the packets which have been mismatched. This includes the packets with both unknown IP addresses and incorrect markings that are not in filter table. When the mismatched counter value is greater than threshold, then it is the occurrence of attacks. Change in Route Phase The routes in which packets traverses are considered to be stable, if there is a change in route there will be change in the marking that does not exist in the filter table then the packets are dropped since these does not exist in filter table. To overcome this SC counter is used to maintain the record of number of mismatching packets. If the SC value is at cut-off value then it is added to CList. If the new marking is verified by the CList verification process, the marking for this IP address is updated in the Filter table. Otherwise, the original marking is retained. ISSN:

5 In general AMFDR scheme performs the following tasks: Identification and filtering the replayed packets or attack packets from legitimate packets by verifying the marking of each packet in the filter table. Defending measures that are taken in our scheme prevents from serious damage that helps in detecting the happening the attack. Attack patterns are used to have descriptive information about the Replay and DDoS attacks. Even though the route changes the genuine packets have not been dropped that determines successfulness of our scheme. This scheme provides marking and filters the replayed packets or spoofed packets and also the descriptive communication of attacker s view. Simulation of Internet Traffic A packet generator process is used to simulate the normal Internet traffic, which periodically ends packets from a randomly selected internet user. Then the packet marking process is simulated, by computing the markings for each cooperating router on the route for this particular user. Finally, the marked packet is inserted into a packetqueue at the firewall of the victim. Attackers usually have two methods to disguise the source locations: spoofing a genuine host s IP address or inserting a randomly generated IP address into source address field. We simulated different types of attacks, called Spoofed attack, Replay attack and Randomized attack respectively. Packets are generated from each attacker to simulate the attack traffic. So, higher the number of attackers more will be the volume of the attack flow. In the simulation of Spoofed attack, for each replayed packet, one of the legitimate user is randomly selected and its IP address is used as the spoofed value of the source address. The marking field is initially filled with a random value and the marking process is simulated, as before. 5. RESULTS 5.1 Attack Patterns for Replay Attacks Fig 2 Fig 2 is the source window gives us the complete details about the path establishment i.e., source address, destination, type of data transmitted and the routers that are in the path of the packet traversal. ISSN:

6 Fig 3 is the destination window in which the attack has been identified and the attack is repeated to indicate clearly about the replay attack occurrence. Initially the file.txt has been sent and the same file.txt is captured and replayed. Fig 4, Fig 5, Fig 6 represent the complete knowledge about the routers and also if the attack is performed on the router it is identified with the series of entries in the router table and helps to know the adjacent routers in the route of the packet transmission. The attacker spoofs the source address and performs the replay attack. Fig 3 Fig 4 Fig 5 ISSN:

7 5.2 Attack Patterns for Denial of Service Attacks Fig 6 Denial of service attacks floods the huge amount of packets to the weak vulnerable host and this is represented in the results. The source and destination windows has the source IP address and the destination, the routers that are involved in the path, marking for each packet is calculated,hop count gives the number of hops each packet makes to reach destination and the request represents the data to be transmitted. Fig 7, 8 are the source and destination windows for the packets to travel. Fig 7 ISSN:

8 Fig 8 Fig 9 is the router window gives the packet forwarding information Fig 10 is also the router window since packet traverses through two routers i.e., Router550 and Router543. After the attacker had performed the DDoS attack by flooding the packets of file file.txt to the router, that is represented in the router table Router550 that the attack has happened and in the destination gives information of filtering the legitimate packets and the genuine packets in the last window Fig 11 is the attacker window by which he performs the attack on the Router550. ISSN:

9 Fig 12 is the Router550 window on which the attack is performed which is identified by series of same entries in the router table. Fig 13 is the destination window gives the distinction between legitimate packets and the attack packets and also details about the attack. 6. CONCLUSION In this paper, we have proposed a low-cost and efficient scheme called AMFDR, for defending against DDoS attacks, The AMFDR scheme is composed of three parts: descriptions of common methods for exploiting software, marking process and filtering process. The marking process requires the participation of routers in the Internet to encode path information into packets. We suggest the use of a hash function and secret key to reduce collisions among packet-markings. The scheme also includes mechanisms of identifying and preventing Replay and DDoS attack in a timely manner. Our scheme can effectively and efficiently differentiate between legitimate and genuine packets under replayed attack when the routers participation rate is as low, so the deployment cost of our scheme is very low. Also, most good packets are accepted even under the most severe attack. At the same time, the bad packet acceptance ratio is maintained at a low level. Our scheme performs well even under massively distributed DoS attacks and also Replay attacks involving thousands of attackers. Under both Replay attacks and spoofed DDoS attacks, the AMFDR scheme detected the occurrence of attack precisely within few seconds. The quick detection is valuable to the victim so that appropriate actions can be taken to minimize the damage caused by a Replay attack. ISSN:

10 7. REFERENCES [1] A. Belenky and N. Ansari, IP traceback with deterministic packet marking, IEEE Communications Letters, vol. 7, no. 4, pp , Apr [2] A. Belenky and N. Ansari, Tracing multiple attackers with deterministic packet marking (DPM), in 2003 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM 03), pp , Aug [3] S. Bellovin, ICMP Traceback Messages, Internetdraft, work in progress, Mar [5] H. Burch and B, Cheswick, Tracing anonymous packets to their approximate source, in Proceedings of the 14th Systems Administration Conference(LISA 00), pp , Dec [4] Y. Chen, S. Das, P. Dhar, A. E. Saddik, and A.Nayak, An effective defence mechanism against massively distributed denial of service attacks, in the 9th World Conference on Integrated Design & Process Technology (IDPT 06), San Diego, June [5] B. Cheswick and H. Burch, Internet Mapping Project, Cooperative Association for Internet Data Analysis, Skitter, ( [6] D. Dean, M. Franklin, and A. Stubblefield, An algebraic approach to IP trackback, in Proceedings of the 2001 Network and Distributed System Security Symposioum, pp. 3-12, Feb [7] Internet System Consortium, ISC Domain Survey: Number of Internet Hosts, [8] Internet World Stats, Internet User Statistics The Big Picture: World Internet Users and Population Stats, [9] J. Ioannidis and S. M. Bellovin, Implementing pushback: router-based defense against DDoS attacks, in Proceedings of the Network and Distributed System Security Symposium (NDSS 02), pp. 6-8, Feb [10] S.M. Khattab, C. Sangpachatanaruk, R. Melhem, D.Mosse, and T. Znati, Proactive server roaming for mitigating denial-of-service attacks, in Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE 03), pp , Aug ISSN: