DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach

Transcription

1 DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach Anurag Kochar 1 1 Computer Science Engineering Department, LNCT, Bhopal, Madhya Pradesh, India, anuragkochar99@gmail.com Abstract Distributed denial-of-service (DDoS) attacks are a real-and growing-threat to businesses worldwide. Designed to elude detection by today's most popular tools, these attacks can quickly incapacitate a targeted business, costing victims thousands, if not millions, of dollars in lost revenue and productivity. By adopting new purpose-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep their business operations running smoothly. It is discovered that the there is an increase in complex application layer based attacks that imitate legitimate flows. At first we take into account the attacks trends and further describe the DDoS methods. We also evaluate two existing detect and filter approaches and further suggest the deployment of a scheme that is independent to any past pattern based detection Keywords: DDoS Attacks, DDA, DDoS detection, Flow entropy *** INTRODUCTION DDoS attack tools has made it easier for attacker to target the victim system. With tools, such as Nmap, it becomes With advancements in networking technologies that have easy to identify the vulnerable systems, to be compromised aided the development of more feasible collaborative with, by scanning for open TCP and UDP ports and the applications secured and seamless connectivity becomes specific operating system vulnerabilities. core element for any development. Some of the most common threats in this collaborative environment include access control attacks, injection, and execution of malicious software that would jeopardize the very aim towards our application. One such threat is Distributed Denial of Service attack. DDoS attack which purports to deny a victim for the legitimate use of services by exploiting the computer design vulnerabilities. DDoS attacks target on exhausting the network bandwidth, operating system data structures, computing power and so on. To launch a DDoS attack, malicious users first establish a network of computers which is known as botnet or army, which is controlled by botmasters to generate the volume of traffic needed to deny services of victim. In order to organize a botnet, attackers vulnerable sites or hosts on the network to gain access to them. Attackers generally use variety of techniques to search vulnerable services. The next step for the attacker is to install new programs on the compromised hosts. So for this, bots or zombies [1] implement these attack tools. A DDoS is a co-ordinate attack that consists of an army of a master and slaves zombies where the attacker coordinates and orders, master zombies which in turn trigger the slaves zombies. Thus activating all attack process on the bots that had been in hibernation for the appropriate command to trigger the attack. By doing so, the slaves zombies begin to send huge of volume packets to the victim flooding its system with useless load.researchers have proposed a number of methods to defend against DDoS attacks. Despite these efforts still remains a huge threat. The distributed domain of attack makes it difficult to detect and filter them. Further, the availability of easy to implement Fig - 1: DDoS attack architecture The rest of the paper analysis major flood based DDoS attack trends and their targets. After that the paper addresses the detection and filtering mechanisms. 2. ATTACK TRENDS Security firms prolexic technologies and NS focus found that in 2013 the use of Distributed Denial of service( DDOS ) attacks were on an upward trend as criminal 1

2 evolved in the ability to target victims[2][3].i n some cases criminals carry out attacks to blackmail companies and in more recent cases has been used as a form of protest[2].the most remarkable trends of 2013 were that there was a increase of 32.34% in attacks in 2013 to that of 2012.High bandwidth volumetric infrastructure layer attacks increased approximately 30% with growing attack sizes. The largest accountable attack was the Spamhaus attack(march 2013) with a bandwidth upto300gbps :In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The requests were likely approximately 36 bytes long and the response was approximately 3,000 bytes, translating to a 100x amplification factor. Over 30,000 unique.dns resolvers involved in the attack. This translates to each open DNS resolver sending an average of 2.5Mbps. Thus it becomes evident that DDOS attacks are significant security threat that ISPs face. The attacks lead to revenue loss invariably slow network performance and service unavailability. Even the very well equipped networks, had been the victims of these DDOS attack. This is clearly depicted in table 1. Table -1: Major DDOS Attacks based attacks is to congest a victim s incoming link. In these the victims usually respond with the RST packets. ICMP messages and UDP packets can also be used. The second flooding attack method is reflector attack. It is an indirect attack in the intermediary nodes (routers and servers), known as reflectors. An attacker sends packets that require responses to the reflectors with the packets inscribed source addresses set to a victim s address. Without realizing that the packets are actually address-spoofed, the reflectors return response packets to the victim according to the types of the attack packets. Classic example of reflector attack is a smurf attack. A smurf attack, as the name suggests, work as a smurf, who shift illicit money from place to place to conceal its origin, often in small transactions. In similar way the smurf attack is operated in misconfigured network devices which allow packets to be sent to all computer hosts on a particular network via the broadcast address(a logical address at which all devices connected to a multiple-access communications network are enabled to receive datagrams ) of the network, rather than a specific machine. The network then work as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up; preventing legitimate packets from getting through to their destination summary of some reflector attacks is depicted in table 2. Table 2: A summary of some reflector attack SYN and ICMP floods were the attack vectors that showed most declines in use. Reflected amplification attacks emerged as a very popular attack method. Mobile devices and apps began participating in DDOS campaigns. 2.1) Attack Methods There are two types of flooding attack methods: Direct attack and reflector method. In direct attack, large number of attack packets is directly sent to a victim by the attacker. Direct attack generally includes TCP, ICMP, UDP packets or a mixture of them.syn flooding is the well known method of TCP packets. In this an attacker sends a large number of SYN requests to a victim to consume enough server resources to make the victim unresponsive to the legitimate user. Generally a TCP connection is set up in which an attacker requests a connection by sending SYN message to the victim. Victim responded by sending SYN- ACK packets. Since the source address in these packets is generally spoofed, causing the victim to send the SYN-ACK packets to a falsified address. The another variant of TCP 2.2) How DDoS Attacks Exploit Layers Of The OSI Model There are three types of DDoS attacks. They are either layer 3 or layer 4 or layer 7 based attacks. Layer 3/4 DDoS attacks: The majority of DDoS attacks focus on targeting the transport and network layers. These types of attacks are usually comprised of volumetric attacks that aim to overwhelm the target machine, denying or consuming resources until the server goes offline. In these types of DDoS attacks, malicious traffic (TCP / UDP) is used to flood the victim. Taking it one step further, these attacks also drive to saturate the entire network with malicious traffic until it is rendered temporarily obsolete. While these types of attacks can be a disruptive force for Volume: 02 Issue: 02 Mar-2014, Paper id - IJRETM

3 businesses, once the attack ceases or has been mitigated, there is no lasting damage. The present day hardware system are competitive to handle such attacks but are ineffective to handle the application layer attacks i.e. the layer 7 attack. Layer 7 DDoS attacks: Application-layer DDoS attacks are a bit more complicated. Layer 7 DDoS attacks are some of the most difficult attacks to mitigate against because they mimic human behavior as they interact with the user interface. A sophisticated Layer 7 DDoS attack may target specific areas of a website, making it even more difficult to separate from normal traffic. For example, some types of Layer 7 DDoS attacks will target website elements, like your logo or a button, and repeatedly download resources hoping to exhaust the server. Still another example is when an attacker targets a download on a website and proceeds to go through the process just described above. A Layer 7 DDoS attack uses the seventh protocol of the OSI Model to target the application interface, in the process mimicking real, human behavior that is harder to detect and mitigate. The sophistication and volume of complex Layer 7 DDoS attacks is on the rise, according to security researchers from companies like Rivalhost and Prolexic. The State of the Internet Report, published by Akamai, reported an increase of 54% in DDoS attacks in the first quarter of Numbers are definitely trending upward. 3. COUNTER MEASURES FOR DDOS For the defense mechanism against the DDOS attack, a comprehensive solution should include three lines of defense against DDOS attacks, which should take place at three different phases of attack. Prevention and preemption (before the attack), detection and filtering (during the attack), counteract mechanisms (after and during the attack). 3.1) Attack Prevention and Preemption In the defense mechanism, primary line is to obstruct the DDOS attacks from taking place. The flow and network anomalies can be used to identify attacks over network. There are indeed signatures and scanning procedures. There should also control over attack traffic. 3.2) Points of Vulnerability In a DDOS attack, packets are generated in a dispersed area while these dispersed attacks are all converged onto a victim on the network. This is clearly depicted in figure 2. Fig 2: Possible locations for Detection and Filtering Thus attacks are easy to classify at the victims end however its more effective to filter packets closer to the source of packets because if filtering is done nearer to the victim than there is a great possibility to reject the normal packet flow. Thus here s a trade off to be made.also ingress filtering for spoofed packets at source is not economically feasible. The conventional way of doing DDoS mitigation is using network heuristics, looking at the packet header or looking at the aggregate of the packet and seeing how that compares to the known good behavior. It is important that our system is capable of handling a DDoS attack regardless of the fact the layer it exploits. However detection and filtering of layer 3/4 based attack is relatively much easier to those based on application layer. An application-level attack is a DDoS attack that overloads an application server, such as by making excessive log-in, database-lookup or search requests. Application attacks, also called Layer 7 attacks, are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests may appear to be from legitimate users. However, once identified, these attacks can be stopped and traced back a specific source more easily than other types of DDoS attacks. 4. MAJOR DETECT AND FILTER APPROACHES The paper focuses on two detect and filter approaches: one is Distributed Attack Detection (DAD) [8]and the other is Information Metric based filtering. The approach that extends the packet filtering function to the internet core is distributed attack detection (DAD).It is a internet firewall approach that extends typical intrusion system functions to the internet core. The DAD approach detects DDOS attacks based on network anomalies and misuses observed from a set Volume: 02 Issue: 02 Mar-2014, Paper id - IJRETM

4 of distributed detection system(dss).the DAD approach is heuristic based anomaly detection technique that determine whether the packet flow is legitimate or not. The DAD approach incorporates deployment of DSs at a few selected strategic locations on the internet and they non intrusively monitor and analyze the traffic passing through the network. Since each detection system can analyze only partial anomalies, the DSs cooperatively detect DDOS attacks by exchanging attack information derived from local observation. As a result, the dad approach requires sophisticated mechanism to correlate the information received from packets passing through the DSs and a separate channel for the DS s to communicate. This attack high level DS architecture is depicted in figure-3. Fig - 3: High level DS architecture Thus designing an effective and deployable architecture for DAD approach[8] is a challenging task that Involves Complex algorithmic and engineering design issues. For example, optimal placement of DSs.due to the typical nature of DDoS attack, each DS can observe only partial traffic anomalies. As a result, the entire detection process consists of two levels local detection and global detection.the state diagram of 2-level attack detection is depicted in figure-4 from other DSs to make global decision. If a DDOS attack is confirmed, DS notifies the packet filtering component to install the packet filters for the corresponding packet stream. However, the DAD [8]involves the several deployment difficulties.dad Is heuristic in nature and is specific attack pattern based detection, that cannot help in real time scenarios due to attackers mimicking attempts which make it susceptible to, it is very easy for hackers to simulate the features of legitimate network traffic to fool detection algorithms. New enhanced attack flows. Often the DSs are not able to differentiate flash crowds and an attack footprint. Another anomaly detection technique is based on flow entropy and Information Distance [5][7] which may serve as a more robust solution to the problem. It doesn t rely over previously observed flow statistics. And thus, real time solution to the problem. The method uses the traffic flow as a element of measurement to make decisions. Thus we do not need the knowledge of DDoS flooding attacks and we can perform detection in real time fashion.this approach uses an Information Distance algorithm[7] to discriminate DDOS attacks from flash crowd. This method is novel and effective on the fact that DDOS attack flows generally possess stronger similarities than flash crowd. According to the approach once there is an attack or flash crowds, the flow entropy drops dramatically because there is either one or a number of flows dominating on the routers. In this case, the detecting algorithm treats the dominant flow or flows as suspicious flows. Every local router samples the number of packets from the suspicious flows in a given time interval. The sampling results will be submitted to the downstream routers. Once the sampling results hit junction routers, like router R1 or R3 in Figure 1, the information distance among suspicious flows is calculated there. If the information distance is less than a given threshold, the DDoS attack is confirmed, and the routers start discarding related packets from the suspicious flows before they reach the victim. Radical fall in the entropy. Thus indicating a suspicious flow on the network. The entropy of a discrete random variable X is defined as[7] Where χ is the sample space of X. The entropy of a random variable X measures the uncertainty of X in the unit of bits. Abstract distance is usually applied to measure similarities amongst objects, such as images or data sequences. For two given flows with distributions p(x) and q(x). The Sibson distance[7] is further developed based on the Jeffrey distance, which is defined as follows Fig - 4: State diagram of 2 level attack detection As soon as the local detection system supports H1,it floods an attack alert to all other DSs, signaling a possible DDOS attack. Each DS then independently consolidates and analyses its local detection result with attack alerts received Metrics indicates that the Sibson distance is the best for DDoS detection in terms of data sensitivity and statistical features [7]. In this paper, we use the Sibson distance as a metric for the information distance measurement[5][7]. Volume: 02 Issue: 02 Mar-2014, Paper id - IJRETM

5 In the entropy based approach we are able to detect the attack packets at the victims end and filter the packets nearer to its source. 5. PROPOSED ARCHITECTURE AND CHALLENGES We propose a generic architecture scheme based on the locality of deployment, DDoS defence schemes can be divided into three classes : victim end, source end and intermediate router defence mechanisms. may appear to be from legitimate users. Thus an attack genre independent approach is needed. Further it requires installation of attack specific firewalls at real time. We firmly realized one such approach is the information metric based. This approach has been implemented over LAN by installing detection and filter software on every router in the LAN and the results affirm its effectiveness [5][8][6].We propose a generic architecture to be deployed to put this scheme over the internet. The second conclusion is that to implement it all over the internet we should not implement the software on all routers, rather shall implement the software only at strategic locations of the networks like that done in DAD. We believe scheme will work out in the real world scenario. It is a detection method that is independent of network topology. Yet another challenge pertains. If we want to put the proposed architecture over the internet then locating the source precisely would still remain a big challenge because in LAN this architecture can be put on all the routers (so detection of source can be done) but on internet we would install it only on strategic locations. Thus exactly determining the location of source still remains an adequately difficult challenge; but this technique can still give a very fair idea of source network. Fig 5: generic architecture for intermediate network based DDoS defence mechanism. The reference data stores the information about intrusion signatures or profiles of normal behavior. This information is updated by the processing elements as new knowledge about observed behavior is recorded. We suggest a throthling component to propose rate limit on outgoing connections. The observation engine does the detection by monitoring their entropy while the rate limiting mechanism helps to put the filtering mechanism. The final filtering decision is based on a global decision system i.e. observations from other routers are paid heed upon. The security managers helps maintain the filtering and implements rate limiting rules on the throttling component. 6. CONCLUSIONS The fact we observed in our study and analysis through the topic is that attack flows and information distance are the essential features to any flooding attack. This feature cannot be changed or disguised by attackers. We further observed that different attack flows for one attack session are generated by the same attack tools and therefore they possessed great information similarity, (the fact to be exploited), as to that by flash crowds. We derive two conclusions from our research study. The first is that the DAD approach cannot handle the application layer attacks because in case of an application layer attack a 3 way handshake would have been completed and the flow will be treated as legitimate by the DSs. Application attacks are harder to detect than other kinds of DDoS attacks, because the connection has already been established and the requests 7. RESEARCH PROSPECTS The paper was to analyze the DDoS trends and the Detection techniques. This may serve as a review work and also used to further demonstrate the flow based detection on the internet. In future we are interested to work on following issues Designing efficient captcha bypassing algorithms that can help imitate human response to puzzles. First, devising and organizing a super botnet with sufficiently large number of live bots to beat the proposed method. Investigation on the economic and computational feasibility of detection accuracy and cost. Third make new techniques to imitate humans better and to enable the bots to override the discussed approach Fourth, to discover new parameters and properties in attack flows that can be exploited to detect them. 8. REFERENCES [1]. T. Peng, C. Leckie, K. Ramamohanarao, Survey of network-based defense mechanisms countering the dos and DDoS problems, ACM Computing Survey 39 (1). [2]. NSFOCUS technologies Ltd., NS FOCUS Mid year DDOS threat report Volume: 02 Issue: 02 Mar-2014, Paper id - IJRETM

6 [3]. news 24 report link, DDoS-attack-trends-of-2013-identified [4]. S.Gibson, The Strange tale of the Denial of Service Attacks Against GRC.COM, Mar [5]. yuan tao, Shui yu DDOS attack detection at local area networks using information theoretical metrics, ieee international conference of trust 12 th IEEE conference, 2013 [6]. S.Yu, T. Thapngam, J. Liu, S. Wei, W. Zhou, Discriminating DDoS flows from flash crowds using information distance, in: Proceedings of the 3 rd International Conference on Network and System Security, 2009, pp [7]. S. Yu, T. Thapngam, J. Liu, S. Wei, W. Zhou, Discriminating DDoS flows from flash crowds using information distance, in: Proceedings of the 3 rd International Conference on Network and System Security, 2009, pp [8]. K. K. Wan and R. Chang, Engineering of a Global Defense Infrastructure for DDoS Attacks, Proc. IEEE Int l. Conf. Net., Aug Volume: 02 Issue: 02 Mar-2014, Paper id - IJRETM