MITIGATION OF FLOODING DDOS ATTACKS IN MULTICLIENT APPLICATIONS


P. Alaguvathana
Assistant Professor, Department of CSE, Kalaivani College of Technology, Coimbatore

Abstract

In network-based applications, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Adversaries can eavesdrop and launch directed DoS attacks on the application's open ports. Previous solutions to this problem are based on port hopping between pairs of processes. Here, port hopping is extended to support multiparty applications: each application server communicates with multiple clients in a port-hopping manner with limited scalability issues. Further, the hopping period is considered dynamic, which enables hopping when the communicating parties have clocks with variable clock drifts; that is, each client automatically adjusts its clock with respect to the server's. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service provider (ISP) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol's effectiveness and low overhead, as well as its support for incremental deployment in real networks.

Index Terms: Denial of service attack, Data communication, Application, Port hopping.

1. INTRODUCTION

Distributed denial-of-service (DDoS) attacks still constitute a major concern [1] even though many works have tried to address this issue in the past (ref. survey in [2]). As they evolved from relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break 100 Gb/s, for which the majority of ISPs today lack an appropriate infrastructure to mitigate them [1].
Most recent works aim at countering DDoS attacks by fighting the underlying vector, which is usually the use of botnets [3]. A botnet is a large network of compromised machines (bots) controlled by one entity (the master). The master can launch synchronized attacks, such as DDoS, by sending orders to the bots via a Command & Control channel. Unfortunately, detecting a botnet is also hard, and efficient solutions may require either participating actively in the botnet itself [4], which raises important ethical issues, or first detecting botnet-related malicious activities (attacks, infections, etc.), which may delay the mitigation.

A single intrusion prevention system (IPS) or intrusion detection system (IDS) can hardly detect such DDoS attacks unless it is located very close to the victim. However, even in that case, the IDS/IPS may crash because it needs to deal with an overwhelming volume of packets (some flooding attacks reach Gb/s). In addition, allowing such huge traffic to transit through the Internet and only detecting/blocking it at the host IDS/IPS may severely strain Internet resources.

Service (DoS) attack which sometimes even crash the server. Most of the time, the attacker collects many (possibly millions of) zombie machines or bots, which are compromised machines, to flood packets simultaneously, which forms a Distributed Denial of Service (DDoS) attack.

These attacks may come from many unexpected origins. Among the hardest security problems in today's Internet are DoS (Denial of Service) and DDoS (Distributed DoS) attacks; they constitute a very basic category of attack in security engineering and can be used in several scenarios. The term applies to any situation where an adversary attempts to prevent the use or delivery of a valued resource or service to its intended audience or customers. At any given time, routers and servers can handle a finite amount of traffic, based on factors such as hardware performance, memory and bandwidth. If this limit or rate is exceeded, new requests beyond the limit will be rejected. As a result, traffic from real users will be ignored and the object's users will be denied access. When turned against essential targets, such as root DNS servers or time servers, these attacks can be very serious. They are simple to set up, difficult to stop and control, and very efficient.

There are various types of such attacks. Some groups separate attacks into three categories: bandwidth attacks; protocol attacks, in which flaws in communication protocols are found and exploited; and logic attacks. Bandwidth attacks are comparatively straightforward attempts to consume resources, such as the bandwidth or equipment throughput provided for a particular application or service. Large-data-volume attacks can consume all usable bandwidth between an ISP and a particular website. Timeouts may occur, causing retransmission and generating even more traffic in the network. An attacker can consume bandwidth by flooding a network connection with any traffic at all. A basic flood attack might use UDP or ICMP packets to consume all available bandwidth and other resources.
For this purpose, an attack could consist of various TCP or raw IP packets, as long as traffic is created on the network. [2]

DDoS attacks are a difficult problem to solve completely. There are no common characteristics of DDoS streams that can be used for their detection and defense. Furthermore, the distributed nature of DDoS attacks makes them extremely hard to combat or trace back. Most methods that defend systems against DoS and DDoS attacks focus mainly on mitigating the bandwidth consumption caused by flooding, as this is the simplest and most common method used by attackers. Those methods make DDoS attacks less severe reactively, by identifying the malicious traffic and informing the upstream routers to filter or rate-limit the matching traffic [3], [4], [5], [6], [7], [8]; they may also mitigate DDoS attacks by deploying secure overlays [9], [10], [11], [12], or by recognizing the legitimate traffic with valid network capabilities [13], [14], [15], [16]. It is impossible to prevent or stop DDoS completely, but the impact of an attack can be minimized. Mitigating DoS/DDoS attacks at the origin or within the core of the Internet seems to be an impossible task, but the attacks can be limited to some extent.

The defense methods and solutions noted above are filtering mechanisms for bandwidth attacks. These may help, but might not be effective and exact with respect to a certain application, as attackers are changing their scheme of attack and trying to attack the application directly, particularly when the application involves complex computations. Attackers understand that upholding an application's availability is a high priority for most organizations, since availability influences the application's revenue, and any reduction in the application's quality of service can reduce revenue as well as harm the organization's reputation.
Given the numerous applications in use, it would be expensive and impractical for traffic monitors and other protective measures to hold information for every application. Because applications perform complex computations, even a small volume of messages can be enough to consume an application's resources. For these reasons, this work focuses on application-based mitigation.

2. RELATED WORK

Many network-based countermeasures have been proposed to address the problem of DoS/DDoS.

These measures usually use routers or overlay networks to filter malicious traffic. A survey of network-based defense mechanisms against DDoS attacks is presented by Peng et al. [20]. The approach is based on content filtering. A peer-to-peer approach is introduced, and mobile agents are leveraged to exchange newly detected threats. FireCol provides a simpler solution in the sense that it uses simple metrics, while the former approaches can be costly in terms of resource consumption. Other approaches promoting the use of simple statistics are not distributed.

Manisha et al. [17] proposed a lightweight mechanism to mitigate session flooding and request flooding in App-DDoS attacks on web servers. Trust is used to distinguish legitimate users from attackers. Trust is assigned to a client based on that client's visiting history, and requests are scheduled in decreasing order of trust. Request flooding attacks are also mitigated using the Client Puzzle Protocol: while the server is under a request flooding attack, source throttling is done by imposing a cost on the client, measured in CPU cycles.

A DoS-resistant communication mechanism for end hosts, based on acknowledgments, has been proposed. Another solution relies on tokens delivered to each new TCP flow. Each router between the source and the destination marks the path to detect spoofed addresses. Detection of specific SYN flooding attacks at the router level is investigated. The correlation between requests and replies is used to detect flooding attacks while limiting overhead. The observation of past attacks or legitimate traffic in order to create a community of interest is another alternative. Information sharing about DDoS attacks is also addressed, but from a high-level perspective where a trusted network of partners (networks) is built.
Detecting DDoS attacks by detecting IP spoofing is addressed and is related to our work, as the goal is to speed up and limit the costs of packet filtering, especially in the case of DoS attacks. Moreover, statistics on the network traffic, such as entropy, are used. There are also DDoS countering techniques dedicated to specific applications such as Web servers or clouds. Detecting DDoS attacks at the ISP level was also studied, but these approaches analyze all traffic, unlike FireCol, which is based on a local mechanism enhanced by collaboration when needed. Beyond sharing information between different network nodes to mitigate flooding attacks efficiently, FireCol leverages ring semantics to enhance the analysis of shared information.

Another port-hopping method for the client-server model is suggested by Lee and Thing [22]. Their mechanism divides time into discrete time slots. The clients and the server share a pseudorandom function to compute which ports should be used for communication in a particular time slot. The authors assume that the time offset plus the message delay is bounded by a constant value l, so no time synchronization mechanism is needed. Instead, the valid open time of the communication port for a time slot is prolonged both backward and forward by 1/2l. This strategy captures the basic idea of time-based port hopping; however, it still relies on synchronized clock values of the communicating parties. Both the detection and the filtering of malicious attack packets are simplified, and the authors' mechanism does not require any change to existing protocols. The port-hopping technique can be implemented using socket communications for the UDP protocol and for setting up TCP communications, so it is compatible with both UDP and TCP.

Srivatsa et al. [23] proposed a client-transparent approach, similar to port hopping, in which JavaScript is used to embed an authentication code into the TCP/IP layer of the networking stack, so that messages with an invalid authentication code are filtered by the server's firewall. To fight DoS attacks, the authentication code changes periodically. To keep the communication secure, a challenge server is deployed to issue keys; its main aims are managing the number of clients connected to the server and synchronizing the clients with the server. Protection of the challenge server is therefore quite important, and defending it against attacks is also necessary, since this approach relies on the challenge server. The paper notes that a cryptography-based mechanism can be used to protect the challenge server from attack, although this is not discussed in detail. In this work, therefore, no third party is used for time synchronization.

Zhang Fu et al. [19] proposed port hopping for multiparty applications in the presence of fixed clock drifts. To deal with hopping in the presence of clock-rate drifts, they also proposed the Hopping-Period-Align-and-Adjust algorithm (HOPERAA for brevity), an adaptive algorithm executed by each client to adjust its hopping period length and align its hopping time with the server. To enable multiparty communication with port hopping, they proposed the BIGWHEEL algorithm, which lets a server support hopping with many clients without keeping state for each client individually. The basic idea in both algorithms is that each client interacts independently with the server and considers the server's clock as the point of reference; moreover, the server does not need to keep state for each client, since the main responsibility for coordination is assigned to the client(s). The protocols are analyzed against various aspects of the adversary. By the properties of the algorithm, there is no need for group synchronization, which would raise scalability issues. In this work, scalability issues are limited by extending the BIGWHEEL algorithm; the hopping period (roughly the time that communication ports remain open) is considered dynamic, and variable clock drifts are also considered.

3. PROBLEM AND SYSTEM MODEL DEFINITIONS

The problem is that an attacker wants to undermine the communication of a client-server application by attacking its communication channels or, for brevity, ports. Some port must be open at all times at the server side to receive the messages sent from legitimate clients.
At the server side, many ports can be available, so the size of the port number space is considered, meaning that there is a constant number of ports that the server can use for communication. The server and the legitimate clients share a pseudorandom function f which generates the port numbers used in the communication. It is assumed that a preceding authentication procedure exists that enables the server to distinguish messages from legitimate clients. It is also assumed that every client is honest, meaning that the client executes according to the protocol and will not reveal the random function to the adversary, and that when the adversary attacks a certain port of the server, that port cannot receive any message from the clients.

By exploiting flaws in the application, the attacker can eavesdrop on the client's messages and learn the port number being used for communication at a certain time. It still takes the attacker some time to obtain this port number and prepare the directed attack on that port; this interval is called the delay, and it is bounded by some time units. Thus, by port hopping, that is, by changing the communication ports randomly, one can limit the attacker's ability to launch directed attacks.

In port hopping it is important that the communicating parties know which port is currently open and transmit via that port, so synchronization of ports between the parties is important. The synchronization mechanisms presented in previous work are of two kinds: one is based on acknowledgments and the other depends on synchronized clocks between the parties.
In the acknowledgment-based strategy, a dropped or lost acknowledgment can lead to a situation where a port remains open for a time interval long enough for an eavesdropping attacker to identify it from the eavesdropped message and launch a directed attack on it. Having synchronized clocks on both sides means a synchronization server is needed, which may also be a third party; this becomes a weak point in the system, as it too has to be defended against DoS attacks. These issues pose challenges for further work to extend the scheme to multiparty networked systems, particularly when multiple communicating parties such as clients and a server are involved.

These shortcomings have to be remedied to some extent. With these synchronization issues in mind, the goals in this work are to support port hopping 1) in the presence of variable clock-rate drifts, possibly with timing uncertainty, implying that clock values can change arbitrarily much with time; and 2) in multiclient communication with a dynamic hopping period. The solution is general, as the mechanisms and algorithms are based on the clients and server. It is complementary to mechanisms against bandwidth attacks, as it focuses on the application. As the hopping period is dynamic, the opportunity for the attacker to launch a directed attack on the application's ports after eavesdropping is limited.

The communicating parties each have a local clock, and the clock rate of each local clock is constant. The server's clock is used as the reference point. In general, clock drift is defined as the difference in reading between a clock and a perfect reference clock per unit of time of the reference clock; a client's clock drift is defined as the ratio of its own clock rate to the server's clock rate. When variable clock drift is selected, the time is adjusted automatically, based on how often the client synchronizes with time sources, to keep the clock within the threshold limit that has been set. Heavy and/or variable load, that is, an increasing number of clients, causes the clock to drift by significant amounts on an irregular basis. Various aspects are used to represent the clock value and clock drift of the client and the server. The hopping period of the ports is also considered dynamic.

The solution mitigates DoS attacks at the application layer, and so it cannot fight bandwidth-based attacks.
So, adopting the assumptions of previous work [18], [26], it is also assumed that the network is always available and usable, meaning that there are no bandwidth-based attacks. Still, the network may lose messages, and there may be delay in message delivery. For the analysis, it is assumed that the maximum delivery latency for messages is. This can be a setup parameter of the protocol, in which the hopping period is regarded as dynamic, depending on the deployment.

4. MITIGATION

A. Mitigation Shields

When an attack is detected, FireCol rings form protection shields around the victim. To block the attack as close as possible to its source(s), the IPS that detects the attack informs its upper-ring IPSs (upstream IPSs), which in turn apply the vertical communication process and enforce the protection at their ring level (Algorithm 2). To extend the mitigation, the IPS that detects the attack also informs its peer IPSs on the same ring to block traffic related to the corresponding rule. This is done by forwarding the information in the same manner as done by the collaboration manager (Algorithm 1). Only traffic from suspected sources (i.e., sources that triggered some rule) is blocked, as shown in Fig. 1. This process entails the potential blocking of benign addresses. However, this is a temporary cost that is difficult to avoid if a flooding attack is to be stopped. Potential alternatives are described in the next section.

It may be impossible to determine all attack sources during a single detection window due to inherent network delays and/or resource limitations. The attacker can also invoke an attack scenario from different machines at different times to reduce the risk of detection. For this reason, after the detection and mitigation of an attack against some host, FireCol continues the detection process, looking for additional attack sources. Furthermore, to limit the effect of potential additional attack sources, after the blocking period elapses the IPS may activate a cautious-mode phase in which rate limiting is applied to packets corresponding to the triggered rule.

B. Careful Mitigation

This section gives an overview of common techniques to improve attack mitigation by blocking only attack-related IP sources. Only those associated with high packet rates or that have opened most of the sessions recently might be blocked, as in [14]. Moreover, identifying not-yet-seen IP addresses is another way to detect potential spoofed addresses or zombies used to perform a DDoS attack [15]. The authors in propose other heuristics based on the difference between incoming and outgoing traffic. A solution could be to capture all traffic associated with an alert triggered by the score manager and use signatures to clearly identify an attack. A general blacklist can be imported from external databases, like SpamHaus, which stores IP addresses related to spam, meaning that they are probably zombie computers. Non-assigned IP addresses or abnormal source IP addresses (multicast, private addresses, ...) could also be a starting point for such blacklisting.

DATA COMMUNICATION

C sends data messages to the worker ports of S. Once C gets the reply from the server in the initiation of the contact, C has the seed λ for the pseudorandom function f to compute the sequence of the worker ports. The new worker port will be opened µ time units before the closing time of the old one.

Fig. 1. Multiple clients with their local clocks

As shown in Fig. 1, the clients communicate with the server via ports which change periodically, and the server's clock is considered the reference point; the variable drift is used, where the drift is adjusted based on the history of the drifts between the client and the server. When S receives the contact-initiation message from C, S will send the reply message at the time when the next worker port is opened. When C gets the integer σ from S's reply, it will send the data messages directly to the port calculated from. C has a timer Tc which is set to 0 when C receives the reply message from S. Tc increments at the same rate as the local clock of C. Whenever necessary, the destination port number of the data messages will be recomputed. The server can distinguish the contact-initiation messages from data messages whenever the worker port collides with one of the guard ports.

4.2 DYNAMIC HOPPING PERIOD

Client C has a clock drift c relative to the server. During the data transmission stage, the hopping time of C can drift apart from the server's time. This causes C to send messages to a port that is already closed or is not yet opened, depending on whether C's clock is slower or faster than S's. Growth in the deviation of hopping times would cause additional message loss, so C has to adjust the hopping time at adaptively selected time intervals to control this. These are called the HOPERDA execution intervals. However, the client has no knowledge of its clock drift. A method is suggested that exchanges piggybacked messages between C and S, carrying information about the sending and receiving times (timestamped with local clock values), to estimate the clock drift. Since the bounds of the drift improve monotonically, the HOPERDA execution interval keeps growing with the number of HOPERDA executions. This means that the client does not have to align the hopping time (that is, execute HOPERDA) frequently. The message and time overhead involved in the HOPERDA executions is repaid over the long HOPERDA execution intervals. Thus the hopping period is dynamically estimated with respect to the server's clock.

5. EXTENSION TO MULTIPLE CLIENTS

The extension to multiple clients per server is achieved here. Keeping the server's clock as the reference point, each client can interact with the server independently of the other clients. To limit scalability issues, the server must have more than one worker port open in each time period (but still a small constant number of them), so as to balance the load among the server and the clients. Moreover, by having a dynamic hopping period and different phases in the corresponding hopping sequences, such a method can limit the time it takes for each client to initiate contact with the server. Here the BIGWHEEL algorithm is extended so that it also considers content-based requests.
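
The slotted hopping, the µ overlap between worker ports and the clock-drift problem of section 4.2 can be reproduced in a short simulation. The following Python code is an added example, not code from the paper: HMAC-SHA256 as the pseudorandom function f, the port range, the period and delay values, and the two-exchange drift bound are assumptions chosen for illustration, and the bound is a simplified stand-in for the HOPERDA algorithm rather than that algorithm itself.

```python
import hashlib
import hmac

PORT_BASE = 20000   # assumed: first port of the hopping range
PORT_SPACE = 10000  # assumed: size of the port-number space
PERIOD = 1.0        # assumed: hopping period, in seconds of the server's clock
OVERLAP = 0.1       # mu: the old port stays open this long after the new one opens


def port_for_slot(seed: bytes, slot: int) -> int:
    """Shared pseudorandom function f (HMAC-SHA256 is an assumed choice)."""
    mac = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return PORT_BASE + int.from_bytes(mac[:4], "big") % PORT_SPACE


def open_ports(seed: bytes, server_time: float) -> set:
    """Worker ports the server accepts at server_time."""
    slot = int(server_time // PERIOD)
    ports = {port_for_slot(seed, slot)}
    if slot > 0 and server_time - slot * PERIOD < OVERLAP:
        ports.add(port_for_slot(seed, slot - 1))  # previous port not yet closed
    return ports


def client_port(seed: bytes, rho: float, local_period: float,
                server_elapsed: float) -> int:
    """Port chosen by a client whose timer Tc advances rho seconds per server second."""
    tc = rho * server_elapsed  # Tc was reset to 0 when the server's reply arrived
    return port_for_slot(seed, int(tc // local_period))


def dropped_messages(seed, rho, local_period, duration=60, step=0.25, latency=0.02):
    """Count data messages that reach the server on a port that is not open."""
    dropped = 0
    for i in range(int(duration / step)):
        sent_at = i * step + 0.05  # server time at which the client sends
        port = client_port(seed, rho, local_period, sent_at)
        if port not in open_ports(seed, sent_at + latency):
            dropped += 1
    return dropped


def make_probe(rho, offset, server_time, up_delay, down_delay):
    """Constructed timestamp exchange: (client send, server stamp, client receive)."""
    return (offset + rho * (server_time - up_delay),
            server_time,
            offset + rho * (server_time + down_delay))


def drift_bounds(probe_a, probe_b):
    """Bound the client's clock rate from two exchanges, using only delay >= 0."""
    send_a, stamp_a, recv_a = probe_a
    send_b, stamp_b, recv_b = probe_b
    span = stamp_b - stamp_a
    return (send_b - recv_a) / span, (recv_b - send_a) / span


def demo():
    seed = b"constructed-demo-seed"  # constructed sample seed
    rho = 1.02                       # constructed: client clock runs 2% fast
    first = make_probe(rho, 500.0, 10.0, 0.01, 0.03)
    near = drift_bounds(first, make_probe(rho, 500.0, 12.0, 0.02, 0.01))
    far = drift_bounds(first, make_probe(rho, 500.0, 50.0, 0.02, 0.01))
    estimate = sum(far) / 2  # midpoint of the tighter bounds
    return {
        "dropped_in_sync": dropped_messages(seed, 1.0, PERIOD),
        "dropped_drifting": dropped_messages(seed, rho, PERIOD),
        "dropped_adjusted": dropped_messages(seed, rho, PERIOD * estimate),
        "bounds_near": near,
        "bounds_far": far,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the constructed 2% drift, about half of the messages in the 60-second run arrive on a port that is not open until the client rescales its hopping period; the bounds from exchanges 40 seconds apart are much tighter than those from exchanges 2 seconds apart, which is why the adjustment interval can grow.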
Content-aware request distribution is deployed in the server; it is a strategy that takes into account the service content requested when deciding which client should serve a response. To serve more clients and reduce the maximum waiting time for a client, the server opens worker ports according to multiple hopping sequences. These sequences are computed by the same pseudorandom function but with different seeds. With this mechanism, when the server receives a contact-initiation message from a client, it sends the reply at the nearest opening time of a worker port, containing the seed for the matching sequence.

6. CONCLUSION

Defending against application-layer DDoS attacks is a pressing problem for the Internet. Motivated by the fact that it is essential for a service provider to accommodate good users and customers when resources are scarce, application-level protection against DoS attacks is examined here. The port-hopping scheme is investigated, especially for enabling multiparty communication with a dynamic hopping period and in the presence of clock drifts. FireCol is a scalable solution for the early detection of flooding DDoS attacks. Belief scores are shared within a ring-based overlay network of IPSs. It is performed as close to attack sources as possible, providing protection to subscribed customers and saving valuable network resources. Experiments showed good performance and robustness of FireCol and highlighted good practices for its configuration.

REFERENCES

[1] Z. Fu, M. Papatriantafilou, and P. Tsigas, "Mitigating Distributed Denial of Service Attacks in Multiparty Applications in the Presence of Clock Drifts," Proc. IEEE Int'l Symp. Reliable Distributed Systems (SRDS), Oct.
[2] "CERT Advisory CA IP Denial-of-Service Attacks," ww.cert.org/advisories/ca html.
[3] K. Argyraki and D.R. Cheriton, "Active Internet Traffic Filtering: Real-Time Response to Denial-of-Service Attacks," Proc. Ann. Conf. USENIX Ann. Technical Conf. (ATEC '05), p. 10, 2005.
[4] R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling High Bandwidth Aggregates in the Network," ACM SIGCOMM Computer Comm. Rev., vol. 32, no. 3, pp.
[5] D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback," ACM Trans. Information and System Security, vol. 5, no. 2, pp.
[6] D.X. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," Proc. IEEE INFOCOM, vol. 2, pp.
[7] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," ACM SIGCOMM Computer Comm. Rev., vol. 30, no. 4, pp.
[8] X. Liu, X. Yang, and Y. Lu, "To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets," Proc. SIGCOMM, pp.
[9] A.D. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services," ACM SIGCOMM Computer Comm. Rev., vol. 32, no. 4, pp.
[10] D.G. Andersen, "Mayday: Distributed Filtering for Internet Services," Proc. Fourth Conf. USENIX Symp. Internet Technologies and Systems (USITS '03), p. 3.
[11] X. Fu and J. Crowcroft, "GONE: An Infrastructure Overlay for Resilient DoS-Limiting Networking," Proc. Int'l Workshop Network and Operating Systems Support for Digital Audio and Video (NOSSDAV).
[12] A. Stavrou and A.D. Keromytis, "Countering DoS Attacks with Stateless Multipath Overlays," Proc. 12th ACM Conf. Computer and Comm. Security (CCS), pp.
[13] T. Anderson, T. Roscoe, and D. Wetherall, "Preventing Internet Denial of Service with Capabilities," Proc. Workshop Hot Topics in Networks (HotNets-II), Nov.
[14] A. Yaar, A. Perrig, and D. Song, "SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks," Proc. IEEE Symp. Security and Privacy, pp.
[15] X. Yang, D. Wetherall, and T. Anderson, "A DoS-Limiting Network Architecture," Proc. ACM SIGCOMM, Aug.
[16] X. Liu, X. Yang, and Y. Xia, "NetFence: Preventing Internet Denial of Service from Inside Out," Proc. SIGCOMM, pp.
[17] Ms. Manisha, M. Patil and U.L. Kulkarani, "Mitigating App-DDoS Attacks on Web Servers," International Journal of Computer Science and Telecommunications, vol. 2, issue 5, Aug.
[18] G. Badishi, A. Herzberg, and I. Keidar, "Keeping Denial-of-Service Attackers in the Dark," IEEE Trans. Dependable and Secure Computing, vol. 4, no. 3, pp., July-Sept.
[19] Z. Fu, M. Papatriantafilou, and P. Tsigas, "Mitigating Distributed Denial of Service Attacks in Multiparty Applications in the Presence of Clock Drifts," IEEE Trans. Dependable and Secure Computing, vol. 9, no. 3.
[20] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems," ACM Computing Survey, vol. 39, no. 1, p. 3.
[21] K. Hari and T. Dohi, "Sensitivity Analysis of Random Port Hopping," Proc. Seventh Int'l Conf. Ubiquitous Intelligence Computing and Seventh Int'l Conf. Autonomic and Trusted Computing (UIC/ATC), pp., Oct.
[22] H. Lee and V. Thing, "Port Hopping for Resilient Networks," Proc. IEEE 60th Vehicular Technology Conf. (VTC2004-Fall), vol. 5, pp.
[23] M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, "A Client-Transparent Approach to Defend against Denial of Service Attacks," Proc. IEEE 25th Symp. Reliable Distributed Systems (SRDS '06), pp., 2006.


Denial of Service Attacks, What They are and How to Combat Them Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001

More information

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram.

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram. Protection of Vulnerable Virtual machines from being compromised as zombies during DDoS attacks using a multi-phase distributed vulnerability detection & counter-attack framework Ashok Kumar Gonela MTech

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Analysis of Automated Model against DDoS Attacks

Analysis of Automated Model against DDoS Attacks Analysis of Automated Model against DDoS Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of Information and Communication Sciences Macquarie

More information

DoS/DDoS Attacks and Protection on VoIP/UC

DoS/DDoS Attacks and Protection on VoIP/UC DoS/DDoS Attacks and Protection on VoIP/UC Presented by: Sipera Systems Agenda What are DoS and DDoS Attacks? VoIP/UC is different Impact of DoS attacks on VoIP Protection techniques 2 UC Security Requirements

More information

Off The Wall: Lightweight Distributed Filtering to Mitigate Distributed Denial of Service Attacks

Off The Wall: Lightweight Distributed Filtering to Mitigate Distributed Denial of Service Attacks Off The Wall: Lightweight Distributed Filtering to Mitigate Distributed Denial of Service Attacks Zhang Fu, Marina Papatriantafilou Chalmers University of Technology, 42196 Gothenburg Sweden. Email: {zhafu,ptrianta}@chalmers.se

More information

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. prashil.waghmare14@gmail.com

More information

Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.

2. Design. 2.1 Secure Overlay Services (SOS) IJCSNS International Journal of Computer Science and Network Security, VOL.7 No. IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.7, July 2007 167 Design and Development of Proactive Models for Mitigating Denial-of-Service and Distributed Denial-of-Service

More information

DoS: Attack and Defense

DoS: Attack and Defense DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches

More information

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

More information

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

More information

How To Block A Ddos Attack On A Network With A Firewall

How To Block A Ddos Attack On A Network With A Firewall A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

DISTRIBUTED denial-of-service (DDoS) attacks still constitute

DISTRIBUTED denial-of-service (DDoS) attacks still constitute 1828 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 6, DECEMBER 2012 FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks Jérôme François, Issam Aib, Member, IEEE,

More information

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,

More information

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity Prevention, Detection and Mitigation of DDoS Attacks Randall Lewis MS Cybersecurity DDoS or Distributed Denial-of-Service Attacks happens when an attacker sends a number of packets to a target machine.

More information

A Practical Method to Counteract Denial of Service Attacks

A Practical Method to Counteract Denial of Service Attacks A Practical Method to Counteract Denial of Service Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked System Security Research Division of Information and Communication Sciences

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Srinivasan Krishnamoorthy and Partha Dasgupta Computer Science and Engineering Department Arizona State University

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

An Efficient Filter for Denial-of-Service Bandwidth Attacks

An Efficient Filter for Denial-of-Service Bandwidth Attacks An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special

More information

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Ho-Seok Kang and Sung-Ryul Kim Konkuk University Seoul, Republic of Korea hsriver@gmail.com and kimsr@konkuk.ac.kr

More information

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

More information

DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED METRICS

DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED METRICS DETECTION OF APPLICATION LAYER DDOS ATTACKS USING INFORMATION THEORY BASED METRICS S. Renuka Devi and P. Yogesh Department of Information Science and Technology, College of Engg. Guindy, Anna University,

More information

A Flow-based Method for Abnormal Network Traffic Detection

A Flow-based Method for Abnormal Network Traffic Detection A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

Defending DDoS Attacks Using Traffic Differentiation and Distributed Deployment

Defending DDoS Attacks Using Traffic Differentiation and Distributed Deployment Defending DDoS Attacks Using Traffic Differentiation and Distributed Deployment Rohan Patil, Aditya Kumat, Karan Bulbule, Maitreya Natu Student author, College of Engineering, Pune, India Tata Research

More information

Game-based Analysis of Denial-of- Service Prevention Protocols. Ajay Mahimkar Class Project: CS 395T

Game-based Analysis of Denial-of- Service Prevention Protocols. Ajay Mahimkar Class Project: CS 395T Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T Overview Introduction to DDoS Attacks Current DDoS Defense Strategies Client Puzzle Protocols for DoS

More information

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

More information

Complete Protection against Evolving DDoS Threats

Complete Protection against Evolving DDoS Threats Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 ISSN 2229-5518

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 ISSN 2229-5518 International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May-2015 1681 Software as a Model for Security in Cloud over Virtual Environments S.Vengadesan, B.Muthulakshmi PG Student,

More information

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

More information

Towards Autonomic DDoS Mitigation using Software Defined Networking

Towards Autonomic DDoS Mitigation using Software Defined Networking Towards Autonomic DDoS Mitigation using Software Defined Networking Authors: Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, Hervé Debar NDSS Workshop on Security of Emerging Networking Technologies (SENT

More information

Preventing Resource Exhaustion Attacks in Ad Hoc Networks

Preventing Resource Exhaustion Attacks in Ad Hoc Networks Preventing Resource Exhaustion Attacks in Ad Hoc Networks Masao Tanabe and Masaki Aida NTT Information Sharing Platform Laboratories, NTT Corporation, 3-9-11, Midori-cho, Musashino-shi, Tokyo 180-8585

More information

Keywords Attack model, DDoS, Host Scan, Port Scan

Keywords Attack model, DDoS, Host Scan, Port Scan Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection

More information

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

More information

Depth-in-Defense Approach against DDoS

Depth-in-Defense Approach against DDoS 6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007 102 Depth-in-Defense Approach against DDoS Rabia Sirhindi, Asma Basharat and Ahmad Raza Cheema

More information

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Sau Fan LEE (ID: 3484135) Computer Science Department, University of Auckland Email: slee283@ec.auckland.ac.nz Abstract A denial-of-service

More information

Denial of Service Attacks and Resilient Overlay Networks

Denial of Service Attacks and Resilient Overlay Networks Denial of Service Attacks and Resilient Overlay Networks Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University Motivation: Network Service Availability Motivation:

More information

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Yong Tang Shigang Chen Department of Computer & Information Science & Engineering University of Florida, Gainesville,

More information

Analyze & Classify Intrusions to Detect Selective Measures to Optimize Intrusions in Virtual Network

Analyze & Classify Intrusions to Detect Selective Measures to Optimize Intrusions in Virtual Network Analyze & Classify Intrusions to Detect Selective Measures to Optimize Intrusions in Virtual Network 1 T.Ganesh, 2 K.Santhi 1 M.Tech Student, Department of Computer Science and Engineering, SV Collge of

More information

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS Iustin PRIESCU, PhD Titu Maiorescu University, Bucharest Sebastian NICOLAESCU, PhD Verizon Business, New York, USA Rodica NEAGU, MBA Outpost24,

More information

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Vasilios A. Siris and Ilias Stavrakis Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH)

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Packet-Marking Scheme for DDoS Attack Prevention

Packet-Marking Scheme for DDoS Attack Prevention Abstract Packet-Marking Scheme for DDoS Attack Prevention K. Stefanidis and D. N. Serpanos {stefanid, serpanos}@ee.upatras.gr Electrical and Computer Engineering Department University of Patras Patras,

More information

Efficient Detection of Ddos Attacks by Entropy Variation

Efficient Detection of Ddos Attacks by Entropy Variation IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 7, Issue 1 (Nov-Dec. 2012), PP 13-18 Efficient Detection of Ddos Attacks by Entropy Variation 1 V.Sus hma R eddy,

More information

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES

A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES International Journal of Scientific and Research Publications, Volume 4, Issue 4, April 2014 1 A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES *J.RAMESHBABU, *B.SAM BALAJI, *R.WESLEY DANIEL,**K.MALATHI

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

Prevention, Detection, Mitigation

Prevention, Detection, Mitigation Thesis for the Degree of DOCTOR OF PHILOSOPHY Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation Zhang Fu Division of Networks and Systems Department

More information

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall

Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall Mitigating Denial-of-Service and Distributed Denial-of-Service Attacks Using Server Hopping Model Using Distributed Firewall Prajyoti P.Sabale 1, Anjali B.Raut 2 1 Department of Computer Science &Information

More information

Autonomic IDS and DDoS Attack In Website

Autonomic IDS and DDoS Attack In Website ISSN 2395-1621 Autonomic IDS and DDoS Attack In Website Pratik Bobade #1, Aditya Borge #2, Chetan Ingulkar #3, Akshay Jadhav #4 1chetaningulkar121@gmail.com 2jadhavakashyme@gmail.com #1234 Department of

More information

Low-rate TCP-targeted Denial of Service Attack Defense

Low-rate TCP-targeted Denial of Service Attack Defense Low-rate TCP-targeted Denial of Service Attack Defense Johnny Tsao Petros Efstathopoulos University of California, Los Angeles, Computer Science Department Los Angeles, CA E-mail: {johnny5t, pefstath}@cs.ucla.edu

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks Krishnamoorthy.D 1, Dr.S.Thirunirai Senthil, Ph.D 2 1 PG student of M.Tech Computer Science and Engineering, PRIST University,

More information

Detection and Mitigation of DDOS Attacks By Circular IPS Protection Network

Detection and Mitigation of DDOS Attacks By Circular IPS Protection Network Detection and Mitigation of DDOS Attacks By Circular Protection Network S. Shanthini Priyanka 1, S. Hasan Hussain 2 Department of Computer Science and Engineering, Syed Ammal Engineering College, Ramanathapuram,

More information

A HYBRID APPROACH TO COUNTER APPLICATION LAYER DDOS ATTACKS

A HYBRID APPROACH TO COUNTER APPLICATION LAYER DDOS ATTACKS A HYBRID APPROACH TO COUNTER APPLICATION LAYER DDOS ATTACKS S. Renuka Devi and P. Yogesh Department of Information Science and Technology, College of Engg.Guindy, AnnaUniversity, Chennai.India. renusaravanan@yahoo.co.in,

More information

CapMan: Capability-based Defense against Multi-Path Denial of Service (DoS) Attacks in MANET

CapMan: Capability-based Defense against Multi-Path Denial of Service (DoS) Attacks in MANET CapMan: Capability-based Defense against Multi-Path Denial of Service (DoS) Attacks in MANET Quan Jia Department of Computer Science George Mason University Fairfax, Virginia 22030 qjia@gmu.edu Kun Sun

More information

Denial of Service Protection with Beaver

Denial of Service Protection with Beaver Denial of Service Protection with Beaver Gal Badishi Amir Herzberg Idit Keidar Oleg Romanov Avital Yachin {badishi@ee, idish@ee, oleg@softlab, saty@t2}.technion.ac.il, EE Department, Technion herzbea@macs.biu.ac.il,

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

How To Protect Yourself From A Dos/Ddos Attack

How To Protect Yourself From A Dos/Ddos Attack RELEVANT. INTELLIGENT. SECURITY White Paper In Denial?...Follow Seven Steps for Better DoS and DDoS Protection www.solutionary.com (866) 333-2133 In Denial?...Follow Seven Steps for Better DoS and DDoS

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc. TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...

More information

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,

More information
