DDoS Attack Detection and Attacker Identification

Brajesh Kashyap, Department of Computer Science and Engineering, National Institute of Technology Rourkela-769008
S.K. Jena, Department of Computer Science and Engineering, National Institute of Technology Rourkela-769008

ABSTRACT
A DDoS attack is a form of DoS attack in which the attacker uses authorized users' IP addresses to attack a particular victim. Of the two types of attack, it falls in the active category. The main aim of the attacker is to jam the resources in order to deny services to the recipient. The attacker can use several strategies to achieve this goal, one of which is flooding the network with bogus requests. The attack is distributed because the attacker uses multiple computers to launch the denial of service attack. In this paper we first identify the types of DoS and DDoS attack. Then we provide a solution for those attacks on the basis of attacker identification. The main focus of this paper is to identify the actual attacker, who has performed the attack by sitting behind a forged system. For that purpose we first prevent IP forgery by using a sender authentication process, then calculate the TCP flow rate and from it identify whether packets are normal packets or malicious packets. We detect the attack on the receiver proxy server by using entropy and normalized entropy calculation on the receiver proxy server. If an attack is detected then we drop the packets, get their mark values and trace them back to the source. Finally we use the concept of ISP and IANA to identify the actual attacker. NS2 has been used to simulate the proposed methods.

General Terms
Normal packet: packets that are sent by an authentic user. Attack packet: packets that are sent by an attacker to perform an attack on a particular victim.

Keywords: Denial of Service (DoS), Distributed Denial of Service (DDoS), Internet Assigned Numbers Authority (IANA), Internet Service Provider (ISP)

1. INTRODUCTION
The Internet was initially designed for openness and scalability. The infrastructure is certainly working as envisioned by that yardstick.
However, the price of this success has been poor security. On the Internet, anyone can send any packet to anyone without being authenticated, while the receiver has to process any packet that arrives at a provided service. The lack of authentication means that attackers can create a fake identity and send malicious traffic with impunity. All systems connected to the Internet are potential targets for attacks, since the openness of the Internet makes them accessible to attack traffic. [3]

1.1 Denial of Service (DoS) attack
A Denial of Service (DoS) attack aims to stop the service provided by a target. It can be launched in two forms. The first form is to exploit software vulnerabilities of a target by sending malformed packets and crash the system. The second form is to use massive volumes of useless traffic to occupy all the resources that could service legitimate traffic. While it is possible to protect against the first form of attack by patching known vulnerabilities, the second form of attack cannot be so easily prevented. The targets can be attacked simply because they are connected to the public Internet. [3] A DoS attack is a malicious attempt by a single person or a group of people to disrupt an online service. DoS attacks can be launched against both services, e.g., a web server, and networks, e.g., the network connection to a server. [3]

Types of DoS attack:
- TCP SYN flood attack
- UDP flood attack
- Ping of death attack
- Teardrop attack

1.2 Distributed Denial of Service (DDoS) attack
In the distributed form of DoS attacks (called DDoS), the attacker first takes control of a large number of vulnerable hosts on the Internet, and then uses them to simultaneously send a huge flood of packets to the victim, exhausting all of its resources.
There are a large number of exploitable machines on the Internet with weak security measures that attackers can use to launch DDoS attacks, so that such attacks can be executed by an attacker with limited resources against large, sophisticated sites. [2]

Types of DDoS attack:
A) Bandwidth attacks: A bandwidth attack can be defined as any activity that aims to disable the services provided by the victim by sending an excessive volume of useless traffic.
A.1) IP spoofed attack: The attackers in DDoS attacks always modify the source addresses in the attack packets to hide their identity, making it difficult to distinguish such packets from those sent by legitimate users. [2]
A.2) Distributed reflector attacks: In these attacks, the attacker (also referred to as a slave from now on; many slaves carry out an attack on behalf of the real attacker, a human) does not flood the victim directly, but uses innocent servers as reflectors to achieve its goal. A reflector may be any IP host that will return a reply packet when sent a request packet. For example, all web servers, DNS servers and routers can be reflectors, since they would reply with SYN-ACK or RST packets in response to SYN packets. A slave spoofs the source address of the request packets with the address of the victim and sends them to the reflectors. The reflectors then send reply packets to the victim (the apparent source of the request packets).
A.3) Forged source attack: In this type of DDoS attack the attacker first sets up the agent software and gathers a command and control server; with the help of the command and control server they gather zombie PCs in the network and perform the DDoS attack with the help of those systems. The systems that perform the DDoS attack in this type of attack are not the attacker's actual systems; they are systems controlled by the command and control server that perform the attack.

Fig 1: DDoS Attack Process

2. DDoS ATTACK DETECTION AND PREVENTION
To detect a DDoS attack on the victim proxy server, we use the concept of entropy calculation on the victim proxy server. As we know, the attacker does not play any role in network path determination; it is done entirely and dynamically by the routers. To detect a DDoS attack we use the concept of a symmetric shared key. We assume that each router has a common shared secret key. Routers use that key to encrypt and decrypt the marking value. A man-in-the-middle attack, performed by the attacker by presenting himself as a router (it is easy to forge a router IP address in a network), can be removed very well by this scheme.

2.1 Entropy
Entropy is an important concept of information theory, which is a measure of the uncertainty or randomness associated with a random variable, or in this case data coming over the network. The more random it is, the more entropy it contains. The value of sample entropy lies in the range [0, log n]. The entropy value is smaller when the class distribution is pure, i.e. belongs to one class. The entropy value is larger when the class distribution is impure, i.e. the class distribution is more even. Hence comparing the value of entropy of some sample of packet header fields to that of another sample of packet header fields provides a mechanism for detecting changes in the randomness. The entropy H(X) of a random variable X with possible values x_1, x_2, ..., x_n and distribution of probabilities P = p_1, p_2, ..., p_n with n elements, where 0 ≤ p_i ≤ 1 and Σ p_i = 1, can be calculated as:
$H(X) = -\sum_{i=1}^{n} P(x_i) \log P(x_i)$

2.2 Sender Authentication
With the help of the given approach, we are able to protect against IP spoofed DDoS attacks. For that, we follow these steps:
1) The sender sends a marking M to the receiver proxy server. The marking value M is a 24-bit random number generated by the source.
Fig 2: Sender Authentication Process
2) The receiver proxy server receives that marking value M and sends an echo message to verify the marking value.
3) If the marking value is correct and it was sent by the source, then the source provides a positive acknowledgement, else a negative acknowledgement.
4) If the receiver receives a positive acknowledgement, then it sends a new marking digest to the source, associated with a new higher sequence number, (S, j+1, h(S, j+1, M, k(x))); otherwise it discards the request.
5) The sender puts that 24-bit digest value h(S, j+1, M, k(x)) into the option field of the packet and then sends the packet.

2.3 Packet Transmission
1) Suppose any sender wants to send a packet to a receiver. First they send the packet to the edge router without putting any marking value in the Identification field.
2) When the edge router receives the packet it first examines the packet and checks the Identification field. If the packet comes without any mark then the router calculates the mark. The mark calculation is done in the following way. Suppose IP is the IP address of the edge router; then
   h(e) = H(16Sip) ⊕ T(16Sip) ⊕ H(16Dip) ⊕ T(16Dip)
   M = E(h(e), K(x))
   and the mark is put into the digest table associated with the source IP.
   Else, if there is already a mark in the packet, the router first decrypts it using
   P = D(M, K(x))
   The router then calculates h(e) using the IP of the neighbor from which the packet arrived:
   h(e) = H(16Sip) ⊕ T(16Sip) ⊕ H(16Dip) ⊕ T(16Dip)
   and checks whether P == h(e). It then calculates h(e) using its own IP address and the IP address of the neighbor through which it wants to send the packet to the particular destination. The above steps are repeated until the final destination is reached.

We are thus able to solve the problem where the attacker has already filled in the mark value: using the above strategy, when we decrypt it we never get the attacker's forged neighbor IP addresses (the addresses the attacker forged in order to present himself as a neighbor).

Fig 3: IP Packet Format

Table 1: Digest Table
S.No.  Source IP  Digest  Timestamp
1      X.X.X.X    Dig 1   1 min
2      ----       Dig 2   1 min
3      ----       Dig 3   1 min
4      ----       Dig 4   1 min
5      ----       Dig 5   1 min
6      ----       Dig 6   1 min
7      ----       Dig 7   1 min
8      ----       Dig 8   1 min
9      ----       Dig 9   1 min
10     ----       Dig 10  1 min

2.4 DDoS Detection
Identify the normal packets and attack packets. For the purpose of identification, we calculate the TCP flow rate for each packet.
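The per-hop marking of Section 2.3, worked through as added example code (not the paper's own implementation). It assumes H(16·) and T(16·) are the head and tail 16 bits of an address and ⊕ is XOR, and it substitutes a keyed HMAC truncated to 16 bits for the cipher E/D the paper does not name; all addresses and the key are constructed. The verifying router rebuilds h(e) from the link the packet really arrived on, so a mark captured on one link and replayed from another is dropped.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Tuple

SHARED_KEY = b"constructed-demo-shared-key"  # K(x): one key shared by every router (constructed)

def hop_digest(sip: str, dip: str) -> int:
    """h(e) = H(16Sip) xor T(16Sip) xor H(16Dip) xor T(16Dip), taking H/T as the
    head and tail 16 bits of the two router addresses on a link (assumed reading)."""
    s, d = int(ipaddress.IPv4Address(sip)), int(ipaddress.IPv4Address(dip))
    return (s >> 16) ^ (s & 0xFFFF) ^ (d >> 16) ^ (d & 0xFFFF)

def encrypt_mark(h: int, key: bytes = SHARED_KEY) -> int:
    """M = E(h(e), K(x)); the paper names no cipher, so a keyed HMAC truncated to
    16 bits (the width of the IP Identification field) stands in."""
    tag = hmac.new(key, h.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big")

def mark_is_valid(mark: int, arrived_from: str, my_ip: str) -> bool:
    """The paper's P == h(e) check, done as recompute-and-compare from the link
    the packet physically arrived on, never from an address the packet claims."""
    if not 0 <= mark <= 0xFFFF:
        return False
    expected = encrypt_mark(hop_digest(arrived_from, my_ip))
    return hmac.compare_digest(expected.to_bytes(2, "big"), mark.to_bytes(2, "big"))

class Router:
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.digest_table: Dict[str, Tuple[int, float]] = {}  # Table 1: src IP -> (digest, time)

    def forward(self, pkt: dict, arrived_from: str, next_hop: str, now: float) -> Optional[dict]:
        """Verify the incoming mark (an unmarked packet means we are its edge router),
        re-mark it for the next link and record the digest. None means dropped."""
        if pkt["mark"] is not None and not mark_is_valid(pkt["mark"], arrived_from, self.ip):
            return None  # mark does not match the real incoming link: forged or replayed
        out = dict(pkt, mark=encrypt_mark(hop_digest(self.ip, next_hop)))
        self.digest_table[pkt["src"]] = (out["mark"], now)
        return out

def send_along(path: List[Router], pkt: dict, first_link: str, dst: str) -> Optional[dict]:
    """Carry pkt hop by hop; first_link is the address it really came from. Returns the
    packet as the destination sees it, or None once a router drops it."""
    prev = first_link
    for i, router in enumerate(path):
        nxt = path[i + 1].ip if i + 1 < len(path) else dst
        pkt = router.forward(pkt, prev, nxt, now=0.0)
        if pkt is None:
            return None
        prev = router.ip
    return pkt

# Constructed topology: sender -> EDGE -> R2 -> R3 -> receiver proxy (all addresses made up).
EDGE, R2, R3 = Router("10.0.0.1"), Router("10.0.1.1"), Router("10.0.2.1")
PATH = [EDGE, R2, R3]
SENDER, VICTIM, ATTACKER_LINK = "192.0.2.10", "198.51.100.5", "203.0.113.9"

def legitimate_delivery() -> Optional[dict]:
    return send_along(PATH, {"src": SENDER, "mark": None}, SENDER, VICTIM)

def replayed_mark_delivery() -> Optional[dict]:
    """An attacker copies the EDGE->R2 mark off the wire and injects it into R2 from its own link."""
    stolen = EDGE.forward({"src": SENDER, "mark": None}, SENDER, R2.ip, now=0.0)["mark"]
    return send_along([R2, R3], {"src": SENDER, "mark": stolen}, ATTACKER_LINK, VICTIM)
```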
TCP Flow Rate Calculation: We know that a normal user sends either 3 or 4 packets successively. After that they wait for some time for the receiver's reply and then start sending packets again. But the attacker's behavior is different: they won't wait for such an amount of time. They send packets continuously without any delay, because if they don't do so they are not able to perform the attack. If they wanted to behave like a normal user then they would need to acquire lakhs of systems, which is very tough for an attacker as most of the systems in a network are secure: systems check the agent software's registration information and easily know that it is an attack. So on the basis of the above assumption, we derive the formula for TCP flow rate. Suppose t_p is the propagation time and B is the channel bandwidth. A normal user sends at most 3 or 4 packets consecutively. After that he waits for t_p time to get the reply from the receiver. So the normal flow rate = (t_p + t_p)/4 = t_p/2. And we know that the total capacity of the channel is B * t_p, so the attacker tries to send this many packets to utilize the bandwidth fully. If S1, S2, S3, S4, ... are successive packets containing the same marking value, calculate the time duration (TD) between successive packets:
   If (t_p/2) < TD then the packets are normal packets,
   else the packets are attack packets.

Detection Procedure:
1) Calculate entropy on the receiver proxy server:
   $H(X) = -\sum_{i} P(x_i) \log P(x_i)$, where P(x_i) = (number of attack or normal packets) / total number of packets.
2) Normalized entropy: $NE = H / \log n_0$, where n_0 = number of source nodes in the particular time interval.
3) If NE < threshold, identify a suspected attack.

2.5 Simulation and Results
The simulation was done using the NS-2 simulator to evaluate the performance of our DDoS detection algorithm against results obtained from the experiment. We tested our anomaly detection algorithm in a Linux (Ubuntu 10) environment. This section introduces the experimental setup and reports performance results.

1) Experimental setup: Our simulation includes 3 source nodes, 2 intermediate routers and 1 destination node, as shown in the figure. The bandwidth of legitimate traffic is set constant, and the simulation of attack traffic is achieved by randomly generating many pairs of Constant Bit Rate (CBR) UDP flows in NS2. The legitimate user sends packets at an interval of 0.20 seconds, and the attacker starts sending attack traffic frequently after 0.0 seconds. The experiment lasts for 2 seconds. We traced the number of packets received in every 0.5 second interval. The traced data is shown below:

Fig 4: Screenshot of Setup

Table 2: Traced Data
Time Interval  Normal Packets (M1 M2 M3)  Attack Packets (M1 M2 M3)  Normalized Entropy
0-0.5          25  38  32                 91   78  101              1.54
0.5-1.0        38  29   4                 131 148  431              0.98
1.0-1.5        39  31   8                 104 126  396              1.03
1.5-2.0        27  32  29                 132 112  142              1.32

2) Entropy: $H(X) = -\sum_{i} P(x_i) \log P(x_i)$, where P(x_i) = (number of attack or normal packets) / total number of packets.
Calculation for 0-0.5:
   P(M1) = -[(25/116) log(25/116) + (91/116) log(91/116)] = 0.225
   P(M2) = 0.273
   P(M3) = 0.238
   NE = (0.225 + 0.273 + 0.238) / log 3 = 1.54
For 0.5-1.0:
   P(M1) = 0.230, P(M2) = 0.192, P(M3) = 0.048, NE = 0.98

We assume here a threshold value of 1.1, because if some packets are reaching the destination slowly due to network delay then we are still able to identify the attacker.

Performance Evaluation: To evaluate the performance of our algorithm, we plot the evaluation graph, which has time on the X-axis and normalized entropy on the Y-axis. With the help of the graph shown below, we can easily conclude that if we take threshold value 1.1, it can easily detect the attack.
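The flow-rate rule of Section 2.4 and the entropy steps above, worked through as added example code (not from the paper). Assumptions: TD is averaged over the successive packets carrying one mark, the logarithm is base 10 (the base that reproduces Table 2's 1.54), and the inter-arrival samples are constructed; the Table 2 counts are the paper's. The computed NE values agree with Table 2 to within a few hundredths and give the same verdicts against the 1.1 threshold.

```python
import math
from typing import Dict, Sequence, Tuple

THRESHOLD = 1.1  # the NE threshold the paper settles on

def mean_gap(timestamps: Sequence[float]) -> float:
    """Average time duration TD between successive packets carrying the same mark."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return sum(gaps) / len(gaps) if gaps else math.inf

def classify_flow(timestamps: Sequence[float], t_p: float) -> str:
    """Section 2.4 rule: a normal user averages about t_p/2 between packets (3-4 packets,
    then a wait of t_p for the reply); a flood keeps TD well below that."""
    return "normal" if (t_p / 2) < mean_gap(timestamps) else "attack"

def source_entropy(normal: int, attack: int) -> float:
    """H(X) = -sum P(x_i) log P(x_i) over the normal/attack classes of one source's packets,
    base-10 log (assumed: it is the base that reproduces the paper's 1.54)."""
    total = normal + attack
    return -sum((c / total) * math.log10(c / total) for c in (normal, attack) if c)

def normalized_entropy(counts: Dict[str, Tuple[int, int]]) -> float:
    """NE = H / log n0 with H the sum over sources and n0 the number of sources seen."""
    return sum(source_entropy(n, a) for n, a in counts.values()) / math.log10(len(counts))

def suspected_attack(counts: Dict[str, Tuple[int, int]], threshold: float = THRESHOLD) -> bool:
    """Step 3 of the detection procedure: NE below the threshold flags an attack."""
    return normalized_entropy(counts) < threshold

# Table 2 of the paper: per 0.5 s interval, (normal, attack) packet counts for marks M1..M3.
TABLE_2 = {
    "0-0.5":   {"M1": (25, 91),  "M2": (38, 78),  "M3": (32, 101)},
    "0.5-1.0": {"M1": (38, 131), "M2": (29, 148), "M3": (4, 431)},
    "1.0-1.5": {"M1": (39, 104), "M2": (31, 126), "M3": (8, 396)},
    "1.5-2.0": {"M1": (27, 132), "M2": (32, 112), "M3": (29, 142)},
}

# Constructed arrival times (seconds) with t_p = 0.1 s: a legitimate sender bursts three
# packets then waits for the reply; a flooding agent sends every 10 ms without pause.
T_P = 0.1
LEGIT_TIMES = [0.00, 0.01, 0.02, 0.20, 0.21, 0.22, 0.40, 0.41, 0.42]
FLOOD_TIMES = [round(0.01 * i, 2) for i in range(40)]

def run_detection() -> Dict[str, Tuple[float, bool]]:
    """NE and verdict for every interval of Table 2."""
    return {k: (normalized_entropy(v), suspected_attack(v)) for k, v in TABLE_2.items()}

if __name__ == "__main__":
    print("legit:", classify_flow(LEGIT_TIMES, T_P), " flood:", classify_flow(FLOOD_TIMES, T_P))
    for interval, (ne, flagged) in run_detection().items():
        print(f"{interval:>8}: NE = {ne:.2f} -> {'suspected attack' if flagged else 'normal'}")
```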
Fig 5: Effect of DDoS Attack

2.6 DDoS Prevention
To prevent the DDoS attack, if the NE value is less than the threshold (1.1), then simply drop all packets containing the same path for the particular time interval.

Fig 6: Screenshot of packet drop

3. ATTACKER IDENTIFICATION
3.1 Spoofed Attacker Identification
In our approach, there are two ways to identify the attacker.
A. Router Entropy:
1) If there is an attack at the receiver proxy server, it means NE < threshold. Then calculate the entropy for each downstream router to identify the suspected attack flow.
2) Those routers whose NE value is less than the threshold we suspect as attack routers.
3) Further, calculate the NE value for each neighbor router of that attack router until we reach the source of the attack.
B. IP Traceback:
1) If there is an attack, first identify the packets, get their source IP address and mark value, and contact the sender who is sending those packets to the receiver.
2) The intermediate router matches those digest values to its digest table entries and gets the IP address of the particular sender router.
3) This process continues until we reach the source of the attack.

3.2 Actual Attacker Identification
The attackers that we have identified so far are not the actual attackers; they are simple hosts that have been occupied by the attacker in the distributed environment by sending and executing agent software on their systems. To identify the actual attacker, we use IANA and the ISP.

IANA: The Internet Assigned Numbers Authority (IANA) is a department of ICANN responsible for coordinating some of the key elements that keep the Internet running smoothly. Whilst the Internet is renowned for being a worldwide network free from central coordination, there is a technical need for some key parts of the Internet to be globally coordinated, and this coordination role is undertaken by IANA. Specifically, IANA allocates and maintains unique codes and numbering systems that are used in the technical standards ("protocols") that drive the Internet. IANA's various activities can be broadly grouped into three categories:
1) Domain Names: IANA manages the DNS root, the .int and .arpa domains, and an IDN practices resource.
2) Number Resources: IANA coordinates the global pool of IP and AS numbers, providing them to Regional Internet Registries.
3) Protocol Assignments: Internet protocol numbering systems are managed by IANA in conjunction with standards bodies.

Table 3: IANA Table
ISP    Domain Name  Number Resources (IP  AS)  Protocol
ISP 1  A            x.x.x.x   w                S
       B            y.y.y.y   l                T
       C            z.z.z.z   t                U
ISP 2  ----         ----      ----             ----
ISP 3  ----         ----      ----             ----
ISP: It refers to a company that provides Internet services, including personal and business access to the Internet. For a monthly fee, the service provider usually provides a software package, username, password and access phone number. Equipped with a modem, you can then log on to the Internet and browse the World Wide Web and USENET, and send and receive e-mail. For broadband access you typically receive the broadband modem hardware or pay a monthly fee for this equipment that is added to your ISP account billing.

Table 4: ISP Table
IP Address  User name  Pass   Login time/date   Software package  PAC IP
X.X.X.X     ABC        123    2:23AM/1/1/12     P1                X.Y.Z.A
Y.Y.Y.Y     DEF        321    5:22AM/2/1/12     P2                Y.X.Y.A
Z.Z.Z.Z     GHI        136    3:40PM/2/1/12     P3                X.Z.T.A
------      -----      -----  ----------------  --------------    ------
------      -----      -----  ----------------  --------------    ------

To identify the actual attacker, we follow these steps:
1) Get the information from the spoofed attacker related to the agent software, such as that software's installation date and time.
2) Contact the spoofed attacker's ISP and ask about that software's installation date and time; they will provide information about who sent that software.
3) Also, through the spoofed attacker's ISP, we go to IANA and enquire about that particular attacker's IP address.
4) IANA provides information on which ISP that IP belongs to.
5) Finally we reach the attacker's ISP and identify the original attacker.

Fig 7: DDoS Attacker Identification Process
4. CONCLUSION
In this paper we have proposed and simulated a new marking and entropy based approach for sender authentication and DDoS detection. We have also used the concept of IANA and ISP to identify the actual attacker who is sitting behind forged systems. In fact, all the mentioned requirements have to be developed and applied to the current information technology environment. Otherwise, DDoS attacks will remain a perennial threat to information technology.

5. REFERENCES
[1] Yang-Seo Choi, Jin-Tae Oh, Jong-Soo Jang, Jae-Cheol Ryou. Integrated DDoS Attack Defense Infrastructure for Effective Attack Prevention. Information Technology Convergence and Services (ITCS), 2010 2nd International Conference, pages 1-6, 23 September 2010.
[2] Yao Chen, Shantanu Das, Pulak Dhar, Abdulmotaleb El Saddik, and Amiya Nayak. Detecting and Preventing IP-spoofed Distributed DoS Attacks. International Journal of Network Security, Vol. 7, No. 1, pages 70-81, July 2008.
[3] Tao Peng. Defending Against Distributed Denial of Service Attacks. IEEE 2002.
[4] Mopari, I.B.; Pukale, S.G.; Dhore, M.L. Detection and defence against DDoS attack with IP spoofing. Computing, Communication and Networking, 2008. ICCCN 2008. International Conference, pages 1-5, 24 February 2009.
[5] Wei-Tsung Su; Tzu-Chieh Lin; Chun-Yi Wu; Jang-Pong Hsu; Yau-Hwang Kuo. An On-line DDoS Attack Trace back and Mitigation System Based on Network Performance Monitoring. Advanced Communication Technology, 2008. ICACT 2008. 10th International Conference, pages 1467-1472, 22 April 2008.
[6] Arun Raj Kumar, P. and S. Selvakumar. Distributed Denial-of-Service (DDoS) Threat in Collaborative Environment - A Survey on DDoS Attack Tools and Trace back Mechanisms. 2009 IEEE International Advance Computing Conference (IACC 2009), pages 1275-1280, Patiala, India, 6-7 March 2009.
[7] Jie Wang; Phan, R.C.-W.; Whitley, J.N.; Parish, D.J. DDoS attacks traffic and Flash Crowds traffic simulation with a hardware test center platform. Internet Security (WorldCIS), 2011 World Congress on, pages 15-20, 21-23 Feb. 2011.
[8] Jieren Cheng; Jianping Yin; Yun Liu; Zhiping Cai; Chengkun Wu. DDoS Attack Detection Using IP Address Feature Interaction. 2009 International Conference on Intelligent Networking and Collaborative Systems, pages 113-118, 4-6 Nov. 2009.
[9] El Defrawy, K.; Markopoulou, A.; Argyraki, K. Optimal Allocation of Filters against DDoS Attacks. Information Theory and Applications Workshop, 2007, pages 140-149, Jan. 29 2007 - Feb. 2 2007.
[10] Xiang Yang; Lin, Zhongwen. An Analytical Model for DDoS Attacks and Defense. International Multi-Conference on Computing in the Global Information Technology, page 66, Aug. 2006.
[11] Wanlei Zhou. Keynote III: Detection and Traceback of DDoS attacks. 8th IEEE International Conference on Computer and Information Technology, page 3, 8-11 July 2008.
[12] Thing, V.; Sloman, M.; Dulay, N. Network domain entry point/path determination for DDoS attacks. Network Operations and Management Symposium, 2008. NOMS 2008. IEEE, pages 57-64, 7-11 April 2008.
[13] Shui Yu and Wanlei Zhou. Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks. Sixth Annual IEEE International Conference on Pervasive Computing and Communications, pages 566-571, 17-21 March 2008.

ABOUT THE AUTHORS
S. K. Jena was born on 28 April 1954. He received his Ph.D. from the Indian Institute of Technology, Bombay and his M.Tech from the Indian Institute of Technology, Kharagpur. He joined the National Institute of Technology as Professor in the Department of Computer Science and Engineering in 2002. He has more than 70 publications in international journals and conferences. His research areas of interest are Database Engineering, Distributed Computing, Parallel Algorithms, Information Security and Data Compression.
Brajesh Kashyap was born on 15 Jan 1988. He is pursuing his M.Tech in Information Security (CSE) at the National Institute of Technology, Rourkela, and received his B.E. in Computer Science & Engineering from Govt. Engg. College Bilaspur in 2010. He has been selected as a Software Engineer at IBM Pvt. Ltd.