Review of DDoS and Flooding Attacks in MANET

Mohan K Mali 1, Pramod A Jadhav 2
Dept. of Information Technology, Bharati Vidyapeeth Deemed University College of Engineering, Pune-43

Abstract-- Flooding and DDoS (Distributed Denial of Service) attacks are major threats to MANETs because of their ability to create huge amounts of unwanted traffic. Detecting and responding to flooding and DDoS attacks is very difficult in large and complex network environments. In this paper, we introduce a dynamic counter-based broadcast technique for detecting and controlling flooding attacks, an average distance estimation technique for detecting DDoS attacks, and a rate limiting technique for controlling DDoS attacks. The dynamic counter-based technique is proposed to reduce redundant rebroadcasts in order to overcome the broadcast storm problem. The average distance estimation technique detects DDoS attacks by analyzing distance values: the predicted mean distance value is used to define normality, and a mean absolute deviation (MAD)-based deviation model provides the legal scope that separates normality from abnormality.

Keywords - MANET, Flooding attack, DDoS attack, Counter-Based, Broadcast Storm Problem.

I. INTRODUCTION

Broadcasting in MANETs is a fundamental data transmission mechanism in which a source node sends the same packet to all the nodes within its transmission radius, e.g. for the route query process in many routing protocols, for address resolution and for diffusing information to the whole network. Broadcasting in MANETs has been based on flooding, which overwhelms the network with a large number of rebroadcast packets. In flooding, each node receiving a broadcast packet simply re-transmits it to all its neighbors.
The only optimization that can be applied to this approach is that nodes remember packets received during the flooding operation and do not act if they receive repeated copies of the same packet. However, straightforward broadcasting by flooding is usually costly and results in serious transmission redundancy and collisions in the network; such a scenario has often been referred to as the broadcast storm problem [1, 2]. A number of researchers [1, 2] have identified this problem and shown how serious it is through simulations and analysis. They have proposed several schemes to reduce redundant rebroadcasts and differentiate the timing of rebroadcasts to alleviate this problem. We propose a dynamic counter-based technique to reduce redundant rebroadcasts in order to overcome the broadcast storm problem. In the dynamic counter-based technique each individual node can dynamically adjust its counter threshold using neighborhood information to achieve good performance (e.g. high saved broadcasts and high reachability) in MANETs.

All Internet Service Providers (ISPs) face the problem of increasing unwanted traffic. Unwanted traffic is malicious or unproductive traffic that attempts to compromise vulnerable hosts, propagate malware, spread spam, or deny valuable services [6]. It decreases the service quality of networks. Unwanted traffic can be generated by a DDoS attack. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection are used to flood the targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally, to flood the targeted resource with packets.
Today's DDoS detection techniques center on detecting sustained traffic congestion on communication links [7], anomalous changes of traffic attributes [8], [9], or an imbalance between incoming and outgoing traffic volume on routers [10]. Unfortunately, due to complex computation or a weak connection between the selected attributes, the time required to detect DDoS attacks is large and the detection schemes are ineffective. To deal with a DDoS attack we first need to detect it and then control it. There are several DDoS detection and control techniques, but we focus on the average distance estimation technique for detecting DDoS attacks and the rate limiting technique for controlling them.

This paper is organized as follows. In Section II, related flooding and DDoS detection techniques are presented. In Section III, we present the proposed dynamic counter-based broadcast flooding attack detection and control technique, the average distance estimation DDoS attack detection technique and the rate limiting DDoS attack control technique. Finally, Section IV provides a summary of this paper.
II. RELATED WORK

Williams and Camp [3] have classified the broadcast protocols into flooding, probability-based, counter-based and distance-based.

A. Flooding: In flooding each node receiving a broadcast packet simply re-transmits it to all its neighbors. The only optimization that can be applied to this approach is that nodes remember packets received during the flooding operation and do not act if they receive repeated copies of the same packet. However, straightforward broadcasting by flooding is usually costly and results in serious transmission redundancy and collisions in the network; such a scenario has often been referred to as the broadcast storm problem [1, 2]. Its drawbacks are:
Redundant rebroadcasts: When a mobile host decides to rebroadcast a broadcast message to its neighbors, all its neighbors already have the message.
Contention: After a mobile host broadcasts a message, if many of its neighbors decide to rebroadcast the message, these transmissions (which are all from nearby hosts) may severely contend with each other.
Collision: Because of the deficiency of the back-off mechanism, the lack of an RTS/CTS dialogue, and the absence of collision detection (CD), collisions are more likely to occur and cause more damage.

B. Probability-Based: An intuitive way to reduce rebroadcasts is probabilistic rebroadcasting. On receiving a broadcast message for the first time, a host rebroadcasts it with probability P. Clearly, when P = 1, this scheme is equivalent to flooding. Note that to respond to the contention and collision problems a small random delay (a number of slots) should be inserted before rebroadcasting the message, so that the timing of rebroadcasts is differentiated.

C. Counter-based: The counter-based scheme inhibits the rebroadcast if the packet has already been received more than a given number of times. When a host tries to rebroadcast a message, the rebroadcast may be delayed by a busy medium, the back-off procedure, and other queued messages.
There is a chance for the host to hear the same message again and again from other rebroadcasting hosts before it actually starts transmitting the message. Specifically, a counter c is used to keep track of the number of times the broadcast message is received. A counter threshold C is chosen. Whenever c >= C, the rebroadcast is inhibited. The scheme is formally stated below.
S1. Initialize counter c = 1 when a broadcast message msg is heard for the first time. In S2, if msg is heard again, interrupt the waiting and perform S4.
S2. Wait for a random number of slots. Then submit msg for transmission and wait until the transmission actually starts.
S3. The message is on the air. The procedure exits.
S4. Increase c by one. If c < C, resume the interrupted waiting in S2. Otherwise (c = C), proceed to S5.
S5. Cancel the transmission of msg if it was submitted in S2. The host is prohibited from rebroadcasting msg. Then exit.

D. Distance-based: A node rebroadcasts the packet only if the distance between the sender and the receiver is larger than a given threshold. In the previous scheme, a counter is used to decide whether to drop a rebroadcast or not. In this scheme, the relative distance between hosts is used to make the decision: dmin (the smallest distance to a host from which msg has been heard, per S1 and S4) is the metric used to evaluate whether to rebroadcast or not. If dmin is smaller than some distance threshold D, the rebroadcast transmission of the host H is cancelled. The scheme is formally stated below.
S1. When a broadcast message msg is heard for the first time, initialize dmin to the distance to the broadcasting host. If dmin < D, proceed to S5. In S2, if msg is heard again, interrupt the waiting and perform S4.
S2. Wait for a random number of slots. Then submit msg for transmission and wait until the transmission actually starts.
S3. The message is on the air. The procedure exits.
S4. Update dmin if the distance to the host from which msg is heard is smaller. If dmin < D, proceed to S5. Otherwise, resume the interrupted waiting in S2.
S5. Cancel the transmission of msg if it was submitted in S2. The host is inhibited from rebroadcasting msg. Then exit.
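The counter-based scheme S1-S5 above, as an added simulation written for this page (not code from the paper or from [1, 2]). It also lets the threshold C be chosen from the node's degree, which is the density-based adjustment that Section III.A proposes later; the values n1, n2, c1, c2, c3 used here are assumed example settings. The model is deliberately simple: every neighbor hears the first copy in the same slot and draws its own random back-off, and contention and collisions are ignored.

```python
import random


def choose_threshold(degree, n1=3, n2=6, c1=2, c2=3, c3=4):
    """Density-dependent threshold in the style of Section III.A.
    degree < n1 is a low density area (c1), n1..n2 medium (c2), above n2 high (c3).
    The numeric defaults are assumed example settings, not values from the paper."""
    if degree < n1:
        return c1
    if degree <= n2:
        return c2
    return c3


def counter_based_decision(duplicate_slots, wait_slots, threshold):
    """Steps S1-S5 of the counter-based scheme for one host and one message.
    duplicate_slots: slots (counted from the first hearing) at which the same
    message is heard again from other rebroadcasting hosts.
    wait_slots: the random back-off drawn in S2.
    Returns (rebroadcast, final_counter)."""
    c = 1                                    # S1: first copy heard
    for slot in sorted(duplicate_slots):
        if slot >= wait_slots:               # S3: our copy is already on the air
            break
        c += 1                               # S4: another copy heard while waiting
        if c >= threshold:                   # S5: cancel the queued transmission
            return False, c
    return True, c                           # S3: transmission starts


def rebroadcast_rate(degree, threshold, trials=2000, max_wait=16, seed=1):
    """Monte Carlo estimate of the fraction of hosts that still rebroadcast.
    Each of the `degree` neighbours also heard the message and draws its own
    back-off; copies with a shorter back-off than ours are heard while we wait.
    Contention and collisions are ignored (simplifying assumption)."""
    rng = random.Random(seed)
    sent = 0
    for _ in range(trials):
        my_wait = rng.randrange(max_wait)
        heard = [rng.randrange(max_wait) for _ in range(degree)]
        rebroadcast, _ = counter_based_decision(heard, my_wait, threshold)
        sent += rebroadcast
    return sent / trials


if __name__ == "__main__":
    # Fixed threshold C=3 versus the density-adjusted threshold, per node degree.
    for degree in (2, 5, 10):
        fixed = rebroadcast_rate(degree, 3)
        dyn_c = choose_threshold(degree)
        dynamic = rebroadcast_rate(degree, dyn_c)
        print(f"degree={degree:2d}  fixed C=3: {fixed:.2f}  dynamic C={dyn_c}: {dynamic:.2f}")
```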
E. IP Attributes-based DDoS Detection: Anomalies in the mobile network can be found by considering deviations in a number of IP attributes, e.g. the source IP address [8], the TTL [9], and combinations of multiple attributes [12]. The TTL is used by Jung et al. for the analysis of Internet website load performance [13]. A DDoS attack usually creates network congestion and changes the statistical distribution of the TTL attribute in traffic. Based on this idea, Talpade et al. [9] propose a TTL-based statistical model to detect anomalies created by DDoS attacks. Unfortunately, the performance is not satisfactory because changes in the final TTL value cannot directly reflect the anomalous changes in the traffic topology. In our distance-based technique, we use the TTL to compute a distance value instead. In [12], Kim et al. construct a baseline profile on a number of attribute combinations, such as IP protocol type and packet size, source IP prefix and TTL values, as well as server port number and protocol type. However, these combinations cannot improve performance if the combined attributes are not related to the anomalous changes created by the DDoS attacks. Moreover, combining attributes makes the computation more complex and may increase the false positive rate.

F. Traffic Volume-based DDoS Detection: In [14], Gil and Poletto propose a heuristic data structure, MULTOPS (Multi-Level Tree for Online Packet Statistics). They use a multi-level tree that keeps packet rate statistics for subnet prefixes at different aggregation levels. Normal traffic usually has a proportional rate to and from hosts and subnets; therefore, an attack is detected when MULTOPS observes a disproportional rate of traffic. To directly detect anomalies in the traffic rate, Jiang et al. [15] develop an anomaly-tolerant non-stationary traffic prediction technique. A similar idea is used by Lee et al.
[16], except that they use the exponential smoothing technique to predict the traffic rate and the mean absolute deviation (MAD) model to detect anomalous changes of the traffic rate. Unfortunately, they do not get satisfactory results because the exponential smoothing technique is too simple to be applied to the prediction of the complex and dynamic traffic rate. However, some highly accurate techniques are not suitable for real-time traffic volume computation due to their high computational complexity.

III. PROPOSED WORK

A. Dynamic Counter-based broadcast technique: The dynamic counter-based broadcast algorithm is one of the solutions proposed to reduce redundant rebroadcasts in order to alleviate the broadcast storm problem [5]. Counter-based algorithms are simpler and easier to implement than their deterministic counterparts. In most existing counter-based approaches proposed in the literature [1, 2], the threshold at a given node is fixed, which leads to redundant rebroadcasts and poor reachability. To achieve good performance (e.g. high saved broadcasts and high reachability) in MANETs, where the topology changes frequently, the threshold c should be set low at nodes in low density areas and high at nodes in high density areas. So the threshold c at every node must be dynamically adjusted. We have suggested a new counter-based algorithm that can dynamically adjust the threshold value of a node using one-hop neighborhood information. The information on one-hop neighbors is collected by exchanging short Hello packets and is used to adjust the threshold at a given node.

Dynamic counter-based broadcast algorithm: The algorithm is based on a counter c that is used to keep track of the number of times the broadcast packet is received. A counter threshold is decided based on neighboring information; that is, a low density area has a different threshold than a medium or high density area, and we call these thresholds c1, c2 and c3, respectively.
When c is greater than or equal to the threshold, the rebroadcast is inhibited.

Dynamic counter-based broadcast algorithm. The main broadcast function deals with a specific packet and decides whether to rebroadcast it or not according to neighborhood information:
1 On hearing a broadcast packet m at node X
2 Get the Broadcast ID from the packet; n1 is the minimum number of neighbors and n2 the maximum number of neighbors;
3 Get the degree n of node X (number of neighbors of node X);
4 If n < n1 then
  4.1 low density area
  4.2 Node X has a low degree: the low threshold value (threshold = c1);
5 Else If n >= n1 and n <= n2 then
  5.1 medium density area
  5.2 Node X has a medium degree: the medium threshold value (threshold = c2);
6 Else If n > n2 then
  6.1 high density area
  6.2 Node X has a high degree: the high threshold value (threshold = c3);
7 End if
8 c = 1
9 While (not hearing a message) Do
  9.1 Wait for a random number of slots.
  9.2 Submit the packet for transmission and wait until the transmission actually starts
10 End while
11 Increment c
12 If (c < threshold)
  12.1 Goto step 9
13 Else
  13.1 exit algorithm
14 End if
End

B. The average distance estimation DDoS detection technique: The average distance estimation DDoS detection technique detects anomalous changes of the mean distance value based on the exponential smoothing estimation technique [11]. The distance value is the number of hops required for a packet to reach the destination from the source; it can be derived from the TTL value of the IP header. The exponential smoothing estimation technique predicts the mean distance value and the mean absolute deviation (MAD) value for the next time interval. Therefore, we can provide a clear scope for a legal value at the next time interval, and any value outside the legal scope is regarded as anomalous. The MAD-based deviation prediction model defines the scope of normality used to detect anomalous changes of the mean distance value and of the traffic arrival rate. Central to this technique is the computation of the distance.

1) Computing Distance: The distance is calculated from the TTL field of the IP header. During transit, each intermediate router decrements the TTL value of an IP packet by one. Therefore, the distance of the packet is the initial TTL value minus the final TTL value. The challenge in the distance calculation is how the victim derives the initial TTL value from the final TTL value. Fortunately, most operating systems use only a few selected initial TTL values: 30, 32, 60, 64, 128 and 255, according to [17]. Most Internet hosts can be reached within 30 hops.
Therefore, the initial value can be determined by choosing the smallest of all the possible initial values that is larger than the final TTL value. For example, if the final TTL value is 100, the initial TTL value is 128, the smaller of the two candidates 128 and 255.

2) Estimating Mean Distance: The detection of anomalies relies on the description of normality and deviation. The exponential smoothing estimation model predicts the mean value of distance $d_{t+1}$ at time $t+1$ using the following equation:

$d_{t+1} = d_t + w\,(M_t - d_t)$

Here, $d_t$ is the distance value at time $t$ predicted at time $t-1$, $M_t$ is the measured distance value at time $t$, $w$ is a smoothing gain, and $M_t - d_t$ is the error in that prediction at time $t$.

3) Estimating Deviation: To determine whether the current distance value is abnormal or not, the mean absolute deviation (MAD) can be utilized:

$\mathrm{MAD} = \frac{1}{n}\sum_{t=1}^{n} |e_t|$

where $n$ is the number of all past errors and $e_t$ is the prediction error at time $t$. However, it is not realistic to maintain all the past errors. Therefore, we use the exponential smoothing technique to calculate the MAD based on the following approximation:

$\mathrm{MAD}_t = r\,|e_t| + (1 - r)\,\mathrm{MAD}_{t-1}$

where $\mathrm{MAD}_t$ is the MAD value at time $t$ and $r$ is a smoothing gain. Based on the predicted distance value $d_{t+1}$, $\mathrm{MAD}_t$, and the user input option $thr$, the legal scope of the real distance value at the next moment is defined as follows:

$d_{t+1} - thr \cdot \mathrm{MAD}_t \le M_{t+1} \le d_{t+1} + thr \cdot \mathrm{MAD}_t$

where $thr$ is an adjustable threshold parameter that defines the scope of the distance values. If the real value at the next moment is out of the legal scope, an anomaly situation is detected.
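The distance computation and the MAD-based legal scope of Section III.B, as an added worked example written for this page (not code from the paper or from [11]). It infers the initial TTL from the default values the paper cites, feeds per-interval mean distances into the exponential smoothing predictor, and flags intervals that fall outside $d_{t+1} \pm thr \cdot \mathrm{MAD}_t$. The gains w, r, thr, the starting values and the interval series are constructed sample values, and the choice not to update the baseline during a flagged interval is this example's own.

```python
# Initial TTL values the paper cites from [17]; most hosts are within 30 hops.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_initial_ttl(final_ttl):
    """Smallest common initial TTL that is larger than the observed final TTL."""
    for initial in INITIAL_TTLS:
        if initial > final_ttl:
            return initial
    raise ValueError(f"final TTL {final_ttl} is not below any known initial TTL")


def hop_distance(final_ttl):
    """Hops travelled = initial TTL minus final TTL (each router decrements by one)."""
    return infer_initial_ttl(final_ttl) - final_ttl


def mean_distance(final_ttls):
    """Mean hop distance M_t over the packets observed in one interval."""
    return sum(hop_distance(t) for t in final_ttls) / len(final_ttls)


class DistanceMonitor:
    """Exponential smoothing predictor of the mean distance with a MAD legal scope:
    d_{t+1} = d_t + w (M_t - d_t),  MAD_t = r |e_t| + (1 - r) MAD_{t-1},
    legal scope for M_{t+1}:  d_{t+1} - thr MAD_t .. d_{t+1} + thr MAD_t."""

    def __init__(self, d0, mad0, w=0.3, r=0.3, thr=3.0):
        self.d = d0            # predicted mean distance for the coming interval
        self.mad = mad0        # current MAD estimate
        self.w, self.r, self.thr = w, r, thr

    def legal_scope(self):
        return self.d - self.thr * self.mad, self.d + self.thr * self.mad

    def observe(self, measured):
        """Check the measured mean distance M_t against the scope predicted for it,
        then update the prediction and the MAD. Returns True when M_t is anomalous.
        Design choice of this example (not from the paper): a flagged interval does
        not update the baseline, so attack traffic cannot drag the predicted mean."""
        lo, hi = self.legal_scope()
        if measured < lo or measured > hi:
            return True
        e = measured - self.d                                  # prediction error e_t
        self.d = self.d + self.w * e                           # d_{t+1}
        self.mad = self.r * abs(e) + (1 - self.r) * self.mad   # MAD_t
        return False


def flag_intervals(series, d0, mad0, **params):
    """Indices of intervals whose mean distance lies outside the legal scope."""
    monitor = DistanceMonitor(d0, mad0, **params)
    return [i for i, m in enumerate(series) if monitor.observe(m)]


if __name__ == "__main__":
    # Constructed sample: mean distances hover near 12 hops, then shift sharply for
    # two intervals, as a sudden influx of traffic from unusual paths would cause.
    SAMPLE = [12.5, 11.8, 12.2, 11.9, 12.4, 19.0, 20.5, 12.1]
    print("final TTL 100 -> initial", infer_initial_ttl(100), "distance", hop_distance(100))
    print("flagged intervals:", flag_intervals(SAMPLE, d0=12.0, mad0=1.0))
```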
C. Rate limiting DDoS control technique: To drop attack packets selectively, a distance-based attack traffic rate limit control is triggered in the source-end edge network after it receives an alert message from the defense system of the victim-end edge network.

DDoS Defense Framework: The current network systems can simply be divided into two domains.
Core network: It consists of high speed core routers and is responsible for transmitting traffic among multiple edge networks.
Edge network: It is connected to a core network through edge routers. An edge network represents a single customer network.
As shown in Fig. 1, the DDoS defense system is deployed in each edge router of the protected network. While distributed denial of service (DDoS) attack traffic is being transmitted across the network towards the victim, the defense system in the victim-end edge network can easily detect the attack, because attack traffic creates a larger set of anomalies at the victim end than at the source ends. However, it is impossible for the defense system in the victim-end edge network to react to the attacks when they are heavy. Therefore, a second line of defense is proposed in the source-end edge networks to react to the attacks. In this defense framework, the detection of DDoS attacks happens at the edge routers.

Fig 1. DDoS Defense Framework

IV. CONCLUSIONS

In this paper, we introduce techniques for detecting and controlling flooding and DDoS attacks in MANETs: the dynamic counter-based broadcast technique for detecting and controlling flooding attacks, the average distance estimation technique for detecting DDoS attacks and the rate limiting technique for controlling DDoS attacks. The dynamic counter-based broadcast technique enables a given node to dynamically adjust its counter-based threshold value depending on whether it is located in a low, medium or high density area.
The average distance estimation DDoS detection technique uses a simple but effective exponential smoothing technique to predict the mean value of distance in the next time period. The rate limiting DDoS control technique exponentially decreases the traffic sending rate from the source-end routers.

REFERENCES

[1] S.-Y. Ni, Y.-C. Tseng, Y.-S. Chen and J.-P. Sheu. The broadcast storm problem in a mobile ad hoc network. Proceedings of ACM/IEEE Mobicom 99, pages 5-162, August 1999.
[2] S.-Y. Ni, Y.-C. Tseng, Y.-S. Chen, and J.-P. Sheu. The broadcast storm problem in a mobile ad hoc network. Wireless Networks, volume 8 (2), pages 153-167, 2002.
[3] B. Williams and T. Camp. Comparison of broadcasting techniques for mobile ad-hoc networks. Pages 194-205, 2002.
[4] M. Bani Yassein, A. Al-Dubai, M. Ould Khaoua and Omer M. Aljarrah. New adaptive counter based broadcast using neighborhood information in MANETS. IEEE Conference on Parallel and Distributed Processing, pages 1-7, May 2009.
[5] Y.-C. Tseng, S.-Y. Ni, and En-Yu Shih. Adaptive approaches to relieving broadcast storm in a wireless multihop mobile ad hoc network. IEEE Transactions on Computers, volume 52(5), pages 545-557, May 2003.
[6] K. Xu, Z.-L. Zhang, and S. Bhattacharyya. Reducing unwanted traffic in a backbone network. In Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005, pp. 9-15.
[7] R. Mahajan, S. Floyd, and D. Wetherall. Controlling high-bandwidth flows at the congested router. In Proceedings of the ACM 9th International Conference on Network Protocols (ICNP), 2001, pp. 192-201.
[8] T. Peng, C. Leckie, and R. Kotagiri. Proactively detecting DDoS attacks using source IP address monitoring. In Proceedings of the Third International IFIP-TC6 Networking Conference, 2004, pp. 771-782.
[9] R. R. Talpade, G. Kim, and S. Khurana. NOMAD: traffic-based network monitoring framework for anomaly detection. In the Fourth IEEE Symposium on Computers and Communications, 1999, pp. 442-451.
[10] G. Carl, G. Kesidis, R. Brooks, and S. Rai. Denial-of-service attack detection techniques. IEEE Internet Computing, vol. 10, no. 1, January 2006, pp. 82-89.
[11] Yonghua You, M. Zulkernine, and A. Haque. Detecting flooding-based DDoS attacks. IEEE International Conference on Communications 2007 (ICC '07), June 2007, pages 1229-1234.
[12] Y. Kim, J.-Y. Jo, and K. K. Suh. Baseline profile stability for network anomaly detection. In Proceedings of the 3rd International Conference on Information Technology: New Generations, 2006, pp. 720-725.
[13] J. Jung, A. Berger, and H. Balakrishnan. Modeling TTL-based Internet caches. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, 2003, pp. 417-426.
[14] T. Gil and M. Poletto. MULTOPS: a data-structure for bandwidth attack detection. In Proceedings of the 10th USENIX Security Symposium, 2001, pp. 23-38.
[15] J. Jiang and S. Papavassiliou. Detecting network attacks in the Internet via statistical network traffic normality prediction. Journal of Network and Systems Management, vol. 12, no. 1, 2004, pp. 51-72.
[16] S. Lee, H. Kim, J. Na, and J. Jang. Abnormal traffic detection and its implementation. Advanced Communication Technology, vol. 1, February 2005, pp. 246-250.
[17] The Swiss Education and Research Network. Default TTL values in TCP/IP. Available at http://secfr.nerim.net/docs/fingerprint/en/ttldefault.html, 2002.
[18] C.-K. Toh. Ad hoc mobile wireless networks, protocols and systems. Prentice-H