Software Puzzle Counterstrike for Denial of Service Attack



Similar documents
Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

International Journal of Emerging Technologies in Computational and Applied Sciences (IJETCAS)

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks

A Novel Packet Marketing Method in DDoS Attack Detection

MITIGATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS BY USING SOFTWARE PUZZLE

An Efficient Filter for Denial-of-Service Bandwidth Attacks

Single Sign-On Secure Authentication Password Mechanism

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

CS 356 Lecture 16 Denial of Service. Spring 2013

MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

Taming IP Packet Flooding Attacks

Distributed Denial of Service

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Mathematical Model of System of Protection of Computer Networks against Attacks DOS/DDOS

Secure Authentication of Distributed Networks by Single Sign-On Mechanism

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Proceedings of the UGC Sponsored National Conference on Advanced Networking and Applications, 27 th March 2015

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Wireless Sensor Networks Chapter 14: Security in WSNs

Signature Amortization Technique for Authenticating Delay Sensitive Stream

Analysis on Secure Data sharing using ELGamal s Cryptosystem in Cloud

Packet-Marking Scheme for DDoS Attack Prevention

ptcp: A Client Puzzle Protocol For Defending Against Resource Exhaustion Denial of Service Attacks

CS 758: Cryptography / Network Security

Client Server Registration Protocol

Journal of Electronic Banking Systems

Development of enhanced Third party Auditing Scheme for Secure Cloud Storage

CS5008: Internet Computing

Secure Software Programming and Vulnerability Analysis

Distributed Denial of Service Attacks & Defenses

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

CRYPTOGRAPHY AND NETWORK SECURITY

Analysis of Automated Model against DDoS Attacks

CRYPTOGRAPHY IN NETWORK SECURITY

Chapter 1: Introduction

Thwarting Selective Insider Jamming Attacks in Wireless Network by Delaying Real Time Packet Classification

DENIAL OF SERVICE IN WIRELESS SENSOR NETWORKS: ISSUES AND CHALLENGES

Chapter 10. Network Security

DDoS Overview and Incident Response Guide. July 2014

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

Vulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks

Monitoring Performances of Quality of Service in Cloud with System of Systems

SECURE SIGNATURE BASED CEDAR ROUTING IN MOBILE ADHOC NETWORKS

CRYPTOG NETWORK SECURITY

Capture Resilient ElGamal Signature Protocols

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Implementation of P2P Reputation Management Using Distributed Identities and Decentralized Recommendation Chains

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May ISSN

DoS: Attack and Defense

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

SENSE Security overview 2014

Depth-in-Defense Approach against DDoS

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM

Firewalls and Intrusion Detection

Keywords Cloud Storage, Error Identification, Partitioning, Cloud Storage Integrity Checking, Digital Signature Extraction, Encryption, Decryption

DATA SECURITY IN CLOUD USING ADVANCED SECURE DE-DUPLICATION

Secure Large-Scale Bingo

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING

Split Based Encryption in Secure File Transfer

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

SCTP-Sec: A secure Transmission Control Protocol

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

Forensics Tracking for IP Spoofers Using Path Backscatter Messages

Security vulnerabilities in the Internet and possible solutions

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Protecting Privacy Secure Mechanism for Data Reporting In Wireless Sensor Networks

Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card

SECURITY FLAWS IN INTERNET VOTING SYSTEM

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

One Time Password Generation for Multifactor Authentication using Graphical Password

Cloud SQL Security. Swati Srivastava 1 and Meenu 2. Engineering College., Gorakhpur, U.P. Gorakhpur, U.P. Abstract

Transcription:

Software Puzzle Counterstrike for Denial of Service Attack Deepu. S. D, Dr. Ramakrishna. M.V 4th Sem M.Tech Student, Department of ISE, SJBIT, Bangalore, India Professor, Department of ISE, SJBIT, Bangalore, India ABSTRACT: This paper reports on a project in which we propose a software puzzle scheme to deal with Denial of Service (DoS) attacks of certain types. When a client request comes in, the server generates a software puzzle for the client to solve. The algorithm is such that an attacker is unable to solve the puzzle in time. This approach looks promising based on the results presented and thus this paper is addressing the issue of network security. KEYWORDS: Denial of Service attack, software puzzle, client puzzle, GPU programming. I. INTRODUCTION A Denial of Service (DoS) attack does not steal or damage the server but blocks or prevents access to the server or website. Such DoS attacks target the network bandwidth or connectivity. Such attacks floods the network degrading the service provided to a genuine user who is not able to send or receive response from server. The attacker consumes most or all of the resources of the computer and operating system. A counterstrike is an action or process that prevents or mitigates the effects of the attack. In this paper we report on a project we have implemented based on the ideas of Yongdong Wu, Zhigang Zhao [13] where a software puzzle based counterstrike is used to deal with DoS attacks. There are basically three Types of DOS attacks: Smurf, UDP flood and SYN flood attacks. Despite the significant varieties of attacks there is a common objective amongst all types of DoS attacks. The attackers aim to exhaust the resources of the system that includes cpu cycles, memory, disk space and network bandwidth. The attackers generate too many requests which is feasible since they pay very little or nothing to request a service. Often their cost is only of sending the request on the network. However the attack can vary significantly in many aspects including the target and protocol layer of the network, distribution of attack sources, the strategy employed and the impact. In this paper we propose cryptographic puzzles as a counterstroke on the attackers which brings a better balance to the computational load of the client and server. In a cryptographic puzzle scheme, a client is required to solve a cryptographic puzzle and submit the puzzle solution as proof of work before the server commits substantial resources to its request. The malicious client that does not follow the rules of the puzzle scheme. Requires moderate amount of cryptographic operations from the solver, and the amount of work required is guaranteed by the security of both the puzzle construction method and the cryptographic algorithm used. In most puzzle schemes, each puzzle requires an approximately fixed number of cryptographic operations, such as hashing, modular multiplication, or modular exponentiation, to compute the puzzle solution. Thus, the more an attacker wants to overwhelm the server, the more puzzles she has to compute, consequently the more computational resources of her own she needs to consume. The construction and verification of the puzzle are designed to be very efficient to avoid DoS on the puzzle scheme itself. II. RELATED WORK Christos et.al presents a structural approach to the DDoS problem by developing a classification of DDoS attacks and DDoS defence mechanisms [1]. Furthermore, important features of each attack and defense system category are described and advantages and disadvantages of each proposed scheme are outlined. The goal of the paper is to give some order into the existing attack and defense mechanisms, so that a better understanding of DDoS attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed. Copyright to IJIRCCE DOI: 10.15680/IJIRCCE.2016. 0404315 8061

Jeff Green et.al examines various such schemes in view of GPU-based attacks and identifies characteristics that allow defense mechanisms to withstand attacks[2]. In particular, they demonstrate hash-reversal schemes which adapt solely on server load are ineffective under attack by GPU utilizing adversaries; whereas, hash reversal schemes which adapt based on client behavior are effective even under GPU based attacks. Yves Igor et.al introduces a novel scheme for client puzzles which relies on the computation of square roots modulo a prime[3]. Modular square root puzzles are non-parallelizable, i.e., the solution cannot be obtained faster than scheduled by distributing the puzzle to multiple machines or CPU cores, and they can be employed both interactively and non-interactively. There puzzles provide polynomial granularity and compact solution and verification functions. Benchmark results demonstrate the feasibility of our approach to mitigate DoS attacks on hosts in 1 or even 10 GBit networks. In addition, they also show how to raise the efficiency of our puzzle scheme by introducing a bandwidthbased cost factor for the client. Qiang Tang et.al have proposed such a security model and formally define two properties, namely the determinable difficulty property and the parallel computation resistance property[4]. III. PROPOSED SYSTEM We are proposing puzzle based scheme for DOS defense. In our proposed system, before engaging in any resource consuming operations, the server first generates a key to the client and a puzzle and then sends its description to the client that is requesting service from the server. The client has to solve the puzzle and send the result back to the server. The server continues with processing the request of the client, only if the client s response to the puzzle is correct. A. Key Generation: When a client request service from the server initially server creates a key to the client using two different keys one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. B. Puzzle seeds Generation: The puzzle seeds are a sequence of pseudo-random numbers generated by a server, which periodically releases a new seed to the overlay network. Also server estimates the time required to solve to the puzzle i.e., time lock puzzle. Requested client as to solve the puzzle within the estimated time. C. Generating and solving puzzles. After receiving the latest puzzle seed s, the client picks a random puzzle and tries to solve it. At this time sever generates encryption for this sequence and use it as puzzle. D. Encryption using AES: Cryptography is the art of implementing science for providing information and communication security. Cryptography produces secret codes for enabling the security for the data through communicating through an insecure channel. It protects the information from unauthorized parties by preventing unauthorized alteration of use. The encryption process consists of the combination of various classical techniques such as substitution, rearrangement and transformation encoding techniques. The encryption and decryption modules include the Key Expansion module which generates Key for all iterations. The modifications include the addition of an arithmetic operation and a route transposition cipher in the attacks iterative rounds. The Key expansion module is extended to double the number of iterative processing rounds in order to increase its immunity against unauthorized attacks E. Puzzle verification. Upon receiving a connection setup request with a puzzle solution, an overlay node first verifies that the puzzle seed s contained in the request packet is one that has been recently released by the server. Server verifies the result generated whether it is correct and decrypted within the time estimated.if so secure communication is established. F. Finding Attacker Node: Initially the key is generated only to the valid clients, and the puzzles must be solved within the estimated time. Using these two parameters we can find malicious client. Copyright to IJIRCCE DOI: 10.15680/IJIRCCE.2016. 0404315 8062

IV. RESULTS In this section explains the output of our proposed system. Figure 2(a) shows the key distribution from server node to all client nodes. (b) Shows the request passing from client node to the server node for establishing communication. In Figure 2(c) Server node passing the puzzle to the requested client node. In Figure 2(d) Puzzles are solved by the client and sent back to the sever. Same is repeated from client2 & results are cross checked by the server.puzzles received from client1 and clent2 was correct and received within the time. Puzzle received from client 3 was time out and key is not distributed, so client 3 is attacker node. This is showed in figure4. Figure 1: Proposed Architecture. (a) (b) Copyright to IJIRCCE DOI: 10.15680/IJIRCCE.2016. 0404315 8063

(c) (d) Figure 2: (a) Key Distribution (b) Client Request (c) Puzzle Request (d) Solved Puzzle Figure 3: (a) & (b) shows the authenticated clients (c) attacker node V. CONCLUSION We have presented the results of our project which aims to defend a server against Denial-of-Service attacks using a technique based on client puzzles. We developed a new model for puzzle distribution using a robust service and solutions to the puzzles allow clients to access communication channels. Here we also generate the key only for the valid clients and clients must solve the puzzle within the estimated time. Using these two we can find the spoofing node. This is shown by our experimental results. REFERENCES 1) Christos Douligeris, DDoS attacks and defense mechanisms: classification and state-of-the-art, Department of Informatics, University of Piraeus, 80 Karaoli and Dimitriou Str, Piraeus 18534, 13 October 2003. 2) Jeff Green, Joshua Juen, Omid Fatemieh, Ravinder Shankesi, Dong Jin, Carl A. Gunter, Reconstructing Hash Reversal-Based Proof of Work Schemes University of Illinois at Urbana-Champaign 3) Yves Igor Jerschow Martin Mauve, Non-Parallelizable and Non-Interactive Client Puzzles from Modular Square Roots, Institute of Computer Science, Heinrich Heine University, D usseldorf, Germany. 4) Kaiser and W.-C. Feng, mod_kapow: Mitigating DoS with transparent proof-of-work, in Proc. ACM CoNEXT Conf., pp. 7,2007. 5) Qiang Tang* and Arjan Jeckmans, Towards a security model for computational puzzle schemes, International Journal of Computer Mathematics Vol. 88, No.11,pp. 2246 2257, July 2011. 6) S Savage, D. Wetherall, A. Karlin, and T. Anderson, Practical network support for IP traceback. In ACM SIGCOMM 2000, pp. 295 306, 2000. 7) C.-P. Schnorr and M. Jakobsson, Security of discrete log cryptosystems in the random oracle and generic model. In The Mathematics of Public-Key Cryptography. The Fields Institute, 1999. 8) IP Security Protocol Charter. Web site at http://www.ietf.org/html.charters/ipsec-charter.html. D. X. Song and A. Perrig, Advanced and authenticated marking schemes for IP traceback. In IEEE INFOCOM, pp. 878 886, 2001. 9) R. Stone, CenterTrack: An IP overlay network for tracking DoS floods. In USENIX Security 00, 2000. Copyright to IJIRCCE DOI: 10.15680/IJIRCCE.2016. 0404315 8064

10) L. von Ahn, M. Blum, N.J. Hopper, and J. Langford, CAPTCHA: Using hard AI problems for security. In E. Biham, editor, Eurocrypt 03, pp. 294 311., 2003. 11) X. Wang and M. K. Reiter, Defending against denial-of-service attacks with puzzle auctions, In IEEE Symposium on Security and Privacy, pp. 78 92, 2003. 12) A. Yaar, A. Perrig, and D. Song, Pi: A path identification mechanism to defend against DDoS attacks. In IEEE Symposium on Security and Privacy,pp.93 109,2003. 13) Yongdong Wu, Zhigang Zhao, Feng Bao, and Robert H. Deng, Software puzzle: A Countermeasure to Resource-Inflated Denial-of-Service Attacks, IEEE transaction on information forensics and security, vol. 10. no. 1, January 2015. Copyright to IJIRCCE DOI: 10.15680/IJIRCCE.2016. 0404315 8065

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information