ATTACK PATTERNS FOR DETECTING AND PREVENTING DDOS AND REPLAY ATTACKS



A. MADHURI, Department of Computer Science Engineering, PVP Siddhartha Institute of Technology, Vijayawada, Andhra Pradesh, India.
A. RAMANA LAKSHMI, Associate Professor, Department of Computer Science Engineering, PVP Siddhartha Institute of Technology, Vijayawada, Andhra Pradesh, India.

Abstract

In this paper we discuss methods for detecting and preventing DDoS attacks and replay attacks, which have been posing problems for the Internet. We explain a scheme, AMFDR (Attack Patterns for Marking and Filtering DoS and Replay attacks), that distinguishes attack packets from the packets sent by legitimate users and filters the attack packets out. A denial of service attack is generally launched to make a service unavailable even to an unauthorized user. If this attack uses many computers across the world, it is called a distributed denial of service attack. A replay attack is the retransmission of a data transmission, used to gain authentication in a fraudulent manner. These replayed packets, or attack packets, are identified. The scheme is inexpensive and its implementation needs minimal interaction with routers. It works like a firewall, so that the occurrence of an attack is recognized quickly and punitive action is taken without any loss of genuine packets.

Key words: attack patterns, denial of service attacks, replay attacks.

1. INTRODUCTION

Nowadays the Internet is part of day-to-day life, since it offers many essential services in business, commercial and household applications. Internet usage has grown, and the number of users and systems in use has grown in the same ratio, from millions to billions. This gives rise to the need to secure the information of Internet users. Any malicious user can exploit design weaknesses of the Internet to create havoc in its operation.
An interruption of a service provided over the Internet inconveniences its users. DDoS attacks and replay attacks are such interrupting activities. In a DDoS attack, the attacker floods a huge number of packets at a weak, vulnerable host, which degrades the service provided over the Internet. The attack saturates the target (victim) machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. IP address spoofing disguises the attack flow with spoofed source addresses: to gain unauthorized access to computers, a hacker must first find the IP address of a trusted host; once this information is obtained, the hacker can use it to make the recipient think that the hacker is the trusted sender. A replay attack is a form of network attack in which a data transmission is maliciously or fraudulently repeated or delayed. The overwhelming, disruptive effects of denial of service attacks and replay attacks have led researchers to propose mechanisms to handle them. Recognizing the details of the attack, and of the attacker, is therefore unavoidable if further attacks are to be prevented. In this paper we present and analyze the Marking and Filtering in DDoS Attacks and Replay Attacks (AMFDR) scheme, and also analyze the attacker's view by using attack patterns.

ISSN: 0975-5462 4850

Fig 1.

2. What are Attack Patterns?

Attack patterns are descriptions of common methods for exploiting software. They derive from the concept of design patterns. Attack patterns help identify and qualify the risk that a given exploit will occur in a software system. An attack pattern is the product of identifying the attacker's view: it gives information about the type of attack, the prerequisites of the attack, the weakness it exploits, the knowledge required to perform it, and everything else known about the attack that has happened in the network. These patterns are used to identify the attack and also its type.

2.1 How attack patterns are useful

These patterns give descriptive information about the attack. The following attack pattern is an example for a denial of service attack and a replay attack.

Pattern name and classification: Denial of Service and Replay attack
Attack prerequisites: An application in which security is required for the information. The attack is maximally effective if the secret information is replayed.
Description: The attacker captures and retransmits data, and the data, in the form of packets, is flooded to the victim.
Related vulnerabilities or weaknesses: CWE - Data Amplification
Method of attack: By maliciously crafting data and sending it to the target over any protocol (e.g., e-mail, HTTP, FTP).
Resources required: No special or extensive resources are required for these attacks.
Attack motivation/consequences: The attacker wants to deny the target access to certain resources.
Context description: Any application that performs online transactions and business operations.
References: Replay attack vulnerabilities, DDoS vulnerabilities.

3. Existing approaches to counter the Replay and DDoS attacks

Countermeasures are classified into three categories: Preventive Methods, Tracking Methods and Reactive Methods.

3.1 Preventive Methods

These methods help systems improve their resistance and thus prevent attacks from entering the system; moreover, they provide high-level security for a computer network. A proactive roaming server scheme comprises several distributed individual servers. It has an active server that roams among the servers using a secure roaming algorithm; only the valid users know the server's roaming time and the new server. These solutions are very expensive, and it is difficult to prevent attacks for real-time applications.

3.2 Tracking Methods

These methods track the sources causing the attacks, so that immediate action can be taken against the victim.

3.2.1 Packet marking method: Packet marking schemes have been proposed for encoding path information inside IP packets as they are routed through the Internet. The idea was first put forward by Savage et al. [21] as probabilistic packet marking (PPM), in which routers insert path information into the Identification field of the IP header of each packet with a certain probability, such that the victim can reconstruct the attack path from these markings and thus track down the sources of the offending packets.

Message trace back method: In this method routers generate ICMP traceback messages for some of the received packets and send them along with those packets. By combining the ICMP packets with their TTL differences, the attack path can be determined. Some factors are considered to evaluate the value of an ICMP message, such as how far the router is from the destination, how quickly the packet is received after the beginning of the attack, and whether the destination wishes to receive it. These tracking measures are designed in such a way that an action is performed only after the attack has taken place.

3.3 Reactive Methods

In these methods the attack is identified and measures are taken to control it, which also reduces its effect. The D-WARD method is designed to be deployed at the source network. It monitors the traffic between the internal network and the outside and looks for communication difficulties by comparing against predefined normal models. A rate limit is imposed on any suspicious outgoing flow according to its offensiveness. The PacketScore scheme estimates the legitimacy of packets and computes scores for them by comparing their attributes with normal traffic. Packets are filtered at attack time based on the score distribution and the congestion level of the victim. The Pushback method generates an attack signature after detecting congestion and applies a rate limit on the corresponding incoming traffic. This information is then propagated to upstream routers, which help to drop such packets, so that the attack flow is pushed back. The success of these methods depends on a clear distinction between valid packets and malicious packets.

Some other approaches to counter replay attacks are:

Digital signatures: A replay attack can be prevented using strong digital signatures that include time stamps and unique information from the previous transaction, such as the value of a constantly incremented sequence number.

Nonces: A nonce is a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. Nonces should be included in the Message Authentication Code (MAC).

4. Effects of AMFDR Scheme

Our scheme detects the attack in time and reacts spontaneously to prevent the depletion of resources at the vulnerable host. It ensures that genuine users' packets are successfully received and that the service to genuine users is not ruined; any degradation in service would indicate partial success for the denial of service attack. Implementation is inexpensive, as the scheme requires minimal participation of third-party networks. For most of the users threatened by DDoS and replay attacks, such cooperation is difficult to obtain and the investment is high.

In this scheme, attack patterns analyze the exploits and the information is captured for each attack pattern. Moreover, the concept of design patterns is applied to real-world exploits, so that these patterns are generated from in-depth analysis.

Marking Process

The packet marking method makes a distinction between genuine packets and attack packets. IP addresses are spoofed so that the attacker can hide his identity. The packet marking method is used to recognize replayed packets and genuine packets: each packet carries a mark, and using that mark the attack packets are recognized. The PPM marking scheme is used for packet marking to trace the sources from which the attack originates. The marking field is part of the header of an IP packet; fragmenting the ID field to insert a mark does not affect the transmission of IP packets.

Generation of the mark in the packet: Routers generate the mark by applying a hash function to their IP address. The hash of a router's IP address generates a random number, which is placed in the ID field of the packet. The attacker can spoof the marking of a packet if he knows the hash function, since it is applied to the router IP address and the IP address of a router is known to all users in the network. To overcome this, some random number is assumed as a key and combined with the hash value of the IP address: an exclusive OR is performed on the key and the hash of the IP address. Packets that pass through the same routers on two different routes would have similar markings; in order to make the marking scheme successful, each router performs a cyclic shift left on the old marking, which generates the new marking for that router.

Filtering Process

Our scheme acts as a protection layer for the router that scans the marking field of each and every replayed packet. Each router has complete information about the route traversed by the packet. The AMFDR scheme proposes five phases in sorting the legitimate packets from the malicious packets. They are the Initial phase, Normal Filtering phase, Marking phase, Detecting phase and Change in Route phase.

Initial Phase: In this phase spoofed packets are identified and the firewall keeps track of the genuine markings. The router gains knowledge of the correct markings of the packets sent from legitimate IP addresses. The filter table contains the IP address and marking fields, which are later used to verify each incoming packet and sort out the spoofed ones. This phase continues until all the entries of the filter table are filled.

Normal Filtering Phase: This phase performs the normal filtering process, i.e., when a packet arrives at the router, the router checks the records in the filter table; if the marking is accurate the packet is accepted, otherwise it is dropped. If a packet with a new IP address appears, it is accepted with probability p and added to the CList (Checking list), which has the same fields as the filter table. For every occurrence of a new IP address, p is decremented according to the packet arrival rate.

Marking Phase: The markings in the CList are verified: random echo messages are sent periodically to the source address of each record in the CList, and a counter is maintained to keep track of the echo messages that have been sent. Imitation of the reply by an attacker is detected by comparing the content of the echo messages in the CList with the content of the replied messages. If the counter in the CList records that more than 10 echo messages have been sent to an IP address, that IP address is deleted from the filter table, since in this situation the source IP must be either inactive or non-existent, so the packets received with that source address are coming from the attacker and need to be rejected.

Detecting Phase: This phase identifies attacks at an early stage by using a counter called the Mismatching counter, which counts the packets that have been mismatched. This includes packets with unknown IP addresses as well as packets with incorrect markings that are not in the filter table. When the mismatch counter value is greater than a threshold, an attack is occurring.

Change in Route Phase: The routes that packets traverse are considered to be stable. If there is a change in route, the marking changes to one that does not exist in the filter table, and the packets would be dropped. To overcome this, an SC counter is used to record the number of mismatching packets. When the SC value reaches a cut-off value, the entry is added to the CList. If the new marking is verified by the CList verification process, the marking for this IP address is updated in the filter table; otherwise the original marking is retained.
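As an added illustration of the marking and filtering process just described (example code written for this page, not the authors' implementation), the following Python model marks a packet along a route of constructed router addresses and runs the Initial, Normal Filtering and Detecting phases against a Spoofed attack. Assumed here: the mark is the 16-bit Identification field, the router hash is SHA-256 truncated to 16 bits, a router combines marks as rotl(old) XOR its own mark, genuine hosts start with a mark of 0, and the detection threshold and the decrement of p are constructed values; the echo-probe (Marking) and Change in Route phases are not modelled.

```python
"""Toy model of the AMFDR marking and filtering process of Section 4.
Added example, not the authors' code; see the comments for what is assumed."""
import hashlib
import random
from dataclasses import dataclass, field

MARK_BITS = 16                  # the IP Identification field is 16 bits wide
MARK_MASK = (1 << MARK_BITS) - 1
KEY = 0x5A3C                    # secret XORed into each router's hash (constructed)
THRESHOLD = 5                   # mismatch count that signals an attack (constructed)
P_STEP = 0.1                    # decrement of p per accepted unknown IP (constructed)


def router_mark(router_ip: str) -> int:
    """Hash of the router's IP (SHA-256, truncated; assumed) XORed with the key."""
    digest = hashlib.sha256(router_ip.encode()).digest()
    return (int.from_bytes(digest[:2], "big") ^ KEY) & MARK_MASK


def rotl(mark: int) -> int:
    """Cyclic shift left by one bit inside the marking field."""
    return ((mark << 1) | (mark >> (MARK_BITS - 1))) & MARK_MASK


def mark_path(route: list, initial_mark: int = 0) -> int:
    """Marking process: each router rotates the old mark and XORs in its own
    (assumed combination), so a fixed route yields one fixed mark for a genuine host."""
    mark = initial_mark & MARK_MASK
    for router_ip in route:
        mark = rotl(mark) ^ router_mark(router_ip)
    return mark


@dataclass
class Firewall:
    """Filter table (IP -> expected mark), CList of unverified new IPs,
    the Mismatching counter and the acceptance probability p for new IPs."""
    filter_table: dict = field(default_factory=dict)
    clist: dict = field(default_factory=dict)
    mismatch: int = 0
    p: float = 1.0
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def learn(self, src_ip: str, mark: int) -> None:
        """Initial phase: record the correct marking of a legitimate source."""
        self.filter_table[src_ip] = mark

    def filter(self, src_ip: str, mark: int) -> str:
        """Normal filtering phase: returns 'accept' or 'drop'."""
        expected = self.filter_table.get(src_ip)
        if expected is not None:
            if mark == expected:
                return "accept"
            self.mismatch += 1          # known IP with a wrong mark: spoofed/replayed
            return "drop"
        self.mismatch += 1              # an unknown IP is also a mismatch
        if self.rng.random() < self.p:  # accepted with probability p, queued in CList
            self.clist.setdefault(src_ip, mark)
            self.p = max(0.0, self.p - P_STEP)
            return "accept"
        return "drop"

    def attack_detected(self) -> bool:
        """Detecting phase: a mismatch count above the threshold means an attack."""
        return self.mismatch > THRESHOLD


def demo() -> dict:
    """Constructed scenario: one genuine host, then a Spoofed attack that reuses
    its IP with random initial marks, then one Randomized-attack packet."""
    route = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]      # constructed router IPs
    fw = Firewall()
    fw.learn("192.0.2.10", mark_path(route))          # initial phase
    genuine = fw.filter("192.0.2.10", mark_path(route))
    rng = random.Random(1)
    dropped = sum(
        fw.filter("192.0.2.10", mark_path(route, rng.randrange(1, MARK_MASK + 1))) == "drop"
        for _ in range(20)
    )
    fw.filter("198.51.100.7", rng.randrange(MARK_MASK + 1))  # unknown source IP
    return {"genuine": genuine, "dropped": dropped,
            "mismatches": fw.mismatch, "detected": fw.attack_detected()}

if __name__ == "__main__":
    print(demo())
```

Because the rotation is a bijection on the field and the router marks only add a constant, a spoofed packet with a non-zero initial mark can never reproduce the genuine host's final mark, which is why every spoofed packet in the demo is dropped.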

In general the AMFDR scheme performs the following tasks: identification and filtering of the replayed or attack packets from legitimate packets by verifying the marking of each packet against the filter table; defensive measures that prevent serious damage and help in detecting the occurrence of the attack; and attack patterns that hold descriptive information about replay and DDoS attacks. Even when the route changes, genuine packets are not dropped, which determines the success of our scheme. The scheme provides marking, filters the replayed or spoofed packets, and also gives a descriptive account of the attacker's view.

Simulation of Internet Traffic

A packet generator process is used to simulate normal Internet traffic; it periodically sends packets from a randomly selected Internet user. Then the packet marking process is simulated by computing the markings for each cooperating router on the route for this particular user. Finally, the marked packet is inserted into a packet queue at the firewall of the victim. Attackers usually have two methods to disguise the source location: spoofing a genuine host's IP address, or inserting a randomly generated IP address into the source address field. We simulated different types of attacks, called the Spoofed attack, Replay attack and Randomized attack respectively. Packets are generated from each attacker to simulate the attack traffic, so the higher the number of attackers, the higher the volume of the attack flow. In the simulation of the Spoofed attack, for each replayed packet one of the legitimate users is randomly selected and its IP address is used as the spoofed value of the source address. The marking field is initially filled with a random value and the marking process is simulated, as before.

5. RESULTS

5.1 Attack Patterns for Replay Attacks

Fig 2

Fig 2 is the source window, which gives the complete details about the path establishment, i.e., source address, destination, type of data transmitted and the routers that are in the path of the packet traversal.

Fig 3 is the destination window, in which the attack has been identified; the attack is repeated to indicate clearly the occurrence of the replay attack. Initially the file file.txt is sent, and the same file.txt is captured and replayed. Fig 4, Fig 5 and Fig 6 give complete knowledge about the routers; if the attack is performed on a router, it is identified by a series of entries in the router table, which also helps to know the adjacent routers in the route of the packet transmission. The attacker spoofs the source address and performs the replay attack.

Fig 3

Fig 4

Fig 5

5.2 Attack Patterns for Denial of Service Attacks

Fig 6

A denial of service attack floods a huge number of packets at the weak, vulnerable host, and this is represented in the results. The source and destination windows show the source IP address and the destination, the routers that are involved in the path, the marking calculated for each packet, the hop count giving the number of hops each packet makes to reach the destination, and the request, which represents the data to be transmitted. Figs 7 and 8 are the source and destination windows for the packets that travel.

Fig 7

Fig 8

Fig 9 is the router window, which gives the packet forwarding information. Fig 10 is also a router window, since the packet traverses two routers, i.e., Router550 and Router543. After the attacker has performed the DDoS attack by flooding packets of the file file.txt to the router, the router table of Router550 shows that the attack has happened, and the destination gives information about the filtering of the legitimate and genuine packets in the last window. Fig 11 is the attacker window, through which he performs the attack on Router550.

Fig 12 is the Router550 window, on which the attack is performed; it is identified by a series of identical entries in the router table. Fig 13 is the destination window, which gives the distinction between legitimate packets and attack packets and also details about the attack.

6. CONCLUSION

In this paper we have proposed a low-cost and efficient scheme called AMFDR for defending against DDoS attacks. The AMFDR scheme is composed of three parts: descriptions of common methods for exploiting software, the marking process and the filtering process. The marking process requires the participation of routers in the Internet to encode path information into packets. We suggest the use of a hash function and a secret key to reduce collisions among packet markings. The scheme also includes mechanisms for identifying and preventing replay and DDoS attacks in a timely manner. Our scheme can effectively and efficiently differentiate between legitimate and genuine packets under replay attack even when the routers' participation rate is low, so the deployment cost of our scheme is very low. Also, most good packets are accepted even under the most severe attack, while the bad packet acceptance ratio is maintained at a low level. Our scheme performs well even under massively distributed DoS attacks and replay attacks involving thousands of attackers. Under both replay attacks and spoofed DDoS attacks, the AMFDR scheme detected the occurrence of the attack precisely within a few seconds. Quick detection is valuable to the victim, so that appropriate actions can be taken to minimize the damage caused by a replay attack.

7. REFERENCES

[1] A. Belenky and N. Ansari, "IP traceback with deterministic packet marking," IEEE Communications Letters, vol. 7, no. 4, pp. 162-164, Apr. 2003.
[2] A. Belenky and N. Ansari, "Tracing multiple attackers with deterministic packet marking (DPM)," in 2003 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM 03), pp. 49-52, Aug. 2003.
[3] S. Bellovin, "ICMP Traceback Messages," Internet draft, work in progress, Mar. 2000.
[5] H. Burch and B. Cheswick, "Tracing anonymous packets to their approximate source," in Proceedings of the 14th Systems Administration Conference (LISA 00), pp. 319-327, Dec. 2000.
[4] Y. Chen, S. Das, P. Dhar, A. E. Saddik, and A. Nayak, "An effective defence mechanism against massively distributed denial of service attacks," in the 9th World Conference on Integrated Design & Process Technology (IDPT 06), San Diego, June 2006.
[5] B. Cheswick and H. Burch, "Internet Mapping Project," http://research.lumeta.com/ches/map/.
[10] Cooperative Association for Internet Data Analysis, "Skitter," 2000. http://www.caida.org/tools/measurement/skitter/
[6] D. Dean, M. Franklin, and A. Stubblefield, "An algebraic approach to IP traceback," in Proceedings of the 2001 Network and Distributed System Security Symposium, pp. 3-12, Feb. 2001.
[7] Internet Systems Consortium, "ISC Domain Survey: Number of Internet Hosts," http://www.isc.org/index.pl?/ops/ds/host-counthistory.php.
[8] Internet World Stats, "Internet User Statistics - The Big Picture: World Internet Users and Population Stats," http://www.internetworldstats.com/stats.htm
[9] J. Ioannidis and S. M. Bellovin, "Implementing pushback: router-based defense against DDoS attacks," in Proceedings of the Network and Distributed System Security Symposium (NDSS 02), pp. 6-8, Feb. 2002.
[10] S. M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, "Proactive server roaming for mitigating denial-of-service attacks," in Proceedings of the 1st International Conference on Information Technology: Research and Education (ITRE 03), pp. 500-504, Aug. 2003.