Chirala Lokesh et.al. 449 www.ijcsmr.org




ETM: a novel Efficient Traceback Method for DDoS Attacks

Chirala Lokesh 1, B. Raveendra Naick 2, G. Nagalakshmi 3
1 M.Tech Student, 2 Asst. Prof, 3 Assoc. Prof
1, 2, 3 Department of CSE, Siddharth Institute of Engineering & Technology, Puttur, Andhrapradesh, India

Abstract

Distributed Denial-of-Service (DDoS) attacks are a serious threat to the Internet. However, the memoryless nature of Internet routing makes it extremely hard to trace back to the sources of these attacks, and as a result there has been no effective and efficient technique to deal with this issue so far. In this paper, we propose a novel efficient traceback technique for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from the commonly used packet marking techniques. Compared with the existing DDoS traceback techniques, the proposed approach possesses a number of advantages: it is memory non-intensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed technique.

Keywords: DDoS, traceback

I. INTRODUCTION

It is an extraordinary challenge to trace back the sources of Distributed Denial-of-Service (DDoS) attacks in the Internet. In DDoS attacks, attackers generate a huge amount of requests to victims through compromised computers (zombies), with the aim of denying normal service or degrading the quality of services. DDoS has been a major threat to the Internet since the year 2000, and a recent survey [1] of the 70 major Internet operators in the world demonstrated that DDoS attacks are increasing dramatically, and that individual attacks are more powerful and sophisticated. Moreover, the survey also found that the peak of 40 gigabit DDoS attacks nearly doubled in 2008 compared with the previous year.

The main reason behind this phenomenon is that the network security community does not have effective and efficient traceback methods to locate attackers, as it is easy for attackers to disguise themselves by taking advantage of the vulnerabilities of the World Wide Web, such as the dynamic, stateless, and anonymous nature of the Internet [2], [3]. IP traceback means the capability of identifying the actual source of any packet sent across the Internet. Because of the vulnerability of the original design of the Internet, we may not be able to find the actual attackers at present. IP traceback schemes are considered successful if they can identify the zombies from which the DDoS attack packets entered the Internet. Research on DDoS detection [4], [5], [6], [7], [8], [9], mitigation [10], [11], [12], and filtering [13], [14], [15], [16], [17], [18] has been conducted extensively, but the efforts on IP traceback are limited. A number of IP traceback approaches have been suggested to identify attackers [19], [20], and there are two major methods for IP traceback, the probabilistic packet marking (PPM) and the deterministic packet marking (DPM). Both of these strategies require routers to inject marks into individual packets. Moreover, the PPM strategy can only operate in a local range of the ISP network, where the defender has the authority to manage. However, this kind of ISP network is usually quite small, and we cannot trace back to the attack sources located outside the ISP network. The DPM strategy requires all the Internet routers to be updated for packet marking. However, with only 25 spare bits available in an IP packet, the scalability of DPM is a huge problem. Moreover, the DPM mechanism poses an extraordinary challenge on storage for packet logging at routers. Therefore, it is infeasible in practice at present. Further, both PPM and DPM are vulnerable to hacking, which is referred to as packet pollution.

IP traceback schemes must be independent of packet pollution and different attack patterns. We found that the similarity of attack flows is much higher than the similarity between legitimate flows, e.g., flash crowds. Entropy rate, the entropy growth rate as the length of a stochastic sequence increases, was employed to find the similarity between two flows on the entropy growth pattern, and relative entropy, an abstract distance between two probability mass distributions, was taken to measure the instant difference between two flows. In this paper, we propose a novel mechanism for IP traceback using information theoretical parameters, and there is no packet marking in the proposed strategy; we, therefore, can avoid the inherent shortcomings of the packet marking mechanisms. We categorize packets that are passing through a router into flows, which are defined by the upstream router where a packet came from, and the destination address of the packet. During non-attack periods, routers are required to observe and record entropy variations of local flows. In this paper, we use the terms flow entropy variation and entropy variation interchangeably. Once a DDoS attack has been identified, the victim initiates the following pushback process to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from based on their local entropy variations that they have monitored. Once the immediate upstream routers have identified the attack flows, they will forward the requests to their immediate upstream routers, respectively, to identify the attacker sources further; this procedure is repeated in a parallel and distributed manner until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied.

II. RELATED WORK

DDoS attacks are targeted at exhausting the victim's resources, such as network bandwidth, computing power, and operating system data structures. To launch a DDoS attack, the attacker(s) first establishes a network of computers that will be used to generate the huge volume of traffic needed to deny services to legitimate users of the victim. To create this attack network, attackers discover vulnerable hosts on the network. Vulnerable hosts are those that are either running no antivirus or out-of-date antivirus software, or those that have not been properly patched. These are exploited by the attackers, who use the vulnerability to gain access to these hosts. The next step for the attacker is to install new programs (known as attack tools) on the compromised hosts of the attack network. The hosts running these attack tools are known as zombies, and they can be used to carry out any attack under the control of the attacker. Numerous zombies together form an army or botnet [3]. There are two categories of DDoS attacks, typical DDoS attacks and Distributed Reflection Denial-of-Service (DRDoS) attacks. In a typical DDoS attack, the master computer instructs the zombies to run the attack tools to send a huge volume of packets to the victim, to exhaust the victim's resources.

Unlike typical DDoS attacks, the army of a DRDoS attack consists of master zombies, slave zombies, and reflectors. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim's IP address as the source IP address to other uninfected machines (known as reflectors), exhorting these machines to connect with the victim. Then the reflectors send the victim a great volume of traffic, as a reply to its request for the opening of a new connection, because they believe that the victim was the host that asked for it. It is obvious that tracking down the attackers (zombies), and further to the hackers, is important in solving the DDoS attack problem. In general, the traceback strategies are based on packet marking. Packet marking techniques include the PPM and the DPM. The PPM strategy tries to mark packets with the router's IP address information by probability on the local router, and the victim can reconstruct the paths that the attack packets went through. The PPM strategy is vulnerable to attackers, as attackers can send spoofed marking information to the victim to mislead the victim. The accuracy of PPM is another problem, since the marks written by the routers that are closer to the leaves (which means far away from the victim) could be overwritten by the downstream routers on the attack tree. At the same time, most of the PPM algorithms suffer from the storage space problem of storing a large amount of marked packets for reconstructing the attack tree. In addition, PPM requires all the Internet routers to be involved in marking. The deterministic packet marking strategy tries to mark the spare space of a packet with the packet's initial router's information, e.g., its IP address. Therefore, the receiver can identify the source location of the packets once it has sufficient information from the marks.
The major problem of DPM is that it involves modifications of the current routing software, and it may require a very large number of marks for packet reconstruction. Snoeren et al. proposed a scheme of logging packets or digests of packets at routers. The packets are digested using a Bloom filter at all the routers. Based on this logged information, the victim can trace back the leaves on an attack tree. The scheme can even trace back a single packet. However, it also places a significant burden on the storage capacity of intermediate routers.

III. SYSTEM MODELING FOR IP TRACEBACK ON ENTROPY VARIATIONS

A. A sample network with DDoS attack

In order to clearly describe our traceback mechanism, we use Fig. 1 as a sample network with DDoS attacks to demonstrate our traceback approach.

Figure 1 A sample network with DDoS attack

In a DDoS attack scenario, as shown in Fig. 1, the flows with the victim as destination include legitimate flows, such as f3, and a combination of attack flows and legitimate flows, such as f1 and f2. Compared with non-attack cases, the volumes of some flows increase significantly in a very short time period in DDoS attack cases. Observers at routers R1, R4, R5, and V will notice the dramatic changes; however, the routers that are not on the attack paths, such as R2 and R3, will not be able to sense the variation. Therefore, once the victim realizes an ongoing attack, it can push back to the LANs which caused the changes, based on the information of flow entropy variations, and therefore we can identify the locations of attackers. The traceback can be done in a parallel and distributed fashion in our proposed scheme. In Fig. 1, based on its information of entropy variations, the victim knows that attackers are somewhere behind router R1, and no attackers are behind router R2. Then the traceback request is delivered to router R1. Similar to the victim, router R1 knows that there are two groups of attackers, one group is behind the link to LAN0 and another group is behind the link to LAN1.

B. System modeling

In this paper, we categorize the packets that are passing through a router into flows. A flow is defined by a pair: the upstream router where the packet came from and the destination address of the packet. Entropy is an information theoretic concept, which is a measure of randomness. We use entropy variation in this paper to measure changes of randomness of flows at a router for a given time interval. We notice that entropy variation is only one of the possible metrics. Chen and Hwang used a statistical feature, change point of flows, to identify the anomaly of DDoS attacks [6]; however, attackers could cheat this feature by increasing attack strength slowly. We can also employ other statistical metrics to measure the randomness, such as standard variation or high-order moments of flows. We choose entropy variation rather than others in this paper because of the low computing workload for entropy variations.

We name the router that we are investigating now as a local router. In the rest of the paper, we use $I$ as the set of positive integers, and $R$ as the set of real numbers. We denote a flow on a local router by $\langle u_i, d_j, t \rangle$, $i, j \in I$, $t \in R$, where $u_i$ is an upstream router of a local router $R_i$, $d_j$ is the destination address of a group of packets that are passing through the local router $R_i$, and $t$ is the current time stamp. For example, the local router $R_i$ in Fig. 2 has two different incoming flows: the ones from the upstream routers $R_j$ and $R_k$, respectively. We name this kind of flows transit flows. Another type of incoming flows of the local router $R_i$ is generated at the local area network; we call these local flows, and we use $L$ to represent the local flows. We name all the incoming flows as input flows, and all the flows leaving router $R_i$ are named output flows. We denote $u_i, i \in I$ as the immediate upstream routers of the local router $R_i$, and set $U$ as the set of incoming flows of router $R_i$. Therefore, $U = \{u_i, i \in I\} \cup \{L\}$. We use a set $D = \{d_i, i \in I\}$ to represent the destinations of the packets that are passing through the local router $R_i$. If $v$ is the victim router, then $v \in D$. Therefore, a flow at a local router can be defined as follows:

We denote $|f_{ij}(u_i, d_j, t)|$ as the count number of packets of the flow $f_{ij}$ at time $t$. For a given time interval $\Delta T$, we define the variation of the number of packets for a given flow as follows:

IV. TRACEBACK MODEL ANALYSIS

In this section, we first compare the proposed model with the existing proposals in order to show the advantages of the proposed mechanism.

A. Comparisons of traceback models

In order to show the advantages of the proposed technique, we compare our proposed model with the representatives of the DPM and PPM algorithms. The constraints and complex situations for the proposed algorithm are the same as those of DPM and PPM, respectively, in the comparisons. It chooses one source (attacker) and one destination randomly from a tier-one ISP made up of roughly 70 backbone routers with links ranging from T1 to OC-3. There are some improvements for DPM by distributing logging information among routers, and for PPM by reducing the probability of sampling, but there are no essential changes, and the improvements are limited compared to our proposed approach.

B. Analysis of Entropy-Variation-Based Traceback Model

For a local router, suppose that the number of flows is $N$, and the probability distribution is $P = \{p_1, p_2, \ldots, p_N\}$. We can simplify the expression of entropy of (4) as follows:

We divide our timeline into two parts for the following analysis: before the DDoS attack and under the DDoS attack. The local router's entropy variation is, therefore, denoted by $H(F)$ and by $H^-(F)$, $H^+(F)$, respectively. Let $\delta$ be a reasonable threshold, $C$ be the mean of $H^-(F)$, and $\sigma$ be the standard deviation of $H^-(F)$. We know that $H^-(F)$ is quite stable for a long time period. We justify our threshold $\delta$ to make the following equation hold with high probability:
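As an added illustration that is not the paper's own code (the paper's algorithms appear only as Figs. 2 and 3), the following Python models the local flow monitoring and the pushback traceback described in Sections III and IV: the entropy H(F) over the flows (u_i, d_j) of a router, the baseline mean C and standard deviation sigma of H^-(F), the attack flag raised when H^+(F) drops below C by more than delta*sigma, and the recursive pushback from the victim to its upstream routers. The six-router topology, the deterministic background traffic, the flood added on the attack flows and the threshold delta = 3 are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed topology (an assumption, not the paper's Fig. 1): each router lists its
# immediate upstream routers u_i; "L" stands for the router's own LAN (its local flows).
UPSTREAM = {"V": ["R1", "R2"], "R1": ["R4", "R5", "L"], "R2": ["R3", "L"],
            "R3": ["L"], "R4": ["L"], "R5": ["L"]}
DESTS = ["V", "d1", "d2"]       # destination addresses d_j seen at every router
VICTIM = "V"
ATTACK_LANS = {"R4", "R5"}      # constructed: the zombies sit in the LANs behind R4 and R5
BASELINE_INTERVALS = 30         # non-attack intervals used to learn C and sigma
DELTA = 3.0                     # threshold delta, in units of sigma (assumed value)

def carries_attack(node):
    """True if attack traffic towards the victim reaches this router from below it."""
    return node in ATTACK_LANS or any(u != "L" and carries_attack(u) for u in UPSTREAM[node])

def flow_counts(router, t):
    """Packet counts |f_ij(u_i, d_j, t)| at a router for interval t. Background traffic
    is a constructed deterministic pattern in [90, 110]; in the attack interval (the one
    after the baseline) a flood is added to the flows that carry zombie traffic to V."""
    counts = Counter()
    flows = [(u, d) for u in UPSTREAM[router] for d in DESTS]
    for k, (u, d) in enumerate(flows):
        counts[(u, d)] = 90 + (3 * t + 5 * k) % 21
        attacking = (u == "L" and router in ATTACK_LANS) or (u != "L" and carries_attack(u))
        if t == BASELINE_INTERVALS and d == VICTIM and attacking:
            counts[(u, d)] += 5000
    return counts

def entropy(counts):
    """Shannon entropy H(F) of the packet-count distribution over the router's flows."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def mean_std(values):
    """Mean C and (population) standard deviation sigma of a series of observations."""
    c = sum(values) / len(values)
    return c, math.sqrt(sum((v - c) ** 2 for v in values) / len(values))

def entropy_drop_detected(router):
    """Local flow monitoring: H^-(F) over the baseline intervals gives C and sigma;
    the attack flag is raised when H^+(F) falls more than delta*sigma below C."""
    c, sigma = mean_std([entropy(flow_counts(router, t)) for t in range(BASELINE_INTERVALS)])
    return c - entropy(flow_counts(router, BASELINE_INTERVALS)) > DELTA * sigma

def suspect_upstreams(router):
    """Pushback step at one router: the upstreams whose flow to the victim grew by more
    than delta*sigma over that flow's own non-attack history are on the attack tree."""
    history = [flow_counts(router, t) for t in range(BASELINE_INTERVALS)]
    now = flow_counts(router, BASELINE_INTERVALS)
    suspects = []
    for u in UPSTREAM[router]:
        c, sigma = mean_std([h[(u, VICTIM)] for h in history])
        if now[(u, VICTIM)] - c > DELTA * sigma:
            suspects.append(u)
    return suspects

def traceback(router=VICTIM):
    """Recursive pushback from the victim: follow suspect upstream routers until the
    suspect flow is a local flow, i.e. the zombies' LAN is directly behind that router."""
    sources = set()
    for u in suspect_upstreams(router):
        if u == "L":
            sources.add(router)
        else:
            sources |= traceback(u)
    return sources

if __name__ == "__main__":
    for r in UPSTREAM:
        print(r, "entropy drop:", entropy_drop_detected(r), "suspects:", suspect_upstreams(r))
    print("zombie LANs found behind routers:", sorted(traceback()))
```

Routers off the attack paths (R2, R3) keep their baseline entropy and are never asked to push back, while V, R1, R4 and R5 see the drop, matching the behaviour described for Fig. 1.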

C. Traceback model algorithm

In this section, we present the related algorithms according to our previous modeling and analysis. There are two algorithms in the proposed traceback suite, the local flow monitoring algorithm and the IP traceback algorithm.

Figure 3 Local flow monitoring algorithm

Figure 2 IP traceback algorithm

V. PERFORMANCE EVALUATION

In this section, we evaluate the effectiveness and efficiency of the proposed entropy-variation-based IP traceback technique. Our first task is to show that the flow entropy variation is stable for non-attack cases, and to find out the thresholds for normal situations; the second task is to reveal the relationship between the drop of flow entropy variation and the increase of attack strength, so that we can identify the threshold for identifying attack sources; we further simulate the whole attack tree for traceback, and evaluate the total traceback time.

Figure 4 Entropy variation against number of flows

Fig. 4 shows the simulation results for the system we proposed.

VI. CONCLUSION

Distributed Denial-of-Service (DDoS) attacks are a serious threat to the Internet. However, the memoryless nature of Internet routing makes it extremely hard to trace back to the sources of these attacks, and as a result there has been no effective and efficient technique to deal with this issue so far. In this paper, we proposed a novel efficient traceback technique for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from the commonly used packet marking techniques. Compared with the existing DDoS traceback techniques, the proposed approach possesses a number of advantages: it is memory non-intensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies were presented to demonstrate the effectiveness and efficiency of the proposed technique.

REFERENCES

[1] IP Flow-Based Technology, Arbor Networks, http://www.arbornetworks.com, 2010.
[2] C. Patrikakis, M. Masikos, and O. Zouraraki, Distributed Denial of Service Attacks, The Internet Protocol J., vol. 7, no. 4, pp. 13-35, 2004.
[3] T. Peng, C. Leckie, and K. Ramamohanarao, Survey of Network Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys, vol. 39, no. 1, p. 3, 2007.
[4] Y. Kim et al., PacketScore: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks, IEEE Trans. Dependable and Secure Computing, vol. 3, no. 2, pp. 141-155, Apr.-June 2006.
[5] H. Wang, C. Jin, and K.G. Shin, Defense against Spoofed IP Traffic Using Hop-Count Filtering, IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 40-53, Feb. 2007.
[6] Y. Chen and K. Hwang, Collaborative Detection and Filtering of Shrew DDoS Attacks Using Spectral Analysis, J. Parallel and Distributed Computing, vol. 66, pp. 1137-1151, 2006.
[7] K. Lu et al., Robust and Efficient Detection of DDoS Attacks for Large-Scale Internet, Computer Networks, vol. 51, no. 9, pp. 5036-5056, 2007.
[8] R.R. Kompella, S. Singh, and G. Varghese, On Scalable Attack Detection in the Network, IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 14-25, Feb. 2007.
[9] P.E. Ayres et al., ALPi: A DDoS Defense System for High-Speed Networks, IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 1864-1876, Oct. 2006.
[10] R. Chen, J. Park, and R. Marchany, A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks, IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 5, pp. 577-588, May 2007.
[11] A. Yaar, A. Perrig, and D. Song, StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense, IEEE J. Selected Areas Comm., vol. 24, no. 10, pp. 1853-1863, Oct. 2006.
[12] A. Bremler-Barr and H. Levy, Spoofing Prevention Method, Proc. IEEE INFOCOM, pp. 536-547, 2005.
[13] J. Xu and W. Lee, Sustaining Availability of Web Services under Distributed Denial of Services Attacks, IEEE Trans. Computers, vol. 52, no. 2, pp. 195-208, Feb. 2003.
[14] W. Feng, E. Kaiser, and A. Luu, Design and Implementation of Network Puzzles, Proc. IEEE INFOCOM, pp. 2372-2382, 2005.
[15] X. Yang, D. Wetherall, and T. Anderson, A DoS-Limiting Network Architecture, Proc. ACM SIGCOMM, pp. 241-252, 2005.
[16] Z. Duan, X. Yuan, and J. Chandrashekar, Controlling IP Spoofing through Interdomain Packet Filters, IEEE Trans. Dependable and Secure Computing, vol. 5, no. 1, pp. 22-36, Jan.-Mar. 2007.
[17] F. Soldo, A. Markopoulou, and K. Argyraki, Optimal Filtering of Source Address Prefixes: Models and Algorithms, Proc. IEEE INFOCOM, 2009.
[18] A. El-Atawy et al., Adaptive Early Packet Filtering for Protecting Firewalls against DoS Attacks, Proc. IEEE INFOCOM, 2009.
[19] T. Baba and S. Matsuda, Tracing Network Attacks to Their Sources, IEEE Internet Computing, vol. 6, no. 2, pp. 20-26, Mar. 2002.
[20] A. Belenky and N. Ansari, On IP Traceback, IEEE Comm. Magazine, pp. 142-153, July 2003.