NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

Iustin PRIESCU, PhD, Titu Maiorescu University, Bucharest
Sebastian NICOLAESCU, PhD, Verizon Business, New York, USA
Rodica NEAGU, MBA, Outpost24, Sweden

Abstract: DDoS attacks are unsophisticated but extremely hard to defend against for publicly available resources such as websites. The attacker directs a surge of traffic at its target, overwhelming the site's servers and making it hard for legitimate users to reach the site. While the early forms of DoS attacks aimed at affecting a large Internet population, and therefore received wide media coverage, over the years a more refined use against a targeted population has been observed. The paper focuses on techniques that can be used to identify and trace DDoS attacks.

Key words: network security, DDoS attack, detection, traceback, CenterTrack

1. Introduction

In denial-of-service attacks, hackers typically use hijacked computers, which often belong to unwitting home users, to flood targeted Web sites or networks with traffic in an effort to shut them down. Today distributed denial of service (DDoS) attacks are causing major problems for conducting online business over the Internet. Recently several schemes have been proposed for preventing some of these attacks, but they suffer from a range of problems: some are impractical and others are not effective against these attacks.

Unfortunately, DDoS attacks are becoming harder to stop. In particular, newer types of attacks often target the Web application layer. Instead of overwhelming a network with packets, attackers can employ a smaller number of specially crafted requests, using HTTP, HTTPS, SMTP, FTP and similar protocols, to produce a denial of service. For example, Slowloris [1], a free tool released in 2009, uses time-delayed HTTP headers to prevent HTTP connections from expiring, until servers simply run out of bandwidth.
The Trustwave Report shows that the frequency of DDoS attacks is increasing [2]. As shown in Figure 1, the attacker infects handlers (reflectors) by means of packets carrying modified (spoofed) source addresses. When the attacker commands the handlers to send a large volume of packets simultaneously, the victim's services are suspended.

Fig. 1 Typical DDoS attack
Because the source addresses are modified (IP spoofing), the packets do not result in TCP connections being retained by the victim. The attacker arranges N zombies to attack the availability of the victim's system and network.

2. Approaches used to track the DDoS attacks

As attacks become more complex and distributed, cooperation and communication between Internet Service Providers (ISPs) is critical in order to contain the attacks more quickly and trace them to their sources more effectively, as shown in Figure 2 [3]. This necessity was the motivation behind the alliance founded in 2005 by a group of 18 global communications service providers and network operators to confront large-scale hacker attacks by using a centralized, automated system for sharing information about attacks [4].

Fig. 2 The evolving threat against data centers

There are mainly two approaches used to track DDoS attacks:
- extended flow information: each network device sends to the destination some identifying information along with the normal flow; the destination recovers this identification information and tries to determine the path to the packet sources;
- tracing back flows: starting from the destination under attack, the sources are determined recursively among the immediate neighbours.

3. Detection and tracking of DDoS attacks

An effective strategy for building defenses against DoS attacks combines several techniques covering the following aspects: prevention, detection, monitoring of the traffic flows or aggregate packets created by DDoS attacks, and attack suppression. In developing techniques and methods for detecting, tracking and countering DDoS attacks, most authors use the following assumptions:
A1. Attackers can send any type of packet
A2. Different attackers can act together
A3. Attackers can know the DoS prevention scheme
A4. Routes between stations are generally stable
A5. Packets may be reordered or lost
A6. Routers can perform intensive computational operations per packet
A7. Routers are not compromised
A8. All routers must participate

Anti-DoS detection and tracking techniques can be divided into the following classes:
3.1 Marking of packets

This class of techniques overwrites one or more fields of the IP packet header in order to keep information about the path followed by each packet from source to destination. The destination uses this information to reconstruct the path and identify the attacker. The efficiency of each technique in this class can be measured by parameters such as: the number of packets needed to reconstruct the path marked by the attacker's traffic, the accuracy of the determined path (the probability that the determined path is the true one), the number of paths that can be determined simultaneously, the resources (space and time complexity) used to compute the path at the destination station, the resources used to compute the marking in each router, and the need for additional information such as the network topology.

The method extends the IP header with a marking field of fixed size holding s records; each router may write into a received packet one record consisting of its IP address and the ingress interface [5]. If the network diameter r exceeds s, collisions occur (the destination station will not hold records of all routers on the route). Knowing s, attackers can hide their identity by choosing a route with r > s. To avoid this, the authors propose that routers write their records non-deterministically, using the following algorithm:

Let p = s / r.
Let (I_n, R_n) be the (interface, IP address) pair of the current router R_n, found at hop n.
Choose a random x such that 0 <= x < 1.
If x < p then mark record i = floor(x * r) with (I_n, R_n) of the current router R_n.

The probability that a packet reaches the destination with the stamp of router R_n intact is

$M = p\,(1 - p/s)^{n-1} = p\,(1 - 1/r)^{n-1}$ (1)

where n - 1 is the number of routers downstream of R_n. The probability that at least one record reaches the destination unmarked by any of the routers on the route is

$P_{nmark} = 1 - \left(1 - (1 - p/s)^{r}\right)^{s} = 1 - \left(1 - (1 - 1/r)^{r}\right)^{s}$

By choosing a small s, the attacker is less likely to be able to submit false information in the marking field, but more packets from the routers neighbouring the attacker are needed to identify the attacker. Consider the example in Figure 3, characterized by the parameters r = 3, s = 2, p = 2/3.

Fig. 3 Example of address coding (Doeppner)

Based on formula (1), the marking frequency of each router (the likelihood that the final packet carries the stamp of that router) is:
- R3: p = 2/3
- R1: p (1 - 1/r) = 4/9
- R0: p (1 - 1/r)^2 = 8/27

From these frequencies the number of packets that must be received to observe the stamp of each router is determined, and by ordering the collected marks by their marking frequency the path along which the attack must be stopped is obtained. This technique has several limitations:
- Packets that include such a marking field would be very similar to IP packets using the Record Route (RR) option. Marked packets are therefore likely to receive the same low-priority handling as any packet carrying IP options.
- The overhead of the marking field is relatively large. For a 64-byte packet and s = 4, 30% of the packet is marking information only.
- There is no clearly defined method for the case of multiple attackers.
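The following Python simulation is an added illustration of the marking step above; it is not code from the paper or from Doeppner et al. It carries packets along the Figure 3 path R0 -> R1 -> R3 with r = 3, s = 2 and p = 2/3, compares the observed stamp frequencies with formula (1), and reconstructs the path at the destination by ordering the stamps by frequency. The interface names and the number of packets are assumptions made for the example.

```python
"""Simulation of the probabilistic router-stamping scheme of Section 3.1.

Constructed example: a fixed path of r routers between attacker and victim,
a marking field of s records in every packet, and marking probability p = s/r.
"""
import random
from collections import Counter
from fractions import Fraction

# Path from the Figure 3 example, attacker side first: R0 -> R1 -> R3 -> victim.
# The interface names are assumptions for illustration.
PATH = [("if0", "R0"), ("if1", "R1"), ("if2", "R3")]


def router_stamp(field, record, p, r, rng):
    """One router's marking step: with probability p overwrite slot floor(x*r).

    Because p = s/r, x < p implies floor(x*r) < s, so the slot index is
    uniform over the s records and each slot is overwritten with probability 1/r.
    """
    x = rng.random()
    if x < p:
        field[int(x * r)] = record


def send_packet(path, s, rng):
    """Carry one packet with an s-slot marking field through every router on the path."""
    r = len(path)
    p = s / r
    field = [None] * s          # empty marking field when the packet leaves the attacker
    for record in path:         # routers act in order, nearest the attacker first
        router_stamp(field, record, p, r, rng)
    return field


def expected_mark_frequencies(path, s):
    """Formula (1): M = p * (1 - p/s)^(n-1) = p * (1 - 1/r)^(n-1),
    where n-1 is the number of routers downstream of the marking router."""
    r = len(path)
    p = Fraction(s, r)
    freqs = {}
    for downstream, (_, router) in enumerate(reversed(path)):
        freqs[router] = p * (1 - Fraction(1, r)) ** downstream
    return freqs


def reconstruct_path(fields):
    """Destination side: count how often each router's stamp survives, then order
    routers by decreasing frequency (the router nearest the victim comes first)."""
    counts = Counter()
    for field in fields:
        for record in field:
            if record is not None:
                counts[record[1]] += 1
    total = len(fields)
    observed = {router: n / total for router, n in counts.items()}
    victim_to_attacker = sorted(observed, key=observed.get, reverse=True)
    return observed, victim_to_attacker


def simulate(path=PATH, s=2, packets=20000, seed=1):
    """Run the whole experiment and return (observed frequencies, reconstructed order)."""
    rng = random.Random(seed)
    fields = [send_packet(path, s, rng) for _ in range(packets)]
    return reconstruct_path(fields)


if __name__ == "__main__":
    expected = expected_mark_frequencies(PATH, 2)
    observed, order = simulate()
    for router in order:
        print(f"{router}: expected {float(expected[router]):.3f}, observed {observed[router]:.3f}")
    print("reconstructed path (victim -> attacker):", " -> ".join(order))
```

The expected frequencies 2/3, 4/9 and 8/27 of the paper are reproduced exactly by expected_mark_frequencies, and the simulated frequencies approach them as the packet count grows; the more distant the router, the more packets are needed before its stamp is seen often enough to be placed correctly.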
3.2 Path control

Path-control approaches were among the first to be proposed. They bring a number of improvements over rewriting the packet header:
- Path-control approaches do not require changes to the semantics of existing fields in the packet header. This is important because rewriting can change the semantics of packets (e.g. [6] shows that using the TOS field in conjunction with the ID field can cause problems with diff_serv). Even proposals that use only the ID field may have problems when packet fragmentation occurs or when IPsec AH is used. It is not clear whether rewriting-based approaches can handle IPv6 packets: the larger addresses may result in higher collision rates or in more complex path-determination algorithms, and IPv6 does not include the ID field.
- Packet-rewriting approaches require high-speed marking functions in routers, since each packet must be marked. It has been shown that the proposed functions are fast enough for existing or emerging terabit routers.
- Packet-rewriting methods are relatively ineffective against attacks that use reflectors, because the marking information is lost at the reflector.

Unlike packet-marking methods, the path-control approach transmits information about DoS attacks in additional packets. These packets should be sent at a rate much lower than the packet traffic handled by the routers. Existing proposals in this category are divided into two classes:
- the ICMP-based approach
- the routing approach

3.3 ICMP Traceback

Bellovin [7] proposed that the routers on the route between attacker and victim help the victim in the process of tracking packets: for each packet it forwards, a router generates, with low probability, a traceback message and sends it to the packet's destination. Using the tracking information in these messages, the victim can associate traceback messages with the DoS packets and determine the path to the attacker from the router addresses carried in the messages.

At the protocol level, a traceback message may include one or two links. Each link can be described by a pair of MAC addresses, IPv4 or IPv6 addresses, or an interface/link identifier. Traceback messages include a time stamp, a portion of the traced packet's contents, the probability and the router ID. Bellovin [7] also recommends an authentication mechanism to prevent the attacker from generating fake traceback messages. Authentication is achieved through an authentication field in the traceback message that includes a key identifier, a time stamp and the authentication data. The authentication keys are distributed in traceback messages after a pre-defined time. As a result, traceback messages can only be authenticated later, after the authentication keys have been made available in subsequent traceback messages [8].

3.4 CenterTrack

An overlay network is created in order to redirect DDoS attacks to a router where the attack can be analyzed and the attack origin can be located. The basic idea is to build tunnels between each edge router in the network and one or several central routers (called tracking routers) [9] [11].

Fig. 4 CenterTrack architecture (where Ai are attackers, Rj routers, Vk victims)
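The following Python simulation is an added example of the ICMP traceback mechanism described above; it is neither the paper's code nor the wire format of the Internet Draft. Routers on an assumed three-router path emit a traceback message with low probability for each forwarded packet; the victim matches messages to its attack packets by an excerpt of the packet, chains the (router, previous hop) links back toward the source, and accepts only messages whose authentication data verifies under a router key that is disclosed after a delay, as the authentication mechanism recommended for the scheme requires. Router names, the key derivation, the HMAC construction and the trace probability are constructed for the example.

```python
"""ICMP traceback simulation (Section 3.3).  Constructed example, not the
wire format of the ICMP Traceback Internet Draft.

Every router on the path forwards each packet and, with probability
TRACE_PROB, emits a traceback message to the packet's destination.  The
message names the router, the link it saw the packet on (previous and next
hop), a time stamp, the probability and an excerpt of the traced packet,
plus an authentication field (key identifier, time stamp, MAC).  Keys are
disclosed to the victim only after a delay, so messages are verified late.
"""
import hashlib
import hmac
import random

TRACE_PROB = 0.05      # real proposals use a much lower rate; raised here to keep the run short
ATTACKER, VICTIM = "attacker", "victim"
PATH = ["R_a", "R_b", "R_c"]   # assumed routers, attacker side first
EPOCH = 0                      # key epoch; a router's key is disclosed after the epoch ends
# Per-router, per-epoch secret keys (constructed; derived from a label only for reproducibility).
ROUTER_KEYS = {(r, EPOCH): hashlib.sha256(f"constructed-key-{r}-{EPOCH}".encode()).digest()
               for r in PATH}


def excerpt(packet):
    """Portion of the traced packet that lets the victim match a message to a packet."""
    return hashlib.sha256(packet).hexdigest()[:16]


def message_body(m):
    """Bytes covered by the authentication data."""
    return f"{m['router']}|{m['prev']}|{m['next']}|{m['ts']}|{m['prob']}|{m['excerpt']}".encode()


def traceback_message(router, prev_hop, next_hop, packet, ts, key):
    """Build one traceback message as router `router` would for `packet`."""
    m = {"router": router, "prev": prev_hop, "next": next_hop, "ts": ts,
         "prob": TRACE_PROB, "excerpt": excerpt(packet)}
    m["auth"] = {"key_id": (router, EPOCH), "ts": ts,
                 "mac": hmac.new(key, message_body(m), hashlib.sha256).digest()}
    return m


def forward(packets, rng, path=PATH):
    """Carry packets from attacker to victim; return the traceback messages the victim receives."""
    hops = [ATTACKER] + path + [VICTIM]
    messages = []
    for ts, pkt in enumerate(packets):
        for i, router in enumerate(path, start=1):
            if rng.random() < TRACE_PROB:
                messages.append(traceback_message(router, hops[i - 1], hops[i + 1], pkt, ts,
                                                  ROUTER_KEYS[(router, EPOCH)]))
    return messages


def authenticated(m, disclosed_keys):
    """A message is usable only once its key has been disclosed and the MAC verifies."""
    key = disclosed_keys.get(m["auth"]["key_id"])
    if key is None:
        return False
    expected = hmac.new(key, message_body(m), hashlib.sha256).digest()
    return hmac.compare_digest(expected, m["auth"]["mac"])


def reconstruct(messages, attack_packets, disclosed_keys):
    """Victim side: keep authenticated messages about attack packets, then chain
    (router -> previous hop) links from the victim back toward the source.

    Returns the routers victim-first and the last hop reached: ATTACKER when the
    chain is complete, otherwise the first hop for which no message was received."""
    wanted = {excerpt(p) for p in attack_packets}
    prev_of, last_router = {}, None
    for m in messages:
        if m["excerpt"] not in wanted or not authenticated(m, disclosed_keys):
            continue        # unrelated traffic, undisclosed key, or a forged message
        prev_of[m["router"]] = m["prev"]
        if m["next"] == VICTIM:
            last_router = m["router"]
    path, hop = [], last_router
    while hop in prev_of:
        path.append(hop)
        hop = prev_of[hop]
    return path, hop


def demo(seed=7, n_packets=400):
    """Run the attack, inject one forged message, and reconstruct before and after key disclosure."""
    rng = random.Random(seed)
    attack = [b"SYN flood packet %d" % i for i in range(n_packets)]   # constructed attack traffic
    msgs = forward(attack, rng)
    # A forged message (MAC under the wrong key) trying to blame an innocent neighbour.
    msgs.append(traceback_message("R_c", "innocent", VICTIM, attack[0], 0, b"wrong-key"))
    before = reconstruct(msgs, attack, disclosed_keys={})          # keys not yet disclosed
    after = reconstruct(msgs, attack, disclosed_keys=ROUTER_KEYS)  # keys disclosed later
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before key disclosure:", before)
    print("after key disclosure: ", after)
```

Before the keys are disclosed nothing can be authenticated and the reconstruction is empty; after disclosure the forged message is rejected and the chain R_c -> R_b -> R_a ends at the attacker. If a router's messages never arrive (lost, or the router does not participate, contrary to assumption A8), the chain stops at that hop and reconstruct returns it as the last known point.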
When an attack is detected, a signature of the attack is constructed by the victim and sent to the network operator. The traffic directed to the victim is then redirected, through a modification of the routing topology, from the edge routers to the central tracking routers using the existing tunnels. Input debugging is then performed on the tracking router closest to the victim in order to learn from which ingress edge router the attack is coming. In the case of a single-level topology (each edge router directly connected to a single tracking router) the operation is quite simple. However, when several tracking routers have to be used, the operation has to be repeated hop by hop until the ingress edge router is found (Fig. 4).

4. Conclusions

Incidents have shown the need for global defenses against DDoS attacks, and that a successful defense can be built only by combining technological measures (such as preventing TCP/IP address spoofing, tracking aggregate network flows when spoofed addresses are used, controlling the bandwidth allocated to aggregate flows, and detecting resource limits or overbooking) with measures of a social nature (good security policies and procedures, responsible behaviour from users) [10].

In this paper we presented the design of traceback methods used by major ISPs (Internet Service Providers) to determine the source of DDoS attacks. The first group of methods presented were those based on router logging information, widely used in operator networks (NetFlow, IP packet tracer). These are reactive in nature and require a lot of manual work. The second group consists of automated methods without pattern re-evaluation (CenterTrack, ICMP). By consolidating the characteristic parameters of each of the methods presented, a monitoring architecture can be built that would allow the detection and tracking of DDoS attacks.

REFERENCES

[1] Slowloris, http://www.funtoo.org/wiki/slowloris_dos_mitigation_guide, 2010
[2] Trustwave Report, www.trustware.com, 2010
[3] R. Wray, DDoS Attack Trends Through 2010, www.arbornetworks.com, 2011
[4] I. Priescu, V.V. Patriciu, S. Nicolaescu, Data Analysis Types Employed in Network Security Monitoring, The 7th International Conference on Technical Informatics, IEEE Romania, pages 252-255, Bucharest, 2006
[5] T. Doeppner, P. Klein, A. Koyfman, Using Router Stamping to Identify the Source of IP Packets, ACM Computer and Communications Security Conference, 2000
[6] D. Dean, M. Franklin, A. Stubblefield, An Algebraic Approach for IP Traceback, IEEE INFOCOM '01, 2001
[7] Steve Bellovin, Marcus Leech, Tom Taylor, ICMP Traceback Messages, Internet Draft, 2001
[8] Vasilios A. Siris, Ilias Stavrakis, Provider-based deterministic packet marking against distributed DoS attacks, Journal of Network and Computer Applications, Volume 30, Issue 3, pages 858-876, 2007
[9] D. Park, A Study of Packet Analysis regarding a DoS Attack in WiBro Environments, IJCSNS International Journal of Computer Science and Network Security, Vol. 8, No. 12, pages 398-402, 2008
[10] I. Priescu, V.V. Patriciu, S. Nicolaescu, The Viewpoint of E-Commerce Security in the Digital Economy, International Conference on Future Computer and Communication, Kuala Lumpur, Malaysia, IEEE Computer Society, ISBN 978-1-4244-3754-2, 2009
[11] I. Priescu, I. Bica, S. Nicolaescu, Design of Traceback Methods for Tracking DoS Attacks, Computer Science and Information Technology - Spring Conference, 2009, IACSITSC '09, pages 117-121, Singapore, IEEE Computer Society, ISBN 978-0-7695-3653-8, 2009