QoS Adoption And Protect It Against DoS Attack by ijcsiseditor

VIEWS: 123 PAGES: 10

									                                                                  (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                Vol. 10, No. 9, September 2012

                                 QoS Adoption And Protect It
                                    Against DoS Attack
            DR. MANAR Y. KASHMOLA                                                     RASHA SAADALLAH GARGEES
            Computer Sciences Department                                               Software Engineering Department
       Computer Sciences and Mathematics College                                   Computer Sciences and Mathematics College
                   Mosul University                                                            Mosul University
                      Mosul, Iraq                                                                 Mosul, Iraq
             manar_kashmola@yahoo.com                                                           rasha_sg@yahoo.com

Abstract— The enormous growth of the internet and the variation              enables the network to differentiate and handle traffic based on
in the needs of its applications resulted in the great interest in the       policy. This means providing consistent, predictable data
recent years in the Quality of Service (QoS). Since it must meet             delivery to users or applications that are supported within the
the QoS in all circumstances, another challenge has emerged                  network.[4] Quality of service will be of central importance in
which represents a hindrance to achieve the QoS. And this
                                                                             modern domestic infrastructures, crossed by multiple digital
challenge was represented by the emergence of some types of DoS
that aim at exhausting the bandwidth and eventually violating the            streams for many kinds of user services[5].
agreements of the QoS.
                                                                             Guaranteeing QoS means providing the requested QoS under
In this research a system was constructed to achieve the QoS                 all circumstances, including the most difficult ones. Among
depending on the Diffserv technology, as the bandwidth is                    the most difficult circumstances are denial of service (DoS)
distributed on the various applications according to the                     attacks. Because of this, protection against DoS is a defining
specifications and the requirements of the application, giving the           characteristic for guaranteed QoS mechanisms[6].
priority to certain applications as well as providing protection to
them from the DoS attacks. The model of Anomaly Detection was                Denial of service (DoS) attacks pose many threats to the
adopted to detect the attack, and then prohibiting the attack                networking infrastructure. They consume network resources
detected by means of dropping the attack flow.
                                                                             such as network bandwidth and router CPU cycles with the
The system prove efficiency in improving the QoS for the                     malicious objective of preventing or severely degrading
applications with critical requirements, through measuring a set             service to legitimate users [7].
of factors that affect the QoS and the efficiency degree of halting
the DoS attack manifested by means of the available bandwidth,               The Denial-of-Service attack (DOS attack) is an attempt from
and eventually preserving the bandwidth in the cases of such                 the attacker to prevent legitimate users from accessing system
attacks.                                                                     resources. DOS attack has been one of the most serious and
                                                                             successful methods of attacking computer networks [8].
   Keywords: QoS, DoS, Bandwidth, DiffServ, attack.
                                                                             Our aim is to Develop a system implemented on Linux
       I. INTRODUCTION                                                       platform to achieve the QoS to distinguish between different
                                                                             types of network services and to give high priority and
Internet was initially designed for providing the best effort                bandwidth for certain services depending on their
delivery of application data since average performance                       requirements, at the expense of other less important services,
guarantees were sufficient for initial types of applications [1].            as is bandwidth management is to be invisible to the user,
But the widespread growth of the Internet and the                            without the need to increase the overall bandwidth of the
development of streaming applications, and the advance of                    network. And we also Protect the security of QoS from DoS
technologies in multimedia compression, have guided the                      attacks, which drains bandwidth, it is classified traffic to
Internet society to focus on the design and development of                   normal and abnormal, by establishing a system for intrusion
architectures and protocols, that would guarantee a level of                 detection and prevention, and be lightweight and quick to
Quality of Service. QoS is defined as the collective effect of               detect DoS attacks and prevent them in real time and without
the service performance, which determines the degree of                      the need for access and analysis the contents of packets.
satisfaction of a user of the service, or a measure of how good
a service is, as presented to the user and manifests itself in a             This paper is organized as follows: section 2 refers to related
number of parameters, all of which have either subjective or                 work; section 3 describes Major QoS Framework, Functions
objective values[2][3]. Also we can define it as a set of                    and parameter. Effect of Dos Attack on QoS, Attack
techniques to manage network resources in a manner that                      Scenarios, Intrusion Detection System and Intrusion

                                                                         8                              http://sites.google.com/site/ijcsis/
                                                                                                        ISSN 1947-5500
                                                             (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                           Vol. 10, No. 9, September 2012
Prevention System describe in section 4, in section 5 our               done in cellular networks, the idea is to initiate a
system model is presented. Section 6 evaluates performance of           selective video handoff procedure, either from the server side,
our system. Section 7 is the conclusion and future work.                when the DOS attack is detected, or from the user side
                                                                        when QoS degradation occurs. All of that should happen
       II.   RELATED WORK                                               without interrupting the user (i.e. while the video is
                                                                        playing). They make use of the SIP protocol stack for
In [9] researcher Myung-Sup Kim and et al presented a flow-             signaling, QoS negotiation, and session management.
based abnormal network traffic detection method and its
system prototype. This method is efficient, since it can reduce         In [13] presents a virtual inline technique which is based on
system overhead in the processing of packet data by                     the technique of the Man in the Middle attack (MITM), it
aggregating packets into flows.                                         combines the NIDS and NIPS together in providing all-wave
                                                                        protection to networks. This technique integrates the
In [10] Wen-Shyang Hwang and Pei-Chen Tseng proposed a                  advantages of both IDSs and IPSs, and avoids their shortages;
QoS-aware Residential Gateway (QRG) with real-time traffic              it also avoids those problems baffle our researchers in this
monitoring and a QoS mechanism in order to initiate DiffServ-           field.
QoS bandwidth management during network congestion.
                                                                               III. QUALITY OF SERVICE
And in [11] proposed a secure and adaptive multimedia
transmission framework to maintain the quality of service                    A. Major QoS Framework
(QoS) of the multimedia streams during the Denial-of-Service            The IP QoS architecture development began with the IntServ
(DoS) attacks The proposed framework consists of two                    concept, and The scalability problem led to the design and
components: intrusion detection and adaptive transmission               introduction of DiffServ architecture [14]
management, The results of preliminary simulations in NS2
show that the quality of the multimedia stream can still be
                                                                         Integrated Services
maintained during an attack.
                                                                        Integrated Services (IntServ) works at the granuIarity of the
In [5] investigated QoS issues in such scenario, considering            individual application or flow. It invoIves path setup and
the delivery of a digital terrestrial television transport stream       resource reservation (RSVP) when the application starts. This
for home entertainment, in the presence of video surveillance,          preliminary dialogue between the sender and receiver nodes
automation data and Internet data streams. They have verified           ensures trouble free communication for the session[15].
that the introduction of a quality of service router permits to         Typically, applications (such as a VoIP gateway, for example)
effectively regulate the priority and bandwidth assigned to             originate RSVP messages; intermediate routers process the
each service, through the definition of proper QoS rules.               messages and reserve resources, accept the flow or reject the
                                                                        flow [16].
In [3] presented an Optimal Smooth Quality Adaptation (OS-
QA) strategy which gracefully adapts to network bandwidth               While this is an ideal solution, capable of providing rigorous
fluctuations to protect the service quality with relative               QoS guarantees, it is very complex and places a substantial
consistent QoS. They set up a mathematical model and derive             processing burden on intermediate routers. Scalability
the optimal conditions to maximize the system overall                   becomes a problem with increasing number of flows. Also,
resource utilization and minimize the average QoS variance of           incremental deployment is virtually impossible. Work is in
the requests from their ideal QoS requirements under the                progress to extend RSVP to allow flow aggregation, explicit
resource constraints. Results show that their OS-QA is                  route setup and QoS negotiation [15].
effective in providing QoS spacing for different quality classes
and adapting the QoS smoothly to ensure less perceived QoS              RSVP messages take the same path that IP packets take, which
jitter.                                                                 is determined by the routing tables in the IP routers. RSVP
                                                                        provides several reservation styles [17].
In [12] proposes a system for lightweight detection of DoS
attacks, called LD2. The system detects attack activities by             Differentiated Services
observing flow behaviors and matching them with graphlets               Enabling thousands of reservations via multi-field
for each attack type and defines appropriate threshold levels           classification means that a table of active end-to-end flows and
for each DoS attack. The proposed system is lightweight                 several table entries per flow must be kept. Memory is limited,
because it does not analyze packet content nor packet                   and so is the number of flows that can be supported in such a
statistics. The system implemented based on the concept of              way. In addition, maintaining the state in this table is another
BLINC.                                                                  major difficulty, The only way out of this dilemma appeared
                                                                        to be aggregation of the state: the Differentiated Services
In [8] propose a new mechanism to guarantees QoS during                 (DiffServ) architecture[16].
DOS attacks for IPTV networks, they introduce the concept
of “video stream handoff” analogous to the “soft handoff”

                                                                    9                              http://sites.google.com/site/ijcsis/
                                                                                                   ISSN 1947-5500
                                                               (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                             Vol. 10, No. 9, September 2012
Unlike IntServ where the RSVP signaling is used to reserve              Network delay is caused by the combination of network
bandwidths along the path, QoS in DiffServ is provided by               propagation delay, processing delays and variable queuing
provisioning rather than reservation[18].                               delays at the intermediate routers on the path to the destination
Primary goal of the Differentiated Services (DS) architecture
is to provide a simple, efficient, and thus scalable mechanism
                                                                        2)Delay variation ( jitter)
that allows for better than best effort services in the
Internet[19]                                                            Delay variation is usually caused by the buffers built up on
                                                                        routers during periods of increased traffic, and less often by
It involves a more coarse grained approach, grouping IP                 changes of routing due to failures or routing table updates.
packets into a relatively small
number of classes. This option has always been available                3)Packet loss
(though seldom used) in the ToS field of the IPv4 header. The           Packet loss is typically the result of excessive congestion in
DiffServ approach formalises this by defining a set of packet           the network. Packet loss is defined as the fraction (or
forwarding criteria (Per Hop Behaviours - PHB) based on the             percentage) of IP data packets, out of the total number of
DSCP (Differentiated Services Code Point). Thus a variety of            transmitted packets.
classes can be defined, providing a priority scheme, but not at
the level of individual applications[15].                               4)Bandwidth
DiffServ push the flowbased traffic classification and                  This signifies the portion of the available capacity of an end-
conditioning to the edge router of a network domain. The core           to-end network path that is accessible to the application or data
of that domain is only having a responsibility of forwarding            flow. Consequently, the number of bits that are injected into
the packets according to the PHB associated with each traffic           the network by the various flows of an application have to be
class[14].                                                              adjusted accordingly.

    B.Network QoS Functions                                                    IV. DENIAL OF SERVICE
To provide QoS over the IP network, the network must
perform the following two basic tasks [18]:                                  A.Effect of Dos Attack on QoS
                                                                        while the adaptive transmission management component is
                                                                        designed to improve QoS of the video via the efficient
                                                                        utilization of the network resources. With the detection of the
                                                                        DoS attacks, the bandwidth occupied by the attacks can be
                                                                        reduced and protected for video transmission[11]. The most
                                                                        common DoS attacks target the computer network's bandwidth
                                                                        or connectivity[22]. Since DoS will inject a large amount of
                                                                        traffic to the network and occupy the bandwidth resources,
                                                                        another issue is how to maintain the quality of service (QoS)
                                                                        of the servers during the DoS attack[11].
                                                                        Denial of Service (DoS) attacks are then more efficient in a
                                                                        guaranteed multi-services network than in the ”old” best effort
                                                                        Internet. Indeed, with best effort services, a DoS attack has to
                                                                        forbid the target of the attack to communicate. With a multi-
                                                                        services network, it is sufficient to make the network not
                                                                        respect the SLA (Service Level Agreement) committed with
                                                                        clients, what is easier and can be performed using simple
                                                                        flooding attacks [23].
           Figure. 1: IP QoS generic functional requirements
                                                                             B. Attack Scenarios
     C. Network QoS parameter                                           The first attack scenario targets Storage and Processing
The most important metrics that characterise the performance            Resources. This is an attack that mainly targets the memory,
of an IP network, and that are the most significant factors that        storage space, or CPU of the service provider [24].
influence the end-to-end quality of an application, are
[20][21]:                                                               The second attack scenario targets bandwidth. is designed to
                                                                        flood the victim network with unwanted traffic that prevents
1) Delay                                                                legitimate traffic from reaching the primary victim[25].
                                                                        Consider the case where an attacker located between multiple
Network delay corresponds to the time it takes for application          communicating nodes wants to waste the network bandwidth
data units to be carried by the network to the destination.             and disrupt connectivity. The malicious node can continuously

                                                                   10                               http://sites.google.com/site/ijcsis/
                                                                                                    ISSN 1947-5500
                                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                         Vol. 10, No. 9, September 2012
send packets with bogus source IP addresses of other nodes,            designed to examine all traffic that passes through it to detect
thereby overloading the network. This consumes the resources           and stop undesired access, malicious content and inappropriate
of all neighbours that communicate, overloads the network,             transaction rates from penetrating or adversely affecting the
and results in performance degradations[24]. bandwidth                 availability of critical IT resources[13] Intrusion prevention
attacks may be caused by traffic that looks entirely normal            system (IPS): is software that has all the capabilities of an
except for its high volume[26].                                        intrusion detection system and can also attempt to stop
                                                                       possible incidents[33].
     C .Intrusion Detection System
                                                                       IPSs work inline, the Network based IPS (NIPS) are typically
An Intrusion Detection System (IDS) is an entity devoted to            deployed at the border of the intranet, and the Host based IPS
the detection of both non-authorized uses and misuses of a             (HIPS) are typically installed in endpoints[13].
system. Usually, it does not attempt to stop intrusion upon its
detection, but rather alerts some other system component                      V.    PROPOSED SYSTEM
[27],and depending on their source of input, IDSs can be
classified into Host-based Intrusion Detection System(HIDS),                A. General structure of the quality of service system
Network-based Intrusion Detection System(NIDS) and Hybrid
                                                                       The system was implemented on Linux platform to achieve
Intrusion Detection System[28].
                                                                       the quality of service based on the concept of Diffserv, and
                                                                       passes the set of stages as they are first read the incoming
    IDS analysis: According to the detection model, the IDS
                                                                       packets to the Network Interface Card (NIC) and analyze
   techniques can be classified into :
                                                                       packet headers. Then they will be classified according to the
                                                                       type of application which belongs to it and that depending on
     Signatures-based detection                                       the type of protocol and port number, then give each
The signature approach to intrusion detection, which traces            application the particular priority by changing the TOS field in
back to the early 1990s [29], which is also called misuse-based        the packet's header of Internet Protocol, depending on the
or pattern detection approaches store the signatures of the            definition of the TOS field. Finally is the distribution of the
known attacks in a database. Then the current traffic is               data in the queues and given a certain percentage of bandwidth
compared with the database to find the patterns matching. The          for each queue according to an CBQ algorithm . Figure (2)
obvious drawback of misused detection approaches is, that it           show the overall structure of the system.
can only detect known attack patterns and is not for detecting
new attacks that do not match with stored patterns [30].
Signatures are almost useless in network-based IDSs when
network traffic is encrypted. As well as some attacks do not
have single distinguishing signatures, but rather a wide range
of possible variations. Each variation could conceivably be                                                           Classify       Marking
                                                                                        Read         Analysis
incorporated into a signature set, but doing so inflates the                            packet        packets         packets        Packets
number of signatures, potentially hurting IDS performance                                 s
      Anomaly-based detection
Anomaly detection approaches build models from the normal                      Figure 2: General structure of the system quality of service
data, and any deviation from the normal model in the new data
is detected as anomaly. Anomaly detection has the advantage            The process of giving precedence to packets is done by
of detecting new types of attacks, while suffering from a high         marking packets as they are encoded in a particular field to
false alarm rate[31].                                                  change the ToS header located in the Internet Protocol
                                                                       Version4. Table (1) show the type of encoding used for each
Anomaly detectors construct profiles representing normal
                                                                       application with the type of protocol and port number. Fig (3)
behavior of users, hosts, or network connections. These
                                                                       show the steps of proposed QoS algorithm.
profiles are constructed from historical data collected over a
period of normal operation[32].                                                      Table 1: ToS field values and port numbers
                                                                              Application Type       Protocol Port         Coded type
                                                                                   Audio               UDP       1071           EF
     D. Intrusion Prevention System                                                Video               UDP       2979         AF31
The majority of current IDSs stops with flagging alarms and                        Telnet              TCP         23          CS4
relies on manual response by the security administrator or                        HTTPS                TCP        443         AF21
                                                                                   HTTP                TCP         80         AF22
system administrator. This results in delays between the
                                                                                                                   21         AF12
detection of the intrusion and the response which may range                         FTP                TCP
                                                                                                                   20         AF13
from minutes to months. The Intrusion Prevention Systems                            Ping              ICMP          -          CS6
(IPSs) are tried to solve this problem. IPSs solutions are                          other                -          -           BE

                                                                  11                                   http://sites.google.com/site/ijcsis/
                                                                                                       ISSN 1947-5500
                                                                                 (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                               Vol. 10, No. 9, September 2012
                   Begin                                                                  focus of this research on the types of DoS attack that consume
                                                                                          bandwidth they affect the quality of the service, the system is
                                                                                          working neighborhood (Online) has been taking into account
            Read packets                                                                  that the system is fast and light so does not constitute a burden
                                                                                          on the network, capturing packets as soon as they (On the
   Analysis packages and determines
                                                                                          fly),flowing types of attack addressed in this research.
         the type of protocol
                                                                                                          UDP Flood Attack
                                                                                                          ICMP Flood Attack
     Is protocol
                                   Is protocol
                                                               Is protocol                                SYN Flood Attack
         TCP                          UDP                         ICMP

        Y                            Y                                                          2. DoS Attack Detection and Prevention System
                                                                 Y                             Architecture
                                                                                          We have been designing a DoS attack detection system on
    Does it belong                 Does it belong     N
     to one of the
                           N                                  Does it belong              Linux platform based on Anomaly Detection model, and the
                                    to one of the              to one of the
      designated                     designated                 designated                detected attack prevented by dropping the attack flow. The
    ports of TCP                    ports of UDP              ports of ICMP               system consists of six units: (Packet Sniffer Unit, Packet
       protocol?                      protocol?                  protocol?
                                                                                          Analysis Unit, Training Unit, Intrusion Detection Unit,
                                                                                          Intrusion Prevention Unit, and Reports Generator Unit).
      Y                                      Y                                            Packet Sniffer Unit read the network packets in real time, and
                                                                                          then sends these packets to the Packet Analysis Unit, which
                                                                                          analyzes the packets headers and extract information from
                                                                                          them. Then packets are collected to flow based on five fields
                                     coded ToS field depending on the protocol
                                                                                          (the source address, the destination address, the type of
                                                 and port number                          protocol, source port, the destination port). And each flow will
                                                                                          be known by these five fields. The Training Unit are based on
                                                                                          finding the appropriate threshold limit values for each type of
                                          Account Checksum of IP header
                                                                                          the three protocols and stored in a text file. The system also
                                                                                          includes an intrusion detection unit that can detect a DoS
                                         Distribution of data in the queues               attack, depending on the values of the threshold obtained from
                                         according to the value field ToS                 the Training Unit, and in the case of the detecting DoS attack
                                                                                          it is prevented by Intrusion Prevention Unit. dropping all the
                                    Pass the data from each queue according to
                                                                                          flows of the attack and then inform they prevent the attack,
                                                a certain percentage                      Reports Generator Unit issue a report on the attacks that have
                                                                                          occurred and some details of it, as will be mentioned later, all
                                                                                          this is a light and fast, so that no delay or burden on the
                                                                     End                  network

                       Figure. 3: proposed QoS algorithm

                                                                                                                              Training              Threshold
                                                                                               Packet     Packet
    B. DoS Prevention System                                                                   Sniffer   analysis
                                                                                                           unit                                                        flow
     1. DoS Attack
Because of the impact on the quality of services can be                                                                       Attack           Attack
                                                                                              Packet      Packet
provided to users by Denial of service attacks bandwidth. The                                 Sniffer    analysis            detection        prevent
                                                                                                                               unit           ion unit    Drop
system was designed for the purpose of protecting the quality                                              unit
of service of such attacks, and several research puts a lot of
efforts to find many new and effective techniques to detect and                                                     Report generator             Report
prevent such attacks. However, most studies were conducted,                                                              unit
                                                                                                                                                            Attack   flow
such as [34] [26] [22] [31] using Offline data where used as a
database of readily available data or by simulation. Having
examined the studies only a few issues of the survivability of                                                           Figure. 4: DoS system
the server when it is exposed to DoS attacks and testing in a
real measure of the effectiveness of the liquidation of such a
movement of malignant and longer capture and analyze the
real attack if it occurs (On the fly) a difficult task, has been the

                                                                                     12                                        http://sites.google.com/site/ijcsis/
                                                                                                                               ISSN 1947-5500
                                                                                      (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                                    Vol. 10, No. 9, September 2012

                                       Begin                                                                                               Begin

                                                                         Thresholds                                                       Count=0
                           Read Thresholds Values

                                                                                                                                        Read Packets
                          Save Threshold Values in parameters

                                                                                                                                N       Time > Period?       Y
                                Read incoming packets

                                                                                                                                                          Count the number of
                                                                                                                                          Y                Packets per flow
                      N                                                                                      N     Is it belonging to
                                    Are the incoming                                                               an existing flow?
                                   packets belonging to
                                      attack flows?                                                                                                      Count maximum value of
                                                                                                                                                          UDP, ICMP, and TCP
                                                                                                            Start new Count          Increment
  N        Is it belonging to         Y                   Drop Packets of                                    for New Flow           Count of Flow
           an existing flow?                               Attack flow
                                                                                                                                                            Save the Values
                                                                                                                                                              in text file

Start new counter            Increment counter
  for new flow                of existing flow                Inform
                                                           that attack                                                                  Threshold File            Stop
                                                           is stopped
                                                                                                                    Figure. 6: Training Algorithm
            Forward packet
                                                                                               Report Generator Unit generates report to administrator
                                            N                                                  illustrates the attacks that took place depending on information
              Time> Period                                                                     gained from detection unit. Figure (7), shows a model of the
                                                                                               attack report, the report includes the IP used by the attacker ,
                            Y                                                                  IP of the victim, source port , destination port , type of
                                                                                               protocol, and the date and time of the attack. The report will
       Count the flows larger than threshold
                                                                                               be arranged automatically by the date and time of the attack.

          Add these flows to attack flows

          Save them in File                         Attack file

           Reset parameters


              Figure. 5: Dos Attack Detection and Prevention Algorithm
                                                                                                                 Figure. 7 model of the attack report

                                                                                                      VI. RESULTS AND DISCUSSION
  We proposed training algorithm to obtain the values of the
  threshold appropriate to each of the three protocols UDP, SYN                                     A. Test1:
  and ICMP, as these values will vary depending on network
  size and the type of data the passers-by , fig (6) shows steps of                            In this test was for 5 minutes send a video of Avi type with the
  the proposed training algorithm.                                                             flow of HTTP type from server to a normal computer, with
                                                                                               the video specifications as follows:
                                                                                               Frame rate= 24 frames/second
                                                                                               Frame width =240 Pixel
                                                                                               Frame height =136 Pixel
                                                                                               It has been re-tested twice, with and without QoS, the
                                                                                               outcomes were compared and it was as follows:

                                                                                          13                                   http://sites.google.com/site/ijcsis/
                                                                                                                               ISSN 1947-5500
                                                                         (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 10, No. 9, September 2012
Decrease delay rate of time, as the delay rate without QoS was
equal to 11.0 ms , while with QoS, it became 10.3 ms. (Figure
8a) and (Figure 8b) show the delay in the video packet with
and without QoS.

                                                                                       Figure. (10): used bandwidth (a) without the QoS (b) with the QoS

                                                                                       B. Test2:
                                                                                  The impact of an ICMP Flood attack on the natural flow of
                                                                                  Ping was tested. The ICMP Flood attack from attacking
                                                                                  computer to the server by sending a group of ICMP packets
                                                                                  with different sizes to the server, and at the same 50 ping
                                                                                  request sent such as normally flow by the network. Results
                                                                                  were observed with existence of the attack and after
                                                                                  preventing it, as shown in Figures (11 a) and (11 b), since the
                                                                                  rate of data loss with an attack was 56%, where as the rate of
                                                                                  data loss after preventing the attack 0%, also decrease in the
                                                                                  rate of Round trip time (RTT) as it was before to prevent the
                                                                                  attack 115 ms and after it was stopped 7 ms. Figures (12 a)
                                                                                  and (12 b) shows down in the Response Time of Ping flow
                                                                                  before and after stopping an ICMP Flood attack.
     Figure (8): delay in the video packet (a) without QoS (b)with QoS

The percentage of data loss without QoS was 6.33%, and after
appling QoS it has become 0.41%, which makes the video
presents a clearer view at the recipient. Figure (9a) and Figure
(9 b) show snapshot of the video taken with and without the
quality of service system.                                                                                                                                (a)
                                                                                    Figure. (11): Impact of ICMP flood attack on ICMP flow (a) no. of send
                                                                                                       received and loss packet (b) RTT

                        (a)                          (b)
   Figure. (9): snapshot of the video (a) without the QoS (b) with the QoS

From Figure (10 a) and (10 b) the bandwidth rate used by the
video without QoS was equal to 994040.53 bits / sec and for
HTTP was 811308.82bits/sec, while they become 1056430.58                                                                (a)
bits / sec and for HTTP 513732.26 bits / sec when QoS was

                                     (a)                                            Figure. (12): Response Time (a) in presence of attack (b) after stop attack

                                                                             14                                    http://sites.google.com/site/ijcsis/
                                                                                                                   ISSN 1947-5500
                                                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                         Vol. 10, No. 9, September 2012
     C.Test3                                                                                D. Test4
UDP Flood attack was sent for two minutes from the attacking                               The last test was made to know the impact of an Syn
PC to the server and the impact of the attack on the video sent                        Flood attack on normal traffic of HTTP. It was sent Syn Flood
through the network was measured with loss of data, 10.94 %                            attack for 3 minutes, with HTTP flow as the normal flow and
and delay rate was 11.5ms. While after prevent the attack the                          measured productivity and Round Trip Time (RTT) for HTTP
loss of data has become 0% and the delay rate was ms10.3.                              flow. As shown in figures (16 a,16 b), (17 a,17 b) that in the
The packet delay in the video shown in Figures (13a, 13b),                             existence of the attack, throughput was between (10000-70000
Figures (14a , 14 b) shows the effect on the video snapshot.                           B/S) and it was with a scatter, and the highest value of Round
                                                                                       Trip Time equal 1 sec. While after stopping the attack
                                                                                       throughput is between (25000-70000) B/S and almost in a
                                                                                       straight line, while the highest value of Round Trip Time is
                                                                                       equal 0.5 Sec.



      Figure. (13): delay in the video packet (a) in presence of UDP flood (b)
                                 after stop UDP flood

                                                                                        Figure. (16): HTTP Throughput (a) in presence of SYN flood (b) after stop
                                                                                                                     SYN flood

              (a)                                             (b)
Figure. (14): snapshot of the video (a) in presence of UDP flood (b) after stop
                                  UDP flood

Used bandwidth have been measured, with bit rate for the
video as shown in Figures (15a,15b). The bit rate of the video                                                             (a)
was equal 941103.12 bits / sec with the presence of attack,
and equal 1056052.25 bits / sec after preventing the attack.

                   (a)                                 (b)
Figure. (15): used bandwidth (a) in presence of UDP flood (b) after stop UDP                                                (b)
                                     flood                                               Figure. (17): RTT (a) in presence of SYN flood (b) after stop SYN flood

                                                                                  15                                   http://sites.google.com/site/ijcsis/
                                                                                                                       ISSN 1947-5500
                                                                         (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 10, No. 9, September 2012
 Figure (18 a) and (18 b) show the used bandwidth, The                                  Streaming”, IEEE , International Conference on Multimedia and Expo
                                                                                        ICME, ISBN: 978-1-4244-2570-9 , PP. 429 – 432.
 average bandwidth of the video with an attack was equal to
                                                                                 [4]    Agrawal V. , December (2005) “Establishment of QoS enabled
 322220.65 bits / sec, But it was equal 497897.17 bits / sec                            multimedia collaboration Grid over native IPv6 fabric”, MSc thesis,
 after stopping the attack.                                                             Birla Institute of Technology and Science, India.
                                                                                 [5]    Baldi, M.; Morichetti, S.; and Gambi, E. , Sept. (2007),“Quality of
                                                                                        Service in Local Area Networks intended for Home Entertainment and
                                                                                        Domotic Applications”, IEEE 15th International Conference on
                                                                                        Software, Telecommunications and Computer Networks SoftCOM,
                                                                                        ISBN: 978-953-6114-93-1, PP. 1 – 5.
                                                                                 [6]    Owezarski, P.; and Larrieu, N. , Aug. (2006) “Measurement Based
                                                                                        Approach of Congestion Control for enforcing a robust QoS in the
                                                                                        Internet”, IEEE International Conference on Internet Surveillance and
                                                                                        Protection, ISBN: 0-7695-2649-7.
                                                                                 [7]    Havary-Nassab, V.; Koulakezian, A.;and Ganjali, Y., (2009) “Denial of
                                                                                        Service Attacks in Networks with Tiny Buffers”, IEEE, ISBN: 978-1-
                                                                                 [8]    Moh’d, A.; Tawalbeh, L.;and sowe, A., (2009) “A Novel Method to
                                     (a)                                                Guarantee QoS during DOS Attacks for IPTV using SIP”, IEEE Second
                                                                                        International Conference on the Applications of Digital Information and
                                                                                        Web Technologies, 2009. ICADIWT '09., ISBN: 978-1-4244-4456-4,PP.
                                                                                        838 - 842 .
                                                                                 [9]    Kim, M.; Kang, H.; Hong,S.; Chung, S.; and Hong, J. W. , (2004) “A
                                                                                        Flow-based Method for Abnormal Network Traffic Detection”, IEEE,
                                                                                        Network Operations and Management Symposium, 2004. NOMS 2004.
                                                                                        IEEE/IFIP, vol.1,ISBN: 0-7803-8230-7,PP.599 - 612.
                                                                                 [10]   Hwang W. and Tseng, P., AUGUST (2005) “A QoS-aware Residential
                                                                                        Gateway with Bandwidth Management”, IEEE Transactions on
                                                                                        Consumer Electronics, Vol. 51, No. 3,PP 840 - 848.
                                                                                 [11]   Luo, H. and Shyu, M., (2005), “The Protection of QoS for Multimedia
                                                                                        Transmission against Denial of Service Attacks”, Multimedia, Seventh
                                                                                        IEEE International Symposium on.
                                        (b)                                      [12]   Pukkawanna, S.; Pongpaibool, P.; and Visoottiviseth, V. , (2008) “LD2:
 Figure. (18): used bandwidth (a) in presence of SYN flood (b) after stop SYN           A System For Lightweight Detection Of Denial-Of-Service Attacks”,
                                      flood                                             IEEE, Military Communications Conference, MILCOM 2008,
                                                                                        ISBN: 978-1-4244-2676-8,PP.1-7.
                                                                                 [13]   Wu, Z.; Xiao, D.; Xu, H.; Peng, X.; and Zhuang, X. , (2009), “Virtual
         VII. CONCLUSION:                                                               Inline: A Technique of Combining IDS and IPS Together in Response
                                                                                        Intrusion”, IEEE First International Workshop on Education Technology
 Because of widespread growth of the Internet and the                                   and Computer Science,vol.1, ISBN: 978-1-4244-3581-4, PP. 1118 –
 development of streaming applications, Quality of service will                         1121.
 be of primary importance in the IP-based networks. In this                      [14]   Elshaikh, M. A.; Othman, M.; Shamala, S. and J. Desa, November
                                                                                        (2006) “A New Fair eighted Fair Queuing Scheduling Algorithm in
 paper a system was constructed to achieve the quality of                               Differentiated Services Network”, IJCSNS International Journal of
 service depending on the Diffserv technology, giving the                               Computer Science and Network Security, VOL.6 No.11.
 priority to certain applications as well as providing protection                [15]   Frangiskatos, D. and Agrawal, S., M., (2004), “Quality Of Service In
 to them from the DoS attacks. The model of Anomaly                                     Tcp/Ip Networks: A Diffserv Testbed”, Telecommunications Quality of
                                                                                        Services: The Business of Success.
 Detection was adopted to detect the attack and then
                                                                                 [16]   Welzl, M., (2005), “Network Congestion Control Managing Internet
 prohibiting the attack detected by means of dropping the                               Traffic”,Wiley Series in Communication networking & Distributed
 attack flow. From tests we verified effectively the QoS in IP-                         System.
 based network, and the system successes to guarantee QoS for                    [17]   Park, S. and DeDourek J., (2009), “Quality of Service (QoS) for Video
 IP networks During DOS attacks. Our future work will use a                             Transmission”, IEEE, First International Conference on Ubiquitous and
 cross platform language and develop a system to detect and                             Future Networks , ISBN: 978-1-4244-4215-7,PP. 142 – 147.
 prevent distributed DOS attacks and other types of attacks.                     [18]   Park, K., I., (2005), “QOS in Packet Networks”, Springer.
                                                                                 [19]   Bechler, M.; Ritter, H.; Schafer, G.; Schiller, J., (2001), “Traffic Shaping
                              REFERENCES:                                               in End Systems Attached to QoS-supporting Networks”, IEEE.
                                                                                 [20]   Miras, D., (2002), “Network QoS Needs of Advanced Internet
[1]   M. Aykut Yigitel, Ozlem Durmaz Incel, and Cem Ersoy ,(2011), “QoS-
                                                                                        Applications A Survey”, Internet2 QoS Working Group.
      aware MAC protocols for wireless sensor networks: A survey”,
      Computer Networks, Volume 55, Issue 8, Pages 1982-2004.                    [21]   Gargees, R.S., (2011), “QoS Adoption and Secure it by Preventing DoS
                                                                                        Attack”, M.Sc. Thesis, Mosul University, Iraq.
[2]   Jayashree , P.; Easwarakumar, K.S. ; Gokul, B.; and Harishankar, S.
      ,(2008) “Providing QoS as a Means for Defending DoS Attacks in             [22]   Douligeris, C. and Mitrokotsa, A., (2003), “DDoS attacks and defense
      Active Networks”, IEEE 16th International Conference on Advanced                  mechanisms: classification and state-of-the-art”, Elsevier B.V.
      Computing and Communications ADCOM, ISBN: 978-1-4244-2962-2,               [23]   Owezarski , P. , (2005) “On the Impact of DoS Attacks on Internet
      PP. 406 – 409.                                                                    Traffic Characteristics and QoS”, IEEE, 14th International Conference
[3]   Li, X.; Chuah, E.; Tham, J., Y.; and Goh, K. H., (2008) “An Optimal               on Computer Communications and Networks ICCCN, ISSN: 1095-2055
      Smooth QoS Adaptation Strategy for QoS Differentiated Scalable Media              , PP. 269 – 274.

                                                                                16                                   http://sites.google.com/site/ijcsis/
                                                                                                                     ISSN 1947-5500
                                                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                         Vol. 10, No. 9, September 2012
[24]   Denko, M., K., (2006), “ Detection and Prevention of Denial of Service
       (DoS) Attacks in Mobile Ad Hoc Networks using Reputation-Based
       Incentive Scheme”, Journal of Systemics,Cybernetics and Informatics,
       VOLUME 3 - NUMBER4.
[25]   Specht, S., M.; Lee, R. B., (2004), “Distributed Denial of Service:
       Taxonomies of Attacks, Tools and Countermeasures”, 17th International
       Conference on Parallel and Distributed Computing Systems.
[26]   Gil, T., M., (2000), “MULTOPS: a data structure for denial-of-service
       attack detection ”, PhD thesis, VRIJE UNIVERSITEIT.
[27]   Cotroneo, D.; Peluso, L.; Romano, S.P. and G. Ventre, (2002), “An
       Active Security Protocol against DoS attacks”, IEEE, Proceedings of the
       Seventh International Symposium on Computers and Communications
       (ISCC’02). ISBN: 0-7695-1671-8 PP. 496 – 501.
[28]   Ying, L.; Yan, Z. and Yang-Jia, O., (2010), “The Design and
       Implementation of Host-based Intrusion Detection System”, IEEE, Third
       International Symposium on Intelligent Information Technology and
       Security Informatics, ISBN: 978-1-4244-6730-3,PP. 595 – 598.
[29]   Endorf, C.; Schultz, E. and Mellander, J., (2004), “Intrusion Detection &
       Prevention”, McGraw-Hill.
[30]   Malliga, s.; Tamilarasi, A. and Janani, M., (2008), “Filtering spoofed
       traffic at source end for defending against DoS / DDoS attacks”, IEEE,
       Proceedings of the 2008 International Conference on Computing,
       Communication and Networking (ICCCN 2008), ISBN: 978-1-4244-
       3594-4,PP. 1 – 5.
[31]   Luo', H. and Shyu, M., (2007) “Differentiated Service Protection Of
       Multimedia Transmission Via Detection Of Traffic Anomalies”, IEEE
       International Conference on Multimedia and Expo , ISBN: 1-4244-1016-
       9,PP. 1539 - 1542 .
[32]   Pukkawanna, S., (2008), “Lightweight Detection Of Dos Attacks”,
       M.Sc.Thesis in Computer Science, Mahidol University.
[33]   Mirashe, S., P. and Kalyankar, N., V., (2010), “3Why We Need the
       Intrusion Detection Prevention Systems (IDPS) In IT Company”, IEEE,
       2nd International Conference on Computer Engineering and
       Technology, Volume 7, ISBN: 978-1-4244-6347-3, PP.V7-112 - V7-
[34]   N., M.; Parmar, A. and Kumar, M. , (2010), “A Flow based Anomaly
       Detection System using Chi-square Technique”, IEEE, 2nd International
       Advance Computing Conference, PP.285 – 289, ISBN: 978-1-4244-

                                                                                   17                           http://sites.google.com/site/ijcsis/
                                                                                                                ISSN 1947-5500

To top