(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 3, June 2010. ISSN 1947-5500. http://sites.google.com/site/ijcsis/




Optimizing the Application-Layer DDoS Attacks for Networks

P. Niranjan Reddy, Head, Dept. of CSE, KITS, Warangal, A.P., India. npolala@yahoo.co.in
K. Praveen Kumar, Lecturer, Dept. of CSE, KITS, Warangal, A.P., India. praveen_kumar35@yahoo.co.in
M. Preethi, Lecturer, Dept. of CSE, KITS, Warangal, A.P., India. preethi_0290@yahoo.co.in




Abstract – The main aim of the proposed framework is to model application-layer DDoS attacks on popular Websites, attacks that employ legitimate HTTP requests to flood out victim resources, and to implement an effective method to identify whether a surge in traffic is caused by App-DDoS attackers or by normal Web surfers.

Keywords – Application-layer, distributed denial of service (DDoS), popular website.

I. INTRODUCTION

A Distributed Denial of Service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Such attacks have caused severe damage to servers and are an even greater threat to the development of new Internet services. Traditionally, DDoS attacks are carried out at the network layer, e.g., ICMP flooding, SYN flooding and UDP flooding; these are called Net-DDoS attacks. Their intent is to consume the network bandwidth and deny service to legitimate users of the victim systems. The floods are typically launched from a botnet [21], a network of compromised hosts (bots) under the control of a human attacker known as the botmaster. Botnets are used to perform malicious actions such as launching DDoS attacks and sending spam or phishing emails, and they have emerged as a threat to the Internet community. Peer-to-peer (P2P) is a relatively new botnet architecture; P2P botnets are distributed and small, so they are difficult to locate and destroy.

Since many studies have noticed this type of attack and have proposed different schemes (e.g., network measurement or anomaly detection) to protect the network and equipment from bandwidth attacks, it is no longer as easy as it once was for attackers to launch network-layer DDoS attacks. To build the attack population, a worm-like program is created that propagates itself onto many hosts on a network.

When simple Net-DDoS attacks fail, attackers shift their offensive strategy to the application layer and establish a more sophisticated type of DDoS attack. To evade detection, the attackers hit the victim Web servers with HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down [4]. Such attacks are called application-layer DDoS (App-DDoS) attacks. The MyDoom worm [23] and CyberSlam [3] are instances of this type of attack.

On the Web, "flash crowd" [6], [7] refers to the situation when a very large number of users simultaneously access a popular Website [13], which produces a surge in traffic [8] to the Website and might cause the site to be virtually unreachable. Because burst traffic and high volume are common to both App-DDoS attacks and flash crowds, it is not easy for current techniques to distinguish them merely by the statistical characteristics of the traffic.

II. RELATED WORK

Researchers have attempted to detect DDoS attacks at three different layers: the IP layer, the TCP layer and the application layer. From each of these viewpoints, various approaches have been proposed to differentiate normal traffic from attack traffic.

Most DDoS-related research has concentrated on the IP layer. These techniques attempt to detect attacks by analyzing specific features, e.g., arrival rate or header information. For example, Cabrera et al. [9] used management information base (MIB) data, which include parameters describing packet and routing statistics from routers, to achieve early detection. Yuan et al. [14] used cross-correlation analysis to capture traffic patterns and then decide where and when a DDoS attack possibly arises. Mirkovic et al. [15] monitored the asymmetry of two-way packet rates to identify attacks at edge routers. Other statistical approaches to DDoS detection use IP addresses [16] and time-to-live (TTL) values [17].

The TCP layer is another important research area for DDoS detection. For example, the authors of [9] mapped ICMP, UDP and TCP packet statistical abnormalities to specific DDoS attacks based on MIB data. Wang et al. [18] used TCP SYN/FIN packets to detect SYN flooding attacks: in [18], DDoS attacks were discovered by examining the TCP packet header against well-defined rules and conditions that differentiate normal from abnormal traffic. Noh et al. [19] attempted to detect attacks by computing the ratio of TCP flags (FIN, SYN, RST, PSH, ACK and URG) to TCP packets received at a Web server.

At the application layer, Ranjan et al. [11] used statistical methods to detect characteristics of HTTP sessions and employed rate limiting as the primary defense mechanism. Yen et al. [12] defended against application-layer DDoS attacks with constraint random request attacks by statistical methods. Other researchers combated App-DDoS attacks with client "puzzles," see, e.g., [20]. Jung et al. [7] used two properties to distinguish a DoS event from a normal flash crowd: 1) a DoS event is due to an increase in the request rates of a small group of clients, while a flash crowd is due to an increase in the number of clients; and 2) DoS clients originate from new client clusters, whereas flash-crowd clients originate from clusters that had been seen before the flash event.

III. App-DDoS ATTACKS

In our opinion, DDoS attack detection in different scenarios can be clustered as:

    •  Net-DDoS attacks versus stable background traffic.
    •  Net-DDoS attacks versus flash crowd.
    •  App-DDoS attacks versus stable background traffic.
    •  App-DDoS attacks versus flash crowd.

The first two scenarios have been well studied and can be dealt with by most existing DDoS detection schemes, while the other two are quite different from the previous ones.

A simple comparison between the existing system and the proposed system:

    1. Existing: consumes the network bandwidth and denies service to legitimate users.
       Proposed: bandwidth is used effectively; service is given to all users if and only if the resource is available.
    2. Existing: abnormalities are identified and denied.
       Proposed: abnormalities are identified and served from different priority queues.
    3. Existing: a large amount of data is required to train.
       Proposed: identifies abnormalities with a small amount of training data.
    4. Existing: only positive data are used to train.
       Proposed: more accurate identification.
    5. Existing: identifies abnormal traffic and filters it from the network.
       Proposed: identifies the most abnormal traffic and filters it only when the network is heavily loaded.
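The fourth scenario above (App-DDoS attack versus flash crowd) is the one that the two properties of Jung et al. [7] quoted in Section II address. The following Python is an added illustration of those two properties and is not code from this paper or from [7]. It assumes a /24 prefix as a stand-in for the network-aware client cluster used in [7], 60-second baseline and event windows, and constructed (client_ip, timestamp) tuples in place of a real server log. Both constructed events carry roughly the same tenfold volume surge, which is exactly why volume alone cannot separate them; the per-client rate growth and the share of requests from previously unseen clusters can.

```python
from collections import Counter
from ipaddress import ip_network

WINDOW_S = 60  # assumed length of the baseline and event windows, in seconds


def cluster_of(ip):
    """Assumption: the /24 prefix stands in for the network-aware client cluster of [7]."""
    return str(ip_network(f"{ip}/24", strict=False))


def make_requests(prefixes, hosts_per_prefix, reqs_per_client):
    """Constructed sample traffic: (client_ip, t_seconds) tuples, one client per host."""
    reqs = []
    for p in prefixes:
        for h in range(1, hosts_per_prefix + 1):
            reqs.extend((f"{p}.{h}", (h * 7 + i) % WINDOW_S) for i in range(reqs_per_client))
    return reqs


NORMAL_PREFIXES = [f"10.0.{c}" for c in range(10)]
BASELINE = make_requests(NORMAL_PREFIXES, 20, 3)                          # 200 clients, 600 requests
FLASH_CROWD = make_requests(NORMAL_PREFIXES, 200, 3)                      # 2000 clients from known clusters
DOS_EVENT = BASELINE + make_requests(["192.0.2", "198.51.100"], 20, 150)  # 40 bots from new clusters


def mean_rate(counts, window_s):
    """Average requests per second per client over the window."""
    return sum(counts.values()) / len(counts) / window_s if counts else 0.0


def jung_features(baseline, event, window_s=WINDOW_S):
    """Compute the two properties of [7] plus the raw volume growth for one event window."""
    base_counts = Counter(ip for ip, _ in baseline)
    ev_counts = Counter(ip for ip, _ in event)
    base_clusters = {cluster_of(ip) for ip in base_counts}
    # Property 2: requests issued by clients whose cluster never appeared in the baseline.
    new_cluster_reqs = sum(n for ip, n in ev_counts.items() if cluster_of(ip) not in base_clusters)
    base_rate = mean_rate(base_counts, window_s)
    return {
        "volume_growth": len(event) / max(len(baseline), 1),
        "client_growth": len(ev_counts) / max(len(base_counts), 1),        # property 1: more clients
        "rate_growth": mean_rate(ev_counts, window_s) / base_rate if base_rate else float("inf"),
        "new_cluster_share": new_cluster_reqs / max(len(event), 1),         # property 2: new clusters
    }


def classify_event(f, surge=2.0, rate_thresh=3.0, new_cluster_thresh=0.5):
    """Thresholds are assumptions for this example, not values from [7]."""
    if f["volume_growth"] < surge:
        return "normal"
    if f["rate_growth"] >= rate_thresh and f["new_cluster_share"] >= new_cluster_thresh:
        return "App-DDoS"       # few clients, each much faster, from clusters never seen before
    if f["client_growth"] >= surge and f["new_cluster_share"] < new_cluster_thresh:
        return "flash crowd"    # many more clients at the usual per-client rate, from known clusters
    return "suspicious"


if __name__ == "__main__":
    for name, event in (("flash crowd", FLASH_CROWD), ("dos", DOS_EVENT)):
        feats = jung_features(BASELINE, event)
        print(name, {k: round(v, 3) for k, v in feats.items()}, "->", classify_event(feats))
```

Running it shows both events with volume_growth near 10, a rate_growth of 1.0 and new_cluster_share of 0.0 for the flash crowd, and a rate_growth above 9 with more than 90% of requests from new clusters for the attack.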


Fig 1. How the attacker can perform attacks on the App-layer.

IV. DETECTION PRINCIPLE

We cluster the Web surfers and evaluate each cluster's contribution to the anomalies in the aggregate Web traffic. In this framework the DDoS traffic is assumed to come only from authenticated users of the Website. Different priorities are then given to the clusters according to their abnormality, and the clusters are served from different priority queues. The most abnormal traffic may be filtered when the network is heavily loaded. Here the priority level of a cluster is assigned based on the access time only. The different modules of the implementation are given in the next section.

V. MODULES

Web Server Module
    •  Login
    •  Registration
    •  Database Design
    •  Application Design
Attacker Module
    •  Normal User
    •  Abnormal User
Flash Crowd Dismisser
    •  Data preparation
    •  Training
    •  Monitoring

A. Web Server Module
Web servers are computers on the Internet that host Websites, serving pages to viewers upon request; this service is referred to as Web hosting. Every Web server has a unique address so that other computers connected to the Internet know where to find it on the vast network. When your request reaches its destination, the Web server that hosts the Website sends the page as HTML code to your IP address [5]. This reply travels back through the network; your computer receives the code and your browser interprets the HTML and displays the page in graphic form.

B. Login
The login module is common to all kinds of Web application. It authenticates and authorizes the user's access to the site so that only valid users can access it, preventing unauthorized access.

C. Registration
This module is also common to all Web applications. Users are given access to the site only after registering; registration may be free or paid. In order to authenticate and authorize a user, registration is a must.

D. Application Design
An application suited to our project is designed using HTML and the relevant technologies.

E. Database Design
Once the application has been designed, the database has to be designed, i.e., the tables related to our project are created. The number of tables needed for the application has to be decided and the tables are created accordingly.

F. Attacker Module
This module consists of a Web page through which attackers attack the victim Web servers by HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. A very large number of attackers simultaneously access a popular Website, which produces a surge in traffic to the Website and might cause the site to be virtually unreachable.

Fig 2. Simple network attack path.

Normal User: the user logs in and acts as a normal user; there is no abnormality in his behaviour.

Abnormal User: the user logs in and acts as an abnormal user; the user's behaviour is found to be abnormal (e.g., an attacker causing the DDoS attack on the target site).

Flash Crowd Dismisser: this model is first trained on a stable, low-volume Web workload whose normality can be ensured by most existing anomaly detection systems, and is then used to monitor the following Web workload for a period of 10 min. When the period has passed, the model is updated with the newly collected Web workload, whose normality is ensured by its entropy fitting the model. The model is then used for anomaly detection in the next cycle. If abnormalities hiding in the incoming Web traffic are found, the "defense" system is invoked.



VI. ARCHITECTURE

The process is divided into three phases:

    1. Data preparation
    2. Training
    3. Monitoring

Data preparation: The main purpose of data preparation is to compute the AM from the logs of the Web server. Various user data are collected while the users access the site.

Training: The collected data are trained for abnormalities. Each user's behaviour is checked against a predefined threshold; users who exceed the threshold are labelled abnormal users (e.g., attackers). All user data are processed in this way to find the abnormality.

Monitoring: The monitoring phase checks resource availability. If a user is found to be an attacker but the resource is available, that user is still allowed to access the site (an attacker is admitted if and only if the resource is available). If the resource is not available, that user is temporarily denied access to the site.

Figure 3. Proposed architecture.

VII. APPLICATION

Application-layer DoS attacks on Web servers achieve an efficient DoS with only few resources at hand and thus pose a serious threat to organizations.

    •  High-speed Internet.
    •  Mobility tracking in wireless networks.

Figure 4. Time delay while transferring the file without attack.
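The three phases of Section VI, together with the priority queues of Section IV and the entropy-fitted model update of the flash crowd dismisser in Section V, as one added Python example. It is not the paper's implementation: the log format (constructed Common Log Format lines), the abnormality score (a client's request count relative to a mean-plus-three-sigma threshold learned in training, multiplied by how unpopular its requested documents are under the trained document-popularity model), the queue boundaries, the entropy tolerance and the per-window serving capacity are all assumptions made here. The sample workloads are constructed: a stable training window, a flash crowd from the same client population requesting the same documents, and the same flash crowd with ten bots pulling a large image and a search query, the two App-DDoS patterns the paper describes.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed log format (Common Log Format); only the client IP and requested document are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<doc>\S+) HTTP/1\.[01]" \d{3} \d+')

DOC_PATTERN = (["/index.html"] * 8 + ["/news.html"] * 5 + ["/products.html"] * 3
               + ["/about.html"] * 2 + ["/img/logo.png"] * 2)  # constructed Zipf-like popularity
BOT_DOCS = ["/img/large-banner.png", "/search?q=zzzz"]          # large image + search query


def make_window(prefixes, clients_per_prefix, reqs_pattern, docs):
    """Constructed sample log lines for one monitoring window."""
    lines, j = [], 0
    for p in prefixes:
        for h in range(1, clients_per_prefix + 1):
            for _ in range(reqs_pattern[(h - 1) % len(reqs_pattern)]):
                lines.append(f'{p}.{h} - - [10/Jun/2010:10:00:{j % 60:02d} +0000] '
                             f'"GET {docs[j % len(docs)]} HTTP/1.1" 200 1024')
                j += 1
    return lines


TRAINING_LOG = make_window(["10.0.0"], 40, [1, 2, 3, 2], DOC_PATTERN)        # stable, low volume
FLASH_CROWD_LOG = make_window([f"10.0.{c}" for c in range(1, 11)], 40, [1, 2, 3, 2], DOC_PATTERN)
DDOS_LOG = FLASH_CROWD_LOG + make_window(["192.0.2"], 10, [60], BOT_DOCS)    # attack inside the crowd


def parse_log(lines):
    """Data preparation: reduce raw log lines to (client_ip, document) pairs."""
    return [(m.group("ip"), m.group("doc")) for m in map(LOG_RE.match, lines) if m]


def entropy(counts):
    """Shannon entropy (bits) of the document-popularity distribution."""
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values()) if total else 0.0


class FlashCrowdDismisser:
    def __init__(self, entropy_tol=0.1, queue_bounds=(2.0, 8.0)):
        self.entropy_tol = entropy_tol    # assumed: relative entropy deviation accepted for an update
        self.queue_bounds = queue_bounds  # assumed: abnormality scores separating the three queues
        self.doc_counts = Counter()       # document-popularity model built from the server log
        self.rate_threshold = 0.0         # requests per window above which a client is abnormal

    def train(self, lines):
        """Training: document popularity plus a mean + 3 sigma per-client request threshold."""
        pairs = parse_log(lines)
        self.doc_counts = Counter(doc for _, doc in pairs)
        per_client = list(Counter(ip for ip, _ in pairs).values())
        mean = sum(per_client) / len(per_client)
        sigma = math.sqrt(sum((r - mean) ** 2 for r in per_client) / len(per_client))
        self.rate_threshold = mean + 3 * sigma
        return entropy(self.doc_counts)

    def surprisal(self, doc):
        """-log2 p(doc) under the model with add-one smoothing; unseen documents score highest."""
        total = sum(self.doc_counts.values()) + len(self.doc_counts)
        return -math.log2((self.doc_counts.get(doc, 0) + 1) / total)

    def score_clients(self, lines):
        """Abnormality per client: rate excess times how unpopular its requested documents are."""
        h_model = max(entropy(self.doc_counts), 1e-9)
        docs_by_client = defaultdict(list)
        for ip, doc in parse_log(lines):
            docs_by_client[ip].append(doc)
        scores = {}
        for ip, docs in docs_by_client.items():
            rate_factor = len(docs) / max(self.rate_threshold, 1e-9)
            popularity_factor = sum(self.surprisal(d) for d in docs) / len(docs) / h_model
            scores[ip] = rate_factor * popularity_factor
        return scores, docs_by_client

    def schedule(self, lines, capacity):
        """Monitoring: serve queues 0, 1, 2 in order; abnormal clients are admitted only while
        capacity remains and are temporarily denied otherwise. Returns (served per queue, denied)."""
        scores, docs_by_client = self.score_clients(lines)
        lo, hi = self.queue_bounds
        queues = {0: [], 1: [], 2: []}
        for ip, s in scores.items():
            queues[0 if s < lo else 1 if s < hi else 2].append(ip)
        served, denied, remaining = {0: 0, 1: 0, 2: 0}, [], capacity
        for q in (0, 1, 2):
            for ip in sorted(queues[q], key=scores.get):
                n = len(docs_by_client[ip])
                if n <= remaining:
                    remaining -= n
                    served[q] += n
                else:
                    denied.append(ip)
        return served, denied

    def maybe_update(self, lines):
        """After a window has passed, fold it into the model only if its entropy fits the model."""
        counts = Counter(doc for _, doc in parse_log(lines))
        h_model, h_new = entropy(self.doc_counts), entropy(counts)
        if h_model and abs(h_new - h_model) / h_model <= self.entropy_tol:
            self.doc_counts.update(counts)
            return True
        return False


if __name__ == "__main__":
    d = FlashCrowdDismisser()
    print("model entropy", round(d.train(TRAINING_LOG), 3), "threshold", round(d.rate_threshold, 2))
    print("flash crowd ", d.schedule(FLASH_CROWD_LOG, capacity=1000))
    print("flash + bots", d.schedule(DDOS_LOG, capacity=1000))
    print("update on attack window:", d.maybe_update(DDOS_LOG), "on crowd:", d.maybe_update(FLASH_CROWD_LOG))
```

With a capacity of 1000 requests per window the whole flash crowd (800 requests, all in queue 0) is served; in the attack window the crowd is still served in full, three bots are admitted from the lowest-priority queue while capacity remains and the other seven are denied, which is the paper's rule of admitting an attacker only when the resource is available. The entropy check then refuses to fold the attack window into the model (its document-popularity entropy is about 24% above the trained value) while accepting the flash crowd window, so the model is not poisoned by the traffic it just flagged.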




Figure 5. Time delay while transferring the file with attack.

Figure 6. Session closing when the attack is found.

VIII. CONCLUSION

Creating defenses against attacks requires monitoring dynamic network activities in order to obtain timely and significant information. While most current effort focuses on detecting Net-DDoS attacks against stable background traffic, the detection architecture proposed in this paper aims at monitoring Web traffic in order to reveal dynamic shifts in normal burst traffic, which might signal the onset of App-DDoS attacks during a flash crowd event. Our method reveals attacks early, depending merely on the document popularity obtained from the server log.

REFERENCES

[1]  IEEE/ACM Transactions on Networking, vol. 17, no. 1, Feb. 2009.
[2]  http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
[3]  http://en.wikipedia.org/wiki/Denial-of-service_attack
[4]  K. Poulsen, "FBI Busts Alleged DDoS Mafia," 2004. [Online]. Available: http://www.securityfocus.com/news/9411
[5]  T. Peng and K. R. M. C. Leckie, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE Int. Conf. Commun., May 2003, vol. 1, pp. 482–486.
[6]  I. Ari, B. Hong, E. L. Miller, S. A. Brandt, and D. D. E. Long, "Modeling, Analysis and Simulation of Flash Crowds on the Internet," Storage Systems Research Center, Jack Baskin School of Engineering, University of California, Santa Cruz, CA 95064, Tech. Rep. UCSC-CRL-03-15, Feb. 28, 2004. [Online]. Available: http://ssrc.cse.ucsc.edu/
[7]  J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites," in Proc. 11th Int. World Wide Web Conf., May 2002, pp. 252–262.
[8]  W. Leland, M. Taqqu, W. Willinger, and D. Wilson, "On the self-similar nature of Ethernet traffic (extended version)," IEEE/ACM Trans. Networking, vol. 2, no. 1, pp. 1–15, Feb. 1994.
[9]  J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, and R. K. Mehra, "Proactive detection of distributed denial of service attacks using MIB traffic variables: a feasibility study," in Proc. IEEE/IFIP Int. Symp. Integr. Netw. Manag., May 2001, pp. 609–622.
[10] S. Noh, C. Lee, K. Choi, and G. Jung, "Detecting Distributed Denial of Service (DDoS) attacks through inductive learning," Lecture Notes in Computer Science, vol. 2690, pp. 286–295, 2003.
[11] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, "DDoS-resilient scheduling to counter application layer attacks under imperfect detection," in Proc. IEEE INFOCOM, Apr. 2006. [Online]. Available: http://www-ece.rice.edu/networks/papers/dos-sched.pdf
[12] W. Yen and M.-F. Lee, "Defending application DDoS with constraint random request attacks," in Proc. Asia-Pacific Conf. Commun., Perth, Western Australia, Oct. 3–5, 2005, pp. 620–624.
[13] C. Roadknight, I. Marshall, and D. Vearer, "File popularity characterisation," ACM SIGMETRICS Performance Eval. Rev., vol. 23, no. 4, pp. 45–50, Mar. 2000.
[14] J. Yuan and K. Mills, "Monitoring the macroscopic effect of DDoS flooding attacks," IEEE Trans. Dependable and Secure Computing, vol. 2, no. 4, pp. 324–335, Oct.–Dec. 2005.
[15] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in Proc. Int. Conf. Network Protocols, 2002, pp. 312–321.
[16] T. Peng and K. R. M. C. Leckie, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE Int. Conf. Commun., May 2003, vol. 1, pp. 482–486.
[17] B. Xiao, W. Chen, Y. He, and E. H.-M. Sha, "An active detecting method against SYN flooding attack," in Proc. 11th Int. Conf. Parallel Distrib. Syst., Jul. 20–22, 2005, vol. 1, pp. 709–715.
[18] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, 2002, vol. 3, pp. 1530–1539.
[19] S. Noh, C. Lee, K. Choi, and G. Jung, "Detecting Distributed Denial of Service (DDoS) attacks through inductive learning," Lecture Notes in Computer Science, vol. 2690, pp. 286–295, 2003.
[20] S. Kandula, D. Katabi, M. Jacob, and A. W. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds," MIT, Tech. Rep. TR-969, 2004. [Online]. Available: http://www.usenix.org/events/nsdi05/tech/kandula/kandula.pdf
[21] J. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proc. Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI '06), 2006.
[22] Z. Li, A. Goyal, and Y. Chen, "Honeynet-based Botnet Scan Traffic Analysis," Northwestern University, Evanston, IL 60208.
[23] "Incident Note IN-2004-01 W32/Novarg.A Virus," CERT, 2004. [Online]. Available: http://www.cert.org/incident_notes/IN-2004-01.html

AUTHORS PROFILE

P. NIRANJAN REDDY received the B.E. in Computer Science from Nagpur University in 1992 and the M.Tech. (Computer Science and Engineering) from NIT, Warangal in 2001. He has worked as a Lecturer and Assistant Professor in the Department of CSE of KITS, Warangal since 1996, and has been doing part-time research at Kakatiya University, Warangal since 2007. He has authored two textbooks, Theory of Computation and Computer Graphics, and has published 3 papers in international journals and 6 papers in international conferences.

K. PRAVEEN KUMAR has been working as a Lecturer in the Dept. of CSE, KITS, Warangal, Andhra Pradesh, India for the last 2 years. He completed his B.Tech. and M.Tech. at KITS, Warangal, and has published a research paper at a national-level conference.

M. PREETHI has been working as a Lecturer in the Dept. of CSE, KITS, Warangal, Andhra Pradesh, India for the last 3 years. She took her M.Tech. degree from KITS, Warangal.



