(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 3, June 2010

Optimizing the Application-Layer DDoS Attacks for Networks

P. Niranjan Reddy, Head, Dept. of CSE, KITS, Warangal, A.P., INDIA. npolala@yahoo.co.in
K. Praveen Kumar, Lecturer, Dept. of CSE, KITS, Warangal, A.P., INDIA. praveen_kumar35@yahoo.co.in
M. Preethi, Lecturer, Dept. of CSE, KITS, Warangal, A.P., INDIA. preethi_0290@yahoo.co.in
Abstract – The main aim of the proposed framework is to implement Application-Layer DDoS attack optimizing for popular websites, where attackers employ legitimate HTTP requests to flood out victim resources, and to implement an effective method to identify whether the surge in traffic is caused by App-DDoS attackers or by normal Web surfers.

Keywords – Application-layer, distributed denial of service (DDoS), popular website.

I. INTRODUCTION

A Distributed Denial of Service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. This attack has caused severe damage to servers and will cause even greater intimidation to the development of new Internet services. Traditionally, DDoS attacks are carried out at the network layer, such as ICMP flooding, SYN flooding, and UDP flooding, which are called Net-DDoS attacks. The intent of these attacks is to consume the network bandwidth and deny service to legitimate users of the victim systems. Alongside these floodings another attack is the Botnet [21], which is a network of compromised hosts or bots under the control of a human attacker known as the botmaster. Botnets are used to perform malicious actions, such as launching DDoS attacks, sending spam or phishing emails, and so on. Thus, botnets have emerged as a threat to the internet community. Peer to Peer (P2P) is a relatively new architecture of botnets. These botnets are distributed and small, so they are difficult to locate and destroy.

Since many studies have noticed this type of attack and have proposed different schemes (e.g., network measurement or anomaly detection) to protect the network and equipment from bandwidth attacks, it is not as easy as in the past for attackers to launch DDoS attacks based on the network layer. To implement DDoS, a worm-like program is created to simulate self-propagation onto many hosts on a network.

When the simple Net-DDoS attacks fail, attackers shift their offensive strategies to application-layer attacks and establish a more sophisticated type of DDoS attack. To evade detection, the attackers attack the victim web servers by HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down [4]. Such attacks are called application-layer DDoS (App-DDoS) attacks. The MyDoom worm [23] and CyberSlam [3] are instances of this type of attack.

On the web, "flash crowd" [6], [7] refers to the situation when a very large number of users simultaneously access a popular website [13], which produces a surge in traffic [8] to the website and might cause the site to be virtually unreachable. Because burst traffic and high volume are the common characteristics of both App-DDoS attacks and flash crowds, it is not easy for current techniques to distinguish them merely by statistical characteristics of the traffic.

II. RELATED WORK

Researchers have made attempts to detect DDoS attacks from three different layers: IP layer, TCP layer, and application layer. From all of these views, researchers are looking into various approaches to differentiate normal traffic from attack traffic.

Most DDoS-related research has concentrated on the IP layer. These techniques attempt to detect attacks by analyzing specific features, e.g., arrival rate or header information. For example, Cabrera et al. [9] used management information base (MIB) data, which include parameters that indicate different packet and routing statistics from routers, to achieve early detection.

198 http://sites.google.com/site/ijcsis/
ISSN 1947-5500

Yuan et al. [14] used cross-correlation analysis to capture the traffic patterns and then to decide where and when a DDoS attack possibly arises. Mirkovic et al. [15] monitored the asymmetry of two-way packet rates to identify attacks in edge routers. Other statistical approaches for detection of DDoS attacks include IP addresses [16] and time-to-live (TTL) values [17].

One of the most important research areas for detecting DDoS attacks is the TCP layer. For example, the authors of [9] mapped ICMP, UDP, and TCP packet statistical abnormalities to specific DDoS attacks based on MIB. Wang et al. [18] used the TCP SYN/FIN packets for detecting SYN flooding attacks. In [18], DDoS attacks were discovered by examining the TCP packet header against well-defined rules and conditions and differentiating between normal and abnormal traffic. Noh et al. [19] attempted to detect attacks by computing the ratio of TCP flags (including FIN, SYN, RST, PSH, ACK, and URG) to TCP packets received at a Web server.

Ranjan et al. [11] used statistical methods to detect characteristics of HTTP sessions and employed rate-limiting as the primary defense mechanism. Yen et al. [12] defended against application DDoS attacks with constraint random request attacks by statistical methods. Other researchers combated App-DDoS attacks by "puzzle", see, e.g., [20]. Jung et al.'s work [7] used two properties to distinguish DoS from a normal flash crowd: 1) a DoS event is due to an increase in the request rates for a small group of clients, while flash crowds are due to an increase in the number of clients, and 2) DoS clients originate from new client clusters, as compared to flash crowd clients, which originate from clusters that had been seen before the flash event.

Fig 1. How the attacker can perform attacks on App-layer.

III. App-DDoS ATTACKS

In our opinion, the DDoS attack detection approaches in different scenarios can be clustered as:

• Net-DDoS attacks versus stable background traffic.
• Net-DDoS attacks versus flash crowd.
• App-DDoS attacks versus stable background traffic.
• App-DDoS attacks versus flash crowd.

The first two scenarios have been well studied and can be dealt with by most existing DDoS detection schemes, while the other two groups are quite different from the previous ones.

This is a simple comparison between the existing system and the proposed system.

Existing System                                    Proposed System
-----------------------------------------------    -----------------------------------------------
Consume the network bandwidth and deny service     Bandwidth is effectively used. Service to all
to legitimate users.                               users if and only if the resource is available.

Abnormalities are identified and denied.           Abnormalities are identified and served in
                                                   different priority queues.

Large amount of data is required to train.         Identifies abnormalities with a small amount
                                                   of training data.

Only positive data are used to train.              More accurate identification.

Identifying abnormal traffic and filtering the     Identifying the most abnormal traffic and
network.                                           filtering it when the network is heavily loaded.

IV. DETECTION PRINCIPLE

We can cluster the Web surfers and evaluate their contributions to the anomalies in the aggregate Web traffic. Here the DDoS attack is caused only by the authenticated users of the Website. Then, different priorities are given to the clusters according to their abnormalities, and they are served in different priority queues. The most abnormal traffic may be filtered when the network is heavily loaded. Here the priority level of the cluster is given based on the access time only. The
different modules in the implementation are given below in the next section.

V. MODULES

Web Server Module
• Login
• Registration
• Database Design
• Application Design

Attacker Module
• Normal User
• Abnormal User

Flash crowd dismisser
• Data preparation
• Training
• Monitoring

A. Web Server Module

Web servers are computers on the internet that host websites, serving pages to viewers upon request. This service is referred to as web hosting. Every web server has a unique address so that other computers connected to the internet know where to find it on the vast network. When your request reaches its destination, the web server that hosts the website sends the page in HTML code to your IP address [5]. This return communiqué travels back through the network. Your computer receives the code, and your browser interprets the HTML code and then displays the page for you in graphic form.

B. Login

The login module is common to all kinds of Web applications, to authenticate and authorize the user's access to the site. It ensures that only valid users can access the site, preventing unauthorized access.

C. Registration

This module is also common to all web applications. It makes the users access the site based upon registration, which may be free or paid. In order to authenticate and authorize a user, registration is a must.

D. Application Design

An application which suits our project is designed using HTML code and the relevant technologies.

E. Database Design

Once the application has been designed, the database has to be designed. Here the tables related to our project are created. The number of tables needed for the application has to be decided, and the tables are created accordingly.

F. Attacker Module

This module consists of a webpage through which attackers attack the victim Web servers by HTTP GET requests (e.g., HTTP flooding), pulling large image files from the victim server in overwhelming numbers. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the server down. A very large number of attackers simultaneously access a popular Website, which produces a surge in traffic to the website and might cause the site to be virtually unreachable.

Fig 2. Simple network attack path

Normal User: The user logs in and acts as a normal user; there is no abnormality in his behavior.

Abnormal User: The user logs in and acts as an abnormal user; the behavior of the user is found to be abnormal (e.g., an attacker who is causing the DDoS attack over the target site).

Flash crowd dismisser: This model is first trained by the stable and low-volume web workload whose normality can be ensured by most existing anomaly detection systems, and then it is used to monitor the following web workload for a period of 10 min. When the period is past, the model will be updated by the newly collected web workload whose normality is ensured by its entropy fitting to the model. Then, the model is used in anomaly detection for the next cycle. If some abnormalities hiding in the incoming web traffic are found, the "defense" system will be implemented.
VI. ARCHITECTURE

The process is divided into three phases:

1. Data preparation.
2. Training.
3. Monitoring.

Data preparation: The main purpose of data preparation is to compute the AM from the logs of the web server. Various user data are collected while users access the sites.

Training: The collected data are trained for abnormalities. The user behaviour is checked against the predefined threshold. Users who exceed the threshold are named abnormal users (e.g., attackers). Likewise, all the user data are trained and the abnormality is found out.

Monitoring: In the Monitoring phase, the system checks for resource availability. If a user is found to be an attacker and the resource is available, that user is still allowed to access the site (simply allow the attacker as well, if and only if the resource is available). If the resource is not available, that user is temporarily denied access to the site.

Figure 3. Proposed Architecture

VII. APPLICATION

Application-layer DoS attacks on web servers allow for efficient DoS with only little resources at hand, and thus pose a serious threat to organizations.

• High speed internet.
• Mobility tracking in wireless networks.

Figure 4. Time delay while transferring the file without attack.
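As an added example (not code from the paper), the following Python sketch runs the three phases of Section VI over constructed access-log lines: data preparation parses per-client and per-document counts, training derives an abnormality threshold and a document-popularity entropy from a stable window, and monitoring queues clients by abnormality and admits them only while capacity remains, as the detection principle of Section IV describes. The function names, the mean-plus-k-stddev threshold, request counts as the abnormality measure and the capacity model are assumptions made here; the paper's AM and its access-time priority are not reproduced.

```python
"""Three-phase App-DDoS triage over web-server access logs (added example)."""
import math
import re
from collections import Counter

# Common Log Format: client identd user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+)')

def _log(ip, path, n):
    """n constructed CLF lines for one client (sample data, not real traffic)."""
    return [f'{ip} - - [01/Jun/2010:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'
            for _ in range(n)]

# Constructed windows: a stable baseline, and one where 192.0.2.9 hammers a single file.
BASELINE = (_log("10.0.0.1", "/index.html", 2) + _log("10.0.0.2", "/news.html", 3)
            + _log("10.0.0.3", "/index.html", 2) + _log("10.0.0.4", "/about.html", 3)
            + _log("10.0.0.5", "/news.html", 2))
ATTACK_WINDOW = (_log("10.0.0.1", "/index.html", 2) + _log("10.0.0.2", "/news.html", 3)
                 + _log("192.0.2.9", "/big-image.jpg", 20))

def prepare(log_lines):
    """Data preparation: requests per client and per document; malformed lines skipped."""
    per_client, per_doc = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            client, path, _status, _size = m.groups()
            per_client[client] += 1
            per_doc[path] += 1
    return per_client, per_doc

def popularity_entropy(per_doc):
    """Shannon entropy (bits) of the document-popularity distribution in a window."""
    total = sum(per_doc.values())
    return -sum(c / total * math.log2(c / total) for c in per_doc.values()) if total else 0.0

def train(baseline_lines, k=3.0):
    """Training: threshold = mean + k*stddev of per-client counts in a known-normal window."""
    per_client, per_doc = prepare(baseline_lines)
    counts = list(per_client.values())
    mean = sum(counts) / len(counts)
    std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
    return {"threshold": mean + k * std, "entropy": popularity_entropy(per_doc)}

def monitor(model, window_lines, capacity):
    """Monitoring: serve least abnormal clients first; admit the rest only while capacity remains."""
    per_client, per_doc = prepare(window_lines)
    admitted, deferred, used = [], [], 0
    for client, n in sorted(per_client.items(), key=lambda kv: kv[1]):
        queue = "abnormal" if n > model["threshold"] else "normal"
        if used + n <= capacity:
            admitted.append((client, queue))
            used += n
        else:
            deferred.append((client, queue))
    # Entropy falling against the trained model means a few documents are being hammered,
    # the popularity pattern the paper uses to separate App-DDoS from flash crowds.
    return {"admitted": admitted, "deferred": deferred,
            "entropy_shift": popularity_entropy(per_doc) - model["entropy"]}
```

With spare capacity the flagged client is still admitted, matching the paper's "serve the attacker if and only if the resource is available"; once capacity is exhausted it is the first one deferred.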
VIII. CONCLUSION

Creating defenses for attacks requires monitoring dynamic network activities in order to obtain timely and significant information. While most current effort focuses on detecting Net-DDoS attacks with stable background traffic, we proposed a detection architecture in this paper aiming at monitoring web traffic in order to reveal dynamic shifts in normal burst traffic, which might signal the onset of App-DDoS attacks during a flash crowd event. Our method reveals early attacks merely depending on the document popularity obtained from the server log.

Figure 5. Time delay while transferring the file with attack.

Figure 6. Session closing when the attacking is found.

REFERENCES

[1] IEEE/ACM Transactions on Networking, vol. 17, no. 1, Feb. 2009.
[2] http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
[3] http://en.wikipedia.org/wiki/Denial-of-service_attack
[4] K. Poulsen, "FBI Busts Alleged DDoS Mafia," 2004. [Online]. Available: http://www.securityfocus.com/news/9411
[5] T. Peng and K. R. M. C. Leckie, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE Int. Conf. Commun., May 2003, vol. 1, pp. 482–486.
[6] I. Ari, B. Hong, E. L. Miller, S. A. Brandt, and D. D. E. Long, "Modeling, Analysis and Simulation of Flash Crowds on the Internet," Storage Systems Research Center, Jack Baskin School of Engineering, University of California, Santa Cruz, CA 95064, Tech. Rep. UCSC-CRL-03-15, Feb. 28, 2004. [Online]. Available: http://ssrc.cse.ucsc.edu/
[7] J. Jung, B. Krishnamurthy, and M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites," in Proc. 11th IEEE Int. World Wide Web Conf., May 2002, pp. 252–262.
[8] W. Leland, M. Taqqu, W. Willinger, and D. Wilson, "On the self-similar nature of ethernet traffic (extended version)," IEEE/ACM Trans. Networking, vol. 2, no. 1, pp. 1–15, Feb. 1994.
[9] J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, and R. K. Mehra, "Proactive detection of distributed denial of service attacks using MIB traffic variables: a feasibility
study," in Proc. IEEE/IFIP Int. Symp. Integr. Netw. Manag., May 2001, pp. 609–622.
[10] S. Noh, C. Lee, K. Choi, and G. Jung, "Detecting Distributed Denial of Service (DDoS) attacks through inductive learning," Lecture Notes in Computer Science, vol. 2690, pp. 286–295, 2003.
[11] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, "DDoS-resilient scheduling to counter application layer attacks under imperfect detection," in Proc. IEEE INFOCOM, Apr. 2006. [Online]. Available: http://www-ece.rice.edu/networks/papers/dos-sched.pdf
[12] W. Yen and M.-F. Lee, "Defending application DDoS with constraint random request attacks," in Proc. Asia-Pacific Conf. Commun., Perth, Western Australia, Oct. 3–5, 2005, pp. 620–624.
[13] C. Roadknight, I. Marshall, and D. Vearer, "File popularity characterisation," ACM SIGMETRICS Performance Eval. Rev., vol. 23, no. 4, pp. 45–50, Mar. 2000.
[14] J. Yuan and K. Mills, "Monitoring the macroscopic effect of DDoS flooding attacks," IEEE Trans. Dependable and Secure Computing, vol. 2, no. 4, pp. 324–335, Oct.–Dec. 2005.
[15] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in Proc. Int. Conf. Network Protocols, 2002, pp. 312–321.
[16] T. Peng and K. R. M. C. Leckie, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE Int. Conf. Commun., May 2003, vol. 1, pp. 482–486.
[17] B. Xiao, W. Chen, Y. He, and E. H.-M. Sha, "An active detecting method against SYN flooding attack," in Proc. 11th Int. Conf. Parallel Distrib. Syst., Jul. 20–22, 2005, vol. 1, pp. 709–715.
[18] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, 2002, vol. 3, pp. 1530–1539.
[19] S. Noh, C. Lee, K. Choi, and G. Jung, "Detecting Distributed Denial of Service (DDoS) attacks through inductive learning," Lecture Notes in Computer Science, vol. 2690, pp. 286–295, 2003.
[20] S. Kandula, D. Katabi, M. Jacob, and A. W. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks that Mimic Flash Crowds," MIT, Tech. Rep. TR-969, 2004. [Online]. Available: http://www.usenix.org/events/nsdi05/tech/kandula/kandula.pdf
[21] J. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proc. Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI '06), 2006.
[22] Z. Li, A. Goyal, and Y. Chen, "Honeynet-based Botnet Scan Traffic Analysis," Northwestern University, Evanston, IL 60208, {lizc,ago210,ychen}@cs.northwestern.edu.
[23] "Incident Note IN-2004-01 W32/Novarg.A Virus," CERT, 2004. [Online]. Available: http://www.cert.org/incident_notes/IN-2004-01.html

AUTHORS PROFILE

P. NIRANJAN REDDY received the B.E. in Computer Science from Nagpur University in 1992 and M.Tech (Computer Science and Engineering) from NIT, Warangal in the year 2001. He worked as a Lecturer and Assistant Professor in the department of CSE of KITS, Warangal, since 1996. He is doing part-time research in Kakatiya University, Warangal since 2007. He authored two text books, Theory of Computation and Computer Graphics, in the field of Computer Science. He published 3 papers in International Journals and 6 papers in International Conferences.

K. PRAVEEN KUMAR has been working as a lecturer in Dept. of CSE, KITS, Warangal in Andhra Pradesh, INDIA for the last 2 years. He has completed his B.Tech and M.Tech from KITS, Warangal. He has published a research paper at a National level Conference.

M. PREETHI has been working as a lecturer in Dept. of CSE in KITS, Warangal in Andhra Pradesh, INDIA for the last 3 years. She took her M.Tech degree from KITS, Warangal.