QoS Adoption And Protect It Against DoS Attack



Published by: ijcsis on Oct 10, 2012
Copyright:Attribution Non-commercial


(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 9, September 2012

DR. MANAR Y. KASHMOLA
Computer Sciences Department, Computer Sciences and Mathematics College, Mosul University, Mosul, Iraq
manar_kashmola@yahoo.com

RASHA SAADALLAH GARGEES
Software Engineering Department, Computer Sciences and Mathematics College, Mosul University, Mosul, Iraq
rasha_sg@yahoo.com

Abstract— The enormous growth of the Internet and the variation in the needs of its applications have led to great interest in Quality of Service (QoS) in recent years. Since QoS must be met under all circumstances, another challenge has emerged that hinders achieving it: the emergence of some types of DoS attack that aim at exhausting the bandwidth and eventually violating the QoS agreements. In this research a system was constructed to achieve QoS based on DiffServ technology: bandwidth is distributed among the various applications according to the specifications and requirements of each application, giving priority to certain applications as well as protecting them from DoS attacks. The Anomaly Detection model was adopted to detect the attack, and the detected attack is then blocked by dropping the attack flow. The system proved efficient in improving QoS for applications with critical requirements, as shown by measuring a set of factors that affect QoS, and in halting DoS attacks, as shown by the available bandwidth, thereby preserving the bandwidth during such attacks.

Keywords: QoS, DoS, Bandwidth, DiffServ, attack.

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

I. INTRODUCTION

The Internet was initially designed to provide best-effort delivery of application data, since average performance guarantees were sufficient for the initial types of applications [1]. But the widespread growth of the Internet, the development of streaming applications, and advances in multimedia compression technology have led the Internet community to focus on the design and development of architectures and protocols that guarantee a level of Quality of Service. QoS is defined as the collective effect of service performance that determines the degree of satisfaction of a user of the service, or as a measure of how good a service is as presented to the user; it manifests itself in a number of parameters, all of which have either subjective or objective values [2][3]. It can also be defined as a set of techniques for managing network resources in a manner that enables the network to differentiate and handle traffic based on policy. This means providing consistent, predictable data delivery to users or applications that are supported within the network [4]. Quality of service will be of central importance in modern domestic infrastructures, crossed by multiple digital streams for many kinds of user services [5].

Guaranteeing QoS means providing the requested QoS under all circumstances, including the most difficult ones. Among the most difficult circumstances are denial of service (DoS) attacks. Because of this, protection against DoS is a defining characteristic of guaranteed QoS mechanisms [6]. Denial of service (DoS) attacks pose many threats to the networking infrastructure. They consume network resources such as network bandwidth and router CPU cycles with the malicious objective of preventing or severely degrading service to legitimate users [7]. A Denial-of-Service (DoS) attack is an attempt by the attacker to prevent legitimate users from accessing system resources. The DoS attack has been one of the most serious and successful methods of attacking computer networks [8].

Our aim is to develop a system, implemented on the Linux platform, that achieves QoS by distinguishing between different types of network services and giving high priority and bandwidth to certain services depending on their requirements, at the expense of other, less important services. Bandwidth management is to be invisible to the user and does not require increasing the overall bandwidth of the network. We also protect QoS from DoS attacks that drain bandwidth: traffic is classified as normal or abnormal by an intrusion detection and prevention system that is lightweight, detects and prevents DoS attacks quickly and in real time, and does not need to access or analyze the contents of packets.

This paper is organized as follows: Section 2 covers related work; Section 3 describes the major QoS frameworks, functions and parameters. The effect of DoS attacks on QoS, attack scenarios, intrusion detection systems and intrusion prevention systems are described in Section 4, and our system model is presented in Section 5. Section 6 evaluates the performance of our system. Section 7 gives the conclusion and future work.

II. RELATED WORK

In [9], Myung-Sup Kim et al. presented a flow-based abnormal network traffic detection method and its system prototype. This method is efficient, since it reduces system overhead in the processing of packet data by aggregating packets into flows. In [10], Wen-Shyang Hwang and Pei-Chen Tseng proposed a QoS-aware Residential Gateway (QRG) with real-time traffic monitoring and a QoS mechanism that initiates DiffServ QoS bandwidth management during network congestion. The authors of [11] proposed a secure and adaptive multimedia transmission framework to maintain the quality of service (QoS) of multimedia streams during Denial-of-Service (DoS) attacks. The proposed framework consists of two components: intrusion detection and adaptive transmission management. The results of preliminary simulations in NS2 show that the quality of the multimedia stream can still be maintained during an attack.

The authors of [5] investigated QoS issues in such a scenario, considering the delivery of a digital terrestrial television transport stream for home entertainment in the presence of video surveillance, automation data and Internet data streams. They verified that introducing a quality of service router makes it possible to effectively regulate the priority and bandwidth assigned to each service, through the definition of proper QoS rules. The authors of [3] presented an Optimal Smooth Quality Adaptation (OSQA) strategy, which gracefully adapts to network bandwidth fluctuations to protect the service quality with relatively consistent QoS. They set up a mathematical model and derived the optimal conditions to maximize the overall resource utilization of the system and minimize the average QoS variance of the requests from their ideal QoS requirements under the resource constraints. Results show that their OSQA is effective in providing QoS spacing for different quality classes and in adapting the QoS smoothly to ensure less perceived QoS jitter.

The authors of [12] propose a system for lightweight detection of DoS attacks, called LD2. The system detects attack activities by observing flow behaviors and matching them with graphlets for each attack type, and it defines appropriate threshold levels for each DoS attack. The proposed system is lightweight because it analyzes neither packet content nor packet statistics. The system is implemented based on the concept of BLINC. The authors of [8] propose a new mechanism to guarantee QoS during DoS attacks for IPTV networks. They introduce the concept of "video stream handoff", analogous to the "soft handoff" done in cellular networks: the idea is to initiate a selective video handoff procedure, either from the server side when the DoS attack is detected, or from the user side when QoS degradation occurs. All of that should happen without interrupting the user (i.e. while the video is playing). They make use of the SIP protocol stack for signaling, QoS negotiation, and session management. The authors of [13] present a virtual inline technique based on the Man in the Middle (MITM) attack technique; it combines NIDS and NIPS to provide all-round protection to networks. This technique integrates the advantages of both IDSs and IPSs and avoids their shortcomings; it also avoids the problems that have baffled researchers in this field.

III. QUALITY OF SERVICE

A. Major QoS Framework

The IP QoS architecture development began with the IntServ concept, and the scalability problem led to the design and introduction of the DiffServ architecture [14].

• Integrated Services

Integrated Services (IntServ) works at the granularity of the individual application or flow. It involves path setup and resource reservation (RSVP) when the application starts. This preliminary dialogue between the sender and receiver nodes ensures trouble-free communication for the session [15]. Typically, applications (such as a VoIP gateway, for example) originate RSVP messages; intermediate routers process the messages and reserve resources, and accept or reject the flow [16]. While this is an ideal solution, capable of providing rigorous QoS guarantees, it is very complex and places a substantial processing burden on intermediate routers. Scalability becomes a problem with an increasing number of flows. Also, incremental deployment is virtually impossible. Work is in progress to extend RSVP to allow flow aggregation, explicit route setup and QoS negotiation [15]. RSVP messages take the same path that IP packets take, which is determined by the routing tables in the IP routers. RSVP provides several reservation styles [17].

• Differentiated Services

Enabling thousands of reservations via multi-field classification means that a table of active end-to-end flows, with several table entries per flow, must be kept. Memory is limited, and so is the number of flows that can be supported in such a way. In addition, maintaining the state in this table is another major difficulty. The only way out of this dilemma appeared to be aggregation of the state: the Differentiated Services (DiffServ) architecture [16].


Unlike IntServ, where RSVP signaling is used to reserve bandwidth along the path, QoS in DiffServ is provided by provisioning rather than reservation [18]. The primary goal of the Differentiated Services (DS) architecture is to provide a simple, efficient, and thus scalable mechanism that allows for better-than-best-effort services in the Internet [19]. It involves a more coarse-grained approach, grouping IP packets into a relatively small number of classes. This option has always been available (though seldom used) in the ToS field of the IPv4 header. The DiffServ approach formalises this by defining a set of packet forwarding criteria (Per Hop Behaviours, PHB) based on the DSCP (Differentiated Services Code Point). Thus a variety of classes can be defined, providing a priority scheme, but not at the level of individual applications [15]. DiffServ pushes flow-based traffic classification and conditioning to the edge router of a network domain. The core of that domain is only responsible for forwarding the packets according to the PHB associated with each traffic class [14].

B. Network QoS Functions

To provide QoS over the IP network, the network must perform the following two basic tasks [18]:

Figure 1: IP QoS generic functional requirements

C. Network QoS Parameters

The most important metrics that characterise the performance of an IP network, and that are the most significant factors influencing the end-to-end quality of an application, are [20][21]:

1) Delay
Network delay corresponds to the time it takes for application data units to be carried by the network to the destination. Network delay is caused by the combination of network propagation delay, processing delays and variable queuing delays at the intermediate routers on the path to the destination host.

2) Delay variation (jitter)
Delay variation is usually caused by the buffers built up on routers during periods of increased traffic, and less often by changes of routing due to failures or routing table updates.

3) Packet loss
Packet loss is typically the result of excessive congestion in the network. Packet loss is defined as the fraction (or percentage) of IP data packets, out of the total number of transmitted packets, that are lost.

4) Bandwidth
This signifies the portion of the available capacity of an end-to-end network path that is accessible to the application or data flow. Consequently, the number of bits that are injected into the network by the various flows of an application has to be adjusted accordingly.

IV. DENIAL OF SERVICE

A. Effect of DoS Attack on QoS

while the adaptive transmission management component is designed to improve QoS of the video via the efficient utilization of the network resources. With the detection of the DoS attacks, the bandwidth occupied by the attacks can be reduced and protected for video transmission [11]. The most common DoS attacks target the computer network's bandwidth or connectivity [22]. Since DoS will inject a large amount of traffic into the network and occupy the bandwidth resources, another issue is how to maintain the quality of service (QoS) of the servers during the DoS attack [11]. Denial of Service (DoS) attacks are therefore more efficient in a guaranteed multi-service network than in the "old" best-effort Internet. Indeed, with best-effort services, a DoS attack has to prevent the target of the attack from communicating. With a multi-service network, it is sufficient to make the network fail to respect the SLA (Service Level Agreement) committed to with clients, which is easier and can be done using simple flooding attacks [23].

B. Attack Scenarios

The first attack scenario targets storage and processing resources. This is an attack that mainly targets the memory, storage space, or CPU of the service provider [24]. The second attack scenario targets bandwidth: it is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the primary victim [25]. Consider the case where an attacker located between multiple communicating nodes wants to waste the network bandwidth and disrupt connectivity. The malicious node can continuously send packets with bogus source IP addresses of other nodes, thereby overloading the network. This consumes the resources of all neighbours that communicate, overloads the network, and results in performance degradation [24]. Bandwidth attacks may be caused by traffic that looks entirely normal except for its high volume [26].

C. Intrusion Detection System

An Intrusion Detection System (IDS) is an entity devoted to the detection of both non-authorized uses and misuses of a system. Usually, it does not attempt to stop an intrusion upon its detection, but rather alerts some other system component [27]. Depending on their source of input, IDSs can be classified into Host-based Intrusion Detection Systems (HIDS), Network-based Intrusion Detection Systems (NIDS) and Hybrid Intrusion Detection Systems [28].

IDS analysis: according to the detection model, IDS techniques can be classified into:

• Signature-based detection

The signature approach to intrusion detection, which traces back to the early 1990s [29] and is also called misuse-based or pattern detection, stores the signatures of known attacks in a database. The current traffic is then compared with the database to find matching patterns. The obvious drawback of misuse detection approaches is that they can only detect known attack patterns and cannot detect new attacks that do not match the stored patterns [30]. Signatures are almost useless in network-based IDSs when network traffic is encrypted. In addition, some attacks do not have a single distinguishing signature, but rather a wide range of possible variations. Each variation could conceivably be incorporated into a signature set, but doing so inflates the number of signatures, potentially hurting IDS performance [29].

• Anomaly-based detection

Anomaly detection approaches build models from normal data, and any deviation from the normal model in new data is detected as an anomaly. Anomaly detection has the advantage of detecting new types of attacks, while suffering from a high false alarm rate [31]. Anomaly detectors construct profiles representing the normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation [32].

D. Intrusion Prevention System

The majority of current IDSs stop at flagging alarms and rely on manual response by the security administrator or system administrator. This results in delays between the detection of the intrusion and the response, which may range from minutes to months. Intrusion Prevention Systems (IPSs) try to solve this problem. IPS solutions are designed to examine all traffic that passes through them in order to detect and stop undesired access, malicious content and inappropriate transaction rates from penetrating or adversely affecting the availability of critical IT resources [13]. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents [33]. IPSs work inline; Network-based IPSs (NIPS) are typically deployed at the border of the intranet, and Host-based IPSs (HIPS) are typically installed on endpoints [13].

V. PROPOSED SYSTEM

A. General structure of the quality of service system

The system was implemented on the Linux platform to achieve quality of service based on the DiffServ concept, and it passes through the following stages. First, the packets arriving at the Network Interface Card (NIC) are read and their headers are analyzed. The packets are then classified by the type of application they belong to, based on the protocol type and port number, and each application is given its particular priority by changing the ToS field in the packet's Internet Protocol header, according to the definition of the ToS field. Finally, the data is distributed into queues and each queue is given a certain percentage of the bandwidth according to the CBQ algorithm. Figure 2 shows the overall structure of the system.

Figure 2: General structure of the quality of service system (stages: read packets, analyze packets, classify packets, mark packets, schedule packets)

Packets are given precedence by marking them, that is, by encoding a value in the ToS field of the Internet Protocol version 4 header. Table 1 shows the encoding used for each application, with its protocol type and port number. Figure 3 shows the steps of the proposed QoS algorithm.

Table 1: ToS field values and port numbers

Application Type   Protocol   Port   Coded type
Audio              UDP        1071   EF
Video              UDP        2979   AF31
Telnet             TCP        23     CS4
HTTPS              TCP        443    AF21
HTTP               TCP        80     AF22
FTP                TCP        21     AF12
FTP                TCP        20     AF13
Ping               ICMP       -      CS6
Other              -          -      BE
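The marking stage and the IP header checksum step of the proposed algorithm, as an added Python example (not the authors' code): it maps the protocol/port pairs of Table 1 to the standard DSCP codepoints, rewrites the ToS byte and recomputes the IPv4 header checksum. Matching the service port in either direction, treating "Ping" as ICMP echo request/reply, and preserving the two ECN bits are assumptions; the sample packets are constructed.

```python
import struct

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers

# Standard DSCP codepoints for the classes named in Table 1.
DSCP = {"EF": 46, "AF31": 26, "CS4": 32, "AF21": 18, "AF22": 20,
        "AF12": 12, "AF13": 14, "CS6": 48, "BE": 0}

# (protocol, port) -> class, transcribed from Table 1.
RULES = {(UDP, 1071): "EF", (UDP, 2979): "AF31", (TCP, 23): "CS4",
         (TCP, 443): "AF21", (TCP, 80): "AF22",
         (TCP, 21): "AF12", (TCP, 20): "AF13"}


def ipv4_checksum(header: bytes) -> int:
    """One's complement of the one's-complement sum of the 16-bit header words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_len(packet: bytes) -> int:
    """Validate the fixed part of the IPv4 header and return its length."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    return ihl


def classify(packet: bytes) -> str:
    """Return the Table 1 class for a packet, 'BE' when no rule matches."""
    ihl = header_len(packet)
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset:                      # later fragments carry no L4 header
        return "BE"
    if proto == ICMP and len(packet) > ihl:
        # Assumption: "Ping" means echo request (type 8) and echo reply (type 0).
        return "CS6" if packet[ihl] in (0, 8) else "BE"
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        # Assumption: a rule matches the service port in either direction.
        for port in (dport, sport):
            if (proto, port) in RULES:
                return RULES[(proto, port)]
    return "BE"


def mark(packet: bytes) -> bytes:
    """Return a copy with the DSCP bits set and the header checksum recomputed."""
    ihl = header_len(packet)
    out = bytearray(packet)
    # Assumption: the two low (ECN) bits of the ToS byte are left untouched.
    out[1] = (DSCP[classify(packet)] << 2) | (packet[1] & 0x03)
    out[10:12] = b"\x00\x00"             # checksum field is zero while summing
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:ihl])))
    return bytes(out)


def header_valid(packet: bytes) -> bool:
    """A correct header sums to zero when its checksum field is included."""
    return ipv4_checksum(packet[:header_len(packet)]) == 0


def build_sample(proto: int, l4: bytes, tos: int = 0, frag: int = 0) -> bytes:
    """Constructed test packet, 192.0.2.1 -> 192.0.2.2 (documentation range)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 1, frag, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + l4


if __name__ == "__main__":
    audio = build_sample(UDP, struct.pack("!HHHH", 40000, 1071, 8, 0))
    marked = mark(audio)
    print(hex(marked[1]), header_valid(marked))
```

A marker that changes the ToS byte without recomputing the checksum produces packets that the next hop discards, which is why the checksum step appears in the algorithm.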

Figure 3: Proposed QoS algorithm. Flowchart steps: begin; read packets; analyze the packets and determine the protocol type (TCP, UDP or ICMP); check whether the packet belongs to one of the designated ports of that protocol; code the ToS field depending on the protocol and port number; compute the checksum of the IP header; distribute the data into the queues according to the value of the ToS field; pass the data from each queue according to a certain percentage; end.

B. DoS Prevention System

1. DoS Attack

Denial of service attacks on bandwidth affect the quality of the services that can be provided to users, so the system was designed to protect the quality of service from such attacks. Much research effort has gone into finding new and effective techniques to detect and prevent such attacks. However, most studies, such as [34] [26] [22] [31], used offline data, either a database of readily available data or simulation. Only a few of the studies examined address the survivability of the server when it is exposed to DoS attacks, or test in a real setting how effectively such malicious traffic is filtered, and capturing and analyzing a real attack as it occurs (on the fly) is a difficult task. This research focuses on the types of DoS attack that consume bandwidth, since they affect the quality of service. The system works online, and care has been taken to make it fast and light so that it does not constitute a burden on the network, capturing packets on the fly. The following types of attack are addressed in this research:

• UDP Flood Attack
• ICMP Flood Attack
• SYN Flood Attack

2. DoS Attack Detection and Prevention System Architecture

We designed a DoS attack detection system on the Linux platform based on the Anomaly Detection model; a detected attack is prevented by dropping the attack flow. The system consists of six units: the Packet Sniffer Unit, Packet Analysis Unit, Training Unit, Intrusion Detection Unit, Intrusion Prevention Unit, and Reports Generator Unit. The Packet Sniffer Unit reads network packets in real time and sends them to the Packet Analysis Unit, which analyzes the packet headers and extracts information from them. Packets are then grouped into flows based on five fields (source address, destination address, protocol type, source port, destination port), and each flow is identified by these five fields. The Training Unit finds the appropriate threshold values for each of the three protocols and stores them in a text file. The Intrusion Detection Unit detects a DoS attack based on the threshold values obtained from the Training Unit; when a DoS attack is detected, the Intrusion Prevention Unit prevents it by dropping all the flows of the attack and then reports that the attack has been prevented. The Reports Generator Unit issues a report on the attacks that have occurred with some details of them, as described later. All of this is light and fast, so that it causes no delay or burden on the network.

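Figure 4: DoS system. Block diagram: in the training path, the Packet Sniffer feeds the Packet Analysis Unit and the Training Unit, which produces the threshold values; in the detection path, the Packet Sniffer feeds the Packet Analysis Unit and the Attack Detection Unit, normal flows are forwarded, and attack flows go to the Attack Prevention Unit (drop) and the Report Generator Unit (attack report).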

Figure 5: DoS Attack Detection and Prevention Algorithm. Flowchart steps: begin; read the threshold values from the threshold file and save them in parameters; read incoming packets; if the incoming packet belongs to an attack flow, drop the packets of the attack flow and report that the attack is stopped; otherwise, if the packet belongs to an existing flow, increment the counter of that flow, else start a new counter for the new flow; count the number of packets per flow; forward the packet; when Time > Period, count the flows larger than the threshold, add these flows to the attack flows, save them in the attack file and reset the parameters; end.

We propose a training algorithm to obtain the threshold values appropriate to each of the three protocols UDP, SYN and ICMP, as these values vary depending on the network size and the type of data passing through it. Figure 6 shows the steps of the proposed training algorithm.

Figure 6: Training Algorithm. Flowchart steps: begin; Count = 0; read packets; if the packet belongs to an existing flow, increment the count of that flow, else start a new count for the new flow; when Time > Period, compute the maximum value for UDP, ICMP and TCP and save the values in a text file (the threshold file); stop.

The Report Generator Unit generates a report to the administrator describing the attacks that took place, based on information obtained from the detection unit. Figure 7 shows a sample attack report; the report includes the IP address used by the attacker, the IP address of the victim, the source port, the destination port, the protocol type, and the date and time of the attack. The report is sorted automatically by the date and time of the attack.

Figure 7: Model of the attack report
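The training algorithm and the detection and prevention algorithm described above, as one added Python example (not the authors' implementation): per-flow packet counts are kept per time window, training records the largest count seen per protocol, and detection drops every flow that exceeded its protocol's threshold in a completed window. The one-second period, counting only bare SYNs for TCP, keeping thresholds in memory instead of a text file, and the traffic itself are assumptions made for the example.

```python
from collections import Counter

PERIOD = 1.0  # counting window in seconds (assumed; the paper gives no value)


def flow_key(pkt):
    """The five fields that identify a flow in the paper."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def counted(pkt):
    """Assumption: for TCP only bare SYNs count, matching the 'SYN' threshold."""
    return pkt["proto"] != "TCP" or pkt.get("flags") == "S"


def train(packets, period=PERIOD):
    """Training unit: largest per-flow count seen in any window, per protocol."""
    thresholds, counts, start = {}, Counter(), None

    def flush():
        for key, n in counts.items():
            thresholds[key[2]] = max(thresholds.get(key[2], 0), n)
        counts.clear()

    for pkt in packets:
        if start is None:
            start = pkt["ts"]
        if pkt["ts"] - start >= period:
            flush()
            start = pkt["ts"]
        if counted(pkt):
            counts[flow_key(pkt)] += 1
    flush()
    return thresholds


class Detector:
    """Detection and prevention units, following the steps of Figure 5."""

    def __init__(self, thresholds, period=PERIOD):
        self.thresholds, self.period = thresholds, period
        self.attack_flows, self.counts = set(), Counter()
        self.start, self.report = None, []

    def handle(self, pkt):
        """Return 'drop' or 'forward' for one packet."""
        if self.start is None:
            self.start = pkt["ts"]
        if pkt["ts"] - self.start >= self.period:
            self._close_window(pkt["ts"])
        key = flow_key(pkt)
        if key in self.attack_flows:
            return "drop"
        if counted(pkt):
            self.counts[key] += 1
        return "forward"

    def _close_window(self, now):
        for key, n in self.counts.items():
            # A protocol with no trained threshold is never flagged.
            if n > self.thresholds.get(key[2], float("inf")):
                self.attack_flows.add(key)
                src, dst, proto, sport, dport = key
                self.report.append(dict(src=src, dst=dst, proto=proto, sport=sport,
                                        dport=dport, detected_at=now, packets=n))
        self.counts.clear()
        self.start = now


def stream(src, dst, proto, sport, dport, rate, start, seconds, flags=None):
    """Constructed traffic: `rate` evenly spaced packets per second."""
    return [dict(ts=start + i / rate, src=src, dst=dst, proto=proto,
                 sport=sport, dport=dport, flags=flags)
            for i in range(int(rate * seconds))]


def run_demo():
    """Train on constructed normal traffic, then replay video plus a UDP flood."""
    by_time = lambda p: p["ts"]
    normal = sorted(
        stream("192.0.2.10", "192.0.2.1", "UDP", 5000, 2979, 30, 0, 3)
        + stream("192.0.2.11", "192.0.2.1", "ICMP", 0, 0, 1, 0, 3)
        + stream("192.0.2.11", "192.0.2.1", "TCP", 40000, 80, 2, 0, 1, "S"),
        key=by_time)
    thresholds = train(normal)
    live = sorted(
        stream("192.0.2.10", "192.0.2.1", "UDP", 5000, 2979, 30, 0, 4)
        + stream("198.51.100.9", "192.0.2.1", "UDP", 4444, 2979, 500, 1, 3),
        key=by_time)
    detector = Detector(thresholds)
    verdicts = Counter((p["src"], detector.handle(p)) for p in live)
    return thresholds, verdicts, detector.report


if __name__ == "__main__":
    thresholds, verdicts, report = run_demo()
    print(thresholds, dict(verdicts), report)
```

Because a flow is only judged when its window closes, the first window of a flood is forwarded before the drop rule takes effect. The counters here are per 5-tuple, as in the paper; a deployment would typically also keep per-destination counters, since the attack scenario section describes floods sent with varying source addresses.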

VI. RESULTS AND DISCUSSION

A. Test 1

In this test, a video in AVI format was sent for 5 minutes, together with an HTTP flow, from the server to an ordinary computer, with the following video specifications:

Frame rate = 24 frames/second
Frame width = 240 pixels
Frame height = 136 pixels

The test was repeated twice, with and without QoS, and the outcomes were compared as follows:


The average delay decreased: without QoS it was 11.0 ms, while with QoS it became 10.3 ms. Figures 8a and 8b show the delay of the video packets with and without QoS.

Figure 8: Delay in the video packets (a) without QoS (b) with QoS

The percentage of data loss without QoS was 6.33%, and after applying QoS it became 0.41%, which gives the recipient a clearer view of the video. Figures 9a and 9b show snapshots of the video taken with and without the quality of service system.

Figure 9: Snapshot of the video (a) without QoS (b) with QoS

From Figures 10a and 10b, the bandwidth used by the video without QoS was 994040.53 bits/sec and by HTTP 811308.82 bits/sec, while with QoS they became 1056430.58 bits/sec for the video and 513732.26 bits/sec for HTTP.

Figure 10: Used bandwidth (a) without QoS (b) with QoS

B. Test 2

The impact of an ICMP flood attack on a normal Ping flow was tested. The ICMP flood was launched from the attacking computer against the server by sending a group of ICMP packets of different sizes, while at the same time 50 ping requests were sent across the network as the normal flow. Results were observed during the attack and after preventing it, as shown in Figures 11a and 11b: the data loss rate during the attack was 56%, whereas after preventing the attack it was 0%. The round-trip time (RTT) also decreased, from 115 ms before the attack was prevented to 7 ms after it was stopped. Figures 12a and 12b show the reduction in the response time of the Ping flow before and after stopping the ICMP flood attack.

Figure 11: Impact of ICMP flood attack on ICMP flow (a) number of sent, received and lost packets (b) RTT

Figure 12: Response time (a) in presence of attack (b) after stopping the attack


C.Test3 UDP Flood attack was sent for two minutes from the attacking PC to the server and the impact of the attack on the video sent through the network was measured with loss of data, 10.94 % and delay rate was 11.5ms. While after prevent the attack the loss of data has become 0% and the delay rate was ms10.3. The packet delay in the video shown in Figures (13a, 13b), Figures (14a , 14 b) shows the effect on the video snapshot.

D. Test4 The last test was made to know the impact of an Syn Flood attack on normal traffic of HTTP. It was sent Syn Flood attack for 3 minutes, with HTTP flow as the normal flow and measured productivity and Round Trip Time (RTT) for HTTP flow. As shown in figures (16 a,16 b), (17 a,17 b) that in the existence of the attack, throughput was between (10000-70000 B/S) and it was with a scatter, and the highest value of Round Trip Time equal 1 sec. While after stopping the attack throughput is between (25000-70000) B/S and almost in a straight line, while the highest value of Round Trip Time is equal 0.5 Sec.

(a)

(a)

(b) Figure. (13): delay in the video packet (a) in presence of UDP flood (b) after stop UDP flood (b) Figure. (16): HTTP Throughput (a) in presence of SYN flood (b) after stop SYN flood

(a) (b) Figure. (14): snapshot of the video (a) in presence of UDP flood (b) after stop UDP flood

Used bandwidth have been measured, with bit rate for the video as shown in Figures (15a,15b). The bit rate of the video was equal 941103.12 bits / sec with the presence of attack, and equal 1056052.25 bits / sec after preventing the attack.

Figure (15): Used bandwidth (a) in presence of UDP flood (b) after stop UDP flood

Figure (17): RTT (a) in presence of SYN flood (b) after stop SYN flood


Figures (18a) and (18b) show the used bandwidth. The average bandwidth of the video during the attack was 322220.65 bits/sec, but it was 497897.17 bits/sec after the attack was stopped.

Figure (18): Used bandwidth (a) in presence of SYN flood (b) after stop SYN flood

VII. CONCLUSION

Because of the widespread growth of the Internet and the development of streaming applications, quality of service will be of primary importance in IP-based networks. In this paper a system was constructed to achieve quality of service based on the Diffserv technology, giving priority to certain applications as well as protecting them from DoS attacks. The Anomaly Detection model was adopted to detect the attack, and the detected attack was then blocked by dropping the attack flow. From the tests we verified the QoS effectively in an IP-based network, and the system succeeds in guaranteeing QoS for IP networks during DoS attacks. Our future work will use a cross-platform language and develop a system to detect and prevent distributed DoS attacks and other types of attacks.
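The detect-then-drop approach summarized in the conclusion can be sketched as follows. This is an added example, not the paper's detector: the per-second record layout, the flow names, and the thresholds (`k`, `persist`, `syn_ack_ratio`) are assumptions, and the traffic is constructed sample data rather than the paper's measurements.

```python
from collections import defaultdict
from statistics import mean, pstdev

def learn_baseline(records, k=3.0):
    """Per-flow packets/sec ceiling (mean + k*std) learned from attack-free traffic."""
    rates = defaultdict(list)
    for _sec, flow, _proto, pkts, _syn, _ack in records:
        rates[flow].append(pkts)
    return {f: mean(v) + k * max(pstdev(v), 1.0) for f, v in rates.items()}

def detect_attack_flows(records, ceilings, persist=3, syn_ack_ratio=3.0):
    """Return {flow: reason} for flows anomalous for `persist` consecutive seconds."""
    default_ceiling = max(ceilings.values())  # unseen flows get the loosest learned limit
    streak, flagged = defaultdict(int), {}
    for _sec, flow, proto, pkts, syn, ack in sorted(records):
        if proto == "tcp" and syn > syn_ack_ratio * (ack + 1):
            reason = "syn-flood"    # many SYNs whose handshakes never complete
        elif pkts > ceilings.get(flow, default_ceiling):
            reason = "rate-flood"   # volume far above the learned ceiling
        else:
            streak[flow] = 0        # a normal second resets the streak
            continue
        streak[flow] += 1
        if streak[flow] >= persist:
            flagged.setdefault(flow, reason)
    return flagged

def drop_attack_flows(records, flagged):
    """Prevention step: forward only records whose flow was not flagged."""
    return [r for r in records if r[1] not in flagged]

# Constructed records: (second, flow, proto, packets, syn_count, ack_count)
TRAINING = [(s, "video", "udp", 90 + s % 3, 0, 0) for s in range(10)] + \
           [(s, "http", "tcp", 40 + s % 5, 1, 38) for s in range(10)]
LIVE = [(s, "video", "udp", 91, 0, 0) for s in range(10, 16)] + \
       [(s, "http", "tcp", 42, 1, 40) for s in range(10, 16)] + \
       [(s, "udp-x", "udp", 5000, 0, 0) for s in range(11, 16)] + \
       [(s, "tcp-y", "tcp", 60, 60, 0) for s in range(11, 16)]

def run_demo():
    flagged = detect_attack_flows(LIVE, learn_baseline(TRAINING))
    kept = {r[1] for r in drop_attack_flows(LIVE, flagged)}
    return flagged, kept
```

The constructed SYN flood stays below the learned rate ceiling, so only the SYN-to-ACK check catches it; the prioritized video and HTTP flows are forwarded untouched.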
