com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG


Junaid Gul, Sammee Mushtaq, Rabia Riaz
Abstract—Execution of distributed denial-of-service (DDoS) attacks requires little effort on the attacker’s side, since a vast number of insecure machines provide fertile ground for attack zombies. These attacks can easily be downloaded and deployed. On the other hand, prevention of the attack or the response and trace back of agents is extremely difficult due to a large number of attacking machines, the use of source-address spoofing and the similarity between legitimate and attack traffic. Many defense systems have been designed to counter DDoS attacks, yet the problem remains largely unsolved. The objective of this work is to develop algorithm that will help optimal placement of guard node (GN) in different network topologies. If we use all nodes in the networks as Guarding nodes (GN), then the overall efficiency of the network as well as the energy of nodes will decrease rapidly. We study how to optimize the placement of these nodes so that they can detect DDoS attack on earliest, while using minimum number of GN, and keep the cost factor and overhead as low as possible with minimal energy utilization. Simulation results prove that as compared to previous schemes our scheme requires less number of GN’s and provide higher level of security for data traffic using minimum energy. Index Terms—Set guard node with link down (SGLD), Guard nodes (GN), Distributed denial of service (DDoS).

—————————— ——————————



denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt by attacker to prevent legitimate users from using resources. Denial-of-Service denies a victim (host, router, or entire network) from providing or receiving normal services [10]. A DDoS attack directs hundreds or even thousands of compromised “zombie” hosts against a single target. These zombie hosts are unwittingly recruited from the millions of unprotected computers accessing the Internet through high-bandwidth, “always-on” connections. By planting “sleeper” codes on these machines, hackers can quickly build a legion of zombies, all waiting for the command to launch a DDoS attack. With enough zombie hosts participating, the volume of an attack can be astounding.

make the way towards the victim (object). Attacker intrudes into the host computer to deploy them. Daemons affect both the target and the host computers. c) Master Program/Agent that organizes the attacking structure in coordination with attack daemons.

d) Actual Attacker who actually attacks the victim (object) and stays behind the attacking strategy as a brain. For initializing and launching an attack, attacker sets up a DDoS attack network with number of attacking hosts, masters and attack daemons (also referred to as zombies). Each attacking host controls one or more masters. Each master in turn links to a group of attack daemon. During profound attacks the disproportionate traffic produced can also make the network heavily congested. DDoS attacks do not have same patterns which make them very tricky to detect and guard against. In DDoS attacks, attack sources are multiple; an experienced attacker can change the pattern and attacking source so the traffic approaching to the target node seems legal. The GN node can let them pass, but as approaching toward target this traffic can re-assemble and lead to DDoS attack

Fig. 1. Stages of a typical DDoS attack

Following are the main attack elements that are involved during DDoS attack process. a) Victim (Object) that is affected by the attack. b) Attack Daemon Agents are programs that

Junaid Gul is with the Department of Computer Sciences and Information Technology, University of Azad Jammu and Kashmir, Muzaffarabad, Pakistan. Sammee Mushtaq is with the Department of Computer Sciences and Information Technology, University of Azad Jammu and Kashmir, Muzaffarabad, Pakistan. Rabia Riaz is with the Department of Computer Sciences and Information Technology, University of Azad Jammu and Kashmir, Muzaffarabad, Pakistan.



checked before reaching its destination at least one or more time. Many research developments and commercial applications try to manage the DDoS problem. To give effective results we try to study some distributed and hierarchical defense mechanism. [5]In order to establish the importance of placement, consider the network as shown in Fig.3. Nodes in the network can do work as a router or a system using same algorithm. But the nodes that perform detection will be named as guarding nodes (GN).

Fig. 2. DDoS attack network

In this research we have studied and reflect that optimal placement of the GN is key factor in DDoS detection mechanism. Two important considerations for placement include i) There should be minimum number of GN and ii) They should be placed where they can observe maximum traffic. Another key factor of the study is that if number of GN node is less then there should be minimum overhead and data delay, because all nodes are not working as guarding nodes. The structure of research paper is: related work is shown in section II, section III elaborates SGLD used in this paper, and section IV shows simulation and comparison results. Section V concludes our work.

Fig. 3. Illustration of GN placement at 3, 4, and 7

There are many aspects that should be kept in mind while developing the algorithms or doing engineering task for deploying mechanism against the DDoS. For example, which node should be designated as GN and how many in numbers (Minimum) they will be in network so DDoS detection mechanism performs its job well? If we designated large number of node as GN then there will be communication and computational overhead, cost factor will also increase and energy factor will get affected. There are three key factors as defined in reference [2] that a DDoS detection mechanism should be capable of. i. Timely and accurate DDoS detection. ii. Action to avoid flooding. iii. Mechanism must be capable to identify that which traffic can lead a DDoS attack. By keeping these three points in mind we can deploy the mechanism effectively. If we have to detect the DDoS attack in time and accurately then guarding nodes should be near to the target and maximum traffic should be

The work done by [6] is in our study boundary. The optimal placement of detecting nodes in system is named as set packing and those detecting nodes are capable of minimizing the attack within h hops. The information provided is complex and have some deficiencies that we will discuss later in the research paper, so we can get optimal placement while not compromising on security at any level. The reference “Distributed Defense against DDoS Attacks” [2] observe that such nodes that are capable of detecting DDoS attack must be placed near to the victim so the three condition or key points provided by reference [2] should be met. Accurate and timely detection is key factor in any DDoS detection mechanism; this can be achieved by keeping GN near the target or victim and checking the legitimate traffic. If the attack is detected GN can then take action and avoid flooding. But in the reference paper it is not discussed that how they will place the GN nodes. In [7] an approach named as gateway based approach number of gateways are introduced in networks so they can work as a team in the situation of DDoS attack and can take action against DDoS like checking traffic and avoid flooding etc. Optimal allocation of filters against DDoS attacks [8] optimally allocates filters available in a single router to attack actual attacker, or entire domains of attack sources, so as to maximize the flow of good traffic conserved, under a restriction on the number of GN. They have formulated two filtering problems: the single-tier and the twotier filtering, depending on the granularity of the packet filtering. Filter allocation in single-tier is formulated as knapsack problem and in two-tier they used dynamic programming. In single-tier filtering is performed on the entire gateway whereas in two-tier filtering is carried out not only on the entire gateway but also on the individual attackers [9].



A packet filter placement problem with application to defense against spoofed denial of service attacks presented in [9] relates the filter placement problem to the vertex cover problem. Their approach does not explicitly covers the majority of DDoS flooding attacks but only deals with spoofed denial of service attacks. Routing tables are extensively used by the two types of filters, maximal and semi-maximal, defined in their work. This scheme can have degraded performance if routing tables are well populated specially in the case of large scale networks. When the attacking structure is ready the attack host’s launch an ‘attack’ command with victim’s address, attack duration and attack method etc. Master program broadcasts the command to the attack daemons under its control. On receiving the attack command daemons begin the attack on the victim (object).

Set guard node with link down problem comes up in splitting applications, where we need to partition the elements comprising the network under the strong constraints on what is an allowable partition. The key feature of SGLD problem is that nodes cannot be having connection or communication with other node of other set. Because we are going to make subset of nodes in the network so each edge is adjacent to at most one of the selected nodes and all nodes not adhering to the partition constraint but at least adjacent to one of the node in the set are declared as guarding nodes (GN).

Fig. 4. GN placed at 7,5,4,3

We assume that all attack traffic coming from any node and targeted to a node at least h hops away (in above Fig.4 h =2 ) will be checked by any of the guard node placed in the network because they are between the shortest path of nodes and traffic in the network take shortest path for data communication .In scheme presented by [6] if the path of the traffic is through 0 to 9 then data will pass without any check through guard nodes from 0 to 6, 5, 8 and 9. Therefore, DDoS launched from nodes 0, 6, and 8, 9 can reach node 5 without being checked by any GN. So we place another guard node at 5 not giving any loop hole to the malicious traffic. This example illustrates that even a few number of GN’s, if optimally and parallel placed, can protect a network from attack traffic. In this model we have a graph Graph =G N =nodes creating network.

C= Edge between nodes. Any node N can be designated as a GN in the network so that it can perform the guarding algorithms for per forming the counter measure against DDoS attack. E can be defined as node pair (a,b). (a,b) are nodes connected to each other for exchanging message directly without moving to any other node. h = hops from where DDoS attack can’t be initiated at larger level. Any attack within the h hops in the network can be ignorable because a single computer cannot initiate a larger DDoS attack and traffic. Calculation of detecting effect:Node r risk level against attacks Ra(h). If Ra(h)== 0 Then node can send the traffic which can’t be checked by any GN. Means node r is secure and beyond h hops there is no other node and also every DOS attack is localized or checked with a group of nodes that are less than h hops from node r. Most importantly at least one GN is placed in the way of traffic targeted towards node i. So if Ra (1) == 0 Then detection mechanism detects the upcoming attack packets towards node r. The subset of nodes that are highlighted as GN’s are denoted by M and detection method works such that M N. Our objective to set small subset of nodes that will act as GN’s from M with satisfying that h hops distance remain between every other node but except that if any loop hole or open way remain for attack packets is provided than placing GN’s without considering h hop rule and placing GN parallel to any other GN already placed. In graph theory terminology such a set of GN’s can be considered as dominating set (DS). To set domination number of graph is a difficult problem [8]. Therefore our goal changes to finding good heuristic. We define coverage ration as covering the total number of nodes comprising the network in between the number of GN’s that are required. So the goal is set to achieve minimum to minimum value of for a given value of h hops. Given finite set N = {1, 2, 3,….., m*} is a finite node set and given collection of subsets Nj = {N1, N2, N3,….., N*} of N (i.e. Nj N, j = 1,2,3…., N) and a SGLD is formed with respect to N if Nj Nk = For all j, k and j k . D(P)is representation of number of nodes that sets guard nodes. G(P) defines total number of guard nodes formed. d (i, j) is maximum values for all nodes i, j in a packed form must be less than h hop. To maximize the number of nodes in SGLD and also maximizing the number of sets is equal to minimizing number of GN’s. We analyzed that minimized value of h in n yields a larger M. Greater the value of h can reduce the M but attack packets become risks for nodes because attack traffic targeted towards any node will reach to it without detecting through any guard nodes.



In modeling our work, we set our objective to find set of nodes that are at (h-1) hops away from each other or h hop such that every node not in the set and in h hop away from at least one node in the set. Formulation in mathematically form is as follows: Minimum |M| ……………………………………. (1) Such that Ri (r) = 0, for all Maximum ………………… (2) For all such that for , Maximum ………………… (3) For all such that For all and …………………………… (4) ………………………….…. (5) For all . Equation (1) is our major requirement. (2) and (3) are general SGLD constraints; means that there should be maximum number of nodes in a set pack such that the distance between any two nodes in a set should always be less than r-1 and there should be maximum possible set packs. Equation (4) tells us that the distance between two nodes belonging to two different set packs should always be more than 2-hops. Equation (5) tells us that the distance between two nodes belonging to two different set packs can be sometimes h hops only. This problem is basically a SGLD problem, which is NP-hard [8]; hence, we propose a heuristic algorithm. This algorithm partitions connected nodes in such a way that the maximum value of the distance in the partition is less than r. Then, all nodes connected directly to the partition become GN nodes. This process repeats until all nodes either become member of a partition or become GN nodes.

Energy factor if using fixed wireless node scenario is one of the most crucial aspects in real deployments of mobile sensor networks. A large portion of the energy of sensor applications is spent in node discovery as nodes need to be periodically advertising their presence and be awake to discover other nodes for data exchange. In this scenario we take i initial energy for the node which is going to be the guarding node. Because of DDoS traffic is coming from multiple sites (nodes) to one guarding node so receiving energy is n times to r. But transmission energy t is fixed because in this analysis transmission is not mainly concerned because of specification of DDoS attack is always to compromise node by sending anomalous traffic constantly so transmission energy is not that important. Initial energy = i Receiving energy = r Transmission energy = t No. of nodes sending data = n Energy = E Formula:E=i/n(r)+t

Fig. 7. Energy Consumption for 6-Node Network

To find out the performance level of the above discussed algorithm of the placement mechanism we check it by running it them in same topologies same topologies given in Fig. 8. and set packing algorithm is also considered here for performance comparison as in the case of SGLD.

Fig. 5. Simulation of 10 node network

Fig. 8. 14-Node Network

Fig. 6. Results of GN placement in 10 node network

In these simulations routing policies that allow multipath routing are considered and we select all possible loop-free shortest paths whenever the routing is performed between the two nodes.



7 6 5 4 3 2 1 0 1


Set Packing


No. of Hops






tection technique or collaboration among the nodes. But once guard nodes are selected then any existing mechanisms can be employed. Our aim to develop such a distributed scenario in which a node doesn’t have any information about the size of the network, and start out with limited topological information of the network. Our goal will be to select a small subset of nodes, without having the complete network information that can act as GN’s for the ad hoc network. One of future planning is some nodes are more important to quality monitoring dependent to detect level of risk with every single node. Those risks are very challenging in detection mechanism.


Fig. 9. Coverage Ratio of 14-Node Network

We the authors are thankful to Dr. Rabia Riaz, Assistant Professor, Department of Computer Science and Information Technology, University of Azad Jammu and Kashmir, Muzaffarabad for her guidance and support throughout the work. We pay thanks to our class mates, too, for their help and up keeping.

From these figures it is obvious that performance of set packing is limited and it gives high coverage ratio (larger value of T) as compare to our proposed scheme which gives low coverage ratio (low value of T). Thus, our scheme requires less number of GN’s as compare to set packing for the same value of h and more effective detection without leaving any loop holes. Number of Hops (h) 1 Set Packing SGLD 6 5 2 3 5 3 3 3 4 1 2 5 0 2 6 0 1 7 0 0 8 0 0

[1] Wan, K.K., Roky, K.C. Chang: “Engineering of a global defense infrastructure for DDoS attacks”, Proceedings of IEEE International Conference on Networks, August (2002). [2] J. Mirkovic, M. Robinson, P. Reiher and G. Oikonomou, “Distributed Defense against DDoS Attacks”, University of Delaware CIS Department Technical Report CIS-TR-2005-02. [3] AdityaAkella, AshwinBharambe, Mike Reiter and SrinivasanSeshan, “Detecting DDoS Attacks on ISP Networks”, ACM SIGMOD/PODS Workshop on Management and Processing of Data Streams (MPDS), FCRC 2003, San Diego, CA. [4] Guangsen Z., Manish, P: Cooperative Defense against DDoS Attacks. Journal of Research and Practice in Information Technology 38(1): (2006) [5] M.H. Islam, K.Nadeem, S.A. Khan “Optimal Sensor Placement For Detection Against Distributed Denial of Service Attack” Pak. J. Engg. & Appl. Sci. Vol. 4, Jan 2009 (p. 80-92) [6] Seok Bong Jeong, Young Woo Choi, Sehum Kim “An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Network” WISA 2004, LNCS 3325, pp. 204210, 2004 [7] Dong Xuan, Riccardo Bettati, and Wei Zhao, “A Gateway based Defense System for Distributed DoS Attacks in High- Speed Networks”, Proceedings of the 2001 IEEE Workshop on Information Assurance and Security United States Military Academy, West Point, NY, 5-6 June 2001 [8] Karim El Defrawy, AthinaMarkopoulou, and KaterinaArgyraki, “Optimal Allocation of Filters Against DDoS Attacks” Invited paper at the Information Theory and Applications (ITA) Workshop, January 2007. [9] Benjamin Armbruster, J. Cole Smith, Kihong Park, “A Packet Filter Placement Problem with Application to Defense Against Spoofed Denial of Service Attacks”, Elsevier Science, Sep 2005 [10] The Wikipedia website. [Online]. Available:

Table. 1. GN nodes in a 14-node network

DDoS detection, precisely and effectively is very difficult before any recoverable loss. To make detection process effective we have to achieve participation of every single node that is not a feasible solution at all. So as to make feasible solution and effective detection of attack packets we have to reduce the number of guarding nodes to give reliable protection to overall network from those attack packets targeted towards any working node in network. The importance of placing GN at critical points in network for detecting distributed attacks is presented here. The main advantage we achieved above is that over all network traffic check is limited to minimum number of GN’s, thus conserving power and processing capabilities for many nodes in the network. Corresponding to this, approach presented and analyzed above are effective not in terms of reduced number of GN’s but also in localizing attack traffic within h hops or within the transmission range in case of wireless network. In addition, we calculate energy factor consumed by single node in sending packets. Advantages of this overall research are reduced cost and faster convergence in identifying an attack. Our main emphasis in this research has been on the architecture of the detection system rather than on the de-

Junaid Gul obtained a BS(hons.) in Computer Science from University of Azad Jammu & Kashmir in 2011 and currently works as a Graduate Assistant at the Department of Computer Sciences and



Information Technology of University of Azad Jammu & Kashmir while also studying for an M.Phil. in Computer Science at the same institution. His research interest is Networks Security, Ethical Hacking, Software Development and Neural Networks. Sammee Mushtaq received the BS(Hons.) degree in Computer Science from The University of Azad Jammu & Kashmir, and currently studying M.Phil. in Computer Science from The University of Azad Jammu & Kashmir, Muzaffarabad, Pakistan. His research interests include: Network forensics, Network Security, Machine Vision, Bio-informatics and Telemedicine Systems. Rabia Riaz received the Master’s degree in Computer Science from Fatima Jinnah University Rawalpindi, and P.H.D in Electrical Engineering from AJOU University, SUWON, South Korea. Currently employed as Assistant Professor in Department of CS&IT, University of Azad Jammu and Kashmir. Her research interests include: Network forensics, Network Security, Wireless Networks and Sensor Networks.

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master Your Semester with a Special Offer from Scribd & The New York Times

Cancel anytime.