
International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 2, Issue 6, June - 2015. ISSN 2348 4853

DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application

Dr. V. Naga Lakshmi¹, Shameena Begum²

¹ Professor and HOD, Department of Computer Science, GITAM University, Visakhapatnam, Andhra Pradesh, India
Email-id: vn_lakshmi8@yahoo.com

² Assistant Professor, Department of IT, Sasi Institute of Technology & Engineering, Tadepalligudem, Andhra Pradesh, India
Email-id: sameenazm@gmail.com

ABSTRACT
Any web application or server requires the use of a Distributed Denial of Service (DDoS) defence service in order to achieve high security against various attacks. Client-server applications play a major role in domains such as healthcare, where they are used to build distributed applications while reducing cost and making use of high-performance computing devices. The distributed system in a client-server application is exposed to many security risks, including DDoS. These client-server applications are based on HTTP connections, so our aim is to make an HTTP-based system less vulnerable to all possible DDoS attacks. The system incorporates Source Checking, Counting, Attack Detection and Prevention modules together with a Turing test module to detect the malicious node. In this paper we propose a multi-stage detection system which includes cache-based information Turing tests and question-generation-pool Turing tests to challenge suspicious intruders more effectively and efficiently. The proposed system is executed to check the efficiency of the proposed work and to judge how effectively it is able to mitigate DDoS traffic on the network.
Keywords: DDoS, Turing test, Question generation, VC (virtual cluster).

I. INTRODUCTION

A. DDoS Attack in Network


Distributed Denial of Service (DDoS) is the main security concern for network security at present [1]. DDoS attacks control various machines all around the network; these controlled machines are called zombies. The main aim of DDoS is to prevent a legitimate user from accessing the network resources or services of the victim server, so that the user is not able to access services such as web or email on the network. DDoS attacks mainly target network availability, i.e. network bandwidth and the servers' computing capability. A DDoS attack is launched by producing a huge volume of traffic in the network, which interrupts network services. It is, however, difficult to distinguish DDoS attacks from normal traffic in the network. DDoS attacks are therefore treated as a serious issue in network security, and a DDoS attack may cause serious loss to any organization.

To address DDoS attacks, previous works [2-5] have aimed at minimizing DDoS attack traffic and mitigating its effect on the network.

B. Types of DoS Attacks

Generally, DDoS attacks are classified into two main categories. In the first, the attack uses the maximum bandwidth in the network in order to break the network. The second is resource depletion, which uses up the CPU, network resources and services so that users are not able to access the network resources. The attack generally originates from various sources and focuses on a single target. These attacks are given below:

SYN Flood Attack: These attacks target TCP-based network services. They harass the server, which leads to a system crash [6].

TCP Reset Attack: These attacks use the properties of the TCP protocol. The attacker listens to the TCP connection and sends a fake TCP RESET packet to the victim, which causes the victim to close its TCP connection unexpectedly [7].

ICMP Attack: These attacks send ICMP echo request packets to the victim and are started via ping. Attackers use ICMP datagrams to produce this type of attack [8].

UDP Storm Attack: These attacks are produced over UDP connections. When a connection is made between two parties, they generate a large number of packets on the network, and this causes the attack.

DNS Request Attack: These attacks are produced by using UDP-based DNS requests and affect network bandwidth. Attackers use a spoofed source IP address to communicate with the server [9].

CGI Request Attack: In this attack, an attacker sends CGI requests to the server which use huge CPU resources. As a result of this attack the services of the server are shut down.

Mail Bomb Attack: In this attack, an attacker sends a very large amount of mail to the target server, which can be tough for the server to handle. Due to this attack the server can stop working.

ARP Storm Attack: This attack is produced by sending a huge number of ARP requests to the target system, which can badly affect that system.

Algorithmic Complexity Attack: It is a class of low-bandwidth DDoS attacks that exploit algorithmic deficiencies in the worst-case performance of algorithms used in many mainstream applications.

Spam Attack: This type of attack targets organizations as well as public users. A huge amount of mail is sent from the attacker's side at one time.

C. Client-Server Application
A client-server application is an application in which a client can request access to the services or available resources of a remote server. A wireless local area network (WLAN) is an application in which two or more systems or devices are connected through an access point. The user can move around within the network coverage area, and within that area the system remains connected via the wireless connection. Many current WLANs are based on the IEEE 802.11 standards, marketed under the Wi-Fi brand name. It is a type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes [10].

II. RECENT RELATED WORK

Fei Wang, Xiaofeng Hu and Jinshu Su [11] suggested an unfair rate limiting mechanism to handle DDoS attacks. They focused on traffic increasing patterns. In the proposed work, they categorized port-flows into three subsets with decreasing priorities. In the simulation section, the port-flows most likely to contain DDoS attack traffic were compressed the most. To avoid a drawback of LoURL, they presented CoURL to enhance DDoS mitigation in an efficient manner. They reported outstanding performance for their approach.

Md. Khamruddin and Dr Ch. Rupa [12] proposed an approach to detect various types of DDoS attacks. In this approach, they balanced the load on the victim machine by replicating servers. To mitigate the traffic on the victim machine, the attack signature was pushed back to upstream routers. The main goal of their mechanism is to mitigate the traffic on the victim machine so that legitimate users still get service from the remote server.

Yonghong Chen et al. [13] modeled a network DDoS intrusion detection approach based on a pre-processing network traffic prediction method. Chaos theory was also used in their research. Their approach detected an anomaly regardless of its cause, whether a burst of legitimate traffic or a DDoS flooding attack. They used a neural network to differentiate DDoS attacks from unusual traffic. Their results were based on the DARPA network traffic data, which showed that the DDoS detection method achieved high detection probabilities.

B.S. Kiruthika Devi et al. [14] described attack classification and effective online traffic monitoring. They measured performance metrics such as Latency, Link utilization and Throughput. They used the IBRL approach to reduce the attack traffic so that legitimate users were able to send their packets without congestion. The research design and execution were carried out on a simulated testbed. The experimental results showed that rate limiting was efficient in protecting a network from DDoS attacks. The enhancements they suggested for future work include weight-based performance metrics to group the impact of DDoS attacks and quantify it at various attack strengths.

Jin Wang et al. [15] explained two web application DDoS detection approaches. The approaches are based on large deviation theory, i.e. LD-IID and LD-MP. LD-IID characterized a user's access actions with an experimental click-ratio distribution, and used large deviation to estimate the deviation of each continuous user's access actions from the prior click-ratio distribution of a website. LD-MP captured the connection between the web pages a user accesses in sequence. The proposed approach used large deviation theory to estimate the consistency of a user's experimental access actions with the website's prior access actions. In the results section, LD-IID detected web app-DDoS precisely, yet the one-order Markov process gave LD-MP high false negatives.

III. PROBLEM STATEMENT

A. The main issue is to keep the DDoS mitigation system relevant against the growing number of attackers.

B. When attackers get control of a user datagram protocol (UDP) service such as a domain name server, the user is not able to access services from the remote server.

C. The methodologies mentioned were not very cost effective.

D. Some research did not focus on packet loss in the DDoS mitigation system.

IV. RESEARCH METHODOLOGY

The proposed system architecture is shown in Figure 1. A packet coming from the user side arrives at the Source Checking and Counting Module, where the user is verified. If the user is suspicious, the user is redirected to the Cache-Based Turing Module. In the Cache-Based Turing Module, the user is verified by the server through the user's cache information, saved in a temporary file on the user's system. The Detection section is used for finding any other DDoS attack. The Source Checking and Counting Module takes care of all the essential information regarding attack detection. In addition, there is a Question Generation module which is also used for DDoS prevention.

A. Source Checking and Counting Module


This module serves as a coordinator for the other modules. It consists of the Source Checking Module and the Counting Module.

1. Source Checking Module

This module is responsible for categorizing packets based on their status and acts as a coordinator for the other modules. Using this module, packets are categorized into the following lists:

Black list: The Source Checking Module verifies the user's address. If it exists in the black list database, the module blocks the packet with that user's address. Otherwise, it sends the packet to the pink list or the white list.

Pink list: Packets are verified again by the Cache-Based Turing Test, which checks whether the packet is suspicious or not based on cache information. If the packet is suspicious, it is sent to the black list, otherwise to the white list.

White list: Only an authorized user's address is stored in this list, after complete verification by the Cache-Based Turing Test.

2. Counting Module

The counting module stores the source and destination addresses of the packet. It also stores the arrival time of the request. The counting module is disabled by default. Whenever a suspicious packet is identified by the DDoS Attack Detection Module, that module changes its state from disabled to enabled. The counting module resets its value periodically.

[Figure 1: Packet Flow in the Proposed DDoS system. Blocks shown: Lists (Black, White.), Source Checking, DDoS Attack Detection, VC (three instances), Caching Based Turing Test, Question Generation.]

B. DDoS Attack Detection Module


The main aim of this module is to find a suspicious source and send its address to the black list repository. The source is also authorized by the Cache-Based Turing Module, which challenges the source with a question. Detecting the suspicious source takes four steps, which are given below:

1. Stage 0: The detection module acts in monitor mode. It observes the source's actions and collects information in the form of the average and maximum values of connections, incoming packets and incoming bytes per second. The stored data represents each VC's network activity and can be used for identifying a suspicious source.

2. Stage 1: In this stage, the Stage 0 process is still running, gathering instantaneous VC traffic data for identifying a malicious source. For each virtual controller, the attack detection module compares the current traffic value with the previous statistical one. If the current traffic value is greater than the previous statistical one, the detection status moves to Stage 2 and the Counting Module is enabled to count the incoming traffic of that particular virtual controller.
3. Stage 2: Four essential parameters are used, which are given below:

TH: The maximum threshold value. This value can be the set of connections established between the virtual controller and the user.

NUM_Period: A threshold that applies when the packets sent by a user exceed the given threshold value. In this case the DDoS Attack Detection Module adds that IP address to the Pink list database, after which authentication is performed by the Cache-Based Turing Module.

MXTH: Also a threshold value, applied when the number of connections is greater than MXTH. In that case the IP address is added to the Pink list database at the same time if its value is 90 % of the Apache server's performance or TH.

Node_TH: Also a threshold value, applied when the number of source IP connections is greater than the given limit. In that case the system immediately switches 50% of the IP connections to the Pink list database. This must be done to avoid congestion on the virtual controller; otherwise the system may crash.

There may be cases in which no IP is added to the Pink list for the NUM_Period value. In this situation the DDoS Attack Detection Module status moves back to Stage 1 and the Counting Module becomes disabled.

4. Stage 3: In this stage, the traffic from or to the virtual controller is so large that it takes 90-95 % of the virtual controller's inbound or outbound network bandwidth. Any analysis in this situation may make the system busier or lead to a crash. To avoid this, the public IP is added to the destination block list to block the incoming HTTP connections coming from the user. The public IP of the virtual controller stays on the list, and incoming HTTP connections stay blocked, until its traffic is down. Until then the traffic is switched to the Cache-Based Turing section, where the client is authenticated.

5. Cache-Based Turing

Cache-based verification is a technology that needs little effort and includes a secure server-side service. It enables the user to be verified through a secure server, although a number of service transactions are needed, and it includes a small number of secure data migrations. As per the results, this technology is secure as well as most reliable.

This Turing test is done to obtain information about the user rapidly. The destination address stores a number of other secure destinations (3n3). The user is asked to give access to these destination addresses. If the user is found there, it is moved from the black list to the white list.
[Figure 2: Authenticating User on Basis of White Pink and Black List Concept. Labels shown: Sender, Service Provider, Black/White, First Attempt, Other Attempt, Limited Service, Pink List, Full verification (Cache Based Turing Verification), Black List, White List, Full Service.]

[Diagram: Server, Existing Server, Data in Cache, User]

The Cache-Based Turing test consists of the following steps:

Step 1: The server connects to the user and gets the existing user's connection in the cache with a secure server side.

[Diagram: Server, User, Data in Cache]

Whenever a user wants a service, it is processed in request-response form. The request from the user reaches the server, where user verification is done. At this stage, the server looks for the information stored in the cache on the user's system. This cache information is stored in text format as a temporary file in a system directory, with the data held as name-value pairs. The information filled in by the user is matched against this cache data. When the information in the cache correctly matches the information filled in by the user, the user is authorized to access the legitimate service.

Step 2: The server contacts the existing server with the credential received from the user.

[Diagram: Server, Existing Server]

In this stage the user is verified with the help of the existing server. The existing server has already verified the user through the cache information stored in the system.

Step 3: The existing server once again verifies against the user data present in the cache.

[Diagram: Existing Server, Data in Cache]

Step 4: The existing server reports the status to the server. According to the status received, the server decides whether or not to share with the user, and then updates the cache once again.
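
The Source Checking Module and detection stages described above, as an added example that is not code from the paper (whose implementation used Java servlets). The names `Detector`, `learn`, `observe`, `check_source` and `run_demo` are hypothetical, the traffic is constructed, MXTH is left out, and the choice of the busiest half for Node_TH and bytes per period as the bandwidth unit are assumptions.

```python
from collections import Counter

class Detector:
    """Detection stages for one virtual cluster (VC); models TH, Node_TH, NUM_Period."""

    def __init__(self, th, node_th, num_period, link_capacity):
        self.th = th                        # TH: max connections per source per period
        self.node_th = node_th              # Node_TH: max distinct sources per period
        self.num_period = num_period        # NUM_Period: quiet periods before standing down
        self.link_capacity = link_capacity  # bytes per period (assumed unit)
        self.stage, self.baseline, self.quiet = 0, 0, 0
        self.black, self.pink, self.white = set(), set(), set()

    def learn(self, periods):
        """Stage 0: keep the maximum connections per period as the statistic."""
        self.baseline = max(len(p) for p in periods)
        self.stage = 1

    def observe(self, sources, total_bytes):
        """One period; `sources` holds the source address of every connection."""
        if total_bytes >= 0.90 * self.link_capacity:
            self.stage = 3                  # Stage 3: too loaded to analyse, block inbound HTTP
            return "block-all"
        if self.stage == 3:
            self.stage = 2                  # traffic is down again (assumed to resume counting)
        if self.stage == 1:
            if len(sources) <= self.baseline:
                return "normal"
            self.stage, self.quiet = 2, 0   # Stage 2: Counting Module enabled
        counts = Counter(s for s in sources if s not in self.black)
        suspects = {s for s, n in counts.items() if n > self.th}
        if len(counts) > self.node_th:      # too many sources: challenge the busiest half
            suspects.update(s for s, _ in counts.most_common(len(counts) // 2))
        new = suspects - self.pink
        self.pink |= new
        self.white -= new                   # assumed: a re-offending source must re-verify
        self.quiet = 0 if new else self.quiet + 1
        if self.quiet >= self.num_period:
            self.stage = 1                  # Counting Module disabled
        return "counting"

    def check_source(self, src, challenge):
        """Source Checking Module: black drops, pink is challenged, others pass."""
        if src in self.black:
            return "drop"
        if src in self.pink:
            self.pink.discard(src)
            passed = challenge(src)         # stands in for the Cache-Based Turing test
            (self.white if passed else self.black).add(src)
            return "allow" if passed else "drop"
        return "allow"

def run_demo():
    """Constructed traffic: one source opens 8 connections against a baseline of 3."""
    d = Detector(th=5, node_th=10, num_period=2, link_capacity=1_000_000)
    d.learn([["198.51.100.1", "198.51.100.2"],
             ["198.51.100.1", "198.51.100.2", "198.51.100.3"]])
    burst = ["198.51.100.1", "198.51.100.2"] + ["203.0.113.9"] * 8
    out = {"burst": d.observe(burst, 40_000), "pink": set(d.pink)}
    out["flooder"] = d.check_source("203.0.113.9", challenge=lambda s: False)
    out["regular"] = d.check_source("198.51.100.1", challenge=lambda s: True)
    for _ in range(2):                      # NUM_Period quiet periods in a row
        d.observe(["198.51.100.1"], 5_000)
    out["stage_after_quiet"] = d.stage
    out["saturated"] = d.observe(burst, 950_000)
    return out

if __name__ == "__main__":
    print(run_demo())
```

A source that fails the challenge lands on the black list and is no longer counted, so a sustained flood from it cannot keep the detector in Stage 2 on its own.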
V. RESULT AND DISCUSSIONS

This work is implemented using NetBeans 6.8 and the Spring Tool Suite IDE, with Apache Tomcat 7.0 running as the web server. We use Java SE, Servlet and HTML as the web technologies. For the robot attack, we use Swing technology. The results and discussion are described below:

Figure 3: Verifying User through Answering Question


In Figure 3 the user is verified by answering the security question. If the user gives the correct answer, the user is able to log in successfully. In the case of a wrong answer, the user is not given access to log in.

Figure 4: Successfully login by user


In Figure 4, the user has given the correct answer. Thus he/she is authorized for further services.

Figure 5: Access Denied for Wrong Answer


In Figure 5, the user has given a wrong answer. Thus the user is not authorized to log in and is not able to get the services for further use.

Figure 6: Authorized user successfully login


In Figure 6, an already verified user wants to register. In this case, the user logs in directly without any security question.

Figure 7: User blocked for wrong answering


In Figure 7, user 5 again wants to log in but gives a wrong answer. In this case, the user is blocked permanently.

Figure 8: Register and Blocked User


Figure 8 shows the list of registered users and the list of blocked users.

VI. CONCLUSION

This paper presented a multi-stage detection system which includes cache-based information Turing tests and question-generation-pool Turing tests to challenge suspicious intruders more effectively and efficiently. In this paper, we identified the attacker through cache information. Users have to answer the security question at the time of logging in. Once the user gives the correct answer to the given security question, she/he is able to log in successfully and can use further services. In the case of a wrong answer by an attacker, the user is not able to log in and access to further services is denied. Thus each time a verified user logs in, she/he is able to use further services. A wrong answer by an attacker results in the user being blocked permanently. Thus only verified users have access to the given services.

VII. REFERENCES

[1] "The top five DDoS attacks of 2011." [Online]. Available: http://www.itbusinessedge.com/slideshows/show.aspx?c=92910

[2] M. Goldstein, M. Reif, A. Stahl, and T. Breuel, "High performance traffic shaping for DDoS mitigation," in Proceedings of the 2008 ACM CoNEXT Conference, ser. CoNEXT '08. ACM, 2008.

[3] X. Liu, X. Yang, and Y. Lu, "To filter or to authorize: Network-layer DoS defense against multimillion-node botnets," in ACM SIGCOMM, 2008.

[4] S. H. Khor and A. Nakao, "DaaS: DDoS mitigation-as-a-service," in Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the Internet, ser. SAINT '11. IEEE Computer Society, 2011, pp. 160-171.

[5] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Comput. Surv., vol. 39, April 2007.

[6] S. M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, "Proactive Server Roaming for Mitigating Denial-of-Service Attacks," in Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE'03), pp. 286-290, Aug. 2003.

[7] Robert Vamosi, "Study: DDoS attacks threaten ISP infrastructure," Online at http://news.cnet.com/8301-1009_3-10093699-83.html, CNET News, Nov. 2008.

[8] Internet World Stats, "Internet User Statistics: The Big Picture: World Internet Users and Population Stats," http://www.internetworldstats.com/stats.htm.

[9] A. Yaar, A. Perrig, and D. Song, "PI: A path identification mechanism to defend against DDoS attacks," in Proceedings of the IEEE Symposium on Security and Privacy, pp. 93-109, May 2003.

[10] Mofreh Salem, Amany Sarhan and Mostafa AbuBakr, "A DOS Attack Intrusion Detection and Inhibition Technique for Wireless Computer Networks," ICGST-CNIR, Volume (7), Issue (I), July 2007.

[11] Fei Wang, Xiaofeng Hu and Jinshu Su, "Unfair Rate Limiting for DDoS Mitigation Based on Traffic Increasing Patterns," IEEE, 2012.

[12] A. Md.Khamruddin and B. Dr Ch. Rupa, "A Rule Based DDoS Detection and Mitigation Technique," Nirma University International Conference on Engineering, 2012.

[13] Yonghong Chen, Xinlei Ma, Xinya Wu, "DDoS Detection Algorithm Based on Preprocessing Network Traffic Predicted Method and Chaos Theory," IEEE Communications Letters, Vol. 17, No. 5, May 2013.

[14] S. Kiruthika Devi, G. Preetha, S. Mercy Shalinie, "DDoS Detection using Host-Network based Metrics and Mitigation in Experimental Testbed," IEEE, 2012.

[15] Jin Wang, Xiaolong Yang, Keping Long, "Web DDoS Detection Schemes Based on Measuring User's Access Behavior with Large Deviation," IEEE Globecom, 2011.
