You are on page 1of 11

International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 2, Issue 6, June - 2015. ISSN 2348 4853

Detection and Defense of DDoS Attacks


Neha Titarmare *
CSE Dept, RGCER, Nagpur
nehatitarmare@gmail.com

Nayan Hargule
CE Dept, SCET, Nagpur
nayankumarhargule69@gmail.com

ABSTRACT
Distributed Denial of Service (DDoS) attacks pose severe threat to the computers and network
infrastructures. There is an utmost need to develop mechanisms which can be effective against
DDoS attacks which generate heavy traffic and make network bandwidth and/or system
resources depleted or limited. We develop attack model which gives us an idea about the patterns
of the DDoS attacks. Four types of attack namely Host scan, Port scan, TCP SYN flood, ICMP flood
have been considered. The attack model depicts the patterns or behavior of the mentioned
attacks. We also develop a detection mechanism, which compares the traffic flow with the attack
model and identifies the particular attack. A defense mechanism based on distributed black box
technique deployed in the middle of the network and swaps the source ip-address with the
destination ip- address to provide effective defense.
Index TermsAttack model, DDoS, Host Scan, Port Scan, ICMP, TCP.

I. INTRODUCTION
DoS attacks are one of the crucial threats posed to the users and infrastructures of the Internet. A DoS
attack attempts to deprive the legitimate users from using their service. It breakdowns the service and
disrupt the network bandwidth. DoS attack can be launched from a single host or a network node. DDoS
attacks pose a more serious threat than DoS attacks. DDoS is a type of DoS attack where an attacker
deploys a number of hosts and launches an attack on the victim in a coordinated manner or
simultaneously. The goal of DDoS attack is achieved by sending a large number of packets to the target
and thus flooding it. The target is unable to deal with the large number of packets and gets overloaded,
and ultimately becomes incapable of providing normal service. DDoS attacks can be classified on the
basis of the type of resources that is consumed.
1) Resource Flooding: The attacker consumes victims resources such as memory, CPU, hard disk to
make it unavailable for normal users.
2) Bandwidth Flooding: The victim network is flooded by unwanted traffic to prevent the normal
traffic from reaching the victim network.
Well known DDoS flooding attacks are TCP SYN flood attack and ICMP flood attack. TCP SYN flood makes
use of TCP SYN packets while ICMP flood makes use of ICMP packets.
Before attacking the target, the attacker often uses host scan and port scan to check the services that they
can break into. Host scan and port scan are used as tools to check the suseptibility of the target. If host
scan and port scan is carried out frequently then it can be considered as an attack. Generally, host
scanning and port scanning is done to keep a watch on the systems and the network. A network
administrator usually performs these scans to check network and scanning is done a fixed number of
time. However, if the number of scans surpasses a fixed threshold then they are considered as attack. In

57 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
host scan attack, the attacker scans or analyses the other host computer, so as to gain their information
such as services available, and check their vulnerability. Port scan attack is performed to check the active
ports and services provided by them. The objective of this is to find the vulnerable ports of a target host
[2] [4][12].
In most of the previous work [5] [11] an attack model is described as a model where an attack is
generated. In this paper, we propose an attack model to extract the attack patterns for the attack. These
attack patterns help us to identify the type of attack, nature and its characteristics. The purpose of attack
model is to effectively differentiate between attack flow and normal flow. Differentiating the attack flow
facilitates effective detection of specific attacks. Our technique is based on the concept of lightweight
detection [2] [3] [4]. We have based our attack model on four types of DDoS attacks: Host scan, Port scan,
TCP SYN flood, ICMP flood. Preliminary results show that the method is effective to extract the attack
patterns and detect them. Also we defend the attacks using Distributed Black Box strategy.
Following this introduction, the paper is organized as follows. Section 2 describes the previous work in
the area of DDoS attack. Section 3 describes in detail, our proposed attack model methodology and
detection and defense method. Section 4 describes our experiments and results. Section 5 discusses
limitation of the work, conclusion.

II. RELATED WORK


A. Intrusion Detection System (IDS)
Intrusion detection system (IDS) has been extensively used to protect against the DDoS attacks. IDS
detect attacks either by using signatures or anomaly behaviour. In signature based IDS, signatures of
attack are matched to the traffic flow to identify the attack. In anomaly based IDS, deviation from normal
system behaviour helps to detect an attack. The weakness of signature IDS is that it cannot detect new
attack while anomaly IDS considers normal activity as malicious. Intrusion detection systems cause high
level of resource consumption.
B. BLINC[1]
BLINC or BLINd Classification is an approach based on classification of traffic flows according to the
applications that generate them. The method observes and identifies the patterns of host behaviour. The
patterns are analysed at three different levels namely a) the social level b) the functional level c) the
application level. Analysing the traffic flows at different levels is the distinct feature of this approach.
The method is operated in dark means it does not access the packet payload, there is no knowledge of
port numbers and only information about the current flow collectors is provided. There are two unique
features of the method, first is that it focuses on classifying the individual flows to associating Internet
hosts with applications and after that it classifies the flow accordingly. The authors believe that, by
observing the host activity more information can be extracted and nature of applications of the host can
be deduced. Second, BLINC analyses host behaviour at three different levels:
a) social level b) functional level c) application level
At the social level, host popularity is taken into consideration. The interactions of a host with other host
are observed. Also, it identifies the host communities. At the functional level, the functional role of host in

58 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
the network is considered, such as if the host is provider or consumer of a service or both. The role of a
host is identified by observing the number of ports a single host uses for communication. For example: If
a single port has been used by a host in number of interactions then BLINC assumes that the host
provides a specific service. At the application level, transport layer interactions between hosts on specific
ports are captured to identify the application of origin. For each application, the behaviour pattern is
created in the form of graphlets. In BLINC classification, a set of predefined graphlets is matched with
flow behaviours. The key feature of this methodology is tunability. The method gives results at different
levels of detail with accuracy. BLINC first analyses traffic at three mentioned levels. Then a criterion for
classification is controlled using thresholds which can be relaxed or tightened. There is a flexibility to
choose level of accuracy and detail according to i) the goal of the study ii) the amount of exogenous
information. The other highlights of the work are development of classification benchmark, identification
of patterns of behaviour, highly accurate classification and detection of unknown attacks. The
distinctness of BLINC is that it focuses on all flows generated by hosts. BLINC is advantageous in the
sense that it identifies unknown applications such as malicious flows.
C. Lightweight Detection [2]
The lightweight detection technique is based on the Blind classification or BLINC [1]. In this work, DoS
attacks are classified into four classes namely, SYN flood, ICMP flood, port scan and host scan. Here the
attack pattern is described as graphlet. SYN flood, ICMP flood, and host scan graphlets are defined in this
paper while the port scan graphlet is taken from BLINC [1]. Lightweight technique detects attack by
comparing the traffic flow with the graphlets. In TCP SYN flood attack, the attacker sends a large number
of TCP SYN packets with a spoofed source IP address. Since the target gets flooded with the half open
connection its resources are consumed and it does not provide a normal service. In ICMP flood attack, the
attacker sends a large number of ICMP packets.

Fig 1. Flowchart for DoS detection [2]

This attack is detected by the large number of ICMP packets destined to the same IP address. Port scan
and host scan are used as tools by the attacker to check the vulnerability of the systems. Host scan and
port scan finds out the vulnerable target host and its port. Lightweight detection method is advantageous
because of its light weight. Without analysing the packet content, packet size, or packet inter- arrival time,
it can identify the DoS activities.

Fig 2. DoS attack graphlet [2]

59 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
D. LD2[3]
The LD2 method proposes lightweight detection of DoS attacks. The system observes the flow behaviours
and matches them with graphlets for each attack. The system is said to be lightweight as it does not
analyses the packet such as its contents, size or statistics. Six types of DoS attacks is employed in this
method such as SYN flood, ICMP flood, host scan, port scan, UDP flood and smurf. In LD2 the effect of
background traffic intensity is studied. Based on this study, appropriate threshold levels are defined. The
performance of LD2 work is benchmarked in terms of detection accuracy, CPU utilization and memory
requirement. This method is based on the idea of BLINC. The system analyses and differentiates flow
behaviours into graphlets of different attack types. A graphlet is defined as a signature which captivates
the behaviour of a specific attack. Every graphlet depicts the relationship between source and
destination ports usage, the sets of distinct ports and IPs. The LD2 system observes attack activities for
time interval of one minute. During each interval packets are captivated and differentiated into flows of
five tuples namely srcIP, protocol, dstIP, srcPort, dstPort. All flow records are mapped to the graphlets at
the end of the interval. If the graphlets matches, all flows of that graphlet are considered as attack activity.
After this, the graphlet is removed from the system and the unmatched graphlets are carried forward for
next analysis. For each type of attack there can be multiple graphlets since the graphlets are indexed by
source IP addresses. The intensity of background traffic plays a major role in deciding the threshold of
graphlet matching. The LD2 is trained to recognize attack traffic at various intensity levels of background
traffic to determine the threshold levels. Two types of background traffic traces namely controlled traces
and real traffic traces are used.
The key advantage of LD2 is that it detects rate based attack such as flooding attacks. Its flexibility
recognizes abnormal traffic such as Trojans and worms. It consumes less memory. However, the
disadvantage is that it cannot detect bad traffic except DoS and requires more CPU resources [13].
E. Defense against DDoS using distributed Black Box and Graveyard strategies

This paper introduces two strategies of defense mechanisms: Distributed Black Box/Packet Reflector and
the Graveyard. The first scheme that is Distributed Black Box is distributed in nature and employs hybrid
defense mechanisms. The hybrid mechanism uses three basic ideas: multi deployment in the middle
locations, data mining and knowledge sharing, and mixing of previously suggested defense mechanisms.
Thereby, it is called as Distributed Black Box and can be placed anywhere in the network. Three main
places have been suggested where the mechanism can be deployed, they are:
1) Near the targeted system, 2) Near the Attacker, 3) In the middle.
The packet reflector performs the function of a) Rate Limiting to slow down the rate of incoming
packets, in the event of attack. b) Works as reflecting surface: copies the source address of incoming
packet forwards to new destination. In reflection process, destination address is replaced by source
address. c) Deploys the defense mechanism at various location . The demerit of this mechanism is that
the middle area between the attacker and victim is under the control of various internet providers. These
providers do not pay heed for effective defense mechanisms. The black box requires additional time to
alter the header and resend it. The Rate Limit does not give enough time to achieve defense mechanism
definitely. The packets are categorized into three types: a) Normal b) Suspicious c) Malicious. The
Graveyard Defense Technique is divided into two stages: a) Detection Analysis stage b) Traffic Control
Stage. In the detection analysis stage, primary testing is done to verify if the incoming packet is DDoS
malicious. If it is not then it is free to go anywhere. If the packet is malicious it is sent to the second stage,

60 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
where next level of testing is performed. In the traffic control stage each packet is assigned a category.
Suspected packets are continuously monitored and their speed is controlled while malicious packets are
immediately dropped in the graveyard. In graveyard, packets are given a chance to live if a mistake was
committed in sending them to graveyard. A second test is done to be sure whether the packet is still
needed. In this model manipulation and reflection has been removed to make the process manageable. It
still requires accurate testing operations to be reliable.

III. METHODOLOGY
In this section we describe our technique. Our proposed method for attack model is based on lightweight
methodology [2] [3]. The attack model[5] [11] contains signatures or attack patterns of the four attacks
namely host scan, port scan, TCP SYN flood, ICMP flood. The model helps to effectively differentiate
between the attack flow and normal traffic. The attack patterns are extracted from traffic flow. In our
work, we develop four attack models for each type of attack. The idea is to first generate an attack [6] [7]
to observe it and then extract the patterns or features of the attack. Thus, for every attack a different
model exists.

Fig 3. Attack Model Generation


For TCP SYN flood attack model, we first generate the TCP SYN flood attack, when the attack is generated
we observe it and extract the pattern of the attack. In TCP SYN attack [6], the attacker sends SYN packet
to the target with erroneous IP address. A SYN packet is used as a request to open a TCP connection. For
every such request, the target will send SYN/ACK packet as a reply and tries to establish a TCP
connection. These connections are never completed and they remain half open on account of spurious
IP address of the attacker. The victim indefinitely waits for the reply of the attacker. As a result its
resources are depleted while legitimate connections are denied. Thus, we can say that SYN flood attack
has occurred if different numbers of source ports or source IPs are seen in the attack model. The attack is
implemented by making modifications in the TCP SYN packet header unlike [2] [3]. We increment the
sequence number of the packets, so that wrong sequence numbered packets are delivered to the victim
and it waits indefinitely to complete the connection.
In ICMP flood attack [6], the attacker sends a large number of ICMP packets to the victim. Thereby, the
target gets flooded with packets depleting the data transmission capacity for legitimate traffic. Thereby,
in ICMP attack model, there is a continuous flow of packets. This attack is implemented by making
changes in the ICMP packet header unlike [2] [3]. A counter is setup in the packet header which
increments and floods the victim with a large number of packets.

61 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
In host scan attack model, we fix a threshold value. If the number of times of the scan surpasses the
threshold value, then host scan attack is generated. However, if the numbers of scans are within the
threshold limit it will not be considered as an attack but a normal host scan activity. Host scan attack is
generated by sending ICMP packets. Attacker sends a packet to a host, if a reply comes then it symbolizes
that the host is active. Then data packets are sent to establish connection with the victim and to extract
the required information of the host.
In port scan attack model, ports are scanned using a threshold value. If the ports are scanned beyond the
threshold value it is indicated as an attack. However, if it is scanned below threshold value it is
considered as normal activity. Port scanning informs which ports are active and services provided by
them [12]. The active ports are scanned a number of times to extract more information such as port
number, destination IP address and services provided [8].
Basically, host scan and port scan do not impose any threat to the systems. They are carried out to check
the vulnerability. After that, the attacks are launched by the attacker. The common tuple which is used in
all the four models is sourceIP address. Other tuples vary according to the nature of the attacks.
Thus, we have developed four attack models which distinguish between the normal traffic flow and
attack traffic flow.

Fig 4. Attack Model for TCP SYN Flood

Fig 6. Attack Model for Port Scan

Fig 5. Attack Model for ICMP

Fig 7. Attack Model for Host Scan

Detection of DDoS Using Attack Model


Each type of attack is detected by comparing flow behaviours against the attack models.

62 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853

Traffic
Flow

Match with
Attack
Models

Identify
DDoS
Attacks

Flow of
Attack

Flow associated
with attack

Fig 8. Flowchart for DDoS Detection


Our detection method has three steps: The traffic flow module captures the traffic flow based on 5-tuple
flow records (srcIP, protocol, dstIP, srcPort, and dstPort) and sends flow records to the Match with
Attack Model module, which maps each flow record to pre-defined attack model. Finally, the Identify
DDoS attack module uses predefined threshold value to identify flows associated with DDoS activities.
Flows that match with one of the model are then classified as DDoS traffic. The model that has been
classified in each interval will be removed from memory. The flows classified as DDoS attack will be kept
for future reference. Any unclassified pattern will be considered as unknown. The key advantage of the
proposed method is its lightweight. It can identify a group of hosts associated with DDoS activities
without analyzing packet content, packet size. Furthermore, our technique can detect other network
anomaly if they pose similar behaviours as these DDoS attacks.
Defense of DDoS Attack using distributed Black Box and Graveyard strategies
One of the main points in designing an effective defence mechanism is where to place that solution to
perform better.
There are three main suggestions of places where these mechanisms could be placed and they are:
Near the targeted system: It is not possible to place the defence mechanism near the target as it hard
to predict the target.
Near the Attacker: An effective implementation of defence mechanism is to place the defence
mechanisms near all possible attackers over the network, and this is, of course, infeasible.
In the middle: In this model, we use the defence mechanisms to provide protection to every connected
node.
The configuration of the Distributed black box has to perform the following tasks:
1. Works as a reflecting surface (e.g. a mirror); it copies the source address of the incoming packet (even
if the address was spoofed) and forwards it to the new destination.
2. Deploys the defence mechanism at different locations i.e. in the middle of the network.
This deployment will guarantee a reasonable minimization of the huge number of attacking packets
coming to the victim's network. Each node in the Distributed black box mechanism will take some of
the incoming packets and reflects them back to the source address using header manipulation tools. In
this reflection, the destination address will be replaced by the source address that is copied from the
incoming malicious packets. Each additional node that contains the black box will add more security to
defence the network. In fact, we do not expect from a single box to successfully resist an attack but

63 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
multiple black boxes will guarantee relatively low damages. In this proposal, mixing more than one idea
into one mechanism enhances the strengths of defense against DDoS attack.

IV.

EXPERIMENTAL RESULTS

In this section we describe our results using network simulator.

Fig 9. Host Scan Detection

Fig 10. Port Scan Detection

Fig 11. ICMP Flood Detection

Fig 12. TCP SYN Flood Detection

The Fig 9 depicts the host scan detection. Fig 10 depicts the port scan detection. Fig 11 depicts the ICMP
detection. Fig 12 depicts TCP SYN Flood attack.

Fig:13 Host Scan Attack Defense

Fig:14 Reflection of Packets back to Source in Host Scan

64 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853

Fig:15 Port Scan Attack Defense

Fig:16 Reflection of Packets back to Source in Port


Scan

Fig: 17 ICMP Flood Attack Defence

Fig:18 Reflection of Packets back to Source in ICMP Flood

Fig: 19 TCP SYN Flood Attack Defence

V. CONCLUSION

65 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
We propose attack models for the four DDoS attack. The model extracts the attack patterns for the host
scan attack, port scan attack, TCP SYN flood attack, ICMP flood attack. The model is generated in two
steps, first we generate the attacks and secondly we extract the attack patterns on the basis of their flow
behaviour. The advantage of the method is that we can effectively differentiate between a normal flow
and attack flow. For generation of attack models we need to have prior knowledge about the nature and
characteristics of the attacks. The model identifies attack flow but it cannot identify the specific attack
except those mentioned above. Throughput, response time and detection rate are parameters of
detection. Throughput is 87.31 % and detection rate is 97%. We have also successfully defended the
various attacks using distributed black box and graveyard method. The parameters for defense are false
positive, effectiveness and false negative.

VI. REFERENCES
[1]

Thomas Karagiannis, Konstantina Papagiannaki, and Michalis Faloutsos, BLINC: Multilevel


Traffic Classification in the Dark, ACM Sigcomm, 2005.

[2]

Sirikaran Pukkawanna, Vasaka Visoottiviseth, Panita Pongpaibool Lightweight Detection of DoS


Attacks In Proc of IEEE ICON 2007, Adelaide, South Australia, November 2007.

[3]

Sirikaran Pukkawanna, Panita Pongpaibool, Vasaka Visoottiviseth, LD2: A System for


Lightweight Detection of Denial of Service AttacksIEEE 2008.

[4]

Neha Titarmare, Nayan Hargule, Priyanka Gonnade, Punam Marbate, DDoS Detection using
Attack Model, IJARCSSE,Vol 4, Issue 6, June 2014..

[5]

Jie Yu, Zhoujun Li, Huowang Chen, Xiaoming Chen A Detection and Offense Mechanism to Defend
Against Application Layer DDoS Attacks Third International Conference on Networking and
Services (ICNS07).

[6]

Jelena Mirkovic, Gregory Prier, Peter Reiher, Attacking DDoS at Source.

[7]

J. Mirkovic, J. Martin, and P. Reiher, A Taxonomy of DDoS Attacks and DDoS Defense
Mechanisms, ACM Sigcomm Computer Comm. Rev., vol. 34, no.2, 2004, 3953.

[8]

Cynthia Bailey Lee, Chris Roedel, Elena Silenok, Detection and Characterization of Port Scan
Attacks.

[9]

Theerasak Thapngam, Shui Yu, Wanlei Zhou, Gleb Beliakov,Discriminating DDoS Attack Traffic
from Flash Crowd through Packet Arrival Patterns First International Workshop on Security in
Computers, Networking and Communications, IEEE 2011.

[10]

Simona Ramanauskait1, Antanas enys, Composite DoS Attack Model , ISSN 2029-2341 print /
ISSN 2029-2252, Vilniaus Gedimino technikos universitetas.

[11]

Jalal Atoum, Omar Faisal, Distributed Black Box and Graveyards Defense Strategies against
Distributed Denial of Services, Second International Conference on Computer Engineering and
Applications (ICCEA), 2010.

66 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org

International Journal of Advance Foundation and Research in Computer (IJAFRC)


Volume 2, Issue 6, June - 2015. ISSN 2348 4853
[12]

Cynthia Bailey Lee Detection and Characterisation of Port Scan Attacks.

[13]

Snort, http://www.snort.org.

[14]

Jalal Atoum, Omar Faisal Distributed Black Box and Graveyard Defense Strategies Against
Distributed Denial of Services, Second International Conference on Computer Engineering and
Applications (ICCEA10).

67 | 2015, IJAFRC All Rights Reserved

www.ijafrc.org