Professional Documents
Culture Documents
ABSTRACT
The Backscattering is one of spammer spoofing technique used in domain by legitimate ones, thus the spam is send
by anyone to us, we cant realize it is spam, the Non delivery report is accessed mechanism is called out when the
sender sends the spoofing content to all, for the legitimate users bounce messages are send to innocent one those
email or DNS servers etc, thus the DNS address is spoofed it is known as DNS Backscatter, The Non-Delivery
Report makes ones proof of send mail or packets to server is doubt, thus we have an Perturbation methodology to
made secure based packet sending through networks, also bounce messages can give harm to the sender, thus we
need to propagate wide technology to overcome using perturbation, in that we have introduce the stages, that gives
an very effective to prevent backscatter in network, it also gives headers, of messages previously send through that
we can easily identify it is non delivery messages (bounced) or send by victim, this title defines thoroughly of
prevention.
Keywords:- Backscatter, Non-Delivery Messages, DDoS Attacks, Perturbation
I. INTRODUCTION
The main objective of any flooding attack is
the speedy use of dangerous system resources in order
to paralyze the afford services and make them occupied
to its rightful users. Assuming that such an attack takes
place against or use a critical part like the DNS it is
very likely that would quickly harm the overall
networks services making it unavailable to any
rightful user. Many researchers have sketch out the
threat of flooding attacks using recursive DNS name Fig 1.1. DNS Backscattering
servers open to the world. For instance, according to a On the additional hand, the most complicated
recent study, which is based on case studies of several and modern attacks use the DNS method themselves
attacked ISPs report to have on a volume of 2.8 Gbps, in a try to enlarge flooding attack consequences.
one event point to attacks achievement as high as 10 Putting it one more way, in a DNS magnification attack
Gbps and used as many as 140,000 broken name state, the attacker exploits the information that little
servers. Flooding attacks against DNS are similar to size requirements could produce better answer.
other well documented Internet services flooding Particularly, new RFC condition behind IPv6, DNS
attacks and could be launched in two discrete ways. In Secure, Naming Authority Pointer (NAPTR) and other
the first case the attacker sends a huge number of fake extensions to the DNS system, need name servers to go
DNS requests either from a single or numerous back much better responses to queries. The relation
sources, depending on the flooding architecture among a request and the parallel response is known as
utilized. An instance of numerous sources flooding the strengthening factor and is calculate.
architecture attack against a DNS is depicted in figure. The attacker use a discrete plan similar to that
According to this development, the attacker arrange obtainable in obvious that the bandwidth and resources
usually innocent hosts, called bots, to concurrently use rate at the victim boost very fast. Furthermore, it
make fake DNS needs aiming at troublesome the should be famous that the attacker featly spoof all
normal DNS operation by consuming its resources; query wants to include an precise type of DNS provide
mainly memory and CPU. in order the dependable DNS server to make large
responses. This task could be managed either by
determine which DNS servers accumulate RRs that
when request create large responses or by cooperate a Amplification Factor = size of (response) / size of
DNS server and consciously include a precise record (request)
also known as the intensification record - that will
make a large reply. An illustration of this method,
exploiting large TXT records which is introduced in The bigger the intensification factor is, the
wide DNS (EDNS). As stated in by combining quicker the bandwidth and resource expenditure at the
dissimilar reaction types, the strengthening effect can victim is induced. Consequently, in the case of DNS
reach up to a feature higher than 60. After that, the amplification attack the aggressor is based on the fact
attacker collects a list of open recursive name servers that a single DNS request (small data length) could
that will recursively query for, and then return the generate very larger responses (bigger data length). For
strengthening record he/she created. Even a list of example, in the initial DNS specification the DNS
known name servers may be more than sufficient. As answer was restricted up to 512 bytes length, while in
stated in there is a 75% chance that any known name even bigger. The attack unfolds as follows: The invader
server is an open resolver too, thus a copy of a TLD falsifies the source address field in the UDP datagram
zone file may be enough. to be that of a host on the victims network. Using the
spoofed address, a DNS query for a valid reserve
Protection Mechanisms record is crafted and sent to a middle name server. The
last entity is usually an open recursive DNS server,
In here the protection mechanism is which forwards the final response towards the target
countermeasure using the strengthening of network and machine.
defend against the attacks, in general the system is
given very secured against the DNS DDos attacks and II. RELATED WORK
other protection is coped are deployed in each network,
The work of acting parallel is very big opinion to build Inferring Internet Denial-of-Service Activity:
more inattentive thing of robust DNS infrastructure and How common are denial-of-service attacks in the
the protection in our network is before attack. Internet? Our incentive is to quantitatively appreciate
the nature of the present threat as well as to allow
DNS server now can occupy transportation longer-term analysis of trend and chronic patterns of
with response, such as malign user is fitted to produce attacks. We present a new technique, called
the suitable spoofed DNS requests in the name of very backscatter analysis, that supplies a conservative
clear. The level of protection is should be introduced in approximation of worldwide denial-of-service
spoof detection mechanism and implemented in movement. We use this move toward on 22 traces
firewall as well. Moreover, to mitigate DNS cache (each covering a week or more) gather over three years
poison and Man-In-The-Middle (MITM) attacks, from 2001 through 2004. Crosswise these corpuses we
which usually are launch at the near the beginning quantitatively assess the number, length, and focus of
stages of a DNS intensification attack, additional safety attack, and qualitatively typify their behavior. In total,
mechanisms should be employed. These are necessary we observed over 68,000 attacks directed at over
in order to ensure the truthfulness and origin 34,000 distinct victim IP addresses---ranging from
verification of the DNS data that reside either in RR well-known e-commerce company such as Amazon
cache or in the region file. Apart from well and Hotmail to small foreign ISPs and dial-up
conventional practices to strongly configure DNS connections. We believe our technique is the first to
servers, one more effective remediation, at least against provide quantitative approximation of Internet-wide
outsiders, is to immobilize open recursion on name denial-of-service activity and that this article describes
servers from outside sources and only tolerant the most complete public measurements of such
recursive DNS create from trusted sources. This activity to date. A framework for classifying denial of
method significantly diminishes the intensification service attacks: Initiation a denial of service (DoS)
vector. Obtainable data until now disclose that the attack is small but discovery and reply is a painfully
majority of DNS servers operate as open recursive slow and often a physical process. Automatic
servers. The dimension factory reports that more than classification of attacks as single- or multi-source can
75% of domain name servers of about 1.3 million help focus a response, but current packet-header-based
sampled permit recursive name service to random approach are vulnerable to spoofing. The work
querying sources. This leaves deserted name servers to introduces a structure for classify DoS attack based on
both cache poisoning and DoS attacks. header content, and novel techniques such as transient
ramp-up behavior and spectral analysis. Although
headers are easily forged, we show that characteristics
of attack ramp-up and attack spectrum are more of service (DDoS) attacks continue to plague the
difficult to spoof. To evaluate our framework we Internet.
monitored access links of a regional ISP detecting 80
live attacks. Header analysis identified the number of III. BACKGROUND STUDY
attackers in 67 attacks, while the remaining 13 attacks
were classified based on ramp-up and spectral analysis. 3.1. Problems In Present System
We validate our results through monitoring at a second
site, controlled experiment, and simulation. We use Denial-of-service attack can be simply
experiments and simulation to understand the explained with the analogy of the telephone network. A
underlying reasons for the characteristics observed. In telephone number can be easily attacked by calling to
addition to helping understand attack dynamics, that number by a number of people simultaneously,
classification mechanisms such as ours are important which in turn not give access to a legitimate caller. A
for the development of realistic models of DoS traffic, denial-of-service attack is a malignant attempt by a
can be packaged as an automated tool to aid in rapid single person or a group of persons to disrupt an online
response to attacks, and can also be used to estimate service. Denial-of-service attacks have caused huge
the level of DoS activity on the Internet. Study of a financial losses in recent years in the Internet. Denial-
Denial of Service Attack on TCP: This research of-Service attacks a
sketch out a network-based denial of service attack for businesses on websites like eBay.com, amaon.com,
IP (Internet Protocol) based networks. It is popularly yahoo.com, ZDNet.com, Buy.com and a lot of other
called SYN flooding. It works by an attacker sending similar websites
many TCP (Transmission Control Protocol) connection
requests with spoofed source addresses to a victim's Most of the attacks that come under a denial-
machine. Each request causes the targeted host to of-service are bandwidth attacks. The attackers
instantiate data structures out of a limited pool of generate a huge traffic in the network and overload the
resources. Once the target host's resources are network with unwanted or bogus Internet packets.
exhausted, no more incoming TCP connections can be Detection of bandwidth attack is difficult when the
established, thus denying further legitimate access. The detector is far from the victim. But it becomes easier
research contributes a detailed analysis of the SYN when the detector is placed near to the victim.
flooding attack and a discussion of existing and Recently, a lot of denial-of-service attack detection
proposed countermeasures. Furthermore, we introduce schemes have been proposed. Most of these schemes
a new solution approach, explain its design, and come under volume-based scheme or feature-based
evaluate its performance. Our approach offers scheme. Volume-based scheme needs a detectable
protection against SYN flooding for all hosts connected disruption in the traffic volume. When the attack is
to the same local area network, independent of their done gradually, then there is a possible vulnerability in
operating system or networking stack implementation. some volume based scheme. On the other hand,
It is highly portable, configurable, extensible, and feature-based scheme detects the attack by inspecting
requires neither special hardware, nor modifications in the header information. It checks the header, and some
routers or protected end systems. A taxonomy of DDoS schemes even check the data parts as well to detect any
attack and DDoS defense mechanisms: Distributed possible anomaly in the traffic. But the checking of
denial-of-service (DDoS) is a rapidly growing problem. every single packet is time consuming and if the traffic
The multitude and variety of both the attacks and the is very high, it becomes very difficult. Feature based-
defense approaches is overwhelming. This research schemes are most accurate in detection, but they are
presents two taxonomies for classifying attacks and notoriously processor hungry. This thesis focuses on
defenses, and thus provides researchers with a better another approach, which takes the positive sides of
understanding of the problem and the current solution both volumes-based approach and feature-based
space. The attack classification criteria was selected to approach, detecting denial-of-service attack using
highlight commonalities and important features of packet size distribution. The method only uses the
attack strategies, that define challenges and dictate the entropy of the packet size, and when there is a spike in
design of countermeasures. The defense taxonomy the packet size entropy- time series, it could be a
classifies the body of existing DDoS defenses based on potential denial-of-service attack.
their design decisions; it then shows how these Network Attacks
decisions dictate the advantages and deficiencies of Reconnaissance Attacks
proposed solutions. A Path Identification Mechanism Access Attacks
to Defend Against DDoS Attacks: Distributed denial Denial-of-Service Attacks
cases the sender cannot be verified, thus ignoring the The Non delivery report of network packets
message (i.e., dropping it). are very harmful to the user agent, In some cases, the
reecipient server realizes the email cannot be delivered
4.1.1. DoS Attack Prevention in Backscattering: only after the SMTP conversation has ended, and it
tries to notify the sender by sending an NDR email.
This practice was OK before the time of spammers and
Most of the time the attacker launches a DoS email forgery (even the RFC says it should be done this
attack by sending a large amount of bogus data to way), but nowadays, it is strongly discouraged. Such
interfere or disrupt the service on the server. Using a thing may occur if the email was relayed through a
volume-based scheme to detect such attacks would not secondary MX or front-end server to a primary
be able to inspect short-term denial-of-service attacks, MX/back-end server, (so the email has already been
as well as cannot distinguish between heavy load of accepted from the original sender by the secondary
legitimate users and huge number of bogus messages MX/front-end), but the relay target server (primary
from attackers. Enabling early detection of Denial-of- MX/back-end) cannot deliver the email.
service (DoS) attacks in network traffic is an important
and challenging task because Denial-of-Service attacks a) DNS Setup Stage: This phase takes place right after
have become one of the most serious threats to the DNS is established, but before any packets are
Internet. There are methods based on packet size transmitted over the network. In this phase, Sender
entropy detection. Here what we are introducing is a decides on a symmetric-key crypto-system
hybrid approach which will use address distribution as (encryptkey, decryptkey) and Receiver symmetric keys
well as packet size entropy. key1, . . . , keyK, where encryptkey and decryptkey are
An discoverer is a particular IP address that the keyed encryption and decryption functions,
touches many destination. In the application classes we respectively. S securely distributes decryptkey and a
study, originators interact with their targets. In symmetric key keyj to node nj on PSD, for j = 1, . . . ,
principle the originator could be the victim of spoofed K. Key distribution may be based on the public-key
traffic (such as a DNS server as part of an crypto-system such as RSA: Sender encrypts keyj
amplification attack); we have not recognized such using the public key of node nj and sends the cipher
originators in our data. text to nj . nj decrypts the cipher text using its private
The movement prompts the targets interest in key to obtain keyj . Sender also announces two hash
discovering the originators domain name from its IP functions, H1 and HMAC key , to all nodes in PSD. H1
address: a reverse DNS mapping that causes a is unkeyed while HMAC key is a keyed hash function
requester to make a reverse query if the result is not that will be used for message authentication purposes
already cached. This query may be for logging (as by later on. Besides symmetric key distribution, Sender
firewalls), to perform domain-name based access also needs to set up its Perturbation keys. Let e : G G
control, or to characterize the originator (for example, GT be a computable bilinear map with
mail servers that consider the senders hostname as part multiplicative cyclic group G and support Zp, where p
of anti-spam measures). The requester is defined as the is the prime order of G, i.e., for all , G and q1, q2
computer that does resolution of the reverse name. That Zp, e( q1 , q2 ) = e(, ) q1q2 . Let g be a
the target and the requester may be the same computer, generator of G. H2(.) is a secure map-to-point hash
or the requester may be a dedicated recursive resolver function: {0, 1} G, which maps strings uniformly
shared by several targets. to G. S chooses a random number x Zp and
computes v = g x . Let u be another generator of G. The
secret PERTURBATION key is sk = x and the public
PERTURBATION key is a tuple pk = (v, g, u).
http://www.icann.org/committees/security/dns-
ddos-advisory-31mar06.pdf, March 2006.
[13] Mockapetris P., Domain Names Concepts and
Facilities, RFC 1034, November 1987.
[14] Mockapetris P., Domain Names
Implementation and Specification, RFC 1035,
Nov. 1987.
[15] Vixie P., Extension Mechanisms for DNS, RFC
2671, August 1999.
[16] Arends, R., Austein, R., Larson, M., Massey, D.,
Rose, S., Resource Records for the DNS
Security Extensions, RFC 4034, March 2005.
[17] Arends, R., Austein, R., Larson, M., Massey, D.,
Rose, S., Protocol Modifications for the DNS
Security Extensions, RFC 4035, March 2005.
[18] Guo, F., Chen, J., and Chiueh, T., Spoof
Detection for Preventing DoS Attacks against
DNS Servers, In Proceedings of the 26th IEEE
international Conference on Distributed
Computing Systems , July 2006
[19] Chandramouli, R. and Rose, S. An Integrity
Verification Scheme for DNS Zone file based on
Security Impact Analysis, In Proceedings of the
21st Annual Computer Security Applications
Conference, Dec. 2005.
[20] Atkins, D., Austein, R., Threat Analysis of the
Domain Name System (DNS), RFC 3833, Aug.
2004.