Abstract
Distributed Denial of Service (DDoS) attacks hit networks and web services every
day, and many research projects and commercial activities try to design DDoS
protection solutions. Nevertheless, increasingly sophisticated and powerful DDoS
attacks mean that many of these comprehensive protection solutions are not as
effective as claimed and do not fully mitigate advanced attacks. It is therefore
important to test DDoS protection solutions and reveal their limitations and
bottlenecks before deploying them in production networks. This work deals with
DoS and DDoS detection techniques and presents testing procedures for DDoS
protection solutions. We describe the state of the art in detecting current DDoS
attacks: techniques based on signature detection and on anomaly detection.
Alternative approaches are also evaluated and their advantages and drawbacks
discussed. Besides these detection techniques, we survey and evaluate DDoS
protection solutions and dedicated DDoS protection appliances.
Further, we introduce two testing procedures for observing the behaviour of
network security and DDoS protection appliances under DDoS attack. The first
procedure is based on a software DDoS generator that runs on a common server or
personal computer; the paper also presents several software DDoS generators and
their specifications. The second procedure uses the professional stress tester
Spirent Avalanche, which can generate various types of DDoS attacks, mix them
with legitimate traffic, and emulate various communication protocols and services.
We evaluate both procedures and present our experimental results, focusing on
their performance and modularity and on the range of DoS/DDoS attacks that
can be generated.
Keywords: DoS Attacks, DDoS Attacks, DDoS protection, DDoS detection,
network, security, tests.
1 Introduction
Internet services, websites and web applications are used by many clients every
day. These services must work correctly and remain available to their users.
Nevertheless, Internet connectivity also lets attackers reach these services and
cause economic damage through their malfunction or interruption. Distributed
denial of service attacks have become very frequent. Generally, a Denial of Service
(DoS) attack is carried out by a single host, whereas a Distributed DoS (DDoS)
attack is sent by many hosts or bots controlled by an attacker. These attacks
usually flood services on target devices connected to the Internet. The basic
principle of DDoS attacks is depicted in Figure 1, which shows a combination of a
flood DDoS attack and an amplification flood DDoS attack. More information
about the types of DDoS attacks can be found in [1].
The most important part of this testing topology is the software (SW) DoS
generator node. We use a server running Linux (Debian 7.4). The device must have
two high-throughput network interfaces (at least 1 Gbps): the first is used for
configuration and remote control, the second for sending DoS traffic to the device
under test. The generator can employ any of the existing software DDoS testers
described in Section 4.1, but we use a simple script to generate DoS/DDoS attacks.
The implemented DoS tester program is written in Python and provides five types
of DoS attack: TCP-SYN, TCP-RST, TCP Xmas, UDP flood and ARP DoS attacks.
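The five attack classes above can be recognised from packet headers by simple signature rules, and the flood itself by a rate anomaly against a baseline of clean traffic. The following Python block is an added example written for this page, not the paper's tester script: it classifies constructed packet summaries (not captured traffic) into TCP-SYN, TCP-RST, TCP Xmas, UDP and ARP, learns per-class packets-per-second baselines from the first seconds of the sample, and raises an alert when a class exceeds the baseline mean plus k standard deviations. The `Pkt` record layout, the threshold floor and the value of k are assumptions of this example.

```python
"""Signature + anomaly detection over packet summaries.

Added example (not the paper's tester): the signature rules map packets onto
the five attack classes the software generator emits (TCP-SYN, TCP-RST,
TCP Xmas, UDP flood, ARP flood); the anomaly rule flags a class whose
per-second rate exceeds a baseline learned from clean seconds.
All packet records are constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Pkt:
    """Minimal packet summary (assumed layout for this example)."""
    ts: float        # arrival time in seconds
    proto: str       # "tcp" | "udp" | "arp"
    src: str         # source address (spoofed in floods)
    flags: int = 0   # TCP flags, 0 for non-TCP


def classify(p: Pkt) -> str:
    """Signature rules for the generator's attack types."""
    if p.proto == "arp":
        return "arp"
    if p.proto == "udp":
        return "udp"
    f = p.flags
    if f & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "tcp-xmas"      # FIN+PSH+URG together: no normal stack sends this
    if f & SYN and not f & ACK:
        return "tcp-syn"       # connection-opening SYN without ACK
    if f & RST:
        return "tcp-rst"
    return "tcp-other"


def rates_per_second(packets):
    """-> {attack class: Counter{second: packet count}}"""
    out = defaultdict(Counter)
    for p in packets:
        out[classify(p)][int(p.ts)] += 1
    return out


def learn_baseline(packets, train_seconds):
    """Per-class (mean, std-dev) of per-second counts over seconds [0, train_seconds),
    which are assumed to be clean traffic."""
    base = {}
    for cls, per_sec in rates_per_second(packets).items():
        series = [per_sec.get(s, 0) for s in range(train_seconds)]
        base[cls] = (mean(series), pstdev(series))
    return base


def detect(packets, baseline, k=3.0, floor=50):
    """Anomaly rule: alert (second, class, count, threshold) when a class's count in
    one second exceeds max(floor, mean + k*std). floor and k are assumed values."""
    alerts = []
    for cls, per_sec in rates_per_second(packets).items():
        mu, sd = baseline.get(cls, (0.0, 0.0))
        thr = max(floor, mu + k * sd)
        for sec in sorted(per_sec):
            if per_sec[sec] > thr:
                alerts.append((sec, cls, per_sec[sec], thr))
    return alerts


def build_sample():
    """Constructed traffic: 10 s of a normal mix (20 SYN/s, 20 ACK/s, 10 UDP/s),
    plus a spoofed SYN flood during seconds 5-6 and an Xmas burst in second 7."""
    pkts = []
    for s in range(10):
        for i in range(20):
            pkts.append(Pkt(s + i / 20, "tcp", f"10.0.0.{i}", SYN))
            pkts.append(Pkt(s + i / 20, "tcp", "10.0.1.1", ACK))
        for i in range(10):
            pkts.append(Pkt(s + i / 10, "udp", "10.0.2.2"))
    for i in range(2000):                       # 1000 SYN/s for two seconds
        pkts.append(Pkt(5 + i / 1000, "tcp", f"198.51.100.{i % 250}", SYN))
    for i in range(300):                        # 300 Xmas packets in one second
        pkts.append(Pkt(7 + i / 300, "tcp", "203.0.113.9", FIN | PSH | URG))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    base = learn_baseline(sample, train_seconds=5)
    for alert in detect(sample, base):
        print(alert)
```

The detector is rate-only: a real appliance would add half-open connection counting for SYN floods and per-source limits, which this example deliberately leaves out. Note that a class absent from the training seconds (here TCP Xmas) gets a zero baseline, so only the floor protects against alerting on a single packet; the floor therefore has to be set from the expected traffic of the device under test.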
The hardware of the SW DoS generator node should be powerful (fast CPU, enough
memory) to generate a large number of packets per second. The device under test
can be a web server, a firewall, a router and so on. When testing web servers or
other services, legitimate client traffic should be emulated by a client emulator
application and mixed with the DoS traffic on a high-performance switch (Switch 2)
so that the results reflect realistic conditions. When testing the performance and
DoS mitigation functions of a firewall or a router, the DoS attack can be sent
directly to the device (Switch 2 is not needed). The control terminal is used for
remote control and configuration of the nodes and devices in the testing topology
via Switch 1.
The most important part of this procedure is the test appliance. We use the
Spirent Avalanche 3100B stress tester, briefly described in Section 4.2, to
generate DDoS/DoS traffic as well as normal traffic from emulated clients or
servers. The tester provides 16 types of DDoS/DoS attacks, and an attack designer
component can be used to implement new attacks for testing purposes. Its
advantage is that client-side and server/service-side emulation are combined in a
single device. The tester can run several attacks at the same time and mix them
with emulated legitimate traffic to obtain more realistic results, so a wide range
of network security devices and network services can be tested. The control
terminal is used for remote control and configuration of the test appliance and
the device under test via Switch 1. The link between the test appliance and the
device under test should have high throughput (e.g. 10 Gbps fibre interfaces).
Example results for a Cisco ASA 5510 firewall under SYN flood attack are depicted
in Figure 6.
Figure 6: Throughput of the Cisco ASA 5510 firewall under DDoS SYN flood attacks.
8 Conclusions
In this paper, we described and evaluated the basic DDoS/DoS detection
techniques (anomaly-based, signature-based and hybrid) and three DDoS/DoS
protection approaches (based on network security devices, on anti-DoS appliances,
and on cloud services). Cloud-based DDoS mitigation is more appropriate for small
and medium-sized networks because of its modest cost, the high proportion of
DDoS traffic it mitigates, and acceptable detection and mitigation response times
(minutes). Appliance-based anti-DDoS/DoS protection is usually more costly than
cloud-based protection, but it should be deployed in high-profile large e-commerce
sites and data centres, which face attacks more frequently and need faster
DDoS/DoS detection and mitigation.
The paper also describes some common hardware- and software-based DDoS/DoS
generators and testers with their specifications, and presents two DDoS/DoS
testing procedures. The software-based procedure can generate some basic
DoS/DDoS attacks and flood less powerful network devices to find their limits; for
example, it generates a DDoS SYN attack at up to 208 000 packets per second. The
appliance-based procedure can run the same DDoS SYN attack at up to 7.5 million
packets per second when the Avalanche 3100B with a 10 Gbps interface is
employed. For professional testing of larger networks and specialised security
devices, the appliance-based procedure is more appropriate than the software-based
one because of its performance and configuration options.
Acknowledgements
Research described in this paper was financed by the National Sustainability
Program under grant LO1401, by the Czech Science Foundation under grant no.
14-25298P and the Technology Agency of the Czech Republic project
TA0301081. For the research, infrastructure of the SIX Center was used.
References
[1] Dzurenda, P., Martinasek, Z., Malina, L.: Network Protection Against
DDoS Attacks. International Journal of Advances in Telecommunications,
Electrotechnics, Signals and Systems, vol. 4, no. 1, pp. 8-14, 2015.
[2] Alenezi, M., Reed, M.: Methodologies for detecting DoS/DDoS attacks
against network servers. In: ICSNC 2012, The Seventh International
Conference on Systems and Networks Communications, pp. 92-98, 2012.
[3] Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network based defense
mechanisms countering the DoS and DDoS problems. ACM Computing
Surveys (CSUR), vol. 39, 42 pages, 2007.
[4] Kompella, R. R., Singh, S., Varghese, G.: On scalable attack detection in the
network. In: Proceedings of the 4th ACM SIGCOMM Conference on Internet
Measurement, ACM Press, New York, pp. 187-200, 2004.
[5] You, Y., Zulkernine, M., Haque, A.: Detecting flooding-based DDoS
attacks, pp. 1229-1234, 2007.
[6] Talpade, R., Kim, G., Khurana, S.: NOMAD: Traffic-based network
monitoring framework for anomaly detection. In: Fourth IEEE Symposium
on Computers and Communications, pp. 442-451, 1999.
[7] Kim, Y., Jo, J. Y., Suh, K. K.: Baseline profile stability for network anomaly
detection. International Journal of Network Security, vol. 6, no. 1, pp. 60-66,
2008.
[8] Jalili, R., Imani-Mehr, F., Amini, M., Shahriari, H. R.: Detection of
distributed denial of service attacks using statistical pre-processor and
unsupervised neural networks. In: Information Security Practice and
Experience, Springer, pp. 192-203, 2005.
[9] Blazek, R. B., Kim, H., Rozovskii, B., Tartakovsky, A.: A novel approach to
detection of denial-of-service attacks via adaptive sequential and batch-
sequential change-point detection methods, pp. 220-226, 2001.
[10] Cabrera, J. B. D. et al.: Proactive detection of distributed denial of service
attacks using MIB traffic variables - a feasibility study, pp. 609-622, 2001.
[11] Defeating DDoS Attacks. Cisco Systems, Inc., white paper, 11 pages, 2004.