Detection Of Flooding DDOS Attacks

Using Firecol
Project members:
R.Sridharan - 42209205079
P.Swaaminathan - 42209205085
K.Natarajan - 42209205311

Under the guidance of:
Ms.A.R.Revathi
Base paper: Jérôme François, Issam Aib, "FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks", IEEE/ACM Transactions on Networking, Jan 2012


OBJECTIVE
• To achieve a scalable solution for the early detection of flooding DDoS attacks.

• To protect subscribed customers and save valuable network resources.

• FireCol provides an effective solution that increases the security and reliability of the network.

INTRODUCTION

Security is one of the critical attributes of any communication network.

The goal of a flooding DoS attack is to exhaust the victim's resources, such as link bandwidth, connection state or processing capacity, so that legitimate users are denied service.

• Wireless networks carry an additional security weakness: they are much easier to attack than wired networks.

KEYWORDS
• IPS (Intrusion Prevention System):
In FireCol, the IPSs form virtual protection rings around the hosts they defend and collaborate by exchanging selected traffic information.
• DDoS (Distributed Denial of Service):
A DDoS attack uses many distributed sources to flood a target with traffic so that it can no longer serve its legitimate users.
• FireCol:
Composed of IPSs located at the Internet service provider (ISP) level, which detect flooding attacks close to their sources and mitigate them before they reach the victim.

EXISTING SYSTEM
• The largest DDoS attacks have grown a hundredfold and now exceed 100 Gb/s, for which the majority of ISPs today lack an appropriate mitigation infrastructure.[1]
• Earlier work detects DDoS attacks by counting new IP addresses. These works are close to FireCol but differ from it, since in FireCol detection is focused on the potential victim.[2]
• A DoS-resistant communication mechanism for end-hosts based on acknowledgments has been proposed.[3]
• A peer-to-peer approach has been introduced,[4] and mobile agents have been leveraged to exchange newly detected threats.[5]

PROPOSED SYSTEM
• FireCol is a new collaborative system that detects flooding DDoS attacks as far as possible from the victim host and as close as possible to the attack source(s), at the Internet service provider (ISP) level.
• FireCol relies on a distributed architecture composed of multiple IPSs forming overlay networks of protection rings around subscribed customers.
• Participating IPSs along the path to a subscribed customer collaborate by computing and exchanging belief scores on potential attacks.

FIRECOL METRICS
1. Frequency:
The frequency f_i is the proportion of packets matching rule r_i within a detection window, where F_i is the number of packets matched by rule r_i during the detection window and the proportion is taken over the matches of all rules in the customer's rule set.
• Every customer rule set is complete, in the sense that every packet must match at least one rule.

2. Entropy:
The entropy H measures how uniformly the rule frequencies are distributed over the rule set.
• If all frequencies are equal (uniform distribution), the entropy is maximal; if all packets of the window match a single rule, it is zero.

3. Relative Entropy:
The relative entropy K(f, f') (the Kullback–Leibler distance) measures the dissimilarity between two distributions f and f', here the rule frequencies of the current detection window and those of the expected profile.
• If the distributions are identical, the relative entropy is zero, and the more the distributions deviate from each other, the higher it becomes. K(f, f') is not symmetric, and it is undefined when f' assigns zero frequency to a rule that has nonzero frequency in f, so the profile must give every rule a nonzero frequency.

FIRECOL ARCHITECTURE
FIRECOL COMPONENTS
• Packet Processor:
The packet processor examines traffic and updates the elementary metrics (counters and frequencies) whenever a rule is matched.
• Metrics Manager:
The metrics manager computes entropies and relative entropies from the frequencies.
• Selection Manager:
The selection manager checks whether the traffic during the elapsed detection window was within the customer's profile, and selects the rules to be scored.

• Score Manager:
The score manager assigns a score to each of the selected rules depending on its frequency and on the entropy of the window. The entropy and the frequency are considered high if they are respectively greater than a threshold. The different cases are presented in the decision table.

THE DECISION TABLE

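The metrics and the component chain above, worked on constructed data, as an added example. It is written in Python for brevity rather than in the project's Java Swing code base, and it is neither the project's nor the base paper's implementation. It uses the definitions the page gives in words, f_i = F_i / Σ_j F_j, H = -Σ_i f_i ln f_i and K(f, f') = Σ_i f_i ln(f_i / f'_i), and goes a little beyond the page: the entropy is normalised by ln(n) so the uniform distribution scores exactly 1, the profile is floored at a small eps so that K stays defined, and each window is compared against a profile learnt from a normal window. The rule set, the (dst_port, kind) packet shape, the three windows t1 to t3, the thresholds k_max, theta_f and theta_h, and the score mapping (a rule scores 1 when its frequency is high while the window entropy is low) are all assumptions of this example and not the page's decision table. The three windows mirror the three-rule, three-window figure described at the end of the page.

```python
"""FireCol-style per-window metrics on constructed packet counts.

Added example for this page; it is not the project's own code and not the
base paper's implementation.  The rule set, packet shape, thresholds and the
score mapping are assumptions of the example.
"""
import math
from typing import Callable, Dict, List, Tuple

Packet = Tuple[int, str]            # (dst_port, kind): constructed shape
Rule = Tuple[str, Callable[[Packet], bool]]

# Hypothetical rule set for one subscribed customer.  The catch-all entry in
# count_matches() makes it complete: every packet matches at least one rule.
RULES: List[Rule] = [
    ("syn_80", lambda p: p[1] == "SYN" and p[0] == 80),
    ("udp_53", lambda p: p[1] == "UDP" and p[0] == 53),
    ("icmp",   lambda p: p[1] == "ICMP"),
]
CATCH_ALL = "other"


def count_matches(packets: List[Packet], rules: List[Rule] = RULES) -> Dict[str, int]:
    """Packet processor: F_i = number of packets matched by rule r_i in the window."""
    counts = {name: 0 for name, _ in rules}
    counts[CATCH_ALL] = 0
    for p in packets:
        hit = [name for name, pred in rules if pred(p)]
        for name in hit or [CATCH_ALL]:      # unmatched packets go to the catch-all
            counts[name] += 1
    return counts


def frequencies(counts: Dict[str, int]) -> Dict[str, float]:
    """f_i = F_i / sum_j F_j, the proportion of matches that went to rule r_i."""
    total = sum(counts.values())
    return {r: (c / total if total else 0.0) for r, c in counts.items()}


def entropy(freqs: Dict[str, float], normalise: bool = True) -> float:
    """Metrics manager: H = -sum_i f_i ln f_i.  With normalise=True the value is
    divided by ln(n) so the uniform distribution scores exactly 1.0 and the
    'high entropy' threshold does not depend on the number of rules (an
    assumption of this example)."""
    h = -sum(f * math.log(f) for f in freqs.values() if f > 0.0)
    n = len(freqs)
    return h / math.log(n) if normalise and n > 1 else h


def relative_entropy(f: Dict[str, float], f_prime: Dict[str, float],
                     eps: float = 1e-9) -> float:
    """K(f, f') = sum_i f_i ln(f_i / f'_i), the Kullback-Leibler distance.
    K is asymmetric and undefined when f'_i = 0 while f_i > 0, so the profile
    f' is floored at eps (assumption of this example)."""
    return sum(fi * math.log(fi / max(f_prime.get(r, 0.0), eps))
               for r, fi in f.items() if fi > 0.0)


def analyse_window(packets: List[Packet], profile: Dict[str, float],
                   k_max: float = 0.1, theta_f: float = 0.5,
                   theta_h: float = 0.5) -> dict:
    """Run one detection window through the component chain.

    Selection manager: the window is 'within profile' if K(f, profile) <= k_max.
    Score manager: a frequency is high if f_i > theta_f, the entropy is high
    if H > theta_h.  The page's decision table is not reproduced; as an
    assumption, a rule scores 1 when its frequency is high while the window
    entropy is low (traffic concentrated on that one rule), else 0.
    """
    freqs = frequencies(count_matches(packets))
    h = entropy(freqs)
    k = relative_entropy(freqs, profile)
    entropy_high = h > theta_h
    scores = {r: int(f > theta_f and not entropy_high) for r, f in freqs.items()}
    return {"freqs": freqs, "entropy": h, "rel_entropy": k,
            "within_profile": k <= k_max, "scores": scores}


def window(syn80: int, udp53: int, icmp: int, other: int) -> List[Packet]:
    """Build a constructed detection window with the given per-class counts."""
    return ([(80, "SYN")] * syn80 + [(53, "UDP")] * udp53
            + [(0, "ICMP")] * icmp + [(443, "ACK")] * other)


# Constructed windows: t1 is the learnt profile, t2 looks like t1, t3 is a
# SYN flood toward port 80 (900 SYNs against the usual 40).
T1 = window(40, 30, 10, 20)
T2 = window(38, 33, 9, 20)
T3 = window(900, 30, 10, 20)
PROFILE = frequencies(count_matches(T1))

if __name__ == "__main__":
    for name, pkts in (("t1", T1), ("t2", T2), ("t3", T3)):
        r = analyse_window(pkts, PROFILE)
        print(name, {k: round(v, 3) for k, v in r["freqs"].items()},
              "H=%.3f K=%.3f in_profile=%s scores=%s"
              % (r["entropy"], r["rel_entropy"], r["within_profile"], r["scores"]))
```

Run directly, the script prints, for each window, the rule frequencies, H, K against the profile, whether the window is within profile and the per-rule scores. Windows t1 and t2 stay within profile with high entropy and no rule scored; the SYN-flood window t3 leaves profile (K is about 0.66), its entropy collapses (H is about 0.21) and only syn_80 is scored, which is the concentration on one rule that the frequency and entropy metrics are meant to expose.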
MODULES
1. Client Application
2. DoS Attack
3. File Server
4. Location Guard
5. Normal Client

SYSTEM CONFIGURATION
Hardware Requirements:
• Processor: Pentium IV 2.4 GHz
• Hard disk: 40 GB
• Monitor: 15-inch VGA colour
• RAM: 512 MB

Software Requirements:
• Platform: JDK 1.5
• Programming language: Java (Swing)
• Tool: NetBeans 5.5
• Operating system: Windows 2000 or XP

REFERENCES
[1] J. François, I. Aib, and R. Boutaba, "FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks," IEEE/ACM Trans. Netw., vol. 20, no. 6, 2012. [Online]. Available: http://dl.acm.org/citation.cfm?id=2428675
[2] T. Peng, C. Leckie, and K. Ramamohanarao, "Detecting distributed denial of service attacks by sharing distributed beliefs," in Proc. 8th ACISP, Wollongong, Australia, Jul. 2003, pp. 214–225.
[3] G. Badishi, A. Herzberg, and I. Keidar, "Keeping denial-of-service attackers in the dark," IEEE Trans. Depend. Secure Comput., vol. 4, no. 3, pp. 191–204, Jul.–Sep. 2007.
[4] R. Janakiraman, M. Waldvogel, and Q. Zhang, "Indra: A peer-to-peer approach to network intrusion detection and prevention," in Proc. IEEE WETICE, Jun. 2003, pp. 226–231.
[5] K. Deeter, K. Singh, S. Wilson, L. Filipozzi, and S. T. Vuong, "APHIDS: A mobile agent-based programmable hybrid intrusion detection system," in Proc. MATA, 2004, pp. 244–253.

CLIENT APPLICATION MODULE
• This module gathers the server IP address and port number.

• The other modules connect to the server using the address and port collected by this module.

FILE SERVER MODULE
• A file server is a computer attached to a network whose primary purpose is to provide a location for shared disk access.
• It is designed primarily to enable the storage and retrieval of data, while the computation is carried out by the workstations.

DDOS ATTACK MODULE
• A distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
• Perpetrators of DDoS attacks typically target sites or services hosted on high-profile web servers, such as banks and credit card payment gateways, and even root name servers.

HORIZONTAL AND VERTICAL COMMUNICATION

The final figure shows the frequencies of three rules r1, r2, r3 from three distributions representing different detection windows (t1, t2, t3), together with the corresponding entropies and relative entropies.