Distributed denial of service attack and defence mechanisms


Distributed Denial of Services (DDoS): Attacks and Defence Mechanisms

Mohammad Takhi Abed Sarkil
Master's student, Telecommunication Systems
Blekinge Institute of Technology, Karlskrona, Sweden
mosa17@student.bth.se

Nasirali Kovvuru
Master's student, Telecommunication Systems
Blekinge Institute of Technology, Karlskrona, Sweden
nako17@student.bth.se

Abstract— A Distributed Denial of Service (DDoS) attack is a variant of a DoS attack that employs very large numbers of attacking computers to overwhelm the target with bogus traffic. To achieve the necessary scale, DDoS attacks are often performed by botnets, which can co-opt millions of infected machines to unwittingly participate in the attack. Ping-of-death, SYN flooding, ICMP flooding and HTTP flooding are the most popular DDoS attacks. IRC-based bots give attackers a communication channel for instructing bots to attack; in automatic DDoS attacks, however, the use phase is automated in addition to the recruit, exploit and infect phases, so no communication between the attacker and the agent machines is needed and everything is pre-programmed. It is now essential to create sophisticated automatic defense techniques to overcome such automated attacks. Solutions to these attacks are broadly classified into four proposals: attack prevention, attack detection, attack source identification and attack reaction. To realize these proposals, we should use intelligence at different layers of the OSI reference model and evaluate its performance. This paper is a theoretical evaluation of our hypothesis that "securing OSI layers against DDoS attacks by enhancing protocols and machine learning algorithms will not give a perfect defense mechanism against DDoS attacks".

Keywords— zombies, botnets, flooding, IP spoofing, TCP, UDP, IRC, machine learning, artificial intelligence.

I. INTRODUCTION

DDoS attacks are one of the key issues in the rapidly growing Internet environment. They mainly aim to disrupt the services provided by a victim, either by excessive use of bandwidth or by overloading it with malicious requests that occupy the limited resources of the host, taking advantage of vulnerabilities in the Internet Protocol. The present Internet protocols have no intelligence to validate the contents of an IP packet [1], which is a huge advantage for attackers who want to fake their identity. The main types of attack are flooding and spoofing [2], and any service provider can become a victim of a DDoS attack. The main aim of the attack is to make the resources of a provider unavailable to its legitimate users. Recent research on defense methods has proved effective to some extent, but the main problem is that packets from legitimate users may also get dropped by these approaches. It is essential to optimize the existing methods or propose a more effective integrated solution to handle these attacks. In recent times the number of attacks of this kind has increased, and there are different reasons for them. The existing defense mechanisms are effective to some extent but not satisfactory. As the Internet changes day by day, attackers also become more aware and keep changing the types of attack on service providers. Based on the degree of automation there are also diverse types of attack. Attackers make use of existing vulnerabilities in operating systems to make slaves, which we call 'zombies' or 'bots'; a network of these bots is called a botnet. The power of the attack depends on the size of the botnet.

This paper is organized as follows. In Section 2 we look at a survey of recent DDoS attacks [2]. In Section 3 we briefly explain the types of attack and the present defense mechanisms. In Section 4 we consider the problems in defending against DDoS attacks. In Section 5 we briefly look at concepts of interest such as a secure UDP protocol, a secure TCP protocol and artificial intelligence. In Section 6 we discuss whether our hypothesis holds and present the results, and in Section 7 the conclusion and future scope of this project are summarized.

II. SURVEY OF RECENT DDOS ATTACKS

Recently many DDoS attacks have been reported. DDoS attacks are being used in politics, for presidential elections. A group called Armada Collective demanded 350,000 dollars from seven banks in South Korea in exchange for not disturbing their online services; money remains a driving factor for DDoS attacks. Growing interest in cryptocurrencies is drawing the interest of attackers, who try to manipulate the currency rates on the different platforms. In gaming, while security is far from perfect, billions of dollars of profit are being made on hybrid gaming platforms via the links between resources and applications. In June and July there was a DDoS attack on the Final Fantasy game servers. In September, the site of the UK National Lottery was seriously affected for 90 minutes, which caused serious losses to the service. Some platforms have started eliminating possible vectors of their own; recently, Netflix found serious vulnerabilities in its API and developed two tools of its own to deal with infected applications.

III. TYPES OF ATTACKS AND PRESENT DEFENCE MECHANISMS

There are many types of DDoS attack, of which the most common are flooding attacks [3], brute-force attacks, service overloading attacks and protocol-based attacks. Attackers hide their identity by spoofing it with the IP address of a bot, so the service provider cannot recognize this traffic as malicious. With the help of these bots the attackers enter the host network, disturb the activity of the host and degrade its service to legitimate users. Attacks can also be classified by their degree of automation: manual, semi-automated and automated attacks [3]. The main problem in defending against the attacks is not being able to differentiate the attackers' traffic from genuine traffic. The Internet is designed for easy end-to-end connection, and the Internet Protocol does not support checking the content of the packets that are received and transmitted [1]. This is the main advantage for attackers and should be taken care of as soon as possible. The existing defense mechanisms are attack detection, attack prevention, attack source identification and attack reaction. Attack prevention refers to identifying and filtering the attacker's packets before the attack. Attack detection refers to detecting a DDoS attack at a very early stage, preventing a huge loss of resources. Attack source identification refers to identifying the source of the attack in order to catch and punish the attackers. Attack reaction refers to identifying the attack and reacting to it by stopping and eliminating it. To achieve all these defense mechanisms there is a need to implement and install intelligence at each layer of the OSI reference model. Still, there are no specific methods to detect and defend against DDoS attacks. Recent papers mostly concentrate on the statistical changes in load before and after an attack, network hardening techniques, server hardening techniques and the use of artificial intelligence to accomplish these tasks. But all these techniques face errors and may drop packets from genuine users when implemented.

IV. PROBLEMS IN DEFENDING DDOS ATTACKS

Most DDoS attacks are brute-force attacks, which makes the countermeasure task difficult because of the following factors:

A. Flash crowds

A flash crowd is a common phenomenon in most web services. It results in a congested network, server overloading and a substantial number of flows, but it is predictable. It is very complex to distinguish between a bandwidth attack and a flash crowd. This is one of the problems we must consider.

B. Multiple ways of attack

It is essential to predict the ways an attack can be carried out; attackers make use of different vulnerabilities in our operating systems before they get patched. They use very sophisticated and smart techniques to hide themselves and make the attack powerful. They think in a multidimensional way: if the victim does not have vulnerabilities, they search for dependencies of the victim's operations. Say the victim needs access to services outside its own network to carry out its tasks; attackers then try to overload those outer services so that the victim is affected. This is another problem we must consider. Furthermore, attackers may use new methods to defeat existing defense mechanisms, so it is essential that our system learns new attack types by itself and updates its filters accordingly.

C. Multiple source types

As technology advances, many new gadgets and devices start using Internet (WAN) technology for communication. The traffic from each source type must be inspected and classified. The number of filtering rules that can be installed in a router or firewall is often limited, so it can be impossible to set up a filter for each source when very large botnets are involved in the attack. In 5G, IoT devices (numerous diverse types of devices) start sending their data to corresponding control servers. This is one of the problems we must consider.

D. Filter placement

There are three possible locations to place filters: close to the source (server), close to the victim (bot), and within the intermediate network. Placing filters close to the source or within the intermediate network is very desirable in order to eliminate the problem at its root, but installation at many systems is not desirable. So high-level planning should be done to strategically place the filters [1] at discrete points such that all packets from all sides get filtered. This is also one of the problems we must consider.

V. INTERESTING CONCEPTS

The transport layer is responsible for peer-to-peer connection management by means of connection-oriented and connectionless services. It is also responsible for flow control, error control and process-to-process delivery. The best-known transport layer protocols [4] are TCP and UDP. Securing these protocols to make the system resistant to DDoS attacks is essential, and it can be done by making use of well-known key exchange and encryption mechanisms.

A. UDP

UDP is a connectionless, unacknowledged, process-to-process, best-effort delivery service like IP, and it is operating-system independent. UDP packets are called user datagrams and have a fixed-size header of 8 bytes consisting of the source port number (16 bits), destination port number (16 bits), total length (16 bits) and checksum (16 bits). Each process is identified by its source and destination port numbers. Looking at the UDP header, the only field that provides an integrity check for whether the packet got corrupted is the 16-bit checksum. The UDP checksum calculation differs from the one for IP and ICMP: it covers three sections, a pseudo-header, the UDP header and the data coming from the application layer. All of this is taken as 16-bit words and summed, and the resulting sum is complemented to give the checksum. The checksum is used purely for the integrity of the packet data. On the other hand, UDP packets can be tracked by stateful firewalls, especially to recognize the application that requested those packets; a stateful firewall using iptables can trace and drop unknown UDP packets, but this does not help in the case of DDoS attacks, since all the packets come from legitimate users (zombies).

1. Key exchange: The JFK (Just Fast Keying) protocol [4] can be used instead of the IKE (Internet Key Exchange) protocol; it is more narrowly designed for Internet security applications. The main goals of JFK are security of the generated key, perfect forward secrecy, privacy, memory-DDoS resistance (to resist memory exhaustion attacks), computation-DDoS resistance (to resist CPU exhaustion attacks), efficiency and non-negotiability (to avoid complex negotiations over capabilities). The IETF is still working on IKE to patch its vulnerabilities to DDoS attacks and the complexity of the protocol. In the meantime, JFK can be used instead of IKE to protect against DDoS attacks.

2. Embedding a hidden message in the data: Apart from the header, a UDP packet has a data part, and that can be used to embed some intelligence bits (a secret message or code). In this approach, we choose 4 bit positions at random in which to embed the hidden code. The hidden code must be exchanged between sender and receiver, in both directions, before the actual data communication starts (via key exchange phase 1 of the JFK protocol). When a sender wants to communicate a UDP message or code to the receiver, it must first let the receiver know the positions of the secret code over the encrypted channel. The filter on the nearest gateway router recognizes, by steganography and watermarking methods, the right UDP packets carrying this hidden message; if a packet passes the integrity check it is forwarded to the receiver, otherwise the gateway router drops it. The probability of discovering the secret code, which is randomly distributed in the data part of the UDP packet, is 1/2^24, which is low for a brute-force attack. Without the hidden message an intruder cannot know the positions of the secret code bits and cannot impersonate a user. An attacker may sniff packets and learn the bit pattern by guessing or by analyzing them; to prevent such replay attacks, the hidden message or code is re-exchanged once every 5 minutes or once every 500 packets, which keeps replay attacks under control. Packet authentication gives us more security by resolving man-in-the-middle attacks. This model is resistant to IP spoofing in DDoS attacks.

B. TCP protocol

The most common DDoS attack using TCP [5] is SYN flooding. To resist SYN flooding, a procedure similar to the one for secure UDP can be used with TCP: encrypted secret messages are exchanged before the three-way handshake, and during the handshake the secret code is sent at random bit positions along with the data part. At any point, if the data part of an acknowledgement packet does not carry the secret code at the agreed positions, the SYN exchange is terminated. As with UDP, any packet that does not carry the embedded code is rejected, and replay attacks are prevented in the same way. The performance analysis of the secure TCP and secure UDP protocols is given in [4].

C. DDoS defence based on Artificial Intelligence

Well-known DDoS attack detection methods are statistical methods and machine learning methods.

1. Statistical methods: This is similar to the attack prevention method, but instead of filtering ingress and egress traffic we monitor the traffic. The monitoring task is done by deploying a defense system at the source end of the network. In this approach, the defense system compares different entropy measures [6] (Shannon entropy, Hartley entropy, Rényi's entropy, Rényi's generalized entropy, etc.), which are distinguished by the base of the logarithm used to define them. Bandwidth utilization statistics are used to detect both low-rate and high-rate attacks, by making use of pattern recognition techniques.

2. Machine learning: The most frequently used machine learning algorithms [7] for anomaly detection are Naïve Bayes, neural networks, support vector machines, decision trees and k-nearest neighbours.

Figure 1 depicts an architecture for a DDoS attack detection system. First, ingress and egress filtering is done; if the resulting traffic seems legitimate it is taken into a database for further processing by machine learning algorithms, otherwise the packets are dropped. The data in the database is used by the machine learning algorithms to extract the features of the traffic (packet rate, protocol type, bandwidth, statistics, etc.). The extracted features are then normalized to speed up the training process, which is done by some machine learning algorithm, and the resulting packet is labelled by those algorithms as either legitimate or a DDoS attack packet. If it is labelled as a DDoS attack packet it is dropped at this step and the filtering rule is updated. Since the labels are pre-defined and under our control, this is supervised machine learning.

Figure 1: Architecture for DDoS attack detection using Artificial Intelligence [4].
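As an added illustration of the secure-UDP filter described in V.A (example code written for this page, not code from the paper or from [4]), the following Python implements a gateway-side check that combines the RFC 768 checksum over the pseudo-header as the integrity check with a 4-bit code hidden at pre-agreed bit positions of the UDP data part. The addresses, bit positions and code values are constructed assumptions; in the scheme they would be chosen at random and exchanged during the JFK key-exchange phase.

```python
import struct

# Constructed parameters (in the paper's scheme these are random and exchanged
# over the JFK phase-1 channel, and renewed every 5 minutes / 500 packets).
SRC_IP = bytes([10, 0, 0, 5])          # constructed addresses
DST_IP = bytes([10, 0, 0, 9])
POSITIONS = (3, 17, 42, 77)            # agreed bit offsets into the data part
CODE = (1, 0, 1, 1)                    # secret bits expected at those offsets


def udp_checksum(src_ip, dst_ip, udp_segment):
    """One's-complement sum over pseudo-header + UDP header + data (RFC 768)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    data = pseudo + udp_segment
    if len(data) % 2:
        data += b"\x00"                # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF  # a computed zero is sent as all ones


def build_datagram(src_ip, dst_ip, sport, dport, payload):
    """Assemble a UDP datagram (8-byte header + data) with a correct checksum."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def embed_code(payload, positions, code):
    """Overwrite the agreed bit positions of the data part with the code bits."""
    buf = bytearray(payload)
    for pos, bit in zip(positions, code):
        byte, off = divmod(pos, 8)
        mask = 1 << (7 - off)
        buf[byte] = (buf[byte] | mask) if bit else (buf[byte] & ~mask & 0xFF)
    return bytes(buf)


def extract_code(payload, positions):
    return tuple((payload[p // 8] >> (7 - p % 8)) & 1 for p in positions)


def gateway_filter(src_ip, dst_ip, datagram, positions=POSITIONS, code=CODE):
    """Forward only datagrams that pass the integrity check and carry the code."""
    if len(datagram) < 8:
        return "drop: truncated"
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return "drop: bad length"
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    if udp_checksum(src_ip, dst_ip, zeroed) != csum:
        return "drop: checksum"        # corrupted or tampered in transit
    payload = datagram[8:]
    if max(positions) >= 8 * len(payload):
        return "drop: too short for code"
    if extract_code(payload, positions) != tuple(code):
        return "drop: no hidden code"  # sender does not hold the secret
    return "forward"


def demo():
    """Constructed traffic: a genuine datagram, a spoofed one, a corrupted one."""
    data = b"sensor reading 42, constructed payload bytes"
    legit = build_datagram(SRC_IP, DST_IP, 40000, 5000, embed_code(data, POSITIONS, CODE))
    spoofed = build_datagram(SRC_IP, DST_IP, 40000, 5000, embed_code(data, POSITIONS, (0, 0, 0, 0)))
    corrupted = bytearray(legit)
    corrupted[-1] ^= 0x01              # flip one bit of the last data byte
    return tuple(gateway_filter(SRC_IP, DST_IP, d) for d in (legit, spoofed, bytes(corrupted)))
```

Note that the code bits overwrite application data at the chosen offsets; a deployment would reserve those positions in the application framing.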

VI. SOLUTION DISCUSSION

For the first two solutions at the transport layer, i.e., the secure UDP and secure TCP protocols: by adding the packet authentication method discussed in this paper, DDoS attacks on the TCP and UDP protocols can be stopped. As for limitations, these approaches are good and applicable only if the server knows its traffic and that traffic is pre-defined in its gateways. Moreover, both gateways must complete the first phase of the JFK protocol to have a secure communication channel. Another problem is that attackers make use of zombies, which may themselves be legitimate users of the service. This approach eliminates DDoS attacks to some extent in specific applications, but not for the most widely used applications.

By carefully analyzing the machine learning architecture for DDoS attacks and how it works, one can say that this architecture can prevent a DDoS attack at the first filter, and it can detect a DDoS attack by means of the machine learning algorithms in the normalization stage and the machine learning classifier. But attack source identification and attack reaction cannot be provided here, and therefore it may require more complex algorithms, more memory management techniques and more resources. Many machine learning approaches to date use statistical machine learning to identify DDoS attacks, which is prone to several drawbacks: an improper selection of statistical features shows up in the output; if the attack vectors (new ways of attacking) increase, the statistical features must be changed; and the threshold values need updating whenever the system or the attack vectors change. From the above, our hypothesis that using secured OSI-layer (transport layer) protocols and machine learning algorithms will not completely defend against DDoS attacks is satisfied, and we have theoretically provided falsification among our interesting concepts.
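The following added example (written for this page, not the paper's code) walks the Figure 1 pipeline from V.C and the discussion above over constructed flow records: per-window feature extraction (packet rate, bandwidth, protocol mix, plus the Shannon source-address entropy of the statistical method), min-max normalization with the training bounds, a k-nearest-neighbour supervised classifier, and the filter-rule update step. All traffic values, window sizes and addresses are constructed; the threshold-sensitivity drawback noted above shows up as the dependence on the training bounds.

```python
import math
from collections import Counter

# Constructed training windows: (label, packets, distinct sources, UDP share, bytes/packet).
TRAIN = [("legit", 40, 8, 0.2, 1200), ("legit", 60, 10, 0.3, 1200), ("legit", 30, 5, 0.1, 1200),
         ("attack", 400, 200, 0.9, 60), ("attack", 600, 250, 1.0, 64), ("attack", 350, 150, 0.8, 60)]


def make_window(wid, n_pkts, n_srcs, udp_share, pkt_size):
    """Constructed traffic records (window, src_ip, proto, bytes); n_srcs <= 250."""
    return [(wid, "10.0.0.%d" % (i % n_srcs), "udp" if i < n_pkts * udp_share else "tcp", pkt_size)
            for i in range(n_pkts)]


def shannon_entropy(counts):
    """Shannon entropy (base 2) of a {value: count} mapping."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def extract_features(records, window_seconds=1.0):
    """Per-window features named in the paper: packet rate, bandwidth, protocol mix,
    plus the source-address entropy used by the statistical method."""
    windows = {}
    for wid, src, proto, size in records:
        w = windows.setdefault(wid, {"pkts": 0, "bytes": 0, "udp": 0, "srcs": Counter()})
        w["pkts"] += 1
        w["bytes"] += size
        w["udp"] += proto == "udp"
        w["srcs"][src] += 1
    feats = {wid: [w["pkts"] / window_seconds, w["bytes"] / window_seconds,
                   w["udp"] / w["pkts"], shannon_entropy(w["srcs"])]
             for wid, w in windows.items()}
    return feats, windows


def normalize(rows, lo=None, hi=None):
    """Min-max scaling; the bounds learned on training data are reused for new windows."""
    cols = list(zip(*rows))
    lo = lo or [min(c) for c in cols]
    hi = hi or [max(c) for c in cols]
    scaled = [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]
    return scaled, lo, hi


def knn_label(train, labels, x, k=3):
    """Supervised classifier: majority label among the k nearest training windows."""
    nearest = sorted((math.dist(x, t), lab) for t, lab in zip(train, labels))[:k]
    return Counter(lab for _, lab in nearest).most_common(1)[0][0]


def train_model():
    records, labels = [], []
    for i, (label, *params) in enumerate(TRAIN):
        records += make_window("train%d" % i, *params)
        labels.append(label)
    feats, _ = extract_features(records)
    scaled, lo, hi = normalize([feats["train%d" % i] for i in range(len(TRAIN))])
    return scaled, labels, lo, hi


def classify_and_update_rules(model, records, k=3):
    """Label each window; for attack windows add its top talkers to the filter rules."""
    scaled_train, labels, lo, hi = model
    feats, windows = extract_features(records)
    wids = list(feats)
    scaled, _, _ = normalize([feats[w] for w in wids], lo, hi)
    verdicts, block_rules = {}, set()
    for wid, x in zip(wids, scaled):
        verdicts[wid] = knn_label(scaled_train, labels, x, k)
        if verdicts[wid] == "attack":  # reaction step: update the gateway filter
            block_rules.update(src for src, _ in windows[wid]["srcs"].most_common(5))
    return verdicts, sorted(block_rules)
```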

VII. CONCLUSION AND FUTURE SCOPE

From the above results we can conclude that DDoS attacks are becoming more and more sophisticated. More complex and better-reasoned methods should be implemented in the future to completely defend against these attacks; to date there is no proposed method that completely defends against DDoS attacks. Research on deep learning [8] based approaches, trained on large-scale datasets with different neural network models such as Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN), has shown that these methods can be trained on large datasets. By placing deep learning systems at our gateway, we have the possibility of handling heavier traffic. In the future, IoT devices will also use the Internet as their vehicle. Research on Hadoop [9] technologies is also important: if we can make our gateway the master node of a Hadoop cluster, then whenever it experiences a flash crowd or an attack, all the traffic can be handed to the slave nodes, either in batch mode or in contract mode, to process and mark the packets. This technological view is therefore also important for the future.

REFERENCES

[1] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Comput. Surv., vol. 39, no. 1, 2007.
[2] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," Comput. Commun. Rev., vol. 34, no. 2, pp. 39–53, 2004.
[3] S. T. Zargar, J. Joshi, and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks," IEEE Commun. Surv. Tutor., vol. 15, no. 4, pp. 2046–2069, 2013.
[4] A. Z. Ghavidel and B. Issac, "Secure Transport Protocols for DDoS Attack Resistant Communication," in 2007 5th Student Conference on Research and Development, 2007, pp. 1–5.
[5] L. Limwiwatkul and A. Rungsawang, "Distributed denial of service detection using TCP/IP header and traffic measurement analysis," in IEEE International Symposium on Communications and Information Technology (ISCIT 2004), 2004, vol. 1, pp. 605–610.
[6] J. Jiang and S. Papavassiliou, "Detecting network attacks in the Internet via statistical network traffic normality prediction," J. Netw. Syst. Manag., vol. 12, no. 1, pp. 51–72, 2004.
[7] S. Seufert and D. O'Brien, "Machine Learning for Automatic Defence Against Distributed Denial of Service Attacks," in 2007 IEEE International Conference on Communications, 2007, pp. 1217–1222.
[8] X. Yuan, C. Li, and X. Li, "DeepDefense: Identifying DDoS Attack via Deep Learning," in 2017 IEEE International Conference on Smart Computing (SMARTCOMP), 2017, pp. 1–8.
[9] J. Zhang, P. Liu, J. He, and Y. Zhang, "A Hadoop Based Analysis and Detection Model for IP Spoofing Typed DDoS Attack," in 2016 IEEE Trustcom/BigDataSE/ISPA, 2016, pp. 1976–1983.


Biographies

Kovvuru Nasirali was born in Kalikiri village, Andhra Pradesh, on 21-05-1996. He received the B.Tech in Electronics and Communication Engineering from Jawaharlal Nehru Technological University, Kakinada, in 2016. He is currently pursuing an MSc degree in Telecommunication Systems at BTH, Karlskrona. He has completed a summer internship at Convergence Labs in telecom protocol development and testing. His research interests include telecommunications, IoT, network security, 5G, cloud computing and network management, and he has good knowledge of Linux, programming, TCP/IP, network and firewall configuration, intrusion detection systems, web development, DNS, DHCP and SNMP. Kovvuru Nasirali is a member of IETE and LEO Club Kakinada.

Mohammad Takhi Abed Sarkil was born in Amalapuram town in Andhra Pradesh, India, on 12 August 1995. He studied for his Bachelor's degree in Electronics and Communications Engineering at Jawaharlal Nehru Technological University, Kakinada, from 2013 to 2016, and he is presently pursuing his MSc in Telecommunication Systems at Blekinge Institute of Technology, Karlskrona, Sweden. From 2013 to 2014 he was a student of the Bachelor of Technology in Electronics and Communications, in which his main study was on network analysis, microprocessors, antennas and wireless networks. He gave a seminar on barcoding technology in 2015 at the Jawaharlal Nehru Technological University college. At present he is in Sweden doing his master's in telecommunications and is interested in working on cloud computing and security. Mohammad Takhi Abed Sarkil has been a member of IETE, India, since 2013.

