Nayan Hargule
CE Dept, SCET, Nagpur
nayankumarhargule69@gmail.com
ABSTRACT
Distributed Denial of Service (DDoS) attacks pose a severe threat to computers and network
infrastructures. There is an utmost need to develop mechanisms that are effective against
DDoS attacks, which generate heavy traffic and deplete or limit network bandwidth and/or system
resources. We develop an attack model that gives an idea of the patterns of DDoS attacks.
Four types of attack, namely host scan, port scan, TCP SYN flood and ICMP flood, have been
considered. The attack model depicts the patterns or behaviour of these attacks. We also develop
a detection mechanism that compares the traffic flow with the attack model and identifies the
particular attack. A defense mechanism based on the distributed black box technique is deployed
in the middle of the network and swaps the source IP address with the destination IP address to
provide effective defense.
Index Terms: Attack model, DDoS, Host Scan, Port Scan, ICMP, TCP.
I. INTRODUCTION
DoS attacks are one of the crucial threats posed to the users and infrastructures of the Internet. A DoS
attack attempts to deprive legitimate users of their service. It breaks down the service and
disrupts the network bandwidth. A DoS attack can be launched from a single host or a network node. DDoS
attacks pose a more serious threat than DoS attacks. DDoS is a type of DoS attack in which an attacker
deploys a number of hosts and launches an attack on the victim in a coordinated manner or
simultaneously. The goal of a DDoS attack is achieved by sending a large number of packets to the target
and thus flooding it. The target is unable to deal with the large number of packets, gets overloaded,
and ultimately becomes incapable of providing normal service. DDoS attacks can be classified on the
basis of the type of resource that is consumed.
1) Resource Flooding: The attacker consumes the victim's resources such as memory, CPU and hard disk to
make it unavailable to normal users.
2) Bandwidth Flooding: The victim network is flooded by unwanted traffic to prevent the normal
traffic from reaching the victim network.
Well known DDoS flooding attacks are TCP SYN flood attack and ICMP flood attack. TCP SYN flood makes
use of TCP SYN packets while ICMP flood makes use of ICMP packets.
Before attacking the target, the attacker often uses a host scan and a port scan to find the services that
can be broken into. Host scan and port scan are used as tools to check the susceptibility of the target. If host
scans and port scans are carried out frequently, they can be considered an attack. Generally, host
scanning and port scanning are done to keep a watch on the systems and the network. A network
administrator usually performs these scans to check the network, and the scanning is done a fixed number of
times. However, if the number of scans surpasses a fixed threshold, they are considered an attack. In
www.ijafrc.org
This attack is detected by the large number of ICMP packets destined to the same IP address. Port scan
and host scan are used as tools by the attacker to check the vulnerability of the systems: a host scan and
a port scan find the vulnerable target host and its open port. The lightweight detection method is advantageous
because of its low overhead. Without analysing the packet content, packet size, or packet inter-arrival time,
it can identify DoS activities.
This paper introduces two strategies of defense mechanisms: the Distributed Black Box/Packet Reflector and
the Graveyard. The first scheme, the Distributed Black Box, is distributed in nature and employs hybrid
defense mechanisms. The hybrid mechanism uses three basic ideas: multiple deployment in middle
locations, data mining and knowledge sharing, and mixing of previously suggested defense mechanisms.
Hence it is called the Distributed Black Box, and it can be placed anywhere in the network. Three main
places have been suggested where the mechanism can be deployed:
1) Near the targeted system, 2) Near the attacker, 3) In the middle.
The packet reflector performs three functions: a) rate limiting, to slow down the rate of incoming
packets in the event of an attack; b) acting as a reflecting surface, which copies the source address of the incoming
packet and forwards the packet to a new destination (in the reflection process, the destination address is replaced by the source
address); c) deploying the defense mechanism at various locations. The demerit of this mechanism is that
the middle area between the attacker and the victim is under the control of various Internet providers, and these
providers do not pay heed to effective defense mechanisms. The black box requires additional time to
alter the header and resend the packet, and the rate limit does not leave enough time for the defense mechanism to
complete reliably. The packets are categorized into three types: a) normal, b) suspicious, c) malicious. The
Graveyard defense technique is divided into two stages: a) the detection analysis stage and b) the traffic control
stage. In the detection analysis stage, primary testing is done to verify whether the incoming packet is DDoS
malicious. If it is not, it is free to go anywhere. If the packet is malicious, it is sent to the second stage,
III. METHODOLOGY
In this section we describe our technique. Our proposed attack model is based on the lightweight
methodology [2] [3]. The attack model [5] [11] contains signatures or attack patterns of the four attacks,
namely host scan, port scan, TCP SYN flood and ICMP flood. The model helps to effectively differentiate
between the attack flow and normal traffic. The attack patterns are extracted from the traffic flow. In our
work, we develop four attack models, one for each type of attack. The idea is to first generate an attack [6] [7]
in order to observe it, and then extract the patterns or features of the attack. Thus, for every attack a different
model exists.
[Figure: detection pipeline. Traffic Flow -> Match with Attack Models -> Identify DDoS Attacks; the flow of an attack is the flow associated with that attack.]
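The detection step described above, matching a header-only traffic flow against the four attack models, as an added illustration that is not the paper's own code. The thresholds, the record format and the sample flows are all assumed here; the paper does not give its threshold values.

```python
from collections import defaultdict

# Assumed thresholds (the paper's actual values are not given): a scan or flood
# pattern is reported as an attack only once its count exceeds the threshold.
ATTACK_MODELS = {
    "host_scan": 5,       # distinct destination hosts contacted by one source
    "port_scan": 5,       # distinct ports tried on one host by one source
    "tcp_syn_flood": 20,  # TCP SYN packets aimed at one destination
    "icmp_flood": 20,     # ICMP packets aimed at one destination
}

def detect(flows, models=ATTACK_MODELS):
    """Match header-only flow records against the four attack models.
    Each record is {"src", "dst", "proto", "dport", "syn"}; no payload,
    size or inter-arrival time is consulted (the lightweight approach)."""
    hosts_per_src = defaultdict(set)
    ports_per_pair = defaultdict(set)
    syn_per_dst = defaultdict(int)
    icmp_per_dst = defaultdict(int)
    for f in flows:
        hosts_per_src[f["src"]].add(f["dst"])
        if f["proto"] == "tcp":
            ports_per_pair[(f["src"], f["dst"])].add(f["dport"])
            if f.get("syn"):
                syn_per_dst[f["dst"]] += 1
        elif f["proto"] == "icmp":
            icmp_per_dst[f["dst"]] += 1
    counters = {
        "host_scan": {k: len(v) for k, v in hosts_per_src.items()},
        "port_scan": {k: len(v) for k, v in ports_per_pair.items()},
        "tcp_syn_flood": syn_per_dst,
        "icmp_flood": icmp_per_dst,
    }
    # Report the source, (source, host) pair or destination whose count exceeds the model
    return {name: sorted(k for k, n in counters[name].items() if n > models[name])
            for name in models}

def sample_flows():
    """Constructed traffic: one legitimate client plus one instance of each attack."""
    pkt = lambda src, dst, proto, dport=0, syn=False: dict(
        src=src, dst=dst, proto=proto, dport=dport, syn=syn)
    flows = [pkt("10.0.0.5", "10.0.2.2", "tcp", 80, True) for _ in range(3)]          # normal
    flows += [pkt("10.0.0.9", f"10.0.1.{i}", "icmp") for i in range(1, 9)]            # host scan
    flows += [pkt("10.0.0.7", "10.0.2.2", "tcp", p, True) for p in range(20, 30)]     # port scan
    flows += [pkt(f"172.16.0.{i}", "10.0.3.3", "tcp", 80, True) for i in range(1, 26)]  # SYN flood
    flows += [pkt("10.0.0.50", "10.0.4.4", "icmp") for _ in range(30)]                # ICMP flood
    return flows

if __name__ == "__main__":
    for attack, hits in detect(sample_flows()).items():
        print(f"{attack:14s} {hits if hits else 'none'}")
```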
IV. EXPERIMENTAL RESULTS
Fig. 9 depicts the host scan detection, Fig. 10 the port scan detection, Fig. 11 the ICMP flood
detection and Fig. 12 the TCP SYN flood detection.
V. CONCLUSION
VI. REFERENCES
[1]
[2]
[3]
[4] Neha Titarmare, Nayan Hargule, Priyanka Gonnade, Punam Marbate, "DDoS Detection using Attack Model", IJARCSSE, Vol. 4, Issue 6, June 2014.
[5] Jie Yu, Zhoujun Li, Huowang Chen, Xiaoming Chen, "A Detection and Offense Mechanism to Defend Against Application Layer DDoS Attacks", Third International Conference on Networking and Services (ICNS'07).
[6]
[7] J. Mirkovic, J. Martin, and P. Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms", ACM SIGCOMM Computer Comm. Rev., vol. 34, no. 2, 2004, pp. 39-53.
[8] Cynthia Bailey Lee, Chris Roedel, Elena Silenok, "Detection and Characterization of Port Scan Attacks".
[9] Theerasak Thapngam, Shui Yu, Wanlei Zhou, Gleb Beliakov, "Discriminating DDoS Attack Traffic from Flash Crowd through Packet Arrival Patterns", First International Workshop on Security in Computers, Networking and Communications, IEEE 2011.
[10] Simona Ramanauskaitė, Antanas Čenys, "Composite DoS Attack Model", ISSN 2029-2341 print / ISSN 2029-2252, Vilniaus Gedimino technikos universitetas.
[11] Jalal Atoum, Omar Faisal, "Distributed Black Box and Graveyards Defense Strategies against Distributed Denial of Services", Second International Conference on Computer Engineering and Applications (ICCEA), 2010.
[13] Snort, http://www.snort.org.
[14] Jalal Atoum, Omar Faisal, "Distributed Black Box and Graveyard Defense Strategies Against Distributed Denial of Services", Second International Conference on Computer Engineering and Applications (ICCEA'10).