New Methods for Detection of DoS and DDoS Attacks
Ebook, 337 pages, 2 hours


About this ebook

The Internet revolution has completely changed the traditional ways of functioning of essential applications, including banking, healthcare, defense, academia, and logistics. Internet-based services replaced these traditional services at a rapid pace over the past two decades. The growing internet dependency of individuals and organizations has made the internet the fundamental support of the information world.

The emergence of new Internet-based services such as e-governance, e-procurement, and others is contributing significantly to global social and economic development. With the exponential growth in Internet-based services and users worldwide, the internet infrastructure and its services face numerous challenges related to continuous attacks.

Distributed Denial of Service (DDoS) is one of the most frequently observed attacks on the internet architecture, posing serious challenges to the defense mechanisms incorporated in the framework. As companies do not make DDoS attack information public (to avoid damage to brand value), researchers often face the problem of limited information being available to design effective defensive strategies against DDoS attacks.

The current section presents the impact of DDoS attacks and the inherent vulnerability of the internet architecture. Real DDoS attack events, together with their financial impact on companies, are included. Further, the need for designing an efficient DDoS defense strategy is presented in the research work.

Internet resources and network systems should be readily accessible to genuine users who wish to use the services at any given time. Unavailability of internet services and applications at the required instant is one of the major challenges restricting the spread of Internet-based services. The unavailability can result from either intentional or accidental causes. The basic internet framework is designed to handle accidental failures but is not effective against intentional acts such as intrusion, malware, hacking, etc.

The Denial-of-Service (DoS) attack is categorized under the intentional failures observed on the internet, which are caused by malware programmers or intruders. These attackers deny or compromise the availability of internet resources to genuine or authorized users.

Language: English
Release date: Aug 22, 2023
ISBN: 9798223949688
    Book preview

    New Methods for Detection of DoS and DDoS Attacks - K. Munivara Prasad

    CHAPTER 1: INTRODUCTION

    The Internet revolution has completely changed the traditional ways of functioning of essential applications, including banking, healthcare, defense, academia, and logistics. Internet-based services replaced these traditional services at a rapid pace over the past two decades. The growing internet dependency of individuals and organizations has made the internet the fundamental support of the information world.

    The emergence of new Internet-based services such as e-governance, e-procurement, and others is contributing significantly to global social and economic development. With the exponential growth in Internet-based services and users worldwide, the internet infrastructure and its services face numerous challenges related to continuous attacks.

    Distributed Denial of Service (DDoS) is one of the most frequently observed attacks on the internet architecture, posing serious challenges to the defense mechanisms incorporated in the framework. As companies do not make DDoS attack information public (to avoid damage to brand value), researchers often face the problem of limited information being available to design effective defensive strategies against DDoS attacks.

    The current section presents the impact of DDoS attacks and the inherent vulnerability of the internet architecture. Real DDoS attack events, together with their financial impact on companies, are included. Further, the need for designing an efficient DDoS defense strategy is presented in the research work.

    Internet resources and network systems should be readily accessible to genuine users who wish to use the services at any given time [126]. Unavailability of internet services and applications at the required instant is one of the major challenges restricting the spread of Internet-based services. The unavailability can result from either intentional or accidental causes. The basic internet framework is designed to handle accidental failures but is not effective against intentional acts such as intrusion, malware, hacking, etc.

    The Denial-of-Service (DoS) attack is categorized under the intentional failures observed on the internet, which are caused by malware programmers or intruders. These attackers deny or compromise the availability of internet resources to genuine or authorized users [38]. Different types of DoS attacks have been observed over the past decade, including SYN flood, smurf attack, finger-board, black-hole attack, snork, teardrop, misdirection, etc. These attacks target inherent vulnerabilities in internet protocols, network layers, applications, and operating systems.

    Distributed DoS attacks (DDoS attacks) are an advanced form of DoS attack, in which intruders target a single resource or application from several hundred compromised hosts [87], [27]. The compromised hosts are referred to as zombies or bots; they are unprotected computers connected to the internet that are unknowingly recruited into a botnet.

    Several types of DDoS attacks have been observed on the internet in the past decade, and they have been classified in [42] and [87]. Among these types, the packet-flooding attack is the most frequently observed. This attack type forwards a large volume of deceptively genuine-looking TCP, UDP and ICMP packets to a single target. The authors in [99] presented two prominent issues in countering these DDoS attacks. First, the number of compromised computers or zombies is very high, and they are spread across diverse geographical areas; the traffic volume transmitted by any one zombie is limited, but the cumulative volume of all the zombies targeting the host is significant, resulting in congestion at the destination. Second, zombies typically spoof their IP addresses, which prevents the defensive mechanism from tracing back to the zombies. Over the past few years the volume of spoofed attacks has been decreasing according to [51]; however, the volume of DDoS attacks continues to pose challenges to defensive mechanisms. Due to the distributed nature and voluminous flow of requests, conventional defensive mechanisms such as firewalls, traditional IDS, and access control lists within routers cannot counter such threats [31], [83], [93], [13]. The inability to accurately distinguish normal packets from malicious packets prevents the IDS from defending against the attack.

    A DDoS flooding attack relies on traffic volume and does not rely on exploiting network vulnerabilities or loopholes. Accordingly, there is no need to modify DDoS packets, for example by crafting a malicious packet payload. Hence, packets in a DDoS attack appear similar to genuine packet requests [87]. Further, IP spoofing [53] and stateless routing complicate the detection process. These attacks are highly dynamic and can easily evade defense mechanisms [25], [87].

    Thus, to effectively counter DDoS attacks, several defensive strategies have been proposed in the contemporary literature [27], [87]. However, a complete and effective counter mechanism is yet to be designed, as shown by the increasing instances of such attacks and the substantial financial losses involved. Also, intruders often share their attack methods, which compounds the instances of DDoS attacks. Similarly, defense strategy designers and programmers should share their methods and attack details with the internet community. This enables quick development of counter mechanisms for DDoS attacks.

    1.1  DoS and DDoS Attacks

    In a DoS attack, intruders target a single server or network and prevent genuine users from gaining access to that specific server [29]. The attackers achieve this by transmitting numerous packets at a time to create a flooding effect at the target resource, or by transmitting crafted data packets that exploit inherent software vulnerabilities.

    Transmitting packets beyond the capacity of the target's resources and consuming those resources entirely is the primary goal of DoS attackers. To achieve this and deny service to genuine users, intruders transmit numerous requests to a single target. Further, to complicate intrusion detection, attackers issue these requests from multiple sources that are geographically spread worldwide. This distributed type of DoS attack is termed a Distributed Denial of Service (DDoS) attack.

    A typical structure of a DDoS attack, with the components involved, is depicted in Figure 1.1. Initially, the source systems that are vulnerable to attack, referred to as zombies, are identified, and the intruders deploy their malicious code on them. After successfully deploying the code on the source systems (zombies), the intruders establish a secure channel to launch the DoS attack on the single targeted server or resource. To further complicate detection, the intruders often modify the packets from the zombies, typically by spoofing the source.

    Figure 1.1: DDoS Attack Structure

    The vulnerable source systems, referred to as zombies or bots, together with the structure of components depicted in Figure 1.1, are also referred to as a botnet. The attackers can launch coordinated attacks from a botnet and can push software updates using the secure channel between the attacker and the bots.

    The specific attack features, the process of preparation and attack launch, and the characteristics of the attack play a prominent role in devising a DDoS attack taxonomy. Further, the process of selecting zombies and the attack's impact on those zombies must be analyzed for a clear taxonomy. DDoS attacks are observed primarily to incapacitate the availability of system bandwidth, end applications, and the protocols involved in the network.

    1.1.1  Attacks on Protocol

    In a DDoS attack, zombies send packets through the network at a fixed transmission rate to exploit inherent design aspects of typical network protocols. Further, the attacker attempts to take advantage of inherent vulnerabilities in the network through the expected functioning of guiding protocols such as UDP, ICMP, and TCP.

    The most commonly observed real-world DDoS attacks on protocols are SYN flooding, UDP flood [50], Smurf [1] and ICMP flooding. SYN flooding targets the network by transmitting numerous SYN packets, which consume the available system resources and fill the connection buffers. A UDP flooding attack attempts to bring down the network by transmitting UDP packets to random ports. Further, for most of these UDP packets the target replies with Internet Control Message Protocol (ICMP) messages, but the endpoint of these messages is unknown.
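    The SYN-flood symptom described above, a backlog of connections that never complete the handshake, can be measured directly from a packet trace. The following is an added example, not code from the book or its author: it tracks client SYNs against the client's completing ACK per server and flags servers whose half-open count and half-open ratio exceed thresholds. The packet records, addresses, window and thresholds are constructed assumptions for illustration.

```python
# Added example (not from the book): a SYN-flood indicator built from the
# half-open connection idea described above. Packets are constructed records,
# not a real capture; thresholds are illustrative assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    ts: float     # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def syn_flood_indicators(packets, window=2.0):
    """Per server (dst, dport): (total SYNs seen, SYNs never completed).

    A client SYN opens a pending entry keyed by the 4-tuple; the client's
    ACK (third handshake step) within `window` seconds closes it. Entries
    that are never acknowledged, or acknowledged too late, are counted as
    half-open connections: exactly what fills the server's backlog buffer.
    """
    pending = {}
    totals = defaultdict(int)
    half_open = defaultdict(int)
    for p in sorted(packets, key=lambda pk: pk.ts):
        conn = (p.src, p.sport, p.dst, p.dport)
        server = (p.dst, p.dport)
        if p.syn and not p.ack:
            totals[server] += 1
            pending[conn] = p.ts
        elif p.ack and not p.syn and conn in pending:
            started = pending.pop(conn)
            if p.ts - started > window:
                half_open[server] += 1   # backlog slot was held past the window
    for (_, _, dst, dport) in pending:   # never acknowledged at all
        half_open[(dst, dport)] += 1
    return {s: (totals[s], half_open[s]) for s in totals}


def flag_syn_flood(packets, window=2.0, min_half_open=10, min_ratio=0.5):
    """Servers whose half-open count and half-open/SYN ratio exceed thresholds."""
    flagged = []
    for server, (total, unfinished) in syn_flood_indicators(packets, window).items():
        if unfinished >= min_half_open and unfinished / total >= min_ratio:
            flagged.append((server, total, unfinished))
    return flagged


def sample_capture():
    """Constructed traffic: three normal handshakes to 10.0.0.5:80, one to
    10.0.0.6:443, then 20 SYNs from distinct spoofed sources with no ACK."""
    pk = []
    t = 0.0
    for i in range(3):
        client = f"192.0.2.{i + 1}"
        pk.append(TcpPacket(t, client, "10.0.0.5", 40000 + i, 80, True, False))
        pk.append(TcpPacket(t + 0.05, client, "10.0.0.5", 40000 + i, 80, False, True))
        t += 0.1
    pk.append(TcpPacket(t, "192.0.2.9", "10.0.0.6", 50000, 443, True, False))
    pk.append(TcpPacket(t + 0.05, "192.0.2.9", "10.0.0.6", 50000, 443, False, True))
    for i in range(20):
        pk.append(TcpPacket(t + 0.01 * i, f"198.51.100.{i + 1}", "10.0.0.5",
                            1000 + i, 80, True, False))
    return pk


if __name__ == "__main__":
    for server, total, unfinished in flag_syn_flood(sample_capture()):
        print(f"{server[0]}:{server[1]} SYNs={total} half-open={unfinished}")
```

    Server-side SYN-ACK packets carry both flags and fall through both branches, so only the client's side of the handshake is tracked. The ratio guards against flagging a busy but healthy server, where a large absolute SYN count comes with an equally large number of completions.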

    1.1.2  Attacks on Bandwidth

    Attackers transmit a high volume of data from an Internet Service Provider (ISP) network to the selected target resource in order to attack the bandwidth of the system. A large volume of ICMP packets is one of the most prominent attacks observed on bandwidth [18]. The ISP network is equipped with significant capacity to ensure uninterrupted communication between numerous sources and destinations. However, the connection from the ISP to the victim often has limited capacity compared to the capacity of the ISP itself.

    Accordingly, attackers send large volumes of packets through the ISP, and these connections consume the existing bandwidth, thereby reducing the genuine traffic flow. The attackers consume this bandwidth by sending numerous packets across the entire network connection [72].

    1.1.3  Attacks on Application

    Attackers target end applications by transmitting a small volume of malformed messages. These packets exploit known software bugs either in the application or in the system OS. One or more packets sent over the network can typically cause the target system to malfunction or disable it completely. However, defending against such attacks is easier than defending against the two attack types described above. Defensive mechanisms typically involve removing the identified system vulnerabilities [118] or incorporating additional filter rules to eliminate the corrupted packets [88]. The ping of death attack is one of the most commonly observed attacks on applications. In this type of attack, intruders transmit a ping message that exceeds the preset limit (typically 656536 octets), such that the message is continuously retransmitted in the system. Land attacks and Teardrop attacks are also commonly observed attacks targeting applications [50].
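    The "additional filter rules" mentioned above can be expressed as simple header-level sanity checks for the three named attacks. The following is an added example, not code from the book or its author: a stateful filter that flags a packet whose source equals its destination (land), a fragment that would push the reassembled datagram past the IPv4 size limit (ping of death), and a fragment overlapping a byte range already received for the same datagram (teardrop). The 65535-octet limit is the IPv4 total-length maximum; the 20-octet header size, packet records and addresses are constructed assumptions.

```python
# Added example (not from the book): packet-sanity filter rules for the three
# application-level attacks named above. Packets are constructed records; the
# 65535-octet limit is the IPv4 total-length maximum, 20 the minimum header.
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_LEN = 65535   # largest IPv4 datagram the 16-bit total-length field allows
IP_MIN_HDR = 20      # assumed header size when reconstructing reassembled length


@dataclass(frozen=True)
class IpPacket:
    src: str
    dst: str
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    ident: int        # IP identification; shared by fragments of one datagram
    frag_offset: int  # in 8-octet units, as carried in the header
    more_frags: bool
    payload_len: int  # octets following the IP header
    sport: int = 0
    dport: int = 0


def is_land(p):
    """Land: source equals destination, both address and port."""
    return p.src == p.dst and p.proto in (6, 17) and p.sport == p.dport


class FragmentFilter:
    """Stateful check over fragments of the same datagram.

    'oversize': a fragment whose end would push the reassembled datagram
                past IP_MAX_LEN (the ping-of-death pattern).
    'overlap':  a fragment overlapping a byte range already received for
                the same datagram (the teardrop pattern).
    Completed datagrams are not evicted here; a real reassembler would
    drop the state once all fragments have arrived or a timer expires.
    """

    def __init__(self):
        self.ranges = defaultdict(list)   # datagram key -> [(start, end), ...]

    def inspect(self, p):
        verdicts = []
        if is_land(p):
            verdicts.append("land")
        start = p.frag_offset * 8
        end = start + p.payload_len
        if IP_MIN_HDR + end > IP_MAX_LEN:
            verdicts.append("oversize")
        if p.more_frags or p.frag_offset > 0:       # part of a fragmented datagram
            key = (p.src, p.dst, p.proto, p.ident)
            if any(start < e and s < end for s, e in self.ranges[key]):
                verdicts.append("overlap")
            self.ranges[key].append((start, end))
        return verdicts


def inspect_capture(packets):
    """Return [(index, verdicts)] for every packet that trips a rule."""
    flt = FragmentFilter()
    return [(i, v) for i, p in enumerate(packets) if (v := flt.inspect(p))]


def sample_capture():
    """Constructed packets: a normal ping, a land packet, a ping-of-death
    fragment, and two teardrop fragments whose byte ranges overlap."""
    return [
        IpPacket("192.0.2.1", "10.0.0.5", 1, 1, 0, False, 64),
        IpPacket("10.0.0.5", "10.0.0.5", 6, 2, 0, False, 40, sport=139, dport=139),
        IpPacket("198.51.100.7", "10.0.0.5", 1, 7, 8189, False, 1000),
        IpPacket("198.51.100.8", "10.0.0.5", 17, 9, 0, True, 36, sport=53, dport=53),
        IpPacket("198.51.100.8", "10.0.0.5", 17, 9, 3, False, 20, sport=53, dport=53),
    ]


if __name__ == "__main__":
    for idx, verdicts in inspect_capture(sample_capture()):
        print(idx, verdicts)
```

    The oversize check is evaluated per fragment rather than after reassembly, which is what lets a filter drop the offending fragment before the reassembly buffer is touched; the overlap check needs state per datagram because the violation is only visible when the second fragment arrives.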

    1.2  Problem Formulation and Objectives

    In networks, the data traffic consists of data packets, which are exchanged between the endpoints of the communication process, and such data transmissions form a network traffic flow. The first step of a detection and mitigation mechanism is to extract features from the data packets as well as from the flows. The survey in [76] covers the accessible network traffic and traffic features, and presents some of the most useful and crucial elements for analysing the chosen network traffic.

    Network traffic analysis is classified into packet analysis and flow analysis. Packet analysis uses the raw packet data, whereas flow analysis utilizes accumulated input data. Both analyses are done on incomplete input data, which should preferably be sample data from real network traffic.

    The headers of individual IP data packets, with their various applicable features, should be taken into consideration. If the addresses are not misrepresented, the source and destination addresses identify the endpoints of the communication. Moreover, the TTL indicates the length of the path the packet has travelled, and the protocol identifier constrains what a normal packet sequence looks like for this mode of communication. The protocol headers may give further insight into the communication. Besides the header values, the packet sequence furnishes packet inter-arrival times as well as packet fragmentation levels, which are considered indirect features.

    In network traffic analysis, a flow is a unidirectional sequence of data packets that share the IP source address, destination address and port number features. According to modern flow export definitions [37], for example IPFIX, the data feature selection process is easy and provides extra information such as physical network port indexes and next-hop IP addresses.

    The level of data availability is another major difference between packet and flow analysis. Packet analysis allows complete access to the entire data of the communications, whereas flow records give only communication metadata. Further, the commonly monitored statistics consist of flow duration, endpoint addresses, packet count, and traffic protocol.
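    The packet-versus-flow distinction in this section becomes concrete once both feature sets are computed from the same trace. The following is an added example, not code from the book or its author: it extracts the direct header features of each packet, groups packets into unidirectional flows keyed by the 5-tuple (source, destination, protocol, source port, destination port), and derives the flow metadata named above (duration, packet count, byte count) together with the indirect features (inter-arrival time, TTL spread). The idle timeout, the 5-tuple key and the packet records are constructed assumptions modelled on IPFIX-style exporters.

```python
# Added example (not from the book): packet-level and flow-level feature
# extraction as described in Section 1.2. Packets are constructed records; the
# 5-tuple key and the idle timeout are assumptions modelled on IPFIX exporters.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    length: int      # octets on the wire
    ttl: int
    fragment: bool = False


def packet_features(p):
    """Direct header features of one packet (the 'packet analysis' view)."""
    return {"src": p.src, "dst": p.dst, "proto": p.proto, "ttl": p.ttl,
            "length": p.length, "fragment": p.fragment}


def build_flows(packets, idle_timeout=60.0):
    """Group packets into unidirectional flows keyed by the 5-tuple.

    A flow is closed (and a new one started) when the gap since its last
    packet exceeds idle_timeout. Inter-arrival gaps and TTL values are kept
    so the indirect features can be derived afterwards.
    """
    active, closed = {}, []
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flow = active.get(key)
        if flow is not None and p.ts - flow["last"] > idle_timeout:
            closed.append(active.pop(key))
            flow = None
        if flow is None:
            flow = {"key": key, "first": p.ts, "last": p.ts, "packets": 0,
                    "bytes": 0, "ttls": set(), "gaps": []}
            active[key] = flow
        else:
            flow["gaps"].append(p.ts - flow["last"])
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += p.length
        flow["ttls"].add(p.ttl)
    return closed + list(active.values())


def flow_features(flow):
    """Flow-record metadata plus indirect features (inter-arrival, TTL spread)."""
    gaps = flow["gaps"]
    return {"key": flow["key"],
            "duration": round(flow["last"] - flow["first"], 3),
            "packets": flow["packets"],
            "bytes": flow["bytes"],
            "mean_iat": round(mean(gaps), 3) if gaps else 0.0,
            "ttl_values": len(flow["ttls"])}


def single_packet_flows_by_dst(flows):
    """Count one-packet flows per destination: many of them towards one host
    is the flow-level footprint of UDP packets sprayed at random ports."""
    counts = defaultdict(int)
    for f in flows:
        if f["packets"] == 1:
            counts[f["key"][1]] += 1
    return dict(counts)


def sample_packets():
    """Constructed capture: one TCP exchange in both directions, then three
    UDP packets from one source to three different ports on 10.0.0.5."""
    pk = [Packet(0.0, "192.0.2.1", "10.0.0.5", 6, 40000, 80, 60, 64),
          Packet(0.05, "10.0.0.5", "192.0.2.1", 6, 80, 40000, 60, 128),
          Packet(0.1, "192.0.2.1", "10.0.0.5", 6, 40000, 80, 1500, 64),
          Packet(0.15, "10.0.0.5", "192.0.2.1", 6, 80, 40000, 1500, 128),
          Packet(0.2, "192.0.2.1", "10.0.0.5", 6, 40000, 80, 1500, 64),
          Packet(0.3, "192.0.2.1", "10.0.0.5", 6, 40000, 80, 60, 64)]
    for i, port in enumerate((1111, 2222, 3333)):
        pk.append(Packet(1.0 + 0.001 * i, "198.51.100.7", "10.0.0.5",
                         17, 5555, port, 500, 50))
    return pk


if __name__ == "__main__":
    for flow in build_flows(sample_packets()):
        print(flow_features(flow))
```

    Because flows are unidirectional, the client-to-server and server-to-client halves of the TCP exchange land in two separate records, as they would in an IPFIX export; the payload itself is never retained, which is the "metadata only" limitation of flow analysis described above.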

    Deep packet inspection (DPI), together with application-layer analysis of network traffic, is usually carried out by the default firewall system and by intrusion detection systems (IDSs). The authors in [26] state that
