New Methods for Detection of DoS and DDoS Attacks
New Methods for Detection of DoS and DDoS Attacks - K. Munivara Prasad
CHAPTER - 1 INTRODUCTION
The Internet revolution has completely changed the traditional ways in which essential applications, including banking, healthcare, defense, academia, and logistics, function. Internet-based services replaced these traditional services at a rapid pace over the past two decades. The growing internet dependency of individuals and organizations has made the internet the fundamental support of the information world.
The emergence of new Internet-based services such as e-governance, e-procurement, and others is contributing significantly to global social and economic development. With the exponential growth in Internet-based services and users worldwide, the internet infrastructure and its services face numerous challenges related to continuous attacks.
Distributed Denial of Service (DDoS) is one of the most frequently observed attacks on the internet architecture, posing serious challenges to the defense mechanisms incorporated in it. As companies do not make DDoS attack information public (to avoid damage to brand value), researchers often face the problem of limited information being available to design effective defensive strategies against DDoS attacks.
This section presents the impact of DDoS attacks and the inherent vulnerability of the internet architecture. Real DDoS attack events, together with their financial impact on companies, are included. Further, the need for designing an efficient DDoS defense strategy is presented in this research work.
Internet resources and network systems should be readily accessible to genuine users who want to use the services at any given time [126]. Unavailability of internet services and applications when they are required is one of the major challenges restricting the spread of Internet-based services. The unavailability can result from either intentional or accidental causes. The basic internet framework is designed to handle accidental failures but is not effective against intentional ones such as intrusion, malware, hacking, etc.
The Denial-of-Service (DoS) attack falls under the intentional failures observed on the internet, which are caused by malware programmers or intruders. These attackers deny or compromise the availability of internet resources to genuine or authorized users [38]. Different types of DoS attacks have been observed over the past decade, including SYN flood, smurf attack, finger-board, black-hole attack, snork, teardrop, misdirection, etc. These attacks target inherent vulnerabilities in internet protocols, network layers, applications, and operating systems.
Distributed DoS (DDoS) attacks are an advanced form of DoS attack in which intruders target a single resource or application from several hundred compromised hosts [87], [27]. The compromised hosts are referred to as zombies or bots; they are unprotected computers connected to the internet that are unknowingly recruited into a botnet.
Several types of DDoS attacks have been observed on the internet in the past decade; they are classified in [42] and [87]. Among these, the packet-flooding attack is the most frequently observed. This attack type sends a significant volume of deceptively genuine-looking TCP, UDP and ICMP packets to a single target. The authors in [99] present two prominent issues in countering these DDoS attacks. First, the number of compromised computers or zombies is very high, and they are spread across diverse geographical areas. Second, the traffic volume transmitted by one zombie is limited, but the cumulative volume of all the zombies targeting the host is quite significant, resulting in congestion at the destination. Zombies typically spoof their IP addresses, which prevents the defensive mechanism from tracing back to the zombies. Over the past few years, the volume of spoofed attacks has been decreasing according to [51]. However, the volume of DDoS attacks continues to pose challenges to defensive mechanisms. Due to the distributed nature and voluminous flow of requests, conventional defensive mechanisms such as firewalls, traditional IDS, and access control lists within routers cannot counter such threats [31], [83], [93], [13]. The inability to accurately distinguish normal packets from malicious packets prevents the IDS from defending against the attack.
A DDoS flooding attack relies on traffic volume and not on exploiting network vulnerabilities or loopholes. Accordingly, there is no need to modify DDoS packets, for example by giving them a malicious payload. Hence, packets in a DDoS attack appear similar to genuine packet requests [87]. Further, IP spoofing [53] and stateless routing complicate the detection process. These attacks are highly dynamic and can easily evade defense mechanisms [25], [87].
Thus, to counter DDoS attacks effectively, several defensive strategies have been proposed in the contemporary literature [27], [87]. However, a complete and effective counter mechanism is yet to be designed, as the increasing instances of such attacks and the substantial financial losses involved show. Also, intruders often share their attack methods, compounding the instances of DDoS attacks. Similarly, defense strategy designers and programmers should share their methods and attack details with the internet community. This enables quick development of counter mechanisms for DDoS attacks.
1.1 DoS and DDoS Attacks
In a DoS attack, intruders target a single server or network and prevent genuine users from gaining access to that specific server [29]. The attackers achieve this by transmitting numerous packets at a time to create a flooding effect at the target resource, or by transmitting crafted data packets that exploit inherent software vulnerabilities.
Transmitting packets beyond the capacity of the target's resources and consuming those resources entirely is the primary goal of DoS attackers. To achieve this and deny service to genuine users, intruders transmit numerous requests to a single target. Further, to complicate intrusion detection, attackers issue these requests from multiple sources that are spread geographically worldwide. This distributed type of DoS attack is termed the Distributed Denial of Service (DDoS) attack.
A typical DDoS attack structure, with the components involved in the attack, is depicted in Figure 1.1. Initially, vulnerable source systems, referred to as zombies, are identified, and the intruders deploy their malicious code on them. After successfully deploying the code on the source systems (zombies), the intruders establish a secure channel to launch the DoS attack on the single targeted server or resource. To further complicate detection, the intruders often modify the packets sent from the zombies, typically by spoofing the source address.
Figure 1.1: DDoS Attack Structure
The vulnerable source systems, referred to as zombies or bots, together with the component structure depicted in Figure 1.1 are also referred to as a botnet. The attackers can launch coordinated attacks from a botnet and can push software updates to the bots over the secure channel between attacker and bots.
Specific attack features, the process of preparation and attack launch, and the characteristics of the attack play a prominent role in devising a DDoS attack taxonomy. Further, the process of selecting zombies and the attack's impact on those zombies must be analyzed for a clear taxonomy. DDoS attacks are observed primarily to incapacitate the availability of system bandwidth, end applications, and the protocols involved in the network.
1.1.1 Attacks on Protocol
In a DDoS attack, zombies send packets through the network at a fixed transmission rate to take advantage of the inherent design of typical network protocols. Further, the attacker attempts to exploit inherent vulnerabilities in the network through the expected functioning of protocols such as UDP, ICMP, and TCP.
The most prominently observed real-world DDoS attacks on protocols are SYN flooding, UDP flood [50], Smurf [1] and ICMP-based attacks. SYN flooding targets the network by transmitting numerous SYN packets, which consume the available system resources and fill the buffers. A UDP flooding attack attempts to bring down the network by transmitting UDP packets to random ports. Further, for most of these UDP packets the target replies with Internet Control Message Protocol (ICMP) messages, but the endpoint of these messages is unknown.
1.1.2 Attacks on Bandwidth
The attackers transmit a high volume of data from an Internet Service Provider (ISP) to the selected target resource to attack the bandwidth of the system. A large volume of ICMP packets is one of the most prominent attacks observed on bandwidth [18]. The ISP network is equipped with significant capacity to ensure uninterrupted communication between numerous sources and destinations. However, the connection from the ISP to the victim often has limited capacity compared to the capacity of the ISP.
Accordingly, attackers send large volumes of packets from the ISP side, and these connections consume the available bandwidth, thereby reducing the genuine traffic flow. The attackers consume this bandwidth by sending numerous packets across the entire network connection [72].
1.1.3 Attacks on Application
Attackers target end applications by transmitting a small volume of malformed messages. These packets exploit known software bugs either in the application or in the system OS. One or a few packets sent over the network can typically make the target system malfunction or disable it completely. However, defending against such attacks is easier than defending against the two attack types described above. Defensive mechanisms typically involve removing the identified system vulnerabilities [118] or adding filter rules to eliminate the corrupted packets [88]. The ping of death attack is one of the most frequently observed attacks on applications. In this type of attack, intruders transmit a ping message that exceeds the preset limit (typically 656536 octets) such that the message is continuously retransmitted in the system. Land attacks and Teardrop attacks are also commonly observed attacks targeting applications [50].
1.2 Problem Formulation and Objectives
In networks, the data traffic consists of data packets exchanged between the endpoints of the communication, and such transmissions form a network traffic flow. The first step of a detection and mitigation mechanism is to extract features from the data packets as well as from the flows. [76] provides a survey of the accessible network traffic and traffic features, and presents some of the most useful and crucial features for analysing the chosen network traffic.
Network traffic analysis is classified into packet analysis and flow analysis. Packet analysis uses the raw packet data, whereas flow analysis uses accumulated input data. Both analyses are performed on a sample of the input data, which should preferably be taken from real network traffic.
The headers of individual IP data packets, with their various applicable features, should be taken into consideration. If they are not misrepresented, the source and destination addresses identify the endpoints of the communication. Moreover, the TTL reflects the length of the path the packet has travelled, and the protocol identifier constrains what a normal packet sequence looks like for this mode of communication. The protocol headers may give further perspectives on the communication. Besides the header values, the packet sequence furnishes packet inter-arrival times as well as packet fragmentation levels, which are considered indirect features.
In flow analysis, a flow is a unidirectional sequence of data packets sharing the IP source address, destination address, and port number features. With modern flow export definitions [37], for example IPFIX, the feature selection process is easy, and extra data are available, such as physical network port indexes and next-hop IP addresses.
The level of data availability is another major difference between packet and flow analysis. Packet analysis allows complete access to the entire data of the communication, whereas flow records give only communication metadata. The commonly monitored statistics consist of flow duration, endpoint addresses, packet count, and protocol.
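As an added example (not code from the book), the following Python puts the flow features of this section and the protocol-attack signatures of 1.1.1 to work: constructed packet records (the addresses, ports and thresholds are assumptions) are aggregated into unidirectional 5-tuple flows carrying packet count, duration and TCP flags, and each destination is then checked for a SYN flood (a high share of flows that carried a SYN but never an ACK, from many distinct sources) and for a UDP flood (many distinct destination ports hit).

```python
from collections import defaultdict, namedtuple

# A captured packet; TCP flags as letters ("S", "A", "PA"), empty for UDP.
Packet = namedtuple("Packet", "ts src dst proto sport dport flags", defaults=("",))

def build_flows(packets):
    """Aggregate packets into unidirectional 5-tuple flows, as a flow exporter would:
    key = (src, dst, proto, sport, dport); record = first/last seen, packet count, flags."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = flows.setdefault(key, {"first": p.ts, "last": p.ts, "packets": 0, "flags": set()})
        f["last"] = max(f["last"], p.ts)
        f["packets"] += 1
        f["flags"].update(p.flags)
    return flows

def detect_syn_flood(flows, min_sources=20, min_ratio=0.8):
    """Per destination: fraction of TCP flows that only ever carried SYN and never ACK
    (handshakes left half-open). Flag it when that fraction is high and spread over many sources."""
    stats = defaultdict(lambda: {"tcp": 0, "syn_only": 0, "srcs": set()})
    for (src, dst, proto, _, _), f in flows.items():
        if proto != "tcp":
            continue
        s = stats[dst]
        s["tcp"] += 1
        if "S" in f["flags"] and "A" not in f["flags"]:
            s["syn_only"] += 1
            s["srcs"].add(src)
    return {dst: s["syn_only"] / s["tcp"] for dst, s in stats.items()
            if s["syn_only"] / s["tcp"] >= min_ratio and len(s["srcs"]) >= min_sources}

def detect_udp_flood(flows, min_ports=25):
    """Per destination: number of distinct UDP destination ports hit; a scatter across
    many ports is the UDP-flood signature (each closed port tends to draw an ICMP reply)."""
    ports = defaultdict(set)
    for (_, dst, proto, _, dport), _f in flows.items():
        if proto == "udp":
            ports[dst].add(dport)
    return {dst: len(p) for dst, p in ports.items() if len(p) >= min_ports}

def sample_packets():
    """Constructed traffic (not real capture data) mixing attack and benign flows."""
    pk = []
    # 30 spoofed sources, one SYN each to the web server; no ACK ever follows
    for i in range(30):
        pk.append(Packet(i * 0.01, f"203.0.113.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 80, "S"))
    # two legitimate clients: SYN, ACK, then data on the same connection
    for i, src in enumerate(("198.51.100.7", "198.51.100.8")):
        for ts, fl in ((1.0, "S"), (1.1, "A"), (1.2, "PA")):
            pk.append(Packet(ts + i, src, "10.0.0.5", "tcp", 50000 + i, 80, fl))
    # one host spraying UDP at 40 random ports on the file server
    for port in range(20000, 20040):
        pk.append(Packet(2.0, "203.0.113.99", "10.0.0.9", "udp", 5555, port))
    # a benign DNS query
    pk.append(Packet(3.0, "198.51.100.7", "10.0.0.53", "udp", 41234, 53))
    return pk

if __name__ == "__main__":
    fl = build_flows(sample_packets())
    print("SYN flood:", detect_syn_flood(fl), "UDP flood:", detect_udp_flood(fl))
```

The thresholds are illustrative; in practice they are tuned per destination against a baseline of the half-open ratio and port spread seen in normal traffic.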
Deep packet inspection (DPI) together with application-layer analysis of network traffic is usually carried out by the default firewall system and intrusion detection systems (IDSs). [26] states that