K.Kuppusamy, V.Priyadharshini - Automated DDoS prevention using MAC

On the Internet, E-Commerce is the selling of products, services, or information between businesses. The companies buying from and selling to each other online. But there's more to it than purchasing. It's evolved to encompass supply chain management as more companies outsource parts of their supply chain to their trading partners. In traditional sales, the buyer and/or the salesman are the active party. In one case, the buyer initiates the purchase by either going to the store to buy or calling on the phone and making an order.

Due to increase in number of users on internet, many people want to attack other system resources. Competitors also want to make their web site more popular than others. So they want to attack the service of other’s web site. They keep on logon to a particular web site more times, and then service provided by the web server performance keeps degraded. To avoid that one, this application maintains a status table.

In another situation, the salesman goes to the home or place of business to make the sale, or he calls on the phone to make the sale. A third method combines action from both parties.At present most of the systems are venerable to Denial of Service (DoS) attack. Denial of Service attacks is of particular interest and concern to the Internet community because they seek to render target systems inoperable and/or target networks inaccessible. "Traditional" DoS attacks, however, typically generate a large amount of traffic from a given host or subnet and it is possible for a site to detect such an attack in progress and defend themselves. Distributed DoS attacks are a much more nefarious extension of DoS attacks because they are designed as a coordinated attack from many sources simultaneously against one or more targets.

Many of the system get affected by the denial of service because an intruder finds one or more systems on the Internet that can be compromised and exploited. This is generally accomplished using a stolen account on a system with a large number of users and/or inattentive administrators, preferably with a high- bandwidth connection to the Internet (many such systems can be found on college and university campuses).

The compromised system is loaded with any number of hacking and cracking tools such as scanners, exploit tools, operating system detectors, root kits, and DoS/Distributed DoS(DDoS) programs. This system becomes the DDoS master. The master software allows it to find a number of other systems that can themselves be compromised and exploited. The attacker scans large ranges of IP network address blocks to find systems running services known to have security vulnerabilities. This initial mass-intrusion phase employs automated tools to remotely compromise several hundred to several thousand hosts, and installs DDoS agents on those systems. The automated tools to perform this compromise is not part of the DDoS toolkit but is exchanged within groups of criminal hackers. These compromised systems are the initial victims of the DDoS attack. These subsequently exploited systems will be loaded with the DDoS daemons that carry out the actual attack.

The intruder maintains a list of owned systems, the compromised systems with the DDoS daemon. The actual denial of service attack phase occurs when the attacker runs a program at the master system that communicates with the DDoS daemons to launch the attack. Here is where the intended DDoS victim comes into the scenario.

The goal of this application is to maximize a system utility function.When a DDoS attack occurs, the proposed defense system ensures that, in a web transaction, which typically consists of hundreds or even thousands of packets from client to server, only the very first SYN packet may get delayed due to packet losses and transmissions. Once this packet gets through, all later packets will receive service that is close to normal level. This clearly will lead to significant performance improvement.

Related work

In the context of triggered measurements ATMEN [14]provides a general communication framework. Our work could utilize such a framework if available, however, ATMEN does not address the detection of DDoS attacks.The spectrum of anomaly detection techniques ranges from time-series forecasting [5, 24] and signal processing[4], to network wide approaches for detecting and diagnosing network anomalies [15, 32]. These approachesare intended for detecting coarse-grained anomalies, and do not necessarily provide the diagnostic capability required for large-scale DDoS detection. Also related to our multi-stage approach are techniques for fine grained traffic analysis, using flow or packetheader data. Techniques for performing detailed multidimensional clustering at scale [9, 30] to generate concise traffic summary reports, are of particular interest to attack detection. Other solutions for online traffic analysis use either optimized data structures and/or cou algorithms [33, 13, 10] for detecting heavy-hitters. Moore et al [21], detect attacks utilizing the fact that many types of attacks generate backscatter traffic unintentionally. Network telescopes and honeypots [29] havealso been used to track botnet and scan activity. Some of the early DoS attacks typically used source address spoofing to hide the sources of the attacks, and this motivated a large body of literature on IP traceback. Proposed solutions include packet marking [26, 23], hash based traceback [27], and reverse path flooding [6].There are also several proprietary DDoS detection systems available [3, 19]. In our evaluation, we compare the set of alarms generated by LADS with those generated by a commercial system deployed at a Tier-1 ISP.There are several recent proposals for mitigating DoS attacks. Many solutions rely on infrastructural support for either upstream filtering [17], or using overlays [12, 28]. Recent work also focuses on re- designing networks providing a framework of capabilities to prevent flooding attacks [31, 2]. Several proposals [11, 22] focus on end-system solutions combining specific types of Turing tests and admission control to enable servers to deal with flooding attacks and flash crowds gracefully.Mirkovic et al. [20] provide an excellent taxonomy of DDoS attacks and defences.

Proposed system

The goal of the proposed system is to maximize a system utility function, while the adversary’s goal is to minimize it. The system utility function in this context is the total client satisfaction rate, defined as the number of new clients (per second) that eventually make their way to the system, multiplied by the average satisfaction of each client.

When a DDoS attack occurs, the proposed defense system ensures that, in a web transaction, which typically consists of hundreds or even thousands of packets from client to server, only the very first SYN packet may get delayed due to packet losses and transmissions. Once this packet gets through, all later packets will receive service that is close to normal level. This clearly will lead to significant performance improvement.

The basic idea behind the proposed system is to isolate and protect legitimate traffic from huge volumes of DDoS traffic when an attack occurs;
Our first step is to distinguish packets that contain genuine source IP addresses from those that contain spoofed addresses. This is done by redirecting a client to a new IP address and port number (to receive web service) through a standard HTTP redirect message;
Part of the new IP address and port number will serve as a Message Authentication Code (MAC) for the client’s source IP address. Packets from an attacker who uses spoofed IP addresses will not have the correct MAC since the attacker will not be able to receive the HTTP redirect message.

Implementation

The detailed design of the proposed system can be implemented by the following techniques.

Packet Filter
We observe that a web transaction typically consists of hundreds or even thousands of packets sent from a client to a server. During a DDos attack, since the packets will be randomly dropped at high probability, each of these packets will go through a long delay due to TCP timeouts and retransmissions. Consequently, that total page download time in a transaction can take hours. Such service quality is of little or no use to clients. In contrast, our defense system ensures that, throughout a web transaction, only very first packet from a client may get delayed. All later packets will be protected and served. We show that this allow a decent percentage of legitimate clients to receive a reasonable level of service.
MAC Generator
This module is to distinguish packets that contain genuine source IP addresses from those that contain spoofed address. Once the very first TCP SYN packet of a client gets through, the proposed system immediately redirects the client to a pseudo-IP address (still belonging to the website) and port number pair, through a standard HTTP URL redirect message. Certain bits from this IP address and the port number pair will serve as the Message Authentication code(MAC) for the client’s IP address. MAC is a symmetric authentication scheme that allows a party A, which shares a secret key k with another party A, which shares a secret key k with another party B, to authenticate a message M sent to B with a signature MAC (M, k) has the property that, with overwhelming probability, no one can forge it without knowing the secret key k.
MAC Verifier
This module is to prevent attackers who are using genuine address or spoofed address. Since a legitimate client uses its real IP address to communicate with the server, it will receive the HTTP redirect message (hence the MAC). So, all its future packets will have the correct MACs inside their destination IP addresses and thus be protected. The DDos traffic with spoofed IP addresses, on the other hand, will be filtered because the attackers will not receive the MAC sent to them. So, this technique effectively separates legitimate traffic from DDos traffic with spoofed IP addresses.
IP Handler
When an attackers using genuine address, the proxy server uses the Deficit Round Robin algorithm to collect the address of the client request. if an attacker sends packets much faster than its fair share, the scheduling policy will drop its excess traffic. More Over, for each genuine IP address, the system will perform accounting on the number of packets that reach the firewall but are dropped by the scheduler; it’s IP address will be blacklisted.

Conclusion

This project is developed on ASP.NET using SQL-Server 2000 as the database, so the application features more security and user friendliness. This application is highly reliable and result oriented. No system can claim to be perfect and comprehensive in this era of software explosion, where every other day new software gets released. So what is required for good system is that it should be flexible to encompass modification whenever need arises and should facilitate easy maintenance. Keeping this in mind, this system has been developed in a way, as it should accommodate future enhancements and modifications. Online purchasing and selling is our main motto. Make sure the competitor should not access our web service more than thrice. It provides the details about the supplier’s entry, branch entry, stock details and denial attacks. It maintains a status table. It contains the attacker’s IP address. The web server provides the encryption and decryption for each user. It encrypts for every IP address, after getting the request from web client, it decrypts and knows the particular web client has been accessed. During decryption, if it does not get the correct value, web server will not proceed further. It just displays some inconvenience message. Using statistics values, we can easily find out the attackers.

References

1. Ciscoguard
2. ]ADKINS,D.,LAKSHMINARAYANAN, K., PERRIG, A., AND STOICA, I. Taming IP Packet Flooding Attacks. In ACM SIGCOMM HotNets II (2003).
3. ArborNetworks http://www.arbor.com
4. BARFORD, P., KLINE, J., PLONKA, D., AND RON, A. A Signal Analysis of Network Traffic Anomalies. In Proc. Of ACM/USENIX IMW (2002).
5. BRUTLAG, J. D. Aberrant Behavior Detection in Time Series for Network Monitoring. In Proc. of USENIX LISA (2000)
6. BURCH, H., AND CHESWICK, B. Tracing Anonymous Packets to Their Approximate Source. In USENIX LISA (2000)
7. COOKE, E., JAHANIAN, F., AND MCPHERSON, D. The zombie roundup: Understanding, detecting, and disrupting botnets.SRUTI Workshop, 2005.