
CHARACTERIZING DDoS ATTACKS WITH TRAFFIC RATE ANALYSIS

Cheolho Lee
Graduate School of Information and Communication, Ajou University Suwon, Korea

Sanguk Noh
School of Computer Science and Information Engineering, The Catholic University of Korea Bucheon, Korea

Kyunghee Choi
Graduate School of Information and Communication, Ajou University Suwon, Korea

Gihyun Jung
Division of Electronics Engineering, Ajou University Suwon, Korea

ABSTRACT
As the complexity of the Internet scales up, Internet resources are increasingly likely to be exposed to Distributed Denial of Service (DDoS) attacks. To characterize the pattern of DDoS network attacks on TCP-based servers, this paper presents a network traffic analysis mechanism, called Traffic Rate Analysis (TRA), which computes TCP flag rates and protocol rates under various types of DDoS attack. We experiment with metrics based on the ratios of the various types of packets going in and out of a host. The experimental results show that the features of the DDoS attacks are distinctive and predictive. We hope the experimental results can be used to detect and prevent a variety of network flooding attacks.

KEYWORDS
Distributed Denial of Service Attacks, Network Security, Network Traffic Analysis

1. INTRODUCTION
As the complexity of the Internet scales up, Internet resources are increasingly likely to be exposed to Distributed Denial of Service (DDoS) attacks. It was reported that DDoS attacks against network servers such as Yahoo, e-Bay, and E-Trade caused serious damage to system stability [3, 11]. Since the attacks can be made on any system on the Internet, a tapestry of approaches to prevent the attacks or to minimize damage has been proposed for many Internet applications [1, 3, 5, 6, 7, 13, 17]. Regarding the analysis of the various patterns of DDoS network attacks, many researchers have investigated the randomness and the distribution of source IP addresses. From this perspective, if the randomness of source IP addresses becomes higher than usual, alarms are raised upon detection of the DDoS attacks. Gil and Poletto [4] examined traffic flows in one direction vs. flows in the opposite direction over IP packets by using their own data structure, MULTOPS. Their network monitoring device using MULTOPS detects flooding attacks by the difference between the packet rates going to and coming from the victim. Their assumption for the detection is based on the disproportional difference between the packet rates, which is caused by the randomness of malicious packets. Kulkarni et al. [8] traced the source IP addresses and constructed Kolmogorov Complexity Metrics [10] for identifying their randomness. Kolmogorov Complexity Metrics change according to the degree of randomness of spoofed source IP addresses. Actually, the randomness of source IP addresses is very low without any DDoS attack but very high under a DDoS attack. However, these approaches are not applicable when attackers reduce the level of randomness of the source IP addresses or when they use actual IP addresses instead of spoofed ones. In another approach to a detection mechanism, Wang et al. [18] examined the protocol behavior of TCP SYN-FIN (RST) pairs. If there is no DDoS attack against a TCP-based server, the rate of SYNs for TCP connection establishment and the rate of FINs for TCP connection termination have the same value, or differ rarely in case of retransmission. In the case of a SYN flooding attack, for example, the rate of SYNs clearly differs from that of FINs. The metrics of SYN-FIN (RST) pairs could be useful to detect SYN flooding attacks against web servers. This approach is somewhat similar to ours in that both take TCP flags into account to detect DDoS attacks (or flooding attacks). However, their method is applicable only to SYN flooding attacks. Our approach, on the other hand, is more general, so that our mechanism can be applied to all types of DDoS attack, i.e., SYN flooding attacks, UDP flooding attacks, ICMP flooding attacks, and so on. Identifying the network traffic characteristics of flooding attacks is crucial in protecting Internet resources from them.

This work has been supported, in part, by the Korea Research Foundation under grant KRF-2002-041-D00465.

IADIS International Conference e-Society 2003
To understand the features of DDoS attacks, we introduce a network traffic analysis mechanism in two settings: a web server without any attack and a web server under DDoS attack. In these settings, we measure TCP flag rates, expressed as the ratios of the number of packets carrying each TCP flag to the total number of TCP packets. For example, the number of SYNs drastically increases during a SYN flooding attack, which is one of the most common DDoS attacks. Consequently, an increasing number of SYNs indicates the possibility of a DDoS attack. In addition to the flag rates, we also measure protocol rates, which are the ratios of the number of packets belonging to specific protocols (TCP, UDP, or ICMP) to the total number of packets on the IP network. In-depth analysis of the simulation results shows that we can efficiently detect the symptoms of DDoS attacks using these two sets of rates, namely flag rates and protocol rates. To be more generally applicable in realistic settings, therefore, this paper presents a new approach to identifying the features of DDoS network attacks using all of the flags (SYN, FIN, RST, ACK, etc.) within the Transmission Control Protocol (TCP) header and taking into account the relationship between the flags and network packets. In the following section, we discuss how we analyze network traffic characteristics and define two network traffic rates. Section three describes a simulated network environment and shows clear factors that indicate the symptoms of various flooding attacks. In conclusion, we summarize our results and further research issues.

2. NETWORK TRAFFIC ANALYSIS


We rely on the dynamics of the differences between TCP flag rates and protocol rates to analyze the features of DDoS attacks. Due to the burstiness of TCP flags, the ratio of the number of packets carrying a specific TCP flag (SYN, FIN, RST, ACK, etc.) to the total number of TCP packets during normal operation without DDoS attacks clearly differs from the ratio under attack. With the flag and protocol rates for both inbound and outbound network traffic, we characterize the symptoms of the DDoS attacks. We present a network traffic analysis mechanism, Traffic Rate Analysis (TRA), which calculates two measuring factors: the TCP flag rate and the protocol rate. The traffic rate analysis treats the traffic flowing into a victim (a host) as inbound and the traffic flowing from the victim as outbound. A packet collecting agent captures IP packets and classifies them into TCP, UDP, or ICMP packets. For a TCP packet, the classification procedure further separates the packet into TCP header and payload. The six flags in the TCP header, SYN, FIN, RST, ACK, PSH, and URG, are tested to determine whether or not they are set; for every flag that is set, the agent increments the corresponding counter. The packet collecting agent also counts the total number of TCP packets during a specific observation period td (sec). Our alarming agents then compute two metrics, TCP flag rates and protocol rates. A flag rate is expressed as the ratio of the number of packets with a given TCP flag set to the total number of TCP packets, as follows:


$$R_{t_d}[K_i] = \frac{\text{total number of a flag } (K) \text{ in a TCP header}}{\text{total number of TCP packets}} \quad (\text{inbound})$$

$$R_{t_d}[K_o] = \frac{\text{total number of a flag } (K) \text{ in a TCP header}}{\text{total number of TCP packets}} \quad (\text{outbound}) \qquad (1)$$

Here, td denotes the sampling period. In equation 1, K stands for one of the six flags SYN, FIN, RST, ACK, PSH, and URG, denoted S, F, R, A, P, and U, for either inbound (i) or outbound (o) network traffic. For example, R1[Ai] represents the ACK flag rate of inbound traffic when the sampling period is one second. A protocol rate is similarly defined as the ratio of the number of TCP, UDP, or ICMP packets to the total number of IP packets, as follows:
$$R_{t_d}[[\mathrm{TCP}\,|\,\mathrm{UDP}\,|\,\mathrm{ICMP}]_i] = \frac{\text{total number of } [\mathrm{TCP}\,|\,\mathrm{UDP}\,|\,\mathrm{ICMP}] \text{ packets}}{\text{total number of IP packets}} \quad (\text{inbound})$$

$$R_{t_d}[[\mathrm{TCP}\,|\,\mathrm{UDP}\,|\,\mathrm{ICMP}]_o] = \frac{\text{total number of } [\mathrm{TCP}\,|\,\mathrm{UDP}\,|\,\mathrm{ICMP}] \text{ packets}}{\text{total number of IP packets}} \quad (\text{outbound}) \qquad (2)$$

Similarly, for example, R2[UDPo] stands for the UDP protocol rate of outbound network traffic with a sampling period of two seconds. Since the traffic rate analysis uses a rate scheme (ratios rather than absolute counts), our mechanism is applicable even to scaled-up network settings. This enables us to examine various traffic patterns and to identify the features of the DDoS attacks in various network environments.
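The rate computation of equations (1) and (2), as an added example that is not part of the original paper: it computes R_td[K_i], R_td[K_o] and the protocol rates for one sampling period from constructed packet records. The Packet record format, the sample traffic, and the SYN+URG flag combination used for the flood packets are assumptions of this example.

```python
# Added example, not the paper's code: the Traffic Rate Analysis metrics of
# equations (1) and (2) computed over constructed packet records. The Packet
# record format and the sample traffic are assumptions made for this example.
from collections import Counter
from dataclasses import dataclass

FLAGS = "SFRAPU"            # SYN, FIN, RST, ACK, PSH, URG as in equation (1)
PROTOS = ("TCP", "UDP", "ICMP")


@dataclass(frozen=True)
class Packet:
    t: float          # capture time in seconds
    inbound: bool     # True: flowing towards the monitored host (victim)
    proto: str        # "TCP", "UDP" or "ICMP"
    flags: str = ""   # TCP flags set, as a subset of "SFRAPU"; "" for none


def traffic_rates(packets, t0, td=1.0):
    """Rates for the sampling window [t0, t0 + td), keyed "i"/"o" for inbound
    and outbound. Each side holds R[K] for K in SFRAPU plus "N" (no flag set,
    as in the paper's footnote) and the TCP/UDP/ICMP protocol rates."""
    result = {}
    for side, inbound in (("i", True), ("o", False)):
        window = [p for p in packets if p.inbound == inbound and t0 <= p.t < t0 + td]
        tcp = [p for p in window if p.proto == "TCP"]
        flag_hits = Counter()
        for p in tcp:
            # a packet with several flags set is counted once per flag
            for k in (p.flags or "N"):
                flag_hits[k] += 1
        proto_hits = Counter(p.proto for p in window)
        rates = {k: (flag_hits[k] / len(tcp) if tcp else 0.0) for k in FLAGS + "N"}
        rates.update({pr: (proto_hits[pr] / len(window) if window else 0.0) for pr in PROTOS})
        result[side] = rates
    return result


def build_sample():
    """Constructed traffic (no real capture): second 0 is a normal HTTP exchange,
    second 1 is hit by a SYN flood whose packets carry SYN+URG, the pattern
    reported in figure 3 of the paper."""
    pk = [Packet(0.00, True, "TCP", "S"), Packet(0.01, False, "TCP", "SA")]
    pk += [Packet(0.1 + i * 0.01, True, "TCP", "A") for i in range(6)]
    pk += [Packet(0.1 + i * 0.01, False, "TCP", "PA") for i in range(6)]
    pk += [Packet(0.50, True, "TCP", "FA"), Packet(0.51, False, "TCP", "FA")]
    pk += [Packet(0.60, True, "UDP")]                                        # one DNS-like datagram
    pk += [Packet(1.0 + i * 0.004, True, "TCP", "SU") for i in range(200)]   # flood packets
    pk += [Packet(1.0 + i * 0.004, False, "TCP", "SA") for i in range(200)]  # SYN/ACK replies, open port
    pk += [Packet(1.5, True, "TCP", "A")]                                    # legitimate flow starved
    return pk


if __name__ == "__main__":
    sample = build_sample()
    for label, t0 in (("normal", 0.0), ("SYN flood", 1.0)):
        r = traffic_rates(sample, t0)
        print(f"{label:9s} R1[Si]={r['i']['S']:.3f} R1[Ai]={r['i']['A']:.3f} "
              f"R1[So]={r['o']['S']:.3f} R1[TCPi]={r['i']['TCP']:.3f}")
```

In the flooded second, R1[Si] and R1[Ui] approach one while R1[Ai] collapses and R1[So] rises to one, which is the inbound/outbound pattern section 3.2.1 describes.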

3. SIMULATIONS AND RESULTS


We have implemented a simulated network environment using SPECweb99 [16], Tribe Flood Network 2000 (TFN2K) [15], and libpcap [9]. In the simulated, Web-based environment, SPECweb99 running on the web clients generates web traffic, TFN2K on the DDoS attackers simulates DDoS attacks, and libpcap, used by a packet collecting agent, captures the stream of network traffic. While the web clients request service from the web server, the DDoS attackers launch various flooding attacks against the web server. We construct the simulated network environment on LINUX machines, consisting of a web server running Apache, web clients, DDoS attackers, and a network monitoring device hosting a packet collecting agent and an alarming agent (700 MHz Pentium III, 256 MB memory), connected by a 100 Mbps network. Figure 1 presents the simulated network setting and our agents working on the network monitoring device.

Figure 1. A simulated network environment


The packet collecting agent, sitting on the network monitoring device, captures IP packets and classifies them into TCP, UDP, or ICMP packets. The agent looks into TCP packets in detail and separates each packet into header and payload. The alarming agent then calculates the traffic rates (flag rates and protocol rates) and generates reports. We measured the two types of network traffic rates in the simulated network environment depicted in figure 1. The network traffic models were generated in two settings: a normal web server without any attack and the web server under DDoS flooding attacks. For each network traffic setting, we varied two factors, simultaneous connections (SC) and requests per connection (R/C), to simulate different web traffic patterns. SC indicates the number of HTTP connections at a given time, which approximates the number of users in real networks. R/C represents the number of requests issued within an HTTP connection. In the experiment, we used 5, 10, 50, 100, 150, and 200 for SC and 1, 2, 5, and 10 for R/C. The sampling period td (sec) was one second for all of the experiments.

3.1 Flag rates without any attack


The experimental results for normal web traffic (without DDoS attack) are depicted in figure 2. Even though SC ranges from 5 to 200, the results of all TCP flag rates¹ are almost identical.

Figure 2. TCP flag rates in normal web service when SC=200

We measured TCP flag rates for inbound and outbound network traffic separately. In both the inbound and outbound TCP flag rates, the rates of SYN and FIN were less than 0.1. On the other hand, the rate of the ACK flag was close to 1.0. This reflects the fact that most TCP packets have the ACK flag bit set in their header, acknowledging receipt of data.

3.2 Traffic rates with various DDoS attacks


TCP flag rates and protocol rates are measured and analyzed under several well-known DDoS attacks: SYN flooding, UDP flooding, ICMP flooding, and other miscellaneous attacks. For simulating the attacks, TFN2K [15] is utilized. For SC and R/C, we use 100 and 2, respectively.

3.2.1 SYN flooding attack


Figure 3 presents the inbound and outbound TCP flag rates when a SYN flooding attack occurs. The attack is directed at random ports and lasts from 30 to 70 seconds.

¹ In figure 2, for instance, R1[Si] means the ratio of the number of SYN flags to the total number of TCP packets for inbound network traffic with a sampling period of 1 sec. We similarly define R1[Ni] as the TCP flag rate with no flags set; here N stands for null.


Figure 3. TCP flag rates under SYN flooding attack

R1[Ai] goes down to about 0.0 due to the SYN burst during the attack. This indicates that the web traffic flow is blocked by the enormous number of SYN packets. On the other hand, R1[Si] and R1[Ui] in the inbound flag rates change drastically and go up to almost 1.0. The outbound TCP flag rates except R1[So] are not affected by the attack at all. Since a victim follows the TCP three-way handshake protocol, it replies to all SYN packets with a SYN flag set if the SYN flooding attack is made on open ports. That is the reason why R1[So] increases.

3.2.2 UDP flooding attack


Figure 4 shows the inbound and outbound TCP flag rates and protocol rates under the UDP flooding attack, which is made between 20 and 60 seconds. Right after the attack starts, R1[UDPi] drastically increases while R1[TCPi] decreases by the same amount. The TCP flag rates do not change at all even though the amount of TCP network traffic decreases, since the UDP flooding attack is carried out with UDP packets only. Unlike R1[UDPi], the outbound UDP protocol rate, R1[UDPo], does not change significantly and remains at its normal level because the incoming UDP packets do not require any response.

Figure 4. TCP flag rates and protocol rates under UDP flooding attack: (a) inbound, (b) outbound


3.2.3 ICMP flooding attack


Figure 5 shows the inbound and outbound TCP flag rates and protocol rates under the ICMP flooding attack, which is performed between 20 and 60 seconds. The ICMP protocol rate for inbound traffic, R1[ICMPi], increases from nearly zero to one. Like R1[UDPi] under the UDP flooding attack, the increase of R1[ICMPi] under the ICMP flooding attack is obvious. One difference is that R1[ICMPo] sharply goes up and down, as depicted in the right diagram of figure 5 (b), since every inbound ICMP echo (ping) request asks the web server (victim) to reply with an ICMP echo reply. That is, under the ICMP flooding attack, the victim is not able to send packets continuously because of the flood of ICMP packets.

Figure 5. TCP flag rates and protocol rates under ICMP flooding attack: (a) inbound, (b) outbound

3.2.4 Other miscellaneous attacks


The MIX flooding attack combines TCP, UDP, and ICMP flooding attacks [2]. Figure 6 shows the inbound and outbound TCP flag rates and protocol rates under the MIX flooding attack, which is carried out between 20 and 58 seconds. During the SYN component of the attack, the ACK flag rate for inbound network traffic, R1[Ai], decreases to nearly zero, while R1[Si] and R1[Ui] go up to almost one because of the flood of SYN flags. Among the protocol rates, R1[TCPi], R1[UDPi], and R1[ICMPi] are the same because the MIX flooding attack uses the three protocols in equal proportion.


Figure 6. TCP flag rates and protocol rates under MIX flooding attack

The TARGA3 flooding attack generated by TFN2K combines the MIX flooding attack and the XMAS flooding attack. The distribution of flag and protocol rates is depicted in figure 7.

Figure 7. TCP flag rates and protocol rates under TARGA3 flooding attack

The above figures imply that, to clearly characterize the symptoms of various DDoS attacks, alarming agents need to calculate all four traffic rates together: flag rates and protocol rates for both inbound and outbound network traffic. In summary (table 1), we conclude that the traffic rate analysis mechanism can be used to represent the features of network traffic under a variety of DDoS attacks.

Table 1. Network traffic rates with significant changes

Types of attacks | Inbound flag rates     | Inbound protocol rates         | Outbound flag rates | Outbound protocol rates
SYN              | R[Ai], R[Si], R[Ui]    |                                |                     |
UDP              |                        | R[UDPi], R[TCPi]               |                     |
ICMP             |                        | R[ICMPi], R[TCPi]              |                     | R[ICMPo], R[TCPo]
MIX              | R[Si], R[Ui], R[Ai]    | R[TCPi], R[UDPi], R[ICMPi]     |                     |
TARGA3           | R[Fi], R[Pi], R[Ui]    |                                |                     |


In table 1, the three symbols mark a rate that goes to nearly one, a rate that goes to nearly zero, and a stable rate, respectively. To determine whether or not SYN and TARGA3 flooding attacks are under way, our alarming agents need to watch the fluctuation of the flag rates; for UDP and ICMP flooding attacks, they need to check the protocol rates; for the MIX flooding attacks, they need to examine the flag rates as well as the protocol rates. For the SYN, UDP, MIX, and TARGA3 flooding attacks, the inbound traffic rates are crucial to detecting the attack. However, the alarming agents need to watch both the inbound and the outbound traffic rates in order to detect ICMP flooding attacks.
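The detection rules that table 1 and section 3.2 describe, applied to one sampling period of TRA rates, as an added example that is not the paper's alarming agent: the thresholds HI/LO/EQ and the constructed rate vectors are assumptions of this example, and TARGA3 is left out because the text gives no distinguishing rates for it.

```python
# Added example, not the paper's code: a rule set that maps one sampling period
# of TRA rates (the {"i": {...}, "o": {...}} shape of equations (1) and (2)) to
# the attack type whose signature table 1 and section 3.2 describe.
# HI/LO/EQ thresholds and the sample rate vectors are assumptions.
HI, LO, EQ = 0.9, 0.1, 0.1   # "nearly one", "nearly zero", "same proportion / stable"

FLAGS = "SFRAPU"
PROTOS = ("TCP", "UDP", "ICMP")


def characterize(r, baseline):
    """r and baseline are rate dicts for the current and a known-normal period.
    Returns "SYN", "UDP", "ICMP", "MIX" or None (no attack pattern matched)."""
    i, o = r["i"], r["o"]
    protos = [i[p] for p in PROTOS]
    # MIX (3.2.4): the three inbound protocol rates share the same proportion and
    # the TCP share carries the SYN-burst signature (R[Si] up, R[Ai] down)
    if max(protos) - min(protos) <= EQ and i["S"] >= HI and i["A"] <= LO:
        return "MIX"
    # SYN flooding (3.2.1): inbound SYN rate near one, inbound ACK rate near
    # zero, protocol rates untouched (traffic is still almost all TCP)
    if i["S"] >= HI and i["A"] <= LO and i["TCP"] >= HI:
        return "SYN"
    # UDP flooding (3.2.2): inbound UDP rate near one, TCP flag rates unchanged,
    # outbound UDP rate at its baseline because the datagrams draw no reply
    flags_stable = all(abs(i[k] - baseline["i"][k]) <= EQ for k in FLAGS)
    if i["UDP"] >= HI and flags_stable and abs(o["UDP"] - baseline["o"]["UDP"]) <= EQ:
        return "UDP"
    # ICMP flooding (3.2.3): inbound ICMP rate near one and the outbound ICMP
    # rate leaves its baseline because every echo request draws a reply
    if i["ICMP"] >= HI and abs(o["ICMP"] - baseline["o"]["ICMP"]) > EQ:
        return "ICMP"
    return None


def sample_rates():
    """Constructed rate vectors (not measurements): a normal period resembling
    figure 2 and one period per attack, shaped after figures 3 to 6."""
    def side(**kw):
        d = {k: 0.0 for k in FLAGS + "N"}
        d.update({p: 0.0 for p in PROTOS})
        d.update(kw)
        return d
    normal = {"i": side(S=0.05, F=0.05, A=0.97, P=0.3, TCP=0.98, UDP=0.02),
              "o": side(S=0.05, F=0.05, A=0.98, P=0.6, TCP=0.98, UDP=0.02)}
    syn = {"i": side(S=0.99, U=0.99, A=0.01, TCP=0.99, UDP=0.01),
           "o": {**normal["o"], "S": 0.95}}          # SYN/ACK replies raise R[So]
    udp = {"i": side(S=0.05, F=0.05, A=0.97, P=0.3, TCP=0.05, UDP=0.95),
           "o": normal["o"]}
    icmp = {"i": side(S=0.05, F=0.05, A=0.97, P=0.3, TCP=0.04, ICMP=0.96),
            "o": side(S=0.05, F=0.05, A=0.98, P=0.6, TCP=0.4, ICMP=0.6)}
    mix = {"i": side(S=0.99, U=0.99, A=0.01, TCP=0.34, UDP=0.33, ICMP=0.33),
           "o": {**normal["o"], "S": 0.9}}
    return normal, {"SYN": syn, "UDP": udp, "ICMP": icmp, "MIX": mix}


if __name__ == "__main__":
    normal, attacks = sample_rates()
    print("normal ->", characterize(normal, normal))
    for name, rates in attacks.items():
        print(f"{name:5s} ->", characterize(rates, normal))
```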

4. CONCLUSIONS
We investigated the characteristics of the network traffic of DDoS attacks on TCP-based servers. To present the characteristics efficiently, we proposed a traffic rate analysis (TRA) mechanism, which calculates flag rates and protocol rates for inbound and outbound network traffic. Through in-depth simulation, we found that the rates can be used to represent the features of network traffic under various types of flooding attacks. In our future research, to determine the reliability of our method, we will continue to test the TRA in different network settings, for example, SMTP and FTP servers. Further, we will consider learning algorithms [14] to compile pairs of traffic rates and the presence (or absence) of flooding attacks into state-action rules. The alarming agents will be equipped with the compiled rules to be adaptive in dynamic network settings.

REFERENCES
1. BindView's RAZOR Security Team, 2001. Zombie Zapper, available on-line: http://razor.bindview.com/tools/ZombieZapper_forms.html.
2. Dittrich, D., 2002. Dave Dittrich's Homepage, available on-line: http://www.washington.edu/People/dad.
3. Garber, L., 2000. Denial-of-Service Attacks Rip the Internet, IEEE Computer, vol. 33(4), pp 12-17.
4. Gil, T.M., and Poletto, M., 2001. MULTOPS: a data-structure for bandwidth attack detection, In Proceedings of the 10th USENIX Security Symposium, pp 23-38.
5. Houle, J.K., and Weaver, M.G., 2001. Trends in Denial of Service Attack Technology, CERT Coordination Center.
6. Householder, A., Manion, A., Pesante, L., and Weaver, M.G., 2001. Managing the Threat of Denial-of-Service Attacks, CERT Coordination Center.
7. Kargl, F., Maier, J., and Weber, M., 2001. Protecting Web Servers from Distributed Denial of Service Attacks, In Proceedings of the 10th International Conference on World Wide Web, pp 514-524.
8. Kulkarni, A.B., Bush, S.F., and Evans, S.C., 2001. Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics. Technical report 2001CRD176, GE Research and Development Center.
9. Lawrence Berkeley National Labs Network Research Group. libpcap, available on-line: http://ftp.ee.lbl.gov.
10. Li, M., and Vitanyi, P., 1997. An Introduction to Kolmogorov Complexity and Its Applications, Springer-Verlag, Section 7.6, pp 506-509.
11. Moore, D., Voelker, G.M., and Savage, S., 2001. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Symposium, pp 9-22.
12. Mutaf, P., 1999. Defending against a Denial-of-Service Attack on TCP, In the 2nd International Workshop on Recent Advances in Intrusion Detection (RAID99).
13. NIPC (National Infrastructure Protection Center), 2001. find_ddos, available on-line: http://www.nipc.gov/warnings/advisories/2001/01-005.htm.
14. Noh, S. and Gmytrasiewicz, P. J., 1999. Towards Flexible Multi-Agent Decision-Making Under Time Pressure. In Proceedings of the 16th International Joint Conference on Artificial Intelligence, pp 492-498.
15. Packet Storm. Tribe Flood Network 2000 (TFN2K) DDoS tool, available on-line: http://packetstormsecurity.org/distributed/TFN2k_Analysis-1.3.txt.
16. Standard Performance Evaluation Corporation. SPECweb99 Benchmark, available on-line: http://www.spec.org/osg/web99.
17. TheoryGroup, 2001. Remote Intrusion Detector (RID), available on-line: http://www.theorygroup.com/Software/RID.
18. Wang, H., Zhang, D., and Shin, K.G., 2002. Detecting SYN Flooding Attacks. In Proceedings of IEEE INFOCOM, The Conference on Computer Communications, vol. 21, no. 1, pp 1530-1539.
