Mitigating DoS Attack in VPN
Monika (1), Swati Kapoor (2)
1 Assistant Professor, Department of Computer Science & Applications, Kurukshetra University, Kurukshetra, Haryana, India
2 Department of Computer Science & Applications, Kurukshetra University, Kurukshetra, Haryana, India
Abstract
A VPN provides confidentiality, integrity and availability through tunneling and encryption. The protocols used in VPNs offer various security features, but none of them protects against Denial of Service (DoS) attacks. DoS attacks on VPNs are a serious threat to organizations that use the Internet for communication, and they also obstruct the services offered by service providers. Malicious traffic enters the Internet only through an edge network, so to provide continuous VPN service a protection mechanism must be added at the edge of the customer's network. This paper discusses such protection mechanisms based on filtering.
Keywords: DoS, VPN

I. INTRODUCTION
With the growth of the Internet, security has become a topic of major concern, and it matters most when the communication medium is public. To secure a network we can either use firewalls or build our own private network. A firewall is a specially programmed router that sits between a site and the rest of the network [1]. A firewall is a useful solution, but it is less effective than a private network, which is more secure; building a private network, however, is very costly. A technical solution for protecting data sent over the Internet is the VPN [2]. A Virtual Private Network uses a public network to simulate the behaviour of a private one. It protects the data by encrypting and encapsulating the data packets, and a tunnel is created for their transfer; the process of creating the tunnel is known as tunneling. A VPN logically constructs a geographically dispersed LAN whose parts communicate over the Internet. To a remote user, a VPN provides all the benefits of a private network, while corporations benefit from the low operational costs, high security and instant global coverage it offers [3][4]. Besides encryption and tunneling, a VPN provides remote access, authentication, integrity and access control, and it can virtualize at every layer of the TCP/IP model. IPSec, L2TP, PPTP and SSL/TLS are widely used VPN technologies, and MPLS VPNs are also very popular these days. VPNs may be implemented by a large variety of technologies, ranging from dial lines to ATM or MPLS links, using multiple mechanisms to support data security as well as some level of QoS guarantees [5]. L2TP and PPTP are data link layer protocols, also known as layer 2 VPN protocols.
The Point-to-Point Tunneling Protocol (PPTP) allows Point-to-Point Protocol (PPP) connections to be tunneled through an IP network, creating a Virtual Private Network (VPN) [6]. Layer 2 VPN protocols encapsulate data in PPP frames and can carry non-IP protocols over an IP network. IPSec is implemented at the IP layer, so it protects every layer above it, in particular TCP and UDP; it is designed to provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. An SSL VPN consists of one or more VPN devices to which users connect with their web browsers; the traffic between the browser and the SSL VPN device is encrypted with the SSL protocol or its successor, the Transport Layer Security (TLS) protocol. Current VPN technology allows the public Internet, or any IP network, to be used as if it were a private leased line between end-points, providing secure access to all private resources [7].

Although VPNs provide security, several attacks remain possible. Among active attacks, the Denial of Service attack, also known as an availability attack, is one of the major attacks on a VPN. Section II of this paper describes the role of VPNs in network security with the help of a simulation in OPNET IT GURU. Sections III and IV describe how filtering at the subscriber's edge can prevent DoS attacks: a ping attack, one example of a DoS attack, is simulated in OPNET IT GURU to check the performance after filtering is applied at the subscriber's edge router.

II. ROLE OF VPNS IN NETWORK SECURITY
Firewalls are a good way to secure a network against external attacks, but a firewall rule that blocks a class of traffic discards every packet of that class, useful packets included.
For example, if an employee in the company's office wants to communicate with a server located at another site, and the firewall's rule filters out all database traffic arriving at the server, the employee will never be able to exchange data with the server. VPNs solve this problem: the firewall blocks all traffic to the server except the traffic arriving from the VPN site. To analyze how network performance is affected when a VPN is built, three scenarios were created in OPNET IT GURU Academic Edition. Figure 1 shows the VPN scenario, in which a VPN is created between LAN2 and the Server. The second scenario has neither VPN nor firewall, and the third has a firewall only. The firewall was configured in both Scenario 1 and Scenario 3 to block database traffic.
International Journal of Computer Trends and Technology (IJCTT), Volume 4, Issue 5, 2013
The simulation results in Figure 2 and Figure 3 show that the VPN admitted traffic only from authenticated users, that the firewall alone blocked all the traffic, and that in the third scenario, without VPN or firewall, all the traffic from LAN1 reached the server.
Fig. 2 Database traffic received (packets/sec) against simulation time (minutes)
Fig. 3 Database traffic received (packets/sec) against simulation time (30 minutes)
The VPN provides security by refusing traffic from unauthorized users, as Figures 2 and 3 show, but the VPN also increases response time, which means performance degrades. Figure 4 shows how the HTTP response time increases when a VPN is added to the network: line 1 shows the HTTP response time with VPN and firewall, line 2 the response time without VPN, and line 3 the response time with firewall only. An attacker can take advantage of the delay introduced by the tunnel to flood the network or create congestion in it.
Fig. 4 HTTP page response time (seconds) against simulation time (minutes)
III. METHOD TO PREVENT DOS ATTACK IN VPN
Although a VPN provides security through tunneling, authentication, encryption and integrity protection, various attacks from the external network remain possible. Table I describes several attacks on VPNs and their countermeasures.
TABLE I
THREATS POSED TO VPN AND THEIR COUNTERMEASURES

Threat: Intrusion
Countermeasure: Control the ingress points into the VPN; block all illegitimate traffic from unauthorized users with firewalls.

Threat: Virus/malware infections
Countermeasure: Use antivirus software on the clients and on the network servers.

Threat: Split tunneling
Countermeasure: Split tunneling does not cause an attack by itself, but it gives attackers on the shared network an opportunity to reach the internal network. A host-based firewall on the client helps prevent such network-based attacks.

Threat: User-credential related threats
Countermeasure: Use two-factor or three-factor authentication for users at the remote end of the VPN connection.
Apart from these threats, the major threat to a VPN is the denial of service attack. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services [8]. DoS also lowers anonymity, because messages have to be retransmitted to be delivered, which presents more opportunities for attack [9]. DoS attacks can be either protocol based or infrastructure based; infrastructure-based attacks are in turn either bandwidth attacks or resource depletion attacks [10], [11]. Traditional DoS attacks are flooding attacks that fill the network with unwanted messages or packets. Low-rate attacks are harder to detect than flooding attacks because of their low average attack rate and their varied attack patterns [12]. DoS attacks directed at the network infrastructure can have a serious impact on the overall operation of the Internet and hence on the VPN [13].

To understand how the attack occurs, assume a company with branches in three countries. Employees of two branches may access all the services on the server, while employees of the third branch have limited access that depends on their designation. An employee of the third branch, the attacker, who is not allowed to access any information on the server, pings all the workstations in that branch to create internal traffic and then makes those workstations ping the server located in another branch, as shown in Figure 5. The attacker's aim is not to reach the information on the server but only to generate traffic in the network. To prevent this, filtering at the router is implemented.

IV. PROPOSED STRATEGY
To protect the network from outside attack, the first step is to filter the traffic entering or leaving the network. Filtering rules can be of various types, for example source-based filtering, ingress filtering and egress filtering, each with its own advantages and disadvantages. Ingress filtering helps prevent forged source addresses, while egress filtering alone still leaves room for spoofed source addresses within the permitted range. So the first step is filtering.

A. Filtering at the Edge Router of the Network
If filtering is done at the router, unauthorized parties can be prevented from reaching the secure network. Our strategy therefore uses the router's extended access control list (ACL) for filtering. An extended ACL can permit or deny traffic entering or leaving the network based on source address, destination address and protocol. To protect SiteB from the external network that contains the attacker, we imposed a filtering rule on RouterA: no traffic may pass from RouterA to another secure network, e.g. to SiteB or LAN1, as shown in Figure 5. Such a rule can only be evaluated where the inner packet headers are visible, that is, at the customer edge before the traffic enters the tunnel; once the traffic is encapsulated, intermediate routers see only the tunnel endpoints.

B. Network Topology
This section describes the network topology used. The scenario is created on a world map in OPNET IT GURU. The topology contains six Ethernet workstations connected via an ethernet16 switch to RouterA (an ethernet4_slip8 gateway), forming a network. RouterA in turn is connected to the Internet. RouterB connects SalesB (an Ethernet workstation). LAN1 is connected to the Internet through RouterE. All the workstations except the Attacker, and the LAN, are assigned the Sales Person profile, so they can use the Database, HTTP web browsing and Email applications. The Server is shielded by a firewall (ethernet_slip8 firewall). VPNs are created between LAN1 and the Server and between SalesB and the Server. The firewall is configured to drop all database traffic, so that only SalesB and LAN1 can reach the database. The Attacker node is not assigned any profile.
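To make the two filtering points concrete, here is an added example (not code from the paper, and not an OPNET model) that expresses the server firewall rule of Section II and the RouterA extended ACL of Section IV.A as first-match access lists with an implicit final deny, and runs constructed packets through them. The addresses, the use of TCP port 1433 to stand in for OPNET's "database" application, and the decision to write the firewall rule against the sites' own addresses (so the tunnel encapsulation is abstracted away) are all assumptions of the example. It also shows the side effect the conclusion mentions: a legitimate workstation on the attacker's segment is cut off from SiteB along with the Attacker.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Addressing is assumed for this example; the paper gives no addresses.
ATTACKER_NET = "10.1.0.0/24"   # workstations behind RouterA, including the Attacker node
SITE_B       = "10.2.0.0/24"   # SalesB behind RouterB (VPN peer of the Server)
LAN1         = "10.3.0.0/24"   # LAN1 behind RouterE (VPN peer of the Server)
SERVER       = "10.4.0.10/32"  # the Server behind the firewall
ANY          = "0.0.0.0/0"
DB_PORT      = 1433            # assumed TCP port standing in for the "database" application


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One extended-ACL entry: action, protocol, source prefix, destination prefix, optional port."""
    action: str                 # "permit" or "deny"
    proto: str                  # protocol name, or "ip" for any protocol
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry decides; an ACL ends in an implicit deny, as on Cisco IOS."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


# RouterA, Section IV.A: nothing from the attacker's network may reach SiteB or LAN1.
ROUTER_A_OUT = [
    Rule("deny",   "ip", ATTACKER_NET, SITE_B),
    Rule("deny",   "ip", ATTACKER_NET, LAN1),
    Rule("permit", "ip", ATTACKER_NET, ANY),
]

# Firewall in front of the Server, Section II: database traffic only from the VPN sites.
SERVER_FIREWALL = [
    Rule("permit", "tcp", SITE_B, SERVER, DB_PORT),
    Rule("permit", "tcp", LAN1,   SERVER, DB_PORT),
    Rule("deny",   "tcp", ANY,    SERVER, DB_PORT),
    Rule("permit", "ip",  ANY,    SERVER),
]


def path_decision(p: Packet) -> str:
    """Packets leaving the attacker's network cross RouterA first; anything addressed
    to the Server then crosses the firewall. Other sites only cross the firewall."""
    if ip_address(p.src) in ip_network(ATTACKER_NET):
        if evaluate(ROUTER_A_OUT, p) == "deny":
            return "dropped at RouterA"
    if ip_address(p.dst) in ip_network(SERVER):
        if evaluate(SERVER_FIREWALL, p) == "deny":
            return "dropped at firewall"
    return "delivered"


# Constructed traffic for the scenario of Figure 5 (not simulation output from the paper).
SCENARIO: Dict[str, Packet] = {
    "attacker ping to SalesB":    Packet("icmp", "10.1.0.99", "10.2.0.5"),
    "workstation ping to SalesB": Packet("icmp", "10.1.0.7",  "10.2.0.5"),   # collateral drop
    "workstation HTTP to server": Packet("tcp",  "10.1.0.7",  "10.4.0.10", 80),
    "workstation DB to server":   Packet("tcp",  "10.1.0.7",  "10.4.0.10", DB_PORT),
    "LAN1 DB to server":          Packet("tcp",  "10.3.0.20", "10.4.0.10", DB_PORT),
    "SalesB DB to server":        Packet("tcp",  "10.2.0.5",  "10.4.0.10", DB_PORT),
}


def run_scenario() -> Dict[str, str]:
    return {name: path_decision(p) for name, p in SCENARIO.items()}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:30s} -> {outcome}")
```

The RouterA list drops the Attacker's echo requests before they reach the Internet, which is the point of filtering at the subscriber edge, but it drops the innocent workstation's echo request to SalesB for the same reason, while HTTP from that workstation to the Server still passes both filters and only its database traffic is stopped at the firewall.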
A ping attack (a type of DoS attack) is simulated. The Attacker node is configured to send IP ping traffic to the other workstations connected to the switch; these workstations and the Attacker in turn send IP ping traffic to SalesB. This creates a large number of request and reply packets in the network, which degrades network performance and increases the Email download time, the HTTP page response time and the Server's HTTP load. Two scenarios are used:
Scenario 1: withAttack_VPN (as shown in Figure 5)
Scenario 2: withFiltering_Router (same as Figure 5, with an extended access control list additionally implemented at Routers A, B and E)
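The ACL of Section IV.A blocks a whole segment from SiteB. As an added example (not part of the paper, which uses no detection step), the following script shows how the two stages of the ping attack just described, a sweep of the local workstations followed by a coordinated flood toward SalesB, can be picked out of ICMP echo-request records seen at the edge, so that a narrower filter could name only the offending sources instead of the segment. The records are constructed for the example, the addresses are assumed, and the one-second buckets and thresholds are illustrative choices rather than values from the paper.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One ICMP echo-request record: (time in milliseconds, source address, destination address).
Record = Tuple[int, str, str]

# Addresses are assumed for the example; the paper gives none.
ATTACKER = "10.1.0.99"
WORKSTATIONS = ["10.1.0.2", "10.1.0.3", "10.1.0.4", "10.1.0.5", "10.1.0.6", "10.1.0.7"]
SALES_B = "10.2.0.5"
LAN1_HOST = "10.3.0.20"
SERVER = "10.4.0.10"


def build_sample() -> List[Record]:
    """Constructed records reproducing the two stages of the attack of Figure 5
    (not output from the paper's OPNET simulation)."""
    records: List[Record] = []
    # Stage 1, second 0: the Attacker pings every workstation on its own segment.
    for i, host in enumerate(WORKSTATIONS):
        records.append((i * 100, ATTACKER, host))
    # Stage 2, seconds 1-10: the Attacker and the six workstations all ping SalesB
    # ten times per second each, i.e. 70 echo requests per second toward one host.
    for step in range(100):
        for src in [ATTACKER] + WORKSTATIONS:
            records.append((1000 + step * 100, src, SALES_B))
    # Background: a legitimate host in LAN1 pings the Server once per second.
    for sec in range(10):
        records.append((sec * 1000, LAN1_HOST, SERVER))
    return records


def detect(records: List[Record], fanout_threshold: int = 5,
           rate_threshold: int = 20) -> Tuple[List[str], List[str]]:
    """Return (sweeping sources, flooded destinations).

    A source is a sweeper if, within any one-second bucket, it sends echo requests
    to at least fanout_threshold distinct hosts. A destination is flooded if any
    one-second bucket carries at least rate_threshold echo requests toward it,
    however many sources contribute, which is what makes the coordinated
    stage visible even though each workstation's own rate is modest."""
    targets_per_src: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    requests_per_dst: Dict[Tuple[int, str], int] = defaultdict(int)
    for t_ms, src, dst in records:
        sec = t_ms // 1000
        targets_per_src[(sec, src)].add(dst)
        requests_per_dst[(sec, dst)] += 1
    sweepers = sorted({src for (_, src), dsts in targets_per_src.items()
                       if len(dsts) >= fanout_threshold})
    flooded = sorted({dst for (_, dst), n in requests_per_dst.items()
                      if n >= rate_threshold})
    return sweepers, flooded


def contributors(records: List[Record], dst: str) -> List[str]:
    """Sources that sent echo requests to dst: the hosts a narrower ACL entry would name."""
    return sorted({src for _, src, d in records if d == dst})


if __name__ == "__main__":
    sample = build_sample()
    sweepers, flooded = detect(sample)
    print("sweeping sources:", sweepers)
    print("flooded destinations:", flooded)
    for dst in flooded:
        print(f"sources hitting {dst}:", contributors(sample, dst))
```

On the constructed records only the Attacker is reported as a sweeper and only SalesB as flooded, while the once-per-second background ping from LAN1 to the Server stays below both thresholds; the list of contributors to the flood is exactly the set of hosts that a per-source deny entry at RouterA would have to cover.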
In the first scenario only the ping attack is carried out. In the second scenario the routers are assigned access control lists to filter the traffic.

C. Results and Discussion
1) Traffic Dropped: In the first scenario, withAttack_VPN, no traffic is dropped, because the routers in this scenario are configured to pass all traffic. In the second scenario a large amount of traffic is dropped at RouterA because of the extended ACL, as shown in Fig. 6.
Fig. 6 Traffic dropped at RouterA (packets/sec) against simulation time (minutes)

2) Response Time: In the first scenario, with an attack on the network and no filtering mechanism, the HTTP page response time approaches 0.125 seconds (approx.), while in the second scenario the peak page response time is 0.111 seconds (approx.), as shown in Figure 7. The same holds for the Email download response time, which is lower in the second scenario: its peak is 0.135 s in the second scenario against 0.178 s in the first, as shown in Figure 8.
Fig. 7 HTTP page response time (sec) against simulation time (min)
Fig. 8 Email download response time (sec) against simulation time (minutes)
3) Firewall Processing Delay: As shown in Fig. 9, the firewall processing delay is higher in the first scenario, because the firewall has to filter all the traffic itself, and lower in the second scenario, where the edge routers have already dropped the attack traffic.
Fig. 9 Processing delay at the firewall (seconds) against simulation time (minutes)
V. CONCLUSION AND FUTURE SCOPE
Although a VPN is a very secure network that lets a remote client access a server at a different location, it still suffers from various attacks, and a DoS attack is harmful to the network. To protect the network from DoS attacks, a filtering scheme can be imposed at the edge of the network so that packets are dropped there. Filtering at the subscriber's edge router is a good idea because it prevents attack traffic from entering the VPN tunnel. But filtering also drops traffic that is needed. So filtering can reduce congestion in the network and prevent DoS attacks, but a technique that avoids dropping important data still needs to be developed.
REFERENCES
[1] Aruna Malik, Harsh K. Verma, Raju Pal, (2012) Impact of Firewall and VPN for securing WLAN, International Journal of Advanced Research in Computer Science and Software Engineering, vol. 2, issue 5, pp. 407-410.
[2] Olalekan Adeyinka, (2008) Analysis of problems associated with IPSec VPN Technology, Canadian Conference on Electrical and Computer Engineering (CCECE), pp. 1903-1908.
[3] Shashank Khanvilkar and Ashfaq Khokhar, (2004) Virtual Private Networks: An Overview with Performance Evaluation, IEEE Communications Magazine, vol. 42, no. 10, pp. 146-154.
[4] C. J. C. Pena and J. Evans, (2000) Performance Evaluation of Software Virtual Private Networks (VPN), Proc. 25th Annual IEEE Conf. on Local Computer Networks, pp. 522-23.
[5] Luís Henrique M. K. Costa, Serge Fdida, Otto Carlos M. B. Duarte, (2000) An Introduction to Virtual Private Networks: Towards D-VPNs, Networking and Information Systems Journal, vol. 3, no. 4, pp. 1-20.
[6] Bruce Schneier, (1999) Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2), CQRE '99, Springer-Verlag, pp. 192-203.
[7] (2006) NeoAccel SSL VPN-Plus: The Future of Virtual Private Networks, NeoAccel White Paper.
[8] S. S. Nagamuthu Krishnan, V. Saravanan, (2010) Defending Denial of Service: State Overload Attacks, Int. J. Advanced Networking and Applications, vol. 2, issue 3, pp. 719-722.
[9] Nikita Borisov, George Danezis, Prateek Mittal, Parisa Tabriz, (2007) Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity, Proc. 14th ACM Conference on Computer and Communications Security, pp. 92-102.
[10] T. Peng, C. Leckie and K. Ramamohanarao, (2007) Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys, vol. 39, no. 1.
[11] Michael Glenn, (2003) A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment, SANS Institute, GSEC Practical Version 1.4b.
[12] Xiapu Luo, Edmond W. W. Chan, Rocky K. C. Chang, (2009) Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals, EURASIP Journal on Advances in Signal Processing, pp. 1-13.
[13] S. Saraswathi, P. Yogesh, (2012) Mitigating Strategy to shield the VPN Service from DoS attack, International Journal on Cryptography and Information Security, vol. 2, no. 2, pp. 53-63.