
LOCATION ESTIMATION OF DDOS ATTACKS FROM FLASH CROWDS

BY S. VAISHNAVI, M.E. (II YEAR)

INTRODUCTION
Secure data transmission and storage are among the most significant concerns on the Internet. The memoryless, stateless, dynamic and anonymous nature of the Internet facilitates cyber attacks, especially DDoS attacks. A distributed denial of service (DDoS) attack is a critical threat to the Internet, and it makes the IP traceback problem important for locating the actual attackers. A DDoS attack aims to exhaust the victim's physical or logical resources, such as network bandwidth and computing power.

OBJECTIVE
To differentiate DDoS attacks from flash crowds. To detect low-rate DDoS attacks, i.e. to estimate the attackers even when the attack packet rate is small. To improve service and quality of service for legitimate users.

Existing system
Large flooding attacks are detected. No packet-marking technique is used. Packets passing through a router are categorized into flows, and the router records the entropy variations of these flows. Once a DDoS attack has been identified, the victim initiates a pushback process to identify the location of the zombies. The scheme works independently as an additional module on routers: it monitors flow information and communicates with the upstream and downstream routers when the pushback procedure is carried out.

Cont
Algorithms used: 1. Local flow monitoring. 2. IP traceback algorithm.
1. Local flow monitoring: runs during normal network flow and is suspended while a DDoS attack is ongoing.
2. IP traceback algorithm: initiated by the victim. The IP traceback request from the victim is triggered at the upstream routers on the attack path.

DDoS ATTACK

DISADVANTAGES
Packet-flooding attacks are detected easily, whereas an attack with a small number of attack packets is not identified. When the attack strength is less than seven times the normal flow packet rate, detection does not succeed, so finer granularity is required. A static threshold is used to judge the packet flow rate. Differentiation of DDoS attacks from flash crowds is not considered; hence a flash crowd is treated as a DDoS attack, resulting in false-positive alarms.
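As an added illustration of the entropy-variation scheme described above (this is example code written for this page, not the project's implementation or the cited paper's code): a router keeps the entropy of its flow distribution over intervals it believes are normal, raises an alarm when the entropy drops more than k standard deviations below the mean, and on alarm names the upstream flow whose count grew most, which is the information the pushback step needs. The flow identifiers, the 3-sigma threshold, the five-interval window and all packet counts are constructed assumptions.

```python
import math
from statistics import mean, pstdev

# A flow is identified by (upstream router, destination), as in the entropy-variation scheme.
UPSTREAM = ["u0", "u1", "u2", "u3"]
DESTINATIONS = ["A", "B"]
FLOWS = [(u, d) for u in UPSTREAM for d in DESTINATIONS]


def flow_entropy(counts):
    """Shannon entropy (bits) of the packet distribution over flows in one interval."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


class LocalFlowMonitor:
    """Entropy-variation monitor for one router.

    The entropy of normal intervals is tracked (mean and standard deviation over a
    sliding window). An interval whose entropy falls more than k standard deviations
    below the mean raises an alarm, because attack packets pile into a few flows and
    make the distribution less even. While the alarm is up the baseline is not
    updated: local monitoring is suspended for the duration of the attack.
    """

    def __init__(self, k=3.0, window=5):
        self.k, self.window = k, window
        self.entropies = []      # entropies of recent normal intervals
        self.normal_counts = []  # per-flow counts of those intervals
        self.flow_means = {f: 0.0 for f in FLOWS}

    def observe(self, counts):
        h = flow_entropy(counts)
        alarm = False
        if len(self.entropies) >= 2:
            threshold = mean(self.entropies) - self.k * pstdev(self.entropies)
            alarm = h < threshold
        suspect = None
        if alarm:
            # pushback step: the upstream flow whose count grew most over its normal mean
            suspect = max(counts, key=lambda f: counts[f] - self.flow_means[f])
        else:
            self.entropies = (self.entropies + [h])[-self.window:]
            self.normal_counts = (self.normal_counts + [counts])[-self.window:]
            self.flow_means = {f: mean(c[f] for c in self.normal_counts) for f in FLOWS}
        return h, alarm, suspect


# Constructed traffic (assumed counts, not measurements).
def normal_interval(even_count, odd_count):
    """Normal interval: flows alternate between two packet counts around 10."""
    return {f: even_count if i % 2 == 0 else odd_count for i, f in enumerate(FLOWS)}


def with_attack(base, flow, extra):
    """The same interval with `extra` attack packets injected into one flow."""
    counts = dict(base)
    counts[flow] += extra
    return counts


def run_demo():
    mon = LocalFlowMonitor(k=3.0)
    for even, odd in [(10, 10), (12, 8), (11, 9), (13, 7), (9, 11)]:
        mon.observe(normal_interval(even, odd))
    baseline = list(mon.entropies)
    low_rate = mon.observe(with_attack(normal_interval(10, 10), ("u2", "A"), 4))   # 0.4x one flow's rate
    flood = mon.observe(with_attack(normal_interval(10, 10), ("u2", "A"), 200))    # 20x one flow's rate
    return baseline, low_rate, flood


if __name__ == "__main__":
    baseline, low_rate, flood = run_demo()
    print("baseline entropies:", [round(h, 3) for h in baseline])
    print("low-rate attack (entropy, alarm, suspect):", low_rate)
    print("flood (entropy, alarm, suspect):", flood)
```

With these counts the flood is caught and attributed to the flow ("u2", "A"), while the low-rate attack (4 extra packets on a flow of 10) stays above the threshold and, worse, is folded into the baseline as normal traffic. A static threshold on entropy variation cannot separate such a small attack from ordinary fluctuation, which is the granularity problem noted above.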

PROPOSED SYSTEM
Flash crowds and DDoS attacks have very similar properties in terms of Internet traffic; however, flash crowds are legitimate flows and DDoS attacks are illegitimate flows.
The proposed system detects low-rate DDoS attacks using an information metric, entropy, which improves the quality of service for legitimate users.

How it is distinguished
Essential differences between a DDoS attack and a flash crowd: 1. Access intent. 2. Distribution of source IP addresses. 3. Speed at which traffic increases and decreases.

1. Access intent


Type        | User                             | Access motive
Flash crowd | Legitimate users (social events) | Expect successful access until the server is slowed down or shut down
DDoS attack | Illegitimate users               | Aim to shut down the server quickly or to make it unavailable to legitimate users

2. Distribution of source IP addresses


Type        | Aggregated IP addresses                            | Distribution
Flash crowd | Very dispersive; addresses arrive in increasing order | Gaussian (noise) distribution
DDoS attack | Limited; addresses arrive in decreasing order         | Poisson distribution

3. Speed of traffic

Type        | Access behaviour                                              | Number of requests to the server
Flash crowd | All users cannot access the same server simultaneously        | Increases gradually to the peak and decreases gradually from the peak at the end
DDoS attack | Launches a large number of requests to the server simultaneously | Increases sharply to the peak and decreases sharply at the end
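The second and third differences in the tables above, source-address dispersion and the speed at which traffic rises and falls, can be measured directly from a request trace. The following is an added example written for this page, not code from the project: it computes the source-address entropy at the peak interval, normalised by the entropy a fully dispersed population would have, together with the largest interval-to-interval growth and decay ratios. The two traces and the decision thresholds are constructed assumptions.

```python
import math
from collections import Counter


def source_entropy(addresses):
    """Shannon entropy (bits) of the source-address distribution in one interval."""
    n = len(addresses)
    return -sum(c / n * math.log2(c / n) for c in Counter(addresses).values())


def growth_ratios(counts):
    """Largest rise and largest fall between consecutive intervals, as ratios
    (larger count / smaller count). A gradual ramp gives small ratios; a burst
    that starts and stops at once gives large ones."""
    rise = max((b / max(a, 1) for a, b in zip(counts, counts[1:]) if b > a), default=1.0)
    fall = max((a / max(b, 1) for a, b in zip(counts, counts[1:]) if a > b), default=1.0)
    return rise, fall


def characterise(trace):
    """trace: list of intervals, each a list of source addresses (one entry per request)."""
    counts = [len(interval) for interval in trace]
    peak = max(range(len(trace)), key=counts.__getitem__)
    # Dispersion: entropy at the peak relative to the maximum possible for that many
    # requests (1.0 means every request came from a different address).
    dispersion = source_entropy(trace[peak]) / math.log2(counts[peak])
    rise, fall = growth_ratios(counts)
    return {"requests": counts, "dispersion": dispersion, "rise": rise, "fall": fall}


def classify(features, min_burst=8.0, min_dispersion=0.7):
    """Assumed rule: a sudden burst from a concentrated source population is a DDoS
    attack; a gradual ramp from a dispersed population is a flash crowd."""
    burst = features["rise"] >= min_burst and features["fall"] >= min_burst
    return "DDoS attack" if burst and features["dispersion"] < min_dispersion else "flash crowd"


# Constructed traces (nine intervals each).
def fresh_hosts(n, start, prefix):
    """n addresses never seen before, numbered from `start`."""
    return [f"{prefix}.{(start + i) // 256}.{(start + i) % 256}" for i in range(n)]


def flash_crowd_trace():
    """Volume ramps up and down gradually; every request comes from a different client."""
    profile = [10, 30, 60, 100, 120, 100, 60, 30, 10]
    trace, used = [], 0
    for n in profile:
        trace.append(fresh_hosts(n, used, "10"))
        used += n
    return trace


def ddos_trace(n_bots=6):
    """Steady legitimate background plus a burst from a small fixed set of bots."""
    legit, attack = [8] * 9, [0, 0, 0, 120, 120, 120, 0, 0, 0]
    bots = [f"192.0.2.{b}" for b in range(n_bots)]
    trace, used = [], 0
    for n_legit, n_attack in zip(legit, attack):
        trace.append(fresh_hosts(n_legit, used, "10") + [bots[j % n_bots] for j in range(n_attack)])
        used += n_legit
    return trace


def run_demo():
    return {"flash crowd": characterise(flash_crowd_trace()), "ddos": characterise(ddos_trace())}


if __name__ == "__main__":
    for name, features in run_demo().items():
        print(name, features, "->", classify(features))
```

The flash crowd trace rises at most threefold between intervals and its peak has dispersion 1.0; the DDoS trace jumps sixteenfold in one interval and its peak entropy is well under half the maximum because six bots account for most requests. Real traces are noisier than these, so the thresholds would have to be calibrated on the network being protected.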


IMPLEMENTATION REQUIREMENTS
Software requirements: OS: Windows XP; Database: MySQL; Language: Java. Hardware requirements: 5 systems.

Literature review

LITERATURE REVIEW-1
The attackers mimic normal network behaviour, e.g. pumping attack packets according to a Poisson distribution, to defeat detection algorithms. The attackers use the same mathematical functions to control the rate at which attack packets are pumped towards the victim. The technique uses an information-theoretic parameter, the entropy rate, to discriminate DDoS attack traffic from legitimate access.

Cont
Entropy is a measure of the randomness of a process and is used to raise an alarm for potential attacks. Packets that share the same destination address are defined as a flow. Once an alarm is raised for a flow on the destination path, the entropy rate is calculated. If the flow is a DDoS attack, the entropy rates at the router and at its neighbour routers are the same. Once the attack is confirmed, the router discards the suspected flow, i.e. the attack flow.

DISADVANTAGES
The trade-off between detection accuracy and the time needed to confirm an attack is critical. Attackers may use multiple attack-packet generation functions in one attack, which defeats the detection algorithm.

REFERENCE: Shui Yu and Wanlei Zhou, "Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks", Sixth Annual IEEE International Conference on Pervasive Computing and Communications, 2008.

LITERATURE REVIEW-2
It is based on a probabilistic packet marking algorithm in which an attack graph can be constructed by the victim site. The local traffic generated at each router in the attack graph can be deduced efficiently from the volume of marked packets received at the victim site. Given the intensities of these local traffic rates, the local traffic can be ranked and the network domains generating most of the attack traffic identified. Routers provide an additional packet-marking function besides basic packet routing and forwarding.

Cont
Whenever a packet passes through a router, it is marked either deterministically or probabilistically. Marked packets carry information about the paths they traversed.
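A minimal model of probabilistic packet marking and of the traffic-volume inference described above, added here as an illustration. It is not the paper's code: the paper's estimator and its tree-shaped attack graph are simplified to a single path. Each router on the path overwrites the packet's mark with its own identifier with probability p (node sampling); the victim inverts the marking probabilities to estimate how many packets traversed each router and, by differencing, how many entered at each router. Router names, p, the random seed and the traffic volumes are constructed assumptions.

```python
import random

# Path from the farthest router to the victim: R4 -> R3 -> R2 -> R1 -> victim.
PATH = ["R4", "R3", "R2", "R1"]
DISTANCE = {r: len(PATH) - i for i, r in enumerate(PATH)}   # hops to the victim: R4:4 ... R1:1


def send_packets(local_traffic, p, rng):
    """Simulate node-sampling PPM along PATH.

    local_traffic maps a router to the number of packets that enter the path at that
    router (its local traffic). Each router on the way to the victim overwrites the
    packet's mark with its own id with probability p. Returns how many packets the
    victim received carrying each mark value (None = never marked).
    """
    marks = {}
    for entry, n in local_traffic.items():
        downstream = PATH[PATH.index(entry):]        # entry router first, R1 last
        for _ in range(n):
            mark = None
            for router in downstream:
                if rng.random() < p:
                    mark = router                    # later (nearer) routers overwrite
            marks[mark] = marks.get(mark, 0) + 1
    return marks


def estimate_local_traffic(marks, p):
    """Invert the marking process at the victim.

    A mark from a router at distance d survives only if none of the d-1 routers
    nearer the victim overwrote it, so E[marks_r] = p * (1-p)^(d-1) * N_r, where
    N_r is the number of packets that traversed r. The local traffic entering at r
    is N_r minus the traffic that had already traversed the next router upstream.
    """
    through = {r: marks.get(r, 0) / (p * (1 - p) ** (DISTANCE[r] - 1)) for r in PATH}
    local = {}
    for i, r in enumerate(PATH):
        upstream = through[PATH[i - 1]] if i > 0 else 0.0
        local[r] = through[r] - upstream
    return local


def rank_domains(local):
    """Routers ordered by estimated local traffic, most suspicious first."""
    return sorted(local, key=local.get, reverse=True)


def run_demo(seed=7, p=0.2):
    rng = random.Random(seed)
    # Constructed ground truth: the domain behind R3 hosts the attackers.
    truth = {"R4": 300, "R3": 5000, "R2": 200, "R1": 500}
    marks = send_packets(truth, p, rng)
    estimate = estimate_local_traffic(marks, p)
    return truth, estimate, rank_domains(estimate)


if __name__ == "__main__":
    truth, estimate, ranking = run_demo()
    for r in ranking:
        print(f"{r}: estimated local traffic {estimate[r]:8.0f}  (true {truth[r]})")
```

The estimate for R3 lands within a few hundred packets of the true 5000, and R3 ranks first; the small domains are estimated with large relative error because few of their marks survive the downstream overwrites. A packet that reaches the victim unmarked (None) contributes nothing, and an attacker who pre-fills the mark field with "R4" before sending sees that forgery survive with probability (1-p)^4, about 0.41 here, inflating the estimate for R4.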

DISADVANTAGES
The PPM mechanism is vulnerable to attackers who send packets with spoofed marks to mislead the victim. Accuracy is a problem because marks written by routers closer to the leaves can be overwritten by downstream routers on the attack tree. It suffers from a storage problem: a large number of marked packets must be stored to reconstruct the attack tree. It requires all routers in the Internet to take part in marking, which is practically impossible.

Cont
REFERENCE: Terence K.T. Law and John C.S. Lui, "You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers", IEEE Transactions on Parallel and Distributed Systems, vol. 16, no. 9, September 2005.

LITERATURE REVIEW-3
A flooding-based DDoS attack sends a large amount of unwanted traffic to a victim machine. The distance-based defense framework provides defense against DDoS attacks by coordinating the defense systems at the source end and the victim end. It drops attack packets efficiently at the source end and helps sustain QoS for legitimate traffic at the victim end.

Distance based defense operation

DISADVANTAGES
The recovery process in this framework after an attack has been identified is slow. During an attack, the framework does not perform well at deciding whether the attack has ended or is still in progress.
REFERENCE: Yonghua You and Mohammad Zulkernine, "A Distributed Defense Framework for Flooding-Based DDoS Attacks", Third International Conference on Availability, Reliability and Security, 2008.

LITERATURE REVIEW-4
Proposes a set of novel methods that use probability metrics to distinguish DDoS attacks from flash crowds effectively. Probability metrics include several classes, such as the total variation metric and the Bhattacharyya metric. The total variation metric measures the difference between two discrete probability distributions; the Bhattacharyya metric measures the similarity of two discrete probability distributions.

ADVANTAGES
It proposes a hybrid probability metric combining the total variation metric and the Bhattacharyya metric to distinguish DDoS attacks from flash crowds clearly. This hybrid metric greatly reduces the false-positive rate. It also distinguishes DDoS attacks from normal network flow, and even flash crowds from normal network flow.

DDoS attack detection system using hybrid probability metric

Components
Flow anomaly detector: a multi-input, bi-output component that detects anomalies among the incoming flows at a specified router. It outputs two flows, at least one of which is abnormal. Flow distribution estimator: samples the flows according to their characteristics over the sampling period to obtain the flow probability distribution.

Cont
Hybrid probability metric calculator: computes the total variation and the similarity coefficient of two flows in parallel.
Decision device: distinguishes a DDoS attack from a flash crowd. It also decides whether an anomalous flow is a DDoS attack or a flash crowd as opposed to normal network flow. If the flow is a DDoS attack it is discarded immediately; otherwise the flow is passed to the destination or to the downstream routers.
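A worked example of the hybrid probability metric calculator and decision device described above, added for this page (it is not the cited paper's code). The total variation and Bhattacharyya formulas are the standard ones; the feature used to build a flow's probability distribution (a histogram of requests per source over the sampling period), the way the two metrics are combined, and the decision threshold are assumptions made here. The three sample flows are constructed.

```python
import math
from collections import Counter

# Bins of requests-per-source in one sampling period (assumed feature for the flow distribution).
BINS = [(1, 1), (2, 3), (4, 7), (8, 15), (16, float("inf"))]


def flow_distribution(source_addresses):
    """Discrete probability distribution of a flow: the fraction of its sources that
    fall into each requests-per-source bin."""
    hist = [0] * len(BINS)
    for count in Counter(source_addresses).values():
        hist[next(i for i, (lo, hi) in enumerate(BINS) if lo <= count <= hi)] += 1
    total = sum(hist)
    return [h / total for h in hist]


def total_variation(p, q):
    """Total variation distance: largest difference in the probability the two
    distributions assign to any event; 0 for identical and 1 for disjoint distributions."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def bhattacharyya_coefficient(p, q):
    """Bhattacharyya coefficient: similarity of two distributions, 1 for identical, 0 for disjoint."""
    return sum(math.sqrt(a * b) for a, b in zip(p, q))


def hybrid_metric(p, q):
    """Assumed combination: mean of the total variation distance and the Bhattacharyya
    distance (1 - coefficient). Both terms lie in [0, 1]; 0 means identical."""
    return 0.5 * (total_variation(p, q) + (1.0 - bhattacharyya_coefficient(p, q)))


def decide(normal_flow, suspect_flow, ddos_threshold=0.2):
    """Decision device for a flow the anomaly detector has already flagged (e.g. by
    volume). A distribution far from the normal flow's is a DDoS attack; one with the
    same shape, only larger, is a flash crowd. The threshold is an assumption."""
    return "DDoS attack" if hybrid_metric(normal_flow, suspect_flow) > ddos_threshold else "flash crowd"


# Constructed sample flows.
def legit_sources(n_sources, prefix):
    """n_sources legitimate clients; client i sends 1, 2 or 3 requests."""
    return [f"{prefix}.{i}" for i in range(n_sources) for _ in range(i % 3 + 1)]


def bot_sources(n_bots, requests_each):
    """Bots that each send the same large number of requests."""
    return [f"192.0.2.{b}" for b in range(n_bots) for _ in range(requests_each)]


def run_demo():
    normal = flow_distribution(legit_sources(40, "10.0"))
    flash = flow_distribution(legit_sources(400, "10.1"))       # ten times the clients, same behaviour
    ddos = flow_distribution(legit_sources(40, "10.0") + bot_sources(30, 50))
    return {
        "flash": (total_variation(normal, flash), bhattacharyya_coefficient(normal, flash), decide(normal, flash)),
        "ddos": (total_variation(normal, ddos), bhattacharyya_coefficient(normal, ddos), decide(normal, ddos)),
    }


if __name__ == "__main__":
    for name, (tv, bc, verdict) in run_demo().items():
        print(f"{name}: total variation {tv:.3f}, Bhattacharyya coefficient {bc:.3f} -> {verdict}")
```

The flash crowd distribution is almost identical to the normal one (total variation about 0.015, coefficient above 0.99) because its clients behave like the normal clients, only there are more of them; the bot-dominated flow sits at total variation about 0.43 and coefficient about 0.76 and is discarded. Because the metric only compares shapes, the volume anomaly itself must come from the flow anomaly detector, as the component list above indicates.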

Cont
REFERENCE: Ke Li, Wanlei Zhou, Ping Li, Jing Hai and Jianwen Liu, "Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics", Third International Conference on Network and System Security, 2009.

LITERATURE REVIEW-5
A low-rate DDoS attack is highly capable of concealing its traffic because it closely resembles normal traffic. Information entropy is a measure of the uncertainty associated with a random variable. Information distance (or divergence) is a measure of the difference between probability distributions.

ADVANTAGES
Early detection and improved detection accuracy of DDoS attacks.
Produces lower false-positive rates.
REFERENCE: Yang Xiang and Wanlei Zhou, "Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics", IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, June 2011.

Outline of design and development

[Flowchart: incoming packets are processed by the local flow monitoring and IP traceback algorithm; flagged flows are evaluated with the hybrid probability metric, and legitimate flows are passed on.]

LITERATURE REVIEW
1. Shui Yu and Wanlei Zhou, "Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks", Sixth Annual IEEE International Conference on Pervasive Computing and Communications, 2008.
2. Terence K.T. Law and John C.S. Lui, "You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers", IEEE Transactions on Parallel and Distributed Systems, vol. 16, no. 9, September 2005.
3. Yonghua You and Mohammad Zulkernine, "A Distributed Defense Framework for Flooding-Based DDoS Attacks", Third International Conference on Availability, Reliability and Security, 2008.
4. Ke Li, Wanlei Zhou, Ping Li, Jing Hai and Jianwen Liu, "Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics", Third International Conference on Network and System Security, 2009.
5. Yang Xiang and Wanlei Zhou, "Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics", IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, June 2011.
6. Shui Yu and Wanlei Zhou, "Traceback of DDoS Attacks Using Entropy Variations", IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 3, March 2011.

Thank you
