|Title:||PROACTIVE ROAMING HONEYPOTS FOR MITIGATING DENIAL OF SERVICE ATTACKS|
|Keywords:||ELECTRONICS AND COMPUTER ENGINEERING;PROACTIVE ROAMING;HONEYPOTS;SERVICE ATTACKS|
|Abstract:||Today, as the world turns into a global village, enterprises have become highly dependent on Internet-connected networks for their functionality. For these organizations, any threat to network security can lead to heavy financial, economic and other losses. So, protection of the network against security threats is a crucial prerequisite for their functioning. However, today's Internet-connected networks are under permanent attack by intruders. Existing detection tools react only to preconfigured and therefore known attacks. Honeypots are an upcoming technology used in the area of network security to detect and analyze unknown attacks. A honeypot is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and his attack techniques. Honeypots have been used to mitigate the effects of Denial of Service (DoS) attacks, which are a very real and costly threat to the Internet today. However, because of their deployment at fixed locations, they may be compromised by sophisticated attacks. Moreover, a compromised static honeypot can be used to attack servers in the network. In this dissertation, a proactive roaming honeypot scheme has been proposed to mitigate the effects of DoS attacks. It allows the locations of honeypots to be unpredictable, continuously changing and disguised within a server pool. A subset of the servers is active and provides service, while the rest of the idle server pool acts as honeypots. This combines resource management with network defense techniques to create a new hybrid defense. Modifications have been made to the current TCP connection migration mechanisms to suit roaming requirements. The proposed scheme works on two lines of defense: restricting access to the defended services, and proactive roaming, which means the migration of the service to a new server with a different IP address. The performance of the proposed scheme has been evaluated under different scenarios. The roaming mechanism has the potential to improve the DoS defensive strategy. The benefit of server roaming outweighs the cost of roaming. In particular, it provides an average response time that is independent of attack load for a fixed number of attack machines. The simulation study has been done using the NS-2 discrete event network simulator. The simulation is written in TCL & C++ and runs under Linux on a Pentium IV machine.|
|Research Supervisor/ Guide:||Joshi, R. C.|
|Appears in Collections:||MASTERS' DISSERTATIONS (E & C)|