RULE BASED APPROACH FOR DETECTING AND MITIGATING DISTRIBUTED DENIAL OF SERVICE ATTACKS

Abstract

Globalization is a present trend of society, which in turn is dependent on Internet. Thus number of nodes interconnected through Internet is increasing day-by-day. This increasing interconnection of nodes has lead to enormous increase in security threats. Among various security threats, the most disastrous is Distributed Denial of Service attacks (DDoS). DDoS attacks are hampering the routine functioning of any network or a system. The main aim of such attacks is to prevent the victim either from the benefit of a particular service (in case of client being victim), or from providing its services to others (in case of server being victim). Attackers performing DDoS attacks achieve their motive by depleting the resources of a victim by overwhelming them with enormous and useless traffic. Though a large number of schemes have been proposed and implemented for the defense against the DDoS attacks, but still there exists a scope for enhancement. Till date great amount of research has been carried out in the area of the detection of the presence of these attacks, differentiating the legitimate flows from the attack ones, but there is still a scantiness of effective approaches that encompass multiple stages of the process of defense against DoS attacks. In this work "Rule Based approach for Detecting and Mitigating Distributed Denial of Service attacks ", a novel approach for detection is proposed, which deals with proactively mitigating the influence of the attack, classification of the packets as attack or legitimate. This approach uses two stage model to classify the legitimate packets from the attack packets. Stage one uses data mining technique to mine out various known attacks (e.g.: smurf, neptune etc). This step is performed as close to source as possible. It helps in conserving the bandwidth of rest of the components of Internet. The remaining unknown attack and legitimate packets are forwarded further till last router corresponding to the server. At the last router (stage two) based on previous connection timestamps the legitimate -normal packets are filtered out and sent to server for fulfilling the required iii request. The rest of the packets are forwarded to honeypot which emulates all the activities of our actual server. Here the activities of the client are monitored aggressively and accordingly the new attack patterns are detected. The effectiveness of the approach is validated with simulation in ns-2, on a Linux platform. The results show that this approach is effective in conserving upto 40% of network bandwidth and 25% reduction of average time period between request made by client and request fulfilled by server. iv