Abstract:
The Internet is used extensively for important services such as banking, transportation,
medicine, education, stock trading and defense. Most of these transactions must be processed
in a timely manner. However, these services are delayed, degraded and sometimes completely
disrupted by attacks on the Internet. The inherent vulnerabilities of the Internet
architecture provide opportunities for many attacks on its infrastructure and services. The
problem is aggravated by the huge base of unprotected hosts on the Internet. Attackers use
these hosts without authorization, as slaves called zombies, to launch attacks against high
profile sites. Flooding distributed denial-of-service (DDoS) is one such attack, in which a
large number of unwitting hosts are used as an army against the victim site.
Flooding DDoS attacks consist of an overwhelming quantity of packets sent from multiple
attack sites to a victim site. These packets arrive in such quantity that some key resource
at the victim (bandwidth, buffers, CPU time to compute responses) is quickly exhausted. The
victim either crashes or spends so much time handling the attack traffic that it cannot
attend to its real work. Legitimate clients are thus deprived of the victim's service for as
long as the attack lasts. While service is restored as soon as the attack subsides, such
incidents still create a significant disturbance to users and cost victim sites millions of
dollars.
Traditional security technologies such as firewalls, intrusion detection systems (IDSs) and
access control lists in routers are unable to defend networks from these attacks. The
stumbling block is that it is almost impossible to differentiate between genuine and attack
packets. The seriousness of the DDoS problem and the growing sophistication of attackers have
led to the development of numerous defense mechanisms in the research and commercial
communities. To be effective, these defense mechanisms need global deployment, models of
normal traffic, infrastructural changes and minimal collateral damage. These requirements are
difficult to meet because of decentralized Internet management, unpredictable user behaviour,
the variety of network environments, sophisticated and user friendly attack tools, high
computational overheads at the core of the Internet, and the distributed nature of DDoS
attacks.
In this study, an ISP domain is chosen to host the defense nodes of the proposed system.
This provides the advantage of more resources to fight DDoS attacks. Moreover, the single
administrative control of an ISP domain allows the defense nodes to collaborate cohesively
and achieve a synergistic effect. The transit-stub model of the GT-ITM topology generator is
adopted to create a simulation topology consisting of four ISPs. The work is divided into
three parts, whose major contributions are as follows.
In the first part, an overview of the DDoS problem, its basic cause, and DDoS defense
challenges and principles is presented. Core problems in existing DDoS defense techniques
are identified on the basis of common DDoS defense principles and an array of DDoS attack
types.
The second part of the thesis proposes an automated approach to detect flooding DDoS
attacks and filter attack traffic at the ingress edges of the protected ISP domain. A time
series analysis of observed traffic detects flooding DDoS attacks by characterizing asymmetry
in traffic distributions. The approach is validated using simulations in the NS-2 testbed.
Low rate flooding DDoS attacks, which slowly degrade service to legitimate clients, are
detected reliably and accurately; simulation experiments at various attack strengths show
detection of very meek rate attacks. High rate flooding DDoS attacks, which completely
disrupt service to legitimate clients, are easily detected at the point of presence (POP)
nearest the victim in the ISP domain. High rate attacks whose per-flow intensity rises slowly
are also detected at an early stage, so the proposed approach also provides proactive
detection of high rate flooding DDoS attacks, which helps in timely recovery from the attack.
Attack traffic is filtered at the ingress links of the POPs of the protected ISP domain,
saving core bandwidth and avoiding the filtering overhead of a single choke point. The
selection of the detection threshold and its impact on detection accuracy are analyzed using
receiver operating characteristic (ROC) curves. Comparison of the legitimate service level
achieved with that of existing volume based techniques demonstrates the superiority of the
approach.
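The following is an added illustration of the detection idea in the second part; it is not code from the thesis. It assumes a concrete asymmetry measure (the ratio of packets heading to the victim to packets the victim sends back, per observation window) and a normal profile learned from attack-free windows; a window is flagged when its deviation from that profile, in standard deviation units, exceeds the detection threshold. The training and evaluation windows are constructed, and the ROC sweep over candidate thresholds shows the trade-off the abstract describes: a meek attack that sits inside normal variation is caught only at thresholds that also produce false positives.

```python
"""Added example, not code from the thesis: asymmetry-based detection of
flooding DDoS traffic at a POP with a ROC sweep over the detection threshold.
The asymmetry measure (inbound/outbound packet ratio per window) and the
deviation in std units are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Window:
    """Packet counts observed at the POP during one interval.
    `attack` is constructed ground truth, used only for ROC scoring."""
    to_victim: int    # packets heading towards the protected server
    from_victim: int  # packets the server sends back to clients
    attack: bool = False


def asymmetry(w: Window) -> float:
    """Assumed asymmetry measure: ratio of inbound to outbound packets.
    Flooding sources never complete the exchange, so inbound grows while
    the server's replies stay roughly flat."""
    return w.to_victim / max(w.from_victim, 1)


def normal_profile(training: Sequence[Window]) -> Tuple[float, float]:
    """Mean and population std of the asymmetry over attack-free windows."""
    xs = [asymmetry(w) for w in training]
    mu = sum(xs) / len(xs)
    sigma = (sum((x - mu) ** 2 for x in xs) / len(xs)) ** 0.5
    return mu, sigma


def deviation(w: Window, mu: float, sigma: float) -> float:
    """How far the window's asymmetry sits above the normal profile, in std units."""
    return (asymmetry(w) - mu) / sigma


def detect(windows: Iterable[Window], mu: float, sigma: float,
           threshold: float) -> List[bool]:
    """Flag each window whose deviation exceeds the detection threshold."""
    return [deviation(w, mu, sigma) > threshold for w in windows]


def roc_point(windows: Sequence[Window], flags: Sequence[bool]) -> Tuple[float, float]:
    """(false positive rate, true positive rate) for one threshold setting."""
    tp = sum(1 for w, f in zip(windows, flags) if w.attack and f)
    fp = sum(1 for w, f in zip(windows, flags) if not w.attack and f)
    positives = sum(1 for w in windows if w.attack)
    negatives = len(windows) - positives
    return fp / negatives, tp / positives


def roc_curve(windows: Sequence[Window], mu: float, sigma: float,
              thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FPR, TPR) for each candidate threshold."""
    return [(t,) + roc_point(windows, detect(windows, mu, sigma, t))
            for t in thresholds]


# Constructed training data: attack-free windows where replies roughly match requests.
TRAINING = [Window(100, 100), Window(120, 100), Window(80, 100),
            Window(110, 100), Window(90, 100)]

# Constructed evaluation data: four normal windows, then a meek attack,
# two low rate floods and one high rate flood.
EVALUATION = [
    Window(105, 100), Window(95, 100), Window(115, 100), Window(100, 100),
    Window(120, 100, attack=True),   # meek: inside normal variation
    Window(150, 100, attack=True),   # low rate flood
    Window(200, 100, attack=True),   # low rate flood
    Window(1000, 100, attack=True),  # high rate flood
]
THRESHOLDS = [0.5, 1.0, 2.0, 3.0, 5.0]


def run_example() -> List[Tuple[float, float, float]]:
    mu, sigma = normal_profile(TRAINING)
    return roc_curve(EVALUATION, mu, sigma, THRESHOLDS)


if __name__ == "__main__":
    for t, fpr, tpr in run_example():
        print(f"threshold={t:.1f}  FPR={fpr:.2f}  TPR={tpr:.2f}")
```

At thresholds of 0.5 and 1.0 every attack window is caught but one normal window is also flagged; from 2.0 upwards there are no false positives but the meek attack is missed, and at 5.0 a low rate flood is missed too. Picking the operating point on this curve is exactly the threshold selection the abstract refers to.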
In the third part of the thesis, the high computational overhead of analyzing flooding DDoS
attacks near the victim is tackled by a distributed approach within the ISP domain. An
analytical solution, well supported by simulation experiments, is presented to distribute
the computational overhead of the detection system among the POPs of the ISP domain without
compromising accuracy. The computational complexity of the proposed distributed scheme at the
POP connected to the victim server is very low compared with existing schemes. This makes
the approach robust against the high traffic volume and high computational overhead of
monitoring and analysing traffic near the victim. Errors are also computed by removing the
assumptions. Regression and correlation analysis is used to find the relationship between
the number of zombies used to launch the attack and the deviation from the detection
threshold. The standard error of estimate, the sample coefficient of determination and the
coefficient of correlation are calculated to describe this relationship. A tolerance based
proactive approach is proposed to regulate traffic such that server resources are allocated
fairly to all traffic sources under a high rate flooding DDoS attack. The proposed
algorithms rate limit traffic at each edge of the protected ISP domain in proportion to the
share of traffic passing through it.
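As an added worked example of the regression and correlation analysis mentioned in the third part (not the thesis's own code or data), the block below fits a least squares line relating the number of zombies to the measured deviation from the detection threshold and computes the three statistics the abstract names: the standard error of estimate, the sample coefficient of determination and the coefficient of correlation. The five (zombies, deviation) pairs are constructed; the inverse prediction helper is an assumption about how such a fit would be used operationally.

```python
"""Added example, not code from the thesis: simple linear regression and
correlation analysis relating the number of zombies behind a flood to the
deviation of the detection statistic from its threshold.  The sample data
is constructed; the thesis reports its own measurements."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Fit:
    slope: float          # deviation units per additional zombie
    intercept: float
    std_error: float      # standard error of estimate, sqrt(SSE / (n - 2))
    r_squared: float      # sample coefficient of determination
    correlation: float    # coefficient of correlation (sign follows the slope)


def fit_zombies_vs_deviation(zombies: Sequence[float],
                             deviation: Sequence[float]) -> Fit:
    """Least squares line deviation = slope * zombies + intercept, with the
    three statistics used to describe how well the line explains the data."""
    n = len(zombies)
    if n != len(deviation) or n < 3:
        raise ValueError("need at least three paired observations")
    x_mean = sum(zombies) / n
    y_mean = sum(deviation) / n
    sxx = sum((x - x_mean) ** 2 for x in zombies)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(zombies, deviation))
    syy = sum((y - y_mean) ** 2 for y in deviation)
    if sxx == 0 or syy == 0:
        raise ValueError("no variation in one of the variables")
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    # Sum of squared residuals around the fitted line.
    sse = sum((y - (slope * x + intercept)) ** 2
              for x, y in zip(zombies, deviation))
    r_squared = 1.0 - sse / syy
    correlation = sxy / (sxx * syy) ** 0.5
    std_error = (sse / (n - 2)) ** 0.5
    return Fit(slope, intercept, std_error, r_squared, correlation)


def predict_zombies(fit: Fit, observed_deviation: float) -> float:
    """Assumed operational use: invert the fitted line to estimate the size of
    the zombie army from a deviation measured at the POP (meaningful only
    inside the range the line was fitted on)."""
    return (observed_deviation - fit.intercept) / fit.slope


# Constructed sample: simulated floods launched from 10..50 zombies and the
# deviation from the detection threshold measured at the victim-side POP.
ZOMBIES = [10, 20, 30, 40, 50]
DEVIATION = [2.1, 3.9, 6.2, 7.8, 10.0]


def run_example() -> Fit:
    return fit_zombies_vs_deviation(ZOMBIES, DEVIATION)


if __name__ == "__main__":
    f = run_example()
    print(f"deviation ~ {f.slope:.3f} * zombies + {f.intercept:.3f}")
    print(f"std error of estimate = {f.std_error:.3f}, "
          f"r^2 = {f.r_squared:.4f}, r = {f.correlation:.4f}")
    print(f"a deviation of 5.0 suggests about {predict_zombies(f, 5.0):.0f} zombies")
```

With the constructed data the fit is deviation = 0.197 * zombies + 0.09, with r^2 just under 0.998 and a standard error of estimate of about 0.17 deviation units, which is the kind of near-linear relationship that would let a POP size an attack from the detection statistic alone.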