dc.description.abstract |
The Internet was designed for openness, functionality and the sharing of resources.
Security was not the prime concern during the initial phase of the design. Phenomenal
growth of the Internet during the last two decades has converted it into a public
connected network used for important daily communications such as stock trades,
financial management, banking, medicine, education etc. However, the lack of built-in
security has left the Internet vulnerable to intrusions and has facilitated break-ins
of a variety of types, leading to heavy financial losses, delays, customer dissatisfaction etc.
Over the past few years, denial-of-service (DoS) and distributed denial-of-service (DDoS)
attacks have become a costly threat. These attacks are critical, as they are aimed at
denying or degrading service for legitimate users. Defending against DDoS attacks involves
three phases: before the attack, during the attack and after the attack. Defense
corresponding to the first phase is prevention; in the second phase it is detection and
characterization. Lastly, defense after the attack makes use of mitigation techniques. In the
last decade there have been several attempts to defend against DDoS attacks using one or
more of the above approaches. Though an array of schemes has been proposed, most of
them are point technologies or perimeter solutions which are unable to withstand
advancing attack techniques. There is a dire need for a complete framework to defend against
the various phases of DDoS attacks. This is presented in detail, citing key works, in the
first part of the thesis.
In the second part of the thesis, we propose a honeypot based framework that provides
integrated defense during various phases of a DDoS attack. Our framework is proactive
and works on three lines of defense, namely, detection, characterization and response, and
mitigation. The work presented in this thesis proposes new and efficient techniques for
each of the lines of defense. We propose the use of a honeypot, which appears to be part of a
network but is actually isolated, (un)protected, and monitored, and which appears to
contain information or a resource that would be of value to attackers. Our framework does
not replace existing technologies like firewalls and IDS but is used in conjunction with
them to defend against attacks.
We model the Internet as a transit-stub network. Our aim in defending against a DDoS attack is to
prevent the attack flow from reaching the target, so as to ensure its availability. The traffic is analyzed at
the edge router of the transit domain before entering the network. The detection thresholds are
optimized and the detector is calibrated according to network load and client requirements.
If an attack is detected, the flows corresponding to attackers are identified. At the
macroscopic level, the flows that maximally contribute to the DDoS attack are identified
and dropped before they enter the network. The rest of the flows undergo microscopic
detection and characterization. Legitimate flows are routed to active servers. The
anomalous and suspicious flows are tagged as attacks, directed to honeypots and further
monitored before any action is taken on them. The number and location of honeypots and
servers are varied dynamically depending on the network load and client requirements.
Hence our scheme encompasses the various aforementioned phases of defense and is tuned to
operate in one of three modes of defense, namely naive, normal or best, depending on
the client load, attack load and client requirements.
In the third part of the thesis, we introduce a novel dual-level attack detection (D-LAD)
scheme which is the first line of defense in the proposed framework. The first level
attempts to detect congestion-inducing macroscopic attacks which cause an apparent
slowdown in network functionality. Using the Macroscopic-Level Attack Detectors (Ma-
LAD), macroscopic or large-volume attacks are detected early at border routers in the
transit network before they converge at the victim. On the other hand, sophisticated attacks
that cause networks to degrade gracefully, and stealth attacks that may not necessarily
impact the network and remain undetected in the transit domain but have a dramatic impact on
the server, are detected at the second level by Microscopic-Level Attack Detectors (Mi-LAD) at
border routers in the stub domain near the victim. The techniques for attack detection are
based on entropy, which measures the traffic feature distribution, and use cumulative sum
and change-point detection computed over a moving time window. Honeypots help achieve a
high detection rate and filtering accuracy.
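As an added illustration of the entropy-plus-CUSUM detection style described above (this is not code from the thesis), the following Python computes source-IP entropy per packet window, calibrates the reference level from attack-free windows, and runs a two-sided CUSUM change-point test; the drift, threshold and sample traffic are constructed assumptions.

```python
# Added example, not code from the thesis: per-window entropy of one traffic
# feature (packet source IP) fed into a two-sided CUSUM change-point test.
# Drift/threshold values and the sample traffic below are constructed.
import math
from collections import Counter


def feature_entropy(values):
    """Shannon entropy (bits) of the distribution of one traffic feature."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_entropies(packets, window):
    """Entropy of each non-overlapping window of `window` packets."""
    return [feature_entropy(packets[i:i + window])
            for i in range(0, len(packets) - window + 1, window)]


def calibrate(baseline):
    """Reference level: mean entropy of attack-free windows (current load)."""
    return sum(baseline) / len(baseline)


def cusum_alarms(series, mean, drift, threshold):
    """Two-sided CUSUM over the entropy series. A rise past the reference
    suggests a widely distributed (spoofed) flood introducing many new
    sources; a drop suggests a flood concentrated on a few sources."""
    alarms, s_hi, s_lo = [], 0.0, 0.0
    for i, x in enumerate(series):
        s_hi = max(0.0, s_hi + (x - mean - drift))   # accumulates upward shift
        s_lo = max(0.0, s_lo + (mean - drift - x))   # accumulates downward shift
        if s_hi > threshold:
            alarms.append((i, "spoofed-flood"))
            s_hi = 0.0
        elif s_lo > threshold:
            alarms.append((i, "concentrated-flood"))
            s_lo = 0.0
    return alarms


def detect(packets, window=64, baseline_windows=4, drift=0.5, threshold=2.0):
    ents = window_entropies(packets, window)
    return cusum_alarms(ents, calibrate(ents[:baseline_windows]), drift, threshold)


def normal_sources(n):  # constructed: 16 legitimate clients in rotation
    return [f"10.0.0.{i % 16}" for i in range(n)]


# Constructed traffic: 4 normal windows, one window flooded from a single
# source, one normal window, then two windows of a flood with spoofed sources.
SAMPLE = (normal_sources(256) + ["203.0.113.5"] * 56 + normal_sources(8)
          + normal_sources(64) + [f"198.51.100.{i % 64}" for i in range(128)])

if __name__ == "__main__":
    print(detect(SAMPLE))  # [(4, 'concentrated-flood'), (7, 'spoofed-flood')]
```

The spoofed flood needs two windows to trip the alarm while the concentrated one trips it immediately, which is the accumulation behaviour that lets CUSUM catch gradual shifts without lowering the per-window threshold.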
Our proposed scheme is a hybrid that combines anomaly detection and honeypots in a
way that exploits the best features of these mechanisms while shielding their limitations.
The compromise between detection accuracy and time to confirmation is a critical aspect,
and the proposed technique provides the much-demanded optimal solution to this problem.
Our scheme is simple to understand and implement. Results demonstrate that in addition
to being competitive with other techniques, our scheme is very effective and works well in
the presence of different DDoS attacks. It is capable of handling infiltrating, sophisticated,
meek as well as highly distributed DDoS attacks. Besides being computationally fast and
accurate, it adapts to varying network conditions with minimum collateral damage and
false alarms.
The fourth part of the thesis introduces the problem of characterization of traffic.
Attack characterization forms the second line of defense in the proposed framework. Our
techniques for attack characterization are based on examining traffic feature distributions,
which identify the attacks in a systematic manner. Our detection and characterization
overlap, since the method used to detect the existence of an attack provides the necessary
information to characterize the traffic. Characterization is extended to take an immediate
response decision. The response system either drops the attack traffic in a timely fashion
or renders it harmless by redirecting it into a trap for further evaluation and
analysis.
Similar to detection, characterization is performed at two levels. In macroscopic-level
characterization, most of the macroscopic attack traffic is identified early at the
border router of the transit network. The response mechanism at this level selectively drops the
congestion-inducing attack traffic. Microscopic-level attack characterization is
triggered at the border router of the stub network by Mi-LAD. The response mechanism then
redirects the suspicious traffic of anomalous flows to a honeypot trap for further evaluation.
Legitimate traffic is directed to servers.
Our response mechanism implements the above functionality through three rules, namely an
allow rule, a redirect rule and a drop rule. Hence, our response
mechanism selectively drops the attack packets and minimizes collateral damage in
addressing the DDoS problem.
In the fifth part of the thesis, we propose a proactive 'autonomous dynamic' honeypot
redirection approach for attack mitigation which forms the third line of defense of the
proposed framework. In our approach to attack mitigation, the total budget (total number
of machines) gets partitioned into two groups, active servers and honeypots. The traffic is
handled through honeypots or active servers contingent on the input derived from
characterization at microscopic level. The good traffic is routed to one of the active
servers, while the attack traffic is diffused across honeypots. By 'dynamic' we mean that the
number of active servers and honeypots is adaptive and changing, and by 'autonomous' we
mean that the change in the number and locations of active servers and honeypots is triggered
independently with changing network conditions. Legitimate clients, depending upon their
trust levels (defined by the organization according to its security policy configuration), can
track the actual servers for a certain time period. Anomalous flows reaching honeypots are
logged by the honeypot. Our mitigation techniques use lightweight backward hash chains for
tracking the location, number and duration of active servers and honeypots.
Our mitigation technique has an edge over existing techniques as it provides service
continuity to legitimate clients with guaranteed Quality of Service (QoS), in addition to
stable network functionality under dynamically changing network conditions, even for a
network under attack.
Our work also includes analytical modeling and extensive simulations in ns-2 carried
out over an AT&T topology generated by the GT-ITM topology generator with realistic network
parameters. Various attack scenarios have been synthetically generated specifically for
testing the suggested techniques. Implementation of a basic proof-of-concept, cost-benefit
analysis and exhaustive analysis of network performance parameters like goodput, mean
time between failures and average response time have been performed to evaluate the
various techniques and demonstrate the feasibility of the proposed framework. The simulation
results are very promising and show that the proposed framework is robust, resilient and
can withstand high levels of DDoS attacks.
Finally, the contributions made in the thesis are summarized and the scope for future
work is outlined. |
en_US |