In the past two decades, the Internet has revolutionized almost every facet of our lives.
Government, commercial, and educational organizations depend on the Internet to such an extent
that day-to-day operations are significantly hindered when the network is "down". Almost all
important services, such as banking, transportation, stock trading, medicine, and education,
are now delivered over the Internet; everything is available at the click of a mouse.
Unfortunately, the prosperity of the Internet also attracts abusers and malicious attackers.
Since the original aim of the Internet was to provide an open network for researchers to share
their research resources, openness and growth were the design priorities, while security was
of less concern. Abusers and malicious attackers take advantage of this to launch attacks and
intrusions against Internet-based services. Such attacks can be launched from anywhere in the
world, and no Internet-based service is immune to them. They lead to heavy financial losses,
delays, and customer dissatisfaction. The trustworthiness and security of the Internet not only
benefit on-line businesses but are also a matter of national safety. Denial-of-service (DoS)
and distributed denial-of-service (DDoS) attacks are currently among the most problematic
Internet security threats. These attacks are critical because they aim at denying or degrading
services for legitimate users.
A DDoS attack can be defined as any attempt that forces some system component to limit, or
even halt, normal services. The traditional purpose and impact of DDoS is to prevent or deny
the legitimate use of computer or network resources. Despite significant advances in network
management and security, Internet-connected systems face a constant threat from DDoS attacks.
Over recent years, several research works have proposed solutions for handling DDoS attacks.
Many of them claim to be the best in the absence of benchmarks, but none is able to withstand
advancing attack techniques. Researchers have come up with more and more specific solutions to
the DDoS problem; however, existing DDoS attack tools also keep improving with new attack
techniques. Hence there is a critical need to address this issue and achieve a long-lasting
solution. Accordingly, this thesis focuses on research towards developing a robust and
effective solution to counteract DDoS attacks, and is organized as follows.
The first part of the thesis gives a brief introduction to the research work, the motivation,
and the problem formulation, followed by a state-of-the-art literature review. After that, we
describe our proposed approach, the flow-volume based approach (FVBA), for detecting a variety
of DDoS attacks. In the proposed mechanism, attacks are detected by monitoring abrupt traffic
changes inside the ISP network. FVBA constructs a profile of the traffic normally seen in the
network and identifies anomalies whenever traffic goes out of profile. A tolerance factor,
which is a tunable parameter, is used to make the proposed detection system adaptable to
varying network conditions and attack loads in real time. The proposed scheme is evaluated
through extensive simulations using the NS-2 network simulator on the Linux platform. The
Internet-like network topologies used for simulation are generated using the Transit-Stub
model of the GT-ITM topology generator. Five performance metrics, i.e. detection rate, false
positive rate, receiver operating characteristic (ROC), goodput, and NPSR, are used to evaluate
the performance of the proposed scheme, which is compared with existing volume-based
approaches. The results show that the proposed scheme gives a 10-30% improvement in detection
rate over earlier volume-based schemes. The publicly available benchmark dataset KDD 99 is used
to validate the performance of the proposed scheme.
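As an added illustration, not the thesis's own code or data, of the profile-plus-tolerance-factor detection described above: the Python below builds a normal-traffic profile from constructed attack-free interval volumes, flags intervals that exceed the profile by a tolerance factor, and reports detection rate and false positive rate across tolerance values. The mean-plus-tolerance-times-standard-deviation rule is an assumption, since the abstract does not give FVBA's exact threshold.

```python
from statistics import mean, pstdev

# Constructed per-interval packet counts as seen at an ISP edge (assumed data,
# not thesis data). Attack-free intervals used to build the normal profile:
TRAIN = [100, 104, 98, 101, 97, 103, 99, 102, 100, 96]
# Evaluation intervals with ground truth: (volume, 1 if an attack is in progress).
# The 115 interval is a low-rate attack that only a tight tolerance catches.
TEST = [(99, 0), (103, 0), (97, 0), (260, 1), (300, 1),
        (101, 0), (290, 1), (108, 0), (115, 1), (96, 0)]


def build_profile(volumes):
    """Normal-traffic profile: mean and standard deviation of interval volume."""
    return mean(volumes), pstdev(volumes)


def is_anomalous(volume, profile, tolerance):
    """Assumed FVBA-style rule: flag an interval whose volume exceeds
    mean + tolerance * std of the normal profile."""
    mu, sigma = profile
    return volume > mu + tolerance * sigma


def evaluate(test, profile, tolerance):
    """Return (detection rate, false positive rate) for one tolerance factor."""
    tp = fp = fn = tn = 0
    for volume, attack in test:
        flagged = is_anomalous(volume, profile, tolerance)
        if attack and flagged:
            tp += 1
        elif attack:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    dr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return dr, fpr


def roc_points(test, profile, tolerances):
    """Sweep the tolerance factor to trace the detector's ROC trade-off."""
    return [(t, *evaluate(test, profile, t)) for t in tolerances]


if __name__ == "__main__":
    prof = build_profile(TRAIN)
    for t, dr, fpr in roc_points(TEST, prof, [1, 2, 3, 5, 10]):
        print(f"tolerance={t:>2}  DR={dr:.2f}  FPR={fpr:.2f}")
```

Lowering the tolerance catches the low-rate interval but raises the false positive rate, which is exactly the trade-off the ROC metric captures.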
Although the flow-volume based approach (FVBA) performs better than previous methods, it can be
further improved by taking into account the heteroskedastic nature of DDoS attack traffic.
Hence, in the subsequent section, the thesis deals with nonlinear statistical methods for fast
and effective detection of flooding DDoS attacks. In this research work, the Generalized
Autoregressive Conditional Heteroskedastic (GARCH) model, a statistical modeling technique
commonly used for financial time series, is applied as a new technique for detecting DDoS
attacks. Our studies show that this nonlinear volatility model gives a 4 to 5.5% improvement
in detection performance over earlier models such as linear prediction. The results reveal
that time series modeling of DDoS attacks shows a lot of promise. The detection performance of
the GARCH model based detection scheme is also compared with the FVBA scheme; results show
that the GARCH based scheme gives a marginal improvement in detection rate over FVBA.
The thesis also deals with predicting the number of zombies involved in a DDoS attack. A
real-time estimate of the number of zombies in a DDoS scenario helps to suppress the effect of
the attack by selecting the predicted number of most suspicious attack sources for either
filtering or rate limiting. We use various regression models, i.e. linear, polynomial,
exponential, power, logarithmic, and multiple regression, to predict the number of zombies in
a DDoS attack. Various statistical performance measures are used to evaluate these regression
models, and a comparative study of the different models for predicting the number of zombies
is performed. While the method is promising in general, simulation results show that the
multiple regression model performs better than the other regression models.
A different method for predicting the number of zombies involved in a DDoS attack is presented
next. The proposed method uses feed-forward neural networks of different sizes to predict the
number of zombies. The sample data used to train and test the feed-forward neural networks is
generated using the NS-2 network simulator running on the Linux platform. Mean square error
(MSE) is used to compare the performance of the various feed-forward neural networks. For the
prediction of the number of zombies in a DDoS attack, three feed-forward neural networks of
different sizes have been tested: networks with 5, 10, and 15 neurons. The selected networks
are compared for their prediction performance. The simulation results show that the
feed-forward network with 10 neurons performs better than the others, as it is able to predict
the number of zombies involved in a DDoS attack with very small error. The prediction
performance of the ANN based scheme has also been compared with the regression based scheme,
and results show that the ANN based scheme performs better than the regression based scheme
when the attack is more severe.
The other main issue presented in the thesis is our approach for estimating the strength of a
DDoS attack. Estimating the strength of an attack helps to suppress its effect, as it enables
a security administrator to equip his arsenal with proper defense mechanisms for fighting the
DDoS threat according to the strength of the attack. Hence, in this research work, we use
regression analysis to investigate the suitability of various regression models, i.e. linear,
polynomial, exponential, power, logarithmic, and multiple regression, for estimating the
strength of a DDoS attack. A comparative study has also been performed using the different
regression models for estimating the strength of a DDoS attack. The simulation results show
that the multiple regression model performs best at estimating the strength of a DDoS attack.
Lastly, a summary of the contributions made in the thesis and the future scope of the work
are presented. All in all, the thesis expounds the various approaches we proposed for
defending against a variety of DDoS attacks.