
Runtime Dynamic Path Identification for Preventing DDoS Attacks

1 Shaik Zahanath Ali, 2 Shobini.B and 3 G.Shiva Krishna

1 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, Telangana 501512

2 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, Telangana 501512

3 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, Telangana 501512

[email protected], [email protected], [email protected]

Abstract

Cyber security is a major challenge, and protecting our digital lives is an issue of paramount importance. DDoS attacks are launched by adversaries using a botnet, an army of compromised nodes hidden in the network. Compromised nodes are a set of nodes controlled by a botnet. The DDoS attack is a most popular threat and is categorized as a volumetric attack, where the target destination is overwhelmed with a large number of requests, making it impossible to serve any users. In a DDoS attack, a large number of machines act cooperatively under the supervision of one or more bot masters. These bots may be malicious users themselves or may have been infected beforehand. In recent years, there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, which makes it easy for attackers to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, we present the design, implementation, and evaluation of a dynamic path identification based framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects. We built an application to show its effectiveness, and the results demonstrate the usefulness of our framework.

Key Words: DDoS attack, flooding DDoS, dynamic path identification, cyber security

Science, Technology and Development, Volume VIII Issue X OCTOBER 2019, ISSN : 0950-0707, Page No : 16

1. INTRODUCTION

Security plays a vital role in any communication system. In the history of computing there have been many instances in which large-scale attacks were made for many reasons. Denial of Service (DoS) is one of the attacks that disrupt legitimate communication between two systems. When such an attack is made on a large scale, it is known as a DDoS attack, whose impact is greater on the victim server and the corresponding business in a distributed environment.

A DDoS attack, when compared with other attacks, is complex in nature, and adversaries compromise a vast number of nodes in order to launch a distributed DoS attack. Many companies like Facebook, Google and Twitter are victims of such attacks. HTTP flooding attacks include session flooding attacks, request flooding attacks, asymmetric attacks, slow request or response attacks, HTTP fragmentation attacks, slow POST attacks, and slow reading attacks. Zargar, Joshi, and David (2013) made a review of different DDoS flooding attacks. The motivation for these attacks is classified into financial gain, revenge, ideological belief, intellectual challenge, and cyber warfare. Many other researchers have likewise contributed towards preventing DDoS attacks. As far as flooding-based DDoS attacks are concerned, it is understood from the literature that further research needs to be carried out. In this paper we propose a methodology that caters to the needs of a system which can use a runtime path-based solution to detect and prevent flooding DDoS attacks.

1.1 Bandwidth DDoS

A Bandwidth Distributed Denial of Service (BW-DDoS) attack results in network congestion, as it consumes more bandwidth. Such attacks have been explored in the literature; they include UDP Flood, DNS Reflection and ACK Storm, to mention a few. Attackers follow a specific procedure to make DDoS attacks. First, they identify and select agents, then take steps to compromise the agents, then perform the needed communication and launch attacks. Such attacks are described as a scalability problem.

1.2 DDoS Flooding Attacks

A review of DDoS flooding attacks is available in the literature. The reasons for the attacks include cyber warfare, ideological belief, revenge, financial gain and intellectual challenge. These attacks may be made at the network level or the transport level. Application-level attacks are meant to exhaust resources on the server side. There are different kinds of flooding attacks, including HTTP flooding attacks and reflection-based flooding attacks.

Figure 1: Botnet for Causing DDoS Attacks

As presented in Figure 1, handlers are the machines used indirectly by adversaries to launch flooding attacks. Bots are machines that have been compromised by attackers. Botnets can be of many kinds, including IRC-based, P2P-based and web-based. The response to such attacks can be maintained at different locations, as explored in the literature.

Figure 2: Possible DDoS detection and response locations

As presented in Figure 2, detection of DDoS is made at different locations. The locations may be various intermediate networks or attack destinations. The number of normal packets in the case of DDoS attacks increases from bottom to top. Similarly, the response mechanisms are better from bottom to top. On the other hand, the detection accuracy increases from top to bottom.

1.3 Other DDoS Attacks and Botnet Detection Techniques

The SYN flooding kind of DDoS attack has been explored; it is made for monetary gain. SYN flood attacks exploit a vulnerability in the TCP 3-way handshake. Different kinds of bots used in the attacks have been studied. NetFlow is the solution employed to handle botnets. DDoS attacks in distributed P2P networks have been explored, and countermeasures for them have been found. From the literature it is understood that flooding DDoS attacks need further research towards a runtime path identification-based solution. The remainder of the paper is organized as follows. Section 2 reviews the literature. Section 3 presents the proposed framework. Section 4 provides results and Section 5 concludes the paper.

2. RELATED WORK

This section reviews the literature pertaining to DDoS attacks and the methods to detect and prevent them. The performance of the methods depends on network conditions and is influenced by many parameters. There should be a generic method to defend against most of the attacks irrespective of the protocol used. A traceback mechanism should be implemented with customization support. It should be cost effective without compromising quality of service [9].

A mathematical model to detect shrew attacks was proposed by taking into account the explicit behavior of TCP's congestion window adaptation mechanism [3]. It can evaluate the attack effect from the attack pattern and the network environment. The analytical results show how to tune the attack parameters to improve the attack effect in a given network and how to configure the network resources to mitigate a given shrew attack [16]. Information distance is calculated between attack traffic and legitimate traffic [3]. Methods have been proposed to identify DDoS attacks not only at edge routers but also at the core of the network by computing entropy and frequency-sorted distributions [1]. A detailed discussion of the relationship between network visibility, botnet invariant behavior and existing botnet-based techniques has also been carried out.

Volumetric attacks have a severe impact on the data plane but not on the controller. The impact is visible only in the attack phase [9]. Protocol exploitation does not affect network bandwidth; the effect is on the consumption of resources like logical ports. A more detailed detection system is proposed which analyzes where the attack occurred, either in transit or at the source. The dynamic nature of stealthy attacks is studied because the technique benefits from increased correlation arising under shifting patterns in network traffic [2]. More investigation is required to evaluate the trade-offs among the space and time granularity of monitoring, the number of observations, and the ability to detect attacks under decreasing levels of intensity [2].

A TCP SYN attack consumes data structures in the server operating system [3]. Retransmission leads to severe congestion and finally to timeouts. Once a malicious host is detected, its packets are filtered and the services resume. Anomaly detection is done by various statistical methods, machine learning and soft computing. Routers can be configured via access control lists to control access to the network and drop suspected traffic. If all incoming ICMP traffic to the broadcast address is filtered at the router, none of the machines will respond and the attack will not work.

At the macroscopic level, a hierarchical method is proposed in order to capture traffic patterns in spatial-temporal domains [2]. Macroscopic characteristics found in network traffic are one way to detect DDoS. When this approach is coupled with dynamic monitoring capabilities, it has higher utility. The solution in [2] can provide warnings when a detection is made. The model used to launch the attack was made with minimal cost, and attacks are prevented to show the performance of the approach. From the literature [1]-[16], it is found that there is a need for further investigation into handling DDoS attacks.

3. PROPOSED FRAMEWORK

The proposed framework includes the design, implementation and evaluation of D-PID, a framework that dynamically changes the path identifiers (PIDs) of inter-domain paths in order to prevent DDoS flooding attacks when PIDs are used as inter-domain routing objects. We have described the design details of D-PID and implemented it in a 42-node prototype to verify its feasibility and effectiveness. We have presented numerical results from running experiments on the prototype. The results show that the time spent in negotiating and distributing PIDs is quite small (on the order of ms) and that D-PID is effective in preventing DDoS attacks. We have also conducted extensive simulations to evaluate the cost of launching DDoS attacks in D-PID and the overheads caused by D-PID. It is implemented as a distributed system of various nodes, and the nodes are arranged in different groups. Runtime path IDs are dynamically obtained in order to prevent DDoS attacks. The inter-domain connectivity is kept secret and changes dynamically.

Figure 3: Proposed framework for preventing DDoS attacks

As shown in Figure 3, the proposed system has several modules. The user module shares information from one place to another. The attacker module attacks information in the network, targeting the original data. The network manager module controls the sharing of information in the network and provides security against attackers.

Figure 4: The flow of activities in the proposed system

As presented in Figure 4, there are different processes involved in the system. There are different components such as the source, router, group manager and destination. The data flowing through the router from source to destination is safeguarded from DDoS attacks. This is achieved with the help of the proposed algorithm.

Figure 5: Sequence of events in the proposed system

As presented in Figure 5, there are many objects among which interactions take place: the source, router, group manager and destination. The data sent from the source reaches the destination through proper routing by the router. The system also ensures that DDoS attacks are detected and prevented with a dynamic path at runtime.

Algorithm: Dynamic Path based Prevention for DDoS Attacks

Input: Wide Area Network (WAN)
Output: Communication with DDoS prevention

1. Divide network into sub groups
2. Generate dynamic key for inter group communication
3. Generate signature for unique identification of groups
4. For each subnetwork in WAN
5.     For each node in subnetwork
6.         Ensure that id for path construction changes
7.     End For
8. End For
9. Repeat steps 4-8 iteratively and periodically
10. Ensure that attacker will not succeed in establishing paths to target server
End

Algorithm 1: Dynamic Path based Prevention for DDoS Attacks

The proposed system is implemented with simulated parties in the network to demonstrate a proof of concept. It is implemented as a distributed system of various nodes, and the nodes are arranged in different groups. Runtime path IDs are dynamically obtained in order to prevent DDoS attacks. The inter-domain connectivity is kept secret and changes dynamically. By using dynamic PIDs, it is possible to detect DDoS attacks and prevent them as well. This reduces the chances of DDoS attacks being carried out. The system has provision to show the probability of attack and also prevention.
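A small simulation of Algorithm 1, added here as an illustration and not taken from the authors' Java prototype: two groups negotiate a link key, the link's PID is re-derived every epoch, and a border router forwards only packets that carry the current PID and a valid group signature. The paper does not say how keys, PIDs or signatures are computed, so the HMAC-SHA256 derivation, the 8-byte PID length, the epoch counter and every class and function name below are assumptions.

```python
import hashlib
import hmac
import secrets

PID_BYTES = 8  # assumption: the paper does not give a PID length


def current_pid(link_key, src_group, dst_group, epoch):
    """Steps 4-9: the PID of a link is re-derived every epoch, so it changes."""
    msg = f"{src_group}>{dst_group}|{epoch}".encode()
    return hmac.new(link_key, msg, hashlib.sha256).digest()[:PID_BYTES]


class GroupManager:
    """Steps 1-3: one sub-group with its signing key and per-neighbour link keys."""

    def __init__(self, group_id, nodes):
        self.group_id = group_id
        self.nodes = set(nodes)
        self.sign_key = secrets.token_bytes(32)
        self.link_keys = {}  # neighbour group id -> negotiated dynamic key

    def _tag(self, node, data):
        msg = f"{self.group_id}|{node}|".encode() + data
        return hmac.new(self.sign_key, msg, hashlib.sha256).digest()

    def sign(self, node, data):
        """Issue a group signature; only registered members can obtain one."""
        if node not in self.nodes:
            raise PermissionError(f"{node} is not a member of {self.group_id}")
        return self._tag(node, data)

    def verify(self, node, data, sig):
        return node in self.nodes and hmac.compare_digest(self._tag(node, data), sig)


def negotiate(a, b):
    """Step 2: neighbouring groups agree on a fresh key for their shared link."""
    key = secrets.token_bytes(32)
    a.link_keys[b.group_id] = key
    b.link_keys[a.group_id] = key


class BorderRouter:
    """Forwards to the next group only on a current PID and a valid signature."""

    def __init__(self, manager):
        self.manager = manager
        self.dropped = 0

    def forward(self, pkt, dst_group, epoch):
        key = self.manager.link_keys.get(dst_group)
        ok = key is not None and hmac.compare_digest(
            pkt["pid"], current_pid(key, self.manager.group_id, dst_group, epoch)
        ) and self.manager.verify(pkt["src"], pkt["data"], pkt["sig"])
        if not ok:
            self.dropped += 1
        return ok


def simulate():
    """Constructed scenario: source in G1 sends to G2 across one PID rotation."""
    g1, g2 = GroupManager("G1", ["src", "n1"]), GroupManager("G2", ["dst"])
    negotiate(g1, g2)
    router, key = BorderRouter(g1), g1.link_keys["G2"]

    def packet(epoch, data=b"file-chunk"):
        return {"src": "src", "data": data, "sig": g1.sign("src", data),
                "pid": current_pid(key, "G1", "G2", epoch)}

    out = {"legit_epoch1": router.forward(packet(1), "G2", epoch=1)}
    stale = packet(1)  # a PID observed in epoch 1, replayed after rotation
    out["stale_pid_flood"] = any(router.forward(stale, "G2", epoch=2) for _ in range(1000))
    outsider = dict(packet(2), src="bot")  # current PID, but not a group member
    out["outsider"] = router.forward(outsider, "G2", epoch=2)
    out["legit_epoch2"] = router.forward(packet(2), "G2", epoch=2)
    out["dropped"] = router.dropped
    return out


if __name__ == "__main__":
    print(simulate())
```

In a deployment the epoch would have to come from a clock shared by neighbouring routers (an assumption here), and accepting the previous epoch's PID for a short grace window would keep in-flight packets from being dropped at rotation.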

4. IMPLEMENTATION AND RESULTS

This section provides implementation details and results. The prototype is developed in the Java programming language with a GUI to provide an intuitive interface. It simulates the distributed environment and provides various components to demonstrate a proof of concept.

Figure 6: Router Screen

As can be seen in Figure 6, there is a schematic simulation that contains a source and a destination with many intermediate nodes. There are routers to forward packets and take care of security issues, and a network group manager to coordinate. The network is divided into groups to give better control over dynamic runtime path generation to deceive attackers.

Figure 7: Source Screen

As presented in Figure 7, the source screen provides an interface to choose the path of a file to be sent to the destination. Before that, it has mechanisms to assign a group key and a signature according to the proposed algorithm.

Figure 8: Shows the simulation of the file transferred to destination successfully

As presented in Figure 8, the file is transferred to the destination successfully. This is possible through runtime path identification, which avoids DDoS attacks.

Figure 9: User Receive a File from Source Screen

As can be seen in Figure 9, the user receives the file sent from the source. This is evidence that there is proper communication and a mechanism to transfer data even in the presence of DDoS attacks.

Figure 10: Identify Attacker Screen

This screen shows how the attacker is identified. This helps in preventing attacks and ensures that the system works as expected.

Figure 11: Different Transaction Upload Delay Details Graph Screen

As shown in Figure 11, the upload delay is presented for different experiments. The horizontal axis shows the different experiments while the vertical axis shows the total delay caused, in milliseconds.

Figure 12: Different Transaction Upload Throughput Details Graph Screen

As can be seen in Figure 12, different experiments are made and the throughput is recorded. The system is found to be good at preventing attacks and ensuring that the given data reaches the destination every time.

5. CONCLUSION AND FUTURE WORK

Distributed Denial of Service (DDoS) attacks in wide area networks are attacks made by adversaries with the help of thousands of compromised nodes or zombies. DDoS attacks are thus essentially made with large-scale denial-of-service intentions, and they have become a potential risk to Internet-wide applications. In this paper we proposed a framework to detect flooding DDoS attacks and also provided an algorithm to handle them. A DDoS attack detection method is proposed based on dynamic path identification. The nodes in a wide area network are organized into groups where PIDs are dynamically generated, and the concept of signatures is used in order to detect DDoS attacks. An attacker module is introduced along with other modules such as source, router and destination. Visualization of the normal flow and the attack scenario provides a proof of concept. In future, the framework can be extended to detect other kinds of DDoS attacks.

References

[1] Laura Feinstein, Dan Schnackenberg, Ravindra Balupari and Darrell Kindred. (2003). Statistical Approaches to DDoS Attack Detection and Response. IEEE, p1-12.

[2] Jian Yuan and Kevin Mills. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks. IEEE Transactions on Dependable and Secure Computing. 2, p324-335.

[3] Jingtang Luo, Xiaolong Yang, Jin Wang, Jie Xu, Jian Sun and Keping Long. (2014). On a Mathematical Model for Low-Rate Shrew DDoS. IEEE Transactions on Information Forensics and Security. 9, p1069-1083.

[4] Ashish Dutt, Maizatul Akmar Ismail and Tutut Herawan. (2016). A Systematic Review on Educational Data Mining. IEEE, p1-15.

[5] Ameya Agaskar, Ting He and Lang Tong. (2010). Distributed Detection of Multi-Hop Information Flows With Fusion Capacity Constraints. IEEE Transactions on Signal Processing. 58, p3373-3383.

[6] Mauro Barni and Fernando Pérez-González. (2013). Coping with the Enemy: Advances in Adversary-Aware Signal Processing. IEEE, p1-5.

[7] Mauro Barni and Benedetta Tondi. (2014). Binary Hypothesis Testing Game With Training Data. IEEE Transactions on Information Theory. 60, p4848-4866.

[8] Ting He and Lang Tong. (2008). Distributed Detection of Information Flows. IEEE Transactions on Information Forensics and Security. 3, p390-403.

[9] Nazrul Hoque, Dhruba K Bhattacharyya and Jugal K Kalita. (2015). Botnet in DDoS Attacks: Trends and Challenges. IEEE, p1-29.

[10] Bhavya Kailkhura, Swastik Brahma, Berkan Dulek, Yunghsiang S Han and Pramod K. Varshney. (2015). Distributed Detection in Tree Networks: Byzantines and Mitigation Techniques. IEEE, p1-13.

[11] Stefano Marano, Vincenzo Matta and Lang Tong. (2009). Distributed Detection in the Presence of Byzantine Attacks. IEEE Transactions on Signal Processing. 57, p16-29.

[12] Stefano Marano, Vincenzo Matta, Ting He and Lang Tong. (2013). The Embedding Capacity of Information Flows Under Renewal Traffic. IEEE Transactions on Information Theory. 59, p1724-1739.

[13] Morteza Mardani, Gonzalo Mateos and Georgios B. Giannakis. (2011). Dynamic Anomalography: Tracking Network Anomalies via Sparsity and Low Rank. IEEE, p1-37.

[14] Morteza Mardani and Georgios B. Giannakis. (2015). Estimating Traffic and Anomaly Maps via Network Tomography. IEEE, p1-15.

[15] Parvathinathan Venkitasubramaniam, Ting He and Lang Tong. (2008). Anonymous Networking Amidst Eavesdroppers. IEEE Transactions on Information Theory. 54, p2770-2784.

[16] Yang Xiang, Ke Li and Wanlei Zhou. (2011). Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics. IEEE Transactions on Information Forensics and Security. 6, p426-437.
