Minimize distributed denial of service attack using web farm attentuator - Nguyen Van Linh

Nguyễn Văn Linh và Đtg Tạp chí KHOA HỌC & CÔNG NGHỆ 135(05): 45 - 48 45 MINIMIZE DISTRIBUTED DENIAL OF SERVICE ATTACK USING WEB FARM ATTENTUATOR Nguyen Van Linh 1* , Nguyen Lan Huong 2 College of Information and Communication Technology - TNU SUMMARY After the first DDoS attacks on Web server of the University of Minnesota in the early 90s of last century, people have realized that this is extremely dangerous tools of hackers, so far with no preventing effective method.Using botnets to disguise assault with a user's access level to cause great difficulties for administrators to detect and fend off the attacks are taking place. This paper introduces a method using smart filter for network traffics to reduce bandwidth DDoS attacks. The key point of the method is the use of dynamic thresholds evaluated unusual access from zombie computers as well as an active queue mechanism to aid the process of the legitimate users’ traffic. The results showed that service clusters can sustain DDoS attacks with the performance of legitimate access is much better and consequently to cause the attacker to increase his botnet size as much as possible or costs much more to compensate for the filter installed. Keywords: Distributed Denial Of Service, Network Security INTRODUCTION * Although the web is only over a quarter of a century,DistributedDenial of Service attacks were and will still be and the tool of choice for criminals since the dawn of the Internet.They are easy, very effective and no solution to prevent absolutely. Denial of Service is a logically crude tactic to use when target systems are bombarded with traffic, which chokes the targeted networks and renders them unavailable to users. According toArbor Networks reports 6 , in the First Half of 2014saw the most volumetric DDoS attacks ever, with more than 100 events over 100GB/sec reported.In recent years, the botnettool has came out to be a popular contributor to unwanted and malicious Internet traffic.The army of zombie hosts can open regular TCP sessions and issue legitimate-like HTTP requests, making a DDoS attack very difficult to distinguish from legitimate user’s access. This is the backdrop for our system, which is designed to protect Web farms against modern DDoS attacks. This paper introduces webfarm attentutor: a novel architecture to attenuate the DDoS * Tel : 0985 117 515, Email : nvlinh@ictu.edu.vn attacker’s bandwidth.This method is asymmetric and only monitorsand protects the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. A key feature of method is : use active queue mechanism to evaluate the characteristics of legitimate upload traffic to favor it over attack traffic.To combat such sophisticated attackers, attentuator uses randomized thresholds that trap and penalize deterministic zombie traffic that tries to mimic human client patterns. And target is :attenuatethe DDoS attack’s bandwidth, and consequently to cause the attacker to increase his botnet size as much as possible or costs much more to compensate for the filter installed. MODEL A typical structure of network is depicted in Figure.1. The Web farm is connected to the Internet through a filtered Firewall. A real service is typically leased on a bit/s basis, with throughput between hundreds of Mbit/s to a few Gbit/s. From the ISP side, the traffic goes through routers, firewalls and load balancers until it reaches the actual servers. It is quite reasonable to assume that the routers, internal switches and firewalls are all provisioned to have sufficient throughput to Nitro PDF Software 100 Portable Document Lane Wonderland Nguyễn Văn Linh và Đtg Tạp chí KHOA HỌC & CÔNG NGHỆ 135(05): 45 - 48 46 sustain flash crowds, and consequently, are less likely to be the bottleneck at the time of a DDoS attack 2 . As for the load-balancer, many typical commercial products are engineered so the supported upload throughput toward the Web farm is two orders of magnitude lower than supported the throughput in the opposite direction 3 . Because of ordering, we argue that ISP router will be flooded before the load balancers and firewall so we will place filter as a part of router to process data towards to web farm. Figure 1. Web farm basic structure The design of method Because we use active queue mechanism to discriminate between normaluser’straffic and from botnet’s access so the filter is the main part of method. Packets forwarded to an egress queue of the ISP router enter the filter. The filter’s task is to decide whether the incoming packets are ‘‘legitimate” or ‘‘suspicious”. To do so, the filter maintains state on a per client basis such asper source IP address. The filter sends ‘‘legitimate” packets to the high queue, and ‘‘suspicious” packets to the low queue. Both queues are common to all clients. The queues are scheduled using a standard Weighed Fair Queueing 2 policy (WFQ) , with weights that are strongly biased in favor of ‘‘legitimate” traffic. Note that ‘‘suspicious” traffic is notdiscarded automatically, as will be explained below. When traffic is light then the WFQ can serve both queues without loss. However, when traffic exceeds the link capacity, the WFQ causes packets in the low queue to bedropped. Model is depicted in Figure 2. Figure 2. Active queue mechanism of filter Dynamic bandwidth threshold To service a large of amount of accessing from clients, server must allocate a huge of bandwidth and resources so main idea is to temporarily allow clients to enter more traffic than expected, but not constantly over time.The dynamic bandwidth threshold depends on the client’s behavior in past sessions. If a client sends more than traffic as expected to the server in previous sessions, his bandwidth threshold for the current session will be decreased. On the other hand, if he enters less bandwidth than expected, his bandwidth threshold for the current session is increased. Threshold can be easily estimated by Bi+1 = Fi . Bi where: - BiThe bandwidth threshold (in bytes) for session numberi - FiThebehavior of client for session numberi Target of our filter is tolimit the amount of traffic clients sent to the high queueduring a single session and it also monitors the total upload bandwidth, per Web sessionto support its decisions : keep or drop packets. Defeat attacker’s bandwidth Because a zombie use the same strategy by using a higher uplink speed which will actually have a lower score 4 ,which matches our intuition: the zombie can finish its upload burst faster, but its down period of service is still the same number of seconds, so on average it uses a smaller fraction of its available bandwidth. So metric measures the success of our method against the attacker. The intuition here that reaches the low queue Nitro PDF Software 100 Portable Document Lane Wonderland Nguyễn Văn Linh và Đtg Tạp chí KHOA HỌC & CÔNG NGHỆ 135(05): 45 - 48 47 is harmless, so it is a waste of the attacker’s time. Only the attack traffic that reaches the high queue is effective from an attacker’s perspective. Thus we define the consumed time as the total time that the attacker spent on transmittingtraffic that reached the high queue. With this, we define Attenuation as: Attenuation = EXPERIEMENT RESULTS Basic simulation scenarios To illustrate filter’s ability we ran multiple scenarios totest and combat various attack strategies. Each scenario simulated in 3 minutes. The main criterion measured by calculating some parameters and some of successful sessions as well as number of successful page downloads. In all the scenarios, parameters and values were taken fromTable2. First and second scenario are no attack situation; Web sessions are from legitimate clients. In other scenario we measured about 200 successful Web sessions. See Table 2 Scenario two gave identical identical results so it is omitted from the figure. Third scenario is simple flooding model without filter and decision on factors but it is clearly seen with a simple flooding attack, botnet size must increase. The total attacker bandwidth grows with the number of attackers.Table 2 indeed shows that about ten zombies totally denied service from the legitimate clients, and the fraction of successful Web sessions drops to 10% when the number of zombies grows any further.No matter how many attackers participate in the attack the legitimate clients didn’t encounter any problem in their successful Web page downloads. Thus we see that our filter totallydefeats the most availablecommon attack strategy. If wescale-up the simulation results to a transport link with 1GBps, we can project thatfilter can defeat attackers with botnet size of more than hundred thoudsand zombies as well as big bandwitdth to 10 or 15 Gbps. Results To show best results for testing, we should focuson a criterion which identifies situations where the serviceis actually denied. So a service defined “denied” if legitimate clients have asession success rate below 50%. It means thatwe need to know botnet size for both no filter and filter installed.Table 1 summarize these results. In addition, we also saw that service is not available with filter installed when attack type is one of “random” or “ low-burst slow”. In comparison, a small botnet size with more than 10 zoombies, system also can’t service because simple floading. And ration in this situation will be against these attackers is 16–18. With this results, we seehigh degree of zombie coordination, and filter already defeats simple attackers, including ones ofthe defense mechanism and exhibit legitimate session. In fact, that action with high speed are notdifferent from the attack withnormal uplinkspeeds. Table 1. Defeat attacker’s bandwidth Attack type No filter Filter installed Simple flooding none none High-burst slow 0.432 none Low-burst fast 0.138 none Low-burst slow 0.012 14 Random 0.083 16 Finally, Table 2illustrates the value of attacker’s attenuation on the same parameters. Here we can see that increasing the trap session rateimproves the filter. The parameter values we chose are compromises between these conflicting goals. Table 2. Selected parameters for filter Parameter Value Parameter Value Legitimacy 19/16 Suspicious 11/16 Session Max 100 KB Session Min 30KB Trap Min 5s Trap Max 15s AOP High 90s AOP Low 20s Think Min 5s Think Max 15s CONCLUSIONS This paper introduced a method to build filter of network in DDOS attack, a novel Nitro PDF Software 100 Portable Document Lane Wonderland Nguyễn Văn Linh và Đtg Tạp chí KHOA HỌC & CÔNG NGHỆ 135(05): 45 - 48 48 architecture to attenuate the DDoS attacker’s bandwidth when attacking a Web farm. Filter monitors and protects the uplink toward the Web farm, which is the typical bottleneck in DdoSattacks. Filter relies on the fact that legitimate upload toward Web farms is produced by humans using Webbrowsing software. We used the characteristics of such traffic to punish zombie traffic, that tends to be continuous and heavy. Beyond the simple flooding attackers that are currently prevalent, we also considered sophisticated attack strategies that try to exhibit legitimate-like behavior, and rely on an intimate familiarity with active queue mechanisms. REFERENCES 1. A.K. Parekh, R.G. Gallager, A generalized processor sharing approach to flow control in integrated services networks: the single-node case, IEEE/ACM Transactions on Networking 1 (3) (2011) 344–357 2. C. Douligeris, A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the- art, Computer Networks 44 (5) (2004) 643–666 3. Esraa Alomari, Selvakumar Manickam: Botnet- based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art, International Journal of Computer Applications (0975 – 8887) , Volume 49– No.7, July 2012 4. Taghavi Zargar, Saman: A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks, IEEE Communications Surveys and Tutorials. pp. 2046–2069, April 2014 5. Cisco Systems: Defeating DDOS Attacks – White Paper 6. Arbor Networks: Arbor Data Sheet, . 7. NS2, The Network Simulator, mation. TÓM TẮT GIẢM THIỂU TẤN CÔNG TỪ CHỐI DỊCH VỤ PHÂN TÁN THÔNG QUA BỘ TIÊU GIẢM LƯU LƯỢNG Nguyễn Văn Linh*, Nguyễn Lan Hương Trường Đại học Công nghệ Thông tin & Truyền thông – ĐH Thái Nguyên Từ sau cuộc tấn công DDoS đầu tiên vào máy chủ Web của đại học Minnesota những thập niên 90 của thế kỷ trước, người ta đã nhận ra đây là công cụ vô cùng nguy hiểm của tin tặc, đến nay vẫn chưa có phương pháp chống đỡ hiệu quả.Việc sử dụng mạng botnet để ngụy trang hành vi tấn công với truy cập của người dùng gây ra mức độ khó khăn rất lớn với người quản trị trong việc phát hiện và chống đỡ những cuộc tấn công đang diễn ra. Bài báo này giới thiệu một phương pháp sử dụng bộ lọc có đánh giá trong cụm máy chủ giúp suy giảm băng thông của cuộc tấn công DDoS. Điểm cốt lõi của phương pháp là sử dụng các ngưỡng linh động trong đánh giá đặc tính của dữ liệu truy cập để xác định truy cập bất thường từ máy tính ma cũng như một mô hình hàng đợi kiểu mới để trợ giúp quá trình đánh giá các truy cập bất hợp pháp từ kẻ tấn công. Kết quả của phương pháp cho thấy cụm máy chủ có thể chống đỡ cuộc tấn công DDoS với hiệu suất phục vụ truy cập hợp pháp tốt hơn rất nhiều cũng như bắt buộc kẻ tấn công phải bỏ ra chi phí lớn gấp nhiều lầnđể huy động lượng lớn máy tính ma nếu muốn tấn công trong tương lai. Từ khóa: An ninh mạng, tấn công từ chối dịch vụ phân tán Ngày nhận bài:16/01/2015; Ngày phản biện:26/02/2015; Ngày duyệt đăng: 31/5/2015 Phản biện khoa học: TS. Nguyễn Toàn Thắng – Trường Đại học Công nghệ Thông tin & truyền thông - ĐHTN * Tel : 0985 117 515, Email : nvlinh@ictu.edu.vn Nitro PDF Software 100 Portable Document Lane Wonderland