Minimize distributed denial of service attack using web farm attentuator - Nguyen Van Linh


Nguyễn Văn Linh et al., Tạp chí KHOA HỌC & CÔNG NGHỆ 135(05): 45 - 48

MINIMIZE DISTRIBUTED DENIAL OF SERVICE ATTACK USING WEB FARM ATTENTUATOR

Nguyen Van Linh 1*, Nguyen Lan Huong 2
College of Information and Communication Technology - TNU
* Tel: 0985 117 515, Email: nvlinh@ictu.edu.vn

SUMMARY

Since the first DDoS attacks on the Web server of the University of Minnesota in the early 90s of last century, people have realized that this is an extremely dangerous tool of hackers, and so far there is no effective method of prevention. Using botnets to disguise the assault as ordinary user access makes it very difficult for administrators to detect and fend off attacks while they are taking place. This paper introduces a method that uses a smart filter on network traffic to reduce bandwidth DDoS attacks. The key points of the method are dynamic thresholds that evaluate unusual access from zombie computers, and an active queue mechanism that favors the traffic of legitimate users. The results show that the service cluster can sustain DDoS attacks with much better performance for legitimate access, and consequently the attacker is forced to increase his botnet size as much as possible, or to spend much more, to compensate for the installed filter.

Keywords: Distributed Denial Of Service, Network Security

INTRODUCTION

Although the Web is only a little over a quarter of a century old, Distributed Denial of Service attacks have been, and will remain, the tool of choice for criminals since the dawn of the Internet. They are easy, very effective, and there is no solution that prevents them absolutely. Denial of Service is a logically crude tactic: target systems are bombarded with traffic, which chokes the targeted networks and renders them unavailable to users.

According to Arbor Networks reports [6], the first half of 2014 saw the most volumetric DDoS attacks ever, with more than 100 events over 100 GB/sec reported. In recent years, botnets have emerged as a popular contributor to unwanted and malicious Internet traffic. An army of zombie hosts can open regular TCP sessions and issue legitimate-like HTTP requests, making a DDoS attack very difficult to distinguish from legitimate user access. This is the backdrop for our system, which is designed to protect Web farms against modern DDoS attacks. This paper introduces the Web farm attenuator: a novel architecture to attenuate the DDoS attacker's bandwidth. The method is asymmetric: it only monitors and protects the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. A key feature of the method is an active queue mechanism that evaluates the characteristics of legitimate upload traffic in order to favor it over attack traffic. To combat more sophisticated attackers, the attenuator uses randomized thresholds that trap and penalize deterministic zombie traffic that tries to mimic human client patterns. The target is to attenuate the DDoS attack's bandwidth, and consequently to force the attacker to increase his botnet size as much as possible, or to spend much more, to compensate for the installed filter.

MODEL

A typical network structure is depicted in Figure 1. The Web farm is connected to the Internet through a filtered firewall. A real service is typically leased on a bit/s basis, with throughput between hundreds of Mbit/s and a few Gbit/s. From the ISP side, the traffic goes through routers, firewalls and load balancers until it reaches the actual servers.
It is quite reasonable to assume that the routers, internal switches and firewalls are all provisioned with sufficient throughput to sustain flash crowds, and consequently are less likely to be the bottleneck at the time of a DDoS attack [2]. As for the load balancer, many typical commercial products are engineered so that the supported upload throughput toward the Web farm is two orders of magnitude lower than the supported throughput in the opposite direction [3]. Because of this ordering, we argue that the ISP router will be flooded before the load balancers and the firewall, so we place the filter as part of the router to process the data flowing toward the Web farm.

Figure 1. Web farm basic structure

The design of the method

Because we use an active queue mechanism to discriminate between normal users' traffic and botnet access, the filter is the main part of the method. Packets forwarded to an egress queue of the ISP router enter the filter. The filter's task is to decide whether the incoming packets are "legitimate" or "suspicious". To do so, the filter maintains state on a per-client basis, such as per source IP address. The filter sends "legitimate" packets to the high queue and "suspicious" packets to the low queue. Both queues are common to all clients. The queues are scheduled using a standard Weighted Fair Queueing (WFQ) policy [2], with weights that are strongly biased in favor of "legitimate" traffic. Note that "suspicious" traffic is not discarded automatically, as explained below. When traffic is light, the WFQ can serve both queues without loss. However, when traffic exceeds the link capacity, the WFQ causes packets in the low queue to be dropped. The model is depicted in Figure 2.

Figure 2. Active queue mechanism of the filter

Dynamic bandwidth threshold

To serve a large amount of access from clients, the server must allocate a huge amount of bandwidth and resources, so the main idea is to temporarily allow clients to send more traffic than expected, but not constantly over time. The dynamic bandwidth threshold depends on the client's behavior in past sessions. If a client sent more traffic than expected to the server in previous sessions, his bandwidth threshold for the current session is decreased. On the other hand, if he sent less bandwidth than expected, his bandwidth threshold for the current session is increased. The threshold can be estimated by

B_{i+1} = F_i · B_i

where:
- B_i is the bandwidth threshold (in bytes) for session number i
- F_i is the behavior factor of the client for session number i

The target of our filter is to limit the amount of traffic clients send to the high queue during a single session; it also monitors the total upload bandwidth per Web session to support its decisions on whether to keep or drop packets.

Defeat attacker's bandwidth

A zombie that uses the same strategy with a higher uplink speed will actually obtain a lower score [4], which matches our intuition: the zombie can finish its upload burst faster, but its down period is still the same number of seconds, so on average it uses a smaller fraction of its available bandwidth. This metric measures the success of our method against the attacker. The intuition here is that traffic that reaches the low queue is harmless, so it is a waste of the attacker's time. Only the attack traffic that reaches the high queue is effective from an attacker's perspective. Thus we define the consumed time as the total time that the attacker spent transmitting traffic that reached the high queue.
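The following is an added example, not code from the paper: a minimal Python model of the filter's per-client state, combining the dynamic threshold B_{i+1} = F_i · B_i with the high/low queue classification described above. It assumes that the "Legitimacy 19/16" and "Suspicious 11/16" parameters of Table 2 are the factors F_i and that "Session Max" and "Session Min" bound the threshold; the initial threshold and the two sample clients are constructed.

```python
# Added example, not the paper's code. Assumptions: Table 2's "Legitimacy 19/16"
# and "Suspicious 11/16" are the factors F_i in B_{i+1} = F_i * B_i, and
# "Session Max" / "Session Min" bound the threshold; the initial threshold and
# the sample clients used in tests are constructed for illustration.
from dataclasses import dataclass

LEGITIMACY = 19 / 16        # F_i when the client stayed within its threshold
SUSPICIOUS = 11 / 16        # F_i when the client exceeded its threshold
SESSION_MAX = 100_000       # upper bound on B_i (100 KB, Table 2)
SESSION_MIN = 30_000        # lower bound on B_i (30 KB, Table 2)
INITIAL_THRESHOLD = 60_000  # assumed B_0 for a client never seen before

@dataclass
class ClientState:
    threshold: float = INITIAL_THRESHOLD  # B_i for the current session
    sent: int = 0                         # upload bytes seen in this session
    exceeded: bool = False                # did the client pass B_i this session?

class Filter:
    """Per-source-IP state deciding which queue each upload packet goes to."""
    def __init__(self) -> None:
        self.clients: dict[str, ClientState] = {}

    def classify(self, src_ip: str, nbytes: int) -> str:
        """'high' while the session stays within B_i, 'low' once it exceeds it."""
        st = self.clients.setdefault(src_ip, ClientState())
        st.sent += nbytes
        if st.sent <= st.threshold:
            return "high"
        st.exceeded = True
        return "low"

    def end_session(self, src_ip: str) -> float:
        """Apply B_{i+1} = F_i * B_i, clamped to [Session Min, Session Max]."""
        st = self.clients[src_ip]
        f = SUSPICIOUS if st.exceeded else LEGITIMACY
        st.threshold = min(SESSION_MAX, max(SESSION_MIN, f * st.threshold))
        st.sent, st.exceeded = 0, False
        return st.threshold

def high_queue_share(filt: Filter, src_ip: str, session_bytes: list[int], pkt: int = 1500) -> float:
    """Replay whole sessions of pkt-sized packets; return the fraction of bytes sent to the high queue."""
    high = total = 0
    for nbytes in session_bytes:
        for _ in range(nbytes // pkt):
            if filt.classify(src_ip, pkt) == "high":
                high += pkt
            total += pkt
        filt.end_session(src_ip)  # threshold adapts between sessions
    return high / total
```

A bursty client that stays under its threshold keeps all of its bytes in the high queue and sees its threshold grow to Session Max, while a continuous heavy uploader is pushed down to Session Min and has most of its bytes diverted to the low queue, where WFQ drops them under overload.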
With this, we define Attenuation as:

Attenuation =

EXPERIMENT RESULTS

Basic simulation scenarios

To illustrate the filter's ability we ran multiple scenarios to test it against various attack strategies. Each scenario was simulated for 3 minutes. The main criteria were measured by calculating some parameters, the number of successful sessions and the number of successful page downloads. In all scenarios, parameters and values were taken from Table 2. The first and second scenarios are no-attack situations; Web sessions come from legitimate clients only. In each scenario we measured about 200 successful Web sessions (see Table 2). Scenario two gave identical results, so it is omitted from the figure. The third scenario is a simple flooding model without the filter; it clearly shows that with a simple flooding attack the botnet size must increase, since the total attacker bandwidth grows with the number of attackers. Table 2 indeed shows that about ten zombies totally denied service to the legitimate clients, and the fraction of successful Web sessions drops to 10% when the number of zombies grows any further. In contrast, no matter how many attackers participate in the attack, the legitimate clients did not encounter any problem in their successful Web page downloads. Thus we see that our filter totally defeats the most common attack strategy available. If we scale up the simulation results to a transport link of 1 Gbps, we can project that the filter can defeat attackers with a botnet size of more than a hundred thousand zombies, as well as bandwidths as large as 10 or 15 Gbps.

Results

To show the best results for testing, we focus on a criterion that identifies situations where the service is actually denied. A service is defined as "denied" if legitimate clients have a session success rate below 50%. This means that we need to know the botnet size required both with no filter and with the filter installed. Table 1 summarizes these results. In addition, we also saw that service is not available with the filter installed when the attack type is one of "random" or "low-burst slow". In comparison, with a small botnet of more than 10 zombies the system also cannot serve, because of simple flooding. The ratio in this situation against these attackers is 16–18. With these results, we see a high degree of zombie coordination, and the filter already defeats simple attackers, including ones that know the defense mechanism and exhibit legitimate-like sessions. In fact, attacks with high uplink speed are no different from attacks with normal uplink speeds.

Table 1. Defeat attacker's bandwidth

Attack type       No filter   Filter installed
Simple flooding   none        none
High-burst slow   0.432       none
Low-burst fast    0.138       none
Low-burst slow    0.012       14
Random            0.083       16

Finally, Table 2 illustrates the value of the attacker's attenuation for the same parameters. Here we can see that increasing the trap session rate improves the filter. The parameter values we chose are compromises between these conflicting goals.

Table 2. Selected parameters for filter

Parameter     Value     Parameter     Value
Legitimacy    19/16     Suspicious    11/16
Session Max   100 KB    Session Min   30 KB
Trap Min      5 s       Trap Max      15 s
AOP High      90 s      AOP Low       20 s
Think Min     5 s       Think Max     15 s

CONCLUSIONS

This paper introduced a method to build a network filter against DDoS attacks: a novel architecture to attenuate the DDoS attacker's bandwidth when attacking a Web farm. The filter monitors and protects the uplink toward the Web farm, which is the typical bottleneck in DDoS attacks. The filter relies on the fact that legitimate upload toward Web farms is produced by humans using Web browsing software. We used the characteristics of such traffic to penalize zombie traffic, which tends to be continuous and heavy.
Beyond the simple flooding attackers that are currently prevalent, we also considered sophisticated attack strategies that try to exhibit legitimate-like behavior and rely on an intimate familiarity with active queue mechanisms.

REFERENCES

1. A.K. Parekh, R.G. Gallager, A generalized processor sharing approach to flow control in integrated services networks: the single-node case, IEEE/ACM Transactions on Networking 1 (3) (2011) 344–357.
2. C. Douligeris, A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks 44 (5) (2004) 643–666.
3. Esraa Alomari, Selvakumar Manickam: Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art, International Journal of Computer Applications (0975 – 8887), Volume 49, No. 7, July 2012.
4. Taghavi Zargar, Saman: A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks, IEEE Communications Surveys and Tutorials, pp. 2046–2069, April 2014.
5. Cisco Systems: Defeating DDOS Attacks – White Paper.
6. Arbor Networks: Arbor Data Sheet.
7. NS2, The Network Simulator.

ABSTRACT

MINIMIZING DISTRIBUTED DENIAL OF SERVICE ATTACKS WITH A TRAFFIC ATTENUATOR

Nguyễn Văn Linh*, Nguyễn Lan Hương
University of Information and Communication Technology – Thai Nguyen University

Since the first DDoS attack on the Web server of the University of Minnesota in the 1990s, people have recognized it as an extremely dangerous tool of hackers, and to this day there is still no effective method of defense. Using botnets to disguise attack behavior as user access makes it extremely difficult for administrators to detect and repel attacks that are in progress. This paper introduces a method that uses an evaluating filter in the server cluster to reduce the bandwidth of a DDoS attack. The core of the method is the use of dynamic thresholds in evaluating the characteristics of access data to identify abnormal access from zombie computers, together with a new queuing model that assists in evaluating illegitimate access from attackers. The results show that the server cluster can withstand a DDoS attack with much better service for legitimate access, and that the attacker is forced to spend many times more to mobilize a large number of zombie computers for any future attack.

Keywords: Network security, distributed denial of service attack

Received: 16/01/2015; Reviewed: 26/02/2015; Accepted for publication: 31/5/2015
Scientific reviewer: Dr. Nguyễn Toàn Thắng – University of Information and Communication Technology – Thai Nguyen University
