Techniques for Detecting, Preventing or Mitigating Distributed Denial of Service - Essay Example

Techniques for Detecting, Preventing or Mitigating Distributed Denial of Service (DDoS)

Introduction

When using the internet, individuals and companies face a threat from attackers whose aim is to deplete the internet resources of their target network (Patrikakis, Masikos, & Zouraraki, n.d.). The weakness they exploit is the interconnectedness of the world's computers: because every node is reachable through the worldwide web, attackers can reach resources on their target, exhaust them and so launch a DDoS attack against it (Glen, 2013; Nagesh, Kordcal, & Sekaran, 2007). The resources targeted by the attacker are the target's bandwidth, the data structures of its operating system and the computing power of the system (Patrikakis, Masikos, & Zouraraki, n.d.). This process requires a large network of computers running a malicious program. To acquire the network, the attacker uses software that recruits vulnerable computers (Glen, 2013), that is, computers with an improperly patched antivirus, an out-of-date antivirus or no antivirus at all (FU, 2012).

To recruit machines into his/her DDoS attack, the attacker may follow several processes. Firstly, the attacker may use a machine infected with malicious programs to search for, find and infect another machine (Patrikakis, Masikos, & Zouraraki, n.d.); the newly infected machine then joins the previous one in the hunt for unprotected machines and infects them. Secondly, the attacker may create a long list of the machines he/she wants to recruit before infecting them with the malicious software, so that they join his/her army of attacking computers (Glen, 2013; Patrikakis, Masikos, & Zouraraki, n.d.). Notably, some public servers, when compromised, become useful to the attacker when creating the hit list (Patrikakis, Masikos, & Zouraraki, n.d.). For instance, the attacker may run topological scanning, where one machine is infected and finds other machines to infect through the URLs it stores (UMUC, 2012).
Local subnet scanning uses a compromised host to attack another computer within its own network without firewall detection, as it uses the information stored in the local addresses (UMUC, 2012). Lastly, permutation scanning infects the machines according to a fixed pseudorandom permutation of IP addresses (Patrikakis, Masikos, & Zouraraki, n.d.). It searches the IP addresses for an uninfected machine and infects it; when it identifies an already infected machine, it jumps over it to the next uninfected one (UMUC, 2012). The process stops when the infecting machine finds several infected machines while it scans (Patrikakis, Masikos, & Zouraraki, n.d.).

Body

i. Preventing Wireless DDoS Attack

There are various frames used in a wireless network to complement and facilitate the effective transmission of data. Request-to-Send (RTS) addresses the problems associated with hidden nodes in the virtual carrier sensing system (Malekzadeh, Ghani, & Subramaniam, 2011). Clear-to-Send (CTS) is transmitted in response to an RTS, while the Acknowledgement (ACK) confirms successfully transmitted data (Malekzadeh, Ghani, & Subramaniam, 2011). The contention-free control frames reset the Network Allocation Vector (NAV) before releasing the channel (Malekzadeh, Ghani, & Subramaniam, 2011). Each of these frame structures has a duration field (Malekzadeh, Ghani, & Subramaniam, 2011). The duration field reserves the channel for the length of time needed for the data frame, and it is this duration field that the wireless network uses to reset the NAV (Malekzadeh, Ghani, & Subramaniam, 2011). A wireless station is only allowed to send packets when the NAV value is zero. Therefore, the operation of the NAV and the duration field minimises the possibility of collision. However, this is also a chief opportunity for the DDoS attacker to damage the wireless network (UMUC, 2012).
Exploiting this loophole, the attacker continuously sends forged frames with a large duration value as a way of exhausting the computing power and memory of the wireless network (UMUC, 2012). The recipient of the forged frames can never verify the validity or duplication of the control frames received, so the targeted wireless network accepts the forged frames (UMUC, 2012). The DDoS attack consumes the bandwidth, and without bandwidth the wireless network can no longer operate the way it was designed to (Glen, 2013). This disrupts the constant communication between the wireless stations and the wireless network (Glen, 2013). Legitimate users end up without access to the wireless network.

ACFNC Model

To control and provide countermeasures against DDoS attacks on wireless networks, a lightweight non-cryptographic security solution, the ACFNC model, may be used (Malekzadeh, Ghani, & Subramaniam, 2011). This model prevents DDoS attackers from exploiting the control frame vulnerabilities. The model treats the limited resources of a wireless network as a major consideration in providing sufficient security and accuracy, reducing the overhead cost and preserving high efficiency (Glen, 2013; Malekzadeh, Ghani, & Subramaniam, 2011). This model is also compatible with existing network equipment: its implementation requires only a firmware upgrade, which avoids the cost of the massive replacement that other prevention methods may require.

ACFNC Structure

Defined TS Security Field

The ACFNC model defines a new placeholder field that holds the security element (Malekzadeh, Ghani, & Subramaniam, 2011). The security field is called TS and has a size of 4 bytes. It is appended at the end of the control frames of a wireless network (Malekzadeh, Ghani, & Subramaniam, 2011), before the FCS, to produce secure control frames (UMUC, 2012).

Secure Time Synchronisation Function

In a wireless network, time is an important factor.
A wireless network uses time to launch applications from an event simultaneously (UMUC, 2012). Hence, ACFNC uses a time synchronisation function (TSF) (Malekzadeh, Ghani, & Subramaniam, 2011). By use of beacon frames, a new system clock is presented in the form of a timestamp field. All stations are set to the same value, which is transmitted to them at the determined beacon interval. This helps the ACFNC model to synchronise time between the wireless access point and the stations (Malekzadeh, Ghani, & Subramaniam, 2011). The standard TSF is efficient in transmission (Malekzadeh, Ghani, & Subramaniam, 2011); however, it does not carry the appropriate security measures. The attacker uses it to desynchronise the wireless network by mounting synchronisation attacks. Mostly, the attacker manipulates the timestamp field to send wrong time values, forges beacon frames with an incorrect timestamp field, or transmits delayed beacon frames. These misinform the TSF procedure (Malekzadeh, Ghani, & Subramaniam, 2011). A wireless station adjusts its clock to the erroneous data received and fails to synchronise with the access point. This makes the network discard all frames, including the control frames, and the station will not receive any frame. Exhaustion of resources occurs, which affects bandwidth and latency and causes loss (FU, 2012). Many methods employed to organise time synchronisation in wireless networks do not address security, because they ignore the vulnerability of the TSF to synchronisation attacks. The ACFNC model employs a simplified version of the TESLA secure time synchronisation mechanism (Malekzadeh, Ghani, & Subramaniam, 2011). Standard TESLA uses digital signatures, which are expensive to compute for a small wireless network, and it carries 24 bytes per beacon frame, which is large for a small wireless network (Malekzadeh, Ghani, & Subramaniam, 2011).
The simplified version of TESLA is a lightweight broadcast mechanism that employs a one-way hash chain to provide authentication and integrity for the beacon frame (Malekzadeh, Ghani, & Subramaniam, 2011). This mechanism improves security without affecting the speed of the wireless connection. Its operation consists of the access point computing the time synchronisation value and the wireless station later verifying it.

Replay-Preventing Mechanism

Based on a secure TSF (STSF), replay attacks are prevented by a further extension in the ACFNC model (Malekzadeh, Ghani, & Subramaniam, 2011). The extension relies on time windows as a way of validating the freshness of arriving control frames (FU, 2012). The system tags each sent control frame with an identifier, which gives the control frame a time. By using this replay-prevention mechanism, the load that replayed frames would otherwise place on resources such as bandwidth, battery life, buffers and computing power of a wireless network is limited (Malekzadeh, Ghani, & Subramaniam, 2011). Moreover, the method eliminates the need to keep a record of the sequence in which control frames are received; its operation is not memory dependent. This lowers the complexity of the algorithm without demanding extra memory (Malekzadeh, Ghani, & Subramaniam, 2011).

Procedure of the ACFNC Model

The ACFNC model prevents DDoS attacks in two phases: the generation phase and the verification phase (Malekzadeh, Ghani, & Subramaniam, 2011). The generation phase occurs when the sending station generates the value for the TS defence field (Malekzadeh, Ghani, & Subramaniam, 2011). The sending station is the one that sets the time for the sent control frame; it places the generated value in the TS field of the control frame before sending the frame to the receiver. The verification phase occurs on the receiving station as a way of verifying the legitimacy of the received control frames (Malekzadeh, Ghani, & Subramaniam, 2011).
Firstly, it discards all control frames without the TS field. If the TS field is present, the receiver adds 5 to the value of the TS field and subtracts CCT; the resulting value must be less than or equal to the time-out. If this condition is met, the network considers the frame valid. For ACK, CTS and RTS frames, the request is carried out immediately after verification succeeds (Malekzadeh, Ghani, & Subramaniam, 2011). However, CF-End and CF-End-ACK frames need duration verification by the receiver (Malekzadeh, Ghani, & Subramaniam, 2011): if the duration field is zero, the frames are considered valid and carried out; otherwise, they are discarded.

ii. Preventing Client-Server DDoS Attack

Another method of preventing DDoS attacks is to implement an authentication-based DDoS resistance solution (Badishi, Herzberg, Idit, Oleg & Avital, 2008). The method described here is FI hopping, which withstands a high level of DDoS attack without affecting the data conveyance between the client and server (Badishi, Herzberg, Idit, Oleg & Avital, 2008). FI hopping is an improvement on the per-packet authentication process of IPSec (Badishi, Herzberg, Idit, Oleg & Avital, 2008). IPSec assigns a secret key as a way of providing per-packet authentication (Romanov, 2008). By requiring a valid secret key for traffic relayed between client and server, it is possible to prevent a DDoS attack (Badishi, Herzberg, Idit, Oleg & Avital, 2008): during transmission, unidentified bogus traffic is recognised and discarded. The server also undertakes more work on every request, as IPSec demands that each sent request be authenticated (Badishi, Herzberg, Idit, Oleg & Avital, 2008). However, IPSec can only withstand up to medium levels of DDoS attack (Badishi, Herzberg, Idit, Oleg & Avital, 2008). Moreover, it requires a lot of computational power for every traffic packet (Badishi, Herzberg, Idit, Oleg & Avital, 2008).
Hence, when a large volume of traffic has to be authenticated, the server may fail to protect the network against DDoS attacks (Romanov, 2008). Finally, the unique identification information that IPSec adds for authentication is the 32-bit Security Parameter Index (SPI) field (Badishi, Herzberg, Idit, Oleg & Avital, 2008). Every packet that lacks a valid SPI is thrown away, while one detected to carry IPSec is passed on to the identification stage. However, IPSec provides only short-lived protection, as the SPI value is fixed (Badishi, Herzberg, Idit, Oleg & Avital, 2008). It is therefore possible for an attacker to learn the fixed SPI value, and eventually a DDoS attack succeeds. As a way of reducing the cryptographic computation caused by severe attacks and doing away with the fixed SPI value, identification information that keeps changing with time is used instead of a fixed value (Badishi, Herzberg, Idit, Oleg & Avital, 2008). A filter identifier (FI) is set for each packet. The FI is obtained from a secret pseudorandom sequence (Badishi, Herzberg, Idit, Oleg & Avital, 2008), and only the two parties relaying information between them know the sequence (Badishi, Herzberg, Idit, Oleg & Avital, 2008). The client creates the FI, while the server shares a different secret and IPSec association with each client (FU, 2012; Romanov, 2008). In every fixed time interval of client-server communication, the FI is chosen as the next number in the sequence (Romanov, 2008). The party that receives the FI verifies its validity against the accepted value (Badishi, Herzberg, Idit, Oleg & Avital, 2008). If it is valid, the packet is moved to the next step (Romanov, 2008); otherwise, the packet is discarded as irrelevant. The FI is recalculated once in a given period, such as 5 seconds (Badishi, Herzberg, Idit, Oleg & Avital, 2008). The period is kept short to prevent the attacker from detecting the changes (Romanov, 2008).
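The FI hopping scheme just described, as an added example (not code from Badishi et al. or the Beaver/IPSec work): the client derives the filter identifier for the current 5-second interval from a secret shared with the server, and the server compares that identifier before spending any per-packet cryptography. Assumed here: HMAC-SHA256 as the secret pseudorandom sequence, a 32-bit FI (the same width as the fixed SPI it replaces), a one-interval tolerance for clock skew, and a truncated HMAC as the second-stage per-packet authentication.

```python
import hashlib
import hmac
import struct

HOP_INTERVAL = 5.0      # seconds; the page suggests recomputing the FI about every 5 s
FI_BYTES = 4            # assumed: same 32-bit width as the fixed IPSec SPI it replaces
TAG_BYTES = 16          # assumed: truncated per-packet MAC used by the second stage


def interval_index(t):
    """Hop interval that clock reading t (seconds) falls in."""
    return int(t // HOP_INTERVAL)


def derive_fi(secret, k):
    """k-th element of the secret pseudorandom sequence (assumed: HMAC-SHA256 of k)."""
    mac = hmac.new(secret, struct.pack(">q", k), hashlib.sha256).digest()
    return mac[:FI_BYTES]


def build_packet(secret, t, payload):
    """Client side: current FI, then a per-packet MAC, then the payload."""
    fi = derive_fi(secret, interval_index(t))
    tag = hmac.new(secret, fi + payload, hashlib.sha256).digest()[:TAG_BYTES]
    return fi + tag + payload


def fi_filter(secret, packet, now):
    """Server's cheap first stage: compare against the FI of the current interval
    (and, as a clock-skew allowance, the previous one). No per-packet MAC is computed."""
    k = interval_index(now)
    expected = {derive_fi(secret, k), derive_fi(secret, k - 1)}
    return packet[:FI_BYTES] in expected


def authenticate(secret, packet):
    """Second stage, reached only by packets that passed the filter."""
    fi = packet[:FI_BYTES]
    tag = packet[FI_BYTES:FI_BYTES + TAG_BYTES]
    payload = packet[FI_BYTES + TAG_BYTES:]
    good = hmac.new(secret, fi + payload, hashlib.sha256).digest()[:TAG_BYTES]
    return payload if hmac.compare_digest(tag, good) else None


def receive(secret, packet, now):
    """Full server path. Returns the payload, or None if the packet was dropped."""
    if not fi_filter(secret, packet, now):
        return None         # bogus or stale FI: discarded before any cryptography
    return authenticate(secret, packet)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # per-client secret (constructed)
    pkt = build_packet(secret, 100.0, b"GET /")
    print(receive(secret, pkt, 101.0))          # same interval: b'GET /'
    print(receive(secret, pkt, 107.0))          # next interval: still accepted
    print(receive(secret, pkt, 112.0))          # two hops later: None (stale FI)
```

A replayed packet with a stale FI, or one carrying a guessed fixed identifier, is dropped by the first comparison alone, which is the work-saving the page attributes to hopping.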
iii. Preventing Website DDoS Attack

The following proposed system is effective in detecting a DDoS attack directed at a website. The system is called the Programmable Embedded System (Tuncer & Takar, 2011), and it detects the DDoS attack on port 80. In the system's operation, statistics related to the data packet, packet header, IP number and packet size are highly useful for establishing a DDoS attack carried out through SYN flooding and smurf (FU, 2012; Nagesh, Kordcal, & Sekaran, 2007). The system consists of two phases (Tuncer & Takar, 2011).

First Phase

The first phase obtains fuzzy classification rules from the training data. Firstly, the packet and segment headers of the data frames flowing in the network are captured (Tuncer & Takar, 2011). The data is collected over a 2-second period. Then the training data is built from the collected packet and segment headers by computing statistics according to the set of attributes shown below (Tuncer & Takar, 2011).

Attribute - Definition
SYN - Incoming connections from port 80
FIN - Terminated connections from port 80
Count - Incoming connections from the same IP address
RST - Terminations of abnormal connection requests
Packet - Total number of packets from port 80
(Tuncer & Takar, 2011)

The generated data falls into two classes, normal and DDoS. The fuzzy classification rules are extracted from the derived training data using data mining and fuzzy judgments (Tuncer & Takar, 2011).

Second Phase

After the first phase, the information collected is passed on to the second phase, the test phase (Tuncer & Takar, 2011). In the test phase, the fuzzy classification rules from the first phase run in the form of a program in the memory of the embedded machine (Tuncer & Takar, 2011). It runs a test every two seconds (Tuncer & Takar, 2011), checking whether traffic from the network has been observed (Tuncer & Takar, 2011). At the beginning, it ensures the frame was captured, followed by the packet and segment headers.
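Added example (not code from Tuncer & Takar): the five attributes of the table above computed over one 2-second window from constructed packet-header summaries, followed by a single fuzzy rule that labels the window normal or DDoS, as the test phase does. The Segment record, the rule, its thresholds and the two sample windows are assumptions; the paper mines its rules from training data rather than stating them.

```python
from collections import Counter
from dataclasses import dataclass

WINDOW_SECONDS = 2.0   # the page collects statistics over 2-second windows
WEB_PORT = 80


@dataclass(frozen=True)
class Segment:
    """Constructed summary of one captured packet/segment header (assumed layout)."""
    ts: float            # capture time in seconds
    src_ip: str
    dst_port: int
    syn: bool = False
    fin: bool = False
    rst: bool = False
    ack: bool = False


def window_stats(segments, window_start):
    """The page's five attributes for one 2-second window of traffic to port 80."""
    end = window_start + WINDOW_SECONDS
    in_win = [s for s in segments
              if s.dst_port == WEB_PORT and window_start <= s.ts < end]
    requests = [s for s in in_win if s.syn and not s.ack]      # pure SYNs = new connections
    per_ip = Counter(s.src_ip for s in requests)
    return {
        "SYN": len(requests),                                   # incoming connections
        "FIN": sum(1 for s in in_win if s.fin),                 # terminated connections
        "Count": max(per_ip.values(), default=0),               # most connections from one IP
        "RST": sum(1 for s in in_win if s.rst),                 # abnormal terminations
        "Packet": len(in_win),                                  # total packets on port 80
    }


def ramp(x, lo, hi):
    """Linear fuzzy membership: 0 at or below lo, 1 at or above hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def ddos_membership(stats):
    """Degree to which a window matches the assumed rule:
    IF SYN is HIGH AND the FIN-to-SYN ratio is LOW THEN the window is DDoS.
    Thresholds are assumptions standing in for the mined rules."""
    syn_high = ramp(stats["SYN"], 20, 100)
    fin_ratio = stats["FIN"] / stats["SYN"] if stats["SYN"] else 1.0
    fin_low = 1.0 - ramp(fin_ratio, 0.1, 0.8)
    return min(syn_high, fin_low)         # fuzzy AND taken as the minimum


def classify(stats, threshold=0.5):
    """Crisp decision for the window, taken every 2 seconds in the test phase."""
    return "DDoS" if ddos_membership(stats) >= threshold else "normal"


def normal_window():
    """Constructed: ten clients each open, use and close one connection."""
    segs = []
    for i in range(10):
        ip = f"192.0.2.{i + 1}"
        segs.append(Segment(0.1 * i, ip, WEB_PORT, syn=True))
        segs.append(Segment(0.1 * i + 0.05, ip, WEB_PORT, ack=True))
        segs.append(Segment(0.1 * i + 0.9, ip, WEB_PORT, fin=True, ack=True))
    return segs


def synflood_window():
    """Constructed: 200 half-open SYNs from 40 addresses and no FINs at all."""
    return [Segment(0.01 * i, f"203.0.113.{i % 40 + 1}", WEB_PORT, syn=True)
            for i in range(200)]
```

Calling classify(window_stats(synflood_window(), 0.0)) labels the flood window "DDoS" on the strength of many SYNs with no matching FINs, while the normal window stays "normal".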
It ensures the records are kept in the form of statistics and compared with the fuzzy rules (Tuncer & Takar, 2011).

As a way of detecting DDoS, programmable hardware is embedded in the internet connection (Tuncer & Takar, 2011). The hardware is made up of several parts. Firstly, the processor checks the DMA core and ensures the transmission of frames occurs at the 10/100 IP Mac Core (Tuncer & Takar, 2011). Secondly, the random access memory facilitates fast and voluminous processing of data (Tuncer & Takar, 2011). Thirdly, the on-chip memory stores the data collected and the program for the device (Tuncer & Takar, 2011). Fourthly, the fast Ethernet (10/100 IP Mac Core) ensures frames are sent and received according to the IEEE 802.3 format (Tuncer & Takar, 2011). Finally, the timer regulates the duration of traffic collection. The hardware is implemented in Very High Speed Integrated Circuit Hardware Description Language (VHDL), which lets it receive and send frames in real time (Tuncer & Takar, 2011). Moreover, the hardware runs a high-level language program (Tuncer & Takar, 2011).

References

Badishi, G., Herzberg, A., Idit, K., Oleg, R., & Avital, Y. (2008). An empirical study of denial of service mitigation techniques. Symposium on Reliable Distributed Systems. Submitted to CS Department, Bar-Ilan University, 115-125.

FU, Z. (2012). Multifaceted defence against distributed denial of service attack: Prevention, detection and mitigation. Thesis paper. Gothenburg, Sweden: Chalmers University of Technology. Retrieved from http://www.cse.chalmers.se/~zhafu/thesis.pdf

Glen, M. (2013). A summary of DoS/DDoS prevention, monitoring, mitigation techniques in a service provider environment. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos-prevention-monitoring-mitigation-techniques-service-provider-enviro-1212

Malekzadeh, M., Ghani, A. A. A., & Subramaniam, S. (2011).
Design and implementation of a lightweight security model to prevent IEEE 802.11 wireless DoS attack. EURASIP Journal on Wireless Communications and Networking, 105675, 1-16. DOI: 10.1155/2011/10565

Nagesh, H. R. K., Kordcal, A. R., & Sekaran, C. (2007). Proactive model for mitigating internet denial-of-service attacks. International Conference on Information and Technology, Department of Computer Engineering, National Institute of Technology Karnataka, India.

Patrikakis, C., Masikos, M., & Zouraraki, O. (n.d.). Distributed denial of service. The Internet Protocol Journal, 7(4). Retrieved from http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html

Romanov, O. (2008). Beaver on IPSec: Protection from DoS attacks. Final paper, Master of Science in Electrical Engineering, Senate of the Technion, Israel Institute of Technology. Retrieved from http://webee.technion.ac.il/~idish/ftp/romanov-msc.pdf

Tuncer, T., & Takar, Y. (2011). Detection of DoS attack on FPGA using fuzzy associated rules. International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11, 1271-1276. DOI: 10.1109/Trustcom.2011.171

UMUC (2012). Monitoring, auditing, intrusion detection, intrusion prevention, and penetration testing. CSEC 640, 1-45.

Wees, A. L. (n.d.). Denial of service detection, prevention, and mitigation techniques. CSEC 640. Retrieved from http://researchedsolution.wordpress.com/2013/09/14/denial-of-service-dos-detection-prevention-and-mitigation-techniques/