To Study and Explain the Different DDOS Attacks In MANET

Transcription

1 To Study and Explain the Different DDOS Attacks In MANET Narender Kumar 1, Dr. S.B.L. Tripathi 2, Surbie Wattal 3 1 Research Scholar, CMJ University, Shillong, Meghalaya (India) 2 Ph.D. Research Guide, CMJ University, Shillong, Meghalaya (India) 3 Research Scholar, CMJ University, Shillong, Meghalaya (India) Abstract One of the serious attacks to be considered in ad hoc network is DDOS attack. A DDOS attack is a largescale, coordinated attack on the availability of services at a victim system or network resource. The DDOS attack is launched by sending an extremely large volume of packets to a target machine through the simultaneous cooperation of a large number of hosts that are distributed throughout the network. The attack traffic consumes the bandwidth resources of the network or the computing resource at the target host, so that legitimate requests will be discarded. Keywords: MANET, DDOS Attacks, Methods of Attack, ICMP. Introduction Distributed denial-of-service attack (DDOS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DOS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DOS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used relating to computer networks, but is not limited to this field; for example, it is 205 also used in reference to CPU resource management. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DOS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations. Mobile Ad-Hoc Network (MANET) A mobile ad-hoc network (MANET) is a selfconfiguring infrastructure-less network of mobile devices connected by wireless. Ad hoc is Latin and means "for this purpose". Each device in a MANET is free to move independently in any direction, and will therefore change its links to other devices frequently. Each must forward traffic unrelated to its own use, and

2 therefore be a router. The primary challenge in building a MANET is equipping each device to continuously maintain the information required to properly route traffic. Such networks may operate by themselves or may be connected to the larger Internet. MANETs are a kind of wireless ad hoc networks that usually has a routable networking environment on top of a Link Layer ad hoc network. The growth of laptops and /Wi-Fi wireless networking, have made MANETs a popular research topic since the mid 1990s. Many academic papers evaluate protocols and their abilities, assuming varying degrees of mobility within a bounded space, usually with all nodes within a few hops of each other. Different protocols are then evaluated based on measure such as the packet drop rate, the overhead introduced by the routing protocol, end-to-end packet delays, network throughput etc. Symptoms The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-of-service attacks to include: compromising not only the intended computer, but also the entire network. If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network infrastructure equipment. Unusually slow network performance (opening files or accessing web sites) Unavailability of a particular web site Inability to access any web site Dramatic increase in the number of spam s received (this type of DOS attack is considered an bomb) Methods of Attack Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, Figure 1: DDOS Attacks A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DOS attacks: those that crash services and those that flood services. A DOS attack can be perpetrated in a number of ways. The five basic types of attack are: 206

3 Consumption of computational resources, such as bandwidth, disk space, or processor time Disruption of configuration information, such as routing information Disruption of state information, such as unsolicited resetting of TCP sessions Disruption of physical network components Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately A DOS attack may include execution of malware intended to:[citation needed] Max out the processor's usage, preventing any work from occurring. Trigger errors in the microcode of the machine. Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up. Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished or it can crash the system itself Crash the operating system itself. Low-rate Denial-of-Service attacks The Low-rate DoS (LDoS) attack exploits TCP s slow-time-scale dynamics of retransmission time-out (RTO) mechanisms to reduce TCP throughput. Basically, an attacker can cause a TCP flow to repeatedly enter a RTO state by sending high-rate, but short-duration bursts, and repeating periodically at slower RTO timescales. The TCP throughput at the attacked node will be significantly reduced while the attacker will have low average rate making it difficult to be detected. Peer-to-peer attacks Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-topeer-ddos attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based 207 attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the incoming connections. While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server. This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited. ICMP flood A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast

4 address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering. Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim. Ping of death is based on sending the victim a malformed ping packet, which might lead to a system crash. SYN flood A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends. Prevention Scheme We propose a new defense mechanism which consists of a flow monitoring table (FMT) at each node. It contains flow id, source id, packet sending rate and destination id. Sending rates are estimated for each flow in the intermediate nodes. The updated FMT is sent to the destination along with each flow. After monitoring the MAC layer signals the destination sends the Explicit Congestion Notification (ECN) bit to notify the sender nodes about the congestion. The sender nodes, upon seeing these packets with ECN marking, will then reduce their sending rate. If the channel continues to be congested because some sender nodes do not reduce their sending rate, it can be found by the destination using the updated FMT. It checks the previous sending rate of a flow with its current sending rate. When both the rates are same, the corresponding sender of the flow is considered as an attacker. Once the DDOS attackers are identified, all the packets from those nodes will be discarded. Conclusion In this paper, we discussed the DDOS attacks and proposed a prevention scheme to mitigate the attack in wireless ad hoc networks. Our approach can accurately identify DDOS attack flows and consequently apply rate-limiting to the malicious network flows. Our proposed defense mechanism identifies the attackers effectively. Once the attackers are identified, the attack traffic is discarded. This makes the network resources available to the legitimate users. We compared the performance of our proposed scheme with the SWAN scheme and proved that our proposed scheme assures better performance. By simulation results, we have shown that our proposed scheme achieves higher bandwidth received and packet delivery ratio with reduced packet drop for legitimate users. 208

5 References [1] Wei Ren, Dit-Yan Yeung, Hai Jin, Mei Yang: Pulsing RoQ DDoS Attack and Defense Scheme in Mobile Ad Hoc Networks, International Journal of Network Security, Vol. 4, No.2, pp (2007) [2] Yang Xiang, Wanlei Zhou, Morshed Chowdhury: A Survey of Active and Passive Defense Mechanisms against DDoS Attacks, Technical reports, Computing series, Deakin university,school of Information Technology(2004) [3] Giriraj Chauhan,Sukumar Nandi: QoS Aware Stable path Routing (QASR) Protocol for MANETs, in First International Conference on Emerging Trends in Engineering and Technology, pp (2008). [4] Amey Shevtekar, Nirwan Ansari: A routerbased technique to mitigate reduction of quality (RoQ) attacks, Computer Networks: The international Journal of Computer & Telecommunication Networking, Vol. 52, No.5, pp (2008) [5] Rajaram,A., Palaniswami,S.: The Trust- Based MAC-Layer Security Protocol for Mobile Ad hoc Networks, International Journal on Computer Science and Engineering, Vol. 2, No. 02, pp (2010) [6] L. Zhou and Z. Haas, Securing Ad Hoc Networks, IEEE Network Magazine Vol.13 No.6, pp , (1999). [7] Y. Hu, D. Johnson, and A. Perrig, SEAD: Secure Efficient Distance Vector Routing in Mobile Wireless Ad-Hoc Networks. Proc. of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 02), pp. 3-13, (2002). 209