Agent Based Preventive Measure for UDP Flood Attack in DDoS Attacks

Transcription

1 Agent Based Preventive Measure for UDP Flood Attack in DDoS Attacks AARTI SINGH 1*, DIMPLE JUNEJA 2 1, 2 M.M. Institute of Computer Technology & Business Management Abstract M.M.University, Mullana,Haryana, India Distributed Denial-of-Service (DDoS) attack is an attack which makes victim resources and services unavailable to its intended users. In particular, User Datagram Protocol (UDP) flood attack in DDoS attacks is a method causing host based denial of service. It occurs when attacker sends UDP packets to a random port on the victim system, causing responses to be sent to forged IP address. The basic thrust of this paper is agent based solution for UDP flood attack because software agent technology seems to be a strong candidate for defending DDoS attacks and very few researchers have thought of deploying agents towards providing solution for UDP attack earlier. Keywords - Denial-of-Services, Distributed Denial-of-services, Agent Technology, Computer Network Security, User Datagram Protocol. 1. Introduction A Distributed Denial-of-Service (DDoS) attack is an attack which makes resources unavailable to its legitimate users. It means the attacker wants to disable the uses of sites or services on Internet for its intended users temporarily or indefinitely. This attack occurs when multiple systems (which are compromised by attackers) flood the bandwidth or resources of a target system with data packets [4,11, 13]. Distributed Denial-of-Service attack brought attention in February 2000 when some well known web sites like yahoo.com, CNN.com etc. got down due to this attack. Afterwards in July 2009 this attack took place on major web sites in South korea and United States and several social networking sites, including Twitter, Facebook, Live journal, Google blogging pages were affected by this attack. In today s technology oriented scenario, entire world is becoming dependent on computers and internet for various services and these kind of attacks can be very much dangerous in such situations thus need for preventive measures is very apparent. The four components involved in any DDoS attack are Victim or Host computer, Real Attacker, Master Control Program and Demons. Here, the victim computer is the system being chosen for attack whereas real attacker is the master mind working behind the method and strategy for attack. It works behind the shield of Master control program, which makes it difficult to trace back to it. Master control program works as interface between the real attacker and the attacking demons and also, acts as a shield for the actual attacker receiving the attack command from the real attacker and further instructing the demons under its control to finally attack on victim. Demons are used to attack on host system directly. Large no of demons can be employed to attack the victim simultaneously to flood it. It is evident that involvement of different working components makes it difficult to prevent the victim or host system from these attacks [1]. This work aims to exploit agent technology for preventing User Datagram Protocol attack. This paper is structured as follows: Section 2 explains UDP flood attack mechanism. Section 3 provides review of literature related to the DDoS attacks and specifically focuses on UDP attack problem. Section 4 describes the proposed framework. Finally Section 5 concludes the paper and discusses future scope of the proposed framework. 2. Mechanism of UDP Flood Attack UDP Flood or Fraggle Attack comes under category of DDoS flood attacks. Here the attacking host launches a DDoS attack by issuing an attack command having the victim s address, attack duration, attack methods, and other ISSN:

2 instructions to the master control programs, which serve as attack handlers. The Master control programs in turn forward the attack instruction to their agents which may be either demons or zombies (compromised systems). The agents will be demons or zombies, depending on the technique [4] used for flooding the victim. If direct attack method is used then demons will serve the purpose and in case of reflector method zombies will be used. On receiving the attack instruction from the master, demons start sending UDP packets to the victim with a spoofed IP address as the source. Victim on receiving these packets, sends the acknowledgement to the source IP address, but doesn t get any response in turn and keeps waiting for it. At last when victim gives up communication, all its resources have been consumed leading to crash of the system. Multiple demons are under the control of each master control program and even these masters can be multiple, which leads to large number of UDP packets to be delivered to victim system. This ensures flooding the system by consuming the entire bandwidth and other resources [15, 18]. Figure 1. given below illustrates the mechanism of UDP flood attack. Attacker Attack Command Master Control Program Demon 1 Demon 2 ICMP Response Redirected Demon 3 Spoofed IP Actual ICMP Response Victim or Host Computer UDP Packets Figure 1 : UDP Flood Attack Mechanism Next section presents the work of eminent researchers and hence an attempt has been made to explore the extent of work done so far in the mentioned area of work. 3. Literature Review This section presents the literature review & explores various challenges in the DDoS attack. Lau et. al. (2000) in [13] has proposed to implement queering algorithm in network routers to prevent DDoS attacks. Although this work proposed solution for DDoS attacks as a whole and does not focus on a specific type of it. Houle et. al (2001) in [8] provided review of DDoS attack mechanisms. Paxson (2001) in [16] has thrown light on use of reflectors in DDoS attack and discussed some possible defense against reflector attacks. Cabrera et. al (2001) in [3] proposed solution that aimed to protect web servers from this attack or to minimize its effect. Their solution spreads over the organization s entire internet infrastructure. Hussain et. al (2003) in [9] has proposed framework for classifying DoS attacks based on header contents, transient ramp-up behavior and spectral analysis. Specht (2004) in [19] has proposed taxonomies of Distributed Denial-of Service attacks, tools, and countermeasure to help reduce the scope the DDoS problem and to facilitate a comprehensive solutions. Mirkovic (2004) in [14] proposed two different taxonomies for classifying attacks and defenses of DDoS attack. This is helpful for researchers in better understanding of the Distributed Denial-of-Service problems. Kotenko et. al (2006) in [12] has proposed a framework for agent based simulation of DDoS attack and defense mechanisms. Slee (2007) in [18] provided review of DDoS attack mechanisms. Seufert et. al (2007) in [17] has proposed a framework for data collection and traffic filtering. This approach detects attack from the resource usage of the system. However extension of this solution to use multiple algorithms is left for future. Armbruster et. al (2007) in [1] has proposed solution for defense against spoofed denial of service, for packet filter placement problem. Wang et. al (2008) in [20] has proposed multi layer puzzle based DoS defense architecture which embeds puzzle techniques into the services. Juneja et. al (2009) in [10] has proposed a multi agent framework for detecting, protecting and source tracing of DDoS attacks. Although, this work proposed solution for tracing DDoS attack but still number of agents required to get optimal results is not clear and needs to be tested. ISSN:

3 The literature review highlights that although some researchers have proposed solutions for either one type of DDoS attack or the other but UDP still need attention. Also, very few researchers have attempted to incorporate agents in proposing solutions for DDoS attacks. This provides motivation for this work which aims to focus only on UDP attack. 3.1 Agents Overview An agent is a software entity or a combination of hardware or software entity which has the ability to act on behalf of its users autonomously. It is possessed with many useful features like cooperation, learning ability, reactivity and pro-activity. The software agents not only provide the competitive advantage by improving process quality but also integrate the new technology and specialized expertise. Agent technology finds its applications in wide areas such as user interfaces, mobile computing, information retrieval and filtering, smart messaging, telecommunications and the electronic marketplace. The smart agents interact with each other in a multi-agent system in various ways. The clusters of agents in a multi-agent framework are competitive, cooperative, and task-oriented and can also provide an interface to users. The characteristics that motivated the use of software agents in DDoS attacks are their security monitoring capabilities like : autonomy, fault tolerance, robust, dynamic-configuration, information providers, taskoriented and scalable [10]. Possessed with all such capabilities, agents can certainly be useful in prevention of DDoS attacks. Next section illustrates the proposed framework and provides details on exploitation of agents in it. 4. The Proposed Framework This section describes the proposed framework, which aims to detect and prevent UDP attacks on victim or host computer. Figure 2 given below provides high-level view of the proposed framework. Primarily, the proposed frame work comprises of three different components namely Victim Computer Agent (VCA), Filter Agent (FA) and Timer Agent (TA). FA is supported by a History Buffer (HB) containing list of invalid IP addresses for future reference. Host Computer (Victim) Victim Computer Agent History Buffer Invalid IP? Filter Agent Valid IP Timer Agent Attacker or Hacker Master Control Program Request Response <R1>, <R2>, <R3> Demon1 Demon 2 Demon 3 Figure 2 : High level view of Proposed Framework for Preventing UDP Attack Details of various components are as follows: Victim or Host Computer:- It is the system targeted by the attacker for attack and to disable all its services to its intended users. ISSN:

4 Filter Agent:- It receive packet from outside world and it checks the source addresses for valid IP address. If the address is valid then it forwards the communication request to timer agent otherwise it blocks the communication with the suspicious IP. Also it saves the address in history buffer for future references. Timer Agent:- It receives communication request from the filter agent, places a time stamp on it and forwards it to Victim Computer Agent (VCA). Victim Computer Agent (VCA):- It receives communication from timer agent and passes it to host computer and vice-versa. Whenever FA blocks an IP address, it informs VCA about the same, so that host computer need not wait for any response of the messages sent. History Buffer (HB):- History buffer is main element on Host side to check the validity of received packet s IP address. It maintains the list of invalid IP address, which is suspicious to be used for attack along with the date of attack. Range of valid IP address will be too long to be maintained and searched in case of attack scenario. Thus invalid addresses seem reasonable to be maintained and compared. Whenever a communication request arrives, its IP address is first searched in HB, if a match is found then communication is blocked temporarily by FA. In case if the IP address doesn t match in HB it is assumed to be valid and the request is forwarded to timer agent for further processing. Same request coming from same IP address is processed three times at max and if no response in that context is received then further communication from that address is blocked temporarily. Suspicious IP address is blocked only for a specified period assuming that DDoS attack uses compromised systems (Zombies) and they are innocent otherwise, the real owner of the system, might not be even aware of the attack taking place from his/her system. Thus after the specified period, communication request from that IP address is again entertained and if the responses are received properly then communication is carried on. 4.1 Flowchart and Algorithms This section provides flowchart and algorithms for the proposed framework. Figure 3 given below provides the flow diagram for the framework. Algorithms for various agents involved are given in Figures 4(a)-4(c). ISSN:

5 START CR = Communication Request Activate Filter Agent If same request from same IP No Initialize Counter=1 Yes Counter+ = 1 Check Invalid IP? Yes Block Communication No Check counter> 3 No Pass to Timer Agent Activate Timer Agent STOP Yes Block communication & add IP to HB Timestamp received packet & pass to VCA Pass packet to Host Computer for processing and receive response STOP VCA sends response to FA Pass response to source IP STOP Figure 3: Flowchart of Proposed Framework 5. Conclusions and Future Work This work initiated with a discussion of UDP attacks and it was found that preventive measure for the same is the need of the hour. This work proposed an agent-based framework for preventing and detecting UDP flood attacks. Agent technology has proved to be promising and being exploited in many other research areas. Thus proposed framework seems to be promising although its implementation and verification in real life environment is left as future work. ISSN:

6 Filter Agent ( ) Input : CR=Communication Request Response from VCA; Output: CR to TA, update HB, blocked message report to VCA; Action: activate, sleep; Case 1: input==cr Activate (FA); If (IP==last communicated (IP) && (request==last_request_type)) Counter=counter+1; If (counter >=3) Block communication; Update (HB); report to VCA; Else Counter=0; Search IP address in HB; If (invalid IP) Block communication; Else Counter=1; Pass CR to TA; Case 2: input==response from VCA pass response to source IP Sleep( ); Figure 4(a) Algorithm for Filter Agent References Victim Computer Agent ( ) Input : CR= Communication Request, Blocked Communication, response from host; Output: CR to Host Computer, Response to FA; Case 1: input = CR Activate (VCA); Pass to host computer; Case 2: input = response from host Pass to FA; Case 3: Input= Blocked communication; Inform to host ; Sleep ( ); Figure 4(b) Algorithm for Victim Computer Agent Timer Agent ( ) Input : CR= Communication Request; Output: CR to VCA; Input : CR from Filter Agent Activate (TA); Send <Timestamp, CR> to VCA; Sleep( ); Figure 4(c) Algorithm for Timer Agent [1] Armbruster B., Smith J. Cole and Park K., A Packet Filter Placement Problem with Application to Defense against Spoofed Denialof-Service Attacks, European Journal of Operational research, Vol. 176, Issue 2, pp , 16 January [2] Bremler-Barr A. and Levy H., Spoofing Prevention Method, In Proceedings of IEEE INFOCOM, Miami, FL, March [3] Cabrera J. B. D., Lewis L., Qin X., Lee W., Prasanth R.K., Ravichandran B. and Mehra R. K., Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study, Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA - May 14-18, [4] Chang R., Defending Against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial, In Telecommunications Network Security, IEEE Communications Magazine, pp , October [5] Douligeris C. and Mitrokotsa A., DDoS Attacks and Defense Mechanisms: Classification and State-of-the-Art, Computer Networks, Vol. 44, pp , [6] Freiling C., Holz T., and Wicherski G., Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of- Service Attacks, In ESORICS 2005, LNCS 3679, pp , Springer-Verlag Berlin Heidelberg, [7] Hole K, Denial-of-Service Attacks, Nowires research Group, Department of Informatics, University of Bergen, September 1, available at [8] Houle K.J., Weaver G.M., Trends in Denial-of-Service Attack Technology, CERT and CERT coordination center, Carnegie Mellon University, October 2001.Available on < [9] Hussain A., Heidemann J., and Papadopoulos C., A Framework for Classifying Denial-of-Service Attacks, Karlsruhe, Germany, pp , [10] Juneja D., Chawla R. and Singh A., An Agent-Based Framework to Counter attack DDoS Attacks. International Journal of Wireless Networks and Communications, Vol. 1, No. 2, pp , [11] Kim Y., Lau W., Chuah M. and Chao H., PacketScore : Statistics-based Overload Control against Distributed Denial-of-Service Attacks, IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 2, pp , April-June [12] Kotenko I. and Ulanov A., Agent-based Simulation of Distributed Defense Against Computer Network Attacks, Proceedings 20th European Conference on Modelling and Simulation Wolfgang Borutzky, Alessandra Orsoni, Richard Zobel, ECMS ISSN:

7 [13] Lau F., Rubin S., Smith M. and Trajkovie L., Distributed Denial-of-Service Attack. In IEEE International Conference on Systems, Man, and Cybernetics, pp , Nashville, TN, USA, October [14] Mirkovic J. and Reiher P., A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communication Review, Vol. 34, Issue 2, pp , April [15] Park K. and Lee H., On the Effectiveness of Route Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets. In proceedings of SIGCOMM 01, California, USA, August 27-31, [16] Paxson V., An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, ACM SIGCOMM Computer Communication Review, Vol. 31, Issue 3, July [17] Seufert S. and O Brien D., Machine Learning for Automatic Defense against Distributed Denial- of-service Attacks, International Conference on Communications (ICC 07), pp , June 2007 [18] Slee D., Common Denial-of-Service Attacks, published July 10, [19] Specht S. and Lee R., Distributed Denial-of-Service: Taxonomies of Attacks, Tools and Countermeasures, Proceedings of the 17 th International Conference on Parallel and Distributed Computing Systems, pp , September [20] Wang X. and Reiter M., A Multi-layer Framework for Puzzle-based Denial-of-Service Defense, International Journal of Information Security, Vol. 7, No. 4, pp , August ISSN: