An Efficient and Practical Defense Method Against DDoS Attack at the Source-End


Yanxiang He, Wei Chen, Bin Xiao, Wenling Peng
Computer School, The State Key Lab of Software Engineering, Wuhan University, Wuhan 430072, Hubei, China
{yxhe,chenwei,wlpeng}@whu.edu.cn
Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong
csbxiao@comp.polyu.edu.hk

This work is supported by the National Natural Science Foundation of China under Grant No. 45.

Abstract

Distributed Denial-of-Service (DDoS) attack is one of the most serious threats to the Internet. Detecting DDoS at the source-end has many advantages over defense at the victim-end and in the intermediate network. One of the main problems for source-end methods is the performance degradation they bring, which discourages Internet Service Providers (ISPs) from deploying the defense system. We propose an efficient detection approach that requires only limited, fixed-length memory and low computation overhead but provides satisfying detection results. The low cost of defense is expected to attract more ISPs to join the defense. The experimental results show that our approach is efficient and feasible for defense at the source-end.

1 Introduction

Distributed Denial-of-Service (DDoS) attack is one of the most serious threats to the Internet, and there is still a lack of efficient defense mechanisms. As more business and commerce services depend on the Internet, DDoS attacks can bring enormous financial loss to these e-business companies. As Moore [9] reported, the majority of attack packets use a spoofed source IP during an attack. The source IP address can be spoofed by a malicious attacker because the source or destination IP address in a packet can be refilled under the current IP protocol.

The current DDoS detection and prevention methods are mostly deployed at the source-end, at the victim-end or in the intermediate network. Compared to the victim-end and intermediate-network methods, defense at the source-end has several advantages. First, it brings low overhead to the network devices that monitor traffic: detection at the source-end does not need to handle the enormous traffic that victim-end or intermediate-network detection methods do. Second, it avoids the potential risk of being attacked. The defense system itself may become the target of DDoS attacks and may break down before the protected system collapses; the burden of monitoring the numerous attacking packets congesting the victim side makes the defense system itself vulnerable to DDoS attack. Deployment at the source-end avoids this problem because attack streams near the source side are limited. Finally, when the attack is detected at the source, an efficient response can be adopted to filter malicious traffic. Compared to a response at the victim side, the overhead of performing the filtering at the source is rather low.

However, one of the biggest problems of source-end detection is the lack of motivation to deploy it. Source-end detection requires wide deployment among different Internet Service Providers (ISPs). The deployment of a source-end method degrades the performance of network devices, and the ISPs are poorly motivated to join the cooperation. We require a more space- and computation-efficient method to attract more ISPs to participate in source-end detection.

To make the detection efficient and accurate, our approach makes a tradeoff between the state method and the stateless method. The stateless method, which does not need to record the state of each packet, saves storage and computation resources, but the efficiency is obtained at the sacrifice of accuracy. The state method, which monitors the behavior of each packet, is more accurate than the stateless method, but monitoring each packet is expensive and infeasible on high-speed links. The Bloom filter [2]

0-7695-2281-5/05 $20.00 © 2005 IEEE

method is modified and employed in the source-end detection. The modified method offers accurate detection results with little memory requirement and low computation overhead.

In order to defend against spoofed-IP DDoS attacks, this paper makes the following novel contributions:

- A space-efficient data structure is proposed on the basis of the Bloom filter. The fixed-size data structure avoids the potential DDoS attack threat against most dynamic memory allocation methods. The data structure is space-efficient, which is acceptable for most ISPs.
- A computation-efficient detection scheme is presented to monitor malicious packets. With the proposed data structure, only addition and subtraction operations are required in the detection scheme.

The paper is organized as follows: Section 2 introduces the related work in the area of DDoS attack research. Our space-efficient data structure and computation-efficient detection scheme are addressed in Section 3. Experimental results, presented in Section 4, show that our approach can accurately detect a spoofed-IP DDoS attack. Section 5 offers our conclusion and future work.

2 The Related Work

According to the location of the detector, most current spoofed-IP DDoS attack detection and prevention schemes can be classified into three categories: the source-end, the victim-end or the intermediate network.

Detecting spoofed-IP DDoS at the victim server side attracts researchers because deploying IDSs at the victim servers seems more practical. In [12] Wang detects SYN flooding attacks near the server side, with the detector installed at the leaf routers that connect end hosts to the Internet. Their method performs detection by monitoring abnormal SYN-FIN pair behavior, and a non-parametric CUSUM method is used to analyze these pairs. In Cheng's work [6], the approach uses the TTL in the IP header to estimate the hop count of each packet and detects attacks by the deviation of the spoofed packets' hop count from normal ones. The SYN cache and SYN cookies methods are evaluated in Lemon's work [7]; the basic idea is to use a cache or cookies to evaluate the security of a connection before establishing the real connection with the protected server.

Detection at the source-end has more advantages but has deployment difficulties. It is not easy to attract more ISPs to deploy source-end defense in their domains. For example, RFC 2827 [4] filters spoofed packets at each ingress router. Before the router forwards a packet to its destination, it checks whether the packet belongs to its routing domain. If not, it is probably a spoofed packet with malicious intent and the router drops it. However, this may degrade routing performance, which discourages ISPs from participating in the defense. Mirkovic introduces D-WARD [8], a DDoS defense system at the source-end. Attacks are detected by constant monitoring of two-way traffic flows and periodic comparison with normal flow models.

Defense in the intermediate network mainly includes traceback and pushback. Attack source traceback attempts to identify the real location of the attacker. Most traceback schemes mark some packets along their routing path or send some special packets. In [10] the authors describe a series of marking algorithms, from the simplest to more sophisticated ones, including node append, node sampling and edge sampling. With the real path of the spoofed packets identified, the pushback technique can be applied to inform the upstream ISP to perform the specified filtering [5].

3 Efficient Approach at the Source-End

Before the detection method is presented, the abnormal behavior of malicious traffic is analyzed. The three-way handshake of a normal TCP connection and that of an abnormal half-open connection are compared. Based on the difference between the handshakes, our DDoS detection method is proposed. To save storage cost and computation overhead, a Bloom filter based hash data structure is applied. A simple but efficient detection scheme is offered in our paper. Our method is expected to attract more ISPs to participate in source-end DDoS defense because the detection method does not bring evident performance degradation to the network infrastructure.

3.1 Analysis of Half-open Connection

We first analyze the difference between normal traffic and attacking traffic. The different three-way handshake scenarios of a normal TCP connection and of an abnormal half-open connection caused by a spoofed-IP DDoS attack are compared. The normal three-way handshake is shown in Figure 1(a). First the client sends a SYN request to the server. After receiving such a request, the server replies with a packet that contains both the acknowledgement ACK and the synchronization request SYN (denoted as ACK/SYN in the following). Then the client sends an ACK back to finish building up the connection. In the figure, k and j are sequence numbers produced randomly by the server and client respectively during the three-way handshake. All the three-way handshake control packets are observed at the source-end, where the client is located.

[Figure 1: Three-way handshake in a complete TCP connection and in a half-open connection. (a) Normal three-way handshake: the client (SYN_SENT) sends Syn(k); the server (LISTEN, then SYN_RECEIVED) replies Ack(k+1)+Syn(j); the client answers Ack(j+1) and both sides reach ESTABLISHED. (b) Abnormal half-open connection caused by a spoofed source IP: the attacker sends Syn(k) with a spoofed IP; the server's Ack(k+1)+Syn(j) is lost because the spoofed IP is unreachable, and the server stays in SYN_RECEIVED.]

In a spoofed-IP DDoS attack, the three-way handshake is not the same as that of a complete TCP connection; Figure 1(b) shows the difference. The attacker usually uses an unreachable spoofed source IP in the attacking packets to improve attack efficiency. The packet will not trigger the third round of the handshake. The detector at the source only observes the first round of the handshake, the SYN, but never finds the second and the third rounds.

3.2 Space-Efficient Monitoring Table

In order to capture the abnormal handshake at the source side, the traffic is analyzed and recorded. Considering the enormous volume of traffic on the Internet, the data structure for storing packet information should be carefully designed. Compared to the stateless method, the state method excels in accuracy, but it requires significant memory and computational resources to record the behavior of each packet or each flow. Our method makes a tradeoff between the state method and the stateless method. Based on the Bloom filter, a space-efficient hash data structure is used to record the behavior of each packet. We first introduce the original Bloom filter and then present our monitoring table, a modified Bloom filter.

3.2.1 Original Bloom Filter

The Bloom filter was first described by Burton Bloom [2] and was originally used to reduce disk accesses to differential files and in other applications, e.g. spell checkers. It has since been extended to defend against DDoS attacks [1, 11, 3]. The idea of the Bloom filter is to allocate a vector v of m bits, initially all set to 0, and then choose k independent hash functions, h_1, h_2, ..., h_k, each with range {1, ..., m}. For each element a in A, the bits at positions h_1(a), h_2(a), ..., h_k(a) in v are set to 1 (Figure 2). Note that a particular bit might be set to 1 multiple times, which may cause a false result. Given a query for b, we check the bits at positions h_1(b), h_2(b), ..., h_k(b). If any of them is 0, then certainly b is not in the set A. Otherwise we conjecture that b is in the set. However, there is a certain probability that the Bloom filter gives a false result, which is called a false positive. The parameters k and m should be chosen such that the probability of a false positive is acceptable.

[Figure 2: The original Bloom filter uses independent hash functions to map an input into corresponding bits: for element a, H_1(a)=p_1, H_2(a)=p_2, H_3(a)=p_3, ..., H_k(a)=p_k over m bits.]

3.2.2 Modified Monitoring Table

Considering the numerous IP addresses in network traffic, using a limited m-bit array to record IP addresses is not sufficient and may bring a high false positive rate. We make two main modifications to the original Bloom filter (Figure 3). First, we use a large array of counts (a count table) to substitute for the m-bit array. Second, we split the IP address into several segments and hash them separately into the hash table. After replacing the m-bit array with the count table, all the counts are initialized to 0. When a key is inserted or deleted, the value of the count is incremented or decremented by 1 accordingly. When a count changes from 0 to 1, the corresponding bit is turned on. When a count changes from 1 to 0, the corresponding bit is turned off. The value in the count indicates the current statistical result of the traffic.

The IP address is split into k segments, and in our paper k is set to 4. Each segment is then an octet of the IP address, which is more convenient to process. If the IP address were hashed directly into the monitoring table as [3] did, serious hash collisions would occur, because the number of counts is relatively limited compared to the enormous number of IP address values on the Internet. When the IP address is separated into several segments, the value range becomes small for each segment.

3.3 Detection Scheme

To detect attacking traffic with a spoofed source IP, the destination IP is recorded in the monitoring tables. When a SYN packet, the TCP control packet for the first round of the handshake, is captured in the outgoing traffic, the destination IP (the server's IP) is split into several segments and then hashed into the monitoring table. If the corresponding count is 0, it is turned on; if the count is already turned on, it is incremented by 1 accordingly. If the corresponding ACK/SYN packet for the second round of the handshake is soon captured in the incoming traffic, the source IP (the server's IP) is hashed into the hash table again, but this time the corresponding count is decremented by 1. When a count changes from 1 to 0, the corresponding bit is turned off. The count remains unchanged if the first two rounds of the three-way handshake are completely captured at the ingress and egress router at the source side. The detection scheme is depicted in Figure 3. These counts are reset to 0 every period t.

[Figure 3: The detection scheme increases or decreases the value of the count according to the three-way handshake. Outgoing traffic, SYN: +1. The IP address P is split into s_1, s_2, s_3, ..., s_k and hashed as H_1(s_1)=P_1, H_2(s_2)=P_2, H_3(s_3)=P_3, ..., H_k(s_k)=P_k into the count tables. Incoming traffic, ACK/SYN: -1.]

If no second-round handshake packet ACK/SYN is sent back in response to a previous SYN, the count has no chance to be decremented by 1 for this handshake. The value in the count grows large because it is increased by 1 by each spoofed SYN packet. When a DDoS attack happens, an exceptionally heavy volume of packets is sent toward the victim IP. If the value of a count exceeds the predefined threshold during period t, this value is regarded as suspicious. If there is at least one count in each table containing a suspicious value, the DDoS attack alarm is raised. The detection scheme only requires a simple hash operation and addition/subtraction operations. These operations bring little overhead to today's computers.

4 Experimental Results

An experiment is designed to evaluate the performance of our detection method. The network simulator NS2 is used to simulate DDoS attack scenarios, and the detection scheme is measured in simulation. To evaluate the detection performance, three scenarios are designed: there is no attacking traffic, the total traffic contains % attacking traffic, and the total traffic contains 5% attacking traffic. The network delay from the source to the victim server is set to ms and the bottleneck bandwidth for the victim server is M. The attacking traffic begins at the 2 second and the whole simulation lasts for seconds. The detection results are shown in Figure 4. As Figure 4 shows, when the attack begins, the value of the count increases rapidly and distinguishes itself from the normal score. When there is more attacking traffic, the score increases more dramatically. Figure 4(c) shows that the 5% attacking traffic triggers a much larger value than the % attacking traffic in Figure 4(b). Our method can accurately find the abnormal score caused by the DDoS attack with a fixed-length monitoring table.

5 Conclusion

In this paper, we propose a space- and computation-efficient method. Based on the Bloom filter, a space-efficient data structure is discussed, and a fixed-length table is used to monitor traffic at the source end. A simple and efficient detection scheme is presented, which brings little computation overhead. As the experimental results show, the method gives accurate detection results. Our method requires limited resources and is expected to attract more ISPs to participate in source-end detection. It is an efficient as well as practical method.

The parameter t mentioned in Section 3.3 defines the reset period of each count in the monitoring table. An appropriate value for t will improve the detection results. In our simulation, t is set to second by experience and may not be optimal. The optimization of t will be part of our future work. In future work, the detection scheme will also be applied to the real Internet to evaluate its feasibility and effectiveness.
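The monitoring table of Section 3.2.2 and the detection scheme of Section 3.3, as an added Python example that is not part of the paper: the per-segment hash functions (SHA-256 over the segment index and octet, reduced modulo m), the table size m, the threshold, the rule of clamping a count at 0 when an ACK/SYN arrives for a SYN counted in an earlier period, and the packet events are all assumptions made here.

```python
import hashlib


class MonitoringTable:
    """Modified Bloom filter of Section 3.2.2: k count tables of m entries, one
    per IP segment (octet, so k = 4), plus the on/off bit derived from a count."""

    def __init__(self, m=256, k=4, threshold=100):
        self.m, self.k, self.threshold = m, k, threshold
        self.counts = [[0] * m for _ in range(k)]    # fixed length, never grows
        self.bits = [[False] * m for _ in range(k)]  # bit is on iff count > 0

    def _positions(self, ip):
        """Split a dotted-quad into its k octets and hash segment i with H_i.
        Assumption: H_i is SHA-256 over (i, octet), reduced modulo m."""
        segs = [int(o) for o in ip.split(".")]
        if len(segs) != self.k:
            raise ValueError("expected %d segments, got %r" % (self.k, ip))
        pos = []
        for i, s in enumerate(segs):
            digest = hashlib.sha256(bytes([i, s])).digest()
            pos.append(int.from_bytes(digest[:4], "big") % self.m)
        return pos

    def _adjust(self, ip, delta):
        for i, p in enumerate(self._positions(ip)):
            # Assumption: an ACK/SYN whose SYN was counted in an earlier period
            # is ignored instead of driving the count below 0.
            self.counts[i][p] = max(self.counts[i][p] + delta, 0)
            self.bits[i][p] = self.counts[i][p] > 0

    def outgoing_syn(self, dst_ip):
        """First-round handshake leaving the source network: count += 1."""
        self._adjust(dst_ip, +1)

    def incoming_synack(self, src_ip):
        """Second-round handshake entering the source network: count -= 1."""
        self._adjust(src_ip, -1)

    def max_per_table(self):
        """Largest count in each of the k tables at the end of period t."""
        return [max(t) for t in self.counts]

    def attack_detected(self):
        """Alarm only when every table holds a count above the threshold."""
        return all(c > self.threshold for c in self.max_per_table())

    def reset(self):
        """Counts (and bits) go back to 0 at the end of each period t."""
        for i in range(self.k):
            self.counts[i] = [0] * self.m
            self.bits[i] = [False] * self.m


def run_period(events, threshold=100):
    """Feed one period's events, each ("syn", dst_ip) or ("synack", src_ip),
    into a freshly reset table; return (alarm, per-table maximum counts)."""
    table = MonitoringTable(threshold=threshold)
    for kind, ip in events:
        if kind == "syn":
            table.outgoing_syn(ip)
        elif kind == "synack":
            table.incoming_synack(ip)
    return table.attack_detected(), table.max_per_table()


def normal_events(n=150):
    """Constructed traffic: n clients each complete the first two rounds with
    a distinct server in 198.51.100.0/24, so every +1 is matched by a -1."""
    evs = []
    for i in range(1, n + 1):
        evs += [("syn", "198.51.100.%d" % i), ("synack", "198.51.100.%d" % i)]
    return evs


def spoofed_flood_events(n=300, victim="203.0.113.10"):
    """Constructed attack: n SYNs to one victim from unreachable spoofed
    sources; the victim's ACK/SYN never reaches the source network."""
    return normal_events() + [("syn", victim)] * n
```

Because every answered SYN is cancelled by its ACK/SYN, a large but legitimate burst of connections to one server leaves the counts at 0, while the unanswered spoofed SYNs accumulate in the victim's slot of all four tables.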

[Figure 4: The value of a count increases dramatically when a DDoS attack begins. The plots show the score changes in the counter over time. (a) There is no attacking traffic. (b) The total traffic contains % attacking traffic; the attack begins at 2 second. (c) The total traffic contains 5% attacking traffic; the attack begins at 2 second.]

References

[1] S. Abdelsayed, D. Glimsholt, C. Leckie, S. Ryan, and S. Shami. An efficient filter for denial-of-service bandwidth attacks. In IEEE Global Telecommunications Conference, 2003 (GLOBECOM '03), volume 3, pages 1353–1357, Dec 2003.
[2] B. H. Bloom. Space/time trade-offs in hash coding with allowable errors. Communications of the ACM, 13(7):422–426, July 1970.
[3] E. Chan, H. Chan, V. C. S. Chan, K. M. Chan, et al. IDR: an intrusion detection router for defending against distributed denial-of-service (DDoS) attacks. In Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks 2004 (ISPAN '04), pages 581–586, 2004.
[4] P. Ferguson and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827, May 2000.
[5] J. Ioannidis and S. M. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proceedings of the Network and Distributed System Security Symposium, Catamaran Resort Hotel, San Diego, California. The Internet Society, February 2002.
[6] C. Jin, H. N. Wang, and K. G. Shin. Hop-count filtering: An effective defense against spoofed DDoS traffic. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pages 30–41. ACM Press, October 2003.
[7] J. Lemon. Resisting SYN flood DoS attacks with a SYN cache. In Proceedings of the BSDCon 2002 Conference, 11–14 Feb 2002.
[8] J. Mirkovic and G. Prier. Attacking DDoS at the source. In Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, November 2002.
[9] D. Moore, G. Voelker, and S. Savage. Inferring Internet denial of service activity. In Proceedings of the USENIX Security Symposium, Aug 2001.
[10] S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Practical network support for IP traceback. In Proceedings of the ACM SIGCOMM Conference, pages 295–306. ACM Press, 2000.
[11] A. C. Snoeren. Hash-based IP traceback. In Proceedings of the ACM SIGCOMM Conference, pages 3–14. ACM Press, August 2001.
[12] H. Wang, D. Zhang, and K. G. Shin. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM, volume 3, pages 1530–1539, June 23–27, 2002.