of 6

A Survey on DDoS Attacks in Web- Referral Mechanism and Solution for Mitigation

Published on June 2016 | Categories: Types, Research, Internet & Technology | Downloads: 50 | Comments: 0

Journal of Computing, ISSN 2151-9617, http://www.journalofcomputing.org





A Survey on DDoS Attacks in Web- Referral Mechanism and Solution for Mitigation
V. Govindasamy , V. Akila, E. Gayathri
Abstract—Distributed Denial of Service threats has become the real threat to the security of the Internet. In the critical application areas, the information transmission must be kept secret and confidentiality should be ensured. Such applications are space research, military applications and online transactions. A web referral mechanism will defend against attacks by granting privilege URL to legitimate clients, thereby ensuring protection against such attacks. This paper analyses the security measures adopted in the web referral mechanism and presents a survey of the existing trace back mechanisms and mitigation techniques. This paper aims at providing solution for the drawbacks in the current techniques. Index Terms— Distributed Denial of Service threats – web referral mechanism – trace back mechanism – attack mitigation.

——————————  ——————————

1 Introduction


HE key design feature of the Internet makes it vulnerable to various kinds of attacks. Some of the website attacks are sniffing, snooping, IP spoofing, masquerading, access attacks, injection and execution of malicious software, object reusability and Distributed Denial of Service (DDoS) attacks. The DDoS attack disrupts the communication of the legitimate client with the web server and consumes network bandwidth by posing bogus packets. Hence, client connection attempt will be rejected by the web servers and the service becomes unavailable. The DDoS attacks are more common that exploit the weakness of the key design infrastructure. Such attacks have been reported in the most popular online trading sites Amazon, e-bay and the news site cnn.com. DDoS attacks are stealthier and tougher to trace as more machines are involved in the attack. Effective defense against DDoS attacks is a challenging task as the vulnerabilities exploited by the attacker to launch an attack will be introduced during the design and implementation

phase of a product. Various tools are available to detect such attacks but none of them are proved to be efficient. A solution to defend against Denial of Service attacks is referral mechanism which is built upon the existing relationships. In this mechanism the legitimate client connection is retained even during flooding attacks. The client’s legitimacy is verified by means of authorization checks on the certificate owned by the client. The referral mechanism if combined with the autonomous system, tracing will be effective as it monitors the entire network by relatively monitoring few points in the system. It uses packet marking techniques and is enforced in the ID fields of the IP addresses. The rest of the paper is organized as follows: The motivation is given in section 2. The DDoS attack types are illustrated in section 3. Detailed analysis of detection schemes are given in section 4. The defence mechanisms are explained in section 5. Section 6 concludes the paper and section 7 is for future enhancements

Mr.V.Govindasamy is working as A.P in I.T Dept of Pondicherry Engineering College (PEC), Pin 605014, India. Mrs.V.Akila is employed in C.S.E Dept of Pondicherry Engineering College,Pin 605014, India. Ms.E.Gayathri is pursuing her M.Tech(I.S) at Pondicherry Engineering College, Pin 605014, India.

2 Motivations
More DDoS attacks are happening every day. This fact is not revealed to the public as it will result in loss of customers for an organization or online site. The loss incurred due to this attack will be in terms of billions of dollars to replace and repair the web server’s hardware and software components. The factors which motivated for DDoS attacks are as follows 1. Revenue Loss



2. Slow Network Performance 3. Service Unavailability 4. Service Disruption 5. Processing Power Costs 6. Communication Overhead

the target’s allotted bandwidth and hence subsequent legitimate user requests will be left unprocessed. Two main classifications are under this bandwidth depletion attack they are

3 Attack Types
A DDoS attack is one in which an attacker intentionally tries to deny access to a specific victim or target. It is done by sending large volume of useless packets from different locations on the internet. The attack classification is depicted in the Fig.1
DDoS Attack Types

(i) Direct Flood Attack and (Ii) Reflection Flood Attack In direct flood attack, the target is flooded directly with multiple packets. The compromised hosts also will be involved in the attack as the entire bandwidth is populated with bogus packets the victim is unable to process those requests. In the reflection flood attack, in certain scenarios attack will not be launched directly towards the targeted system, but instead the intermediate nodes play the reflectors role as they start to send packets towards the victim by assuming that it is the source to which it should reply.

Bandwidth Depletion Attacks

Resource Depletion Attacks

3.2. Resource depletion attacks
These attacks attempt to exhaust the target system resources. The classification under the resource depletion attacks are TCP SYN flood attack, teardrop attack and TCP/IP stack attack. The attacker will also send malformed packets in this scenario to disrupt the network communication.

Direct Flood Attack

Reflection Flood Attack

Udp Flood

4 Detection Schemes
Smur f Fragg le Dns Reflection

Ping Flood

Tcp Syn Flood Attack Recursive Http Floods

Reflec tion

Teardrop Attack

Push & Ack Attacks

Provision of security to web services is important as there are series of attacks emerging everyday due to the advanced technologies and available free source DDoS tools. Hence solutions should be provided rather than countermeasures in order to defend against DDoS attacks. The detection schemes [2] should be simple and robust and should not reveal any information regarding the IP address of the user. The available detection schemes in web referral mechanism for DDoS attacks are listed in Table 1.

Tcp/Ip Stack Attack

Land Attack

Sl.No 1.

Detection Scheme

Detects attacks, correlator and precursors which caused the attack Detects ongoing bandwidth attacks The attacks are detected based on steady backlog of

Fig 1: DDoS Attack classification



3.1 Bandwidth depletion attacks
The target system is flooded with massive amount of unwanted traffic [1] which consumes










Non-adaptive group testing


Live baiting




Session scheduling algorithm


Resilient scheduling


Agent detection scheme

transient connection traffic Detects router overload, mis configuration, overloaded or intermittent links and network intrusion Tracks the handler or agent behaviour to defend against future DDoS installation attacks Identifies pirators. Used in security and networking applications Detects attackers using group testing theory and it depends on the counting of request packets Detects attackers by solving visual recognition pattern Defences against intrusion attacks, protocol attacks, request flooding attacks, asymmetric attacks. Repeated one shot attacks It detects new attacks based on scheduling policy and scheduler service rate Detects flooding attackers using randomized matrix construction and detection algorithm

Identify the exact source or perpetrators who exploited such attack more precisely. It also should aid effective mitigation for the current attacks with minimal damage. For incremental deployment, a new mechanism should require only minimal changes to the existing infrastructure. The effective defense [3] methodologies against DDoS attacks are broadly classified into two types as illustrated below

5.1 Attack Trace back
The information is collected regarding the individual packet forwarding agents and an attack tree is constructed for router-level based on the gathered information. If the routing path taken by the particular packet is traced then the attack tree leaves can be identified. The trace back mechanism are essential in order the clear the zombie attackers

5.2 Attack Mitigation
Various filtering mechanisms are used to identify the impacts of the real-time ongoing attacks. In order to mitigate from the attacks a legitimate packet needs to be differentiated from the malicious one. Several referral schemes are used regarding this classification. Employing any one of those packets can be identified as a one originating from the legitimate user or attacker.

6 Defense Functionalities
The distributed nature of the DDoS attacks ensures the need of a successful defence mechanism to overcome the threat. Most of the existing systems are efficient in successful defense. But, none offers the exact solution. Three main defense functionalities [4] are mentioned as below (i) Attack Detection (Ii) Rate Limiting (Iii)Traffic Differentiation If the nodes collaborate and exchange the alert messages, the resulting detection scheme will be acceptable and addresses almost all the issues. Instead of offering defence measures in either source or destination, combining the advantages of source-end, victim-end and core-end, the defense mechanisms yield better solution. The nodes collaborate by exchanging messages and packets will be marked as high or low for priority handling. If the above collaboration functionality is exploited then a single physical node has more than one functionality.

Table 1. Existing DDoS attack detection mechanism and their purposes

5 Defense Mechanism
An ideal DDoS attack defense mechanism should

6.1 Classifier
The entire traffic is classified into legitimate and malicious ones. The legitimate packets are



marked with high priority and others with low priority.

6.2 Rate Limiting
This functionality is deployed by routers. If an attack occurs, it runs a weighted fair share algorithm in order to assign priority markings to forward it towards the victim and the traffic is rate limited to preserve the victim’s resources.

iTrace, messages will be generated to support the victim for identifying the possible slaves. The DDoS slaves occupy only small amount of traffic which implies the overhead will be minimal while identifying them. If a router receives push back signal [5], it will monitor the aggregates which arrives inside the network from different links and the corresponding congestion links are identified. The deployment of filters in upstream routers depends on the capability of the downstream router’s aggregate estimation property. If the aggregates arrive at the same rate in all the links, then legitimate traffic cannot be differentiated from the malicious one which is the drawback of this push back scheme.

6.3 Alert Generator
It propagates the attack alert to neighbour nodes. The alert message contains the IP address of the victim and specifies the desired rate limit. The direct neighbours which are in the same overlay are called as peers. The peer networks are built dynamically by using the traffic flow information. The alert generator nodes will be always active and examines all the traffic signs. The classifiers and rate limiters are active only during the attack. The activation is triggered by an alert generator and conveyed to all the overlay nodes. The high priority stamp receives better service than the low priority stamp. The packet marking mechanism is used to differentiate the legitimate packet from malicious ones. Fabrication and replay of the control messages can be prevented by signing each message with the sender’s private key. It is encrypted with the help of session key by attaching a sequence number to it. An attack can be defended by a node by validating the control message in the peer stamp which acts as a nonce.

8 Attack Mitigation
Pi is a packet marking mechanism [6], which is used to mitigate the attacks effectively. It explains how pi-marks are generated if a packet traverses along the router to its destination. Each router includes the number ‘n’ in the IP identification field where ‘n’ is the constant which is equal to 1 or 2. The MD5 hashes of the last ‘n’ bits are concatenated with the IP address of the routers will serve as the marking bits. Marking bits are cached in order to avoid the recalculation. The improved scheme of pi is stack pi [7], which consists of two new marking methods namely, Stack based marking and Write-ahead marking to improve the performance. Upon receiving a packet, IP identification field will be shifted to left ‘n’ bits and is written into the place of least significant bits. The router simply pushes the marking field into the stack. In the write ahead process, each router needs to substitute its own IP address for the last hop address and the next hop IP address to mark the bits. In Hop count filtering [8], an attacker cannot falsify the number of hops taken by the packet to reach its destination. Only the IP field in the packet can be forged. By clustering the address prefixes based on hop-counts, it builds an IP2HC mapping table in order to detect the IP spoofed packets. The spoofed packets will be discarded as soon as it is identified. The deterministic bit marking scheme, identifies the attack packets and drops them. All the packets originating from the same location, if it arrives at the destination have the common path signature. In hash based path identification [9] scheme, to consume the victim’s resources a large number of

7 Trace back Techniques
Probabilistic packet marking technique [3] marks the packets, which is done by the router. Hence the attack path can be reconstructed by the victim. This technique traces anonymous packet flooding towards the source. Each marked packet represents the sample of the path it traversed. Using these details, the source of attack traffic can be easily detected. The enhanced scheme of probabilistic packet marking is used to minimize the false positive rate, and to reconstruct the attack path. To overcome the computational overhead, further enhancements can be done. Let ‘d’ be the number of routers between the victim and the attacker and ‘p’ be the probability of packets sent by the attacker towards the victim. It is represented by the formula p(received unmarked packets) = (1-p)d In ICMP Trace back scheme [5], ICMP packets will be generated by the routers and sent to the destination with lower probability. Using that



malicious packets are forwarded towards it. The victim should have the ability to distinguish between the legitimate traffic and malicious ones. To have this differentiation, the path information should be embedded in each of the forwarded packet. Each router hashes its IP address with MD5 to reduce the collision of marks. The value of the IP ID field should be initialized to 0, before it is transmitted to the routers. The victim server capabilities are divided into two groups namely, high capability and low capability victim servers. The work of high capability victim server is to accept all legitimate packets including a few malicious ones. And its vice-versa is the low capability victim server.

network. Its capabilities are based on the information, which is inserted in the packets. The capability is generated by each router and is marked in the fields of the packet. This approach divides the Internet traffic into privileged and unprivileged. Privileged packets always have high priority than unprivileged ones. For obtaining a privileged channel, the client must obtain its own capability. If a privileged packet is forwarded, the router checks the embedded capability to verify the markings. If the markings match, then it will be forwarded else discarded. Valid markings will be maintained by the routers. If the attack path is detected, then further connection attempts from that particular user will not be allowed inside the network, thereby preventing it from consuming network bandwidth.

9 Limitations
The web-referral mechanism supports only clients who pose the fixed IP address. It can be extended using the dynamic NAT, which generates the client’s capability using the IP prefix instead of the whole address. Bandwidth utilisation among the users can be better managed by the using capability tokens to control the usage among the clients. The web-referral mechanism could also break SSL/TLS service, because the Privilege URLs are not encoded using domain names instead they use IP addresses. One way to solve this problem is to confine the capability token in the port number field. Discovery of referrers are not transparent to the clients. Simply the request will be sent online. The clients are not aware of the process in the search procedure. A solution to solve this problem is to have the client’s ISP be its referrer. The referrer mechanism requires modifications to the edge routers for capability verification and address translation which in turn affects the deployment. But, it is considered to be feasible when compared with other existing mechanisms. It is possible to avoid the changes in the edge router. It can be done by attaching an external device which is capable of performing the tasks at high speed. The existing attack mitigation techniques focus on detecting the attack, after it floods the network with unwanted traffic. The drawback of this mechanism is that it consumes network bandwidth by flooding packets. The better solution to this problem can be provided by monitoring the network traffic before being it floods the target. For this, a Stateless Internet Flow Filter (SIFF) [10] can be used which can stop individual traffic flows before it enters inside the

10 Conclusion
Every day new attacks are launched by the attackers due to technological advancement. Also the available freeware tools are numerous. In order to detect the attack, various trace back mechanisms exist but none offers an appropriate solution. The drawbacks in the trace back mechanisms need high process and storage costs, little scalability and poor performance. The existing attack mitigation techniques offers a better protection, but leaves the system open to bandwidth consumption which in turn leads to system slow down and performance. Hence, the proposed solution SIFF addresses these issues by monitoring the network links to trace the attackers. In the referral mechanism the confidentiality of the privileged URL is not achieved by any of the existing techniques which lead to security related issues.

11 Future Enhancement
The confidentiality of the privilege URL should be maintained by the client, if violated leads to cross site scripting attacks. After obtaining the privilege URL if the client browses any other social networking sites which may not be secure. If that site is malicious, then cross site scripting attack is exploited against the privilege URL. On obtaining the privilege URL, the attacker can later impersonate the web server as an authorized client. A mitigation or solution that can be done to ensure the confidentiality can be achieved using the Reverse Proxy concept, as it intercepts the communication and detects the attacks. The



proxy is placed in between the client and the web server. It intercepts each and every response and applies various steps to determine whether the page contains any malicious script or not. After applies various steps to determine whether the page contains any malicious script or not. After verification, it is forwarded to the client, hence the name Reverse Proxy.

[10] Abraham Yaar Adrian Perrig Dawn Song,” SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks”, Proceedings of IEEE symposium on Security and Privacy,pp.130-143,2004

[1] Ahmed Saafan, “Distributed Denial of Service Attacks: Explain nation, classification and suggested Solutions”, 2009.

V.Govindasamy received his B.Tech (CSE) from Pondicherry Engineering College, Puducherry (1996) and M.E (CSE) from Vellore Engineering College, Vellore (2000). He is currently employed at Pondicherry Engineering College as Assistant Professor in the department of Information Technology. His areas of interests include Business Intelligence, Uncertain Data Management and Network Security. V.Akila received her B.E (CSE) from Bharathidasan University (1996) and M.E (CSE) from Anna University (2006). She is currently employed at Pondicherry Engineering College as Assistant Professor in the department of Computer Science and Engineering. Her areas of interests are Software Engineering, Software Architecture and Network Security. E.Gayathri received her B.Tech (CSE) from RajivGandhi College of Engineering and Technology, Puducherry, India (2009). She is currently pursuing her M.Tech(IS) in Pondicherry Engineering College, Puducherry, India . Her field of interests include Web Services, Web Technology and Information Security.

[2] Dalia Nashat, Xiaohong Jiang and Susumu Horiguchi, “ On the Detection of DDoS Attackers for Large-Scale Networks”, IEEE International Conference on eBusiness Engineering, pp.206-212, 2009. [3] M. Muthuprasanna and G. Manimaran, “Distributed Divide-and-conquer techniques for effective DDoS attack defences”, The 28th International Conference on Distributed Computing Systems, pp.93-102, 2008. [4] George Oikonomou, Jelena Mirkovic, Peter Reiher and Max Robinson, “A Framework for A Colloborative DDoS Defense”, Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC ’06), 2006. [5] Allison Mankin, Dan Massey, Chien-Lung Wu, S. Felix Wu and Lixia Zhang, “On Design and Evaluation of “Intention-Driven” ICMP Traceback”, Proceedings of Tenth International Conference on Computer Communications and Networks, pp.159-165, 2001

[6] Stefan Savage, David Wetherall, Member, IEEE, Anna Karlin, and Tom Anderson, et al, “Network Support for IP Traceback,” IEEE/ACM Transactions on Networking, vol. 9, no. 3, pp.226–237, June 2001. [7] Abraham Yaar, Adrian Perrig, Member, IEEE, and Dawn Song, “StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense,” IEEE Journal on Selected Areas in Comunications, vol. 24, no. 10, pp. 1853–1863, October 2006. [8] C. Jin, H. Wang and K. G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed Traffic,” ACM International Conference on Computer and Comunications Security, Washington D.C., pp. 30– 41, October 2003. [9] Guang Jin, Fei Zhang, Yuan Li, Honghao Zhang, Jiangbo Qian, “A Hash-based Path Identification Scheme for DDoS Attacks Defense”, IEEE Ninth International Conference on Computer and Information Technology, 2009.

Sponsor Documents


Forgot your password?

Or register your new account on INBA.INFO


Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in