Science, Technology and Development ISSN : 0950-0707

Runtime Dynamic Path Identification for Preventing DDoS Attacks

1 Shaik Zahanath Ali, 2 Shobini.B and 3 G.Shiva Krishna

1, 2, 3 Computer Science and Engineering, Swathi Institute of Technology & Sciences, Near Ramoji Film City, Beside Kothagudem 'X' Roads, Hyderabad, Telangana 501512


Abstract

Cyber security is one of the biggest challenges of our time, and protecting our digital lives is an issue of paramount importance. DDoS attacks are launched by adversaries using a botnet, an army of compromised nodes hidden in the network; the compromised nodes are a set of machines controlled by the botnet's operator. The DDoS attack is the most popular such threat and is categorized as a volumetric attack, in which the target destination is overwhelmed with a large number of requests, leaving it unable to serve any users. In a DDoS attack a large number of machines act cooperatively under the supervision of one or more bot masters. These bots may be malicious users themselves or may have been infected beforehand. In recent years there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, which makes it easy for attackers to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, we present the design, implementation, and evaluation of a dynamic path identification based framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects. We built an application to show the effectiveness of the framework, and the results reveal its usefulness.

Key Words: DDoS attack, flooding DDoS, dynamic path identification, cyber security

1. INTRODUCTION

Security plays a vital role in any communication system. In the history of computing there have been many instances in which large-scale attacks were made for many reasons. Denial of Service (DoS) is one such attack; it disrupts legitimate communication between two systems. When such an attack is made at large scale it is known as a DDoS attack, whose impact on the victim server and the corresponding business in a distributed environment is greater. Compared with other attacks, a DDoS attack is complex in nature: adversaries compromise a vast number of nodes in order to launch the distributed DoS attack. Many companies such as Facebook, Google and Twitter have been victims of such attacks. HTTP flooding attacks include session flooding attacks, request flooding attacks, asymmetric attacks, slow request or response attacks, HTTP fragmentation attacks, slow POST attacks, and slow read attacks. Zargar, Joshi, and David (2013) reviewed the different DDoS flooding attacks. The motivation for these attacks is classified into financial gain, revenge, ideological belief, intellectual challenge, and cyber warfare. In this way many other researchers have contributed towards preventing DDoS attacks. As far as flooding-based DDoS attacks are concerned, it is understood from the literature that further research needs to be carried out. In this paper we propose a methodology that caters to the needs of a system which can use a runtime path-based solution to detect and prevent flooding DDoS attacks.

Volume VIII Issue X OCTOBER 2019 Page No : 16 Science, Technology and Development ISSN : 0950-0707

1.1 Bandwidth DDoS

A Bandwidth Distributed Denial of Service (BW-DDoS) attack succeeds because it consumes the available bandwidth. Such attacks have been explored in prior work; they include UDP flood, DNS reflection and ACK storm, to mention a few. Attackers follow a specific procedure in mounting DDoS attacks: first they identify and select agents, then take steps to compromise the agents, then perform the needed communication and launch the attack. Such attacks have been described as a scalability problem.

1.2 DDoS Flooding Attacks

A review of DDoS flooding attacks has been made in prior work. The reasons for the attacks include cyber warfare, ideological belief, revenge, financial gain and intellectual challenge. These attacks may be made at the network level or the transport level, while application-level attacks are meant to exhaust resources on the server side. There are different kinds of flooding attacks; they include HTTP flooding attacks and reflection-based flooding attacks.

Figure 1: Botnet for Causing DDoS Attacks

As presented in Figure 1, handlers are the machines used indirectly by adversaries to launch flooding attacks. Bots are machines that have been compromised by attackers. Botnets can be of many kinds, including IRC-based, P2P-based and web-based. The response to such attacks can be maintained at different locations, as explored below.


Figure 2: Possible DDoS detection and response locations

As presented in Figure 2, detection of DDoS can be made at different locations. The locations may be the various intermediate networks or the attack destination. The number of normal packets seen during a DDoS attack increases from bottom to top. Similarly, the response mechanisms are better from bottom to top. On the other hand, the detection accuracy increases from top to bottom.

1.3 Other DDoS Attacks and Botnet Detection Techniques

The SYN flooding kind of DDoS attack has also been explored. It is made for monetary gains. There is a vulnerability in the TCP 3-way handshake which is exploited by SYN flood attacks. Different kinds of bots used in the attacks have been studied. NetFlow is the solution employed in prior work to handle botnets. DDoS attacks in distributed P2P networks have been explored and countermeasures for them have been found. From the literature it is understood that flooding DDoS attacks need further research toward a runtime path identification based solution. The remainder of the paper is as follows. Section 2 reviews the literature. Section 3 presents the proposed framework. Section 4 provides results and section 5 concludes the paper.

2. RELATED WORK

This section provides a review of the literature pertaining to DDoS attacks and the methods to detect and prevent them. The performance of the methods depends on network conditions and is influenced by many parameters. There should be a generic method to defend against most of the attacks irrespective of the protocol used; a traceback mechanism should be implemented with customization support. It should be cost effective without compromising [9]. A mathematical model to detect shrew attacks was proposed by taking into account the explicit behavior of TCP's congestion window adaptation mechanism [3]. It can evaluate the attack effect from the attack pattern and the network environment. The analytical results instruct how to tune the attack parameters to improve the attack effect in a given network and how to configure the network resources to mitigate a given shrew attack [16]. Information distance is calculated between attack traffic and legitimate traffic [3]. Methods have been proposed to identify DDoS attacks not only at edge routers but also at the core of the network by computing entropy and frequency-sorted distributions [1]. A detailed discussion of the relationship between network visibility, invariant botnet behavior and existing botnet-based techniques has been carried out.

Volumetric attacks have a severe impact on the data plane but not on the controller; the impact is visible only in the attack phase [9]. Protocol exploitation does not affect network bandwidth; its effect is on the consumption of resources such as logical ports. A more detailed detection system has been proposed which analyzes where the attack occurred, whether in transit or at the source. The dynamic nature of stealthy attacks has been studied, because the technique benefits from the increased correlation arising under shifting patterns in network traffic [2]. More investigation is required to evaluate the trade-offs among the space and time granularity of monitoring, the number of observations and the ability to detect attacks under decreasing levels of intensity [2]. A TCP SYN attack consumes data structures in the server operating system [3]. Retransmission leads to severe congestion and finally to timeout. Once a malicious host is detected its packets are filtered and the services resume.

Anomaly detection is done by various statistical methods, machine learning and soft computing. Routers can be configured via access control lists to control access to the network and drop suspected traffic; if all incoming ICMP traffic to the broadcast address is filtered at the router, none of the machines will respond and the attack will not work. At the macroscopic level, a hierarchical method has been proposed in order to capture traffic patterns in the spatial-temporal domain [2]. Macroscopic characteristics found in network traffic are one of the ways to detect DDoS. When this approach is coupled with dynamic monitoring capabilities it will have higher utility. The solution in [2] can provide warnings when a detection is made. The model used to launch the attack was built at minimal cost, and attacks were prevented to show the performance of the approach. From the literature [1]-[16], it is found that there is a need for further investigation on handling DDoS attacks.

3. PROPOSED FRAMEWORK

The proposed framework includes the design, implementation and evaluation of D-PID, a framework that dynamically changes the path identifiers (PIDs) of inter-domain paths in order to prevent DDoS flooding attacks when PIDs are used as inter-domain routing objects. We describe the design details of D-PID and implement it in a 42-node prototype to verify its feasibility and effectiveness. We present numerical results from running experiments on the prototype. The results show that the time spent in negotiating and distributing PIDs is quite small (in the order of ms) and that D-PID is effective in preventing DDoS attacks. We have also conducted extensive simulations to evaluate the cost of launching DDoS attacks under D-PID and the overheads caused by D-PID. It is implemented as a distributed system of various nodes, and the nodes are arranged in different groups. Runtime path IDs are obtained dynamically in order to prevent DDoS attacks. The inter-domain connectivity is kept secret and changes dynamically.


Figure 3: Proposed framework for preventing DDoS attacks

As shown in Figure 3, the proposed system has several modules. The user is one module; the user shares information from one place to another. The attacker is another module; the attacker attacks the information in the network and targets the original data. The network manager is another module; the manager controls the sharing of information in the network and provides security against attackers.

Figure 4: The flow of activities in the proposed system

As presented in Figure 4, there are different processes involved in the system. There are different components such as source, router, group manager and destination. The data flow through the router from source to destination is safeguarded from DDoS attacks. This is achieved with the help of the proposed algorithm.

Figure 5: Sequence of events in the proposed system

As presented in Figure 5, it is evident that there are many objects among which interactions are made. They include source, router, group manager and destination. The data sent from the source reaches the destination by proper means, with routing by the router. The system also ensures that DDoS attacks are detected and prevented with a dynamic path at runtime.

Algorithm: Dynamic Path based Prevention for DDoS Attacks

Input: Wide Area Network (WAN)

Output: Communication with DDoS prevention.

1. Divide the network into subgroups
2. Generate a dynamic key for inter-group communication
3. Generate a signature for unique identification of groups
4. For each subnetwork in the WAN
5.     For each node in the subnetwork
6.         Ensure that the id used for path construction changes
7.     End For
8. End For
9. Repeat steps 4-8 iteratively and periodically
10. Ensure that the attacker will not succeed in establishing paths to the target server
End

Algorithm 1: Dynamic Path based Prevention for DDoS Attacks

The proposed system is implemented with simulated parties in the network to demonstrate the proof of concept. By using dynamic PIDs it is possible both to detect DDoS attacks and to prevent them, which reduces the chances of a successful DDoS attack. The system has provision to show the probability of attack and also its prevention.
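As an added illustration of Algorithm 1 and the D-PID idea above (a constructed example, not code from the authors' Java prototype), the following Python simulates one inter-domain link whose PID is re-derived every epoch from a shared inter-group key, so that a PID captured by an attacker stops being accepted after the next rotation. The link name, the one-epoch grace window and the HMAC-based derivation are assumptions of this example, not details given in the paper.

```python
import hashlib
import hmac
import os

# Constructed example (not the authors' prototype): neighbouring domains
# AS-A and AS-B share an inter-group key (algorithm step 2) and derive a
# fresh path identifier (PID) for their link every epoch (steps 4-9). The
# border router forwards a packet only if it carries the PID of the current
# epoch or the one just before it (a grace window, assumed here, so packets
# already in flight during a rotation are not dropped).

def derive_pid(group_key: bytes, link: str, epoch: int, nbytes: int = 4) -> bytes:
    """PID for one inter-domain link in one epoch: truncated HMAC-SHA256."""
    msg = f"{link}|{epoch}".encode()
    return hmac.new(group_key, msg, hashlib.sha256).digest()[:nbytes]

def group_signature(group_key: bytes, group_id: str) -> bytes:
    """Signature by which a group identifies itself to its neighbours (step 3)."""
    return hmac.new(group_key, group_id.encode(), hashlib.sha256).digest()[:8]

class BorderRouter:
    def __init__(self, link: str, group_key: bytes):
        self.link, self.group_key, self.epoch = link, group_key, 0

    def rotate(self) -> None:
        """Steps 6 and 9: periodically change the id used for path construction."""
        self.epoch += 1

    def forward(self, pid: bytes) -> bool:
        """Accept only the current epoch's PID or the immediately previous one."""
        accepted = [derive_pid(self.group_key, self.link, e)
                    for e in {self.epoch, max(self.epoch - 1, 0)}]
        return any(hmac.compare_digest(pid, a) for a in accepted)

def simulate(epochs: int, flood_per_epoch: int = 100) -> dict:
    """A legitimate source renegotiates the PID every epoch, while the attacker
    keeps flooding with the PID it captured in epoch 0. Returns per-epoch
    acceptance counts for both."""
    key = os.urandom(32)                          # dynamic inter-group key
    router = BorderRouter("AS-A<->AS-B", key)     # hypothetical link name
    captured = derive_pid(key, router.link, 0)    # what the attacker learned
    legit_ok, flood_ok = [], []
    for _ in range(epochs):
        current = derive_pid(key, router.link, router.epoch)  # negotiated PID
        legit_ok.append(router.forward(current))
        flood_ok.append(sum(router.forward(captured) for _ in range(flood_per_epoch)))
        router.rotate()
    return {"legit": legit_ok, "flood": flood_ok}

if __name__ == "__main__":
    print(simulate(5))  # flood packets accepted only in epochs 0 and 1
```

Running it shows the legitimate source delivered in every epoch while the flood with the stale PID is accepted for the grace window only and dropped thereafter, which is the effect step 10 of the algorithm describes.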

4. IMPLEMENTATION AND RESULTS

This section provides implementation details and results. The prototype is developed in the Java programming language with a GUI to provide an intuitive interface. It simulates the distributed environment and provides various components to demonstrate the proof of concept.

Figure 6: Router Screen

As can be seen in Figure 6, there is a schematic simulation that contains a source and a destination with many intermediate nodes. Routers forward packets and take care of security issues, and a network group manager coordinates them. The network is divided into groups to have better control over the dynamic runtime path generation that deceives attackers.


Figure 7: Source Screen

As presented in Figure 7, the source screen provides an interface to choose the path of a file to be sent to the destination. Before that, it has mechanisms to assign the group key and assign the signature according to the proposed algorithm.

Figure 8: Simulation of the file transferred to the destination successfully

As presented in Figure 8, the file is transferred to the destination successfully. This is possible through runtime path identification, which avoids DDoS attacks.


Figure 9: User Receives a File from Source Screen

As can be seen in Figure 9, the user receives the file sent from the source. This is evidence that there is proper communication and a mechanism to transfer data even in the presence of DDoS attacks.

Figure 10: Identify Attacker Screen

This screen shows how the attacker is identified. This will help in preventing attacks and ensuring that the system works as expected.

Figure 11: Different Transaction Upload Delay Details Graph Screen

As shown in Figure 11, the upload delay is presented for different experiments. The horizontal axis shows the different experiments while the vertical axis shows the total delay caused, in milliseconds.


Figure 12: Different Transaction Upload Throughput Details Graph Screen

As can be seen in Figure 12, different experiments are made and the throughput is recorded. The system is found to be good at preventing attacks and ensuring that the given data reaches the destination every time.

5. CONCLUSION AND FUTURE WORK

Distributed Denial of Service (DDoS) attacks in wide area networks are attacks made by adversaries with the help of thousands of compromised nodes or zombies. DDoS attacks are thus essentially made with large-scale denial of service intentions, and they have become a potential risk to a wide range of applications. In this paper we proposed a framework to detect flooding DDoS attacks and also provided an algorithm to handle them. The DDoS attack detection method is based on dynamic path identification. The nodes in the Wide Area Network are organized into groups in which PIDs are generated dynamically, and the concept of signatures is used in order to detect DDoS attacks. An attacker module is introduced along with the other modules: source, router and destination. Visualization of the normal flow and the attack scenario provides the proof of concept. In future, the work can be extended to detect other kinds of DDoS attacks.


References

[1] Laura Feinstein, Dan Schnackenberg, Ravindra Balupari and Darrell Kindred. (2003). Statistical Approaches to DDoS Attack Detection and Response. IEEE, p1-12.
[2] Jian Yuan and Kevin Mills. (2005). Monitoring the Macroscopic Effect of DDoS Flooding Attacks. IEEE Transactions on Dependable and Secure Computing, 2, p324-335.
[3] Jingtang Luo, Xiaolong Yang, Jin Wang, Jie Xu, Jian Sun and Keping Long. (2014). On a Mathematical Model for Low-Rate Shrew DDoS. IEEE Transactions on Information Forensics and Security, 9, p1069-1083.
[4] Ashish Dutt, Maizatul Akmar Ismail and Tutut Herawan. (2016). A Systematic Review on Educational Data Mining. IEEE, p1-15.
[5] Ameya Agaskar, Ting He and Lang Tong. (2010). Distributed Detection of Multi-Hop Information Flows With Fusion Capacity Constraints. IEEE Transactions on Signal Processing, 58, p3373-3383.
[6] Mauro Barni and Fernando Pérez-González. (2013). Coping with the Enemy: Advances in Adversary-Aware Signal Processing. IEEE, p1-5.
[7] Mauro Barni and Benedetta Tondi. (2014). Binary Hypothesis Testing Game With Training Data. IEEE Transactions on Information Theory, 60, p4848-4866.
[8] Ting He and Lang Tong. (2008). Distributed Detection of Information Flows. IEEE Transactions on Information Forensics and Security, 3, p390-403.
[9] Nazrul Hoque, Dhruba K. Bhattacharyya and Jugal K. Kalita. (2015). Botnet in DDoS Attacks: Trends and Challenges. IEEE, p1-29.
[10] Bhavya Kailkhura, Swastik Brahma, Berkan Dulek, Yunghsiang S. Han and Pramod K. Varshney. (2015). Distributed Detection in Tree Networks: Byzantines and Mitigation Techniques. IEEE, p1-13.
[11] Stefano Marano, Vincenzo Matta and Lang Tong. (2009). Distributed Detection in the Presence of Byzantine Attacks. IEEE Transactions on Signal Processing, 57, p16-29.
[12] Stefano Marano, Vincenzo Matta, Ting He and Lang Tong. (2013). The Embedding Capacity of Information Flows Under Renewal Traffic. IEEE Transactions on Information Theory, 59, p1724-1739.
[13] Morteza Mardani, Gonzalo Mateos and Georgios B. Giannakis. (2011). Dynamic Anomalography: Tracking Network Anomalies via Sparsity and Low Rank. IEEE, p1-37.
[14] Morteza Mardani and Georgios B. Giannakis. (2015). Estimating Traffic and Anomaly Maps via Network Tomography. IEEE, p1-15.
[15] Parvathinathan Venkitasubramaniam, Ting He and Lang Tong. (2008). Anonymous Networking Amidst Eavesdroppers. IEEE Transactions on Information Theory, 54, p2770-2784.
[16] Yang Xiang, Ke Li and Wanlei Zhou. (2011). Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics. IEEE Transactions on Information Forensics and Security, 6, p426-437.
