S. Shiaeles: Real Time Detection and Response of Distributed Denial of Service Attacks for Web Services

Real time detection and response of distributed denial of service attacks for web services

A thesis submitted for the degree of Doctor of Philosophy by Stavros Shiaeles
Democritus University of Thrace, Department of Electrical and Computer Engineering
Xanthi, October 2013

Copyright ©2013 Stavros Shiaeles
Democritus University of Thrace, Department of Electrical and Computer Engineering
Building A, ECE, University Campus – Kimmeria, 67100 Xanthi, Greece

All rights reserved. No parts of this book may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author.

I would like to dedicate this thesis to my parents.

Contents

Advising Committee of this Doctoral Thesis ..... ix
Approved by the Examining Committee ..... xi
Acknowledgements ..... xiii
Abstract ..... xv
Extended Abstract in Greek (Περίληψη) ..... xvii
List of Figures ..... xxiii
List of Tables ..... xxv
Abbreviations ..... xxvii

Chapter 1: Introduction ..... 1
  1.1 Introduction and motivation ..... 3
  1.2 Scope, goals and objectives ..... 4
  1.3 Research methodology ..... 5
    1.3.1 Literature review ..... 5
    1.3.2 Analysis and investigation ..... 5
    1.3.3 Testbeds ..... 5
  1.4 Novel aspects of thesis ..... 6
  1.5 Dissertation Outline ..... 7

Chapter 2: Background ..... 11
  2.1 Fuzzy Logic ..... 13
    2.1.1 Introduction to Fuzzy Logic ..... 13
    2.1.2 Basic Principles of Fuzzy Logic ..... 13
    2.1.3 Basic Terms ..... 14
    2.1.4 Basic Properties of Fuzzy Sets ..... 15
    2.1.5 Membership Functions ..... 16
    2.1.6 Fuzzy Set Operations ..... 19
    2.1.7 Linguistic Modifiers or Linguistic Hedges ..... 20
    2.1.8 If-then Rules ..... 21
    2.1.9 Fuzzy Logic Controllers ..... 22
    2.1.10 Fuzzy Logic Systems ..... 24
    2.1.11 Mamdani Fuzzy Model ..... 24
    2.1.12 Sugeno Systems type ..... 27
  2.2 Fuzzy Estimators ..... 28
    2.2.1 Preliminaries ..... 29
    2.2.2 Non-Asymptotic Fuzzy Estimators ..... 30
  2.3 Bots, Botnets and C&C Servers ..... 32
    2.3.1 Introduction ..... 32
    2.3.2 Anatomy of a DDoS attack ..... 33
    2.3.3 Preparing the bot for the Client ..... 35
    2.3.4 Setting Up the Command and Control Server ..... 36
    2.3.5 Performing the attacks ..... 37
      2.3.5.1 ICMP attack ..... 38
      2.3.5.2 UDP flood attack ..... 38
      2.3.5.3 SYN flood attack ..... 38
      2.3.5.4 HTTP flood attack ..... 39
  2.4 BoNeSi DDoS emulator ..... 39
    2.4.1 Introduction ..... 39
    2.4.2 Installation ..... 40
    2.4.3 Attacking ..... 40

Chapter 3: Real Time DDoS Detection using Fuzzy Estimators ..... 45
  3.1 Introduction ..... 47
  3.2 Related Work ..... 47
  3.3 Description of the proposed method ..... 49
    3.3.1 Non-Asymptotic Fuzzy Estimators: Our approach ..... 49
  3.4 Empirical evaluation ..... 51
    3.4.1 Datasets ..... 52
    3.4.2 Empirical results ..... 53
    3.4.3 Performance, accuracy and limitations ..... 54
  3.5 Conclusion ..... 58

Chapter 4: An improved IP spoofing detection method for web DDoS attacks ..... 59
  4.1 Introduction ..... 61
  4.2 Related Work ..... 61
  4.3 Fuzzy Hybrid Spoof Detector Conceptual Model ..... 63
  4.4 A prototype implementation of FHSD and Experimental design ..... 70
  4.5 Results ..... 73
  4.6 Discussion ..... 75
  4.7 Limitations ..... 77
  4.8 Conclusion ..... 78

Chapter 5: On scene criminal investigation of a “zombie” computer ..... 79
  5.1 Introduction ..... 81
  5.2 Related Work ..... 81
  5.3 Methodology ..... 83
  5.4 Testbed setup procedure ..... 83
  5.5 Testing Triage Tools ..... 85
    5.5.1 TriageIR v.0.79 ..... 85
    5.5.2 TR3Secure ..... 86
    5.5.3 Kludge 3.20110223 ..... 88
  5.6 Results ..... 89
    5.6.1 TriageIR v.0.79 ..... 96
    5.6.2 TR3Secure ..... 96
    5.6.3 Kludge 3.20110223 ..... 97
  5.7 Drawbacks ..... 97
    5.7.1 TriageIR v.0.79 ..... 97
    5.7.2 TR3Secure ..... 99
    5.7.3 Kludge 3.20110223 ..... 99
  5.8 Adherence to ACPO Principle 2 ..... 100
    5.8.1 TriageIR v.0.79 ..... 100
    5.8.2 TR3Secure ..... 101
    5.8.3 Kludge 3.20110223 ..... 101
  5.9 Conclusion ..... 102
    5.9.1 TriageIR v.0.79 ..... 102
    5.9.2 TR3Secure ..... 103
    5.9.3 Kludge 3.20110223 ..... 103

Chapter 6: Conclusions
