Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks
Authors

Abstract
DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce a dual-level attack detection (D-LAD) scheme for defending against DDoS attacks. At the higher and coarser level, the macroscopic level detectors (MaLAD) attempt to detect congestion-inducing attacks which cause an apparent slowdown in network functionality. At the lower and finer level, the microscopic level detectors (MiLAD) detect sophisticated attacks that cause network performance to degrade gracefully, and stealth attacks that remain undetected in the transit domain and do not impact the victim. The response mechanism then redirects the suspicious traffic of anomalous flows to a honeypot trap for further evaluation. It selectively drops the attack packets and minimizes collateral damage in addressing the DDoS problem. Results demonstrate that this scheme is very effective and provides a much-needed solution to the DDoS problem.

takovsky, 2001; Carl, Kesidis, Brooks, & Rai, 2005; Gil & Poletto, 2001; Ioannidis & Bellovin, 2002; Lakhina, Crovella, & Diot, 2005; Mahajan, Floyd, & Wetherall, 2001). Detecting a DDoS attack is relatively easy at the victim network (Bencsath & Vajda, 2004; Blazek et al., 2001; Gil & Poletto, 2001) because it can observe all the attack packets. However, attack packets clog a large part of the network before they are detected at the victim. Early attack detection schemes (Carl et al., 2005; Ioannidis & Bellovin, 2002; Mahajan et al., 2001) unfortunately have to wait for the flooding to become widespread; consequently, they are ineffective at fending off the DDoS in time.

DOI: 10.4018/jmcmc.2011010101. International Journal of Mobile Computing and Multimedia Communications, 3(1), 1-20, January-March 2011. Copyright © 2011, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Moreover, early packet drops can cause collateral damage, as legitimate packets are also dropped together with the aggregate of attack flows. Many of the present DDoS attack detection techniques are complex, difficult to deploy, or lead to computational and memory overheads (Bencsath & Vajda, 2004; Blazek et al., 2001; Carl et al., 2005; Gil & Poletto, 2001; Ioannidis & Bellovin, 2002; Lakhina et al., 2005; Mahajan et al., 2001). Unlike earlier proposals for attack detection (Bencsath & Vajda, 2004; Blazek et al., 2001; Carl et al., 2005; Gil & Poletto, 2001; Ioannidis & Bellovin, 2002; Lakhina et al., 2005; Mahajan et al., 2001) that are either based on unreliable assumptions or too complicated to implement, our dual-level scheme is simple to understand and implement. It is capable of handling infiltrating, sophisticated, as well as highly distributed attacks, and provides a basis for characterization. It adapts to varying network conditions with minimal false alarms. The rest of the paper is organized as follows. The traffic feature selection is described, followed by an overview of the dual-level attack detection (D-LAD) scheme. The design of the macroscopic level attack detector is explained next, and the design of the microscopic level attack detector is given after that. Then the overall response technique is discussed and the performance of our proposed scheme is evaluated. Finally, the paper is concluded.

TRAFFIC FEATURE SELECTION

DDoS attacks are launched from distributed sources. Hence the attack traffic is spread across multiple links. As the distance from the victim increases, attack traffic becomes more diffused and harder to detect, because the volume of attack flows is indistinguishable from that of legitimate flows.
Current schemes for early attack detection are based on detecting aggregates causing sustained congestion on communication links (Ioannidis & Bellovin, 2002; Mahajan et al., 2001), imbalance between incoming and outgoing traffic volume on routers (Carl et al., 2005), and probabilistic packet marking techniques. These early detection methods, unfortunately, have to wait for the flooding to become widespread; consequently, they are ineffective at fending off the DDoS in time. Lakhina et al. (2005) observed that most traffic anomalies, despite their diversity, share a common characteristic: they induce a change in the distributional aspects of packet header fields (i.e., source address, source port, destination address, destination port, etc., called traffic features). Let an information source have n independent symbols, each with probability of choice p_i. Then the entropy H is defined as:

$H = -\sum_{i=1}^{n} p_i \log_2 p_i$ (1)

Entropy can be computed on a sample of consecutive packets. The entropy detection method calculates the randomness of the distribution of some attributes, which are fields in the network packets' headers. These attributes can be values like source IP address, TTL, etc. that indicate the packet's properties. Entropy captures in a single value the distributional changes in traffic features, and observing the time series of entropy on the features exposes unusual traffic behavior. Source-IP-based entropy algorithms are efficient in the case of highly distributed DDoS attacks or highly concentrated high-bandwidth attacks. A proficient and sophisticated attacker usually tries to defeat a detection algorithm based on source IP entropy (Feinstein, Schnackenberg, Balupari, & Kindred, 2003) by secretly producing a flooding attack that simulates the monitor's expected normal data flow. After learning the entropy values of some packet attributes, these attackers could use attack tools to produce flooding with adjustable entropy values.
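The following is an added example, not code from the paper: it implements eq. (1) over a window of consecutive packet headers, builds a per-feature baseline band from attack-free windows, and flags windows whose entropy leaves that band. It computes entropy on several header fields at once, so that a change the source-IP entropy alone would miss can still show up on another feature. All packet headers are constructed in the script (no captured traffic); the band width (mean +/- 3 standard deviations), the client/server address pools and the window size of 200 packets are assumptions for the demonstration.

```python
import math
import random
from collections import Counter

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port")


def entropy(values):
    """Shannon entropy of eq. (1): H = -sum_i p_i * log2(p_i),
    where p_i is the empirical frequency of symbol i in the sample."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_entropies(packets):
    """Entropy of every header field over one window of consecutive packets."""
    return {f: entropy([p[f] for p in packets]) for f in FEATURES}


def baseline_ranges(normal_windows, k=3.0):
    """Per-feature (low, high) band = mean +/- k*std of the entropy time series
    measured on attack-free windows (k=3 is an assumed choice)."""
    ranges = {}
    for f in FEATURES:
        xs = [w[f] for w in normal_windows]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        ranges[f] = (mean - k * std, mean + k * std)
    return ranges


def detect(window_ent, ranges):
    """Flag each feature whose entropy leaves its band.
    Returns a list of (feature, value, 'low' | 'high')."""
    alerts = []
    for f, (lo, hi) in ranges.items():
        v = window_ent[f]
        if v < lo:
            alerts.append((f, round(v, 3), "low"))
        elif v > hi:
            alerts.append((f, round(v, 3), "high"))
    return alerts


# --- constructed sample traffic (not captured data) ---
SERVERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
CLIENTS = [f"192.168.1.{i}" for i in range(1, 41)]
PORTS = [80] * 5 + [443] * 3 + [53] + [22]          # weighted service mix


def normal_window(rng, n=200):
    """Legitimate clients spread over the servers and services."""
    return [{"src_ip": rng.choice(CLIENTS), "src_port": rng.randint(1024, 65535),
             "dst_ip": rng.choice(SERVERS), "dst_port": rng.choice(PORTS)}
            for _ in range(n)]


def distributed_flood(rng, n=200):
    """Highly distributed flood: a different spoofed source per packet, one target service."""
    return [{"src_ip": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
             "src_port": rng.randint(1024, 65535),
             "dst_ip": SERVERS[0], "dst_port": 80}
            for _ in range(n)]


def concentrated_flood(rng, n=200):
    """Concentrated high-bandwidth flood: two sources, one target service."""
    return [{"src_ip": rng.choice(["203.0.113.5", "203.0.113.9"]),
             "src_port": rng.randint(1024, 65535),
             "dst_ip": SERVERS[0], "dst_port": 80}
            for _ in range(n)]


def run_demo(seed=7):
    """Train the baseline on 30 normal windows, then score one window of each flood type."""
    rng = random.Random(seed)
    ranges = baseline_ranges([window_entropies(normal_window(rng)) for _ in range(30)])
    return {
        "distributed": detect(window_entropies(distributed_flood(rng)), ranges),
        "concentrated": detect(window_entropies(concentrated_flood(rng)), ranges),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts or "no deviation from baseline")
```

The distributed flood pushes source-IP entropy above the band (every packet carries a new address) while destination-IP and destination-port entropy collapse toward zero; the concentrated flood drives source-IP entropy below the band. Source-port entropy barely moves in either case, which is the reason to watch several features rather than one: a flood whose source addresses mimic the normal spread still has to concentrate on its target, and that concentration shows on the destination features.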
By guessing, testing or summarizing, these attackers could probably learn the normal entropy range in the monitors and
Similar sources
F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: volumetric attacks, protocol attacks and application attacks. The volumetric attack, which the pro...
Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks
Software Defined Network (SDN) is a new architecture for network management and its main concept is centralizing network management in the network control level that has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...
Dual-Level Defense Framework for DDoS Attacked Network
DDoS has become one of the thorniest problems in the Internet, and aims to deny legitimate users of the services they should have. In this paper, we introduce a novel dual-level framework that consists of an attack detection (D-LAD) and characterization scheme for defending against DDoS attacks. The macroscopic level detectors (MaLAD) attempt to detect voluminous congestion inducing attacks which...
HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Today, botnets have become a serious threat to enterprise networks. By creating a network of bots, they launch several attacks; distributed denial of service (DDoS) attacks on networks are one example. Such attacks, by occupying system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks agains...
Detecting DDoS Attacks in Stub Domains
Title of dissertation: Detecting DDoS Attacks in Stub Domains. Christopher Kommareddy, Doctor of Philosophy, 2006. Dissertation directed by: Prof. Samrat Bhattacharjee (Department of Computer Science) and Dr. Richard La (Department of Electrical & Computer Engineering). DoS attacks have least impact when detected and mitigated close to the attacks' source. This is more important for Distributed DoS (DDoS)...
Journal title:
- IJMCMC
Volume 3, Issue
Pages -
Publication date 2011