An Integrated Honeypot Framework for Proactive Detection, Characterization and Redirection of DDoS Attacks at ISP level
Authors
Abstract
Distributed Denial of Service (DDoS) attacks can affect the steady functioning of any network and pose a severe security threat. Concentrated single-source DDoS attacks consume huge resources such as bandwidth within a very short duration and have a direct impact at ISP level, which makes them easy to detect. In contrast, diluted low-rate DDoS attacks lead to graceful degradation of the network over a longer duration and hence mostly go undetected. The outcome of both kinds of attack is that legitimate users are denied service. Though an array of schemes has been proposed for detecting the presence of DDoS attacks, characterizing flows as normal or malicious, and mitigating the effects of attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the defense against DDoS attacks. In this paper, we propose a novel honeypot framework that proactively detects the presence of an attack, characterizes TCP flows as attack or legitimate, and mitigates the influence of the attack by redirecting attack flows to honeypots. Detection is achieved by an innovative entropy-based scheme. Our detection mechanism adapts itself to variation in attack load in real time and calibrates the system to operate in one of the naïve, normal or best defense modes. In-stream flows are characterized on the basis of the entropy value and the mode of operation within a moving time window. During mitigation, attack flows are redirected to autonomic dynamic honeypots that reside in the same network as the active FTP servers. A dynamic honeypot engine (DHE) in the honeypot controller (HC) module has been modeled to generate a judicious mixture of honeypots and active FTP servers from a pool of servers, depending on real-time network conditions at ISP level. Goodput, mean time between failures and average response time have been evaluated for the naïve, normal and best defense modes of operation.
We validate the effectiveness of the approach with simulations carried out at different attack strengths in ns-2 on a Linux platform. We also report our experimental results for detection on the KDD 99 dataset. Results show that the proposed framework gives a drastic improvement in terms of average response time and goodput. It addresses the challenges faced by most existing DDoS solutions through its ability to proactively detect variable-rate attacks in real time with minimal false alarms and minimal collateral damage. The proposed scheme has the potential to maintain stable network functionality even in the presence of attacks, and it can be fine-tuned according to dynamically changing network conditions at ISP level.
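The abstract describes the detector only at a high level: an entropy value computed over a moving time window, a defense mode (naïve, normal, best) chosen from that value, and per-flow labelling that depends on both. The block below is an added illustration of that structure and is not the paper's code: it computes the normalized Shannon entropy of the destination-IP packet distribution in a sliding window (a sharp drop means traffic is collapsing onto one victim), maps it to a mode, and labels flows to the dominant destination as attack traffic when their source exceeds a per-mode packet budget, which is where the redirect-to-honeypot decision would hang. The entropy feature, the mode thresholds in `MODE_BANDS`, the budgets in `SOURCE_BUDGET`, the window length and the sample flow records in `make_flows()` are all assumptions chosen for the example; the paper's own operating points are not given in the abstract.

```python
"""Entropy-based sliding-window DDoS detection with mode selection.

Added example, not the paper's implementation. All thresholds and the
sample traffic are constructed for illustration.
"""
import math
from collections import Counter

# Hypothetical operating points: lower bound of normalized destination-IP
# entropy for each defense mode (checked in order), and the per-source
# packet budget per window in the two active modes.
MODE_BANDS = (("naive", 0.8), ("normal", 0.4), ("best", 0.0))
SOURCE_BUDGET = {"normal": 100, "best": 25}
WINDOW = 5  # seconds covered by one moving window (assumption)


def make_flows():
    """Constructed flow records: (time, src_ip, dst_ip, packets).

    Seconds 0-39 carry a uniform benign mix from 10 sources to 5 servers;
    from second 20 on, 20 extra sources flood 10.0.0.5.
    """
    flows = []
    benign_src = [f"192.0.2.{i}" for i in range(1, 11)]
    benign_dst = [f"10.0.0.{i}" for i in range(1, 6)]
    for t in range(40):
        for i, src in enumerate(benign_src):
            flows.append((t, src, benign_dst[(i + t) % 5], 3))
        if t >= 20:
            for j in range(1, 21):
                flows.append((t, f"203.0.113.{j}", "10.0.0.5", 40))
    return flows


def shannon_entropy(counts):
    """Entropy in bits of a mapping key -> packet count."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total)
                for c in counts.values() if c)


def normalized_entropy(counts):
    """Entropy divided by log2(distinct keys): 1.0 is uniform, 0.0 is a
    single key. A window with one destination is treated as fully
    concentrated; see the usage note for the false-alarm caveat."""
    n = len(counts)
    if n <= 1:
        return 0.0
    return shannon_entropy(counts) / math.log2(n)


def select_mode(h_norm):
    """Map normalized entropy to a defense mode using MODE_BANDS."""
    for mode, floor in MODE_BANDS:
        if h_norm >= floor:
            return mode
    return "best"


def window_flows(flows, end_time):
    """Flows whose timestamp lies in (end_time - WINDOW, end_time]."""
    return [f for f in flows if end_time - WINDOW < f[0] <= end_time]


def analyse_window(flows, end_time):
    """Return (mode, [(flow, label), ...]) for the window ending at end_time.

    In naive mode nothing is redirected. Otherwise the busiest destination
    is taken as the victim and flows to it from sources over the mode's
    packet budget are labelled "attack" (candidates for honeypot redirect).
    """
    window = window_flows(flows, end_time)
    dst_pkts, src_pkts = Counter(), Counter()
    for _, src, dst, pkts in window:
        dst_pkts[dst] += pkts
        src_pkts[src] += pkts
    mode = select_mode(normalized_entropy(dst_pkts))
    if mode == "naive":
        return mode, [(f, "legitimate") for f in window]
    victim = dst_pkts.most_common(1)[0][0]
    budget = SOURCE_BUDGET[mode]
    labelled = []
    for f in window:
        _, src, dst, _ = f
        attack = dst == victim and src_pkts[src] > budget
        labelled.append((f, "attack" if attack else "legitimate"))
    return mode, labelled


if __name__ == "__main__":
    flows = make_flows()
    for end in range(WINDOW - 1, 40, WINDOW):
        mode, labelled = analyse_window(flows, end)
        redirected = {f[1] for f, lbl in labelled if lbl == "attack"}
        print(f"t<={end:2d}  mode={mode:6s}  redirected sources={len(redirected)}")
```

Two caveats a practitioner would want before trusting this shape of detector: normalizing by the number of distinct destinations makes a quiet window with a single legitimate destination look fully concentrated, so a production version should keep a baseline from earlier windows and alarm on the deviation rather than on the raw value; and source-IP entropy moves the opposite way under spoofed, widely distributed flooding, which is why the abstract's distinction between concentrated and diluted attacks matters for choosing the feature.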
Similar articles
A Hybrid Defense Technique for ISP Against the Distributed Denial of Service Attacks
As malicious traffic from botnets now threatens the network infrastructure of Internet Service Providers (ISPs), the importance of controlling botnets is greater than ever before. However, it is not easy to handle rapidly evolving botnets efficiently because of the highly evolved detection avoidance techniques used by botnet makers. Further, nowadays, Distributed Denial of Service (DDoS) attack...
Dual-Level Defense Framework for DDoS Attacked Network
DDoS has become one of the thorniest problems in the Internet, and aims to deny legitimate users the services they should have. In this paper, we introduce a novel dual-level framework that consists of an attack detection (D-LAD) and characterization scheme for defending against DDoS attacks. The macroscopic level detectors (MaLAD) attempt to detect voluminous congestion-inducing attacks which...
Neural Network Based Protection of Software Defined Network Controller against Distributed Denial of Service Attacks
Software Defined Network (SDN) is a new architecture for network management and its main concept is centralizing network management in the network control level that has an overview of the network and determines the forwarding rules for switches and routers (the data level). Although this centralized control is the main advantage of SDN, it is also a single point of failure. If this main contro...
An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach
Disruption of service caused by DDoS attacks is an immense threat to the Internet today. These attacks can disrupt the availability of Internet services completely, either by consuming computational or communication resources through the sheer volume of packets sent from distributed locations in a coordinated manner, or by gracefully degrading network performance through attack traffic sent at a low rate. In...
F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories as Volumetric attacks, Protocol attacks and Application attacks. The volumetric attack, which the pro...