
A Novel Online Technique to Characterize and Mitigate DoS Attacks using EPSD and Honeypots

Step 5: Filtering and Connection Dropping

Firstly, idle servers (honeypots) detect attacker addresses so that all their subsequent requests are filtered out. Secondly, each time a server switches from idle to active, it drops all its current (attack) connections, opening a window of opportunity for legitimate requests before the attack builds up again. These two benefits are the filtering effect and the connection-dropping effect [9], respectively.

VI. EXPERIMENTAL DESIGN

A. Simulation Topology

Fig. 2 depicts the simulated network topology. The shaded clients are the attackers; the others are legitimate. They request files of size 1 Mbps each with request inter-arrival times drawn from a Poisson distribution.

Let Tsample be the sampling interval at which the flow statistics (packet arrivals) are monitored continuously per flow. Let Ncurrent be the number of packets that arrived up to the current sample instant (counted from the time the flow became active) minus the number that had arrived up to the previous sample instant. Let small_stats be an array of length Nstats which stores the values of Ncurrent for the last Nstats instants. Once the flow is past its slow start phase, the EPSD functionality is invoked online every TEPSD seconds on the small_stats array, i.e. on the latest Nstats samples; the slow start phase is excluded because even a legitimate flow lacks periodicity there. The decision of tagging the flow as attack or legitimate is delayed until EPSD has been called cnt_thresh times. Each time periodicity is found to be missing from the array small_stats, a counter bad_flow is incremented. If bad_flow exceeds a pre-defined threshold bad_thresh, the flow is tagged as an attack flow and further packets from the flow are discarded. The detailed steps are shown in the form of a flowchart in Fig. 3.
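As an added illustration (not code from the paper), the sampling loop, the small_stats window and the counter logic above in Python. A simplified exactly-periodic-subspace energy stands in for the EPSD routine of [6], the ratio form bad_flow/counter > bad_thresh from the Fig. 3 flowchart is used, and the Nstats > 2·RTT/Tsample requirement of condition (3) is asserted; the thresholds and the 3-packets-per-RTT sample process are constructed.

```python
from collections import deque

def periodic_energy(x, p):
    """Energy of x projected onto the p-periodic subspace (fold on p, average); whole periods only."""
    n = len(x) - len(x) % p
    folded = [sum(x[i:n:p]) / (n // p) for i in range(p)]
    return (n // p) * sum(v * v for v in folded)

def eps_energy(x, max_period):
    """Simplified EPSD: energy exactly at period p = p-periodic energy minus what its proper divisors explain."""
    e = {}
    for p in range(1, max_period + 1):
        e[p] = periodic_energy(x, p) - sum(e[d] for d in range(1, p) if p % d == 0)
    return e

def dominant_period(x, frac=0.5):
    """Non-dc period with most EPS energy, or None if it holds < frac of the non-dc energy (not periodic)."""
    mean = sum(x) / len(x)
    ac = sum((v - mean) ** 2 for v in x)            # energy left after removing the dc (period 1) part
    e = eps_energy(x, len(x) // 2)
    p = max((q for q in e if q > 1), key=lambda q: e[q])
    return p if ac > 0 and e[p] > frac * ac else None

class FlowMonitor:
    """Online per-flow check of Section VI: last Nstats counts in small_stats, EPSD on every check()."""
    def __init__(self, nstats, rtt_samples, cnt_thresh=3, bad_thresh=0.6):
        assert nstats > 2 * rtt_samples              # condition (3): cover at least two RTT cycles
        self.small_stats = deque(maxlen=nstats)
        self.cnt_thresh, self.bad_thresh = cnt_thresh, bad_thresh
        self.counter = self.bad_flow = 0
        self.attack = False
    def check(self):
        """Run EPSD on small_stats; tag using the flowchart's ratio test bad_flow/counter > bad_thresh."""
        if self.attack or len(self.small_stats) < self.small_stats.maxlen:
            return self.attack                      # still in slow start / window not yet full
        self.counter += 1
        if dominant_period(list(self.small_stats)) is None:
            self.bad_flow += 1
        if self.counter > self.cnt_thresh and self.bad_flow / self.counter > self.bad_thresh:
            self.attack = True
        return self.attack

def run(counts, nstats=15, rtt_samples=5, check_every=10):
    """Feed per-Tsample packet counts (Ncurrent) and call check() every TEPSD/Tsample samples."""
    mon = FlowMonitor(nstats, rtt_samples)
    for i, c in enumerate(counts, 1):
        mon.small_stats.append(c)
        if i % check_every == 0:
            mon.check()
    return mon.attack

# Constructed inputs (Tsample = 10 ms, RTT = 50 ms): a burst of 3 packets per RTT vs. a constant flood.
LEGIT = [3, 0, 0, 0, 0] * 12
FLOOD = [2] * 60
```

Because whole periods are used when folding, the divisor subtraction is only approximately orthogonal when Nstats is not a multiple of the candidate period; the RTT period still dominates clearly in the legitimate case.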

The value of Nstats should be chosen so that it is not so large as to cause a great overhead in storage and processing, yet large enough to cover at least two complete cycles with respect to the RTT from the source node to the server, in order to judge the periodicity safely, i.e.

Nstats > 2·RTT / Sample Period (3)

VII. RESULTS

A. Stage 1 Simulation Results

In this subsection, we present the simulation results of stage 1 for a TCP flow. The domain of analysis includes the observation of the Exactly Periodic Subspace (EPS) energy vs. the period at which it occurs. The period, other than 1 (a period of 1 denotes the dc component of the energy), at which significant positive EPS energy is observed denotes the exact period of the packet process. Honeypot-based characterization is used for UDP flows. Any flow directed towards a honeypot is illegitimate, and hence a UDP flow destined for a honeypot is characterized as an attack flow.

Fig. 2. Simulated Topology (nodes: Client, Server, Authenticator, Router)

Fig. 3. (a) Flowchart for sampling the number of packets per flow. (b) Flowchart for invoking the EPSD functionality for the online methodology.

1) Legitimate Flow

Let Tsample be 10 ms, TEPSD be 1 sec and Nstats be 11. An enlarged view of the packet process passed on to one run of the EPSD procedure is shown in Fig. 4. As can be observed, the packet process is visibly periodic in nature. The resulting EPSD graph is shown in Fig. 5. The energy at period 1 is the dc component of the signal. The period where the next highest energy is observed is the actual period of the signal, which is 5 here, i.e. the signal due to the packet process is periodic with a period of 50 ms (as the samples are taken at 10 ms intervals), which is the RTT.

2) Attack Flow

The result of applying the EPSD technique on the packet process of an attack flow is shown in Fig. 6.

Our suspicion that the packet process of an attack flow lacks periodicity is confirmed by the resultant EPSD graph. There is no significant energy at any non-dc component to qualify it as a periodic signal. To qualify this flow as a normal flow, there should have been significant energy at period 5, but there appears to be none according to the generated EPSD graph, thus characterizing the flow as an attack flow.

[Text of the Fig. 3 flowcharts. (a) Start; sample the number of packets arriving every Tsample seconds; let Ncurrent be the difference between the number of packets arrived till the current sample and the number arrived till the last sample; add Ncurrent as the latest element of the array small_stats, which maintains the Ncurrent values of the previous Nstats samples; has the flow been proved 'suspicious'? Yes: tag flow as 'attack flow'; No: continue sampling. (b) Start; is the flow past its slow start phase? No: wait; Yes: invoke EPSD functionality for array small_stats every TEPSD seconds and increment counter; is it periodic? No: increment bad_flow; is counter > cnt_thresh and (bad_flow/counter) > bad_thresh? Yes: flow is suspicious, counter = 0, bad_flow = 0; No: continue.]

B. Stage 2 Simulation Results

Once a flow has been characterized and directed to a honeypot (attack flow) or to an active server (legitimate flow), the average response time and the number of packets dropped are used as metrics for comparing the performance of the scheme.

1) Cost of honeypots

Fig. 7 shows the cost incurred by the roaming honeypot scheme under the no-attack condition.

As the number of honeypots increases, even under low or no attack conditions, the average response time increases, because servers which could otherwise have served client requests take up the role of honeypots even when there are no attacks.

2) Benefit of Honeypots in case of UDP Flows

In the case of a UDP attack flow, in the absence of honeypots, the number of packets dropped increases with increasing client load, as expected. However, in the presence of honeypots, the attack flow is filtered as soon as an attack is detected by a honeypot. Thus the attack traffic in the network decreases substantially, giving more and more legitimate traffic the chance to reach its destination. This gives a stable behavior even with increasing client load, up to a limit, in the presence of honeypots, as shown in Fig. 8.

3) Benefit of Honeypots in case of TCP Flows

Fig. 9 shows the expected behavior: the average response time increases with increasing attack load in the cases of no, 1 and 4 honeypots. 3 honeypots and 2 servers provide the optimum combination for this set of <client load, migration interval> parameters, because the average response time increases only marginally with increasing attack load and then decreases. The unexpected decrease in average response time is due to the fact that as soon as the attacks are detected they are filtered out, and after some time no attacks persist, thus decreasing the average response time for a given client load.

Fig. 4. A few sample observations from the legitimate flow packet process.

Fig. 5. EPS Energy vs. Period for legitimate TCP Flow

Fig. 6. EPS Energy vs. Period for an attack flow

Fig. 7. Cost of honeypots incurred under absence of attacks (Attack Load = 0 Mbps; Client Load = .5 Mbps; Migration Interval = 2s). x-axis: Number of Honeypots (No Honeypots, 1 Honeypot, 2 Honeypots, 3 Honeypots, 4 Honeypots); y-axis: Average Response Time.

Fig. 8. Benefit of Honeypot under the presence of UDP based DoS attack (Attack load = .5 Mbps; Migration Interval = 2s). x-axis: Client Load; y-axis: No. of Packets Dropped; series: No Honeypots, With Honeypots.

The challenge is the determination of optimum values for a set of parameters for a scenario.

4) Optimum Migration Interval

As shown in Fig. 10, the optimum migration interval is a function of parameters specific to the scenario. For a given attack load and each value of the migration interval, increasing the client load increases the number of clients done up to a maximum and then causes a decrease. For the given attack load and a particular client load, the curve containing the maximum number of clients done gives the optimum migration interval for that combination of parameters.

VIII. CONCLUSIONS

In the proposed framework, we use the EPSD technique to distinguish legitimate TCP flows from attack ones. We illustrate the effectiveness of this approach by applying the technique to both kinds of flows.

A proactive roaming honeypot scheme has been presented to mitigate DoS attacks. The scheme takes advantage of both the filtering and the connection-dropping effect.

Results show that the framework has the potential to improve the DoS defensive strategy for both TCP and UDP flows.

However, because some servers are sacrificed to act as honeypots, distributing the load on all the servers outperforms the roaming honeypots scheme when a high legitimate client load is combined with a low attack load.

IX. FUTURE WORK

The RTT of a TCP flow may vary slightly from trip to trip, due to queuing delay variations. For characterization to be successful in stage 1, the sampling period has to be large enough to tolerate RTT fluctuation, while small enough to keep the observed periodicity distinguishable. Thus, it would be challenging to identify TCP flows with very small RTTs. These flows generally do not pose severe security threats because they are mostly local traffic, or traffic between two administratively close networks. Nevertheless, one possible remedy for this is to set up a list of neighboring sites and treat the traffic related to these sites separately. Another possibility is to add artificial delay at the router where we take measurements, so that the range within which RTTs vary is relatively small.

Although stage 2 of the framework focuses on physically roaming honeypots, the potential of logically roaming honeypots is notable. Further, varying the number of honeypots adaptively with the attack load would address the shortcomings noted above; this is left for future work.

REFERENCES

[1] Honeypot Project, URL http://project.honeynet.org

[2] Chen-Mou Cheng, H. T. Kung, and Koan-Sin Tan, “Use of Spectral Analysis in Defense Against DoS Attacks,” in Proceedings of the Global Telecommunications Conference (GLOBECOM '02), IEEE, Vol. 3, pp. 2143–2148, Nov. 2002.

[3] Rong-Ching Wu and Ta-Peng Tsao, “Theorem and Application of Adjustable Spectrum,” IEEE Trans. on Power Delivery, Vol. 18, No. 2, pp. 372–376, April 2003.

[4] P. L. Feibig, D. M. Etter, and S. D. Stearns, “A Software Tool for Comparing Spectral Estimation Techniques,” Twenty-Third Asilomar Conference on Signals, Systems and Computers, Vol. 1, pp. 371–375, 1989.

[5] K. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. Keromytis, “Detecting Targeted Attacks Using Shadow Honeypots,” in Proceedings of the 14th USENIX Security Symposium, Aug. 2005.

[6] D. Darian Muresan and Thomas W. Parks, “Orthogonal, Exactly Periodic Subspace Decomposition,” IEEE Trans. on Signal Processing, Vol. 51, No. 9, pp. 2270–2279, Sep. 2003.

[7] B. Gandhi, K. Kumar, and R. C. Joshi, “A Novel EPSD Based Approach for Characterization of DDoS Attacks,” International Conference of Next Generation Communications (ICONGENCOM-06), in press.

[8] C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Mosse, “Design and Analysis of a Replicated Elusive Server Scheme for Mitigating Denial of Service Attacks,” Journal of Systems and Software, Vol. 73, pp. 15–29, 2004.

[9] C. Sangpachatanaruk, S. M. Khattab, T. Znati, R. Melhem, and D. Mosse, “Server Roaming for Mitigating Denial of Service Attacks,” in Proceedings of ANSS '03, 2003.

[10] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1321, 1992.

[11] A. C. Snoeren, H. Balakrishnan, and M. F. Kaashoek, “The Migrate Approach to Internet Mobility,” in Proceedings of the Oxygen Student Workshop, July 2001.

[12] F. Sultan, K. Srinivasan, D. Iyer, and L. Iftode, “Migratory TCP: Connection Migration for Service Continuity in the Internet,” in Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS), 2002.

Fig. 9. Behavior of Honeypots under the presence of TCP attacks. Series: 1 Honeypot 4 Servers; 3 Honeypots 2 Servers; 4 Honeypots 1 Server.

Fig. 10. Optimum Migration Interval. y-axis: Number of Clients Done; series include Miv = 2s.

Multi-Scale Modelling of VoIP Traffic

Abstract—The concept of multiplexing voice traffic sent over IP protocol (VoIP) on a common channel for efficient utilisation of the transmission link capacity is a great concern to network engineers. A VoIP gateway allocates a channel capacity that lies between the average and peak rates of traffic intensity and buffers the traffic during periods when demand exceeds channel capacity. In order to evaluate performance of the gateway a traffic model is needed. In this work we propose Markov Modulated Poisson Process (MMPP) for modelling of multiplexed VoIP traffic, generated by a number of independent sources, which flows into a VoIP gateway. We apply this model to analytical analysis of the gateway performance using fluid flow modelling techniques. We give a cumulative distribution function of the number of packets in the gateway buffer and evaluate it against the simulation.

Index Terms—Computer network performance, Integrated voice-data communication, Markov processes, Modelling.

I. INTRODUCTION

The growth of communication based on Voice over IP protocol (VoIP) has been exceptional during recent years and is expected to continue in the future. Consequently, voice packets produced during telephone conversations will have a considerable share of all voice packets sent through computer networks. When a certain number of voice calls is performed simultaneously on a single link, the link needs to be shared between them, and statistical multiplexing of voice packets is necessary. The multiplexing process is usually performed by a voice gateway which resides at the border between the traditional telecommunication network and the computer network transporting VoIP packets, Fig. 1.

Fig. 1 A VoIP gateway (public switched telephone network; digital encoding, packetization; input lines; buffer; output link to the computer/IP network; labels P1, P2, P3 and C)

The gateway performs time division multiplexing, where periodically one user at a time gains control of the full capacity of a link for a short instant of time. A VoIP gateway can be considered a kind of statistical multiplexer, thus it is usually modelled as a queuing system with buffer space, to which variable bitrate (VBR) sources are connected, served by a transmission link of fixed capacity. If the sum of the VBR sources' peak rates $P_i$ is not allowed to exceed the output link rate $C_l$ of a multiplexer, i.e. $\sum_i P_i \le C_l$, then the multiplexer is working under peak rate allocation. The advantages of peak-rate-allocation multiplexing are no packet loss due to buffer overflow at the burst level as well as minimal packet delay. The disadvantage is that bandwidth is wasted when input links are sending at a lower rate than their peak rate. This motivates the argument for statistical multiplexing, where the sum of the connection peak rates is allowed to exceed the link capacity, i.e. $\sum_i P_i > C_l$.

Author note: Arkadiusz Biernacki is with the Institute of Computer Science, Silesian University of Technology, Akademicka 16, 44-100 Gliwice, Poland (e-mail: arkadiusz.biernacki@polsl.pl).

The ratio of the number of VBR sources that can be multiplexed on a fixed capacity link under a specified delay or loss constraint to the number of sources that can be supported on the basis of a peak rate allocation is called the statistical multiplexing gain (SMG). To determine and maximise the SMG, admission control rules are formulated that relate the characteristics of the traffic flowing into the buffer of a VoIP gateway to the gateway performance constraints and parameters. In order to formulate these rules, a multiplexed traffic model as well as a performance analysis of the VoIP gateway are needed.

In this work we created an MMPP model of multiplexed VoIP traffic, and using this model we computed the cumulative distribution of the number of packets in the VoIP gateway.

We based our model on Markov processes, because they provide flexible and efficient means for the description and analysis of computer system properties. Performance and dependability measures can be easily derived.

VoIP traffic exhibits properties of self-similarity and long-range dependence (LRD) [1, 2]. These characteristics have a significant impact on network performance. However, as pointed out in [3], matching the LRD is only required within the finite time-scales of interest to the system under study. One of the consequences of this result is that more traditional traffic models such as the Markov Modulated Poisson Process (MMPP) can still be used to model traffic exhibiting long-range dependence.

The rest of this paper is organised as follows: in section II
