Spread Of Distributed Denial Of Service Attack Computer Science

Essay added: 12-01-2017, 10:49

Due to the explosion of botnets, Distributed Denial-of-Service (DDoS) attacks have become more frequent and more dangerous. Researchers are trying to resolve several DDoS technical issues, all of which focus on detection and prevention of DDoS. The problem addressed in this paper is how to simulate the spread of a particular DDoS attack. An application based on the Random Walk and Cellular Automaton simulation techniques is also presented. The experimental results show that this simulation application can generate a high-speed DDoS-like attack with controllable input parameters and can predict the number of zombies that participated in a particular attack.

The fast evolution of the Internet has made it a vulnerable place. Many network-attack techniques were born along with the explosion of botnets, and the Internet itself has become a conductive environment for network attacks that need to gather a huge force. One of the attack techniques recently attracting researchers' attention is Distributed Denial-of-Service. This breed of Denial-of-Service (DoS) attack requires the participation of many compromised hosts across interconnected networks. Much recent research focuses mainly on how to detect and prevent DDoS; some of it covers trace-back algorithms used to find the source of a DDoS attack, and a few hypotheses describing the DDoS process have been proposed. However, the theory of how DDoS spreads seems to have been forgotten; researchers have left this area open. To generate a DDoS attack, attackers need to collect multiple hosts from different sources, which means that simulating DDoS with real network devices is costly: a university network lab would need to be equipped with many hosts, switches and routers costing many thousands of dollars. Moreover, simulating DDoS may be dangerous because of the damage done to the simulation system itself. Even in an ideal environment where DDoS could be simulated perfectly, keeping track of the spread of the attack and analysing the results would still be very difficult. If this simulation application can be implemented successfully, it will help students and researchers who lack access to a real network security lab.

In this paper we build an application that simulates the spread of a DDoS attack based on two simulation techniques, Random Walk and Cellular Automaton simulation. We chose these techniques because, used appropriately, they express the randomness of DDoS thoroughly. The analytical result of this simulation helps us answer two questions: the first concerns the speed at which a DDoS attack spreads, and the second is the prediction of how many zombies participated in a particular DDoS attack. The result is also compared with observations obtained from NS2, a network simulation tool.

The rest of this paper is organized as follows. In section 2, we introduce previous work on DoS and DDoS simulation. Section 3 presents the challenges and the problem statement. Section 4 describes the methods and techniques used in this research. In section 5, we describe DDoS World, a specific application simulating the spread of a DDoS attack. Section 6 gives some results from our experiments, and section 7 concludes.

DDoS is a branch of DoS. They share the same goal: an attempt to make a computer's resources unavailable to its intended users. There are many DoS techniques, classified into a few popular categories. The most common form is ICMP flood, which comes in many instances. The first instance is SYN flood, which exploits a flaw in the 3-way handshake of the TCP/IP protocols. The attacker sends SYN packets continuously in order to keep the receiver busy. The receiver sends back a SYN/ACK packet in the second phase, but the attacker never sends another SYN packet in the third phase, so the 3-way handshake is never finished. Ping flood is the second instance of ICMP flood. It is usually generated from a Unix host rather than a Windows host. The attacker sends ping-request packets continuously to the victim; the only requirement is that the attacker's system has more bandwidth than the victim's. Similar to Ping flood is Ping of Death [1], which is based on sending malformed ping packets to the victim and may lead to a system crash. The second form of DoS is the Teardrop attack [2]. It relies on malformed IP fragments, such as oversized or overlapping payloads. Each network has its own maximum transmission unit (MTU), and a system can crash because of a bug in its TCP/IP fragmentation re-assembly code. Peer-to-peer is a type of DoS attack exploiting the strength of peer-to-peer networks: the attacker instructs many thousands of clients to connect to a victim site, and the site goes down swiftly. Permanent Denial-of-Service (PDoS) [3] focuses mainly on hardware mistakes. The attacker gains remote access to network devices by exploiting their hardware flaws and then replaces the firmware with a modified, corrupted one; this technique is therefore called flashing. Nuke modifies ICMP ping packets and sends them to the victim. The victim is busy with these malformed packets, so the system slows down and then completely stops. The most famous Nuke tool is WinNuke, which sends an out-of-band string to TCP port 139 (NetBIOS) of Windows 95, resulting in the notorious Blue Screen of Death.

DDoS [4] is a special type of DoS that gathers multiple hosts from different sources across networks. The DDoS attacker plays the central role, compromising other hosts in order to serve his attack goals. The compromised hosts are called zombies, because they have no idea what they are doing. Their owners do not know what has happened to their hosts until the grave consequences show. Each zombie is instructed to use a DoS attack technique unconsciously. Because of the participation of multiple hosts, some big DDoS attacks cannot be prevented. On December 8, 2010, finance companies such as Mastercard.com, PayPal and Visa.com were DDoS attacked by a group named Anonymous in support of the whistleblowing site Wikileaks.ch [5]. These websites were brought down for more than 16 hours.

DDoS simulation with real network devices is very costly because of the participation of many hosts, so simulating DDoS attacks in software is essential. There is much research trying to simulate DDoS. NS2 [6] is an open-source discrete-event network simulation tool which can be used to partly simulate DDoS. In [7] the authors proposed a method for simulating DDoS based on a network processor; they implemented a high-performance parallel processing architecture on a single chip for deep packet inspection and traffic management. The authors in [8] developed simulation software called DDoSSim which comprehensively investigates DDoS attack and defense mechanisms. The first phase of simulating the spread of DDoS is how to simulate the DDoS itself, so in the future we can use the studies from [7] and [8] to generate realistic input traffic for the simulation.

The second phase is how to simulate the spread of a DDoS attack. We have found no research on this topic so far. The final goal of this simulation is to answer two questions: how fast the DDoS spreads, and how many zombies participated in the attack. Some research has been carried out to answer the second question. In [9], Gupta, Joshi and Misra proposed a method for predicting the number of zombies in a DDoS attack using a Polynomial Regression Model. They used NS2 as a simulator for launching DDoS attacks with different numbers of zombies, and the results they obtained are promising, with a very low error rate. The same group of authors proposed another approach for predicting the number of zombies: in [10], an Artificial Neural Network (ANN) based scheme is described as the main method for answering the second question. The sample data used in the attack is also generated from NS2.

To guarantee the randomness and integrity of the application, Random Walk and Cellular Automaton simulation are used as the main techniques. These were proposed in [11]. We go into their details in section 4.

3. The Challenges and Problem Statement

In the simulation of DDoS attacks, there is a frequently asked question that gives researchers a headache: how to generate the sample data for the DDoS attack. In a particular DDoS attack, packets are sent from zombies to the victim and vice versa. Do we need to simulate these packets themselves? If so, how can we generate them? If we choose the first solution, we need to make "real", fully formatted packets. For example, in a Ping of Death attack, ICMP request packets must be emulated with all fields and flags: first a normal ICMP request packet is generated and then it is modified into a malformed packet. With this choice, researchers or students working on DDoS simulation can capture these "real" packets in the simulator, analyse them and figure out what happened inside the packets, and hence understand DDoS more thoroughly. The second solution for DDoS sample input data is to use analytical input parameters [12]. With this method, the sample input data is available in the form of input parameters. We select the input parameters, assign them appropriate values, press the "play" button and get the result. It is similar to a black box: the researcher only needs to choose the input data and put it into the black box, without caring about what happens inside. At the end he gets, and is satisfied with, the analytical result; in fact, he does not know what the system did between the inputs and the outputs. The advantage of this solution over the first one is its high performance. The system does not need to generate the sample attack packets, so performance is much higher than with the "real" packet method. A trade-off is made between performance and accuracy.

Identification of the source of a DDoS attack is another challenge. As mentioned, the real attacker of a DDoS attack hides his head behind the zombies. The victim can only see a huge force attempting to attack him, and is puzzled because he does not know who the instigator is. How can we resolve this problem? Imagine that you are in a fierce battle. Enemy soldiers rush forward after the shout of a commander. How can you identify who the commander is? The first solution is to look at the position the shout came from. In most cases, the sound comes from a long distance and you cannot identify what you need among a human tide. The second solution is to defeat the enemy soldiers one by one; at last, the commander appears by himself and you can catch him. The problem is that you should not need to defeat all the enemy soldiers before you get the commander: it costs time and effort, and our troop might win in the end but with severe losses. A solution which does not require defeating everyone needs to be found. In DDoS, an algorithm like the one we have just described is called a trace-back algorithm. The IP trace-back method introduced in [13] is an effective solution for tracking back to the source of an attack. In the simulation of the spread of a DDoS attack, finding the attack source is not very important: the source of the attack should be defined at the very first step of the simulation.

Up to now, DDoS research has focused mainly on how to detect and prevent this kind of DoS attack. The study of the spread of DDoS seems to have fallen into oblivion. For this reason, developing an application which can simulate the spread of DDoS lacks basic theories and standards. The selection of input parameters also causes controversy. The problem is how to ensure the randomness and honesty of the simulation and of its results. Thus research on the spread of DDoS is essential. This paper proposes a way to simulate the spread of a DDoS attack, which we have been developing and call DDoS World.

4. Methodology

4.1. DDoS Simulation Techniques

To guarantee the randomness and honesty of our simulation, the Random Walk and Cellular Automaton simulation techniques are selected. A Cellular Automaton is a type of computer simulation that is a dynamic computational model, discrete in space, state and time [11]. The space is a grid of sites or squares whose states are initialized by given rules. The number of states is finite. The transition rule or update rule is applied when the squares change their state. The rules specify local relationships, indicate how cells are to change state, and regulate the behaviour of the system [11]. In the Random Walk technique, the system makes decisions based on the results of one or more random generators. These results are random, so the walking direction cannot be anticipated. Turtle graphics is used to draw the trace the cursor has just gone over.

4.2. The Turtle Graphics

"Turtle Graphics is a term in computer graphics for a method of programming vector graphics using a relative cursor (the "turtle") upon a Cartesian plane" [12]. In practice, when an attacker generates a DDoS attack, he tries to compromise as many zombies as possible. He can do so by scanning for open ports. When he detects a host with one or more vulnerable ports open, he tries to exploit these ports with different intrusion actions. If he is lucky, he makes this host become a zombie. In our DDoS World, a "turtle" or cursor plays the role of the port scanner. This port scanner tries to scan every square of the grid. Each square symbolizes a location which may or may not be a host. The grid itself is a network domain whose hosts the hacker wants to corrupt and use. When a host is considered a zombie, the port scanner "turtle" marks this place with a black circle and continues looking for other hosts in the same network as the gateway. The "turtle" and grid are depicted in figure 1.

5. The DDoS World

5.1. Introduction to DDoS World

Figure 1: DDoS World Visualization

In our DDoS World, a grid of squares is built as described in section 4. The red, black, brown and green circles symbolize the attacker, zombies, gateways and safe hosts, respectively. The white zone is either a safely detected area or an undetected area. The attacker has a fixed location at the centre of the grid; this position is the only one visible at the very first stage of the simulation. A zombie is defined as a host that opens vulnerable ports and has been compromised. A safe host is defined as a host which does not open any ports or opens only invulnerable ports; the third case of a safe host is a host that opens vulnerable ports but has not been compromised. A gateway is an entry point for accessing a particular network, such as a router or a Layer 3 switch. The attacker needs to compromise the gateway before exploiting the other hosts in the same network. If the attacker cannot pass a gateway, he switches to another gateway and does the same work; later, the attacker can come back and try again to compromise the gateway where he was defeated. Dark addresses are places where no host is available. At the initial stage, the port scanner does not know whether a position is a host or not; the most exact answer comes at the end of the simulation. The white zone without circles or squares is the undetected area, and the white zone with the pink line is the safely detected area. We can never know whether a host is available in this zone or not, even after the simulation has ended. We can make some guesses based on the input parameters and output results, but it is not really needed.

5.2. The Taxonomy of Input and Output Parameters for DDoS World

The simulation topology is generated using the Transit-Stub model of the GT-ITM topology generator [13]. The taxonomy of input and output parameters is taken from [14]. Below is the list of parameters used in DDoS World as AI factors.

The input parameters:

Size of DDoS World: the zone the attacker wants to dominate.

Simulation Time: the program finishes when this amount of time has elapsed.

Number of Vulnerable Hosts: calculated from the Probability of Presence of Vulnerable Hosts.

Number of Gateways (Networks).

Size of each network (S): the program detects the hosts within an (S+1) x (S+1) area with the gateway located at its centre.

Probability of going through a gateway (%): whether a gateway is compromised or not.

Probability of presence of safe hosts (%).

Probability of presence of vulnerable hosts (%).

…

The output parameters:

Number of Zombies after the simulation ended: zombies compromised.

Number of Gateways (Networks) infected: gateways compromised.

Number of times the port scanner switched from one host to another: number of moves the port scanner made inside the grid.

Number of times the port scanner went out of DDoS World: number of moves the port scanner made outside the grid (into the boundary).

…

6. Evaluation

Figure 2 depicts the input and output interface of the DDoS World application. The simulation time is fixed to a particular number of seconds. If the size of DDoS World is small (from 10x10 to 15x15), the number of networks is small (2-3) and the probability of going through a gateway is small (<70%), the initial experimental results show that the simulation finishes before the attacker obtains the number of zombies he desires. In contrast, if the size of DDoS World, the number of networks and the probability of going through a gateway are large enough, the simulation finishes right after the attacker obtains the number of zombies he desires. The more scattered the hosts in a network are, the faster the application finishes, because the chance of catching and compromising a host increases in a bigger network.
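The mechanics of sections 4.1, 5.1 and 5.2 and the behaviour reported in this section, as an added example that is not the paper's own DDoS World code: a Python toy model in which the port-scanner "turtle" random-walks over a size x size grid, a gateway it steps on falls with the given probability, and the (S+1) x (S+1) network of a fallen gateway is swept cellular-automaton style so that every vulnerable host in it becomes a zombie. The parameter names follow section 5.2; the integer cell encoding, the rule that a failed gateway stays standing so it can be retried on a later visit, the sweep rule, the step budget standing in for simulation time, and all default values are assumptions of this example.

```python
"""Toy DDoS World: a random-walk port scanner over a cellular grid.

Added example, not the paper's own DDoS World code. Parameter names follow
section 5.2; the cell encoding, the walk and sweep rules and all default
values are assumptions made for this example.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple

# Cell states. The paper colours attacker/zombie/gateway/safe host
# red/black/brown/green; this integer encoding is an assumption.
DARK, SAFE, VULNERABLE, ZOMBIE, GATEWAY, GATEWAY_OWNED, ATTACKER = range(7)
MOVES = ((1, 0), (-1, 0), (0, 1), (0, -1))  # the four directions the turtle may take


@dataclass
class Params:
    size: int = 15             # DDoS World is size x size squares
    sim_steps: int = 2000      # stands in for "simulation time": one turtle move per step
    gateways: int = 3          # number of gateways (networks)
    network_size: int = 4      # S (even): a network is the (S+1) x (S+1) area around its gateway
    p_gateway: float = 0.6     # probability of going through a gateway
    p_safe: float = 0.3        # probability of presence of safe hosts
    p_vulnerable: float = 0.2  # probability of presence of vulnerable hosts
    target_zombies: int = 20   # the attacker stops once this many zombies are recruited
    seed: int = 7              # fixed seed so a run is reproducible


@dataclass
class Result:                  # the output parameters of section 5.2
    zombies: int               # number of zombies after the simulation ended
    gateways_infected: int     # number of gateways (networks) compromised
    moves_inside: int          # turtle moves that landed inside the grid
    moves_outside: int         # turtle moves that hit the boundary
    reached_target: bool       # True if the zombie target was met before time ran out


def build_world(p: Params, rng: random.Random) -> List[List[int]]:
    """Initial grid state, drawn square by square from the presence probabilities."""
    assert p.p_safe + p.p_vulnerable <= 1.0 and p.gateways < p.size * p.size
    grid = [[DARK] * p.size for _ in range(p.size)]
    for r in range(p.size):
        for c in range(p.size):
            u = rng.random()
            if u < p.p_vulnerable:
                grid[r][c] = VULNERABLE
            elif u < p.p_vulnerable + p.p_safe:
                grid[r][c] = SAFE
    centre = p.size // 2
    grid[centre][centre] = ATTACKER            # attacker sits at the centre (section 5.1)
    free = [(r, c) for r in range(p.size) for c in range(p.size) if (r, c) != (centre, centre)]
    for r, c in rng.sample(free, p.gateways):  # gateways on distinct, non-attacker squares
        grid[r][c] = GATEWAY
    return grid


def sweep_network(grid: List[List[int]], gw: Tuple[int, int], p: Params) -> int:
    """Cellular-automaton style update rule: once a gateway has fallen, every
    vulnerable host in its (S+1) x (S+1) network becomes a zombie. Returns the
    number of new zombies."""
    half = p.network_size // 2
    r0, c0 = gw
    n = len(grid)
    new_zombies = 0
    for r in range(max(0, r0 - half), min(n, r0 + half + 1)):
        for c in range(max(0, c0 - half), min(n, c0 + half + 1)):
            if grid[r][c] == VULNERABLE:
                grid[r][c] = ZOMBIE
                new_zombies += 1
    return new_zombies


def run(p: Params) -> Result:
    """Random-walk the port-scanner turtle until time runs out or the target is met."""
    rng = random.Random(p.seed)
    grid = build_world(p, rng)
    n = p.size
    r = c = n // 2                     # the turtle starts on the attacker's square
    zombies = infected = inside = outside = 0
    for _ in range(p.sim_steps):
        if zombies >= p.target_zombies:
            break
        dr, dc = rng.choice(MOVES)     # Random Walk: the direction cannot be anticipated
        nr, nc = r + dr, c + dc
        if not (0 <= nr < n and 0 <= nc < n):
            outside += 1               # stepped into the boundary; the turtle stays put
            continue
        r, c = nr, nc
        inside += 1
        # A gateway falls with probability p_gateway; a failed attempt leaves it
        # standing so the turtle may come back and retry later (section 5.1).
        if grid[r][c] == GATEWAY and rng.random() < p.p_gateway:
            grid[r][c] = GATEWAY_OWNED
            infected += 1
            zombies += sweep_network(grid, (r, c), p)
    return Result(zombies, infected, inside, outside, zombies >= p.target_zombies)


if __name__ == "__main__":
    small = Params()                                        # small world, 60% gateway pass rate
    large = Params(size=40, gateways=12, p_gateway=0.9, sim_steps=20000)
    for name, params in (("small", small), ("large", large)):
        print(name, run(params))
```

Running the module prints the output parameters for a small and a large world. Varying size, gateways and p_gateway against a fixed sim_steps lets one check the qualitative claim above: with a low gateway pass probability the step budget tends to run out before the zombie target is met (with p_gateway set to 0 no zombie is ever recruited), whereas a large world with a high pass probability ends as soon as the target is reached.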

Figure 2: Input and Output of DDoS World Application

7. Conclusion

In this paper we focused on constructing an application that simulates the spread of a DDoS attack using the Random Walk and Cellular Automaton simulation techniques. DDoS attack simulation traffic is generated from analytical input parameters, and turtle graphics is used to visualize the simulation.

Two main contributions are:

Develop an application simulating the spread of a DDoS attack

Answer the questions:

How many zombies participated in a particular attack?

How fast does a DDoS attack spread?

The accuracy of the simulation is limited by its probabilistic inputs. Using only three probabilistic parameters partly decreases the honesty of the simulation. More AI elements should be put into this model, such as the network topology, the type of DDoS attack and the type of media. The probability of the presence of firewalls, IDSs and antivirus programs should also be taken into account.
