This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This literature review is my brief analysis of Data Communication and Networking, Network Security and Denial of Service attacks, with a complete analysis of DoS attacks on the network layer and an analysis of Distributed Denial of Service attacks on the application layer, for a complete understanding of attacks and their types, and to provide a better solution for the Distributed Denial of Service attack.
Introduction to Data Communications.
Data communications and networking are changing the way we do business and the way we live. Business decisions need to be made ever more quickly, and decision makers require immediate access to accurate information. Business today relies on computer networks and internetworks, according to (A. Forouzan et al., 2007). The development of the personal computer brought tremendous changes in business, education and industry. Technological advances are making it possible for communication links to carry more and faster signals. Networking has resulted in new technologies that are able to exchange data such as text, audio and video between all points of the world. We depend on the internet to access data and to upload and download data quickly, accurately and at any time.
What is a Network?
According to (Schweber, 1974) Page No 361, a communication system which supports many users is called a network. A network is also defined as a transmission medium that is used to carry internet packets through the network. A network is a collection of hardware and software taken together to provide shared data. According to (A. Forouzan et al., 2007) an internetwork is defined as a network of networks. A network is a set of devices, referred to as nodes, connected by communication links. A node can be a computer, printer or any device which is capable of sending or receiving data generated by other nodes in the network. According to (Naugle et al., 1999) a network is a transmission medium that is configured to carry internet packets. A transmission medium is any set of communications equipment that is configured to carry data. This includes the cable, the network interface card, and the software to send and receive packets of data. The combination of network hardware and software used to send data from one location to another is called a network. The hardware consists of the physical equipment that carries signals from one point of the network to another. The software consists of sets of instructions that make possible the services we expect from a network. Data sent from one point to another in the world is broken into several packets. The network layer is responsible for delivering the individual packets from the source host to the destination host. The network layer makes sure that each packet reaches its destination from its origin. If a packet crosses a network boundary, it needs another addressing system to help distinguish the source and destination systems. When independent networks or links are connected to create internetworks or large networks, the connecting devices, called routers, route the packets to their final destination.
According to (S. Tanenbaum, 2003) computer networks are divided into local area networks, wide area networks and metropolitan area networks. LANs are designed to allow resources to be shared between personal computers or workstations. A wide area network provides long-distance transmission of data, image, audio and video information over the whole world. A WAN can be as complex as the backbones that connect the internet. When two or more networks are connected they become an internetwork, or internet. Many phases of our daily life have changed drastically because of the internet. The internet has come a long way because it is continuously changing. Most users use the service of Internet Service Providers (ISPs). There are international, national, regional and local service providers. Communication takes place between different systems in a computer network. An entity is anything capable of sending or receiving information; for communication to occur, the entities must agree on a protocol.
Fig 1: Source to destination delivery (A. Forouzan et al., 2007) Page No: 35
The figure shows source-to-destination delivery. In this figure data packets are transferred between Layer A and Layer B: Layer A sends the data packets to Layer B. When the packets arrive at router B, the router makes a decision based on the final destination (F) of the packet.
A protocol is software that resides in computer memory or in the memory of a transmission device. A protocol is a set of rules that govern data communications. Protocols define what data is communicated, when it is communicated and how it is communicated. According to (Steinke, 2003) a network protocol is a set of rules for communicating between computers. Timing, sequencing and error control are governed by protocols. Without these rules the computer cannot make sense of the stream of incoming bits.
For two entities to communicate successfully they must speak the same language: what is communicated and when it is communicated must conform to some mutually acceptable set of conventions between the entities involved. The set of conventions is referred to as a protocol, which can be defined as a set of rules governing the exchange of data between two entities (Stallings, 1997). The key elements of a protocol are syntax, semantics and timing. Syntax includes such things as data format, coding and signal levels. Semantics include control information and error handling. The data to be exchanged must be sent in frames of a specific syntax format. Important characteristics of protocols are direct/indirect, monolithic/structured, symmetric/asymmetric, and standard/nonstandard.
Communications involve three agents: applications, computers and networks. Communication between two entities may be direct or indirect. An example application is a file transfer operation, according to (Stallings, 1997). Computers are connected to networks, and the data to be exchanged are transferred by the network from one computer to another; the transfer of data from one application to another involves first getting the data to the computer in which the application resides and then getting it to the intended application within that computer. The communication task is divided into three independent layers: the network access layer, the transport layer and the application layer.
The network layer is concerned with getting packets from the source all the way to the destination. Getting packets to the destination may require many hops at intermediate routers along the way. This clearly contrasts with the data link layer, which has the more modest goal of moving frames from one end of a wire to the other. The network layer is the lowest layer that deals with end-to-end transmission, according to (5., 2003).
The transport layer ensures that data is successfully sent and received between two nodes; when data is sent incorrectly, this layer has the responsibility to ask for retransmission of the data (Steinke, 2003). It provides a reliable, network-independent message-interchange service to the top three application-oriented layers. This layer acts as an interface between the layers.
The application layer provides the interface between the software running in a computer and the network. It provides functions to the user's software, including file transfer, access and management, and electronic mail service.
Fig 2: Network Layers (4)
Fig 2 shows the relationship between the network layers, from the application layer to the user.
There are several applications in the application layer that follow the client-server paradigm. Client-server programs are divided into two categories; some can be used directly by the user, such as e-mail.
What is the Internet?
According to (Stallings, 2003) the Internet is a large collection of interconnected networks, all of which use the TCP/IP protocol suite. The main task of the internet is to provide services for users. Among the most popular applications are remote logging, electronic mail and file transfer. The architecture of e-mail is explained as follows. In the first scenario the sender and receiver of the e-mail are users on the same system; they are directly connected to a shared system. In the second scenario the sender and receiver of the e-mail are users on different systems, and the message needs to be sent over the internet. When the sender and receiver of an e-mail are on different systems we need a client and a server. Transferring files from one computer to another is one of the most common tasks expected from a networking or internetworking environment. The greatest volume of data exchange on the internet today is done by file transfer.
World Wide Web
The World Wide Web is a repository of information linked together from points all over the world. The World Wide Web has a combination of flexibility, portability and user-friendly features that distinguish it from other services provided by the internet. Worldwide information is shared through the medium of the internet. The internet is a global system connected through computer networks. It is a network of networks that consists of millions of private and public networks. Through internet protocols data is transferred from one computer to another. When data is sent or received, the message is divided into packets which travel to the destination. There are several kinds of internet attack, such as social engineering, data-driven attacks, infrastructure attacks and denial of service attacks.
Network Attacks (NWIDS)
Network attacks are defined as a set of malicious activities to disturb, deny, degrade or destroy information and services resident in computer networks. A network attack is executed through the data stream on networks and aims to compromise integrity. Network attacks can vary from annoying e-mail directed at an individual to intrusion attacks on sensitive data. Attacks have been classified into ten categories: virus, worm, Trojan, buffer overflow, denial of service, network attack, physical attack, password attack and information gathering attack.
According to Merriam-Webster's online dictionary (www.m-w.com), information is defined as knowledge obtained from investigation, study, or instruction; intelligence, news, facts, data; a signal or character (as in a communication system or computer) representing data (as a message, experimental data, or a picture) which justifies change in a construct (as a plan or theory) that represents physical or mental experience or another construct; and security is defined as freedom from danger, safety, freedom from fear or anxiety. According to (Maiwald, 2001) information security consists of measures adopted to prevent the unauthorized use, misuse, modification, or denial of use of knowledge, facts, data, or capabilities. Information security is the name given to the preventative steps we take to guard our information and our capabilities. We guard these things against threats, and we guard them from the exploitation of vulnerabilities. Information security within an organization has undergone changes in the last two decades. The generic name for the collection of tools designed to protect data and to thwart hackers is computer security. The major change that affected security came with the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer. Network security measures are needed to protect data during transmission and to guarantee that transmissions are authentic.
Types of Attacks
In order to understand the types of attacks that exist against security we need to have complete information on security requirements. Computer and network security address three requirements.
Secrecy: Requires that the information in a computer system be accessible for reading only by authorized parties. This type of access includes printing, displaying and any other form of disclosure.
Integrity: Requires that computer system assets can be modified only by authorized parties. Modification includes writing, changing, changing status, deleting and creating.
Availability: Requires that computer system assets are available to authorized parties.
The types of attacks on the security of a computer system or network are best characterized by viewing the function of the computer system as providing information. There is a flow of information from a source, such as a file or a region of main memory, to a destination, such as another file or a user. The four general categories of attacks are Interruption, Interception, Modification, and Fabrication.
These attacks are categorized in terms of active attacks and passive attacks.
Passive attacks: Passive attacks mean eavesdropping on, or monitoring of, transmissions.
Active attacks: The second major type of attack is the active attack. These attacks involve some modification of the data stream or the creation of a false stream and are subdivided into four categories: masquerade, replay, modification of messages and denial of service.
A masquerade attack usually includes one of the other forms of active attack. Authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
Denial of service attacks prevent users from establishing communication. An entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. It is quite difficult to prevent active attacks absolutely; to do so would require physical protection of all communications facilities and paths at all times.
Network Security Attacks/Internet Threats
According to (Andrew G. Mason CCIE, 2001) the internet is a collection of privately and publicly owned hosts. Anyone owning a computer is able to get onto the Internet. There are hundreds of thousands of individuals on the internet. Most of these individuals have no ill intentions, but there are a number who, for one reason or another, choose to try to penetrate or disrupt services on corporate networks. Sometimes networks are attacked by a technique where an innocent third party is used to launch the attack: an individual whose system has been infected by a worm inadvertently passes the worm along to all known e-mail contacts. There are a number of ways in which the data on a corporate network can be attacked. Among the familiar ones are packet sniffing, IP address spoofing, port scans, DoS attacks and application layer attacks.
Packet sniffing: The attacker uses a packet sniffer to analyze the data travelling between two sites for sensitive information, for example to discover username and password combinations.
Port scans: This method determines the ports on a network device on which a firewall listens. After the attacker discovers the weaknesses, attacks are concentrated on applications that use those ports. Port scans can be launched against firewalls, routers or individual computers.
Application layer attacks: These attacks are concerned with the exploitation of weaknesses in the application layer and really focus on intrusion. In most cases application layer attacks take advantage of a security weakness in the web server, in the specific technology used in the website, or in faulty controls in the filtering of output on the server side. These attacks include malicious software attacks, web server attacks, remote command execution and cross-site scripting.
Eavesdropping attacks: These attacks consist of the unauthorized interception of network communications and the disclosure of the exchanged information. This can be performed at several different layers: the attack targets the network layer by sniffing the exchanged packets, or the physical layer by physically wiretapping the access medium.
Logon abuse attacks: A successful logon abuse attack bypasses the authentication and access control mechanisms and allows a user to obtain access with more privileges than authorized.
IP spoofing attacks: The intruder changes the source IP address of packets to pretend to be a trusted user. The attacker sends a packet with the IP source address of a known trusted host by altering the packet at the transport layer. The target host is deceived and accepts the modified packet as valid.
Intrusion attacks: These types of attack focus on unauthorized users gaining access to a system through the network. Such an attack would target specific vulnerabilities in assets. A typical web server intrusion attack is a buffer overflow attack, which occurs when a web service receives more data than it has been programmed to handle and thus reacts in unexpected and unpredictable ways.
Hijacking attacks: These attacks are essentially attempts to gain unauthorized access to a system by using a legitimate entity's existing connection. At the session layer, if a user leaves a session open, it can be subject to session hijacking by an attacker. An example of session hijacking is the TCP sequence number attack. This attack exploits the communication session which has been established between the target host and a legitimate host that initiated the session. The attacker hijacks the session of the legitimate host by predicting the sequence number selected by the target host, which is used by TCP.
DoS attacks: The attacker attempts to block valid users from accessing a resource or gateway. This blockage is achieved by sending traffic that causes an exhaustion of resources. A more advanced type is the distributed denial of service (DDoS) attack, where the attacker uses resources from a distributed environment against a target host. Well known DoS attacks include the following:
SYN attack: In a SYN attack, the attacker exploits the inability of a server process to handle unfinished connection requests. The attacker floods a server process with connection requests but does not respond when the server answers those requests. This causes the attacked system to crash while waiting for the proper acknowledgements of the initial requests.
Ping of death: This is an early DoS attack in which an attacker sends a ping request that is larger than 65,536 bytes, which is the maximum size allowed for IP, causing the system to crash or restart. These types of attacks are now prevented completely, as measures have been taken by operating systems.
Several security mechanisms and controls have been developed to provide security services at various network layers, for both wired and wireless networks and for various network protocols. At the core of network security is the protection of message routing and relaying. Firewalls are the basic mechanism for access control at the network layer. Since the prevention of network attacks is not always successful, several tools have been developed in order to detect possible intrusion attacks. One of the most important categories of attacks against network availability, which cannot always be dealt with, is DoS attacks.
Introduction to DoS and DDoS Attacks:
"DoS attacks constitute one of the major threats and one of the hardest security problems in today's Internet. The main aim of DoS is disruption of service by attempting to limit access to a machine or service. Depending on the attacker's strategy the target can be file system space, process space, network bandwidth or network connections. These attacks achieve their goal by sending a stream of packets at a victim in order to exhaust the bandwidth of its network or its processing capacity."
Distributed denial of service (DDoS) adds the many-to-one dimension to the DoS problem, making prevention and mitigation more difficult. These attacks use many internet hosts in order to exhaust the resources of the target and cause DoS to legitimate clients. The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets. The attack volume will be larger than the system can handle. The attacks achieve their desired effects by sending large amounts of network traffic and by varying packet fields in order to avoid characterization and tracing. Extremely sophisticated, "user-friendly" and powerful DDoS toolkits are available to potential attackers, increasing the danger of becoming the victim of a DoS or DDoS attack.
Basic characteristics of DoS attacks: A DoS attack can be described as an attack designed to render a computer or network incapable of providing normal services. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action by another user. These attacks do not damage data directly or permanently, but they intentionally compromise the availability of resources. The most common DoS attacks target the computer's bandwidth or connectivity.
The factors of motivation to launch DoS attacks
No one can clearly describe the motivating factors behind launching attacks and destroying the network security of a system. A few reasons have been identified as motivations behind launching DoS attacks: "Retribution, hostility or frustration, need to gain recognition or regain lost status, political activism, gaining control over computing resources, avoiding detection, extortion".
Types of DoS Attacks
Hardware and software sabotage, shutdown attacks, flooding attacks, system resource starvation attacks, buffer overflow attacks, packet fragmentation attacks, malformed packet attacks, "boomerang attacks", and premature session termination.
Prevention of DoS Attacks
According to (Bidgoli) this section addresses the topic by considering a number of alternatives: "Risk management considerations, policy considerations, business continuity measures, hot sites, warm sites, cold sites, uninterruptible power supplies, failover systems and devices, firewalls, routers, host-based measures, packet filters and personal firewalls."
Distributed Denial of Service Attacks
DDoS attacks are carried out by "zombies" that release malformed, fragmented packets in huge volume after receiving a specialized signal from a handler machine. For a victim network there are multiple handlers; after receiving a signal from a handler, the zombies start the DDoS attack. Well in advance of the intended date on which the DDoS will occur, the zombies and handlers are installed on compromised systems. From my research I came to know that "In 2001 CERT/CC was the victim of a DDoS attack in which a vast number of large fragmented UDP packets were sent to its web port from numerous zombies".
According to (Bidgoli), because of the massive outages they can potentially cause, DDoS attacks pose a high level of threat. To hide the presence of zombies and handlers, DDoS programs use secrecy techniques. Through encryption, DDoS programs keep their communication in the network unreadable. To make detection of zombies more difficult, recent types of DDoS attack create a compromised process on each system.
According to the analysis of (Jia, 2005), DDoS attacks have become more sophisticated and more difficult to defeat. In most current systems, defensive action is taken only after the DDoS attack is launched; in this way the target system or network is harmed before the attack sources can be found or traced. According to (C. P. Pfleeger and S. L. Pfleeger, 2000), "the DDoS attacks are network flooding attacks from multiple machines"; according to this analysis, in order to launch a DDoS attack the attacker first scans millions of machines for vulnerable services and other weaknesses. When the assault starts, the real attacker hides his identity and sends orders to the zombies to perform the attacks (D. Xuan, 2001).
Fig 3: Hierarchical Model of DDoS attack Page No: 295 (Jia, 2005)
Classification of DDoS Attacks
According to (B) the model of attacks includes consumption of computational resources, destruction or alteration of configuration, and physical destruction or alteration of network components. In (Mehra, September 1997) the attacks are classified by degree of automation, exploited vulnerability, attack rate dynamics and impact. From a technical point of view, attacks are classified by attacking method. The resources consumed by attacks include network bandwidth, disk space, CPU time, data structures, printers, tape devices, network connections etc.
Any system providing TCP-based network services is potentially subject to a SYN flooding attack. The attacker uses half-open connections to cause the server to exhaust the resources it uses to keep the information describing all pending connections. The result is a system crash or an inoperative system (CERT, 1996b).
TCP reset attacks also exploit characteristics of the TCP protocol. By listening in on the TCP connections to the victim (Advisory, 1998), the attacker sends a fake TCP RESET packet to the victim, causing the victim to inadvertently terminate its TCP connection (S. Mohiuddin, 2002).
Smurf attacks send forged ICMP echo request packets to IP broadcast addresses. These attacks lead to large amounts of ICMP echo reply packets being sent from an intermediary site to the victim, causing network congestion or outages (1997).
This kind of attack can not only impair the host's services but also congest or slow down the intervening network. When a connection is established between two UDP services, each of which produces a very high number of packets, the result is an attack.
In this attack the attacker sends a large number of UDP-based DNS requests to a name server using a spoofed source IP address. The name server, acting as an intermediate party in the attack, responds by sending replies back to the spoofed IP address, which is the victim. Because of the amplification effect of DNS responses, it can cause a serious bandwidth attack [CERT 2000e].
By simply sending multiple CGI requests to the target server, the attacker consumes the CPU resources of the victim. The server is forced to terminate its services because of this.
A mail bomb is the sending of a massive amount of e-mail to a specific person or system. A huge amount of mail may simply fill up the recipient's disk space on the server or, in some cases, may be too much for the server to handle and may cause it to stop functioning. This attack is also a kind of flood attack (2003).
During a DDoS attack, the ARP request volume can become very large, and the victim system can be negatively affected.
Algorithmic Complexity Attacks
This is a class of low-bandwidth DoS attacks that exploit algorithmic deficiencies in the worst-case performance of algorithms used in many mainstream applications [Crosby and Wallach 2003].
DDoS attacks mainly target three layers of TCP/IP: the application layer, the IP layer and the TCP layer. According to (Proactive Detection of Distributed Denial of Service Attacks Using MIB Traffic Variables: a Feasibility Study, May 2001), the author used management information base (MIB) data, which includes parameters indicating different packet and routing statistics from routers, to achieve early detection; at the same time (Monitoring the Macroscopic Effect of DDoS Flooding Attacks, Oct-Dec 2005) used cross-correlation analysis to capture traffic patterns and to decide when and where a possible DDoS attack arises. Meanwhile, to identify attacks at edge routers, the asymmetry between the two directions of packet flow is monitored by (Attacking DDoS at the Source, 2002). Further analysis and research on DDoS attack detection was done on Time To Live values and IP addresses by ("An active detecting method against SYN flooding attack", Jul. 20-22, 2005). All these attempts focus on the IP layer of TCP/IP to find the attacking mechanics of DDoS ("Protection from distributed denial of service attacks using history-based IP filtering", May 2003).
The second target of DDoS attacks is the TCP layer. These attacks were mapped, based on MIB data on UDP, TCP and ICMP packet statistics and abnormalities, by the authors of (Proactive Detection of Distributed Denial of Service Attacks Using MIB Traffic Variables: a Feasibility Study, May 2001); at the same time research was done in ("Detecting SYN flooding attacks", 2002), which used TCP SYN/FIN packets to detect SYN flooding attacks. Subsequently DDoS attacks were discovered by analyzing the TCP packet header against well-defined rules and distinguishing normal from abnormal traffic, as explained in ("Distributed denial of service detection using TCP/IP header and traffic measurement analysis", Oct. 26-29, 2004).
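The SYN/FIN-pair idea behind "Detecting SYN flooding attacks" can be shown on packet summaries. The detector below is an added example written for this review, not code from that paper; it assumes the only input is a list of (timestamp, source IP, destination port, TCP flags) records, and the sample traffic is constructed.

```python
"""SYN/FIN-pair flood detector in the spirit of the SYN-flooding detection work
cited above. Added example; not code from that paper. Assumption: the input is
a list of per-packet summaries (timestamp, source IP, destination port, TCP
flags) such as an edge router or flow exporter could produce."""
from collections import defaultdict

# Constructed sample. Normal traffic first: five clients open and close a
# connection within the first 10 s, so SYN and FIN counts balance.
NORMAL = []
for i in range(5):
    NORMAL.append((0.5 + i, f"192.0.2.{10 + i}", 80, "S"))   # client SYN
    NORMAL.append((2.5 + i, f"192.0.2.{10 + i}", 80, "FA"))  # client FIN/ACK

# Then a burst between t=12 s and t=16 s: forty SYNs from forty different
# (constructed) sources, none of which ever closes a connection, mixed with
# three legitimate connections that do close normally.
FLOOD = [(12.0 + 0.1 * i, f"198.51.100.{i + 1}", 80, "S") for i in range(40)]
LEGIT_DURING_FLOOD = [
    (11.0, "192.0.2.20", 80, "S"), (13.0, "192.0.2.20", 80, "FA"),
    (11.5, "192.0.2.21", 80, "S"), (14.0, "192.0.2.21", 80, "FA"),
    (12.5, "192.0.2.22", 80, "S"), (15.0, "192.0.2.22", 80, "FA"),
]
SAMPLE_PACKETS = sorted(NORMAL + FLOOD + LEGIT_DURING_FLOOD)


def detect_syn_flood(packets, window=10.0, min_excess=20, ratio=3.0):
    """Bucket packets into fixed windows and compare new-connection SYNs with
    connection-ending FIN/RST segments. A window is flagged when SYNs exceed
    FINs by at least `min_excess` AND by a factor of at least `ratio`; the two
    conditions together keep a quiet link with a handful of abandoned
    connections from being reported. Returns [(window_start, syn, fin, flagged)]."""
    counts = defaultdict(lambda: [0, 0])
    for ts, _src, _port, flags in packets:
        bucket = int(ts // window) * window
        if "S" in flags and "A" not in flags:   # pure SYN: a new connection attempt
            counts[bucket][0] += 1
        elif "F" in flags or "R" in flags:     # FIN or RST: a connection ending
            counts[bucket][1] += 1
    report = []
    for start in sorted(counts):
        syn, fin = counts[start]
        flagged = (syn - fin) >= min_excess and syn >= ratio * max(fin, 1)
        report.append((start, syn, fin, flagged))
    return report


def flagged_windows(packets, **kw):
    """Convenience wrapper: just the start times of the windows that were flagged."""
    return [start for start, _s, _f, flagged in detect_syn_flood(packets, **kw) if flagged]


if __name__ == "__main__":
    for start, syn, fin, flagged in detect_syn_flood(SAMPLE_PACKETS):
        print(f"window {start:5.1f}s  SYN={syn:3d}  FIN/RST={fin:3d}  {'ALERT' if flagged else 'ok'}")
```

The thresholds are illustrative; on a real link they would be tuned to the normal SYN/FIN balance observed over time.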
Our work on detecting DDoS attacks on popular websites is done on HTTP. HTTP is a thin layer which is used to transfer data from source to destination with the help of the application layer of TCP/IP. In earlier days intruders concentrated less on this type of attack. The intruder's target is the HTTP session, and defense mechanisms were proposed by many researchers; initially ("Defending application DDoS with constraint random request attacks", Oct. 3-5, 2005) proposed one definition, with the help of statistical methods, of application DDoS attacks. At the same time, researchers argued against the statistical rule proposed earlier, and this is most important for our analysis. (Jung et al., 5) described a normal flash crowd and a DoS event by two properties in their paper:
(1) "A DoS event is due to an increase in the request rate for a small group of clients", whereas "flash crowds are due to an increase in the number of clients".
(2) "DoS clients originate from new client clusters", whereas "flash crowd clients originate from clusters that had been seen before the flash event".
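The two properties above can be turned into a simple classifier over request logs. This is an added example written for this review, not code from Jung et al.; it approximates a "client cluster" by the client's /24 prefix (the paper uses network-aware clusters derived from routing prefixes) and uses constructed baseline, flash-crowd and DoS request lists.

```python
"""Flash crowd vs. DoS classifier built on the two properties from Jung et al.
quoted above. Added example for this review, not code from that paper.
Assumptions: a 'client cluster' is approximated by the /24 prefix of the client
address, and the inputs are plain lists of client IPs, one entry per request,
for a baseline period and for the burst being examined."""
from collections import Counter
import ipaddress


def cluster_of(ip):
    """Constructed stand-in for a network-aware cluster: the client's /24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def classify_burst(baseline_ips, burst_ips, rate_factor=3.0, known_fraction=0.5):
    """Apply the two properties:
    (1) DoS: the per-client request rate jumps (a small group sends far more);
        flash crowd: the number of clients grows, per-client rate stays similar.
    (2) DoS: clients come from clusters never seen in the baseline;
        flash crowd: most clients come from clusters seen before.
    Returns a dict with the measurements and a verdict."""
    base_clients, burst_clients = Counter(baseline_ips), Counter(burst_ips)
    base_rate = len(baseline_ips) / len(base_clients)      # requests per client
    burst_rate = len(burst_ips) / len(burst_clients)
    per_client_jump = burst_rate / base_rate
    client_growth = len(burst_clients) / len(base_clients)

    known_clusters = {cluster_of(ip) for ip in base_clients}
    from_known = sum(1 for ip in burst_clients if cluster_of(ip) in known_clusters)
    fraction_known = from_known / len(burst_clients)

    dos_signals = int(per_client_jump >= rate_factor) + int(fraction_known < known_fraction)
    verdict = {0: "flash_crowd", 1: "inconclusive", 2: "dos"}[dos_signals]
    return {
        "per_client_jump": round(per_client_jump, 2),
        "client_growth": round(client_growth, 2),
        "fraction_known_clusters": round(fraction_known, 2),
        "verdict": verdict,
    }


# Constructed sample traffic (documentation and private ranges only).
KNOWN_PREFIXES = ["192.0.2", "198.51.100", "203.0.113", "10.0.0"]
# Baseline: 5 hosts in each of 4 clusters, 3 requests each (20 clients, 60 requests).
BASELINE = [f"{p}.{h}" for p in KNOWN_PREFIXES for h in range(1, 6) for _ in range(3)]
# Flash crowd: many new hosts, mostly inside clusters seen before, 4 requests each.
FLASH_CROWD = [f"{p}.{h}" for p in KNOWN_PREFIXES for h in range(10, 25) for _ in range(4)]
FLASH_CROWD += [f"10.{n}.0.{h}" for n in (1, 2) for h in range(1, 11) for _ in range(4)]
# DoS: eight hosts from eight never-seen clusters, 50 requests each.
DOS_BURST = [f"10.9.{n}.1" for n in range(1, 9) for _ in range(50)]

if __name__ == "__main__":
    print("flash crowd:", classify_burst(BASELINE, FLASH_CROWD))
    print("dos burst:  ", classify_burst(BASELINE, DOS_BURST))
```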
At the time I noticed App-DDoS attack have different approach to stop the legitimate user access on different websites and App-DDoS attacks will be generated at compromised routers or host by request of authorized users through http protocol. Previously I realised this http is used TCP/IP Application layer to transfer data from source to destination. The working principle of all website is, when service request from user to website that will transfer to HTTP and consume TCP port 80 (it is a common port for all websites). At the same time intruder also used same port 80 to target websites. In this scenario the attack is not stopped by firewalls (firewall is software which stop malicious web request on firewall installed system).at the same time HTTPS tunnel also affected by this threats .in this scenario intruders encapsulates malicious packet with tunnel of the HTTPS. Having analyses on DDoS attacks scenario I now realise these attacks are not detected by existing methods because this types of attacks are deals with different types of layers of protocol and this attack is encapsulate malicious packets authenticated user packets. Additionally I have learned that all attacks are impersonating normal user's access behavior to escape from existing detection technique. Subsequently popular websites are affected from intruders regular request, it occupies network bandwidth that decrease throughput of the network.
Request bursts of this kind against a popular web site were seen during the 1998 World Cup events.
[Figure 1: Continuous web requests and their effect on the web site. Fig. 1 depicts the web access behaviour on the site on the final day of the 1998 soccer World Cup.]
According to (Stochastic models for generating synthetic HTTP source traffic, 2004), Fig. 2 shows the bursty web-request traffic of the World Cup 1998 site.
[Figure 2: arrival request number over time.]
For me the significant lesson from all the issues discussed above is that current detection mechanisms are ineffective against these attacks, because they all depend on the characteristics of the network traffic and on the popularity of the web site.
Existing mechanisms against DDoS attacks: Many researchers, methods and systems have emerged to fight DDoS attacks, with many outcomes and results. I am going to share a few earlier approaches to defending against DDoS attacks.
"A Novel approach to detecting DDoS attacks at an early stage": according to Bin Xiao, any anti-DoS solution should give fair treatment to legitimate traffic while dropping attack traffic. The paper proposes a simple but effective filtering mechanism running at the source end, and demonstrates that the system performs well during spoofed attacks, irrespective of when the attack traffic starts. The system thwarts a class of attacks that employ unused addresses and establish many connections to a destination with the objective of degrading service to valid requests. The success of the system relies on statistics collected by the edge router; the evaluation considers a single source network with very few parameters.
"ITS: A DDoS Mitigating Architecture": a DDoS mitigation architecture that protects legitimate traffic from the large volume of malicious packets during a DDoS bandwidth attack. The system keeps a legitimacy list and gives higher priority to packets whose connection is on the list. The list is kept up to date by retaining only the entries that have completed the TCP three-way handshake, which defeats IP spoofing. Each entry contains the IP addresses of an active TCP connection together with a packet path signature, and a packet obtains high priority if its path signature strongly correlates with the path signature stored in the legitimacy list. The authors show that the scheme is efficient when deployed incrementally, using priority queueing at perimeter routers: an autonomous system benefits immediately from deploying it even if other ASes do not.
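To make the legitimacy-list idea concrete, the following block is an added example of my own, not the ITS authors' code. A perimeter filter watches the three-way handshake; only a (source, destination) pair that completes it is entered in the list, together with the path signature observed at that moment. A path signature is modelled here as the tuple of router identifiers a packet traversed (an assumption standing in for a real packet-marking scheme), and "correlation" is the fraction of hop positions on which two signatures agree. Packets, addresses and router names are constructed.

```python
# Added example (not from the ITS paper or the original report): legitimacy list
# built from completed TCP handshakes, path-signature correlation, priority queueing.
# A packet is a dict: {"src", "dst", "kind" (SYN/SYN-ACK/ACK/DATA), "path" (tuple)}.


class LegitimacyFilter:
    def __init__(self, min_correlation=0.8):
        self.min_correlation = min_correlation
        self.pending = {}  # (client, server) -> handshake stage seen so far
        self.legit = {}    # (client, server) -> path signature recorded at completion

    @staticmethod
    def correlation(sig_a, sig_b):
        """Fraction of hop positions on which two path signatures agree (0..1)."""
        if not sig_a or not sig_b:
            return 0.0
        matches = sum(1 for a, b in zip(sig_a, sig_b) if a == b)
        return matches / max(len(sig_a), len(sig_b))

    def observe(self, pkt):
        """Track handshake state for pkt and return its priority: 'high' or 'low'."""
        key = (pkt["src"], pkt["dst"])
        reverse = (pkt["dst"], pkt["src"])
        if pkt["kind"] == "SYN":
            self.pending[key] = "SYN"
        elif pkt["kind"] == "SYN-ACK" and self.pending.get(reverse) == "SYN":
            self.pending[reverse] = "SYN-ACK"          # server answered the client
        elif pkt["kind"] == "ACK" and self.pending.get(key) == "SYN-ACK":
            self.pending.pop(key)
            self.legit[key] = pkt["path"]               # handshake done: list it
        stored = self.legit.get(key)
        if stored is not None and self.correlation(stored, pkt["path"]) >= self.min_correlation:
            return "high"
        return "low"


def schedule(filter_, packets):
    """Priority queueing at the perimeter: serve high-priority packets first."""
    high, low = [], []
    for pkt in packets:
        (high if filter_.observe(pkt) == "high" else low).append(pkt)
    return high + low


if __name__ == "__main__":
    client, server, path = "198.51.100.7", "192.0.2.10", ("r1", "r2", "r3")
    traffic = [  # constructed: a real session, a spoofed SYN, and a spoofed DATA packet
        {"src": client, "dst": server, "kind": "SYN", "path": path},
        {"src": server, "dst": client, "kind": "SYN-ACK", "path": ("r3", "r2", "r1")},
        {"src": client, "dst": server, "kind": "ACK", "path": path},
        {"src": "203.0.113.9", "dst": server, "kind": "SYN", "path": ("r7", "r2", "r3")},
        {"src": client, "dst": server, "kind": "DATA", "path": ("r9", "r8", "r3")},
        {"src": client, "dst": server, "kind": "DATA", "path": path},
    ]
    for pkt in schedule(LegitimacyFilter(), traffic):
        print(pkt["src"], pkt["kind"], pkt["path"])
```

The last DATA packet is served first because its pair is listed and its signature matches; the packet that spoofs the listed client from a different location shares only one hop with the stored signature and falls into the low-priority queue, as does the SYN from an address that never completed a handshake. Low-priority packets are still forwarded when capacity allows, which is what protects the scheme from dropping legitimate new connections outright.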
"Detecting DDoS based on Multi-feature fusion": detection of DDoS attacks is currently a hot topic in both industry and academia. The authors present an IP Flow Interaction algorithm (IFI) that fuses multiple features of normal flows and DDoS attack flows. The detection scheme, DADF, employs an adaptive parameter estimation algorithm and detects DDoS attacks by associating the states of the IFI time series with an alert evaluation mechanism. Analysis and experimental results show that IFI can be used to identify DDoS attack flows, and that DADF detects DDoS attacks quickly, with a higher detection rate and a lower false alarm rate, under a relatively large normal background flow.
"DDoS attack detection method based on linear prediction model": the IP Flow Feature Value (FFV) algorithm is proposed, based on the essential features of DDoS attacks: abrupt traffic changes, flow asymmetry, distributed source IP addresses and concentrated target IP addresses. Using linear prediction, a simple and efficient ARMA prediction model (DDAP) is designed, and an alert evaluation mechanism is developed to reduce the false positives caused by prediction error and flow noise. The experimental results demonstrate that DDAP is an efficient DDoS attack detection scheme with higher accuracy and a lower false alarm rate.
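The two flow-based schemes above (the IFI time series with an alert evaluation step, and the FFV feature with a linear prediction model) share one pipeline: compress each time window of flow records into a scalar, predict the next value from the recent past, and alert only when the prediction error is large for several windows in a row. The block below is an added example of my own, not the code of either paper: its feature is a simplified product of the four traits named above (volume, asymmetry, source dispersion, destination concentration), the predictor is a least-squares AR(1) model with intercept rather than the paper's ARMA model, and the flow records are constructed. The detector learns only from windows it judged normal so that the attack itself does not retrain the model.

```python
# Added example (not from the cited papers or the original report): flow-feature
# time series + linear prediction + consecutive-window alert evaluation.
# A flow record is (src_ip, dst_ip, packet_count); one list per time window.
from collections import Counter


def flow_feature(flows):
    """Scalar per window: volume x asymmetry x source dispersion x destination concentration."""
    if not flows:
        return 0.0
    pairs = {(s, d) for s, d, _ in flows}
    one_way = sum(1 for s, d in pairs if (d, s) not in pairs)
    asymmetry = one_way / len(pairs)                          # flows with no reverse flow
    dispersion = len({s for s, _, _ in flows}) / len(flows)   # distinct sources per flow
    top_dst = max(Counter(d for _, d, _ in flows).values())
    concentration = top_dst / len(flows)                      # share hitting the busiest target
    volume = sum(p for _, _, p in flows)
    return volume * asymmetry * dispersion * concentration


def normal_flows(window):
    """Constructed: eight clients talking both ways with one server, two one-way lookups."""
    server, resolver = "192.0.2.10", "192.0.2.53"
    pkts = 10 + window % 3                 # mild, deterministic volume variation
    flows = []
    for n in range(1, 9):
        client = f"10.0.0.{n}"
        flows += [(client, server, pkts), (server, client, pkts)]
    flows += [("10.0.0.1", resolver, 1), ("10.0.0.2", resolver, 1)]
    return flows


def attack_flows(window):
    """Constructed: normal traffic plus 200 distinct spoofed sources hitting the server one-way."""
    return normal_flows(window) + [(f"203.0.113.{i}", "192.0.2.10", 5) for i in range(1, 201)]


def feature_series(normal_windows=20, attack_windows=10):
    windows = [normal_flows(i) for i in range(normal_windows)]
    windows += [attack_flows(i) for i in range(normal_windows, normal_windows + attack_windows)]
    return [flow_feature(w) for w in windows]


def ar1_predict(history):
    """Least-squares fit of x_t = c + a*x_{t-1} on history; predict the next value."""
    xs, ys = history[:-1], history[1:]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var if var else 0.0
    c = my - a * mx
    return c + a * history[-1]


def detect(series, warmup=6, k=4.0, floor=2.0, consecutive=2):
    """Return indices of windows where an alert is raised."""
    normal_history, residuals, alerts = list(series[:warmup]), [], []
    streak = 0
    for t in range(warmup, len(series)):
        residual = series[t] - ar1_predict(normal_history)
        rms = (sum(r * r for r in residuals) / len(residuals)) ** 0.5 if residuals else 0.0
        threshold = max(floor, k * rms)       # adaptive, with a floor against tiny noise
        if residual > threshold:
            streak += 1                       # alert evaluation: need several in a row
            if streak >= consecutive:
                alerts.append(t)
        else:
            streak = 0
            normal_history.append(series[t])  # learn only from windows judged normal
            residuals.append(residual)
    return alerts


if __name__ == "__main__":
    s = feature_series()
    print("feature values:", [round(v, 1) for v in s])
    print("alert windows:", detect(s))
```

With the constructed traffic the attack begins in window 20; the first exceedance is held back by the consecutive-window rule and alerts start at window 21, which is the false-positive trade-off the alert evaluation mechanism in both papers is making.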
"Internet Domain Security Management": the author proposes cooperative inter-domain security management to protect the access of legitimate users from DDoS attacks that exploit randomly spoofed source IP addresses. The internet is assumed to be divided into multiple domains, each with one or more domain security managers responsible for identifying the hosts within the domain. The cooperation proceeds in two steps. First, a domain security manager forwards information about identified suspicious attack flows to the neighbouring managers. Second, the domain security manager verifies the attack upon receiving return messages from the neighbouring managers. The management method proposed in the paper is designed not only to prevent network resources from being exhausted by the attack but also to increase the chance that legitimate users can fairly access the target services. In experiments on a test bed the method was verified to maintain high detection accuracy and to enhance the survival rate of normal packets.
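The two-step exchange can be simulated in a few dozen lines. The block below is an added example of my own, not the paper's implementation: each manager knows the hosts in its prefix and, from its own outbound flow records, which (source, destination) pairs its hosts actually sent; the target-side manager forwards each suspicious source to the manager owning its prefix (step 1) and turns the reply into a verdict (step 2). Domain names, prefixes, hosts and flows are constructed, and the message format is an assumption.

```python
# Added example (not from the cited paper or the original report): cooperative
# verification of suspicious source addresses between domain security managers.
import ipaddress


class DomainSecurityManager:
    """One manager per domain; knows its hosts and what they really sent (constructed)."""

    def __init__(self, name, prefix, hosts, outbound=()):
        self.name = name
        self.prefix = ipaddress.ip_network(prefix)
        self.hosts = set(hosts)
        self.outbound = set(outbound)     # (src, dst) pairs observed leaving this domain
        self.neighbors = []               # managers this one cooperates with

    def owns(self, ip):
        return ipaddress.ip_address(ip) in self.prefix

    def handle_query(self, src, dst):
        """Step 2, answering side: does host src exist here and did it send to dst?"""
        if src not in self.hosts:
            return "unknown-host"
        if (src, dst) not in self.outbound:
            return "not-sent"
        return "confirmed"

    def verify_suspicious(self, suspicious_sources, target):
        """Step 1: forward each suspicious source to the neighbour owning its prefix.
        Step 2: convert the neighbour's reply into a verdict."""
        verdicts = {}
        for src in suspicious_sources:
            owner = next((n for n in self.neighbors if n.owns(src)), None)
            if owner is None:
                verdicts[src] = "unverified"   # no cooperating domain claims the address
                continue
            reply = owner.handle_query(src, target)
            verdicts[src] = "legitimate" if reply == "confirmed" else "spoofed"
        return verdicts


def survivors(packets, verdicts):
    """Drop packets whose source was verified as spoofed; pass everything else."""
    return [p for p in packets if verdicts.get(p["src"]) != "spoofed"]


def build_scenario():
    """Constructed: target domain A cooperating with domains B and C."""
    target = "192.0.2.10"
    a = DomainSecurityManager("A", "192.0.2.0/24", [target])
    b = DomainSecurityManager("B", "10.1.0.0/16", ["10.1.0.5", "10.1.0.6"],
                              outbound=[("10.1.0.5", target)])
    c = DomainSecurityManager("C", "10.2.0.0/16", ["10.2.0.7"])
    a.neighbors = [b, c]
    # Sources A flagged as suspicious: one real sender, one idle host, one
    # non-existent host, one host in C that never sent, one address nobody owns.
    suspicious = ["10.1.0.5", "10.1.0.6", "10.1.0.200", "10.2.0.7", "172.16.9.9"]
    return a.verify_suspicious(suspicious, target)


if __name__ == "__main__":
    for src, verdict in build_scenario().items():
        print(src, verdict)
```

Only the flow whose owning domain confirms it survives as legitimate; a source that no cooperating domain claims is left "unverified" rather than dropped, which is how incremental deployment avoids punishing users in domains that have not joined the scheme.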
DDoS attacks are a serious problem on the internet; their rate of growth and wide spread challenge the general public, a sceptical government and business. It is clear that waves of DDoS attacks will continue to pose a significant threat: as new countermeasures are developed, new DDoS attack modes will emerge. Since DDoS attacks are complex and difficult to combat, their effect reaches not only an organisation's physical IT infrastructure but also its business continuity in every possible way. We need to confront DoS attacks as a problem that requires a long-term effort to implement effective solutions. According to (Schultz, 2006), DoS attacks differ to some extent from other classes of attack. From my analysis I have understood that information security is widely recognised as divided into confidentiality of data, integrity of data and systems, and availability of data, systems and networks. The target of a DoS attack is mainly the availability of networks and data systems. DoS attacks are identified by the way the attack is carried out, which distinguishes them from attacks geared towards stealing or copying confidential data. A DoS attack can also contaminate a system: an intruder who gets into the system may change key parameters in system files to out-of-range values, attacking not only the dependability of the system but its availability; the system may not merely crash but, depending on the changes made, may no longer even be bootable.