Denial Of Service Attack Simulation Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract-Due to the explosion of botnets, Distributed Denial-of-Service attack (DDoS) becomes more frequently and dangerously. There are different DDoS technical issues that the researchers are trying to resolve. All of them focus on detection and prevention the DDoS. The problem captured in this paper is how to simulate the spread of a particular DDoS attack. An application based on Random Walk and Cellular Automation simulation techniques are also presented. The experimental results show that this simulation application can generate a high speed DDoS-similar attack with input controllable parameters as well as can predict the number of zombies participated in a particular attack.

Keywords: Distributed Denial-of-Service attack; turtle graphics; Random Walk simulation; Cellular Automation simulatio;, DDoS zombie; Network Simulator 2


Fast evolution of the Internet makes it become a vulnerable land. Many network-attack techniques were born along with explosion of botnets. The Internet itself becomes a sensitively conductible environment for the network attacks which need gathering a huge force. One of the attack techniques recently attracting the researchers' attention is Distributed Denial-of-Service. This breed of Denial-of-Service (DoS) attack requires the participation of many compromised hosts across the interconnected networks. Much recent research focuses mainly on how to detect and prevent the DDoS. Some of them mention of trace-back algorithm used to find the source of a DDoS attack. A few hypotheses describing the DDoS process are proposed. However, the theories of spread of DDoS seem to be forgotten. The researchers have been leaving this area open. To generate a DDoS attack, attackers need to collect multiple hosts from different sources. This practice leads to a fact that the simulation of DDoS with real network devices is costly. A network lab in the university needs to be equipped many hosts, switches and routers which may cost many-thousand dollars. Moreover, the simulation of DDoS may be more dangerously because of damage to the simulation system itself. Even in an ideal environment where the DDoS can be simulated perfectly, keeping track of spread of DDoS and analysis the results are still too difficult to solve. If this simulation application can be implemented successfully, it would help the students or researchers who do not have enough conditions to practice on the real network security lab.

In this paper we build an application simulating the spread of DDoS attack based on two simulation techniques which are Random Walk and Cellular Automation simulation. We choose these techniques because the randomness of DDoS can be expressed thoroughly by using them in an appropriate way. The analytical result of this simulation helps us to answer two questions. The first one relates to the speed of spread of DDoS attack. The other one is prediction how many zombies participated in a particular DDoS attack. The result is also compared with observation results obtained from NS2, a network simulation tool.

The rest of this paper is organized as follows. In section 2, we introduce some previous works done in DoS and DDoS simulation. Section 3 is the challenges and problem statement. Section 4 is methods and techniques used in this research. In section 5, we describe a specific DDoS World simulating the spread of DDoS attack. Section 6 is some results from our experiment. Conclusion is made in section 7.


DDoS is a branch of DoS. They share the same goal that is an attempt to make the computer resources unavailable to its intended users. There are many DoS techniques classified into some popular categories. The most common form is ICMP flood coming with a lot of instances. The first instance is SYN flood exploiting a flaw in 3-way handshake of TCP/IP protocols. The attacker tries to send SYN packets continuously in order to make the receiver be busy. The receiver sends back a SYN/ACK packet in the second phase but the attacker will never send another SYN packet in the third phase. Thus the 3-way handshake process is never finished. Ping flood is the second instance of ICMP flood. It is usually generated by a Unix host rather than a Windows host. The attacker tries to send the ping-request packets continuously to the victim. The only requirement is the attacker's system must have larger bandwidth than victim's system. Similar to Ping Flood is Ping of Death [1] which is based on sending the malformed ping packets to the victim. It might lead to system crash. The second form of DoS is Teardrop attack [2]. It relates to malformed IP fragments such as oversize or overlapping payload. Each network has itself maximum transmission unit (MTU). System can be crashed because of a bug in TCP/IP fragmentation re-assembly code. Peer-to-peer is type of DoS attack exploiting the strength of peer-to-peer networks. Attacker instructs many-thousand clients to connect to a victim site. The result is the victim site goes down swiftly. Permanent Denial-of-Service (PDoS) [3] focuses mainly on mistakes of hardware. Attacker tries to access remotely to network devices by exploiting the hardware flaws of these devices. Then they replace the firmware with a modified, corrupted one. Therefore, this technique is called flashing. Nuke modifies the ICMP ping packets and sends them to the victim. The victim is busy with these malformed packets, thus the system gets slowing down and then completely stops. A most famous Nuke tool is WinNuke which sends an out-of-band string to TCP port 139 (NetBIOS) of Windows 95. It results in a notice named Blue Screen of Death.

DDoS [4] is a special type of DoS gathering multiple hosts from different sources across the networks. The DDoS attacker plays the center role compromising other hosts in order to serve his attack goals. The hosts compromised are called zombies. The reason for this name is that zombies completely do not know about what they are doing. The zombies are similar to the compromised hosts. The owners do not know about what had happened to their hosts until the grave consequence showed. Each zombie is instructed to use a type of DoS attack technique unconsciously. Because of participation of multiple hosts, some big DDoS attacks can not be prevented. On December 8, 2010, some finance companies such as, PayPal, were DDoS attacked from a group named Anonymous in the support for the Whistleblowing site [5]. These websites were brought down more than 16 hours.

The DDoS simulation with real network devices is very costly because of participation of many hosts. Thus the DDoS attack simulation is essential. There is much research trying to simulate the DDoS. The NS2 [6] is an open source discrete event network simulation tool which can be used to simulate partly the DDoS. In [7] the authors proposed a method simulating the DDoS based on network processor. They have tried to implement a high performance parallel processing architecture on a single chip for deep packet inspection and traffic management. The authors in [8] have developed the simulation software called DDoSSim which comprehensively investigates DDoS attack and defense mechanism. The first phase of spread of DDoS simulation process is how to simulate the DDoS. Thus in the future we can use studies from [7] and [8] to generate the real input traffic for the simulation.

The second phase is how to simulate the spread of DDoS attack. We have no research mentioned of this topic so far. The final goal of this simulation is to answer the two questions. One question is how fast the DDoS spreads. Other one is how many zombies participated in the attack. Some research is carried out to answer the second question. In [9], Gupta, Joshi and Misra proposed a method predicting the number of zombies in a DDoS attack using Polynomial Regression Model. They use NS2 as a simulator for launching DDoS attack with different number of zombies. The results they got are promising with very less error rate. With the same author group, they proposed another approach for predicting the number of zombies. In [10], an Arti¬cial Neural Network (ANN) based scheme is described as a main method for answering the second question. Sample data used in the attack is also generated from NS2.

To guarantee for randomness and integrity of application, the Random Walk and Cellular Automation simulation are used as main techniques. These ones have proposed in [11]. We will go into details of them in section 4.

The Challenges and Problem Statement

In the simulation of DDoS attack, there is a frequently ask question giving headache to researchers. It is how to generate the sample data for the DDoS attack. In a particular DDoS attack, packets are sent from zombies to victim and vice versa. Do we need to simulate these packets themselves? If needed, how can we generate them? If we choose the first solution, we need to make "real" packets which are fully formatted. For example, in a Ping of Death attack, ICMP request packets must be emulated with all fields and flags. Firstly, the normal ICMP request packet is generated and then modified to become a malformed packet. With this choice, the researchers or students who are doing with DDoS simulation can capture these "real" packets in the simulator. Then they analyze the packets and figure out what happened inside the packets. Hence they can understand the DDoS more thoroughly. The second solution for DDoS sample input data is using analytical input parameters [12]. With this method, the sample input data is available in form of input parameters. We select the input parameters, assign them appropriate value, press "play" button, and get result. It is similar to a black box. Researchers only need to choose input data, put them into the black box and do not care about what happened. At last, he gets and satisfies with the analytical result. In fact, he does not know about what the system did between the inputs and outputs. Advantage of this solution in comparison with the first one is highly performance. The system do not care about generating the sample attack packets, thus performance is much higher than the "real" packet method. Trade-off is made between the performance and accuracy.

Identification of source of a DDoS attack is also another challenge. As mentioned, real attacker of a DDoS attack hides his head behind the zombies. The victim can only see a huge force attempting to attack him. He is puzzled because he does not know about who is instigator. How can we resolve this problem? Let imagine that you are in a fierce battle. Enemy soldiers rush forward after a shouting of a commander. How can you identify who is the commander? The first solution is you look at the position where the shouting is sent. In almost cases, the sound source comes from the long distance and you can not identify what you need among a human tide. The second solution is you have to defeat the enemy soldiers, one by one. At last, the commander appears automatically and you can catch him. The problem is that you do not need to defeat all enemy soldiers before you got the commander. It costs time and attempt. Our troop might have final win but got severe loss. A solution which does not have to kill everyone needs to be found out. In DDoS, an algorithm like what we have described above called trace-back algorithm. IP trace-back method introduced in [13] is an effective solution for tracking back to the source of an attack. In spread of DDoS attack simulation, finding the attack source is not quite important. The source of attack should be defined at the very first step of simulation.

Up to now, all DDoS research mainly focus on how to detect and prevent this kind of DoS attack. The study of spread of DDoS seems to fall into oblivion. Because of this reason, developing an application which can simulate the spread of DDoS lacks of basic theories and standards. The selection for input parameters also causes controversy. The problem is how to ensure the randomness and honesty of simulation as well as simulation's results. Thus the research of the spread of DDoS is essential. This research proposes a way to simulate the spread of a DDoS attack, which we have been developing and call it DDoS World.


DDoS Simulation Techniques

To guarantee the randomness and honesty of our simulation, the Random Walk and Cellular Automation simulation techniques are selected. Cellular Automation is type of computer simulation that is dynamic computational model and is discrete in space, state, and time [11]. The space is a grid of sites or squares initialized states by given rules. Number of the states is finite. The transition rule or update rule is operated once the squares change their own state. The rules specify the local relationships and indicate how cells are to change state, regulate behavior of system [11]. In Random Walk techniques, system makes decision based on result of one or multiple random generators. These results are random, thus walking direction can not be anticipated. The turtle graphics is used to draw the trace where the cursor has just gone over.

The Turtle Graphics

"Turtle Graphics is a term in computer graphics for a method of programming vector graphics using a relative cursor (the "turtle") upon a Cartesian plane" [12]. In practice, when an attacker generates a DDoS attack, he tries to compromise the zombies as much as possible. He can make the compromission by scanning opening port technique. When he detected a host which has one or multiple vulnerable ports opening, he tries to exploit theses ports by different intrusion actions. If he is lucky, he would make this host become a zombie. In our DDoS World, a "turtle" or a cursor plays the port scanner role. This port scanner tries to scan every squares of the grid. Each square symbolizes a location which can be a host or not. The grid itself is a network domain which the hacker wants to make corrupt use of hosts in there. When a host is considered as a zombie, the port scanner "turtle" will mark this place by a black circle and continue finding other hosts in the same network with the gateway. The "turtle" and grid are depicted in figure 1.


The DDoS Process in Real World

In practice, the DDoS process often happens in six steps:

[1] Firstly, attacker selects a zone in which he tries to comprise the zombies.

[2] Attacker scans IP-address ranges of this zone to find the Gateways/Networks.

[3] If he can go through a gateway, he tries to compromise the computers which have vulnerability opening ports.

[4] The compromised gateways and computers then become the zombies.

[5] Finally, zombies attack the victim (by SYN Flood…).

[6] Repeat from step [2].

In real world, when an attacker intends to attack a victim, s/he needs to select a zone first. A zone can be a single network address, a subnet, or even multiple subnets. Then he uses a port scanning tool in order to scan the defined IP addresses range which covers the selected zone. The type of DDoS attack is also defined in this step such as SYN flood, PDoS, Nuke... The goal of this step is attempt to find the gateways which are network entrances. When a burglar, for a thing, wants to access a house, he at least needs to know the house's entrances. There are some scan strategies which can be selected by attacker. He can choose scanning from start IP address to end IP address of IP range. Another choice can be random scanning. One of the favorite choices of attackers is picking up the IP addresses that are likely to be a gateway (or a network entrance such as a router or a switch layer 3) in order to scan first. Those IP addresses like this can be .1, .10, .100, .9, .99, .111 in octet fourth.

If he is lucky and go through the gateway (it means gateway is compromised), he will try to scan every potential IP addresses in this subnet. For example, if IP address of gateway is, it is likely that all IPs in range of will be scanned. After done this most risky subnet, some other subnets having the common gateway can be inferred by port scanner. The exhaustive scan can appear if the attacker have special favorite with a particular subnet. If he can go through the gateway but cannot go further the first subnet, he had an unsuccessful attempt. It is most likely that the first subnet right after the gateway is a point to point link which connects the gateway to internal LAN or DMZ zone. It means we only have two IP addresses at two ends and port scanner will get its loss. That's the reason why the exhaustive scan needed to guess or infer the other subnets sharing the common gateway. In step [3], the IP addresses are checked one by one in order to discover the presence of a host. If an IP address is not related to a host, the port scanner checks another consecutive IP address and a message informing the host unreachable is returned to the attacker (or not if the attacker has turned off the detail debugging in the port scanner in order to eliminate the spam notification). In case that an IP address is related to a host, the port scanner checks whether this host is opening a vulnerable port or not. A vulnerable port is a opening regular service port such as Web port 80 (8080), FTP port 20/21, SMTP port 25, POP3 port 110, DNS port 43, etc, which is not protected by any firewalls or security tools at upper layers in OSI or TCP/IP model. If the ports are under vulnerable status, the attacker will put some backdoors or some malicious scripts on each port in order to unspoken control the host. These scripts operate as clients which are under control of a DDoS attack server running on attacker's computer. The compromised computer is totally unknown of the malicious code. That is the reason why those computers are called the zombies. When a new zombie appears, a message informing the present of a new zombie is sent back the attacker. The attacker will send a packet including the information of victim and type of DDoS attack to the new zombie. In turn, the new zombies (both gateways and regular hosts) will themselves attack the victim. After finishing a network, the port scanner will continue trying to find and compromise other gateways which are entrances of other networks. This process is iterative until the attacker terminates the attack.

Simulation and Metrics

The first reason for building a simulation is the expenditure for hardware device is expensive, especially the network devices. The second reason is saving system resources. The third reason comes from being illegal and impractical of implement an attack experiment in the real system or even in a laboratory. Another reason is hard to modify the real network topology in order to create various scenarios. Finally, the real environment is quite "real", so it is hard to cover all the affect on the experimental result.

Here we state some mechanisms to emulate the distributed DoS system from similar works. Mark-Aided Distributed Filtering (MADF) uses the neural network in order to detect the anomaly behavior and collect the intelligence by the annotations obtained in the previous scenario. This mechanism offer SSFNET simulator to measure the performance of a distributed DoS system. Integrating into SSFNET are Trinoo and TFN2K which is used to build DDoS network topology for attack simulation. To make the DDoS attack as real as possible, Cooperative Association for Internet Data Analysis (CAIDA) offer Skitter which is one of their projects. With this project, we can take advantage of a real Internet topology dedicated to DDoS attack. The traffic generator of this project comes from server aroot.ipv4.20040120.

To measure the performance of a DDoS simulation, we use average of legitimate traffic passed rate (LTPR) and attack traffic pass rate (ATPR) which have following formulas:



The ratio LAR is also the favorite criterion to measure the performance of a DDoS attack simulation. The formula for LAR is:


When number of attack packets increase infinitely, LAR will reach to 0. We can conclude that the simulation is not effective because this case can not happen in real world. Another case is LTPR reaches to 0; hereby the LAR also reaches to 0. We conclude that the simulation is also not effective.

In addition to LAR, NFR is also used to measure the performance of a DDoS attack. This criterion show the number of packets passed through the router. It requires less computation but still show the overall performance of distributed DoS system. The formula for NFR is:


Like LAR, the NFR reaches to 0 (non effective simulation) if number of total packets passed in router increase infinitely or number of attack packets passed in router reaches to 0.

Introduction to DDoS World

In our DDoS World, a grid of squares is built as mentioned in section 4. The red, black, brown, and green circles are symbolized attacker, zombies, gateways, and safe hosts, respectively. The white zone is safely detected area or undetected area. The attacker has his own fixed location at center of the grid. This position is the only one visible at very first stage of simulation. The zombie is defined as a host opening vulnerable ports and compromised. The safe host is defined as a host which does not open any ports or opens only invulnerable ports. The third case for the safe host is a host opening vulnerable ports but not compromised. The gateway is an entrance point to access a particular network such as a router or a switch Layer 3. The attacker needs to compromise the gateway first before exploiting the other hosts in the same network. If the attacker cannot pass a gateway, he will switch to another gateway and do the same work. In the future, the attacker can come back and tries to compromise the gateway where he was defeated. Dark addresses are the places where no host is available.

DDoS World Visualization

At the initial stage, the port scanner does not know whether a position is host or not. The most exact answer will come at the end of simulation. The white zone where do not have the circles or squares is undetected are. The white zone with the pink line is safely detected area. We can never know whether a host is available in this zone or not even though the simulation ended. We can make some guesses based on the input parameters and output results but it is not really needed. of sites or squares initialized states by given rules. Number of the states is finite. The transition rule or update rule is operated once the squares change their own state. The rules specify the local relationships and indicate how cells are to change state, regulate behavior of system [11]. In Random Walk techniques, system makes decision based on result of one or multiple random generators. These results are random, thus walking direction can not be anticipated. The turtle graphics is used to draw the trace where the cursor has just gone over.

To demonstrate for the simulation, assume that attacker intends to dominate 3 networks which have IP-address range as follows: (A) -; (B) -; (C) - Assume all subnet mask is Because each network has 254 IPs, we can specify easily the size of DDoS World is 3*254 = 762 IPs, that correspond to at least 762 squares. These IP addresses are distributed into the DDoS World grid as depicted in step 1 of figure 2. The three different colors symbolize three different networks. At step 2, the gateway is detected first (the brown one in the figure). At step 3, the attacker compromises the hosts and makes them become zombies (the black one in the figure).


















Step 1















Step 2















Step 3

DDoS Process in DDoS World

The Taxonomy of Input and Output Parameters for DDoS World

With a simulation application, selecting inputs and outputs factors is very important. The "real" of simulation of an incident is up to input assumptions. In another word, it describes the artificial intelligence (AI) of the program. If it has only some little changes in initial constraints, the output results may be different significantly. Those changes are unpredictable. Moreover, since the set of input factors are diverse, we cannot include all the practical elements in the simulation. Only subset of them including the most specific features should be chosen. Below is a list of input and output parameters which participate in a DDoS attack.

Type of attack: can be semantic (TCP SYN, hard requests, incorrect packets) or brute-force (smurf/fraggle, UDP/ICMP flood).

Rate of dynamics of attack: when the intensity change in time happens, the attack packet rate can change. This change can be described by a constant or a function over the time. This rate can be increasing or degrading.

Type of victim: can be a host, a service, a network or multiple subnets. At least we should specify the IP address and ports.

Impact on the victim: can be a degrading attack (when zombies participate in the DDoS attack one by one) or a disruptive attack (when all zomebies attack simultaneously).

Possibility of exposure: when we can distinguish the attack packets, we can discover type of DDoS attack. There are two types of DDoS attacks in terms of distinguishing of packets: filterable and non-filterable. In non-filterable one, the attack packets are disguised in order to be indistinguishable from regular packets. In filterable one, the attack packets can be revealed by exploit protocol, size, field value, etc.

Taxonomy of DDoS Attack Mechanisms from [14]

Degree of automation: in practice, attack can be generated automatically or manually. If it has done automatically, the setting parameters need to be setup first. In this case, the attacker can change some of settings while the attack is running. Moreover, automation is expressed in the communication between the attacker and his zombies. This communication can be direct (attacker knows the addresses of all zombies) or indirect (zombie communicates with the attacker).

Permanency of Agents: the participation of zombies in an attack can be permanent or variable. Permanent one means the zombies are always in the attack. Variable one means the zombies sometimes are not in the attack. This change can be formulated by a constant or a function.

Validity of source addresses: is related to whether the attacker uses spoofed source or not. The main objective is to disguise the source of attack. This fake address can be traced back or not. The options of spoofing may be as follows: 1) No spoofing, the real source address is used; 2) A Constant, a faked address is randomly selected from a pool; 3) "Random", with every new attack packet, a random address is generated. This range does not intersect with the range in the given network; 4) "Random Real", also with every new attack packet, a random address is generated. The difference is this range is in the same range of the given network.

Cooperated Mechanism: the mechanism of components operation in a DDoS attack can be centralized or decentralized. These components are autonomous and heterogeneous.

Technique of attack detection: we have three types of attack detection: anomaly, misuse, and hybrid. Anomaly behavior detects the attack based on the distraction of regular behavior. The anomaly incidents will be reported. Misuse detection detects the attack based on the signatures which are set of information of types of attack. The hybrid type is the combination of two last types. In the simulation, the attack can be one of them or all.

Location of deployment: an element participating in an attack can play a role as source of attack, intermediate devices or defended networks.

The stages of defense: The victim or victim s' system can have some mechanism for defense such as attack counteraction, attack source detection, attack detection, attack prevention.

Technique of attack prevention and counteraction: The techniques used are authentication, resource management, and filtering.

Deviation from model data: some measures can be used such as threshold or rules for packets and connections. Data mining is used to trace back the attack and also the fluctuation of parameters.

Technique of source detection: some trace-back algorithms are mentioned as in sector III. Some favorite techniques are packet marking, packet signatures, generation of auxiliary packets, etc.

Technique for data collecting: data can be obtained from outside sources or by learning.

The simulation topology is generated by using Transit-Stub model of GT-ITM topology generator [13]. The taxonomy of input and output parameters are picked up from [14]. A diagram of taxonomy is showed in figure 3. Below is list of parameters used in DDoS World as AI factors.

i. The input parameters:

a. Size of DDoS World (X, Y): the zone where attacker want to dominate. X, Y must be integers larger than or equal to 10.

b. Maximum Simulation Time in second: program will finish when this amount of time elapsed. It must be positive float or integer.

c. Probability of Presence of Vulnerable Hosts (%): It must be positive integer less than or equal to 100.

d. Number of networks must be a positive integer which less than the size of DDoS World (X*Y).

e. Size of each network (S): The program will detect the hosts within an area (S+1) x (S+1) with gateway located at center.

f. Probability Scanner Goes Through a Gateway Successfully (%): whether a gateway is compromised or not. It must be positive integer less than or equal to 100.

g. Probability of Presence of Safe Hosts (%): It must be positive integer less than or equal to 100.

h. Degree of Scatter of Hosts in a Network in squares (S): The program will detect the hosts within an area (S+1) x (S+1) with gateway located at center. It must be positive integer less than [min(X, Y)]/2.

i. Attacker Position (X, Y): location of attacker in the grid. X, Y must be positive integers and less than X, Y respectively.

j. Number of zombies at which you desire to finish program is defined by formula: PROB_FINISH = round (0.25*PROB_VUL_HOST, 2).

ii. The output parameters:

a. Number of Zombies after simulation ended: Zombies compromised.

b. Number of Gateway (Networks) infected: Gateway compromised.

c. Number of times the port scanner switched from a host to another host: number of moves of port scanner done inside the grid.

d. Number of times the port scanner went out of DDoS World: number of moves of port scanner done outside the grid (in the boundary).

e. Real Simulation Time: The amount of time it took to run the simulation.


The tool used for evaluation is Network Simulator 2 (NS2). NS2 is a name for series of open-source discrete event network simulators, specifically ns-2 and ns-3. With NS2, we can write the code and algorithm to simulate a network and communication between network devices. The code is complied to become scripts. NS2 provide an interface which allows running the scripts and displays in the screen. This interface is called Nam. We use NS2 as a comparison with DDoS World. In an aspect, NS2 can simulate the DDoS attack by assembling the virtual network devices, but we need significant attempt to build the topology and write the code. NS2 is also not able to simulate the spread of a DDoS attack. As mentioned, the transit-stub model of GT-ITM is a standard template topology using to simulate the DDoS attack. Its visualization is in figure 4. In this topology, each network is treated as an autonomous system (AS). For the evaluation, we build a model with 4 transit domains. Each domain has 12 transit nodes such as routers. Each transit domain links to its two neighbor domains from 2 transit nodes. Remaining 10 transits node links to local stub domains. Each local stub domain has 10 clients. Therefore, we have total 10*10*4 = 400 hosts which generate traffic. Total zombies who generate attack traffic are fixed to 10-100. One of transit domain will contain the victim (usually is a server).

In our DDoS World, we will adjust input parameters to be correlative to the transit-stub model. We do not need to code and compile the code in our application. A visualization interface is provided to see the spread of DDoS attack instead of using a separate tool. The input parameters are adjusted as follows:

Transit-stub model from GT-ITM

Size of DDoS World: larger than 20x20 (>400 hosts). We suggest the size of DDoS World should be larger than four hundreds at least 1.5 times. It means about 600 hosts ≈ 24x25.

Attacker position: it depends, should be (5, 5) or (15, 5) or (15, 5) or (15, 15).

Maximum simulation time: 120 seconds.

Number of networks: 40

Degree of scatter of each network: 1 to 2 which can cover from 9 to 25 hosts for each transit stub, respectively.

Probability of going through gateway successfully: it depends. Here we select 80%.

Probability of presence of safe host: because the number of zombies should be from 10 to 100, we suggest the range for presence of safe host between 67.50% (for 100 zombies) and 87.75% (for 10 zombies) inclusive.

Probability of presence of vulnerable host: because the number of zombies should be from 10 to 100, we suggest the range for presence of vulnerable host between 2.25% (for 10 zombies) and 22.50% (for 100 zombies) inclusive.

The figure 5 depicts an input and output interface of DDoS World application. The simulation time is fixed to a particular amount of seconds. If size of DDoS world is small (from 10x10 to 15x15), number of networks is small (2-3) and probability go through gateway is small (<70%), the experimentally initial result shows that the simulation is finished before the attacker obtains the number of zombies that he desires. In contradiction with the first case, if size of DDoS world, number of networks and probability go through gateway are large enough, the simulation is finished right after the attacker obtains the number of zombies that he desires. The larger the degree of scatter of hosts in a network is, the faster the application finishes. The reason is ability of catching and compromising a host increases in a bigger network.

Input and Output of DDoS World Application with default parameters


In this paper we focused on constructing the spread of DDoS attack simulation application using Random Walk and Cellular Automation simulation technique. A DDoS attack simulation traffic is generated based on analytical input parameters. The turtle graphics is used to visualize the simulation.

Two main contributions are:

i. Develop an application simulating the spread of DDoS attack

ii. Answer the questions:

a. How many zombies participated in a particular attack?

b. How is the speed of spread of DDoS attack?

The accuracy of simulation is limited to probabilistic inputs. Using of only three probabilistic parameters partly decrease the honesty of simulation. Some more AI elements should be put into this model such as topology of network, type of DDoS attack, type of media. Probability of presence of firewalls, IDSs, antivirus programs are also should be taken into account.