This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
In recent years, widespread adoption of the internet has resulted in rapid advancement in information technologies. Internet is used by the general population for the purposes such as financial transactions, educational activities and countless other activities. This development of the Internet use has unfortunately been accompanied by a growth of malicious activity in the web application. Nowadays, Distributed Denial of Service (DDoS) attack is a huge risk to the Internet. In the earlier works, an Intrusion Detection System can detect attacks such as Session hijacking attack, SQL Injection attack and Privilege Escalation attack. But to our disappointment, we cannot handle DDoS attack efficiently using existing system design. To solve this problem, in this paper, we propose a scheme using honeypot for eliminating such attack by analyzing DDoS features like Stream of packets consuming a key resource, malformed packets confusing an application or protocol, overload the internet infrastructure. Main goal is to convincingly simulate the success of the compromise of a system. By this, we implement the lessons learned by the honeypot in hardening the system against the DDoS attack. In our paper, we present the design of a system that allows disrupting the attacker's chain of actions.
Keywords: Distributed Denial of Service (DDoS) attack, Honeypot technique, Intrusion Detection System, Web application.
Even though the last decade has witnessed tremendous growth in the internet service, a proper mechanism has not evolved to discourage or stop the internet attacks. One such internet attack is Distributed Denial of Service (DDoS) attack that continues to pose a real threat to internet service. Though many schemes have been proposed to defend against spoofing, DDoS attack; none has overcome the difficulties of widespread deployment.
Denial of Service (DoS) attacks is intended attempts to stop legitimate users from accessing a specific network resource that have been known to the network research community since the early 1980s. The Computer Incident Advisory Capability (CIAC) reported the first Distributed DoS (DDoS) attack incident in 1999 and most of the DoS attacks since then have been distributed in nature. At present, there are two main methods to launch DDoS attacks in the Internet. First method is for the attacker to send some malformed packets to the victim to confuse a protocol or an application running on it. Another method, which is the most common one, involves an attacker trying to do one or both of the following:
Disrupt a legitimate user's connectivity by exhausting bandwidth, router processing capacity or network resources; these are essentially network/transport-level flooding attack.
Disrupt a legitimate user's services by exhausting the server resources (e.g., sockets, CPU, memory, disk/database bandwidth, and I/O bandwidth); these essentially include application-level flooding attacks.
Many DDoS flooding attacks had been launched against different organizations since the summer of 1999. The majority of the DDoS flooding attacks launched to date have tried to make the victims' services unavailable that leads to revenue losses and increased costs of mitigating the attacks and restoring the services. For instance, in February 2000, Yahoo! experienced one of the first major DDoS flooding attacks that kept the company's services off the Internet for about 2 hours incurring a significant loss in advertising revenue. In October 2002, 9 of the 13 root servers that provide the Domain Name System (DNS) service to Internet users around the world shut down for an hour because of a DDoS flooding attack. Another major DDoS flooding attack occurred in February 2004 that made the SCO Group website inaccessible to legitimate users.
A group calling themselves "Anonymous" orchestrated DDoS flooding attacks on organizations such as Mastercard.com, PayPal, PostFinance and Visa.com on December 2010. The attack brought down the Mastercard, PostFinance, and Visa websites. Most recently since September 2012, online banking sites of 9 major U.S. banks have been continuously the targets of series of powerful DDoS flooding attacks launched by a foreign hacktivist group called Izz ad-Din al-Qassam Cyber Fighter. As a result, several online banking sites have slowed or grounded to a halt before they get recovered several minutes later.
In a typical DDoS attack, the attacker subverts a number of servers on the Internet by exploiting well-known security flaws. These compromised servers become the slaves of the attacker by the installation of flooding tools for the real attack. The attacker sends control traffic to his compromised slave that instructs them to generate high volume traffic toward the victim, typically with a faked source address to prevent backtracking to the slaves.
In this paper, we present the design of a system that allows disrupting the attacker's chain. The goal of the system is to convince the attacker that he successfully compromised the slave. In reality, the system is a kind of a honeypot that lures him to believe so. Thereby, the operator of the honey-pot learns the tactics of the attacker and can implement efficient defenses in the rest of his network. On the other hand, the attack on the victim is of course successfully inhibited and the recording of the compromise may help in a legal action against the attacker.
An intrusion can be defined as any set of actions that attempt to compromises the integrity, privacy, confidentiality or accessibility of resources of the system. An Intrusion detection system aims to identify an intruder breaking or misusing system resources.
Intrusion Detection Approaches
1.1.1 Misuse Detection: It is based on the knowledge of vulnerabilities and known attack signatures. Misuse detection is concerned with detecting intruders who are attempting to break into a system by using some known vulnerabilities. Signature based IDS store patterns of Known attacks. It use stored behavior pattern to identify and detect attacks. It can identify only known, previously seen attacks. One of the main drawbacks of Signature based IDS is that it cannot detect new attacks or previously unseen attacks.
1.1.2 Anomaly Detection: Anomaly detection assumes that intrusions will always reflect some variation from normal pattern. This type of IDS stores normal behavior of system (using previously seen behavior). It is used to classify any behavior that violates it as attacks. Anomaly based IDS detects new attacks but it produces false alarm for legitimate but previously unseen system behavior which is termed as false positives.
Honeypot systems are system's setup to gather information about an attacker or intruder into the system. A Honeypot is designed to catch would be attackers before they invade the real servers and services. The main idea of Honeypot is to setup an attractive system that appears to have some vulnerability for easy access to resources. Honeypots are setup not to capture the attacker but to monitor and learn from their actions, then find people how they search and use the system and how those exploitations can be prevented.
In this paper, we propose a framework, which accurately detect attacks in multi-tier web application. We present a new Intrusion Detection System based on analyzing user behavior and by analyzing the user input queries using Honeypot technique to reduce false positives in Dynamic web application. Honey pots are designed to check the activity of intruders, save log files and record events. By collecting such data, the Honeypots work to improve security.
IDS uses predefined knowledge to identify an attack, it doesn't have the capability to identify any new attacks, but a Honeypot gives a real-time approach on how the attack has happened, through which it will be possible to strengthen the system security.
2 Related Work
Ingress Filtering  and IPsec can prevent most spoofing DDoS attacks, if they are properly deployed. However, the management hassle and per-packet performance overhead are obstacles. Overhead may occur on mobile IP support, when an ingress filtering rules are adapted. In honeypot back propagation, filtering stats, only when a packet from an attacker is detected, based on destination address. Only when attack occurs, the honeypot back propagation scheme required light-weight per-packet filtering.
The SOS architecture  tackles the DoS attack in the context of a privet service with predetermined clients. It uses on overly network to hide the locations of a small number of proxy nodes (servelets) and allows only traffic from the servlets to enter the protected network. If a client requires an access to the overlay network it has to authenticate with any one of the access point (SOAPS), which routes each clients packet to one of the servelets using hash-based routing. Due to overhead of the overly routing, communication latency may increase upto 10 times. The work on this paper provides a more effective solution by avoiding overly routing and by taking action only when an attack occurs.
Packets marking [1, 12 and 14] and packets logging  are the two different approaches to the trace back problem. Even though, hierarchical trace back  with inter and intra-domain trace back mechanism is similar to the proposed hieratical honeypot back propagation approach, it triggers only upon the detection of packets from attackers.
The proactive server roaming scheme has been proposed in , where a prototype of the scheme is evaluated, and has been studied through simulation. The location of the honeypot is roaming within a pool of server, so as to make it difficult for attackers to direct their traffic away from the honeypots and to avoid detection. The scheme allows only k out of N series to be concurrently active where as the remaining N-K act as honeypot. The location at the current active server and the honeypot are changed according to a pseudo-random schedule shared among the servers and legitimate client. Therefore legitimate clients always send their service request to active servers whereas attack request may reach the honeypot. The source address of any request that hits a honeypot is black listed so that all future requests from this source are subsequently dropped. The source address is not blacklisted unless a full service handshake is recorded to ensure that it is not spoofed.
Several proposals have been made to cope with DDoS attacks even though neither of them solves the issue completely. Broadly the approaches can be categorized into two broad categories: mitigation of the impact/detection the attack and identification of the source of the attack. The first category includes measures as
(a) Filtering packets ,
(b) Disabling broadcasts and idle services
(c) Applying security patches .
The second area of proposals focuses on identifying the source of the DDoS attack. This problem of tracing back of such packets of data received considerable attention in the past: Bellovin's ITRACE  uses ICMP packets to verify the path of a small subset of selected forwarded packets. So, the victim may be able to locate the compromised slave.  use a packet marking scheme to enable the victim to trace back the real source of the packet.  enhance the scheme by reducing the number of markings by employing network topology maps. Finally,  propose a source path isolation engine in strategically located routers in order to enable victims to request the taken path of a given packet. However, all these mechanisms suppose that a large enough amount of networks implements them. How realistic this assumption is for the future cannot be fully answered currently.
3 State of Art
Honeypot is a unique system that is connected to the organization network in order to attract the attackers to get connects with them and from which it can learn their behavior, through which it is possible to identify any kind of new attacks. Furthermore it can be used to monitor behavior of an individual which gained access to the Honeypot. Honeypots are a unique tool to learn about the policy of hackers to compromise the system security.
Intrusion Detection System can be used as an extension of a Honeypot for improving their storage capabilities. The concept involved in Honeypot is that any packets or any traffic route to the Honeypot system is assumed that it was suspect for an attack. A system administrator cannot find any fault or attack sensation in their organization, he/she may get satisfied with the security they have for their organization, but by using Honeypot we can obtain the recorded information about an attack, which was failed to detect by the firewall.
IDS uses predefined knowledge to identify an attack, it doesn't have the capability to identify any new attacks by the blackhats, but a Honeypot gives a real-time approach on how the attack has happened, through which it will be possible to strengthen the security.
4 Proposed Method
In Computer world, Honeypot is the technology used to trap the attackers by learning their flow in attacking a system, though there are lot of attacks that can be detected, the distributed denial of service attack cannot be handled efficiently. A distributed denial of service attack uses multiple machines to prevent the legitimate use of a service. For example Stream of packets consuming a key resource, malformed packets confusing an application or protocol, overload the internet infrastructure. Thus by identifying these above mentioned abnormalities in the incoming packets, the honeypot can able to learn the distributed denial of service attack and handle it so efficiently.
Set up a Server and then fill it with attractive files. Build it hard but not impossible to crack into. After that sit and wait for the attackers to show up. Monitor them as they gambol around in the server. Trace their conversations and learn them like watching insects under a magnifying glass. The Honey pot system should appear as common system.
Fig. 1 Building Honeypot
In our analysis of existing research in the coping with DDoS, we looked for a generally applicable solution. The response to an incident should be independent of platform as the attack occurs across many different platforms within a network and should not assume the changes in a large part of the backbone network. Therefore, we propose a sys-tem that can be generally applied in each organization and relies on state-of-the-art technology. The vantages of this system are two-fold: First we can defend our operational network with a high probability against known DDoS and against new, future variants. Second, we trap the attacker so that recording of the compromise can help in a legal action against the attacker.
The devised system is a honeypot that lures the attacker to believe that he successfully compromised a slave for his needs. In reality, the honeypot learns the behavior of attacker. The lessons learned are then implemented in the rest of the network as defensive mechanisms.
The honeypot provides information about an organization. It should consist of similar systems and applications than the one used by the organization for its productive environment so to give the attacker a real world feeling and to be able to implement the learned lessons in the productive environment.
The depicted organization runs a well set up and maintained security infrastructure with classical elements and recent developments: Services such as web, mail, ftp services and DNS that should be accessible from the outside are situated in a demilitarized zone (DMZ). The local internal network (LAN) of the organization is in another zone protected by a firewall with adequate, up-to-date security appliances; even inside the LAN file transmission are always encrypted, the clients run trusted operating systems; the services are managed by an indirect authentication method. Furthermore, detection systems are running: host based intrusion detection systems (IDS) and vulnerability scanners, and network IDS together with network vulnerability scanners at the borders of the organization's network. The organization might operate virtual private net-works (VPN) with local subsidiaries and a public key infrastructure (PKI) for Intra-business Corporation. Standard mechanisms are used for protection of web and mail servers.
In this security infrastructure, we introduce a new system: a honeypot that should attract distributed denial-of-service attackers. This virtual system physically corresponds to a set of computing system or a network of such systems following the idea of the Honeynet project. The Honeynet is a conceptually upgrading of traditional honey-pots used for intrusion detection.
Our DDoS honeypot must fulfill the task to lure the attacker into employing this system as a compromised slave.
That's why the attacker's packet regardless of protocol should be handled by the honeypot while all other regular packets are forwarded to the legitimate destination (web server, mail server, client, e.g.). So, the honeypot should simulate the whole network of the organization to the attacker. Every system in the organization might be a honeypot. For example, if the attacker's compromise packets to the web server of the corporation are detected, the packets go to the honeypot for processing. The reply the attacker gets should be indistinguishable from a real reply of the web server.
Three major problems must be solved to successfully project this illusion to the attacker:
The attack must be detectable.
The attack packets must be actively directed to the honeypot.
The honeypot must be able to simulate the organization's network infrastructure, at least the parts known to the attacker.
The first issue is linked to the solution of the second problem: both should ideally be implemented by a transparent packet forwarder at the border of the corporation's DMZ. Its functionality is to look at each packet and decide if the packet belongs to a DDoS attack. If the test is negative, the packet should go to the given destination inside the DMZ or the LAN. In all other cases the packet forwarder should determine which part of the honeypot system should pro-duce the request. A possible setup of the honeypot could be that each Internet service of the corporation is replicated in one system of the honeypot. First experiments showed that the forwarder is a potential bottleneck in this setup. Therefore, we investigate currently different other setups with next generation routers for this issue.
The detection itself is done by efficiently matching signatures of DDoS packets. Currently, we employ similar signatures as the DDoS signatures, that can be able to detect know attacks with a large probability. However, this method has the drawback, although being very efficient, that new attacks are not detected until our system knows the signature.
Finally, the third problem can be solved by employing a variant of the Honeynet approach. Then, it should also be easier to simulate realistic confirmation messages to the attacker. The depicted warning system of the honeypots to the reflectors and the victim enables to play down eventual probes of the attacker to verify the success of the DDoS attack at these points.
In this paper, we described a promising tool for luring attackers into the belief of a successful DDoS attack. We showed how such a system can be used in depth real-world network environment. We identified different problems with the current realization and provided first solutions to cope with the scalability of the honeypot. Although our honeypot is still in its infancy, we achieved first promising results with the presented initial setup. Future work will consist of the development of a honeynet. Intrusion detection system using Honeypot technique can able to detect intrusions more accurately by analyzing the user behavior and by analyzing input queries in order to reduce the false positive rate in Dynamic web application. Honeypot gives a real-time approach on how the attack has happened, through which it will be possible to strengthen the security.