Robust Defence Mechanism Based On Web Server Computer Science Essay


Nowadays Distributed Denial of Service (DDoS) attacks can disrupt web services and cause huge losses. This essay describes a new, robust DDoS defence mechanism: a Three-Layer defence mechanism grounded on the web server. It uses statistical filtering and traffic limiting, combining the characteristics of web server traffic with the TCP/IP reference model, to filter illicit traffic at the network, transport and application layers. Most of the illicit traffic is filtered at the network layer by the Simplified Hop Count Filtering (SHCF) algorithm, the remainder is filtered at the transport layer by a SYN Proxy Firewall, and finally a traffic limit is applied at the application layer. With this mechanism, web services can be safeguarded under DDoS attack. Testing the mechanism in the Linux kernel shows that it can defend against DDoS attacks effectively.

Key Words: Infrastructure of DDoS attack, attack and defence methods of DDoS, methods of DDoS, overview of the Three-Layer Defence Mechanism, implementation and test.


DoS stands for Denial of Service: an attack that prevents legitimate users from using a network service or a computer system. Its large-scale extension is the Distributed Denial of Service (DDoS) attack. The attacker chooses a victim system and launches the attack indirectly through many compromised computers on the Internet. There are two types of victims: the system whose services are attacked is the "primary victim", and the compromised systems used to mount the attack are the "secondary victims". A DDoS attack causes major damage and strikes abruptly, because a large number of computers take part and send a huge volume of packets, which also makes the attacker hard to trace. In the words of Web Security: "A DDoS attack establishes a coordinated DoS attack by using a large number of computers against one or more targets." Because the attack is organised in a client/server fashion, its effect is multiplied and becomes very severe.

Infrastructure of DDoS attack:

Here I am going to explain the roles played by the attacker, master, slave and victim.

Attacker: An attacker is the one who sets up an attack against a particular victim using the DDoS attack infrastructure.

Master: A master receives the attack command from the attacker and forwards similar commands, using a particular signalling protocol, to a list of slaves. Masters are compromised hosts with DDoS master software installed.

Slave: A slave, after receiving the attack commands from its master, sends a large volume of malicious packets towards the victim.

Victim: In the DDoS attack model, the bandwidth of the attacked victim is consumed by the combined flood sent by the slaves.

Figure: Distributed Denial of Service Attack

Distributed Denial of Service Attack Methods:

Below are some of the methods used by attackers to coordinate and execute DDoS attacks. Attacks of this kind appeared on the Internet in February 2000. Over time, distributed tools such as Trinoo and TFN have become more advanced and thus more difficult to detect.

Trinoo: Communication between the attacker and the control master program takes place over TCP. The master program communicates with the attack daemons using UDP packets. Trinoo's attack daemons implement UDP flood attacks against the target victim.

Tribe Flood Network: Communication between the attacker and the control master program is done through a command line interface. Communication from the control master is carried in ICMP echo reply packets. TFN's attack daemons implement Smurf, SYN flood, UDP flood and ICMP flood attacks.

Distributed Denial of Service Defence Methods:

To secure a network and its neighbouring networks, there are many safety measures that a network or a host can take. These include:

Applying Security Patches:

Host computers must be kept up to date with the most recent security patches and techniques to defend against denial of service attacks.

Disabling Unused Services:

Disabling UDP echo helps against such attacks. Network services that are unused or unneeded must be disabled to avoid attacks.

Overview of the Three-Layer Defence Mechanism:

As the web is the core technology of e-commerce and the primary target of DDoS attacks, protecting web services is of dominant importance. For this purpose a new, robust mechanism is designed based on web services.

Figure: Three-Layer defence mechanism

It uses statistical filtering and traffic limiting, combining the characteristics of web server traffic with the TCP/IP reference model, to filter illicit traffic at the network, transport and application layers.

The fundamental idea behind this mechanism is to separate and protect legitimate traffic from the large volume of DDoS traffic when an attack occurs. The first step is to distinguish packets carrying a genuine source IP address from those carrying a spoofed address. This is done by the first-layer defence, based on the network layer, which uses Simplified Hop Count Filtering, and by the second-layer defence, based on the transport layer. In this way illicit traffic can be separated from normal traffic.

Still, attackers may also use their real IP addresses to send a huge volume of traffic to the victim. The second step is to prevent such attacks from consuming more than their share of system resources. This is done at the application layer, i.e. the third-layer defence.

The scheme performs equal bandwidth allocation among all clients and attackers that use legitimate IP addresses. Even with equal allocation, the attackers may still outnumber the legitimate clients and take away a large portion of the system bandwidth.

To counter this, a quota is imposed on the number of packets each client may send. Whenever a client exceeds this quota, it is suspected as a possible attacker and is given only a fraction of its fair share. In this way most of the system resources can be assured to go to the legitimate clients.

Design of Three-Layer Mechanism:

Here the defence methods of the network layer, transport layer and application layer are described.

Defence Method on Network Layer:

This layer uses the SHCF algorithm, which removes a large amount of unwanted spoofed IP packets and identifies legitimate clients using the first 24 bits of the source IP address taken from the IP header. The principle behind SHCF is that most spoofed IP packets arriving at the victim do not carry hop-count values consistent with the IP addresses being spoofed.

For each web server, an SHCF table is created by aggregating the observed IP addresses according to their first 24 bits, and the minimum hop count of all IP addresses within a 24-bit network prefix is used as the hop count of that network. Once the table is built, each arriving source IP address is reduced to its 24-bit prefix, and the actual hop count of the packet is compared with the one saved in the SHCF table. Because 24-bit aggregation does not preserve the exact hop count of every address, a packet is only treated as spoofed when its hop count differs from the stored value by more than two.
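The SHCF table lookup described above, as an added example that is not part of the essay: it assumes, as in classic hop-count filtering, that the hop count of a packet is inferred from its received TTL by subtracting it from the nearest common initial TTL (32, 64, 128, 255); the sample addresses and TTLs are constructed.

```python
# Added example (not the essay's code): simplified hop-count filtering keyed on /24 prefixes.
# Assumption: hop count = nearest common initial TTL at or above the observed TTL, minus the TTL.
import ipaddress

INITIAL_TTLS = (32, 64, 128, 255)
TOLERANCE = 2  # the essay treats a packet as spoofed only when hop counts differ by more than two

def hop_count(ttl):
    """Infer the number of hops travelled from the TTL observed at the web server."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def prefix24(ip):
    """Aggregate a source address to its 24-bit network prefix, e.g. '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def build_shcf_table(observed):
    """Build the SHCF table from (ip, ttl) pairs seen in normal operation: minimum hop count per /24."""
    table = {}
    for ip, ttl in observed:
        key = prefix24(ip)
        hc = hop_count(ttl)
        table[key] = min(hc, table.get(key, hc))
    return table

def is_spoofed(table, ip, ttl):
    """True when the packet's inferred hop count deviates from its /24 entry by more than TOLERANCE.
    Prefixes absent from the table are not judged here; the later layers handle that traffic."""
    key = prefix24(ip)
    if key not in table:
        return False
    return abs(hop_count(ttl) - table[key]) > TOLERANCE

# Constructed learning sample: clients in 203.0.113.0/24 are 10 to 12 hops away (initial TTL 64).
LEARNED = build_shcf_table([("203.0.113.5", 54), ("203.0.113.9", 52), ("203.0.113.20", 53)])

def filter_packets(packets, table=LEARNED):
    """Return only the (ip, ttl) packets that pass the network-layer check."""
    return [(ip, ttl) for ip, ttl in packets if not is_spoofed(table, ip, ttl)]
```

A packet claiming 203.0.113.77 but arriving with TTL 108 implies 20 hops (initial TTL 128), far from the stored 10, and is dropped; one with TTL 53 implies 11 hops and passes.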

Defence Method on Transport Layer

This layer uses a SYN Proxy Firewall algorithm to remove the remaining unwanted IP packets.

SYN Proxy is a firewall-based protection approach in which every packet bound for a host behind the firewall is analysed first; based on that analysis, decisions about its authenticity are made and the necessary actions are taken to protect the internal host.

In this scheme, when a TCP connection request is made, the firewall answers on behalf of the server. Only after the three-way handshake has been completed successfully does the firewall contact the host and establish a second connection.

Under a SYN flood, the firewall answers the SYNs sent by the attacker. As the attacker's final ACK never arrives, the firewall terminates those half-open connections. When the firewall does receive a final ACK from a genuine client, it makes a new connection to the internal host on behalf of that client. Once the connection is established, the firewall acts as a proxy and translates the sequence numbers in the packets that flow between the client and the server.
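The SYN proxy behaviour described above, as an added example that is not the essay's or any firewall's code: an in-memory state machine that answers SYNs with its own initial sequence number, opens the backend connection only on a matching final ACK, expires half-open entries after a timeout, and translates sequence numbers between the proxy's and the server's number spaces. The timeout value, the flow key and the backend ISN source are assumptions.

```python
# Added example (not the essay's code): SYN proxy state machine with sequence-number translation.
import random

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

class SynProxy:
    """Answers client SYNs on the server's behalf; only a completed handshake reaches the host."""
    def __init__(self, timeout=3, backend_isn=lambda: random.getrandbits(32)):
        self.half_open = {}    # flow -> (client_isn, proxy_isn, opened_at)
        self.established = {}  # flow -> delta = server_isn - proxy_isn (mod 2**32)
        self.timeout = timeout         # assumed half-open lifetime in seconds
        self.backend_isn = backend_isn  # assumed: ISN the internal host picks on the 2nd handshake

    def on_syn(self, flow, client_isn, now):
        """Reply SYN-ACK with a proxy-chosen ISN; nothing is sent to the internal host yet."""
        proxy_isn = random.getrandbits(32)
        self.half_open[flow] = (client_isn, proxy_isn, now)
        return ("SYN-ACK", proxy_isn, (client_isn + 1) % MOD)

    def on_ack(self, flow, ack, now):
        """A valid final ACK completes the handshake and opens the second connection to the host."""
        entry = self.half_open.pop(flow, None)
        if entry is None:
            return "DROP"  # no handshake in progress for this flow
        client_isn, proxy_isn, opened_at = entry
        if ack != (proxy_isn + 1) % MOD:
            return "DROP"  # ACK does not acknowledge the proxy's SYN-ACK
        server_isn = self.backend_isn()
        self.established[flow] = (server_isn - proxy_isn) % MOD
        return "ESTABLISHED"

    def expire(self, now):
        """Discard half-open entries whose final ACK never arrived; returns how many were dropped."""
        stale = [f for f, (_, _, t) in self.half_open.items() if now - t > self.timeout]
        for f in stale:
            del self.half_open[f]
        return len(stale)

    def translate_from_server(self, flow, seq):
        """Server -> client: rewrite the server's sequence number into the proxy's number space."""
        return (seq - self.established[flow]) % MOD

    def translate_to_server(self, flow, ack):
        """Client -> server: rewrite the client's acknowledgement number into the server's space."""
        return (ack + self.established[flow]) % MOD
```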

Defence Method on Application Layer

Attackers might sometimes pose as legitimate clients and send legitimate HTTP requests to consume the bandwidth of the targeted system. At this layer, a traffic limit algorithm is used to protect against attacks that use genuine IP addresses.

This problem is addressed by having the firewall carry out a fair bandwidth allotment among all clients and attackers that use authentic IP addresses. The system sets a quota "q" such that the chance of a legitimate transaction sending more than "q" packets is very small. When an IP address sends more than "q" packets, it is given only one tenth of its fair share. This effectively limits the amount of bandwidth attackers can consume. The quota "q" should be set according to the normal transaction behaviour profiled at the protected web site.
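The quota-based fair allocation described above, as an added example that is not the essay's code: it derives "q" from a constructed profile of normal transaction sizes, then allocates one interval's capacity equally among source IPs and cuts any IP that exceeded "q" to one tenth of its share. The capacity unit, the percentile used for profiling and the traffic sample are assumptions.

```python
# Added example (not the essay's code): application-layer traffic limit with a per-client quota q.
from collections import Counter

def profile_quota(normal_tx_sizes, percentile=0.99):
    """Pick q from profiled normal transactions so that a legitimate one rarely exceeds it
    (assumed rule: the given percentile of observed packets-per-transaction)."""
    s = sorted(normal_tx_sizes)
    idx = min(len(s) - 1, int(percentile * len(s)))
    return s[idx]

def allocate(packet_counts, capacity, q):
    """Admit packets per source IP for one interval.

    Every IP gets an equal share of `capacity`; an IP that sent more than q packets is
    suspected as an attacker and receives only one tenth of its share (the essay's rule).
    Returns {ip: packets admitted}."""
    n = len(packet_counts)
    if n == 0:
        return {}
    fair_share = capacity / n
    admitted = {}
    for ip, sent in packet_counts.items():
        share = fair_share / 10 if sent > q else fair_share
        admitted[ip] = min(sent, share)
    return admitted

def count_sources(packet_sources):
    """Per-IP packet counts for one interval from a sequence of source addresses."""
    return Counter(packet_sources)

# Constructed profile of packets per normal web transaction, and one constructed interval in which
# two legitimate clients send 20 packets each while two attackers with real IPs send 5000 each.
NORMAL_TX = [10, 12, 15, 20, 22, 25, 30, 40, 50, 60]
INTERVAL = (["203.0.113.5"] * 20 + ["203.0.113.9"] * 20
            + ["198.51.100.7"] * 5000 + ["198.51.100.8"] * 5000)

def demo(capacity=1000):
    """Run one interval through the limiter and return (q, admitted-per-IP)."""
    q = profile_quota(NORMAL_TX)
    return q, allocate(count_sources(INTERVAL), capacity, q)
```

With four sources and a capacity of 1000 packets, each fair share is 250: the legitimate clients get everything they sent, while each attacker is held to 25 packets.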


To keep up with packet processing and preserve the efficiency of the proposed system, one module is implemented inside the Linux network card driver, while the transport-layer and application-layer defence methods are implemented inside netfilter, as shown in the flow chart below.

Test and Conclusion

A test scenario is built to measure performance against DDoS attacks. Hosts 1 and 2 act as legitimate clients, while hosts 3 and 4 act as attackers. The web server and the defending system are configured with CPU P4 2.4G, Memory 512M, OS Fedora Core 4 and the Apache web server; the other hosts are configured with CPU Celeron 2.4G, Memory 256M and OS Windows XP SP2.

Without the defence system

Hosts 1 and 2 can reach the web server when hosts 3 and 4 are not attacking.

Hosts 1 and 2 cannot reach the web server while hosts 3 and 4 are carrying out DDoS attacks.

With the defence system

While hosts 3 and 4 are carrying out DDoS attacks, hosts 1 and 2 connect to the web server and can reach it without delay.

This test is repeated several times and the results are plotted in a graph.

As the graph shows, the defending system removes 98.56% to 98.91% of the illicit traffic.

Hence, the Three-Layer defence mechanism based on the web server can sustain the availability of the web server under DDoS attack.