Keywords

1 Introduction

Distributed denial-of-service attacks are a critical threat to the internet. DDoS attackers generate a huge amount of requests to victims through compromised computers (zombies), with the aim of denying normal service or degrading of the quality of services [1]. Internet was primarily designed to facilitate communication and was not designed in a way to give security to such communications. Hence, the network has a lot of scope of being attacked. DoS attacks are growing at a rapid speed, and they are becoming distributed and highly sophisticated. The astounding fact to know is that a DDoS attack can be launched at a minimum of $20. With the help of botnet, DDoS attack can be implemented by sending a few packets by each compromised system. It, hence, becomes difficult to differentiate between legitimate and illegitimate traffic. There are many schemes to tackle these attacks like DPM, PPM, FDPM, and information theory. Several detection schemes exist. Like a technique which prioritizes packets based on a score which estimates its legitimacy given the attribute values it carries and based on this score, selective packet discarding is carried out [2]. Another method was the one in which traffic is analyzed only at the edge routers of an Internet service provider (ISP) network [3, 4]. This framework is able to detect any source-address-spoofed DDoS attack, no matter whether it is a low-volume attack or a high-volume attack. We will be discussing about information theory and linear packet marking technique in this paper and its advantages over conventional DPM and PPM. We will also talk about some of the techniques from which we can prevent our system to be a part of the botnet. Entropy can measure the variations of randomness of flows on a given local router [5]. Based on such variations, a DDoS attack can be detected. If the difference between the entropy and mean is greater than a threshold value, then there is an attack.

2 Related Work

2.1 Node Append

This is the simplest method of marking to trace the attacker. In this method, we continue appending the information about the router in the header of the packet. The disadvantage is the overhead on the packet header and insufficient space to accommodate so many routers [5].

2.2 Node Sampling

This was introduced to solve the problem of storage overhead. The packets are marked depending on the probability chosen at random [5]. Either 0 or 1, can be chosen, so the probability is 0.5. A node once marked is not marked again. The problem lies when it becomes difficult to know which node will mark the packet and a high number of packets are required to trace back the attack.

2.3 Edge Sampling

Authors sent the packet with some probability p and overcome the shortcoming in node sampling about the distance from the destination by introducing d. When the packet is marked, it is updated to 0 and is incrementally increased with every decrease in ttl [5]. Once a packet is marked, it is not marked again. \(p(1 - p) \wedge (d - 1)\) where d is the number of hops away from the destination.

Let x be the number of packets then

$$E(X) = ln(d)/p(1 - p) \wedge (d - 1)$$
(1)

The disadvantage of this technique is that we need many packets to trace the route and in case of multiple attackers, this technique is not that robust.

2.4 Probabilistic Packet Marking

This is basically the extension of edge sampling. There is not enough space in the packet header to store the 32-bit address of the router. The value of the router in the fields is fragmented so that it is less used by the router. It can even be applied after or during the attack with no additional router storage problems [6] as in case of logging.

2.5 Deterministic Packet Marking

This is almost similar to PPM but as in PPM, the authors mark the packets based on a probability, and in deterministic packet marking, we mark all the packets passing through the network [2]. Using IP address of the router, packets are marked. The problem occurs in case of IP spoofing, where the attackers can spoof their IP address making it difficult to reach the correct router.

2.6 Linear Packet Marking

This scheme needs the number of packets almost equal to the hops traversed by the packet [3]. In this trace back scheme, the ID field value is divided by the number of hops. The remainder, thus, obtained is the value of the hop that will mark the packets. Like all packet marking schemes, it also needs an attack to be alive and trace backing to the source itself creates a DoS while performing the attack. In this scheme, the authors use TTL value to decide the hop count and the value in the ID field at the router to decide whether to mark the packet or not.

2.7 Entropy Variation

Entropy can measure the variations of randomness of flows on a given local router [7]. Based on such variations, a DDoS attack can be detected. In case of an attack, the actual source can be found by submitting the requests to upstream routers and finally reaching the source. The advantage lies in the fact that it does not require the attack to be alive, can differentiate between legitimate and illegitimate users efficiently, and does not require any marking. The problem in this technique comes in case of trace back when a request is made to all upstream routers in order to identify the source.

3 Analysis of a Random and Flow-Based Model

We found out that the maximum hops that a packet travels before reaching the destination is 25. A simulation is done using the tracert command and the same is shown in Figs. 1 and 2. The algorithm that we are using for detecting whether a DoS or a DDoS is happening or is it a surge in the legitimate traffic is explained in Algorithm 1, and the algorithm we are using for marking the packet for successful IP trace back is explained in Algorithm 2.

Fig. 1
figure 1

Tracing the route of Facebook.com

Full size image
Fig. 2
figure 2

Tracing the route of Google

Full size image

3.1 Algorithm Used for This Work Are

Algorithm 1: To determine the threshold time after which we monitor if there is an attack.

Start from 1 time unit after which we will check for an attack and increase the time exponentially. The next time interval after which we monitor the attack will be 2 units. So the time intervals are increasing like this 1, 2, 4…

A threshold value is formed based on past experiment and trends keeping in mind (based on different kinds of networks for different purposes like in an airline website, No. of visits during festivals or holidays increases to many folds):

Different months

Days

Seasons (summer, winter, spring, rainy, etc.) Festivals (can be included in months)

Weekly

On reaching this threshold value, we start increasing the time interval additively instead of exponentially, i.e., now, time interval increases by 1 time unit…

$${\text{k}},{\text{k}} + 1,{\text{k}} + 2\ldots$$

If there as an attack at any point, mitigate it, reduce the threshold value to half of the time interval, and reduce the time to 1 unit again and repeat the process.

Algorithm 2: To detect an attack due to high number of packets being sent by a few attackers, local router is the router taken into consideration. Upstream routers are the routers just above the local router. A flow is defined as fij <ui, dj, t>: ui is an upstream router, dj is the destination address, and t is the current time.

The algorithm is as follows [8]:

  1. 1.

    Initialize C0, δ0 with some experimental value.

  2. 2.

    Identify the flows f1, f2, f3 … fn and set count number of each flow to zero, x1 = 0, x2 = 0, x3 = 0 …, xn = 0 (count number is basically the number of times a particular flow (having same upstream router and timestamp) occurs in a given time).

  3. 3.

    When time interval used to monitor the traffic (as described in the above algorithm) is over, calculate the probability distribution and entropy variation as follows:

$$pj = xj\,*\,(\sum\limits_{j = 1}^{n} x ) - 1$$
(2)
$$h = - \sum\limits_{j = 1}^{n} {pj\,{ \log }(pj)}$$
(3)
  1. 4.

    Save x1, x2 … xn and H(F).

  2. 5.

    If there is no dramatic change of the entropy variation H(F), |H(F)-C| <= δ update mean and the standard variation is

$$C[t] = \sum\limits_{j = 1}^{n} {\alpha j\,*\,C[t - j],\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,} \sum\limits_{j = 1}^{n} {\alpha j = 1,}$$
(4)
$$\delta [t] = \sum\limits_{j = 1}^{n} {\beta j\,*\,\delta [t - j],\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,} \sum\limits_{j = 1}^{n} {\beta j = 1,}$$
(5)
  1. 6.

    Go to step 2.

  2. 7.

    If |H(F)-C| > δ, then the attack is possible.

  3. 8.

    Now if pi * log(pi/qj) > 0.2 (where qj is another flow), then it is a legitimate traffic. Otherwise, it is an attack.

Algorithm 3: We are implementing the algorithm based on the assumption that a packet on an average takes only 25 hops to reach the destination [6]. The steps of marking are as follows: on the arrival of a packet, we will apply our packet marking algorithm. Then, based on the algorithm, we will see to mark the packet or leave it unmarked and finally forward it on the network [2]. We use ID field of the ipv4 to store the unique identification number of the router, as well as the maximum hop distance from the destination. A diagram of the complete header is given in Fig. 3. Distance is calculated using the ttl value of the packet that tells the maximum time the packet can stay on the network.

Fig. 3
figure 3

IPv4 header

Full size image
figure a

We simulated our detection Algorithm 1 using Wireshark. We edited our files by converting them into text format using editcap, modifying the header using tcprewrite, used multithreading to make the capturing and detection modules run together, and tcpreplay to resend the packets. Combining all such concepts in C programming on a Linux platform, we were able to implement our algorithm. The calculations are shown below. The detailed algorithm is explained in Fig. 4.

Fig. 4
figure 4

Flow diagram

Full size image

The simulation of Algorithm 2 is shown using ns2. The changes are made in the header of the trace file. The data needed is saved in .tr file and is extracted for analyzing using the awk script on the desired columns.

figure b

4 Conclusion and Future Work

4.1 Conclusion

The conclusions drawn from the paper are that DoS and DDoS attack are a great threat to the internet. Packet marking techniques are costly to implement and are difficult to predict at an early stage. Moreover, we need the attack to be alive to trace back to the origin of the attack. The entropy variation technique is thus a relatively new technique for the detection of DDoS and DoS attack and there is a steep learning curve for the whole organization, for both users and administrators. Packet marking techniques, on the other hand, are more mature, well documented, and easy to understand.

For the people who are not familiar with the technology used for information theory should adopt to packet marking techniques for the reason stated above and wait for the information theory to become more mature.

4.2 Future Work

In future, we would like to implement these techniques on the public and private cloud setup and compare the results of our algorithm with the results of the existing techniques. We would also check the scalability and the fault tolerance of the algorithm in both the types of cloud that is public as well as private cloud.