Preventing Denial of Service Attacks, by N.V.Krishna Rao (08034D0501). Under the supervision and guidance of Dr. S.Durga Bhavani (Internal Guide) and S.V.S.Hanumantha Rao (External Guide).

ABSTRACT (MDAF Scheme): This project proposes a scheme for detecting and preventing the most harmful and difficult-to-detect DoS attacks, those that use IP address spoofing to disguise the attack flow. The scheme allows the system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely detected. The MDAF scheme scans the marking field of all incoming packets to selectively filter out the attack packets. Under this marking scheme, when a packet arrives at its destination, its marking depends only on the path it has traversed. If the source IP address of a packet is spoofed, the packet must carry a marking that differs from that of a genuine packet coming from the same address. The spoofed packets can thus be easily identified and dropped by the filter, while the legitimate packets containing the correct markings are accepted.

Existing System: Approaches for Defending DoS Attacks
- Preventive: Proactive Server Roaming Scheme
- Source Tracking: Packet Marking Schemes (Probabilistic Packet Marking (PPM), Deterministic Marking Approach (DPM)); Message Traceback Method; Logging; Traffic Observation Method
- Reactive Defense Solutions: Path Identifier scheme (Pi); Pushback method; D-WARD; Packet Score; Neighbor Stranger Discrimination (NSD)

Proposed System:
- Distinguishing the Attack Packets
- Learning Phase
- Filtering Phase
- Marking Verification
- Attack Detection
- Complete Filtering Scheme
- Route Change Consideration
- Pushback Implementation

Distinguishing the Attack Packets

Marking Scheme, marking algorithm run by each router R:

    k <- a 16-bit random number, secretly maintained by the router
    M(R) <- k XOR h(A)            (A is the router's IP address, h a 16-bit hash)
    For each packet w {
        If w.ID = 0 Then
            w.ID <- M(R)          (first marking router on the path)
        Else {
            M_old <- w.ID
            M_new <- M(R) XOR SL(M_old)
            w.ID <- M_new
        }
    }

Learning Phase: The (IP-address, Marking) pairs are stored in a Filter Table, which is later used to verify each incoming packet and filter out the spoofed ones.

Filtering Phase: A packet from an IP address recorded in the Filter Table is accepted if it carries a consistent marking; otherwise it is dropped. A packet from a new IP address is accepted with probability p, and its (IP-address, Marking) pair is put on a Check List so that the marking can be verified.

Marking Verification: If an unknown IP address keeps producing a consistent marking until the threshold value is reached, its (IP-address, Marking) pair is moved from the Check List to the Filter Table.

Attack Detection: The server maintains a counter known as TMC. It is incremented for each packet with an incorrect marking and for each packet from an unknown source address that is not yet recorded. When the counter reaches the threshold value, an attack is signaled.

Complete Filtering Scheme:
1) If the (IP-address, Marking) pair matches one of the records in the Filter Table, the packet is received.
2) If the source IP address of the packet exists in the Filter Table but the marking does not match, the packet is considered to be a spoofed packet and is dropped. TMC is incremented.
3) If the source IP address does not appear in the Filter Table, the packet is accepted with a probability p. TMC is incremented.
4) If the TMC value exceeds the threshold, an attack is signaled.
5) All echo reply messages that are received as responses to the firewall's requests are handled by the Check List verification process. They are not passed through the filter.

Pushback Implementation: In the Pushback method, the victim of a DoS attack sends the signatures of the attack to upstream routers and asks them to help filter out these packets.

Route Change Consideration: A counter SMC_A counts the number of mismatching packets for any IP address A. When the value of SMC_A reaches a threshold value, the entry (A, Marking_A) is copied to the Check List to test whether the route from this source has changed.
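The complete filtering scheme, the marking verification step and the SMC-based route-change check described above, as an added example written for this page in Python (it is not the project's own Java code). The MdafFilter class, its counter and threshold names, the Packet type and the thresholds are this example's assumptions; the marking values 41184, 37992, 38112 and 38768 are taken from the result screens and the IP addresses are constructed. The rule numbers in the comments refer to the numbered steps of the Complete Filtering Scheme.

```python
import random
from dataclasses import dataclass


@dataclass
class Packet:
    """A packet as the server sees it: source address plus the 16-bit path marking
    carried in the IP Identification field. Values are constructed for the example."""
    src_ip: str
    marking: int
    echo_reply: bool = False  # True for replies to the firewall's verification requests


class MdafFilter:
    """Server-side filter for the MDAF scheme: Filter Table, Check List, TMC and SMC
    counters (hypothetical implementation written for this example)."""

    def __init__(self, p=0.5, tmc_threshold=5, verify_threshold=3,
                 smc_threshold=3, rng=None):
        self.p = p                                # acceptance probability for unknown sources
        self.tmc_threshold = tmc_threshold        # TMC value above which an attack is signaled
        self.verify_threshold = verify_threshold  # consistent echo replies needed to trust a source
        self.smc_threshold = smc_threshold        # per-source mismatches before a route-change check
        self.rng = rng or random.Random(1)        # seeded so runs are reproducible
        self.filter_table = {}   # ip -> marking (None blocks every packet from that ip)
        self.check_list = {}     # ip -> [candidate marking, consistent replies seen]
        self.smc = {}            # ip -> mismatch count for route-change consideration
        self.tmc = 0
        self.attack_signaled = False
        self.attack_signatures = []  # (ip, marking) of dropped packets, sent upstream by pushback

    def learn(self, ip, marking):
        """Learning phase: record (IP-address, Marking) pairs seen in normal traffic."""
        self.filter_table[ip] = marking

    def _bump_tmc(self):
        self.tmc += 1
        if self.tmc > self.tmc_threshold:
            self.attack_signaled = True  # rule 4

    def handle(self, pkt):
        """Apply the complete filtering scheme; returns 'accept' or 'drop'."""
        if pkt.echo_reply:  # rule 5: verification traffic bypasses the filter
            return self._verify(pkt)
        if pkt.src_ip in self.filter_table:
            stored = self.filter_table[pkt.src_ip]
            if stored == pkt.marking:
                return "accept"  # rule 1
            # rule 2: known address, wrong marking -> spoofed (or the route changed)
            self._bump_tmc()
            self.attack_signatures.append((pkt.src_ip, pkt.marking))
            if stored is not None:
                self._count_mismatch(pkt)
            return "drop"
        # rule 3: unknown address -> probabilistic acceptance plus verification
        self._bump_tmc()
        self.check_list.setdefault(pkt.src_ip, [pkt.marking, 0])
        return "accept" if self.rng.random() < self.p else "drop"

    def _count_mismatch(self, pkt):
        """Route Change Consideration: SMC counts mismatches per source; at the threshold
        the (A, new marking) pair is copied to the Check List to be verified."""
        self.smc[pkt.src_ip] = self.smc.get(pkt.src_ip, 0) + 1
        if self.smc[pkt.src_ip] >= self.smc_threshold:
            self.check_list[pkt.src_ip] = [pkt.marking, 0]
            self.smc[pkt.src_ip] = 0

    def _verify(self, pkt):
        """Marking Verification: after verify_threshold consistent echo replies the
        pair moves from the Check List to the Filter Table (new or updated entry)."""
        entry = self.check_list.get(pkt.src_ip)
        if entry is None:
            return "drop"
        if entry[0] != pkt.marking:
            return self.verification_failed(pkt.src_ip)
        entry[1] += 1
        if entry[1] >= self.verify_threshold:
            self.filter_table[pkt.src_ip] = entry[0]
            del self.check_list[pkt.src_ip]
        return "accept"

    def verification_failed(self, ip):
        """Unverifiable source (no or inconsistent replies): store a null marking so
        every later packet from it is dropped, as the project's mark table does."""
        self.check_list.pop(ip, None)
        self.filter_table[ip] = None
        return "drop"


if __name__ == "__main__":
    f = MdafFilter(p=1.0, tmc_threshold=3, verify_threshold=2)
    f.learn("10.0.0.1", 41184)                      # client1 learned in the learning phase
    print(f.handle(Packet("10.0.0.1", 41184)))      # accept: consistent marking
    print(f.handle(Packet("10.0.0.1", 37992)))      # drop: spoofed source, marking differs
    print(f.handle(Packet("10.0.0.2", 500)))        # accept with p, goes to the Check List
    print(f.tmc, f.attack_signaled, f.attack_signatures)
```

The verification step only succeeds when echo replies come back from the real owner of the address with the same marking the first packet carried, which is why a spoofed sender cannot talk its way into the Filter Table, and the SMC path is what lets a legitimate client whose route changed (38112 to 38768 in the screens) be re-learned rather than permanently dropped.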

Software Requirements:
- WINDOWS/LINUX OS
- J2SE 5.0
- MS ACCESS

Hardware Requirements:
- Intel Pentium based micro-processor with a minimum speed of 500MHz or higher
- RAM memory of 256MB or higher
- Network Interface Card (NIC)

Use Case diagram

Class Diagram

Sequential diagram

Collaboration diagram

Scheme Topology for packet flow Scheme Topology for packet flow in Route change consideration.

The results of this project are illustrated with screens for the following tasks:
1. In the Learning Phase, adding the new Client1 to the marking table.
2. Authentication of user packets.
3. In the Filtering Phase, handling the new Client2 with the verification process using the check table.
4. Preventing the attacker performing a spoofed attack with Client2's IP address.
5. Preventing the attacker performing a randomized attack.
6. Preventing the attacker performing a flood attack.
7. Illustrating the attack signal and the processing of only legitimate user packets.
8. Showing the decrease in the probability of acceptance of packets from a new IP address.
9. Route change consideration for Client1 using the SMC table and path marking.

Learning Phase: Client 1 sending a packet.

Learning Phase: Client1 window showing the Data transmission from Client1 to router1.

Learning Phase: Router1 window showing the marking value and the details of Data Transmission to Router6.

Learning Phase: Router6 window showing the marking value and the details of Data Transmission to server

Learning Phase: Server window showing the packet acceptance details, packet details and authentication.

Learning Phase: Client 1 window showing input data and the server response message with the authentication message.

Learning Phase: Mark table reflecting the addition of Client 1 IPaddress and marking

Learning Phase: Login table showing the Client 1 authentication details

Learning Phase: Client 1 window showing the sending multiple packets and its authentication responses

Learning Phase: Server window showing the spoofed details, packet details and authentication details.

Filtering Phase: Client2 window showing sending a packet.

Filtering Phase: Client2 window showing echo message responses and adding of record to mark & login tables after the verification process in filtering phase.

Server window showing the Client 2 packet details, adding to Checklist and sending the echo packets in verification process in filtering phase.

Filtering Phase: Server window showing the Client 2 packet details, echo packets and adding record to Mark table and login table after verification process

Check table with the Client 2 path marking in Filtering Phase – verification process

Mark table reflecting the addition of Client 2 path marking in filtering phase.

Attacker window showing the spoofing of Client2's IP address and the sending of data packets (Spoofed Attack).

Router6 window showing the details of sending the spoofed data packet to Server and showing the marking value (37992) which is different from the actual value (41184).

Server window showing the spoofed packet details, whose marking value differs from the actual marking value stored in the mark table for that IP address, and the packet details.

Attacker window performing the Randomized Attack.

Server window showing packet details in Filtering phase - verification process, the IP address accepted and stored in checklist for the verification.

Server window showing the deletion of the record from Check list

Mark table showing the fake IP address with the special symbol (null) so that all packets coming from that IP address are filtered.

Attacker window performing the Flood Attack.

Mark table showing the fake IP address with the special symbol (null) so that all packets coming from that IP address are filtered.

Attacker window showing the flood packets transmission

Server window showing the Attack Signal

Server window showing Push back method implementation

Router6 implementing the packet filtration after push back method implementation.

Client2 (legitimate user) window showing data packets authentication and acceptance of the packet after pushback method implementation

Router6 forwarding only the legitimate user packets after push back implementation.

Server window showing the processing only legitimate user packets after push back method implementation.

Attacker performing Randomized attack

Router6 forwarding only legitimate user packets and filtering the fake IP address packets.

Server window showing the processing only legitimate user packets after push back method implementation.

Client3 window showing the details of Data Transmission.

Router6 showing the filtration of the packet after push back method implementation

Server processing only legitimate user packets after push back implementation.

Client1 window showing the details of sending data packet through router5 instead of Router1.

Route change consideration: Router5 window showing the details of Data Transmission to Router6 and marking value.

Route change consideration: Server window showing the denial of packet due to the difference in the marking value that is recorded in mark table for this IP address

Route change consideration: SMC table reflecting the addition of Client 1 path marking with IP address and count.

Route change consideration: Check table reflecting the Client1 new path marking and its count in verification process

Route change consideration: Mark table reflecting the Updating of Client 1 path marking (38112 to 38768).

Route change consideration: Client1 window showing the updating of record in Mark table.

Route change consideration: Server window showing the updating of record in Mark table.

Conclusion: The MDAF scheme can distinguish the attack packets (containing spoofed source addresses) from the packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. Under this marking scheme, when a packet arrives at its destination, its marking depends only on the path it has traversed. If the source IP address of a packet is spoofed, the packet must carry a marking that differs from that of a genuine packet coming from the same address. The spoofed packets can thus be easily identified and dropped by the filter, while the legitimate packets containing the correct markings are accepted.

Future Enhancements: In future the following enhancements can be made:
- Making the packet marking more effective.
- Router intelligent systems can be implemented to identify the route changes.
- This scheme can be implemented with Web servers.


DoS Attacks: Denial-of-service (DoS) attacks have the sole purpose of reducing or eliminating the availability of a service provided over the Internet to its legitimate users. This is achieved either by exploiting vulnerabilities in software, network protocols or operating systems, or by exhausting consumable resources such as the bandwidth, computational time and memory of the victim. The first kind of attack can be avoided by patching vulnerable software and updating the host systems from time to time. The second kind of DoS attack is much more difficult to defend against: it works by sending a large number of packets to the target, so that some critical resources of the victim are exhausted and the victim can no longer communicate with other users.

IP Spoofing: A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. The attacker uses a variety of techniques to find the IP address of a trusted host and then modifies the packet headers so that it appears to the victim that the packets are coming from that trusted host.

Preventive Defense:
- The preventive schemes aim at improving the security level of a computer system or network, thus preventing attacks from happening or enhancing the resistance to attacks.
- Such solutions are generally costly, and it is difficult for them to really prevent attacks.

Source Tracking:
- The source-tracking schemes aim to track down the sources of attacks, so that punitive action can be taken against them and further attacks can be avoided.
- A problem with these solutions is that the reconstruction of the attack path becomes quite complex and expensive when there are a large number of attackers. These solutions are designed to take corrective action after an attack has happened and cannot be used to stop an ongoing DoS attack.

Reactive Solutions:
- The reactive measures for DoS defense are designed to detect an ongoing attack and react to it by controlling the flow of attack packets to mitigate the effects of the attack.
- The success of the reactive schemes depends on a precise differentiation between good packets and attack packets (containing spoofed source addresses), and they must ensure that packets from legitimate users are not dropped.

Preventive Defense: Proactive Server Roaming Scheme: The Proactive Server Roaming Scheme belongs to this category. The system is composed of several distributed homogeneous servers, and the location of the active server changes among them using a secure roaming algorithm. Only the legitimate users know the server's roaming time and the address of the new server. All connections are dropped when the server roams, so that the legitimate users can get service at least at the beginning of each roaming epoch, before the attacker finds out the active server again.

Source Tracking: Packet Marking Schemes: In Probabilistic Packet Marking (PPM), the routers insert path information into the Identification field of the IP header of each packet with a certain probability, such that the victim can reconstruct the attack path from these markings and thus track down the sources of offending packets. In the Deterministic Marking Approach (DPM), only the address of the first ingress interface a packet enters, instead of the full path the packet passes (as used in PPM), is encoded into the packet.

Message Traceback Method: In the message traceback method, routers generate ICMP traceback messages for some of the received packets and send them along with those packets. By combining the ICMP packets with their TTL differences, the attack path can be determined. Some factors are considered when evaluating the value of an ICMP message, such as how far the router is from the destination, how quickly the packet is received after the beginning of the attack, and whether the destination wishes to receive it.

Logging: Logging means recording packet information at routers. The path to the attacker can be determined by the routers exchanging this information with each other.

Traffic-Observation Method: The traffic-observation method determines the attack path by observing the rate change of attack traffic. During an attack, based on knowledge of the Internet topology, the victim floods an incoming link with an excessively large number of packets, so that the attack traffic will be reduced if it comes from this link. By performing this link test recursively, the attacker can finally be found.

Reactive Solutions: Path Identifier Scheme (Pi): This scheme uses the idea of packet marking to filter out the attack packets instead of trying to find the source of such packets. It uses a path identifier (Pi) to mark the packets; the Pi field in the packet is divided into several sections and each router inserts its marking into one of them. Once the victim knows the marking corresponding to attack packets, it can filter out all such packets coming through the same path.

Pushback method: The Pushback method generates an attack signature after detecting congestion and applies a rate limit to the corresponding incoming traffic. This information is then propagated to upstream routers, which help to drop such packets, so that the attack flow is pushed back.

D-WARD: D-WARD is designed to be deployed at the source network. It monitors the traffic between the internal network and the outside and looks for communication difficulties by comparing against predefined normal models. A rate limit is imposed on any suspicious outgoing flow according to how offensive it is.

PacketScore scheme: The PacketScore scheme estimates the legitimacy of packets and computes scores for them by comparing their attributes with normal traffic. Packets are filtered at attack time based on the score distribution and the congestion level of the victim.

Neighbor Stranger Discrimination (NSD): In the NSD approach, NSD routers perform signing and filtering functions besides routing. The approach divides the whole network into neighbors and strangers. If the packets from a network reach the NSD router directly without passing through other NSD routers, that network is a neighbor network. Two NSD routers are neighbor routers to each other if the packets sent between them do not transit other NSD routers. Therefore, a packet received by an NSD router must come either from a neighbor network or from a neighbor router. Each NSD router keeps a list of the IP addresses of its neighbor networks and a list of the signatures of its neighbor routers. If a packet satisfies neither of the two conditions, it is regarded as illegitimate and dropped.

Marking Scheme: The mark made by a router is a function of its IP address. To fit the 32-bit IP address A of a router into the 16-bit ID field, the scheme employs a hash function h that converts A to a 16-bit value. The scheme adopts the CRC-16 hash function, which is easy to compute and has a low collision rate. Since attackers can easily learn the routers' IP addresses, they could spoof the marking on a packet if they knew the hash function used by each router. To prevent such spoofing of the marking, each router R uses a 16-bit key KR (a random number chosen by the router) when computing its marking. The marking for a router R is calculated as MR = h(A) XOR KR, where A is the IP address of the router. After receiving a packet, the router computes the marking M = MR XOR Mold if an old marking Mold exists in that packet, and replaces Mold with M.
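The per-router marking described here, and the marking algorithm given on the Distinguishing the Attack Packets slide, as an added example written for this page in Python (not the project's Java code). It assumes CRC-16/ARC (polynomial 0x8005, reflected) as the CRC-16 variant, combines the old marking by plain XOR as this slide states (the SL() transform in the pseudocode slide is not defined on the page, so it is not modelled), and uses constructed router addresses and keys; the Router class, crc16 and mark_along_path are names chosen for this example.

```python
import ipaddress


def crc16(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005 reflected as 0xA001, init 0, no final XOR): the
    'CRC-16' hash h that folds a 32-bit router address into the 16-bit ID field."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


class Router:
    """A marking router with address A and a 16-bit secret key K_R (constructed)."""

    def __init__(self, address: str, key: int):
        self.address = address
        self.key = key & 0xFFFF  # K_R is known only to this router

    def mark(self) -> int:
        """M_R = h(A) XOR K_R; without K_R anyone knowing A could forge this."""
        return crc16(ipaddress.ip_address(self.address).packed) ^ self.key

    def forward(self, id_field: int) -> int:
        """Marking algorithm: a packet with ID = 0 receives M_R; otherwise the old
        marking M_old is replaced by M_R XOR M_old (assumed plain-XOR form)."""
        if id_field == 0:
            return self.mark()
        return self.mark() ^ id_field


def mark_along_path(path, id_field: int = 0) -> int:
    """Value of the ID field after the packet has traversed every router in path."""
    for router in path:
        id_field = router.forward(id_field)
    return id_field


if __name__ == "__main__":
    # Constructed topology: client1 normally enters at R1 and exits through R6;
    # a sender spoofing client1's address enters at R5 instead, so the server
    # sees a different path marking for the same source address.
    r1 = Router("10.1.0.1", 0x1234)
    r5 = Router("10.5.0.1", 0x5555)
    r6 = Router("10.6.0.1", 0xABCD)
    genuine = mark_along_path([r1, r6])
    spoofed = mark_along_path([r5, r6])
    print(f"genuine path marking: {genuine}, spoofed path marking: {spoofed}, "
          f"distinguishable: {genuine != spoofed}")
```

Because the combination is XOR, the final marking is simply the XOR of the per-router marks on the path, so it depends on which routers were traversed and not on the sender; the filter at the server only has to compare that 16-bit value against the one learned for the source address.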
