
International Journal of Advance Foundation and Research in Computer (IJAFRC) Volume 2, Issue 6, June - 2015. ISSN 2348 – 4853

DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application

Dr. V. Naga Lakshmi 1

Professor and HOD, Department of Computer Science, GITAM University, Visakhapatnam. Andhra Pradesh, India Email-id: vn_lakshmi8@yahoo.com

Shameena Begum 2

Assistant Professor, Department of IT, Sasi Institute of Technology & Engineering, Tadepalligudem, Andhra Pradesh, India Email-id: sameenazm@gmail.com

ABSTRACT

Any web application or server requires a Distributed Denial of Service (DDoS) protection service in order to achieve high security against various attacks. Client-server applications play a major role in applications such as healthcare, supporting distributed applications while reducing cost and executing on high-performance computing devices. The distributed system in a client-server application is exposed to many security risks, including DDoS. These client-server applications are based on HTTP connections. Thus, our aim is to make HTTP-based connections less vulnerable to all possible DDoS attacks. The system incorporates Source Checking, Counting, Attack Detection and Prevention modules together with a Turing test module to detect malicious nodes. In this paper we propose a multi-stage detection system which includes cache-based information Turing tests and question generation pool Turing tests to challenge suspicious intruders more effectively and efficiently. The proposed system is executed to check its efficiency and to judge how effectively it is able to mitigate DDoS traffic from the network.

Keywords: DDoS, Turing test, Question generation, VC (virtual cluster).

I. INTRODUCTION
A. DDoS Attack in Network

Distributed Denial of Service (DDoS) is currently the main concern in network security [1]. DDoS attacks control various machines all around the network; these controlled machines are called zombies. The main aim of a DDoS attack is to prevent a legitimate user from accessing network resources or services on the victim server, so that the user cannot reach services such as web or email. DDoS attacks mainly target network availability, i.e. network bandwidth and the server's computing capability. An attack is launched by producing a huge volume of traffic in the network, which interrupts network services. It is, however, difficult to distinguish DDoS traffic from normal traffic in the network. DDoS attacks are therefore treated as a serious issue in network security and may cause serious loss to any organization.


To address DDoS attacks, previous works [2-5] aimed at minimizing DDoS attack traffic and mitigating its effect on the network.

B. Types of DoS Attacks

Generally, DDoS attacks are classified into two main categories. The first consumes the maximum bandwidth in the network in order to break it. The second is resource depletion, which uses up CPU, network resources and services so that users are not able to access the network resources. An attack generally begins from various sources and focuses on a single target. These attacks are given below:

• SYN Flood Attack: These attacks target TCP-based network services. They harass the server, which leads to a system crash [6].
• TCP Reset Attack: These attacks use the properties of the TCP protocol. The attacker listens to the TCP connection and sends a fake TCP RESET packet to the victim. As a result, the victim closes its TCP connection [7].
• ICMP Attack: These attacks use ICMP echo request packets against the victim and start via ping. Attackers use ICMP datagrams to produce this type of attack [8].
• UDP Storm Attack: These attacks are produced over UDP connections. When a connection is made between two parties, they generate a large number of packets on the network, and this causes the attack.
• DNS Request Attack: These attacks are produced using UDP-based DNS requests and consume network bandwidth. Attackers use a spoofed source IP address to communicate with the server [9].
• CGI Request Attack: In this attack, an attacker sends CGI requests to the server which use huge CPU resources. The result of this attack is that the services of the server are shut down.
• Mail Bomb Attack: In this attack, an attacker sends a very large amount of mail to the target server, which can be tough for the server to handle. Due to this attack the server can stop working.
• ARP Storm Attack: This attack is produced by a huge number of ARP requests to the target system, which can badly affect it.
• Algorithmic Complexity Attack: A class of low-bandwidth DDoS attacks that exploit algorithmic deficiencies in the worst-case performance of algorithms used in many mainstream applications.
• Spam Attack: This type of attack targets organizations as well as public users. A huge amount of mail is sent from the attacker side at one time.

C. Client-Server Application

A client-server application is an application in which a client can request access to services or available resources on a remote server. A wireless local area network (WLAN) is an application in which two or more systems or devices are connected through an access point. Users can move around within the network coverage, and within that coverage the system remains connected via a wireless connection. Various current WLANs are based on IEEE 802.11 standards, marketed under the Wi-Fi brand name. It is a type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes [10].

II. RECENT RELATED WORK

Fei Wang, Xiaofeng Hu and Jinshu Su [11] suggested an unfair rate limiting mechanism for handling DDoS attacks, focusing on traffic increasing patterns. In the proposed work, they categorized port-flows into three subsets with decreasing priorities. In the simulation, the port-flows most likely to contain DDoS attack traffic were compressed most. To avoid the drawback of LoURL, they presented CoURL to enhance DDoS mitigation in an efficient manner. They demonstrated outstanding performance for their approach.

Md.Khamruddin and Dr Ch. Rupa [12] proposed an approach to detect various types of DDoS attacks. In their approach, the load on the victim machine is balanced by replicating servers. To mitigate the traffic on the victim machine, the attack signature is pushed back to upstream routers. The main goal of their mechanism is to mitigate the traffic on the victim machine so that legitimate users get the services from the remote server.

Yonghong Chen et al. [13] modeled a network DDoS intrusion detection approach based on pre-processing network traffic with a prediction method, together with chaos theory. Their approach detects an anomaly whether it is caused by a burst of legitimate traffic or by a DDoS flooding attack. They used a neural network to differentiate DDoS attacks from unusual traffic. Their results were based on the DARPA network traffic data and showed that the DDoS detection method achieved high detection probabilities.

B.S. Kiruthika Devi et al. [14] described the classification of attacks and effective online traffic monitoring. They measured performance metrics such as Latency, Link utilization and Throughput. They used the IBRL approach to reduce the attack traffic so that legitimate users were able to send their packets without any congestion. The research design and execution were carried out on a simulated testbed. The experimental results showed that rate limiting was efficient in protecting a network from DDoS attacks. As future enhancements they suggested weight-based performance metrics to group the impact of DDoS attacks and quantify it at various attack strengths.

Jin Wang et al. [15] explained two DDoS detection approaches for web applications, both based on large deviation theory: LD-IID and LD-MP. LD-IID characterized a user's access actions with an experimental click-ratio distribution, and used large deviation to estimate the deviation of each continuous user's access actions from the prior click-ratio distribution of a website. LD-MP captured the connection between the web pages a user accessed in sequence. The proposed approach used large deviation theory to estimate the consistency of a user's experimental access actions with the website's prior access actions. In the results, LD-IID detected web app-DDoS precisely, yet the one-order Markov process gives LD-MP high false negatives.

III. PROBLEM STATEMENT

A. The main issue is to keep the DDoS mitigation system relevant against the growing number of attackers.

B. When attackers get control of a User Datagram Protocol (UDP) service such as a domain name server, the user is not able to access the services from the remote server.

C. The mentioned methodology was not very cost effective.

D. Some research did not focus on packet loss in DDoS mitigation systems.

IV. RESEARCH METHODOLOGY

The proposed system architecture is shown in Figure 1. A packet coming from the user side arrives at the Source Checking and Counting Module, where the user is verified. If the user is suspicious, the user is redirected to the Cache-Based Turing Module. In the Cache-Based Turing Module, the user is verified by the server through the user's cache information saved in a temporary file on the user's system. The Detection section is used for finding any other DDoS attack. The Source Checking and Counting Module takes care of all the essential information regarding attack detection. Moreover, there is a Question Generation module which is also used for DDoS prevention.

A. Source Checking and Counting Module

This module serves as a coordinator for the other modules. It consists of the Source Checking Module and the Counting Module.

1. Source Checking Module

This module is responsible for categorizing packets based on their status and acts as a coordinator for the other modules. Using this module, packets are categorized into the following lists:

Black list: The Source Checking Module verifies the user's address. If it exists in the black list database, the packet with that address is blocked. Otherwise, the packet is sent to the pink list or the white list.

Pink list: Packets are verified again by the Cache Based Turing Test, which checks whether the packet is suspicious or not based on cache information. If the packet is suspicious, it is sent to the black list; otherwise it is sent to the white list.


White list: Only authorized user addresses are stored in this list, after complete verification by the Cache Based Turing Test.

2. Counting Module

The Counting Module stores the source and destination addresses of a packet. It also stores the arrival time of the request. The Counting Module is disabled by default. Whenever a suspicious packet is identified by the DDoS Attack Detection Module, that module changes its state from disabled to enabled. The Counting Module resets its values periodically.

Figure 1: Packet Flow in the Proposed DDoS system

[Diagram labels: Lists (Black, White), Source Checking, DDoS Attack Detection, VC, Caching Based Turing Test, Question Generation]

B. DDoS Attack Detection Module
The main aim of this module is to find suspicious sources and send their addresses to the black list repository. Moreover, a given source is authorized by the Cache-Based Turing Module by challenging the source with a question. Detecting a suspicious source takes four steps, which are given below:

1. Stage 0: The detection module acts in monitor mode, observing source actions and collecting statistics in the form of the average and maximum number of connections, incoming packets and incoming bytes per second. The stored data represents each VC's network behaviour and can be used for identifying suspicious sources.

2. Stage 1: The Stage 0 process keeps running to gather instantaneous VC traffic data for identifying malicious sources. For each virtual controller, the attack detection module compares the current traffic value with the previously stored statistic. If the current traffic value is greater than the previous statistic, the detection status moves to Stage 2 and the Counting Module is enabled to count the incoming traffic of that particular virtual controller.

3. Stage 2: Four essential parameters are used, which are given below:

• TH: The maximum threshold value. This value can be the connection set established between the virtual controller and the user.
• NUM_Period: A threshold that applies when the packets sent by a user exceed the given threshold value. In this case the DDoS Attack Detection Module adds that IP address to the Pink list database. After that, authentication is carried out by the Cache-Based Turing Module.
• MXTH: A threshold that applies when the number of connection time is greater than MXTH. In that condition the IP address is added to the Pink list database at the same time if its value is 90% of the Apache server's performance or of TH.
• Node_TH: A threshold that applies when the number of IP source connections is greater than the given limit. In that condition the system immediately switches 50% of the IP connections to the Pink list database. This must be done to avoid congestion on the virtual controller; otherwise the system may crash.

There may be a condition in which no IP is added to the Pink list for the NUM_Period value. In this situation the DDoS Attack Detection Module status moves back to Stage 1 and the Counting Module becomes disabled.

4. Stage 3: In this stage the traffic from or to the virtual controller is so large that it takes 90-95% of the virtual controller's inbound or outbound network bandwidth. Any analysis in this situation may make the system busier or lead to a crash. To avoid this, the public IP is added to the destination block list to block the incoming HTTP connections coming from the user. The public IP of the virtual controller stays on the list, and incoming HTTP connections stay blocked, until its traffic is down. Until then the traffic is switched to the Cache-Based Turing section, where authentication of the client happens.
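
The stages above can be read as a small state machine per virtual controller. The following Python code is an added example, not the authors' Java implementation; the warm-up length, the per-period units, the choice of the busiest half of the sources for Node_TH and the sample traffic are assumptions, and MXTH is left out.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Detector:
    th: int          # TH: connections one source may open per period (assumed reading)
    node_th: int     # Node_TH: distinct sources tolerated per period
    num_period: int  # NUM_Period: periods without a new pink-list entry before fallback
    capacity: int    # VC bandwidth in bytes per period (assumed unit)
    warmup: int = 3  # periods of Stage 0 statistics before comparing (assumption)
    stage: int = 0
    counting: bool = False    # Counting Module, disabled by default
    vc_blocked: bool = False  # Stage 3: VC public IP on the destination block list
    quiet: int = 0
    history: list = field(default_factory=list)  # connections per period (Stage 0)
    pink: set = field(default_factory=set)

    def observe(self, conns):
        """Feed one period of traffic, a list of (source_ip, nbytes); return the stage."""
        if sum(n for _, n in conns) >= 0.9 * self.capacity:
            # Stage 3: link nearly saturated, so block instead of analysing.
            self.stage, self.vc_blocked = 3, True
            return self.stage
        if self.stage == 3:
            # Traffic is down: lift the block and resume monitoring.
            self.vc_blocked, self.counting = False, False
            self.stage = 1 if len(self.history) >= self.warmup else 0
        if self.stage == 0:
            self.history.append(len(conns))
            if len(self.history) >= self.warmup:
                self.stage = 1
        elif self.stage == 1:
            if len(conns) > max(self.history):
                # Current traffic exceeds the stored statistic: enable counting.
                self.stage, self.counting, self.quiet = 2, True, 0
                self._count(conns)
            else:
                self.history.append(len(conns))  # Stage 0 collection keeps running
        else:
            self._count(conns)
        return self.stage

    def _count(self, conns):
        """Stage 2: per-source counting and pink-listing."""
        per_source = Counter(ip for ip, _ in conns)
        suspects = {ip for ip, c in per_source.items() if c > self.th}
        if len(per_source) > self.node_th:
            # Node_TH exceeded: move 50% of the sources (busiest first) to the pink list.
            suspects |= {ip for ip, _ in per_source.most_common(len(per_source) // 2)}
        new = suspects - self.pink
        self.pink |= new
        self.quiet = 0 if new else self.quiet + 1
        if self.quiet >= self.num_period:
            # Nothing pink-listed for NUM_Period periods: back to Stage 1.
            self.stage, self.counting = 1, False


def period(n_normal, flood=0):
    """Constructed traffic: n_normal clients with one connection each, plus one flooder."""
    conns = [(f"10.0.0.{i}", 500) for i in range(n_normal)]
    return conns + [("203.0.113.9", 500)] * flood


def demo():
    d = Detector(th=5, node_th=20, num_period=2, capacity=100_000)
    stages = [d.observe(period(4)) for _ in range(4)]    # Stage 0 warm-up, then Stage 1
    stages.append(d.observe(period(4, flood=10)))        # spike: Stage 2, flooder pink-listed
    stages += [d.observe(period(4)) for _ in range(2)]   # two quiet periods: back to Stage 1
    stages.append(d.observe(period(4, flood=200)))       # saturation: Stage 3
    return stages, sorted(d.pink), d.vc_blocked
```
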

5. Cache-Based Turing

Cache-based verification is a technique that needs little effort and includes a secure server-side service. It enables the user to be verified through a secure server, although a number of service transactions are needed and it includes a small amount of secure data migration. As a result, this technology is secure as well as reliable. This Turing test is done to obtain information about the user rapidly. The destination address stores a number of other secure destinations (3n 3 ). The user is asked to give access to these destination addresses. If it is found there, it is moved from the black list to the white list.


Figure 2: Authenticating User on Basis of White Pink and Black List Concept

[Diagram labels: Sender, Service Provider, Black/White List, First Attempt, Pink List, Other Attempt, Black List, Limited Service, Full verification (Cache Based Turing Verification), White List, Full Service]

[Diagram labels: Server, Existing Server, Data in Cache, User]

The Cache-based Turing test consists of the following steps:

Step 1: The server connects to the user and gets the existing user's connection in the cache on a secure server side. [Diagram labels: Server, User, Data in Cache]

Whenever a user wants a service, it is processed in request-response form. The request from the user hits the server, where user verification is done. At this stage, the server looks for information stored in the cache on the user's system. This cache information is stored in text format as a temporary file in the system directory, where the data is stored in the form of name-value pairs. The information filled in by the user is matched against this cache data. When the information in the cache correctly matches the information filled in by the user, the user is authorized to access the legitimate service.

Step 2: The server contacts the existing server with the credential received from the user. [Diagram labels: Server, Existing Server]

In this stage the user is verified with the help of the existing server. The existing server has already verified the user through cache information stored in the system.

Step 3: The existing server verifies once again against the user data present in the cache. [Diagram labels: Existing Server, Data in Cache]

Step 4: The existing server gives the status to the server. According to the status received, the server decides whether or not to share with the user, and then updates the cache once again.
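
The list transitions of Figure 2 and the cache comparison of Step 1, as an added Python example that is not the authors' code. It assumes that any source not yet on the white or black list is challenged, that a second failed attempt puts the source on the black list, and that the cache file holds one name=value pair per line; the addresses and cache content are constructed.

```python
import hmac


def parse_cache(text):
    """Parse the temporary cache file: one name=value pair per line (assumed layout)."""
    pairs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            pairs[name.strip()] = value.strip()
    return pairs


class SourceChecker:
    def __init__(self):
        self.black, self.pink, self.white = set(), set(), set()
        self.failures = {}  # failed verification attempts per source

    def triage(self, ip):
        """Source Checking Module: decide how a packet from ip is handled."""
        if ip in self.black:
            return "drop"
        if ip in self.white:
            return "full-service"
        self.pink.add(ip)  # unknown or suspicious: challenge before serving
        return "challenge"

    def verify(self, ip, submitted, cache_text):
        """Cache-Based Turing check: match user-filled values against the cache."""
        cached = parse_cache(cache_text)
        # An empty cache never verifies; values are compared in constant time.
        ok = bool(cached) and submitted.keys() == cached.keys() and all(
            hmac.compare_digest(submitted[k].encode(), cached[k].encode())
            for k in cached
        )
        if ok:
            self.pink.discard(ip)
            self.failures.pop(ip, None)
            self.white.add(ip)
            return "white"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= 2:
            # "Other attempt" in Figure 2: repeated failure ends on the black list.
            self.pink.discard(ip)
            self.black.add(ip)
            return "black"
        self.pink.add(ip)  # "First attempt": stays on the pink list
        return "pink"


# Constructed cache content and answers for the demonstration.
CACHE = "name=alice\nvisited=portal.example\n"
GOOD = {"name": "alice", "visited": "portal.example"}
BAD = {"name": "alice", "visited": "wrong"}


def demo():
    sc = SourceChecker()
    return [
        sc.triage("198.51.100.7"),              # new source is challenged
        sc.verify("198.51.100.7", GOOD, CACHE),  # matches the cache
        sc.triage("198.51.100.7"),              # verified source skips the challenge
        sc.verify("203.0.113.9", BAD, CACHE),    # first failed attempt
        sc.verify("203.0.113.9", BAD, CACHE),    # second failed attempt
        sc.triage("203.0.113.9"),               # black-listed source is dropped
    ]
```
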

V. RESULT AND DISCUSSIONS

This work is implemented using NetBeans 6.8 and the Spring Tool Suite IDE, with Apache Tomcat 7.0 running as the web server. We use Java SE, Servlets and HTML as the web technology. For the robot attack, we use Swing. The results and discussion are described below:


Figure 3: Verifying User through Answering Question

In Figure 3 the user is verified by answering the security question. If the user gives the correct answer, the user is able to log in successfully. In the case of a wrong answer, the user does not get access to log in.

Figure 4: Successfully login by user

In Figure 4, the user has given the correct answer. Thus he/she is authorized for further services.


Figure 5: Access Denied for Wrong Answer

In Figure 5, the user has given a wrong answer. Thus the user is not authorized to log in and is not able to get the services for further use.

Figure 6: Authorized user successfully login

In Figure 6, an already verified user wants to register. In this case, the user logs in directly without any security question.


Figure 7: User blocked for wrong answering

In Figure 7, user 5 again wants to log in but gives a wrong answer. In this case, the user is blocked permanently.

Figure 8: Register and Blocked User

Figure 8 shows the list of registered users and the list of blocked users.

VI. CONCLUSION

This paper presented a multi-stage detection system which includes cache-based information Turing tests and question generation pool Turing tests to challenge suspicious intruders more effectively and efficiently. In this paper, we identified the attacker through cache information. Users have to answer the security question at the time of logging in. Once the user gives the correct answer to the given security question, she/he is able to log in successfully and can use the further services. In the case of a wrong answer by an attacker, the user is not able to log in and hence access to further services is denied. Thus each time a verified user logs in, she/he is able to use the further services. Wrong answering by an attacker results in the user being blocked permanently. Thus only verified users have access to the given services.

VII. REFERENCES

[1] The top five DDoS attacks of 2011. [Online]. Available: http://www.itbusinessedge.com/slideshows/show.aspx?c=92910
[2] M. Goldstein, M. Reif, A. Stahl, and T. Breuel, “High performance traffic shaping for DDoS mitigation,” in Proceedings of the 2008 ACM CoNEXT Conference, ser. CoNEXT ’08. ACM, 2008.
[3] X. Liu, X. Yang, and Y. Lu, “To filter or to authorize: Network-layer DoS defense against multimillion-node botnets,” in ACM SIGCOMM, 2008.
[4] S. H. Khor and A. Nakao, “DaaS: DDoS mitigation-as-a-service,” in Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the Internet, ser. SAINT ’11. IEEE Computer Society, 2011, pp. 160–171.
[5] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,” ACM Comput. Surv., vol. 39, April 2007.
[6] S. M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, “Proactive Server Roaming for Mitigating Denial-of-Service Attacks,” in Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE’03), pp. 286-290, Aug. 2003.
[7] Robert Vamosi, “Study: DDoS attacks threaten ISP infrastructure,” Online at http://news.cnet.com/8301-1009_3-10093699-83.html, CNET News, Nov. 2008.
[8] Internet World Stats, Internet User Statistics – The Big Picture: World Internet Users and Population Stats, http://www.internetworldstats.com/stats.htm.
[9] A. Yaar, A. Perrig, and D. Song, “PI: A path identification mechanism to defend against DDoS attacks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 93-109, May 2003.
[10] Mofreh Salem, Amany Sarhan and Mostafa AbuBakr, “A DOS Attack Intrusion Detection and Inhibition Technique for Wireless Computer Networks”, ICGST-CNIR, Volume (7), Issue (I), July 2007.
[11] Fei Wang, Xiaofeng Hu and Jinshu Su, “Unfair Rate Limiting for DDoS Mitigation Based on Traffic Increasing Patterns”, IEEE, 2012.
[12] A. Md.Khamruddin and B. Dr Ch. Rupa, “A Rule Based DDoS Detection and Mitigation Technique”, Nirma University International Conference on Engineering, 2012.
[13] Yonghong Chen, Xinlei Ma, Xinya Wu, “DDoS Detection Algorithm Based on Preprocessing Network Traffic Predicted Method and Chaos Theory”, IEEE Communications Letters, VOL. 17, NO. 5, MAY 2013.
[14] S. Kiruthika Devi, G. Preetha, S. Mercy Shalinie, “DDoS Detection using Host-Network based Metrics and Mitigation in Experimental Testbed”, IEEE, 2012.
[15] Jin Wang, Xiaolong Yang, Keping Long, “Web DDoS Detection Schemes Based on Measuring User’s Access Behavior with Large Deviation”, IEEE Globecom, 2011.