Download Packet Marking Schemes

Preventing Denial of Service Attacks
by
N.V.Krishna Rao (08034D0501)
Under Supervision and Guidance of
Dr. S.Durga Bhavani
(Internal Guide)
S.V.S.Hanumantha Rao
(External Guide)
Abstract(MDAF Scheme):
It proposes a scheme for detecting and preventing the most harmful and difficult
to detect DoS Attacks those that use IP address spoofing to disguise the attack
flow.
The scheme is based on a firewall that can distinguish the attack
packets(containing spoofed source addresses) from the packets sent by legitimate
users, and thus filters out most of the attack packets before they reach the victim.
The scheme allows the firewall system to configure itself based on the normal
traffic of a Web server, so that the occurrence of an attack can be quickly and
precisely detected.
The MDAF scheme employs a firewall at each of the perimeter routers of the
network to be protected and the firewall scans the marking field of all incoming
packets to selectively filter-out the attack packets. On employing this marking
scheme, when a packet arrives at its destination, its marking depends only on the
path it has traversed. If the source IP address of a packet is spoofed, this packet
must have a marking that is different from that of a genuine packet coming from
the same address. The spoofed packets can thus be easily identified and dropped
by the filter, while the legitimate packets containing the correct markings are
accepted.
Marking Scheme:
The mark made by a router would be a function of its IP address. To fit the 32-bit IP address A of
a router into the ID field, scheme employ a hash function h that converts A to a 16-bit
value. This scheme adopt the CRC-16 hash function which is easy to compute and has low
collision rate. Since attackers can easily know the routers’ IP addresses, they can spoof the
marking on a packet if they know the hash function used by each router.
To avoid such spoofing of the marking, each router R uses a 16-bit key KR (which is a random
number chosen by the router) when computing its marking. The marking for a router R is
calculated as MR = h(A) XOR KR, where A is the IP address of the router. After receiving a
packet the router computes the marking M = MR XOR Mold, if an old marking Mold exists in
that packet, and replaces Mold with M.
Filtering Scheme:
Complete Filtering Scheme:
1) If the (IP-address, Marking) pair is same with one of the records in the
Filter Table, the packet is received.
2) If the source IP address of the packet exists in theFilter Table, but the
marking does not match, this packet is considered to be a spoofed packet and
is dropped. TMC is incremented.
3) If the source IP address does not appear in the Filter Table, then this
packet is accepted with a probability p. TMC is incremented.
4) If the TMC value exceeds the threshold, an attack is signaled.
5) All echo reply messages that are received as responses to the firewall’s
requests are handled by the Check List verification process. They are not
passed through the filter.
DoS Attacks:
The denial-of-service(DoS) attacks whose sole purpose is to
reduce or eliminate the availability of a service provided over the
Internet, to its legitimate users. This is achieved either by exploiting the
vulnerabilities in the software, network protocols, or operation systems, or by
exhausting the consumable resources such as the bandwidth, computational
time and memory of the victim.
The first kind of attacks can be avoided by patching-up vulnerable
software and updating the host systems from time to time. The second kind
of DoS attacks are much more difficult to defend. This works by sending a
large number of packets to the target, so that some critical resources of the
victim are exhausted and the victim can no longer communicate with other
users.
IP Spoofing :
A technique used to gain unauthorized access to computers, whereby
the intruder sends messages to a computer with an IP address indicating
that the message is coming from a trusted host. A hacker uses a variety of
techniques in IP Spoofing, to find an IP address of a trusted host and then
modify the packet headers so that it appears to victim that the packets are
coming from that trusted host.
Approaches for Defending DoS
Attacks
Preventive
Defense
Source Tracking
Reactive
Solutions
Proactive Server Roaming Scheme Packet Marking Schemes
Path Identifier scheme (Pi)
Probabilistic Packet Marking(PPM)
Pushback method
Deterministic Marking Approach(DPM) D-WARD
Message Traceback Method
Packet Score
Logging
Neighbor StrangerTraffic Observation Method
Discrimination (NSD)
• Preventive Defense:
- The preventive schemes aim at improving the security level of a computer system
or network, thus preventing the attacks from happening, or enhancing the
resistance to attacks.
- Such solutions are generally costly and difficult to really prevent attacks
• Source Tracking:
- The source-tracking schemes aim to track-down the sources of attacks, so that
punitive action can be taken against them and further attacks can be avoided.
- A common problem existing in these solutions is that the reconstruction of attack
path becomes quite complex and expensive when there are a large number of
attackers(i.e. for highly distributed DoS attacks). These types of solutions are
designed to take corrective action after an attack has happened and cannot be
used to stop an ongoing DoS attack
• Reactive Solutions:
- The Reactive measures for DoS defense are designed to detect an ongoing
attack and react to it by controlling the flow of attack packets to mitigate the
effects of the attack.
- The success of the reactive schemes depends on a precise differentiation
between good and attack packets (containing spoofed source addresses) and must
ensure that packets from legitimate users are should not dropped.
Preventive Defense:
Proactive Server Roaming Scheme:
A Proactive Server Roaming Scheme belongs to this category. This
system is composed of several distributed homogeneous servers and the
location of active server changes among them using a secure roaming
algorithm. Only the legitimate users will know the server’s roaming time and
the address of new server. All connections are dropped when the server
roams, so that the legitimate users can get services at least in the beginning
of each roaming epoch before the attacker finds the active server out again.
Source Tracking:
Packet Marking Schemes:
Probabilistic packet marking (PPM), in which the routers insert path
information into the Identification field of IP header in each packet with
certain probability, such that the victim can reconstruct the attack path using
these markings and thus track down the sources of offending packets.
Deterministic Marking Approach (DPM), in which only the address of the first
ingress interface a packet enters instead of the full path the packet passes
(as used in PPM) is encoded into the packet
Message Traceback Method:
In the message traceback method,routers generate ICMP traceback
messages for some of received packets and send with them. By combining
the ICMP packets with their TTL differences,the attack path can be
determined.Some factors are considered to evaluate the value of an ICMP
message, such as how far is the router to the destination ,how quick the
packet is received after the beginning of attack, and whether the destination
wishes to receive it.
Logging:
Logging is to record packet information at routers. The path to the
attacker can be determined by the routers exchanging information with each
other.
Traffic-Observation Method:
The Traffic-Observation method is to determine the attack path by
observing the rate change of attack traffic. During an attack, basing on the
knowledge of the Internet topology, the victim floods an incoming link with
excessively large numbers of packets, so that the attack traffic will be
reduced if it comes from this link. By performing the link test recursively, the
attacker can be finally found out.
Reactive Solutions:
Path Identifier Scheme (PI):
This scheme uses the idea of packet marking for filtering out the attack
packets instead of trying to find the source of such packets. This scheme
uses a path identifier (Pi) to mark the packets; the Pi field in the packet is
separated into several sections and each router inserts its marking to one of
these. Once the victim has known the marking corresponding to attack
packets, it can filter out all such packets coming through the same path.
Pushback method:
The Pushback method generates an attack signature after detecting a
congestion, and applies a rate limit on corresponding incoming traffic. This
information is then propagated to upstream routers, and the routers
help to drop such packets, so that the attack flow can be pushed back.
D-WARD :
D-WARD is designed to be deployed at the source network. It monitors
the traffic between the internal network and outside and looks for the
communication difficulties by comparing with predefined normal models. A
rate limit will be imposed on any suspicious outgoing flow according to its
offensive.
PacketScore scheme:
A PacketScore scheme estimates the legitimacy of packets and computes scores
for them by comparing their attributes with the normal traffic. Packets are filtered at
attack time basing on the score distribution and congestion level of the victim.
Neighbor Stranger Discrimination (NSD):
In the Neighbor Stranger Discrimination (NSD) approach, NSD routers perform
signing and filtering functions besides routing. It divides the whole network into
neighbors and strangers. If the packets from a network reach the NSD router directly
without passing through other NSD routers, this network is a neighbor network .Two
NSD routers are neighbor routers to each other if the packets sending between them do
not transit other NSD routers. Therefore, a packet received by an NSD router must
either from a neighbor networks, or from a neighbor router. Each NSD router keeps an
IP addresses list of its neighbor networks and a signatures list of its neighbor routers. If
a packet satisfies neither of the two conditions, it is looked as illegitimate and dropped.
Proposed System:
• Distinguishing the Attack Packets
• Learning Phase
• Filtering Phase
• Marking Verification
• Attack Detection
• Complete Filtering Scheme
• Route Change Consideration
• Pushback Implementation
•
Distinguishing the Attack Packets
Marking Scheme:
•
•
•
Marking algorithm:
k <- a 16-bit random number, secretly maintained by the Router
M(R) <- k XOR h(A)
For each packet w
{
If W.ID = 0 Then
w.ID <- M(R)
Else
{
M_old <- w.ID
M_new <- M(R) XOR SL(M_old)
w.ID <- M_new
}
}
Learning Phase
The (IP-address, Marking) pairs are stored in a Filter Table, which are later used to verify
each incoming packet and filter-out the spoofed ones.
Filtering Phase
To the packet from an IP address recorded in the Filter Table, it is accepted if it has a
consistent marking otherwise, it is dropped . For the packet from a new IP address,
scheme accept it with probability p and put the (IP-address, Marking) pair to a Check
List, so that the marking can be verified.
Marking Verification
If there is a consistent marking from unknown IP address till the threshold value then
the (IP-address, Marking) from check table is moved to Filter table.
•
Attack Detection
A counter known as TMC is maintained by server, it is incremented each time packets with
incorrect markings as well as packets from unknown source addresses that are not recorded
if counter reaches the threshold value then attack is signaled.
• Complete Filtering Scheme:
1) If the (IP-address, Marking) pair is same with one of the records in the Filter Table, the
packet is received.
2) If the source IP address of the packet exists in theFilter Table, but the marking does not
match, this packet is considered to be a spoofed packet and is dropped. TMC is incremented.
3) If the source IP address does not appear in the Filter Table, then this packet is accepted with
a probability p. TMC is incremented.
4) If the TMC value exceeds the threshold, an attack is signaled.
5) All echo reply messages that are received as responses to the firewall’s requests are handled
by the Check List verification process. They are not passed through the filter.
• Pushback Implementation
In the Pushback method, the victim of a DDoS attack sends the signatures of attack
to upstream routers and ask them to help filtering out these packets.
•
Route Change Consideration
SMC, to count the number of mismatching packets for any IP address A. When the value of
SMCA reaches a threshold value, the entry (A, MarkingA) is copied to the Check List to test
whether the route from this source has changed.
•
•
Software & Hardware Requirements:
For Client and Server Systems:
Software Requirements:
WINDOWS/LINUX OS
J2SE 5.0
MS ACCESS
Hardware requirements:
Intel Pentium based Micro-Processor with a minimum speed of 500MHz or higher
Ram memory of 256MB or higher
Network Interface Card(NIC)
•
Use Case diagram
Class Diagram
Sequential diagram
client
node
Router
server
1: sends
2: marks
3: sends
4: verifies
5: response
6: spoofs
7: sends
8: marks
9: sends
10: verifies
collaboration
6: spoofs
client
node
1: sends
4: verifies
10: verifies
2: marks
8: marks
7: sends
Router
5: response
3: sends
9: sends
server
Scheme Topology for packet flow
• The Results of This Project is illustrated with Screens using following
tasks.
1. In Learning Phase adding the new client1 to the marking table
2. Authentication of user packets.
3. In Filtering phase handling the new client2 with verification
process using check table.
4. Preventing the Attacker performing Spoofed attack with the
client2’s ip address.
5. Preventing the Attacker performing Randomized attack.
6. Preventing the Attacker performing Flood attack.
7. Illustrating the attack signal and processing only legitimate user
packets.
8. Showing the decrease in probability of acceptance of packets from
new IP address.
9. Route change considerations of Client1 using smc table and path
marking.
Learning Phase: Client 1 sending packet.
22/42
•
Learning Phase: Client1 window showing the Data transmission from Client1 to router1.
Learning
Phase: Router1 window showing the marking value and the details of Data Transmission
to Router6.
Learning Phase: Router6 window showing the marking value and the details of Data
Transmission to server
Learning Phase: Server window showing the packet acceptance details, packet details
and authentication.
Learning Phase: Client 1 window showing input data and the server response
message with the authentication message.
Learning Phase: Mark table reflecting the addition of Client 1 IPaddress and marking
Learning Phase: Login table showing the Client 1 authentication details
Learning Phase: Client 1 window showing the sending multiple packets and its
authentication responses
Learning Phase: Server window showing the spoofed details, packet details and
authentication details.
Filtering Phase: Client2 window showing sending a packet.
Filtering Phase: Client2 window showing echo message responses and adding of record
to mark & login tables after the verification process in filtering phase.
Server window showing the Client 2 packet details, adding to Checklist and sending the
echo packets in verification process in filtering phase.
Filtering Phase: Server window showing the Client 2 packet details, echo packets and
adding record to Mark table and login table after verification process
Check table with the Client 2 path marking in Filtering Phase – verification process
Mark table reflecting the addition of Client 2 path marking in filtering phase.
Attacker window showing the Spoofing the Client2’s IP address and sending data
packets (Spoofed Attack).
Router6 window showing the details of sending the spoofed data packet to Server and
showing the marking value (37992) which is different from the actual value (41184).
Server window showing the spoofed details which has the different marking value than
the actual marking value stored in the mark table for the IP address and packet details
.
Attacker window performing the Randomized Attack.
Server window showing packet details in Filtering phase - verification process, the IP
address accepted and stored in checklist for the verification.
Server window showing the deletion of the record from Check list
Mark table showing the Fake IP address with special symbol (null) so that it can filter all
the packets coming from IP address
Attacker window performing the Flood Attack.
Mark table showing the Fake IP address with special symbol (null) so that it can filter all
the packets coming from IP address.
Attacker window showing the flood packets transmission
Server window showing the Attack Signal
Server window showing Push back method implementation
Router6 implementing the packet filtration after push back method implementation.
Client2 (legitimate user) window showing data packets authentication and acceptance of
the packet after pushback method implementation
Router6 Forwarding only the legitimate user packers after push back implementation.
Server window showing the processing only legitimate user packets after push back
method implementation.
Attacker performing Randomized attack
Router6 Forwarding only legitimate user packers and filtering the fake IP address packets.
Server window showing the processing only legitimate user packets after push back
method implementation.
Client3 window showing the details of Data Transmission.
Router6 showing the filtration of the packet after push back method implementation
Server processing only legitimate user packets after push back implementation.
Client1 window showing the details of sending data packet through router5 instead of Router1.
Route change consideration: Router5 window showing the details of Data Transmission
to Router6 and marking value.
Route change consideration: Server window showing the denial of packet due to the
difference in the marking value that is recorded in mark table for this IP address
Route change consideration: SMC table reflecting the addition of Client 1 path marking
with IP address and count.
Route change consideration: Check table reflecting the Client1 new path marking and its
count in verification process
Route change consideration: Mark table reflecting the Updating of Client 1 path marking
(38112 to 38768).
Route change consideration: Client1 window showing the updating of record in Mark table.
Route change consideration: Server window showing the updating of record in Mark
table.
.
conclusion
• The MDAF scheme can distinguish the attack packets (containing spoofed source
addresses) from the packets sent by legitimate users, and thus filters out most of
the attack packets before they reach the victim.
•
On employing this marking scheme, when a packet arrives at its destination, its
marking depends only on the path it has traversed. If the source IP address of a
packet is spoofed, this packet must have a marking that is different from that of a
genuine packet coming from the same address. The spoofed packets can thus be
easily identified and dropped by the filter, while the legitimate packets containing
the correct markings are accepted.
•
I have developed this project using the java, since it is pure object oriented
programming language and supports networking with high security. It consists of
four modules each module is targeted at specific functionalities and integrated
properly.
FUTURE ENHANCEMENTS
In Future following enhancements can be done:
• Making the packet marking more effective.
• Router Intelligent systems can be implemented to identify the Route changes.
• This scheme can be implemented with Web Servers.
BIBLIOGRAPHY
[1] Deital & Deital , Java How To Program, PHI, Sixth Edition,2005.
[2] Grady Booch, Unified Modelling Language user guide, Addison Wesley, Second
Edition, 2005.
[3] Herbert Schieldt , Java2 The Complete Reference, Tata McGrawHill, Seventh
Edition, 2006.
[4] Elliotte Rusty Harold, Java Network Programming,O’Reilly&Associates,Second
Edition, 2005.
[5] Roger Pressman, Software Engineering,McGraw Hill,Sixth Edition,2005.
[6] William Stallings, Network Security Essentials (Applications and Standards),
Pearson Education, First Edition, 2006.
[7] www.en.wikipedia.org/wiki/Ipspoofing.
[8] www.securityfocus.com/infocus/1674
[9] www.sun.com
[10] Yao Chen, Shantanu Das, Pulak Dhar, Abdulmotaleb El Saddik, and Amiya Nayak,
“Detecting and Preventing IP spoofed Distributed DoS Attacks” ,International
Journal of Network Security, Vol.7, No.1, PP.70-81, July2008.
.