Академический Документы
Профессиональный Документы
Культура Документы
Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 3, May June 2013 ISSN 2278-6856
designed to destroy or corrupt data to technologically advanced robot networks with intelligent coding that allows them to intercommunicate with each other, and send back captured private data like bank account numbers and credit card details to the owner of the malware (Hoeflin, D. etal. 2007). This paper is divided into four Sections. In the Section-I the description of the synflood is mentioned, Section-II contains the design part of the prototype, Section-III describes the consideration of the design, Section-IV concludes the paper and the future work is suggested.
DoS,
DDoS,
Network
Security,
1.1 INTRODUCTION
A Denial of Service (DoS) attack is an attack which attempts `to prevent the victim from being able to use all or part of their network connection. A denial of service attack may target a user, to prevent them from making outgoing connections on the network[1]. Denial of service attacks are much easier to accomplish than remotely gaining administrative access to a target system. Because of this, denial of service attacks have become very common on the Internet. IT Administrators are constantly faced with threats as a result of the Internet (West,M.2008). They can be responsible for a plethora of different services and resources on a network at any one time and the challenges involved in ensuring service availability are vast (Franklin, J. et al. 2007). As a result, these Administrators rely on specialized hardware and software to combat attacks from external sources. There is a huge range of solutions on the market today to assist and defend against such attacks, but they are either costly or complicated to set up and configure properly. One of the major problems is that the Internet protocol is designed to be as lightweight as possible, meaning security considerations are usually an afterthought, and usually too late[1][2]. The assaults circulating on the Internet at this very moment range from malicious viruses Volume 2, Issue 3 May June 2013
Fig1: General view of DoS Attack 1.1 SYN Flood Attack A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system[13]. Several connections set by the attacker are half-open without proper acknowledgments, the server queue gets full and another client can not connect. In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. SYN (synchronize) is a type of packet used by the Transmission Control Protocol (TCP) when initiating a new connection to synchronize the sequence numbers on two connecting computers[9].When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this: The Transmission Control Protocol (TCP) is a virtual circuit protocol that is one of the core protocols of the Internet protocol suite, often simply referred to as TCP/IP. Using Page 377
Figure 2: Normal TCP 3-Way Handshake The Transmission Control Block (TCB) is a transport protocol data structure (actually a set of structures in many operations systems) that holds all the information about a connection. The memory footprint of a single TCB depends on what TCP options and other features an implementation provides and has enabled for a connection. Usually, each TCB exceeds at least 280 bytes, and in some operating systems currently takes more than 1300 bytes. The TCP SYN-RECEIVED state is used to indicate that the connection is only half open, and that the legitimacy of the request is still in question. The important aspect to note is that the TCB is allocated based on reception of the SYN packet before the connection is fully established or the initiator's return reachability has been verified[14]. This situation leads to a clear potential DoS attack where incoming SYNs cause the allocation of so many TCBs that a host's kernel memory is exhausted[7]. In order to avoid this memory exhaustion, operating systems generally associate a "backlog" parameter with a listening socket that sets a cap on the number of TCBs simultaneously in the SYN-RECEIVED state. Although this action protects a host's available memory resource from attack, the backlog itself represents another (smaller) resource vulnerable to attack. With no room left in the backlog, it is impossible to service new connection requests until some TCBs can be reaped or otherwise removed from the SYN-RECEIVED state. Depleting the backlog is the goal of the TCP SYN flooding attack, which attempts to send enough SYN segments to fill the entire backlog. The attacker uses source IP addresses in the SYNs that are not likely to trigger any response that would free the TCBs from the SYN-RECEIVED state. Because TCP attempts to be reliable, the target host keeps its TCBs stuck in SYN-RECEIVED for a relatively long time before
Page 378
The SYN flooding attack became well-known in 1996, when the magazines 2600 and Phrack published descriptions of the attack along with source code to perform it[11] . This information was quickly used in attacks on an Internet service provider's (ISP's) mail and Telnet servers, causing outages that were widely publicized in The Washington Post and The Wall Street Journal (among other venues). CERT quickly released an advisory on the attack technique[10]. The basis of the SYN flooding attack lies in the design of the 3-way handshake that begins a TCP connection[3]. In Volume 2, Issue 3 May June 2013
2. Design
To develop a working prototype that detects and mitigates HTTP based DDoS attacks, there must be adequate design of a system before it can be implemented. The system was designed so that it could be deployed in a Distributed environment (that is, the CAPTCHA part need not be on the same physical server)[13]. The system also integrates directly with Apache making deployment of the Detection module (Mitigate.c) exceptionally easy for any novice IT administrator to set up. The problem scenario is when too many hosts (or compromised computers) request the website at the same time. The server cannot cope with the requests and service availability is affected. Figure 3.1 shows a basic overview of the network topology used in the prototype system. The system detects when an individual host has requested a website too many times and then requires that host to verify they are a human. Certain exceptions to this rule exist (for example, Search Engines are exempt from having to verify at all and are always given access to the site without hindrance).
Fig 2.2 represents the overview of prototype in which A represents Visitor, B represents Apache Server, C represents Mitigate module, D represents Captcha Module. Algorithm 2.1 represents the whole Captcha system whether the IP address is allowed or not. 2.3 Apache Module The Apache Web Server will be used to serve web page requests for the prototype. The server allows for custom modules to be included, and a basic module for detecting a possible DDoS attack and then mitigating it will be developed. The module will detect the number of times a user has requested the web page in a given time[2]. Figure 3.4 shows a more detailed view of how the three components interact with one another. The apache web server runs with the module compiled. Whenever a user visits a website hosted on the Apache web server, the Mitigate.c (once compiled, becomes mitigate. so) module is called .The module should have the ability to define an allowed. Hosts file for known IPs we do not want to challenge with the captcha.php module. The module should also have the ability to send a user to another server to process the captcha.php module (saving resources on the primary server until the user has been confirmed as human). The module should have a variable that can be changed which defines the requests per minute that an IP address can send to the server before triggering the captcha.php module. When the limit for number of access requests per minute is exceeded, the module should forward the user to the captcha.php module for verification of the user making the request. If verified, the captcha.php module will send back a confirmation to the mitigate module, if not then the user will be presented with the CAPTCHA page again and again (until the captcha.php limit is exceeded).
Figure 2.1: Overview of the network topology 2.1 System overview All compromised machines are automated attacks, therefore using a method that checks whether a request originated from a real human being should help to deny the attack. The system will determine whether an IP address has requested a page too many times in a given limit[3]. 2.2 ALGORITHM FOR CAPTCHA SYSTEM Step 1.Visitors sends GET request to server Step2.Is IP allowed in the list? Step3.If Yes Step4. Then Process request and send website content back Step5.Else Read client List Step6.Has this IP sent GET request more than X times in the Last Y seconds? Step7.Then GET recaptcha bax and request visitor confirm they are real person. Step8.Does user get captcha input correct? Step9.Then add user to allow list and purge other lists. Step10.Process request and send website content back. Step11.Else Instantiate Captcha list for IP by 1. Volume 2, Issue 3 May June 2013
Page 379
Figure 2.3: UML Diagram of Apache Module calls 2.4 PHP Module Once the request has been handed from the mitigate.c module to the PHP module, it is the PHP modules responsibility to determine whether or not the request was made by a human or an automated robot. The PHP module makes use of the ReCAPTCHA Project, a free, hosted CAPTCHA service which the owners claim process over 30 million CAPTCHA requests a day. The PHP module should create a variable which holds the number of attempts the user has taken. It should also have a variable which holds the maximum number of attempts the user is allowed. If the user exceeds the threshold of this limit, the IP address they are using will be denied using iptables. If the request is processed correctly by the user, the Captcha.php module should send back this result to the mitigate.c Apache module so that it may add the IP address to the allowed list of hosts. As a result of this inclusion the user will never be required to verify themselves again whilst using that web server (or until the list is purged by an administrator). Figure 2.4 shows the process as described previously of the Captcha.php system. It needs to be established how the DENY will be added to the IPTABLES firewall rules, as PHP normally runs under the web server user (either nobody or apache) and therefore would not normally have permission to configure the firewall in Linux. As this is a prototype, a workaround was used was to simply deny access using .htaccess file. This will deny the user access to the requested website, but will not deny them access to the server. In a real world situation, this is of no real use, but is useful as verification that the prototype is working as designed.To make designing and implementing the system speedier, the ReCAPTCHA Project have readily available libraries for us to use which lets us call the CAPTCHA and process the requests without having to code a great deal.
Figure 3.4: UML Diagram of Captcha Module Volume 2, Issue 3 May June 2013 Page 380
Denail Of Service Prevention Techniques(April 2010). [10] A Taxonomy of DDoS Attacks and DDoS Defence Mechanisms. [11] New Mitigating Technique to overcome DDoS attack(2008). [12] A study on Tcp-Syn Attacks and their effects on a Network Infrastructure(June 2010). [13] Multifaceted Defense Against Distributed Denial Of Service Attacks:Prevention,Detection,Mitigation(2012). [14] TCP connection Management Mechanisms for Improving Internet Server Performance(2005).
References:
[1] CERT. (2001, June 4). Denial of Service. Retrieved November 19, 2009 from http://www.cert.org/tech_tips/denial_of_service.html [2] Lee, R., & Speecht, S. (2004). Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures [3] Defenses Against Distributed Denial of Service Attacks. Retrieved 10 March, 2011 from http://www.garykessler.net/library/ddos.html [4] Leyden, J. (2004, September 23). US credit card firm fights DDoS attack. Retrieved 20 September, 2009 from http://www.theregister.co.uk/2004/09/23/authorize_d dos_attack/ [5] Labovitz, C. (2009, August 6). Where Did All the Tweets Go? Retrieved 5th April, 2011 from http://asert.arbornetworks.com/2009/08/where-didall-the-tweets-go/ [6] StackPi:Anew Defense Mehanism against IP
spoofing and DDoS Attacks(20, December 2002). [7] Network Bandwidth Denial Of Service(DoS)(2005). [8] Analyzing Interaction Between Denial Of Service(DoS)Attacks and Threats(2009).
Page 381