Keywords: DDoS
Introduction
With the development and application of cloud computing, the main target of DDoS attacks is shifting to cloud nodes [1,2]. Such attacks aim at the limited computing resources of a node (CPU, memory, network bandwidth, protocol stack, etc.) and achieve their effect by exhausting the resources of the victim cloud node. Since cloud computing has abundant service resources, a DDoS attack has to be launched at large scale to be effective.
Research on DDoS attack detection for cloud services has to satisfy three major goals. The first is timeliness of detection: attack behaviour should be detected as early as possible, because detecting it after a large-scale attack has broken out and already damaged the availability of the target is meaningless. The second is sensitivity to attack traffic: the detection features must distinguish normal traffic from abnormal traffic effectively, which improves the accuracy of attack detection and filtering. The third is adaptability to attack scale: whether the attack is high-rate or low-rate, the detection method should still detect the attack behaviour accurately. At present, most DDoS attack detection methods in academia [3-8] are designed around the second goal, sensitivity to abnormal traffic. These methods emphasise the ability of the detection features to separate normal from abnormal traffic, employ many complex machine learning algorithms for detection, and obtain good detection precision. However, as low-rate application layer DDoS attacks have become rampant, a few DDoS detection methods [16,17] have begun to focus on adaptability to attack scale; because of the high complexity of their detection algorithms, these methods cannot satisfy the goal of timeliness. This contradiction between the complexity of detection methods and the timeliness of detection means that current detection methods cannot meet all three goals at once, and how to achieve a good trade-off is the urgent problem to solve.

© Springer International Publishing Switzerland 2015
G. Wang et al. (Eds.): ICA3PP 2015, Part III, LNCS 9530, pp. 611–624, 2015.
DOI: 10.1007/978-3-319-27137-8_44
J. Zhang et al.
There are many destructive and strong DDoS attacks [9-11], such as SYN flooding, ACK flooding and RST/FIN flooding in the transport layer, and DNS flooding, HTTP flooding and mail flooding in the application layer. These attacks threaten the dependability of cloud computing to varying degrees. They share two common features: first, they are carried over a transport layer protocol such as TCP or UDP; secondly, they all use IP spoofing, so the transport layer connection state of the attack traffic is abnormal. Therefore, we can judge in a timely and effective manner whether a cloud node is under DDoS attack by accumulating the results of two checks: the check of the abnormal transport layer connection state and the check of the authenticity of the source of the transport layer data segments. Compared to the IP flow, the HOPCOUNT value calculated from the TTL values of TCP segments is more stable, which reduces the chance that legitimate packets are judged to be IP spoofing packets because of an update delay of HOPCOUNT, and thus better addresses the problem of false positives. This paper presents a DDoS attack detection model for traffic filtering. The core idea is that, by analysing the characteristics of the HOPCOUNT values calculated from packets with different types of IP spoofing, preliminary checks of the abnormal packets in inbound and outbound traffic are performed using the temporal correlation features of the transport layer connection state; on this basis, a non-parametric CUSUM algorithm achieves accurate DDoS attack detection and filtering. The experimental results show that the detection model divides packets into normal and abnormal accurately, and that attack behaviour is found at the beginning of the attack, which gives the best opportunity to clean the attack traffic. In addition, our detection model is sensitive not only to high-rate DDoS attacks but also to low-rate ones such as the HTTP asymmetric attack; the ROC curves indicate that our detection model has better performance.
The rest of the paper is organized as follows. In Sect. 2, we briefly overview the related work. Section 3 presents the framework of the DDoS attack detection model designed in this paper. In Sect. 4, we propose a set of check rules and the relevant check algorithm for abnormal packets. Section 5 presents the DDoS attacks
A Robust and Efficient Detection Model of DDoS Attack for Cloud Services
Related Work
Figure 1 shows the overall architecture of the model. The abnormal check component monitors IP flows and TCP/UDP segments on both the inbound and the outbound path, checking the authenticity of the source of each data segment and the abnormality of the packets. IP flow monitoring caches the source IP address of each data segment together with its TTL value, and preliminarily checks the authenticity of the flow's source by HOPCOUNT. Packets judged to carry a forged IP source and associated with an abnormal transport layer connection state are called abnormal packets. They include TCP based abnormal packets, such as SYN, SYN/ACK and ACK, and UDP based abnormal packets, such as DNS, NTP and ordinary UDP packets. Their quantity indicates the growth of abnormal traffic. All check results are submitted to the decision component, which judges whether the network service is under DDoS attack. Finally, the decision is sent to the response components (router or firewall). This paper focuses on the traffic abnormal check component and the decision component, which are the parts related to DDoS attack detection.

The traffic abnormal check component has two main functions. After the source of the network traffic has been authenticated, the first check judges the authenticity of the source of the transport layer data segment by looking up the data segment address; the second check is based on the abnormal connection state of the transport layer. Both provide the information on which the decision component relies. Because this component sits in the packet parsing path it must be efficient, so an efficient mapping data structure and a corresponding search algorithm are required.
4.1
linked list composed of the different nodes that map to the same KEY. Once the second bit has been assigned it cannot be reassigned, which avoids hash function conflicts and protects the first pointer of the linear linked list. Each node of the linear list holds the source IP, the corresponding HOPCOUNT value and a time stamp; when a KEY lookup collides, the information in the nodes prevents a misjudgment. The improved Bloom filter provides an efficient data structure for both TCP2HC and UDP2HC: it supports efficient key search and a robust HOPCOUNT abnormality check, which improves the overall performance of the check component.
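The following is an added example, not the paper's own code: one interpretation of the structure described above, in which a Bloom bit array gives a fast "never seen" answer for a source IP and a per-bucket node list (source IP, HOPCOUNT, time stamp) resolves hash collisions and Bloom false positives by comparing node contents instead of misjudging the packet. The hash construction, the table sizes, keying by source IP and the refresh-on-insert behaviour are assumptions of this example, not details taken from the paper.

```python
"""Bloom-filter-indexed hop-count table (added example, not the paper's code).

Assumed details: KEY is the source IP; k bit positions are derived from one
SHA-256 digest; the node list for a key hangs off its first bit position;
re-inserting a known IP refreshes its HOPCOUNT and time stamp.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Node:
    src_ip: str
    hopcount: int
    ts: float


class HopCountTable:
    def __init__(self, nbits: int = 4096, nhash: int = 3):
        self.nbits, self.nhash = nbits, nhash
        self.bits = bytearray(nbits // 8 + 1)            # Bloom bit array
        self.buckets: List[List[Node]] = [[] for _ in range(nbits)]

    def _positions(self, key: str) -> List[int]:
        # k positions from one digest, split into 4-byte words (assumed hashing)
        digest = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.nbits
                for i in range(self.nhash)]

    def _test(self, pos: int) -> int:
        return self.bits[pos >> 3] & (1 << (pos & 7))

    def _set(self, pos: int) -> None:
        self.bits[pos >> 3] |= 1 << (pos & 7)

    def insert(self, src_ip: str, hopcount: int, ts: float) -> None:
        pos = self._positions(src_ip)
        for p in pos:
            self._set(p)
        chain = self.buckets[pos[0]]                    # first position owns the node list
        for node in chain:
            if node.src_ip == src_ip:                    # known IP: refresh, never duplicate
                node.hopcount, node.ts = hopcount, ts
                return
        chain.append(Node(src_ip, hopcount, ts))

    def lookup(self, src_ip: str) -> Optional[Node]:
        pos = self._positions(src_ip)
        if not all(self._test(p) for p in pos):
            return None                                  # definitely never inserted
        for node in self.buckets[pos[0]]:
            if node.src_ip == src_ip:                    # resolves collisions / false positives
                return node
        return None

    def hopcount_matches(self, src_ip: str, observed_hopcount: int) -> Optional[bool]:
        """None if the IP is unknown, else whether the observed hop count agrees
        with the stored one (the HOPCOUNT check used by the inbound rules)."""
        node = self.lookup(src_ip)
        return None if node is None else node.hopcount == observed_hopcount
```

The bit array answers most lookups for never-seen addresses without touching a node list; the node comparison is what keeps a Bloom false positive or a bucket collision from being reported as a HOPCOUNT mismatch.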
4.2
Check Algorithm
The core of our check algorithm consists of a new TCA check and an abnormal data packet check. Because most DDoS attacks use IP spoofing, the source of a connection must be authenticated before the connection itself is checked. To check for abnormal data packets, we must first check whether the transport layer connection state is abnormal.
In this research, three assumptions are made:
Assumption 1. The routers of the ISP communication network are not controlled by attackers;
Assumption 2. All the DDoS attacks use IP spoofing techniques;
Assumption 3. The attacker and the spoofed IP are not in the same LAN.
Assumptions 1 and 2 are general assumptions and widely accepted. Assumption 3 holds because an attacker in the same LAN as the spoofed IP can easily be exposed.
According to Assumption 1, it is feasible to authenticate the source of a connection by hop count. The hop count of a packet is determined by the structure of the communication network and is relatively stable [21], especially for packets of the transport layer. Whether an attacker can pass the check depends on whether it can set a proper initial TTL value for each spoofed packet. To do so the attacker needs h_s, the number of hops between the host that owns the spoofed IP address and the target machine. This is difficult when the attacker selects a random spoofed source IP for each packet: it would need a mapping table from every IP address in the random address space to its corresponding h_s, which in turn means compromising at least one host in each subnet of every random address space and measuring h_s by traceroute.
Check rules (the descriptions of several rules did not survive extraction):

TCP InboundCRule1
TCP InboundCRule2
TCP InboundCRule3
TCP InboundCRule4: If no TCP flag is set and the TCA exists in the TCP2HC table, calculate the HOPCOUNT; if it does not match the stored HOPCOUNT, the packet is abnormal.
TCP InboundMRule1
TCP InboundMRule2
TCP OutboundCRule1: If both the SYN flag and the ACK flag are set, search for the entry with requestKEY <TCA, SYN> in the TCP2HC table; if it does not exist, the packet is abnormal.
TCP OutboundCRule2: If both the SYN flag and the ACK flag are set and the TCA exists in the TCP2HC table, start the timeout retransmission timer. When the timer expires, query the entry with replyKEY <TCA, ACK> in the TCP2HC table; if it does not exist, the packet is abnormal.
UDP InboundCRule1
UDP OutboundMRule1: If the TCA is not found in the UDP2HC table, add a new entry with KEY <TCA, SYN> to the UDP2HC table.
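The following added example (not the paper's code) puts the hop-count reasoning of Sect. 4.2 and the TCP rules of the table above into one runnable checker and drives it with a constructed packet trace. It assumes, beyond what the paper states, that initial TTLs come from the common defaults {32, 64, 128, 255}; that a TCA is the 4-tuple (src_ip, src_port, dst_ip, dst_port) in inbound orientation; that the retransmission timer is driven by packet time stamps; and, because their text is missing from this copy, that an inbound SYN creates the <TCA, SYN> entry and that inbound ACKs receive the same hop-count comparison as TCP InboundCRule4. The UDP2HC table and UDP rules are left out.

```python
"""TCP2HC table and check rules (added example, not the paper's code).

Assumed here, not stated in the paper: initial TTLs in {32, 64, 128, 255};
TCA = (src_ip, src_port, dst_ip, dst_port) in inbound orientation; the
retransmission timer is driven by packet time stamps; an inbound SYN creates
the <TCA, SYN> entry and inbound ACKs get the TCP InboundCRule4 comparison.
"""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

INITIAL_TTLS = (32, 64, 128, 255)   # assumption: common OS default initial TTLs
TCA = Tuple[str, int, str, int]
# direction is "in" (towards the cloud node) or "out"; flags is a frozenset of TCP flags
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port ttl flags ts")


def infer_hop_count(observed_ttl: int) -> int:
    """Hop count = (smallest default initial TTL >= observed) - observed.
    A forged source must carry a TTL matching the real owner's hop count,
    which an attacker spoofing random addresses cannot know (Sect. 4.2)."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


@dataclass
class Entry:
    hopcount: int
    keys: Set[str] = field(default_factory=set)   # "SYN" / "ACK" keys seen for this TCA


class TcpChecker:
    def __init__(self, ack_timeout: float = 3.0):
        self.tcp2hc: Dict[TCA, Entry] = {}
        self.pending: Dict[TCA, float] = {}   # TCA -> time its SYN/ACK was sent
        self.ack_timeout = ack_timeout

    @staticmethod
    def tca_of(p: Packet) -> TCA:
        """Key outbound packets by the inbound orientation of the same flow."""
        if p.direction == "in":
            return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def check(self, p: Packet) -> List[str]:
        """Rules the packet violates; an empty list means it passed."""
        tca, hc = self.tca_of(p), infer_hop_count(p.ttl)
        entry = self.tcp2hc.get(tca)
        if p.direction == "in":
            if p.flags == {"SYN"}:          # assumed maintenance rule: record <TCA, SYN>
                self.tcp2hc[tca] = Entry(hc, {"SYN"})
            elif entry is not None and hc != entry.hopcount:
                # TCP InboundCRule4 for flag-less packets; same test on ACKs (assumed)
                return ["TCP InboundCRule4" if not p.flags else "hop-count mismatch (assumed)"]
            elif entry is not None and "ACK" in p.flags:
                entry.keys.add("ACK")       # the <TCA, ACK> reply key now exists
                self.pending.pop(tca, None)
            return []
        if p.flags == {"SYN", "ACK"}:
            if entry is None or "SYN" not in entry.keys:
                return ["TCP OutboundCRule1"]          # no <TCA, SYN> request key
            self.pending.setdefault(tca, p.ts)         # OutboundCRule2: start the timer
        return []

    def expire(self, now: float) -> List[Tuple[str, TCA]]:
        """TCP OutboundCRule2: SYN/ACKs whose <TCA, ACK> reply never arrived."""
        found = []
        for tca, started in list(self.pending.items()):
            if now - started >= self.ack_timeout:
                del self.pending[tca]
                if "ACK" not in self.tcp2hc[tca].keys:
                    found.append(("TCP OutboundCRule2", tca))
        return found


def demo_trace() -> List[Tuple[float, str]]:
    """Constructed trace (not captured data): a legitimate handshake, a packet
    forging that client's address with the wrong TTL, a spoofed SYN that is
    never ACKed, and a SYN/ACK for a request the node never received."""
    S, C, F = "198.51.100.5", "203.0.113.10", "192.0.2.77"
    pkts = [
        Packet("in",  C, 40001, S, 80, 56, frozenset({"SYN"}), 0.0),   # 64 - 56 = 8 hops
        Packet("out", S, 80, C, 40001, 64, frozenset({"SYN", "ACK"}), 0.1),
        Packet("in",  C, 40001, S, 80, 56, frozenset({"ACK"}), 0.2),
        Packet("in",  C, 40001, S, 80, 118, frozenset(), 0.5),         # 128 - 118 = 10 hops
        Packet("in",  F, 5555, S, 80, 61, frozenset({"SYN"}), 1.0),    # spoofed SYN
        Packet("out", S, 80, F, 5555, 64, frozenset({"SYN", "ACK"}), 1.1),
        Packet("out", S, 80, "192.0.2.9", 6666, 64, frozenset({"SYN", "ACK"}), 1.2),
    ]
    checker, findings = TcpChecker(ack_timeout=3.0), []
    for p in pkts:
        findings += [(p.ts, rule) for rule in checker.check(p)]
    findings += [(5.0, rule) for rule, _ in checker.expire(now=5.0)]
    return findings
```

Running demo_trace() flags exactly three packets: the flag-less packet whose TTL implies 10 hops for an address previously seen at 8 hops (TCP InboundCRule4), the SYN/ACK answering a request that was never recorded (TCP OutboundCRule1), and the spoofed half-open connection whose ACK never arrives before the timer expires (TCP OutboundCRule2). Note that a spoofed SYN itself passes: the hop count stored for it comes from the attacker's packet, which is why the connection-state rules are needed alongside the hop-count check.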
Decision Component
The check algorithm in Sect. 4 only authenticates each single packet. Although the check result of a single packet cannot by itself decide whether the network is under attack, it provides the necessary input for that decision. A sudden increase in abnormal packets indicates a DDoS attack on, or a scan of, the network [22]. Therefore, the DDoS attack decision algorithm can be based on the cumulative check results over a certain period of time.
5.1
n
.
n
(1)
(2)
where $E(C_n) = b$, and the two stochastic sequences indexed by $n = 1, 2, \ldots$ (their symbols did not survive extraction) satisfy the stated conditions on their means, with $h = 0$. $I(H)$ is an indicator function whose value is 1 if $H$ is true and 0 otherwise. If the mean of the sequence $C(n, t)$ exhibits a step change from $b$ to $b + h$ at the point $m$, the sequence value has changed suddenly. We adopt the non-parametric CUSUM algorithm to detect the sequence change and the change point $m$ continuously. It monitors the sequence in real time with a low false-alarm rate and thus detects DDoS attacks immediately.
When the network traffic is in the normal state, the mean value of $C(n, t)$ is close to 0, i.e. $E(C_n) \ll 1$. We denote $F_n = C_n - \beta$, where $\beta$ is an offset determined for each specific network environment (its symbol is lost in this copy and is written $\beta$ here), chosen so that the mean of $F_n$ is negative in the normal state and turns positive when an attack occurs. The offset sequence is therefore suitable for the non-parametric CUSUM algorithm:

$$F_n = C_n - \beta \qquad (3)$$

where $b - \beta < 0$ and $\beta < h < 1$. According to the non-parametric CUSUM algorithm, the stochastic sequence $F_n$ has a negative mean in the normal state. When an attack occurs, $F_n$ jumps to positive values ($h + b - \beta > 0$, where $h$ is the minimum growth of the sequence $F_n$ when an attack occurs). We accumulate the positive values and ignore the negative ones; if the accumulation exceeds the threshold $N$ at some moment, the system decides that a DDoS attack is occurring. In the normal state the values of $F_n$ are either negative or small positive values that do not persist, so the accumulation does not exceed the threshold. The algorithm is thus reduced to computing formula (4). Note that $h$ is the smallest increment when an attack occurs; it is not the detection threshold of the algorithm.

$$y_n = T_n - \min_{1 \le k \le n} T_k, \qquad T_k = \sum_{i=1}^{k} F_i, \quad T_0 = 0 \qquad (4)$$

(the letter of the accumulated statistic is lost in this copy; it is written $y_n$ here). The decision (6) compares $y_n$ with the threshold $N$: an attack is reported when $y_n > N$, and the traffic is judged normal when $y_n \le N$.
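The decision step above, as an added example that is not the paper's code: formulas (3), (4) and the threshold decision run over a constructed sequence of per-interval abnormal fractions. Assumptions of this example: $C_n$ is the fraction of packets in interval $n$ that the check component marked abnormal; $\beta$ and $N$ are picked by hand for the toy data; the accumulated statistic is called y_n, as in the reconstructed formula (4). The worst-case delay helper is the standard CUSUM bound for a constant post-change increment and is not taken from the paper.

```python
"""Non-parametric CUSUM decision over per-interval abnormal-packet counts.

Added example, not the paper's code. Assumed: C_n is the abnormal fraction of
interval n; beta and N are hand-picked for the toy data; y_n is this
example's name for the accumulated statistic of formula (4).
"""
from typing import List, Optional, Tuple


def cusum(c: List[float], beta: float, threshold: float) -> Tuple[Optional[int], List[float]]:
    """Return (first n with y_n > N, or None) and the whole sequence y_1..y_n.

    F_n = C_n - beta                              (3)
    T_k = F_1 + ... + F_k                         (T_0 = 0)
    y_n = T_n - min_{1<=k<=n} T_k                 (4)
    alarm at the first n with y_n > N             (6)
    Negative F_n drag T down, so the running minimum follows T and y stays at
    0 in the normal state; once F_n turns positive, y grows by F_n per interval.
    """
    ys, alarm = [], None
    t, t_min = 0.0, None
    for n, c_n in enumerate(c, start=1):
        t += c_n - beta                            # T_n
        t_min = t if t_min is None else min(t_min, t)
        y_n = t - t_min
        ys.append(y_n)
        if alarm is None and y_n > threshold:
            alarm = n
    return alarm, ys


def worst_case_delay(threshold: float, h: float, b: float, beta: float) -> float:
    """Intervals after the change point until y_n can exceed N when every
    attack interval adds only the minimum increase h + (b - beta). Standard
    CUSUM bound (not from the paper); it shows why h is not the threshold."""
    step = h + (b - beta)
    if step <= 0:
        raise ValueError("h + (b - beta) must be positive for the change to be detectable")
    return threshold / step


def demo() -> Tuple[Optional[int], int]:
    """Constructed data (not measurements): 20 normal intervals with abnormal
    fraction near b = 0.03, then an attack lifting it to >= 0.4 from n = 21.
    Returns (alarm interval, change point)."""
    normal = [0.02, 0.03, 0.05, 0.01, 0.03] * 4
    attack = [0.40, 0.50, 0.45, 0.55, 0.60]
    alarm, _ = cusum(normal + attack, beta=0.10, threshold=1.0)
    return alarm, len(normal) + 1
```

With beta = 0.10 every normal interval contributes a negative F_n, so y_n is exactly 0 until the change point at n = 21; the three attack intervals then add 0.30, 0.40 and 0.35, and y_n first exceeds N = 1.0 at n = 23, a detection delay of two intervals. A single isolated spike raises y_n once and is then worn down again by the negative offset, which is the behaviour the text describes for non-persistent positive values.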
Performance Evaluation
[Table: parameters of the SYN flooding, DNS flooding and HTTP flooding attack traffic; column headers and cell alignment are not recoverable from this copy]
Table 3 lists the average accuracy and delay of detection for different values of $K$ and of the two other parameters. The results show that the proposed model has high accuracy and can satisfy the demand of detecting an attack at an early stage.
To test the adaptability of the detection model to different attack scales, we give the ROC curves of SYN flooding, HTTP flooding and DNS flooding attack detection respectively. As shown in Fig. 5, the detection rate for the highly distributed SYN flooding attack reaches almost 100 % while the false alarm rate is below 2 %; for the high intensity DNS flooding attack, the detection rate exceeds 90 % at a false alarm rate of 2.5 %; for the less distributed HTTP flooding attack, the detection rate exceeds 90 % at a false alarm rate of 9 %. The model thus performs best against highly distributed DDoS attacks. Although performance drops slightly for less distributed and low-rate DDoS attacks, the overall performance remains stable and effective, so the detection model adapts well to DDoS attacks of different scale.
[Table 3: average detection accuracy and detection delay for the different parameter settings; the flattened cell values cannot be reassigned to rows and columns in this copy]
This paper proposed a robust and efficient detection model of DDoS attacks for cloud services. First, we gave a set of rules on IP address authenticity, transport layer connection address authenticity and transport layer abnormal connection state to check for abnormal packets in transport layer communication. In detail, we use hop-count based filtering for IP address authentication.
References
1. Sumter, R.L.Q.: Cloud Computing: Security Risk Classification. ACMSE, Oxford (2010)
2. Jansen, W., et al.: Cloud hooks: security and privacy issues in cloud computing. In: 44th Hawaii International Conference on System Sciences (HICSS), pp. 1–10. IEEE (2011)
3. Bhuyan, M.H., Kashyap, H.J., Bhattacharyya, D.K., Kalita, J.K.: Detecting distributed denial of service attacks: methods, tools and future directions. Comput. J. bxt031 (2013)
4. Patel, K.: Security survey for cloud computing: threats and existing IDS/IPS techniques. In: 24th International Conference on Control, Communication and Computer Technology, pp. 88–92. IEEE (2013)
5. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15(4), 2046–2069 (2013)
6. Gupta, S., Kumar, P., Abraham, A.: A profile based network intrusion detection and prevention system for securing cloud environment. Int. J. Distrib. Sens. Netw. (2013)
7. Yi, F., Yu, S., Zhou, W., Hai, J., Bonti, A.: Source-based filtering scheme against DDoS attacks. Int. J. Database Theory Appl. 1(1), 9–20 (2008)
8. Gavaskar, S., Surendiran, R., Ramaraj, D.E.: Three counter defense mechanism for TCP SYN flooding attacks. Int. J. Comput. Appl. 6(6) (2010), ISSN 0975-8887
9. Gulshan, S., Kavita, S., Swarnlata, R.: A technical overview DoS and DDoS attack. Proc. Int. Conf. Comput. 2010, 274–282 (2010)
10. Bogdanoski, M., Suminoski, T., Risteski, A.: Analysis of the SYN flood DoS attack. Int. J. Comput. Netw. Inf. Secur. (IJCNIS) 5(8), 1–11 (2013)
11. Bhandari, N.H.: Survey on DDoS attacks and its detection and defence approaches. Int. J. Sci. Mod. Eng. (IJISME) 1(3) (2013), ISSN 2319-6386
12. Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. In: IEEE International Conference on Communications, pp. 482–486 (2003)
13. Tao, Y., Yu, S.: DDoS attack detection at local area networks using information theoretical metrics. In: 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 233–240 (2013)
14. Francois, J., Aib, I., Boutaba, R.: Firecol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. (TON) 20(6), 1828–1841 (2012)
15. Chouhan, V., Peddoju, S.K.: Packet monitoring approach to prevent DDoS attack in cloud computing. Int. J. Comput. Sci. Electr. Eng. (IJCSEE) 1(2) (2013), ISSN 2315-4209
16. Chonka, A., Singh, J., Zhou, W.: Chaos theory based detection against network mimicking DDoS attacks. IEEE Commun. Lett. 13(9), 717–719 (2009)
17. Dou, W., Chen, Q., Chen, J.: A confidence-based filtering method for DDoS attack defense in cloud environment. Future Gener. Comput. Syst. 29(7), 1838–1850 (2013)
18. Wang, F., Wang, H., Wang, X., Su, J.: A new multistage approach to detect subtle DDoS attacks. Math. Comput. Model. 55(1), 198–213 (2012)
19. Bhuyan, M.H., Bhattacharyya, D., Kalita, J.: An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit. Lett. 51, 1–7 (2015)
20. Broder, A., Mitzenmacher, M.: Network applications of bloom filters: a survey. Internet Math. 1(4), 485–509 (2004)
21. Paxson, V.: End-to-end routing behavior in the internet. IEEE/ACM Trans. Netw. 5(5), 601–615 (1997)
22. Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of the 11th International Conference on World Wide Web, pp. 293–304. ACM (2002)