基于目的地址熵的分布式拒绝服务攻击检测与回溯方法(IJCNIS-V7-N8-2)

I.J.ComputerNetworkandInformationSecurity,2015,8,9-20PublishedOnlineJuly2015inMECS()DOI:10.5815/ijcnis.2015.08.02Copyright©2015MECSI.J.ComputerNetworkandInformationSecurity,2015,8,9-20DestinationAddressEntropybasedDetectionandTracebackApproachagainstDistributedDenialofServiceAttacksAbhinavBhandariandA.LSangalNationalInstituteofTechnology,Jalandhar,IndiaEmail:{bhandarinitj@gmail.com,Sangal62@yahoo.com}KrishanKumarSBS,StateTechnicalCampus,Ferozpur,IndiaEmail:K.Salujasbs@gmail.comAbstract—Withallthebriskgrowthofweb,distributeddenialofserviceattacksarebecomingthemostseriousissuesinadatacenterscenarioswherelotmanyserversaredeployed.ADistributedDenialofServiceattackgen-eratessubstantialpacketsbyalargenumberofagentsandcaneasilytireouttheprocessingandcommunicationresourcesofavictimwithinverylessperiodoftime.De-fendingDDoSprobleminvolvedseveralstepsfromde-tection,characterizationandtracebackinordertodomiti-gation.Thecontributionofthisresearchpaperisalotmore.Firstly,floodingbasedDDoSproblemsisdetectedusingobtainedpacketsbasedentropyapproachinadatacenterscenario.Secondlyentropybasedtracebackmeth-odisappliedtofindtheedgeroutersfromwherethewholeattacktrafficisenteringintotheISPdomainofthedatacenter.VarioussimulationscenariosusingNS2aredepictedinordertovalidatetheproposedmethodusingGT-ITMprimarilybasedtopologygenerators.Infor-mationtheorybasedmetricslikeentropy;averageentro-pyanddifferentialentropyareusedforthispurpose.IndexTerms—DDoSattacks,datacenter,entropy,aver-ageentropy,differentialentropy,traceback.I.INTRODUCTIONNetworksecurityismorechallengingthaneverasto-day’scorporatenetworksbecomeincreasinglycomplexduetoscalablearchitectureoftheInternet.Witheachpassingyear,thesecuritythreatsfacedbythecomputernetworkshavebecomemoretechnicallysophisticated,betterorganizedandhardertodetect.OneofthemajorthreatstocybersecurityisDistributedDenial-of-Service(DDoS)attackinwhichthevictimnetworkelement(s)arebombardedwithhighvolumeoffictitious,attackingpacketsoriginatedfromalargenumberofmachines.Theaimoftheattackistooverloadthevictimandrenderitincapableofperformingnormaltransactions.Overthelastyear,DDoSattacksevolvedinstrategyandtactics.Accordingtothesurveyreportfortheyear2014Fig.1showsthecustomersreportedattacksrangingfrom309Gbpsatthetopend,through200Gbps,191Gbps,152Gbps,130Gbpsand100Gbps[1].Thissharpincreaseinattacktrafficonceagainprovesthatattackersarecontinu-ingtoshiftmethodologytomakeuseofthelatestattackcapabilitiesavailabletothemandtofocusattacksonthemostvulnerableareasofanetwork.In2013,shortandsharpattacksappearedtobemorecommon,with88per-centofattackslastinglessthanonehour,upfrom78per-centlastyear.Fig.1.SizeoflargestreportedDDoSattack(inGbps)[1]Networksecurityresearchershavedesigneddevelopedandimplementedanumberofcountermeasuresagainsttheseattacksbutnoneofthemethodsprovidesidealsolu-tionbecauseofthesmartnessoftheattackers.Everytimeanewmethodisinvented,theattackerswilladesignacounterdefendingmethodtoattack.Asstatedbythe[2]foracomprehensiveDDoSSolu-tionfourmodulesdetection,characterization,tracebackandmitigationarerequired.Detectionistheprocessofidentifyingthatanetworkorserverisunderattackafterthelaunchoftheattack.Itrequirestrafficmonitoringanditsrefinedbehavioralanalysis.Characterizationmeansdiscriminatingattacktrafficfromlegitimatetraffic.Itishinderedbythefactthatattackandlegitimatetrafficlookalike.However,goodcharacterizationisofimmenseim10DestinationAddressEntropybasedDetectionandTracebackApproachagainstDistributedDenialofServiceAttacksCopyright©2015MECSI.J.ComputerNetworkandInformationSecurity,2015,8,9-20portancetoDDoSdefense,asitdeterminestheamountofcollateraldamageandeffectivenessoftheresponse.Tracebackisprocessofidentifyingtheactualsourceoftheattackpacketoreventozombieswhichparticipatesintheattackprocess.ItisevenmorechallengingbecauseoftheIPspoofingperformedbytheattackersandthede-ploymentoverhead.Afteridentifyingthesourceoftheattackorevenzombiesitisrequiredtosendamessagetothatparticularsourcetostop/ratelimitorfiltertheattackpackets.Thisprocessiscalledmitigation.Itspurposeistominimizeorlessenstheimpactoftheattack.Fig.2demonstratesthedifferentmodulesinvolvedintheDDoSdefenseframework.Fig.2.DDoSDefenseModulesThispapermakesthefollowingcontributionsTodetectDDoSattacksinadatacenterwherenum-bersofserversaredeployedandoneoftheserversisunderattack.Thedestinationaddressbasedentro-pyisused.TotracebacktheedgeroutersoftheISPdomainus-ingdifferentialentropymethod.Tousestandardsix-sigmamethodforidentifyingthethresholdvaluesoftheentropiesfornormaltraf-fic.Tovalidatethedetectionandtracebackmethodsus-ingtheNS2simulationscenariosintegratedwithGT-ITMtopologygenerators.Therestofthepaperisorganizedasfollows.SectionIIdemonstratestheresearcheffortsrelatedtodetectionandtracebackofDDoSattacks.SectionIIIchartsout,theinformationtheorybasicconceptsandtheirmodelingintoDDoSdetectionandtracebackproblem.SectionIVde-scribesthedetailsofsimulationscenariosalongwithre-sultsanddiscussion.SectionVconcludestoprovidefu-turedirectionsinth