Baseline - A Passive Approach to Tolerate and Detect
DoS/DDoS Attacks
JIN Shu
Computer Science Department
Nanjing University of Sci & Tech
Nanjing, Jiangsu, P.R.China
LIU Fengyu
Computer Science Department
Nanjing University of Sci & Tech
Nanjing, Jiangsu, P.R.China
XU Manwu
State Key Software Tech Lab
Nanjing University
Nanjing, Jiangsu, P.R.China
Abstract - Many approaches have been suggested recently to address the problem of distributed denial-of-service (DDoS) attacks, yet few of them pay enough attention to the quality of service (QoS) requirements of the communication processes running on the victim-end systems, especially while those systems are under DDoS attack. Employing a novel communication service surveillance algorithm called "Shepherd", we present in this paper a DDoS detection architecture named Baseline, a passive approach in that it takes a different perspective from most other DDoS detection methods. Baseline can be installed on any host in the Internet with trivial effort, and the running system consists only of a lightweight daemon that efficiently performs the Shepherd algorithm on the registered communication processes. Through pluggable modules added to the actuator of the daemon, Baseline can be easily integrated with intrusion detection systems (IDS). Compared with previous work, our approach requires neither traffic analysis nor packet content filtering, both of which entail an always-running process with high CPU overhead; nor does it require any modification to existing router systems, which is generally considered economically impractical. Moreover, in the ideal situation described in the paper, Baseline achieves a zero false positive rate.
Keywords: Baseline Service, Availability Surveillance,
DoS/DDoS Attacks Detection
1 Introduction
With the widespread use of email, web shopping, instant messaging, searching and all the other daily-life services, the Internet is playing a more and more important role both socially and economically. Along with providing connectivity to anyone from any place at any time, the Internet brings some severe security problems as well, going back to the days of its birth, when the first connection between computers in the ARPAnet resulted in a crash of the receiving system due to bugs in the communication software [1]. Among all the security problems, the distributed denial of service (DDoS) attack is considered to be the most intractable. Many security incidents have been reported to be caused by DDoS attacks. Some recent occurrences that drew much attention are as follows: in the year 2000, a DDoS attack took Yahoo.com down for three hours and put eBay, Amazon and Buy.com out of service for a considerable period of time, which cost millions; in 2001, the "Code Red" worm attacked www.whitehouse.gov, and only by being moved to a different host could the White House website be restored to service. According to the press, it is estimated that corporations globally lost over $1.39 trillion in revenue due to security breaches in 2000, of which over 60% was due to viruses and DoS/DDoS attacks [2]. For various reasons, such as unwillingness to admit incompetence in doing business, not every DDoS attack incident is revealed to the public; what we have learned from the media is just the tip of the iceberg. Given today's trend of initiating DDoS attacks with easily obtained, user-friendly tools, we may conclude that DDoS attacks remain a great problem to solve and will still be on the rise in the foreseeable future.
To address the problem of DDoS attacks, of which several typical kinds such as Smurf, SYN flooding and TFN2K have been identified and investigated [3, 4, 5], we must first examine the underlying Internet infrastructure. The Internet was designed and implemented with speed and functionality, unfortunately not security, as the sole considerations. Such design decisions were reasonable in the early days of the Internet, when all of its users, most of them researchers, worked to share their knowledge on the basis of mutual trust. As the Internet came into wide use around the world, some vulnerabilities of its infrastructure were discovered by people and organizations with malicious intentions, namely attackers, and abused to serve their own ends. Some of the vulnerabilities exploited by attackers are as follows. Once a host is connected, it can generate and inject into the Internet almost any number of packets, of any kind, at will and at any time, which gives rise to intrusions such as port scanning and protocol abuse. All protocols of the Internet protocol (IP) suite deliver their respective payloads in IP packets through the Internet routing infrastructure. When a packet is forwarded by a router, only the destination IP address is used, with the implication that any source address will do; this directly results in the problem of IP spoofing (sending IP packets with arbitrarily forged source addresses) and makes it more difficult, if not impossible, to identify the source of a spoofed IP packet. Bearing in mind only speed and efficiency, routers in the Internet pay no attention to authorization and authentication, thus leaving the Internet open to any incoming IP packet flow, of which many are malicious. Routers almost never log, which makes the Internet stateless: querying routers for information about packets that have passed through them is extremely difficult. Any hardware or software system may contain holes or bugs that an attacker may exploit to compromise the whole system; we ignore this problem in this paper by assuming that all the hardware and software systems we mention work properly.
Although a perfect defense against DDoS attacks can never be achieved in the current Internet infrastructure, given the nature of the Internet and the underlying routing mechanisms discussed above, many solutions have been suggested to address the problem. For example: Ingress Filtering [6] and Egress Filtering [7] can sieve out spoofed packets even before they are injected into the Internet; IP traceback [1] and ICMP traceback [8] are introduced to find the sources of DDoS attacks; aggregate-based congestion control (ACC) [9] is introduced to detect and thwart DDoS attack streams through the mechanism of Pushback [10], which calls for the cooperation of the routers on the forwarding path from source to destination; overlay networks [11] are used by service providers to hide their Internet servers; and still other approaches try to detect DDoS attacks simply by measuring specific variables such as the network throughput or the packet loss rate of the supervised host. These solutions, if applied to the hosts and routers in the Internet, would greatly reduce the risk of being hit by DDoS attacks. A more detailed analysis of these approaches is given in Section 2.
Baseline service, the approach presented in this paper, tries to address the problem of DDoS attacks from a different perspective, one that is often neglected by other approaches: what effect does the DDoS attack actually have on the network communication processes running on the host? Since the problem of DDoS attacks cannot be easily and totally resolved, if an attack does not hinder the data communication of the running processes, or only degrades their service to an acceptable extent, why not simply tolerate and monitor it instead of being over-alert? The philosophy at the heart of our solution is "if it ain't broken, don't fix it"; Baseline service thus takes a passive attitude toward possible DDoS attack traffic. The only thing the Baseline daemon deployed on a host cares about is the service availability status of the currently running communication processes: are they running properly, with enough bandwidth to serve their clients or peers, or have they already been DDoSed to a halt? How Baseline service takes care of this is described in Section 3.
The rest of this paper is organized as follows. In Section 2 we give a brief introduction to related work on the same problem of DDoS attacks. After a thorough description of the Baseline service architecture in Section 3, the Shepherd algorithm for DDoS detection, which is our core contribution, is described in Section 4. Section 5 discusses in detail the implementation issues of Baseline service. Section 6 is an in-depth analysis of the whole approach. Finally, we conclude the paper and suggest future work in Section 7.
2 Related work
In the literature, many efforts have been dedicated to the detection, mitigation, defense against and even prevention of distributed denial-of-service attacks. We classify them into four classes according to their perspective on the problem and give a brief introduction to each in the remainder of this section.
2.1 Identification/Detection (IDS)
Most DDoS detection methods fall into three categories: communication throughput measurement, packet loss ratio statistics, and attack pattern matching. The first type monitors the traffic on networked devices (hosts and routers) and raises a DDoS attack alert when the throughput goes beyond a predefined threshold. Since the threshold is usually chosen from experience acquired through a long period of network administration and maintenance in one specific network environment, it may be considered a magic number, which makes these approaches hard to adapt elsewhere. Deciding whether a host or router is under DDoS attack from the packet loss ratio can be implemented efficiently and entails only trivial overhead, but packet loss may be caused by many reasons other than DoS/DDoS attacks, which results in a high false positive rate. Pattern matching may be the most popular technique used in IDS systems; through packet content filtering only known DDoS attacks are detected, not unknown types, which makes the approach susceptible to a high false negative rate. Baseline service, presented in this paper, is a DDoS detection mechanism that passively monitors the service availability of the running communication processes. By judging DDoS attacks from the health status of the processes that perform network communication, Baseline may identify any DDoS attack that really matters, with no prior knowledge, and offers a zero false positive rate in the ideal situation, while tolerating possible DDoS attacks that cause little or no damage.
2.2 Mitigation
Among the approaches that aim to mitigate the damage caused by DDoS attacks, aggregate-based congestion control (ACC) [9] is a typical one; it tries to defend against DDoS attacks through the cooperation of routers in the Internet routing infrastructure. When a high-throughput flow of traffic is identified by the victim (or by some dedicated hosts that perform aggregate detection) as an aggregate, which denotes the streams of packets from different sources that share some identical traits (usually the same destination IP address and port number), the upstream routers are queried in turn about their share of the bandwidth contributing to the aggregate and then asked to drop a considerable percentage of those packets. With the Pushback [9, 10] mechanism, routers may make the same request of their own upstream counterparts iteratively in order to stop the aggregate traffic as near to its source as possible. To protect legitimate traffic that coincidentally bears the same identification as the aggregate, namely the packets sent by the "poor" hosts described in [9], the rate limiter of an ACC-enhanced router does not filter out all such packets. Given that an algorithm for discriminating these packets is yet to be devised, the ACC-Pushback approach can only mitigate the bandwidth abuse caused by DDoS attacks; it cannot stop them without disturbing the communication of some legitimate users.
2.3 Counteraction
Beyond merely detecting or mitigating the damage of DDoS attacks, some projects such as ICMP Traceback [8] and IP Traceback [1] go even further. When forwarding a packet to a specific destination, an ICMP traceback-enhanced router sends, with a low probability (1/20000 is chosen in [8]), a packet called an ICMP traceback message along with it to the same destination. Having collected enough such messages, sent by the routers along the paths from the different sources to the host, the victim may reconstruct the attack graph of the whole DDoS attack and thus trace the attackers to their respective networks or hosts. IP traceback approaches use more advanced techniques [12, 13, 14] in order to reduce the number of traceback packets generated and improve the reliability and efficiency of reconstructing the DDoS attack paths. Another way of counteracting DDoS, namely XenoService, is suggested in [15]. In that approach a DDoS attack is detected through a steep fall in service quality; as a countermeasure, the service provider informs cache servers distributed throughout the Internet, mirroring the same content, to start offering the same service to the public, thus dispersing the energy of the DDoS attack and making the attacked server(s) appear unblockable to the attackers. While flooding all these distributed servers to a halt at the same time may be far beyond the reach of a single DDoS attack, the remaining problem of the approach is the cost incurred to deploy and maintain multiple replication sites.
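The probabilistic sampling and attack-graph reconstruction described above can be made concrete with a small simulation. This is an added example, not code from the paper or from the ICMP Traceback proposal [8]; it keeps the 1/20000 sampling probability but simplifies each traceback message to a (router, previous hop, next hop) triple, and the router topology, source names and packet counts are constructed for illustration.

```python
import random

# Per-packet probability that a forwarding router emits a traceback
# message; 1/20000 is the value chosen in the ICMP Traceback proposal [8].
SAMPLE_PROB = 1 / 20000


def forward_packets(source, path, n_packets, rng):
    """Simulate n_packets sent by `source` through the routers in `path`
    (ordered from the source's edge to the victim's edge).  Each router
    independently emits, with probability SAMPLE_PROB per packet, a
    traceback message (router, previous_hop, next_hop) that travels on
    to the victim.  Returns the messages the victim collects from this flow.
    The message format is this example's simplification, not the draft's."""
    messages = []
    for _ in range(n_packets):
        for i, router in enumerate(path):
            if rng.random() < SAMPLE_PROB:
                prev_hop = path[i - 1] if i > 0 else source
                next_hop = path[i + 1] if i + 1 < len(path) else "victim"
                messages.append((router, prev_hop, next_hop))
    return messages


def reconstruct_attack_graph(messages):
    """Return {hop: sorted list of upstream hops} for every hop reachable
    backwards from the victim, using only links reported in the messages.
    Each message yields two links, prev_hop -> router and router -> next_hop,
    so a router whose own messages were all lost can still be learned from
    its downstream neighbour's report."""
    upstream = {}
    for router, prev_hop, next_hop in messages:
        upstream.setdefault(next_hop, set()).add(router)
        upstream.setdefault(router, set()).add(prev_hop)
    graph = {}
    stack = ["victim"]
    while stack:
        hop = stack.pop()
        if hop in graph:
            continue
        graph[hop] = sorted(upstream.get(hop, ()))
        stack.extend(graph[hop])
    return graph


def attack_paths(graph):
    """Enumerate source-to-victim paths in the reconstructed graph.  A hop
    with no known upstream is reported as a source; it may also be a router
    whose upstream link was never sampled, which the victim cannot tell apart."""
    paths = []

    def walk(hop, trail):
        trail = [hop] + trail
        if not graph.get(hop):
            paths.append(trail)
            return
        for up in graph[hop]:
            walk(up, trail)

    walk("victim", [])
    return sorted(paths)


def run_demo(n_packets=200_000, seed=7):
    """Constructed topology: two attacking sources whose paths merge at r5.
    Returns the reconstructed paths and the number of traceback messages,
    which is roughly n_packets * hops * SAMPLE_PROB, a few dozen here."""
    rng = random.Random(seed)
    messages = forward_packets("src-A", ["r1", "r2", "r5", "r6"], n_packets, rng)
    messages += forward_packets("src-B", ["r3", "r4", "r5", "r6"], n_packets, rng)
    return attack_paths(reconstruct_attack_graph(messages)), len(messages)


if __name__ == "__main__":
    paths, count = run_demo()
    print(count, "traceback messages collected")
    for p in paths:
        print(" -> ".join(p))
```

The point the simulation makes is the one the paragraph relies on: with a sampling rate of 1/20000 a victim needs on the order of hundreds of thousands of packets per attack path before every router on it has reported at least once, which is only plausible for a flood and is why the scheme counteracts sustained DDoS traffic rather than a handful of packets.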
2.4 Prevention
IP spoofing makes it almost impossible to trace a specific packet to its source, whereas without spoofed source IP addresses any packet can easily be traced to its point of origin in the Internet. P. Ferguson and D. Senie address this problem by introducing enhanced routers at ISPs' access points [6]. In their approach, named "Ingress Filtering", the routers that bridge between users' hosts and the Internet (edge routers) perform a source IP address check that allows only packets with a valid source IP address within the user's specific subnet (LAN) to pass through and be injected into the Internet. With all edge routers enhanced to perform Ingress Filtering, the Internet would never see a single spoofed packet again except as a result of hardware failures. The benefit is twofold. Attackers, afraid of being caught and subjected to possible litigation or other punishment, would be reluctant to take the risk of participating in a DDoS attack; and all administrators of networked hosts would have a stronger reason to take good care of their systems, so as not to be compromised by attackers and used as DDoS attack daemons. However, for economic reasons such as the cost of upgrading routers, and because Ingress Filtering brings little, if any, concrete benefit to the ISPs themselves, the approach is yet to be widely employed. The same fate has befallen Egress Filtering [7], which performs IP source address checking at the point where packets leave a LAN (the egress point), forwarding to the Internet only packets with a valid source IP address in the LAN, and thus prevents all hosts in the LAN from initiating anonymous attacks. Ingress Filtering and Egress Filtering are proven to be effective in preventing IP spoofing, and both need to be deployed on a larger scale.
3 Baseline service
3.1 Overview
Compared with approaches such as [9] and [6], which are proactive in defending against DDoS attacks, and other solutions like [11] and [22], which are considered reactive, Baseline takes a somewhat passive attitude toward DDoS attacks. With the creed "if it ain't broken, don't fix it", Baseline service runs silently in the background and monitors the running communication processes; if the availability of any such process degrades beyond a certain degree, which is defined in the configuration of the process, a possible DDoS attack is identified and further actions may be taken according to the decision made by the Baseline Actuator.
Figure 1. Baseline service architecture
Running as a background daemon, the Baseline service architecture consists of five components, as shown in Figure 1, namely Configuration, Register, Table, Shepherd and Actuator. Any process engaged in data communication (TCP/IP based here) within the Internet may set its respective service quality requirements in the Baseline Configuration. Once started, the Shepherd of the Baseline daemon continuously monitors all communication operations performed by such registered processes, and if the required service quality cannot be ensured, the Shepherd informs the Actuator of the situation, so that further actions may be taken according to the Actuator's decision-making procedure. Detailed descriptions of the components that constitute the Baseline service are given in the following subsections.
3.2 Configuration
We base our approach on the observation that the processes themselves know best whether they are being denied service. Thus the communication processes may provide their own definitions of denial of service by setting them in the Baseline Configuration. This strategy distinguishes Baseline service from many other DDoS detection methods, which decide whether a DDoS attack is going on without even querying the status of the running network services. When a possible DDoS attack is identified through a noticeable degradation (as defined in the Configuration) in the service quality of a supervised communication process, Baseline service decides on the proper reactions to be taken, again guided by the Baseline Configuration. Variables associated with the quality of service, for instance the timeout, the maximum number of timeouts, the minimum bandwidth required, the maximum bandwidth required and many others, may be specified in the Configuration and hence used both to define the normal service status and to support the decision-making process of the Baseline Actuator.
With no specific service quality requirements provided in the Configuration, a communication process is monitored only on its timeouts and timeout count, which is considered a universally applicable mechanism and can be implemented efficiently. More complex strategies need to be specified by the owners of the processes in the Baseline Configuration before they can be applied by the Baseline service.
As shown in Figure 1, the current version of the Baseline service architecture uses the timeout and timeout count to measure the availability of a given communication process. If flooded by a DDoS attack, the processes monitored by the Baseline daemon may be deprived of their legitimate share of bandwidth, and their send/receive calls encounter timeouts; the Actuator then analyzes the situation reported by the Shepherd and takes further actions.
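The division of labour between Configuration, Shepherd and Actuator described in this subsection, as an added example that is not the paper's implementation. The Shepherd algorithm proper is given in Section 4, which is not reproduced here, so the availability rule used below (more consecutive timeouts than the configured maximum, or a completed call below the configured minimum bandwidth) is this example's own reading of the variables listed above, not the paper's algorithm. Process names, thresholds and the send/receive observations are constructed; the IDS hook is a stand-in for a pluggable Actuator module.

```python
from dataclasses import dataclass


@dataclass
class QosConfig:
    """Per-process service quality requirements, as set in the Baseline Configuration."""
    timeout: float              # seconds a send/receive call may block before it counts as a timeout
    max_timeouts: int           # consecutive timeouts tolerated before the Actuator is informed
    min_bandwidth: float = 0.0  # bytes/second below which a completed call counts as degraded (0 = not checked)


@dataclass
class ProcessEntry:
    """Table entry kept by the daemon for one registered communication process."""
    config: QosConfig
    consecutive_timeouts: int = 0


class Actuator:
    """Decision point with pluggable modules.  Each module is a callable that
    receives the alert dict; in a deployment one module would hand it to an IDS."""

    def __init__(self):
        self.modules = []
        self.alerts = []

    def add_module(self, module):
        self.modules.append(module)

    def notify(self, process, reason, value):
        alert = {"process": process, "reason": reason, "value": value}
        self.alerts.append(alert)
        for module in self.modules:
            module(alert)
        return alert


class Shepherd:
    """Watches the outcome of each send/receive call of registered processes and
    tells the Actuator only when a process's own QoS definition is violated.
    No packet is ever inspected: the process's health is the only signal."""

    def __init__(self, actuator):
        self.actuator = actuator
        self.table = {}

    def register(self, process, config):
        self.table[process] = ProcessEntry(config)

    def observe(self, process, elapsed, nbytes):
        """Record one send/receive call: seconds it took and bytes it moved.
        Returns the alert handed to the Actuator, or None when QoS was met."""
        entry = self.table[process]
        cfg = entry.config
        if elapsed >= cfg.timeout:
            entry.consecutive_timeouts += 1
            if entry.consecutive_timeouts > cfg.max_timeouts:
                return self.actuator.notify(process, "timeouts", entry.consecutive_timeouts)
            return None  # a stray timeout is tolerated: "if it ain't broken, don't fix it"
        entry.consecutive_timeouts = 0  # a completed call resets the count
        bandwidth = nbytes / elapsed if elapsed > 0 else float("inf")
        if cfg.min_bandwidth and bandwidth < cfg.min_bandwidth:
            return self.actuator.notify(process, "bandwidth", bandwidth)
        return None


def run_demo():
    """Feed constructed observations through a Shepherd; returns (alerts, ids_inbox)."""
    actuator = Actuator()
    ids_inbox = []
    actuator.add_module(ids_inbox.append)  # stand-in for an IDS integration module
    shepherd = Shepherd(actuator)
    shepherd.register("httpd", QosConfig(timeout=2.0, max_timeouts=2, min_bandwidth=50_000))
    shepherd.register("sshd", QosConfig(timeout=5.0, max_timeouts=3))
    observations = [               # (process, seconds, bytes); constructed
        ("httpd", 0.10, 65_536),   # healthy
        ("httpd", 2.00, 0),        # one timeout, within max_timeouts: tolerated
        ("httpd", 0.20, 32_768),   # recovered, timeout count resets
        ("sshd", 5.0, 0), ("sshd", 5.0, 0), ("sshd", 5.0, 0),  # three tolerated
        ("sshd", 5.0, 0),          # fourth exceeds max_timeouts=3: alert
        ("httpd", 1.00, 1_000),    # completes, but 1000 B/s is below the 50 kB/s floor: alert
    ]
    for process, elapsed, nbytes in observations:
        shepherd.observe(process, elapsed, nbytes)
    return actuator.alerts, ids_inbox


if __name__ == "__main__":
    for alert in run_demo()[0]:
        print(alert)
```

Two properties of the paper's design show up directly: the Shepherd never looks at traffic, so a flood that leaves every registered process within its QoS produces no alert at all, and a single transient timeout (congestion, a slow peer) is absorbed by the configured timeout count rather than reported, which is where the zero-false-positive claim rests in practice.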
3.3 Table
The Baseline Table is the storage allocated by the Baseline daemon to record brief QoS information about every send/receive call invoked by the communication processes registered with the Baseline service. It resides in memory and may be dynamically appended by the Register and modified by the Shepherd. When a send/receive operation is invoked, the Register creates a new entry with the service quality requirements