A Resilient Peer-to-Peer System for Denial of Service Protection
STUDENT SCIENTIFIC RESEARCH CONTEST
Since the Internet appeared and became popular, denial of service (DoS) attacks have continued to threaten the reliability of networked systems. Almost all previous approaches to protecting networks from DoS attacks are reactive: they wait for an attack to be launched before taking measures to protect the network. Attackers now have more sophisticated methods at their disposal, while ISPs (Internet Service Providers) have only limited infrastructure with which to respond. There is therefore a need for a system that can be added to a network without changes to its infrastructure, and WebSOS is a solution to that requirement. WebSOS is built from a combination of secure overlay tunneling, routing via consistent hashing, and filtering. It consists of an overlay of many nodes that receive requests from users and decide, with a CAPTCHA test, whether each request comes from a human user or from a zombie; only valid requests are forwarded to the server. WebSOS reduces the probability of a successful attack, but it becomes dangerous when overlay nodes are themselves attacked and become malicious. This research therefore proposes improvements that detect such nodes and reroute user queries to the server through the overlay.
1 Problem statement
2 An Overview of research problem
2.1 Definition of DoS attack
2.2 Attack methods
2.2.1 Attacking a Protocol
2.2.2 Attacking Middleware
2.2.3 Attacking an Application
2.2.4 Attacking a Resource
2.2.5 Pure Flooding
2.2.6 IP Spoofing
2.3 Previous DoS defenses
2.3.1 Pushback
2.3.2 SIFF: An End-Host Capability Mechanism to Mitigate DDoS Flooding Attacks
2.3.3 Pi
2.3.4 D-WARD
2.3.5 NetBouncer
2.3.6 Proof of Work
2.4 WebSOS
2.4.1 Architecture of WebSOS
2.4.2 Chord routing
2.4.3 Graphic Turing Tests
2.4.4 Access and authentication mechanism
3 Deal with problem
3.1 Improvement WebSOS
3.2 Experiment
4 Conclusion
5 Reference
List of figures
Figure 1: Three-way handshake
Figure 2: Basic SOS architecture
Figure 3: Chord routing
Figure 4: Sample CAPTCHA test
Figure 5: SOS Proxylet Applet
Figure 6: SOS Proxylet Applet
Figure 7: Access successful via WebSOS
1 Problem statement
The explosion of the Internet has brought many benefits: people all over the world can communicate easily and work more effectively. At the same time, the Internet is the target of many attacks, and one type that many attackers currently use is the DoS (denial of service) attack. Attack methods have grown more sophisticated, and attacks are hard to detect and defend against with limited infrastructure, especially in small and medium-sized systems. WebSOS was developed to address this problem. WebSOS is an overlay network that checks all requests sent to a server; only valid requests that pass a CAPTCHA test reach the server. WebSOS is good at distinguishing requests from real users from requests sent by zombies. However, WebSOS assumes that all nodes in the system are safe and behave correctly. This report therefore proposes an improvement that detects and removes malicious nodes, so that queries from real users are guaranteed to reach the server.
2 An Overview of research problem
2.1 Definition of DoS attack [1]
A denial-of-service attack differs in goal, form, and effect from most attacks launched against networks and computers. Most attackers involved in cybercrime seek to break into a system, extract its secrets, or fool it into providing a service that they should not be allowed to use. They commonly try to steal credit card numbers or proprietary information, gain control of machines to install their software or store their data, deface Web pages, or alter important content on victim machines. Compromised machines are frequently valued by attackers as resources that can be turned to whatever purpose they currently deem important.
In DDoS attacks, breaking into a large number of computers and gaining malicious control of them is only the first step. The attacker then moves on to the DoS attack itself, which has a different goal: to prevent victim machines or networks from offering service to their legitimate users. No data is stolen, nothing is altered on the victim machines, and no unauthorized access occurs. The victim simply stops offering service to normal clients because it is preoccupied with handling the attack traffic. While no unauthorized access to the victim of the DDoS flood occurs, a large number of other hosts have previously been compromised and are controlled by the attacker, who uses them as attack weapons; in most cases this is unauthorized access in the legal sense of the term.
2.2 Attack methods
In almost every attack, the attacker first has to build a botnet [2], that is, recruit an agent network. Depending on the type of denial of service planned, the attacker needs to find a large number of vulnerable machines to use for attacking. This can be done in a completely automated manner, semi-automatically, or manually. In the case of two popular DDoS tools, trinoo and Shaft, only the installation process was automated; discovery and compromise of vulnerable machines were done manually. Nowadays attackers use scripts that automate the entire process, or scan for already-compromised machines to take over (e.g., Slammer-, MyDoom-, or Bagle-infected hosts). It has been speculated that some worms may be used explicitly to create a fertile harvesting ground for building bot networks that are later used for various malicious purposes, including DDoS attacks.
Some of the methods of causing a denial of service that attackers prefer to use are the following.
2.2.1 Attacking a Protocol
The classic example of a protocol attack is the TCP SYN flood. A TCP session starts with the negotiation of session parameters between a client and a server. The client sends a TCP SYN packet to the server, requesting some service. In the SYN packet header the client provides its initial sequence number (x), a unique per-connection number that will be used to keep count of data sent to the server. On receipt of the SYN packet, the server allocates a transmission control block (TCB) storing information about the client, then replies with a SYN-ACK, informing the client that its service request will be granted, acknowledging the client's sequence number and providing the server's own initial sequence number (y). The client, upon receipt of the SYN-ACK, allocates its own transmission control block and replies with an ACK to the server, which completes the opening of the connection. This message exchange is called the three-way handshake and is shown in Figure 1.
Figure 1: Three-way handshake
The weakness is that the server allocates resources for the client as soon as it receives a SYN packet. Once the server has allocated a transmission control block and replied with a SYN-ACK, the connection is half-open. The allocated resources are not released until the client sends an ACK (and eventually closes the connection) or until a timeout expires, at which point the server closes the half-open connection and frees the buffer space. The attacker therefore generates a multitude of half-open connections, using IP source spoofing so that no ACK ever arrives. These requests quickly exhaust the server's transmission control block memory, and the server cannot accept any more incoming connection requests: every TCB slot is held by the attack, so legitimate connections cannot get in. In rare cases the server machine crashes, exhausts its memory, or is otherwise rendered inoperative. To keep the buffer space occupied, the attacker needs only a steady stream of SYN packets toward the victim. The attack is particularly dangerous because the server cannot easily distinguish the SYN packets of legitimate customers from attack traffic. To carry out a SYN flood, an attacker needs to locate open ports on the victim's machine; a small stream of traffic, on the order of 10 SYNs per minute, can then slowly squeeze the victim's resources. A less common variant floods SYN packets at random ports: the attacker generates a large volume of TCP SYN packets aimed at random ports on the victim, intending to overwhelm the victim's network resources rather than to fill its connection buffers.
Attacks on protocols are difficult to counter by patching, because a patch would have to change the protocol, and changing a deployed Internet protocol is almost impossible. In some cases, however, the existing protocol can be used more cleverly to solve the problem: TCP SYN cookies defeat SYN floods by changing only how the server handles the connection.
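The half-open table exhaustion described above, and the SYN cookie remedy the paragraph ends with, can be seen side by side in the following model. It is an added example written for this page, not code from the paper: the cookie layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash packed into the server's initial sequence number) follows the common Bernstein scheme, the server secret, the TCB limit of 128 and the flood size are assumptions, and the two listeners are toy objects rather than real sockets; the addresses are documentation ranges.

```python
"""Toy model of a TCP listener under a spoofed SYN flood, with and without SYN cookies.
Added example for this page, not the paper's code."""
import hashlib
import hmac

SECRET = b"server-secret-rotate-periodically"  # assumed server-side key
TCB_LIMIT = 128                               # assumed size of the half-open (SYN_RECV) table


def _hash24(src, sport, dst, dport, counter):
    """24-bit keyed hash binding a cookie to the 4-tuple and the 5-bit time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter & 0x1F}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, counter, mss_index):
    """Server ISN = 5-bit counter | 3-bit MSS index | 24-bit hash; nothing is stored."""
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | _hash24(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack_num, now_counter, max_age=1):
    """Validate the final ACK from the ACK number alone; returns the MSS index or None."""
    isn = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    for age in range(max_age + 1):            # accept the current and the previous counter
        cand = now_counter - age
        if (isn >> 27) == (cand & 0x1F) and (isn & 0xFFFFFF) == _hash24(src, sport, dst, dport, cand):
            return (isn >> 24) & 0x7
    return None


class StatefulListener:
    """Allocates a TCB per SYN, as described above; entries stay until the ACK or a timeout."""
    def __init__(self):
        self.half_open = {}

    def on_syn(self, src, sport, dst, dport):
        if len(self.half_open) >= TCB_LIMIT:  # backlog full: the SYN is dropped
            return None
        self.half_open[(src, sport, dst, dport)] = 1000  # fixed ISN keeps the toy simple
        return 1000

    def on_ack(self, src, sport, dst, dport, ack_num):
        isn = self.half_open.pop((src, sport, dst, dport), None)
        return isn is not None and ack_num == ((isn + 1) & 0xFFFFFFFF)


class CookieListener:
    """Keeps no half-open state at all; the SYN-ACK's sequence number is the cookie."""
    def __init__(self, counter=0):
        self.counter = counter  # would advance roughly once a minute on a real host

    def on_syn(self, src, sport, dst, dport, mss_index=2):
        return make_cookie(src, sport, dst, dport, self.counter, mss_index)

    def on_ack(self, src, sport, dst, dport, ack_num):
        return check_cookie(src, sport, dst, dport, ack_num, self.counter) is not None


def spoofed_syn_flood(listener, count):
    """Spoofed sources never answer the SYN-ACK, so their half-open entries never clear."""
    for i in range(count):
        listener.on_syn(f"203.0.113.{i % 256}", 1024 + i, "198.51.100.10", 80)


def legit_client_connects(listener):
    """A real client completes the handshake: SYN, then ACK of the server's ISN + 1."""
    isn = listener.on_syn("192.0.2.7", 40000, "198.51.100.10", 80)
    if isn is None:
        return False
    return listener.on_ack("192.0.2.7", 40000, "198.51.100.10", 80, (isn + 1) & 0xFFFFFFFF)


def stateful_under_flood(flood_size=1000):
    """Whether a legitimate client still gets in after the flood (False: TCB table full)."""
    listener = StatefulListener()
    spoofed_syn_flood(listener, flood_size)
    return legit_client_connects(listener)


def cookie_under_flood(flood_size=1000):
    """Same flood against the cookie listener (True: the flood consumed no state)."""
    listener = CookieListener()
    spoofed_syn_flood(listener, flood_size)
    return legit_client_connects(listener)


def forged_ack_rejected():
    """An ACK with a guessed number, sent without a real handshake, fails verification."""
    listener = CookieListener(counter=5)
    return not listener.on_ack("192.0.2.7", 40000, "198.51.100.10", 80, 0x12345678)


if __name__ == "__main__":
    print("stateful listener accepts a legit client after the flood:", stateful_under_flood())
    print("cookie listener accepts a legit client after the flood:  ", cookie_under_flood())
    print("forged ACK rejected:", forged_ack_rejected())
```

The point of the model is the asymmetry the text describes: the stateful listener pays memory for every spoofed SYN and the attacker pays nothing, whereas the cookie listener pays one HMAC per SYN and one per ACK and stores nothing, so a spoofed source that never answers costs it nothing at all. The price is that options carried in the SYN cannot be remembered (only the MSS is encoded), which is why real stacks enable cookies only once the backlog overflows.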
2.2.2 Attacking Middleware
Attacks can also be made on algorithms. A hash table, for example, normally inserts or looks up each entry in constant time. By choosing values that force the worst case, such as keys that all hash into the same bucket, the attacker makes each subsequent operation take time linear in the number of entries already stored, so a sequence of n insertions costs quadratic rather than linear time. The attacker can freely send data that is processed with the vulnerable hash function, driving the server's CPU to capacity and degrading work that would normally complete in a second so that it takes several minutes. It therefore does not take a very large number of requests to overwhelm some applications.
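The collision attack above, and the usual defence of keying the hash with a secret the attacker cannot predict, can be measured on a small separate-chaining table. This is an added example written for this page, not the paper's code: the table, the byte-sum "weak" hash, the HMAC-based keyed hash and the crafted key set are all constructed for the demonstration.

```python
"""Algorithmic complexity attack on a chained hash table, and the keyed-hash defence.
Added example for this page, not the paper's code."""
import hashlib
import hmac
import os


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons during insertion."""
    def __init__(self, hash_fn, buckets=1024):
        self.buckets = [[] for _ in range(buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):   # walk the chain looking for an existing key
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key):
        for k, v in self.buckets[self.hash_fn(key) % len(self.buckets)]:
            if k == key:
                return v
        return None


def weak_hash(key):
    """Deterministic, attacker-predictable hash: the byte sum of the key."""
    return sum(key.encode())


_HASH_KEY = os.urandom(16)  # per-process random key, unknown to the attacker


def keyed_hash(key):
    """Keyed hash (HMAC-SHA256, truncated): the attacker cannot precompute collisions."""
    return int.from_bytes(hmac.new(_HASH_KEY, key.encode(), hashlib.sha256).digest()[:8], "big")


def colliding_keys(n):
    """n distinct printable keys with identical byte sum, so weak_hash puts them all in one bucket."""
    keys = []
    for a in range(95):
        for b in range(95):
            keys.append(chr(32 + a) + chr(126 - a) + chr(32 + b) + chr(126 - b))
            if len(keys) == n:
                return keys
    return keys


def benign_keys(n):
    """Ordinary keys a well-behaved client might send (constructed)."""
    return [f"user-{i:05d}" for i in range(n)]


def insertion_cost(hash_fn, keys):
    """Total key comparisons needed to insert all keys into a fresh table."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.comparisons


def compare(n=1000):
    """Comparison counts for benign vs crafted input under the weak and the keyed hash."""
    crafted = colliding_keys(n)
    return {
        "weak_hash/benign keys": insertion_cost(weak_hash, benign_keys(n)),
        "weak_hash/crafted keys": insertion_cost(weak_hash, crafted),    # n*(n-1)/2
        "keyed_hash/crafted keys": insertion_cost(keyed_hash, crafted),  # about n^2/(2*buckets)
    }


if __name__ == "__main__":
    for label, cost in compare().items():
        print(f"{label:26s} {cost:>8d} comparisons")
```

With n crafted keys the weak hash degrades to exactly n(n-1)/2 comparisons, the quadratic behaviour the text describes, while the same keys under the keyed hash spread over the buckets again. Production runtimes apply the same idea (randomized string hashing, SipHash), and the bucket count alone does not help: the attacker only needs the hash function, not the table size.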
2.2.3 Attacking an Application
The attacker sends enough requests to reach the limit on the number of service requests that the application can handle. For example, a Web server takes a certain amount of time to serve a normal Web page request, so there is some finite maximum number of requests per second that the server can process. Suppose the Web server can process 10,000 requests per second, so that at most 10,000 customer requests can be served concurrently, and that its normal daily load is 1,000 requests per second. What if an attacker controls 20,000 hosts and can force each of them to make one request every 2 seconds to the Web server? That is an average of 10,000 requests per second which, added to the normal traffic, exceeds 100% of the server's capacity. A large portion of the legitimate requests will therefore not get through, because the server is saturated.
2.2.4 Attacking a Resource
A resource can be the target of an attack, for example CPU cycles: the attacker forces the CPU of the system to do far more work than needed. The resource may also be router switching capacity; this type of attack can be disastrous if the network is not well designed. For example, in January 2001 an attack was carried out against the router that directed traffic to the Microsoft Web sites. When news of the attack came out, it was discovered that all of Microsoft's Domain Name System (DNS) servers were on the same network segment. While the router was under the DoS attack, none of Microsoft's Web sites were reachable any more.
2.2.5 Pure Flooding
Flooding attacks are also known as bandwidth consumption attacks. This type of attack simply sends the maximum possible number of packets to the victim, the purpose being to use up all the
... be done directly by the ISP, if the attack packets have an easily recognized signature, such as large UDP packets to unused ports or IP packets with protocol value 255; such filtering can be easy and quick to set up. If the attack packets are well crafted and look like legitimate traffic, they are hard to filter.
2.2.6 IP Spoofing [3]
In normal IP communication the packet header carries the source IP address and the destination address set by the default network socket operations. In IP spoofing, a malicious program crafts its own packets, does not put its true source IP address in the header, and sends them out over the network.
There are several ways to carry out IP spoofing.
Fully random IP addresses: the malicious program fills the header with an address picked at random from the entire IPv4 space, from 0.0.0.0 to 255.255.255.255. This can produce invalid sources such as 192.168.0.0 (a private network address), multicast addresses, or broadcast addresses, but most of the generated addresses are valid.
Subnet spoofing: for example, on the 192.168.1.0/24 network, a machine can easily spoof the address of a neighbor (such as 192.168.1.34 or 192.168.1.45).
In fact, IP address spoofing is not necessary for a successful DDoS attack, because an attacker can exhaust the victim's resources with a large number of packets regardless of their source address. Some attackers nevertheless use IP spoofing, for a few reasons: to hide the addresses of the agents, and thereby the address of the attacker's handler; to mount reflected DDoS attacks, one of the most powerful forms today, in which the attacker spoofs the victim's IP address in queries sent to large legitimate servers around the world, so that those servers' replies flood the victim, which cannot withstand them; and to defeat the defense mechanism of some servers that keep the addresses of regular customers as a trusted list and give those addresses priority during an attack.
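The two spoofing styles above behave very differently against the standard ingress filtering (BCP 38) that an ISP can apply at a customer edge, which is worth seeing in numbers. The following is an added example written for this page, not the paper's code: the bogon prefix list is a subset chosen for the demonstration, the customer prefix 192.168.1.0/24 is taken from the text, and the random sample of spoofed sources is constructed with a fixed seed so the run is reproducible. Documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are treated as ordinary routable space here.

```python
"""Classifying spoofed source addresses and applying a BCP 38 style ingress filter.
Added example for this page, not the paper's code; prefixes and sample sizes are assumptions."""
import ipaddress
import random

# Source addresses that should never appear on the public Internet (subset for the example).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_source(src):
    """'bogon:<prefix>' for private, loopback, multicast or reserved sources, else 'routable'."""
    ip = ipaddress.ip_address(src)
    for net in BOGONS:
        if ip in net:
            return f"bogon:{net}"
    return "routable"


def ingress_filter(customer_prefix, src):
    """BCP 38 at the customer edge: forward only packets whose source lies inside the
    prefix assigned to that link. Returns True if the packet is allowed through."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(customer_prefix)


def random_spoofed_sources(n, seed=1):
    """Fully random spoofing: sources drawn uniformly from the whole IPv4 space (constructed)."""
    rng = random.Random(seed)
    return [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(n)]


def subnet_spoofed_source(own_ip, prefix, seed=1):
    """Subnet spoofing: a neighbour's address inside the sender's own prefix (never its own)."""
    rng = random.Random(seed)
    hosts = [str(h) for h in ipaddress.ip_network(prefix).hosts() if str(h) != own_ip]
    return rng.choice(hosts)


def spoofing_summary(n=20000, customer_prefix="192.168.1.0/24"):
    """How many randomly spoofed sources are bogons, how many would pass an ingress filter
    at a /24 customer edge, and whether a subnet-spoofed packet passes the same filter."""
    sources = random_spoofed_sources(n)
    bogons = sum(1 for s in sources if classify_source(s) != "routable")
    passed = sum(1 for s in sources if ingress_filter(customer_prefix, s))
    neighbour = subnet_spoofed_source("192.168.1.34", customer_prefix)
    return {
        "random_total": n,
        "random_bogons": bogons,                    # roughly 14% of the IPv4 space
        "random_pass_ingress_filter": passed,       # about n * 256 / 2^32: essentially none
        "subnet_spoofed_source": neighbour,
        "subnet_spoof_pass_ingress_filter": ingress_filter(customer_prefix, neighbour),
    }


if __name__ == "__main__":
    for k, v in spoofing_summary().items():
        print(f"{k}: {v}")
```

The numbers make the trade-off explicit: fully random spoofing produces a minority of obviously invalid sources, confirming the text's "most are valid", but almost none of them survive an ingress filter at the edge they enter through, whereas a subnet-spoofed packet passes that filter every time because its source really does belong to the link. This is why ingress filtering narrows spoofing to the attacker's own prefix rather than eliminating it.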
2.3 Previous DoS defenses
2.3.1 Pushback
Pushback, proposed by Mahajan et al. [4], takes an idea from operational practice: network operators try to push offending traffic back toward its source, either crudely, by unplugging a network cable from a router and watching whether the bad traffic stops, or by observing traffic on monitoring equipment. Limiting the rate of the offending traffic at routers upstream of the victim (pushback) relieves pressure on the victim, allowing it to keep exchanging traffic and to survive long enough for the attack sources to be stopped or removed. This assumes that the offending traffic is not evenly distributed across all possible ingress points.
Two techniques are used: local Aggregate Congestion Control (ACC) and pushback. Local ACC detects congestion at the router and raises a signal, an attack signal or, more generally, a congestion signal, which can be translated into a router filter. The signal identifies a high-bandwidth aggregate, a subset of the network traffic, and local ACC determines the appropriate rate limit for that aggregate. The rate limit is then pushed back to the adjacent upstream routers that contribute the bulk of the aggregate. This mechanism works best against flooding DDoS attacks and flash crowds, since they share common characteristics, and it treats the phenomenon from the perspective of congestion control. The rate limit must be chosen carefully: set too loosely it lets the attack through, set too tightly it also limits legitimate traffic and causes losses. Overall, pushback requires deployment in routers: a rate-limit request cannot pass through a router that does not understand the pushback method. Pushback routers must also maintain state about traffic flows, which adds to the burden on the network infrastructure.
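The local ACC and pushback steps described above can be traced in the following simplified model of one congested router. It is an added example written for this page, not the paper's or the Pushback authors' code: aggregates are keyed by destination /24 prefix, the link capacity, the 90% target utilization, the 10% "heavy link" threshold and the one-interval traffic sample are all constructed assumptions, and the proportional split of the limit among heavy upstream links is a simplification of the real algorithm.

```python
"""Simplified model of local Aggregate Congestion Control (ACC) and pushback at one router.
Added example for this page, not the paper's code; capacities, thresholds and traffic are assumptions."""
import ipaddress
from collections import Counter

LINK_CAPACITY = 1_000_000  # bytes per measurement interval on the congested output link


def aggregate_of(dst):
    """Aggregates are identified by destination /24 prefix in this model."""
    return str(ipaddress.ip_network(f"{dst}/24", strict=False))


def local_acc(packets, capacity=LINK_CAPACITY, target_percent=90):
    """If the output link is overloaded, pick the highest-bandwidth destination aggregate and
    compute the rate it must be limited to so that all other traffic still fits under target."""
    total = sum(p["bytes"] for p in packets)
    if total <= capacity:
        return None                       # no congestion signal
    per_agg = Counter()
    for p in packets:
        per_agg[aggregate_of(p["dst"])] += p["bytes"]
    agg, agg_bytes = per_agg.most_common(1)[0]
    other = total - agg_bytes
    limit = max(0, capacity * target_percent // 100 - other)
    return {"aggregate": agg, "observed": agg_bytes, "limit": limit}


def pushback_requests(packets, decision, min_share=0.1):
    """Split the aggregate's limit among the upstream links that carry the bulk of it.
    Links below min_share of the aggregate are left alone (the legitimate trickle usually
    lives there); heavy links get a limit proportional to their contribution."""
    per_link = Counter()
    for p in packets:
        if aggregate_of(p["dst"]) == decision["aggregate"]:
            per_link[p["ingress"]] += p["bytes"]
    heavy = {l: b for l, b in per_link.items() if b / decision["observed"] >= min_share}
    if not heavy:
        return {}
    heavy_total = sum(heavy.values())
    light_total = decision["observed"] - heavy_total
    budget = max(0, decision["limit"] - light_total)   # what remains for the heavy links
    return {l: int(budget * b / heavy_total) for l, b in heavy.items()}


def sample_interval():
    """Constructed traffic for one interval: attack toward 198.51.100.0/24 arriving via up1
    and up2, a few real clients of that prefix via up3, plus unrelated traffic to 192.0.2.0/24."""
    pkts = []
    for i in range(400):
        pkts.append({"ingress": "up1", "src": f"203.0.113.{i % 256}", "dst": f"198.51.100.{i % 8}", "bytes": 1500})
    for i in range(300):
        pkts.append({"ingress": "up2", "src": f"203.0.113.{i % 256}", "dst": f"198.51.100.{i % 8}", "bytes": 1500})
    for i in range(20):
        pkts.append({"ingress": "up3", "src": f"192.0.2.{i}", "dst": "198.51.100.10", "bytes": 600})
    for i in range(200):
        pkts.append({"ingress": "up3", "src": f"192.0.2.{100 + i % 100}", "dst": f"192.0.2.{i % 50}", "bytes": 1000})
    return pkts


def run(packets=None):
    """Returns the ACC decision and the per-upstream-link rate limits to push back."""
    packets = sample_interval() if packets is None else packets
    decision = local_acc(packets)
    return decision, (pushback_requests(packets, decision) if decision else {})


if __name__ == "__main__":
    decision, requests = run()
    print("congestion signal:", decision)
    print("pushback to upstream:", requests)
```

In the constructed interval the router is carrying 1,262,000 bytes over a 1,000,000-byte link, identifies 198.51.100.0/24 as the aggregate, and computes a 700,000-byte limit so that the unrelated traffic fits under the 90% target; that limit is then pushed to up1 and up2, which carry the bulk of the aggregate, while up3, whose share of the aggregate is about 1%, is left untouched. The same code also shows the failure mode the text warns about: the legitimate clients of the victim prefix that happen to arrive via up1 or up2 are rate-limited together with the attack, because the aggregate is defined by destination, not by intent.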
2.3.2 SIFF: An End-Host Capability Mechanism to Mitigate DDoS Flooding Attacks
Yaar et al. [5] proposed to mitigate DDoS flooding attacks with an end-host capability mechanism. Internet traffic is split into two classes, privileged and unprivileged. End hosts exchange capabilities that are then used for privileged traffic, and routers verify these capabilities statelessly. Capabilities are issued dynamically, so they can be withdrawn if a client misbehaves (attacks). In contrast to other approaches, this scheme does not require an overlay, but it does require modification of both clients and servers, as well as of routers. The client uses a handshake protocol to obtain a capability, after which its privileged traffic is expedited by the network, whereas unprivileged traffic receives no preferential treatment. There are provisions to prevent an attacker from flooding with someone else's privileges, for instance by trying to forge a capability (which is built from marks that each router places in the packet). If a client starts to flood, its privilege can be revoked. The authors proposed two paths: a mechanism for a next-generation Internet that incorporates these techniques, and a mechanism for the current IPv4 protocol. It is unclear whether either path would prove effective. In summary, this technique also rests on several assumptions, including updated TCP/IP client and server software that incorporates the modifications needed for capabilities. Its advantage is that it needs no cooperation between ISPs. However, it also assumes that spoofing is limited, and it requires processing at every router. The new protocol needs space in the IP packet header for the marks, cooperation between client and server, every router marking packets, and stable routes between the machines on the network.
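The handshake, the stateless verification and the revocation described above can be followed in the following toy model of a two-router path. It is an added example written for this page, not the SIFF authors' code, and it simplifies their design: router keys are derived deterministically from the router name and an epoch so that the run is reproducible (real routers use random secrets), marks are 32 bits wide rather than the few bits SIFF squeezes into the header, and each router checks the mark at its own hop index instead of shifting a bit field. Addresses are documentation ranges.

```python
"""Toy model of SIFF style capabilities: a handshake collects per-router marks, routers verify
them statelessly, and key rotation plus the server's refusal to renew revokes them.
Added example for this page, not the authors' code; keys, widths and addresses are constructed."""
import hashlib
import hmac


class Router:
    """Stateless: the only thing a router holds is its secret (current and previous epoch)."""
    def __init__(self, name):
        self.name = name
        self.epoch = 0

    def _key(self, epoch):
        # Constructed secret so the example is reproducible; a real router uses a random key.
        return hashlib.sha256(f"{self.name}|epoch{epoch}".encode()).digest()

    def mark(self, src, dst, epoch=None):
        """Per-packet mark bound to the (src, dst) pair and the router's key for that epoch."""
        epoch = self.epoch if epoch is None else epoch
        return hmac.new(self._key(epoch), f"{src}>{dst}".encode(), hashlib.sha256).digest()[:4]

    def rotate_key(self):
        self.epoch += 1   # marks made under the previous epoch stay valid for one more period

    def forward(self, pkt):
        if pkt["type"] == "EXPLORER":             # unprivileged: collect marks, best-effort delivery
            pkt["marks"].append(self.mark(pkt["src"], pkt["dst"]))
            return "unprivileged"
        hop, cap = pkt["hop"], pkt["capability"]  # DATA: verify only my own mark, no per-flow state
        valid = {self.mark(pkt["src"], pkt["dst"], e) for e in (self.epoch, self.epoch - 1)}
        if hop < len(cap) and cap[hop] in valid:
            pkt["hop"] += 1
            return "privileged"
        return "dropped"


def handshake(path, src, dst):
    """EXPLORER packet to the server; the server hands the collected marks back as the capability."""
    pkt = {"type": "EXPLORER", "src": src, "dst": dst, "marks": []}
    for router in path:
        router.forward(pkt)
    return list(pkt["marks"])   # carried back to the client in the server's reply


def send_data(path, src, dst, capability):
    """Privileged DATA packet; every router on the path checks its mark statelessly."""
    pkt = {"type": "DATA", "src": src, "dst": dst, "capability": capability, "hop": 0}
    for router in path:
        if router.forward(pkt) == "dropped":
            return f"dropped at {router.name}"
    return "delivered"


def scenario():
    """Legitimate use, a forged capability, reuse by a different source, and revocation."""
    path = [Router("R1"), Router("R2")]
    client, server, attacker = "192.0.2.7", "198.51.100.10", "203.0.113.9"
    cap = handshake(path, client, server)
    out = {}
    out["client_data"] = send_data(path, client, server, cap)
    out["forged_capability"] = send_data(path, client, server, [b"\x00" * 4] * 2)
    out["attacker_reuses_cap"] = send_data(path, attacker, server, cap)   # marks are bound to src
    for r in path:
        r.rotate_key()
    out["after_one_rotation"] = send_data(path, client, server, cap)      # previous epoch accepted
    for r in path:
        r.rotate_key()
    out["after_two_rotations"] = send_data(path, client, server, cap)     # expired: revoked unless renewed
    out["renewed"] = send_data(path, client, server, handshake(path, client, server))
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Two properties of the text are visible here. Verification is stateless: a router recomputes its own mark from the packet's addresses and its key, so the flood of capabilities in flight costs it no memory. Revocation is by expiry: a server that decides a client is flooding simply stops answering its EXPLORER packets, and once the routers have rotated keys twice the old capability is dropped at the first hop, without any router having to be told about that client. The model also shows the assumption the text names, that spoofing is limited: an attacker who can both spoof the client's address and observe its capability would pass the check.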