An Approach for Detecting and Preventing DoS Attacks by Open Source Firewall System


International Journal of Advance Foundation and Research in Computer (IJAFRC)
Volume 3, Issue 1, January - 2016. ISSN 2348 4853, Impact Factor 1.317
31 | 2016, IJAFRC All Rights Reserved www.ijfarc.org

An Approach for Detecting and Preventing DoS Attacks by Open Source Firewall System

Krishna Bhutda, Prakhar Jain, Mani Prakash Singh, Tanveer Alam, Mr. Sumit A. Khandelwal
Dept. of Computer Engineering, MIT Academy of Engineering, Savitribai Phule Pune University, Alandi, Pune, India
[email protected], [email protected], [email protected], [email protected]

ABSTRACT

Denial of Service (DoS) attacks have become a major security threat to networks and to the Internet: a DoS attack harms a network by preventing legitimate users from reaching the server. Among the online attacks that undermine IT security, DoS has the most devastating effect, and it has put tremendous pressure on security experts to produce effective defences. These attacks can be carried out in many ways with a variety of tools and code, and because there is no single solution for DoS, the attack has persisted on the Internet for nearly a decade. It is therefore essential to reproduce these attacks in small test-bed environments in order to understand them better. Cyber-attacks in recent years have increasingly involved breaches of firewalls. Based on these facts, our main objective is to present a platform built on an open source firewall that provides an efficient method to strengthen the detection, control and mitigation of such attacks. Real-time attacks are measured and analysed with network traffic monitors. The project also details defence strategies that can be enabled on an open source software firewall to mitigate these attacks. The detection is effective for small network topologies and can be extended to analogous large domains.

INDEX TERMS: DoS attack, open source firewall, pfSense, OpenDNS, VMware Workstation

I. INTRODUCTION

Denial of Service (DoS) is a network security problem that poses a serious challenge to the trustworthiness of services deployed on servers. The aim of a DoS attack is to make services unavailable to legitimate users by flooding the victim with requests that look legitimate, and current network architectures make such attacks easy to launch and hard to stop [1].

In its distributed form (DDoS), the attack is carried out indirectly with the help of many compromised computers on the Internet. Attackers can compromise a huge number of computers by spreading a worm that exploits vulnerabilities in popular operating systems [1]. The flood exhausts the victim network's resources, such as bandwidth and computing power, so the victim can no longer serve its legitimate clients and network performance deteriorates badly. With little or no advance warning, a DoS attack can exhaust these resources within a short period of time. Nevertheless, many still believe that traditional security tools such as firewalls can help them deal with DoS attacks [1, 2, 3, 4].


Figure 1: Working of the firewall

Consider four clients, PC1, PC2, PC3 and PC4, connected in a star topology (Figure 1). Every request a client makes for a server resource first passes through the firewall, which checks whether the requesting client is authorized. In the figure, PC1 (IP 192.168.0.1) is an unauthorized client whose attempt to reach the server is denied by the pfSense firewall. PC2 and PC3 (192.168.0.2 and 192.168.0.3) are authorized, so the firewall lets their requests through. PC4 (192.168.0.4) is an authorized client that floods the network with repeated requests; the firewall treats it as an attacker and blocks it.

A DoS attack can be carried out in several ways. The basic forms include:

- flooding the network to crowd out legitimate traffic;
- disrupting the connection between two machines, thereby preventing access to a service;
- preventing a particular individual from accessing a service;
- disrupting service to a specific system or individual;
- disrupting state information, such as resetting TCP sessions.

A DoS attack is characterised by its purpose: preventing legitimate users from using a victim computing system or network resource. Two classes are distinguished in [5]: flooding DoS (FDoS), which overwhelms the victim with sheer volume, and low-rate DoS (LDoS), which uses carefully timed low-volume bursts. In either case the goal is to consume the victim's resources or otherwise make them unavailable to other users. A victim can be a host, server, router or any computing entity connected to the network. Defending against DoS attacks is a serious problem because of their increasing frequency, sophistication and strength, and numerous defence mechanisms have been proposed to prevent, detect and mitigate them [5, 6].

Nowadays firewall rules are derived from organisational security policy, which is usually about allowing or denying access based on application, host, network address and content inspection. Such rules do not necessarily prevent every kind of attack that can happen in a network: scans or floods, for example, remain possible within the allowed address and port ranges. These attacks are now quite dynamic and change their characteristics, so a static rule set does not detect them. A firewall that understands attacks and keeps track of them in order to take preventive steps is therefore required. This capability is lacking in present-day firewalls. In our proposed system we add such capabilities to an open source firewall so that it is more vigilant and also prevents attacks. We use pfSense as the open source firewall.

II. PROBLEM STATEMENT

Configure an open source firewall system for the detection and prevention of DoS attacks.

A firewall is a network security system that monitors and controls all incoming and outgoing network traffic according to predefined security rules; it can also be used to detect and prevent DoS attacks. When an attacker launches a DoS attack against a system in the network, the attack packets pass through the firewall, which validates each packet and, on that basis, allows or rejects it. We configure an open source firewall that prevents malicious users from carrying out any type of DoS attack in the network.

III. GOALS & OBJECTIVES

- Study DoS attacks and discuss their types.
- Study the router and its challenges.
- Study the different open source firewalls and the services they offer.
- Implement a method for detecting and preventing DoS attacks with a firewall.
- Install and configure pfSense as the open source firewall.

IV. TYPES OF FIREWALL

A firewall is a protective system that sits between the Internet and a computer system. Used correctly, it prevents unauthorized users from gaining access to a network [7].

There are two types of firewall:

1. Hardware firewall
2. Software firewall

Hardware firewall

Hardware firewalls are commonly built into broadband routers and form the first line of defence, using packet filtering. Before a packet reaches a computer it is inspected by the firewall, which checks where it came from and whether its source address and header are trusted, and on that basis allows or drops the packet.

Disadvantages of a hardware firewall:

- Cost: a dedicated firewall normally costs more than a software firewall.
- It takes physical space and requires wiring.
- It is harder to install and upgrade.


Using a software firewall avoids the cost of a hardware firewall.

Software firewall

Software firewalls are best suited to home users who are not running a network. They are installed in the operating system and protect only that machine: the firewall screens requests going into and out of the computer and decides whether each exchange between the client and the remote source is valid by checking it against predefined rules.

Advantages of a software firewall:

- Cheaper than a hardware firewall.
- Easier to configure than a hardware firewall.
- Can be installed on a laptop that travels with the user.

Many open source firewall systems are available. Some of them are:

iptables/Netfilter

iptables/Netfilter is the most popular command-line firewall and the first line of defence for Linux server security. Many system administrators use it to fine-tune their servers. It filters packets in the network stack inside the kernel itself.

Features of iptables/Netfilter:

- Lists the contents of the packet filter rule set.
- Fast, because by default it matches only packet headers.
- Supports backup and restoration of rule sets from files.

IPCop Firewall

IPCop is an open source Linux firewall distribution. The IPCop team continuously works to provide a stable, secure, user-friendly and highly configurable firewall management system. IPCop provides a well-designed web interface for managing the firewall and is useful for small businesses and local PCs.

Features of IPCop Firewall:

- A colour-coded web interface for monitoring performance graphs of CPU, memory and disk usage as well as network throughput.
- Support for multiple languages.
- Secure, stable and easily applied upgrades and add-on patches.

Shorewall

Shorewall, or Shoreline Firewall, is another very popular open source firewall for GNU/Linux. It is built on the Netfilter system in the Linux kernel and also supports IPv6.

Features of Shorewall:

- Uses Netfilter's connection-tracking facilities for stateful packet filtering.
- Supports a wide range of router/firewall/gateway applications.
- Centralised firewall administration.
- Multiple ISP support.
- VPN support.

V. STATEMENT OF SCOPE

In today's globalised digital world, security is the most valuable asset. Denial of Service (DoS) attacks have become a major threat to networks and to the Internet, harming a network by keeping legitimate users from reaching the server. Among online attacks, DoS is the most effective against IT security, and it has put tremendous pressure on security experts to produce effective defences. A firewall is one solution for detecting and preventing DoS attacks, and doing so increases the performance and efficiency of the network.

Five common types of DoS attack

Let us look at how DoS attacks are performed and the techniques used, taking five common types of attack [4, 5, 6, 7].

Ping of Death

The ping command is usually used to test the availability of a network resource by sending small data packets to it. The Ping of Death abuses this by sending an ICMP echo request larger than the 65,535-byte maximum size of an IPv4 datagram. The sender fragments it into small chunks that are forwarded to the target; when the target reassembles them, the result is larger than any legal datagram, and a receiver whose reassembly buffer assumes a legal size can freeze, reboot or crash.

Smurf

This attack sends a large volume of ICMP echo request (ping) traffic to a network's directed broadcast address with the source address spoofed to that of the intended victim. Every host in the broadcast domain that answers sends its reply to the victim rather than to the real sender, so a single spoofed ping is amplified by the number of responding hosts (up to 254 on a /24 network). The effect is to slow the victim's network to the point where it is unusable.

Buffer overflow

A buffer is a temporary storage area in memory that holds data while the CPU works on it, for example before it is written back to disk. Buffers have a fixed size, and this attack supplies more data than the buffer can hold. The excess overflows into adjacent memory and corrupts it, which can crash the program. A classic example is an e-mail whose attachment has a file name of 256 characters, longer than the fixed-size buffer the receiving client copies it into.

Teardrop

This attack uses large datagrams that IP breaks into fragments to be reassembled by the receiving host. The attacker manipulates the fragment offsets so that the fragments overlap one another, which can crash a victim whose reassembly code does not handle the overlap.

SYN attack

SYN is short for synchronize. This attack abuses the three-way handshake used to establish a TCP connection: the attacker floods the victim with SYN segments and never completes the handshakes. The victim allocates a half-open connection entry for each SYN, the connection backlog fills with entries that are never used, and legitimate users are refused.
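The five attack types above, expressed as detection checks over a constructed packet capture. This is an added example, not code from the paper: the `Packet` record, the addresses (victim 192.168.0.10, attacker 10.0.0.9) and the capture itself are assumptions, and the SYN-flood check simplifies handshake matching to per-source counting of SYNs not followed by an ACK.

```python
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535  # largest IPv4 datagram in bytes, header included (RFC 791)
VICTIM = "192.168.0.10"  # constructed addresses for the example
ATTACKER = "10.0.0.9"


@dataclass(frozen=True)
class Packet:
    """Minimal view of one IP packet or fragment (constructed for this example)."""
    src: str
    dst: str
    proto: str             # "icmp" or "tcp"
    frag_id: int = 0       # IP identification field, shared by fragments of one datagram
    frag_offset: int = 0   # fragment offset field, in units of 8 bytes
    length: int = 0        # bytes of data carried by this fragment
    mf: bool = False       # "more fragments" flag
    icmp_type: int = 0     # 8 = echo request
    tcp_flags: str = ""    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def fragment_spans(fragments):
    """Sorted (start, end) byte ranges covered by each fragment of one datagram."""
    return sorted((f.frag_offset * 8, f.frag_offset * 8 + f.length) for f in fragments)


def is_ping_of_death(fragments):
    """True if reassembling the fragments would exceed 65,535 bytes."""
    return max(end for _, end in fragment_spans(fragments)) > IP_MAX_DATAGRAM


def is_teardrop(fragments):
    """True if any fragment starts before the previous fragment ends (overlap)."""
    spans = fragment_spans(fragments)
    return any(spans[k][0] < spans[k - 1][1] for k in range(1, len(spans)))


def is_smurf(pkt, broadcast_addrs):
    """True for an ICMP echo request aimed at a directed-broadcast address."""
    return pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst in broadcast_addrs


def syn_flood_sources(packets, threshold):
    """Sources holding more than `threshold` half-open handshakes.

    Simplification for the example: a bare ACK from a source with an outstanding
    SYN completes one handshake. Real traffic must be matched on the 4-tuple and
    sequence numbers rather than on the source address alone.
    """
    half_open = defaultdict(int)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.tcp_flags == "S":
            half_open[p.src] += 1
        elif p.tcp_flags == "A" and half_open[p.src] > 0:
            half_open[p.src] -= 1
    return {src for src, n in half_open.items() if n > threshold}


def group_fragments(packets):
    """Group fragments by (src, dst, frag_id), i.e. by the datagram they belong to."""
    groups = defaultdict(list)
    for p in packets:
        if p.mf or p.frag_offset > 0:      # only real fragments take part in reassembly
            groups[(p.src, p.dst, p.frag_id)].append(p)
    return groups


def detect(packets, broadcast_addrs, syn_threshold):
    """Run every check over a capture and return the findings per attack type."""
    findings = {"ping_of_death": [], "teardrop": [], "smurf": [], "syn_flood": set()}
    for key, frags in group_fragments(packets).items():
        if is_ping_of_death(frags):
            findings["ping_of_death"].append(key)
        if is_teardrop(frags):
            findings["teardrop"].append(key)
    for p in packets:
        if is_smurf(p, broadcast_addrs):
            findings["smurf"].append((p.src, p.dst))
    findings["syn_flood"] = syn_flood_sources(packets, syn_threshold)
    return findings


def frag(src, fid, off, ln, mf=False):
    """Helper building one ICMP echo-request fragment addressed to the victim."""
    return Packet(src, VICTIM, "icmp", frag_id=fid, frag_offset=off, length=ln,
                  mf=mf, icmp_type=8)


def sample_capture():
    """Constructed packets (not from the paper): a legal fragmented ping, a Ping of
    Death, a Teardrop pair, a Smurf probe and a SYN flood next to a normal client."""
    pkts = [frag("192.168.0.2", 1, 0, 1480, mf=True), frag("192.168.0.2", 1, 185, 1480)]
    # ping of death: last fragment ends at 8180*8 + 100 = 65540 bytes
    pkts += [frag(ATTACKER, 2, 0, 1480, mf=True), frag(ATTACKER, 2, 8180, 100)]
    # teardrop: second fragment starts at byte 1200, inside the first (bytes 0-1480)
    pkts += [frag(ATTACKER, 3, 0, 1480, mf=True), frag(ATTACKER, 3, 150, 1480)]
    # smurf: echo request to the directed broadcast address with the victim as source
    pkts.append(Packet(VICTIM, "192.168.0.255", "icmp", icmp_type=8, length=64))
    # SYN flood: 50 SYNs and no ACKs; a normal client completes 3 handshakes
    pkts += [Packet(ATTACKER, VICTIM, "tcp", tcp_flags="S") for _ in range(50)]
    for _ in range(3):
        pkts += [Packet("192.168.0.3", VICTIM, "tcp", tcp_flags="S"),
                 Packet("192.168.0.3", VICTIM, "tcp", tcp_flags="A")]
    return pkts


if __name__ == "__main__":
    print(detect(sample_capture(), {"192.168.0.255"}, syn_threshold=20))
```

The fragment checks work per datagram, keyed on source, destination and IP identification, which is how a reassembly engine also groups fragments; the SYN threshold of 20 is an arbitrary value for the constructed capture and would be tuned to the observed rate of legitimate connection attempts.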

Limitations of other firewalls

- Not customisable.
- No filtering based on operating system.

VI. OUR PROPOSED SYSTEM

Mathematical modelling

Let $S$ be the solution set,

$S = \{s, I, O, f_i, f_o\}$

where

- $S$: solution set
- $s$: start state
- $I$: input, $\{Packet_1, Packet_2, \ldots, Packet_n\}$
- $O$: output
- $f_i$: input function
- $f_o$: output function
- $F$: filter function

The input function has two components, $f_i = \{f_1, f_2\}$, where

- $f_1$: data packet (message) from a legitimate user
- $f_2$: data packet (message) from an attacker

The output function has two components, $f_o = \{f_3, f_4\}$, where

- $f_3$: allow access to the user
- $f_4$: deny access to the user

Multiple requests are differentiated with respect to time. In every interval $t$, the rate of messages splits into a valid and an invalid part:

$\frac{d}{dt}(msg) = \frac{dv}{dt} + \frac{di}{dt}$

$\frac{dv}{dt} = \frac{d}{dt}(msg) - \frac{di}{dt}$

Integrating both sides gives

$v = msg - i$ (1)

where

- $v$: valid messages
- $i$: invalid messages

$f_3$, the allow function, is the set of all allowed packets, i.e. those that are normal/valid. The packets that remain after allowing are discarded by the firewall system in the following step:

$f_4 = v - f_3$

where $f_4$ is the function that blocks access to the user. All allowed packets are subtracted from the valid packets; hence the set $f_4$ contains all the invalid packets, which the firewall system denies.

Packet Observation Technique (POT) algorithm

Detection is based on:

- message context;
- frequency of messages;
- NML (Normal Message List);
- AML (Abnormal Message List).

Each NML and AML entry records:

- Msg: message context
- Timestamp: last time the message was successfully submitted
- Counter: number of messages

POT algorithm

procedure MOM
  Input M_new                                   ▷ new message
  if M_new ∈ A then
    END                                         ▷ fake message
  else
    for i = 1 to |N| do                         ▷ normal message
      if M_new ∈ N and M_new.counter > f and f > threshold then
        END                                     ▷ replayed message
      end if
    end for
  end if
  END
end procedure

For example, assume:

msg = 36 (36 messages or packets in total)
th = 10 (threshold on the number of messages)

The filter function separates normal from abnormal messages on the basis of message context:

|A| = 6 (6 abnormal messages or packets)
|N| = 30 (30 normal messages or packets)

The 6 abnormal packets are discarded first. Of the remaining 30, suppose a single user sends multiple messages from the same IP address, so that msg.counter for that address is 13, i.e. 13 messages from one user who is flooding the network. These 13 messages are discarded after checking their timestamps: the timestamp records the last time a message was submitted and is used to determine whether they have expired. That leaves 30 - 13 = 17 packets that are normal and can be processed.
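The POT algorithm and the worked example above, together with the Figure 1 scenario (PC1 unauthorized, PC2 and PC3 authorized, PC4 flooding), as an added Python example; this is not the authors' code. It assumes that one observation window is evaluated as a batch ending at `now`, that the AML is a set of message contexts, that the authorized-host list and the sample traffic are constructed, and that a source whose counter exceeds the threshold has all of its packets in the window discarded, which is what reproduces the 30 - 13 = 17 arithmetic.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    src: str        # source IP address of the packet
    ts: float       # arrival time in seconds
    context: str    # message context, here the request type


# Constructed for this example, not taken from the paper: AML lists the message
# contexts that the filter function classes as abnormal; AUTHORIZED mirrors
# Figure 1, where PC1 (192.168.0.1) is the unauthorized client.
AML = frozenset({"MALFORMED", "OVERSIZED"})
AUTHORIZED = frozenset({"192.168.0.2", "192.168.0.3", "192.168.0.4"})


def pot_filter(messages, now, threshold=10, window=1.0,
               authorized=AUTHORIZED, aml=AML):
    """Evaluate one observation window that ends at time `now`.

    Following the POT algorithm and the Figure 1 scenario:
      1. packets from hosts that are not authorized are denied (PC1);
      2. packets whose context is in the AML are denied as fake messages;
      3. packets whose timestamp is older than the window have expired;
      4. an NML entry (counter, last timestamp) is kept per source, and every
         packet of a source whose counter exceeds the threshold is denied as
         flooding (PC4).
    Returns (allowed_messages, counts_by_outcome).
    """
    counts = Counter()
    fresh = []
    for m in messages:
        if m.src not in authorized:
            counts["unauthorized"] += 1
        elif m.context in aml:
            counts["abnormal"] += 1
        elif now - m.ts > window:
            counts["expired"] += 1
        else:
            fresh.append(m)

    nml = {}  # src -> {"counter": messages in this window, "timestamp": last seen}
    for m in fresh:
        entry = nml.setdefault(m.src, {"counter": 0, "timestamp": m.ts})
        entry["counter"] += 1
        entry["timestamp"] = max(entry["timestamp"], m.ts)

    flooders = {src for src, e in nml.items() if e["counter"] > threshold}
    allowed = [m for m in fresh if m.src not in flooders]
    counts["flood"] = len(fresh) - len(allowed)
    counts["allowed"] = len(allowed)
    return allowed, dict(counts)


def build_sample():
    """Constructed traffic reproducing the paper's worked example: 36 packets,
    of which 6 are abnormal and 30 normal, with 13 of the normal ones sent by
    the flooding host PC4; plus 2 packets from the unauthorized PC1."""
    msgs = []
    t = 100.0

    def add(src, context, n):
        nonlocal t
        for _ in range(n):
            msgs.append(Message(src, t, context))
            t += 0.01

    add("192.168.0.1", "GET", 2)          # PC1: not authorized
    add("192.168.0.2", "MALFORMED", 3)    # 6 abnormal contexts, matched by the AML
    add("192.168.0.3", "OVERSIZED", 3)
    add("192.168.0.2", "GET", 8)          # normal traffic from PC2 and PC3
    add("192.168.0.3", "POST", 9)
    add("192.168.0.4", "GET", 13)         # PC4 floods: 13 > threshold of 10
    return msgs


if __name__ == "__main__":
    allowed, counts = pot_filter(build_sample(), now=100.5)
    print(counts)
    # {'unauthorized': 2, 'abnormal': 6, 'flood': 13, 'allowed': 17}
```

Evaluating the window as a batch is what lets the whole burst from PC4 be dropped, as in the paper's arithmetic; an online filter that decides packet by packet would pass the first ten of PC4's packets before the counter crosses the threshold, so the choice between the two changes how much of a flood reaches the server.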

    Figure 2: Architectural Diagram


Working:

1. A user sends a request to connect to the server and goes through the authentication process.
2. The credentials provided by the user are compared with those on file in a database of authorized users, either on the local operating system or on an authentication server.
3. If the credentials match, authentication completes and the user is authorized to establish the connection; if they do not match, the user is not allowed to connect.
4. Once the credentials match, every request from the user passes through the firewall system, which identifies the user's IP address and IP header.
5. If the firewall regards the user as trusted, it allows the user to access the services; otherwise it denies access.
6. The server then processes the trusted user's request and responds accordingly.

Input

The input is the set of packets that may be requested.

Output

The output is authentication and authorization of the packet, or its denial (the packet is discarded from the network), based on the detection and prevention rules.

Applications:

- Malware prevention
- IT security
- Database security
- Preventing server hijacking

VII. CONCLUSION

Modern security technologies offer mechanisms to defend against most forms of DoS attack, and given the specific characteristics of DoS an open source firewall such as pfSense can be configured for its detection and prevention. pfSense can be used as a router or a firewall with many advanced features, such as a traffic shaper and a load balancer, and it can be deployed in environments from small to large scale.

    VIII. REFERENCES

[1] Manoj Namdeo Rathod, K. B. Manwade. "Internet security using iptables". International Journal of Pure and Applied Research in Engineering and Technology (IJPRET), 2014; 2(8): 191-200. ISSN 2319-507X.

[2] Muraleedharan Navarikuth, Subramanian Neelakantan, Kalpana Sachan, Uday Pratap Singh, Rahul Kumar, Antashree Mallick. "A dynamic firewall architecture based on multi-source analysis". CSIT, December 2013, 1(4): 317-329. DOI 10.1007/s40012-013-0029-x.

[3] Ashish Patil, Rahul Gaikwad. "Comparative analysis of the prevention techniques of Denial of Service attack in wireless sensor network". Procedia Computer Science 48 (2015): 387-393.

[4] Istvan Kiss, Piroska Haller, Adela Beres. "Denial of Service attack detection in case of Tennessee Eastman challenge process". Procedia Technology 19 (2015): 835-841.

[5] Liu Xiao-ming, Cheng Gong, Li Qi, Zhang Miao. "A comparative study on flood DoS and low-rate DoS attacks". The Journal of China Universities of Posts and Telecommunications, June 2012, 19(Suppl. 1): 116-121.

[6] Fabio Ricciato, Angelo Coluccia, Alessandro D'Alconzo. "A review of DoS attack models for 3G cellular networks from a system design perspective". Computer Communications 33 (2010): 551-558.

[7] Huawei Support - http://support.huawei.com/ecommunity/bbs/10155231.html

[8] Monowar H. Bhuyan, H. J. Kashyap, D. K. Bhattacharyya, J. K. Kalita. "An overview of DDoS attacks, detection schemes and research issues and challenges". The Computer Journal, March 2013, 57(4): 537-556.

[9] Zhang Yi-ying, Li Xiang-zhen, Liu Yuan-an. "The detection and defence of DoS attack for wireless sensor network". The Journal of China Universities of Posts and Telecommunications, October 2012, 19(Suppl. 2): 52-56.

[10] Raz Abramov, Amir Herzberg. "Study of TCP Ack storm DoS attacks". Computers & Security 33 (2013): 12-27.

[11] J. Stuart Broderick. "Firewalls - Are they enough protection for current networks?". Information Security Technical Report 10 (2005): 204-212.

[12] Aldar C.-F. Chan. "Efficient defence against misbehaving TCP receiver DoS attacks". Computer Networks 55 (2011): 3904-3914.

[13] Sanam E Anto, S Seetha, Robin K Kuriakose. "A survey on DoS attacks and detection schemes in wireless mesh networks". Procedia Engineering 38 (2012): 2329-2336.

[14] Guru99, "Ultimate guide to DoS attacks" (Ping of Death, Smurf, Teardrop, SYN) - http://www.guru99.com/ultimate-guide-to-DoS-attacks.html