DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application

International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 2, Issue 6, June - 2015. ISSN 2348 – 4853

31 | © 2015, IJAFRC All Rights Reserved www.ijafrc.org

DDos System: A Disparagement System with Cache Based

and Question Generation in Client-Server Application

Dr. V. Naga Lakshmi1

Professor and HOD, Department of Computer Science, GITAM

University, Visakhapatnam. Andhra Pradesh, India

Email-id: [email protected]

Shameena Begum2

Assistant Professor, Department of IT, Sasi Institute of

Technology & Engineering, Tadepalligudem, Andhra

Pradesh, India

Email-id: [email protected]

A B S T R A C T

Any web application or server requires the use of Distributed Denial of Service (DDoS) service in

order to achieve high security from various attacks. A client server application plays a major role

for any application like healthcare application to prepare distributed applications while reducing

the cost and executing the high performance computing devices. The distributed system in client

server application undergoes many security risks including DDoS. These client server

applications are based on HTTP connection. Thus, the aim of HTTP based connection allows us to

make less vulnerable system against all possible DDOS attack. This system incorporates with

Source Checking, Counting, Attack Detection and Prevention module with Turing test module to

detect the malicious node. In this paper we are proposing a multi-stage detection system which

includes cache based information Turing and question generation pool Turing tests to challenge

the suspicious intruders more effectively and efficiently. The proposed system is executed to

check the efficiency of proposed work and to judge how effectively the proposed system is capable

to mitigate the DDoS traffic from network.

Keywords: DDos, Turing test, Question generation, VC (virtual cluster).

I. INTRODUCTION

A. DDoS Attack in Network

Distributed Denial of Service (DDoS) is the main security concern in present time against network

security [1]. DDoS attacks control various machines all around the network. These DDoS attacks are

called as zombies. The main aim of DDoS is to prevent a legal user to access the network resources or

services from the victim server. Thus user will not be able to access its services like web, email etc. in

network. Mainly DDoS attacks specially focus the network availability i.e. network bandwidth and

server’s computing capability. DDoS attack is launched producing huge volume of traffic in the network

that causes the interrupt in network services. Though, it is complex to identify the DDoS attacks and

normal traffic in the network. Thus DDoS attacks have been taken as serious issues in network security.

DDoS attack may cause to serious loss in any organization.




To resolve the DDoS attack, previous works [2-5] done for minimizing the DDoS attack traffic and

mitigate its effect in network.

B. Types of Dos Attacks

Generally, DDoS attacks are classified into two main parts. In first part, DDoS attacks use maximum

bandwidth in network to break the network. In second part is resource depletion which uses the CPU,

network resources and services for which user are not able to access the network resources. The attack

generally begins from various sources to focus at a single target. These attacks are given below:

• SYN Flood Attack: These attacks are belongs to TCP-based network services. These attacks

causes the server harass which leads system crash [6].

• TCP Reset Attack: These types of attacks use the properties of TCP protocol. Attackers listens the

TCP connection and send a fake TCP RESET packet to the victim. Due to these attacks the victim

to casually close its TCP connection [7].

• ICMP Attack: These types of attacks use ICMP echo request packets for victim and attacks start

via ping. Attackers use ICMP datagram to produce these types of attack [8].

• UDP Storm Attack: These types of attacks are produces in UDP connection. When there is

connection made between two parties then they will generate large number of packets on the

network due to this attack happen.

• DNS Request Attack: These types of attacks are produced by using UDP-based DNS requests and

causes in network bandwidth. Attackers use spoofed source IP address to communicate with

server [9].

• CGI Request Attack: In this attack, an attacker sends CGI request to server which uses huge CPU

resources in network. Result of this attack causes close the services of server.

• Mail Bomb Attack: In this attack, an attacker sends numerous amounts of mail to target server

which can be tough to handle by server. Due to this attack server can stop working.

• ARP Storm Attack: This attack produces by huge ARP request to target system which can badly

affect its system.

• Algorithmic Complexity Attack: It’s a class of low-bandwidth DDoS attacks that exploit

algorithmic deficiencies in the worst case performance of algorithms used in many mainstream

applications.

• Spam Attack: This type of attack is focusing for organization as well as public users. Huge

amount of mails are sending through the attacker side at a time.

C. Client-Server Application

Client- server application is an application in which client can request for accessing services or available

resources to remote server. A wireless local area network (WLAN) is an application in which two or more

system or devices are connected through an access point. User can move around the network coverage.

In the given network coverage system will be remain connected via wireless connection. Various Current




WLANs are based on IEEE 802.11 standards, marketed under the Wi-Fi brand name. It is a type of local-

area network with the aim of high-frequency radio waves rather than wires to communicate between

nodes [10].

II. RECENT RELATED WORK

Fei Wang, Xiaofeng Hu and Jinshu Su [11] have suggested an unfair rate limiting mechanism which was

used to handle DDoS attacks. They have focused on the traffic increasing patterns. In the proposed work,

they categorized port-flows into three subsets with various decreasing priorities. In simulation section,

port-flows that most likely contain DDoS attack traffic compressed most. To avoid drawback of LoURL,

they have presented CoURL to enhance DDoS mitigation in an efficient manner. They have proved an

outstanding performance for their given approach.

Md.Khamruddin and Dr Ch. Rupa [12] have proposed an approach to detect various types of DDoS

attacks. In the given approach, they have balanced the load on the victim machine by replicating servers.

For mitigate the traffic on victim machine, attack signature has pushed back to upstream routers. The

main goal of their mechanism is to mitigate the traffic on the victim machine so that the legal users have

got the services from remote server.

Yonghong Chen et. al. [13] modeled a network DDoS intrusion detection approach which is generally

based on pre-processing network traffic predicted approach. Moreover, chaos theory has been come in

their research. Their approach detected an anomaly caused due to any reason either by burst legal traffic

or by DDoS flooding attacks. They efficiently used the neural network to execute the proposed approach

in order to differentiate between DDoS attacks from unusual traffic. Their results have been based on the

DARPA network traffic data which showed that the given DDoS detection method got high detection

probabilities.

B.S. Kiruthika Devi et. al. [14] described the classification of attack and effectual traffic monitored online.

They have measured performance metrics like Latency, Link utilization and Throughput. They have used

IBRL approach to reduce the attack traffic so that legal users were able send their packets without any

congestion. The research design and the execution carried out on a simulated testbed. The experimental

result showed that the rate limiting was efficient in reducing a network from DDoS attacks. They

suggested enhancements in future contain weight based performance metrics to group the impact of

DDoS attacks and quantify at various attack strengths.

Jin Wang et. al. [15] explained two web applications DDoS detection approach. The given approach

focused on large deviation theory i.e. LD-IID and LD-MP. LD-IID distinguished a user’s access actions with




experimental click-ratio distribution, and chosen huge deviation to estimate the deviation of each

continuous user’s access actions to the priori click-ratio distribution of a website. LD-MP provided the

connection of a user’s sub-sequent web-pages accessed. The proposed approach provided huge deviation

theory to estimate the uniformity of user’s experimental access action to the priori website’s access

action. In result section, LD-IID detected web app-DDoS precisely, yet one-order Markov process makes

LD-MP has high false negatives.

III. PROBLEM STATEMENT

A. The main issue to keep DDoS mitigation system relevant against growing the attackers.

B. In the case, attackers get the control of user datagram protocol (UDP) like domain name server; user

is not able to access the services from remote server.

C. The mentioned methodology was not much cost effective.

D. Some research was not focusing on packet loss in DDoS mitigation system.

IV. RESEARCH METHODOLOGY

The proposed system architecture is shown in figure 1. The packet coming from user side will arrived in

Source Checking and Counting Module, where user is verified. If user is suspicious then the user is

redirected to the Cache-Based Turing Module. In Cache-Based Turing Module, user is verified by the

server through cache information of user saved in temporary file (user’s system). The Detection section

will be used for finding any other DDoS attack. The Source Checking and Counting Module takes care the

all the essential information regarding attack detection. Moreover, we have Question generation module

which is also used for DDoS prevention.

A. Source Checking and Counting Module

This module serves as a coordinator module for another module. In this module we have

• Source Checking Module and

• Counting Module

1. Source Checking Module

This module is responsible for categorization of packets based on their status. This module acts as a co-

ordination for other module. By using this module, packets are categorized into following list:

• Black list: In this section, Source Checking Module verifies the user’s address. If it is exist in black

list database then it will block the packet with the given user’s address. Otherwise, it will send the

packet to pink list or white list.

• Pink list: In this section, packets will be again verified by Cache Based Turing Test. It will check

whether the packet is suspicious or not based on cache information. If packet is suspicious, it will

send it to black list else in white list.




• White list: In this list, only authorized user address will be store after the complete verification

by Cache Based Turing Test.

2. Counting Module

The counting module stores the address of source and destination packet. It also store the arrival time of

request. The default mode of counting module is to be disabled. Whenever any suspicious packet

identified by DDoS Attack Detection Module, its value change to enable from disable by DDoS Attack

Detection Module. The counting module reset its value periodically.

Figure 1: Packet Flow in the Proposed DDoS system

B. DDoS Attack Detection Module

The main aim of this module is to find suspicious source and send this suspicious source address to black

list repository. Moreover, the given source is authorized by the Cache-Based Turing Module by

challenging the source to receive the question. It takes four steps for detecting the suspicious source

which are given below:

1. Stage 0: In this section, the detection module act as a monitor mode which is responsible for

detecting the source actions and collects its information in the form of average, and maximum value

of connection/incoming packets/incoming bytes per second. The stored data represents each VC’s

network actions which can be used for identifying the suspicious source.

2. Stage 1: In this stage, the process in Stage 0 is still running to gather the instant VC traffic data for

identifying malicious source. At this section, attack detection module check for each virtual

controller, compare the value between current traffic and the previous statistic one. If the current

DDoS Attack Detection

Source Checking

Question Generation

Caching Based Turing

Turing Test

VC

VC

VC

Lists (Black, White.)




traffic value is greater than the previous statistic one then the detection status moved to the Stage 2

and the Counting Module enable to count the incoming traffic of the particular virtual controller.

3. Stage 2: Four essential parameters are used which are given below:

• TH: This is nothing but the maximum threshold value. This value can be the connection set

establish between the virtual controller and user.

• NUM_Period: In this section a threshold value set during the packets sent by user is more

than the threshold value given. In this case the DDoS Attack Detection Module attached the

certain IP address into the Pink list database. After that authentication section is achieved by

the Cache-Based Turing Module.

• MXTH: It is also a threshold value which is set in the condition whether the number of

connection time is greater than MXTH. In such condition the certain IP address is attached to

the Pink list database on the same time if its value is 90 % of the Apache’s Server performance

or TH.

• Node_TH: It is also a threshold value which is set in the condition when the number of IP

source connection greater than the given limit. In such condition system immediately switch

50% of the IP connection to the Pink list database. The given section must have to be done to

ignore the congestion on the virtual controller; else in such condition the system may crash.

There may be some condition, in which no IP attached into the Pink list for NUM_Period value, and then

in this situation the DDoS Attack Detection Module status is again move to Stage 1 and further the

Counting Module become disabled.

4. Stage 3: In this section, due to traffic from or to virtual controller is extremely huge that it takes 90-

95 % of the virtual controller inbound or outbound network bandwidth. Any analysis in this situation

may lead to a system crash or busier. Thus, to avoid this condition, we attached the public IP to

destination block list to block the incoming HTTP connections coming from the user. The public IP of

virtual controller is consecutive attached and blocked incoming HTTP connections until its traffic is

down. Till then the traffic is switch to the Cache-Based Turing Section where authentication of the

client is happened.

5. Cache-Based Turing

Cache is such a verification technology in which less effort is needed and a secure side service in

included. This enables user to verify through a secure server. Although a number of transaction of service

is needed. It includes a few number of secure data migration. This technology is as per the result secure

as well as most reliable.

This Turing is done for rapid information about the user. The destination address stores a number of

secure other destinations (3n3). The user is being asked for give access to these destination addresses. If

it is found there it moved from the black list to white list.




Figure 2: Authenticating User on Basis of White Pink and Black List Concept

The Cache based Turing consist of following steps:

Step 1: Server connects to the user and gets the existing users connection in the cache with a secure

server side.

Server

Data in Cache

User

Server

Existing Server

User

Data in Cache

Limited Service

Black List

White List

Pink List

Full Service

Black/White

Service Provider

Sender

Full verification

(Cache Based Turing

Verification)

First Attempt

Other Attempt




Whenever user wants a service, it is processed in request response form. The request from user, hits to

the server where user verification is done. At this stage, server looks for information stored in cache in

user system. These caches information are stored in text format as temporary file in system directory

where the data stored in form of name value pair. The information filled by the user is matched with

these caches data. When the information in cache is correctly matched with information filled by the user

then user is authorize to access the legitimate service.

Step 2: Server contacts with the existing user with the credential received from the user

In this stage user is verified with the help of existing server. Existing server already verified the user

through cache information stored in system.

Step 3: Existing server once again verified with the user data present in cache.

Step 4: In strategy the status is given to the server from the existing server, than according to the status

received by the server it decide whether to share with the user or not than its updating once again the

cache.

V. RESULT AND DISCUSSIONS

This paper is implemented using NetBean 6.8 and Spring tool suit IDE. Apache tomcat 7.0 running as web

server. Here we are using Java SE, Servlet and Html as web technology. For robot attack, we are using

Swing technology. The result and discussions part are describe below:

Existing Server

Data in Cache

Server

Existing Server




Figure 3: Verifying User through Answering Question

In Figure 3 user is verifying through answering the security question. If user gives correct answer then

user will be able to login successfully. In the case of wrong answering, user will not have access to login.

Figure 4: Successfully login by user

In Figure 4, user has given correct answer. Thus he/she is authorized for further services.




Figure 5: Access Denied for Wrong Answer

In Figure 5, user has given wrong answer. Thus user is not authorized for login. In this case, user is not

able to get the services for further use.

Figure 6: Authorized user successfully login

In Figure 6, already verified user wants to register. In this case, user will directly login without any

security question.




Figure 7: User blocked for wrong answering

In Figure 7, user 5 again wants to login but giving wrong answer. In this case, user will be block

permanently.

Figure 8: Register and Blocked User

Figure 8 shows the information for list of registered user and list of blocked user.

VI. CONCLUSION

This paper presented a multi-stage detection system which includes cache based information Turing and

question generation pool Turing tests to challenge the suspicious intruders more effectively and

efficiently. In this paper, we identified the attacker through cache information. Users have to answer the

security question at the time of logging. Once the user gives correct answer for the given security

question. She/he is able to login successfully and can use the further services. Instead of wrong




answering by attacker, user is not able to login and hence access will be denied for further services. Thus

each time verified user will login, she/he is able to use the further services. In the case of wrong

answering by attacker will result the block the user permanently. Thus only verified user will have access

to use the given services.

VII. REFERENCES

[1] The top five DDoS attacks of 2011. [Online]. Available:

http://www.itbusinessedge.com/slideshows/show.aspx?c=92910

[2] M. Goldstein, M. Reif, A. Stahl, and T. Breuel, “High performance traffic shaping for DDoS

mitigation,” in Proceedings of the 2008 ACM CoNEXT Conference, ser. CoNEXT ’08. ACM, 2008.

[3] X. Liu, X. Yang, and Y. Lu, “To filter or to authorize: Network-layer DoS defense against

multimillion-node botnets,” in ACM SIGCOMM, 2008.

[4] S. H. Khor and A. Nakao, “DaaS: DDoS mitigation-as-a-service,” in Proceedings of the 2011

IEEE/IPSJ International Symposium on Applications and the Internet, ser. SAINT ’11. IEEE

Computer Society, 2011, pp. 160–171.

[5] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms

countering the DoS and DDoS problems,”ACM Comput. Surv., vol. 39, April 2007.

[6] S. M. Khattab, C. Sangpachatanaruk, R. Melhem, D. Mosse, and T. Znati, “Proactive Server Roaming

for Mitigating Denial-of-Service Attacks,” in Proceedings of the 1st International Conference

on International Technology: Research and Education (ITRE’03), pp. 286-290, Aug. 2003.

[7] Robert Vamosi, “Study: DDoS attacks threaten ISP infrastructure,” Online at

http://news.cnet.com/8301-1009_3-10093699-83.html, CNET News, Nov. 2008.

[8] Internet World Stats, Internet User Statistics – The Big Picture: World Internet Users and

Population Stats, http://www.internetworldstats.com/stats.htm.

[9] A. Yaar, A. Perrig, and D. Song, “PI: A path identification mechanism to defend against DDoS

attacks,” in proceedings of the IEEE symposium on Security and Privacy, pp. 93-109, May 2003.

[10] Mofreh Salem, Amany Sarhan and Mostafa AbuBakr, “A DOS Attack Intrusion Detection and

Inhibition Technique for Wireless Computer Networks”, ICGST- CNIR, Volume (7), Issue (I),

July 2007.

[11] Fei Wang, Xiaofeng Hu and Jinshu Su, “Unfair Rate Limiting for DDoS Mitigation Based on Traffic

Increasing Patterns”, IEEE, 2012.

[12] A. Md.Khamruddin and B. Dr Ch. Rupa, “A Rule Based DDoS Detection and Mitigation Technique”,

Nirma University International Conference on Engineering, 2012.

[13] Yonghong Chen, Xinlei Ma, Xinya Wu, “DDoS Detection Algorithm Based on Preprocessing

Network Traffic Predicted Method and Chaos Theory”, IEEE Communications Letters, VOL. 17,

NO. 5, MAY 2013.




[14] S. Kiruthika Devi, G. Preetha, S. Mercy Shalinie, “DDoS Detection using Host-Network based

Metrics and Mitigation in Experimental Testbed”, IEEE, 2012.

[15] Jin Wang, Xiaolong Yang, Keping Long, “Web DDoS Detection Schemes Based on Measuring User’s

Access Behavior with Large Deviation”, IEEE Globecom, 2011.

Documents

DDos System: A Disparagement System with Cache Based and Question Generation in Client-Server Application