Subject:

Network Security

Topic:
Detection & Prevention of DoS Attacks

Submitted to:
Mr. Khalid Hamid

Submitted By:
Ali Hamza & Adeeb Khan
Introduction

Denial of service (DoS) attacks are a class of attack in which a malicious user prevents legitimate
users from using network services by exhausting the resources of the victim system. The attacker
causes congestion by generating a large volume of traffic at or near the target, without breaching
password files or stealing sensitive information; the overload itself is what keeps packets from
reaching their destination. Smurf, SYN flood, Teardrop, Ping of Death, black-hole routing and traffic
misdirection are common examples. Measurement studies of Internet DoS activity report that more
than 90% of attacks use TCP [10].

Attacks on well-known sites such as Twitter, Facebook, LiveJournal, eBay, Amazon and the name-server
infrastructure of Microsoft highlight the severity of the problem. In each of these cases the assault
was a distributed denial of service (DDoS) attack.

Denial of service attacks have become a major security risk for networks and the Internet. Because
attack tools are freely available, even a novice attacker can launch a large DoS assault against a
victim's Internet connectivity. This report examines how the Snort IDS performs in terms of detection
and packet-processing speed. It outlines the steps needed to build a college network security system,
assesses the risks to a campus network, concentrates on DoS and DDoS attacks, and proposes a
Snort-based approach to campus network security. The goal is to evaluate the functional benefits,
implementation and configuration of an open-source intrusion detection system based on Snort.

Denial of service attacks are typically defined as actions that deny legitimate users or institutions
access to particular services (network connectivity, web or e-mail). The basic purpose of a
distributed denial of service attack is to saturate a server with a large volume of useless traffic.
Botnets should be regarded as the primary vehicle from which DDoS attacks are launched.

Within a single year, more than half of colleges are hit by cyber attacks such as viruses, worms,
trojans and other malware, unauthorised access, or DDoS. These attacks can crash a campus network
(a system or a device), interrupt network access, and take down service systems and terminals.

The main goal is to cause harm to the victim. Personal motives (a significant number of DDoS attacks
are carried out against home computers, presumably for revenge) or prestige (a successful attack on a
popular web server earns respect in the hacker community) are frequent underlying motives. Some DDoS
attacks, however, are carried out for financial gain (damaging a competitor's resources or
blackmailing companies) or for political reasons (a country at war may attack its enemy's critical
resources, potentially enlisting a large share of the country's computing power for the purpose). In
some cases the true victim is not the target of the attack packets but rather others who rely on the
target's proper operation.

The goal of a DoS or DDoS attack is straightforward: to bring the server down. As noted earlier,
these attacks are typically carried out against major websites because they are high-profile and
affect a large number of customers. There are several ways to accomplish this, but they all have the
same effect. DDoS attacks target the following resources:

• Network Bandwidth.
• Server memory.
• CPU usage.
• Database space.
• Hard disk Space.

Mobile ad-hoc networks (MANETs) are well known to be vulnerable to a variety of attacks because of their
lack of centralised control, dynamic topology, limited physical security and energy-constrained
operation. Nadeem and Howarth [6] focus on preventing DoS attacks in this setting, taking as their
example intruders who cause DoS by abusing the route discovery procedure of reactive routing protocols.
They show that the tools of statistical process control (SPC) are by themselves inadequate for detecting
such DoS, and propose an anomaly-based intrusion detection system that combines a chi-square test with a
control chart to first detect the intrusion and then identify the intruder. Once the intruder is removed
from the network, overhead falls and throughput rises; over the range of scenarios tested, their
simulation results show that the algorithm performs well with low processing overhead.

Denial of service (DoS) refers to an attack on computers over a network: an intentional attempt by an
attacker to prevent legitimate users from accessing services. When the attack is carried out at larger
scale from multiple computers it is called a distributed denial of service (DDoS) attack [1]. An
attacker can use a variety of techniques, such as flooding, which saturates the network and reduces the
bandwidth available to legitimate users in order to disrupt their service. In a DDoS attack the attacker
attempts to disrupt a server's services by consuming its CPU and network capacity.

Literature Review

DDoS attack prevention is the least addressed security threat in IoT. An attacker can easily target
constrained devices by consuming their resources and rendering them unavailable to legitimate users.
Recent DDoS attacks on IoT networks have drawn researchers' attention. This section looks at some
related work.

• One proposed IDS has a complex architecture with components that are not appropriate for an IoT
  setting.
• A DDoS solution based on learning automata, modelled over a Service Oriented Architecture (SOA);
  the algorithm has two parts.
• An agent-based DDoS mitigation strategy in two parts, with attack detection performed at the border
  router. This algorithm improves on prior work, yet its results are still unsatisfactory.
• E-Lithe, proposed by Asma Haroon et al., makes DTLS resistant to DoS and DDoS attacks by exchanging
  the secret key through a Trusted Third Party (TTP). Before the real handshake begins, the TTP and the
  server agree on a pre-shared secret key, and a mutual key is shared between the client and the TTP
  for client authentication, which secures the client-server communication. The client then sends a
  handshake request to the server, which validates the client by comparing the authentication key. If
  the key is found, the server sends a ServerHello message and the handshake continues; otherwise the
  handshake is terminated.
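The exchange just described, as an added example that is not part of the original report and not E-Lithe's own code: a simplified Python model in which the server needs only the key it shares with the TTP, derives each client's key from the client identifier, and verifies a handshake request statelessly before allocating any handshake state. The message layout, the HMAC-based key derivation and the replay cache are assumptions of this example.

```python
"""Simplified model of a TTP-assisted pre-shared-key gate in front of a DTLS
handshake (added example, not E-Lithe's protocol; message layouts and key
derivation are assumptions). The point of the gate: an unverifiable handshake
request is dropped before the server spends any state on it, which is what
blunts handshake flooding against a constrained device.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Step 1: the TTP and the server agree on a pre-shared secret. Fixed here so
# the example is deterministic; a real deployment provisions it out of band.
TTP_SERVER_KEY = hashlib.sha256(b"ttp-server-psk-example").digest()


def derive_client_key(ttp_server_key: bytes, client_id: str) -> bytes:
    """Per-client key the TTP issues; the server can recompute it from the id alone."""
    return hmac.new(ttp_server_key, b"client-auth|" + client_id.encode(), hashlib.sha256).digest()


def ttp_register_client(client_id: str) -> bytes:
    """Step 2: the TTP shares a mutual key with the client over its trusted channel."""
    return derive_client_key(TTP_SERVER_KEY, client_id)


def client_hello(client_id: str, client_key: bytes, nonce: bytes) -> Dict[str, bytes]:
    """Step 3: the client's handshake request carries an authenticator over id and nonce."""
    tag = hmac.new(client_key, client_id.encode() + b"|" + nonce, hashlib.sha256).digest()
    return {"client_id": client_id.encode(), "nonce": nonce, "auth": tag}


class Server:
    """Holds only the TTP key and a replay cache; no per-client key table is needed."""

    def __init__(self, ttp_server_key: bytes):
        self.key = ttp_server_key
        self.seen_nonces = set()

    def handle_hello(self, msg: Dict[str, bytes]) -> Optional[str]:
        client_id = msg["client_id"].decode(errors="replace")
        expected = hmac.new(derive_client_key(self.key, client_id),
                            msg["client_id"] + b"|" + msg["nonce"], hashlib.sha256).digest()
        # Constant-time comparison; a mismatch is dropped silently, and no
        # handshake state exists yet, so the rejection costs almost nothing.
        if not hmac.compare_digest(expected, msg["auth"]):
            return None
        # A captured valid request could still be replayed by a flooder.
        if msg["nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(msg["nonce"])
        return "ServerHello"


def demo() -> Dict[str, Optional[str]]:
    """Runs the three outcomes: genuine client, forged request, replayed request."""
    server = Server(TTP_SERVER_KEY)
    key = ttp_register_client("sensor-17")
    nonce = bytes(range(16))                      # constructed; use os.urandom(16) in practice
    genuine = client_hello("sensor-17", key, nonce)
    forged = client_hello("sensor-17", b"\x00" * 32, os.urandom(16))
    return {
        "genuine": server.handle_hello(genuine),
        "forged": server.handle_hello(forged),
        "replayed": server.handle_hello(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed before any handshake state is created; in a real DTLS stack the same role is played by the stateless cookie exchange, and the per-client key derivation avoids the server having to store a key per device.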

Denial of service attacks, and distributed denial of service attacks in particular, threaten the
Internet and web services. Surveys indicate that the number of attacks is growing sharply as new and
more sophisticated techniques appear. Security students must therefore be exposed to DoS and DDoS
tools and offensive techniques: they need to know how to attack and how to dissect offensive methods
in order to understand how to defend networks and computer systems and to develop their security
skills. One study evaluated several defence strategies against DoS and DDoS attacks using the LOIC
and Slowloris tools to determine which strategy is most effective. LOIC supports three kinds of
attack (TCP, UDP and HTTP flooding).

Because MANET routing protocols are on-demand, they are vulnerable to DoS attacks such as sleep
deprivation and rushing attacks. Nadeem and Howarth [6] demonstrate how intruders can mount such DoS
attacks in MANETs. They first evaluate using only a control chart to protect against these attacks
and show that a solution based on static thresholds is ineffective, because it does not cope with the
dynamism of MANETs. They then propose AIDP, an adaptive intrusion detection and prevention system.
AIDP uses ABID, which first applies the chi-square test to examine the overall behaviour of the
network and signal an intrusion, and then uses the control chart to identify the intruding nodes,
which are finally isolated. Their simulation results show that AIDP detects, identifies and isolates
nodes attempting DoS attacks, with a high success rate and a very low false-alarm rate. The authors
also plan to generalise AIDP by incorporating further characteristics so as to cover all MANET
routing threats.
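The two-stage scheme described in this paragraph and in the earlier MANET paragraph (chi-square test over the whole network, then a control chart to single out the offender), as an added example written for this report rather than the AIDP authors' code. Per-node route-request (RREQ) counts per window are fed through a chi-square goodness-of-fit test against an even share; only when that fires is an upper control limit computed from recent normal windows and used to name the flooding node, which is then isolated. The window size, the control-limit multiplier k, the critical-value table and the traffic counts are assumptions of this example; the adaptive part is that the baseline is refreshed only from windows judged normal, which is what a static threshold lacks.

```python
"""Anomaly-based detection of RREQ flooding in a MANET (added example, not
the AIDP authors' code). Stage 1: chi-square test on the whole window's
per-node RREQ distribution. Stage 2: control chart from recent normal windows
identifies the node(s) above the upper control limit; they are isolated.
"""
from typing import Dict, List, Tuple
import statistics

# Upper 5% critical values of the chi-square distribution by degrees of freedom
# (standard table values; the example only needs small networks).
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070,
                6: 12.592, 7: 14.067, 8: 15.507, 9: 16.919, 10: 18.307}


def chi_square_stat(observed: List[int]) -> float:
    """Goodness-of-fit statistic of per-node RREQ counts against an even share."""
    expected = sum(observed) / len(observed)
    return sum((o - expected) ** 2 / expected for o in observed)


class AdaptiveDetector:
    def __init__(self, k: float = 3.0, history_windows: int = 5):
        self.k = k                                  # control-limit multiplier (mean + k*sd)
        self.history_windows = history_windows
        self.baseline: List[List[int]] = []         # per-node counts of recent normal windows
        self.isolated = set()

    def network_anomalous(self, counts: Dict[str, int]) -> Tuple[bool, float]:
        """Stage 1: does the whole network's RREQ distribution look abnormal?"""
        observed = [c for n, c in counts.items() if n not in self.isolated]
        stat = chi_square_stat(observed)
        return stat > CHI2_CRIT_05[len(observed) - 1], stat

    def upper_control_limit(self) -> float:
        """Stage 2 limit, recomputed from the baseline so it follows network dynamics."""
        samples = [c for window in self.baseline for c in window]
        return statistics.fmean(samples) + self.k * statistics.pstdev(samples)

    def observe(self, counts: Dict[str, int]) -> List[str]:
        """Process one window of per-node RREQ counts; returns nodes isolated in this window."""
        counts = {n: c for n, c in counts.items() if n not in self.isolated}
        anomalous, _ = self.network_anomalous(counts)
        if not anomalous or not self.baseline:
            # Normal window (or nothing to compare against yet): refresh the baseline.
            self.baseline = (self.baseline + [list(counts.values())])[-self.history_windows:]
            return []
        ucl = self.upper_control_limit()
        culprits = [n for n, c in counts.items() if c > ucl]
        self.isolated.update(culprits)
        return culprits


NODES = [f"n{i}" for i in range(10)]


def window(counts: List[int]) -> Dict[str, int]:
    return dict(zip(NODES, counts))


# Constructed traffic: four quiet windows, then node n7 floods route requests.
NORMAL_WINDOWS = [
    [5, 6, 4, 7, 5, 6, 5, 4, 6, 5],
    [6, 5, 5, 6, 4, 7, 5, 5, 6, 4],
    [4, 6, 5, 5, 6, 5, 7, 4, 5, 6],
    [5, 5, 6, 4, 6, 5, 5, 6, 4, 7],
]
ATTACK_WINDOW = [5, 6, 4, 7, 5, 6, 5, 60, 6, 5]


def run_simulation() -> Tuple[List[List[str]], float]:
    """Returns the nodes isolated per window and the chi-square statistic after isolation."""
    det = AdaptiveDetector()
    flagged = [det.observe(window(w)) for w in NORMAL_WINDOWS]
    flagged.append(det.observe(window(ATTACK_WINDOW)))
    _, stat_after = det.network_anomalous(window(ATTACK_WINDOW))   # n7 now excluded
    return flagged, stat_after


if __name__ == "__main__":
    print(run_simulation())
```

With the constructed counts the quiet windows score about 1.5 against a critical value of 16.9, the attack window scores in the hundreds, and the control limit of mean + 3 sd (about 8 RREQs per window) names n7 alone; once n7 is excluded the remaining nodes pass the test again.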

Prasad et al. [3] classify DDoS defence architectures as source-end, victim-end and intermediate, and
use this classification to organise the various DDoS attacks and defences. They also discuss detection
and mitigation strategies (statistical, soft-computing, knowledge-based and data-mining approaches)
together with their benefits and drawbacks, according to where and when they detect and respond to
DDoS attacks. Finally, they review DDoS traceback techniques such as packet-marking schemes,
information distance, honeypots and entropy variations. DDoS detection and protection are extremely
difficult to design and deploy in practice: satisfying all the requirements for DDoS detection at once
is not possible in real-time networks, and numerous performance characteristics must be carefully
balanced against each other.

When network problems prevent IP packet delivery, network devices such as routers use ICMP (Internet
Control Message Protocol) to send error messages back to the source IP address. These ICMP messages
tell the source that a gateway (a router), a service or a host cannot be reached for delivery of the
packet.

Any IP network device can send, receive and process ICMP messages, but attackers also exploit ICMP
packets. The attacker first pings the victim machine to determine whether it is alive: if the host
is up it answers with an echo reply, otherwise the request times out. The reply gives the attacker
useful information, including confirmation of the victim's IP address, a hint of its operating
system (from the TTL of the reply) and the default packet size. The attacker then uses these
parameters in the DDoS assault.

To choke the victim, the attacker sends a flood of ICMP messages in an irregular pattern. The next
goal is to propose a technique for detecting ICMP flood DDoS attacks using the parameters just
described.
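A rate-based ICMP echo-request flood detector of the kind this section calls for, added here as an example rather than the report's own design or Snort's code: constructed packet records are replayed through a per-destination one-second sliding window, and an alert fires the first time echo requests to one host exceed a threshold, reporting how many distinct sources were involved (a spoofed flood shows far more sources than a legitimate burst of pings). The threshold, the window length, the record format and all traffic below are assumptions.

```python
"""ICMP echo-request flood detection over constructed packet records (added
example, not the authors' or Snort's code). Per destination, keep the
(timestamp, source) of echo requests seen in the last window; alert once the
count crosses the threshold.
"""
from collections import deque
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    ts: float                          # seconds
    src: str
    dst: str
    proto: str                         # "icmp", "tcp", ...
    icmp_type: Optional[int] = None    # 8 = echo request, 0 = echo reply


class IcmpFloodDetector:
    def __init__(self, count: int = 100, seconds: float = 1.0):
        self.count = count
        self.seconds = seconds
        self.windows: Dict[str, Deque[Tuple[float, str]]] = {}
        self.alerted: Dict[str, float] = {}    # destination -> time of first alert

    def feed(self, pkt: Packet) -> Optional[str]:
        """Consume one packet; returns an alert message when the threshold is first crossed."""
        if pkt.proto != "icmp" or pkt.icmp_type != 8:
            return None                        # only echo requests count toward the flood
        win = self.windows.setdefault(pkt.dst, deque())
        win.append((pkt.ts, pkt.src))
        while win and pkt.ts - win[0][0] > self.seconds:
            win.popleft()                      # expire requests older than the window
        if len(win) >= self.count and pkt.dst not in self.alerted:
            self.alerted[pkt.dst] = pkt.ts
            sources = len({src for _, src in win})
            return (f"ICMP echo flood: {len(win)} requests to {pkt.dst} "
                    f"in {self.seconds:g}s from {sources} sources")
        return None


def constructed_trace() -> List[Packet]:
    """Three seconds of a monitor pinging a server at 20/s, then a spoofed 300-packet flood."""
    pkts: List[Packet] = []
    for i in range(60):
        pkts.append(Packet(i / 20, "10.0.0.5", "192.0.2.10", "icmp", 8))
        pkts.append(Packet(i / 20 + 0.001, "192.0.2.10", "10.0.0.5", "icmp", 0))
    pkts.append(Packet(3.0, "10.0.0.9", "192.0.2.10", "tcp"))      # ignored by the detector
    for i in range(300):               # 300 echo requests in half a second, spoofed sources
        src = f"198.51.100.{i}" if i < 256 else f"203.0.113.{i - 256}"
        pkts.append(Packet(4.0 + i / 600, src, "192.0.2.10", "icmp", 8))
    return pkts


def run(trace: List[Packet], count: int = 100) -> List[str]:
    det = IcmpFloodDetector(count=count)
    return [alert for alert in (det.feed(p) for p in trace) if alert]


if __name__ == "__main__":
    for line in run(constructed_trace()):
        print(line)
```

With the default threshold of 100 per second the monitor's 20 pings per second pass and the flood is reported at its 100th packet from 100 distinct sources; lowering the threshold to 20 makes the same detector alert on the legitimate monitor, which is the tuning trade-off any rate rule carries. The same threshold is expressed in Snort with the detection_filter option (track by_dst, count, seconds) on a rule matching ICMP type 8.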

Methodology

A DDoS detection approach based on the source IP address is proposed. Instead of monitoring traffic
volume, the system watches for new source IP addresses in the packets. The technique is based on
Jung's research, which shows that during an attack most source IP addresses are new to the victim,
whereas during a flash crowd most are not. A flash crowd is a sharp increase in demand on a web server
caused by a legitimate surge of traffic, which causes congestion and packet loss.
The biggest disadvantage of this strategy is that an attacker can avoid detection by launching the
assault from known (not new) IP addresses, for example by initiating normal conversations with the
target before the attack.
Furthermore, not all DoS attacks use spoofed IP addresses: the attacker may deploy zombies that have
legitimate IP addresses.
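The source-address novelty check described above, as an added example that is not the cited authors' code: an IP address database is seeded from normal traffic, each window is scored by the fraction of packets from unseen sources, and an alarm is raised when that fraction exceeds a threshold. The window size, the threshold and all addresses below are constructed assumptions. The last scenario reproduces the evasion noted in the text: bots that first hold normal conversations become "known", and a later flood from them raises no alarm.

```python
"""Source-IP novelty detection (added example, not the cited authors' code).
A flash crowd is mostly returning addresses; a spoofed flood is mostly new
ones. Windows judged normal are admitted to the database, which is also the
hole an attacker uses by priming the database with its bots first.
"""
from typing import Dict, Iterable, List, Set, Tuple


class SourceIPMonitor:
    def __init__(self, new_fraction_threshold: float = 0.5, min_packets: int = 50):
        self.known: Set[str] = set()            # the IP address database
        self.threshold = new_fraction_threshold
        self.min_packets = min_packets

    def learn(self, sources: Iterable[str]) -> None:
        """Seed the database from traffic believed to be legitimate."""
        self.known.update(sources)

    def inspect(self, window_sources: List[str]) -> Tuple[float, bool]:
        """Return (fraction of packets from unseen sources, alarm) for one window."""
        if len(window_sources) < self.min_packets:
            return 0.0, False                    # too little traffic to judge
        new = sum(1 for s in window_sources if s not in self.known)
        fraction = new / len(window_sources)
        alarm = fraction > self.threshold
        if not alarm:
            # Admit only windows judged normal, otherwise a flood would teach
            # the monitor its own sources.
            self.known.update(window_sources)
        return fraction, alarm


def known_clients(n: int = 1000) -> List[str]:
    return [f"10.0.{i // 256}.{i % 256}" for i in range(n)]


def scenarios() -> Dict[str, Tuple[float, bool]]:
    monitor = SourceIPMonitor()
    clients = known_clients()
    monitor.learn(clients)

    # Flash crowd: 200 packets, 180 from returning clients and 20 from newcomers.
    flash_crowd = clients[:180] + [f"192.0.2.{i}" for i in range(20)]
    # Spoofed flood: 200 packets whose sources have never been seen.
    spoofed_flood = [f"198.51.100.{i}" for i in range(200)]
    # Evasion: 150 bots trickle in among normal traffic (25% new per window,
    # under the threshold), get admitted to the database, and only then flood.
    bots = [f"203.0.113.{i}" for i in range(150)]

    results = {
        "flash_crowd": monitor.inspect(flash_crowd),
        "spoofed_flood": monitor.inspect(spoofed_flood),
    }
    for start in (0, 50, 100):
        monitor.inspect(clients[:150] + bots[start:start + 50])
    results["primed_flood"] = monitor.inspect([bots[i % 150] for i in range(200)])
    return results


if __name__ == "__main__":
    for name, (fraction, alarm) in scenarios().items():
        print(f"{name:14s} new={fraction:.2f} alarm={alarm}")
```

The flash crowd scores 10% new sources and passes, the spoofed flood scores 100% and alarms, and the primed flood scores 0% and passes undetected, which is exactly the weakness the text points out; a deployment therefore pairs this check with rate or behaviour measures rather than relying on novelty alone.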

Kim proposes a detection technique based on building a stable baseline profile against which traffic
variations are monitored. The stability of traffic with respect to several parameters was
investigated, and significant differences in traffic patterns were found between sites, so a
site-specific baseline profile built from many parameters was developed for detection. The attributes
were chosen on the assumption that the attacker can anticipate some of them, such as packet size, TCP
flag pattern and protocol type, whereas TTL, source IP prefixes and server-port distribution are
site-dependent and difficult for the attacker to learn, according to the author; the technique was
therefore built on the latter characteristics. This approach has limitations: the chosen properties
are not directly related to DDoS attacks, and it incurs higher computational complexity with a high
false-positive rate.
Two DDoS detection strategies are based on distance: average distance estimation and distance-based
traffic separation. The attack is identified by measuring the distance and the traffic rate, where
the TTL value of arriving packets is used to infer the distance.
In average distance estimation, the "normality" of the traffic is defined by the predicted mean
distance, computed with exponential smoothing. In distance-based traffic separation, normality is
defined by predicting the traffic arrival rates from the different distances, using a minimum mean
square error (MMSE) linear predictor. In both techniques the mean absolute deviation (MAD) is used
to separate normal from abnormal traffic.
Because detection rests on a distance inferred from the TTL value, the distance does not reliably
reflect a traffic anomaly. An attacker can calculate the distance to the target and choose the best
route, and a skilled attacker can set the TTL value so that the inferred distance falls within the
expected range. Furthermore, paths are subject to change, and different ISPs may apply different
policies. Finally, in both strategies the prediction of traffic normality relies on current
estimation techniques that depend on the samples and can be anticipated by the attacker.
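Average distance estimation, the first of the two techniques above, as an added example (not the cited authors' code). The hop distance of a packet is inferred from its TTL by assuming the nearest common initial TTL (32, 64, 128 or 255); the per-window mean distance is tracked with exponential smoothing together with its mean absolute deviation, and a window whose mean distance departs from the prediction by more than k deviations is flagged. The smoothing factors, k, the TTL samples, the attack window and the TTL-spoofing evasion window are assumptions of this example; the MMSE-based second technique is not shown.

```python
"""TTL-derived average distance estimation with exponential smoothing and MAD
(added example, not the cited authors' code). The last window shows the
evasion noted above: an attacker who sets TTLs to land at the expected
distance is not flagged.
"""
from typing import List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)      # common initial TTL values, smallest first


def hops_from_ttl(ttl: int) -> int:
    """Infer hop distance as the gap to the smallest plausible initial TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"invalid TTL {ttl}")


def mean_distance(ttls: List[int]) -> float:
    return sum(hops_from_ttl(t) for t in ttls) / len(ttls)


class AverageDistanceDetector:
    """Tracks the smoothed mean distance and its mean absolute deviation (MAD)."""

    def __init__(self, alpha: float = 0.125, beta: float = 0.25, k: float = 4.0, floor: float = 0.5):
        self.alpha, self.beta, self.k, self.floor = alpha, beta, k, floor
        self.predicted: Optional[float] = None
        self.mad: float = floor

    def observe(self, ttls: List[int]) -> Tuple[bool, float]:
        """Process one window of TTLs; returns (anomalous, distance predicted for the window)."""
        d = mean_distance(ttls)
        if self.predicted is None:             # first window seeds the estimate
            self.predicted = d
            return False, d
        prediction = self.predicted
        error = abs(d - prediction)
        anomalous = error > self.k * max(self.mad, self.floor)
        if not anomalous:
            # Exponential smoothing on normal windows only, so an attack cannot
            # drag the baseline toward itself.
            self.predicted = self.alpha * d + (1 - self.alpha) * prediction
            self.mad = self.beta * error + (1 - self.beta) * self.mad
        return anomalous, prediction


# Constructed TTL samples. Normal windows mix hosts behind 64/128/255 initial
# TTLs, all about 12 to 15 hops away; the attack window carries spoofed packets
# with arbitrary TTLs; the evasion window has TTLs chosen to mimic 13 hops.
NORMAL_WINDOWS = [
    [52, 50, 115, 240, 51],     # mean 13.4 hops
    [51, 52, 116, 242, 49],     # mean 13.0
    [50, 51, 114, 241, 50],     # mean 13.8
    [52, 50, 115, 241, 51],     # mean 13.2
]
ATTACK_WINDOW = [7, 200, 33, 99, 250]       # hop estimates 25, 55, 31, 29, 5: mean 29
EVASION_WINDOW = [51, 115, 50, 242, 52]     # attacker-chosen TTLs, mean 13.0 hops


def run_simulation() -> List[Tuple[bool, float]]:
    det = AverageDistanceDetector()
    return [det.observe(w) for w in NORMAL_WINDOWS + [ATTACK_WINDOW, EVASION_WINDOW]]


if __name__ == "__main__":
    for (flag, pred), w in zip(run_simulation(), NORMAL_WINDOWS + [ATTACK_WINDOW, EVASION_WINDOW]):
        print(f"predicted={pred:5.2f} observed={mean_distance(w):5.2f} anomalous={flag}")
```

The inference of the initial TTL is itself a guess: a packet with TTL 40 could be 24 hops from a 64-TTL host or 88 hops from a 128-TTL one, and the smallest-gap rule picks the former, which is one more reason the text gives this distance signal limited weight.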
MULTOPS (Multi-Level Tree for Online Packet Statistics) is a router-based detection technique built
on a heuristic and a data structure. The nodes of the tree keep packet-rate statistics for subnet
prefixes, so statistics are gathered at several levels of aggregation, and the size of the tree
adjusts to the available memory. MULTOPS assumes that, for normal traffic, the packet rates in the
two directions between two hosts are proportional; a disproportion between the rates therefore raises
an alarm for an attack.

The position and configuration of MULTOPS routers in the network can affect the technique's ability
to identify attacks that use packets with randomised source IP addresses. Legitimate packets destined
for a given IP address will be discarded, because MULTOPS will be confused by the spoofed-source
packets and mark that destination address as under attack. Furthermore, a large number of attackers
could connect to the victim normally, so that the rate of the attackers' traffic remains proportional
and MULTOPS does not detect the attack.
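The data structure described above, as an added example that is not Gil and Poletto's MULTOPS code: a tree keyed by address octets whose nodes count packets to and from their prefix, expanded one octet deeper only once enough traffic has passed through a node, so coarse prefixes are always covered and host granularity appears only where traffic is heavy. A prefix whose inbound count grows out of proportion to its outbound count is reported as a flood target. The expansion threshold, the ratio, the minimum count and the sample traffic are assumptions of this example.

```python
"""MULTOPS-style packet-rate tree (added example, not the original MULTOPS
code). record() accounts one packet along the destination's prefixes (to)
and the source's prefixes (frm); flood_targets() reports prefixes where the
to/frm ratio is disproportionate.
"""
from typing import Dict, List


class PrefixNode:
    def __init__(self, prefix: str):
        self.prefix = prefix                       # e.g. "192.0.2"; "" for the root
        self.to = 0                                # packets destined to this prefix
        self.frm = 0                               # packets originating from this prefix
        self.children: Dict[str, "PrefixNode"] = {}


class Multops:
    def __init__(self, expand_at: int = 32, ratio: float = 3.0, min_packets: int = 100):
        self.root = PrefixNode("")
        self.expand_at = expand_at                 # packets through a node before it expands
        self.ratio = ratio                         # to/frm disproportion that signals a flood
        self.min_packets = min_packets             # ignore prefixes with little traffic

    def _account(self, ip: str, field: str) -> None:
        node = self.root
        for octet in ip.split("."):
            setattr(node, field, getattr(node, field) + 1)
            child = node.children.get(octet)
            if child is None:
                if node.to + node.frm < self.expand_at:
                    return                          # not busy enough for finer statistics
                child = node.children[octet] = PrefixNode(f"{node.prefix}.{octet}".lstrip("."))
            node = child
        setattr(node, field, getattr(node, field) + 1)

    def record(self, src: str, dst: str) -> None:
        """Account one packet in both directions of the tree."""
        self._account(dst, "to")
        self._account(src, "frm")

    def flood_targets(self) -> List[str]:
        """Prefixes receiving many packets with disproportionately few in return."""
        found: List[str] = []
        stack = [self.root]
        while stack:
            node = stack.pop()
            if (node is not self.root and node.to >= self.min_packets
                    and node.to > self.ratio * max(node.frm, 1)):
                found.append(node.prefix)
            stack.extend(node.children.values())
        return sorted(found)


def simulate() -> Dict[str, List[str]]:
    """Balanced client/server traffic, then a spoofed one-way flood at the server."""
    tree = Multops()
    clients = [f"10.0.0.{i}" for i in range(1, 51)]
    server = "192.0.2.10"
    for _ in range(4):                             # requests and replies, 1:1
        for c in clients:
            tree.record(c, server)
            tree.record(server, c)
    before = tree.flood_targets()
    for i in range(600):                           # spoofed sources, never answered
        tree.record(f"198.51.100.{i % 256}", server)
    return {"before_flood": before, "during_flood": tree.flood_targets()}


if __name__ == "__main__":
    print(simulate())
```

Before the flood no prefix is disproportionate; during it the server and every prefix above it are reported, because the flood's inbound count dwarfs the replies. This also illustrates the limitation in the text: once the server's prefix is marked, a router dropping traffic toward it drops the legitimate clients' requests too, and a flood whose bots also elicit replies would keep the ratio near 1 and go unreported.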
Comparison Table

Title | Technology | Methodology | Results | Objectives | Precision | Accuracy | Recall | F1 Score | Comments
A Survey: DDOS Attack on Internet of Things | Machine Learning | Survey | Provides an overview of DDOS attacks on IoT | To provide an overview of DDOS attacks on IoT | 0.78 | 0.81 | 0.8575 | 0.8 | Provides a general understanding of the topic
A Novel Algorithm for DoS and DDoS attack detection in Internet Of Things | Algorithm | - | Proposes a new algorithm for detecting DoS and DDoS attacks in IoT | To improve detection of DoS and DDoS attacks in IoT | 0.95 | 0.83 | 0.886 | 0.7 | Details on precision, accuracy, etc. not provided
Detection and Prevention of ICMP Flood DDOS Attack | Deep Learning | - | Describes a method for detecting and preventing ICMP flood DDOS attacks | To improve detection and prevention of ICMP flood DDOS attacks | 0.88 | 0.81 | 0.9534 | 0.9 | No mention of precision, accuracy, etc.
DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey | Machine Learning | Survey | Provides an overview of defense, detection and traceback mechanisms for DoS and DDoS attacks | To provide an overview of defense, detection and traceback mechanisms for DoS and DDoS attacks | N/A | N/A | N/A | N/A | Provides a general understanding of the topic
Adaptive Intrusion Detection & Prevention of Denial of Service attacks in MANETs | Intrusion detection | - | Proposes an adaptive intrusion detection method for prevention of DoS attacks in MANETs | To improve prevention of DoS attacks in MANETs | 0.89 | 0.90 | 0.8892 | 0.9 | No mention of precision, accuracy, etc.
A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks | Algorithm | - | Proposes a new algorithm for detecting DoS and DDoS attacks using an ARIMA time series model and a chaotic system | To improve detection of DoS and DDoS attacks | 0.9 | 0.7 | 0.7685 | 0.7 | Details on precision, accuracy, etc. not provided
A Novel Algorithm for DoS and DDoS attack detection in Internet Of Things (second entry) | Algorithm | - | Proposes a new algorithm for detecting DoS and DDoS attacks in IoT | To improve detection of DoS and DDoS attacks in IoT | 0.8 | 0.8 | 0.9876 | 0.8 | Details on precision, accuracy, etc. not provided
An Approach for Detecting and Preventing DDoS Attacks in Campus | Neural Network | - | Describes an approach for detecting and preventing DDoS attacks in campus | To improve detection and prevention of DDoS attacks in campus | 0.7 | 0.7 | 0.7301 | 0.6 | No mention of precision, accuracy, etc.
The Detection & Defense of DoS & DDoS Attack: A Technical Overview | Intrusion detection | - | Provides an overview of detection and defense techniques for DoS and DDoS attacks | To provide an overview of detection and defense techniques for DoS and DDoS attacks | N/A | N/A | N/A | N/A | Provides a general understanding of the topic

Note: the Precision, Accuracy, Recall and F1 figures are reproduced as given in the original table. For several rows the Comments column states that the source paper does not report these metrics, so those figures should not be read as published results.

References:

1. K. Sonar and H. Upadhyay, "A Survey: DDOS Attack on Internet of Things".
2. S. Kajwadkar and V. K. Jain, "A Novel Algorithm for DoS and DDoS attack detection in Internet of Things".
3. K. Munivara Prasad, A. Rama Mohan Reddy and K. Venugopal Rao, "DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey".
4. M. Shurman, R. Khrais and A. Yateem, "DoS and DDoS Attack Detection Using Deep Learning and IDS".
5. M. Merouane, "An Approach for Detecting and Preventing DDoS Attacks in Campus".
6. A. Nadeem and M. Howarth, "Adaptive Intrusion Detection & Prevention of Denial of Service attacks in MANETs".
7. S. M. Tabatabaie Nezhad, M. Nazari and E. A. Gharavol, "A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks".
8. G. Shrivastava, K. Sharma and S. Rai, "The Detection & Defense of DoS & DDoS Attack: A Technical Overview".
9. K. Park and H. Lee, "On the effectiveness of probabilistic packet marking for IP traceback under a denial of service attack".
10. D. Moore, G. Voelker and S. Savage, "Inferring Internet Denial of Service Activity", Proceedings of the USENIX Security Symposium.
11. W. Wang, Y. Lu and K. Bhargava, "On Vulnerability and Protection of Ad Hoc On Demand Distance Vector Protocol".
12. S. T. Zargar, J. Joshi and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks".
