Protocol Share Based Traffic Rate Analysis (PSBTRA) for UDP Bandwidth Attack

  • Zohair Ihsan
  • Mohd. Yazid Idris
  • Khalid Hussain
  • Deris Stiawan
  • Khalid Mahmood Awan
Part of the Communications in Computer and Information Science book series (CCIS, volume 251)

Abstract

The Internet is based on the best-effort and end-to-end design principles. Although these principles are the reasons for the Internet’s high efficiency and popularity, they have also resulted in many inherent security problems, such as bandwidth attacks. A bandwidth attack has two main characteristics. First, during an attack the incoming traffic rate is much higher than the outgoing traffic rate. Second, the proportion of the protocol exploited by the attacker is higher compared to the other protocols in the traffic. Based on these two characteristics, a UDP bandwidth attack detection system based on Protocol Share Based Traffic Rate Analysis (PSBTRA) is proposed. Experiments on a real-world network show that this approach can effectively detect UDP bandwidth attacks.
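As an added illustration of the two characteristics the abstract names (this is not the authors' PSBTRA implementation), the following Python computes the incoming/outgoing byte ratio and the per-protocol share of incoming traffic over one observation window of constructed packet records and flags the window only when both signals hold. The record format and the two thresholds are assumptions; the paper's own values are not given on this page.

```python
# Added example, not the paper's code. Each record is (direction, protocol, bytes)
# observed in one fixed-length window, so byte totals stand in for rates.
from collections import Counter


def window_metrics(records):
    """Return (in_out_ratio, protocol_share) for one window.

    in_out_ratio   : incoming bytes / outgoing bytes (inf if nothing left the network)
    protocol_share : protocol -> fraction of INCOMING bytes carried by that protocol
    """
    in_bytes = out_bytes = 0
    per_proto = Counter()
    for direction, proto, nbytes in records:
        if direction == "in":
            in_bytes += nbytes
            per_proto[proto] += nbytes
        elif direction == "out":
            out_bytes += nbytes
    ratio = in_bytes / out_bytes if out_bytes else float("inf")
    share = {p: b / in_bytes for p, b in per_proto.items()} if in_bytes else {}
    return ratio, share


def is_udp_bandwidth_attack(records, ratio_threshold=5.0, share_threshold=0.8):
    """Flag a window only when BOTH characteristics from the abstract hold:
    incoming traffic dominates outgoing traffic AND UDP dominates the protocol mix.
    The thresholds are illustrative assumptions, not values from the paper."""
    ratio, share = window_metrics(records)
    return ratio >= ratio_threshold and share.get("udp", 0.0) >= share_threshold


# Constructed sample windows (direction, protocol, bytes).
NORMAL_WINDOW = [
    ("in", "tcp", 1500), ("out", "tcp", 1200), ("in", "udp", 300),
    ("out", "udp", 250), ("in", "tcp", 900), ("out", "tcp", 1100),
]
# Many inbound UDP datagrams with almost no replies: both signals fire together.
FLOOD_WINDOW = [("in", "udp", 1400)] * 40 + [
    ("in", "tcp", 600), ("out", "tcp", 400), ("out", "udp", 120),
]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        ratio, share = window_metrics(window)
        print(f"{name}: in/out={ratio:.2f} udp_share={share.get('udp', 0):.3f} "
              f"attack={is_udp_bandwidth_attack(window)}")
```

A window dominated by inbound TCP, or one with a high UDP share but balanced in/out volume, is not flagged, which is the point of requiring both characteristics rather than either one alone.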

Keywords

Distributed Denial of Service Attack; Bandwidth Attack; UDP Flooding Attack

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Zohair Ihsan (1)
  • Mohd. Yazid Idris (1)
  • Khalid Hussain (1)
  • Deris Stiawan (1)
  • Khalid Mahmood Awan (1)

  1. Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, Skudai, Malaysia