Fuzzy Observation of DDoS Attack

DDoS attacks are able to block Web servers. Such attacks could be started from anywhere in the network. This chapter presents the possibility of using Ordered Fuzzy Numbers (OFNs) for observation of a DDoS attack. The proposed algorithm could be implemented on routers and predict the moment of the attack. Such prediction gives a possibility for the network administrators to protect server resources. In the chapter the author presents the real test results made on a prepared IP network. The presented results prove that OFNs have a huge potential for usage in observation of DDoS attacks.


Introduction
Today the main network used is the Internet which could be described as a wide area network (WAN). Many huge companies have many offices in different locations connected to the Internet. In this situation often some virtual private networks (VPN) are created to connect the locations in a secure way. This gives a possibility to block the company using a distributed denial of services (DDoS) attack on such systems. Such an attack could block the server from managing connections and thus resources and could generate financial loss for this company. That is why this problem is very common and should be solved.

DDoS Attack Description and Recognition
These attacks are well described in the literature [1][2][3]. There are many possible types of such attacks. One of them could use TCP/IP sockets vulnerabilities [2,4], whereas others could use domain name system (DNS) server vulnerabilities. As mentioned, the main principle of such attacks is to try to utilize all server resources by generating a lot of ordinary user connections. The number of such connections can exceed the servers' capability to handle them. Many papers [1-3, 5, 6] provide methods for dealing with DDoS attacks. These methods could be described as detection and the necessary cooperation between network providers. This is because the attackers send their packets through the network which belongs to a network provider. Therefore only network providers can block the attacker traffic. If they do not block such traffic, that traffic will saturate data links. This saturation causes blockage of the connection to the server [7] which could block some valuable portals such as e-learning platforms [8,9]. Some of the methods for detecting DDoS attacks use general-purpose computing on graphics processing units [10], whereas others recommend protecting networks with a firewall [11,12]. Intrusion prevention systems and intrusion detection systems use huge databases that consist of data collected during simple attacks from one place on the network [11]. But detecting attacks in a real worldwide network, such as a WAN, is a very complicated process. Some authors claim that it could be ensured by cooperation of routers, firewalls, and Internet providers [13][14][15]. Other possibilities include the use of fuzzy logic for this purpose [16,17]. Such a solution requires a great deal of effort from experts who have to provide the rules describing the possible attack. Then, these rules are used for attack observation.

The Idea of Attack Recognition and Prevention
The proposed idea of attack observation, for recognition and prevention, is to limit performance of a network device during the attack that will limit the number of connections made to the target of the attack. Nowadays there are methods for limiting incoming traffic on a firewall and they allow the servers to deal with the already established connection. This should let the users finish their work and enable new users to connect to the server. Such known methods are quality of service (QoS) methods. QoS methods let the network administrators limit data traffic that could be described by many parameters such as source address, destination address, protocol, port, and so on. This solution also makes it possible for the router to count incoming traffic and decide which packet will be transferred as first and which will be the last.
There are some papers describing the QoS method idea that can work on one router and try to protect network resources locally [18]. But this solution does not recognize the source of the attack and does not solve the problem. When the packets are not blocked the hacker is still able to send packets to the server and block its resources. Nowadays routers are, of course, exchanging a lot of information between them.
The main information describes the reachability of the IP networks. This is done by routing protocols such as OSPF, EIGRP, BGP, or multicast routing protocols [19,20]. This mechanism can be used for recognizing the DDoS attacks with some Ordered Fuzzy Numbers (OFNs) implemented. As has already been mentioned, QoS methods are able to count the number of packets, but they are not able to decide if the packet is part of a DDoS attack on a server. There is a need for new services for network providers. Those services should provide mechanisms for detecting the attackers' packets to enable the router to block them on all the network routers, not only on the firewall that operates in front of the target of the attack. Such services should be implemented in an easy way, and it should use some well-known mechanism such as exchanging information between routers via routing protocols. Such a solution is the simple network management protocol (SNMP) which is used for acquiring knowledge on traffic statistics. The solution proposed by the authors for recognizing DDoS attacks using OFNs could be implemented on routers and require collecting traffic statistics. This method should not utilize too many resources of the routers, therefore it should also cooperate with the possible target of the attack. The author defines this method in the following steps.
• Server collects information about its traffic statistics (1) via SNMP from network routers. • Using OFNs, its traffic statistics, and operating status, the server detects that it is under attack (2). • Server establishes IPSec channel to network provider's router (3).
• Server passes information about the type of traffic that has to be blocked by the network using SNMP over the IPSec channel (4). • Router starts to block specific traffic (5).
• Router spreads the information about specific traffic that has to be blocked via a SNMP trap message to other routers (6). • The specific traffic of the attacker is blocked via the network resources (7).
These steps are presented in Fig. 14.1. This idea is very simple and can be implemented very easily. The proposed algorithm uses SNMP and IPSec encryption. Some known aspects of the attack are used. The first is that the target of the attack is a server. The consequence of that fact is that the server should recognize it is under attack. The network alone is not able to decide if the server is under attack. Second, if the routers get the information that they have to block some specific traffic, they could do it. Routers could block specific traffic to the server using an already implemented mechanism such as random early detection. The process of passing the information from the server to the router that there is an attack has to be protected and both sides of the communication have to be authenticated. This could be achieved using a second already existing mechanism such as IPSec encryption and public-key infrastructure. Nowadays many organizations possess X.509 certificates signed by authorized certification authorities. The aforementioned secure communication channel, established by IPSec, could be used for passing the information from the server to the router that the server is under attack. This message can also include information about the kind of traffic to be blocked in the network. There could also be SNMP used in a secured IPSec channel to pass the information. As mentioned, SNMP is also widely implemented on routers. Thus the network providers can implement this solution on their routers. The only thing that has to be done is to decide if the server is under attack. This process could be achieved using the aforementioned Ordered Fuzzy Numbers.

Attack Observation Using OFNs
As has already been mentioned, the system administrator has the possibility to check how many and which users are already connected to the server. He or she is also a person who possesses the knowledge about the prime time of the day in which users usually work with the system. Another issue that could be checked is how many TCP SYN connections actually come to the server by attempts to establish a TCP session. The last area that could be checked by the proposed algorithm, as mentioned before, is router statistics of packet transmission. That complete set of information should be enough to decide whether the server is under attack. In the proposed algorithm, the administrator will not use the fact that the number of connections is growing. The method will measure the packet count during network operation based on router statistics provided by SNMP. In the proposed algorithm, the administrator should measure The specific packet count four times: where t i is a current timeslot. All four measures together give a fuzzy number in OFN notation where This fuzzy number in OFN notation is presented in Fig. 14.2. This is a definition of fuzzy observance of a router.

Definition 1 Fuzzy observance of an R router in time t i is a set
This provides Lemma 1.

Lemma 1
in other situations, R negative . According to this definition during router observance the counters should give: • Positive order of OFNs when the packet count increases • Negative order of OFNs when the packet count decreases The interpretation of these orders is presented in Fig. 14.3. Then the statistics collected on the routers are prepared and the appropriate counters give the results for preparing fuzzy numbers, and a fuzzy observance of the group of routers can be defined. Fuzzy observance of the group of routers is defined as Definition 2 Fuzzy observance of the group of routers is described by the formula: where w i ∈ {w i , . . . , w n } describes an impact on all routers.
This provides a possibility to define the situation when DDoS should be detected on the router: Definition 3 An attack on the router is detected in the following conditions: If Ri is positive AND Ri is negative THEN Attack = true where Ri is an order from the history of statistical results according to that router on the time of day of the observance.
According to this, the situation when DDoS could be detected on a group of routers could be defined as follows.
Definition 4 An attack on a group of routers is detected in the following conditions. If Sm is positive AND Sm' negative THEN Attack = true where Sm is an order from the history of statistical results according to that group of routers on the time of day of the observance.

Experiment Test Results
In the following two subsections we provide descriptions of the test together with the results of attack detection by the proposed method.

Test Description
To test and prove the idea a special IP network was prepared. This test was inspired by the situation in Poland, when the Polish government attempted to sign the ACTA regulations. This situation caused a huge attack on Polish government websites. In consequence, those websites were blocked. The method of attack was very simple, because it was sufficient that many people tried to visit such websites which generated massive traffic to the servers. These servers were not prepared to manage so many connections exceeding their capacity. Finally the servers stopped responding to users' queries. Such a method of attack could be simulated in an easy way. Some simple tools could be found on the Internet [21]. One of them is DDOSIM, Layer 7 DDoS simulator [22]. This solution is provided with the source code, thus it is possible to analyze it and check how it works. In a real situation, the attacker has to collect an appropriate number of hosts that could be used as sources of the attack. Once she has them, the attack can be started. In the prepared simulation, it is enough to just run the DDOSIM program with the appropriate parameters. After that, this tool will generate the defined amount of connections to the defined IP address. To perform this test a special network with mesh topology (shown in Fig. 14.1) was prepared. The user hosts labeled from 1 to 5 were running DDOSIM software in the appropriate cycle. This station was equipped with an Intel i3 processor running under Windows 7 64bit system control. But the DDOSM software was running on a virtual machine in a VMWare environment. That virtual machine was equipped with 512 MB of memory and 1 processor and was running under Debian operating system control and the Web server was equipped with two Intel Xeon processors with a Windows 2008 server operating system. An Internet information service was started on the Web server. It was used to provide an HTTP server functionality. The routers R1 to R6 were Cisco 2600 series routes. To simulate the attack the DDOSIM software requested information from the Web server using a TCP connection in the following steps.
• User sends TCP SYN packet to port 80.
• Web server answers with TCP SYN ACK and reserved resources.
• User sends TCP ACK packet.
• User sends HTTP/GET as a request for information packet.
• Server attempts to answer this request for information packet.
The cycle of simulation was prepared in the following steps and according to the following conditions.
• The IP address of the Web server was 192.168.10.12.
• The user hosts from 1 to 5 have got IP addresses 192.168.x.4, where x belongs to the set 1, 2, 3, 4, 5. • During the attack the packets were sniffed using Wireshark; there were six places where packets were sniffed: user 1 to 5 machines and the Web server. • The network was running normally.
• After 1 min of normal operation the host of user 1 started the attack.
• The target of the attack, of course, was the Web server.
• The user machines were sending request packets using DDSOIM software with these parameters: there were 1,000 HTTP GET messages passed to the Web server every 30 s. • Another user host joined the attack every minute.
• Once all the user's hosts started the attack, all of them attacked together for five minutes. • When the attack stopped, the packets were sniffed for another five minutes.
This test provides a lot of data from the network node using files with whole IP packets from six places of the network. The database from this simulation including the traffic from all the connections can be downloaded from data resource page [23]. Additional packets that could be recognized in the collected database include the open shortest path first routing protocol which was running between routers as in ordinary networks [18,23,24]. In the network prepared for the simulation, to ensure better test conditions, no quality of service method was implemented. Also there was no firewall or IDS/IPS implemented in the network whereas it should normally be implemented [25][26][27]. This was because the authors claim that in a real network the packets which come from ordinary users are not treated as special packets. Moreover the Web servers should not be under any protection in order to check that the method of the attack is strong enough and the database collected could be treated as a valuable amount of data (Fig. 14.4).

Attack Detection Using Proposed Method
Statistics of packets have to be provided to use a proposed method for detecting attacks using OFNs. According to the collected database, the results could be calculated from sniffed packets, and this was done. There is a requirement for defining timeslots for which the statistics will be calculated. Those timeslots were defined to be one minute. Then the amount of packets directed to the Web server and that pass through the routers R1 to R6 was normalized by dividing by 1,000. The achieved results of this simulation are presented in Table 14.1.   To calculate a sum described by Definition 2, the OFNs have to be defined by the statistics collected from the routers. In the timeslots t 0 the normalized value is 0. It means that all numbers are [0, 0, 0, 0]. Thus, accordingly: This has not got any order, but the results provide the information that there is no packet directed to the Web server, therefore there is no attack on it.
In the timeslot t 1 it is possible to provide the OFN with an approximation. This approximation could be made by providing the OFN with only two measurements and is utilized as a four-part number by using the values as follows.
In this situation the OFN for the routers 1 to 6 could be described as Therefore the S m = [0, 0, 2.5, 2.5] with positive order. Those results according to Definition 4 have to be compared with the historical results in the part corresponding to an appropriate day. In the performed simulation the results indicate that the Web server is under attack, but the probability of the attack is 50% because the OFN was prepared with the aforementioned approximation. In the timeslot t 2 it is still possible to provide the OFN only with an approximation. This approximation could be done by providing the OFN from only three measurements and used as a four-part number by making use of the following values.
In this situation the OFN for the routers 1 to 6 could be described as Therefore S m = [0, 2.5, 6, 6] with positive order. Those results according to Definition 4 have to be compared with the historical results in the part corresponding to an appropriate day. In the performed simulation the results indicate that the Web server is under attack, but the situation of the attack could be described with the probability of 75% because the OFN was also provided with an approximation. In the timeslot t 3 it is possible for the first time to provide the OFN without any approximation. It means that for the OFN four measurement results will be used as follows.
In this situation the OFN for the routers 1 to 6 could be described as

Conclusions-Method Comparision
The presented method could be compared with the method proposed in the literature as provided in Table 14.3. As shown in Table 14.3, the proposed method does not require an expert to define the rules of possible attack as in a system with fuzzy logic proposed in some papers [16,17]. Such an expert would have to possess extended knowledge about security and IP networks. This is something that allows us to use the proposed method in a very quick way. The second thing is the manner of gathering results of the observance of a DDoS attack. In the proposed method, the decision about the attack is made using simple calculations provided by the OFN description. This allows achieving the results very quickly and easily. The methods found in the literature make decisions by comparing a list of rules [16,17]. Of course there are some solutions that use mathematical models [28], but they are much more complicated than the method using OFNs. The last thing that could be compared is the possibility of being implemented in a real environment, which means in real networks. The method proposed in the literature requires a lot of processing power. The method proposed in this chapter requires only solving a simple mathematical equation. This is very important, because it lets us use the proposed method in a real network, on real routers. The presented new concept of detecting DDoS attacks was introduced using fuzzy numbers. As has already been mentioned, it consists in determining the server activity trend changes by specification of the direction of changes using OFNs. The test was performed on the real dataset collected in the prepared network. This dataset is about 2 GB in size, but the information about the possible attack could be achieved without utilizing a lot of CPU performance.