12-10-2012, 05:52 PM
Traceback of DDoS Attacks Using Entropy Variations
Abstract
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages—it is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.
INTRODUCTION
It is an extraordinary challenge to trace back the source of Distributed Denial-of-Service (DDoS) attacks in the Internet. In DDoS attacks, attackers generate a huge amount of requests to victims through compromised computers (zombies), with the aim of denying normal service or degrading the quality of service. DDoS has been a major threat to the Internet since the year 2000, and a recent survey [1] of the largest 70 Internet operators in the world demonstrated that DDoS attacks are increasing dramatically, and that individual attacks are stronger and more sophisticated. Furthermore, the survey also found that the peak of 40 gigabit DDoS attacks nearly doubled in 2008 compared with the previous year. The key reason behind this phenomenon is that the network security community does not have effective and efficient traceback methods to locate attackers, as it is easy for attackers to disguise themselves by taking advantage of the vulnerabilities of the World Wide Web, such as the dynamic, stateless, and anonymous nature of the Internet [2], [3]. IP traceback means the capability of identifying the actual source of any packet sent across the Internet. Because of the vulnerability of the original design of the Internet, we may not be able to find the actual hackers at present.
BACKGROUND AND RELATED WORK
Background of DDoS Attacks
DDoS attacks are targeted at exhausting the victim’s resources, such as network bandwidth, computing power, and operating system data structures. To launch a DDoS attack, the attacker(s) first establishes a network of computers that will be used to generate the huge volume of traffic needed to deny services to legitimate users of the victim. To create this attack network, attackers discover vulnerable hosts on the network. Vulnerable hosts are those that are either running no antivirus or out-of-date antivirus software, or those that have not been properly patched. These are exploited by the attackers, who use the vulnerability to gain access to these hosts. The next step for the attacker is to install new programs (known as attack tools) on the compromised hosts of the attack network. The hosts running these attack tools are known as zombies, and they can be used to carry out any attack under the control of the attacker. Numerous zombies together form an army or botnet [3], [35].
There are two categories of DDoS attacks: typical DDoS attacks and Distributed Reflection Denial-of-Service (DRDoS) attacks. In a typical DDoS attack, the master computer orders the zombies to run the attack tools to send a huge volume of packets to the victim, to exhaust the victim’s resources. Unlike the typical DDoS attack, the army of a DRDoS attack consists of master zombies, slave zombies, and reflectors. The difference in this type of attack is that slave zombies are led by master zombies to send a stream of packets with the victim’s IP address as the source IP address to other uninfected machines (known as reflectors), exhorting these machines to connect with the victim. The reflectors then send the victim a great volume of traffic as a reply to its apparent request for the opening of a new connection, because they believe that the victim was the host that asked for it.
Related Work of IP Traceback
It is obvious that hunting down the attackers (zombies), and beyond them the hackers, is essential in solving the DDoS attack challenge. A summary of the existing DDoS traceback methods can be found in [38] and [39]. In general, the traceback strategies are based on packet marking. Packet marking methods include probabilistic packet marking (PPM) and deterministic packet marking (DPM). The PPM mechanism tries to mark packets with the router’s IP address information probabilistically at the local router, so that the victim can reconstruct the paths that the attack packets went through. The PPM method is vulnerable to attackers, as pointed out in [30], because attackers can send spoofed marking information to the victim to mislead it. The accuracy of PPM is another problem, because the marks written by routers closer to the leaves (which means far away from the victim) can be overwritten by downstream routers on the attack tree [21]. At the same time, most of the PPM algorithms suffer from the storage space problem of having to store a large amount of marked packets for reconstructing the attack tree [22], [24]. Moreover, PPM requires all the Internet routers to be involved in marking.
System Modeling
In this paper, we categorize the packets that are passing through a router into flows. A flow is defined by a pair—the upstream router where the packet came from, and the destination address of the packet. Entropy is an information-theoretic concept, which is a measure of randomness. We employ entropy variation in this paper to measure changes in the randomness of flows at a router for a given time interval. We note that entropy variation is only one of the possible metrics. Chen and Hwang used a statistical feature, the change-point of flows, to identify the abnormality of DDoS attacks [6]; however, attackers could defeat this feature by increasing attack strength slowly. We could also employ other statistical metrics to measure the randomness, such as the standard deviation or higher-order moments of flows. We choose entropy variation rather than the others in this paper because of the low computing workload for entropy variations.
SUMMARY AND FUTURE WORK
In this paper, we proposed an effective and efficient IP traceback scheme against DDoS attacks based on entropy variations. It is a fundamentally different traceback mechanism from the currently adopted packet marking strategies. Much of the available work on IP traceback depends on packet marking, either probabilistic packet marking or deterministic packet marking. Because of the vulnerability of the Internet, the packet marking mechanism suffers from a number of serious drawbacks: lack of scalability, vulnerability to packet pollution from hackers, and an extraordinary challenge on storage space at victims or intermediate routers. On the other hand, the proposed method needs no marking on packets, and therefore avoids the inherent shortcomings of packet marking mechanisms. It employs features that are out of the control of hackers to conduct IP traceback. We observe and store short-term information on flow entropy variations at routers. Once a DDoS attack has been identified by the victim via detection algorithms, the victim initiates the pushback tracing procedure. The traceback algorithm first identifies the upstream routers where the attack flows came from, and then submits traceback requests to the related upstream routers. This procedure continues until the farthest zombies are identified or until it reaches the discrimination limit of DDoS attack flows. Extensive experiments and simulations have been conducted, and the results demonstrate that the proposed mechanism works very well in terms of effectiveness and efficiency.
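As an added illustration of the flow model from System Modeling (flows keyed by upstream node and destination, entropy of the flow distribution at a router per interval) and of the pushback procedure summarised above, here is example code written for this post, not the paper's own implementation. The three-router tree, the per-flow packet counts, the thresholds ENTROPY_DROP and SHARE_JUMP, and the rule of following the victim-bound flow whose packet share jumped are all constructed assumptions.

```python
import math
# Constructed per-flow packet counts (example data, not from the paper) for an interval
# before and one during an attack; keys are (upstream node, destination). V is the
# victim, H1/H2 other hosts, R* routers, Z* end hosts.
NORMAL = {
    "R0": {("R1", "V"): 40, ("R2", "V"): 35, ("R1", "H1"): 30, ("R2", "H2"): 25},
    "R1": {("Z1", "V"): 20, ("Z2", "V"): 20, ("Z1", "H1"): 30},
    "R2": {("Z3", "V"): 35, ("Z3", "H2"): 25},
}
ATTACK = {
    "R0": {("R1", "V"): 4000, ("R2", "V"): 35, ("R1", "H1"): 30, ("R2", "H2"): 25},
    "R1": {("Z1", "V"): 3980, ("Z2", "V"): 20, ("Z1", "H1"): 30},
    "R2": {("Z3", "V"): 35, ("Z3", "H2"): 25},
}
ENTROPY_DROP = 0.5  # bits; assumed threshold for an abnormal loss of randomness
SHARE_JUMP = 0.2    # assumed threshold on how much a flow's packet share may grow

def flow_entropy(flows):
    """Shannon entropy (bits) of the packet distribution over a router's flows."""
    total = sum(flows.values())
    return -sum(n / total * math.log2(n / total) for n in flows.values() if n)

def entropy_variation(router):
    """Entropy during the attack interval minus entropy in the normal interval."""
    return flow_entropy(ATTACK[router]) - flow_entropy(NORMAL[router])

def suspicious_upstreams(router, victim):
    """Upstream nodes whose victim-bound flow grew sharply in packet share."""
    n_total = sum(NORMAL[router].values())
    a_total = sum(ATTACK[router].values())
    found = []
    for (upstream, dst), count in ATTACK[router].items():
        if dst == victim:
            jump = count / a_total - NORMAL[router].get((upstream, dst), 0) / n_total
            if jump > SHARE_JUMP:
                found.append(upstream)
    return found

def pushback(router, victim):
    """Recursive traceback: a router whose flow entropy collapsed names the upstream
    nodes carrying the attack flow; routers are queried in turn, end hosts reported."""
    if entropy_variation(router) > -ENTROPY_DROP:
        return []  # randomness barely changed: this router is not on the attack path
    zombies = []
    for upstream in suspicious_upstreams(router, victim):
        if upstream in ATTACK:  # another router: push the request further upstream
            zombies += pushback(upstream, victim)
        else:
            zombies.append(upstream)
    return zombies
```

Starting the pushback at R0 (the router in front of the victim V) follows the collapsed entropy to R1 and then to the end host Z1, while R2, whose flow distribution is unchanged, is never queried.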