Preventing Distributed Denial-of-Service Flooding Attacks with Dynamic Path Identifiers


Abstract

In recent years, there has been increasing interest in using path identifiers (PIDs) as inter-domain routing objects. However, the PIDs used in existing approaches are static, which makes it easy for attackers to launch distributed denial-of-service (DDoS) flooding attacks. To address this issue, in this paper we present the design, implementation, and evaluation of dynamic PID (D-PID), a framework that uses PIDs negotiated between neighboring domains as inter-domain routing objects. In D-PID, the PID of an inter-domain path connecting two domains is kept secret and changes dynamically. We describe in detail how neighboring domains negotiate PIDs and how to maintain ongoing communications when PIDs change. We build a 42-node prototype comprised of six domains to verify D-PID’s feasibility and conduct extensive simulations to evaluate its effectiveness and cost. The results from both simulations and experiments show that D-PID can effectively prevent DDoS attacks.
 

Introduction

DISTRIBUTED denial-of-service (DDoS) flooding attacks are very harmful to the Internet. In a DDoS attack, the attacker uses widely distributed zombies to send a large amount of traffic to the target system, thus preventing legitimate users from accessing network resources [1]. For example, a DDoS attack against BBC sites in Jan. 2016 reached 602 gigabits per second and “took them down for at least three hours” [3]. More recently, the hosting provider OVH suffered a large-scale DDoS attack in Sep. 2016, launched by a botnet composed of at least 150,000 Internet-of-Things (IoT) devices. This attack peaked at nearly one terabit per second (Tbps) and even forced Akamai to stop offering DDoS protection to OVH [2]. Therefore, many approaches [4] have been proposed in order to prevent DDoS flooding attacks, including network ingress filtering [5]–[9], IP traceback [10]–[14], capability-based designs [15]–[18], and shut-up messages [19], [20]. At the same time, in recent years there has been increasing interest in using path identifiers (PIDs), which identify paths between network entities, as inter-domain routing objects, since doing so not only helps address the routing scalability and multi-path routing issues [21], but also can facilitate the innovation and adoption of different routing architectures [22]. For instance, Godfrey et al. proposed pathlet routing [21], in which networks advertise the PIDs of pathlets throughout the Internet and a sender in the network constructs its selected pathlets into an end-to-end source route. Koponen et al. further argued in their insightful architectural paper that using pathlets for inter-domain routing can allow networks to deploy different routing architectures, thus encouraging the innovation and adoption of novel routing architectures [22].

Jokela et al. proposed in LIPSIN [23] to assign identifiers to links in a network and to encode the link identifiers along the path from a content provider to a content consumer into a zFilter (i.e., a PID), which is then encapsulated into the packet header and used by routers to forward packets. Luo et al. proposed an information-centric Internet architecture called CoLoR [24] that also uses PIDs as inter-domain routing objects in order to enable the innovation and adoption of new routing architectures, as in [22]. There are two different use cases of PIDs in the aforementioned approaches. In the first case, the PIDs are globally advertised (as in pathlet routing [21] and [22]). As a result, an end user knows the PID(s) toward any node in the network. Accordingly, attackers can launch DDoS flooding attacks as they do in the current Internet. In the second case, conversely, PIDs are only known by the network and are secret to end users (as in LIPSIN [23] and CoLoR [24]). In the latter case, the network adopts an information-centric approach [25]–[27] where an end user (i.e., a content provider) knows the PID(s) toward a destination (i.e., a content consumer) only when the destination sends a content request message to the end user. After learning the PID(s), the end user sends packets of the content to the destination by encapsulating the PID(s) into the packet headers. Routers in the network then forward the packets to the destination based on the PIDs. It seems that keeping PIDs secret from end users (as in [23] and [24]) makes it difficult for attackers to launch DDoS flooding attacks, since they do not know the PIDs in the network. However, keeping PIDs secret from end users is not enough to prevent DDoS flooding attacks if PIDs are static. For example, Antikainen et al. argued that an adversary can construct novel zFilters (i.e., PIDs) based on existing ones and even obtain the link identifiers through reverse-engineering, thus launching DDoS flooding attacks [28]. Moreover, as shown in Sec. II-B, attackers can launch DDoS flooding attacks by learning PIDs if they are static.

To address this issue, in this paper we present the design, implementation and evaluation of a dynamic PID (D-PID) mechanism. In D-PID, two adjacent domains periodically update the PIDs between them and install the new PIDs into the data plane for packet forwarding. Even if the attacker obtains the PIDs to its target and sends the malicious packets successfully, these PIDs will become invalid after a certain period and the subsequent attacking packets will be discarded by the network. Moreover, if the attacker tries to obtain the new PIDs and keep a DDoS flooding attack going, it not only significantly increases the attacking cost (Sec. V-A.1), but also makes it easy to detect the attacker (Sec. V-A.2). In particular, our main contributions are twofold. On one hand, we propose the D-PID design by addressing the following challenges. First, how and how often should PIDs change while respecting the local policies of autonomous systems (ASes)? To address this challenge, D-PID lets neighboring domains negotiate the PIDs for their inter-domain paths based on their local policies (Sec. III-B). In particular, two neighboring domains negotiate a PID-prefix (analogous to an IP-prefix) and a PID update period for every inter-domain path connecting them. At the end of a PID update period for an inter-domain path, the two domains negotiate a different PID (from the PID-prefix assigned to the path) to be used in the next PID update period. In addition, the new PID of an inter-domain path is still kept secret by the two neighboring domains connected by the path. Second, since inter-domain packet forwarding is based on PIDs that change dynamically, it is necessary to maintain legitimate communications while preventing illegal communications when the PIDs change. To address this challenge, D-PID lets every domain distribute its PIDs to the routers in the domain (Sec. III-C). For every inter-domain path, the routers in a domain forward data packets based on both the PID of the previous PID update period and that of the current PID update period. In addition, D-PID uses a mechanism similar to the one the current Internet uses to collect the minimum MTU (maximum transmission unit) along a path, so that a content consumer knows the minimum update period of the PIDs along the path from a content provider to it (Sec. III-D – Sec. III-F). Based on this period, the content consumer periodically re-sends a content request message to the network in order to renew the PIDs along the path. Third, the overheads incurred by changing PIDs should be kept as small as possible. This includes not only the overhead of negotiating PIDs between neighboring domains, but also the overhead for a domain to distribute the updated PIDs to the routers in the domain, and that of transmitting the content request messages re-sent by content consumers. To address this challenge, the PID prefix assigned to an inter-domain path is unique among the PID prefixes assigned by the two domains connected by the inter-domain path.

On the other hand, we build a 42-node prototype (Sec. IV) comprising six domains to verify D-PID’s feasibility and conduct extensive simulations (Sec. V) to evaluate D-PID’s effectiveness and overheads. Our results show that D-PID does help prevent DDoS flooding attacks, since it not only imposes significant overhead on the attacker to launch DDoS flooding attacks, but also makes it easier for the network to detect the attacker. Surprisingly, achieving such benefits incurs only little overhead. Our simulation results show that the number of extra content request messages caused by D-PID is only 1.4% or 2.2% (using different data traces) when the PID update period is 300 seconds. Even if the PID update period is 30 seconds, the peak PID update rate of a domain is less than 10 per second with a probability higher than 95%, and the maximal PID update rate of all domains is 202 per second, which is significantly less than the peak update rate (1,962 per second) of IP-prefixes in the current Internet.

  • Many approaches have been proposed in order to prevent DDoS flooding attacks, including network ingress filtering, IP traceback, capability-based designs, and shut-up messages.
  • Godfrey et al. proposed pathlet routing, in which networks advertise the PIDs of pathlets throughout the Internet and a sender in the network constructs its selected pathlets into an end-to-end source route.
  • Koponen et al. further argued in their insightful architectural paper that using pathlets for inter-domain routing can allow networks to deploy different routing architectures, thus encouraging the innovation and adoption of novel routing architectures.
  • Jokela et al. proposed in LIPSIN to assign identifiers to links in a network and to encode the link identifiers along the path from a content provider to a content consumer into a zFilter (i.e., a PID), which is then encapsulated into the packet header and used by routers to forward packets.
  • Luo et al. proposed an information-centric internet architecture called CoLoR that also uses PIDs as inter-domain routing objects in order to enable the innovation and adoption of new routing architectures.

Disadvantages

  • Attackers can launch DDoS flooding attacks by learning PIDs if they are static.
  • More overhead.
  • Heavy complexity.

Proposed System

  • In this paper, we present the design, implementation and evaluation of a dynamic PID (D-PID) mechanism. In D-PID, two adjacent domains periodically update the PIDs between them and install the new PIDs into the data plane for packet forwarding. Even if the attacker obtains the PIDs to its target and sends the malicious packets successfully, these PIDs will become invalid after a certain period and the subsequent attacking packets will be discarded by the network. Moreover, if the attacker tries to obtain the new PIDs and keep a DDoS flooding attack going, it not only significantly increases the attacking cost, but also makes it easy to detect the attacker. In particular, our main contributions are twofold.
  • On one hand, we propose the D-PID design by addressing the following challenges. First, how and how often should PIDs change while respecting local policies of autonomous systems (ASes)?
  • Second, since inter-domain packet forwarding is based on PIDs that change dynamically, it is necessary to maintain legitimate communications while preventing illegal communications when the PIDs change. To address this challenge, D-PID lets every domain distribute its PIDs to the routers in the domain.
  • Third, the overheads incurred by changing PIDs should be kept as small as possible. This includes not only the overhead in negotiating PIDs by neighboring domains, but also the overhead for a domain to distribute the updated PIDs to routers in the domain, and that for transmitting content request messages resent by content consumers. To address this challenge, the PID prefix assigned to an inter-domain path is unique among the PID prefixes assigned by the two domains connected by the inter-domain path.
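As an added illustration of the mechanism summarised in the Introduction and in the Proposed System list above (this is not the paper's code and not the 42-node prototype), the following Python toy model gives each inter-domain path a negotiated PID prefix and update period, rotates the path's PID at the end of every period while routers still accept the previous period's PID, and lets a consumer GET collect the minimum update period along the path the way minimum-MTU collection does. The prefix layout (16-bit prefix, 16-bit per-period suffix), the three hop names, the periods 300/60/90 seconds and the seeded random suffix standing in for a negotiated PID are all constructed assumptions.

```python
"""Toy model of D-PID PID rotation and forwarding (constructed example, not the paper's code)."""
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class InterDomainPath:
    """One inter-domain path between two neighboring domains.

    prefix: the PID prefix the two domains negotiated for this path (assumed layout:
            a 16-bit prefix in the high bits, a 16-bit suffix chosen per period)
    period: the negotiated PID update period in seconds
    """
    name: str
    prefix: int
    period: int
    current: Optional[int] = None
    previous: Optional[int] = None
    used: Set[int] = field(default_factory=set)   # never reuse a PID on this path

    def rotate(self, rng: random.Random) -> None:
        """End of a PID update period: negotiate a fresh PID inside the prefix.
        The outgoing PID is kept for one more period so in-flight traffic survives."""
        self.previous = self.current
        while True:
            candidate = (self.prefix << 16) | rng.getrandbits(16)
            if candidate not in self.used:
                break
        self.used.add(candidate)
        self.current = candidate

    def accepts(self, pid: Optional[int]) -> bool:
        """Routers forward on the PID of the current or the previous period only."""
        return pid is not None and pid in (self.current, self.previous)


class Network:
    """The chain of inter-domain paths from content provider to content consumer."""

    def __init__(self, paths: List[InterDomainPath], seed: int = 1):
        self.rng = random.Random(seed)
        self.paths = paths
        self.t = 0
        for p in self.paths:
            p.rotate(self.rng)          # assign every path its first-period PID

    def tick(self) -> None:
        """Advance the clock one second; rotate every path whose period just ended."""
        self.t += 1
        for p in self.paths:
            if self.t % p.period == 0:
                p.rotate(self.rng)

    def get_request(self) -> Tuple[List[int], int]:
        """A consumer GET crosses every domain: each appends its path's current PID and
        lowers the carried 'minimum update period' field, as minimum-MTU collection does."""
        pids: List[int] = []
        min_period: Optional[int] = None
        for p in self.paths:
            pids.append(p.current)
            min_period = p.period if min_period is None else min(min_period, p.period)
        return pids, min_period

    def forward(self, pids: List[Optional[int]]) -> bool:
        """A data packet carrying one PID per hop is delivered only if every hop accepts."""
        return len(pids) == len(self.paths) and all(
            p.accepts(pid) for p, pid in zip(self.paths, pids))


def simulate(duration: int = 600, seed: int = 1) -> dict:
    """Compare a consumer that re-sends its GET every minimum period with an attacker
    that floods using PIDs captured once at t=0 and never refreshed."""
    net = Network([
        InterDomainPath("provider->transit1", prefix=0x0001, period=300),
        InterDomainPath("transit1->transit2", prefix=0x0002, period=60),
        InterDomainPath("transit2->consumer", prefix=0x0003, period=90),
    ], seed)
    legit_pids, refresh = net.get_request()   # refresh = min period along the path
    legit_requests = 1
    attacker_pids = list(legit_pids)          # captured once, never refreshed
    attacker_delivered = legit_dropped = 0
    attacker_blocked_after = None
    for t in range(1, duration + 1):
        net.tick()
        if t % refresh == 0:                  # consumer renews PIDs along the path
            legit_pids, _ = net.get_request()
            legit_requests += 1
        if net.forward(attacker_pids):
            attacker_delivered += 1
        elif attacker_blocked_after is None:
            attacker_blocked_after = t
        if not net.forward(legit_pids):
            legit_dropped += 1
    return {"refresh_period": refresh, "legit_requests": legit_requests,
            "legit_dropped_seconds": legit_dropped,
            "attacker_delivered_seconds": attacker_delivered,
            "attacker_blocked_after": attacker_blocked_after}


if __name__ == "__main__":
    print(simulate())
```

With these periods the consumer refreshes every 60 seconds and never loses a packet, even though the 90-second hop rotates between two refreshes; that is exactly the case the previous-PID grace window covers. The attacker's captured PIDs stop being forwarded at t = 120, when the 60-second hop has rotated twice, and stay dead because a path never reuses a PID.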

Advantages

  • D-PID does help prevent DDoS flooding attacks, since it not only imposes significant overhead on the attacker to launch DDoS flooding attacks, but also makes it easier for the network to detect the attacker.
  • Surprisingly, achieving such benefits incurs only little overhead.
  • Our simulation results show that the number of extra content request messages caused by D-PID is only 1.4% or 2.2% (by using different data traces), when the PID update period is 300 seconds.
  • Even if the PID update period is 30 seconds, the peak PID update rate of a domain is less than 10 per second with a probability higher than 95%, and the maximal PID update rate of all domains is 202 per second, which is significantly less than the peak update rate (1,962 per second) of IP-prefixes in the current Internet.
  • To the best of our knowledge, this work is the first step toward using dynamic PIDs to defend against DDoS flooding attacks.

Related Work


In this section, we survey the existing literature on Distributed Denial of Service attacks. S. Yu, et al. [1] proposed a dynamic resource allocation method for securing individual cloud customers during a DDoS attack, guaranteeing quality of service during the attack. The cloud environment is capable of controlling resource allocation since it has a large number of resources to allocate to individual customers. The resource allocation mechanism used in clouds plays a key role in mitigating the impact of an attack by offering access to resources. In a cloud environment, the success of an attack or of the defense depends on who holds more resources, the attacker or the cloud customer. Dynamic allocation of additional resources prevents starvation, thereby protecting against DDoS attacks. They also presented a queueing-based model of resource allocation under different attack scenarios.

V. A. Foroushani, et al. [2] proposed protection against DDoS attacks containing attack packets with spoofed IP addresses, called traceback-based defense against DDoS flooding attacks. The mechanism is deployed close to the attack source, rate-limiting the amount of traffic sent towards the victim. The performance evaluation of the system using real CAIDA DDoS attack datasets showed an increase in throughput of legitimate traffic while imposing low overhead on participating routers.

B. Liu, et al. [3] proposed mutual egress filtering for providing protection against IP-spoofing-based flooding attacks. They used a real Internet dataset to obtain simulation results. The mechanism uses the access control list of an autonomous system (AS), which contains a list of rules for applying ingress/egress filtering and unicast reverse path forwarding. This strategy protects the systems that deploy the mechanism while preventing non-deployers from freely using it.

In [4], A. Compagno, et al. introduced a defense against interest flooding distributed denial-of-service attacks in Named Data Networking. Interest flooding requires limited resources to launch an attack. A pending interest table is maintained at routers to avoid duplicate interests. The Poseidon framework is presented for detection and mitigation of interest flooding attacks. The evaluation of the system in a network simulation environment using NS3 showed that it is possible to use up to 80% of the available bandwidth during an attack using this framework.

C. Chung, et al. [5] proposed a distributed intrusion detection and countermeasure selection mechanism for cloud systems. The NICE framework uses an intrusion detection scheme at each cloud server for detecting and analyzing incoming traffic. The method works for virtual cloud infrastructure and builds a scenario attack graph for determining vulnerability to collaborative attacks. The vulnerable systems are then switched to an inspection state where deep packet inspection is used to mark potential attack behaviors.

In [6], S. Rastegari, et al. presented a quantitative framework for understanding DDoS attack strategies and provided defense solutions for these attacks. The interaction between attacker and defender is modeled using a Red team/Blue team exercise, where the Red team represents the adversaries and the Blue team identifies possible vulnerabilities and attempts to protect them. The framework was tested using the OMNeT++ network simulator. The simulation results show that a single defense strategy is not always an optimal solution; rather, it should dynamically adapt and improve according to changing attack strategies.

In [7], L. Jingna described various Denial of Service attack principles, methods for detecting DoS and DDoS attacks, and defense mechanisms against DDoS attacks. Various attack launching techniques, for example SYN flood, IP spoofing DoS attack, UDP flood attack, PING flood attack, Teardrop attack, Land attack, Smurf attack, Fraggle attack, and so on, are explained. Detection techniques for the above attacks are listed with their deployment location. Certain approaches are recommended for improving defense techniques.

S. Yu, et al. [8] proposed a strategy for discriminating flash crowds from DDoS attacks based on the flow correlation coefficient. Attackers use traffic patterns very similar to a flash crowd, which defeats the detection of the attack. This poses a challenge for those who attempt to defend against DDoS attacks. By identifying a genuine DDoS attack using this technique, an appropriate defense mechanism can be applied to protect against DDoS attacks. They created an overlay network on routers that were under their control. The incoming flows were monitored and the number of packets in each flow was recorded. This recorded data helps in separating a flash crowd from attack traffic. They evaluated the developed mechanism using the real 1998 FIFA World Cup datasets of flash crowds and a real attack tool, Mstream.

B. S. K. Devi, et al. [9] proposed the Interface Based Rate Limiting (IBRL) algorithm for mitigating detected DDoS attacks in the network. It ensures that enough bandwidth is available for legitimate traffic during an attack. A network monitoring system deployed in an experimental testbed collects the traffic traces in the network. This traffic is analyzed to measure its impact during an attack using host- and network-based metrics, for example packet loss, latency, link utilization and throughput, followed by rate-limiting of the attack traffic in order to admit legitimate users. Experimental results show an increase in throughput of legitimate traffic.

In [10], A. Mishra, et al. closely described various defense mechanisms, different attacking tools, and the advantages and limitations of these strategies. The techniques for intrusion detection and mitigation are classified on the basis of fault tolerance and the quality of service provided.

In [11], Z. Chao-yang, et al. gave a detailed analysis of existing denial-of-service attack prevention principles. Four types of defense techniques are explained. The first technique is protection at the router using reverse path forwarding. The second technique involves using TCP intercept for TCP blocking to limit SYN attacks. The third technique is building a trusted platform in which a chain of trust and authentication is formed based on a trusted root. The fourth technique uses an authentication framework for providing authentication.

Conclusion

In this paper, we have presented the design, implementation and evaluation of D-PID, a framework that dynamically changes the path identifiers (PIDs) of inter-domain paths in order to prevent DDoS flooding attacks when PIDs are used as inter-domain routing objects. We have described the design details of D-PID and implemented it in a 42-node prototype to verify its feasibility and effectiveness. We have presented numerical results from running experiments on the prototype. The results show that the time spent in negotiating and distributing PIDs is quite small (on the order of ms) and that D-PID is effective in preventing DDoS attacks. We have also conducted extensive simulations to evaluate the cost of launching DDoS attacks in D-PID and the overheads caused by D-PID. The results show that D-PID significantly increases the cost of launching DDoS attacks while incurring little overhead, since the extra number of GET messages is trivial (only 1.4% or 2.2%) when the retransmission period is 300 seconds, and the PID update rate is significantly less than the update rate of IP prefixes in the current Internet. To the best of our knowledge, this work is the first step toward using dynamic PIDs to defend against DDoS flooding attacks. We hope it will stimulate more research in this area.