Real-time Monitoring Model for defending against DDoS attacks

Source: Computer and Information Technology Author: Tang Lijuan Zhang Yongping sun kezheng

Denial of Service (DoS) and Distributed Denial of Service (DDoS) have become one of the greatest threats to network security. How to defend against DDoS attacks is currently a hot topic. However, the current defense mechanism barely monitors DDoS attacks in real time. This paper describes a Real-time Monitoring Model of neural networks based on radial basis functions, which can monitor DDoS attacks in real time without increasing network traffic, in addition, all types of DDoS attacks can be detected.

1. Preface

As Internet applications become more and more widespread, network security becomes a major obstacle to Internet development. In particular, distributed denial of service (DoS) attacks pose a huge threat to the Internet. Currently, hackers have successfully attacked several well-known websites, such as Yahoo, Microsoft, SCO, mazon.com, ebuy, CNN.com, BUY.com, ZDNet, and Excite.com, network services were interrupted for several hours, resulting in millions of dollars in economic losses. DDoS attacks are highly destructive and difficult to defend, so they have aroused widespread attention around the world. The anti-DDoS real-time monitoring model described in this article can quickly monitor whether the host or server is under DDoS attacks. If it detects a sudden increase in data streams as attack streams, it can quickly send alerts to network administrators, take measures to reduce the harm caused by DDoS attacks.

2. DoS attack Principle

2.1 concepts and principles of DoS Attacks

WWW Security FAQ [1] defines a DoS attack as an attack that systematically destroys a computer or network and prevents it from providing normal services. DoS attacks occur when a computer is accessed, or when network resources are intentionally blocked or degraded. Such attacks do not need to destroy data directly or permanently, but they intentionally disrupt resource availability. The most common DoS attacks target computer network bandwidth or network connectivity. Bandwidth attacks use a large amount of traffic to overwhelm available network resources, so that legitimate users' requests cannot be responded, resulting in decreased availability. Network Connectivity attacks consume the computer's available operating system resources by using a large number of connection requests. As a result, the computer cannot process normal user requests.

2.2 concepts and principles of DDoS attacks

WWW Security FAQ [1] defines a DDoS attack as a collaborative DOS attack by many computers to attack one or more targets. In the Client/Server mode, DDoS attack attackers can achieve good results, far better than combining multiple single DOS attacks. They use many computers with vulnerabilities as attack platforms and accomplices. DDoS attacks are the most advanced form of DOS attacks. Different from other forms of attacks, DDoS attacks can be configured in a distributed manner on the Internet, so as to strengthen the attack capability and cause a fatal blow to the network. DDoS attacks never try to destroy the victim's system, so the conventional security defense mechanism is ineffective for them. The main purpose of a DDoS attack is to destroy the victim's machines and thus affect the requests of legitimate users.

DDoS attack Principle 1 is shown in.

Figure 1 DDoS attack schematic

As shown in figure 1, a complete DDoS attack system includes the following four roles:

(1) Attacker: The machine used by the hacker, also known as the attack console. It controls the entire attack process and sends attack commands to the master.

(2) MASTER: the host is a host that attackers illegally intrude into and control. These Hosts control a large number of proxy attack hosts. Install specific programs on these master terminals so that they can accept special commands sent by attackers and send these commands to the proxy attack host.

(3) proxy attack side: it is also a batch of hosts that attackers intrude into and control. It runs the attack program and accepts and runs commands sent from the master. The proxy attack host is the performer of the attack and truly sends an attack to the victim host.

(4) Victims: target host or server under attack.

To launch a DDoS attack, the attacker first scans a vulnerable host on the Internet, then enters the system and installs a backdoor program on it. Then, install the attack program on the host that the attacker invades. One part of the program serves as the master side of the attack, and the other part serves as the proxy attack side of the attack. Finally, each part of the host initiates an attack on the target under the action of an attacker. Because attackers are behind the scenes, they will not be tracked by the monitoring system during the attack, making the identity of the attackers more difficult to detect.
2.3. DDoS attack tools

Trinoo [2] is the first widely distributed DDoS attack tool and widely used. Trinoo [3] is a bandwidth-consuming attack tool that uses one or more IP addresses to initiate collaborative UDP flood attacks. The attack uses UDP data packets of the same size. The attack target is the random port on the affected machine. Earlier versions of Trinoo support source IP address spoofing. Typically, the Trinoo agent is installed on a system that can cause remote buffer overflow. This vulnerability in the software allows attackers to use the second-level cache of the victim system for remote editing and operation proxy. The operator uses UDP or TCP to communicate with the proxy. Therefore, the intrusion detection system can only detect UDP traffic by sniffing. This channel can be encrypted and the password can be protected. However, the current password is not transmitted encrypted, so it can be sniffed or detected. Currently, the Trinoo tool does not provide source IP address spoofing, so its attack capability can be further expanded.

Tribe Flood Network (TFN) [4] is also a DDoS attack tool that allows attackers to launch attacks that consume bandwidth and resources at the same time. It uses the command line interface to communicate between the attacker and the control master program, but the communication between the proxy and the master or between the master and the attacker is not encrypted. It is very difficult for TFN to initiate a collaborative Denial-of-Service attack because it can generate multiple types of attacks, generate spoofed source IP address data packets, and randomize the target port. It can fool one or 32-bit source IP addresses or the last 8 digits. Some packet attacks initiated by TFN include smurf, UDP flood, tcp syn flood, ICMP reply request flood, and ICMP targeted broadcast.

TFN2K [5] is a DDoS attack tool based on the TFN structure. TFN2K attacks increase the encryption of communication messages between all components of the attack [6]. Attackers can use the key-based CAST-256 algorithm to encrypt the communication between the attacker and the master program. The controller can send attack commands through TCP, UDP, and ICMP. You can use either of the three random methods or use all of the three methods, then it is more difficult to find TFN2K attacks through network scanning.

Stacheldraht [7] is developed based on TFN and some disadvantages of The TFN tool are removed. It combines the characteristics of Trinoo (operator/client structure), which are derived from TFN. It can also be automatically upgraded on the agent side. Stacheldraht also provides a secure remote connection between the attacker and the operator's System Using symmetric encryption technology. The new version of Stacheldraht adds many new features and different digital signatures.

The Mstream [8] tool changes the ACK mark of TCP packets to attack the target. Mstream is a simple point-to-point tcp ack flood attack tool. It is transmitted through TCP and UDP packets, and the communication process is not encrypted. The master attacker remotely logs on to the victim's machine and the access operations are password-protected. This feature is not available in other DDoS attack tools.

Sharft [9] is a derived tool of Trinoo. It uses UDP to communicate with the proxy. Attackers use TCP remote connection to communicate with the operator. Sharft attacks can run independently, or they can be combined with UDP, TCP, or ICMP flood attacks. The source IP address and source port number in the data packet are set to random. In the attack, the packet size is fixed. A new feature is that the operator's IP address and port can be changed in real time during attacks, making it difficult for the detection tool to detect them. Another distinctive feature of Shaft is that it can change the master server and port of control in real time, making intrusion detection tools more difficult to detect, more importantly, shaft provides statistical features for flood attacks. This statistical feature is very useful to attackers. Through these features, attackers can find out when the victim's system will crash completely, so that they can know when to stop adding machines for DDoS attacks.

After analyzing the above effective DDoS attack tools, we can find that DDoS attacks have the following features:

① The Source IP address of the data packet is set to random;

② The Source Port and destination port of the data packet are set to random;

③ Some flags (URG, ACK), fragments, TCP attributes, TTL, and client SEQ serial numbers are generated by the pseudo-random number generator.

DDoS attacks do not need to crack passwords or steal system information, as long as they can launch attacks in any corner of the network. DDoS attacks are composed of data packet streams from different source addresses. These attacks control hosts on the Internet to exhaust some key resources of the target machine, so that requests of legitimate users on the server are rejected. More importantly, DDoS attack streams do not have obvious features that can be used for direct and large-scale detection and filtering.
3. RBF-NN-based Real-time DDoS attack Monitoring Model
 

3.1 model Overview

The Real-time Monitoring Model consists of three modules:

1) Data Collector

Because TCP is the most widely used protocol and WWW is the most widely used service on the Internet. Therefore, this model targets TCP flood attacks. Of course, this model can also be used in UDP and ICMP protocols.

The TCP datagram format is 2.

Figure 2 TCP datagram format

The Data Collector uses the sniffer to capture the following fields of each data packet: source port number, client SEQ serial number, window size, and SYN, ACK, FIN, PSH, URG, and RST. At the same time, the timestamp of each data packet is recorded to divide the data packet into overlapping time frames. The number of different source ports and window sizes is used to evaluate each time frame. The SEQ serial number is a 32-bit random number generated by the client as a TCP connection authentication. Estimating different SEQ serial numbers requires a lot of storage space and computing power. The experimental results show that although the client's SEQ serial number is different, the characteristics of SEQ serial number can be estimated with a high 16-bit value. 16 bits can store 65535 bytes of long information.

The statistical information of each frame at a time comes from the frequency set when the following six marks appear: SYN, ACK, FIN, PSH, URG, RST. Experiments show that these marks provide important information when a DDoS attack occurs.

It should be emphasized that although the source IP address provides important information, it is not used in the collection process, mainly because of the following reasons:

① It requires high computing power to store each address;

② It cannot provide information about the package length;

③ The IP source address may have been changed