Mitigation of Distributed Denial of Service Attack at Low Rate using Improved Robust Random Early Detection
Submitted By
Shreeya Shah (161060751013)
Guided By
Prof. Hardik Upadhyay
Assistant Professor
(GPERI-Mahesana)
Gujarat Technological University PG School, Ahmedabad
ITSNS Copyright@Shreeya Shah(161060751013)
Published Survey Paper
Contents
Introduction
Problem Definition
• Objective
• Scope
• Expected Outcome
Literature Review
Problem Identification
Proposed Solution
Implements
Conclusion and Future Work
References
Introduction
• A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
• They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.
• Distributed Denial of Service Attack
According to a survey current as of 1st August, 2017, the second quarter of 2017 saw DDoS attacks being used more and more frequently as a tool for political struggle.
Distributed Denial of Service at a Low Rate
DDoS at a low rate attack stream [1]
• A DDoS at a low rate attack stream can be defined by three parameters: Ta, Tb and Rb [1].
• Ta = Attack period
• Tb = Attack burst width
• Rb = Attack burst rate
A DDoS at a low rate attack is a variation of the DDoS attack in which data is pushed to the network at a high rate for a very short period of time, and this process repeats at regular intervals which correspond to the retransmission timeout of TCP applications.
• Stealthier than traditional DDoS
• Self-adaptive mechanism
• Making the attack stream more subtle
• Periodic Pulse
• Low Average rate and great concealment
• High rate for short time
• Pulsing Attack
A low-rate DDoS attacker exploits the vulnerability of TCP’s congestion-control mechanism by periodically sending attack packets over short periods of time.
• Constant Attack
Continuously launching attack packets at a constant low rate.
Problem Definition
• The Distributed Denial of Service attack at a low rate is more poisonous than the traditional Distributed Denial of Service attack.
• It works silently in the network.
• Its flow is hard to distinguish from the legitimate flow.
• The traditional detection mechanisms are not useful against the Distributed Denial of Service attack at a low rate.
Objective
• Because of its periodicity and short bursts, DDoS at a low rate is hard to detect in the network, as most DDoS attack detection systems are triggered by high-rate traffic.
• To compare the different detection techniques for the Distributed Denial of Service attack at a low rate, and to find the appropriate detection technique to mitigate the attack with a low false rate.
Scope
• The scope of this research area is to distinguish the attack from the legitimate traffic.
• Generally, adding a filter block or density check gives a better outcome and a lower false rate for DDoS at a low rate, though an effective and efficient result requires further research.
Expected Outcome
• By comparing the different detection techniques, a better approach for detecting the distributed denial of service attack at a low rate is the expected result here.
• To detect and mitigate the distributed denial of service attack with a low false rate.
• Also, the ratio of packet dropping should be decreased.
Literature Review
Random Early Detection
• Also known as Random Early Discard or Random Early Drop
• An algorithm to overcome tail drop
• It monitors the average queue size and drops packets based on probabilities
Figure: RED Algorithm [20]
• RED is fairer than tail drop, in the sense that it does not possess a bias against bursty traffic that uses only a small portion of the bandwidth.
• According to Van Jacobson, "there are not one, but two bugs in classic RED."
• Pure RED does not accommodate quality of service (QoS) differentiation.
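The RED behaviour described above, as an added Python example that is not part of the original slides: an exponentially weighted average of the queue length drives a drop probability that rises linearly between two thresholds. The thresholds, weight and buffer size are constructed values; `burst_outcome` shows that a short high-rate burst barely moves the average, so it is stopped only by the hard buffer limit.

```python
import random


class RedQueue:
    """Classic RED gateway logic; every parameter value here is constructed."""

    def __init__(self, min_th=5.0, max_th=15.0, max_p=0.1, w_q=0.002,
                 limit=25, seed=1):
        self.min_th, self.max_th = min_th, max_th
        self.max_p, self.w_q, self.limit = max_p, w_q, limit
        self.rng = random.Random(seed)   # seeded so runs are repeatable
        self.avg = 0.0                   # EWMA of the queue length
        self.qlen = 0                    # instantaneous queue length
        self.count = -1                  # packets seen since the last early drop
        self.early_drops = 0             # probabilistic RED drops
        self.forced_drops = 0            # drops because the buffer was full

    def drop_probability(self):
        """Base probability: 0 below min_th, 1 at or above max_th, linear between."""
        if self.avg < self.min_th:
            return 0.0
        if self.avg >= self.max_th:
            return 1.0
        return self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self):
        """Offer one packet; return True if queued, False if dropped."""
        self.avg = (1.0 - self.w_q) * self.avg + self.w_q * self.qlen
        p_b = self.drop_probability()
        if p_b == 0.0:
            self.count = -1
        else:
            self.count += 1
            spread = 1.0 - self.count * p_b
            # Spreading term makes drops roughly evenly spaced; clamp to 1.
            p_a = 1.0 if (p_b >= 1.0 or spread <= 0.0) else p_b / spread
            if self.rng.random() < p_a:
                self.count = 0
                self.early_drops += 1
                return False
        if self.qlen >= self.limit:      # buffer full: behaves like tail drop
            self.forced_drops += 1
            return False
        self.qlen += 1
        return True

    def dequeue(self):
        """Remove one packet when the link transmits."""
        if self.qlen > 0:
            self.qlen -= 1


def burst_outcome(n_packets):
    """Send a back-to-back burst into an idle queue with no departures."""
    q = RedQueue()
    for _ in range(n_packets):
        q.enqueue()
    return q.early_drops, q.forced_drops, q.avg


if __name__ == "__main__":
    for n in (20, 40):
        early, forced, avg = burst_outcome(n)
        print(f"burst={n} early_drops={early} forced_drops={forced} avg={avg:.2f}")
```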
Robust Random Early Detection
• Against Distributed Denial of Service attacks at a low rate, the classical Random Early Detection algorithm was found vulnerable.
• The Robust RED (RRED) algorithm was proposed to improve the TCP throughput against LDDoS attacks.
• The RRED algorithm can significantly improve the performance of TCP under low-rate distributed denial-of-service attacks.
Figure: RRED architecture[1]
Literature Survey
Paper 1
RRED: Robust RED Algorithm to Counter Low-Rate Denial-of-Service Attacks[1]
• Design and implementation of the RRED algorithm
• A detection and filter block is added in front of a regular RED block on a router.
• The basic idea behind the RRED is to detect and filter out LDoS attack packets
from incoming flows before they feed to the RED algorithm.
Paper 2
Improved RED Algorithm for Low-Rate DoS Attack[3]
• It is found that the LDDoS attack stream has two characteristics.
1. The first one is that the strength of each attack is very high.
2. The second is that the attack pulse has cycles.
• The router maintains the queue length value by amaxq; if it exceeds more than 4 times, and the intervals between them are equal, then all the upcoming packets will be dropped.
Paper 3
Performance Analysis of RED & Robust RED[6]
• Here, the experiments are performed both with and without the LRDDoS attack, which shows RRED to be more powerful and efficient than the classical RED.
• Simulation is done through NS-2 and the results show that the RRED algorithm:
1) Is highly robust.
2) Can improve the performance of normal TCP under DDoS at a low rate.
3) Obviously performs better than RED.
Paper 4
A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks[7]
• Although the existing robust random early detection (RRED) algorithm can preserve normal TCP throughput under various LDDoS attacks, it fails to maintain fairness among TCP flows and to counter large-scale LDDoS attacks.
• It is much easier to launch UDP-based LDDoS attacks, which achieve a more severe attack effect with much lower effort, than to launch TCP-based attacks.
• This paper proposes the fair robust random early detection (FRRED) algorithm, a TCP-friendly AQM algorithm that improves performance in terms of throughput and fairness.
• Protocol-based hashed partitioning
• Space-efficient structure
• There are L levels and B bins, where L is the hash function and B maintains the local indicator.
• If the incoming flow fI is an attacking flow then the L would be reduced by 1, else increased.
• The max and min values of the local indicator are set as -1 and 10.
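The detection and filter block of Paper 1, driven by the local indicator described above, as an added Python example that is not code from the slides or from the RRED authors. Assumptions: the hashed levels and bins are replaced by an exact per-flow table, the suspicion window `T_STAR` is 10 ms, the indicator starts at 0, and `TailDropLink` is a simple stand-in for the RED block; the traffic is constructed.

```python
from collections import Counter

T_STAR = 0.010            # suspicion window in seconds (assumed value)
I_MIN, I_MAX = -1, 10     # bounds of the local indicator, as on the slide
NEVER = float("-inf")     # "no drop seen yet"


class RredFilter:
    """Detection and filter block placed in front of a RED block."""

    def __init__(self, red_drops, t_star=T_STAR):
        self.red_drops = red_drops   # callable(flow, now) -> True if RED drops
        self.t_star = t_star
        self.indicator = {}          # flow -> local indicator
        self.t1 = {}                 # flow -> time this filter last dropped it
        self.t2 = NEVER              # time RED last dropped a packet of any flow

    def on_packet(self, flow, now):
        # A packet arriving shortly after a drop is suspicious: a sender that
        # obeys congestion control would have backed off by then.
        t_max = max(self.t1.get(flow, NEVER), self.t2)
        ind = self.indicator.get(flow, 0)
        if t_max <= now <= t_max + self.t_star:
            ind = max(I_MIN, ind - 1)
        else:
            ind = min(I_MAX, ind + 1)
        self.indicator[flow] = ind
        if ind < 0:                  # flow judged to be attacking: filter it
            self.t1[flow] = now
            return "filtered"
        if self.red_drops(flow, now):
            self.t2 = now
            return "red_drop"
        return "forwarded"


class TailDropLink:
    """Stand-in for the RED block: fixed-rate drain, drop when the buffer is full."""

    def __init__(self, rate_pps=200.0, limit=25):
        self.rate, self.limit = rate_pps, limit
        self.backlog, self.last = 0.0, 0.0

    def drops(self, flow, now):
        self.backlog = max(0.0, self.backlog - (now - self.last) * self.rate)
        self.last = now
        if self.backlog + 1 > self.limit:
            return True
        self.backlog += 1
        return False


def simulate(periods=5):
    """Constructed trace: one pulsing flow and one steady flow share the link."""
    link = TailDropLink()
    rred = RredFilter(link.drops)
    packets = []
    for p in range(periods):
        # Pulsing flow: Ta = 1 s, Tb = 0.2 s, Rb = 1000 packets/s.
        packets += [((p * 1000 + k) / 1000.0, "pulse") for k in range(200)]
    # Steady flow: one packet every 50 ms, offset so it never ties with a pulse.
    packets += [((50 * j + 20.5) / 1000.0, "steady") for j in range(periods * 20)]
    stats = {"pulse": Counter(), "steady": Counter()}
    for now, flow in sorted(packets):
        stats[flow][rred.on_packet(flow, now)] += 1
    return stats


if __name__ == "__main__":
    for flow, outcome in simulate().items():
        print(flow, dict(outcome))
```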
[7]
Paper 5
FRRED: Fourier Robust RED Algorithm to Detect and Mitigate LDoS Attacks
• In this paper, power spectrum density (PSD) entropy is introduced to overcome the distributed denial of service attack at a low rate.
• Unlike the normal Robust RED algorithm, an additional PSD-entropy filtering block is added to increase the detection and filtering accuracy.
• Power spectrum density is based on the Fourier transformation of the incoming signals.
[9]
• For a normal TCP flow, the PSD is equally distributed and thus the probability is uniform, while for DDoS at a low rate, the PSD is distributed over a small range and thus the probability is non-uniform.
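The PSD-entropy test described above, as an added Python example that is not code from the slides or from the FRRED paper. It assumes a flow is sampled as packets per interval, uses a direct DFT, normalises the entropy to the range 0 to 1 and applies a constructed threshold of 0.7; both traces are constructed.

```python
import cmath
import math
import random

ENTROPY_THRESHOLD = 0.7   # constructed decision threshold


def power_spectrum(samples):
    """One-sided power spectrum of the mean-removed series (bins 1..n/2)."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    psd = []
    for k in range(1, n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                  for i, x in enumerate(centred))
        psd.append(abs(acc) ** 2 / n)
    return psd


def psd_entropy(samples):
    """Shannon entropy of the normalised PSD, scaled so a flat spectrum gives 1."""
    psd = power_spectrum(samples)
    total = sum(psd)
    if total == 0.0:
        return 1.0        # constant series: no periodic component to flag
    probs = [p / total for p in psd]
    h = -sum(p * math.log2(p) for p in probs if p > 0.0)
    return h / math.log2(len(psd))


def looks_like_ldos(samples, threshold=ENTROPY_THRESHOLD):
    """Low entropy means power is concentrated in a few frequencies."""
    return psd_entropy(samples) < threshold


def pulse_trace(n=64, period=16, width=2, rate=10):
    """Constructed pulsing flow: `rate` packets per interval during each burst."""
    return [rate if i % period < width else 0 for i in range(n)]


def noise_trace(n=64, seed=7):
    """Constructed stand-in for normal traffic: uncorrelated per-interval counts."""
    rng = random.Random(seed)
    return [rng.randint(0, 10) for _ in range(n)]


if __name__ == "__main__":
    for name, trace in (("pulse", pulse_trace()), ("normal", noise_trace())):
        print(f"{name}: entropy={psd_entropy(trace):.3f} "
              f"ldos={looks_like_ldos(trace)}")
```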
Problem Identification
• With classical Random Early Detection, the detection and mitigation of LRDDoS was not possible.
• Thus, Robust Random Early Detection came into the picture to overcome LRDDoS.
• Even after applying such different techniques for mitigating DDoS at a low rate, there is still a need for an efficient solution with a low false rate.
Proposed Solution
• The proposed solution identifies the attacking flow based on the CPR (Congestion Participation Rate) [5].
• A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow and will be considered for the detection block.
• The detection is done through the difference between the arrival times of the packets.
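The CPR classification proposed above, as an added Python example that is not the author's NS2 implementation. It assumes CPR is the share of a flow's packets that arrive in congested sampling intervals, marks an interval congested when total arrivals exceed an assumed link capacity, and applies a constructed threshold of 0.5 to a constructed trace.

```python
from collections import defaultdict

INTERVAL_MS = 100      # sampling interval (assumed)
CAPACITY = 100         # packets the link carries per interval (assumed)
CPR_THRESHOLD = 0.5    # constructed classification threshold


def bucket(packets):
    """(time_ms, flow) pairs -> {flow: {interval_index: packet_count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for t_ms, flow in packets:
        counts[flow][int(t_ms // INTERVAL_MS)] += 1
    return counts


def congested_intervals(counts, capacity=CAPACITY):
    """Intervals in which the aggregate arrivals exceed the link capacity."""
    totals = defaultdict(int)
    for per_interval in counts.values():
        for idx, n in per_interval.items():
            totals[idx] += n
    return {idx for idx, n in totals.items() if n > capacity}


def congestion_participation_rate(counts, congested):
    """Per flow: packets sent during congestion divided by all packets sent."""
    return {
        flow: sum(n for idx, n in per.items() if idx in congested) / sum(per.values())
        for flow, per in counts.items()
    }


def classify(packets, threshold=CPR_THRESHOLD):
    counts = bucket(packets)
    cpr = congestion_participation_rate(counts, congested_intervals(counts))
    return {flow: ("LDDoS" if rate > threshold else "normal", rate)
            for flow, rate in cpr.items()}


def constructed_trace(seconds=5):
    """Three constructed flows over `seconds` seconds of 100 ms intervals."""
    packets = []
    for s in range(seconds):
        # Pulsing flow: 300 packets in the first 200 ms of every second.
        packets += [(s * 1000 + (k * 2) // 3, "pulse") for k in range(300)]
    # Steady flow: one packet every 5 ms regardless of congestion.
    packets += [(5 * j, "steady") for j in range(seconds * 200)]
    # Backoff flow: imitates TCP by sending 10 packets per interval while the
    # pulse is active and 40 per interval otherwise.
    for idx in range(seconds * 10):
        n = 10 if idx % 10 < 2 else 40
        packets += [(idx * 100 + (i * 100) // n, "backoff") for i in range(n)]
    return packets


if __name__ == "__main__":
    for flow, (label, rate) in sorted(classify(constructed_trace()).items()):
        print(f"{flow}: CPR={rate:.3f} -> {label}")
```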
Implementation
NS – NS stands for Network Simulator, Version 2/3.
It is an open-source event-driven simulator designed specifically for research in computer communication networks.
Features of NS [22]
1. It is a discrete event simulator for networking research.
2. It provides substantial support to simulate a number of protocols like TCP, FTP, UDP, HTTP and DSR.
3. It simulates wired and wireless networks.
4. It is primarily Unix based.
6. Object-oriented support
7. C++ linkage
8. Discrete event scheduler
Installation of NS2 in Ubuntu
Thus, NS2 was installed successfully.
RED algorithm implemented
Here, the TCP window size is 15 and the link between the routers holds 25 packets.
Modified RED algorithm
The source nodes continuously send TCP flows over the nodes working as routers.
The packet drop ratio is increasing here.
RRED implementation
RRED files are copied into the queue
folder of NS2 Simulator
Parameters are added to the default file
of NS2 Simulator
"Queue/red-robust.o" is added before the $(OBJ_STL).
Run the 3 commands after the changes
in following files.
make clean
make depend
make
And thus RRED is integrated in the NS2 Simulator.
Conclusion and Future Work
As of now, the RED and RRED algorithms are implemented in NS2.
Using them, the further flow detection and mitigation of the DDoS attack will be done.
As shown in the proposed model, the CPR calculation will be implemented for the flow detection.
Review of Comments of DP-1
Concentrate on RED algorithm modification for detection.
• The modification of the RED algorithm is done using the main RED algorithm.
• The flow detection using congestion ratio and packet arrival time is being used for the modification.
Issues related to the Low Rate DDoS papers must be solved, along with implementation of the proposed solution.
• The research gap from the papers is being referred to and the implementation of the proposed system is being started using the NS2 simulator.
8. References
[1] Zhang, Changwang, Jianping Yin, Zhiping Cai, and Weifeng Chen. "RRED: robust RED algorithm to counter low-rate denial-of-service attacks." IEEE Communications Letters 14, no. 5 (2010).
[2] Xiang, Yang, Ke Li, and Wanlei Zhou. "Low-rate DDoS attacks detection and traceback by using new information metrics." IEEE Transactions on Information Forensics and Security 6, no. 2 (2011): 426-437.
[3] Ma, Li, Jie Chen, and Bo Zhang. "Improved RED Algorithm for Low-Rate DoS Attack." Advances in Electronic Commerce, Web Application and Communication (2012): 311-316.
[4] Mohan, Lija, M. G. Bijesh, and Jyothish K. John. "Survey of low rate denial of service (LDoS) attack on RED and its counter strategies." In Computational Intelligence & Computing Research (ICCIC), 2012 IEEE International Conference on, pp. 1-7. IEEE, 2012.
[5] Zhang, Changwang, Zhiping Cai, Weifeng Chen, Xiapu Luo, and Jianping Yin. "Flow level detection and filtering of low-rate DDoS." Computer Networks 56, no. 15 (2012): 3417-3431.
[6] Bhuyan, Monowar H., Dhruba Kumar Bhattacharyya, and Jugal K. Kalita. "Information metrics for low-rate DDoS attack detection: A comparative evaluation." In Contemporary Computing (IC3), 2014 Seventh International Conference on, pp. 80-84. IEEE, 2014.
[7] Arora, Arsh, and Lekha Bhambhu. "Performance Analysis of RED & Robust RED." International Journal of Computer Science Trends and Technology (IJCST) 2, no. 5 (2014): 51-55.
[8] Lin, Jiarun, Changwang Zhang, Zhiping Cai, Qiang Liu, and Jianping Yin. "A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks." International Journal of Autonomous and Adaptive Communications Systems 9, no. 1-2 (2016): 149-163.
[9] Chen, Zhaomin, Thi Ngoc Diep Pham, Chai Kiat Yeo, Bu Sung Lee, and Chiew Tong Lau. "FRRED: Fourier robust RED algorithm to detect and mitigate LDoS attacks." In Zooming Innovation in Consumer Electronics International Conference (ZINC), 2017, pp. 13-17. IEEE, 2017.
[12] Gu, Q. and Liu, P., 2007. Denial of service attacks. Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications, 3, pp. 454-468.
[13] Mathew, 2013, Low rate Denial of Service (LDoS) Attack Detection, Gyandhara International Academic Publication, Thane, India.
[14] "Low rate TCP attack" https://reproducingnetworkresearch.wordpress.com/2017/06/05/cs244-17-low-rate-tcp-dos-attacks/ Accessed: 2017-10-10
[15] "DDOS ATTACKS" https://www.incapsula.com/ddos/ddos-attacks/ Accessed: 2017-10-10
[16] "TCP-ACKTimeout" https://commons.wikimedia.org/wiki/File:TCP_ACK_Timeout.png Accessed: 2017-10-10
[17] "Security + technotes" http://www.techexams.net/technotes/securityplus/attacks-DDOS.shtml Accessed: 2017-10-10
[18] "How to Stop a DDoS Attack in Its Tracks (Case Study)" https://kinsta.com/blog/ddos-attack/ Accessed: 2017-10-10
[19] Lin, Dong, and Robert Morris. "Dynamics of random early detection." In ACM SIGCOMM Computer Communication Review, vol. 27, no. 4, pp. 127-137. ACM, 1997.
[20] "Random Early Detection" https://en.wikipedia.org/wiki/Random_early_detection Accessed: 2017-10-10
[21] "Low rate attack" https://security.radware.com/ddos-knowledge-center/ddospedia/low-rate-attack/ Accessed: 2017-10-10
[22] "NS2 Architecture" http://www.tutorialsweb.com/ns2/NS2-1.htm Accessed: 2017-10-10
[23] "Robust Random Early Detection" https://en.wikipedia.org/wiki/Robust_random_early_detection Accessed: 2017-10-10
Thank You !
ITSNS Copyright@Shreeya Shah(161060751013)

More Related Content

What's hot

I servizi sociali tra pubblico e privato 12 aprile
I servizi sociali tra pubblico e privato 12 aprileI servizi sociali tra pubblico e privato 12 aprile
I servizi sociali tra pubblico e privato 12 aprile
Alessandro Raggi
 

What's hot (20)

Deep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal DataDeep Learning’s Application in Radar Signal Data
Deep Learning’s Application in Radar Signal Data
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
 
Cyber security
Cyber securityCyber security
Cyber security
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Cyber security
Cyber securityCyber security
Cyber security
 
Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash Course
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
CyberSecurity
CyberSecurityCyberSecurity
CyberSecurity
 
Network Security
Network SecurityNetwork Security
Network Security
 
cyber terrorism
cyber terrorismcyber terrorism
cyber terrorism
 
Ethical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and toolsEthical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and tools
 
All about Honeypots & Honeynets
All about Honeypots & HoneynetsAll about Honeypots & Honeynets
All about Honeypots & Honeynets
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
 
Wireless sensor network
Wireless sensor networkWireless sensor network
Wireless sensor network
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
I servizi sociali tra pubblico e privato 12 aprile
I servizi sociali tra pubblico e privato 12 aprileI servizi sociali tra pubblico e privato 12 aprile
I servizi sociali tra pubblico e privato 12 aprile
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
Dos attack
Dos attackDos attack
Dos attack
 

Similar to Low Rate DDoS attack using Improved Robust Random Early Detection

Redundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor NetworksRedundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor Networks
Saeid Hossein Pour
 
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
ijcseit
 
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISMDISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
ijcseit
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
Raleigh ISSA
 
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
IJNSA Journal
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
Vishal Vasudev
 

Similar to Low Rate DDoS attack using Improved Robust Random Early Detection (20)

Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122Icimt 2010 procediing rp118 vol.2 d10122
Icimt 2010 procediing rp118 vol.2 d10122
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
Redundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor NetworksRedundancy Management in Heterogeneous Wireless Sensor Networks
Redundancy Management in Heterogeneous Wireless Sensor Networks
 
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
 
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISMDISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS DETECTION MECHANISM
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
Efficient ddos attacks security scheme using asvs
Efficient ddos attacks security scheme using asvsEfficient ddos attacks security scheme using asvs
Efficient ddos attacks security scheme using asvs
 
Efficient ddos attacks security scheme using asvs
Efficient ddos attacks security scheme using asvsEfficient ddos attacks security scheme using asvs
Efficient ddos attacks security scheme using asvs
 
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB...
 
IJAEIT 20
IJAEIT 20IJAEIT 20
IJAEIT 20
 
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree AlgorithmIRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
IRJET- DDOS Detection System using C4.5 Decision Tree Algorithm
 
ARW03o.ppt
ARW03o.pptARW03o.ppt
ARW03o.ppt
 
1766 1770
1766 17701766 1770
1766 1770
 
1766 1770
1766 17701766 1770
1766 1770
 
A STATISTICAL APPROACH TO DETECT DENIAL OF SERVICE ATTACKER
A STATISTICAL APPROACH TO DETECT DENIAL OF SERVICE ATTACKERA STATISTICAL APPROACH TO DETECT DENIAL OF SERVICE ATTACKER
A STATISTICAL APPROACH TO DETECT DENIAL OF SERVICE ATTACKER
 
A RESOURCE-EFFICIENT COLLABORATIVE SYSTEM FOR DDOS ATTACK DETECTION AND VICTI...
A RESOURCE-EFFICIENT COLLABORATIVE SYSTEM FOR DDOS ATTACK DETECTION AND VICTI...A RESOURCE-EFFICIENT COLLABORATIVE SYSTEM FOR DDOS ATTACK DETECTION AND VICTI...
A RESOURCE-EFFICIENT COLLABORATIVE SYSTEM FOR DDOS ATTACK DETECTION AND VICTI...
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Denial of service attacks and mitigation
Denial of service attacks and mitigationDenial of service attacks and mitigation
Denial of service attacks and mitigation
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Low Rate DDoS attack using Improved Robust Random Early Detection

  • 1. Mitigation Of Distributed Denial of Service Attack At Low Rate using Improved Robust Random Early Detection Submitted By Shreeya Shah (161060751013) Guided By Prof. Hardik Upadhyay Assistant Professor (GPERI-Mahesana) Gujarat Technological University PG School,Ahmedabad ITSNS Copyright@Shreeya Shah(161060751013)
  • 2. Published Survey Paper ITSNS Copyright@Shreeya Shah(161060751013)
  • 3. Contents Introduction Problem Definition • Objective • Scope • Expected Outcome Literature Review Problem Identification Proposed Solution Implements Conclusion and Future Work References ITSNS Copyright@Shreeya Shah(161060751013)
  • 4. Introduction  A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.  They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information. ITSNS Copyright@Shreeya Shah(161060751013) • Distributed Denial of Service Attack
  • 5. Continue …. According to current survey on 1st August, 2017, the second quarter of 2017 saw DDoS attacks being more and more frequently used as a tool for political struggle. ITSNS Copyright@Shreeya Shah(161060751013)
  • 6. Distribute Denial of Service at a Low Rate ITSNS Copyright@Shreeya Shah(161060751013) DDoS at a low rate attack stream [1] • DDoS at a low rate attack stream can be defined by three parameters Ta, Tb, Rb[1]. • Ta = Attack period • Tb = Attack burst width • Rb = Attack burst rate DDoS at a low rate attack is a variation of DDoS attack in which high rate of data is pushed to network for very short period of time and this process repeats over regular intervals which corresponds to the retransmission time out of TCP applications.
  • 7. Continue … • Stealthier than traditional DDoS • Self-adaptive mechanism • Making the attack stream more subtle • Periodic Pulse • Low Average rate and great concealment • High rate for short time ITSNS Copyright@Shreeya Shah(161060751013)
  • 8. Continue ... • Pulsing Attack A low-rate DDoS attacker exploits the vulnerability of TCP’s congestion-control mechanism by periodically sending attack packets over short periods of time repeatedly • Constant Attack Continuously launching attack packets at a constant low-rate ITSNS Copyright@Shreeya Shah(161060751013)
  • 9. Problem Definition • The Distributed denial of service attack at low rate works more poisonous from the traditional Distributed Denial of Service attack. • It works silently in the network. • Its flow is hard to define from the legitimate flow. • The traditional detection mechanism cannot be useful for Distributed Denial of Service attack at a low rate. ITSNS Copyright@Shreeya Shah(161060751013)
  • 10. Objective
      • Because of the periodicity and short bursts that characterize DDoS at a low rate, it is hard to detect in the network, as most DDoS attack detection systems are triggered by high-rate traffic.
      • Compare the different detection techniques for the Distributed Denial of Service attack at a low rate, and find the appropriate detection technique to mitigate the attack with a low false rate.
  • 11. Scope
      • The scope of this research area is distinguishing the attack from the legitimate traffic.
      • Generally, adding a filter block or density check gives a better outcome and a lower false rate for DDoS at a low rate, though an effective and efficient result requires further research.
  • 12. Expected Outcome
      • By comparing the different detection techniques, a better approach for detecting the distributed denial of service attack at a low rate is the expected result here.
      • To detect and mitigate the distributed denial of service attack with a low false rate.
      • Also, the ratio of packet dropping should be decreased.
  • 13. Literature Review
      • Random Early Detection
          • Also known as Random Early Discard or Random Early Drop
          • An algorithm to overcome Tail Drop
          • It monitors the average queue size and drops packets based on probabilities
      • Figure: RED Algorithm [20]
  • 14. Continue …
      • RED is more fair than tail drop, in the sense that it does not possess a bias against bursty traffic that uses only a small portion of the bandwidth.
      • According to Van Jacobson, "there are not one, but two bugs in classic RED."
      • Pure RED does not accommodate quality of service (QoS) differentiation.
  • 15. Robust Random Early Detection
      • For the Distributed Denial of Service attack at a low rate, the classical Random Early Detection algorithm was found to be vulnerable.
      • The Robust RED (RRED) algorithm was proposed to improve the TCP throughput against LDDoS attacks.
      • The RRED algorithm can significantly improve the performance of TCP under low-rate distributed denial-of-service attacks.
      • Figure: RRED architecture [1]
  • 16. Literature Survey
      • Paper 1: RRED: Robust RED Algorithm to Counter Low-Rate Denial-of-Service Attacks [1]
          • Design and implementation of the RRED algorithm
          • A detection and filter block is added in front of a regular RED block on a router.
          • The basic idea behind RRED is to detect and filter out LDoS attack packets from incoming flows before they feed into the RED algorithm.
  • 17. Paper 2: Improved RED Algorithm for Low-Rate DoS Attack [3]
      • It is found that the LDDoS attack stream has two characteristics.
          1. The first one is that the strength of each attack is very high.
          2. The second is that the attack pulse has cycles.
      • The router maintains the queue length value by amaxq; if it exceeds more than 4 times, and the intervals between them are equal, then all the upcoming packets will be dropped.
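The rule on this slide (more than 4 queue overshoots at equal intervals), written out as an added sketch that is not code from the cited paper. The queue-length threshold, the 5% spacing tolerance, the function names and both queue traces are assumptions constructed for illustration.

```python
# Added example: flag periodic queue overshoots (not code from the cited paper).

def make_trace(burst_starts_ms, duration_ms=6000, step_ms=100,
               base_qlen=8, peak_qlen=24, burst_ms=200):
    """Constructed queue-length samples as (time_ms, queue_length) pairs."""
    return [(t, peak_qlen if any(s <= t < s + burst_ms for s in burst_starts_ms)
             else base_qlen)
            for t in range(0, duration_ms, step_ms)]

def overshoot_times(samples, threshold):
    """Time of each rising edge where the queue length goes above threshold."""
    times, above = [], False
    for t, qlen in samples:
        if qlen > threshold and not above:
            times.append(t)
        above = qlen > threshold
    return times

def is_periodic_attack(times, more_than=4, tolerance=0.05):
    """More than `more_than` overshoots whose spacing is equal within tolerance."""
    if len(times) <= more_than:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps)
    return all(abs(g - mean_gap) <= tolerance * mean_gap for g in gaps)

# Constructed inputs: pulses every 1000 ms versus irregular congestion events.
PULSED = make_trace([500, 1500, 2500, 3500, 4500, 5500])
IRREGULAR = make_trace([300, 900, 2600, 3100, 5200, 5700])
THRESHOLD = 20  # assumed queue-length limit, in packets

if __name__ == "__main__":
    for name, trace in (("pulsed", PULSED), ("irregular", IRREGULAR)):
        times = overshoot_times(trace, THRESHOLD)
        print(name, times, "drop" if is_periodic_attack(times) else "forward")
```

The tolerance matters in practice: real pulse spacing carries jitter, so a strict equality test on the intervals would never fire.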
  • 18. Paper 3: Performance Analysis of RED & Robust RED [6]
      • Here, the experiments are performed both with the LRDDoS and without it, which shows RRED to be more powerful and efficient than classical RED.
      • Simulation is done through NS-2 and the results show that the RRED algorithm:
          1) Is highly robust.
          2) Can improve the performance of normal TCP under DDoS at a low rate.
          3) Obviously performs better than RED.
  • 19. Paper 4: A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks [7]
      • Although the existing robust random early detection (RRED) algorithm can preserve normal TCP throughput under various LDDoS attacks, it fails to maintain the fairness among TCP flows and to counter large-scale LDDoS attacks.
      • It is much easier to launch UDP-based LDDoS attacks, which achieve a more severe attack effect with much lower effort, than to launch TCP-based attacks.
      • This paper proposes the fair robust random early detection (FRRED) algorithm, a TCP-friendly AQM algorithm to improve the performance in terms of throughput and fairness.
  • 20. Continue … [7]
      • Protocol-based hashed partitioning
      • Space-efficient structure
      • There are L levels and B bins, where L is the hash function and B maintains the local indicator.
      • If the incoming flow fI is an attacking flow then L would be reduced by 1, else increased.
      • The min and max values of the local indicator are set as -1 and 10.
  • 21. Paper 5: FRRED: Fourier Robust RED Algorithm to Detect and Mitigate LDoS Attacks
      • In this paper, the power spectrum density entropy is introduced to overcome the distributed denial of service attack at a low rate.
      • Unlike the normal Robust RED algorithm, an additional PSD-entropy filtering block is added to increase the detection and filtering accuracy.
      • Power spectrum density is based on the Fourier transformation of incoming signals.
  • 22. Continue … [9]
      • For the normal TCP flow, the PSD is equally distributed and thus the probability will be uniform, while for DDoS at a low rate, the PSD is distributed at a small level and thus the probability will be non-uniform.
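The PSD-entropy idea from slides 21 and 22, as an added example that is not code from the FRRED paper. The 0.5 threshold, the function names and both packet-count series are constructed assumptions; the "normal" series is seeded random jitter, not a TCP model.

```python
# Added example: PSD-entropy check on a per-flow packet-count series.
import cmath
import math
import random

def psd(series):
    """Periodogram |X[k]|^2 for k = 1..N/2, computed after removing the mean."""
    n = len(series)
    mean = sum(series) / n
    centred = [v - mean for v in series]
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(centred))) ** 2
            for k in range(1, n // 2 + 1)]

def psd_entropy(series):
    """Shannon entropy of the normalised PSD, scaled to the range 0..1."""
    power = psd(series)
    total = sum(power)
    if total == 0:
        return 1.0  # constant rate: no pulse to find, treat as non-suspect
    probs = [p / total for p in power if p > 0]
    entropy = -sum(q * math.log2(q) for q in probs)
    return entropy / math.log2(len(power))

def is_low_rate_suspect(series, threshold=0.5):
    """Low entropy means power sits in a few frequencies, i.e. periodic pulses."""
    return psd_entropy(series) < threshold

# Constructed series: packets per 100 ms bin over 20 s (200 bins).
# Pulsed flow: Ta = 10 bins, Tb = 2 bins, Rb = 50 packets per bin.
PULSED = [50 if t % 10 < 2 else 0 for t in range(200)]
# Stand-in for a normal flow: seeded random rate jitter (assumption).
_rng = random.Random(7)
NORMAL = [_rng.randint(5, 15) for _ in range(200)]

if __name__ == "__main__":
    for name, series in (("pulsed", PULSED), ("normal", NORMAL)):
        print(name, round(psd_entropy(series), 3), is_low_rate_suspect(series))
```

The pulsed series puts all of its power into four harmonics of the pulse frequency, so its normalised entropy is about 0.25, while the jittered series spreads power over all 100 bins.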
  • 23. Problem Identification
      • With the classical Random Early Detection, the detection and mitigation of LRDDoS was not possible.
      • Thus, Robust Random Early Detection came into the picture to overcome the LRDDoS.
      • Even after applying such different techniques for mitigating DDoS at a low rate, there is still a need for an efficient solution with a low false rate.
  • 24. Proposed Solution
      • The proposed solution identifies the attacking flow based on the Congestion Participation Rate (CPR) [5].
      • A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow and will be considered for the detection block.
      • The detection is done through the difference between the arrival time periods of the packets.
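A CPR-threshold classifier for the proposed solution, as an added example that is not the presentation's NS2 code. The slide does not define CPR, so this assumes it is the share of a flow's packets that arrive during congested sampling intervals; the 0.6 threshold, the 20-packet minimum, the flow names and the interval data are constructed.

```python
# Added example: per-flow Congestion Participation Rate (CPR) classifier.
from collections import defaultdict

def cpr_per_flow(intervals):
    """intervals: list of (congested, {flow_id: packets}), one per sampling interval.
    Returns {flow_id: (cpr, total_packets)} under the assumed CPR definition:
    packets sent during congested intervals / all packets sent by the flow."""
    total = defaultdict(int)
    in_congestion = defaultdict(int)
    for congested, counts in intervals:
        for flow, packets in counts.items():
            total[flow] += packets
            if congested:
                in_congestion[flow] += packets
    return {f: (in_congestion[f] / total[f], total[f]) for f in total if total[f]}

def classify_lddos(intervals, threshold=0.6, min_packets=20):
    """Flows whose CPR exceeds the threshold. Tiny flows are skipped because a
    short flow that happens to start during congestion would score 1.0."""
    return sorted(f for f, (cpr, n) in cpr_per_flow(intervals).items()
                  if n >= min_packets and cpr > threshold)

def constructed_intervals():
    """Ten sampling intervals (constructed); congestion in intervals 2, 5 and 8."""
    out = []
    for i in range(10):
        congested = i in (2, 5, 8)
        counts = {"tcp-a": 5 if congested else 30,    # backs off when congested
                  "tcp-b": 6 if congested else 28,
                  "udp-x": 120 if congested else 0}   # sends only in the pulses
        if i == 5:
            counts["tcp-short"] = 4                    # brief flow, CPR 1.0
        out.append((congested, counts))
    return out

if __name__ == "__main__":
    data = constructed_intervals()
    for flow, (cpr, n) in sorted(cpr_per_flow(data).items()):
        print(f"{flow:10s} cpr={cpr:.3f} packets={n}")
    print("classified as LDDoS:", classify_lddos(data))
```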
  • 25. Implementation
      • NS – NS stands for Network Simulator Version 2/3. It is an open-source event-driven simulator designed specifically for research in computer communication networks.
      • Features of NS [22]
          1. It is a discrete event simulator for networking research.
          2. It provides substantial support to simulate a range of protocols like TCP, FTP, UDP, HTTP and DSR.
          3. It simulates wired and wireless networks.
          4. It is primarily Unix based.
          6. Object-oriented support
          7. C++ linkage
          8. Discrete event scheduler
  • 26. Installation of NS2 in Ubuntu
      • Thus, NS2 was installed successfully.
  • 27. RED algorithm implemented
      • Here, the TCP window size is 15 and the link between the routers has a size of 25 packets.
  • 28. Modified RED algorithm
      • The source nodes continuously send TCP flows over the nodes working as routers. The packet drop ratio is increasing here.
  • 29. RRED implementation
      • RRED files are copied into the queue folder of the NS2 Simulator.
  • 30. Continue…
      • Parameters are added to the default file of the NS2 Simulator.
  • 32. Continue …
      • Run the following 3 commands after the changes to the files:
          make clean
          make depend
          make
      • And thus RRED is integrated in the NS2 Simulator.
  • 33. Conclusion and Future Work
      • As of now, the RED and RRED algorithms are implemented in NS2. Using them, the further flow detection and mitigation of the DDoS attack will be done.
      • As shown in the proposed model, the CPR calculation will be implemented for the flow detection.
  • 34. Review of Comments of DP-1
      • Comment: Concentrate on RED algorithm modification for detection.
          • The modification of the RED algorithm is done using the main RED algorithm.
          • The flow detection using congestion ratio and packet arrival time is being used for the modification.
      • Comment: Issues raised in the Low Rate DDoS papers must be solved, and the proposed solution implemented.
          • The research gap from the papers is being referred to, and the implementation of the proposed system has been started using the NS2 simulator.
  • 35. 8. References
      [1] Zhang, Changwang, Jianping Yin, Zhiping Cai, and Weifeng Chen. "RRED: robust RED algorithm to counter low-rate denial-of-service attacks." IEEE Communications Letters 14, no. 5 (2010).
      [2] Xiang, Yang, Ke Li, and Wanlei Zhou. "Low-rate DDoS attacks detection and traceback by using new information metrics." IEEE Transactions on Information Forensics and Security 6, no. 2 (2011): 426-437.
      [3] Ma, Li, Jie Chen, and Bo Zhang. "Improved RED Algorithm for Low-Rate DoS Attack." Advances in Electronic Commerce, Web Application and Communication (2012): 311-316.
      [4] Mohan, Lija, M. G. Bijesh, and Jyothish K. John. "Survey of low rate denial of service (LDoS) attack on RED and its counter strategies." In Computational Intelligence & Computing Research (ICCIC), 2012 IEEE International Conference on, pp. 1-7. IEEE, 2012.
      [5] Zhang, Changwang, Zhiping Cai, Weifeng Chen, Xiapu Luo, and Jianping Yin. "Flow level detection and filtering of low-rate DDoS." Computer Networks 56, no. 15 (2012): 3417-3431.
      [6] Bhuyan, Monowar H., Dhruba Kumar Bhattacharyya, and Jugal K. Kalita. "Information metrics for low-rate DDoS attack detection: A comparative evaluation." In Contemporary Computing (IC3), 2014 Seventh International Conference on, pp. 80-84. IEEE, 2014.
      [7] Arora, Arsh, and Lekha Bhambhu. "Performance Analysis of RED & Robust RED." International Journal of Computer Science Trends and Technology (IJCST) 2, no. 5 (2014): 51-55.
      [8] Lin, Jiarun, Changwang Zhang, Zhiping Cai, Qiang Liu, and Jianping Yin. "A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks." International Journal of Autonomous and Adaptive Communications Systems 9, no. 1-2 (2016): 149-163.
      [9] Chen, Zhaomin, Thi Ngoc Diep Pham, Chai Kiat Yeo, Bu Sung Lee, and Chiew Tong Lau. "FRRED: Fourier robust RED algorithm to detect and mitigate LDoS attacks." In Zooming Innovation in Consumer Electronics International Conference (ZINC), 2017, pp. 13-17. IEEE, 2017.
  • 36. Continue…
      [12] Gu, Q. and Liu, P., 2007. Denial of service attacks. Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications, 3, pp. 454-468.
      [13] Mathew, 2013, Low rate Denial of Service (LDoS) Attack Detection, Gyandhara International Academic Publication, Thane, India.
      [14] "Low rate TCP attack" https://reproducingnetworkresearch.wordpress.com/2017/06/05/cs244-17-low-rate-tcp-dos-attacks/ Accessed: 2017-10-10
      [15] "DDOS ATTACKS" https://www.incapsula.com/ddos/ddos-attacks/ Accessed: 2017-10-10
      [16] "TCP-ACKTimeout" https://commons.wikimedia.org/wiki/File:TCP_ACK_Timeout.png Accessed: 2017-10-10
      [17] "Security + technotes" http://www.techexams.net/technotes/securityplus/attacks-DDOS.shtml Accessed: 2017-10-10
      [18] "How to Stop a DDoS Attack in Its Tracks (Case Study)" https://kinsta.com/blog/ddos-attack/ Accessed: 2017-10-10
      [19] Lin, Dong, and Robert Morris. "Dynamics of random early detection." In ACM SIGCOMM Computer Communication Review, vol. 27, no. 4, pp. 127-137. ACM, 1997.
      [20] "Random Early Detection" https://en.wikipedia.org/wiki/Random_early_detection Accessed: 2017-10-10
      [21] "Low rate attack" https://security.radware.com/ddos-knowledge-center/ddospedia/low-rate-attack/ Accessed: 2017-10-10
      [22] "NS2 Architecture" http://www.tutorialsweb.com/ns2/NS2-1.htm Accessed: 2017-10-10
      [23] "Robust Random Early Detection" https://en.wikipedia.org/wiki/Robust_random_early_detection Accessed: 2017-10-10
  • 37. Thank You!