The document presents a literature review and proposed solution for mitigating distributed denial of service (DDoS) attacks at low rates. It discusses how low rate DDoS attacks can evade detection by traditional mechanisms. The literature review covers past work on the Robust Random Early Detection (RRED) algorithm and its effectiveness against low rate attacks. The proposed solution enhances RRED by adding a detection block that identifies attacking flows based on their Congestion Participation Rate. The implementation of RRED in NS2 is described to allow further testing and evaluation of flow detection techniques for mitigating low rate DDoS attacks.
Low Rate DDoS attack using Improved Robust Random Early Detection
1. Mitigation of Distributed Denial of Service Attack at Low Rate using Improved Robust Random Early Detection
Submitted By
Shreeya Shah (161060751013)
Guided By
Prof. Hardik Upadhyay
Assistant Professor
(GPERI-Mahesana)
Gujarat Technological University PG School, Ahmedabad
ITSNS Copyright@Shreeya Shah(161060751013)
3. Contents
Introduction
Problem Definition
• Objective
• Scope
• Expected Outcome
Literature Review
Problem Identification
Proposed Solution
Implementation
Conclusion and Future Work
References
4. Introduction
• Distributed Denial of Service Attack
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.
5. Continue ….
According to a current survey dated 1st August, 2017, the second quarter of 2017 saw DDoS attacks being used more and more frequently as a tool for political struggle.
6. Distributed Denial of Service at a Low Rate
DDoS at a low rate attack stream [1]
• A DDoS at a low rate attack stream can be defined by three parameters: Ta, Tb and Rb [1].
• Ta = Attack period
• Tb = Attack burst width
• Rb = Attack burst rate
A DDoS at a low rate attack is a variation of the DDoS attack in which a high rate of data is pushed to the network for a very short period of time, and this process repeats over regular intervals which correspond to the retransmission timeout of TCP applications.
7. Continue …
• Stealthier than traditional DDoS
• Self-adaptive mechanism
• Making the attack stream more subtle
• Periodic Pulse
• Low Average rate and great concealment
• High rate for short time
8. Continue ...
• Pulsing Attack
A low-rate DDoS attacker exploits the vulnerability of TCP's congestion-control mechanism by periodically sending attack packets over short periods of time.
• Constant Attack
Continuously launching attack packets at a constant low rate.
9. Problem Definition
• The Distributed Denial of Service attack at a low rate is more harmful than the traditional Distributed Denial of Service attack.
• It works silently in the network.
• Its flow is hard to distinguish from the legitimate flow.
• The traditional detection mechanisms are not useful against the Distributed Denial of Service attack at a low rate.
10. Objective
• Because of its periodicity and short bursts, DDoS at a low rate is hard to detect in the network.
• Most DDoS attack detection systems are triggered by high rate traffic.
• Compare the different detection techniques for the Distributed Denial of Service attack at a low rate, and find the appropriate detection technique to mitigate the attack with a low false rate.
11. Scope
• The scope of this research area is detecting the attack traffic among the legitimate traffic.
• Generally, adding a filter block or density check gives a better outcome and a lower false rate for DDoS at a low rate, though an effective and efficient result requires further research.
12. Expected Outcome
• By comparing the different detection techniques, a better approach for detecting the distributed denial of service attack at a low rate is the expected result.
• To detect and mitigate the distributed denial of service attack with a low false rate.
• The ratio of packet dropping should also be decreased.
13. Literature Review
Random Early Detection
• Also known as Random Early Discard or Random Early Drop
• An algorithm to overcome the problems of Tail Drop
• It monitors the average queue size and drops packets based on probabilities
Figure: RED Algorithm [20]
14. Continue …
• RED is more fair than tail drop, in the sense that it does not possess a bias against bursty traffic that uses only a small portion of the bandwidth.
• According to Van Jacobson, "there are not one, but two bugs in classic RED."
• Pure RED does not accommodate quality of service (QoS) differentiation.
15. Robust Random Early Detection
• For the Distributed Denial of Service attack at a low rate, the classical Random Early Detection algorithm was found to be vulnerable.
• The Robust RED (RRED) algorithm was proposed to improve the TCP throughput against LDDoS attacks.
• The RRED algorithm can significantly improve the performance of TCP under low-rate distributed denial-of-service attacks.
Figure: RRED architecture [1]
16. Literature Survey
Paper 1
RRED: Robust RED Algorithm to Counter Low-Rate Denial-of-Service Attacks[1]
• Design and implementation of the RRED algorithm
• A detection and filter block is added in front of a regular RED block on a router.
• The basic idea behind RRED is to detect and filter out LDoS attack packets from incoming flows before they are fed to the RED algorithm.
17. Paper 2
Improved RED Algorithm for Low-Rate DoS Attack[3]
• It is found that the LDDoS attack stream has two characteristics.
1. The first one is that the strength of each attack is very high.
2. The second is that the attack pulse has cycles.
• The router tracks the queue length value using amaxq; if it is exceeded more than 4 times and the intervals between these occurrences are equal, then all the upcoming packets will be dropped.
18. Paper 3
Performance Analysis of RED & Robust RED[6]
• Here, the experiments are performed both with the LRDDoS and without it, which shows RRED to be more powerful and efficient than the classical RED.
• Simulation is done through NS-2 and the results show that the RRED algorithm
1) Is highly robust.
2) Can improve the performance of normal TCP under DDoS at a low rate.
3) Obviously performs better than RED.
19. Paper 4
A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks[7]
• Although the existing robust random early detection (RRED) algorithm can preserve normal TCP throughput under various LDDoS attacks, it fails to maintain the fairness among TCP flows and to counter large-scale LDDoS attacks.
• It is much easier to launch UDP-based LDDoS attacks, which achieve a more severe attack effect with much lower effort, than to launch TCP-based attacks.
• This paper proposes the fair robust random early detection (FRRED) algorithm, a TCP-friendly AQM algorithm, to improve the performance in terms of throughput and fairness.
20. Continue …
• Protocol based hashed partitioning
• Space Efficient Structure
• There are L levels and B bins, where L is the hash function and B maintains the local indicator.
• If the incoming flow fI is an attacking flow, then L is reduced by 1; otherwise it is increased.
• The max and min values of the local indicator are set as -1 and 10.
[7]
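An added example, not code from the slides or the cited papers: the detection-and-filter block that sits in front of RED (Paper 1), with a per-flow local indicator kept within the -1 and 10 limits given above. A packet is treated as suspected when it arrives within a short window after the last packet filtered from its flow or the last packet dropped by RED, as in the RRED paper [1]. Assumptions: exact per-flow state replaces the levels and bins, the 10 ms window is an assumed value, the names `RredFilter`, `FlowState` and `run_constructed_trace` are hypothetical, and a fixed queue-length rule stands in for the RED block.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <unordered_map>

struct FlowState { int indicator = 0; double t1 = -1e9; };

// RRED-style detection-and-filter block, exact per-flow state (no hash bins).
struct RredFilter {
    std::unordered_map<std::uint32_t, FlowState> flows;
    double t_star;     // suspicion window after a drop, in ms (assumed value)
    double t2 = -1e9;  // arrival time of the last packet dropped by RED
    explicit RredFilter(double window_ms) : t_star(window_ms) {}
    // true: pass the packet to RED; false: filter it. Indicator stays in [-1, 10].
    bool admit(std::uint32_t flow, double now) {
        FlowState &f = flows[flow];
        double tmax = std::max(f.t1, t2);
        bool suspect = now >= tmax && now <= tmax + t_star;
        f.indicator = std::min(10, std::max(-1, f.indicator + (suspect ? -1 : 1)));
        if (f.indicator >= 0) return true;
        f.t1 = now;    // remember when this flow was last filtered
        return false;
    }
    void red_dropped(double now) { t2 = now; }
};

struct Result { int legit_filtered = 0, attack_filtered = 0, red_drops = 0; };

// Constructed trace: flow 1 sends a packet every 20 ms, flow 2 one 30 ms burst
// at 2 packets/ms. Queue drains 1 packet/ms; "drop at 10 queued" stands in for RED.
Result run_constructed_trace() {
    RredFilter filter(10.0);
    Result r;
    double q = 0.0, last = 0.0;
    auto offer = [&](std::uint32_t flow, double now, int &filtered) {
        if (!filter.admit(flow, now)) { ++filtered; return; }
        q = std::max(0.0, q - (now - last)); last = now;
        if (q >= 10.0) { filter.red_dropped(now); ++r.red_drops; }
        else q += 1.0;
    };
    for (int tick = 0; tick < 400; ++tick) {   // one tick = 0.5 ms
        double now = tick * 0.5;
        if (tick % 40 == 0) offer(1, now, r.legit_filtered);
        if (now >= 100.0 && now < 130.0) offer(2, now, r.attack_filtered);
    }
    return r;
}
int main() {
    Result r = run_constructed_trace();
    std::printf("%d %d %d\n", r.legit_filtered, r.attack_filtered, r.red_drops);
}
```

On this trace the burst flow is cut off after a handful of RED drops, while the slow flow loses one indicator point during the burst and is never filtered.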
21. Paper 5
FRRED: Fourier Robust RED Algorithm to Detect and Mitigate LDoS Attacks
• In this paper, the power spectrum density entropy is introduced to overcome the distributed denial of service attack at a low rate.
• Unlike the normal Robust-RED algorithm, an additional PSD-entropy filtering block is added to increase the detection and filtering accuracy.
• Power spectrum density is based on the Fourier transformation of incoming signals.
22. Continue …
[9]
• For the normal TCP flow, the PSD is equally distributed and thus the probability is uniform, while for DDoS at a low rate the PSD is distributed at a small level and thus the probability is non-uniform.
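An added example, not code from the slides or from the FRRED paper [9]: it computes the entropy of the normalised power spectrum for a pulsed packet-count series and for a jittery one, which makes the uniform versus concentrated PSD distinction above measurable. The 64-sample constructed series, the naive DFT, and the names `psd_entropy`, `pulse_series` and `jitter_series` are assumptions of this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Shannon entropy (bits) of the normalised power spectrum of a packet-count
// series, over DFT bins 1..N/2 (the DC term is skipped).
double psd_entropy(const std::vector<double> &x) {
    const double pi = std::acos(-1.0);
    const std::size_t n = x.size();
    std::vector<double> power;
    double total = 0.0;
    for (std::size_t k = 1; k <= n / 2; ++k) {
        double re = 0.0, im = 0.0;
        for (std::size_t t = 0; t < n; ++t) {
            double a = 2.0 * pi * double(k * t) / double(n);
            re += x[t] * std::cos(a);
            im -= x[t] * std::sin(a);
        }
        power.push_back(re * re + im * im);
        total += power.back();
    }
    double h = 0.0;
    for (double p : power)
        if (total > 0.0 && p > 0.0) h -= (p / total) * std::log2(p / total);
    return h;
}

// Constructed pulsed series: 2 busy samples in every 16 (fixed period and width).
std::vector<double> pulse_series() {
    std::vector<double> x(64, 0.0);
    for (std::size_t t = 0; t < x.size(); ++t)
        if (t % 16 < 2) x[t] = 50.0;
    return x;
}

// Constructed stand-in for aggregated normal traffic: 10 packets plus LCG jitter.
std::vector<double> jitter_series() {
    std::vector<double> x;
    std::uint32_t s = 12345u;
    for (int t = 0; t < 64; ++t) {
        s = s * 1103515245u + 12345u;
        x.push_back(10.0 + double((s >> 16) % 7u));
    }
    return x;
}
int main() {
    std::printf("%.2f %.2f\n", psd_entropy(pulse_series()), psd_entropy(jitter_series()));
}
```

The pulsed series puts its energy into a few harmonics of the pulse period, so its entropy stays well below the 5-bit maximum for 32 bins; a filter block would compare this value against a threshold tuned on normal traffic.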
23. Problem Identification
• With the classical Random Early Detection, the detection and mitigation of LRDDoS was not possible.
• Thus, Robust Random Early Detection came into the picture to overcome the LRDDoS.
• Even after applying such different techniques for mitigating DDoS at a low rate, there is still a need for an efficient solution with a low false rate.
24. Proposed Solution
• The proposed solution identifies the attacking flow based on the CPR (Congestion Participation Rate) [5].
• A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow and will be considered by the detection block.
• The detection is done through the difference between the arrival time periods of the packets.
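An added example, not code from the slides or from [5]: per-flow CPR computed over sampling intervals and compared against a threshold. It assumes CPR is the share of a flow's packets that arrive in congested intervals; the 0.5 threshold, the constructed interval counts and the names `Interval`, `compute_cpr` and `flag_lddos` are hypothetical.

```cpp
#include <cstdio>
#include <map>
#include <vector>

// One sampling interval: was the router congested, and packets seen per flow id.
struct Interval { bool congested; std::map<int, int> packets; };

// CPR of a flow = its packets in congested intervals / all of its packets
// (the definition assumed in the lead-in).
std::map<int, double> compute_cpr(const std::vector<Interval> &trace) {
    std::map<int, int> total, in_congestion;
    for (const Interval &iv : trace)
        for (const auto &kv : iv.packets) {
            total[kv.first] += kv.second;
            if (iv.congested) in_congestion[kv.first] += kv.second;
        }
    std::map<int, double> cpr;
    for (const auto &kv : total)
        if (kv.second > 0) cpr[kv.first] = double(in_congestion[kv.first]) / kv.second;
    return cpr;
}

// Flows whose CPR exceeds the threshold are classified as LDDoS flows.
std::vector<int> flag_lddos(const std::vector<Interval> &trace, double threshold) {
    std::vector<int> flagged;
    for (const auto &kv : compute_cpr(trace))
        if (kv.second > threshold) flagged.push_back(kv.first);
    return flagged;
}

// Constructed sample: flows 1 and 2 back off after each congested interval,
// flow 3 sends almost only in the intervals where congestion occurs.
std::vector<Interval> constructed_trace() {
    return {
        {false, {{1, 12}, {2, 10}}},
        {true,  {{1, 12}, {2, 10}, {3, 40}}},
        {false, {{1, 6}, {2, 5}}},
        {false, {{1, 8}, {2, 7}}},
        {false, {{1, 10}, {2, 9}}},
        {true,  {{1, 12}, {2, 10}, {3, 40}}},
        {false, {{1, 6}, {2, 5}, {3, 2}}},
        {false, {{1, 8}, {2, 7}}},
    };
}

int main() {
    for (int id : flag_lddos(constructed_trace(), 0.5)) std::printf("LDDoS flow: %d\n", id);
}
```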
25. Implementation
NS – NS stands for Network Simulator Version 2/3.
It is an open-source event-driven simulator designed specifically for research in computer communication networks.
Features of NS [22]
1. It is a discrete event simulator for networking research.
2. It provides substantial support to simulate a bunch of protocols like TCP, FTP, UDP, HTTP and DSR.
3. It simulates wired and wireless networks.
4. It is primarily Unix based.
6. Object oriented support
7. C++ linkage
8. Discrete event scheduler
27. RED algorithm implemented
Here, the TCP window size is 15 and the link between the routers has a size of 25 packets.
28. Modified RED algorithm
The source nodes continuously send TCP flows over the nodes working as routers.
The packet drop ratio increases here.
32. Continue …
Run these 3 commands after making the changes in the following files.
make clean
make depend
make
Thus RRED is integrated into the NS2 simulator.
33. Conclusion and Future Work
As of now, the RED and RRED algorithms are implemented in NS2.
Using them, the further flow detection and mitigation of the DDoS attack will be done.
As shown in the proposed model, the CPR calculation will be implemented for the flow detection.
34. Review of Comments of DP-1
Concentrate on RED algorithm modification for detection.
• The modification of the RED algorithm is done using the main RED algorithm.
• The flow detection using congestion ratio and packet arrival time is being used for the modification.
Issues raised in the Low Rate DDoS papers must be solved, along with implementation of the proposed solution.
• The research gap from the papers is being referred to, and the implementation of the proposed system has been started using the NS2 simulator.
35. References
[1] Zhang, Changwang, Jianping Yin, Zhiping Cai, and Weifeng Chen. "RRED: robust RED algorithm to counter low-rate denial-of-service attacks." IEEE Communications Letters 14, no. 5 (2010).
[2] Xiang, Yang, Ke Li, and Wanlei Zhou. "Low-rate DDoS attacks detection and traceback by using new information metrics." IEEE Transactions on Information Forensics and Security 6, no. 2 (2011): 426-437.
[3] Ma, Li, Jie Chen, and Bo Zhang. "Improved RED Algorithm for Low-Rate DoS Attack." Advances in Electronic Commerce, Web Application and Communication (2012): 311-316.
[4] Mohan, Lija, M. G. Bijesh, and Jyothish K. John. "Survey of low rate denial of service (LDoS) attack on RED and its counter strategies." In Computational Intelligence & Computing Research (ICCIC), 2012 IEEE International Conference on, pp. 1-7. IEEE, 2012.
[5] Zhang, Changwang, Zhiping Cai, Weifeng Chen, Xiapu Luo, and Jianping Yin. "Flow level detection and filtering of low-rate DDoS." Computer Networks 56, no. 15 (2012): 3417-3431.
[6] Bhuyan, Monowar H., Dhruba Kumar Bhattacharyya, and Jugal K. Kalita. "Information metrics for low-rate DDoS attack detection: A comparative evaluation." In Contemporary Computing (IC3), 2014 Seventh International Conference on, pp. 80-84. IEEE, 2014.
[7] Arora, Arsh, and Lekha Bhambhu. "Performance Analysis of RED & Robust RED." International Journal of Computer Science Trends and Technology (IJCST) 2, no. 5 (2014): 51-55.
[8] Lin, Jiarun, Changwang Zhang, Zhiping Cai, Qiang Liu, and Jianping Yin. "A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks." International Journal of Autonomous and Adaptive Communications Systems 9, no. 1-2 (2016): 149-163.
[9] Chen, Zhaomin, Thi Ngoc Diep Pham, Chai Kiat Yeo, Bu Sung Lee, and Chiew Tong Lau. "FRRED: Fourier robust RED algorithm to detect and mitigate LDoS attacks." In Zooming Innovation in Consumer Electronics International Conference (ZINC), 2017, pp. 13-17. IEEE, 2017.
36. Continue…
[12] Gu, Q. and Liu, P., 2007. Denial of service attacks. Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications, 3, pp.454-468.
[13] Mathew, 2013, Low rate Denial of Service (LDoS) Attack Detection, Gyandhara International Academic Publication, Thane, India
[14] "Low rate TCP attack" https://reproducingnetworkresearch.wordpress.com/2017/06/05/cs244-17-low-rate-tcp-dos-attacks/ Accessed: 2017-10-10
[15] "DDOS ATTACKS" https://www.incapsula.com/ddos/ddos-attacks/ Accessed: 2017-10-10
[16] "TCP-ACKTimeout" https://commons.wikimedia.org/wiki/File:TCP_ACK_Timeout.png Accessed: 2017-10-10
[17] "Security + technotes" http://www.techexams.net/technotes/securityplus/attacks-DDOS.shtml Accessed: 2017-10-10
[18] "How to Stop a DDoS Attack in Its Tracks (Case Study)" https://kinsta.com/blog/ddos-attack/ Accessed: 2017-10-10
[19] Lin, Dong, and Robert Morris. "Dynamics of random early detection." In ACM SIGCOMM Computer Communication Review, vol. 27, no. 4, pp. 127-137. ACM, 1997.
[20] "Random Early Detection" https://en.wikipedia.org/wiki/Random_early_detection Accessed: 2017-10-10
[21] "Low rate attack" https://security.radware.com/ddos-knowledge-center/ddospedia/low-rate-attack/ Accessed: 2017-10-10
[22] "NS2 Architecture" http://www.tutorialsweb.com/ns2/NS2-1.htm Accessed: 2017-10-10
[23] "Robust Random Early Detection" https://en.wikipedia.org/wiki/Robust_random_early_detection Accessed: 2017-10-10