Master's Thesis

Cooperative Defense Mechanisms against Distributed Denial of Service (DDoS) Attacks
Presented by:
Prachi Gulihar
Roll No- 31603216
DEPARTMENT OF COMPUTER ENGINEERING
NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRA
Under the Supervision of:
Dr. B.B. Gupta
Assistant Professor, Department of
Computer Engineering, NIT Kurukshetra
Master of Technology Dissertation

INTRODUCTION LITERATURE REVIEW PROPOSED METHODOLOGY RESULT ANALYSIS CONCLUSION FUTURE WORK REFERENCES<<
2NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRADepartment of Computer Engineering
Presentation Layout
• Introduction
• Present Statistics
• Motivation
• Research Issues and Challenges
• Existing Techniques
• Proposed Methodology
• Simulation Analysis
• Results and Discussion
• Conclusions
• Future Scope
• References

Introduction
• Recently, the study of economics of Internet has emerged as a fast emerging field of study
for cyber defense.
• Security professionals have realized that while designing any security mechanism it is
vital to keep in consideration the “theory of mind”.
• The concept of “tragedy of commons” and a sustainable pricing strategy is the one which
is able to cater to the competitive advantage plays an important role in distributing the
limited Internet resources.
NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRADepartment of Computer Engineering

• DDoS attack is one of the biggest challenges faced by the Internet today, the largest
reported DDoS attack was of volume 400 Gpbs in year 2014.
• Nowadaysthe Internetplaysavital rolein the growthof the economyforany nation. DDoS
attacks areoneof the majorthreat that hurting this growthasit affectsthesystemsandnetwork
which usesthe Internetfortheir business work.
• Thevictims bandwidth is flooded with the excessiveamountof malicious orfaketraffic dueto
which, the victim is unableto servethe legitimate users.
Distributed Denial of Service

5NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRADepartment of Computer Engineering NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRADepartment of Computer Engineering
DoS vs DDoS Attack

30
16
8 7 6
12
4 2
10
0
10
20
30
40
DDoS attackvector frequency
Present Statistics
Types of DDoS attacks

Motivation
• A very large volume of malicious traffic is produced by misbehaving users who either knowingly or unknowingly launch flooding
Distributed Denial of Service attacks from their systems.
• The ability of DDoS attack to generate massive volumes of unwanted traffic has made it one of the biggest threats the Internet is vulnerable
to , the primest marks of DDoS attack which went on for two days can be traced back to year 1999 .
Evolution of DDoS attacks
and Defense mechanisms

• There are two main characteristics because of which the DDoS defense mechanisms have been unable to provide
reliable protection.
a) inability to distinguish between the malicious traffic and benign traffic.
b) attack sources are distributed across different sites, difficult to trace them.
• The reasons for failure of security in any system are two-fold. First is the poor design and second is the poor
incentive.
• The innovative concept of online auctions as a reputation system has motivated the researchers to explore more
such options. A striking example of economic analysis was shown in January 2005 when the power of online music
sharing shifted from music vendors to individual publishers.
Motivation (Contd.)

IRC model of DDoS attack network

Reflector model of DDoS
attack network
machine.

Direct vs Reflective flooding mechanism

DNS Amplification Attack

Smurf vs DNS Amplification

DDoS Action Cycle

e based.• order.
Local
Cache
Sibling
Cache
Parent
CacheRegional
ISPs
Backbone
ISPs
Local
ISPs
Sibling
Cache
Parent
Cache
Sibling
Cache
Hierarchy of caches in the Internet Chain of incentives in Internet

Low priority
traffic
High
priority
traffic
Services
Services distribution Architecture of Policy Based Networking

e based.
Classification of Incentive Schemes

Research Issues and Challenges
• Algorithm Mechanism- cheat-proof strategy based mechanisms which ensure that the illegitimate
behavior is avoided at the design level instead of rectifying after deployment.
• Fair Allocation- The issue already in scarce network resources is the exponential growth in the
number of bits used for communication which causes complexity issues even for a small group.
• Network Analysis- Conflict dynamics of any network is strongly influenced by its topology
because the robustness properties of different topologies are different.

Research Issues and Challenges (Contd.)
• Degree Distribution- Focusses on why the networks with individual costs of link connectivity
which outweigh the overall community benefit are created. leads us to the open research issue of
degree distribution.
• Project Failures- Although better computer systems management tools are available to work with
larger systems, but still the failure rate remains 30%.
• Human Psychology- Designing any policy for charging the internet use is based on human
psychology in many ways. First factor is the degree of difficulty, second is the usability and third
is deception.

Existing Techniques
Approach Advantages Limitations
Router based Pushback with
Client Puzzles [5]
Puzzle work load is transferred to the upstream path
routers which decreases work load of processing on
the path routers.
It is not effective in performing rate-limiting defense on the
malicious traffic inside the aggregate.
 Fails to mitigate the attack traffic which is distributed within the
inbound links in a uniform manner.
Software Puzzle [6]
Attackers cannot inflate their puzzle-solving
capabilities using GPU.
Can be easily integrated with the data puzzle
schemes existing on the server side because it is
made upon a data puzzle.
 Easily deployed.
Generation of puzzle at the server side makes it a time consuming
process as the victim server only has to put in time for construction
of the puzzle.
No provision for construction of the software puzzle at the client-
side.
Bitcoin Blockchain [7]
Fair client puzzles are computed independent of
power of client machine’s computing resources.
Client cannot save the puzzles to respond afterwards
at a later stage with an overwhelming count of
correct puzzle solutions at a single point of time.
Blocks in a bitcoin blockchain are generated approximately every
ten minutes which is makes it impractical for client puzzle
applications.
Outsourced puzzles [8]
Robust puzzle distribution mechanism.
 Offline computation of puzzles
One server is able to compute tokens associated with other servers
resulting in diffusion of trust across other participants.

Existing Techniques (Contd.)
Approach Advantages Limitations
Game Theory with Nash equilibrium
[9]
 Applicable in defending both distributed and
single-source attacks.
Does not support larger payoffs to be feasible in the game.
Standard Model Client Puzzles [10]
Less number of modular multiplication
operations for puzzle generation by defending
server.
Faster cumulative verification time.
Slower puzzle generation time.
Slower solution verification time as compared to hash based
puzzles.
Aggregate congestion control
and Pushback [11] ACC rate limits the aggregates rather than IP sources Not effective against uniformly distributed attack sources
Passport [12]
Makes use of symmetric key cryptography to put
tokens on packets that verify the source
• Attackers may get capabilities from colluders
• It only prevents the hosts in one AS from spoofing the IP addresses
of other ASs
Defensive Cooperative
Overlay Mesh [13] Defense nodes collaborate and cooperate together
• Classifier nodes require an inline deployment.
• Unable to handle attacks from legacy networks.
Stateless Internet Flow Filter [14] Capability-based mechanism
• Always active
• Processing and memory costs overheads

Proposed Defense Scheme
Proposed a multi-level defense approach using congestion level control and anomaly based techniques
can be explained by the following four steps which are executed in a consecutive manner of
execution:
• Detection of DDOS attack.
• Challenging the attacking sources.
• Suppression of malicious packets.
• Diverting the traffic flood.

Description of the Algorithm
• In the incoming traffic, every incoming packet is placedinto its respectivemodule, accordingto the volume of
the attack traffic – normal,caution,peak.
• Ifthis volumeis lessthan the normal level then the defense mechanism is not activated and the traffic is sent to
the destination machine.
• If the volume destined towards the victim rises above the caution level, then the puzzlegenerationmoduleis
activatedwhichchecksthepacketsforPoWasauthoritytosendrequeststotheserver.Onlytheauthorizedclient
requestsareforwarded.
• Ifthevolumeoftheincomingtrafficrisesabovethepeaklevel,thenallofthetrafficisdivertedIn the incoming traffic,
every incoming packet is placedinto its respectivemodule, accordingto the volume of the attack traffic –
normal,caution,peak.

DDoS Defense using Client Puzzles

25NATIONAL INSTITUTE OF TECHNOLOGY, KURUKSHETRADepartment of Computer EngineeringDepartment of Computer Engineering
Input: Incoming traffic Xin
Start Vin = null;
//set initial volume metric as null
Fetch (Xin[t], Vin[t]);
If (Vin[t] < V[tx ]) //no defense
{Forward_ISP (Xin[t])}
//client puzzle P
ElseIf (V[tx] < Vin[t] < V[ty])
{
S : Generate(P);
S -> C : Send(P);
C : S=Solve(P);
C->S : Send(S);
If (S==Solution[P])
{Forward_ISP (Xin[t]);}
Else
{Forward_Garbage(Xin[t]);}}
//dynamic provisioning
Else
{Forward_DPM(Xin[t]);}
Forward_ISP (Xin[t])
{Handle (Xin[t]);}
//diversion
Forward_DPM(Xin[t])
{
Send(Xin[t]) -> PolicyHandler;
Forward(Xin[t]) -> HelpingServers;
}
//blacklisting
Forward_Garbage(Xin[t])
{Discard(Xin[t]);
SourceIP(Xin[t]) -> logServer; }
End
Pseudo Code

Resource Allocation Policy
The resource allocation policy used by ORA module can be explained by the
following three phases which are executed in a consecutive manner of
execution.
• Cache server selection
• Resource allocation
• Iterative pricing

Resource Allocation Policy (Contd.)

Dynamic Provisioning System

ORA Module
Input: Cache servers Csi, configuration(u,m,t) Where, u= server utilization, m= free cache, t= throughput
Start WOA(u, m, t);
fitness = u + (-m) + (-b);
If m_reqd> m
m = -infinity;
Else m = absolute(m_reqd - m);
If t_reqd> t
t = -infinity;
Else t = absolute(t_reqd - t);
Add Csi ->winnerlist;
Send[winnerlist] ->Auction();
Auction() {
Fetch(Rank, winnerlist);
Utility= (bid_price – incurred_price) * 1/Rank;
Disperse_traffic[Xin] -> Max(Utility[Csi])}
For all Csi
If (Cache_NotAllocated)
{
P[next_round]=P[previousround]+Incentive[current_round];
Send(Participation_Credit P)->Csi
Update_bid()
{
New_bid= old_bid – P;
Proceed(new_bid);
}}
Else
{ Incentive[current_round]=NULL;
Proceed(old_bid); }
Stop

Advantages
• Lineal Deployment: The PoW ensures easy deployment on the existing infrastructure without
any major modifications on server machine.
• On-Demand DDoS Mitigation: Defense comes under action only when the attack is happening
else remains inactive which lowers the maintenance costs.
• Non-distinguishable DDoS Defense: Proof-of-Work (PoW) scheme prioritises the connection
requests reducing the collateral damage done to the legitimate traffic due to non-filteration of
malicious traffic.
• Risk Transfer: The Risk Transfer mechanism is well suited for the securing network layer
attacks as even if the internal devices are unsecure, dynamic provisioning is enough to prevent
DDoS attacks.

Advantages (Contd.)
• Combination of services: The marketplace mechanism should allow the users to express
complementary requirements
• Flexibility and predictability: The buyer desires an anticipated deal which can be modified and
adjusted with changing needs.
• Economic efficiency: The policy design should maximize the gains of the participating parties
and should minimize the wastage of the resource.
• Double-sided competition: The prices should solely depend on the condition of supply and
demand and should neither be biased to seller nor to buyer.
• Functional constraints : Socio-economic objective function needs to be combined with
constraints of the network for optimal results.

Simulation Analysis
• Basic network to test flooding attack is set up with the help of Network
Simulator 2.
• Anticipation of mitigation rate of the proposed framework is done under two
conditions, firstly when the defense mechanism is in place and secondly,
without it.
• A heterogeneous network comprising of different types of traffic is taken, and
defense is done under three attack load condition of the network traffic.

Simulation Analysis (Contd.)
• Simulation of the model is tested under the two types of DDoS attack: TCP flood and
UDP flood.
• In Dynamic Provisioning Module simulation, minimum charge policy in kept in policy
handler.
• The schedule of workflows is preprocessed in MATLAB R2013a and is fed to the whale
algorithm and the results are stored in a CSV file which is inputted to the AA using
Engine API.

MATLAB screenshot

AA screenshot

NS2 screenshot

Detection Rate vs. Number if Iterations
Results and Discussions
84
86
88
90
92
94
96
98
100
100 200 300 400 500 600 700 800 900 1000
DetectionRate(%)
No. Of Iterations

Throughput vs. Number of Iterations
Results and Discussions (Contd.)
0
100
200
300
400
500
600
700
800
900
1,000
100 200 300 400 500 600 700 800 900 1000
Throughput(kbps)
No. Of Iterations

ure 4.4. Optimization results of the proposed approach
Balanced sharing of diverted traffic
0
500
1,000
1,500
2,000
2,500
-200 -160 -120 -80 -40 0 40 80 120 160 200
CacheTraded(inmb)
Difference in number of servers and clients
Balanced
Excess
Shortage

Auction results of the proposed approach
ure 4.4. Optimization results of the proposed approach

0
100
200
300
400
500
600
700
0 1 2 3 4 5 6 7 8 9 10
VolumeofPackets
Simulation Time
Benign Packets
After Defense
Before Defense
Volume of Packets vs Simulation Time for Benign Packets

Volume of Packets vs Simulation Time for Malicious Packets
0
100
200
300
400
500
600
700
800
900
1000
1 2 3 4 5 6 7 8 9 10
VolumeofPackets
Simulation Time
Malicious Packets
After Defense
Before Defense

Conclusions
• This method authenticates and permits only the authoritative clients to gain access to the services offered by the
server using client puzzles as Proof-of-Work (PoW).
• This volume based activation of defense scheme ensures the design goal of on-demand mitigation.
• The proposed resource allocation mechanism distributes the free cache resource fairly, efficiently and with
incentives to participate in collaborative defense mechanism.
• Whale optimization algorithm finds out the cache servers in best position to help and makes the allocation optimal.
• Continuous double auction scheme ensures fair collaboration by allowing the both victim server and helping servers
to offers bids.

Future Scope
• Our future work will be focused on testing the proposed approach in the
real-time environment, as well with more attack scenarios.
• The research problem of helping servers allowing others to use their
machine in DDoS defense for money is an interesting part to investigate.

1. Prachi Gulihar and B.B. Gupta, “Anomaly based Mitigation of Volumetric DDoS Attack Using Client Puzzle as
Proof-of-Work” in the Proceedings of IEEE 3rd International Conference on Recent Trends in Electronics,
Information & Communication Technology (RTEICT), Bangalore, May 2018.
2. Prachi Gulihar and B.B. Gupta, “Cooperative Mitigation of DDoS Attacks Using an Optimized Auction Scheme
on Cache Servers” in the Proceedings of the 2nd International Conference on Advanced Informatics for Computing
Research (ICAICR), Springer, Shimla, July 2018.
3. Prachi Gulihar and B.B. Gupta, “Taxonomy of Payment Structures and Economic Incentive Schemes in
Internet” in the Journal of Information Technology Research (JITR), 2019.
4. Prachi Gulihar and B.B. Gupta, “Classification of Cooperative Distributed Denial of Service Defense (DDoS)
Schemes” in the Handbook of Computer Networks and Cyber Security (CNCS): Principles and Paradigms,
Multimedia Systems and Applications, Springer, 2019.
List of Publications

References
[1] Gupta, B. B., Joshi, R. C., &Misra, M. (2009). Defending against distributed denial of service attacks: issues and challenges. Information Security
Journal: A Global Perspective, 18(5), 224-247.
[2] Khor, S. H.. “Deployable Mechanisms for Distributed Denial-of-Service (DDoS) Attack Mitigation” , 2010.
[3] Kumarasamy, Saravanan, and R. Asokan. "Distributed Denial of Service (DDoS) Attacks Detection Mechanism." arXiv preprint
arXiv:1201.2007 , 2012.
[4] Wu, Yongdong, et al. "Software puzzle: A countermeasure to resource-inflated denial-of-service attacks." IEEE Transactions on Information
forensics and security 10.1, 2015: 168-177.
[5] Boyd, Colin, and Christopher Carr. "Fair client puzzles from the bitcoin blockchain." Australasian Conference on Information Security and
Privacy. Springer, Cham, 2016.
[6] Wu, Y., Zhao, Z., Bao, F., & Deng, R. H. (2015). Software puzzle: A countermeasure to resource-inflated denial-of-service attacks. IEEE
Transactions on Information forensics and security, 10(1), 168-177.
[7] Rodrigues, B., Bocek, T., & Stiller, B. (2017). Enabling a Cooperative, Multi-domain DDoS Defense by a Blockchain Signaling System
(BloSS). Semantic Scholar.
[8] Waters, Brent, et al. "New client puzzle outsourcing techniques for DoS resistance." Proceedings of the 11th ACM conference on Computer and
communications security. ACM, 2004.

[9] Fallah, M. (2010). A puzzle-based defense strategy against flooding attacks using game theory. IEEE transactions on dependable and secure
computing, 7(1), 5-19.
[10] Kuppusamy, Lakshmi, et al. "Practical client puzzles in the standard model." Proceedings of the 7th ACM Symposium on Information,
Computer and Communications Security. ACM, 2012
[11] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling high bandwidth aggregates in the network,
presented at Computer Communication Review, pp.62-73, 2002.
[12] S. Kandula, D. Katabi, M. Jacob, and A. W. BergerBotz-4-sale: Surviving organized ddos attacks that mimic flash crowds, in Proc. Of
Symposium on Networked Systems Design and Implementation (NSDI), Boston, May 2005.
[13] J. Mirkovic, P. Reiher, and M. Robinson, Forming Alliance for DDoS Defense, in Proc. of New Security Paradigms Workshop, Centro
Stefano Francini, Ascona, Switzerland, 2003.
[14] B. K. Szymanski, "Auction as a Dynamic Pricing Mechanism for E-Services", Service Enterprise Integration, Chapter 5, Edited by Cheng
Hsu, Springer Science and Business Media, LLC, New York, 2006.
[15] Kalkan, K., &Alagöz, F. (2016). A distributed filtering mechanism against DDoS attacks: ScoreForCore. Computer Networks, 108, 199-209.
[16] Shuai, C., Jiang, J., & Ouyang, X. (2012). A lightweight cooperative detection framework of DDoS/DoS attacks based on counting bloom
filter. Journal of Theoretical & Applied Information Technology, 45(1).
References (Contd.)

References (Contd.)
[17] Fortier, D., Spradlin, J. C., Sigroha, P., & Fulton, A. (2014). U.S. Patent No. 8,909,751. Washington, DC: U.S. Patent and
Trademark Office
[18] Mirjalili, S., & Lewis, A. (2016). The whale optimization algorithm. Advances in Engineering Software, 95-100.
[19] Jang, M. W. (2004). The actor architecture manual. Department of Computer Science, University of Illinois at Urbana-Champaign.
[20] A. Iosup, H. Li, M. Jan, S. Anoep, C. Dumitrescu, L. Wolters, and D. H. J. Epem (2008). “The grid workloads archive,” FGCS,
vol. 24, no. 7, pp. 672–686.
[21] Fallah, Mehran. "A puzzle-based defense strategy against flooding attacks using game theory." IEEE transactions on dependable
and secure computing 7.1 , 2010: 5-19.
[22] Fujiwara, I. (2012). Study on combinatorial auction mechanism for resource allocation in cloud computing
[23] Britton T., Liu-Johnston I., Cugnière I., Gupta S., Rodriguez D., Barbier J., & Tricaud, S. Analysis of 24 Hours Internet Attacks.
environment.

Thank You for
Your Attention!
Q/A

Master's Thesis

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Master's Thesis

Similar to Master's Thesis (20)

More from G Prachi

More from G Prachi (20)

Recently uploaded

Recently uploaded (20)

Master's Thesis