Protecting DDoS Attacks with SOA and Forensic Analysis
A Solution for Protecting Distributed Denial of Service Mechanism
Introduction
Structure of Proposed System
Implementation
Analysis and Discussion
Conclusion
Security in Internet systems has become increasingly important in recent years. Distributed Denial of Service (DDoS) attacks are mounted by cyber criminals to extort money from online businesses. A DDoS attack normally targets a particular service provider in order to exhaust the provider's network and system resources.
By scale, attacks are divided into large-scale and medium-scale attacks. Large-scale attacks are increasingly taken care of by the Internet Service Provider (ISP), whereas a medium-scale attack is in general not handled by the ISP. As a result, the victim of the attack is left to deal with it on its own. This paper proposes a start of authority and forensic analysis approach to build a system against Distributed Denial of Service attacks targeting online businesses (medium-scale attacks).
1. Introduction
A Denial of Service (DoS) attack is an attempt to make a computer resource (e.g. the network bandwidth, CPU time, etc.) unavailable to its intended users. To obtain the necessary network and CPU resources, attackers tend to use a large number of machines to launch Distributed Denial of Service (DDoS) attacks.
According to the scale of the attacks, DDoS attacks can be classified into large-scale and medium-scale attacks. A large-scale attack causes widespread damage and affects a large portion of the network. The ISP operators can observe the effect of a large-scale attack.
Many countermeasures exist for defending against Distributed Denial of Service (DDoS) attacks. In [3], a router-based security mechanism is used to defend against DDoS attacks: when a router is congested, it simply drops packets. In [4], the security mechanism has to check every IP packet, so the access speed is reduced.
approach is not feasible. In [10], cooperative filtering and cooperative traffic smoothing by caching are shown to be quite effective against DDoS attacks; the backbone ISP has to cooperate with the regional ISPs in order to avoid DDoS attacks.
In [9], the Internet server infers the hop count from the time-to-live (TTL) field of the IP header. Using a mapping between IP addresses and their hop counts, the server can distinguish spoofed IP packets from legitimate ones.
In a medium-scale attack, only a few servers or data centers are affected, so the ISP operators might not be able to observe such an attack. The ISP operators pay less attention to medium-scale attacks, as the effects of such attacks are not obvious to them. As a result, the victims have to undertake the task of defending their servers against DDoS attacks themselves.
However, small or medium-sized businesses might not have the expertise to interpret and utilize the data generated by the defence tools. In this project, a scheme for countering DDoS attacks is proposed. The scheme is based on the SOA and forensic analysis approach. It is intended to help small and medium-sized web service providers cope with medium-scale Cyber Slam attacks that are not observed by the ISP operators.
2. Preliminaries
The purpose of a security mechanism against Distributed Denial of Service (DDoS) attacks is to protect bandwidth, CPU time and processing speed from malicious users. The preliminary knowledge of secret shared key cryptography, message digests, digital signatures and forensic analysis that relates to this study is reviewed in this section.
2.1. Shared Key Cryptography
Symmetric key cryptography uses a single key for both encryption and decryption. Because the sender and the receiver must both know the same key, it is also referred to as "shared key" cryptography. In addition, the key must be known only to the sender (operation provider) and the receiver (clients) to maintain integrity, so it is sometimes referred to as "secret key" cryptography.
Figure 1: Shared key concept
2.2. Message Digest
The SHA hash functions are five cryptographic hash functions designed by the National Security Agency (NSA) and published by NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. Hash algorithms compute a fixed-length digital representation (known as a message digest) of an input data sequence (the message) of any length. They are called "secure" when, in the words of the standard, "it is computationally infeasible to:
find a message that corresponds to a given message digest, or
find two different messages that produce the same message digest.
Any changes to a message will, with a very high probability, result in a different message digest." The latter four variants are sometimes collectively referred to as SHA-2. SHA-1 produces a message digest that is 160 bits long.
2.3. Digital Signature Standard
DSS stands for Digital Signature Standard. The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in 1996. In 2000, an expanded version of the standard was issued as a new FIPS revision. The latest version also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.
The DSS uses an algorithm that is designed to provide only the digital signature function. The DSS approach also makes use of hash functions: the hash code is provided as input to a signature function, along with a random number k generated for this particular signature.
2.4. Forensic Analysis
Digital forensics is a branch of forensic science concerned with the use of digital information (produced, stored and transmitted by computers) as a source of evidence in investigations and legal proceedings. The investigative process of digital forensics is divided into two stages here:
Examination: the examination stage consists of an in-depth, systematic search for evidence relating to the incident being investigated. The outputs of examination are data objects found in the collected information; they may include log files, data files containing specific phrases, timestamps, and so on.
Analysis: the aim of analysis is to draw conclusions based on the evidence found.
2.5. Decision Making Algorithm
Requests coming from clients or attackers are processed by the operation provider. In some situations, based on time consumption, bandwidth utilization and processing speed, the operation provider decides to ask the authenticator to authenticate the current client or attacker request.
Advantages of the proposed algorithm
Reduction of false positives: in this proposal a valid user may not be identified as an attacker.
Reduction of false negatives: the reduction of false negatives is achieved because an attacker may not be admitted as a valid user.
Strong security: strong security is achieved with the help of the online and offline authentication and verification system.
Performance: the proposed system gives more security while remaining effective, by applying the message digest and digital signature algorithms simultaneously.
3. Structure of the proposed system
The proposed system provides a higher level of data security than the existing system by enforcing both message digest and digital signature encryption to avoid DDoS attacks. The design, as shown in Figure 2, consists of the following modules: clients / attacker, Service Hub, operation provider with decision making, authenticator with forensic analysis, and shared key generator. The details of each module follow.
Figure 2: Design diagram
3.1. Client / Attacker
The client must first register. After registration the client gets a shared key assigned by the operation provider. A client's request operations consist of queries and images. The operation provider carries out the query or image request in normal mode. In the case of a suspected client / attacker request, the authenticator sends a challenge to the client / attacker to validate it with the help of the message digest and digital signature concepts.
An attacker may sniff a request and obtain the IP address, and then impersonate the valid user by using the victim client's IP address. Using the victim client's IP address, the attacker generates many copies of the same query / image, or different queries, and sends them as requests to the operation provider.
3.2. Service Hub
The Service Hub module receives requests and sends responses between the clients, the operation provider and the authenticator. In the case of multiple requests from clients, the details are stored in a queue:
Client request / response
Operation provider request / response
Authenticator details
3.3. Operation Provider with Decision Making
The operation provider module consists of query processing and image response.
The operation provider decides whether a request came from a client or an attacker based on the decision-making rule set.
Decision making rules (if-then rules)
1. If requests from a client / attacker repeat the same query, then call the Authenticator.
2. If requests from a client / attacker repeat different queries, then call the Authenticator.
3. If requests from clients / attackers carry the same query from different environments, then call the Authenticator.
4. If a request from a client / attacker has a large size, then call the Authenticator.
5. If requests from clients / attackers carry the same image from different environments, then call the Authenticator.
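The five rules above, implemented as an added example (not the paper's C# code) and run over constructed request traffic; the thresholds, the time window and the request fields are assumptions, since the paper states the rules without numbers:

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed thresholds: the paper states the rules but gives no numbers.
REPEAT_LIMIT = 3        # queries from one client in the window before rule 1 or 2 fires
NODE_LIMIT = 3          # distinct client environments sending the same query or image
LARGE_SIZE = 1_000_000  # bytes above which a request counts as "large" (rule 4)
WINDOW = 10.0           # seconds of history the operation provider keeps
@dataclass
class Request:
    client_ip: str   # source address of the request (an attacker may spoof a victim's)
    kind: str        # "query" or "image"
    payload: str     # query text or image name
    size: int        # bytes the request would cost to serve
    time: float      # arrival time in seconds
def _prune(dq, now):
    # drop requests older than the window from the left of a deque
    while dq and now - dq[0].time > WINDOW:
        dq.popleft()
class OperationProvider:
    def __init__(self):
        self.by_client = defaultdict(deque)   # client_ip -> recent requests
        self.by_payload = defaultdict(deque)  # (kind, payload) -> recent requests

    def decide(self, req):
        """Return ('process', None) or ('call_authenticator', rule_number)."""
        recent = self.by_client[req.client_ip]
        same_payload = self.by_payload[(req.kind, req.payload)]
        recent.append(req)
        same_payload.append(req)
        _prune(recent, req.time)
        _prune(same_payload, req.time)
        if req.size > LARGE_SIZE:                            # rule 4: large request
            return ("call_authenticator", 4)
        queries = [r for r in recent if r.kind == "query"]
        if req.kind == "query":
            if sum(r.payload == req.payload for r in queries) >= REPEAT_LIMIT:
                return ("call_authenticator", 1)             # rule 1: same query repeated
            if len({r.payload for r in queries}) >= REPEAT_LIMIT:
                return ("call_authenticator", 2)             # rule 2: different queries repeated
        if len({r.client_ip for r in same_payload}) >= NODE_LIMIT:
            # rule 3 (query) / rule 5 (image): same request from different environments
            return ("call_authenticator", 3 if req.kind == "query" else 5)
        return ("process", None)

def run_sample():
    """Constructed traffic exercising each rule; returns one decision per request."""
    op = OperationProvider()
    sample = [
        Request("10.0.0.1", "query", "SELECT price", 200, 0.0),
        Request("10.0.0.1", "query", "SELECT price", 200, 1.0),
        Request("10.0.0.1", "query", "SELECT price", 200, 2.0),        # rule 1
        Request("10.0.0.2", "image", "catalogue.png", 5_000_000, 3.0),  # rule 4
        Request("10.0.0.3", "image", "logo.png", 40_000, 4.0),
        Request("10.0.0.4", "image", "logo.png", 40_000, 5.0),
        Request("10.0.0.5", "image", "logo.png", 40_000, 6.0),          # rule 5
        Request("10.0.0.9", "query", "q1", 100, 7.0),
        Request("10.0.0.9", "query", "q2", 100, 8.0),
        Request("10.0.0.9", "query", "q3", 100, 9.0),                   # rule 2
    ]
    return [op.decide(r) for r in sample]
```

Rule 4 is checked first because an oversized request is suspicious on its own, whereas rules 1, 2, 3 and 5 only fire once enough history has accumulated in the window.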
3.4. Authenticator (online) with Forensic Analysis (offline)
The Authenticator module consists of message digest, digital signature and victim IP address searching in the log file.
Message digest: the message digest is computed with the SHA-1 algorithm with 128-bit operation. The fields to be digested are:
ID of authenticator
Sequence number
Current time
Message
Digital signature: the digital signature is created by encrypting the message digest (DSS) with the corresponding shared key of the victim (client).
Forensic analysis: the forensic analysis module consists of a log file stored in a database. It is used for offline authentication. In most cases the same attacker uses the victim's IP address and carries out the denial of service from different environments.
3.5. Shared Key Generation
The shared key generator module generates a prime number of more than 10 digits and assigns it to a valid client at registration time. The prime number is generated with the help of a pseudo-random generator algorithm.
4. Implementation
The implementation of the proposed system was done in the C# language. We take the client input, and the request passes through the Service Hub to the operation provider. After the operation provider has processed the request, the result is sent back to the client. The proposed system is implemented by modes of operation. The following explains the implementation of the proposed system.
Normal mode: when the operation provider does not detect any attack activity, i.e. the operations provider's system resources can cope with the service requests, the system works in normal mode.
1. Service requests are first sent to the ServiceHub.
2. The ServiceHub forwards the requests to the operations provider.
3. The operations provider sends the results back to the client through the ServiceHub.
Under-attack mode: the operations provider decides which mode the system works in. The authenticators offer their services through their own ServiceHubs. The operations provider and the authenticators provide their services through their ServiceHubs, and they send and receive messages through them. Only their ServiceHubs know their locations, so they cannot exchange messages directly.
In the under-attack mode, the operations provider informs its ServiceHub of the authentication services. The ServiceHub forwards the service requests to the ServiceHubs of the respective authenticators. During the authentication process, the authenticators might need to exchange further messages relating to authentication information with the clients. The authenticator calls the forensic analysis method to verify the signature.
If the client signature already exists in the attacker signature record, the authenticator drops the request; otherwise the authenticator calls the security algorithm routine to run the validation process. If a service request is authenticated successfully, the authenticator sends the request to the operations provider through their respective ServiceHubs. After processing the request, the operations provider sends the result back to the client through its ServiceHub.
5. Analysis and discussion
The proposed defence against Distributed Denial of Service (DDoS) with start of authority and forensic analysis was implemented, and results were obtained for query request and image download events. Since these cryptosystems use a shared key, a cryptanalyst or attacker can neither recover the secret key from the authenticator's digital signature nor guess the exact key for the attacker's own digital signature.
To show the feasibility of our DDoS security mechanism, we analyze its robustness under the following two types of medium-scale attack: repeated query requests from the same node or from different nodes, and downloading a large image file from the same node or from a distributed environment. Under these attacks, illegal users are assumed to be able to intercept the operation provider's traffic on the network, but not to have the shared key that the authenticator uses to verify the identity of the user node. Because the attacker does not have the shared key, the authenticator drops the request coming from the attacker node. The following scenario describes the authentication mechanism.
Initial stage: the client and the operation provider have agreed on a shared key KEYclient-provider to encrypt the authentication information.
Authentication validation: the authenticator can decrypt the client's authentication information only if the client used the shared key KEYclient-provider, so possession of the shared key is proof of the client's identity.
Challenge string: if no authentication information is attached to the request, a challenge string is sent from the authenticator to the client. The challenge string consists of the ID of the authenticator (ID), a sequence number (SEQ-NUM), the creation time (C-TIME) and the digital signature of the authenticator SIGauthenticator.
Message digest: a one-way hash function is used to obtain the message digest, which is the hash of the concatenation of ID, SEQ-NUM and C-TIME. The digital signature is obtained by encrypting the message digest with KEYprovider, which is known only to the authenticator and the provider.
The authenticator's IP address is not known to the client or attacker. The ID in the challenge string is assigned by the operation provider, so the attacker cannot infer the IP address from the ID. The operations provider informs the authenticator of its ID and KEYprovider when the operations provider switches to the under-attack mode.
Digital signature: when a request is received by an authenticator, the authenticator first checks whether the request has an authentication token attached. If it does not, the authenticator sends a challenge string back to the sender of the request. If the authentication token exists in the request, the authenticator
(a) uses KEYprovider to decrypt SIGauthenticator, obtaining (SIGauthenticator)^-1 · KEYprovider;
(b) uses KEYclient-provider to decrypt SIGclient, obtaining (SIGclient)^-1 · KEYclient-provider.
The authenticator then computes the digest of the concatenation of ID, SEQ-NUM and C-TIME. If the values obtained in (a) and (b) do not match this digest, the request fails the authentication check; otherwise the client is authenticated.
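The challenge string, digest and signature checks of this section, together with the under-attack mode flow of Section 4 (challenge when no token is attached, forensic record lookup, then the keyed checks), as an added example that is not the paper's implementation. It assumes that "encrypting the digest with a shared key" is realised as a keyed SHA-1 MAC (HMAC), since the paper names no cipher; the IDs, keys and request fields are constructed:

```python
import hashlib
import hmac
import time

# Assumption: the paper says the digest is "encrypted with the shared key" but names no
# cipher; this example models that step as HMAC-SHA1 keyed with the shared key.

def message_digest(auth_id, seq_num, c_time):
    """Digest of the concatenation ID || SEQ-NUM || C-TIME (SHA-1, as in the paper)."""
    return hashlib.sha1(f"{auth_id}|{seq_num}|{c_time}".encode()).digest()

def keyed_signature(shared_key, digest):
    """SIG: the digest bound to a shared key; only key holders can produce or verify it."""
    return hmac.new(shared_key, digest, hashlib.sha1).hexdigest()

class Authenticator:
    def __init__(self, auth_id, key_provider, client_keys, attacker_record):
        self.auth_id = auth_id                  # ID assigned by the operations provider
        self.key_provider = key_provider        # KEYprovider (authenticator and provider only)
        self.client_keys = client_keys          # client -> KEYclient-provider from registration
        self.attacker_record = attacker_record  # forensic log: signatures seen in attacks
        self.seq_num = 0

    def challenge(self, now=None):
        """Challenge string: ID, SEQ-NUM, C-TIME and SIGauthenticator."""
        self.seq_num += 1
        c_time = int(now if now is not None else time.time())
        digest = message_digest(self.auth_id, self.seq_num, c_time)
        return {"ID": self.auth_id, "SEQ_NUM": self.seq_num, "C_TIME": c_time,
                "SIG_AUTH": keyed_signature(self.key_provider, digest)}

    def handle(self, request):
        """Return ('challenge', string), ('authenticated', None) or ('drop', None)."""
        token = request.get("token")
        if token is None:                                   # no token: send a challenge
            return ("challenge", self.challenge())
        if token["SIG_CLIENT"] in self.attacker_record:     # offline forensic record hit
            return ("drop", None)
        key_cp = self.client_keys.get(request["client"])
        if key_cp is None:                                  # never registered: no shared key
            return ("drop", None)
        digest = message_digest(token["ID"], token["SEQ_NUM"], token["C_TIME"])
        auth_ok = hmac.compare_digest(token["SIG_AUTH"],
                                      keyed_signature(self.key_provider, digest))
        client_ok = hmac.compare_digest(token["SIG_CLIENT"], keyed_signature(key_cp, digest))
        return ("authenticated", None) if auth_ok and client_ok else ("drop", None)

def client_response(challenge, key_client_provider, client):
    """Client side: add its own signature over the same digest to the challenge fields."""
    digest = message_digest(challenge["ID"], challenge["SEQ_NUM"], challenge["C_TIME"])
    token = dict(challenge, SIG_CLIENT=keyed_signature(key_client_provider, digest))
    return {"client": client, "token": token}
```

A sender that spoofs a registered client's address but lacks KEYclient-provider cannot produce a matching SIG_CLIENT, and any change to ID, SEQ-NUM or C-TIME invalidates SIG_AUTH, so both checks must pass before the request is forwarded to the operations provider.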
6. Conclusion
The proposed system increases the efficiency and security of the data by using message digest, digital signature, decision making algorithm and forensic analysis concepts. In addition, a strong encryption technique is adopted in the proposed system by providing a shared key in the authentication process. False positives and false negatives can be reduced many times over through offline and online authentication. We can also achieve more security against medium-scale DDoS attacks than the existing system. The proposed system provides a better way to detect DDoS attacks over the network with high security, and it also helps to utilize bandwidth and processing time effectively.
7. References
[1] B. Schneier, "Applied Cryptography", Second Edition, John Wiley & Sons, 1996.
[2] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", IETF RFC 3280.
[3] J. Ioannidis and S. M. Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks", Proc. of Network and Distributed System Security Symposium, 2002.
[4] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent and W. T. Strayer, "Single-Packet IP Traceback", IEEE/ACM Transactions on Networking (TON), Vol. 10, Issue 6, 2002, pp. 721-734.
[5] T. Anderson, T. Roscoe, and D. Wetherall, "Preventing Internet Denial-of-Service with Capabilities", in Proc. of HotNets-II, Cambridge, MA, Nov. 2003.
[6] Srinivas Mukkamala, Andrew H. Sung, "Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques", International Journal of Digital Evidence, Vol. 1, Issue 4, 2003.
[7] M. Brambilla, S. Ceri, M. Passamani, A. Riccio, "Managing Asynchronous Web Services Interactions", Proc. of the IEEE Intl. Conf. on Web Services, 2004.
[8] E. Kohler, "Denial of Service Defense in Practice and Theory", USENIX '05, http://www.usenix.org/event/usenix05/tech/slides/kohler.pdf.
[9] Haining Wang, Cheng Jin, Kang G. Shin, "Defense Against Spoofed IP Traffic Using Hop-Count Filtering", IEEE/ACM Transactions on Networking, Vol. 15, No. 1, Feb. 2007.
[10] Yun Huang, Xianjun Geng, Andrew B. Whinston, "Defeating DDoS Attacks by Fixing the Incentive Chain", ACM Transactions on Internet Technology, Vol. 7, No. 1, Feb. 2007.
[11] Daniel S. Yeung, Shuyuan Jin, Xinhao Wang, "Covariance-Matrix Modeling and Detecting Various Flooding Attacks", IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans, Vol. 37, No. 2, March 2007.
[12] Ruiliang Chen, Jung-Min Park, Randolph Marchany, "A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks", IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 5, May 2007.
[13] Xinfeng Ye, Santokh Singh, "A SOA Approach to Counter DDoS Attacks", in Proc. of the 2007 IEEE International Conference on Web Services (ICWS 2007), pp. 567-574, 9-13 July 2007.
[14] http://soasecurity-jw.blogspot.com/2007/02/soa-security-and-denial-of-service.html