
  • 8/7/2019 seminar doc reference

    1/25

    Efficiency of using Mobile Agents to trace Multiple Sources of Attack

    A Seminar Report Submitted to

    JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY, ANANTAPUR.

    In Partial Fulfillment of the Requirements for the Award of the degree of

    MASTER OF TECHNOLOGY

    IN

    COMPUTER SCIENCE

    RUFUS CHAKRAVARTHY SHARMA (09121D0516)

    Under the guidance of:

    Mr. K. Munivara Prasad, M.E., (Ph.D),

    Assistant Professor (SL),

    Dept of CSE, SVEC.

    Under the supervision of:

    Prof. K. Delhi Babu, M.S.,(Ph.D)

    Head of the Department,

    Dept of CSE, SVEC.

    SREE VIDYANIKETHAN ENGINEERING COLLEGE

    (Affiliated to JNTUA, ANANTAPUR)

    Sree Sainath Nagar, Tirupathi 517 102

    2009-2011


    DECLARATION

    I hereby declare that this project report titled "Efficiency of using Mobile Agents to trace Multiple Sources of Attack" is a genuine seminar work carried out by me, in the M.Tech (Computer Science) degree course of JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY, ANANTAPUR, and has not been submitted to any other course or University for the award of any degree by me.

    Signature of the Student

    (RUFUS CHAKRAVARTHY SHARMA)


    ACKNOWLEDGEMENT

    Before getting into the thick of things, I would like to thank the personalities who were part of my seminar work in numerous ways, those who gave me outstanding support from the birth of this seminar work.

    I sincerely thank PADMASRI Dr. M. Mohan Babu, Chairman, Dr. V. Sreenivasulu, Director, and Dr. P. C. Krishnamachary, Principal, for providing the necessary infrastructure and resources for the accomplishment of my seminar at Sree Vidyanikethan Engineering College, Tirupati.

    I hereby wish to express our deep sense of gratitude to Prof. K. Delhi Babu, Head of the CSE department, and Mr. K. Munivara Prasad, M.E., (Ph.D), Assistant Professor (SL), CSE department; without their cooperation, help, suggestions and involvement we would not have been able to complete this seminar successfully. We are very much grateful to all the faculty members of the CSE department for their value-based imparting of the theory and practical subjects, which we have put to use in our project work. We also thank the members of the non-teaching staff for their cooperation and timely help.

    Finally, I would like to take this opportunity to specially thank our parents for their kind help, encouragement and moral support. Last, but not the least, I would like to thank all our friends who extended their help either directly or indirectly in my seminar work.

    RUFUS CHAKRAVARTHY SHARMA


    ABSTRACT

    Recently, network resources have become extremely vulnerable to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, which have become a pressing problem because there is no efficient method to locate the real attacker. As network topologies become more advanced and complex, IP traceback becomes difficult but necessary. For protection against DoS/DDoS even partial information about the attack path is useful, as it allows such attacks to be throttled at a distant router. Existing traceback mechanisms have serious drawbacks such as high false-positive rates, enormous storage requirements at routers, and heavy additional network traffic. We therefore make use of mobile agents for real-time traceback of multiple attack sources. The mobile agent traceback scheme presented in [2] and the improvement proposed in this paper are not only efficient compared to other existing schemes but also flexible, autonomous, lightweight and protocol-independent, which makes them particularly suitable for the Internet's variety of network topologies and protocols.


    CONTENTS

    1. INTRODUCTION

    2. EXISTING SYSTEM

    3. PROPOSED SYSTEM

    4. DESIGN

    5. APPLICATIONS

    6. CONCLUSION

    7. REFERENCES


    1. INTRODUCTION

    Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are among the top threats to the Internet infrastructure [1]. DoS and DDoS attacks may quickly incapacitate a targeted business, causing loss of revenue and productivity. Furthermore, such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult to trace. In the past several years, DoS and DDoS attacks have increased in frequency, severity and sophistication [1]. Mechanisms for protecting against DoS/DDoS have focused on tolerating attacks by mitigating their effects on the victim. This approach can provide an effective stop-gap measure, but it neither eliminates the problem nor discourages attackers. It would therefore be more efficient to apply network forensics to track down the source of these attacks, ideally stopping the attacker at the source.

    IP traceback is a network forensic mechanism that enables victims, administrators or forensic investigators to trace attacks back to their origins. IP traceback is required because in most cases the source address in the attack packet is not the real source of the attack: attackers typically use spoofed IP addresses to cover their trail. Real-time source identification of a DoS/DDoS attack helps both to stop the attack and to identify the attackers, so that firewalls can be configured to block packets from such sources in the future. In [2], we proposed the use of mobile agents for real-time IP traceback of the source of attack. In this paper we investigate the efficiency of using mobile agents for tracing multiple sources of attack.


    2. EXISTING SCHEMES

    Figure 1 depicts the attack traceback problem for multiple sources of attack, which corresponds to a tree of linked lists rooted at the victim (V), where each leaf represents a linked-list end point. Every node on the network can be a potential attack origin (A) and every router an internal node along a path between some node and the target. The attack path from node Ai is the unique ordered list of routers between node Ai and the victim computer. For example, the attack path for an attack originating from node Aj is Routerj1, Routerj2, Routerj3, as shown in Figure 1.

    Fig. 1. An instance of a multiple-source attack.

    A. Link Testing

    Link testing (sometimes referred to as hop-by-hop tracing) is the basic approach to real-time traceback of the source of an attack. Once the attack has been recognized, the operator must, starting from the router closest to the victim, manually test its upstream links to other routers until it is determined which link carries the attacker's traffic. Ideally, this procedure is repeated recursively on the upstream router until the source is reached. ISP support is required. Link testing is a reactive method and requires the attack to remain active until the trace is completed. One implementation of link testing is input debugging [3], whereby administrators determine the incoming network links for specific packets. If the router operator knows the attack traffic's specific characteristics (called the attack signature), then it is possible to determine the incoming network link on the router. The ISP must then apply the same process to the upstream router connected to that network link, and so on, until the traffic's source is identified or until the trace leaves the current ISP's border. In the latter case, the administrator must contact the upstream ISP to continue the tracing process. This technique's most severe drawback is the substantial management overhead in communicating and coordinating efforts across multiple network boundaries and ISPs. It requires time and personnel on both the victim's and the ISP's side, and there is no direct economic incentive for ISPs to provide such assistance. DDoS attacks compound this problem because attack traffic could originate from machines under the jurisdiction of many separate ISPs, so this technique is less suitable for distributed denial-of-service attacks.

    Another technique that falls into the link-testing category is controlled flooding [4]. This technique works by generating a burst of network traffic from the victim's network to the upstream network segments and observing how this intentionally generated flood affects the attack traffic's intensity. This approach is possible only during ongoing attacks. Using a map of the known Internet topology around the victim, these packet floods are targeted specifically at certain hosts upstream from the victim's network; they iteratively flood each incoming network link on the routers closest to the victim's network. From changes in the attack traffic's frequency and intensity, the victim can deduce the incoming network link on the upstream router and repeat the same process on the router one level above. The most significant problem with controlled flooding is that the technique itself is a sort of DoS attack, which can disrupt legitimate traffic on the unsuspecting upstream routers and networks. This, of course, makes it unsuitable for widespread routine usage on the Internet. Also, it cannot find the paths when the attack traffic comes from many links, so it is not suitable for tracing DDoS attacks.

    B. Logging

    Another category of IP traceback employs logging at routers, which store information about forwarded packets. The victim of an attack can query a specific router to find out whether that router forwarded a specific packet; the router checks its log to find whether the packet was routed by it. Here traceback is carried out after the attack has taken place. Instead of storing the whole packet, hash-based IP traceback [5, 6] suggests that only a hash digest of the packet's relevant invariant portions be stored in an efficient memory structure called a Bloom filter. Still, this approach is limited in practice due to the resource-intensive requirements in terms of processing and storage. It also takes time to query all the different routers and for the routers to analyze the logged data. Recent work has focused on improving this technique, for example by reducing the amount of storage capacity required. Thus packet logging schemes are also not suitable for tracing multiple sources of attack, as is the case with DDoS.
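    As an added illustration of the logging approach (example code written for this page, not code from the report or from [5, 6]): each router stores, in a Bloom filter, a digest of only the invariant portion of every forwarded packet, and a victim holding a captured attack packet asks each router whether its filter contains that digest. The packet layout, the 8192-bit/4-hash filter size and the constructed sample packets are assumptions for illustration. The fields masked before hashing (ToS, TTL, header checksum) are the ones a router rewrites, which is why a digest computed at the victim still matches the digest stored two hops upstream even though the TTL differs. The Bloom filter's error is one-sided: a "no" is definite, a "yes" may be a false positive, which is the false-positive problem the abstract raises.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Bloom filter size and hash count are illustrative assumptions, not values
# from the report or from [5, 6].
BLOOM_BITS = 8192
BLOOM_HASHES = 4


def invariant_portion(ip_packet: bytes) -> bytes:
    """Return the bytes of an IPv4 packet that do not change hop by hop.

    The header is taken as the first 20 bytes (no options). ToS (offset 1),
    TTL (offset 8) and the header checksum (offsets 10-11) are zeroed because
    routers rewrite them; the first 8 payload bytes are appended so that two
    packets differing only in payload get different digests.
    """
    if len(ip_packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    hdr = bytearray(ip_packet[:20])
    hdr[1] = 0
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr) + ip_packet[20:28]


def packet_digests(ip_packet: bytes) -> list:
    """k bit positions, each taken from a different 32-bit word of one SHA-256 digest."""
    h = hashlib.sha256(invariant_portion(ip_packet)).digest()
    return [struct.unpack_from(">I", h, 4 * i)[0] % BLOOM_BITS for i in range(BLOOM_HASHES)]


@dataclass
class RouterLog:
    """A router's packet log reduced to a Bloom filter: a 'no' answer is
    definite, a 'yes' may be a false positive."""
    bits: bytearray = field(default_factory=lambda: bytearray(BLOOM_BITS // 8))

    def record(self, ip_packet: bytes) -> None:
        for pos in packet_digests(ip_packet):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def may_have_forwarded(self, ip_packet: bytes) -> bool:
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in packet_digests(ip_packet))


def build_ipv4(src: str, dst: str, ttl: int, ident: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (protocol UDP, checksum left zero) for the example; never sent."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 17, 0, addr(src), addr(dst))
    return hdr + payload


def trace_query(routers: dict, captured: bytes) -> list:
    """The victim's query: which routers' logs say they may have forwarded the packet."""
    return [name for name, log in routers.items() if log.may_have_forwarded(captured)]


def demo():
    """Constructed traffic: one attack packet logged at R1 (TTL 62) and R2 (TTL 61),
    unrelated background traffic logged at R3, and the same attack packet captured
    at the victim with TTL 60. Returns (matching routers, digests identical?)."""
    attack_at_r1 = build_ipv4("10.0.0.5", "192.0.2.10", 62, 0x1234, b"ATTACK-PAYLOAD")
    attack_at_r2 = build_ipv4("10.0.0.5", "192.0.2.10", 61, 0x1234, b"ATTACK-PAYLOAD")
    background = build_ipv4("10.0.1.9", "192.0.2.10", 60, 0x0001, b"hello-world-bg")
    routers = {"R1": RouterLog(), "R2": RouterLog(), "R3": RouterLog()}
    routers["R1"].record(attack_at_r1)
    routers["R2"].record(attack_at_r2)
    routers["R3"].record(background)
    captured = build_ipv4("10.0.0.5", "192.0.2.10", 60, 0x1234, b"ATTACK-PAYLOAD")
    return trace_query(routers, captured), packet_digests(attack_at_r1) == packet_digests(captured)
```

    Calling demo() returns the routers whose logs match the captured packet (R1 and R2, not R3) together with a confirmation that the digest computed at the victim equals the one stored at R1 despite the TTL having been decremented twice in between. The storage cost the text mentions is visible in the numbers: one filter of this size holds only a few hundred packets before false positives become likely, and a real router would need a fresh filter every few seconds.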

    C. ICMP Traceback

    The principal idea behind the ICMP traceback scheme is for every router to sample, with low probability (e.g., 1/20,000, to limit additional network traffic), one of the packets it is forwarding and copy its contents into a special ICMP traceback message (called an iTrace), which includes information about the adjacent routers (IP and MAC addresses) along the path to the destination. During a flooding-style attack, the victim host receives enough iTraces to be able to reconstruct a path back to the attacker [7]. In a DDoS attack, very few ICMP traceback messages will be obtained from distant routers, though an intention-driven ICMP traceback scheme could improve the traceback. The main problems with this mechanism are that ICMP traffic is increasingly filtered and may be dropped by a firewall, and that even with a low sampling probability it still generates additional network traffic. Finally, the ICMP messages may have to be authenticated (requiring a key distribution infrastructure) to deal with the problem of attackers sending false ICMP traceback messages. In [12] an improved variation of ICMP traceback is described.

    D. Packet Marking Schemes

    Packet marking schemes [8, 9, 10, 11, 13] involve routers marking one or more packets by augmenting them with additional information about the path they are traveling. The destination can then use the information appended to the marked packets to reconstruct the path to the attacker using a path reconstruction procedure. The convergence time of the path reconstruction algorithm is the number of packets that the victim must observe to reconstruct the attack path. Packet marking does allow multiple sources of attack to be detected, but it has many disadvantages, including the processing overhead at the routers, the high number of packets often required to reconstruct the attack path, and the large number of bits that must be stored in IP header fields. Moreover, this mechanism may produce false-positive paths (paths that are not part of the attack), cannot handle fragmented packets, does not work with IPv6 and is not compatible with IPSec.
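    To make the convergence-time and false-positive remarks concrete, here is an added example (written for this page, not code from the report or from [8]) of edge-sampling probabilistic packet marking: each router overwrites a start/end/distance mark with probability p, the victim rebuilds the path level by level from the marks it receives, and convergence_time counts how many packets that takes. The router names, the marking probability 1/25 and the forged mark are assumptions for illustration. The forged-mark run shows the false-positive weakness: because every honest router increments the distance field, an attacker-supplied start address can only appear at a level at or beyond the true path length, where it produces an edge the victim cannot tell from a real one.

```python
import random
from dataclasses import dataclass
from typing import Optional

VICTIM = "V"


@dataclass(frozen=True)
class Mark:
    """The start/end/distance fields a marking router would squeeze into the
    IP header, carried here as a plain record (fields zeroed by default)."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


def router_mark(mark: Mark, router: str, p: float, rng: random.Random) -> Mark:
    """Edge-sampling step of one router (after Savage et al. [8]): with
    probability p start a new edge (start = self, distance = 0); otherwise
    close an edge started one hop upstream (distance == 0 -> end = self) and
    always increment distance. The field is unsigned in the real scheme, so an
    attacker-supplied negative distance is treated as 0."""
    if rng.random() < p:
        return Mark(start=router, end=None, distance=0)
    dist = max(mark.distance, 0)
    return Mark(mark.start, router if dist == 0 else mark.end, dist + 1)


def send_along(path: list, initial: Mark, p: float, rng: random.Random) -> Mark:
    """Forward one packet along path[0] (next to the attacker) .. path[-1] (next to V)."""
    mark = initial
    for router in path:
        mark = router_mark(mark, router, p, rng)
    return mark


def reconstruct(marks: set) -> dict:
    """Victim-side reconstruction: level d holds edges (upstream, downstream)
    whose downstream node is d hops from the victim. A distance-0 mark has the
    victim itself as its implicit end. An edge is accepted only if its
    downstream node was already placed one level nearer the victim."""
    levels, placed = {}, {0: {VICTIM}}
    for d in sorted({m.distance for m in marks}):
        for m in marks:
            if m.distance != d or m.start is None:
                continue
            end = VICTIM if d == 0 else m.end
            if end in placed.get(d, set()):
                levels.setdefault(d, set()).add((m.start, end))
                placed.setdefault(d + 1, set()).add(m.start)
    return levels


def true_edges(path: list) -> set:
    return {(r, path[i + 1] if i + 1 < len(path) else VICTIM) for i, r in enumerate(path)}


def convergence_time(path: list, p: float, seed: int = 1,
                     attacker_mark: Mark = Mark(), max_packets: int = 200_000) -> int:
    """Packets the victim must see before every true edge is reconstructed
    (0 if not within max_packets). attacker_mark is what the attacker writes
    into the marking fields before sending."""
    rng = random.Random(seed)
    seen, wanted = set(), true_edges(path)
    for n in range(1, max_packets + 1):
        seen.add(send_along(path, attacker_mark, p, rng))
        levels = reconstruct(seen)
        recovered = set().union(*levels.values()) if levels else set()
        if wanted <= recovered:
            return n
    return 0


def levels_after(path: list, p: float, n_packets: int, seed: int = 1,
                 attacker_mark: Mark = Mark()) -> dict:
    """Reconstructed levels after a fixed number of packets; used to show where
    a forged start address can and cannot appear."""
    rng = random.Random(seed)
    marks = {send_along(path, attacker_mark, p, rng) for _ in range(n_packets)}
    return reconstruct(marks)
```

    With the three-router path and p = 1/25, convergence needs a few dozen packets and grows with path length, since an edge started at the router farthest from the victim survives only when none of the downstream routers overwrite it, with probability p(1-p)^(hops-1). With the forged mark Mark("EVIL", None, 0), every unmarked packet arrives as the edge (EVIL, R1) at distance 3, one level beyond the real source, while levels 0 to 2 contain only honest routers.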


    3. PROPOSED SCHEME

    In [2], we proposed the use of mobile agents for tracing single and multiple sources of attack, summarized as follows. As soon as an attack is detected, a mobile agent is initialized with the attack packet signature and launched to the router (gateway router) which sent the attack packet into the victim's network. The mobile agent, being autonomous, scans the incoming packets at that router to determine the previous router which sent the packet to the current router. Once this is determined, the mobile agent halts its execution and moves to the address of the previous router, and so on, until the first router which routed the attack packet is determined. Mobile agents are convenient and appropriate for tracing single as well as multiple sources of attack due to their cloning capability.

    Fig. 2. Coping with multiple sources of attack. The agent clones itself and investigates different attack paths.

    For a multiple-source attack, when the attack is discovered, an agent is launched. When the agent discovers multiple packets matching the packet signature but with different incoming port/router addresses, it can clone itself and move to each of the different routers on the attack paths, as shown in Figure 2. As a security measure, the agents should have a control parameter which limits the number of times an agent can clone itself.

    During the experimentation in [2], though, it was observed that in the case of multiple sources of attack at least one source was identified but not all, even though the agents were programmed to clone when they detected attack packets coming from different upstream routers. This is because once the mobile agent identifies one attack packet based on the signature, it acts on that specific packet and moves on, ignoring the other attack packets being sent from other sources, as in the case of a DDoS attack. As indicated in [2], in the case of multiple attacks at least one source of attack was always identified with that algorithm, and all sources of attack were rarely identified.

    Thus, for traceback of multiple sources of attack, the mobile agent has to be programmed to sample the attack packets for a specified period of time (t) on each router. If all the attack packets sampled are observed to arrive over the same upstream link (i.e. from the same source of attack), then it can be concluded that the attack originates from a single source and the agent moves upstream. But if attack packets are observed to arrive from several upstream routers, this indicates multiple sources of attack, and the agent clones itself as many times as the number of distinct upstream links identified and moves to the different upstream routers. Figure 3 depicts the traceback algorithm modified from [2] to cater for traceback of DDoS (multiple sources of) attack. The next section evaluates the efficiency of the improved algorithm.


    Fig. 3. Improved traceback algorithm of the mobile agent for tracing multiple sources of attack.

    WORKING PROCESS:

    We evaluate the performance of the proposed scheme through simple simulation experiments. The aim is to study the efficiency of the multiple-attack traceback process when using mobile agents. JADE (Java Agent DEvelopment Framework) [14, 15] has been used to implement the agent system. The router was simulated as a stationary agent (router agent) with which the mobile agent interacts to find the attack packet and the upstream router. ns-2 (the network simulator) [16] was also used to determine network dynamics such as the time taken to trace back. A random attack tree with m attackers and one victim was generated. The attack paths converge at the victim to form an attack tree as shown in Figure 2. The number of attackers ratio, defined in equation 1 as the number of identified attackers divided by the total number of attackers, should ideally be 1 if all attackers are successfully identified.

    However, it was observed that this was not always the case when the simulation was run, even with the improved algorithm. When the mobile agent was made to consider more than one packet, i.e. it sampled the attack packets with a probability p, the number of attackers ratio increased. The higher the sampling probability, i.e. the more packets analyzed at a node, the higher the number of attackers ratio, as shown in Tables 1 to 6 below. Note that the multiple attackers were assumed to be at either the same or different distances from the victim.

    TABLE 1
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.1 AND 100 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       4                        0.8
          10                       7                        0.7
          15                       7                        0.5
          20                       8                        0.4

    Since a DDoS attack often implies numerous attack packets sent by multiple attackers, it can be seen that sampling attack packets at a low probability is sufficient to identify all the sources of attack, as shown in Table 2. Otherwise, using a higher sampling probability ensures that more sources of attack are identified. A sampling probability of 0.5, i.e. half of the attack packets sampled, leads to the identification of all sources of attack when the attackers send about 100 attack packets each, as shown in Table 6. Figure 4 below depicts some of the experimental results.

    TABLE 2
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.1 AND 1000 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       5                        1
          10                      10                        1
          15                      15                        1
          20                      20                        1

    TABLE 3
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.2 AND 100 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       5                        1
          10                       9                        0.9
          15                       9                        0.6
          20                      20                        0.55

    TABLE 4
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.3 AND 100 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       5                        1
          10                      10                        1
          15                      12                        0.8
          20                      14                        0.7

    TABLE 5
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.4 AND 100 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       5                        1
          10                      10                        1
          15                      15                        1
          20                      17                        0.85

    TABLE 6
    NUMBER OF ATTACKERS RATIO WHEN PROBABILITY = 0.5 AND 100 ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

    No. of Attackers   No. of Identified Attackers   No. of Attackers Ratio
           5                       5                        1
          10                      10                        1
          15                      15                        1
          20                      20                        1

    Fig. 4. No. of attackers ratio for varying sampling rate

    Some DoS/DDoS attacks involve around 1 000 packets per second, though some attacks have run at as much as 600 000 packets per second [17]. A low sampling probability may therefore often be enough to identify all sources of attack, and it also implies less processing overhead.


    To capture all sources of attack in the case of a sporadic DDoS attack, where there are many attack sources and each attacker contributes few attack packets, it is concluded that the mobile agent should stay on the router for the whole duration of the attack and analyze each attack packet. As soon as a new upstream router is identified, the agent should clone itself and dispatch the clone to the new upstream router, while the original agent stays and continues to sample the attack packets for new upstream links.

    4. DESIGN

    USE CASE DIAGRAM


    SEQUENCE DIAGRAM


    ACTIVITY DIAGRAM


    DATA FLOW DIAGRAM


    5. APPLICATIONS

    ISP Level.


    DMZ.

    Website Hosts/Web Servers

    Distributed Databases.

    Cloud Computing.

    6. CONCLUSION

    An efficient traceback scheme is required to identify the sources of DoS attacks, which pose an imminent threat to the availability of Internet services. In this paper, we have evaluated the efficiency of a real-time IP traceback scheme using mobile agents for multiple-source attacks. One of the most important advantages of the scheme over the existing traceback schemes is that the mobile agents provide autonomous tracing. Traceback occurs in a few seconds; for instance, tracing a 13-hop attack path may take 19 seconds. The time taken depends on the network, though: the higher the network load, the longer the traceback time. The improved algorithm in this paper increases the number of attackers that can be traced in the case of a DDoS, given that the mobile agent is made to sample the attack packets on each node in the attack path starting from the node closest to the victim, as shown by the simulation results. The proposed scheme can also easily be adapted to IPv6 networks. Future work being considered is the use of mobile agents for traceback of attacks originating from mobile devices using Mobile IP.

    7. REFERENCES

    Base paper: Armoogum S., Mohamudally N., Efficiency of using Mobile Agents to trace Multiple Sources of Attack, 2009.

    [1] CSI/FBI Computer Crime and Security Survey report, 2008.
    [2] Armoogum S., Mohamudally N., Mobile Agents for IP Traceback, Proc. Third IEEE International Conference on Digital Information Management (ICDIM 2008), November 2008.
    [3] R. Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods, Proc. 9th USENIX Security Symposium, USENIX Assoc., 2000, pp. 199-212.
    [4] H. Burch and B. Cheswick, Tracing Anonymous Packets to Their Approximate Source, Proc. 14th Conference on Systems Administration (LISA 2000), USENIX Assoc., 2000, pp. 313-322.
    [5] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent and W. T. Strayer, Hash-Based IP Traceback, Proc. ACM SIGCOMM, August 2001.
    [6] L. A. Sanchez, W. C. Milliken, A. C. Snoeren, F. Tchakountio, C. E. Jones, S. T. Kent, C. Partridge and W. T. Strayer, Hardware Support for a Hash-Based IP Traceback, Proc. DARPA Information Survivability Conference and Exposition, 2001.
    [7] S. Bellovin et al., ICMP Traceback Messages, IETF Internet Draft, version 4, February 2003 (work in progress).
    [8] S. Savage, D. Wetherall, A. Karlin and T. Anderson, Practical Network Support for IP Traceback, Proc. ACM SIGCOMM, August 2000.
    [9] W. Lee and K. Park, On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack, Proc. IEEE INFOCOM, IEEE CS Press, 2001, pp. 338-347.
    [10] M. Adler, Tradeoffs in Probabilistic Packet Marking for IP Traceback, Proc. 34th ACM Symposium on Theory of Computing, ACM Press, 2002, pp. 407-418.
    [11] D. Song and A. Perrig, Advanced and Authenticated Marking Schemes for IP Traceback, Proc. IEEE INFOCOM, IEEE CS Press, 2001, pp. 878-886.
    [12] C.-J. Chae, S.-H. Lee, J.-S. Lee and J.-K. Lee, A Study of Defense DDoS Attacks using IP Traceback, Proc. 2007 International Conference on Intelligent Pervasive Computing (IPC 2007), pp. 402-408.
    [13] Y. Xiang, W. Zhou, Z. Li and Q. Zeng, On the Effectiveness of Flexible Deterministic Packet Marking for DDoS Defense, Proc. 2007 IFIP International Conference on Network and Parallel Computing Workshops.
    [14] JADE (Java Agent DEvelopment Framework), http://jade.tilab.com/
    [15] F. L. Bellifemine, G. Caire and D. Greenwood, Developing Multi-Agent Systems with JADE, ISBN 978-0-470-05747-6.
    [16] ns-2 user information, http://nsnam.isi.edu/nsnam/index.php/User_Information
    [17] D. Moore, G. M. Voelker and S. Savage, Inferring Internet Denial-of-Service Activity, Proc. 2001 USENIX Security Symposium.