09-06-2012, 05:37 PM
Traceback of DDoS Attacks using Entropy Variations
Traceback of DDoS Attacks using Entropy.pdf (Size: 368.76 KB / Downloads: 14)
INTRODUCTION
IT is an extraordinary challenge to traceback the source of
Distributed Denial-of-Service (DDoS) attacks in the
Internet. In DDoS attacks, attackers generate a huge amount
of requests to victims through compromised computers
(zombies), with the aim of denying normal service or
degrading of the quality of services. It has been a major threat
to the Internet since year 2000, and a recent survey [1] on the
largest 70 Internet operators in the world demonstrated that
DDoS attacks are increasing dramatically, and individual
attacks are more strong and sophisticated. Furthermore, the
survey also found that the peak of 40 gigabit DDoS attacks
nearly doubled in 2008 compared with the previous year. The
key reason behind this phenomena is that the network security
community does not have effective and efficient traceback
methods to locate attackers as it is easy for attackers to
disguise themselves by taking advantages of the vulnerabilities
of the World Wide Web, such as the dynamic, stateless, and
anonymous nature of the Internet [2],[3].
BACKGROUND AND RELATED WORK
A. Background of DDoS Attacks
DDoS attacks are targeted at exhausting the victim's
resources, such as network bandwidth, computing power, and
operating system data structures. To launch a DDoS attack, the
attacker(s) first establishes a network of computers that will
be used to generate the huge volume of traffic needed to deny
services to legitimate users of the victim. To create this attack
network, attackers discover vulnerable hosts on the network.
Vulnerable hosts are those that are either running no antivirus
or out-of-date antivirus software, or those that have not been
properly patched. These are exploited by the attackers who
use the vulnerability to gain access to these hosts. The next
step for the attacker is to install new programs (known as
attack tools) on the compromised hosts of the attack network.
The hosts running these attack tools are known as zombies,
and they can be used to carry out any attack under the control
of the attacker. Numerous zombies together form an army or
botnet [3], [35].
SYSTEM MODELING FOR IP TRACEBACK ON ENTROPY
VARIATIONS
A. A Sample Network with DDoS Attacks
In order to clearly describe our traceback mechanism, we use
Fig. 1 as a sample network with DDoS attacks to demonstrate
our traceback strategy.
In a DDoS attack scenario as shown in Fig. 1, the flows with
destination as the victim include legitimate flows, such as f3,
and a combination of attack flows and legitimate flows, such
as f1 and f2. Compared with non-attack cases, the volumes of
some flows increase significantly in a very short time period
in DDoS attack cases. Observers at routers R1, R4, R5 and V
will notice the dramatic changes, however, the routers who are
not in the attack paths, such as, R2 and R3, will not be able to
sense the variations. Therefore, once the victim realizes an
ongoing attack, it can pushback to the LANs which caused the
changes based on the information of flow entropy variations,
and therefore, we can identify the locations of attackers.
