As a result of growing dependence on the Internet by both the general public and service providers, the availability of Internet services has become a concern. While DoS attacks cause inconvenience for users and revenue loss for service providers, their effects on critical infrastructures like the smart grid and public utilities could be catastrophic. For example, an attack on a smart grid system can cause cascaded power failures and lead to a major blackout.
In this book, we study Distributed Denial of Service (DDoS) attacks using operational network data. Testing and developing practical DoS attack detection and mitigation systems is crucial. However, it was previously not possible to use operational networks for studying DoS, so most studies relied on computer simulations. We experiment using operational system data and perform real attacks without disturbing the original system. This lets us evaluate the performance of our approaches against a real ground truth.
Using our approach, we analyzed the detection performance of anomaly-based DDoS detection approaches using both the packet count and the entropy of packet header fields. These approaches are tested on low and high network utilization levels to see the effect that network excess capacity has on attack detection. We compared our results with previously published ones and pointed out the significant differences we found. These differences were caused by inappropriate assumptions about network background and attack traffic in network simulations. In addition, we present a new detection approach, Cusum-Entropy, which performs additional signal processing on the entropy of the packet header field to improve detection efficiency.
Information theory metrics, like Shannon entropy and generalized entropy, are common in recent DDoS detection publications. They are effective features for detecting these attacks. However, intrusion detection systems (IDS) using entropy-based detection approaches can easily become victims of spoofing attacks. An attacker can sniff the network and calculate the background traffic entropy before a (D)DoS attack starts, and then craft spoofed attack packets so that the entropy value stays in the expected range during the attack. We explain the vulnerability of entropy-based network monitoring systems. We then present a proof of concept entropy spoofing attack and show that, by exploiting this vulnerability, an attacker can either avoid detection or degrade detection performance to an unacceptable level.
Attack detection is important for DDoS mitigation systems. The performance of detection approaches varies with network conditions, such as a changing utilization level. It is even possible to conceal a network anomaly in order to deceive a detection system. In addition, the farther a detection system is from the victim on the network, the more time accurate detection requires, and most of the time an attack is detected too late. We designed our mitigation system to increase service availability by scaling up the system resources using multiple cloud service providers when necessary. The system reduces operating cost by reducing the number of caches when they are unnecessary. The experimental results showed the effectiveness of the proposed system.
This book provides an extensive analysis of the Distributed Denial of Service (DDoS) problem using operational network data. To design an effective attack mitigation system, it is important to understand how attackers leverage system flaws. Researchers should investigate the techniques attackers use and recreate the attack scenarios to gain better insight. In addition, to better understand system behavior under different circumstances, operational system data should be used in these studies. When designing a DDoS mitigation system, understanding how a successful DDoS attack on an operational network is performed, the fundamental concepts of detecting these attacks, and the ways attack detection approaches can be deceived is invaluable knowledge.
1.1 Performance Testing and Analysis of DDoS Detection Approaches
When studying Internet security, researchers typically cannot test new methods on the operational network because of the risk of disturbing users. Most studies use simulated network background and attack traffic [69, 113, 570], scenario-specific data sets [349, 653], or simulated attacks on live traffic traces [100, 96, 294, 195, 438, 114]. However, there is no known formula for modeling network traffic [613], so it cannot be simulated accurately. Results obtained by running DDoS detection approaches on an operational network can therefore be expected to differ significantly from simulation-based results.
In this work, we presented a novel approach to performing a disruptive network security experiment using operational network data without jeopardizing the network. We used Clemson University campus network traffic as background traffic and performed DDoS attacks on our experiment setup using the Clemson University Condor [135] computer cluster. We used this approach to analyze the efficiency of detection methods on an operational network. We concentrated on anomaly-based detection approaches using packet count and entropy of packet header fields. These approaches are tested on low and high network utilization levels to see the effect of network excess capacity on attack detection.
1.2 Deceiving DDoS Detection
Information theory-based metrics (Hartley entropy, Shannon entropy, Renyi’s entropy, generalized entropy, Kullback-Leibler divergence and generalized information distribution) are popular and widely used for intrusion detection because of their low computation overhead [63]. Google Scholar cites more than 250 entropy-based DDoS detection journal articles and conference papers published in 2014.
We presented an important vulnerability of network monitoring systems using entropy. We introduced a proof of concept spoofing attack showing that it is possible to deceive entropy-based DoS detection approaches [454, 455]. To deceive entropy-based DoS detection, we generated spoofed packets that make the traffic entropy during the attack indistinguishable from the entropy before the attack. Our attack not only deceived the detection approach, but also helped the denial of service attack. Furthermore, entropy spoofing can be combined with DDoS attacks to generate attack traffic that is invisible to entropy-based DDoS detection systems. False positives also degrade detection, and by using entropy spoofing an attacker can generate false positives to degrade detection efficiency.
1.3 DDoS Mitigation
Detecting a DDoS attack before it reaches the victim is important. Detection becomes more difficult, and accurate detection requires more time, as the detection system moves away from the victim on the network [641]; generally it is too late by the time a DDoS flooding attack is detected.
Instead of waiting for an accurate detection before starting mitigation, using cloud services such as Amazon EC2 and Rackspace to mitigate DDoS attacks [309, 369, 636] is a known technique. However, the cost of dedicated redundant resources makes this form of mitigation very expensive. In addition, DDoS attacks can disrupt the services of clouds that allocate resources on demand [607, 632], and relying on one cloud service provider creates a single point of failure for the mitigation system.
We designed our mitigation system to increase service availability by scaling up the system resources using multiple cloud service providers when necessary. In our proposed system, the web server is hidden behind web caches. During an attack or a flash crowd, the server load is distributed over multiple web caches located in physically separate places. The system reduces operating cost by reducing the number of caches when they are not necessary.
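The scaling decision at the heart of the system just described can be written down as a small policy. The following is an added example, not the book's own implementation: it decides whether to add a cache, remove one, or hold, given the measured load of the current cache pool. The provider names, the up/down thresholds, the minimum pool size and the rule that the pool must never collapse onto a single provider are all assumptions chosen to illustrate the two stated goals (scale up across several providers under load, scale down to save cost) without recreating the single-point-of-failure problem noted in the previous section.

```python
"""Added example: scale-up/scale-down policy for a pool of web caches spread
over several cloud providers.  Providers, thresholds and the load model are
assumptions for illustration; this is not the book's code."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Cache:
    provider: str
    load: float      # fraction of the cache's capacity in use, 0.0 .. 1.0


PROVIDERS = ["providerA", "providerB", "providerC"]   # placeholder names
SCALE_UP = 0.75      # assumed: add a cache when mean load exceeds this
SCALE_DOWN = 0.30    # assumed: remove a cache when mean load falls below this
MIN_CACHES = 2       # assumed: never run fewer caches than this
MIN_PROVIDERS = 2    # assumed: the pool must always span at least two providers


def mean_load(caches):
    return sum(c.load for c in caches) / len(caches)


def least_represented_provider(caches):
    """Provider currently hosting the fewest caches (ties go to PROVIDERS order),
    so that scale-up spreads the pool across providers instead of piling up
    on one of them."""
    counts = Counter(c.provider for c in caches)
    return min(PROVIDERS, key=lambda p: (counts[p], PROVIDERS.index(p)))


def plan(caches):
    """Return one scaling action for the pool:
       ("add", provider)  - launch a new cache at that provider
       ("remove", index)  - retire caches[index]
       ("hold", None)     - do nothing
    The gap between SCALE_UP and SCALE_DOWN gives the loop hysteresis, so a
    load hovering near one threshold does not flap between add and remove."""
    m = mean_load(caches)
    if m > SCALE_UP:
        return ("add", least_represented_provider(caches))
    if m < SCALE_DOWN and len(caches) > MIN_CACHES:
        # Retire the least-loaded cache whose removal keeps provider diversity.
        for i in sorted(range(len(caches)), key=lambda i: caches[i].load):
            remaining = {c.provider for j, c in enumerate(caches) if j != i}
            if len(remaining) >= MIN_PROVIDERS:
                return ("remove", i)
    return ("hold", None)


if __name__ == "__main__":
    # Constructed scenario: two caches saturating during a flood.
    flood = [Cache("providerA", 0.92), Cache("providerB", 0.88)]
    print("during flood:", plan(flood))
    # Constructed scenario: load has dropped after the flood ends.
    quiet = [Cache("providerA", 0.10), Cache("providerB", 0.20), Cache("providerB", 0.30)]
    print("after flood:", plan(quiet))
```

In the quiet scenario the policy skips the least-loaded cache because it is the only one at `providerA`, and retires the next candidate instead; that check is what keeps the mitigation system from quietly degrading back to a single provider as it saves cost.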
1.4 Organization
The content of this book is organized as follows. This chapter, Chapter 1, describes the motivation behind the work by exploring the issues and challenges of DDoS attack detection and mitigation. It also provides motivation for our topic.
Chapter 2 gives background about DDoS attacks, their history and their current state. We present a literature review of DDoS attack detection and mitigation approaches and point out shortcomings of the current state of the art. This is followed by Chapter 3, which provides a detailed history of the major stages in the development of DDoS attacks. They were originally little more than pranks that took advantage of the weaknesses of the early infrastructure. Over time they have evolved into sophisticated distributed criminal enterprises that can generate enough traffic to overwhelm small countries. They have become instruments of war between nation states.
We follow the historical evolution of DDoS with a discussion of legal issues in Chapter 4. This chapter explains the laws related to DDoS attacks. We note that penalties for executing a DDoS attack can be rather severe. A number of hacktivists have been surprised by the ramifications of their participation in protests that use DDoS attacks. We will also discuss the ethical arguments for and against possible uses of DDoS attacks.
Chapter 5 discusses Internet Protocol (IP) network traffic. We will illustrate example histograms of IP network traffic. This introduction will help students understand what network communications traffic looks like, why IP histograms look the way they do, and the chall...