paper_ppt


Transcript of paper_ppt

  • 7/27/2019 paper_ppt

    1/9

    INTRODUCTION

    Availability is defined as the property of data and services being
    accessible to an authorized party within a reasonable time of the
    request. Every networked system must remain available to its users;
    this is the minimum security requirement. DoS attacks destroy or
    exhaust resources by generating large amounts of bogus traffic
    towards the victim, and so prevent permissible access to the
    victim's resources. The taxonomy of DDoS attacks and their
    respective defence mechanisms are defined in this paper.

    There are mainly three approaches to defeating attacks:

    1: detection
    2: prevention
    3: response

    Detection mechanisms try to detect attacks after they have happened.
    Proactive (prevention) measures try to secure systems and protocols
    against attacks, while response mechanisms try to detect the attack
    and reduce its after-effects. The paper focuses on a detection
    mechanism that detects the attack at an early stage. The paper starts
    with a brief terminology. It then goes through the proactive
    detection phases and ends with a description of the SNMP-based
    implementation and the conclusion.

  • 2/9

    TERMINOLOGY

    Denial of service attack (DoS): refers to any technique used to
    prevent a host, or a network of hosts, on the Internet from either
    accessing the Internet or responding to requests from other hosts on
    the Internet. There are three or four types of machines in each DoS
    attack: the attacker, the client, the slaves and the target (the
    attacker and the client may be the same machine).

    Distributed denial of service attack (DDoS): a kind of DoS attack
    which uses thousands or more slaves across the Internet. After the
    attacker commands the slaves, they send bogus packets to the target.
    Even if the target is not shut down, the large volume of bogus
    packets consumes the target's bandwidth and legitimate packets
    cannot pass through the artificial traffic towards the target. This
    is shown in the diagram below.

  • 3/9

    [Figure label: NMS agent]

    Network management system (NMS): a system capable of recording the
    activity of the network. SNMP-based management is often called
    Internet management and is widely used.

    Simple network management protocol (SNMP): a protocol defined by the
    Internet Engineering Task Force (IETF). An SNMP management system
    consists of managed nodes, management stations and the management
    protocol. Each managed node runs one or more SNMP agents. An agent
    keeps information about its node in a database called the management
    information base (MIB).

    The MIB defines the information that will be maintained by the
    associated SNMP agent. MIBs are comprised of managed objects, each
    identified by an object identifier (OID). MIB variables are used in
    the control and supervision of network traffic; their values change
    as packets pass through the node.

    [Diagram: the master commands slaves S1, S2, S3 and S4, which flood
    the target.]
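    The following is an added example and not code from the original
    slides: a hand-rolled SNMPv2c GetRequest/GetResponse codec showing
    how a management station asks an agent for one MIB variable
    (TCP-MIB::tcpInSegs.0, OID 1.3.6.1.2.1.6.10.0) and reads the
    Counter32 it returns. The community string "public", the request id
    and the counter value in the agent's reply are constructed for the
    demonstration, and the reply is built locally rather than received
    from a real agent.

```python
"""Minimal SNMPv2c GetRequest/GetResponse codec (BER), standard library only.
Constructed example: the manager asks for TCP-MIB::tcpInSegs.0 and parses the
Counter32 in the reply; the agent's reply is built here too, so no network."""

# BER universal tags plus the SNMP application/context tags we need
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_COUNTER32 = 0x41                       # [APPLICATION 1] Counter32
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2
SNMP_V2C = 1                               # version field: 0 = v1, 1 = v2c

def ber_len(n):
    """BER length octets: short form under 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(value, tag=TAG_INTEGER):
    """Minimal two's-complement integer. Counter32 reuses this with its own tag,
    so values of 2**31 and above get the leading 0x00 byte BER requires."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(n, "big", signed=True))

def encode_oid(dotted):
    """1.3.6.1.2.1.6.10.0 -> 06 08 2b 06 01 02 01 06 0a 00: the first two arcs
    merge into 40*x+y, the rest are base-128 with a continuation bit."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def decode_oid(payload):
    first = payload[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_pdu(pdu_tag, request_id, varbinds):
    """GetRequest and GetResponse share one layout: request-id, error-status,
    error-index, then a SEQUENCE of (OID, value) varbinds."""
    vbl = b"".join(tlv(TAG_SEQUENCE, encode_oid(oid) + value) for oid, value in varbinds)
    return tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(TAG_SEQUENCE, vbl))

def build_message(community, pdu):
    return tlv(TAG_SEQUENCE, encode_int(SNMP_V2C) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)

def build_get_request(community, oid, request_id):
    """Manager side: a request carries NULL where the value will go."""
    return build_message(community, build_pdu(TAG_GET_REQUEST, request_id, [(oid, tlv(TAG_NULL, b""))]))

def build_get_response(community, oid, request_id, counter):
    """Agent side (constructed here): the same varbind with a Counter32 filled in."""
    return build_message(community, build_pdu(TAG_GET_RESPONSE, request_id,
                                              [(oid, encode_int(counter, TAG_COUNTER32))]))

def read_tlv(buf, pos=0):
    """Return (tag, payload, position after the element) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(msg):
    """Return (request_id, error_status, {oid: value}). Counter32 decodes as an
    unsigned int (never sign-extend it), INTEGER as signed, anything else raw."""
    _, body, _ = read_tlv(msg)
    _, _version, pos = read_tlv(body)
    _, _community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag != TAG_GET_RESPONSE:
        raise ValueError("expected a GetResponse PDU, got tag 0x%02x" % pdu_tag)
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    values, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, p)
        if vtag == TAG_COUNTER32:
            values[decode_oid(oid)] = int.from_bytes(val, "big")
        elif vtag == TAG_INTEGER:
            values[decode_oid(oid)] = int.from_bytes(val, "big", signed=True)
        else:
            values[decode_oid(oid)] = val
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), values

TCP_IN_SEGS = "1.3.6.1.2.1.6.10.0"        # TCP-MIB::tcpInSegs.0

def poll_counter_demo():
    """Constructed round trip: a real manager sends `req` as a UDP datagram to
    port 161 of the agent and feeds the returned datagram to parse_get_response."""
    req = build_get_request("public", TCP_IN_SEGS, 4242)
    reply = build_get_response("public", TCP_IN_SEGS, 4242, 3_000_000_123)  # made-up agent value
    rid, err, values = parse_get_response(reply)
    if rid != 4242 or err != 0:
        raise RuntimeError("reply does not match the request")
    return len(req), values[TCP_IN_SEGS]

if __name__ == "__main__":
    print(poll_counter_demo())
```

    The request id is what ties a reply to its request, so a poller that
    has several GetRequests outstanding must check it before trusting the
    value. A Counter32 that comes back lower than the previous poll has
    wrapped at 2^32, not gone backwards, which matters when the values are
    turned into rates for detection.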

    A QUICK REVIEW OF THE ATTACK MODEL.

  • 5/9

    [Diagram: ATTACKER -> CLIENT -> NODE, NODE, NODE, NODE -> VICTIM]

  • 6/9

    The attacker, sitting at home, uses client software to send commands
    to the nodes. The nodes in turn send floods of packets, or malformed
    packets to crash the system (or both), towards the victim.

    Typically, the client software that the attacker uses to direct
    these attacks is not on his home system but sits on another system
    (usually a compromised host several hops away from the attacker's
    home system, to help prevent authorities from tracking down the
    attacker). From there, commands are currently sent using ICMP
    packets, with the data possibly encrypted. TFN2K advances this
    stealth mode of communication by allowing remote one-way
    communication, decoy packets and fairly sophisticated encryption.

    The nodes themselves can number in the thousands. With one node,
    millions of packets can be sent in one minute, using up all the
    available bandwidth a victim might have. With thousands of
    geographically dispersed nodes, billions of packets could certainly
    cripple any victim, including victims with multiple ISPs and
    high-bandwidth routers.

  • 7/9

    WEAKNESSES IN THE ATTACK MODEL WHICH WE CAN EXPLOIT

    WEAKNESS IN ATTACKER:

    The attacker's biggest weakness lies in two critical phases:
    checking his/her work, and communicating with the client. It is
    entirely possible that the attacker will do a DNS lookup of the
    target's address, and possibly ping or try to access the site via a
    web browser, right before or after the attack starts. These accesses
    may appear in the log files on the target machine.

    If the client software is running on the home machine, it is possible
    that the nodes running the attack software will show telltale signs
    of connectivity, such as the home machine's IP address being visible
    in a netstat listing.

    WEAKNESS IN CLIENT:

    Similar weaknesses exist for the client as for the attacker. If the
    attacker is running the client software on a remote machine, it is
    possible that the attacker did not have legitimate access to that
    machine but may have left some signs of the intrusion.

    WEAKNESS IN NODES:

    The nodes, which could number in the thousands, are obviously
    housing and running the attack software that launches the DDoS
    attack. Commercial scanners such as HackerShield and others have, or
    will shortly have, checks for these.
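    An added example, not from the original slides, of the log check the
    attacker weakness above suggests: given the time the flood started,
    pull the hosts that touched the target's web server shortly before
    or after. The Apache combined-format log lines, the IP addresses and
    the attack start time are constructed for the example, and the
    10-minutes-before / 5-minutes-after window is an assumption; the
    hosts it returns are leads to follow up, not proof of anything.

```python
"""Correlate a flood's start time with the victim's web access log to find the
hosts that looked at the target just before or after the attack began.
Constructed Apache combined-format lines; the start time would normally come
from the MIB-based detector."""
from datetime import datetime, timedelta, timezone
import re

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one host checks the site twice shortly before the flood
# and once after it; the other entries are ordinary traffic outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2004:10:01:12 +0000] "GET / HTTP/1.0" 200 1043
198.51.100.23 - - [14/Jun/2004:10:58:40 +0000] "GET /index.html HTTP/1.1" 200 2211
198.51.100.23 - - [14/Jun/2004:10:59:05 +0000] "GET /robots.txt HTTP/1.1" 404 209
this line is not in combined format and must be skipped
203.0.113.9 - - [14/Jun/2004:11:20:31 +0000] "GET /about.html HTTP/1.1" 200 871
198.51.100.23 - - [14/Jun/2004:11:03:50 +0000] "GET / HTTP/1.1" 503 0
""".splitlines()
# Assumed input from the detector: the interval in which the flood began.
ATTACK_START = datetime(2004, 6, 14, 11, 0, 0, tzinfo=timezone.utc)

def parse_line(line):
    """One combined-format record, or None for a line that does not parse."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "req": m["req"], "status": int(m["status"])}

def accesses_around(lines, attack_start, before=timedelta(minutes=10), after=timedelta(minutes=5)):
    """Map each source IP to its (time, request, status) tuples inside the window
    [attack_start - before, attack_start + after], oldest first."""
    window_lo, window_hi = attack_start - before, attack_start + after
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec and window_lo <= rec["ts"] <= window_hi:
            hits.setdefault(rec["ip"], []).append((rec["ts"], rec["req"], rec["status"]))
    for reqs in hits.values():
        reqs.sort()
    return hits

if __name__ == "__main__":
    for ip, reqs in accesses_around(SAMPLE_LOG, ATTACK_START).items():
        print(ip, [(t.strftime("%H:%M:%S"), r, s) for t, r, s in reqs])
```

    The 503 after the start time is the kind of entry to look for: a
    host that fetched the front page a minute before the flood and again
    once the server was struggling is behaving like someone checking
    their work. DNS server and firewall logs can be searched the same
    way with a different line pattern.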

  • 8/9

    DETECTING ATTACKS

    In this phase we define the MIB variables that change when attack
    packets reach the target. This can be done in two ways:

    1: Using domain knowledge about the characteristics of the attack.
    For example, we know in advance that the mstream attack sends a
    large number of TCP ACK packets to the target, therefore when the
    attack packets reach the target the tcpInSegs MIB variable changes.

    2: Comparing the behaviour of MIB variables during the attack and
    during normal operation; the time differences between the processes
    determine the precursors of the attack.

    THIS INVOLVES THE FOLLOWING PHASES:

    STAGE 1: Which MIB variables changed at the victim?
    STAGE 2: Which MIB variables are relevant?
    STAGE 3: What are the thresholds?

    [Diagram: the three stages, each showing the master (M), slaves (S)
    and victim (V).]
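    As an added example (not from the paper), the three stages above run
    over constructed counter polls in Python. The sample counters, the
    one-second polling interval, the k = 3 sigma rule for "changed" and
    for the threshold, and the two-consecutive-intervals alarm rule are
    all assumptions of this example; the paper does not say how it
    derived its thresholds. The normal window deliberately crosses a
    Counter32 wrap so the rate computation handles that case.

```python
"""The three detection stages run over constructed SNMP counter polls.
Standard library only. The numbers below are made up to look like 1-second
polls of MIB-II counters at the victim during normal operation and during an
mstream-style TCP ACK flood; they are not measurements from the paper."""
from itertools import accumulate
from statistics import mean, pstdev

COUNTER32_WRAP = 2 ** 32

def cumulative(start, increments, wrap=COUNTER32_WRAP):
    """Turn per-second increments into the cumulative, wrapping Counter32 an agent reports."""
    return [c % wrap for c in accumulate(increments, initial=start)]

# Constructed per-second increments (ipInReceives = tcp + udp + icmp here).
NORMAL_INCREMENTS = {
    "tcpInSegs":      [100, 104, 98, 101, 97, 103, 99, 102, 100, 96],
    "udpInDatagrams": [20, 22, 19, 21, 20, 18, 21, 20, 22, 19],
    "icmpInMsgs":     [2, 1, 3, 2, 2, 1, 2, 3, 2, 2],
    "ipInReceives":   [122, 127, 120, 124, 119, 122, 122, 125, 124, 117],
}
ATTACK_INCREMENTS = {
    "tcpInSegs":      [101, 99, 4800, 5100, 4950, 5200, 5050, 4900],
    "udpInDatagrams": [21, 19, 20, 22, 20, 21, 19, 20],
    "icmpInMsgs":     [2, 2, 1, 3, 2, 2, 2, 1],
    "ipInReceives":   [124, 120, 4821, 5125, 4972, 5223, 5071, 4921],
}
# What the manager actually sees: raw counters. tcpInSegs starts just below
# 2**32 so the normal window crosses a Counter32 wrap on purpose.
NORMAL_POLLS = {n: cumulative(COUNTER32_WRAP - 300 if n == "tcpInSegs" else 0, inc)
                for n, inc in NORMAL_INCREMENTS.items()}
ATTACK_POLLS = {n: cumulative(1_000_000, inc) for n, inc in ATTACK_INCREMENTS.items()}

def deltas(polls, wrap=COUNTER32_WRAP):
    """Per-interval rate from cumulative polls; the modulo turns a post-wrap
    drop into the right positive increment instead of a huge negative one."""
    return [(b - a) % wrap for a, b in zip(polls, polls[1:])]

def changed_variables(normal, observed, k=3.0):
    """Stage 1: which variables moved at the victim? Flag a variable when its
    observed mean rate sits more than k standard deviations above its baseline."""
    changed = {}
    for name, base in normal.items():
        base_rates, obs_rates = deltas(base), deltas(observed[name])
        sigma = pstdev(base_rates) or 1.0        # a flat baseline still needs a scale
        z = (mean(obs_rates) - mean(base_rates)) / sigma
        if z > k:
            changed[name] = round(z, 1)
    return changed

def relevant_variables(changed, signature):
    """Stage 2: keep the changed variables that the attack's known traffic
    explains (domain knowledge: mstream floods TCP ACKs, so tcpInSegs must rise)."""
    return [v for v in signature if v in changed]

def threshold(normal_rates, k=3.0):
    """Stage 3: one alarm limit per variable, taken from normal operation."""
    return mean(normal_rates) + k * pstdev(normal_rates)

def detect(rates, limit, consecutive=2):
    """Alarm only after `consecutive` intervals over the limit, so one legitimate
    burst does not trip it; return the index of the alarming interval or None."""
    run = 0
    for i, r in enumerate(rates):
        run = run + 1 if r > limit else 0
        if run >= consecutive:
            return i
    return None

def run_stages(normal=NORMAL_POLLS, observed=ATTACK_POLLS, signature=("tcpInSegs",), k=3.0):
    changed = changed_variables(normal, observed, k)
    relevant = relevant_variables(changed, signature)
    limits = {v: threshold(deltas(normal[v]), k) for v in relevant}
    alarms = {v: detect(deltas(observed[v]), limits[v]) for v in relevant}
    return {"changed": changed, "relevant": relevant, "limits": limits, "alarms": alarms}

if __name__ == "__main__":
    print(run_stages())
```

    Stage 1 picks up both tcpInSegs and ipInReceives, since every TCP
    segment is also an IP datagram; stage 2 keeps only the variable the
    attack signature explains; stage 3 raises the alarm in the second
    flooded interval. The baseline should be re-learned per host and time
    of day, because a threshold fitted to a quiet period will fire on
    ordinary peak-hour traffic.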

  • 9/9

    CONCLUSION:

    Pattern-based methods which try to detect the attacks result in
    errors. The anomaly method which we discussed is by far the best
    method for proactive detection of DDoS attacks. Depending on which
    DDoS attack is used, it is possible to send packets towards the
    offending address and cause the attacks to shut down. By using the
    Zombie Zapper program, it might be possible to shut off the attacking
    DDoS nodes.

    Further work is needed to train our system in high-capacity networks
    to improve the capacity of this system. To this day the hacking
    community is still at large, eyeing this area for exploitation.
