An Effectual Identification and Prevention OF DDOS Attacks in Web Using Divide-And-Conquer Algorithm


  • 8/12/2019 An Effectual Identification and Prevention OF DDOS Attacks in Web Using Divide-And-Conquer Algorithm

    1/6


    International Journal of Computer Networks and Communications Security

VOL. 1, NO. 6, NOVEMBER 2013, 272-277. Available online at: www.ijcncs.org. ISSN 2308-9830

An Effectual Identification and Prevention OF DDOS Attacks in Web Using Divide-And-Conquer Algorithm

T.R KAVITHA 1, G. VELMAYIL 2

1 Research Scholar, Department of Computer Science, Quaid-e-Millath College for Women, Tamilnadu, India

2 Assistant Professor, Department of Computer Science, Quaid-e-Millath College for Women, Tamilnadu, India

E-mail: 1 [email protected], 2 [email protected]

    ABSTRACT

In this modern computerized world, a large number of new technologies have been emerging. With the tremendous growth of internet services, websites are becoming indispensable; they are the common means through which information is made accessible to all. The possibility of sharing information through networking has been growing in geometrical progression. In this connection it is to be noted that network attacks, in other words DDoS attacks, are growing in equal proportion. When websites become accessible to a large number of users, the server may sometimes be overloaded due to maximum utilization; the result is that server performance goes down and processing becomes slow. Sharing of information is carried out by means of a server and a client: the client requests data from the server and the server provides the response to the client request. Here the client can degrade server performance by sending continuous or anomalous requests, so that the server performance becomes degraded. This paper discusses how best such performance degradation can be identified and prevented using the algorithm proposed in the methodology. In this work, blocking and prevention are done using a different mechanism based on the category of the client.

    Keywords: Server, Client, Response, Request, Degradation, Blocking, Category.

    1 INTRODUCTION

Of the several means of communication, the most commonly used technology is networking. Information is shared by sending and receiving requests and responses respectively. In the case of multiple requests to the same server, the server responds to the client requests in a FIFO manner. In this case, the server performance can be degraded by the multiple requests sent to the server by the clients; this is termed an attack [1]. This kind of attack may be avoided by means of the technique described in this paper under the term DDoS (Distributed Denial of Service). When the number of users accessing the website increases, the performance of the server goes down. Due to the heavy burden on the server, the response time gets delayed. When processing becomes slow, the proportion of users able to access the site also goes down, and the result is that server performance becomes degraded. Apart from this, degradation may also happen due to attacks by hackers.

When websites become accessible to a large number of users through the internet, the server may sometimes be overloaded due to maximum utilization. The result is that server performance goes down and processing becomes slow. The server simply accepts all requests, stores them in a queue and sends the responses continuously; hackers exploit this by generating high network traffic, which reduces the performance quality of the server. Due to the overload of the server, network traffic increases and consumes the server bandwidth. Hence intruders can easily attack their destination and make the site less popular by making its performance very slow


    Dr. E. Fariborzi, H. A. Kazemabad / International Journal of Computer Networks and Communications Security, 1 (6), November 2013

due to heavy traffic and overhead. The persons who cause this kind of performance degradation are termed hackers or intruders [7].

Hackers are persons who abuse or waste the server bandwidth unnecessarily in order to lower the server performance, thereby making the website unusable by the web users of the service. To deny intruders access to the website, this paper introduces a new technique for handling DDoS in a new manner. The proposed scheme implements a special kind of technique to recognize and prevent the attack carried out by hackers and to block them from using the site. Such an attack is termed Denial of Service; when it is carried out from among many web users it is commonly referred to as Distributed Denial of Service (DDoS) [3]. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its legitimate users [2].

    1.1 Problem Definition

Denial-of-service (DoS) attacks consist of an overwhelming quantity of packets being sent to a victim; these packets arrive in such high quantities that some key resource at the victim (network bandwidth, memory or I/O buffers, CPU time to compute responses) is quickly exhausted [14]. The victim subsequently either crashes or spends so much time handling the attack traffic that it cannot attend to its real work, thereby depriving legitimate clients of access to the victim. Distributed denial-of-service (DDoS) attacks are more sophisticated attacks in which multiple sources of traffic try to overwhelm the victim, often leading to a catastrophic failure of the service provided by the victim [17].

In paper [1], the client is blocked based upon the number of accesses made by the client: if the number of accesses exceeds a certain limit, the server stops responding to the client and the client is totally blocked. If this were implemented in a commercial organization, there is a possibility of blocking genuine customers as well, which would lead to customer dissatisfaction. To avoid this kind of problem, this paper provides an efficient methodology to block and prevent users based on their category, so that each user gets a response according to the categorization.

    2 PROPOSED METHOD

The next step of the proposed work is to categorize the anomalous clients who send the attack. This is carried out with the help of the database maintained in the first step. Based upon the entry in the database, the client category is detected: registered client or non-registered client. Non-registered clients are blocked temporarily until the peak period is over; registered clients are provided with a response in spite of the peak period. In the proposed methodology, two types of counts are maintained: the Access Count and the Warning Count. The Access Count is incremented every time the client sends a request. The Warning Count is incremented once whenever an unregistered client sends an anomalous request.

During the peak period, the non-registered client is blocked temporarily, and its access count is incremented by one along with its warning count. After the server's peak period, the client is unblocked and provided with the response. In this processing, the unregistered client is blocked permanently when the warning count reaches a certain limit; otherwise its request is processed and the response is provided to the client.

The proposed methodology not only prohibits access by unauthorized users (the non-registered clients) but also prohibits access by authorized users who send multiple requests too often. This is the core of the problem. Thus the first step in the proposed methodology is categorizing users as authorized or unauthorized. The next step is providing responses to the authorized users and blocking the unauthorized users. The unauthorized users are further categorized on the basis of two types of counts, namely access counts and warning counts. Users under the access count can be permitted to access the server even though they are considered unauthorized users. Implementing this methodology in an organization would thus provide both mechanisms: preventing unauthorized users and preventing the degradation of server performance.
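The registered/non-registered handling with its two counters, as an added worked example in Python (not code from the paper or its authors). The warning limit, the registry of client IPs and the request stream are constructed assumptions, since the paper only says "a certain limit"; the decision per request follows the text: registered clients are always answered, non-registered clients are blocked temporarily while the peak period lasts (both counts incremented), answered again once it is over, and blocked permanently when the warning count reaches the limit.

```python
"""Client categorisation with Access Count and Warning Count (section 2).

Added example, not the paper's own code. WARNING_LIMIT, the registry
and the request stream below are constructed values.
"""
from dataclasses import dataclass

WARNING_LIMIT = 3  # assumed threshold; the paper says "a certain limit"


@dataclass
class ClientRecord:
    ip: str
    registered: bool
    access_count: int = 0      # incremented on every request
    warning_count: int = 0     # incremented on anomalous peak-period requests
    permanently_blocked: bool = False


class CategoryFilter:
    """Decides, per request, whether the server answers the client."""

    def __init__(self, registry):
        self.registry = set(registry)   # IPs of registered clients (constructed)
        self.clients = {}

    def _record(self, ip):
        if ip not in self.clients:
            self.clients[ip] = ClientRecord(ip, ip in self.registry)
        return self.clients[ip]

    def handle(self, ip, peak_period):
        """Return 'respond', 'temp_block' or 'perm_block' for one request."""
        rec = self._record(ip)
        rec.access_count += 1
        if rec.registered:
            return "respond"            # registered: answered even at peak
        if rec.permanently_blocked:
            return "perm_block"         # warning limit already reached
        if not peak_period:
            return "respond"            # peak over: unblocked and answered
        rec.warning_count += 1          # anomalous request during peak
        if rec.warning_count >= WARNING_LIMIT:
            rec.permanently_blocked = True
            return "perm_block"
        return "temp_block"             # blocked until the peak period ends


def run_category_sample():
    """Constructed stream of (ip, peak_period) requests; returns decisions."""
    flt = CategoryFilter(registry={"10.0.0.5"})
    stream = [
        ("10.0.0.5", True),        # registered client during peak
        ("198.51.100.7", True),    # unregistered, peak -> warning 1
        ("198.51.100.7", False),   # peak over -> answered
        ("198.51.100.7", True),    # peak -> warning 2
        ("198.51.100.7", True),    # peak -> warning 3 -> permanent block
        ("198.51.100.7", False),   # stays blocked even off-peak
    ]
    return [flt.handle(ip, peak) for ip, peak in stream], flt


if __name__ == "__main__":
    decisions, flt = run_category_sample()
    for (ip, peak), decision in zip(
            [("10.0.0.5", True)] + [("198.51.100.7", p) for p in
                                    (True, False, True, True, False)], decisions):
        print(ip, "peak" if peak else "off-peak", "->", decision)
```

The access count keeps growing for a permanently blocked client, which is what lets an operator see how persistent a blocked source remains after the block; only the warning count is tied to the block decision.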

Once a hacker is identified and blocked, the intruder must then be denied service so that they cannot access the website. This is done by the proposed


DDoS Divide-and-Conquer Algorithm, which prevents them from accessing the website. The proposed methodology consists of an algorithm to maintain the user list and to prevent the attacks. The algorithm, named the DDoS Divide-and-Conquer Algorithm, and its explanation are given below.

    2.1 Block Diagram for Identification of Attacks

    Fig. 1. Identification of attacks under DDoS

    2.2 Flow Chart

The diagrammatic representation of the flow of the DDoS Divide-and-Conquer algorithm is given as a flowchart below:

    Fig. 2. Prevention of attacks using proposed algorithm

3 DDOS DIVIDE-AND-CONQUER ALGORITHM

STEP 1: GET HTTP Request from Clients

STEP 2: PARSE [HTTPHEADER]

STEP 3: STORE database entry details in the list (IP Addr, SessionID, Date, Time, S.no) -> TempTrack Table

STEP 4: Use Divide-and-Conquer Search Method (TempTrack, S.no.First, S.no.Last); IP is found

STEP 5: If Number of Session value is equivalent to Maximum value

STEP 6: Matched value of step 5 is true then Reduce Number of Session

STEP 7: Matched value of step 5 is false then Recheck Number of Session, GOTO STEP 8

STEP 8: If (Number of Session = 1 AND SessionRequest = High)

STEP 9: Matched value of step 8 is true then Deny Accessibility permissions to IP address

STEP 10: Matched value of step 8 is false then Recheck maximum Request, GOTO STEP 11

STEP 11: If (Number of Session > 1 AND SessionRequest = High)

STEP 12: Matched value of step 11 is true then End specified session

STEP 13: Matched value of step 11 is false then Recheck maximum request, GOTO STEP 14

STEP 14: If (TTL >= MAX)

STEP 15: Matched value of step 14 is true then the TTL value is exceeded and terminate the connection

STEP 16: Matched value of step 14 is false then do nothing

STEP 17: END

Divide-and-Conquer Search Method used in STEP 4:

// If the list has 2 or more items
Step 4.1: if (S.no.First < S.no.Last)

// See "Choice of pivot" section below for possible choices
Step 4.2: Choose any pivotIndex such that S.no.First <= pivotIndex <= S.no.Last

// Get lists of bigger and smaller items and final position of pivot
Step 4.3: pivotNewIndex := partition(TempTrack, S.no.First, S.no.Last, pivotIndex)

// Recursively sort elements smaller than the pivot
Step 4.4: DDOS(TempTrack, S.no.First, pivotNewIndex - 1)

// Recursively sort elements at least as big as the pivot
Step 4.5: DDOS(TempTrack, pivotNewIndex + 1, S.no.Last)

Step 4.6: function partition(TempTrack, S.no.First, S.no.Last, pivotIndex)

Step 4.7: pivotValue := TempTrack[pivotIndex]

// Move pivot to end
Step 4.8: swap TempTrack[pivotIndex] and TempTrack[S.no.Last]

Step 4.9: storeIndex := S.no.First

Step 4.10: for i from S.no.First to S.no.Last - 1 // S.no.First <= i < S.no.Last

Step 4.11: if TempTrack[i] < pivotValue

Step 4.12: swap TempTrack[i] and TempTrack[storeIndex]

Step 4.13: storeIndex := storeIndex + 1

// Move pivot to its final place
Step 4.14: swap TempTrack[storeIndex] and TempTrack[S.no.Last]

Step 4.15: return storeIndex

    3.1 Algorithm Explanation

The first step of the algorithm is to get the request from the user. In order to detect intruders, the entries of all users and their activities are maintained as history in the database. The history contains information about the users with their corresponding IP address, session id, entry time, date, serial number and the site they access. Based on this history, all the users accessing the server can easily be identified. Each user entering the internet is assigned a unique IP address; this IP address is also stored in the database along with the user's entry details, and the particular user can be identified by this IP address.

All these entry details are stored as a history list. If the list contains n items, the technique called the DDoS Divide-and-Conquer algorithm is applied: the list is partitioned using the D&C search method and the divided result is stored in the temporary track table. Using the user's entry details, the number of sessions is checked against the maximum value. If the match returns true, the number of sessions is reduced; otherwise it is rechecked against the maximum number of sessions. If the details do not match, it is checked whether the number of sessions is one while the session request value is at the maximum. If the details match, the user is treated as a blocked user and access is denied; otherwise the user is rechecked against the maximum session request value. If both matches return false, it is checked whether the number of sessions is more than one while the session request value is at the maximum; if this is true, that particular session is ended, otherwise the user is rechecked against the maximum number of session requests. Finally, the initial TTL (Time-To-Live) value is compared with the maximum assigned value. If the match returns true, the connection is terminated and the process ends; otherwise the request is accepted and the response is provided to the user efficiently. Thus this algorithm provides a better method to block and prevent intruders from accessing the web page.
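The whole of section 3 (the STEP 1-17 listing and the explanation above) as an added, runnable Python example; it is not the authors' implementation. The track-table rows, the request counts per session and the three thresholds (MAX_SESSIONS, HIGH_REQUEST_RATE, MAX_TTL) are constructed assumptions, because the paper names the fields and the checks but gives no numbers; "SessionRequest = High" is taken here to mean the latest session's request count reaching HIGH_REQUEST_RATE. The example goes slightly beyond the listing in one place: the step 5 comparison uses `>=` rather than equality so that a table that already exceeds the maximum is still caught.

```python
"""DDoS Divide-and-Conquer algorithm (section 3, steps 1-17).

Added example, not the authors' implementation. Thresholds, the
track-table rows and the request counts are constructed assumptions:
the paper names the fields and checks but gives no numbers.
"""
from dataclasses import dataclass

MAX_SESSIONS = 3        # assumed "Maximum value" of step 5
HIGH_REQUEST_RATE = 50  # assumed boundary for SessionRequest = High
MAX_TTL = 100           # assumed MAX of step 14


@dataclass
class TrackRow:
    """One entry of the temporary track table (step 3)."""
    sno: int          # serial number S.no
    ip: str
    session_id: str
    date: str
    time: str
    requests: int     # requests seen in this session (constructed field)
    ttl: int          # time-to-live counter of the connection


def partition(track, first, last, pivot_index):
    """Steps 4.6-4.15: Lomuto partition of track[first..last] on S.no."""
    pivot_value = track[pivot_index].sno
    track[pivot_index], track[last] = track[last], track[pivot_index]
    store = first
    for i in range(first, last):
        if track[i].sno < pivot_value:
            track[i], track[store] = track[store], track[i]
            store += 1
    track[store], track[last] = track[last], track[store]
    return store


def ddos_sort(track, first, last):
    """Steps 4.1-4.5: quicksort the track table in place by S.no."""
    if first < last:
        pivot_index = (first + last) // 2   # any index in [first, last] is allowed
        new_index = partition(track, first, last, pivot_index)
        ddos_sort(track, first, new_index - 1)
        ddos_sort(track, new_index + 1, last)
    return track


def find_ip(track, ip):
    """Step 4: split the table in halves and collect the rows of one IP."""
    if len(track) <= 1:
        return [row for row in track if row.ip == ip]
    mid = len(track) // 2
    return find_ip(track[:mid], ip) + find_ip(track[mid:], ip)


def decide(track, ip):
    """Steps 5-17: the action the server takes for the rows of one IP."""
    rows = find_ip(track, ip)
    if not rows:
        return "not_found"
    n_sessions = len({row.session_id for row in rows})
    latest = max(rows, key=lambda row: row.sno)
    high = latest.requests >= HIGH_REQUEST_RATE   # SessionRequest = High
    if n_sessions >= MAX_SESSIONS:       # step 5/6 (>= also catches overshoot)
        return "reduce_sessions"
    if n_sessions == 1 and high:         # step 8/9
        return "deny_ip"
    if n_sessions > 1 and high:          # step 11/12
        return "end_session:" + latest.session_id
    if latest.ttl >= MAX_TTL:            # step 14/15
        return "terminate_connection"
    return "respond"                     # step 16: do nothing, answer normally


def build_sample_table():
    """Constructed track table with serial numbers deliberately out of order."""
    d, t = "2013-11-01", "10:00"
    return [
        TrackRow(4, "203.0.113.9", "s1", d, t, 80, 10),
        TrackRow(1, "192.0.2.10", "s2", d, t, 5, 10),
        TrackRow(7, "198.51.100.4", "s7", d, t, 1, 10),
        TrackRow(3, "203.0.113.9", "s3", d, t, 70, 10),
        TrackRow(2, "192.0.2.11", "s4", d, t, 90, 10),
        TrackRow(6, "198.51.100.4", "s6", d, t, 1, 10),
        TrackRow(5, "192.0.2.12", "s5", d, t, 2, 150),
        TrackRow(8, "198.51.100.4", "s8", d, t, 1, 10),
    ]


def run_algorithm_sample():
    """Sort the sample table, then decide for every distinct IP."""
    table = ddos_sort(build_sample_table(), 0, 7)
    snos = [row.sno for row in table]
    ips = sorted({row.ip for row in table}) + ["10.9.9.9"]  # last one is absent
    return snos, {ip: decide(table, ip) for ip in ips}


if __name__ == "__main__":
    for ip, action in run_algorithm_sample()[1].items():
        print(ip, "->", action)
```

Each IP in the constructed table exercises one branch of the listing: three sessions triggers the reduction of step 6, a single session with a high request count is denied under step 9, two sessions with a high count end only the latest session under step 12, and an exhausted TTL terminates the connection under step 15; a quiet client falls through to the response of step 16.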

    4 EXPERIMENTAL RESULTS

The experimental result of this paper is obtained by implementing the algorithm in a suitable area such as a commercial website. In this commercial site, we categorize the users into two groups: Registered Users and Non-Registered Users. First, the Registered Users are allowed to access the site. They send the request and wait for the response. To this kind of user, the server provides the response without analysing the request; for each and every request of the registered users, a response is provided. After this, the second category of users, namely unregistered users, are allowed to access the server. If such an unauthorized user is found accessing the server during the peak hour, the request is temporarily blocked and the client is added to the warning count list. These users are again monitored to see whether they exceed the threshold limit. If they do, they are categorized under the block list permanently; if they are found accessing the site within the threshold limit, they are allowed to access the site. Once a hacker is identified and blocked, that unauthorized user is not provided with service, so as to deny the intruder access to the website. This is done by the proposed DDoS Divide-and-Conquer Algorithm, which prevents them from accessing the website. Thus the experimental setup was constructed, the demonstration was made and the entries were noted, in order to identify and prevent attacks and to distinguish between the attacks made by both kinds of users.


    5 CONCLUSION

The aim of this paper is to study and devise efficient and practical algorithms to tackle website-based distributed denial-of-service attacks. It focuses on identifying and preventing the attack carried out by hackers and blocking them from using the site, and it also shows how best the degradation of performance can be prevented by using the N-factor DDoS Divide-and-Conquer algorithm proposed in the methodology, so as to improve server performance and deny accessibility permissions to the hackers.

In this work the blocking is done using a different mechanism based on user categorization. Tracing back attackers on a global scale is always a difficult and tedious task; to increase the accuracy of finding attackers, this work uses categorization and the Divide-and-Conquer method. The method is invoked by monitoring server load and network traffic and acting when they attain their maximal value. Hence there is no traffic congestion for web users accessing the web server, the storage overhead is minimal and the method is effective. Thus the proposed algorithm is suitable for satisfying the organization's requirements. This paper makes an attempt to provide an efficient and well-suited algorithm to identify the attack or threat made by users on server performance and to prevent the server from that kind of attack. In future, this algorithm can be enhanced with proper steps to satisfy a large number of requests.

    6 REFERENCES

[1] K. Kuppusamy and S. Malathi, "An Effective Prevention of Attacks using GI Time Frequency Algorithm under DDoS," IJNSA Journal, Vol. 3, No. 6, November 2011, pp. 249-257.

[2] Tsz Yeung Wong, "On Tracing Attackers of Distributed Denial-of-Service through Distributed Approaches," Ph.D. thesis, The Chinese University of Hong Kong, September 2007.

[3] M. Muthuprasanna and G. Manimaran, "Distributed divide-and-conquer techniques for effective DDoS attack defense," Iowa State University, Ames.

[4] K. Park and H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," in Proc. ACM SIGCOMM, San Diego, CA, August 2001.

[5] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: source address validity enforcement protocol," in INFOCOM, June 2002.

[6] F. Baker, "Requirements for IP version 4 routers," RFC 1812, June 1995.

[7] C. Jin, H. Wang, and K. Shin, "Hop-count filtering: An Effective Defense Against Spoofed DDoS traffic," in Proceedings of the 10th ACM Conference on Computer and Communications Security, October 2003.

[8] Kihong Park and Heejo Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack," Network Systems Lab, Department of Computer Sciences, Purdue University, West Lafayette.

[9] Junaid Israr, Mouhcine Guennoun, and Hussein T. Mouftah, "Mitigating IP Spoofing by Validating BGP Routes Updates," IJCSNS, Vol. 9, No. 5, May 2009, pp. 71-76.

[10] "Internet Attack Methods and Internet Security Technology," Second Asia International Conference on Modelling & Simulation, 2008.

[11] Cliff C. Zou, Nick Duffield, Don Towsley, and Weibo Gong, "Adaptive Defense Against Various Network Attacks," University of Massachusetts and AT&T Labs Research, Florham Park, NJ, 2006.

[12] Guangsen Zhang, "Decentralized Information Sharing for Detection and Protection against Network Attacks," Ph.D. thesis, January 2006.

[13] Shigeyuki Matsuda, Tatsuya Baba, Akihiro Hayakawa, and Taichi Nakamura, "Design and Implementation of Unauthorized Access Tracing System," Proceedings of the 2002 Symposium on Applications and the Internet (SAINT'02), IEEE, 2002.

[14] William Stallings, Network Security Essentials: Applications and Standards, Fourth Edition, Pearson Education.

[15] Larry Rogers, "What Is a Distributed Denial of Service (DDoS) Attack and What Can I Do About It?" February 2004, http://www.cert.org/homeusers/ddos.html

[16] Chirala Lokesh, B. Raveendra Naick, and G. Nagalakshmi, "ETM: a novel Efficient Traceback Method for DDoS Attacks," International Journal of Computer Science and Management Research, Vol. 1, Issue 3, October 2012.

[17] "Distributed Denial of Service Tools," http://www.cert.org/incident_notes/IN-99-07.html

[18] http://en.wikipedia.org/wiki/Divide_and_conquer_algorithm


    AUTHOR PROFILES:

T.R Kavitha received the Master degree in Computer Technology (five years integrated course) from St. Josephs College of Engineering, Anna University, Chennai, Tamilnadu in 2011. She is a research student of Quaid-e-Millath College for Women, Chennai, Tamilnadu. She is pursuing the M.Phil degree in Computer Science in the field of computer networks. Currently, she is an Assistant Professor at Meenakshi College for Women, Chennai, Tamilnadu, India. Her research interests include DDoS attacks and Network Security.

G. Velmayil is an Assistant Professor in the Department of Computer Science, Quaid-E-Millath Govt College for Women (Autonomous), Madras University, Chennai, Tamilnadu, India. She received the Master degree in Computer Applications and the M.Phil degree in Computer Science from Bharathidasan University and has 17 years of teaching experience. She has organized various workshops, seminars and conferences. She is currently pursuing her Ph.D in the field of computer networks. Her research interests include DDoS attacks, IP Spoofing and Network Security.