
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 11, November 2013)

A Game Theoretic Approach for SYN Flood Attacks of Web Server

B. Basaveswara Rao¹, K. Chandan², K. Gangadhara Rao³

¹Computer Centre, ²Department of Statistics, ³Department of CSE, Acharya Nagarjuna University, Guntur-522501, A.P., INDIA

Abstract - In this paper, a non-cooperative two-person zero-sum static game (within a discrete interval of time) is formulated and analyzed for the interaction between the SYN flood attacker and the web server administrator. The SYN flood game (SFG) payoffs are calculated using an Erlang loss queueing model. The solution of the SFG leads to a mixed strategy, which is analyzed for different scenarios; numerical illustrations are also provided. The SFG is beneficial to the attacker even when the defender is defending at the maximum level. This theoretical treatment of the SFG helps the web server administrator to take care of SYN flood attacks and to provide better security by tuning the TCP connection keep-alive time (tout) parameter.

Keywords - Blocking probability, Erlang loss queueing model, SYN flood attacks, Two person zero sum game, Web server.

I. INTRODUCTION

The Internet is constantly under threat from network attacks. Many defense methods and systems have been proposed to deal with these attacks. They would typically first detect the ongoing attack traffic and then block (filter) it if needed. A SYN flood attack is one type of degrading attack, and it is especially devastating because there is no way to detect it a priori. In fact, this is the method that brought several web portals to a standstill.

Research on SYN flood attacks has traditionally employed static protective measures, which are not sufficient to secure a complex network system. The SYN flooding architecture is a passive information-processing paradigm, and it is a big challenge to take correct, optimal, proactive real-time defense decisions during the early stages of the attack. Game theoretic analysis is useful for analyzing, modeling and providing decision and control processes for network security. However, very little work has been done on computing the game value using Erlang loss queueing models. Game theory plays an important role in many practical situations such as SYN flooding, bandwidth attacks and intruder detection. The objective of this paper is to formulate the SFG and calculate the game values analytically using the Erlang loss queueing model, and then to identify the defender's loss when defending against SYN attacks and when not defending.

II. LITERATURE SURVEY

In recent years game theory has been proposed in several studies for the theoretical analysis of networks, specifically the Internet. Tansu Alpcan and Tamer Basar (2003) studied attacker–defender problems in sensor networks. The same authors (2004) presented a game theoretic approach to intrusion detection in virtual sensor networks. Peng Liu and Wanyu Zang (2003) worked on a general incentive-based method to model Attacker Intent, Objectives and Strategies (AIOS), and adopted a game theoretic approach to infer AIOS. Lye and Wing (2005) used a game theoretic method to analyze the security of computer networks. Yu Liu et al. (2006a) formulated both zero-sum and non-zero-sum games for attacker–defender interaction. In another paper (2006b) they suggested a new Bayesian hybrid detection approach for the defender, in which a lightweight monitoring system is used to estimate the opponent's actions and a heavyweight monitoring system acts as the last resort of defense. The same authors (2006c) proposed a new Bayesian hybrid detection system for the defender, which balances energy costs and monitoring gains. Mark E. Snyder et al. (2007) modeled the defender as a coarse-grained, relative-volume-based statistical filter. Wei Sun et al. (2008) analyzed information security in E-Commerce based on game theory and applied it to information security.

III. FORMULATION OF SFG

In this paper only a single attacker and a single defender in the system of a web server under SYN flooding attack are considered. It is assumed that at any point of time one client is an attacker. The remaining clients are legitimate, and there is only one defending software tool installed within the web server, which has only one type of strategy for defending against SYN flooding, i.e. tuning the time-out value. The Backlog Queue is a victim of the static resource structure in the server domain. The attacker aims to saturate the Backlog Queue without being detected, whereas the defender tries hard to detect the attack at the earliest to avoid the dropping of legitimate connections due to overflow of the Backlog Queue.

We propose a theoretical game approach for SYN flooding attacks. In this game model the interaction between the administrator and the attacker is modeled as a non-cooperative two-person zero-sum game with incomplete information. The game is non-cooperative because the administrator and the attacker have different goals and do not share a common goal of optimum utilization of the system. The administrator's main objective is to improve QoS for the legitimate clients and to complete the service of more legitimate clients within time, whereas the attacker's objective is to create an environment in which the service of legitimate clients is delayed and more legitimate clients are rejected within a short span of time. The goals of the two players are conflicting and quite opposite to each other, so the SFG is a non-cooperative game.

In the SFG the administrator's payoff decreases when the attacker increases the SYN flood rate, and the monetary benefit to the administrator also decreases because of the number of legitimate clients getting rejected, whereas the attacker may not have any monetary benefit but gains substantial malicious satisfaction. An increase in one player's payoff implies a decrease in the other player's payoff, so the SFG has to be formulated as a zero-sum game. Both players select their strategy choices simultaneously without knowledge of their counterpart's choice, so this is a static game, and the outcomes for the defender are presented in the payoff matrix.

In our game model, the attacker has two options “attack” and “not to attack”. The defender also has two strategies “monitor” and “not to monitor”.

3.1 Payoff Matrix

The outcomes of the SFG are classified into four scenarios. The outcome of each scenario from the defender's side is explained below and the payoff matrix is formulated.

(i) If the attacker attacks and the defender is monitoring the server, then the defender's payoff is g - cm, where cm is the defender's monitoring cost (the utilization cost of resources such as memory and CPU time, plus the cost of executing the defending software). The monitoring cost includes detection cost and defending cost, and the defender defends as long as g ≥ cm. In this scenario both attacker and defender are active, so it is called the ADA scenario.

(ii) If the attacker attacks and the defender is not monitoring, then the defender's payoff is -g, because some of the legitimate connections would fail. In this scenario only the attacker is active, so it is called the AA scenario.

(iii) If the attacker is not attacking and the defender is monitoring the server, then the payoff is -ca, where ca is the cost of implementing the detection mechanism, and the defender detects as long as g ≥ ca. In this scenario only the defender is active, so it is called the DA scenario.

(iv) If the attacker is not attacking and the defender is also not monitoring the server, the payoff is 0. In this scenario neither attacker nor defender is active, so it is called the ADNA scenario.

From the outcomes of the defender one can clearly see that the SFG is feasible if and only if g ≥ cm > ca. The payoff matrix is formulated as follows:

                                               Attacker
                                     Attack (strategy-I)   Not to attack (strategy-II)
Defender                                      q                       1-q
Monitor (strategy-1)           p           g - cm                    -ca
Not to Monitor (strategy-2)    1-p           -g                        0

3.2 SFG Analysis

Minmax (–ca) ≠ maxmin (0), hence there is no saddle point. In this case a mixed strategy evolves. The game value v, the defender's probability p of playing strategy-1 (monitor) and the attacker's probability q of playing strategy-I (attack) are calculated as follows:

v = [(g – cm)(0) – (–ca)(–g)] / [(g – cm) + 0 – (–ca – g)] = –g·ca / (2g + ca – cm),

p = [0 – (–g)] / [(g – cm) + 0 – (–ca – g)] = g / (2g + ca – cm),

The values of cm and ca are known to the defender in advance as constants, based on the chosen defence and detection mechanisms. But the value of g depends on the attacker's attacking efficiency and on the efficiency of the defender's defending mechanism. So g is the crucial value for finding v, p and q. For this reason we provide a procedure for calculating g using the Erlang loss queueing model in the next section.

IV. CALCULATION OF G VALUE

To calculate the gain value for both attacker and defender, a website served by a single web server is considered. The web clients access the website and get information from static or dynamic web pages. For any commercial web site administrator, the main objective is to maximize revenue and to provide good service to legitimate users. To fulfil this, the administrator tries to reduce the failure of legitimate connections and to protect the server from attacks. The g value depends on the number of legitimate connections successfully completed. Daniel Boteanu (2007) analyzed and tested the server under Denial of Service (DoS) attack as an M/M/C/C queueing model, where C is the maximum number of half-open connections that can be served at the same time. We use this analytical model for our calculations. The attacker generates TCP connections at the rate λm and the legitimate users generate TCP connections at the rate λl. The legitimate connection holding rate is µl and the attacker TCP connection holding rate is µm = 1/tout, where tout is the time-out value of the TCP connection. The overall TCP connection arrival rate of all users is λ and the overall TCP connection holding rate is µ. The TCP connection traffic intensity is defined as ρ = λ/µ. The calculation procedure for ρ is given in Annexure-I from an original tcpdump output, captured while the server is not under attack. Pe is the connection dropping probability, µl is the legitimate connection service rate and Ce is the connection expired probability (the server tried to serve the connection but did not succeed within the timeout value). A connection failure occurs when the connection is either rejected or expired. The connection-failed probability (Cf) is defined as the sum of the connection rejected probability B(ρ, C) and the connection expired probability Ce. From Gross and Harris (1985), the Erlang loss formula is

B(ρ, C) = (ρ^C / C!) / Σ_{s=0}^{C} (ρ^s / s!)

Daniel Boteanu et al. (2007) calculated the connection failed probability as Cf = B(ρ, C) + Ce, where Ce = Pe(1 – B(ρ, C)) and Pe = e^(–tout·µc); µc is the completion rate of legitimate connections. Then the value of g is calculated as

g = (1 – Cf) · λl · r. (1)

where r is defined as the revenue for each completed legitimate connection.

The gains for the attacker and defender are calculated from the current Backlog Queue parameters λl, λm and µc. Since the SFG is a static game within a discrete interval of time but a dynamic game over a period of time, the values of λl, λm and µc are collected in discrete intervals of time. In this paper we study only the static nature of the SFG. The calculation of g is as follows:

(i) Assign the configured values of tout and C. Assign the values for λl, λm and µc.

(ii) Calculate Pe and µl = µc / (1 – Pe).

(iii) Calculate µ = [µl · µm · (λl·µm + λm·µl)] / (λm·µl² + λl·µm²).

(iv) Calculate ρ = (λl + λm) / µ and B(ρ, C).

(v) Calculate g as per equation (1).
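The following Python program is an added example, not code from the paper or its authors. It implements the five-step g calculation above together with the SFG solution of section 3.2, so that an administrator can plug in measured λl, λm and µc values and see the resulting game value v and the monitoring probability p. The Erlang loss probability uses the standard numerically stable recursion rather than evaluating ρ^C/C! directly (for C = 1024 the factorial overflows a double). The paper prints closed forms for v and p only; q is obtained here from the same 2x2 zero-sum formula, and the general solver also checks for a saddle point, which the paper rules out by the minmax/maxmin argument. Input values are the Annexure-I and section V figures (tout = 50 s, C = 1024, λm = 35 con/sec, µc = 3.73 con/sec, λl = 2 con/sec, r = 10, cm = 5, ca = 2); the numbers it prints come from these formulas and are not copied from the paper.

```python
import math


def erlang_b(rho, capacity):
    """Erlang loss (blocking) probability B(rho, C) for offered load rho and
    C servers, i.e. C half-open slots in the backlog queue. Standard recursion
    B_n = rho*B_{n-1} / (n + rho*B_{n-1}), which avoids rho**C / C! overflow."""
    b = 1.0
    for n in range(1, capacity + 1):
        b = rho * b / (n + rho * b)
    return b


def g_value(tout, capacity, lam_l, lam_m, mu_c, r):
    """Defender's gain g by the paper's procedure: Pe, mu_l, mu, rho, B(rho, C),
    then g = (1 - Cf) * lam_l * r. Returns the intermediate values too."""
    pe = math.exp(-tout * mu_c)            # connection expired probability
    mu_l = mu_c / (1.0 - pe)               # legitimate connection holding rate
    mu_m = 1.0 / tout                      # attacker holding rate = 1/timeout
    mu = (mu_l * mu_m * (lam_l * mu_m + lam_m * mu_l)) / (
        lam_m * mu_l ** 2 + lam_l * mu_m ** 2
    )
    rho = (lam_l + lam_m) / mu             # traffic intensity
    b = erlang_b(rho, capacity)            # connection rejected probability
    ce = pe * (1.0 - b)                    # expired but not rejected
    cf = b + ce                            # connection failed probability
    g = (1.0 - cf) * lam_l * r
    return {"pe": pe, "mu": mu, "rho": rho, "B": b, "Cf": cf, "g": g}


def solve_2x2_zero_sum(m):
    """General 2x2 zero-sum game, m = [[a, b], [c, d]] = row player's payoffs.
    Returns (value, p, q): p = probability of row 1, q = probability of column 1.
    A saddle point (maxmin == minmax) yields pure strategies."""
    (a, b), (c, d) = m
    row_mins = [min(a, b), min(c, d)]
    col_maxs = [max(a, c), max(b, d)]
    maxmin, minmax = max(row_mins), min(col_maxs)
    if maxmin == minmax:
        p = 1.0 if row_mins[0] == maxmin else 0.0
        q = 1.0 if col_maxs[0] == minmax else 0.0
        return maxmin, p, q
    denom = a + d - b - c
    return (a * d - b * c) / denom, (d - c) / denom, (d - b) / denom


def solve_sfg(g, cm, ca):
    """Payoff matrix of section 3.1 (rows: monitor / not monitor; columns:
    attack / not attack) solved for the defender."""
    if not (g >= cm > ca):
        raise ValueError("SFG is feasible only if g >= cm > ca")
    return solve_2x2_zero_sum([[g - cm, -ca], [-g, 0.0]])


def sfg_closed_form(g, cm, ca):
    """Closed forms: the paper's v and p, plus q = ca/(2g + ca - cm), which is
    the same 2x2 formula applied to the attacker (the paper does not print it)."""
    denom = 2 * g + ca - cm
    return -g * ca / denom, g / denom, ca / denom


if __name__ == "__main__":
    stats = g_value(tout=50, capacity=1024, lam_l=2, lam_m=35, mu_c=3.73, r=10)
    v, p, q = solve_sfg(stats["g"], cm=5, ca=2)
    print(f"mu={stats['mu']:.4f} rho={stats['rho']:.1f} B={stats['B']:.4f} g={stats['g']:.3f}")
    print(f"v={v:.4f}  defender monitors with p={p:.4f}  attacker attacks with q={q:.4f}")
```

The sign of v tells the administrator whether the configured tout leaves the game in the attacker's favour; rerunning `g_value` over a range of tout values reproduces the kind of sweep shown in the paper's figures.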

V. NUMERICAL EXAMPLES

This section presents the application of different strategies under different scenarios to evaluate the formulated SFG as an analytical model. Since both payoffs depend on g, we study the attacker's attacking strategy. The case where the attacker attacks and the defender monitors is called the Attacker and Defender Active scenario (ADA). The case where the attacker attacks and the defender does not monitor is called the Attacker Active scenario (AA). For both scenarios the value of g is calculated, and then the values of v, p and q are calculated for different values of λm and µm, whereas in the AA scenario the value of µm is taken as constant. We assign the values r = 10 units, cm = 5 units, ca = 2 units and C = 1024 half-open connections. The values λl = 2 con/sec and µc = 3.73

[Figure 1: Effect on v, p, q in ADA scenario for various values of λm and tout. Plot of v, p and q (vertical axis from –2.0 to 1.0) against the λm-tout pairs 10-75, 15-70, 20-65, 25-60, 30-55, 35-50, 40-45, 45-40, 50-35, 55-30, 60-25, 65-20, 70-15, 75-10, 80-5, 85-2; image not reproduced.]

From Fig. 1 it is observed that:

(i) For the given combinations of λm and tout, the value of v decreases up to λm = 40 con/sec and tout = 45 sec and then slightly increases.

(ii) For the given combinations of λm and tout, the p and q values increase up to λm = 40 con/sec and tout = 45 sec and then slightly decrease.

(iii) The defender gets no further benefit from tuning the value of tout beyond tout = 45 sec.

[Figure 2: Effect on v, p, q in AA scenario for various values of λm and tout = 75 sec. Plot of v, p and q (vertical axis from –0.6 to 0.6) against λm = 10, 15, 20, ..., 85; image not reproduced.]

From Fig. 2 it is observed that for the given combinations of λm and tout, the v, p and q values increase up to λm = 50 con/sec and then stabilize as λm increases further.

The Pe value is almost zero when the tout value is greater than 30 for the constant value µc = 3.73 con/sec. In this case Ce is also zero, so B(ρ, C) becomes the connection failed probability.

VI. CONCLUSIONS

In this paper, a game theoretical approach for SYN flooding defending system called as a SFG model is

In our SFG model, the g value is calculated on the basis of the Erlang loss queueing model with the web server in normal and attack modes. This static game solution leads to a mixed strategy, and the game is beneficial to the attacker even though the defender is defending at the maximum level. The maximum loss for the defender, for any attacking rate, is g·ca/(2g + ca – cm). From Fig. 1 and Fig. 2, the trends of v, p and q show that the ADA scenario is better than the AA scenario. This game theoretical approach provides knowledge for administrators in terms of “the damage factor”, and how to defend against SYN flood attacks by properly tuning the timeout value.

A similar approach can be extended to other defending strategies, such as queue-length based adaptive control and SYN request arrival control, and to the analysis of non-cooperative non-zero-sum games.

Annexure – I

The tcpdump output data captured at a web server under normal mode is given below for the calculation of λl and µc. This sample data refers to one connection that is established in a period of one second.

18:37:50.472172 IP 209.191.87.218.40132 > 202.111.173.73.80: S 3627804073:3627804073(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 4099998509 0>
18:37:50.472236 IP 202.111.173.73.80 > 209.191.87.218.40132: S 1936844947:1936844947(0) ack 3627804074 win 5792 <mss 1460,nop,nop,timestamp 1294611877 4099998509,nop,wscale 2>
18:37:50.738073 IP 209.191.87.218.40132 > 202.111.173.73.80: . ack 1 win 33304 <nop,nop,timestamp 4099998535 1294611877>
18:37:50.741358 IP 209.191.87.218.40132 > 202.111.173.73.80: P 1:150(149) ack 1 win 33304 <nop,nop,timestamp 4099998536 1294611877>
18:37:50.741405 IP 202.111.173.73.80 >
18:37:50.743914 IP 202.111.173.73.80 > 209.191.87.218.40132: P 1:266(265) ack 150 win 1448 <nop,nop,timestamp 1294612148 4099998536>
18:37:50.744085 IP 202.111.173.73.80 > 209.191.87.218.40132: F 266:266(0) ack 150 win 1448 <nop,nop,timestamp 1294612148 4099998536>
18:37:51.009908 IP 209.191.87.218.40132 > 202.111.173.73.80: . ack 267 win 33171 <nop,nop,timestamp 4099998562 1294612148>
18:37:51.013097 IP 209.191.87.218.40132 > 202.111.173.73.80: F 150:150(0) ack 267 win 33304 <nop,nop,timestamp 4099998563 1294612148>
18:37:51.013119 IP 202.111.173.73.80 > 209.191.87.218.40132: . ack 151 win 1448 <nop,nop,timestamp 1294612418 4099998563>
18:37:51.063282 IP 209.191.87.218.40135 > 202.111.173.73.80: S 761883291:761883291(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 4099998568 0>

From the above TCP connection one can observe that the SYN packet arrived at the server at 18:37:50.472172. The server responded to the SYN request at 18:37:50.472236 with SYN-ACK. Then the client responded at 18:37:50.738073 with ACK. Now the connection is established by the three-way handshake mechanism. The connection is closed at 18:37:51.009908 by the four-way handshake mechanism. The connection holding time in the half-open state is the difference between the connection arrival time and the completion time of the three-way handshake. In the one-second interval there is one SYN request in the data, so the connection arrival rate λl is 1 con/sec. Then the service time or holding time of the connection in the half-open state is (18:37:50.738073 – 18:37:50.472172) = 267901 ms. Taking this holding time as the average holding time, the holding rate or service rate µc is 3.73 con/sec.

If the configured value of tout is 50 sec, C is 1024 half-open connections and the attacker's attack rate λm is 35 con/sec, then the calculated values are µ = 0.02 con/sec, ρ = 1800 and B(ρ, C) = 0.48808, i.e. approximately 50% of legitimate connections are blocked.
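The measurement just described can be automated. The parser below is an added example, not code from the paper: it reads tcpdump records of the form shown in Annexure-I, opens a half-open entry for every SYN addressed to the server, closes it when the same client's first ACK arrives, and derives λl (SYN arrivals per second of capture window) and µc (the reciprocal of the mean half-open holding time). The sample is constructed from the Annexure-I handshake packets rejoined into one record per line; the server endpoint `202.111.173.73.80` and the one-second window are assumptions passed in by the caller. The second SYN (port 40135) never completes within the capture, so the code also reports which clients are still half-open, which is exactly the quantity an administrator watches when the backlog starts filling.

```python
import re
from datetime import datetime

# Constructed sample: Annexure-I packets, one tcpdump record per line. The SYN
# from port 40135 is never answered with an ACK in the capture and stays half-open.
SAMPLE = """\
18:37:50.472172 IP 209.191.87.218.40132 > 202.111.173.73.80: S 3627804073:3627804073(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 4099998509 0>
18:37:50.472236 IP 202.111.173.73.80 > 209.191.87.218.40132: S 1936844947:1936844947(0) ack 3627804074 win 5792 <mss 1460,nop,nop,timestamp 1294611877 4099998509,nop,wscale 2>
18:37:50.738073 IP 209.191.87.218.40132 > 202.111.173.73.80: . ack 1 win 33304 <nop,nop,timestamp 4099998535 1294611877>
18:37:50.741358 IP 209.191.87.218.40132 > 202.111.173.73.80: P 1:150(149) ack 1 win 33304 <nop,nop,timestamp 4099998536 1294611877>
18:37:51.063282 IP 209.191.87.218.40135 > 202.111.173.73.80: S 761883291:761883291(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 4099998568 0>
"""

# One tcpdump record: timestamp, source endpoint, destination endpoint, TCP flag
# letters ("S", ".", "P", "F"), then the rest of the summary line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+)(?P<rest>.*)$"
)


def parse_ts(text):
    """tcpdump HH:MM:SS.uuuuuu timestamp -> datetime (the date part is unused)."""
    return datetime.strptime(text, "%H:%M:%S.%f")


def half_open_stats(dump, server, window_seconds):
    """Track SYNs towards `server`; the client's first ACK completes the
    handshake. Returns lambda_l (SYN arrival rate over the window), mu_c
    (1 / mean half-open holding time) and the clients still half-open."""
    pending = {}          # client endpoint -> arrival time of its first SYN
    holding = []          # seconds each completed connection spent half-open
    syn_count = 0
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != server:
            continue      # malformed record or packet not addressed to the server
        ts, src = parse_ts(m["ts"]), m["src"]
        carries_ack = " ack " in m["rest"]
        if m["flags"] == "S" and not carries_ack:
            syn_count += 1
            pending.setdefault(src, ts)             # a retransmitted SYN keeps the first time
        elif carries_ack and src in pending:        # third packet of the handshake
            holding.append((ts - pending.pop(src)).total_seconds())
    mean_hold = sum(holding) / len(holding) if holding else None
    return {
        "syn_count": syn_count,
        "lambda_l": syn_count / window_seconds,
        "holding_times": holding,
        "mu_c": (1.0 / mean_hold) if mean_hold else None,
        "still_half_open": sorted(pending),
    }


if __name__ == "__main__":
    print(half_open_stats(SAMPLE, server="202.111.173.73.80", window_seconds=1.0))
```

The returned holding time is the raw timestamp difference in seconds, so µc follows directly from it; feeding `lambda_l` and `mu_c` into the g calculation of section IV closes the loop from packet capture to game value.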

REFERENCES

[1] Daniel Boteanu, Jose M. Fernandez, John McHugh, and John Mullins, “Queue management as a DoS counter-measure?,” in Proc. Information Security Conference (ISC), 2007.

[2] Huiquiang Wang, Ying Liang, Xiaowu Liu, “Stochastic Game Theoretic Method of Quantification for Network Situational Awareness,” International Conference on Internet Computing in Science and Engineering, pp. 312-316, 2008.

[3] Kong-wei Lye and Jeannette M. Wing, “Game Strategies in Network Security,” International Journal of Information Security, vol. 4, pp. 71-86, 2004.

[4] Mark E. Snyder, Ravi Sundaram, Mayur Thakur, “A Game-theoretic Framework for Bandwidth Attacks and Statistical Defenses,” IEEE Conference on Local Computer Networks, pp. 556-566, 2007.

[5] Peng Liu and Wanyu Zang, “Incentive-Based Modeling and Inference of Attacker Intent, Objectives, and Strategies,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS03), pp. 179-189, 2003.

[6] Tansu Alpcan and Tamer Basar, “A Game Theoretic Approach to Decision and Analysis in Network Intrusion Detection,” in Proc. 42nd IEEE Conference on Decision and Control (CDC), pp. 2595-2600, Hawaii, 2003.

[7] Tansu Alpcan and Tamer Basar, “A Game Theoretic Analysis of Intrusion Detection in Access Control Systems,” in Proc. 43rd IEEE Conference on Decision and Control (CDC), 2004.

[8] tcpdump: http://www.tools.ietf.org./html/rfc2398.

[9] Wei Jiang, Hong-Ji Zhang, Zhi-hong Tian, Xin-fang Song, “A Game Theoretic Method for Decision and Analysis of the Optimal Active Defense Strategy,” in Proc. International Conference on Computational Intelligence and Security, pp. 819-823, 2007.

[10] Wei Sun, Xiangwei Kong, Dequan He, Xingang You, “Information Security Game Analysis with Penalty Parameter,” International Symposium on Electronic Commerce and Security, pp. 453-456, 2008.

[11] Yu Liu, Cristina Comaniciu, Hong Man, “A Game Theoretic Approach to Efficient Mixed Strategies for Intrusion Detection,” Proceedings of IEEE International Conference on Communications (ICC 2006a).

[12] Yu Liu, Cristina Comaniciu, Hong Man, “A Bayesian Game Approach for Intrusion Detection in Wireless Ad Hoc Networks,” in Proceedings of the ACM Workshop on Game Theory for Communications and Networks, vol. 99, 2006b.

[13] Y. Liu, C. Comaniciu, H. Man, “Modeling Misbehavior in Ad Hoc
