

An Experimental Analysis of Proactive Detection of Distributed Denial of Service Attacks

Cobra Rahmani, Mohsen Sharifi, Tala Tafazzoli

Computer Engineering Department, Iran University of Science and Technology
{rahmani_cobra, mshar}@iust.ac.ir

Iranian Telecommunications Research Center
[email protected]

ABSTRACT

Detection methods for Distributed Denial of Service attacks try to detect attacks before the target machine is shut down. There are two major methods for attack detection at the target: anomaly-based and pattern-based. Pattern-based methods depend on attack signatures and as such cannot detect attacks when the attack patterns change slightly. Anomaly methods, on the other hand, work on the basis of network traffic volume and measure abnormal traffic volume, so they can detect attacks more easily. One of the best solutions for anomaly detection of attacks is proactive detection in a Network Management System (NMS), presented by Wenke Lee et al. at NCSU. This method tries to detect precursors of attacks before the traffic reaches the target. It uses Management Information Base (MIB) variables in the NMS to detect precursors of attacks. MIB variables that change at the attacker during the attack can be precursors of the attack. These MIB variables are related to some target MIB variables that change when the bogus traffic reaches the target. They can be extracted using statistical tests for causality. This paper presents an experimental analysis of this method. In contrast to previous work, the results of our experiments have shown lower computational overhead in finding the key MIB variables at the attacker. When the key MIB variables were found at the attacker, comparison between their normal and attack runs determined the attack signatures. When these signatures were observed in the Network Management System (NMS), it meant that an attack had occurred. Furthermore, we have implemented an SNMP-based system to detect some attacks in our network test bed. Five attacks were tested and analyzed in our experiment and MIB variables were recorded for each type of attack: Trin00, Targa3, TFN, Mstream and PingFlood.

Keywords: Distributed Denial of Service (DDoS), Auto Regressive Models, System Identification, Granger Causality Test (GCT), Network Management System (NMS), Management Information Base (MIB) Variables, Simple Network Management Protocol (SNMP), Security.

1. Introduction

Availability is defined broadly as the property of data and services being accessible to an authorized party within a reasonable time of request [15]. Each networked system must be available to its users; this is a minimum security requirement. DDoS attacks can destroy or exhaust resources by generating large amounts of bogus traffic towards the victim. They prevent permitted access to the resources of the victim. A taxonomy of DDoS attacks and their respective defensive mechanisms is given in [16].

There are basically three main approaches for defeating attacks: 1) Detection, 2) Prevention, and 3) Response. Detection mechanisms try to detect attacks after they have happened. Preventive mechanisms try to secure systems and protocols against attacks, while response mechanisms try to find attack sources and reduce their aftershock.

This paper focuses on a detection mechanism which detects attacks at early stages. It analyzes the results of our experiments with the proactive detection approach in our chosen test bed. The paper starts with a brief terminology. It then goes through the proactive detection phases and reports the results of our experiments alongside our analyses. It ends with a description of our SNMP-based implementation and the conclusion.

2. Terminology

Denial of Service (DoS) refers to any technique that is used to prevent a host or network of hosts on the Internet from either accessing the Internet or responding to requests from other hosts on the Internet. There are three or four types of machines in each DoS attack: attacker, slaves and target.

The attacker finds computers and installs the DDoS tools on them. These are the slave machines from which the disabling traffic is generated. This traffic is sent to the victim.

Distributed Denial of Service (DDoS) is a kind of DoS attack which uses thousands or more slaves across the Internet. A schema of the DDoS attack topology is depicted in Figure 1. After the attacker commands the slaves, they send disabling packets to the target. Even if the target is not shut down, the large amounts of bogus packets consume the target's bandwidth and legitimate packets cannot pass through the artificial traffic towards the target.

Figure 1. DDoS attacks topology in proactive detection (Target and some Slaves are under NMS supervision)

A Network Management System (NMS) is a system capable of recording the activity of the system. SNMP management is often called Internet management, and is the most widely used form of network management system [17].

Simple Network Management Protocol (SNMP) is a protocol defined by the Internet Engineering Task Force (IETF). SNMP defines a mechanism to monitor and manage network devices. An SNMP network management system consists of managed nodes, management stations and a management protocol. There are one or more Managed Nodes, each running one or more SNMP agents; an agent keeps information about its managed node in a database called a Management Information Base (MIB). There are one or more network Management Stations, which run network management software and display network information; the management station is called the host. A network Management Protocol determines how the managed node and the management station communicate with each other over the network.

A Management Information Base (MIB) defines the information that will be maintained by the associated SNMP agent. MIBs are comprised of managed objects, which are identified by object identifiers. MIB variables are used in the control and supervision of traffic in the network. Their values change as packets pass. Four groups of MIB variables are used in our experiments: the IP, ICMP, UDP and TCP groups.

3 Proactive detection scenario

The proactive detection method presented by Wenke Lee et al. [1] consists of two steps: an off-line step and an on-line step. In the off-line step, we should find some MIB variables at the attacker that change when disabling traffic is sent. These variables are called the key MIB variables at the target. By these variables it is possible to predict packet flooding before the packets reach the target.

In the on-line step we must detect attacks by the key MIB variables at the attacker. It has been assumed that some of the slaves and the target are under the Network Management System. They are NMS agents and act autonomously. We have used Simple Network Management Protocol (SNMP) agents as NMS agents.

Seven computers were chosen as the test bed for our experimentation: one as master, one as target and the others as potential attackers or slaves. During the attack, normal operations were under way on the computers and all computers were logged. These computers were part of a LAN. The operating system of these machines (master, target and slaves) was Redhat Linux 7.2, and we used ucd-snmp-4.2.1 for logging.

We needed two kinds of runs: attack runs and normal runs.

Attack Runs: Five DDoS attacks were run. During each attack, two machines were slaves, one was master, one was target and the others were potential attackers. Each run lasted 2 hours and the attack was launched twice in each run. The master machine was not under NMS supervision.

Normal Runs: Six computers were logged at normal time for an hour. MIB variables in the tcp, ip, udp and icmp groups were collected with a sampling interval of 5 seconds.

There were three phases for finding the key MIB variables at the attacker in off-line step (Figure 2):

Phase 1) detecting attacks,

Phase 2) detecting correlations,

Phase 3) detecting precursors to attack.

3.1 Detecting attacks

In this phase we identified the MIB variables that changed when attack packets reached the target. There were two ways of determining these variables at the target:

1) Using domain knowledge about the characteristics of the attack [2]. For example, we know in advance that in the Mstream attack the slaves send large amounts of TCP ACK packets to the target. Therefore, when the attack packets reach the target, the tcpInSegs MIB variable changes.

2) Comparing the behavior of MIB variables during attack and normal operation. Variables whose behavior changed significantly during the attack were taken as key variables at the target. Time series were used to model the variables' behavior. In the case of denial of service attacks, the traffic variations at the target were high. Just by averaging the time series over properly chosen intervals, it was possible to detect the presence of the attack.

Figure 2. Off-line phases in proactive detection (Phase 1: which MIBs changed at the victim at attack time? M1, M2. Phase 2: which MIBs at the slaves are relevant to M1, M2? M3, M4. Phase 3: what are the thresholds for M3 and M4 at attack time?)

3.2 Detecting correlation

After finding MIB variables at the target, we must find key variables at the attacker. These variables change when slaves send packets to the target. They have causal relations with the key variables when packets reach the target. The causal relation between these MIB variables could be proven by Granger Causality Test (GCT).

The Granger Causality Test is used in economics for analyzing time series, and determines whether knowledge about one econometric variable helps in predicting another variable or not [9]. Causality is defined as follows:

"u causes y if knowledge of past u reduces the variance of the errors in forecasting y beyond the variance of the errors which would be made from the knowledge of past y alone [13]."

The Granger Causality Test uses statistical methods to test whether past information on a variable u provides any statistical information about a variable y. GCT compares the Mean Squared Error (MSE) of an Auto Regressive Moving Average (ARMA) model with the Mean Squared Error (MSE) of an Auto Regressive (AR) model. Assuming a delay of length p, we first solve the following equation (1), in which u is assumed not to affect y beyond a delay of p units; we say lag p instead of delay p. p is also the order of the model. A higher p means more computation in the model, and a lower p less.

y(k+1) = \sum_{i=1}^{p} \alpha_i \, y(k-i+1) + \sum_{i=1}^{p} \beta_i \, u(k-i+1) + e_1(k)    (1)

The null hypothesis of GCT is as follows:

H_0: \beta_i = 0, \quad i = 1, 2, \dots, p

Under the null hypothesis, equation (1) is restricted to equation (2):

y(k+1) = \sum_{i=1}^{p} \alpha_i \, y(k-i+1) + e_0(k)    (2)

We have solved equations (1) and (2) with system identification from control theory, equation (1) as an ARMA model and equation (2) as an AR model.

Let R_1 and R_0 be the MSE of the above models:

R_1 = \sum_{t=1}^{T} e_1^2(t), \qquad R_0 = \sum_{t=1}^{T} e_0^2(t)

g is the Granger value that represents the causality relation between u and y:

g = \frac{(R_0 - R_1)/p}{R_1/(T-2p-1)} \sim F(p, T-2p-1)    (3)

If the g value is greater than a specified critical value F(p, T-2p-1), then u has a causal relation with y. F(p, T-2p-1) is the Fisher distribution function with parameters p and T-2p-1. Higher values of g represent a stronger causality relation between u and y. This estimation is presented in the Granger test [13].

Another description of the ARMA model, as represented in system identification, is:

y(t) + a_1 y(t-1) + \dots + a_{na} y(t-na) = b_1 u(t-nk) + \dots + b_{nb} u(t-nk-nb+1) + e(t)

System identification allows building mathematical models of a dynamic system based on measured data. We have tried to solve the equations by estimating na, nb and nk in Matlab. nk is the delay and equals zero, because in high-speed networks the packets sent from a slave to the target arrive there in a fraction of a second. In GCT, na = nb = p are the orders of the AR and ARMA models. T is the number of samples.

We have used this test to determine whether we have any variable at the attacker that detects the attack before the target is down. This happens when master commands the slave and slave sends disabling traffic to the target. We have modeled key variables at the target with the AR model. Also we have modeled an input-output system in which the output was the key variable at the target and the inputs were one of the 78 MIB variables at the attacker with the ARMA model. Then we obtained the g value for each model.
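The g statistic of equations (1) to (3), as an added worked example (not code from the paper, which fitted these models with Matlab's System Identification Toolbox): both models are fitted by ordinary least squares in plain Python, their residual sums of squares give R_0 and R_1, and g follows from equation (3). The two input series are constructed here: u is white noise and y is either driven by u(k-1), so u should Granger-cause y, or evolves on its own. The F critical value is not computed; in practice it is read from an F(p, T-2p-1) table, as the paper does.

```python
# Bivariate Granger Causality Test of Section 3.2 in plain Python (added example; the paper
# fitted these models with Matlab's System Identification Toolbox, this is not their code).
import random


def _solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting (a is square)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular normal equations: series too short or constant")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def _residual_sum_of_squares(rows, targets):
    """Ordinary least squares of targets on the regressor rows; returns the sum of squared residuals."""
    n = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    xty = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(n)]
    coef = _solve(xtx, xty)
    return sum((t - sum(c * x for c, x in zip(coef, r))) ** 2 for r, t in zip(rows, targets))


def granger_g(y, u, p):
    """Return (g, R0, R1) for lag order p, following equations (1) to (3).

    Restricted model (2): y(k+1) on y(k), ..., y(k-p+1)            -> R0
    Unrestricted model (1): the same plus u(k), ..., u(k-p+1)      -> R1
    g = ((R0 - R1)/p) / (R1/(T-2p-1)), where T is the number of fitted samples;
    u Granger-causes y when g exceeds the critical value of F(p, T-2p-1)."""
    restricted, unrestricted, targets = [], [], []
    for k in range(p, len(y)):
        ylags = [y[k - i] for i in range(1, p + 1)]
        ulags = [u[k - i] for i in range(1, p + 1)]
        restricted.append(ylags)
        unrestricted.append(ylags + ulags)
        targets.append(y[k])
    T = len(targets)
    if T - 2 * p - 1 <= 0:
        raise ValueError("not enough samples for lag order p")
    R0 = _residual_sum_of_squares(restricted, targets)
    R1 = _residual_sum_of_squares(unrestricted, targets)
    g = ((R0 - R1) / p) / (R1 / (T - 2 * p - 1))
    return g, R0, R1


def make_series(n=200, causal=True, seed=7):
    """Constructed sample series: u is white noise; y(k) = 0.5 y(k-1) + 0.8 u(k-1) + noise
    when causal, and y(k) = 0.5 y(k-1) + noise otherwise."""
    rng = random.Random(seed)
    u = [rng.gauss(0.0, 1.0) for _ in range(n)]
    y = [0.0]
    for k in range(1, n):
        drive = 0.8 * u[k - 1] if causal else 0.0
        y.append(0.5 * y[k - 1] + drive + rng.gauss(0.0, 0.1))
    return y, u


if __name__ == "__main__":
    for causal in (True, False):
        y, u = make_series(causal=causal)
        g, R0, R1 = granger_g(y, u, p=2)
        print(f"causal={causal}: R0={R0:.3f} R1={R1:.3f} g={g:.2f}")
```

Because model (2) is nested in model (1), R_1 can never exceed R_0; g measures how much of the restricted model's error the lagged u terms remove, scaled by the degrees of freedom, which is why the driven series yields a g in the thousands while the independent series stays near the F distribution's centre.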

3.3 Detecting precursors to attack

After detecting causal relations between MIB variables, we had to determine the key MIB variables at the attacker that change before the attack. These MIB variables were determined in the previous step and had causal relations with the attack. Now we needed a trigger or a key event in the attacker MIB variables.


Once these features are determined, we can extract proactive rules. These rules were used for implementing an alarm system in the NMS. We determined the jumps in these MIB variables by monitoring the values of their time series, and by building a normal profile of jumps from the normal-run MIB variables. MIB variables whose jumps in the attack runs were larger than the largest jumps in the normal runs were taken as the key MIB variables [1].

4 Analysis and Experimental Results

Five DDoS attacks (TFN2K pingflood [5], TFN2K targa3 [5], TFN [2], Trinoo [2] and Mstream [4]) were run in the attack runs. During each attack, two machines behaved as slaves, one as master, one as target and the others as potential attackers. Each run lasted 2 hours and the attack was performed twice in each run. The master machine was assumed not to be under NMS monitoring.

Six computers were logged in the normal run for an hour. MIB variables in the tcp, ip, udp and icmp groups were collected with a sampling interval of five seconds. Because of the network topology, the time taken for the master to command the slaves to initiate the attack, the time taken for the slaves to start sending disabling network traffic to the target, and the time at which the disabling traffic reached the target were almost the same.

Let us now analyze the results of the previously-mentioned three phases.

4.1 Detecting attacks

We have used the two methods mentioned in section 3.1. We extracted the key variables at the target by using domain knowledge. Then we analyzed the graphs of the MIB variables at the target. The MIB variables extracted at the target for the five attacks were as follows. In the following graphs the horizontal axis is the timestamp (the logging interval was five seconds) and the vertical axis is the value of the MIB variable.

Mstream

Mstream sent a large number of TCP ACK packets to the target and used IP spoofing, thus the values of TcpInSegs MIB increased at the target. TcpInSegs shows the total number of tcp segments entered to the machine (Figure 3). Furthermore, we averaged MIB variables at the target and found that ipInReceives, ipOutRequests, tcpInSegs and tcpOutSegs could be used as key variables at the target.

Figure 3. TcpInSegs diagram in Mstream attack.

Ping Flood

From domain knowledge we know that ping flood sends a large volume of icmpEchoRequest packets to the target, so icmpInEchos is the key variable at the target. We averaged the time series of the MIB variables at the target, and found that ipInReceives, ipOutRequests, icmpInMsgs, icmpInEchos and icmpOutEchoReps change significantly during the attack and could be candidate key variables at the target.

Targa3

In the Targa3 attack, a combination of uncommon IP packets is sent to the target. These packets have problems such as invalid fragmentation, protocol, packet size, options, offsets, tcp segments and routing flags. The MIB variables that show IP errors are key variables. We chose ipReasmFails. This variable shows the number of IP packets that have problems during reassembly [8]. By averaging the time series of all MIB variables at the target we found that ipInReceives, icmpInMsgs, icmpOutDestUnreachs and udpInErrors could be the key variables at the target.

Trinoo

In Trinoo, packets are sent to a random UDP port at the target. Because there is no process to receive these packets, udpNoPorts has a high value. The target computer sends icmpDestUnreachable packets in response to the received packets and the icmpDestUnreachable variable increases. By averaging the MIB variables at the target we found that ipInReceives, ipInDelivers, icmpOutMsgs and icmpOutDestUnreachs could also be candidate MIB variables.

TFN

TFN can send four types of attacks (UDP flood, SYN flood, ICMP flood and Smurf). We have used TFN just for sending UDP flood. This attack is the same as Trinoo but is weaker. It sends the UDP packets to random ports at the target and increases the udpNoPorts on it. We analyzed the graphs of MIB variables at the target. We found that ipInReceives, icmpOutMsgs, icmpOutDestUnreachs, and ipOutRequests change significantly during attack.


4.2 Correlation Detection

To solve the statistical equations, we used system identification in Matlab [12]. MIB variables at the potential attackers with a GCT result above the 95% significance level were considered to be Granger causes of the key variables at the target. In this example we used p and T-2p-1 as the degrees of freedom and extracted the critical F value for each attack. MIB variables whose g was greater than the F value were good candidates for the next step. The results are shown in the following tables.

In contrast to previous work we chose a low order instead of a high order, because choosing a high order results in a model that matches the data closely but has more computational overhead, while lower orders may give lower fits or a higher mean squared error for the given models. We first chose high orders, as in previous work, and then low orders, and computed the fitted values for each. The results are shown in Table 1. Lee's work chose high lags, but we found good fits with lower lags; in the worst case the fitted value decreased by 10%. Therefore we obtain lower lags with less computational overhead. The GCT values for the lower lags gave the same results as the higher lags. Tables 2 to 6 show the g values for the second (lower) choice of order.

Table 1. Order of the ARMA model in GCT and the resulting fitted value, for the two choices of order (the order used in Lee's paper [1] is given for comparison)

Attack      Order (Lee's paper)   Order (first choice)   Fitted value   Order (second choice)   Fitted value
Ping Flood  120                   100                    81%            10                      80.35%
Targa3      100                   120                    72.15%         10                      60.59%
Trinoo      100                   80                     59%            10                      57.4%
TFN         -                     120                    91.96%         10                      90.59%
Mstream     -                     20                     34%            10                      27.62%

Table 3. Key MIB variables at the attacker (Targa3)

Rank  MIB                  g
1     udpOutDatagrams      3.29
2     ipOutRequests        2.91
3     icmpInDestUnreachs   2.78
4     icmpInMsgs           2.73
5     udpInDatagrams       1.93

Tables 2, 4, 5 and 6. Key MIB variables at the attacker for Ping flood, TFN, Mstream and Trinoo. The four tables below are given in the order they appear on the page; the extracted text does not preserve which of these captions belongs to which table, except that the "g [1]" column of the last table lists the corresponding values reported by Lee et al. [1] (a "-" means no value was reported there).

(a)
Rank  MIB               g
1     ipOutRequests     17.39
2     icmpOutEchoReps   4.48
3     icmpInMsgs        4.78
4     udpOutDatagrams   4.35
5     udpInDatagrams    4.33

(b)
Rank  MIB               g
1     ipOutRequests     10.05
2     icmpInMsgs        8.77
3     icmpOutEchoReps   8.77
4     tcpInSegs         7.11
5     ipOutDiscards     6.08

(c)
Rank  MIB               g
1     ipOutRequests     70.22
2     icmpInMsgs        8.22
3     icmpInEchos       8.22
4     icmpOutEchos      8.22
5     ipInReceives      4.78
6     ipInDelivers      3.09
7     icmpOutMsgs       1.99

(d)
Rank  MIB               g      g [1]
1     ipOutRequests     5.23   5.26
2     udpInErrors       1.99   2.63
3     icmpInEchos       1.71   -
4     icmpOutEchoReps   1.71   -
5     icmpInMsgs        1.69   1.99
6     icmpInEchoReps    1.69   2.04
7     icmpOutMsgs       1.58   -
8     tcpInSegs         1.45   1.31
9     ipInDelivers      1.44   2.65

These g values are higher than the critical values corresponding to F(p, T-2p-1). Therefore the MIB variables with these g values may have a causal relation to the attack.

4.3. Attack precursors detection

In this step we separated all MIB variables at the attacker that had a causal relation with the target MIB variables. Then we calculated the jumps of those MIBs and compared them with the normal jumps, for which we constructed a normal profile of jumps. If there was a great difference between the normal jumps and the attack jumps, the variables were extracted as key variables and used in the detection; otherwise we did not use those MIB variables for detection. These MIB variables at the attacker machine relate to the time at which the master commands the slaves to initiate the attack and the time at which the slaves start sending disabling network traffic to the target. The ipOutRequests MIB values for the five attacks and during normal runs, recorded in our test bed, are shown in Figure 4. Thresholds extracted for the other key MIB variables at the attacker are also shown.

Figure 4. MIB values at the slaves at attack time (ip.ipOutRequests counter against time stamp in seconds; one curve for each of Mstream, Trinoo, Ping Flood, TFN and Targa3, plus the normal run)
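An added example, not the paper's code, of the normal profile of jumps described in this section: the jump of a counter between successive SNMP polls is computed for every MIB variable in the normal runs, the largest normal jump per variable forms the profile, and a variable in an attack run is reported as a key variable at the attacker when its largest jump exceeds that normal maximum. The counter values are constructed for illustration; the Counter32 wrap-around handling is an assumption the page does not discuss.

```python
# Normal profile of jumps and key-variable selection (Section 4.3).
# Added example, not the paper's code; all counter values below are constructed.

COUNTER32_MODULUS = 2 ** 32  # assumption: MIB-II counters are Counter32 and may wrap


def counter_delta(previous, current):
    """Jump of a cumulative SNMP counter between two successive polls, correcting for wrap-around."""
    if current >= previous:
        return current - previous
    return current + COUNTER32_MODULUS - previous


def jumps(polls):
    """Jumps between consecutive samples of one counter (polls are 5 s apart in the paper's test bed)."""
    return [counter_delta(a, b) for a, b in zip(polls, polls[1:])]


def normal_profile(normal_runs):
    """Largest jump seen for every MIB variable over all normal runs.

    normal_runs maps a MIB name to a list of runs, each run being the list of polled counter values."""
    return {mib: max(max(jumps(run)) for run in runs) for mib, runs in normal_runs.items()}


def key_variables(attack_run, profile):
    """MIB variables whose largest jump in the attack run exceeds the normal profile.

    Returns {mib: (largest attack jump, largest normal jump)}; the largest normal jump is the
    threshold the on-line agent would alarm on for that variable."""
    found = {}
    for mib, polls in attack_run.items():
        attack_max = max(jumps(polls))
        if mib in profile and attack_max > profile[mib]:
            found[mib] = (attack_max, profile[mib])
    return found


# Constructed normal-run counters (two runs per variable, six polls each).
NORMAL_RUNS = {
    "ipOutRequests": [[1000, 1030, 1055, 1090, 1120, 1160], [5000, 5020, 5075, 5100, 5140, 5170]],
    "udpInErrors":   [[0, 0, 0, 0, 0, 0], [3, 3, 3, 3, 3, 3]],
    "tcpInSegs":     [[200, 300, 410, 500, 620, 700], [900, 1000, 1090, 1200, 1300, 1410]],
}

# Constructed attack-run counters: ipOutRequests and udpInErrors jump, tcpInSegs stays within
# its normal range, and ipOutRequests wraps around at the fourth poll.
ATTACK_RUN = {
    "ipOutRequests": [4294967000, 4294967040, 4294967080, 2800, 7900, 12950],
    "udpInErrors":   [7, 7, 7, 8, 9, 9],
    "tcpInSegs":     [100, 210, 300, 420, 500, 610],
}

if __name__ == "__main__":
    profile = normal_profile(NORMAL_RUNS)
    for mib, (attack_jump, normal_max) in key_variables(ATTACK_RUN, profile).items():
        print(f"{mib}: attack jump {attack_jump} exceeds largest normal jump {normal_max}")
```

Without the wrap correction the fourth ipOutRequests poll would produce a huge negative jump and the real 3016-packet burst at that poll would be lost; tcpInSegs reaches but does not exceed its normal maximum of 120 and is therefore not selected.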

5. Implementation

We have implemented SNMP-based agents sensitive to abrupt changes in the key MIB variables at the attacker. ipOutRequests thresholds for the five attacks are shown in Figure 4. In the same way, thresholds for the other key MIB variables at the attacker were extracted in our test bed. Finally we constructed the following proactive rules, which were used for attack detection in our network:

    If (ipOutRequests > 3000) {
        If (udpInErrors > 0 || icmpInEchoReps > 5) {
            If (icmpOutDestUnreachs > 10) then "TFN2K: PING FLOOD"
            else if (ipOutDiscards > 10) then "TFN2K: TARGA3"
            else "TFN2K"
        }
        else If (udpOutDatagrams > 1000 || icmpInDestUnreachs > 4) then "TRIN00"
    }
    else if (ipOutRequests > 550) then "TFN"
    If (ipOutRequests > 100000) then "Mstream"
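The proactive rules above as an added, runnable Python version (not the paper's SNMP agent code). It assumes the thresholds are applied to the jump of each counter between two successive polls, and the poll samples are constructed. Because the Mstream rule is written as a separate If, an ipOutRequests jump above 100000 can also satisfy the first block, so the function returns every label that fires rather than a single one.

```python
# The paper's proactive rules (Section 5) as a Python function, applied to jumps between
# successive SNMP polls of one monitored host. Added example, not the paper's agent code.


def classify(jump):
    """Apply the proactive rules to one set of MIB jumps; returns every label that fires.

    jump maps a MIB name to its jump since the previous poll; missing variables count as 0."""
    v = lambda mib: jump.get(mib, 0)
    labels = []
    if v("ipOutRequests") > 3000:
        if v("udpInErrors") > 0 or v("icmpInEchoReps") > 5:
            if v("icmpOutDestUnreachs") > 10:
                labels.append("TFN2K: PING FLOOD")
            elif v("ipOutDiscards") > 10:
                labels.append("TFN2K: TARGA3")
            else:
                labels.append("TFN2K")
        elif v("udpOutDatagrams") > 1000 or v("icmpInDestUnreachs") > 4:
            labels.append("TRIN00")
    elif v("ipOutRequests") > 550:
        labels.append("TFN")
    # Written as a separate If in the paper, so it can fire together with the block above.
    if v("ipOutRequests") > 100000:
        labels.append("Mstream")
    return labels


def detect(polls):
    """Run the rules over successive polls of cumulative counters.

    polls is a list of {mib: counter value}; returns [(poll index, labels)] for polls that alarm.
    Assumption: thresholds apply to the per-poll jump, not to the raw counter value."""
    alarms = []
    for i in range(1, len(polls)):
        jump = {mib: polls[i][mib] - polls[i - 1].get(mib, polls[i][mib]) for mib in polls[i]}
        labels = classify(jump)
        if labels:
            alarms.append((i, labels))
    return alarms


# Constructed polls: a quiet host, then a jump that matches the ping flood branch.
SAMPLE_POLLS = [
    {"ipOutRequests": 10000, "udpInErrors": 0, "icmpInEchoReps": 0, "icmpOutDestUnreachs": 0,
     "ipOutDiscards": 0, "udpOutDatagrams": 500, "icmpInDestUnreachs": 0},
    {"ipOutRequests": 10040, "udpInErrors": 0, "icmpInEchoReps": 0, "icmpOutDestUnreachs": 0,
     "ipOutDiscards": 0, "udpOutDatagrams": 520, "icmpInDestUnreachs": 0},
    {"ipOutRequests": 14040, "udpInErrors": 1, "icmpInEchoReps": 0, "icmpOutDestUnreachs": 15,
     "ipOutDiscards": 0, "udpOutDatagrams": 540, "icmpInDestUnreachs": 0},
]

if __name__ == "__main__":
    for index, labels in detect(SAMPLE_POLLS):
        print(f"poll {index}: {', '.join(labels)}")
```

The rule tree is evaluated exactly as written on the page, including the ordering of the nested branches; only the separate Mstream check can add a second label, which the returned list makes visible rather than hiding behind a first-match return.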

6. Conclusion and Further Work

Our experiments indicated that Lee's method is a satisfactory method for proactive detection of DDoS attacks. Pattern-based methods, which try to detect attack patterns, simply result in errors: they cannot detect attacks when the attack patterns change. Proactive detection methods do not suffer from this defect. Given that these attacks generate a high volume of traffic, much higher than normal traffic, it was shown reasonable to measure the volume of traffic in normal and attack conditions and compare them in order to detect such attacks. Although our experiments have shown a high rate of success in detecting attacks when using this kind of measurement, we are well aware of the shortcoming of our experiments: the use of average traffic in our test bed. Further work is needed to train our system on high capacity networks to see the performance of the method. There is a high possibility that in high capacity networks false alarms may increase and the detection rate may decrease. TFN behaved like this in our average test bed: when intruders tried to install their slaves on high capacity machines, the attacks were not easily detectable.

Acknowledgements

This research was supported by the Iran Telecommunication Research Center (ITRC) and the experiments were carried out in network management group.

7. References

1. W. Lee, R. K. Prasanth, B. Ravichandran, R. K. Mehra, "Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables, A Feasibility Study", Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA, May 14-18, 2001.

2. P. J. Criscuolo, "Distributed Denial of Service - Trin00, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht", Technical Report CIAC-2319, Department of Energy - CIAC (Computer Incident Advisory Capability), February 2000.

3. K. Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems", Master's Thesis, Massachusetts Institute of Technology, June 1999.

4. David Dittrich, George Weaver, Sven Dietrich, Neil Long, "The 'mstream' Distributed Denial of Service Attack Tool", May 2000. http://packetstorm.decepticons.org/distributed/Mstream_Analysis.txt

5. Jason Barlow, Woody Thrower, "TFN2K - An Analysis", February 2000. http://packetstorm.decepticons.org/distributed/TFN2k_Analysis.htm

6. M. Thottan and C. Ji, "Proactive Anomaly Detection using Distributed Agents", IEEE Network, pages 21-27, September 1998.

7. Christopher Chatfield, The Analysis of Time Series: An Introduction, Chapman and Hall, 1989.

8. K. McCloghrie, M. Rose, "Management Information Base for Network Management of TCP/IP-Based Internets: MIB-II", RFC 1158, March 1991.

9. Bivariate Granger Causality Test, http://www.sas.com/rnd/app/examples/ets/granger/index.htm

10. Helmut Lütkepohl, Introduction to Multiple Time Series Analysis, Springer-Verlag, 1993.

11. Lennart Ljung, System Identification: Theory for the User, Prentice Hall, 1987.

12. System Identification Toolbox, Matlab Help.

13. G. William Schwert, "Tests of Causality: The Message in Innovations", University of Rochester, 1979. http://schwert.ssb.rochester.edu/message.pdf

14. Richard A. Johnson, Gouri K. Bhattacharyya, Statistics: Principles and Methods, 1992.

15. J. Leiwo, T. Aura, P. Nikander, "Towards Network Denial of Service Resistant Protocols", In Proc. of the 15th International Information Security Conference (IFIP/SEC), August 2000.

16. Jelena Mirkovic, Janice Martin, and Peter Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms", UCLA Technical Report #020018, 2002.

17. M. Subramanian, Network Management: Principles and Practice, Addison-Wesley, 2000.
