International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 6, Issue 6, June 2016)
Impact Analysis of DDoS Attacks on Video Streaming Service
Daljeet Kaur¹, Monika Sachdeva², Rinkle Mehto³
¹,² Asso. Prof of Comp. Science & Engg. Dept. & SBSSTC, Ferozepur, India
³ M.Tech (Comp. Science & Engg.) & SBSSTC, Ferozepur, India
Abstract— A Distributed Denial of Service (DDoS) attack creates a huge volume of unwanted traffic and severely degrades Internet services, so it is widely regarded as a major threat to the current Internet. A flooding-based DDoS attack is a very common form in which a victim machine is attacked by sending it a large amount of malicious traffic; services are severely degraded and substantial business losses are incurred as a result. To objectively evaluate a DDoS attack's impact, and the effectiveness of a potential defense, we need precise, quantitative and comprehensive DDoS impact metrics that are applicable to video streaming services. To meet this requirement, the cyber-defense Technology Experimental Research (DETER) testbed has been developed. In this paper, we have created a dumb-bell topology and generated video streaming traffic as background traffic. Different types of DDoS attacks are launched along with the video streaming traffic using the attack tools available in the DETER testbed. Finally, in order to analyse the impact of DDoS attacks on Internet services, we need DDoS impact metrics that are applicable to video streaming services. In this paper, we have used real-time attack traces to analyse the impact of DDoS attacks on video streaming services. The impact is analysed in terms of metrics such as throughput, jitter and percentage link utilization.
Keywords— Bandwidth, DDoS, Internet, Jitter, Throughput.
I. INTRODUCTION
A Distributed Denial of Service (DDoS) attack is an attack that prevents users from using the resources of a victim's computer. It is a large-scale, coordinated attack that is typically launched indirectly with the help of other computers on the Internet. A DDoS attack can originate from anywhere in the network and typically overwhelms the victim server by sending a huge number of packets. There are several kinds of DDoS attacks, falling into two main classes: (1) bandwidth depletion and (2) resource depletion attacks. In a bandwidth depletion attack, the victim network is flooded with unwanted traffic that prevents legitimate traffic from reaching the victim computer. In a resource depletion attack, the attack is targeted to tie up the resources of the victim computer [1] [2].
Fig.1 DDoS attacks
A Denial of Service attack is an attempt by a person or a group of persons to cripple an online service. This can have serious consequences, especially for companies like Amazon and eBay which rely on their online availability to do business. In the not so distant past there have been some large-scale attacks targeting high-profile Internet sites [3, 4, 5 and 6]. Consequently, a lot of effort is currently being made to come up with mechanisms to detect and mitigate such attacks. As shown in Fig. 1, a flood attack involves zombies sending large volumes of traffic to a victim system in order to congest the victim system's network bandwidth with IP traffic. The victim system slows down, crashes, or suffers from saturated network bandwidth, preventing access by legitimate users. Flood attacks have been launched using both UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) packets. In a UDP flood attack, a large number of UDP packets are sent to either random or specified ports on the victim system. Often, the attacking DDoS tool will also spoof the source IP address of the attacking packets. This helps hide the identity of the secondary victims, since return packets from the victim system are not sent back to the zombies but to the spoofed addresses. UDP flood attacks may also fill the bandwidth of connections located around the victim system. This often impacts systems located near the victim [7].
Flooding DDoS attacks consume resources such as network bandwidth by overwhelming the bottleneck link with a high volume of packets. Vulnerability attacks use the expected behaviour of protocols such as TCP and HTTP to the attacker's advantage. The computational resources of the server are tied up by seemingly legitimate requests from the attackers, which prevents the server from processing transactions or requests from authorized users. Flooding DDoS is basically a resource overloading problem. The resource can be bandwidth, memory, CPU cycles, file descriptors, buffers, etc.; the attackers bombard the scarce resource(s) with a sheer flood of packets.
Fig. 2 Packets drop under DDOS attack
In Figure 2 a flood of packets is shown, which congests the link between the ISP's edge router and the border router of the victim domain [9]. Attack packets keep coming as per the distribution fixed by the attacker, whereas legitimate clients cut their packet sending rates in response to flow control and congestion signals. Eventually the whole of the bottleneck bandwidth is seized by attack packets. Over the last decade, Distributed Denial of Service (DDoS) attacks have continued to proliferate, becoming one of the primary threat types facing virtually every industry and business area that is exposed to the public Internet. Therefore, DDoS protection must be at the core of a successful security strategy.
DDoS attacks attempt to bring down and infiltrate Web sites by flooding the site's origin server with bogus requests, often from multiple locations and networks. If allowed to proceed unchecked, this DDoS attack traffic can produce results ranging from slow page loads to a complete blockage of legitimate site traffic [10].
II. EXPERIMENT SETUP
We used the DETER testbed to evaluate our metrics in experiments. The testbed is located at the USC Information Sciences Institute and UC Berkeley, and allows security researchers to evaluate attacks and defenses in a controlled environment. Emulab [11] and DETER [12] allow users to gain exclusive access to a desired number of PCs, located at a central facility and isolated from the Internet. These can be loaded with a user-specified OS and applications, and users obtain root privileges.
Fig. 3 Experimental Topology
set ns [new Simulator]
source tb_compat.tcl

# Create the topology nodes
foreach node { V S R1 R2 L1 L2 A1 A2 control } {
    # Create new node
    set $node [$ns node]
    # Define the OS image
    tb-set-node-os [set $node] FC4-STD
    # Have SEER install itself and start up when the node is ready
    tb-set-node-startcmd [set $node] "sudo python /share/seer/v160/experiment-setup.py Basic"
}

# Create the topology links
set linkRV [$ns duplex-link $V $R1 100Mb 3ms DropTail]
set linkRS [$ns duplex-link $S $R1 100Mb 3ms DropTail]
set linkRR2 [$ns duplex-link $R1 $R2 3Mb 3ms DropTail]
set linkRA1 [$ns duplex-link $R2 $A1 50Mb 3ms DropTail]
set linkRA2 [$ns duplex-link $R2 $A2 50Mb 3ms DropTail]
set linkRL1 [$ns duplex-link $R2 $L1 50Mb 3ms DropTail]
set linkRL2 [$ns duplex-link $R2 $L2 50Mb 3ms DropTail]

$ns rtproto Static
$ns run
Fig. 4 Experimental Topology
In our experiments, we have used a dumb-bell topology for creating traffic. The topology (shown in Figure 3) is for a video streaming application in which R1 and R2 are routers, node S is the server and L1, L2 are clients. They send legitimate requests to server S via routers R1 and R2. The bandwidth of all legitimate links is set to 50 Mbps, the bandwidth of the link between router R1 and the server is 100 Mbps, and the bandwidth of the bottleneck link (R1-R2) is 3 Mbps. Node A1 in the topology acts as the attacking node and sends attack traffic to server S via routers R1 and R2. The link between R1 and R2 is called the bottleneck link. The purpose of the attack node is to consume/congest the bandwidth of the bottleneck link so that legitimate traffic cannot reach the server S.
The configuration of said traffic parameters used to send legitimate traffic is demonstrated in Table I:
TABLE I
LEGITIMATE TRAFFIC PARAMETERS USED IN EXPERIMENTS

| Parameters | Value |
|---|---|
| Traffic type | Streaming |
| Clients for Streaming | L1 |
| Server | S |
| Thinking Time for Video Streaming | (.008,.009) |
| File size for Video Streaming | (10,20) |
| Video file Run | 660 |
| Protocol type | Rtp |
The effect of DDoS attacks on the performance of Video Streaming service is analyzed below:
A. Throughput
A backbone link is attacked to force the edge router at the ISP of the victim end to drop most legitimate packets during a DDoS attack. In Figure 5 and Figure 6 we have measured throughput in terms of good-put and bad-put to get a measure of the actual loss. Good-put is defined as the number of bits per second of legitimate traffic received at the server, whereas bad-put is the number of bits per second of attack traffic received at the server.
[Figure: Goodput of Video Streaming under UDP Attack. X-axis: Time (Sec); Y-axis: Throughput (Mbps); series: Flat Attack, Ramp-pulse Attack, Pulse Attack.]
[Figure: Badput of Video Streaming under UDP Attack. X-axis: Time (Sec); Y-axis: Throughput (Mbps); series: Flat Attack, Ramp-pulse Attack, Pulse Attack.]
Fig. 6 Bad-put of Video streaming through bottleneck link during UDP attack
Jitter: Jitter is defined as the statistical variance of the RTP data packet inter-arrival time. In the Real Time Protocol, jitter is measured in timestamp units. As shown in Figure 7, legitimate packets are delivered with a constant inter-arrival time from the streaming device, but during an attack there is statistical variance in the RTP data packet inter-arrival time.
[Figure: Jitter during UDP Attack. X-axis: Time (Sec); Y-axis: Inter-Arrival Time; series: Ramp-pulse Attack, Pulse Attack, Flat Attack.]
Fig. 7 Measurement of Jitter during UDP Attack on Video Streaming Service
Link utilization
Bottleneck bandwidth utilization is defined as the percentage of bandwidth that is carrying legitimate traffic. As shown in Figure 8, bottleneck bandwidth utilization is nearly 100% without attack. During an attack, bottleneck bandwidth utilization drops by more than 50%. Normal TCP traffic follows congestion control signals [14][15], so when a TCP packet is dropped, the TCP source further reduces its sending rate. Attack traffic does not follow these signals, so legitimate traffic sharply declines whereas attack traffic grows heavily.
[Figure: Avg Backbone Link Utilization. X-axis: Time (Sec); Y-axis: % Link Utilization; series: Flat Attack, Pulse Attack, Ramp-pulse Attack.]
Fig. 8 Average Bottleneck Bandwidth Utilization in Video Streaming
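The metrics defined in this section (good-put, bad-put, jitter as inter-arrival variance, and the share of bottleneck bandwidth carrying legitimate traffic) can be computed from a packet trace as shown here. This is an added example, not code from the paper: the trace record format, the classification of packets by source node and the sample values are constructed assumptions, while the node names and the 3 Mbps bottleneck come from the topology above.

```python
from collections import defaultdict
from statistics import pvariance

BOTTLENECK_BPS = 3_000_000      # R1-R2 capacity from the page's topology
LEGIT_NODES = {"L1", "L2"}      # clients; any other source is counted as attack traffic

def constructed_trace():
    """Constructed sample: (arrival_ms, source_node, size_bytes) as seen at server S."""
    trace = [(t, "L1", 1250) for t in range(0, 1000, 4)]        # second 0: no attack
    trace += [(t, "A1", 1250) for t in range(1000, 2000, 4)]    # second 1: UDP flood
    # Legitimate packets that still get through arrive unevenly (10 ms / 30 ms gaps)
    trace += [(1000 + 40 * (j // 2) + 10 * (j % 2), "L1", 1250) for j in range(50)]
    return sorted(trace)

def impact_metrics(trace, bin_ms=1000):
    """Per-bin good-put, bad-put, legitimate link utilization and jitter."""
    bits = defaultdict(lambda: {"good": 0, "bad": 0})
    arrivals = defaultdict(list)            # legitimate arrival times per bin (ms)
    for t_ms, src, size in trace:
        b = t_ms // bin_ms
        if src in LEGIT_NODES:
            bits[b]["good"] += size * 8
            arrivals[b].append(t_ms)
        else:
            bits[b]["bad"] += size * 8
    out = {}
    for b in sorted(bits):
        per_second = 1000.0 / bin_ms
        good_bps = bits[b]["good"] * per_second
        bad_bps = bits[b]["bad"] * per_second
        ts = arrivals[b]
        gaps_ms = [later - earlier for earlier, later in zip(ts, ts[1:])]
        out[b] = {
            "goodput_mbps": good_bps / 1e6,
            "badput_mbps": bad_bps / 1e6,
            # Utilization as the page defines it: share carrying legitimate traffic
            "legit_util_pct": 100.0 * good_bps / BOTTLENECK_BPS,
            # Jitter as the page defines it: variance of inter-arrival time (s^2)
            "jitter_s2": pvariance(gaps_ms) / 1e6 if len(gaps_ms) > 1 else 0.0,
        }
    return out

if __name__ == "__main__":
    for sec, m in impact_metrics(constructed_trace()).items():
        print(sec, {k: round(v, 6) for k, v in m.items()})
```

In the constructed trace the flood fills the bottleneck in the second bin, so good-put falls while bad-put and jitter rise, which is the pattern Figures 5 to 8 report.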
III. CONCLUSION
DDoS attacks are rising as a threat. Over the last few years, these attacks have grown in intensity and now have traffic volumes of up to 400 Gbps. These attacks are easy to carry out and do not require great knowledge or access to zero-day vulnerabilities. The duration of the attacks is often just a few hours or even minutes, but this can be enough to inflict a lot of damage at the target site.
REFERENCES
[1] Thomas Dubendorfer, Matthias Bossardt, Bernhard Plattner; Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation; Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05) - Workshop 17 - Volume 18, 2005.
[2] Stephen Specht, Ruby Lee; Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures; Department of Electrical Engineering, Princeton Architecture Laboratory for Multimedia and Security, Technical Report CE-L2003-03, May 16, 2003.
[3] CNN. Cyber-attacks batter Web heavyweights, February 2000. www.cnn.com/2000/TECH/computing/02/0 /cyber.attacks
[4] CNN. Immense network assault takes down Yahoo, February. http://www.cnn.com
[5] Netscape. Leading web sites under attack, February 2000. technews.netscape.com. Journal of Computer Science
[6] CERT Coordination Center. Denial of Service attacks. http://www.cert.org/tech_tips/denial_of_service.html
[7] Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures. Stephen M. Specht, Electrical Engineering, Princeton University.
[8] Mirkovic, J. and Reiher, P. "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communications Review, Volume 34, No. 2, pp. 39-53, April, 2004.
[9] Kumar, K., Joshi, R. and Singh, K. "An Integrated Approach for
[10] www.akamai.com.
[11] White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., Newbold, M., Hibler, M., Barb, C. and Joglekar, A., An Integrated experimental environment for distributed systems and networks. In Proceedings of the Fifth Symposium on Operating Systems Design and Implementation (OSDI02), (Dec. 2002), pp. 255-270.
[12] Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A., Sklower, K., Ostrenga, R. and Schwab, S., Experience with DETER: A Testbed for Security Research. In Proceedings of Tridentcom, March 2006.
[13] D. Kaur, M. Sachdeva and K. Kumar, "Impact Analysis of DDoS Attacks on FTP Services," International Conference on Recent Trends in Information, Telecommunication and Computing, ISBN 978-94-91587-21-3, pp. 220-228, March 21, 2014.
[14] Kisimoto, M. "Studies on Congestion Control Mechanisms in the Internet – AIMD-based Window Flow Control Mechanism and Active Queue Management Mechanism," Master Thesis, Osaka University, 2003.