Dynamic Management of the Firewall Policy to Mitigate DDoS Attacks in Web Services
Young-Long Chen†, Ying-Chen Chen
Department of Computer Science and Information Engineering, National Taichung Institute of Technology,
No.129, Sec. 3, Sanmin Rd., Taichung, Taiwan
doi: 10.4156/jcit.vol6.issue8.35
Abstract
Network attacks occur often as the Internet is used more frequently. To prevent distributed denial-of-service (DDoS) attacks more effectively, the attack's sources must be found and blocked in the shortest possible time so that legitimate users can keep working normally. In this paper we propose a new scheme that uses the characteristics of web services to record each user's source IP and, through the firewall and a control computer, applies real-time dynamic policy rules. It can quickly identify the source of an attack and group users according to their permissions, so we can block the attack when the web site is under DDoS attack. Our scheme reduces service interruption time and the impact of DDoS.
Keywords: DDoS, Web Service, Firewall Policy
1. Introduction
Since 1998 [1], hackers have exploited vulnerabilities of the Internet protocol network by sending large amounts of masqueraded data so that the host's network services become congested or the server even collapses. Many well-known network service companies have suffered this type of attack, and many users could not use the network services these companies provide; the number of those affected is so large that it is difficult to estimate. Against the behaviour of DDoS attacks, scholars have proposed many different ways, mostly based on characteristics of the network, to judge the status of a DDoS attack and to determine defense methods. These ways mostly use statistical methods and classification to analyze related data such as the source Internet protocol (IP) address, protocol, packets, data flow, etc., as shown in Fig. 1.
Preventing a DDoS attack means finding the source of the attack in the shortest possible time and then blocking it. Most scholars use packet filtering methods [2-3] to find the source of the attack. Mohamed and other scholars proposed wavelet transform methods [4] to find the source, whereas Keunsoo Lee et al. put forward a cluster analysis method [5] to solve the problem. Whichever method is used to look for the source, its purpose is to prevent DDoS attacks.
Network flow can also be used to judge DDoS attacks. In [6], Cabrera et al. proposed in 2001 that observing changes in network flow determines whether the target is under attack. The network management system analyzes the flow of IP-based Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets and the Simple Network Management Protocol (SNMP). Each management information base (MIB) variable records the variation of the communication rate when the network or system is in the normal state or under attack. Using MIB value analysis, in 2008 Jaehak Yu [7] and other scholars proposed adopting an SVM method to analyze MIB values, which makes the analysis of DDoS values faster and more accurate. In the same year Keunsoo Lee et al. [5] also proposed using a classification method to analyze whether a DDoS attack is happening.
Fig. 1. The architecture of DDoS attacks.
Fig. 2. SSL protocols.
When a website is being attacked, many IP addresses visit the website for the first time. Jung [8] found in 2002 that when a large number of IP addresses suddenly appear at a website under attack, only a few of them have visited the website before. In 2005 Lee et al. [9] confirmed with experiments that this method can tell whether an IP address belongs to the attack, with an accuracy of 99.95%. Basheer [10] and other scholars pointed out, in a method proposed in 2006, that packet characteristics can be used to classify server packets and compare their three characteristics (FTP etc.). Vasilios et al. [11] and Kejie Lu [12] further analyzed the characteristics of small packets in 2007 so that DDoS attacks can be identified more quickly.
To mitigate DDoS attacks by quickly identifying the source of the attack, Shigang Chen [13] provided a packet filtering method in 2007. Hyunsang Choi [14] and other scholars offered a quick way, parallel coordinate attack visualization (PCAV), in 2009, using the network flow features in the router to connect the source IP with the target IP: when an IP is being attacked, a great number of IPs connect to that attacked IP.
To provide a more secure environment, some web services offer encryption between the web browser and the host, for instance the secure socket layer (SSL) protocol or the transport layer security (TLS) protocol [15-16], as shown in Fig. 1. Through an SSL connection we can enter the account and password and then log in; there are many means to certify legitimate users, and most banks' online inquiries and transactions are carried out in this way. SSL security is related to the encryption key length. Currently the key length is 128 bits, and the upper bound of the key length is 1024 bits; the longer the key, the more computation time is needed, as shown in Fig. 2.
2. Dynamic adjustment of the firewall policy (DAFP)
To mitigate DDoS attacks, we must find the source of the attack in the shortest possible time and block it. If we can directly list the source locations of legitimate users from the web service and automatically apply them dynamically to the firewall, then we save the time needed to find the source of the attack, and we also ensure that users who have already logged in legally can continue to use the web service.
2.1. Grouping user by permission
First, users of the page are divided into three groups according to permission. The first group is guest: users of this group have no account or password. The second group is user: every user in this group has an account and password. The third group is the administrator (Admin): in addition to an account and password, these users log in over SSL. The overall structure is shown in Fig. 3. The first and second groups use HTTP transmission over TCP/IP port 80; the third group uses TCP/IP port 443 because of its HTTPS format.
2.2. Change the network structure
To let the firewall have the user's IP information in detail, we add a control computer between the firewall and the web host which can control the firewall. The main function of this computer is to change the firewall policy rules in a timely manner. When a flow anomaly alert occurs, the firewall promptly acquires the IP data of users at all three levels (admin, user and guest) from the web host, and we immediately change the firewall policy rules to block the flow of illegal IPs. For safety reasons, we use a local area network (LAN) IP or a VPN to connect the control personal computer (CPC) to the web host, and use console mode to connect the CPC to the firewall. If the function of the CPC were placed in the web host, then when the host is invaded the firewall could be damaged and stop working, as shown in Fig. 4.
2.3. Data normalization
We use SNMP to get the firewall's flow value (m) and the firewall's packet usage (p). Since the rate of each network is different, the flow values (m) obtained cannot be unified, so we convert them to a percentage using formula (1). For the firewall's packet usage, the packets serve both the flow and the other functions of the firewall, so the available packet usage is the highest value minus the lowest value, and it is then converted to a percentage as shown in (2).
$$M\% = \frac{m}{M_{\max}} \times 100\% \qquad (1)$$
$$P\% = \frac{p}{P_{\max} - P_{\min}} \times 100\% \qquad (2)$$
2.4. Dynamic firewall policy scheme
In our proposed scheme, the firewall policy rules can be modified promptly by the CPC. For example, when the network flow reaches Xn, the firewall sends an event to the CPC. After receiving the notice from the firewall, the CPC immediately requests the user IP information from the web host. As soon as it is converted into firewall instructions, the firewall immediately blocks every user IP that is not in the three groups of users, as shown in Fig. 5.
Table 1. Definition of symbols
Symbol   Definition
m        firewall real-time network traffic
Mmax     firewall max network traffic
p        firewall real-time packet traffic
Pmin     firewall min packet traffic
Pmax     firewall max packet traffic
M%       firewall real-time network traffic %
P%       firewall real-time packet traffic %
Event
  // set the trigger values X1, X2, ..., Xn of the dynamic firewall rules, with X1 > X2 > ... > Xn
  If M% > X1 or P% > X1
    // the network traffic percentage or the packet percentage exceeds X1
    Permit admin-group ip
    // allow the admin-group only
    Deny all
    // block all the rest
  Else
    If M% > X2 or P% > X2
      // the network traffic percentage or the packet percentage exceeds X2
      Permit user-group ip
      Permit admin-group ip
      // allow the admin-group and the user-group
      Deny all
      // block all the rest
    Else
      ...
      If M% > Xn or P% > Xn
        // the network traffic percentage or the packet percentage exceeds Xn
        Permit guest-group ip
        Permit user-group ip
        Permit admin-group ip
        // allow the admin-group, user-group and guest-group
        Deny all
        // block all the rest
      Else
        // below the Xn value
        Permit all
        // allow everything to pass
Fig. 6. Change firewall policy scheme.
Next, we define the dynamic operation that triggers the firewall. We set the values of P% and M% that trigger the firewall policy. M% ranges from 0% to 100% and P% also ranges from 0% to 100%; the trigger value is set to X. Since more than one trigger value can be defined, they are denoted X1, ..., Xn, as shown in Fig. 6.
3. Experiments
To prove that our method can be realized, we use the lab's computers and install the relevant software and hardware to simulate our method.
3.1. Construction of network environment
3.1.1. Software construction
We install a Linux network host with a web server that supports PHP, and use the lab's personal computers (PCs) as users' PCs. We select Drupal, an open-source program, as the host's web program. According to page permissions, we divide users into three groups to manage. First, the guest-group includes visitors without an account and password. The second group, the user-group, includes users who have their own accounts and passwords. The third is the admin-group; its users are the web managers or important users.
The control software, the web service and firewall monitoring with control system (WFMC), is written in the C language. The main function of the program is to trigger the rules that alter the firewall when the network flow or the packet rate of the firewall becomes high. The triggered rules can be set or altered in the program.
3.1.2. Construction of network
In the network of a computer room, a firewall is added to protect the web host. To avoid anomalies of the network connection, we install two network interface controllers in the web host. One is connected to the firewall to provide web services; the other is connected to the CPC so that the CPC can easily query the IP address of each user. The CPC not only receives the information of the web host, but also controls the rules of the firewall. For this part, we connect to the console port of the firewall through the COM 1 port of the CPC, and alter the settings of the firewall through a terminal connection.
3.1.3. Test data capture of CPC and control function of firewall
Since our scheme has three levels of permission for page users, to complete the experiment we use the lab's computers and open the web page. On some computers an account and password are needed to log in to the web page, whereas on other computers one browses the page as a visitor without an account. Two other computers are for the administrators. The control program of the CPC communicates with the web host through the network to obtain the users' IP addresses and divides the users into three levels. For firewall control, we use the console interface to give orders directly to the firewall, using the most common IP access-list syntax to carry out the IP blocking and allowing actions. The control program of the CPC can take user data from the web host and network traffic and packet counts from the firewall. In this experiment we defined 3 trigger points, as shown in Table 2.
Table 2. WFMC event list
Symbol   Definition
X1=80    Allow admin-group only
X2=70    Allow admin-group, user-group only
X3=60    Allow admin-group, user-group, guest-group only
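The following worked example ties together the normalization of Section 2.3 (formulas (1) and (2)), the tiered decision of Fig. 6 and the trigger points of Table 2. It is an added illustration written for this page in Python, not the authors' WFMC program (which is written in C). The session records, the IP addresses (documentation ranges), the Pmin value of 200 p/s and the "permit host ... / deny any" rule syntax are all constructed assumptions; Mmax = 20 Mbps, Pmax = 2000 p/s and the thresholds X1=80, X2=70, X3=60 are taken from the paper. The check that an admin session must arrive over port 443 (Section 2.1) is also an added assumption.

```python
"""Added example: dynamic firewall policy selection (Sections 2.3, 2.4, Table 2).
Not the paper's WFMC code; all sample data below is constructed."""

# Constructed session records as the web host might report them to the CPC.
# 'role' is the permission group; port 443 (https) marks an SSL admin login.
SESSIONS = [
    {"ip": "192.0.2.10", "role": "admin", "port": 443},
    {"ip": "192.0.2.12", "role": "admin", "port": 80},   # admin without SSL (constructed edge case)
    {"ip": "192.0.2.11", "role": "user", "port": 80},
    {"ip": "198.51.100.7", "role": "user", "port": 80},
    {"ip": "203.0.113.5", "role": "guest", "port": 80},
    {"ip": "203.0.113.6", "role": "guest", "port": 80},
]

# Trigger points from Table 2 (X1 > X2 > X3) and the groups permitted once
# M% or P% exceeds each of them.
TRIGGERS = [
    (80, ("admin",)),
    (70, ("admin", "user")),
    (60, ("admin", "user", "guest")),
]


def normalize(m, m_max, p, p_max, p_min):
    """Formulas (1) and (2): M% = m/Mmax*100, P% = p/(Pmax-Pmin)*100."""
    m_pct = 100.0 * m / m_max
    p_pct = 100.0 * p / (p_max - p_min)
    return m_pct, p_pct


def group_ips(sessions):
    """Split source IPs into the three permission groups of Section 2.1.
    Assumption (not in the paper): an 'admin' session that did not come over
    port 443 is only trusted at user level."""
    groups = {"admin": set(), "user": set(), "guest": set()}
    for s in sessions:
        role = s["role"]
        if role == "admin" and s["port"] != 443:
            role = "user"
        groups[role].add(s["ip"])
    return groups


def select_tier(m_pct, p_pct, triggers=TRIGGERS):
    """Fig. 6: the largest trigger exceeded by either M% or P% decides the tier.
    Below the smallest trigger nothing is restricted (returns (None, None))."""
    for threshold, allowed in sorted(triggers, key=lambda t: t[0], reverse=True):
        if m_pct > threshold or p_pct > threshold:
            return threshold, allowed
    return None, None


def build_access_list(allowed, groups):
    """Render the permit/deny rules of Fig. 6 in an access-list style."""
    if allowed is None:
        return ["permit any"]
    rules = []
    for g in allowed:
        for ip in sorted(groups[g]):
            rules.append(f"permit host {ip}")
    rules.append("deny any")      # everything not listed is blocked
    return rules


def policy_for(m, p, sessions=SESSIONS, m_max=20.0, p_max=2000, p_min=200):
    """Full CPC step: normalize the SNMP readings, pick the tier, emit rules.
    m_max and p_max are the paper's 20 Mbps / 2000 p/s; p_min is assumed."""
    m_pct, p_pct = normalize(m, m_max, p, p_max, p_min)
    threshold, allowed = select_tier(m_pct, p_pct)
    return threshold, build_access_list(allowed, group_ips(sessions))


def tiers_over_time(readings):
    """Replay a constructed series of (m, p) readings and return the active
    threshold at each step, showing the escalation of Section 3.4."""
    return [policy_for(m, p)[0] for m, p in readings]


if __name__ == "__main__":
    for m, p in [(5, 900), (13, 900), (15, 900), (17, 900)]:
        threshold, rules = policy_for(m, p)
        print(f"m={m} Mbps p={p} p/s -> tier {threshold}: {rules}")
```

Run with no arguments to print the rule set for four constructed readings; the escalation from no restriction through X3, X2 and X1 follows purely from the larger trigger values winning in `select_tier`, which is the behaviour Fig. 6 and Section 3.4 describe.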
3.2. Simulate DDoS attack
To simulate DDoS attacks, we use the most common instruction, ping, sent from multiple computers simultaneously to the network host to raise the network flow of the web host. The network flow and packet rate of the firewall also begin to increase. The max network traffic is 20 Mbps and the max packet rate is 2000 p/s. The related variation can be seen from the WFMC on the CPC, as shown in Fig. 7: the DDoS attack causes the network traffic and packets to increase.
3.3. Quickly find out the source of attack
Keunsoo Lee [5] and other scholars proposed classification of the source data to identify the network source of an attack, which takes some time to collect and calculate. Instead, we set the source IPs known to the web service as the allowed-access list through the CPC of DAFP and block the remaining sources at M% > 60. This takes only about 60 s to finish, as shown in Fig. 8. Experimental results show that our scheme can reduce the real-time network traffic instantly.
3.4. Attacker in the guest-group
In this experiment, DAFP quickly blocks the sources that are not web users. When the network is being attacked, the sources can be browsed according to the user's priority in the web host, and by reverse derivation the source of the attack can be known. If the attacker is a network user, then although the X3=60% blocking solution has started, the network flow and the number of packets still rise, as shown in Fig. 9. When it reaches 70%, the X2=70% blocking solution starts to decrease the network attack.
The rules of our method can be changed dynamically according to the set values. In Fig. 10, experimental results show that our scheme can reduce the real-time network traffic instantly.
Fig. 9. Attacker in the guest-group.
Fig. 10. Start of the X2=70% preventing solution.
3.5. Different groups are allowed
We found from the firewall that network flow and packets increased until the value reached the preset value X3=60%, at which point the blocking mechanism starts, only allowing the admin-group, user-group and guest-group to pass and blocking the rest. At this time we use the classification of source data proposed by Keunsoo Lee [5] to identify the network source of the attack. The network flow and packets of the firewall begin to decrease and return to the previous state. If they do not decrease, then when the flow and packets increase to 70% the dynamic rule changes to only allowing the admin-group and user-group to pass, as shown in Fig. 6.
4. Conclusions
When a DDoS attack occurs, analyzing the Internet packet type or packet header characteristics spends a lot of computing time on the attack sources because of the huge number of source IPs, and only after the attack sources are found can the deny actions be taken. To reduce service interruption time, this paper proposes a dynamic management of the firewall policy which can quickly block DDoS attacks. We obtain legal users' real-time IP information from the web server. In our scheme, users of different levels can pass in different phases, which reduces service interruption. Our scheme can also be applied to FTP servers, e-mail servers and other commonly used network servers.
5. Acknowledgement
This paper is published as part of the research findings under grant number NSC 99-2622-E-025-001-CC3, sponsored by the National Science Council (NSC). We are indebted to all the support provided by NSC Taiwan.
6. References
[1] Da Zhu, Yang Zhang, Bo Cheng, Budan Wu, Junliang Chen, "HSCEE: A Highly Flexible Environment for Hybrid Service Creation and Execution in Converged Networks", JCIT, Vol. 6, No. 3, pp. 264-276, 2011.
[2] Chung C. Chang, Kou-Chan Hsiao, "A SOA-Based e-Learning System for Teaching Fundamental Information Management Courses", JCIT, Vol. 6, No. 4, pp. 298-305, 2011.
[3] Anping Zhao, Yu Yu, "Semantic Link based Multi-granularity Service Relationship Detection", IJACT, Vol. 3, No. 5, pp. 52-61, 2011.
[4] Reihaneh Khorsand Motlagh Esfahani, Farhad Mardukhi, Naser Nematbakhsh, "Reputation Improved Web Services Discovery Based on QoS", JCIT, Vol. 5, No. 9, pp. 206-214, 2010.
[5] Jia Mei, Huaikou Miao, Yihai Chen, Honghao Gao, "Verifying Web Services Composition Based on Interface Automata Using SPIN", JDCTA, Vol. 4, No. 8, pp. 23-33, 2010.
[6] S. C. Lin, S. S. Tseng, "Constructing detection knowledge for DDoS intrusion tolerance", Expert Systems with Applications, Vol. 27, pp. 379-390, 2004.
[7] M. Sung, J. Xu, "IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks", IEEE Trans. Parallel Distrib. Systems, Vol. 14, No. 9, pp. 861-872, 2003.
[8] U. Tupakula, V. Varadharajan, "Counteracting DDoS attacks in multiple ISP domains using routing arbiter architecture", in Proc. IEEE International Conference on Networks, pp. 455-460, 2003.
[9] M. Hamdi, N. Boudriga, "Detecting Denial-of-Service attacks using the wavelet transform", Computer Communications, Vol. 30, pp. 3203-3213, 2007.
[10] K. Lee, J. Kim, K. Kwon, Y. Han, S. Kim, "DDoS attack detection method using cluster analysis", Expert Systems with Applications, Vol. 34, pp. 1659-1665, 2008.
[11] J. B. D. Cabrera, L. Lewis, X. Qin, W. Lee, R. K. Prasanth, B. Ravichandran, R. K. Mehra, "Proactive detection of distributed denial of service attacks using MIB traffic variables - A feasibility study", in Proc. IEEE International Symposium on Integrated Network Management, pp. 1-14, 2001.
[12] J. Yu, H. Lee, M. Kim, D. Park, "Traffic flooding attack detection with SNMP MIB using SVM", Computer Communications, Vol. 31, pp. 4212-4219, 2008.
[13] J. Jung, B. Krishnamurthy, M. Rabinovich, "Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites", in Proc. ACM Conference on Computer and Communications Security, pp. 30-41, 2002.
[14] F. Y. Lee, S. Shieh, "Defending against spoofed DDoS attacks with path fingerprint", Computers and Security, Vol. 24, No. 7, pp. 571-586, 2005.
[15] B. Al-Duwairi, G. Manimaran, "Distributed packet pairing for reflector based DDoS attack mitigation", Computer Communications, Vol. 29, pp. 2269-2280, 2006.
[16] V. A. Siris, I. Stavrakis, "Provider-based deterministic packet marking against distributed DoS attacks", Journal of Network and Computer Applications, Vol. 30, pp. 858-876, 2007.
[17] K. Lu, D. Wu, J. Fan, S. Todorovic, A. Nucci, "Robust and efficient detection of DDoS attacks for large-scale internet", Computer Networks, Vol. 51, pp. 5036-5056, 2007.
[18] S. Chen, Y. Tang, W. Du, "Stateful DDoS attacks and targeted filtering", Journal of Network and Computer Applications, Vol. 30, pp. 823-840, 2007.