- Distributed Denial of Service (DDoS) attack has been the most devastating attack on computer network and internet at large. Several techniques have been deployed to mitigate this attack. However, detecting the source of DDoS attack remains unsolved in the literature. The aim of this paper is to develop a traffic analyzer for the detection of DDoS attack source. The approach used consists of sniffing, analysis and isolation of source and destination IP address with their respective timestamp of packets that flow through the network in which system was deployed. Traffic analyzer has the ability of saving the captured packet for possible examination and analysis by forensic expert. Traffic Analyzer was developed as a console based application using python programming language which is limited to run on Linux distribution. A network was simulated using GNS3 consisting of the attacker and the victim machine (both run on kali Linux). The result of this work was shown after the developed traffic analyzer was used to collect traffic from the simulated victim machine, thereby showing the traffic and their header information. The arrival time of each IP address that comes inside the network was logged. With this the analyzer was used to determine the type and source of DDoS attack.
INTRODUCTION
From the beginning of 21st century, there have been an evolving threat toour cyberspace, these attacks are classified majorly as attack against confidentiality, integrity and availability of information. Distributed Denialof Service (DDoS) attack have been the most devastating attack on our network and internet at large and they are being tagged as the attack against availability of information whereby the information that are meant to be available for a legitimate user is being denied by the server because the attacker is accessing the server and sending unsolicited request to this machine thereby causing the legitimate client inability to access its resources. A Distributed Denial of Service (DDoS) is where the source of attack is more than one and often thousands of unique or spoof IP addresses. Perpetrators of DDoS attacks often target sites or services hosted on highprofile web servers such as banks, credit card payment gateways, but motives of revenge, blackmail or hacktivism can be behind other attack like the attacks reputable companies or countries.
II.
At the present time, more and more critical
infrastructures arebeing used by organizations and they are
increasingly relying upon the internet in order to carry out
their day to day operations [1]. Internet attacks are at
increasing rate and threat are also increasing to cripple
Information Technology infrastructures [
With the increase in large attacks that directly targets the large businesses and government institutions around the world, one of the most significant issues that can be considered by both commercial and governmental organizations is to protect its information from malicious jeopardizing that is, the adoption network security is more important now more than ever because of the increase in attacks every day by day due to the automated tools being use against internet-connected systems by attackers [1]–[4].
Denial of service (DoS) or Distributed Denial of Service
(DDoS) attacks is one of the most devastated internet attack
against internet connected system in this era and they can be
defined as attempts to make a computing or network
resource unavailable to its users or as an attack that pose a
highly damageable threat to the CIA (Confidentiality,
Integrity and Availability) of services that resides on the
network [4]–[
Basically, DDoS attack architecture consists of three components which are master, slave and the victim. They collaboratively work together towards achieving their malicious goals. Figure l shows the model of a typical DDoS attack. The master takes control of the botnet without the knowledge of their owners, because they have been previously infected with a Trojan or a backdoor program. The compromised machines called botnet are being control by the bot-master, often through Command and Control (C&C) channels, and simultaneously used to track a victim using the public internet infrastructure [9].
Internet crime like DDoS attack is still at large and on the rise there is not yet an effective and efficient system to know where the malicious packet come from, or where the suspect is located so that he/she can be identify, track, report, arrest and punish for its offence [1].
The summary of the review based on this research work is shown below in Table 1.
III.
SYSTEM DESIGN
In order to have detailed understanding about the proposed system. This section explains functions of the proposed system using system flowchart and UML Use Case Diagram
The propose traffic analyzer for detection of DDoS attack source flowchart is depicted below in figure 2. Because of the sniffing and reporting features of this system, running the system will enable it to start capturing packet from the Ethernet frame either through wireless or wired network. This packet would contain the following relevant information: Source and Destination IP address Source and Destination MAC address Source and Destination Port number
After the collection of this information, it will store the destination and source IP address of every new packet and then check if the source and destination is existing inside the hash table which can be refer to as dictionary in python. If the information is existing, it will add the occurrence of this IP addresses into their respective hash table for further network traffic analysis.
This section uses the UML use case diagram to explain the proposed system. Use case diagram has been known to consist of mainly the actors and their respective functions. Figure 3 depict the proposed system in which the actor is represented by as proposed system with its respective features which to sniff packet, analyze traffic and report engine.
The sniff packet use case represents the ability of the system to be able to capture packet that comes in and out of the network computer putting the following criteria into consideration.
Source and Destination IP address Source and Destination MAC address Source and Destination Port number
The network traffic analysis component would check for the following information which can be useful in case if there is an existence of DDoS attack in that particular network.
The packet protocol The packet header
The report engine consists of two functions which are logging evidence creation after the system termination. The following information are logged in order to examine the existence of DDoS attack.
Source and Destination IP address Their respective timestamp
start
New Packet_In Read packet header
Isolate source and destination IP and MAC
address Store host and dest IP
into hash table NO
Does the IP exist Add to hash table
YES Add to the no of occurrence in hash table Log info save
Stop Improving on RBPBoost Algorithm Limited to known attack detection Able to develop a system for analyzing capture data from IBR Ability to receive a .pcap file and transform it into report format Limited packets An information-theoretic framework models for flooding attacks using Botnet on ITM and effective attack detection using Honeypots DDoS attack Detection and defense approach DDoS detection techniques Limited to characterizing IBR information to their respective payloads to processing
smaller Limited to small and homogenous network Stability of centroid-based rules for non-spherical shapes Focusing on botnet detection on network –level traces Limited to equal weight simple correlation Only applicable in stationary mode Technique depends on CUSUM Limited to detection of attack when the DDoS attack is targeting a host not the entire network Greedy layer wise unsupervised training strategy Training deep neural network for DDoS detection Techniques works for unsupervised training only Valuation method of probability loss of arbitrary request passing on mass network service A statistical CUSUM-based detection technique Entropy based algorithm Detection technique for DoS/DDoS/DRDoS attacks in network mass service Detection of DDoS attack Early detection of DDoS attack in software defined network Combining multiple independent data sources to study large DDoS attacks A measurement study for analyzing DDoS attack for multiple data sources.
Using PMD technique and labelling of incoming packet in detection of sniffing and DDoS attack Flexible Deterministic Packet Marking technique Flexible Deterministic Packet Marking technique Detection and isolation of DDoS attack with packet sniffing in a SCADA network The both techniques work separately in detecting their target An IP traceback system that is having high probability of finding the source of DDoS attack An IP traceback system that is having high probability of finding the source of DDoS attack Processing of packet consume more resources It requires human intervention. i.e. it is not automated. May not be able to give high performance in a large network Using entropy based algorithm RBPBoost was trained and tested with DARPA, CONFICKER, IBR analyzer using python Data analysis and reporting tool.
Modelling and Countermeasures Using Botnet and Honeypots A data mining Centroid-based rule method Virtual mechanism Using ensemble-based DDoS attack detection and rate of change of unseen IP addresses honeynet data collection
Detection of IRC and HTTP botnet
The timestamp would be logged first followed by the respective IP address in order to map host IP address with their respective source address of every flow of packet in and out of the network in order to ease the investigation of potential DDoS attack source and where the attack is really targeting.
IV.
. METHODOLOGY A.
In order to achieve this project, there are the requirement that must be met for both the software that would be used in building the system and the hardware specification needed to simulate the DDoS embedded network. 1) 2)
GNS3 software for the DDoS embedded network simulation Kali linux operating system (for both and victim and attacker’s machine).
Virtual machine (Virtual Box or VMware) The specification that would be needed in other to perform achieve this project is minimum of 500GB hard drive, 8GB RAM and 2.35GHz quad core laptop
over the other programming languages because python is beginner’s friendly and the choice of language penetration testers and forensic analyst and entire cyber security field at large.
Proposed System b) Socket: This module offers access to the socket interface of BSD and is available on all current Unix systems, Windows, MacOS, and possibly additional platforms. This module provides everything you need to build socket servers and clients.
c) Struct library: It does changes between Python values and C structs characterized as Python bytes objects which are use to handle binary data stored in files or from network connections, amid other sources. Format Strings is use as solid descriptions of the C structs plan and the intended change to/from Python values.
d) Datetime library: This module is responsible for providing classes in order to manipulate dates and times in both simple and multipart ways. While date and time arithmetic is maintained in this module, the motivation of this application is to efficiently extract attribute for output formatting and manipulation
e) Time library: It provides various time-related functions. Almost all the functions defined in this module call platform C library functions with the similar name.
f) Textwrap: It is one of the module that perform text processing services. This module provides the functions of wrapping or filling one or two text strings. It also has some convenience functions, as well as Textwraper, the class that does all the work. Textwrap is would be use in the formatting and arrangement of string.
This section reports the implementation of the developed system (Traffic Analyzer), and also Distributed Denialof Service (DDoS) attack network simulation which was used as the test bed in order to carry out the system testing of the developed system.
B.
Below are the tools that are used in achieving our DDoS test bed in order to further test the workability of our developed system.
GNS3 is a network simulator that allows simulation of networks. It consist of Dynamips (a cisco router emulator) and also contains Pemu (a cisco PIX firewall emulator) as well as tight incorporation with wireshark (packet capture and protocol analyzer).
hping is a command-line oriented TCP/IP packet analyzer/assembler. It supports TCP, UDP, ICMP and RAWIP protocols, has a traceroute mode, the capability to send files between an enclosed channel, and many other features. one of the features of hping command is network testing, this network testing feature was use to perform DDoS attack against the victim’s machine.
The system testing environment was achieved by simulating a network which was in carrying out Distributed Denialof Service attack of the attacker’s machine while the develop system is set up on the victim’s machine. Figure 4 shows how this was achieved using Graphical Network Simulator (GNS3).
The router shown in this figure 4 was configured in order to connect the two-dissimilar network of /24 netmask, the attacker’s network (192.168.1.0/24) and the victim’s network (10.10.0.0/24). The Kali linux operating system to act as our attacker and victim in our test bed.
The developed system was implemented on the Kali linux clone because is the system that was configured to act as the victim machine while the Kali linux at the left-hand side of figure 4 was configured to act as our attacker machine. Figure 5 shows the implementation of our developed system using python programming language version 3. Both Kali linux and Kali linux clone are assigned IP address of 192.168.1.2 and 10.10.1.3 respectively.
When this developed system is run on any system, it turns the system network interface card (NIC) into promiscuous mode then it begin to sniff every that comes in and out of that network the system is connected to, analysis the traffic and log IP addresses information by mapping the source and destination IP address with their timestamp and finally save all the capture packet in a pcap file format. legitimate traffic and it may be DDoS attack. With this, the examiner can then terminate the traffic analyzer to get the save capture file, open it with any pcap reader to check for the MAC address of the suspected IP addresses, all the IP addresses have the same MAC gives proof the evidence that they are all spoof address form a particular source and it is likely to be a DDoS attack.
This traffic analyzer was use in analyzing internet control message protocol (ICMP) packet which gives every parameter of ICMP packet with their values and displaying the IPv4 header with their necessary information.
In a situation whereby the network administrator or whoever is responsible of inspecting the system arrive, all that is needed first is to go to the detection log (figure 6) to check for the IP address log and the respectively timestamp.
This is experiment the attacker’s machine was assigned an IP address of 192.168.1.4 while the victim’s machine was assigned an IP address of 10.10.1.10.
Hping command tool is also use in performing DDoS attack using spoofed IP source. This command enables the attacker’s machine to send TCP request the victim’s machine in which the IP address is spoof in every request that was sent to the victim’s machine.
After this command was launched, the traffic analyzer on the victim’s machine start capturing packet coming in and analyzing it second Ethernet frame.
Although traffic analyzer was unable detect the real source IP address of the packet but fortunately because most automated software being used to perform DDoS attack do not spoof the attacker’s MAC address, it only spoofs their IP address which enable traffic analyser to still a lead of who the attacker’s machine is using the MAC address
The detection log shown in figure 7 also shows the logging of the spoof IP addresses with their respective timestamp. looking at the timestamp, that is, how close a request is being sent to the victim before another IP address will make the examiner suspect that the traffic is not a
After the DD0S attack was terminated, the save captured packet g0tten fr0m this experiment was ana1yse using statistica1 (IO Graph) in wireshark t0 get the graphica1 presentati0n 0f the DD0S attack 0n the victim machine.
Figure 8 disp1ays the graph 0f packet sent 0n the y-axis against x-axis 0f time 1 sec0nd interva1. The b1ack 1ine indicate the t0ta1 t0ta1 traffic, red 1ine indicate the tcp reset whi1e the green 1ine indicate tcp syn. 100king at the figure be10w we can deduce that the rate 0f packet that entered the victim machine in the first 40 sec0nds rises t0 250 packet per sec0nd and a1s0 the tcp syn and tcp reset are a1m0st 0n the same range. This means that tcp reset by the attacker’s machine after every tcp synch0nizati0n reset which d0es n0t c0nc1ude any successfu1 three way handshake. The has pr00f the traffic is n0t a 1egitimate traffic but rather an i11egitimate traffic with the characteristics 0f DD0S attack because IP address are being change after every tcp reset.
This DD0S attack resu1t in the victim’s machine unab1e t0 resp0nd t0 even ping request because 0f the machine res0urces has been 0verwhe1med.
CONCLUSION
Development of a traffic analyzer for the detection of Distributed Denial of Service attack has been successfully designed, implemented, tested. This new developed system would help its user to detect anomalous in their production network. It will also help network forensic analyst to easily examine the packet capture from its client network with the help of the save captured packet and detection log features of traffic analyzer. The detection log is always saved as a text file which enables an easy disaster recovery of it, in case if the system crashes, because base on experience, text file is easier to recover compare pcap. Therefore, even though both the captured packet and the detection was lost in an event of disaster, there are still chances of recovery the text file which can also give us some clue what really happened. [7] N. E. W. Features, “CISC0 4240 INTRUSI0N PREVENTI0N SENS0R, (2682), l4,” 2004.
System for Characterising Internet Background [13] I. van Zyl, “Creating a flexible data processing engine for large packet capture datasets,” 2014. [17] M. Alenezi and M. Reed, “Methodologies for detecting DoS/DDoS attacks against network servers,” in Conference on Systems and Networks, 2012, pp. 92–98.