=Paper=
{{Paper
|id=Vol-1830/Paper71
|storemode=property
|title=Development of a Traffic Analyzer for the Detection of DDoS Attack Source
|pdfUrl=https://ceur-ws.org/Vol-1830/Paper71.pdf
|volume=Vol-1830
|authors=Joseph Adebayo Ojeniyi,Maruf Olalekan Balogun,Fasola Sanjo,Onwudebelu Ugochukwu
}}
==Development of a Traffic Analyzer for the Detection of DDoS Attack Source==
International Conference on Information and Communication Technology and Its Applications (ICTA 2016), Federal University of Technology, Minna, Nigeria, November 28 – 30, 2016

Joseph Adebayo Ojeniyi (1), Maruf Olalekan Balogun (2), Fasola Sanjo (3), and Onwudebelu Ugochukwu (4)

(1, 2) Department of Cyber Security Science, Federal University of Technology, Minna, Nigeria; (3) Department of Computer Science, University of Ibadan, Ibadan, Nigeria; (4) Department of Computer Science, Federal University Ndufu-Alike Ikwo, Abakaliki, Nigeria

ojeniyija@futminna.edu.ng, marufbyte@gmail.com, sanjo@elsmedia.com, anelectugocy@yahoo.com

===Abstract===
Distributed Denial of Service (DDoS) attacks have been the most devastating attacks on computer networks and the internet at large. Several techniques have been deployed to mitigate this attack; however, detecting the source of a DDoS attack remains unsolved in the literature. The aim of this paper is to develop a traffic analyzer for the detection of the DDoS attack source. The approach used consists of sniffing, analysis and isolation of the source and destination IP addresses, with their respective timestamps, of the packets that flow through the network in which the system is deployed. The traffic analyzer is able to save the captured packets for later examination and analysis by a forensic expert. It was developed as a console-based application in the Python programming language and is limited to running on Linux distributions. A network consisting of an attacker machine and a victim machine (both running Kali Linux) was simulated using GNS3. The result of this work is shown after the developed traffic analyzer was used to collect traffic from the simulated victim machine, displaying the traffic and its header information. The arrival time of each IP address that enters the network is logged; with this, the analyzer was used to determine the type and source of the DDoS attack.

Keywords: network attack, DoS, DDoS, traffic analyzer, detection log, Python programming language

===I. INTRODUCTION===
Since the beginning of the 21st century there has been an evolving threat to our cyberspace. These attacks are classified mainly as attacks against the confidentiality, integrity and availability of information. Distributed Denial of Service (DDoS) attacks have been the most devastating attacks on our networks and the internet at large. They are tagged as attacks against the availability of information: information that is meant to be available to a legitimate user is denied by the server because the attacker is accessing the server and sending unsolicited requests to the machine, leaving the legitimate client unable to access its resources. In a Distributed Denial of Service (DDoS) attack the source of the attack is more than one machine, often thousands of unique or spoofed IP addresses. Perpetrators of DDoS attacks often target sites or services hosted on high-profile web servers such as banks and credit card payment gateways, but motives of revenge, blackmail or hacktivism can be behind other attacks, such as those on reputable companies or countries.

===II. LITERATURE REVIEW===
====A. Related Work====
At the present time more and more critical infrastructures are being used by organizations, and they increasingly rely on the internet to carry out their day-to-day operations [1]. Internet attacks are increasing, and the threat of crippling Information Technology infrastructures is increasing with them [2]. With the increase in large attacks that directly target large businesses and government institutions around the world, one of the most significant issues for both commercial and governmental organizations is protecting their information from malicious interference; that is, the adoption of network security is more important now than ever because of the daily increase in attacks due to the automated tools being used by attackers against internet-connected systems [1]–[4].

Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks are among the most devastating internet attacks against internet-connected systems in this era. They can be defined as attempts to make a computing or network resource unavailable to its users, or as attacks that pose a highly damaging threat to the CIA (Confidentiality, Integrity and Availability) of the services residing on the network [4]–[6]. A DoS attack often involves using a single computer to prevent legitimate users from accessing network resources, while the advanced form of DoS attack, the Distributed Denial of Service (DDoS) attack, involves multiple compromised computers being used to send attack traffic to a victim during the same period [4], [5]. A DDoS attack is mainly achieved with the help of a botnet, that is, compromised systems under the instructions of their master or handlers [7]. The bots can also be referred to as zombies, and they are responsible for generating the attack traffic towards the victim [8].

Basically, the DDoS attack architecture consists of three components: the master, the slaves and the victim. They work together towards achieving their malicious goals. Figure 1 shows the model of a typical DDoS attack. The master takes control of the botnet without the knowledge of the machines' owners, because the machines have previously been infected with a Trojan or a backdoor program. The compromised machines, collectively called a botnet, are controlled by the bot-master, often through Command and Control (C&C) channels, and are used simultaneously to attack a victim over the public internet infrastructure [9].

Internet crime such as DDoS attacks is still at large and on the rise, and there is not yet an effective and efficient system to know where the malicious packets come from or where the suspect is located, so that he or she can be identified, tracked, reported, arrested and punished for the offence [1].

Figure 1. Showing the typical set-up of a DDoS attack

====B. Summary of Review====
The summary of the review carried out for this research work is shown below in Table I.

{| class="wikitable"
|+ TABLE I. SUMMARY OF RELATED WORKS
! Author/Year !! Methodology !! Achievement !! Limitation
|-
| [10] || Using entropy based algorithm || Entropy based network anomaly detection method || Limited to solving single label problem
|-
| [11] || RBPBoost was trained and tested with DARPA, CONFICKER || Improving on RBPBoost algorithm || Limited to known attack detection
|-
| [12] || IBR analyzer using Python || Able to develop a system for analyzing captured data from IBR information to their respective payloads || Limited to characterizing IBR
|-
| [13] || Data analysis and reporting tool || Ability to receive a .pcap file and transform it into report format || Limited to processing smaller packets
|-
| [14] || Modelling and countermeasures using botnet and honeypots || An information-theoretic framework that models flooding attacks using botnet on ITM and effective attack detection using honeypots || Limited to small and homogeneous network
|-
| [4] || A data mining centroid-based rule method || DDoS attack detection and defense approach || Stability of centroid-based rules for non-spherical shapes
|-
| [2] || Virtual honeynet data collection mechanism || Detection of IRC and HTTP botnet || Focusing on botnet detection on network-level traces
|-
| [9] || Using ensemble-based DDoS attack detection and rate of change of unseen IP addresses || DDoS detection techniques || Limited to equal weight simple correlation
|-
| [15] || Greedy layer-wise unsupervised training strategy || Training deep neural network for DDoS detection || Technique works for unsupervised training only
|-
| [16] || Valuation method of probability loss of arbitrary request passing on mass service network || Detection technique for DoS/DDoS/DRDoS attacks in network mass service || Only applicable in stationary mode
|-
| [17] || A statistical CUSUM-based detection technique || Detection of DDoS attack || Technique depends on CUSUM
|-
| [8] || Entropy based algorithm || Early detection of DDoS attack in software defined network || Limited to detection of attack when the DDoS attack is targeting a host, not the entire network
|-
| [18] || Combining multiple independent data sources to study large DDoS attacks || A measurement study for analyzing DDoS attack from multiple data sources ||
|-
| [19] || Using PMD technique and labelling of incoming packets in detection of DDoS attack || Detection and isolation of DDoS attack with packet sniffing in a SCADA network || Both techniques work separately in detecting their target
|-
| [1] || Flexible Deterministic Packet Marking technique || An IP traceback system that has a high probability of finding the source of DDoS attack || Processing of packets consumes more resources
|-
| [20] || Flexible Deterministic Packet Marking technique || An IP traceback system that has a high probability of finding the source of DDoS attack || It requires human intervention, i.e. it is not automated. May not be able to give high performance in a large network
|}

===III. SYSTEM DESIGN===
This section explains the functions of the proposed system using a system flowchart and a UML use case diagram, in order to give a detailed understanding of the proposed system.

====A. System Flowchart====
The flowchart of the proposed traffic analyzer for the detection of the DDoS attack source is depicted below in Figure 2. Because of the sniffing and reporting features of this system, running it starts the capture of packets from the Ethernet frames of either a wireless or a wired network. Each packet contains the following relevant information:
* Source and destination IP address
* Source and destination MAC address
* Source and destination port number
After collecting this information, the system stores the destination and source IP addresses of every new packet and then checks whether the source and destination already exist in the hash table (referred to as a dictionary in Python). If the information already exists, it adds to the occurrence count of these IP addresses in their respective hash table for further network traffic analysis.

Figure 2. Attack source flowchart: Start → New Packet_In → Read packet header → Isolate source and destination IP and MAC address → Store host and destination IP into hash table → Does the IP exist? (NO: add to hash table; YES: add to the number of occurrences in hash table) → Log info → Save → Stop

====B. UML Use Case Diagram====
This section uses the UML use case diagram to explain the proposed system. A use case diagram is known to consist mainly of the actors and their respective functions. Figure 3 depicts the proposed system, in which the actor is represented by the proposed system itself with its respective features: sniff packet, network traffic analysis and report engine.

The sniff packet use case represents the ability of the system to capture the packets that come in and out of the networked computer, taking the following criteria into consideration:
* Source and destination IP address
* Source and destination MAC address
* Source and destination port number
The network traffic analysis component checks the following information, which can be useful in case a DDoS attack exists in that particular network:
* The packet protocol
* The packet header
The report engine consists of two functions: logging, and evidence creation after the system terminates. The following information is logged in order to examine the existence of a DDoS attack:
* Source and destination IP address
* Their respective timestamp
The timestamp is logged first, followed by the respective IP address, in order to map the host IP address to the respective source address of every flow of packets in and out of the network. This eases the investigation of the potential DDoS attack source and of what the attack is really targeting.

Figure 3. Use case diagram of the traffic analyzer (Proposed System: Sniff Packet, Network Traffic Analysis, Report Engine)

===IV. METHODOLOGY===
====A. System Requirement====
In order to achieve this project, there are requirements that must be met, both for the software used in building the system and for the hardware specification needed to simulate the DDoS-embedded network.

1) Hardware and software requirement:
* GNS3 software for the DDoS-embedded network simulation
* Kali Linux operating system (for both the victim and the attacker's machine)
* Virtual machine (VirtualBox or VMware)
* The specification needed to achieve this project is a laptop with a minimum of a 500GB hard drive, 8GB RAM and a 2.35GHz quad-core processor

2) Tools and libraries needed:

a) Python programming language: Python was chosen over other programming languages because it is beginner-friendly and is the language of choice of penetration testers, forensic analysts and the entire cyber security field at large.

b) Socket: This module offers access to the BSD socket interface and is available on all current Unix systems, Windows, macOS and possibly additional platforms. It provides everything needed to build socket servers and clients.

c) Struct library: It performs conversions between Python values and C structs represented as Python bytes objects, which are used to handle binary data stored in files or received from network connections, among other sources. Format strings are used as compact descriptions of the layout of the C structs and the intended conversion to and from Python values.

d) Datetime library: This module provides classes for manipulating dates and times in both simple and complex ways. While date and time arithmetic is supported in this module, the focus of this application is to efficiently extract attributes for output formatting and manipulation.

e) Time library: It provides various time-related functions. Almost all the functions defined in this module call platform C library functions with the same name.

f) Textwrap: It is one of the modules that perform text processing services. This module provides functions for wrapping or filling one or two text strings. It also has some convenience functions, as well as TextWrapper, the class that does all the work. Textwrap is used in the formatting and arrangement of strings.

===V. IMPLEMENTATION AND RESULTS===
====A. Introduction====
This section reports the implementation of the developed system (Traffic Analyzer) and of the Distributed Denial of Service (DDoS) attack network simulation that was used as the test bed for carrying out the system testing of the developed system.

====B. Tools Needed for System Implementation====
Below are the tools used in building our DDoS test bed in order to test the workability of our developed system.

1) Graphical Network Simulator 3 (GNS3): GNS3 is a network simulator that allows the simulation of networks. It consists of Dynamips (a Cisco router emulator) and also contains Pemu (a Cisco PIX firewall emulator), as well as tight integration with Wireshark (a packet capture and protocol analyzer).

2) Hping: hping is a command-line oriented TCP/IP packet analyzer/assembler. It supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covered channel, and many other features. One of the features of the hping command is network testing; this network testing feature was used to perform the DDoS attack against the victim's machine.

====C. DDoS Test Bed to Test the Traffic Analyzer====
The system testing environment was achieved by simulating a network in which the attacker's machine carried out a Distributed Denial of Service attack while the developed system was set up on the victim's machine. Figure 4 shows how this was achieved using the Graphical Network Simulator (GNS3). The router shown in Figure 4 was configured to connect two dissimilar networks with a /24 netmask: the attacker's network (192.168.1.0/24) and the victim's network (10.10.0.0/24). The Kali Linux operating system acts as both our attacker and our victim in the test bed.

Figure 4. DDoS test bed for the system testing

====D. System Testing and Result====
The developed system was implemented on the Kali Linux clone, because that is the system configured to act as the victim machine, while the Kali Linux at the left-hand side of Figure 4 was configured to act as our attacker machine. Figure 5 shows the implementation of our developed system using Python programming language version 3. The Kali Linux and the Kali Linux clone are assigned the IP addresses 192.168.1.2 and 10.10.1.3 respectively. When the developed system is run on any machine, it turns the machine's network interface card (NIC) into promiscuous mode, then begins to sniff every packet that comes in and out of the network the machine is connected to, analyses the traffic, logs the IP address information by mapping the source and destination IP addresses to their timestamp, and finally saves all the captured packets in pcap file format.

Figure 5. Implementation of the Traffic Analyser

Figure 6. IP address log

This traffic analyzer was used to analyze Internet Control Message Protocol (ICMP) packets; it gives every parameter of the ICMP packet with its value and displays the IPv4 header with its necessary information. In a situation where the network administrator, or whoever is responsible for inspecting the system, arrives, all that is needed first is to go to the detection log (Figure 6) to check the IP address log and the respective timestamps.

====E. DDoS Attack Using IP Spoofing====
In this experiment the attacker's machine was assigned the IP address 192.168.1.4 while the victim's machine was assigned the IP address 10.10.1.10. The hping command tool was also used to perform the DDoS attack with a spoofed IP source. This command enables the attacker's machine to send TCP requests to the victim's machine in which the IP address is spoofed in every request sent to the victim's machine. After this command was launched, the traffic analyzer on the victim's machine started capturing the incoming packets and analysing their Ethernet frames.

Although the traffic analyzer was unable to detect the real source IP address of the packets, fortunately most automated software used to perform DDoS attacks does not spoof the attacker's MAC address; it only spoofs the IP address, which still enables the traffic analyser to obtain a lead on which machine the attacker is using by means of the MAC address. The detection log shown in Figure 7 also shows the logging of the spoofed IP addresses with their respective timestamps. Looking at the timestamps, that is, how closely one request is sent to the victim before another IP address appears, will make the examiner suspect that the traffic is not legitimate and may be a DDoS attack. With this, the examiner can terminate the traffic analyzer to obtain the saved capture file and open it with any pcap reader to check the MAC addresses of the suspected IP addresses; if all the IP addresses have the same MAC address, this gives evidence that they are all spoofed addresses from a particular source and that it is likely to be a DDoS attack.

Figure 7. Detection log from the DDoS attack

Figure 8. Graph of the DDoS attack

After the DDoS attack was terminated, the saved packet capture obtained from this experiment was analysed using the statistics (IO Graph) feature in Wireshark to get a graphical presentation of the DDoS attack on the victim machine. Figure 8 displays a graph of packets sent on the y-axis against time on the x-axis at a 1-second interval. The black line indicates the total traffic, the red line indicates TCP reset and the green line indicates TCP SYN. Looking at the figure, we can deduce that the rate of packets entering the victim machine in the first 40 seconds rises to 250 packets per second, and also that the TCP SYN and TCP reset counts are almost in the same range. This means that the attacker's machine sends a TCP reset after every TCP synchronization, which never concludes a successful three-way handshake. This proves that the traffic is not legitimate but is illegitimate traffic with the characteristics of a DDoS attack, because the IP address is changed after every TCP reset. This DDoS attack resulted in the victim's machine being unable to respond even to ping requests, because the machine's resources had been overwhelmed.
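As an added illustration (not the authors' code, which the paper does not reproduce), the following Python module implements the flowchart of section III.A and the report engine of III.B with the socket and struct modules listed in section IV: it isolates the MAC, IP and port fields of each Ethernet frame, counts every IP address in a dictionary, logs timestamp-first entries, and applies the section V.E observation that many distinct source IP addresses behind a single source MAC address are a lead on a spoofing source. The frames, MAC addresses and timestamps in demo() are constructed sample data; sniff() is the raw AF_PACKET capture that the paper's Linux-only restriction implies, needs root, and is not run offline.

```python
import socket
import struct
from collections import defaultdict
from datetime import datetime, timedelta

ETH = struct.Struct("!6s6sH")           # destination MAC, source MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
PORTS = struct.Struct("!HH")            # source/destination port (TCP and UDP)

def parse_frame(frame):
    """Isolate the MAC, IP, protocol and port fields of one IPv4 Ethernet frame."""
    dst_mac, src_mac, ethertype = ETH.unpack_from(frame)
    if ethertype != 0x0800:             # not IPv4 (ARP, IPv6, ...): ignored
        return None
    fields = IPV4.unpack_from(frame, ETH.size)
    ihl = (fields[0] & 0x0F) * 4        # IP header length in bytes
    proto, src, dst = fields[6], fields[8], fields[9]
    sport = dport = None
    if proto in (6, 17) and len(frame) >= ETH.size + ihl + PORTS.size:
        sport, dport = PORTS.unpack_from(frame, ETH.size + ihl)
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport}

def build_frame(src_mac, src_ip, dst_ip, sport=40000, dport=80, proto=6, dst_mac="00:00:5e:00:53:01"):
    """Constructed sample frame (not a real capture) so the demo runs offline without root."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip_hdr = IPV4.pack(0x45, 0, 40, 1, 0, 64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH.pack(mac(dst_mac), mac(src_mac), 0x0800) + ip_hdr + PORTS.pack(sport, dport) + b"\0" * 16

class TrafficAnalyzer:
    def __init__(self):
        self.occurrences = defaultdict(int)  # the paper's hash table: IP -> packet count
        self.ips_by_mac = defaultdict(set)   # source MAC -> distinct source IPs seen
        self.detection_log = []              # (timestamp, src_ip, dst_ip): timestamp first

    def process(self, frame, ts=None):
        """One pass of the flowchart: read header, isolate addresses, count, log."""
        hdr = parse_frame(frame)
        if hdr is None:
            return None
        ts = ts or datetime.now()
        for ip in (hdr["src_ip"], hdr["dst_ip"]):
            self.occurrences[ip] += 1       # existing key: add an occurrence; new key: insert
        self.ips_by_mac[hdr["src_mac"]].add(hdr["src_ip"])
        self.detection_log.append((ts, hdr["src_ip"], hdr["dst_ip"]))
        return hdr

    def spoof_suspects(self, min_ips=3):
        """Source MACs seen with >= min_ips distinct source IPs: spoofed IPs, unspoofed MAC."""
        return {m: sorted(ips) for m, ips in self.ips_by_mac.items() if len(ips) >= min_ips}

    def peak_packets_per_second(self):
        """Packets in the busiest one-second bucket of the log (what the IO graph plots)."""
        buckets = defaultdict(int)
        for ts, _, _ in self.detection_log:
            buckets[ts.replace(microsecond=0)] += 1
        return max(buckets.values(), default=0)

def sniff(analyzer, iface="eth0", count=100):
    """Live capture on Linux (raw AF_PACKET socket, needs root); not used by the offline demo."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003)) as s:
        s.bind((iface, 0))
        for _ in range(count):
            analyzer.process(s.recvfrom(65535)[0])

def demo():
    """Three spoofed-source SYNs from one attacker MAC, then one packet from a second host."""
    a = TrafficAnalyzer()
    t0, attacker_mac, victim = datetime(2016, 11, 28, 10, 0, 0), "00:00:5e:00:53:aa", "10.10.1.10"
    for i, spoofed in enumerate(["203.0.113.5", "198.51.100.7", "192.0.2.9"]):
        a.process(build_frame(attacker_mac, spoofed, victim), t0 + timedelta(milliseconds=10 * i))
    a.process(build_frame("00:00:5e:00:53:bb", "10.10.1.3", victim), t0 + timedelta(seconds=2))
    return a
```

In the demo the attacker MAC is reported by spoof_suspects() because three different source IPs arrived from it within 20 ms, while the second host with a single source IP is not; on a real capture the same check is what the examiner does by hand in a pcap reader.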
===VI. CONCLUSION===
The development of a traffic analyzer for the detection of Distributed Denial of Service attacks has been successfully designed, implemented and tested. This newly developed system would help its users to detect anomalies in their production network. It will also help network forensic analysts to easily examine the packet capture from their client network with the help of the saved packet capture and detection log features of the traffic analyzer. The detection log is always saved as a text file, which enables easy disaster recovery of it in case the system crashes, because, based on experience, a text file is easier to recover than a pcap file. Therefore, even if both the captured packets and the detection log were lost in the event of a disaster, there are still chances of recovering the text file, which can also give us some clue about what really happened.

===REFERENCES===
[1] M. S. Asalkar, Sameer A. Bhatnagar, S. Ashish, and A. K. Rahul, "Flexible Deterministic Packet Marking: An IP Traceback System To Find Real Source Of Attack," 2014.
[2] J. S. Bhatia, R. K. Sehgal, and S. Kumar, "Botnet Command Detection using Virtual Honeynet," vol. 3, no. 5, pp. 177–189, 2011.
[3] E. M. Angurala and E. M. Rani, "Design and Develop an Intrusion Detection System Using Component Based Software Design," no. April, pp. 854–860, 2014.
[4] W. Bhaya and M. E. Manaa, "A Proactive DDoS Attack Detection Approach Using Data Mining Cluster Analysis," vol. 5, no. 4, pp. 36–47, 2014.
[5] Y. Orzach, "Network Forensic with Wireshark," vol. 3, no. 7, 2014.
[6] K. M. Prasad, A. R. M. Reddy, and K. V. Rao, "DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey," Glob. J. Comput. Sci. Technol., vol. 14, no. 7, 2014.
[7] N. E. W. Features, "CISCO 4240 INTRUSION PREVENTION SENSOR, (2682), 14," 2004.
[8] S. M. Mousavi, "Early Detection of DDoS Attacks in Software Defined Networks Controller," 2014.
[9] S. Bhatia, "Detecting Distributed Denial-of-Service Attacks and Flash Events."
[10] B. Przemyslaw, J. Bartosz, and S. Marcin, "An Entropy-Based Network Anomaly Detection Method," 2015.
[11] M. Kale and D. M. Choudhari, "DDoS Attack Detection Based on an Ensemble of Neural Classifier," vol. 14, no. 7, pp. 122–129, 2014.
[12] D. Yates, "A System for Characterising Internet Background Radiation," 2014.
[13] I. van Zyl, "Creating a flexible data processing engine for large packet capture datasets," 2014.
[14] K. M. Prasad, A. R. M. Reddy, and M. G. Karthik, "Flooding attacks to Internet Threat Monitors (ITM): Modeling and Countermeasures using Botnet and Honeypots," J. Comput. Sci., vol. 3, no. 6, pp. 159–172, 2011.
[15] H. Larochelle, Y. Bengio, and P. Lamblin, "Exploring Strategies for Training Deep Neural Networks," vol. 1, pp. 1–40, 2009.
[16] G. Shangytbayeva, G. Kazbekova, U. Imanbekova, S. Munsyzbaeva, and N. Shangytbayev, "Detection Techniques of DoS / DDoS / DRDoS Attacks in Networks of Mass Service," 2015.
[17] M. Alenezi and M. Reed, "Methodologies for detecting DoS/DDoS attacks against network servers," in Conference on Systems and Networks, 2012, pp. 92–98.
[18] Z. M. Mao and O. Spatscheck, "Analyzing large DDoS Attacks Using Multiple Data," in International Conference on Large-Scale Attack Defense, 2006, pp. 161–168.
[19] S. Shitharth and D. P. Winston, "A Comparative Analysis between Two Countermeasure Techniques to Detect DDoS with Sniffers in a SCADA Network," Procedia Technol., vol. 21, pp. 179–186, 2015.
[20] P. G. Kukreja and D. N. Rewadkar, "Flexible Deterministic Packet Marking: An IP Traceback Scheme," vol. 40, no. 1, pp. 1595–1601, 2015.