Levonevskiy D.K., Fatkieva R.R.

St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences, Russia

 

DDOS ATTACK DETECTION METHOD BASED ON THE STATISTICAL RESEARCH OF THE TRAFFIC METRICS

 

DDoS (Distributed Denial of Service) attacks appeared almost together with the World Wide Web and the rise in its popularity. Since then, DDoS attacks have remained one of the most significant threats to Web services [1]. This fact, together with the constantly growing skills of attackers, shows that the existing means of protection against DDoS attacks require further development and that research in this area is needed.

This paper considers an approach to DDoS attack detection based on behavioral analysis of the computer system under attack. For this purpose, metrics suitable for use in attack detection were defined. These metrics are functions of the traffic measured on the server network interface. The analysis revealed the influence of attacks on the statistical parameters of these metrics.

The network traffic was captured on a server (model SunFire X2200 M2) running Linux Ubuntu 10.04. The server hosts a PHP-based Web site that serves as an interface to Octave, the engineering computation system. The server also runs a sniffer, an application that intercepts the traffic and measures its features. The measurement is detailed and takes into account not only the total amount of incoming and outgoing data, but also the amount of data and the number of packets broken down by protocol – IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) – and the number of TCP flags [2].

To determine the influence of an attack on the system, the measurement was performed as follows. The server worked for 10 minutes under normal conditions, communicating with conditionally legitimate Web clients. After that an attack was started. Within this research the three most widespread types of DDoS attacks were modeled: HTTP flood, SYN flood and UDP flood. When any of them begins, an increase in both incoming and outgoing traffic can be observed (Fig. 2).

Fig. 2. Increase of the network traffic under SYN flood (a – incoming, b – outgoing)

A change in the amount of traffic does not by itself prove the existence of an attack. To be able to judge the state of the system, a detailed traffic analysis must be performed and the most informative metrics enabling attack identification must be defined. The metrics are given below.

1. Ratio of the incoming IP traffic to the outgoing:

,

where  and  denote the amounts of incoming and outgoing IP traffic in a unit of time. This value is useful because a server under attack loses the ability to respond to requests. An increase in the incoming traffic rate without a corresponding increase in the outgoing traffic rate raises , which means a higher probability of a DDoS attack. Fig. 3 illustrates this effect.

Fig. 3. Change of  after the appearance of an attack (a – HTTP flood, b – SYN flood, c – UDP flood)

2. The number of threads of critical applications may be used to detect application-level attacks. As HTTP flood is a typical attack on a Web server, it is useful to measure the number of Apache threads . If the Web server makes requests to other applications (for example, to a database or to an engineering computation system), the numbers of their threads must be measured as well.

3. Difference

,

where  is the number of outgoing ACK flags in the TCP traffic in a unit of time and  is the number of incoming ACK flags. This value is sensitive to all kinds of DDoS attacks. Its change at the appearance of a SYN flood is shown as an example. A negative value shows that the server loses the ability to respond to the clients’ requests with ACK packets.

4. Ratio

,

where  is the amount of incoming UDP traffic and  is the amount of incoming TCP traffic, can reveal a UDP flood. UDP is a connectionless protocol for one-way data transfer. Although some UDP packets occur in Web-server traffic, UDP is not typical for HTTP connections. UDP traffic exceeding the TCP traffic several times over allows the UDP flood to be detected.

5. The frequencies of SYN and PSH flags in the incoming packets enable estimating the efficiency of data transfer:

Here  and  are the SYN and PSH flag frequencies,  and  are the numbers of SYN and PSH flags in the incoming packets, and  is the total number of incoming TCP packets.

SYN packets are exchanged between the client and the server while a TCP connection is being established. Data exchange begins after that, and no further SYN flags are used with this client. Thus the number of incoming SYN flags equals the number of connection requests, and the frequency of SYN flags gives the share of auxiliary (non-data) packets in the TCP traffic.

A set PSH flag indicates that the data carried in the packet must be delivered to the application-level software. For a Web server these data are HTTP requests and responses containing Web pages. Therefore the frequency of PSH flags characterizes the useful load of the network channel.

An attacker performing a SYN flood does not intend to hand over any data to the server and tries to overload its connection queue with a large number of auxiliary requests.

6. Average TCP packet length

where T_TCP is the total amount of TCP traffic in a unit of time and N_TCP is the number of TCP packets. If this value is close to the minimal possible packet length (about 65 bytes), there is also a possibility that the server is being blocked with auxiliary requests.
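The six metrics above can be computed from per-interval counters collected by a sniffer such as the one described in the paper. The following is an added example and not code from the paper: the counter names, the sample values and the threshold levels in THRESHOLDS are constructed for illustration, and descriptive names stand in for the paper's symbols.

```python
"""Traffic metrics 1-6 from per-interval sniffer counters.

Added example; this is not code from the paper. Counter names and the sample
values below are constructed, and descriptive names stand in for the paper's
symbols.
"""
from dataclasses import dataclass
from math import inf


@dataclass
class IntervalCounters:
    """Counters measured on the server network interface during one unit of time."""
    ip_in_bytes: int      # incoming IP traffic
    ip_out_bytes: int     # outgoing IP traffic
    apache_threads: int   # number of Apache threads (metric 2)
    ack_in: int           # incoming TCP packets with the ACK flag
    ack_out: int          # outgoing TCP packets with the ACK flag
    udp_in_bytes: int     # incoming UDP traffic
    tcp_in_bytes: int     # incoming TCP traffic
    syn_in: int           # incoming TCP packets with the SYN flag
    psh_in: int           # incoming TCP packets with the PSH flag
    tcp_in_packets: int   # all incoming TCP packets
    tcp_bytes: int        # total TCP traffic in both directions (T_TCP)
    tcp_packets: int      # total TCP packets in both directions (N_TCP)


def _ratio(num: float, den: float) -> float:
    """Division that stays defined when the server stops answering (den == 0)."""
    if den:
        return num / den
    return inf if num else 0.0


def compute_metrics(c: IntervalCounters) -> dict:
    """Return the six metrics of the paper for one measurement interval."""
    return {
        "io_ratio": _ratio(c.ip_in_bytes, c.ip_out_bytes),        # metric 1
        "apache_threads": c.apache_threads,                       # metric 2
        "ack_diff": c.ack_out - c.ack_in,                         # metric 3
        "udp_tcp_ratio": _ratio(c.udp_in_bytes, c.tcp_in_bytes),  # metric 4
        "syn_freq": _ratio(c.syn_in, c.tcp_in_packets),           # metric 5
        "psh_freq": _ratio(c.psh_in, c.tcp_in_packets),           # metric 5
        "avg_tcp_len": _ratio(c.tcp_bytes, c.tcp_packets),        # metric 6
    }


# Assumed threshold levels (illustrative, not values from the paper).
THRESHOLDS = {
    "io_ratio": 1.0,        # more traffic comes in than goes out
    "udp_tcp_ratio": 1.0,   # UDP exceeds TCP on a Web server
    "syn_freq": 0.5,        # half of the incoming TCP packets are connection requests
    "avg_tcp_len": 80.0,    # packets close to the minimal length
}


def suspicious_metrics(m: dict) -> list:
    """Names of the metrics whose values point at a DDoS attack."""
    flags = []
    if m["io_ratio"] > THRESHOLDS["io_ratio"]:
        flags.append("io_ratio")
    if m["ack_diff"] < 0:      # the server cannot keep up with ACK responses
        flags.append("ack_diff")
    if m["udp_tcp_ratio"] > THRESHOLDS["udp_tcp_ratio"]:
        flags.append("udp_tcp_ratio")
    if m["syn_freq"] > THRESHOLDS["syn_freq"]:
        flags.append("syn_freq")
    if m["avg_tcp_len"] < THRESHOLDS["avg_tcp_len"]:
        flags.append("avg_tcp_len")
    return flags


# Constructed sample intervals: normal operation and a SYN flood.
NORMAL = IntervalCounters(120_000, 600_000, 12, 900, 950, 2_000, 118_000,
                          40, 500, 1_000, 700_000, 1_400)
SYN_FLOOD = IntervalCounters(900_000, 150_000, 150, 1_200, 300, 2_000, 890_000,
                             13_000, 200, 15_000, 1_000_000, 15_400)

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("syn flood", SYN_FLOOD)):
        m = compute_metrics(sample)
        print(name, {k: round(v, 3) for k, v in m.items()}, suspicious_metrics(m))
```

On the constructed SYN-flood interval the ratio of incoming to outgoing traffic, the ACK difference, the SYN frequency and the average packet length are all flagged, while the UDP/TCP ratio stays normal, which matches the per-attack sensitivity the paper describes.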

The appearance of a DDoS attack changes the distributions of a set of metrics. This set is determined by the type of the DDoS attack. For example, the  histogram at the start of a SYN flood changes as follows (Fig. 4):

Fig. 4.  histogram (a – before an attack, b – at the beginning, c – under attack)

The sensitivity of the metrics to the different kinds of attacks is determined by an attack’s influence on the distribution parameters and is shown in Table 2.

Table 2. Metrics sensitivity

Metric | HTTP flood | SYN flood | UDP flood

(Fourteen metric/attack pairs are marked "+" in the table; the metric symbols labelling its rows are not present in the text.)

To consider how DDoS attacks affect the distribution of the metrics, we plot the graphs of the   moving averages and standard deviations. The moving average method enables, first, low-frequency filtering of the time series to reduce noise and, second, revealing the dynamics of the metrics. For example, Figs. 5 and 6 show the graphs for the SYN flood.

Fig. 5. Change of the metrics’ moving average since the beginning of the SYN flood (a – , b – , c – , d –  and )

Fig. 6. Change of the metrics’ standard deviation since the beginning of the SYN flood (a – , b – , c – , d –  and )

The facts revealed during the research demonstrate that the distribution features of the traffic-based metrics are affected by DDoS attacks. This makes it possible to form an approach to the development of an intrusion detection system. Operating systems provide libraries with which the network traffic can be intercepted for analysis. Using these libraries, an application measures the traffic and computes the values of the metrics considered above and their functions. The results can be used to decide whether there is an attack and whether the blocking subsystem must be launched.

The automatic attack detection can be based on the following values:

1. Threshold levels of the metrics mentioned above: some of them can be ample evidence of an attack (for example, on a Web server the inequality  holding over a long period of time indicates a UDP flood with high probability).

2. The rate of change of the moving average of the metrics and their constituents, which reaches its maximum values at the moments when an attack begins or ends; the threshold values that indicate an attack may be determined by forming a template of normal conditions.

Detection accuracy can also be improved by considering all of the above features together. Since the influence of each DDoS attack type is known and differs from that of the other types, it seems possible not only to establish the fact of an attack but also to determine its type.
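The moving-average filtering described for Figs. 5 and 6 and the second detection criterion above (rate of change of the moving average compared with a normal-conditions template) can be implemented as follows. This is an added example and not code from the paper: SERIES is a constructed per-second record of the incoming/outgoing IP traffic ratio with a SYN flood starting at sample 20, and the window size, the training length and the threshold factor k are assumptions.

```python
"""Moving average, moving standard deviation and onset detection for one metric.

Added example; not code from the paper. SERIES is a constructed per-second
record of the incoming/outgoing IP traffic ratio with a SYN flood starting at
sample 20; the window size and the threshold factor k are assumptions.
"""
from statistics import mean, pstdev

# Constructed series: 20 samples of normal conditions followed by 10 samples of attack.
SERIES = [0.20, 0.23, 0.19, 0.21, 0.20, 0.18, 0.22, 0.20, 0.21, 0.19,
          0.20, 0.24, 0.19, 0.20, 0.22, 0.18, 0.21, 0.20, 0.19, 0.21,
          2.50, 4.00, 5.50, 6.00, 6.20, 6.10, 5.90, 6.00, 6.10, 6.00]
ATTACK_START = 20


def moving_average(series, window):
    """Low-pass filtered series: mean of each window of `window` consecutive samples."""
    return [mean(series[i:i + window]) for i in range(len(series) - window + 1)]


def moving_stdev(series, window):
    """Population standard deviation within each window of `window` samples."""
    return [pstdev(series[i:i + window]) for i in range(len(series) - window + 1)]


def change_speed(values):
    """Difference between consecutive values (rate of change per sample)."""
    return [b - a for a, b in zip(values, values[1:])]


def normal_template(series, window, train_len):
    """Mean and std of the moving-average change speed over the normal-conditions
    segment (the first train_len samples), used as the template."""
    speeds = change_speed(moving_average(series[:train_len], window))
    return mean(speeds), pstdev(speeds)


def detect_onset(series, window=5, train_len=20, k=6.0):
    """Index of the first sample whose arrival moves the moving average faster
    than k template standard deviations from the template mean, or None."""
    mu, sigma = normal_template(series, window, train_len)
    speeds = change_speed(moving_average(series, window))
    for j, s in enumerate(speeds):
        # speeds[j] = ma[j + 1] - ma[j]; window ma[j + 1] ends at sample j + window
        if abs(s - mu) > k * sigma:
            return j + window
    return None


if __name__ == "__main__":
    ma = moving_average(SERIES, 5)
    sd = moving_stdev(SERIES, 5)
    print("moving average:", [round(v, 3) for v in ma])
    print("moving stdev:  ", [round(v, 3) for v in sd])
    print("attack onset detected at sample", detect_onset(SERIES))
```

The template is built from the training segment only, so a speed that lies within the spread of normal speeds never raises an alarm, while the first window that takes in an attack sample shifts the moving average by roughly the jump divided by the window size, which exceeds the template by a wide margin. Over several metrics the same routine yields the per-metric onset times that the aggregate decision of the next paragraph can combine.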

 

References:

[1] DoS/DDoS, or a brute force attack. Hacker, 2010, No. 47.

[2] Olifer V.G., Olifer N.A. Computer networks. Principles, technologies, protocols. St. Petersburg: Piter, 2006. 958 pages.

[3] Fatkieva R.R., Levonevskiy D.K. Attack detection by means of singular spectrum analysis. Trudy SPIIRAN, 2013, No. 25.