
Defending against a DDoS attack can happen either proactively or reactively (Mirkovic and Reiher 2004, 49). This thesis concerns reactive means, i.e. detection and mitigation.

DDoS attack detection can happen at different points in the network stack, depending on which kinds of DDoS attacks the detection method tries to identify, what the purpose of detection is and which mitigation strategies the administrators want to implement. A simple measure against the simplest attacks is to apply preconfigured settings to a host or network firewall (e.g. an IP list, or ports that are not in use), which block all requests from a host matching the criteria (Raghavan and Dawson 2011, 283). However, this does not work against the more sophisticated attacks that attackers use nowadays, and the firewall itself may become vulnerable as it struggles with an influx of packets and a growing set of hosts it needs to block. To address this, a separate detection system takes on the responsibility of detecting attacks.

An intrusion detection system (IDS) can be deployed in routers, switches, hubs or separate analysis units on the network segments; these are usually called network intrusion detection systems (NIDS). An IDS can also be deployed on the host, in which case it is called a host intrusion detection system (HIDS). (Whitman and Mattord 2011, 298-302.) An IDS on its own simply detects an attack and notifies the administrator. To handle attacks and remove any delay in response, intrusion prevention systems (IPS) have been developed, which already encompass a set of steps the system can take when it detects an attack. These technologies are usually deployed together and are then called intrusion detection and prevention systems (IDPS) (Whitman and Mattord 2011, 293).

A host IDPS is deployed on the host that the system observes, and it informs the administrators of any changes to the filesystem or to a specific folder that might be of interest to attackers.

The strength of an HIDPS is that it can check the traffic going in and out in addition to all the changes happening on the system. It can also analyze encrypted packets, as it resides on the target host of the packets, and it can thus perform the tasks of a network IDPS for the host's own traffic. (Whitman and Mattord 2011, 302-304.) An example of an open source HIDPS is OSSEC (ossec.github.io). Network intrusion detection and prevention systems (NIDPS) oversee the traffic in the network by analyzing it and notifying the administrator, who can then take appropriate actions to mitigate the attack. An NIDPS falls into one of three categories: signature matching, anomaly detection and a hybrid model of both mechanisms. (Rastegari, Hingston, and Lam 2015, 1.) An example of an NIDPS is Snort, an open source tool (www.snort.org).

A signature-based system works like an anti-virus program: a set of features (e.g. a known sequence of packets or a certain time interval between packets that is characteristic of a known attack) has already been programmed into a so-called signature database. This information is then compared to the packets the system comes into contact with, to see if they match any of the signatures. Other packet validity checks can also be used, for example flagging abnormal packets that do not fit the TCP/IP protocol definition or application layer protocols such as HTTP or XML. Many denial-of-service attacks work by sending malformed requests to consume the processors and memory of the servers. (Whitman and Mattord 2011, 298-299.) Signature matching works relatively well and rarely labels normal traffic as intrusive, but it cannot detect completely unseen or zero-day attacks (Amoli and Hämäläinen 2013, 1). That is where anomaly detection works best.

Anomaly detection is further divided into statistical analysis and stateful protocol analysis.

Statistical analysis can also be called behavior analysis. The methods are based on baseline traffic patterns, which are gathered from the network when it is not under attack and the traffic is presumed to be "normal." A baseline is a set of captured features, e.g. the types of packets, the number of flows or the time of arrival. A section of the traffic in the live system is then captured and matched against the normal state of traffic using statistical analysis or machine learning techniques. When the packets do not fall into an acceptable range from the "normal," they are flagged as anomalous. At this point the administrator gets a message, and further steps can be taken. (Whitman and Mattord 2011, 305.)

Anomaly detection does not need to know the attack before it happens, and it is not tied to a specific type of traffic, as long as the set of features under inspection contains the anomalies from which the attack can be detected. Statistical analysis may use the host's resources extensively, and it might not be able to tell the difference between normal and malicious traffic if the attacker deliberately disguises the attack traffic to look normal. Also, when the target system experiences a wide range of traffic, from inactivity to high load and from diverse to uniform traffic, anomaly-based systems cause many false positives. Thus, signature-based systems are frequently favored over anomaly-based ones. (Whitman and Mattord 2011, 305.)

Stateful protocol analysis (or what Mirkovic and Reiher (2004, 49) call the Standard Anomaly Detection Strategy) is based on detecting deviations from a known set of features that are present in the normal use of a protocol. These features are defined by the vendor of the protocol. (Whitman and Mattord 2011, 306.) A method that relies on the protocol standard as the measure of normality is called a standard mechanism. This method produces only true positives, since normal use of the protocol never raises an alarm. On the other hand, the method does not detect attacks that use the protocols normally, e.g. application layer DoS. (Mirkovic and Reiher 2004, 49.) As an example, the system knows how many HTTP packets a browser could send in a second when a user uses the website in a normal way. In the case of an abnormal influx of packets, a human user can be ruled out and the traffic can be marked as anomalous.
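As an added illustration of the three detection styles discussed above (signature matching, the standard mechanism based on the protocol definition, and a trained statistical baseline), the following Python script is not part of the thesis or of any IDS product; the signature pattern, client addresses and request lines are all constructed, and the HTTP example of the standard mechanism is the request-rate case given in the paragraph above.

```python
import re
import statistics
from collections import Counter

# Constructed sample traffic as (second, client_ip, request_line); not a real capture.
NORMAL = [(s, ip, "GET /index.html HTTP/1.1")
          for s in range(20) for ip in ("10.0.0.1", "10.0.0.2") for _ in range(1 + s % 3)]
LIVE = NORMAL[:12] + [(3, "10.0.0.9", "GET /index.html HTTP/1.1")] * 40 + [  # 40 requests in one second
    (4, "10.0.0.2", "GET /index.html HTTP/1.1 \x00garbage"),   # violates the HTTP request-line grammar
    (5, "10.0.0.3", "GET /cgi-bin/known_bad HTTP/1.1"),       # hits a (made-up) signature-database entry
]

# Signature-based: a constructed signature database (hypothetical pattern, not a real IDS rule).
SIGNATURES = {"known-bad-path": re.compile(r"^GET /cgi-bin/known_bad ")}
# Stateful protocol analysis (standard): the request-line shape the HTTP spec defines,
# method SP request-target SP HTTP-version. Anything else is a deviation from the standard.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def signature_alerts(events):
    """Flag packets whose request line matches an entry in the signature database."""
    return [(s, ip, name) for s, ip, line in events
            for name, pat in SIGNATURES.items() if pat.search(line)]


def protocol_alerts(events):
    """Flag packets that do not fit the protocol definition (only deviations alarm)."""
    return [(s, ip) for s, ip, line in events if not REQUEST_LINE.match(line)]


def per_client_rates(events):
    """Feature under inspection: requests per client per second."""
    return Counter((ip, s) for s, ip, _ in events)


def train_baseline(events, k=3.0):
    """Statistical analysis (trained): threshold of mean + k standard deviations learned
    from attack-free traffic; k sets how far from "normal" still counts as acceptable."""
    rates = list(per_client_rates(events).values())
    return statistics.mean(rates) + k * statistics.pstdev(rates)


def statistical_alerts(events, threshold):
    """Flag (second, client, count) triples whose rate falls outside the trained baseline."""
    return [(s, ip, n) for (ip, s), n in per_client_rates(events).items() if n > threshold]


if __name__ == "__main__":
    threshold = train_baseline(NORMAL)
    print("signature:", signature_alerts(LIVE))
    print("protocol: ", protocol_alerts(LIVE))
    print("baseline %.2f req/s, statistical:" % threshold, statistical_alerts(LIVE, threshold))
```

Note that the flood from 10.0.0.9 is caught only by the trained baseline, the malformed line only by the protocol check, and the known path only by the signature, which is why the three mechanisms are combined in hybrid systems.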

Several detection methods have been developed to notice DDoS attacks; Figure 7 shows the categories of detection methods. A few intrusion detection systems are deployed in an application layer firewall, right in front of a web application, to mitigate any incoming attack. Such a firewall can inspect encrypted packets for malicious content and protect the application.

[Figure 7: tree diagram. Intrusion detection systems branch into Signature-based, Anomaly-based (further split into Stateful protocol analysis (Standard) and Statistical analysis (Trained)) and Hybrid (signature & anomaly) models.]

Figure 7. Classification of intrusion detection and prevention systems and their detection methods (Mirkovic and Reiher 2004, 49; Whitman and Mattord 2011, 293-305).

These firewalls have to be deployed so that they do not become a bottleneck in case of high volumes of traffic to the application (Raghavan and Dawson 2011, 251).