TRACEBACK OF DDOS ATTACKS USING ENTROPY VARIATIONS
ABSTRACT
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the
Internet. However, the memoryless feature of the Internet routing mechanisms
makes it extremely hard to trace back to the source of these attacks. As a
result, there is no effective and efficient method to deal with this issue so
far. In this paper, we propose a novel traceback method for DDoS attacks that
is based on entropy variations between normal and DDoS attack traffic, which is
fundamentally different from commonly used packet marking techniques. In
comparison to the existing DDoS traceback methods, the proposed strategy
possesses a number of advantages—it is memory nonintensive, efficiently
scalable, robust against packet pollution, and independent of attack traffic
patterns.
Existing System:
A number of IP traceback approaches have been suggested to identify attackers [19], [20], and there are two major methods for IP traceback: probabilistic packet marking (PPM) [21], [22], [23], [24] and deterministic packet marking (DPM) [25], [26], [27], [28]. Both of these strategies require routers to inject marks into individual packets. Moreover, the PPM strategy can only operate in a local range of the Internet (an ISP network), where the defender has the authority to manage the routers. However, such ISP networks are generally quite small, and we cannot trace back to attack sources located outside the ISP network. The DPM strategy requires all Internet routers to be updated for packet marking. However, with only 25 spare bits available in an IP packet, the scalability of DPM is a huge problem [22]. Moreover, the DPM mechanism poses an extraordinary challenge on storage for packet logging at routers [29]. Therefore, it is infeasible in practice at present. Further, both PPM and DPM are vulnerable to hacking [30], which is referred to as packet pollution.
Proposed System
We propose a novel mechanism for IP traceback using information theoretical parameters. There is no packet marking in the proposed strategy; we can therefore avoid the inherited shortcomings of the packet marking mechanisms. We categorize packets that are passing through a router into flows, which are defined by the upstream router where a packet came from and the destination address of the packet. During nonattack periods, routers are required to observe and record entropy variations of local flows. In this paper, we use flow entropy variation and entropy variation interchangeably. Once a DDoS attack has been identified, the victim initiates the following pushback process to identify the locations of zombies: the victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then submits requests to the related immediate upstream routers. The upstream routers identify where the attack flows came from based on the local entropy variations that they have monitored. Once the immediate upstream routers have identified the attack flows, they forward the requests to their own immediate upstream routers to identify the attacker sources further; this procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s) or the discrimination limit between attack flows and legitimate flows is satisfied.
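The per-router flow entropy and the pushback decision described above, as an added example in Python (not the project's own Java code). The (upstream router, destination) flow key follows the paper; the constructed traffic windows, the 3-sigma entropy-drop threshold and the "share above 2/N" rule for flagging a flow are assumptions made for this illustration.

```python
import math
from collections import Counter

def make_window(flow_counts):
    """Expand {(upstream, dst): n} into a list of (upstream, dst) packets. Constructed data."""
    return [flow for flow, n in flow_counts.items() for _ in range(n)]

def flow_entropy(packets):
    """Shannon entropy (bits) of the flow distribution seen by a router in one window."""
    counts = Counter(packets)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def baseline(windows):
    """Mean and standard deviation of entropy recorded during nonattack windows."""
    hs = [flow_entropy(w) for w in windows]
    mean = sum(hs) / len(hs)
    std = math.sqrt(sum((h - mean) ** 2 for h in hs) / len(hs))
    return mean, std

def suspicious_upstreams(window, mean, std, k=3.0):
    """Upstream routers to push the traceback request to, or [] when the entropy
    variation is within k standard deviations of the baseline (no attack evidence).
    Assumption: a flow is an attack flow when its share exceeds twice the uniform share 1/N."""
    if mean - flow_entropy(window) <= k * std:
        return []
    counts = Counter(window)
    total, n = sum(counts.values()), len(counts)
    flagged = {flow for flow, c in counts.items() if c / total > 2.0 / n}
    return sorted({upstream for upstream, _ in flagged})

# Constructed traffic at one router: four legitimate flows from three upstream routers.
NORMAL_WINDOWS = [
    make_window({("R1", "10.0.0.5"): 10, ("R1", "10.0.0.7"): 10, ("R2", "10.0.0.9"): 10, ("R3", "10.0.0.5"): 10}),
    make_window({("R1", "10.0.0.5"): 12, ("R1", "10.0.0.7"): 9, ("R2", "10.0.0.9"): 11, ("R3", "10.0.0.5"): 8}),
    make_window({("R1", "10.0.0.5"): 9, ("R1", "10.0.0.7"): 11, ("R2", "10.0.0.9"): 10, ("R3", "10.0.0.5"): 10}),
]
# Constructed attack window: a new flow from R2 towards the victim 10.0.0.5 dominates the traffic,
# so the flow distribution collapses and entropy drops sharply below the recorded baseline.
ATTACK_WINDOW = NORMAL_WINDOWS[0] + make_window({("R2", "10.0.0.5"): 160})
BASELINE = baseline(NORMAL_WINDOWS)

if __name__ == "__main__":
    print("baseline entropy %.3f +/- %.3f bits" % BASELINE)
    print("attack window entropy %.3f bits" % flow_entropy(ATTACK_WINDOW))
    print("push back to:", suspicious_upstreams(ATTACK_WINDOW, *BASELINE))
```

Each upstream router named in the result would run the same check on its own recorded entropy variations, which is the parallel, distributed step of the pushback.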
Software & Hardware Requirements
Software Requirements
Java 1.5 or later
MS SQL Server
Hardware Requirements
Hard disk : 80 GB
RAM : 1 GB
Processor : Pentium