Third International Symposium on Information Assurance and Security

Detection and Honeypot Based Redirection to Counter DDoS Attacks in ISP

Domain

Anjali Sardana, Krishan Kumar, R. C. Joshi

Indian Institute of Technology, Roorkee
{anjlsdec, kksaldec , joshifcc}@iitr.ernet.in

Abstract preventing them from processing transactions or

The inherent vulnerabilities in TCP/IP architecture requests.
give dearth of opportunities to DDoS attackers. The In many cases when a sustained high bandwidth
array of schemes proposed for detection of these attack reaches servers it is not possible to contain the
attacks in real time is either targeted towards low rate attack at border gateway as the offending packets have
attacks or high bandwidth attacks. Presence of low already consumed the finite bandwidth available on the
rate attacks leads to graceful degradation of QoS in connection to the ISP. In this case, having a good
the network thus making them further undetectable. In relationship and clear communication channels with
this paper, we propose a scheme that uses three lines ISP are essential. High bandwidth attacks will have an
of defense. The first line of defense is towards detecting impact on the ISP’s network. Since they are closer to
the presence of low rate as well as high bandwidth the source of the attack they are in a better position to
attacks based on entropy variations in small time filter the offending traffic. However low rate attacks
windows. The second line of defense identifies and tags are critical component and remain undetected until the
attack flows in real time. The last line of defense is network functionality becomes unstable thus targeting
redirecting the attack flows to honeypot server that QoS.
responds in contained manner to the attack flows, thus Current DoS research focuses on three tracks: (1)
providing deterrence and maintaining QoS at ISP mitigation techniques: which aim to mitigate the effect
level. We validate the effectiveness of the approach of DoS attacks assuming that we can not accurately
with simulation in ns-2 on a Linux platform. distinguish illegitimate packets; (2) classification-
based techniques: which move the classification
process away from the server, either to achieve simpler
1. Introduction classification criteria or to replicate the classification
process, making it less vulnerable to attacks; and (3)
Denial-of-Service (DoS) is an intentional attempt by attack-tracking techniques: which try to identify DoS
attacker to compromise availability of a service to attack sources, to stop them and discourage attackers.
legitimate users [1]. Distributed Denial-of-Service The proposed scheme works at ISP level and serves
attacks (DDoS) degrade or completely disrupt services on three lines of defense to protect a public domain
to legitimate users by eating up communication, server. Firstly, sample entropy variations at a point of
computational and memory resources of the target presence (POP) identify the presence of attack [4].
through sheer volume of packets. DDoS attacks are Secondly the flows are tagged as attacks in subsequent
amplified form of DOS attacks where attackers direct time windows. Lastly, we propose a honeypot based
hundreds or even thousands of compromised “zombie” redirection that can retain a connection with the
hosts against a single target [2]. As per survey attacker along with providing deterrence from public
conducted by FBI/CSI in 2004 [3], these attacks are domain server, thus giving a desirable QoS even in
second most dreadful attacks in terms of revenue losses presence of attack. Connection retention is to obtain
after information thefts. information about the attackers by logging their
The two most basic types of DDoS attacks are actions.
bandwidth attacks and application attacks. Bandwidth This paper will focus on the simulation modeling
attacks consume resources such as network bandwidth and analysis of proposed scheme. The organization of
by overwhelming it with a high volume of packets. the paper is the following. First, the related work is
Application attacks use the expected behavior of presented in Section 2. Section 3 describes the
protocols such as TCP and HTTP to the attacker’s approach for detection, characterization and
advantage by tying up computational resources and redirection. Simulation experiments are explained in

0-7695-2876-7/07 $25.00 © 2007 IEEE 191

DOI 10.1109/IAS.2007.23

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.
 Section 4. Section 5 shows the results and analysis. distribution of traffic features. For low as well as high
Last, the conclusion and the future work are presented rate attacks, traffic distributions have appreciable
in Section 6. deviation from normal to provide signs of DDoS
attack. The characterization of attack traffic is done by
2. Related Work first choosing suspicious flows based on volume and
then monitoring acks sent by the server for these flows.
Existing DDoS solutions are classified into four These schemes focus only on detection of attack
broad categories in [2]: Prevention, Detection and whereas the real culprits i.e. attack sources are not
characterization, Traceback, and Tolerance and trapped. The ideal solution for DDoS defense aims at
mitigation. Prevention is a mechanism which stops the mitigating attack at source. As characterization of
attacks before they are actually launched. The attack sources is very difficult to achieve ideally so a
approaches to stop IP spoofing [5], filtering malicious feasible solution is to redirect traffic from suspected
IP addresses based on experience [6], and repairing attack sources that can work in efficient manner to
security holes by patches [7] falls under this category. tolerate the attack. We also aim to sustain the services
The process of identifying that a network or server is of our protected server under high bandwidth DDoS
under attack after launch of the attack is called attacks using tolerance based scheme , however in our
detection. Detection can be passive, proactive, and on- work we have complemented tolerance and mitigation
line. Characterization means differentiating attack by dynamically rate limiting incoming traffic at edges
packets from legitimate packets. Signature based [8] based on share of traffic per edge router, and per flow.
techniques can detect attacks launched using known
DDoS attack tools, however to detect novel attacks 3. Approach
anomaly based techniques [9-11] are currently in Figure 1 shows the procedural flowchart of the
practice. Traceback aims to locate the actual attack approach.
sources regardless of the spoofed source IP addresses
used by attackers. Traceback solutions includes
controlled flooding [12], overlay network [13], ICMP Monitoring of Flows
messages [14], and IP packet marking [15] [16] based
techniques. Finally, Tolerance and mitigation aims to
Statistical Analysis
eliminate or curtail the effects of an attack and try to
maximize the quality of services under attack.
A commonly used detection approach is either Detec tion

signature-based [8] or anomaly-based [9-11]. By

contrast, an anomaly based detection system observes Charac terization of Flows
the normal network behavior and watches for any
divergence from the normal profile. Due to the
Redirection Using
diversity of user behaviors and the emergence of new Honeypots
network applications, it is difficult to obtain a general
and robust model for describing the normal traffic
Off-line Response
behaviors. As a result, legitimate traffic can be Time Analysis
classified as attack traffic (false positive) and attacker
traffic is classified as legitimate (false negative). To Figure 1: The procedural flowchart of the approach
minimize the false positive/negative rate, a larger
number of parameters are used to provide more 3.1. Detection
accurate normal profiles. However, with the increase of
the number of parameters, the computational overhead Detecting DDoS attacks involves first knowing
to detect attack increases. Though schemes in [9-11], normal behavior of our system and then to find
have been successful in isolating large traffic changes deviations from that behavior. The normal profile or
(such as bandwidth flooding attacks), but slow rate, behavior is obtained using entropy H ( X ) as a
isotropic attacks can not be detected and characterized parameter to measure traffic feature distributions. The
because these attacks do not cause detectable packets for each flow are monitored in a time window.
disruptions in traffic volume. In [17] a generic As in IPv4 packets, there is no flow ID header
framework has been proposed to mitigate DoS attacks. information, so we designate different flow IDs to a
We demonstrate the utility of a more sophisticated unique 4-tuple SourceIP, SourcePort, DestinationIP,
treatment of DDoS anomalies, as events that alter the DestinationPort encountered in incoming packet. The

192

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.
 traffic destined to our server and not the complete ( H c ( X ) > ( H n ( X ) + a × d )) ∪
traffic is monitored at link through which POP is ( H c ( X ) < ( H n ( X ) − a × d )) ( 2)
connected to the server to backbone. POP collects
Here a ∈ I where I is set of integers and d is
information in a time window and calculates sample
deviation threshold. Tolerance factor a is a design
entropy H (X ) .
parameter and d is absolute maximum deviation in
A metric that captures the degree of dispersal or
concentration of a distribution is sample entropy. We Entropy H ( X ) from average value H n ( X ) while
start with frequency distribution profiling for network without attack.
X = {n i , i = 1,......, N } that feature i occurs n i times in the
sample. Then the sample entropy H ( X ) is 3.2. Characterization
H (X ) = −∑
N
( p i ) × log 2 ( p i ) (1)
In detection phase if H c ( X ) is more than normal
i =1

∑i =1 n i
N
Where p i = ni / S and S =
H n ( X ) then suspected malicious flows tend to have
The value of sample entropy lies in the range lower frequency values of packet arrivals and the
0 − log 2 N . The metric takes on the value 0 when the attack is termed as low rate degradation attack. While
distribution is maximally concentrated, i.e., all if H c ( X ) is less than normal H n ( X ) then
observations are the same. Sample entropy takes on the
value log 2 N when the distribution is maximally suspected malicious flows have high values of number
of packet arrivals and the attack is coined as high rate.
dispersed, i.e. n1 = n 2 = ....n n . We have done time series
Once the attack is launched at POP Ps , we have
analysis of traffic at POP Ps connected to protected aggregate of attack flows and normal flows. Let F
server. Consider a random process represent set of active flows. Then
{ X (t ), t = j∆, j ∈ N } running at Ps , where ∆ a F = Fn ∪ Fa (Fn ∩ Fa = φ) (3)
constant time interval is called time window, N is the
Where Fn represent actual normal flows and Fa is set
set of positive integers, and for each t , X (t ) is a
of actual attack flows. Our main task in this module is
random variable. Here X (t ) represents the number of *
to find Fa = { f 1 , f 2 ,... f m } ⊂ F
packet arrivals for a flow in t − ∆ , t . The entropy can
the set of m malicious flows. Ideally,
be computed as above.
It is found in our simulation without attack that ( Fa* ∩ Fa = F a) AND( Fa* ∩ Fn = φ )
Entropy H ( X ) value varies within very narrow limits Now the main problem is to find m :-
after slow start phase is over. This variation becomes • as for low rate attacks, m number of least
narrower if we increase ∆ i.e. monitoring period. We *
measured packet arrival flows constitute Fa .
take average of H (X ) and designate that as normal
• and for high rate attacks, m number of
entropy H n ( X ) . The basic idea is to remove small highest measured packet arrival flows form
scale perturbations by averaging over slightly longer- Fa* .
intervals of time. However it is also desirable that the
window duration should not exceed a limit. By this To answer these questions if we can find Φ a , the
way, normal profile of traffic in terms of entropy is expected total attack traffic then from following
obtained by our approach. To detect the attack, the
equation, we can find m and Fa* .
entropy H c ( X ) is calculated in shorter time m
window ∆ . We assume that the system is under attack
at time ta , which means that all attacking sources start
∑X
j =1
i
j
(t d + ∆) ≤ Φ a (4)

emitting continuously, whenever there is appreciable Where i is designated flow, j varying from 1 to m
deviation from H n ( X ) , attack is said to be detected. for least or highest measured packet arrivals, and
The network is in normal state for time t < t a and X (t d + ∆) represent packet arrivals for flow i in
next time window after attack is detected. The
turns into attacked state in time t a . Let t d denote our
expected value Φ a , is calculated as Φ a = Φ td − Φ n ,
estimate on t a . At time t d following event triggers
where Φ td the total traffic is received in {t d − ∆, t d }

193

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.
 and Φ n is averaged total traffic till t d − ∆ from the
time bottleneck link utilization is 1.
*
The set Fa got through this process is further pruned
by omitting flows from F which have been active at
time t d − ∆ since we assume that all attack flows
start at the same time.

3.3. Redirection using Honeypots

The flow is tagged as attack or legitimate flow in

the above step. Instead of just dropping the attack ISP domain ISP backbone link

flows enroute or resetting sessions they are actively Point of Presence (POP)
Link between ISPs POP Link to server
Honeypot Server
Protected FTP Server
redirected from hostile sources to a honeypot. Customer domain

Honeypot server responds to attack flows in exactly

same manner as would the actual server to legitimate Figure 2. A short scale simulation topology
clients. Production server and a honeypot both are with
the same IP. Since the connection with suspected flows 4.1. Basic parameters of simulation
is retained, the flows that we tag as suspicious can be
treated again as normal flow if the entropy measures Table 1 provides the basic parameters set for
come in the limit of legitimate flows. Those flows can simulation.
be transferred back to actual server in subsequent time
window. This reduces false negatives. However if Table 1. Basic Parameters of Simulation
persistently in many time windows the flow remain S.No. Parameter Value
suspicious connection remains directed at honeypot 1. Simulation Time 60 seconds
server. Also one can potentially gain more information 2.. Number of legal 100 per ISP
about the attacker. sources domain
Total
4. Simulation Experiments 4*100=400
3. No. of attackers 1-25 per ISP
Simulation is performed using ns2 [18] network domain.
simulator. Total= 1-100
4. Access bandwidth for 1Mbps
4.1. Topology legitimate customers
5. Bottleneck 310Mbps
GT-ITM [19] topology generator is used to create Bandwidth
our simulation topology. We have represented transit 6. Mean attacker rate 0.1-1.0Mbps
domain routers as POPs of the ISP and stub domains as (low rate)
customer domains attached to POPs as shown in fig. 2. 2.7-3.7Mbps
There are four ISP domains with two peers each i.e. (high rate)
two other ISP domains are directly attached at POPs. 7.. Attack duration 20-50 seconds
We have represented transit domain routers as POPs of
the ISP and stub domains as customer domains 4.2. Attack detection parameters
attached to POPs as shown in fig. 2. There are four ISP
domains with two peers each i.e. two other ISP Table 2 Attack Detection Parameter
domains are directly attached at POPs. S.No. Parameter Value
1. Window Size .2 seconds
2. Tolerance factor a for 3-10
entropy deviation

Simulations are carried at different values of tolerance

factor a for different attack strengths.

194

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.
 5. Results and Discussion 9
Various aspects are discussed in this section: 8.9
8.8
5.1. Threshold setting 8.7

Entropy (H)
8.6 Normal
8.5
We conducted simulation experiments for finding 8.4 Under
out threshold for entropy under normal condition as per 8.3 Attack
simulation parameters given in previous section. The 8.2
normal range of entropy by using frequency 8.1
8
distribution of number of packets per flow ID

1.5
6.3
11.1
15.9
20.7
25.5
30.3
35.1
39.9
44.7
49.5
54.3
59.1
(SourceIP, SourcePort, DestinationIP, and Time (seconds)
DestinationPort) in time windows of 0.2 seconds is
shown in fig. 3. Simulation is also carried by taking Figure 2: Entropy for low rate DDoS attack
longer window of 1.0 second. Deviations are still lesser
as expected however average is almost same.
8.5
8.3
It is found that once the utilization of bottleneck 8.1
link is 100%. Entropy value also lies in small range as

Entropy (H)
7.9
7.7 H(3Mbps)
depicted in fig. 2. 7.5 H(N)
Maximum absolute deviation from average ( d ):- 7.3
7.1
0.03393 6.9
The server as per its capacity planning and normal 6.7

profile of legitimate clients in terms of request bytes 6.5

1.5
6.3
11.1
15.9
20.7
25.5
30.3
35.1
39.9
44.7
49.5
54.3
59.1
normally have an estimate of maximum number of
clients to be served at any instant of time. On these Time(seconds)
bases though we have bottleneck of 310Mbps but still Figure 3: Entropy for high rate DDoS attack
on the higher side for better link utilization we assume
to serve up to 400 legitimate clients with maximum However initially it can rise but with proper
1Mbps (average 0.8Mbps) request bytes per client. adjustment of window and start time, the same can also
Though our work is simulation based, but on actual be lumped. In this case, the flows which have
network for profiling purpose this kind of experiments comparatively higher share of packets are reasons of
can be conducted to find H n ( X ) and d . anomaly. Similar trends exist for high rate attacks at
different attack strengths with variation only in
deviation from normal value.
5.2. Detection of attack

As soon as any event in “2” triggers, attack is said 5.3. Variation in response time due to honeypot
to have occurred. Figure 2 shows entropy profile when redirection
our network is put under low rate attack. In this case
attack is launched with 100 attackers with mean rate In figure 4, the average response time increases with
0.3Mbps per attacker. Clearly in first time window increase in attack load for a fixed client load. There
after attack is launched at 20 seconds, there is jump in steep rise in average response time after initial stability
entropy value. The positive jump and persistent high is because of the fact that as the aggregate load (client
value as compared to normal reflects that it is a low load and attack load) become greater than bottleneck
rate attack and the flows which are causing this bandwidth of 310 Mbps, the legitimate packets are
anomaly have comparatively lesser frequency than dropped at POP. Repeated attempt for file transfer
already existing ones. In case of high rate attacks, from legitimate clients leads to a sharp increase in
entropy value tends to be lower than normal. In our average response time. The figure 4 also shows an
simulation using total attack strength of 300Mbps with edge over previous case due to presence of Honeypot
100 attackers, the Entropy variation is reflected in server in same IP as FTP server. Although the average
figure 3. response time increases with increase in attack load,
the absolute average response time is less.

195

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.
 180 Computer Communications Review, Volume 34, Number
Average Response Time
160 April 2004.
No Honeypots;200 Clients

140
Presence of Honeypots;200
Clients
[3] Computer Crime Research Center. “2004 CSI/FBI
120
Computer Crime and Security Survey,” Available at:
http://www.crime- research.org/news/11.06.2004/423/.
100
[4] K. Kumar, R. C. Joshi, and K. Singh, “Detecting Low
80
Rate Degrading and High Bandwidth Disruptive DDoS
60 Attacks in ISP Domain,“ In Proceedings of ISCF-2006, pp.
40 83-88, December, 2006.
20 [5] P. Ferguson, D. Senie, “Network ingress filtering:
0 Defeating denial of ser-vice attacks which employ IP source
0 20 40 60 80 100 address spoofing,” RFC 2267, the Internet Engineering Task
Attack Load Force (IETF), 1998.
Figure 4. Comparison of variation in average [6] T. Peng, C. Leckie, and K. Ramamohanarao,“Protection from
response time with attack load for a given client Distributed Denial of Service attack using history-based IP
load (200 Clients) with and without honeypots. filtering,” In Proceedings of ICC 2003, USA, 2003.
[7] X. Geng, and A.B. Whinston, “Defeating Distributed
Denial of Service attacks,” IEEE IT Professional ,pp 36–42,
This is due to the fact that suspected attack flows 2002.
are directed towards Honeypot server and FTP server [8] M. Roesch, “Snort—Lightweight Intrusion Detection
remains free of attack, thus giving average response for Networks,” In Proceedings of LISA ’99, 1999.
time that maintains QoS. [9] T. M. Gil, and M. Poletto, “Multops: a data-structure for
bandwidth attack detection," In Proceedings of the 10th
6. Conclusions and future work USENIX Security Symposium, 2001.
[10] R. B. Blazek, H. Kim, B. Rozovskii, and A.
Tartakovsky, “A novel approach to detection of denial-of-
Our detection scheme is able to identify low rate service attacks via adaptive sequential and batch sequential
and high rate DDoS attacks reliably in ISP domain. change-point detection methods," In Proceedings of IEEE
The appreciable change in entropy indicates that traffic Systems, Man and Cybernetics Information Assurance
flow distributions are an effective way of detecting Workshop, 2001.
DDoS attacks. The increased entropy value signs low [11] J. Mirkovic, G. Prier, and P. Reiher, “Attacking DDoS
rate attack whereas dip in level of entropy marks high at the source,” In Proceedings of ICNP 2002, Paris,
rate attack. The characterization of flows is done in France, pp. 312–321, 2002.
subsequent time windows giving a real time solution. [12] H. Burch, and B. Cheswick, “Tracing anonymous
packets to their approximate source,” In Proceedings of 2000
The flows tagged as suspicious are redirected to
USENIX LISA Conference, pp.319–327, 2000.
honeypots. The proposed scheme greatly reduces the [13] R. Stone, “CenterTrack: An IP overlay network for
response time for legitimate users in the presence of an tracking DoS floods,” In Proceedings of 2000 USENIX
attack. Hence the scheme has the potential to defend Security Symposium, pp. 199–212, July 2000.
against DDoS attacks along with maintaining a [14] S. Bellovin, “The ICMP traceback message,” IETF
desirable QOS. Ns-2 has been used as a testbed for Internet Draft, 2000.
validation of the scheme. [15] D. Dean, M. Franklin, and A. Stubblefield, “An
The characterization of flows is volume based algebraic approach to IP traceback," ACM Transactions on
wherein sophisticated attacker may be able to emulate Information and System Security 5(2), 119-137, 2002.
[16] U.K. Tupakula, and V. Varadharajan, “A practical
the legitimate traffic. To overcome this, signal
method to counteract Denial of Service Attacks, “
processing based techniques can be used in conjunction Proceedings of the 26th Australian Computer
with the proposed scheme. Secondly, the overhead of Conference in Research and Practice in Information
state monitoring pose a DoS attack in itself. Future Technology, ACM International Conference Proceeding
focus is to distribute these overheads amongst multiple Series, pp. 204–275, 2003.
ingress POPs of ISP and validate the scheme using [17] A. Sardana , B. Gandhi and R. C. Joshi, “A Novel
goodput and NPSR as evaluation parameters. Framework for Characterization, Source Identification and
Mitigation of DoS Attacks, ” In Proceedings of ISCF-2006,
References pp. 99-108, December, 2006.
[18] NS Documentation Available:
[1] R.K.C. Chang, “Defending against Flooding-Based http://www.isi.edu/nsnam/ns
Distributed Denial-of-Service Attacks: A Tutorial,” IEEE [19] GT-ITM Traffic Generator Documentation and tool
Communication Magazine, 2002. http://www.cc.gatech.edu/fac/EllenLegura/graphs.html
[2] J. Mirkovic, and P. Reiher, “A Taxonomy of DDoS
Attack and DDoS defense Mechanisms,” ACM SIGCOMM

196

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:50 from IEEE Xplore. Restrictions apply.