
Simulation and Analysis of DDoS Attacks by Specialized Simulator Using Virtualization

Sonal Sinha (1), Madhulika Sharma (2)

(1, 2) Computer Science & Engineering, AIET, Lucknow


International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org  Email: editor@ijettcs.org, editorijettcs@gmail.com
Volume 3, Issue 2, March-April 2014, ISSN 2278-6856, Pages 271-273


Abstract: Denial of Service (DoS) attacks constitute one of the major threats and are among the hardest security problems in today's Internet. Distributed Denial of Service (DDoS) attacks are an extension of DoS attacks, and their impact is proportionally more severe. With little or no advance warning, a DDoS attack can exhaust the computing and communication resources of its victim within a short period of time. Because of the seriousness of the problem, many defense mechanisms have been proposed to combat these attacks; the vital step in all of them is the network's ability to detect such an attack. To train and analyze countermeasures, researchers typically generate DDoS attack traffic either with a specialized simulator (software or hardware) or on a comprehensive testbed. This paper presents a structured approach to simulating a DDoS attack with network emulation and simulation tools. These tools are widely used for pre-production studies and research because of the quality of the results they provide compared with experiments on real equipment, and because they greatly reduce the cost of studies, especially for networks that use expensive hardware or a large number of nodes. Existing emulation/simulation tools suffer from limitations: the number of nodes often cannot exceed a few hundred, some tools only simulate rather than emulate, and many do not scale. Work on fighting Botnet-based DDoS (a Botnet being a set of machines that malicious programs control on behalf of an attacker in order to attack services or send spam) needs real-time tests of traceback and counter-attack algorithms, so the emulation tool should be scalable enough to create thousands of bots with few resources. In this paper we use virtualization with Oracle VM VirtualBox 4.2.6 to simulate a DDoS attack scenario. The aim is to present a scalable framework that emulates network equipment and UDP- and TCP-based applications with a large number of nodes.

Keywords: Simulation; Emulation; Network emulation;
Network security; Botnet; TCP/IP; DDoS;
Virtualization; VMWare; VirtualBox.

1. INTRODUCTION
DDoS attacks are one of the most threatening computer network security problems, as they obstruct legitimate network usage and cause substantial damage. Their devastating impact has driven network security researchers to spend great effort understanding them and developing and deploying feasible, effective countermeasures. Since quantitative data on real DDoS attacks is seldom obtainable from production networks [7], a critical research step is to set up and run simulated DDoS attacks, and this step typically requires substantial configuration effort.
Distributed Denial of Service is a relatively simple yet very powerful technique for attacking Internet resources. DDoS adds the many-to-one dimension to the DoS problem, making prevention and mitigation more difficult and the impact proportionally more severe. Botnet-based DDoS is one of the most dangerous and widely used attacks on the Internet [1] [2]. Such an attack uses hundreds of thousands of bots to generate a huge volume of requests or traffic and make the target service unreachable, using techniques such as the Internet Control Message Protocol (ICMP) flood, the SYN flood, the R-U-Dead-Yet (RUDY) attack and the Slow Read attack [3]. To study a DDoS attack scenario one needs to simulate the actual attack, and many methods have been used to launch such attacks and study the fundamental mechanisms behind them.

The most basic and still popular approach is to reuse the practical attack tools obtained from the attackers themselves. If both the attack tools and the network traffic are configured appropriately, the simulation has many similarities with a real DDoS attack. Kumar et al. [5] describe eight attack tools and compare them. The most significant drawback of using real attack tools, however, is that most of the commonly applied ones (e.g. TFN2K [4]) were developed more than ten years ago. Consequently, most up-to-date network devices and software embed countermeasures that identify and block the traffic these tools generate, which causes the experiments to fail.

2. BACKGROUND AND MOTIVATION
This section explains the existing test methods and the reasons for developing the framework.

2.1 The existing test methods
Much research has been done on detecting DDoS attacks or fighting them by proposing new architectures and algorithms, such as the probabilistic packet marking algorithm that allows the attack source to be traced [4] and an architecture that detects DDoS/brute-forcing attacks in order to destroy the Botnet behind them [5]. However, researchers have to build a large network with a large number of machines in order to test their proposals.


Recent work [2] has pointed out three basic requirements for computer network security experiments: (1) hypotheses must be falsifiable; (2) experiments must be controllable; and (3) experiments must be repeatable and reproducible. For the implementation of DDoS attack experiments, another three requirements have been outlined [8]: (1) specify, save and replay an experiment (specifiable and reproducible); (2) deploy, run and stop an experiment (controllable); and (3) monitor the simulated DDoS attack in progress and save the results to disk for later replay or analysis (observable and saveable). Since controllability and reproducibility appear in both sets of requirements, they have priority in our experiment.
Although it may be desirable to meet all of these requirements, each simulator and testbed has its own strengths and limitations. We classify DDoS attack generation approaches into two main strategies: simulator simulation and testbed emulation. Both mimic the expected DDoS attack traffic behaviour. The key differences between the two strategies are size and implementation methodology. In terms of size, a simulator typically runs on a single piece of hardware with a configuration application, whereas a testbed comprises multiple hardware nodes built into a network with an administration server. In terms of implementation methodology, a simulator is typically configured virtually through its GUI, whereas a testbed requires the physical devices to be configured manually. Simulating and analysing a DDoS attack scenario on an emulation testbed is therefore comparatively costly, so in this paper we use simulator simulation for the study.

2.2 Simulator Simulation
Since the GUI provides the configuration options to set up the nature of the simulated DDoS attack virtually (e.g. network topology, number of bots, traffic characteristics), the key advantage of simulator simulation is that the simulation can be created quickly and inexpensively. Its main shortcoming is that simulated networks may behave very differently from real or emulated networks when under attack [3]. We use virtualization with Oracle VM VirtualBox 4.2.6.

3. ORACLE VM VIRTUALBOX
Oracle VM VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and innotek VirtualBox) is a virtualization software package for x86 and AMD64/Intel64-based computers from Oracle Corporation, part of its family of virtualization products. It was created by innotek GmbH, purchased in 2008 by Sun Microsystems, and is now developed by Oracle. It is installed on an existing host operating system as an application; this host application allows additional guest operating systems, each known as a Guest OS, to be loaded and run, each within its own virtual environment. Supported host operating systems include Linux, Mac OS X, Windows XP, Windows Vista, Windows 7, Windows 8, Solaris and OpenSolaris; there are also ports to FreeBSD and Genode. Supported guest operating systems include versions and derivatives of Windows, Linux, BSD, OS/2, Solaris, Haiku and others. Since release 3.2.0, VirtualBox also allows limited virtualization of Mac OS X guests on Apple hardware, though OSX86 can also be installed using VirtualBox.
Users of VirtualBox can load multiple guest OSs under a single host operating system (host OS). Each guest can be started, paused and stopped independently within its own virtual machine (VM). The user can configure each VM independently and run it under either software-based virtualization or hardware-assisted virtualization if the underlying host hardware supports it. The host OS, the guest OSs and their applications can communicate with each other through a number of mechanisms, including a shared clipboard and a virtualized network facility. Guest VMs can also communicate directly with each other if configured to do so.
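The scalability claim of this paper (thousands of bots on one host) rests on exactly this per-VM configuration being scripted rather than clicked through. The following script is an added example, not code from the paper: it creates each bot as a linked clone of one prepared base VM (assumed to be named bot-base with a snapshot named clean) and attaches it to an isolated VirtualBox internal network (assumed name ddoslab), so all bots share one base disk image and can reach each other and the victim VM but not the host's physical LAN. By default it only prints the VBoxManage commands; it executes them only when run with --apply.

```python
"""Provision bot VMs as VirtualBox linked clones on an internal network (added example).

Assumptions: a prepared base VM "bot-base" with a snapshot "clean" exists,
VBoxManage is on PATH, and the internal network is called "ddoslab".
"""
import subprocess
import sys

OUI = "080027"   # VirtualBox's MAC prefix; bot i gets 08:00:27:xx:xx:xx with xx = i


def bot_name(i):
    return f"bot-{i:04d}"


def bot_mac(i):
    """Deterministic MAC so ARP and packet traces map back to a bot number."""
    return OUI + f"{i:06X}"


def provision_commands(n, base="bot-base", snapshot="clean",
                       intnet="ddoslab", memory_mb=128):
    """VBoxManage argv lists that create, configure and boot n bots."""
    cmds = []
    for i in range(1, n + 1):
        name = bot_name(i)
        # Linked clone: a small differencing disk on top of the snapshot's
        # image instead of a full copy, which is what keeps thousands cheap.
        cmds.append(["VBoxManage", "clonevm", base, "--snapshot", snapshot,
                     "--options", "link", "--name", name, "--register"])
        # Isolated internal network: bots reach each other and the victim VM
        # on the same intnet, but nothing reaches the host's physical LAN.
        cmds.append(["VBoxManage", "modifyvm", name,
                     "--memory", str(memory_mb),
                     "--nic1", "intnet", "--intnet1", intnet,
                     "--macaddress1", bot_mac(i)])
        cmds.append(["VBoxManage", "startvm", name, "--type", "headless"])
    return cmds


def teardown_commands(n):
    """Power off and delete the bots together with their differencing disks."""
    cmds = []
    for i in range(1, n + 1):
        cmds.append(["VBoxManage", "controlvm", bot_name(i), "poweroff"])
        cmds.append(["VBoxManage", "unregistervm", bot_name(i), "--delete"])
    return cmds


def run(cmds, dry_run=True):
    """Print the commands; execute them as well unless dry_run, stopping on the first failure."""
    for argv in cmds:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # usage: python bots.py [N] [--apply] [--teardown]
    n = int(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1].isdigit() else 3
    cmds = teardown_commands(n) if "--teardown" in sys.argv else provision_commands(n)
    run(cmds, dry_run="--apply" not in sys.argv)
```

Run without arguments to see the commands for three bots; `python bots.py 500 --apply` would actually create them and `python bots.py 500 --teardown --apply` removes them again. Because the clones are linked, disk space grows only with what each guest writes; with a small per-guest memory setting such as the 128 MB used here, host RAM is what bounds the bot count.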
VirtualBox is a cross-platform virtualization application. It is installed on existing Intel- or AMD-based computers, whether they run Windows, Mac, Linux or Solaris operating systems, and it extends the capabilities of the existing computer so that it can run multiple operating systems (inside multiple virtual machines) at the same time. For example, one can run Windows and Linux on a Mac, Windows Server 2008 on a Linux server, Linux on a Windows PC, and so on, all alongside the existing applications. Any number of virtual machines can be installed and run; the only practical limits are disk space and memory. VirtualBox is deceptively simple yet very powerful: it runs everywhere from small embedded systems or desktop-class machines all the way up to datacenter deployments and even cloud environments. After installing VirtualBox, the following steps can be followed to launch a DDoS attack.
Information gathering is the prime step both for launching an attack and for preventing one. Without information about the network deployment and the vulnerabilities associated with it, an attack cannot be mounted; equally, prevention and countermeasures are not possible without information gathering. It is therefore necessary for the attacker as well as the administrator, and it can be roughly divided into three major steps:

Footprinting / Network Discovery: the Nslookup and Whois tools are used.
Scanning: Angry IP Scanner and Zenmap are used.
Enumeration: Nmap is used for enumeration and Nessus for vulnerability assessment.
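To make the enumeration step repeatable across the virtual network, the scan output should be parsed rather than read by eye. The parser below is an added example, not code from the paper: it reads Nmap's grepable output format (nmap -oG, one Host: line per host with tab-separated Key: value fields, the Ports: field being a comma-separated list of port/state/protocol/owner/service/rpc-info/version entries) and lists the open services. The sample output embedded in it is constructed by hand for an assumed lab subnet 192.168.56.0/24; the hosts, hostnames, services and versions are invented for illustration.

```python
"""Parse Nmap grepable output (-oG) from the enumeration step (added example).

The sample below is constructed for an assumed lab subnet 192.168.56.0/24;
hosts, services and versions are invented for illustration.
"""
import subprocess

SAMPLE_GNMAP = """\
# Nmap 6.40 scan initiated Sat Mar  1 10:00:00 2014 as: nmap -sV -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1/\tIgnored State: closed (999)
Host: 192.168.56.10 (victim)\tStatus: Up
Host: 192.168.56.10 (victim)\tPorts: 80/open/tcp//http//Apache httpd 2.2.22/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1 Debian 5ubuntu1/\tIgnored State: closed (999)
# Nmap done at Sat Mar  1 10:00:12 2014 -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):        # comment lines start with '#'
            continue
        fields = {}
        for chunk in line.split("\t"):          # each chunk is "Key: value"
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip, _, rest = fields["Host"].partition(" ")
        entry = hosts.setdefault(
            ip, {"hostname": rest.strip("() "), "status": None, "ports": []})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for item in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/protocol/owner/service/rpc-info/version/
            parts = item.strip().split("/", 6)
            if len(parts) < 7:
                continue
            entry["ports"].append({
                "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                "service": parts[4], "version": parts[6].rstrip("/"),
            })
    return hosts


def open_services(hosts):
    """Sorted (ip, port, proto, service, version) tuples for every open port."""
    found = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open":
                found.append((ip, p["port"], p["proto"], p["service"], p["version"]))
    return sorted(found)


def scan(target, extra_args=("-sV",)):
    """Run nmap against the lab network; '-oG -' writes grepable output to stdout."""
    out = subprocess.run(["nmap", *extra_args, "-oG", "-", target],
                         check=True, capture_output=True, text=True).stdout
    return parse_gnmap(out)


if __name__ == "__main__":
    for ip, port, proto, service, version in open_services(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip:16} {port:>5}/{proto} {service:8} {version}")
```

`scan("192.168.56.0/24")` runs the real tool from inside the lab; the parser is the same either way, so the victim's exposed service (here the assumed web server on 80/tcp) is selected by a dictionary lookup instead of by reading Zenmap's window, and the host list can feed the attack and capture steps that follow.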


After scanning and enumeration, once the vulnerabilities have been assessed, the attack is launched through ARP cache poisoning using the tool ettercap, combined with IP spoofing. These steps are very important for launching the DDoS attack: in a DDoS the attacker machine spoofs its identity, and the attack is launched with the help of multiple systems (agents and handlers) by spoofing the IP addresses of those machines. Note that ARP cache poisoning only affects hosts in the same broadcast domain, so in this setup the attacker, the agents and the victim must share the same VirtualBox internal or host-only network. For packet sniffing, the Wireshark tool can be used.

4. CONCLUSION
The main purpose of simulating DDoS attack traffic is to facilitate DDoS detection and prevention research, notably by replaying the traffic to test the detection capability of an IDS/IPS and to examine the relevant detection algorithms. We have introduced DDoS attack traffic simulation using virtualization with Oracle VM VirtualBox 4.2.6. After scanning and enumerating the virtually created network, the vulnerabilities are assessed and the attack is launched through ARP cache poisoning using the tool ettercap, together with IP spoofing. In this approach ARP cache poisoning is done by the attacker system to redirect the traffic of the agents and handlers through itself and so spoof its identity. A SYN flood attack is then launched for denial of service, and its effect can be observed directly on the GUI provided by VirtualBox.
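Whether the simulated attack is useful for detection research depends on whether its traces are distinguishable from normal traffic in the Wireshark capture. The script below is an added example, not code from the paper, and covers both the ARP cache poisoning step of section 3 and the SYN flood of this conclusion: it reads a tab-separated export of the capture (the field list in the docstring is the tshark -T fields invocation a practitioner would use), flags an IP address whose sender MAC changes between ARP replies, and flags a destination that accumulates more half-open TCP handshakes in a one-second window than a threshold allows. The capture lines are constructed by hand; the 192.168.56.x addresses, the spoofed 10.x.0.1 sources and the MAC addresses are assumptions.

```python
"""Detect ARP cache poisoning and a SYN flood in a lab capture (added example).

Input lines imitate
  tshark -r lab.pcap -T fields -E separator=/t -e frame.time_relative \
    -e arp.opcode -e arp.src.hw_mac -e arp.src.proto_ipv4 \
    -e ip.src -e ip.dst -e tcp.flags
Fields that do not apply to a frame are empty. Addresses are assumptions for
the VirtualBox internal network: victim 192.168.56.10, gateway 192.168.56.1,
legitimate client 192.168.56.20, attacker MAC 08:00:27:ff:ff:ff.
"""
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed capture: a genuine ARP reply for the gateway, one normal
# three-way handshake, then the attacker answering for the gateway's IP.
CAPTURE = (
    "0.000\t2\t08:00:27:aa:aa:01\t192.168.56.1\t\t\t\n"
    "0.100\t\t\t\t192.168.56.20\t192.168.56.10\t0x0002\n"   # SYN
    "0.101\t\t\t\t192.168.56.10\t192.168.56.20\t0x0012\n"   # SYN-ACK
    "0.102\t\t\t\t192.168.56.20\t192.168.56.10\t0x0010\n"   # ACK
    "1.000\t2\t08:00:27:ff:ff:ff\t192.168.56.1\t\t\t\n"     # poisoned reply
    "1.500\t2\t08:00:27:ff:ff:ff\t192.168.56.1\t\t\t\n"
)
# Spoofed-source SYN flood: 50 SYNs from different nonexistent sources in
# half a second; the victim answers each with a SYN-ACK that is never ACKed.
for i in range(50):
    t = 2.0 + i * 0.01
    CAPTURE += f"{t:.3f}\t\t\t\t10.{i}.0.1\t192.168.56.10\t0x0002\n"
    CAPTURE += f"{t + 0.001:.3f}\t\t\t\t192.168.56.10\t10.{i}.0.1\t0x0012\n"


def parse(lines):
    """Return ('arp', t, opcode, mac, ip) or ('tcp', t, src, dst, flags) records."""
    recs = []
    for line in lines:
        f = line.rstrip("\n").split("\t")
        if len(f) < 7 or not f[0]:
            continue
        t = float(f[0])
        if f[1]:                                   # ARP frame
            recs.append(("arp", t, int(f[1]), f[2], f[3]))
        elif f[6]:                                 # TCP segment
            recs.append(("tcp", t, f[4], f[5], int(f[6], 16)))
    return recs


def detect_arp_poisoning(recs):
    """IP -> (first MAC, conflicting MAC, time) for IPs claimed by two MACs."""
    binding, alerts = {}, {}
    for kind, t, opcode, mac, ip in recs:
        if kind != "arp" or opcode != 2:           # only ARP replies
            continue
        if ip in binding and binding[ip] != mac and ip not in alerts:
            alerts[ip] = (binding[ip], mac, t)
        binding.setdefault(ip, mac)
    return alerts


def detect_syn_flood(recs, window=1.0, threshold=20):
    """Destination -> peak count of half-open handshakes within any window."""
    pending = {}                                   # (src, dst) -> time of client SYN
    for kind, t, src, dst, flags in recs:
        if kind != "tcp":
            continue
        if flags & SYN and not flags & ACK:
            pending[(src, dst)] = t
        elif flags & ACK and not flags & SYN:
            pending.pop((src, dst), None)          # client's ACK completes it
    by_dst = defaultdict(list)
    for (_, dst), t in pending.items():
        by_dst[dst].append(t)
    flagged = {}
    for dst, times in by_dst.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):              # sliding window over SYN times
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak > threshold:
            flagged[dst] = peak
    return flagged


if __name__ == "__main__":
    recs = parse(CAPTURE.splitlines())
    print("ARP poisoning:", detect_arp_poisoning(recs))
    print("SYN flood:", detect_syn_flood(recs))
```

Counting half-open handshakes per destination, rather than SYNs per source, is what catches this flood: each spoofed source sends exactly one SYN, so a per-source rate limit never fires, while the victim's SYN-ACKs go to hosts that do not exist and are never acknowledged, so its backlog grows. Connections are keyed by address pair only, which is adequate for a lab capture; a production detector would include ports and expire stale entries.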

References
[1] C. Li, W. Jiang and X. Zou. Botnet: Survey and Case Study. Innovative Computing, Information and Control (ICICIC), 2009.
[2] D. Plohmann and E. Gerhards-Padilla. Case Study of the Miner Botnet. Cyber Conflict (CYCON), 2012.
[3] M. Poongothai. Simulation and Analysis of DDoS Attacks. Emerging Trends in Science, Engineering and Technology (INCOSET), 2012.
[4] E. Cole. Hackers Beware. New Riders, Indianapolis, IN, 2002.
[5] A. Kumar, P. Selvakumar and S. Selvakumar. Distributed Denial-of-Service (DDoS) Threat in Collaborative Environment - A Survey on DDoS Attack Tools and Traceback Mechanisms. In Proceedings of the IEEE International Advance Computing Conference (IACC 2009), volume 1, pages 1275-1280, 2009.
[6] H. Lee, T. Kwon and H. Kim. NS-2 Based IP Traceback Simulation Against Reflector Based DDoS Attack. Artificial Intelligence and Simulation, pages 90-99, 2005.
[7] M. Li, J. Li and W. Zhao. Simulation Study of Flood Attacking of DDOS. In Proceedings of the International Conference on Internet Computing in Science and Engineering (ICICSE 08), pages 286-293, 2008.
[8] D. Schmidt, S. Suriadi, A. Tickle, A. Clark, G. Mohay, E. Ahmed and J. Mackie. A Distributed Denial of Service Testbed. IFIP Advances in Informat


AUTHORS:

Sonal Sinha, M.Tech. in Computer Science (p) from AIET, Lucknow, affiliated to Uttar Pradesh Technical University, Lucknow. B.Tech. in Information Technology from Uttar Pradesh Technical University, Lucknow, in 2004.

Ms. Madhulika Sharma, Assistant Professor & HOD CSE, AIET, Lucknow. B.Tech. and M.Tech. in Computer Science and Engineering from Birla Institute of Technology, Ranchi.
