Traceback of DDoS Attacks Using Entropy Variations Abstract

This document proposes a novel traceback method for DDoS attacks based on entropy variations between normal and attack traffic. It is more scalable and robust than existing probabilistic or deterministic packet marking techniques. The method monitors and records flow information at routers independently without modifying routing software. When an attack is detected, the victim can start a traceback procedure to efficiently identify attackers in real-time by distributing the workload across the network. Experimental results show accurate traceback is possible within 20 seconds for large-scale attacks involving thousands of compromised hosts.

Uploaded by: Jason Statham
Copyright: © Attribution Non-Commercial (BY-NC)
Traceback of DDoS Attacks using Entropy Variations

ABSTRACT
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless nature of Internet routing makes it extremely hard to trace these attacks back to their source, and as a result no effective and efficient method exists so far. In this paper we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic; it is fundamentally different from the commonly used packet marking techniques. Compared with existing DDoS traceback methods, the proposed strategy has several advantages: it is memory non-intensive, efficiently scalable, robust against packet pollution and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method; they show that accurate traceback is possible within approximately 20 seconds in a large-scale attack network with thousands of zombies.

This report describes work in progress on traceback of DDoS attacks. Its main purpose is to retrieve the data exchanged while a DDoS attack is under way. The remainder of the report is organized as follows. First, a message is sent from the server to the client. Next, the received packet is checked to determine whether it is a normal packet or a hacked (tampered) packet. Then the IP address of the hacker is traced through the router. Finally, we present our conclusion and future work.

SCOPE OF THE SYSTEM:


Traceback of DDoS attacks is used to improve the security of the communication between the server and the client, and because of its importance it has become an integral part of modern network security technology. Current network security defences are mostly static methods that collect, analyze and extract evidence after an attack has taken place. The approach taken here covers detection of hacking and retrieval of the affected information, and relies on tracing the IP address of the hacker using network entropy variations.

OBJECTIVES AND SUCCESS CRITERIA:


Host-based systems can determine whether an attempted attack actually succeeded, and can detect local attacks, privilege-escalation attacks and attacks carried over encrypted channels (the host sees the traffic after decryption). However, such systems are difficult to deploy and manage when the number of hosts to protect is large, and they cannot detect attacks directed against multiple targets across the network.

Tracing back the source of Distributed Denial-of-Service (DDoS) attacks in the Internet is an extraordinary challenge. In a DDoS attack, attackers generate a huge number of requests to the victim through compromised computers (zombies), with the aim of denying normal service or degrading its quality. IP traceback means the capability of identifying the actual source of any packet sent across the Internet; an IP traceback scheme is considered successful if it can identify the zombies from which the DDoS attack packets entered the Internet.

A. Detection
Detection (or recognition) occurs in the traceback system when an attack is observed in the packets being exchanged.

B. Hacking
Hacking, in this project, is the theft of data or information passed from the server to the client. It is easily achieved when security on the path is weak.

C. Traceback
Traceback is the process of identifying the IP address of the hacker. It is the central concept in retrieving the information, and it involves the routers, which are always active in the network.

D. Entropy Variation
Entropy variation is the change in the entropy of the packet distribution over flows passing through a router, measured against the router's normal baseline; it indicates the status of the packets in transit. During a flooding attack the attack flows dominate the router's traffic, so the entropy falls sharply below the baseline, and retrieval of the information is driven by this variation.

EXISTING SYSTEM:
A number of IP traceback approaches have been suggested to identify attackers. There are two major methods for IP traceback: probabilistic packet marking (PPM) and deterministic packet marking (DPM). Both require routers to inject marks into individual packets. Moreover, PPM can only operate in a local range of the Internet (an ISP network) where the defender has the authority to manage the routers; such ISP networks are generally quite small, and we cannot trace back to attack sources located outside the ISP network. DPM requires all Internet routers to be updated for packet marking, but with only 25 spare bits available in an IP packet header its scalability is a serious problem, and the packet logging it requires poses an extraordinary storage burden on routers. It is therefore infeasible in practice at present. Further, both PPM and DPM are vulnerable to attackers forging or overwriting the marks, which is referred to as packet pollution.

PROPOSED SYSTEM:

The proposed strategy is fundamentally different from the existing PPM and DPM traceback mechanisms, and it outperforms them. Because of this essential change, the proposed strategy overcomes the inherent drawbacks of packet marking methods: limited scalability, huge demands on storage space and vulnerability to packet pollution. Implementing the proposed method requires no modification of current routing software, whereas both PPM and DPM require updates to the existing routing software, which is extremely hard to achieve across the Internet. Instead, the proposed method works independently as an additional module on routers that monitors and records flow information and communicates with the router's upstream and downstream neighbours when the pushback procedure is carried out. The proposed method will remain effective against future packet flooding DDoS attacks because it is independent of traffic patterns. Some previous work depends heavily on traffic patterns to conduct traceback, for example by assuming that traffic obeys a Poisson or Normal distribution. Traffic patterns have no impact on the proposed scheme, so it can deal with arbitrarily complicated attack patterns, even attacks that mimic legitimate traffic patterns. The proposed method can achieve real-time traceback to attackers: once short-term flow information is in place at the routers and the victim notices that it is under attack, it starts the traceback procedure. The traceback workload is distributed, and the overall traceback time depends mainly on the network delays between the victim and the attackers.
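The two ideas the previous sections rely on, the entropy variation a router observes during a flood (Entropy Variation, above) and the pushback that follows those variations upstream from the victim (this section), can be shown end to end on a small constructed topology. The following is an added example written for this page, not code from the original report or from the paper it draws on. It assumes a six-router tree with the victim behind R1, flows keyed by (source, destination), deterministic legitimate traffic so that the baseline is noise-free, zombies attached to R4 and R6 in one attack window, and a fixed floor of 0.3 bits on what counts as a variation; all of these are assumptions for illustration.

```python
"""Entropy-variation DDoS traceback on a constructed router tree (added example)."""
import math
from collections import Counter

# Assumed topology: each router lists its upstream neighbours; the victim sits behind R1.
UPSTREAM = {"R1": ["R2", "R3"], "R2": ["R4", "R5"], "R3": ["R6"],
            "R4": [], "R5": [], "R6": []}
VICTIM = "V"
BASELINE_WINDOWS = range(0, 5)   # windows carrying only normal traffic
ATTACK_WINDOW = 5
ENTROPY_FLOOR = 0.3              # assumed minimum change (bits) that counts as a variation


def local_traffic(router, window):
    """Constructed per-window traffic that enters the Internet at `router`.

    Returns a list of (src, dst) packets: 20 legitimate hosts send 5 packets each,
    and in the attack window zombies attached to R4 and R6 flood the victim.
    """
    packets = [(f"{router}-h{i}", VICTIM) for i in range(20) for _ in range(5)]
    if window == ATTACK_WINDOW:
        zombies = {"R4": [("Z1", 150), ("Z2", 150)], "R6": [("Z3", 200)]}
        for src, count in zombies.get(router, []):
            packets += [(src, VICTIM)] * count
    return packets


def traffic_at(router, window):
    """Every packet forwarded by `router`: its own plus everything from upstream."""
    packets = list(local_traffic(router, window))
    for up in UPSTREAM[router]:
        packets += traffic_at(up, window)
    return packets


def flow_entropy(packets):
    """Shannon entropy (bits) of the packet distribution over (src, dst) flows."""
    counts = Counter(packets)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def entropy_variation(router, window):
    """Distance of this window's flow entropy from the router's normal baseline.

    Only per-window entropy samples are kept, not packets, which is what keeps the
    scheme memory-light compared with packet logging. Returns (deviation, threshold).
    """
    history = [flow_entropy(traffic_at(router, w)) for w in BASELINE_WINDOWS]
    mean = sum(history) / len(history)
    std = math.sqrt(sum((h - mean) ** 2 for h in history) / len(history))
    current = flow_entropy(traffic_at(router, window))
    return abs(current - mean), max(3 * std, ENTROPY_FLOOR)


def attack_seen(router, window):
    """True when the router's flow entropy moved further than its threshold allows."""
    deviation, threshold = entropy_variation(router, window)
    return deviation > threshold


def traceback(router, window):
    """Pushback from the victim's router: follow entropy variations upstream.

    A router whose entropy changed while all of its upstream neighbours look normal
    is where the attack traffic entered, i.e. the router closest to the zombies.
    """
    if not attack_seen(router, window):
        return set()
    suspects = [up for up in UPSTREAM[router] if attack_seen(up, window)]
    if not suspects:
        return {router}
    found = set()
    for up in suspects:
        found |= traceback(up, window)
    return found


if __name__ == "__main__":
    for r in UPSTREAM:
        dev, thr = entropy_variation(r, ATTACK_WINDOW)
        state = "attack" if dev > thr else "normal"
        print(f"{r}: variation {dev:.2f} bits (threshold {thr:.2f}) -> {state}")
    print("routers closest to zombies:", sorted(traceback("R1", ATTACK_WINDOW)))
```

Running it reports every router on the R1-R2-R4 and R1-R3-R6 paths as varied, R5 as normal, and returns R4 and R6 as the entry points; with real traffic the baseline standard deviation is non-zero and the 3-sigma term, not the floor, sets the threshold.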

HARDWARE REQUIREMENTS:

Processor : Intel Pentium IV
RAM : 512 MB
Hard Disk : 40 GB

SOFTWARE REQUIREMENTS:

Operating System : Windows XP
Techniques : JDK 1.6
Front End : Java Swing
