
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE

A. Dahiya et al., Vol.9, No.3, pp.140-153

Honeynet-based Defensive Mechanism Against DDoS Attacks

Abhinav Dahiya¹, Kamaldeep Joshi¹, Rainu Nandal¹, Rajkumar Yadav², Satinder Bal Gupta²
¹ Department of Computer Science and Engineering, University Institute of Engineering and Technology, Maharshi Dayanand University, Rohtak, Haryana, India
² Department of Computer Science and Engineering, Indira Gandhi University, Meerpur, Rewari
Corresponding Author: [email protected]
ORCID iD: 0000-0002-3096-5407, 0000-0002-3238-0234, 0000-0003-0350-0388, 0000-0003-0605-8759, 0000-0002-6056-1489
Research Paper Received: 05.02.2020 Revised: 08.05.2020 Accepted: 01.06.2020

Abstract—The Internet we use today is expanding faster than we could have imagined. Since the dawn of the Internet there has been an exponential increase in the number of web sites, and therefore in the quantity of data on these web sites. Attackers target web sites to collect useful information and also to deprive legitimate users of the information or services they require. Such problems and other similar types of attacks can be handled by a "Honeypot" system, which draws all attacks onto itself and studies the attack patterns in order to detect similar attacks in future. A honeypot allows all attacks on itself and makes attackers believe that they have access to the real system, while in the meantime it studies the attackers' attack patterns. The authors have created a network of various honeypots to enhance the efficiency. Before the honeypots, a filtering algorithm is used which, with the help of a pre-defined sink server, predicts whether a given packet is malicious or not; the help of the ISP can also be taken if the sink server has no information about the sender of the given data packets. Then, to further enhance the capability of the honeynet cloud, various types of services such as HTTP, CBR and FTP can be deployed in the honeynet cloud. The authors have used the NS2 simulator to run the proposed work, and the results are taken in the form of graphs: the throughput of all three types of honeypots, and the bandwidth and packet loss of all services provided by the destination servers. The detection rate of malicious packets is calculated and a comparison is made between the different services provided by the honeynet cloud.

Keywords—DDoS, Honeypot, Security, NS2, Sink-Server, Intruder, Honeynet-cloud

1. Introduction

The number of devices connected to computer systems and the Internet is growing rapidly day by day. This has led to an increase in the number of network based attacks. The private data of every individual using the web, such as the PAN (Permanent Account Number), the AADHAAR number (a 12 digit unique number provided by the UIDAI, the Unique Identification Authority of India) and credit/debit card details, is stored in extensive databases and so forth. Vital records, documents and photographs are stored on clouds and drives, which keeps this information in enormous, centralized databases. This expansion is followed by a surging number of surveillance issues. New threats


and vulnerabilities are discovered every day, and networked systems are a long way from being secure. Various recent advancements are used to stop these attacks. About 76% of Indian businesses were hit by cyber-attacks in 2018, the highest after Mexico and France, according to a study by Sophos, a global leader in network and endpoint security. India is in first position among the countries facing dictionary attacks, followed by China. A dictionary attack is a brute force method in which an attacker uses all dictionary words as password guesses. India holds the 7th position among comment spammer countries, while China tops the list, followed by the US, Russia and Ukraine. Comment spam is a term referencing a wide category of spammer posts or spambots which use social sites, forums, blogs, wikis etc. to post unsolicited content through any medium. We cannot rely wholly on IDS and firewalls to keep data completely secured. Firewalls are regularly installed at the border of a network so as to stop unapproved access through particular ports and data. They can easily block all incoming requests in order to block illegal requests, but in the process they also block some genuine requests. An intrusion detection system can likewise be utilized to analyse incoming requests; however, because of its "false alert issues", it is of very little use when it is the only layer of security [1].

With such a tremendous number of problems, we need a mechanism to identify these attacks. One such protection system is the utilization of honeypots. A honeypot is a crucial security entity which sacrifices its assets to study unauthorized access, so as to find potential vulnerabilities in operational frameworks and eliminate the danger. These are like traps for suspicious users. A honeypot is installed on a network to attract attackers. It gathers information from the trapped user, which is used against future attacks, as shown in Figure 1.

A decent method to explore new threats is to catch the malicious activity step by step as it enters a system. It is worth observing the responses attackers give in a deadlock-like situation, for example contacting other attackers or transferring different trojans such as rootkits. Over time, we get different honeypots with specific functions, like shadow honeypots, honey farms and honey-tokens. These different forms will be discussed in the literature review later in section II. The honeypot technique can be used in various areas like industrial control systems (ICS), where it collects data and information from various attacks, and smartphones. If it is combined with an Intrusion Detection System (IDS) and a firewall, it handles the false negative and false positive rate and also adds another layer of security. Also, unlike other security measures, it is compatible with encryption and communication through IPv6.

Figure 1. Basic structure of Honeypot

In the solutions proposed so far by researchers, work has been done on improving the detection and prevention rate. Architectures have been proposed to improve the efficiency as well as the overall throughput of the network. The honeypot is added as


an additional security layer along with the Intrusion Detection System (IDS). There is not much work in which a honeynet cloud is explored with different kinds of services. In the proposed scheme, the honeynet cloud is employed with multiple subnets which deal with different kinds of traffic flows such as HTTP, FTP and DNS. In this paper, the authors aim to deal with DDoS attacks by utilizing honeypots and a honeynet cloud. The authors have contributed to the existing state of the art in this domain by adding a new service which will provide the sink server with more information about the attackers and their attacking method. Further sections are arranged as follows: section II will discuss some significant papers in this domain which motivated us to work in this direction, followed by section III which contains the research work done. Section III will describe the experimentation and result analysis, followed by section IV which will finally conclude the paper.

1.1. Research Gap/Problem statement

In previous papers, work has been done on improving the detection and prevention rate. Architectures have been proposed to improve the efficiency as well as the overall throughput of the network. A honeypot is added as an additional security layer along with the Intrusion Detection System (IDS). Research related to various services within a honeynet is very limited. For example, various servers can be added to the honeynet to handle attacks related to various services like HTTP, FTP etc. Comparisons of their bandwidth and throughput are very limited.

1.2. Objectives

The specific aim of a honeypot system is to limit DDoS attacks by transferring all attacks towards itself, so that no attacker will be able to access the destination servers. This paper studies the various services at the honeypot, and in order to do so its objectives are as follows:

1. To study the previous literature related to honeypots, honeytokens and honeynets.
2. To find the detection rate of attacks at the system.
3. To add a new service, paid in nature, which will provide the sink server with additional information about the attackers and their attacking method.
4. To compare the bandwidth and throughput of all three services at the honeynet, that is HTTP, FTP and CBR.

2. Literature Survey

In this section, the authors have discussed some of the important schemes related to their work, i.e. the research which has used honeypot technology to combat DDoS attacks.

In [2], Brown et al. have carried out a study considering different cloud platforms, for example Amazon EC2, Windows Azure and IBM SmartCloud, along with honeypots to analyze different attack packets. The USA and China are the countries which predominantly carry out HTTP and SSH based DDoS attacks. But this study was bounded to EC2 and Azure. The proposed approach mainly focused on low interaction honeypots.

In [3], Buvaneswari et al. have utilized IHoneycol as an incentive provider to local ISPs in order to combat DDoS attacks effectively. This whole framework consists of Firecol-IPS and Honeypot-IPS, which divert DDoS attack traffic near the source and the destination respectively. Twin attacks and ping of death attacks are efficiently handled by the proposed approach. This protocol is lightweight but has high


computational overhead.

In [4], an intrusion detection system has been designed for a cloud environment using honeypot technology to reduce the false alarm ratio. Implementation rules have been built by this technique, where brokers access the data sent by cloudlets. The attack is detected by the honey gateway that is deployed at each echelon of cloud nodes. The main disadvantage of this scheme is that, being implemented at each OSI layer, its speed decreases.

In [5], ADTRVH (Ant-based DDoS detection technique using roaming virtual honeypots) has been proposed by the authors. The authors have used an ant colony optimization algorithm to control the traffic flows in the victim network. Pheromone deposit has been used to detect the frequency of DDoS attacks and to trace the attackers back to their actual IP addresses. The database of attack signatures and log files is regularly updated as new attack signatures are found in the network.

In [6], the authors have analysed the incoming and outgoing data traffic of a particular network. They have utilized the inbound-to-outbound ratio to find any discrepancy in the data traffic flows. Some rule-based defensive mechanisms have been permitted to estimate the occurrence of a DDoS attack. Monitoring tools deployed by the proposed scheme result in the generation of some mitigation rules. Conjunction and disjunction of data packet parameters have been used to filter the malicious data traffic out of the traffic intended for a specific server. This fact leads to inefficiency of the proposed approach, as it cannot be fitted to every network state.

In [7], Zargar et al. figure out various insider threats in an enterprise using raw logs and traffic. This solution is not fully comprehensive: it only detects the deviation of an attacker from normal behaviour and then creates a system generated alert. This particular approach can be used at a high rate along with network sessions. This method has a deficiency for a very large number of network flows from many hosts to a single host.

Bercovitch et al. [8] give an automatic honeytoken generating tool to create fake data elements in a database, having three phases: rule extraction fetches the rules from the database so that the fake data items look real; then, in the second phase (the honeytoken generation phase), different honeytokens are generated on the basis of the rule extraction phase; after that a rating is given to each newly generated honeytoken on the basis of its similarity to real data items.

In [9], Asaf et al. carried out the study in two phases. In the first phase, generic methods are used to create honeytokens which are quite similar to the real-life dataset. In the second phase, the authors carried out a study to show that although honeytokens are implanted in databases, the nature of the users doesn't change.

3. Research Work

In this section, the authors have discussed the proposed honeypot based defensive framework against DDoS attacks. A two layer defensive framework utilizing honeypots has been proposed in this paper. A DDoS attack is a cumulative malicious attempt by a network of compromised machines to make an online service completely unavailable to legitimate users. The consequences of a DDoS attack can be very devastating to an organization, as an attacker doesn't need many resources to perform a DDoS attack but a few hours of downtime can cause a huge loss to the victim. Honeypots have been used for years by researchers to combat DDoS attacks. Honeypots are nothing but potential victims which can offer more vulnerabilities and loopholes to an attacker and can act as traps to lure cyber attackers. Honeypots provide information to the defenders about


Table 1. Evolution of Honeypot Against DDoS attacks

| YEAR | INNOVATION | TECHNOLOGY USED |
|---|---|---|
| 1990-91 | "HONEYPOT" term coined | Honeypot term was made public for the first time through two books, "The Cuckoo's Egg" [10] and "An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied" [11]. |
| 1997 | First ever public honeypot, i.e. "Deception Toolkit" | First ever public honeypot was created by Fred Cohen [12]. |
| 1998 | Honeypot by the US administration | Honeypot created by Martin Rash for the U.S. administration [13]. |
| | CyberCop Sting | First commercial honeypot [13]. |
| | BackOfficer Friendly | Launch of the BackOfficer Friendly honeypot [14]. |
| 1999 | Honeynet Project | Lance Spitzner along with a team of 50 members founded a non-profit research group [15]. |
| 2000-2001 | Adopted by organizations | Honeypots were adopted by various big organizations to tackle attackers and many worms [13]. |
| 2002 | Solaris Honeypot | Exploits like dtspcd were detected by the Solaris honeypot [13]. |
| | Honeyd | Nugatory daemon honeypot [16] formed. |
| | Honeynet | High interaction research honeypot [17], [18]. |
| | Honeynet against DDoS | Honeynet technology against Distributed DoS [19]. |
| 2003 | Honeytoken | A new concept of honeytoken was coined [20]. |
| | Eeyore | A new Honeywall CDROM, Eeyore [21]. |
| | Mirage | Coequal to Snort against DDoS [22]. |
| 2004 | Roaming Honeypot | Introduced by Khattab to curb DDoS [23]. |
| 2005 | Roo | Honeywall CDROM Roo. |
| 2006 | Hybrid protean honeypot | Combination of hybrid and protean based honeypots to handle DDoS [24]. |
| 2007 | Server-client honeypot | Creation of honeypots for client-server architecture [25]. |
| 2008 | HTTP based attack | Honeypots for attacks based on HTTP [14]. |
| 2010 | Glastopf | Creation of a dynamic and low interaction honeypot [19]. |
| | Architecture having two levels | Created by Sardana to curb DDoS with a dual level architecture [26]. |
| 2011 | Honeydroid | A high interaction honeypot [27]. |
| 2012 | Cloud environment honeypots | Brown studied the employment of honeypots on cloud computing platforms like Windows Azure and Amazon EC2 [2]. |
| 2013 | IHoneycol | Combination of honeypot and Firecol [3]. |
| | Hostage | A low interaction honeypot for mobiles [28]. |
| | Nomadic | A mobile phone honeypot concept [29]. |
| | Labsac | A virtual honeypot network for Android [30]. |
| 2014 | Attack detection in cloud | Honeypot use in a cloud environment. |
| 2015 | Ampot | Ampot used against DDoS [31]. |
| | Honeymesh | Prevention of DDoS attacks in virtualized honeypots [32]. |
| | Shadow honeypot for wireless access points | Here the shadow honeypot has the extra advantage of anomaly detection [33]. |
| 2016 | Ant based DDoS detection | Detects DDoS attacks using roaming virtual honeypots [5]. |
| | Honeyphy | Constructs honeypots for cyber physical systems [34]. |
| | Honeymix | An intelligent honeypot [35]. |
| | IaaS infrastructure cloud | Combination of honeywall, honeycomb and honeyd in IaaS [36]. |
| 2017 | Privacy issues in honeynets and honeypots | EU laws were used to check the protection of information used by honeypots and honeynets [37]. |
| | URL redirections | Honeypots that check each URL redirection [38]. |


the number and type of attempts an attacker has made in order to infiltrate a network. A honeypot is configured in such a way that it always seems exploitable to an attacker. In the following section, the various components of the proposed architecture will be discussed along with their functionalities.

3.1. Proposed Model's Architecture

In this section, the various communicating units and their functionalities have been illustrated. Figure 2 shows the proposed architecture of an organization that wants to defend its interests against DDoS attacks. Each module and its sub-modules are discussed in detail in the following sub-sections.

3.1.1. Ingress Filtering Module

The ingress filtering module is deployed at the edge router of the network. The filtering module tries to filter malicious packets out of the data traffic flow before they enter the organization's network. Basically, the filtering module tries to stop DDoS attacks at the boundary of the network. The filtering module consists of a data log which is constantly and timely updated with new attack signatures or patterns. Every data packet requested by a user is compared against the information stored in the data log. Ingress filtering is a defensive technique which is used to handle IP spoofing. Ingress filtering is applied to ingoing traffic (traffic that tends to enter the victim network from other networks). IP spoofing is a technique used by an attacker to forge the IP address of a data packet to hide the original source or to impersonate another sender. IP spoofing enables attackers to avoid being detected by the defenders and to confuse target servers between malicious data packets and legitimate ones. Using IP spoofing for carrying out a DDoS attack is a very old technique to bypass the security systems deployed by the organization. Moreover, IP spoofing along with the hierarchical architecture of the botnet makes it very difficult for organizations to detect the original attacker. Figure 2 shows the architecture of the proposed scheme. The filtering module consists of sub-modules, namely the fetching module, analysis module, traffic rerouting module and behavioural analysis module, which will be discussed in the following sub-sections.

a) Fetching Module
The fetching module is the first sub-module of the filtering mechanism. It fetches the IP headers of the incoming data packets. The IP header of every packet contains very important information about the sender or the sender's network. Attackers need to forge only the IP header fields in order to spoof their IP address. Therefore, in this module the IP headers of data packets are fetched and given as input to the next sub-module.

b) Collating Module
The collating module works on the IP headers fetched in the previous module. It collects important information from the IP header, such as the source IP address and port number, offset field, destination IP address and port number, packet size etc. This information is used to detect new attack signatures, and the log server can be constantly and timely updated according to this information. With new advancements in technology and techniques, attackers are always one step ahead of us. They are highly incentivized to carry out new types of DDoS attacks. Solutions proposed so far by researchers can detect DDoS attacks that already exist. They are not trained to detect new types of DDoS attacks.

c) Traffic Rerouting Module
The traffic rerouting module diverts the legitimate traffic to the intended destination, while illegitimate traffic is diverted towards the honeynet


and sink node. The honeynet is deployed by the organization to lure attackers and consists of a number of open vulnerabilities. Different traffic load levels have been embedded with a wide range of threshold values. If the threshold value is within the control of the defensive mechanism, then all the traffic is diverted towards the server. If the threshold is between the Sceptical and Alert levels, then the traffic is diverted towards the honeynet. Threshold values must be set granularly, as otherwise the system can oscillate between different states, often resulting in instability of the defensive mechanism.

– Threshold Value: Threshold values are calculated by monitoring data traffic during a non-attack period and with the help of the ISP. There could be many parameters for calculating the threshold value, but in this paper two parameters have been considered: "Frequency of data packets sent" and "Size of data payloads". The average frequency with which requests for data are sent and the average payload of a data request packet are calculated during a non-attack period with the help of the ISP. To make it more robust, the threshold is divided into three levels: Normal, Sceptical and Alert. If either the frequency or the payload (size) of the data packets sent is considerably high, then its threshold value will be put under the Sceptical level. But if the values of both the frequency and the size of the data packets are high, then its threshold value will be put under the Alert level. If the threshold value of an incoming packet starts getting Sceptical, the request will be further investigated with the help of the ISP. If on further investigation it reaches the Alert level, it will be marked as illegitimate and sent to the honeynet cloud, and the blacklist and sink servers will be updated.

Figure 2. Architecture of proposed scheme

d) Behavioral Analysis
The values of the parameters that have been considered by an organization to handle DDoS attacks are calculated by this module. These values are then stored in the log server for future reference and further mitigation.

3.2. Sink Node

The sink node handles the data traffic marked as illegitimate which crosses the maximum threshold value set and cannot be handled by the server. All the traffic, irrespective of whether it is malicious or non-malicious, will be sent towards the sink node. A time window has been set by the sink node, which stores all the information about the malicious packets. A blacklist server has been used to store all the information. All the malicious IP addresses are stored in the blacklist server. This blacklist server is constantly updated as data packets arrive at the sink node.


3.3. Honeynet Cloud

The honeynet cloud is composed of heterogeneous honeynets that can handle various TCP, UDP and HTTP data packets. Different numbers of honeypots are deployed to construct a honeynet. A data request from a user, having passed through the various sub-modules, reaches the honeynet through the data request mapping module. The IP address of each honeypot is constantly changed by the dynamic provisioning module to make it appear more real to the attacker and to avoid being detected by the attacker. Fingerprinting is the major problem caused by a static IP address of the honeypot. It is very important to change the IP address of the honeypot regularly to confuse the attacker and make it appear more real. Data traffic is diverted towards the honeynet if the threshold value lies within the Sceptical and Alert levels.

3.4. Data Request Mapping Module

The data request mapping module is deployed between the filtering module and the honeynet. It is the responsibility of this module to send data requests from users to their right destination according to the algorithm discussed below. In this algorithm, a matrix value is used: if its value is 0 then the packet is illegitimate, and if 1 then the packet is legitimate. All packets are made to go through this algorithm, which checks the source IP address of the packets against the database on the sink server, which has the history of all data attacks. This module decides which honeynet sub-network is going to receive a particular data packet, or whether a packet will be sent to the server or the sink node.

3.5. Dynamic Provisioning Module

The dynamic provisioning module has the functionality to constantly change the IP addresses of each honeypot present in the honeynet cloud. This is done to befool the attacker and make the honeypots appear as more real systems to attackers. This technique is employed to overcome the fingerprinting problem which is caused by the static IP addresses of honeypots. It is very necessary to change the IP addresses regularly to perplex the attacker and divert his attention from the real server.

3.6. Demilitarized Zone (DMZ)

It is the best location for the destination or other servers to be deployed in a network. Internal and external placements of honeypots have their own respective disadvantages. This is the placement point which shields against the disadvantages of both kinds of placement. Every organization has this zone. It listens for service requests from the rest of the Internet. Only a packet proven legitimate is headed towards this zone for further processing.

3.7. ISP Service Provider

The ISP service provider is attached to the sink server. When the collating module collects the IP address from the packet, the algorithm checks it in the sink server; if it is not found as an illegitimate IP address, the sink server may consult the ISP for a double check. This service will not be free of cost, as we are asking the ISP to check its database for the history of the IP address of incoming packets.

4. Experimentations and Results

In this section, the authors have discussed the simulation performed and the results obtained. For that, first of all the tool on which the simulation has been performed is discussed. Then, the parameters that have been considered while


performing the simulation and after that the whole simulation process is discussed. The authors have used Ns2 for performing the simulation. Ns2 stands for network simulator version 2. Ns2 is an event driven open source simulation tool used for research specifically in the communication network domain. It is used to study the dynamic behaviour of computer and communication networks. NAM is the network animator which is the GUI of Ns2. In the proposed model, the authors deal with volume based DDoS attacks. There do not exist any standards or benchmarks to guide researchers on how to choose parameters for analysing the performance of a defensive model against volume based DDoS attacks. There are two factors which form the basis of the parameters considered, i.e. low variation in attack traffic or high variation in attack traffic. Choosing suitable parameters to evaluate the performance of any scheme is a very important task. Legitimate data traffic values must be collected during a non-attack period to maintain the repository of log files and to update attack signatures. These log files can be used further for comparative analysis during the attack or after the attack period. So, the following parameters have been considered while analysing the performance of the model:

a) Illegitimate packet drop rate: A DDoS attack defense mechanism tends to reduce the number of illegitimate packets in a traffic flow by selectively discriminating them from the legitimate packets. It is defined as the ratio of total illegitimate packets dropped to the total traffic flow.
b) Benign packet drop rate: We want the defense mechanism not only to defend against DDoS attacks but to provide QoS to the benign users. It is defined as the ratio of total legitimate packets that reached the destination to the total traffic flow.
c) Throughput: It reflects the performance of the system. It is the total amount of data packets transmitted in a unit of time.
d) Failure rate: This metric is defined at the application layer as the ratio of the number of service requests unattended (not processed) by the victim server to the total number of service requests sent by the sender.

While performing the simulation, the authors have taken a total of 15 nodes as shown in Figure 3. Each of the nodes represents either a client or a server. Of the total 15 nodes there are 6 client nodes, 3 are legitimate nodes and 3 are attacker nodes. Attacker nodes are labelled with their respective


attacker label and legitimate nodes are labelled as legitimate nodes. The 3 legitimate nodes shown are for different application protocols like HTTP or FTP etc. The sixth node is the ingress filtering module, which filters the incoming data flow from the respective legitimate nodes and attacker nodes.

Figure 3. Initial topology of proposed scheme

Figure 4. System state of proposed scheme when attacker node also requests for HTTP service.

The seventh node is the sink server, which is attached to the ingress filtering module and helps it to differentiate between attack and legitimate traffic. The eighth node is the destination node, which is further attached to the HTTP server node, FTP server node and CBR server node. Further, the honeynet cloud is attached to different types of honeypots, i.e. HTTP honeypot etc. All nodes are connected by wired connections. All connections are duplex in nature, where two way communication is possible at a time.

In the simulation, the authors have used the distance vector (DV) routing protocol. This routing protocol is used in wired communication systems. In DV, each node sends periodic route updates every 2 seconds. The simulation has a duration of 18 seconds. The complete analysis and output will be within the timeframe of 18 seconds. Within this simulation time both attacker nodes and legitimate nodes will send data, which will be handled by the proposed scheme.

In Figure 4, node 3 (attacker1) has also started sending data packets. The ingress filtering module will again ask the sink server, which will check its database filled with recent attack history. The sink server, with the help of the ISP, will send a negative ACK; then the filtering module will transfer the data packets of attacker node 3 towards the honeynet, where the honeynet will give the data packets to the honeypot dealing with HTTP requests and it will start analysing them. During this complete duration, data packets from legitimate node 0 will keep communicating with the HTTP service without any problem. In Figure 5, the queue at the link between node 4 and node 5 starts getting overwhelmed. Node 4 is receiving more data packets than it can handle. Only attacker packets are getting dropped at this moment, as the link from node 4 to node 5 is only for attack packets which are being sent to the honeynet cloud for attack packet analysis. At this point a very small data packet drop can be seen on the link from node 4 to node 9.

4.1. Graphs Description

After the simulation is complete, the results of the simulation in the form of graphs are discussed.

149
INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE
A. Dahiya et al., Vol.9, No.3, pp.140-153
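Before turning to the graphs, the filtering flow described in Section 4 (the ingress filter asks the Sink server, the Sink server answers from its attack history with the help of the ISP, and known attackers are diverted to the honeypot serving their protocol) is shown below in Python as an added example; it is not the authors' ns2 code. Node numbers follow the topology above (client nodes 0-5, honeypots 6-8, destination servers 10-12); the packet layout, the sliding-window volume check that feeds the attack history, the ISP-flagged set and the traffic replayed in run_demo() are assumptions made for this example.

```python
"""Ingress filtering backed by a Sink-server attack-history lookup.

Added illustration of the flow described in Section 4; it is not the
authors' ns2 simulation code. Node numbers follow the paper's topology
(client nodes 0-5, honeypots 6-8, destination servers 10-12). The packet
layout, the sliding-window volume check, the ISP-flagged set and the traffic
replayed in run_demo() are assumptions made for this example.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Per-service destinations, following the topology described in the paper.
SERVERS = {"http": 10, "cbr": 11, "ftp": 12}
HONEYPOTS = {"http": 6, "cbr": 7, "ftp": 8}


@dataclass(frozen=True)
class Packet:
    time: float    # seconds into the simulation
    src: int       # sending node number
    service: str   # "http", "cbr" or "ftp"


@dataclass
class SinkServer:
    """Holds the recent attack history that the ingress filter consults."""
    attack_history: set = field(default_factory=set)   # sources seen attacking
    isp_flagged: set = field(default_factory=set)      # sources reported by the ISP (assumed)

    def ack(self, src: int) -> bool:
        """Positive ACK (True) for a trusted source, negative (False) for a known attacker."""
        return src not in self.attack_history and src not in self.isp_flagged


class IngressFilter:
    """Forwards trusted traffic to the real server and diverts the rest to the honeynet."""

    def __init__(self, sink: SinkServer, window: float = 2.0, limit: int = 20):
        self.sink = sink
        self.window = window                 # seconds of history kept per source (assumed)
        self.limit = limit                   # packets per window before a source is flagged (assumed)
        self.recent = defaultdict(deque)     # src -> arrival times inside the window

    def _over_limit(self, pkt: Packet) -> bool:
        q = self.recent[pkt.src]
        q.append(pkt.time)
        while q and q[0] < pkt.time - self.window:
            q.popleft()
        return len(q) > self.limit

    def route(self, pkt: Packet) -> int:
        """Return the node number the packet is forwarded to."""
        if self._over_limit(pkt):
            # Volume-based attacker: record it so later lookups answer negatively.
            self.sink.attack_history.add(pkt.src)
        if self.sink.ack(pkt.src):
            return SERVERS[pkt.service]
        return HONEYPOTS[pkt.service]


def run_demo() -> tuple:
    """Replay constructed traffic; returns ((src, dst) packet counts, final attack history)."""
    # Node 3 is already in the attack history, node 4 is reported by the ISP;
    # node 5 is an attacker that is not yet known to the Sink server.
    sink = SinkServer(attack_history={3}, isp_flagged={4})
    filt = IngressFilter(sink)
    decisions = Counter()
    for step in range(60):                 # 18 s of simulation in 0.3 s steps
        t = round(step * 0.3, 3)
        traffic = [Packet(t, 0, "http"), Packet(t, 3, "http"), Packet(t, 4, "cbr")]
        traffic += [Packet(t, 5, "ftp")] * 5   # attacker3 floods the FTP service
        for pkt in traffic:
            decisions[(pkt.src, filt.route(pkt))] += 1
    return decisions, set(sink.attack_history)


if __name__ == "__main__":
    counts, history = run_demo()
    for (src, dst), n in sorted(counts.items()):
        print(f"node {src} -> node {dst}: {n} packets")
    print("attack history:", sorted(history))
```

Running the block prints the per-destination packet counts: node 0 always reaches the HTTP server, nodes 3 and 4 are diverted from their first packet because the Sink server already knows them, and node 5 reaches the FTP server only until its volume crosses the assumed threshold, after which its packets go to the FTP honeypot and node 5 is added to the attack history.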

Figure 5. System state of proposed scheme when attack packet drop is significantly higher for HTTP service.

Figure 6. Throughput of all three honeypots in honeynet.

In Figure 6, the net throughput of all three honeypots in the honeynet is shown. Graph curve HoneyTH1.tr, in red, shows the throughput of node number 6, which is the honeypot for HTTP services. Graph curve HoneyTH2.tr, in green, shows the throughput of node 7, the honeypot for CBR services. Graph curve HoneyTH3.tr, in blue, shows the throughput of node number 8, which is the honeypot for FTP services.

Figure 7. Bandwidth of all three services at the destination server.

In Figure 7, the net bandwidth of all three services at the destination servers is shown. Graph curve HP1.tr, in red, shows the bandwidth of node number 10, the server for HTTP services. Graph curve HP2.tr, in green, shows the bandwidth of node number 11, the server for CBR services. Graph curve HP3.tr, in blue, shows the bandwidth of node number 12, the server for FTP services.

Figure 8. Net throughput of all three services at the destination server.

In Figure 8, the net throughput of all three services at the destination servers is shown. Graph curve TH1.tr, in red, shows the throughput of node number 10, which is the server for HTTP services. Graph curve TH2.tr, in green, shows the throughput of node number 11, the server for CBR services. Graph curve TH3.tr, in blue, shows the throughput of node number 12, the server for FTP services.

In Figure 9, the net packet loss of all three services at the destination servers is shown. Graph curve Loss1.tr, in red, shows the packet loss of node number 10, which is the server for HTTP services.
Figure 9. Packet loss rate of all three services at the destination servers.

Graph curve Loss2.tr, in green, shows the packet loss of node number 11, the server for CBR services. Graph curve Loss3.tr, in blue, shows the packet loss of node number 12, the server for FTP services.

Figure 10. Packet delay rate of all three services at the destination servers.

In Figure 10, the packet delay rate of all three services at the destination servers is shown. Graph curve delay1.tr, in red, shows the packet delay rate of node number 10, which is the server for HTTP services. Graph curve delay2.tr, in green, shows the packet delay rate of node number 11, the server for CBR services. Graph curve delay3.tr, in blue, shows the packet delay rate of node number 12, the server for FTP services.

5. Conclusion

In order to evaluate the results of the emulation, the authors use ns2 simulations. They are performed to calculate the detection rate of attacks and to compare the various services provided by the destination servers, in the form of graphs over different time windows. The simulation time is taken as 18 seconds here. There is a heterogeneous network of the honeynet cloud as well as of the destination servers. Three types of services are provided by the honeynet cloud; in the simulation, only one node is taken for each of the services. The detection rate of the simulation can be calculated using the trace file tracefile.tr, which is the output file recording the data of the simulation. Here the detection rate is for the illegitimate packets sent by the attacker to create the DDoS and to curtail the quality of service. It shows that the ingress filtering module provides a detection rate of around 76%, and when the proposed method is implemented without the heterogeneous network of the honeynet cloud, it happens to be 63%. The detection rate is improved due to the introduction of a new component in the proposed architecture, that is, the ISP.
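The detection rate in the conclusion and the per-node throughput, packet loss and delay curves of Figures 6 to 10 are all derived from the ns2 trace file (tracefile.tr). The following Python is an added example, not the authors' analysis scripts, showing how such figures can be computed from trace lines in the ns2 wired trace format. The sample lines are constructed, the node roles follow the paper's topology (attackers 3-5, honeypots 6-8, destination servers 10-12), and the detection-rate definition (attacker packets delivered to a honeypot divided by attacker packets delivered anywhere) is an assumption, since the paper does not state its formula.

```python
"""Per-node metrics and detection rate from an ns2 trace file.

Added example, not the authors' analysis scripts. The lines in SAMPLE_TRACE
are constructed in the ns2 wired trace format (event, time, from, to, type,
size, flags, fid, src, dst, seq, pkt id). Node roles follow the paper's
topology (attackers 3-5, honeypots 6-8, destination servers 10-12). The
detection-rate formula is an assumption: attacker packets delivered to a
honeypot divided by attacker packets delivered anywhere.
"""
from collections import defaultdict

ATTACKERS = {3, 4, 5}
HONEYPOTS = {6, 7, 8}
SERVERS = {10, 11, 12}

# Constructed trace: '+' enqueue, 'r' receive, 'd' drop, as ns2 writes them.
SAMPLE_TRACE = """\
+ 0.100 0 5 tcp 1000 ------- 1 0.0 10.0 0 1
r 0.120 5 10 tcp 1000 ------- 1 0.0 10.0 0 1
r 0.170 4 6 tcp 1000 ------- 2 3.0 10.0 0 2
+ 0.180 0 5 tcp 1000 ------- 1 0.0 10.0 1 3
r 0.200 5 10 tcp 1000 ------- 1 0.0 10.0 1 3
r 0.250 5 10 tcp 1000 ------- 2 3.0 10.0 1 4
d 0.300 4 5 tcp 1000 ------- 2 3.0 10.0 2 5
r 1.100 5 11 cbr 500 ------- 3 1.0 11.0 0 6
r 1.150 4 7 cbr 500 ------- 4 4.0 11.0 0 7
d 1.200 5 11 cbr 500 ------- 3 1.0 11.0 1 8
r 2.050 4 8 tcp 1000 ------- 5 5.0 12.0 0 9
r 2.100 5 12 tcp 1000 ------- 6 2.0 12.0 0 10
"""


def parse_trace(text: str) -> list:
    """Parse ns2 wired-format trace lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0] not in {"+", "-", "r", "d"}:
            continue
        events.append({
            "ev": f[0], "t": float(f[1]), "frm": int(f[2]), "to": int(f[3]),
            "type": f[4], "size": int(f[5]), "fid": int(f[7]),
            "src": int(float(f[8])), "dst": int(float(f[9])), "pid": int(f[11]),
        })
    return events


def received_at(events, node):
    """All receive events at `node`."""
    return [e for e in events if e["ev"] == "r" and e["to"] == node]


def throughput_by_window(events, node, window=1.0):
    """Bytes received at `node` per time window, keyed by window start (seconds)."""
    out = defaultdict(int)
    for e in received_at(events, node):
        out[int(e["t"] // window) * window] += e["size"]
    return dict(out)


def loss_rate(events, node):
    """Fraction of packets headed to `node` that were dropped on its incoming link."""
    recv = len(received_at(events, node))
    drops = sum(1 for e in events if e["ev"] == "d" and e["to"] == node)
    total = recv + drops
    return drops / total if total else 0.0


def mean_delay(events, node):
    """Mean time from a packet's first enqueue event to its receipt at `node`."""
    sent = {}
    for e in events:
        if e["ev"] == "+" and e["pid"] not in sent:
            sent[e["pid"]] = e["t"]
    delays = [e["t"] - sent[e["pid"]] for e in received_at(events, node) if e["pid"] in sent]
    return sum(delays) / len(delays) if delays else 0.0


def detection_rate(events):
    """Share of delivered attacker packets that ended up in a honeypot (assumed definition)."""
    delivered = [e for e in events
                 if e["ev"] == "r" and e["src"] in ATTACKERS and e["to"] in HONEYPOTS | SERVERS]
    caught = sum(1 for e in delivered if e["to"] in HONEYPOTS)
    return caught / len(delivered) if delivered else 0.0


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    for node in sorted(SERVERS):
        print(f"node {node}: throughput {throughput_by_window(ev, node)} bytes/window, "
              f"loss {loss_rate(ev, node):.2f}, mean delay {mean_delay(ev, node):.3f} s")
    print(f"detection rate: {detection_rate(ev):.2f}")
```

On the constructed trace one attacker packet reaches the HTTP server while three are diverted, so the detection rate comes out at 0.75; the CBR server sees one delivered and one dropped packet, hence a loss rate of 0.5. A real tracefile.tr from an 18-second run is processed the same way, with the window size chosen to match the time windows used in the graphs.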