A self-aware approach to denial of service defence

Page 1

This article was originally published in a journal published by
Elsevier, and the attached copy is provided by Elsevier for the
author’s benefit and for the benefit of the author’s institution, for
non-commercial research and educational use including without
limitation use in instruction at your institution, sending it to specific
colleagues that you know, and providing a copy to your institution’s
administrator.
All other uses, reproduction and distribution, including without
limitation commercial reprints, selling or licensing copies or access,
or posting on open internet sites, your personal or institution’s
website or repository, are prohibited. For exceptions, permission
may be sought for such use through Elsevier’s permissions site at:
http://www.elsevier.com/locate/permissionusematerial

Page 2

Author's personal copy
*Corresponding author. Tel.: +44 2075946342; fax: +44
2075946274.
E-mail addresses: e.gelenbe@imperial.ac.uk (E. Gelenbe),
georgios.loukas@imperial.ac.uk (G. Loukas).
A self-aware approach to denial of service defenceq
Erol Gelenbe*, George Loukas
Intelligent Systems and Networks Group, Department of Electrical and Electronic Engineering,
Imperial College, London SW7 2BT, United Kingdom
Available online 18 October 2006
Abstract
Denial of service (DoS) attacks are a serious security threat for Internet based organisations, and effective methods are
needed to detect an attack and defend the nodes being attacked in real time. We propose an autonomic approach to DoS
defence based on detecting DoS flows, and adaptively dropping attacking packets upstream from the node being attacked
using trace-back of the attacking flows. Our approach is based on the Cognitive Packet Network infrastructure which uses
smart packets to select paths based on Quality of Service. This approach allows paths being used by a flow (including an
attacking flow) to be identified, and also helps legitimate flows to find robust paths during an attack. We evaluate the pro-
posed approach using a mathematical model, as well as using experiments in a laboratory test-bed. We then suggest a more
sophisticated defence framework based on authenticity tests as part of the detection mechanism, and on assigning priorities
to incoming traffic and rate-limiting it on the basis of the outcome of these tests.
? 2006 Elsevier B.V. All rights reserved.
Keywords: Denial of service; Self-aware; Cognitive packet network; Internet
1. Introduction
DoS attacks are known to the network research
community since the early 1980s; indeed, in his
1985 paper on TCP/IP weaknesses, Morris writes
[1] ‘‘The weakness in this scheme (the IP protocol)
is that the source host itself fills in the IP source host
id, and there is no provision to discover the true ori-
gin of the packet’’. A typical generic DoS attack is
practically always distributed (DDoS): the attacker
takes control of a large number of lightly protected
computers (e.g., without firewall and up-to-date
antivirus software) and orders them to send simulta-
neously a large number of packets to a specific tar-
get. The attacker exploits the weakness of IP by
faking their source IP address (‘‘IP spoofing’’). As
a result, some routers and links in the vicinity of
the target are overwhelmed, and a number of legit-
imate clients cannot connect to it anymore. Typical
targets are the servers of e-commerce web-sites,
which can suffer significant financial loss. Other tar-
gets may be news web-sites, corporate networks,
banks, etc. To cite just two examples, (1) the Arabic
and English language web sites of the satellite televi-
sion network Al-Jazeera suffered two days of Inter-
net disruptions caused by American hackers as
1389-1286/$ - see front matter ? 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2006.09.009
qThis work is supported by the UK Engineering and Physical
Sciences Research Council under Grant EPSRC GR/S52360/01
for the project on ‘‘Self-Aware Networks and Quality of Service’’
at Imperial College London.
Computer Networks 51 (2007) 1299–1314
www.elsevier.com/locate/comnet

Page 3

Author's personal copy
usually for revenge, or as a token of power and to
demonstrate their programming skills. Now they
are considered to be an important weapon in the
hands of cyber-criminals and for cyber-warfare.
DoS attacks have reportedly been used against Busi-
nesscompetitors,forextortionpurposes,forpolitical
revenge for showing pictures of dead and captive
American soldiers in Iraq (Source: BBC, ‘‘Hackers
cripple Al-Jazeera sites’’, http://news.bbc.co.uk/2/
hi/technology/2893993.stm), and (2) a corporate
executive in Massachussets was charged with using
DoS attacks to cause a total of $2 billion in losses
to three of his main competitors (Source: Security-
Focus – ‘‘FBI busts alleged DDoS Mafia’’, http://
www.securityfocus.com/news/9411).
After a landmark attack occurred against several
major online organisations in one week of February
2000 [7], DoS became an important topic of
research. One of the first defensive measures pro-
posed was Ingress Filtering, which is an approach
to thwart IP address spoofing by configuring routers
to drop arriving packets that arrive with IP
addresses which are deemed to be outside a predeter-
mined ‘‘acceptable’’ range [2]. Of course, it requires
that the receiving router has sufficient power and
sufficient knowledge to examine the source address
of each packet and distinguish between valid and
invalid ones. Although not enough on its own, vari-
ations of Ingress Filtering can be used as a good
lightweight first step to identify part of the attacking
traffic. Later, it was suggested that the real IP
address could in fact be inferred with a technique
called ‘‘IP traceback’’ [6,9,18]. The traceback mech-
anism uses probabilistic packet marking to allow the
victim to identify the network path traversed by
attack traffic without requiring interactive opera-
tional support from Internet Service Providers
(ISPs). However, injecting false traceback messages
into the packet stream can help attackers hide their
origin, even a rough estimate of the sources of attack
packets can help the DDoS defence. IP traceback
can also be applied after the attack is over to protect
against future attacks; such ‘‘post-mortem’’ tech-
niques [8] can be used to analyse the characteristics
of attacking traffic (such as rates and more detailed
statistical characteristics) and the slave nodes or
entry points that it uses.
Althoughmanyintelligentdefence techniquesand
architectures have been proposed, the evolution of
the DoS phenomenon implies that new means of
attack will arise. Until a few years ago, DoS attacks
were used by hackers to knock web pages off-line,
reasons,andevenasaformof‘‘legitimate’’protest.It
is this variety of targets and types of attack that dic-
tate the need for flexible defence systems which can
react according to both the attacker’s aims and the
defender’s needs. Thus in this paper we propose
and evaluate an autonomic approach, based on net-
work self-observation and adaptive reaction, to
defendnetworknodesagainstDoSattacks.Thetech-
niques that we propose, implement and evaluate,
exploit the Cognitive Packet Network architecture
introduced in [3] and discussed in [19,21].
1.1. A generic framework for denial of service
protection
A complete protection architecture should include
the following elements:
• Detection of the existence of an attack. The
detection can be either anomaly-based or signa-
ture-based, or a hybrid of those two. In anom-
aly-based detection, the system recognises a
deviation from the standard behaviour of its cli-
ents, while in the latter it tries to identify the
characteristics of known attack types.
• Classification of the incoming packets into valid
(normal packets) and invalid (DoS packets). As
in detection, one can choose between anomaly-
based and signature-based classification tech-
niques.
• Response. In the most general sense, the protec-
tion system either drops the attacking packets
or it redirects them into a trap for further evalu-
ation and analysis.
Therefore we start with the postulate that we will
consider a generic DDoS defence scheme that is
based on the following principles:
• The node which is targeted by a DDoS attack
(the victim node) has the ability to detect or to
be informed about the attack, based either on a
local or distributed detection scheme. All nodes
upstream, from the victim up to the source(s) of
the attack, will also be informed of the ongoing
threat.
• The victim node and the informed nodes will
react by dropping packets which are thought to
be part of the attack.
• The attack itself can produce buffer overflows
and saturation of network resources such as
CPU capacity, due to the inability of the nodes
1300
E. Gelenbe, G. Loukas / Computer Networks 51 (2007) 1299–1314

Page 4

Author's personal copy
recognised as being ‘‘loyal clients’’.
• Did the source of the packet first appear before or
after the detection of the attack?
Since DoS attacks are almost exclusively distrib-
uted, the distributed aspect can make it easier to
detect their existence. Since attack flows do not
or routers to handle the resulting heavy packet
traffic.
• The detection scheme is always imperfect, so that
both false alarms and detection failures are possi-
ble. Imperfections are possible both with regard
to the detection of the attack as a whole, and
the identificationof the packets that belong to this
attack. Thus, for any packet that flows in the net-
work we need to consider a probability of correct
identification as being an attacking packet, and a
probability of false alarm, which means that some
attacking packets will be missed and some non-
attacking packets may be incorrectly dropped.
The classification of packets or flows as being a
DoS attack or being valid is probably the weak point
of DoS defence techniques. Many classification
methods that have been suggested tend to use a set
of specialised rules for specific types of traffic. The
classification can then be carried out either by pas-
sive observation or by actively asking the network’s
apparent clients to demonstrate their validity.
1.1.1. Passive tests
Some passive tests which can be used for all types
of traffic include the following:
• Is the source of the packet a known ‘‘loyal client’’?
In our approach, we take for granted that DoS
attackers will spoof their addresses. However,
that does not mean that the source IP address
of a packet is not useful information. For exam-
ple, if User-X, who has a static IP address, visits
his favorite news web-site every day at 9 am,
stays for a while and consumes a reasonable
amount of bandwidth, there is no reason for this
web-site’s detection mechanism to suspect that
his packets are potentially harmful, except if his
behaviour is somehow dramatically different
from the usual one. Thus, in times of congestion,
even if there is no official service differentiation,
User-X should not be blocked in favor of a
User-Y, who has not been recognised as a regular
client and consumes a lot of bandwidth. To our
knowledge current DoS detection mechanisms
do not treat preferentially users who may be
all traverse the Internet through the same paths,
they reach the victim destination at different
times, resulting in a gradual increase of the
incoming traffic. This ramp-up behaviour [17]
can be a good indication that a DDoS attack is
being initiated. A longer ramp-up time will also
be associated with a greater number of spoofed
source IP addresses. Consequently, it also means
that the IP addresses which arrive after the
DDoS starts and before it ends are more likely
to be illegitimate. Again, early detection is obvi-
ously a great advantage to identifying the
spoofed set of IP addresses.
• Is the client honouring his/her QoS agreements?
We are particularly interested in QoS-driven net-
work environments in which clients may specify
that they are a specific type of customer, or
request a certain level of QoS. In case the QoS
request is accepted, then the degree with which
the agreement will be honoured by the client is
a strong indication of his/her validity. DoS
attackers and misbehaving clients would both fail
this test.
• Does the time-to-live (TTL) field in an IP packet
agree with the value that can be inferred from the
packet’s apparent source address?
This test refers to the ingenious idea described in
[12] which exploits the fact that although the
attacker can forge any field in the IP header,
he/she cannot falsify the number of hops a
packet needs to reach its destination starting
from its source address. Their very simple algo-
rithm infers the number of hops traversed until
then (from the TTL field) and compares them
to the value that can be inferred for this source,
which is stored in a relevant table. If those two
values are significantly different, that is a clear
indication of IP spoofing, and is a good reason
to treat this source’s packets as being illegitimate.
In the CPN protocol, the header field r_len (route
length) in a packet can be used instead of TTL.
These different passive tests have the advantage
of being relatively light-weight, but are by them-
selves not sufficient to achieve accurate classifica-
tion. More accuracy inevitably requires more
specialisation.
In [25] a set of anomaly-based classification crite-
ria for flows and connections is proposed. For
instance, a TCP flow may be classified as an attack
flow if its packet ratio (TCPrto) is above a set thresh-
old.Similarly,fortheICMPprotocoltheyproposeto
E. Gelenbe, G. Loukas / Computer Networks 51 (2007) 1299–1314
1301

Page 5

Author's personal copy
attacks against web-servers [14].
use ICMPrtoas a detector. For the UDP protocol, a
‘‘normal flow model’’ is proposed to be a set of
thresholdsbased onthe upper bound of allowed con-
nections per destination, the lower bound of allowed
packets per connection, and the maximum allowed
sending rate per connection. The classification of
connections is also done based on limits of the con-
nections’ allowed packet ratios and sending rates.
One more option for validity tests is to use crite-
ria based on the type of service. This approach is
close to the QoS-driven approach of our ongoing
work on CPN. For example, a network which offers
Voice-over-IP (VoIP) services should include VoIP-
specific classification criteria.
The limits and thresholds used by all these types
of tests can be set by using the network administra-
tor’s experience, or with an automatic learning pro-
cess in all or some of the nodes using data collected
from on-going observation.
1.1.2. Active tests
The ramp-up behaviour of traffic also occurs dur-
ing ‘‘flash crowds’’ when there is a sharp increase in
the number of legitimate visitors to a web-site based
on some significant event, and DoS attackers have
recently started exploiting this fact by abandoning
full strength bandwidth floods in favor of attacks
which escape detection by imitating the signature
characteristics of flash crowds. In response to this,
detection mechanisms should try to distinguish
between flash crowds and attacks after a ramp-up
has been detected. Fortunately, flash crowd flows
are generated by human users, while DDoS flows
are generated by compromised computers, and one
can potentially use Reverse Turing tests to tell the
difference. Over the last three years, Graphical Tur-
ing tests or visual CAPTCHAs, or simply CAPT-
CHAs (Completely Automated Public Turing Test
to Tell Computers and Humans Apart), have been
commonly used to block automated requests to
web-sites, such as the automated email account reg-
istration which has plagued Hotmail and Yahoo in
the past. A human can easily tell the sequence of let-
ters that appear in a CAPTCHA’s image, while
computers usually cannot (Fig. 1), so that CAPT-
CHAs have been suggested to counter DDoS
However, issuing a graphical Turing test and
expecting an answer requires that a connection be
established between the attacker and the web-server,
thus rendering the authentication mechanism a
potential DoS target. The authors of [24] address
this issue and suggest minor modifications to the
TCP protocol to overcome it. They also argue that
it is not the actual answer to the test but the behav-
iour of the client that matters. A human would solve
the puzzle either immediately or after reloading the
page a few times. A computer would probably con-
tinue requesting the web page. We agree with these
ideas but believe that despite its value, a DoS detec-
tion mechanism cannot depend solely on CAPT-
CHAs. In all arms races it is only a matter of time
for a countermeasure to arrive on the scene. Dedi-
cated applicationsbuilt
researchers achieve up to 92% success in solving
commonlyusedtypes
Advances in Artificial Intelligence along with simple
craftiness limit the value of CAPTCHAs, while
visual CAPTCHAs are also a major impediment
to computer users whose vision is impaired. Thus,
although we are not sure that CAPTCHAs can be
the sole method of classification, it is reasonable
to suggest that DoS attacks can be more readily
detected if we can distinguish between humans
and computer generated traffic, along with other
techniques that recognise legitimate and DoS flows.
Other methods have also been proposed for actively
challenging the clients’ legitimacy [15]. Some may
achieve impressive levels of detection accuracy, but
all suffer from the common weakness of being
exploitable as DoS vessels themselves, in the same
way as simple ACKs are used as DoS vessels in
the reflector DoS attack [5]. It is also obvious that
the benefit of a greater number of validity tests lies
in the accuracy of the classification, while the result-
ing cost may include greater delay in the decision
and more processing overhead.
by ComputerVision
of CAPTCHAs[16].
2. A mathematical evaluation of denial of service
protection
Before we address the issue of how we propose to
implement a DDoS detection and protection mech-
anism, let us discuss an approach that we have
developed [20] to analyse the impact of DDoS pro-
tection on overall network performance based on
the probabilities of detection and of false alarm.
We assume an abstract network model in which
DoS packets are identified with a certain probability
Fig. 1. This captcha of ‘‘smwm’’ obscures its message from
computer interpretation by twisting the letters [taken from http://
en.wikipedia.org/wiki/Captcha].
1302
E. Gelenbe, G. Loukas / Computer Networks 51 (2007) 1299–1314