International Journal JOURNAL of Advanced OF Research in Engineering and Technology (IJARET), INTERNATIONAL ADVANCED RESEARCH IN ENGINEERING ISSN 0976

6480(Print), ISSNAND 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME TECHNOLOGY (IJARET)

ISSN 0976 - 6480 (Print) ISSN 0976 - 6499 (Online) Volume 5, Issue 1, January (2014), pp. 145-153 IAEME: www.iaeme.com/ijaret.asp Journal Impact Factor (2013): 5.8376 (Calculated by GISI) www.jifactor.com

IJARET
IAEME

ANALYZING THE PERFORMANCE OF BANDWIDTH STARVATION ATTACK IN LAN

Sharada Valiveti1,
1 2

Hetuk Upadhyay2

and Dr. K Kotecha3

(Computer Science and Technology, Nirma University, Ahmedabad, India) (Computer Science and Technology, Nirma University, Ahmedabad, India) 3 (Computer Science and Technology, Nirma University, Ahmedabad, India)

ABSTRACT Cyber Security is a blooming area of research in the current Trends. Communication Technology has penetrated everyone's life. Where on one hand, people are developing latest technologies and tools to enhance the living standard of an individual, Attackers are continuously trying to break the code of conduct of Networks. Bandwidth Starvation Attack is one such Distributed Denial of Service (DDoS) attack. Due to this attack, performance of the network suffers. In this paper, a Bandwidth Starvation Attack is performed in a wired Network that comprises of computers connected to each other through the Switch. The proposed approach deals with an idea of Intrusion Detection System (IDS) present inside router. Since all packets are forwarded through the router only, an IDS implemented in the router may protect the system in a better way. Since the network here is a Wired Network, we can have IDS on a standalone system that can handle these types of attacks. A signature based host IDS is proposed herewith so that all the signatures of the attack are inside the IDS from the beginning and thus we can identify the packets as quickly as possible. Keywords: Attack in LAN, Bandwidth Starvation attack, Distributed Denial of Service (DDoS) attack, Intrusion Detection System (IDS) I. INTRODUCTION Bandwidth Starvation attack, implemented using the DDoS (Distributed Denial of Service) attack is quite effective and has a devastating effect on network. In this attack, attacker floods tons of packets into the network towardsthe target server. In order to do so, the attacker takes over many PCs thatare connected to the internet and converts them into zombies. Zombies arethe unused Computers which are controlled by the attacker; these zombiescan perform any malicious activity and in effect,
145

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

the Network underperforms.At times, zombies are also involved in sending Spam Mails and spyware distribution. Due to these, there is a personal loss to an ignorant individual ortechnical malfunctioning of the Computer or information loss. The attacker communicates with the army of zombies which are calledbotnets and make those zombie PCs send packets into network towards thetarget server. To protect against this attack, there are many algorithms thatwork distributed and then decide about presence of any intrusion. Here wepropose a technique that is implemented on a router. If all routers would beable to implement such an IDS independently as part of Operating Systemof the Router, it would be convenient to avoid such attacks that penetratefrom one network to another network through routers. There are several ways of looking at the Bandwidth Starvation Attack.This attack can be used by malware to bring down the performance of network. At times hotspots keep flooding the network to show their presence,even the attackers can implement the flooding by simple commands and because of which, effectively the network suffers. As a stepping stone to thedevelopment of a Router based Intrusion Detection System, a BandwidthStarvation Attack is implemented in the network and the plotted results areanalyzed. In subsequent work, the IDS will be deployed for detecting thepresence of Bandwidth Starvation Attack. Also, the methodology that weuse to propose to detect such an attack is mentioned. Firstly, the Bandwidth Starvation Attack is created to analyze the impactof the attack on the network. For the same, Smurf 4.0C program is used whichuses the ICMP Echo Request Messages to the target server. Here, the serverwhich does the necessary intrusion related handling is located at the Router.So the target is the Router in this case. After creating an attack to router, next task is to identify the attackpackets which are the ICMP echo request packets as we know. The proposedapproach identifies packets entering the router. Such malicious packets areto be identified which may be involved in such an attack. To identify suchpackets, since implementation is made using ICMP Messages, a Signaturebased Intrusion Detection System can be used. This also concludes that thesignature of the packet is already inside IDS to protect against this kind ofattack. After identifying the attack on router, IDS can take appropriate stepsto prevent the attack from happening. 1.1 Project Scope There are several assumptions considered towards implementing the said Denial of Service (DoS) attack. Following are the assumptions made: Wired network is used in implementing this attack A software router is used to handle the routing process in the realnetwork comprising of several computers Implementation done for the router to handle Packet contents and understand their role in network management II. LITERATURE SURVEY Denial of service attack is the attack which targets various types of applications, network resources or just one machine through various commands and can easily flood packets. The kind of Denial of Service attack that is focused upon in this paper is the Bandwidth Starvation Attack. This attack is the one in which the network is flooded to jam the bandwidth which prevents other genuine nodes also to communicate. There are two types of flooding attacks: SYN flood Data flood In the subsequent subsections, study of SYN Flood and Data Flood Attacksare discussed in detail.
146

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

2.1 SYN flood attack SYN Flood is a TCP flooding attack technique through which attacker first sends TCP packets with SYN request. Here SYN request means that theclient wants to communicate with the server and requesting connection withserver. In reply, server allocates one free connection to the client and waits forthe acknowledgement (ACK). But attacker does not give any type of ACKand sends another SYN request with another IP and continues till servercannot issue any more connections. To protect the server from this kind ofattacks, following techniques are implemented. Reduce the timeout period from the default to a short time Significantly increase the length of the backlog queue from the default Disable non-essential services, thus reducing the number of ports thatcan be attacked All these solutions can be bypassed and the attack can still take place. There are some effective methods so that this kind of attack can be stopped. 2.1.1 SYN KILL [1] A tool named SYN KILL lessens the impact of SYN flooding attacks, and in many cases defeat attacks completely. The program requires the ability to monitor and inject network traffic to and from the machines it is protecting. Ethernet for example satisfies this requirement. The program is called a monitor, because it reads and examines all TCP packets on the LAN after setting its network interface into promiscuous mode. The program is called active, because it can generate TCP packets in response to observed traffic and inject them into the network. As shown in Figure 1, SYN request goes through SYN KILL and thevictim. Victim then sends the ACK to the source. Now the software sendsACK to the victim on behalf of the source and waits till the timeout takesplace. If the source does not reply during due course of time, the connectionis dropped and software sends reset packet to the victim. If reply comes thencommunication goes continues.

Fig 1: Timeline Diagram of SYN KILL[1]

2.1.2 DelAypRoBing (DARB)[2] Delay is estimated using a method called DelAypRoBing(DARB)i.e Delay Probing. The DARBtraces outgoing paths toward network destinations by sending packets with special time-tolive (TTL) fields in the IP layer and then recording their timeof deaths. The IP TTL field limits the lifetime of packets transmitted acrossthe Internet and is decremented by each forwarding device
147

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

(routers). If the TTL field reaches to zero before the destination host is reached, the router drops the offending packets and transmits an ICMP (Internet Control Message Protocol) Packet. If TTL exceeds in transit, error message is sent tothe original host, informing the original host of the packet's timeout. If thepacket has been created appropriately, the destination host should return a final packet to the original host when the packet reaches its destination.The time stamps of both the sent out packets and ICMP replied packets arerecorded to calculate the delay between the original host and each router.The adopted DARB is similar to trace route, which works by sending packetswith progressively longer TTL value. 2.2 Data flooding attack The data is flooded to the victim using zombies. Zombies give rise to theDistributed Denial of Service Attacks. Zombies are the computer systemswhich are not in use; which can be made to use by any of the system ornetwork administrators. Possible solutions of the attack are as listed below: 2.2.1 Adaptive Bandwidth Allocation [3] A queuing algorithm is proposed to achieve better performance. By separating normal users from malicious users using Average Packet Rate (APR),the Bandwidth is balanced as per the Bandwidth Flows and thereby, QualityBy User (QBU) is achieved to safeguard the normal users. Usually, packet flows of normal users are in small amount and in short time span, whereaspacket flows of malicious users are in large amount and in long time span,which might flood the network and stop network providers from providingservices to users. 2.2.2 Ingress/Egress filtering [4] Ingress Filtering is a restrictive mechanism to drop traffic with IP addressesthat do not match a domain prefix connected to the ingress router. Egress filtering is an outbound filter, which ensures that only assigned or allocatedIP address space leaves the network. A key requirement for ingress or egress filtering is knowledge of the expected IP addresses at a particular port. Forsome networks with complicated topologies, it is not easy to obtain thisknowledge. Unfortunately, this technique cannot operate effectively in physical networks where asymmetric Internet routes are not uncommon. 2.2.3 SIFF(Stateless Internet Flow Filter) [5] The SIFF system provides a server with the ability to establish privilegedcommunication with the clients. Privileged packets carry capabilities thatare verified by the routers in the network, and are dropped when the verification fails.SIFF are programmed to give preferential treatment to privilegedpackets, so that privileged packets are never dropped in favor of unprivilegedones. 2.2.4 Router based packet filtering [4] Route based filtering extends ingress filtering and uses the route informationto filter out spoofed IP packets. If an unexpected source address appears inan IP packet on a link, then it is assumed that the source address has beenspoofed, and hence the packet can be filtered. RPF uses information aboutthe BGP routing topology to filter traffic with spoofed source addresses.But due to the recent router changes, BGP message spoofing and proper IP selection can bypass this filtering. 2.2.5 History based IP filtering [4] Normal day IP and attack day IP are different. This is the fundamentalidea for this filtering technique. This filtering technique uses the IP AddressDatabase(IAD) to keep track of the IP Address. In an attack, if listed IPAddress is found in the IAD, then only allowed the packets are allowed to gothrough; otherwise the packets are dropped.
148

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

2.2.6 Capability based method [4] Source first sends request packets to its destination. Router marks (pre-capabilities) are added to request packet while passing through the router. Ifpermission is granted, the destination returns the capabilities, if not; it doesnot supply the capabilities in the returned packet. Such systems require largecomputational capacity and space requirement is also too high. 2.2.7 Secure Overlay Service (SOS) [4] According to this methodology, traffic is first sent to Secure Overlay Access Point (SOAP). Authenticated traffic is routed to node called beacon byconsistent hash mapping. From there, another node called secret servlet isused for further authentication. Secret servlet forwards verified traffic to thevictim. 2.2.8 Secure Address Validity Enforcement(SAVE) [4] SAVE protocol enables routers to update the information of expected sourceIP addresses on each link and block any IP packet with an unexpected sourceIP address. Protocol updates information rapidly but if not universally deployed, IP spoofing is possible. III. IMPLEMENTATION METHODOLOGY 3.1 Outcome from the Literature Survey From the Literature Survey, it may be concluded that performing a Distributed Denial of Service Attack requires Multiple Computers to play a roleusing zombies. Multiple computers mean different IP Addresses work colluding to perform the same attack at the same time. This leads to congestionin the network. Also, study shows that in implementing the related IntrusionDetection System, the network either needs intrusion database or coordination amongst other routers for gathering more information. Thus there is aneed to have a solution where, primarily one of the nodes (router) can function as an Intrusion Detection System at the boundary of the network anddecide whether to permit or drop packets from entering the network. Thisway, we can try to protect a smaller network also as in Home Network. A Host based Intrusion Detection System(HIDS), implemented in therouter is proposed here, since the scheme is suitable for a Wired Network.This IDS is signature based because the database of the malicious packetsis in router/IDS and so that the router do not have to deal with any otherintrusion database and do not have to coordinate with other routers. 3.2 Implementation Tool Here XORP software router is used as a tool to implement the Host basedIntrusion Detection System. XORP is an open source software router whichallows the users to modify protocols and also provides features to implementnew protocols in it. This tool supports Command Line Interface (CLI) based approach to configure router. XORP supports all commands which are quitesimilar to the physical router, but not all commands are as same as thephysical router. This tool is best supported on Ubuntu 10.04.4 with kernel 2.6.x. 3.3 Implementation methods An IDS is implemented in the software router. Working of a simple workingrouter is discussed in this section. First of all, packet comes to an in-bound interface of a router. First, inbound Access Control List (ACL) checks whetherthe packet is allowed or not. If the packet is not allowed, that packet is discarded and if it is allowed, the packet is sent forward to the routing table. Ifthe routing information is there for the packet, then it is forwarded to chooseoutbound interface otherwise discarded.
149

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

At the outbound interface, outbound ACL also checks whether these packets are allowed or not. If they are allowed, the router sends packets to routing queue otherwise it discard the packets. Thus normal routing works withsome level of security of ACL. Now our proposed idea of IDS is used insidethe router so flowchart of the router changes at some place. The flowchart incorporating the integration of Intrusion Detection Systemin the Router is discussed herewith. Many minor changesare made with regards to the working of a router. An IDS is placed afterACL so that unnecessary verification of packets which are not allowed as inbound traffic is automatically eliminated. After by-passing the ACL, IDSchecks the packet for malicious type from its database of signature that isinside the router. If the packet signature matches the malicious type, thepacket is discarded otherwise the packet is sent to the routing table.A simple signature based IDS may also be configured inside the router.The first packet comes and gets its contents verified inside IDS the signature database. Afterthat, it gives the result of the signature and acts accordingly. If the signaturematches, the packet is malicious and it discards, else it sends the packets forfurther processing. IV. IMPLEMENTATION OF DDoS ATTACK RESULT An attack is performed on the router in controlled environment using thecomputers configured as zombies. The attack was carried out by the computers in the Network Security laboratory. The attack is performed usingsimple ICMP packets and the network is flooded. 4.1 Packet Modification ICMP packets are the packets which do not support the protocol like TCP orUDP because ICMP does not use any port. It is comparatively very easy tochange the header of the ICMP packet because it is easy to change IP headerand ICMP header. The code using which the IP and the ICMP header ischanged is as shown in Figure 2.

Fig 2. Modified IP and ICMP headers It may be noted that the corresponding code and all the parameters ofthe header, can changed. Total length of the IP packet is given as the sumof the IP header and ICMP header and the custom packet size(psize). TheIP Header Length (IHL) is set to 5 because we are not using all the fields ofan IP Header. We use IPv4 for the packet. Time to Live (TTL) is set to 200for long distance. TTL can be set up to 255 but it is set to 200 for the said experiment. Type of Service field (TOS) is set to 0, Fragment Offset to 0 andprotocol to ICMP because ICMP echo request is being used to perform thisattack. Here we use source address as the address of the attacker computerand destination address as the given address in the argument by the zombies.
150

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

Checksum is calculated by the function in chk_sum for both IP and ICMPheader and type as 8 and code as 0. Thus total header size of IP is 20 andICMP is 8 and rest is DataStream of size 0. The capacity of the Ethernet cable is 1500 bytes and total header lengthis 28 so we can append 1472 Bytesof DataStream. 4.2 Implementation For this, smurf 4.0 version is used fromsmurf program. This program is modified as ICMP echo request and sentto the given destination. We see that in the output, the arguments of theprograms are given as following: Destination IP address is given by the attacker/zombie File name from which padding bits are used Number of packets Delay between two consecutive packets (If this argument is 0, normaldelay is introduced i.e. 0.001 due to which the flooding takes place.) Size of the packet being sent by the program Using all these arguments, the said program is executed and the floodingtakes place across the network. Broadcast address like 10.1.255.255 is givenwhich is a broadcast address of the lab in which this attack was performed. 4.3 Implementation Results This attack was performed using multiple systems, attack one system inwhich our router is implemented. Figure 3 shows bandwidth utilization before attack and after attack.

Fig 3. Bandwidth utilization The graphs are plotted with time (Along X Axis) versus number of packets(Along Y Axis) which are being received by the router. Graph shown inFigure 3 shows how the bandwidth is being utilized during the attack. Itmay be noted that initially, the utilization of bandwidth is low; after sometime when the attack has taken place the bandwidth utilization increases. Figure 4 shows the ICMP packets. We can see here that in the beginning the graph is at 0 packets but when the packets start to flood in to systemthe graph goes increasingly high and reaches to the height of the bandwidthutilization graph. Figure 5 shows the TCP layer data flow. It may be
151

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

notedthat as the ICMP graph gets higher the TCP graph goes lower in graph;this implies that the attack was creating effectively. ectively. Router cannot get TCPpackets that which it is receiving earlier.

Fig 4. ICMP packet flooding attack

Fig 5. TCP packet flow

Figure 6 shows the UDP packets data dat flow during the attack. The figurealso gurealso highlights that UDP data goes lower in the graph as the attack proceeds.

152

International Journal of Advanced Research in Engineering and Technology (IJARET), ISSN 0976 6480(Print), ISSN 0976 6499(Online) Volume 5, Issue 1, January (2014), IAEME

Fig 6. UDP packet flow

V. CONCLUSION Intermediate results show that ICMP echo request packets can create a bandwidth starvation attack. This attack has very tremendous effect e ect on the network that no other packets can reach to the destination because of all the ICMP echo request packets are in process. These ICMP Echo Request Packets create the Bandwidth Starvation Attack. The future work aims at identifying IP headers which may carry such malicious attacking packets. The IP header is anyhow referred by the Router in the process of forwarding the packets to suitable destination. So there is no additional overhead in the Router for identifying such ICMP Echo Smurf based attacks and overcome them through suitable IDS strategies. REFERENCES [1] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on tcp," IEEE Computer Society Washington, no. 208, 1997. B. Xiao, W. Chen, Y. He, and E. H.-M. H. M. Sha, "An active detecting method against syn synflooding attack," Academic Press, Inc. Orlando, FL, USA, vol. 68, pp.56,470, Apr. 2008. C.-H. Lin, J.-C. Liu, H.-C. C. Huang, and T.-C. T. C. Yang, "Using adaptive bandwidth allocation approach ach to defend ddosattacks.," in MUE, pp.176-181, pp.176 181, IEEE Computer Society, 2008. B. B. Gupta, R. C. Joshi, and M. Misra, "Distributed denial of service prevention techniques," CoRR, vol. abs/1208.3557, 2012. A. Yaar, A. Perrig, and D. Song, "Si_: A stateless internet flow filter to mitigate ddosooding attacks," in In IEEE Symposium on Security and Privacy, pp. 130-143, 130 143, 2004. Prof. S.B. Javheri and nd Shwetambari Ramesh Patil, Attacks Classification in Network, International Journal of Information Technology and Management Information Systems (IJITMIS), Volume 4, , Issue 3, 2013, pp. 1 - 11, ISSN Print: 0976 6405, ISSN Online: 0976 6413.
153

[2] [3] [4] [5] [6]