1. “THRESHOLD BASED KERNEL LEVEL HTTP FILTER (TBHF)” for DDoS Mitigation
by
MOHAMED IBRAHIM AK 82008132041
LIJO GEORGE 82008132515
Dept. of CSE, TEC, Trichy
INTERNAL GUIDE: Mr. A. NARENTHIRA KUMAR, Asst. Professor, Dept. of CSE, TEC, Trichy
EXTERNAL GUIDE: Dr. S. SELVAKUMAR, Professor, Dept. of CSE, NIT, Trichy
2. OUTLINE
Abstract
Insight into DDoS attack
Existing and Proposed system
Algorithm
Modules
TBHF Driver
Technology
Conclusion
References
Slide 2 Dept. of CSE, TEC. 3 April 2012
3. Abstract
Application layer attack
Client Side Scripting
High rate flooding attack
No manifestation
Data on the flow analysis
Threshold based Decision Support System
Vulnerability Status: Effective – Real time
5. DDoS attack - Actors
Individuals
Julian Assange - Wikileaks
Blackhat underground community
‘Anonymous’, ‘Lords of Dharmaraja’
Government sponsored
China - GhostNet
Israel - Stuxnet
6. DDoS attack - Scenario
Coordinated attack on a given target system through many compromised systems.
[Figure: Attacker -> Medium (M1, M2, M3, …, Mn) -> Compromised Systems (C, C, C, …, C) -> Target]
7. DDoS attack - Analysis
8. DDoS attack - Timeline
July 2011
LiveJournal hit by massive cyber attack
March 2011 (Korean websites)
40 websites under DDoS attack
February 2011 (Total Choice Hosting Network)
700,000 packets per second
600 Mbps
January 2011
FBI executed 40 search warrants for DDoS attacks
Low Orbit Ion Cannon tool
10. Existing System
Predominantly on the server side
Page access behaviour
Captcha
Blacklist
Signature-based detection
11. Proposed System
Client side
Threshold based
Real time
Monitoring
Detection
Prevention
Detects zero-day vulnerability
13. Algorithm
1. Capture traffic:
   a. Filter outbound TCP packets
   b. Filter HTTP packets
   c. if (packet type == “GET”)
          Action = inspect;
   d. else
          Action = allow;
2. Extract parameters:
   a. remote IP
   b. Time
14. Algorithm Contd…
// r.addr1, r.addr2, …, r.addri -> remote IP of each GET packet
// T1, T2, …, Ti -> arrival time of each packet
// ∆t -> time window: maximum gap between two GETs to the same remote IP
3. Inspect:
   a. if (r.addri not in array)
          addr[i] = r.addri;
          t[i] = Ti;
   b. else if (r.addri in array && (T(i+1) – Ti) <= ∆t)
          r.count[i]++;
   c. else
          reset r.count[i];   // window expired
15. Algorithm Contd…
// N -> Threshold value (maximum GETs to one remote IP within ∆t)
4. Decision Making:
   a. if (r.count[i] >= N)
          Action = drop packet;    // threshold reached: this host is flooding the remote IP
   b. else
          Action = allow packet;
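A user-mode C model of steps 2 to 4 above, added here as an illustration; it is not code from the TBHF driver described in the slides, which runs as a WFP kernel callout. The window ∆t, the threshold N, the table size and the fail-open behaviour when the table is full are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* User-mode model of TBHF steps 2-4; the real filter is a WFP kernel callout.
 * The window, threshold and table size are assumed values, not from the slides. */
#define DELTA_T_MS  1000u  /* ∆t: max gap (ms) between two GETs to the same remote IP */
#define THRESHOLD_N 5u     /* N: GET count within ∆t at which packets start being dropped */
#define MAX_REMOTES 64     /* entries in the per-remote-IP table (slides: UINT32 array) */

enum action { ACTION_ALLOW = 0, ACTION_DROP = 1 };
struct remote {
    uint32_t addr;   /* addr[i]: remote IP of the GET request */
    uint64_t t;      /* t[i]: arrival time (ms) of the last GET to this IP */
    uint32_t count;  /* r.count[i]: GETs seen within the current ∆t window */
};
static struct remote table[MAX_REMOTES];
static int n_remotes;
/* Forget all tracked remote IPs (used between demo runs). */
void tbhf_reset(void) { n_remotes = 0; memset(table, 0, sizeof table); }

/* Step 3 (inspect) and step 4 (decide) for one outbound HTTP GET. */
enum action tbhf_inspect(uint32_t remote_ip, uint64_t arrival_ms)
{
    struct remote *r = NULL;
    for (int i = 0; i < n_remotes; i++)
        if (table[i].addr == remote_ip) { r = &table[i]; break; }
    if (r == NULL) {                       /* 3a: first GET to this remote IP */
        if (n_remotes == MAX_REMOTES)      /* table full: fail open (assumption) */
            return ACTION_ALLOW;
        r = &table[n_remotes++];
        r->addr = remote_ip; r->t = arrival_ms; r->count = 0;
        return ACTION_ALLOW;
    }
    if (arrival_ms - r->t <= DELTA_T_MS)   /* 3b: within ∆t of the previous GET */
        r->count++;
    else                                   /* 3c: window expired, reset the count */
        r->count = 0;
    r->t = arrival_ms;
    /* 4: N or more GETs to one remote IP inside ∆t means this host is flooding it */
    return r->count >= THRESHOLD_N ? ACTION_DROP : ACTION_ALLOW;
}

int main(void)
{   /* constructed demo: six GETs to 10.0.0.1 spaced 100 ms apart; the sixth is dropped */
    for (uint64_t t = 0; t <= 500; t += 100)
        printf("t=%4llu ms -> %s\n", (unsigned long long)t,
               tbhf_inspect(0x0A000001u, t) == ACTION_DROP ? "DROP" : "ALLOW");
    return 0;
}
```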
16. Software Requirements
Attacker end
PHP (Front end)
MySQL (Back end)
WampServer 2.2a
Analysis
Wireshark
Prevention
Windows Filtering Platform (WFP)
18. Modules
Capture Traffic
• Filter
• Outbound
• TCP Packet
• HTTP Packet
• HTTP ‘GET’ Packet
Extract Parameters
• IP
• Time of packet Arrival
Inspect
• TBHF policy
Decision Making
• Dropped or Allowed
19. Modules – Capture Traffic
Filter
Outbound packets
TCP packets
HTTP packets
HTTP GET packets
20. Modules – Extract Parameters
Scan
HTTP GET packets
Extract
Remote IP
Arrival time
Store
UINT32 array
21. Modules – Inspect, Decision Making
Inspect
Time stamp
Remote IP
IP count
Decision Making
Threshold
23. Positioning of TBHF in kernel space
25. Life Cycle
[Figure: Capturing Packet -> Filtering Outbound Packet -> Filtering TCP Packets -> Filtering HTTP ‘GET’ Packet -> Extract ‘IP’ Info -> Extract Time of Packet -> TBHF Driver: Inspection -> Inference]
28. Technology
Windows Filtering Platform (WFP)
Supported since Windows Vista (codename Longhorn)
Manipulates packets at multiple OSI layers
29. Conclusion
Deployed at kernel level
Priority to override packet handling
Real-time prevention
The host's participation in DDoS is prevented
Future Enhancement
Mobile platforms
30. References
Ying Xuan, Incheol Shin, My T. Thai, and Taieb Znati, “Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach”, IEEE Transactions on Parallel and Distributed Systems, Vol. 21, No. 8, pp. 1203-1216, August 2010.
Takeshi Yatagai, Takamasa Isohara, and Iwao Sasase, “Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behaviour”, IEEE Conference on Communications, Computers and Signal Processing, August 2007.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366510%28v=vs.85%29.aspx