Communications Network Research Institute
Detecting Distributed Denial of Service (DDoS) Attacks in Wireless Mesh Network
Yi Ding
Overview
This project develops a new method that combines WLAN Resource Measurement (WRM) techniques with Bayesian Decision Theory (BDT) to detect DDoS attacks in wireless mesh networks (WMNs). Wireless security plays a significant role in the development of the IEEE 802.11 WLAN standard, i.e. IEEE 802.11i and IEEE 802.11w. However, a hacker can easily attack the network through a protocol flaw or through vulnerabilities in a software application. A DDoS attack usually involves a large number of nodes quickly targeting a single node, and the result can be hugely destructive. This requires an efficient, fast and low false alarm detection method to mitigate such an attack.
Background
A WMN is a new network topology which provides broadband wireless Internet services to a large community of users. It resolves the limitations of ad-hoc WLAN networks and significantly improves their performance. It consists of mesh routers (mesh nodes) which form the wireless backbone, and mesh clients which access the network through the mesh routers. It is characterized by a multi-hop, multi-channel, self-organizing and auto-configuring structure, as shown in Figure 1. These features bring many advantages for the client, such as robustness, low cost, easy deployment, flexible wireless service and higher bandwidth for mobile users.
Vulnerabilities and Threats to WMNs
WMNs are vulnerable to attack due to the absence of a trusted central authority and the open nature of the wireless medium. Malicious nodes can easily intrude on the network and launch a jamming attack, eavesdrop on communications and inject malicious packets. The dynamic topology and multi-hop routing mean that the trust relationships among nodes can change. Because of their low price, mesh nodes have limited memory and computational capacity. The gateway nodes provide access to the wired Internet for the whole network and usually become the primary target for the hacker. Once the gateway is attacked, it can no longer provide normal service and the performance of the whole network will be compromised.
There are different kinds of attacks that can be encountered in a WMN. At the PHY layer, there are signal jamming and device tampering. At the MAC layer, there are MAC spoofing, virtual jamming and DoS attacks. At the network layer, there are blackhole, grayhole, wormhole and rushing attacks, among others. However, the DoS attack is the most serious attack and exists at both the MAC layer and the network layer. Therefore, this work focuses on detecting the DoS attack and the DDoS attack.
DoS Attack and DDoS Attack
A Denial of Service (DoS) attack means that an attacker uses legitimate requests to consume a large amount of network resources, preventing legitimate users from accessing network resources such as bandwidth, processing time or service.
A Distributed Denial of Service (DDoS) attack makes use of a large population of compromised clients to attack the network by UDP flooding, TCP-SYN flooding and so on. It is much more serious and difficult to detect than a DoS attack because of its “distributed” nature and numerous attackers. It is difficult to trace back due to the large number of controlled clients. The diversification of attack modes and the sophisticated attack techniques used in different types of network and at different layers make it hard for existing security mechanisms to prevent invasion.
We define a successful DDoS attack as follows: a hacker makes use of the flaws of wireless products to control two or more victims, prevents the legitimate traffic stream from reaching the gateway, and starves the legitimate users in the WMN of network resources.
A successful DDoS attack is shown in Figure 2. It consists of the following elements:
- Hacker: The organizer of the DDoS attack.
- Victims: The compromised users controlled by the hacker by means of malicious intrusion, viruses or remote control. We also call them malicious nodes.
- Botnet: The victims' network; a big botnet consists of thousands of compromised nodes. It can take down the network servers of Google, Yahoo and other large web servers in a very short time.
- Legitimate nodes: The normal nodes in WMN which are attacked or starved by malicious nodes.
A successful DDoS attack exhibits the following characteristics:
- The legitimate nodes can only gain limited bandwidth or other resources.
- The malicious nodes can gain the required resources to access the network.
- The gateway will process and respond to a large number of packets, which causes it to operate slowly.
- The packet drop rate will rapidly increase.
- Many packets will use forged addresses and fabricated contents.
Detection of DDoS Attack in WMNs
DDoS attacks are very harmful for the WMNs because they can rapidly consume network resources. However, DDoS attacks are difficult to detect quickly with high accuracy due to three challenging factors:
- Accurate detection - The ideal detection performance is to distinguish between a DDoS attack and network saturation due to heavy traffic loads. This goal is difficult to achieve because of the diversity of attacks: there are ICMP flooding attacks, UDP flooding attacks, TCP-SYN flooding attacks and many increasingly complicated attacks. Another reason is that, due to the lack of a congestion-control mechanism such as TCP-Reno in mesh networks, the behaviour of a DDoS attack becomes similar to the saturation scenario. The heavy network traffic launched by a DDoS attack is an important distinction, therefore how to classify traffic as “abnormal” and how to define “heavy” is essential for effective detection.
- Fast detection - A successful DDoS attack consists of thousands of victims flooding the network with high traffic volumes in a relatively short time period. A good detection mechanism should have the capacity to respond quickly and raise the alarm at the onset of a malicious attack before significant damage is caused.
- Low overload detection - The detection mechanism should not occupy too much of the network resources in responding to the attacks. Otherwise it will impose a high additional load on the network, making the detection process ineffective.
In order to detect DDoS attacks with improved performance, we propose a combined detection method in which the Wireless Resource Management (WRM) technique is combined with Bayesian Decision Theory (BDT). The operation of WRM specifically targets the contention-based MAC mechanism of IEEE 802.11 WLANs, where every station must compete for access to the medium.
Under the WRM framework the channel capacity may be categorised according to three values:
- Cmin which corresponds to the bandwidth available to every station under the worst possible operating condition where every station is in saturation.
- Cavail which corresponds to the bandwidth available to every station under normal operating conditions.
- Cmax which corresponds to the maximum bandwidth that is available to a station under ideal operating conditions where it is the only station present on the channel.
- BWload which corresponds to a station's load bandwidth on the channel. When saturation occurs, BWload = Cavail.
The Cmax and Cmin values represent the maximum and minimum bandwidth that a station on the medium can achieve, and Cavail describes the current availability for this station. The relationship between these three values is:
Before a DDoS attack, every station can access the network resources fairly and normally, even in the saturation case. However, when a DDoS attack occurs, the malicious nodes will gain much more bandwidth, with high Cavail, Cmax and Cmin values. The legitimate nodes will be unable to gain their required bandwidth and will have low Cavail, Cmax and Cmin values, and the mesh routers will experience a lower Cavail value.
Using this classification and the characteristic features of a DDoS attack, we intend to use the Cmin, Cavail and Cmax values at the mesh nodes to determine an appropriate threshold for distinguishing between normal and abnormal operation.
Detection Flow-chart
The DDoS detection algorithm is divided into several steps, as shown in Figure 3:
- Collection - A probe node is used to locally monitor and capture frames, filter out control frames such as RTS and CTS, and collect the information from the mesh nodes in the WMN.
- Analysis - Using the captured frame information, the contention, average access time and load time can be measured.
- Calculation - The Cmin, Cavail and Cmax values for every node are calculated using the WRM technique and recorded as a set: O{Cmin, Cavail, Cmax}.
- Record & Construction - Record the normal flows from the mesh nodes with their Cmax, Cmin and Cavail values in an initial period and determine the DDoS threshold according to Bayesian Decision Theory.
- Determination - If the flow parameters do not match the threshold, an abnormal traffic scenario is detected.
- Confirmation - Check the addresses and contents of packets, or other characteristics, to validate the DDoS attack, as most DDoS attacks use forged addresses and contents.
- Update - If the abnormal flow is not determined to be a DDoS attack, update the detection threshold.
Data Collection & Calculation
Two methods are used to implement this algorithm. In an experimental testbed, we use a PC with a Netgear wireless card and the libpcap driver to monitor the network, filter out control frames such as RTS and CTS frames, and collect packet information such as load time, access time and free time, as shown in Figure 4. In NS2 simulation, the trace file provides complete information about the packets. The Cmax, Cavail and Cmin values are then calculated using the WRM technique.
Simulation Setup
- NS2 simulation tool, Eclipse C++, Linux OS
- 1,000 random topologies, 50 mesh routers, 50m Tx_range (an example is shown in Figure 5)
- Different Neighbors: 1 to 5 neighbors
- Different Attackers: 1 to 10 attackers
- Different traffic rates from mesh nodes and a large traffic rate from attack nodes (described in Table 1)
Figure 6 shows the dramatic change in throughput for mesh clients when a DDoS attack happens. The throughput of the mesh clients decreases to close to zero, while the attacker nodes gain higher throughput, which illustrates the speed and destructiveness of a DDoS attack.
We choose a 10 second interval in each of the DDoS Before Attack (BA), During Attack (DA) and After Attack (AA) periods to draw the Probability Distribution Function (PDF) graph shown in Figure 7. The red line corresponds to the DA values, the green line to the BA values and the blue line to the AA values. It indicates that the Cmax, Cavail and Cmin values undergo a significant change during the DA period.
New DDoS Metric
We propose a new metric called DDoSmetric which has two forms:
and
In a simulation test over 1,000 random topologies, we calculate these two values with different numbers of neighbours and different numbers of attackers: 1 to 5 neighbours, and 1 to 10 attackers with 5 neighbours, choosing a 10 second interval in the DDoS Before Attack (BA) period and the DDoS During Attack (DA) period. The DDoSmetric1 and DDoSmetric2 values are drawn in a PDF graph for the BA period and AA period in Figure 8, where the red line represents the DA values and the green line represents the BA values.
Figure 8 shows the performance of the two DDoSmetric values in the DA period and the BA period, where it can be observed that DDoSmetric1 is a much more distinct feature than DDoSmetric2 when the attack level is higher and the node density is lower. Conversely, in the scenario of higher density and lower attack level, DDoSmetric2 is more dominant.
Bayesian Decision Theory
We choose Bayesian Decision Theory (BDT) to calculate the threshold for classifying attack patterns and normal patterns.
In the DDoS detection algorithm, we use the symbol δ to represent the DDoSmetric. The likelihood ratio function is described in formula (3); the likelihood ratio Λ(δ) is used to establish a detection threshold:
This formula is equal to:
The above formula is used to obtain the δ value that is set as the decision threshold δ(DDoS) for different node densities and different numbers of attackers (as shown in Figure 9).
A good detection mechanism should not only achieve successful detection, but also requires a low false alarm rate to reduce the overload and computational complexity. A Low Pass Filter (LPF) was used to remove noise from the measurements.
The detection success rate has been shown to reach 99% in all scenarios of 2 to 5 neighbours with 5 attackers and 1 to 10 attackers with 3 neighbours. Some results are shown in Table 2.
Determining the Performance and Efficiency of the Detection Algorithm
Some important parameters for determining the effectiveness of the detection scheme are now proposed and defined:
- False Positive Ratio (FPR): If a normal flow is determined by the detector to be a DDoS flow, this scenario represents a false positive. The FPR should be as low as possible.
- False Negative Ratio (FNR): If a DDoS flow is determined to be a normal flow and no alarm is raised, this scenario represents a false negative. To maintain the security of the network, the FNR should be as low as possible.
- Response Time (Tr): Tr represents the detection time in response to the attack. A DDoS attack needs a period of time to progress from its initial stage to its stable stage, which we call Tddos. The detection time Tr must be much less than the launch time of the DDoS attack, i.e. Tr << Tddos, otherwise this method will be invalid.
A good detection algorithm needs a low FPR, a low FNR and a small Tr, so our goal is to minimize the FPR and FNR, and to minimize Tr as far as possible, with an efficient algorithm.
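A worked version of the Record & Construction, Determination and Update steps of the flow-chart, the Bayesian likelihood-ratio threshold δ(DDoS), and the FPR/FNR ratios defined above, added here as an illustration and not the project's own code. It assumes Gaussian class-conditional densities for δ and a minimum-error Bayes rule; since the page does not reproduce the DDoSmetric formula or formula (3), the δ samples are constructed values.

```python
import math
from statistics import mean, pstdev

# Constructed δ values for the Before Attack (BA) and During Attack (DA) periods;
# the page's DDoSmetric formula is not reproduced, so these are illustrative only.
BA_SAMPLES = [0.18, 0.22, 0.20, 0.25, 0.17, 0.21, 0.23, 0.19, 0.24, 0.20]
DA_SAMPLES = [0.78, 0.85, 0.80, 0.92, 0.75, 0.83, 0.88, 0.79, 0.90, 0.81]

def fit_gaussian(samples):
    """Record & Construction: assumed class-conditional model p(δ|class) ~ N(mu, sd)."""
    return mean(samples), max(pstdev(samples), 1e-3)  # floor sd to avoid zero width

def gaussian_pdf(x, mu, sd):
    return math.exp(-0.5 * ((x - mu) / sd) ** 2) / (sd * math.sqrt(2 * math.pi))

def likelihood_ratio(delta, normal_model, attack_model):
    """Λ(δ) = p(δ|DDoS) / p(δ|normal)."""
    return gaussian_pdf(delta, *attack_model) / gaussian_pdf(delta, *normal_model)

def decision_threshold(p_normal, p_attack):
    """Minimum-error Bayes rule: decide DDoS when Λ(δ) >= P(normal) / P(DDoS)."""
    return p_normal / p_attack

def find_delta_ddos(normal_model, attack_model, threshold, steps=10000):
    """δ(DDoS): the δ between the two class means at which Λ(δ) first reaches the threshold."""
    # Between the means Λ(δ) is monotonic for two Gaussians, so a grid scan suffices.
    lo, hi = normal_model[0], attack_model[0]
    for i in range(steps + 1):
        delta = lo + (hi - lo) * i / steps
        if likelihood_ratio(delta, normal_model, attack_model) >= threshold:
            return delta
    return hi

def classify(delta, delta_ddos):
    """Determination step: flag the flow as abnormal when its δ reaches the threshold."""
    return "DDoS" if delta >= delta_ddos else "normal"

def evaluate(labelled, delta_ddos):
    """FPR and FNR over (δ, is_attack) pairs, as defined in the text."""
    normals = [d for d, is_attack in labelled if not is_attack]
    attacks = [d for d, is_attack in labelled if is_attack]
    fpr = sum(classify(d, delta_ddos) == "DDoS" for d in normals) / len(normals)
    fnr = sum(classify(d, delta_ddos) == "normal" for d in attacks) / len(attacks)
    return fpr, fnr

def update_normal_model(normal_samples, confirmed_normal_delta):
    """Update step: a flow flagged abnormal but not confirmed as DDoS refines the normal model."""
    normal_samples.append(confirmed_normal_delta)
    return fit_gaussian(normal_samples)
```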