- Open Access
A study on efficient detection of network-based IP spoofing DDoS and malware-infected Systems
© The Author(s) 2016
- Received: 15 May 2016
- Accepted: 18 October 2016
- Published: 26 October 2016
Large-scale network environments require effective detection and response methods against DDoS attacks. With the advancement of IT infrastructure such as servers and network equipment, DDoS attack traffic from even a few malware-infected systems has become capable of crippling an organization’s internal network, which makes it a significant threat. This study calculates the frequency of network-based packet attributes and analyzes anomalies in those attributes in order to detect IP-spoofed DDoS attacks. A method is also proposed for effectively detecting the malware-infected systems that trigger IP-spoofed DDoS attacks on an edge network. The detection accuracy and performance of the proposed algorithm were analyzed on real-time traffic collected from a core network, and a prototype was developed to evaluate its performance. As a result, DDoS attacks on the internal network were detected in real time and it was confirmed whether or not the source IP addresses were spoofed. Detecting malware-infected hosts in real time allowed intrusion responses to be executed before large-scale attack traffic brought the internal network to a halt.
- Intrusion Detection System
- Internal Network
- Botnet Detection
- Extract Feature Information
- Anomaly Detection Engine
Hardware performance has advanced dramatically along with the improving environment of information services. The network infrastructure available today is capable of sending gigabytes of data in just a few seconds. The downside of such developments is that information systems and network infrastructure are more exposed to malware-induced cyber-attacks. According to a recent report on malware, Linux-based botnets account for the highest proportion of DDoS attacks at 45%, and they pose major threats to the information services of companies when installed on embedded devices such as Wi-Fi devices, routers, and NAS (Ferguson and Senie 2000; Baker and Savola 2004).
According to a report by Akamai Technologies (Akamai 2015), Linux-based XOR DDoS malware is able to launch DDoS attacks of up to 150 Gbps, and malware-infected systems attack an average of 20 websites per day. To install and execute the malware, attackers acquire administrative rights on a vulnerable system and run a shell command that installs a malware program containing a rootkit function, which allows them to hide their presence.
As demonstrated above, the development of IT has resulted in threats unseen in the past and corporate information service environments are at a greater risk than ever. XOR DDoS malware, one of the most threatening types of malware that can infect Linux-based systems, launches massive IP-spoofed DDoS attacks that paralyze internal networks. Companies have selected Linux-based systems over the more vulnerable Windows operating system as a method of security enforcement, but the various techniques and tools developed by attackers are posing significant threats to businesses.
Past research has focused on the detection of outbound-to-inbound DDoS attacks (Duan et al. 2008; Wang et al. 2007; Feinstein et al. 2003) or the detection of attacks by analyzing information retrieved from botnet agents in internal systems (François et al. 2011; Abu Rajab et al. 2006). However, few studies exist on the detection of network-based attacks when the internal network is under massive volumes of DDoS traffic caused by the IP-spoofed DDoS malware or other infections. For instance, when a DDoS attack occurs due to a malware-infected system in the Demilitarized Zone (DMZ), SYN flooding takes place in the network section from the host system to the security system. The depletion of network resources disrupts network services in the corresponding bandwidth. Rapid detection and response to malware-infected systems is the most effective way of ensuring the availability of the internal network (Perdisci et al. 2013; Beverly et al. 2009; Bremler-Barr and Levy 2005).
This paper applies the DDoS malware finder (DMF) algorithm in order to detect abnormalities when a host on an internal network is infected with DDoS malware that uses spoofed IP addresses and launches massive volumes of DDoS attacks. The DMF algorithm derives patterns from the feature information of IP-spoofed DDoS malware and applies a matching rule to enable real-time detection. Malware-infected systems are identified with reference to the DMF table.
The rest of this paper is organized as follows: the second section describes the background of the study and related work, the third section presents the motivation and challenges, the fourth section gives the system overview, the fifth section presents the system model, and the sixth section is the evaluation. The last section concludes the paper.
Network traffic captured from XOR DDoS malware
06:05:24.260515 IP x.x.x.x.7318 > y.y.y.y.80: Flags [S], seq 479609867:479610763, win 65535, length 896
06:05:24.260540 IP x.x.x.x.2104 > y.y.y.y.80: Flags [S], seq 137948748:137949644, win 65535, length 896
06:05:24.260560 IP x.x.x.x.58852 > y.y.y.y.80: Flags [S], seq 3856952941:3856953837, win 65535, length 896
06:05:24.260574 IP x.x.x.x.4375 > y.y.y.y.80: Flags [S], seq 286734425:286735321, win 65535, length 896
06:05:24.260583 IP x.x.x.x.62129 > y.y.y.y.80: Flags [SE], seq 4071711351:4071712247, win 65535, length 896
Ultimately, the most effective way of ensuring network availability is the rapid detection and response to systems that generate huge volumes of traffic after being infected with IP-spoofed DDoS malware. This is also related to the reliability of information services.
One method of preventing malware infection is to install vaccine (antivirus) programs on all Linux-based systems, but this is not the best solution for companies. Installing vaccines on all Linux systems is not only expensive, but also requires the software license to be renewed each year.
This study proposes a method that can detect network-based IP-spoofed DDoS attacks and efficiently identify malware-infected systems.
Attribute information of a DMF table (field names as used in the system model section)
- SN: sequence number of the traffic
- SGN: group number shared by traffic with the same destination IP
- MAC: media access control (MAC) address
- Destination IP connection time
- TIN: interval from the previous traffic
- CND: destination IP connection hits
- RATD: interval from the previous traffic connected to the destination IP
- CNTI: hits to the destination IP over 3 min
- STATE: traffic anomaly status
The DMF table consists of attribute information taken from traffic headers. The time interval is calculated when the IP addresses and MAC addresses of real-time traffic match the property values in the DMF DB. The time-interval values are used to check for IP-spoofed DDoS malware infection.
Instead of referring to traffic payload, the proposed algorithm relies on the feature information of the IP-spoofed DDoS malware for malware detection.
The purpose of the experiment is to detect malware-infected systems after detecting IP-spoofed DDoS based on an analysis of real-time traffic. This section examines the system model for the proposed method.
Gathering network traffic
Extracting feature information
Creating the DMF table
The SN field of the DMF table holds the traffic sequence number, and the SGN field holds the number of the group of traffic connecting to the same destination IP.
The IP addresses and MAC address are extracted from the traffic header and stored in the SRCIP, DSTIP, and MAC fields of the DMF table. The communication protocol between the two hosts and the access time are also stored.
The TIN field holds the interval between the previous traffic and the current traffic.
The CND field holds the number of connection hits to the destination IP, and the RATD field holds the reconnect interval to the destination IP.
The STATE field takes one of two values. If the TIN and RATD values are zero and the CNTI value divided by 180 s is ≤1, the field is set to “abnormal”; in all other cases it is set to “normal”. Table 3 shows the algorithm for creating the DMF table.
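As an added illustration (not code from the paper), the following Python builds a DMF table from constructed packet records using the field definitions above, applies the STATE rule exactly as stated, and then groups abnormal rows by MAC to locate the host behind the spoofed source addresses. Timestamps are assumed to be whole seconds (so TIN and RATD can be exactly zero), and the packet records, addresses and MACs are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW = 180  # CNTI counts hits to the destination IP over 3 min (180 s)

# Constructed sample: (time in whole seconds, source IP, source MAC, destination IP).
# Rows 4-6 mimic the paper's SYN-flood capture: one host (one MAC) sends packets
# with different spoofed source IPs to the same target within the same second.
SAMPLE_PACKETS = [
    (100, "10.0.0.5", "00:11:22:33:44:01", "203.0.113.10"),
    (130, "10.0.0.5", "00:11:22:33:44:01", "203.0.113.10"),
    (131, "10.0.0.7", "00:11:22:33:44:02", "203.0.113.20"),
    (200, "198.51.100.1", "00:11:22:33:44:09", "203.0.113.10"),
    (200, "198.51.100.2", "00:11:22:33:44:09", "203.0.113.10"),
    (200, "198.51.100.3", "00:11:22:33:44:09", "203.0.113.10"),
]


def build_dmf_table(packets):
    """Return DMF rows (SN, SGN, SRCIP, DSTIP, MAC, TIN, CND, RATD, CNTI, STATE).

    Assumption: the first packet (no previous traffic) and the first hit on a
    destination have no interval, so TIN/RATD are stored as None there.
    """
    rows, groups, last_hit, prev_ts = [], {}, {}, None
    cnd = defaultdict(int)        # DSTIP -> connection hits so far
    recent = defaultdict(deque)   # DSTIP -> hit times inside the 3-min window
    for sn, (ts, src_ip, mac, dst_ip) in enumerate(packets, start=1):
        sgn = groups.setdefault(dst_ip, len(groups) + 1)  # same DSTIP -> same group
        tin = None if prev_ts is None else ts - prev_ts    # interval from previous traffic
        ratd = None if dst_ip not in last_hit else ts - last_hit[dst_ip]  # reconnect interval
        cnd[dst_ip] += 1
        win = recent[dst_ip]
        win.append(ts)
        while ts - win[0] > WINDOW:                        # forget hits older than 3 min
            win.popleft()
        cnti = len(win)
        # STATE rule as the text states it: TIN = 0, RATD = 0 and CNTI / 180 s <= 1
        abnormal = tin == 0 and ratd == 0 and cnti / WINDOW <= 1
        rows.append({"SN": sn, "SGN": sgn, "SRCIP": src_ip, "DSTIP": dst_ip, "MAC": mac,
                     "TIN": tin, "CND": cnd[dst_ip], "RATD": ratd, "CNTI": cnti,
                     "STATE": "abnormal" if abnormal else "normal"})
        prev_ts, last_hit[dst_ip] = ts, ts
    return rows


def find_infected_hosts(rows):
    """Map each MAC with abnormal rows to the spoofed source IPs it used.

    The source IPs are spoofed and cannot be blocked, so the MAC is the stable
    identifier of the host to quarantine at the edge network.
    """
    by_mac = defaultdict(set)
    for row in rows:
        if row["STATE"] == "abnormal":
            by_mac[row["MAC"]].add(row["SRCIP"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


if __name__ == "__main__":
    table = build_dmf_table(SAMPLE_PACKETS)
    for row in table:
        print(row["SN"], row["SGN"], row["MAC"], row["TIN"], row["RATD"], row["CNTI"], row["STATE"])
    print("infected hosts:", find_infected_hosts(table))
```

Only the second and third burst packets are flagged: the first packet of the burst still has a non-zero TIN and RATD relative to the earlier legitimate traffic, so the rule needs at least two same-second hits before it fires.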
Analysis of feature information
Detection of IP-spoofed DDoS attack
As shown in Fig. 12, analysis of the attributes of the IP-spoofed DDoS malware showed that it communicated periodically with the C&C server, from which the attack target was downloaded and updated. The IP-spoofed DDoS attack was powerful enough to cause an outage of the core network in a gigabit Ethernet environment.
Finding a system infected by IP-spoofed DDoS malware
Once an IP-spoofed DDoS attack has been detected with the proposed methodology, it is necessary to find the malware-infected host and eliminate the cause. Because of IP address spoofing, it is impossible to block a particular IP address in the firewall, and even if a range of IP addresses were blocked, the internal network would either come to a halt or suffer extreme delays as a result of the large volume of traffic generated by the malware. Therefore, it is necessary to quickly quarantine the host that is generating the DDoS attacks at the edge network.
Intrusion response on infected system
The test environment for assessing the proposed algorithm was a Gigabit Ethernet network with IP-spoofed DDoS malware installed in the server farm of the DMZ network. The system running the proposed algorithm was configured with an eight-core Intel i7 CPU, 16 GB of RAM, and a 2 TB HDD. The prototype used to verify the performance of the proposed algorithm was written in Java.
Comparison of the proposed method and the intrusion detection system
The performance comparison of the proposed algorithm and an intrusion detection system (IDS) covered three criteria:
- Detection of DDoS attack
- Detection of IP-spoofed DDoS attack
- Detection of system infected by malware
Results of the verification of the proposed algorithm and the IDS on a testing environment showed that both were able to adequately detect DDoS attacks; however, the IDS could not detect IP-spoofed DDoS attacks and malware-infected hosts.
Detection time of IP-spoofed DDoS malware
Figure 16 shows the detection time for IP-spoofed DDoS attacks and malware-infected systems. Graph A represents the time at which IP-spoofed DDoS attacks occur due to the local host being infected with malware, while Graph B is the discovery time of when the local host has been infected with IP-spoofed DDoS malware.
- Installation of malware in the test server and launch of IP-spoofed DDoS attacks.
- Analysis of attack features and false positives after varying the IP address of the test server.
- Analysis of attack features and false positives after replacing the server hardware.
Accuracy of experiment results
- TP rate = 0.988, FP = 12
- TP rate = 0.987, FP = 8
- TP rate = 0.995, FP = 2
- TP rate = 0.99, FP = 1
- TP rate = 1, FP = 0
The accuracy of detecting systems infected with IP-spoofed DDoS malware was assessed under the test environment described above, and averages were obtained from 1000 runs. The detection accuracy was approximately 98% and 12 false positives occurred during the experiment. False positives were detected when there was an error with the network configuration or when ARP spoofing occurred.
Past research has focused on the detection of outbound-to-inbound DDoS attacks or of malware-infected hosts in the internal network. However, various challenges have yet to be addressed in detecting and responding to inbound-to-outbound DDoS attacks launched by malware-infected local hosts. If DDoS attacks originating from local hosts cannot be effectively resolved, normal network services become difficult to provide because of bandwidth exhaustion. In this experiment the malware-infected system generated more than one million SYN flooding packets per minute, and the network traffic amounted to approximately 64 GB.
This proposed method enables the effective detection of IP-spoofed DDoS attacks and malware-infected systems. False positives were detected in two cases. In the first case, errors in network configuration after server replacement caused anomalous traffic. In the second case, changes in the MAC address under ARP spoofing resulted in anomalous traffic. In actual information system environments, errors in network configuration lead to problems in communication, thereby allowing them to be identified before operating information services. The detection of ARP spoofing indicates an intrusion of the internal network and adequate measures must be taken to remove the malware.
A key factor in enhancing corporate reliability is the stability of information services provided through the Internet. While various security solutions are available today, DDoS attacks still pose significant threats to information service providers and security administrators.
When a system infected with IP-spoofed DDoS malware launches massive volumes of DDoS traffic in the internal network, the fundamental solution is to detect and remove the malware-infected system. This is because the flooding packets generated by the local host affect network communications using the Interior Gateway Protocol (IGP) as well as the Exterior Gateway Protocol (EGP). A real-world example is the 6-hour halt of network services at an Internet service provider under an IP-spoofed DDoS attack, despite being equipped with various security solutions such as DDoS countering equipment and an intrusion prevention system (Strayer et al. 2006; Stone-Gross et al. 2009). If DDoS attacks are not detected and responded to in advance, there is likely to be a negative impact on the reliability of the information services provided by such companies.
Using the algorithm proposed in this paper, it is possible to effectively detect IP-spoofed DDoS attacks and rapidly respond to malware-infected systems. The proposed algorithm derives patterns from features of IP-spoofed DDoS malware and matches information in the headers of real-time traffic with DMF table property values to detect IP-spoofed DDoS attacks and malware-infected systems. The efficiency of the proposed algorithm was demonstrated through various experiments and its applicability to actual operating environments was verified under a testbed environment.
Conceived and designed the experiments: JWS, SJL. Performed the experiments: JWS, SJL. Analyzed the data: JWS, SJL. Wrote the paper: JWS, SJL. Both authors read and approved the final manuscript.
The authors wish to thank their colleagues for insightful discussions and their feedback at various stages of the research. They also wish to thank the anonymous reviewers for their suggestions and feedback to improve the paper.
Both authors declare that they have no competing interests.
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
- Abu Rajab M, Zarfoss J, Monrose F, Terzis A (2006) A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM on internet measurement—IMC’06. doi:10.1145/1177080.1177086
- Akamai (2015) XOR DDoS threat advisory—the Akamai blog. In: Blogs.akamai.com. https://blogs.akamai.com/2015/09/xor-ddos-threat-advisory.html. Accessed 7 Feb 2016
- Arbor Networks (2015) Arbor networks detects largest ever DDoS attack in Q1 2015 DDoS report—Arbor Networks. In: Arbornetworks.com. https://www.arbornetworks.com/arbor-networks-detects-largest-ever-ddos-attack-in-q1-2015-ddos-report. Accessed 5 Feb 2016
- Baker F, Savola P (2004) Ingress filtering for multihomed networks. doi:10.17487/rfc3704
- Beverly R, Berger A, Hyun Y, Claffy K (2009) Understanding the efficacy of deployed internet source address validation filtering. In: Proceedings of the 9th ACM SIGCOMM conference on internet measurement conference—IMC’09. doi:10.1145/1644893.1644936
- Bremler-Barr A, Levy H (2005) Spoofing prevention method. In: Proceedings IEEE 24th annual joint conference of the IEEE computer and communications societies. doi:10.1109/infcom.2005.1497921
- Duan Z, Yuan X, Chandrashekar J (2008) Controlling IP spoofing through interdomain packet filters. IEEE Trans Dependable Secure Comput 5(1):22–36. doi:10.1109/tdsc.2007.70224
- Feinstein L, Schnackenberg D, Balupari R, Kindred D (2003) Statistical approaches to DDoS attack detection and response. In: Proceedings DARPA information survivability conference and exposition. doi:10.1109/discex.2003.1194894
- Ferguson P, Senie D (2000) Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. doi:10.17487/rfc2827
- François J, Wang S, State R, Engel T (2011) BotTrack: tracking botnets using NetFlow and PageRank. In: Lecture notes in computer science, pp 1–14. doi:10.1007/978-3-642-20757-0_1
- Freiling FC, Holz T, Wicherski G (2005) Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: Lecture notes in computer science, pp 319–335. doi:10.1007/11555827_19
- Gu G, Perdisci R, Zhang J, Lee W (2008) BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Usenix.org. https://www.usenix.org/legacy/event/sec08/tech/full_papers/gu/gu_html/. Accessed 18 Feb 2016
- John W, Tafvelin S (2007) Analysis of internet backbone traffic and header anomalies observed. In: Proceedings of the 7th ACM SIGCOMM conference on internet measurement—IMC’07. doi:10.1145/1298306.1298321
- Liu B, Bi J (2015) DISCS: a distributed collaboration system for inter-AS spoofing defense. In: 2015 44th international conference on parallel processing. doi:10.1109/icpp.2015.25
- Park K, Lee H (2001) On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. SIGCOMM Comput Commun Rev 31(4):15–26. doi:10.1145/964723.383061
- Perdisci R, Ariu D, Giacinto G (2013) Scalable fine-grained behavioral clustering of HTTP-based malware. Comput Netw 57(2):487–500. doi:10.1016/j.comnet.2012.06.022
- Sakib MN, Huang C-T (2016) Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic. In: 2016 IEEE international conference on communications (ICC). doi:10.1109/icc.2016.7510883
- Stone-Gross B, Cova M, Cavallaro L, Gilbert B, Szydlowski M, Kemmerer R, Vigna G (2009) Your botnet is my botnet. In: Proceedings of the 16th ACM conference on computer and communications security—CCS’09. doi:10.1145/1653662.1653738
- Strayer W, Walsh R, Livadas C, Lapsley D (2006) Detecting botnets with tight command and control. In: Proceedings. 2006 31st IEEE conference on local computer networks. doi:10.1109/lcn.2006.322100
- Tegeler F, Fu X, Vigna G, Kruegel C (2012) BotFinder. In: Proceedings of the 8th international conference on emerging networking experiments and technologies—CoNEXT’12. doi:10.1145/2413176.2413217
- Wang H, Jin C, Shin KG (2007) Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans Netw 15(1):40–53. doi:10.1109/tnet.2006.890133
- Wang B, Li Z, Tu H, Ma J (2009) Measuring Peer-to-Peer Botnets Using Control Flow Stability. In: 2009 International Conference on Availability, Reliability and Security. doi:10.1109/ares.2009.59
- Zeidanloo HR, Bt Manaf A, Vahdani P, Tabatabaei F, Zamani M (2010) Botnet detection based on traffic monitoring. In: 2010 International Conference on Networking and Information Technology. doi:10.1109/icnit.2010.5508552
- Zhao D, Traore I, Sayed B, Lu W, Saad S, Ghorbani A, Garant D (2013) Botnet detection based on traffic behavior analysis and flow intervals. Comput Secur 39:2–16. doi:10.1016/j.cose.2013.04.007