A study on efficient detection of network-based IP spoofing DDoS and malware-infected Systems
© The Author(s) 2016
Received: 15 May 2016
Accepted: 18 October 2016
Published: 26 October 2016
Large-scale network environments require effective detection and response methods against DDoS attacks. As IT infrastructure such as servers and network equipment advances, DDoS attack traffic arising from a few malware-infected systems capable of crippling the organization’s internal network has become a significant threat. This study calculates the frequency of network-based packet attributes and analyzes the anomalies of those attributes in order to detect IP-spoofed DDoS attacks. A method is also proposed for the effective detection of malware-infected systems triggering IP-spoofed DDoS attacks on an edge network. The detection accuracy and performance of the proposed algorithm are analyzed on real-time traffic collected on a core network, and a prototype was developed to evaluate the performance of the algorithm. As a result, DDoS attacks on the internal network were detected in real-time and whether or not IP addresses were spoofed was confirmed. Detecting hosts infected by malware in real-time allowed intrusion responses to be executed before large-scale attack traffic stopped the internal network.
Hardware performance has seen astonishing advancements with the improving environment of information services. The network infrastructure available today is capable of sending gigabytes of data in just a few seconds. The downside of such developments is that information systems and network infrastructure are more prone to malware-induced cyber-attacks. According to a recent report on malware, Linux-based botnets account for the highest proportion of DDoS attacks at 45%, and they pose major threats to the information services of companies when installed in embedded devices such as Wi-Fi access points, routers, and NAS (Ferguson and Senie 2000; Baker and Savola 2004).
According to a report by Akamai Technologies (Akamai 2015), Linux-based XOR DDoS malware is able to launch DDoS attacks of up to 150 Gbps, and malware-infected systems can attack an average of 20 websites per day. To install and execute malware, attackers acquire the administrative rights of a vulnerable system and run a Shell command in order to install a malware program containing a rootkit function, which allows them to hide their presence.
As demonstrated above, the development of IT has resulted in threats unseen in the past and corporate information service environments are at a greater risk than ever. XOR DDoS malware, one of the most threatening types of malware that can infect Linux-based systems, launches massive IP-spoofed DDoS attacks that paralyze internal networks. Companies have selected Linux-based systems over the more vulnerable Windows operating system as a method of security enforcement, but the various techniques and tools developed by attackers are posing significant threats to businesses.
Past research has focused on the detection of outbound-to-inbound DDoS attacks (Duan et al. 2008; Wang et al. 2007; Feinstein et al. 2003) or the detection of attacks by analyzing information retrieved from botnet agents in internal systems (François et al. 2011; Abu Rajab et al. 2006). However, few studies exist on the detection of network-based attacks when the internal network is under massive volumes of DDoS traffic caused by the IP-spoofed DDoS malware or other infections. For instance, when a DDoS attack occurs due to a malware-infected system in the Demilitarized Zone (DMZ), SYN flooding takes place in the network section from the host system to the security system. The depletion of network resources disrupts network services in the corresponding bandwidth. Rapid detection and response to malware-infected systems is the most effective way of ensuring the availability of the internal network (Perdisci et al. 2013; Beverly et al. 2009; Bremler-Barr and Levy 2005).
This paper applies the DDoS malware finder (DMF) algorithm in order to detect abnormalities when the host of an internal network is infected with DDoS malware based on Spoofed IP Address and launches massive volumes of DDoS attacks. The DMF algorithm derives patterns from feature information of DDoS malware based on Spoofed IP Address and applies the matching rule to enable real-time detection. Malware-infected systems are identified with reference to the DMF table.
The rest of this paper is organized as follows: the second section describes the background of the study and related work, the third section contains the motivation and challenge, the fourth section gives the system overview, the fifth section presents the system model, and the sixth section is the evaluation. The last section is the conclusion.
Background and related work
Malware Must Die team members first detected XOR DDoS in September 2014. A Trojan malware was used to hijack Linux machines in order to build a botnet for DDoS (Akamai 2015).
The bandwidth of DDoS attacks coming from the XOR DDoS botnet has ranged from a few gigabits per second to 150 Gbps. The botnet has attacked up to 20 targets per day, 90% of which are in Asia. Two DDoS attacks were caused by the XOR DDoS botnet on the weekend of August 22–23. One of the attacks measured nearly 50 Gbps and the other reached nearly 100 Gbps. XOR DDoS is an example of attackers building botnets from Linux systems instead of Windows-based machines. Other recent examples of Linux-based malware include the Spike DDoS toolkit and the IptabLes and IptabLex malware. There is an increasing number of Linux vulnerabilities for malicious actors to target, such as the heap-based buffer overflow vulnerability found earlier this year in the GNU C Library. However, XOR DDoS itself does not exploit a specific vulnerability (Arbor Networks 2015; Akamai 2015).
Although a significant amount of literature has been produced on botnet detection, botnet detection approaches using flow analysis techniques have only emerged in the last few years.
Zhao et al. (2013) proposed a new approach to detect botnet activity based on traffic behavior analysis, classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packet payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be retrieved easily from various network devices without significantly affecting network performance or service availability. The proposed approach detects botnet activity by classifying behavior based on time intervals.
BotHunter (John and Tafvelin 2007) consists of intrusion detection system (IDS) components, used to observe inbound and outbound traffic flow, and a dialog correlation engine that generates the flow of bot infections. The two BotHunter plugins are the Statistical sCan Anomaly Detection Engine (SCADE) and the Statistical payLoad Anomaly Detection Engine (SLADE).
SCADE performs inbound scan detection and outbound scan detection by categorizing anomalies as high-severity (HS) or low-severity (LS). SLADE, based on a byte-distribution payload detection technique, inspects the payloads of all packets sent by the service being monitored and provides warnings when the N-gram frequency exceeds the normal range (Gu et al. 2008).
While BotHunter offers a remote repository for users to evaluate bot activities and collect information, it is difficult to detect anomalies in bots that use encrypted channels in order to communicate with the Command and Control (C&C) server and stealth-scanning bots. Since bot infection is determined based on the behavioral patterns of modified bots, bots with signatures updated from variations in traffic patterns are also not easy to identify. To resolve these issues, it is necessary for the server to automatically collect and analyze patterns, as well as to constantly renew them (Tegeler et al. 2012; Gu et al. 2008).
Zeidanloo et al. (2010) proposed a botnet detection approach based on the monitoring of network traffic characteristics in a similar way to BotMiner. In their work, a three-stage process of filtering, malicious activity detection and traffic monitoring is used to group bots by their group behavior. The proposed approach divides the concept of flows into time periods of 6 h and clusters these flow intervals with known malicious activity. The effects of different flow interval durations were not presented, and the accuracy of the approach is unknown (Zhao et al. 2013).
Wang et al. (2009) presented a detection approach for peer-to-peer based botnets by observing the stability of control flows in initial time intervals of 10 min. They developed an algorithm which measures the stability of flows and exploits the property that bots exhibit similar behavior in their command search and perform these tasks independently of each other and frequently. They show that by varying parameters in their algorithm, they were able to classify 98% of Storm C&C data as stable, though a large percentage of non-malicious peer-to-peer traffic was also classified as such (Zhao et al. 2013).
Motivation and challenge
Network traffic captured from a host infected with XOR DDoS (tcpdump output; source and destination addresses are masked as x.x.x.x and y.y.y.y). Every packet is a SYN to the same destination port 80 with the same window size and length, but from a different source port, and all five arrive within 70 microseconds:
06:05:24.260515 IP x.x.x.x.7318 > y.y.y.y.80: Flags [S], seq 479609867:479610763, win 65535, length 896
06:05:24.260540 IP x.x.x.x.2104 > y.y.y.y.80: Flags [S], seq 137948748:137949644, win 65535, length 896
06:05:24.260560 IP x.x.x.x.58852 > y.y.y.y.80: Flags [S], seq 3856952941:3856953837, win 65535, length 896
06:05:24.260574 IP x.x.x.x.4375 > y.y.y.y.80: Flags [S], seq 286734425:286735321, win 65535, length 896
06:05:24.260583 IP x.x.x.x.62129 > y.y.y.y.80: Flags [SE], seq 4071711351:4071712247, win 65535, length 896
Ultimately, the most effective way of ensuring network availability is the rapid detection and response to systems that generate huge volumes of traffic after being infected with IP-spoofed DDoS malware. This is also related to the reliability of information services.
One method of preventing malware infection is to install antivirus (vaccine) programs on all Linux-based systems, but this is not the best solution for companies. Installing antivirus software on all Linux systems is not only expensive, but also requires the software license to be renewed each year.
This study proposes a method that can detect network-based IP-spoofed DDoS attacks and efficiently identify malware-infected systems.
Attribute information of a DMF table:
- Sequence number of the traffic
- Same group number for traffic with the same destination IP
- Media access control (MAC) address
- Destination IP connection time
- Interval from previous traffic
- Destination IP connection hits
- Interval from previous traffic connected to the destination IP
- Hits to the destination IP over 3 min
- Traffic anomaly status
The DMF table consists of the attribute information of traffic headers. The time interval is calculated when the IP address and MAC address of real-time traffic match the property values stored in the DMF DB. The time-interval values are then used to check for IP-spoofed DDoS malware infection.
Instead of referring to traffic payload, the proposed algorithm relies on the feature information of the IP-spoofed DDoS malware for malware detection.
The purpose of the experiment is to detect malware-infected systems after detecting IP-spoofed DDoS based on an analysis of real-time traffic. This section examines the system model for the proposed method.
The proposed method proceeds in three steps:
- Gathering of network traffic
- Extraction of feature information
- Creation of the DMF table
The SN field of the DMF table represents the traffic sequence and the SGN field means the number of the group connecting to the same destination IP.
The IP addresses and MAC address from the traffic header are extracted and stored in the SRCIP, DSTIP, and MAC fields of the DMF table. The communication protocol between the two hosts and the access time are also stored.
The TIN field represents the interval between previous traffic and current traffic.
The CND field represents the connection hits to the destination IP and the RATD field represents the reconnect interval of the destination IP.
The STATE field is categorized into two types. If the TIN field value and the RATD value are both zero and the CNTI field divided by 180 s is ≤1, then the field value is set to “abnormal”. All other instances are set to “normal”. Table 3 shows the algorithm for creating the DMF table.
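As an added illustration of the DMF table construction and STATE rule described above (example code written for this page, not the paper's prototype or Table 3): records are constructed inline, and the paper does not state how intervals are rounded or how the first packet from a host is treated, so those choices are labelled as assumptions in the code. The host-finding step shows why the MAC field matters: under spoofing many source IPs sit behind one MAC, and the MAC identifies the host to quarantine.

```python
"""DMF-style table built from packet headers; added example, not the paper's code."""
from collections import defaultdict
from math import floor

ABNORMAL_WINDOW_S = 180  # the paper's 3-minute window (CNTI / 180 s <= 1)

# Constructed sample records: (timestamp in seconds, source MAC, source IP,
# destination IP, protocol). The host behind MAC ...:09 imitates the capture
# above: one MAC, many source IPs, one destination, all within one second.
SAMPLE = [
    (100.00, "aa:bb:cc:00:00:01", "10.0.0.5",      "203.0.113.7",  "tcp"),
    (100.00, "aa:bb:cc:00:00:09", "198.51.100.11", "203.0.113.80", "tcp"),
    (100.00, "aa:bb:cc:00:00:09", "198.51.100.12", "203.0.113.80", "tcp"),
    (100.00, "aa:bb:cc:00:00:09", "198.51.100.13", "203.0.113.80", "tcp"),
    (100.01, "aa:bb:cc:00:00:09", "198.51.100.14", "203.0.113.80", "tcp"),
    (100.01, "aa:bb:cc:00:00:09", "198.51.100.15", "203.0.113.80", "tcp"),
    (130.00, "aa:bb:cc:00:00:01", "10.0.0.5",      "203.0.113.7",  "tcp"),
    (131.50, "aa:bb:cc:00:00:02", "10.0.0.6",      "203.0.113.7",  "tcp"),
]

def build_dmf_table(records):
    """Return one dict per packet with the DMF fields described in the text.
    Assumptions (not stated in the paper): intervals are truncated to whole
    seconds, so sub-second bursts give TIN = RATD = 0; the first packet seen
    from a MAC has no previous traffic and is never marked abnormal."""
    last_seen = {}           # MAC -> timestamp of its previous packet (TIN)
    last_dst = {}            # (MAC, DSTIP) -> timestamp of previous packet (RATD)
    first_dst = {}           # (MAC, DSTIP) -> timestamp of first packet (CNTI)
    hits = defaultdict(int)  # (MAC, DSTIP) -> connection hits (CND)
    groups = {}              # DSTIP -> same-group number (SGN)
    table = []
    for sn, (ts, mac, src, dst, proto) in enumerate(records, start=1):
        key = (mac, dst)
        groups.setdefault(dst, len(groups) + 1)
        first_dst.setdefault(key, ts)
        hits[key] += 1
        tin = floor(ts - last_seen[mac]) if mac in last_seen else None
        ratd = floor(ts - last_dst[key]) if key in last_dst else None
        cnti = floor(ts - first_dst[key])
        state = "abnormal" if (tin == 0 and ratd == 0
                               and cnti / ABNORMAL_WINDOW_S <= 1) else "normal"
        table.append({"SN": sn, "SGN": groups[dst], "SRCIP": src, "DSTIP": dst,
                      "MAC": mac, "PROTO": proto, "TIME": ts, "TIN": tin,
                      "CND": hits[key], "RATD": ratd, "CNTI": cnti, "STATE": state})
        last_seen[mac] = ts
        last_dst[key] = ts
    return table

def find_infected_hosts(table, min_abnormal=3):
    """Map each MAC with >= min_abnormal abnormal rows to the distinct source
    IPs it used. Several source IPs behind one MAC is the spoofing signature;
    the MAC (not the spoofed IPs) is what identifies the host to quarantine."""
    spoofed = defaultdict(set)
    counts = defaultdict(int)
    for row in table:
        if row["STATE"] == "abnormal":
            counts[row["MAC"]] += 1
            spoofed[row["MAC"]].add(row["SRCIP"])
    return {mac: sorted(spoofed[mac]) for mac, n in counts.items()
            if n >= min_abnormal and len(spoofed[mac]) > 1}

if __name__ == "__main__":
    rows = build_dmf_table(SAMPLE)
    for row in rows:
        print(row["SN"], row["MAC"], row["SRCIP"], row["TIN"], row["RATD"], row["STATE"])
    print(find_infected_hosts(rows))
```

The min_abnormal threshold is a constructed parameter; in a gigabit environment the burst from an infected host reaches it within the first millisecond, while the two ordinary clients never produce a zero-interval repeat to the same destination.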
Analysis of feature information
Detection of IP-spoofed DDoS attack
As shown in Fig. 12, analysis results of the attributes of IP-spoofed DDoS malware showed that it was periodically communicating with the C&C server and the attack target was downloaded from the C&C server and updated. The IP-spoofed DDoS attack was powerful enough to cause an outage to the core network in a gigabit Ethernet environment.
Finding of a system infected by IP-spoofed DDoS malware
Upon detecting the IP-spoofed DDoS attack with the proposed methodology, it is necessary to find the malware-infected host and eliminate the cause. Because of IP address spoofing, it is impossible to block a particular IP address in the firewall, and even if we were to block a range of IP addresses, the internal network would either come to a halt or suffer extreme delays as a result of the large volume of traffic generated by the malware. Therefore, it is necessary to quickly quarantine the host that is generating the DDoS attacks on the edge network.
Intrusion response on infected system
The test environment for the assessment of the proposed algorithm was a Gigabit Ethernet network with IP-spoofed DDoS malware installed in the server farm of the DMZ network. For the installation of the proposed algorithm, the system configuration included an Intel i7 CPU with eight cores, 16 GB of RAM, and a 2 TB HDD. The Java programming language was used to program the prototype in order to verify the performance of the proposed algorithm.
Comparison of the proposed method and the intrusion detection system
Performance comparison of the proposed algorithm and the IDS (values as reported in the text below):

| Capability | Proposed algorithm | Intrusion detection system (IDS) |
| --- | --- | --- |
| Detection of DDoS attack | Yes | Yes |
| Detection of IP-spoofed DDoS attack | Yes | No |
| Detection of system infected by malware | Yes | No |
Results of the verification of the proposed algorithm and the IDS on a testing environment showed that both were able to adequately detect DDoS attacks; however, the IDS could not detect IP-spoofed DDoS attacks and malware-infected hosts.
Detection time of IP-spoofed DDoS malware
Figure 16 shows the detection time for IP-spoofed DDoS attacks and malware-infected systems. Graph A represents the time at which IP-spoofed DDoS attacks occur due to the local host being infected with malware, while Graph B is the discovery time of when the local host has been infected with IP-spoofed DDoS malware.
The experiment was carried out in three steps:
- Installation of malware in the test server and launch of IP-spoofed DDoS attacks.
- Analysis of attack features and false positives after varying the IP address of the test server.
- Analysis of attack features and false positives after replacing the server hardware.
Accuracy of experiment results (true-positive rate and number of false positives per experiment run):
- TP rate = 0.988, FP = 12
- TP rate = 0.987, FP = 8
- TP rate = 0.995, FP = 2
- TP rate = 0.99, FP = 1
- TP rate = 1, FP = 0
The accuracy of detecting systems infected with IP-spoofed DDoS malware was assessed under the test environment described above, and averages were obtained from 1000 runs. The detection accuracy was approximately 98% and 12 false positives occurred during the experiment. False positives were detected when there was an error with the network configuration or when ARP spoofing occurred.
Past research has focused on the detection of outbound-to-inbound DDoS attacks or of malware-infected hosts in the internal network. However, various challenges have yet to be addressed for detecting and responding to inbound-to-outbound DDoS attacks launched by malware-infected local hosts. If DDoS attacks originating from local hosts cannot be resolved effectively, normal network services become difficult to provide due to bandwidth exhaustion. This experiment found that the malware-infected system generated more than one million SYN flooding packets per minute and the network traffic was approximately 64 GB.
This proposed method enables the effective detection of IP-spoofed DDoS attacks and malware-infected systems. False positives were detected in two cases. In the first case, errors in network configuration after server replacement caused anomalous traffic. In the second case, changes in the MAC address under ARP spoofing resulted in anomalous traffic. In actual information system environments, errors in network configuration lead to problems in communication, thereby allowing them to be identified before operating information services. The detection of ARP spoofing indicates an intrusion of the internal network and adequate measures must be taken to remove the malware.
A key factor in enhancing corporate reliability is the stability of information services provided through the Internet. While various security solutions are available today, DDoS attacks still pose significant threats to information service providers and security administrators.
When a system infected with IP-spoofed DDoS malware launches massive volumes of DDoS traffic in the internal network, a fundamental solution is to detect and remove the malware-infected system. This is because flooding packets generated by the local host affect network communications using the Interior Gateway Protocol (IGP) as well as the Exterior Gateway Protocol (EGP). A real-world example is the 6-h halting of network services by an Internet service provider under an IP-spoofed DDoS attack despite being equipped with various security solutions, such as DDoS countering equipment and an intrusion prevention system (Strayer et al. 2006; Stone-Gross et al. 2009). If DDoS attacks are not detected in advance and responded to, there is likely to be a negative impact on the reliability of information services provided by such companies.
Using the algorithm proposed in this paper, it is possible to effectively detect IP-spoofed DDoS attacks and rapidly respond to malware-infected systems. The proposed algorithm derives patterns from features of IP-spoofed DDoS malware and matches information in the headers of real-time traffic with DMF table property values to detect IP-spoofed DDoS attacks and malware-infected systems. The efficiency of the proposed algorithm was demonstrated through various experiments and its applicability to actual operating environments was verified under a testbed environment.
Conceived and designed the experiments: JWS, SJL. Performed the experiments: JWS, SJL. Analyzed the data: JWS, SJL. Wrote the paper: JWS, SJL. Both authors read and approved the final manuscript.
The authors wish to thank their colleagues for insightful discussions and their feedback at various stages of the research. They also wish to thank the anonymous reviewers for their suggestions and feedback to improve the paper.
Both authors declare that they have no competing interests.
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
- Abu Rajab M, Zarfoss J, Monrose F, Terzis A (2006) A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM on internet measurement—IMC’06. doi:https://doi.org/10.1145/1177080.1177086
- Akamai (2015) XOR DDoS threat advisory—the Akamai blog. In: Blogs.akamai.com. https://blogs.akamai.com/2015/09/xor-ddos-threat-advisory.html. Accessed 7 Feb 2016
- Arbor Networks (2015) Arbor networks detects largest ever DDoS attack in Q1 2015 DDoS report—Arbor Networks. In: Arbornetworks.com. https://www.arbornetworks.com/arbor-networks-detects-largest-ever-ddos-attack-in-q1-2015-ddos-report. Accessed 5 Feb 2016
- Baker F, Savola P (2004) Ingress filtering for multihomed networks. doi:https://doi.org/10.17487/rfc3704
- Beverly R, Berger A, Hyun Y, Claffy K (2009) Understanding the efficacy of deployed internet source address validation filtering. In: Proceedings of the 9th ACM SIGCOMM conference on internet measurement conference—IMC’09. doi:https://doi.org/10.1145/1644893.1644936
- Bremler-Barr A, Levy H (2005) Spoofing prevention method. In: Proceedings IEEE 24th annual joint conference of the IEEE computer and communications societies. doi:https://doi.org/10.1109/infcom.2005.1497921
- Duan Z, Yuan X, Chandrashekar J (2008) Controlling IP spoofing through interdomain packet filters. IEEE Trans Dependable Secure Comput 5(1):22–36. doi:https://doi.org/10.1109/tdsc.2007.70224
- Feinstein L, Schnackenberg D, Balupari R, Kindred D (2003) Statistical approaches to DDoS attack detection and response. In: Proceedings DARPA information survivability conference and exposition. doi:https://doi.org/10.1109/discex.2003.1194894
- Ferguson P, Senie D (2000) Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. doi:https://doi.org/10.17487/rfc2827
- François J, Wang S, State R, Engel T (2011) BotTrack: tracking botnets using NetFlow and PageRank. In: Lecture notes in computer science, pp 1–14. doi:https://doi.org/10.1007/978-3-642-20757-0_1
- Freiling FC, Holz T, Wicherski G (2005) Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: Lecture notes in computer science, pp 319–335. doi:https://doi.org/10.1007/11555827_19
- Gu G, Perdisci R, Zhang J, Lee W (2008) BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Usenix.org. https://www.usenix.org/legacy/event/sec08/tech/full_papers/gu/gu_html/. Accessed 18 Feb 2016
- John W, Tafvelin S (2007) Analysis of internet backbone traffic and header anomalies observed. In: Proceedings of the 7th ACM SIGCOMM conference on internet measurement—IMC’07. doi:https://doi.org/10.1145/1298306.1298321
- Liu B, Bi J (2015) DISCS: a distributed collaboration system for inter-AS spoofing defense. In: 2015 44th international conference on parallel processing. doi:https://doi.org/10.1109/icpp.2015.25
- Park K, Lee H (2001) On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. SIGCOMM Comput Commun Rev 31(4):15–26. doi:https://doi.org/10.1145/964723.383061
- Perdisci R, Ariu D, Giacinto G (2013) Scalable fine-grained behavioral clustering of HTTP-based malware. Comput Netw 57(2):487–500. doi:https://doi.org/10.1016/j.comnet.2012.06.022
- Sakib MN, Huang C-T (2016) Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic. In: 2016 IEEE international conference on communications (ICC). doi:https://doi.org/10.1109/icc.2016.7510883
- Stone-Gross B, Cova M, Cavallaro L, Gilbert B, Szydlowski M, Kemmerer R, Vigna G (2009) Your botnet is my botnet. In: Proceedings of the 16th ACM conference on computer and communications security—CCS’09. doi:https://doi.org/10.1145/1653662.1653738
- Strayer W, Walsh R, Livadas C, Lapsley D (2006) Detecting botnets with tight command and control. In: Proceedings. 2006 31st IEEE conference on local computer networks. doi:https://doi.org/10.1109/lcn.2006.322100
- Tegeler F, Fu X, Vigna G, Kruegel C (2012) BotFinder. In: Proceedings of the 8th international conference on emerging networking experiments and technologies—CoNEXT’12. doi:https://doi.org/10.1145/2413176.2413217
- Wang H, Jin C, Shin KG (2007) Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans Netw 15(1):40–53. doi:https://doi.org/10.1109/tnet.2006.890133
- Wang B, Li Z, Tu H, Ma J (2009) Measuring peer-to-peer botnets using control flow stability. In: 2009 international conference on availability, reliability and security. doi:https://doi.org/10.1109/ares.2009.59
- Zeidanloo HR, Bt Manaf A, Vahdani P, Tabatabaei F, Zamani M (2010) Botnet detection based on traffic monitoring. In: 2010 international conference on networking and information technology. doi:https://doi.org/10.1109/icnit.2010.5508552
- Zhao D, Traore I, Sayed B, Lu W, Saad S, Ghorbani A, Garant D (2013) Botnet detection based on traffic behavior analysis and flow intervals. Comput Secur 39:2–16. doi:https://doi.org/10.1016/j.cose.2013.04.007