HF-Blocker: Detection of Distributed Denial of Service Attacks Based On Botnets
Subject Areas: Network Security
Bita Amirshahi 1*, Ali Ahangari 2
1 - Department of Computer Engineering and Information Technology, Payame Noor University, PO BOX 19395-3697 Tehran, IRAN
2 - Department of Computer Engineering and Information Technology, Payame Noor University, PO BOX 19395-3697 Tehran, IRAN
Keywords: HTTP Flood, HTTP, web servers, DDoS attacks, botnet
Abstract:
Today, botnets have become a serious threat to enterprise networks. By building a network of bots, attackers launch several kinds of attack; distributed denial of service (DDoS) attacks on networks are one example. Such attacks, by occupying system resources, have proven to be an effective method of denying network services. Botnets that launch HTTP packet flood attacks against web servers are one of the newest and most troublesome threats in networks. In this paper, we present a system called HF-Blocker that detects and prevents HTTP flood attacks. The proposed system checks each HTTP request in three stages, a Java-based test, a cookie check and then a user-agent check, to distinguish legitimate sources of communication from malicious ones such as botnets. If the source of a connection is proved to be a bot, HF-Blocker blocks the request and denies it access to the web server's resources, thereby preventing a denial of service attack. Performance analysis showed that HF-Blocker detects and prevents HTTP-based botnet attacks with high probability.
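The three-stage gate the abstract describes, as an added Python example that is not the paper's code: it assumes the "Java-based test" is a challenge nonce that a browser-side script hashes into an `hf_token` cookie, and that the user-agent stage is a denylist; the `Request` objects, the denylist and the traffic in `run_demo` are constructed for the example.

```python
"""Three-stage HTTP request gate modelled on the HF-Blocker description
(added example; the paper's own implementation is not available here)."""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    user_agent: str
    cookies: dict = field(default_factory=dict)


# Constructed denylist: user-agent strings that never come from a browser.
DENIED_USER_AGENTS = {"", "-", "example-flood-tool/1.0"}


def expected_token(nonce: str) -> str:
    """Value the browser-side script must compute from the challenge nonce
    and store in the 'hf_token' cookie (assumption: the page does not say
    what its 'Java-based test' actually computes)."""
    return hashlib.sha256(nonce.encode()).hexdigest()[:16]


class HFBlocker:
    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # client_ip -> nonce issued in stage 1

    def decide(self, req: Request) -> str:
        """Return 'challenge', 'allow' or 'block' for one request."""
        nonce = self.pending.get(req.client_ip)
        token = req.cookies.get("hf_token")
        # Stage 1: no challenge issued or answered yet -> send the script test.
        if nonce is None or token is None:
            self.pending[req.client_ip] = secrets.token_hex(8)
            return "challenge"
        # Stage 2: the cookie must carry the answer to *this* client's nonce.
        if not secrets.compare_digest(token, expected_token(nonce)):
            return "block"
        # Stage 3: the user agent must not be empty or a known non-browser.
        if req.user_agent.strip() in DENIED_USER_AGENTS:
            return "block"
        return "allow"


def run_demo() -> list[str]:
    """Constructed traffic: a browser passing all stages, a bot replaying a
    forged cookie, and a bot with a valid cookie but an empty user agent."""
    gate = HFBlocker()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    out = [gate.decide(Request("10.0.0.1", ua))]                         # challenge
    out.append(gate.decide(Request("10.0.0.1", ua, {"hf_token": expected_token(gate.pending["10.0.0.1"])})))  # allow
    out.append(gate.decide(Request("10.0.0.2", ua)))                      # challenge
    out.append(gate.decide(Request("10.0.0.2", ua, {"hf_token": "bogus"})))  # block
    gate.decide(Request("10.0.0.3", ""))                                  # challenge
    out.append(gate.decide(Request("10.0.0.3", "", {"hf_token": expected_token(gate.pending["10.0.0.3"])})))  # block
    return out
```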