Threshold Based Kernel Level HTTP Filter (TBHF) for DDoS Mitigation

Full Text (PDF, 600 KB), pp. 31-39


Author(s)

Mohamed Ibrahim AK 1,*, Lijo George 1, Kritika Govind 2, S. Selvakumar 2

1. Trichy Engineering College, Tiruchirappalli, Tamil Nadu, India

2. National Institute of Technology, Tiruchirappalli, Tamil Nadu, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2012.12.03

Received: 2 Apr. 2012 / Revised: 13 Jul. 2012 / Accepted: 10 Sep. 2012 / Published: 8 Nov. 2012

Index Terms

HTTP GET, Shortened URL, Kernel, Windows Filtering Platform

Abstract

An HTTP flooding attack has the distinctive feature of interrupting application-level services rather than depleting network resources, as other flooding attacks do. Bombarding a target with HTTP GET requests results in Denial of Service (DoS) of the web server. Use of shortened Uniform Resource Locators (URLs) is one of the most effective ways to unknowingly trap users into participating in an HTTP GET flooding attack. Existing solutions for HTTP attacks are based on browser-level cache maintenance, the CAPTCHA technique, and the use of Access Control Lists (ACLs). Such techniques fail to prevent dynamic-URL-based HTTP attacks. To arrive at a solution for preventing this kind of HTTP flooding attack, a real-time HTTP GET flooding attack was generated using d0z-me, a malicious URL shortener tool. When a user clicked the shortened URL, the web page the user intended was displayed in the web browser; simultaneously, however, an avalanche of HTTP GET requests was generated in the background towards the web server, driven by scripts downloaded from the attacker. Since HTTP GET request traffic is part of any genuine Internet traffic, it is difficult for a firewall to detect such attacks. This motivated us to propose a Threshold Based Kernel Level HTTP Filter (TBHF), which prevents Internet users from unknowingly taking part in such Distributed Denial of Service (DDoS) attacks. The Windows Filtering Platform (WFP), an Application Programming Interface (API), was used to develop TBHF. The proposed solution was tested by installing TBHF on a victim machine and generating the DDoS attack. It was observed that TBHF completely prevented the user from participating in the DDoS attack by filtering out the malicious HTTP GET requests while allowing the other, genuine HTTP GET requests generated from that system.
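The abstract describes TBHF as a per-destination threshold on outbound HTTP GET requests, enforced in the kernel via WFP. The following is an added user-mode simulation of that threshold logic, not the paper's driver code; the threshold, window length, host names and the constructed traffic are assumptions, since the paper's own values are not given here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpGet:
    ts: float    # seconds since the user clicked the shortened URL
    host: str    # destination web server
    path: str


class ThresholdGetFilter:
    """Sliding-window threshold on outbound GETs, keyed by destination host.

    Assumed parameters: at most `threshold` GETs per host within `window`
    seconds are allowed; anything beyond that is dropped, while GETs to
    other hosts are unaffected (mirrors the abstract's "genuine GETs allowed").
    """

    def __init__(self, threshold: int = 10, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self._allowed = defaultdict(deque)  # host -> timestamps of allowed GETs

    def decide(self, req: HttpGet) -> str:
        q = self._allowed[req.host]
        while q and req.ts - q[0] > self.window:   # expire old entries
            q.popleft()
        if len(q) >= self.threshold:
            return "BLOCK"
        q.append(req.ts)
        return "ALLOW"


def constructed_traffic():
    # Constructed sample: a few GETs for the page the user meant to visit,
    # then a script-driven burst of 200 GETs to a flood target within 0.4 s.
    intended = [HttpGet(0.1 * i, "intended.example", f"/page{i}") for i in range(5)]
    flood = [HttpGet(0.5 + 0.002 * i, "target.example", "/") for i in range(200)]
    return sorted(intended + flood, key=lambda r: r.ts)


def run(requests, threshold: int = 10, window: float = 1.0) -> dict:
    """Return per-host counts of ALLOW/BLOCK verdicts for a request stream."""
    flt = ThresholdGetFilter(threshold, window)
    counts = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for req in requests:
        counts[req.host][flt.decide(req)] += 1
    return dict(counts)
```

With the constructed stream, every GET to the intended page passes while the flood host is capped at the threshold, which is the behaviour the abstract reports for TBHF.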

Cite This Paper

Mohamed Ibrahim AK, Lijo George, Kritika Govind, S. Selvakumar, "Threshold Based Kernel Level HTTP Filter (TBHF) for DDoS Mitigation", International Journal of Computer Network and Information Security (IJCNIS), vol. 4, no. 12, pp. 31-39, 2012. DOI: 10.5815/ijcnis.2012.12.03
