Mitigating the Distributed Denial of Service (DDoS) Attacks in Campus Local Area Network (CLAN)

The Campus Local Area Network (CLAN) of an academic institution interconnects from one hundred to about twenty five hundred computers, located in academic building(s), hostel building(s), faculty quarter(s), the students' amenities centre, etc., all around the campus. Students, faculty and supporting staff use the network primarily for internet access at both personal and professional levels and secondarily for the services and resources made available on it. Various web based services, viz. Web services, Mail services, DNS and FTP services, are generally provided in the campus LAN, and various intranet based services are made available to LAN users as well. Campus LAN users in the hostels change very frequently and sometimes become targets (we call them soft targets) of attackers or zombies, either because of inadequate knowledge of how to protect their own computer or laptop, which is also a legitimate node of the campus LAN, or because of their enthusiasm for experimentation. The interconnectivity of these legitimate nodes of the campus LAN with attackers on the World Wide Web makes the computers connected to the LAN (nodes) an easy target for malicious users who attempt to exhaust their resources by launching Distributed Denial-of-Service (DDoS) attacks. In this paper we present a technique to mitigate distributed denial of service attacks in a campus wide LAN by limiting the bandwidth of the affected computers (soft targets) of the virtual LAN from a unified threat management (UTM) firewall. The technique is supported by bandwidth utilization reports of the campus LAN with and without the bandwidth limiting rule, obtained from the UTM network traffic analyser. The graphical analyser report on bandwidth utilization, with transmitted and received bits of the campus LAN after implementation of our bandwidth limiting rule, is also given.


INTRODUCTION
A campus wide local area network (LAN) is a computer network that spans an academic campus, connecting the academic departments located within a relatively small area. Most campus wide LANs are confined to a group of buildings interconnected with each other through either optical fibre cable (OFC) using Fibre Distributed Data Interface (FDDI) technology or unshielded twisted pair (UTP) cable located within a 100 metre distance, or inside a department using layer-2 manageable switches. It connects workstations and personal computers, called nodes (individual computers), to the various servers available in the LAN, and these are also connected to the internet through layer-3 switches via a firewall (optional). Each node has its own central processing unit with which it executes programs, but it is also able to access data and devices, and users share resources like files, printers, drives or other applications. Users can also use the LAN to communicate with each other by sending email, engaging in chat sessions, playing games, sharing resources, etc. [1]. LANs are capable of transmitting data at very fast rates, as they are interconnected through OFC or UTP and because the data has only a short distance to cover. A large campus wide LAN can accommodate many thousands of computers (nodes) by dividing them into logical groups, each with a different default gateway in its own subnet, and by creating Virtual LANs (VLANs) with the Spanning Tree Protocol (STP) to avoid the broadcast storms of an L2 switch. Sometimes a wireless LAN facility is created for a specific area, conference room or smart class room, from which users can access the resources available in the campus wide LAN as well as the internet.
VLANs support logical grouping of network nodes to reduce broadcast traffic and allow more control in implementing security policies. VLANs are implemented in the campus wide LAN to enhance security and traffic control; to ease network adds, moves and changes; and to contain broadcasts. This enhances the manageability of switched LANs [2]. With the migration from shared to switched LANs the term VLAN has become common not only within standards committees and engineering departments but in many network management centres and campuses [3]. Generally these VLANs are implemented in a campus wide LAN by creating and writing rules in the network address table of layer-3 switches. Network managers of the campus wide LAN define VLANs based on the following characteristics: physical ports, protocol type, MAC address and IP subnets. Since the primary objective of implementing VLANs is to enhance network manageability during the network planning and design stages, centralized VLAN management is an important requirement. When VLANs can be defined remotely and managed from a central location, network managers can more easily design their networks based on business objectives such as improved service to users, while also continuously monitoring VLAN performance and adjusting VLAN policies and definitions.
However, the interconnectivity between computers in the campus LAN and the World Wide Web renders the computers connected to the LAN (nodes) an easy target for malicious users who attempt to exhaust their resources and launch Distributed Denial-of-Service (DDoS) attacks through SYN flooding from the user end against the entire campus wide local area network. In a SYN flood an attacker sends a succession of SYN requests to a target system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address which will not send an ACK because it "knows" that it never sent a SYN [4].
The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.
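The half-open connections described above are visible on the server itself as entries in the SYN_RECV state. The following example, added here and not part of the original paper or of any firewall product it mentions, parses a constructed netstat-style connection table and counts half-open connections per source host and per /24 network (the assumption being that each campus VLAN maps to one /24, so the per-network count is the view a VLAN-level rule would act on). The threshold, the sample addresses and the function names are all our own choices, not values from the paper.

```python
import ipaddress
from collections import Counter

# Constructed sample of a web server's TCP connection table in netstat-style
# columns (proto, recv-q, send-q, local address, foreign address, state).
# Private addresses only, as in a campus LAN; no real hosts are represented.
SAMPLE_CONNECTION_TABLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.1.5:80 10.10.7.21:40211 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.21:40212 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.21:40213 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.21:40214 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.21:40215 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.21:40216 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.33:52001 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.33:52002 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.33:52003 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.33:52004 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.7.33:52005 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.3.14:51002 SYN_RECV
tcp 0 0 10.10.1.5:80 10.10.3.14:51003 ESTABLISHED
tcp 0 0 10.10.1.5:80 10.10.3.27:44120 ESTABLISHED
tcp 0 0 10.10.1.5:80 10.10.3.27:44121 TIME_WAIT
"""


def parse_connection_table(text):
    """Return one dict per TCP row (foreign IP, foreign port, state).
    The header line and any non-TCP rows are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        foreign_ip, foreign_port = fields[4].rsplit(":", 1)
        records.append({"foreign_ip": foreign_ip,
                        "foreign_port": int(foreign_port),
                        "state": fields[5]})
    return records


def half_open_counts(records, prefixlen=32):
    """Count SYN_RECV (half-open) connections per source, aggregated to a
    /prefixlen network. /32 counts per host; /24 approximates the per-VLAN
    view a campus firewall rule would act on (assumption: one /24 per VLAN)."""
    counts = Counter()
    for rec in records:
        if rec["state"] != "SYN_RECV":
            continue
        net = ipaddress.ip_network(f"{rec['foreign_ip']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def flag_flooding_sources(records, threshold, prefixlen=32):
    """Sources (hosts or networks) whose half-open count reaches the
    threshold, highest first. The threshold is a tuning knob we chose,
    not a value taken from the paper."""
    counts = half_open_counts(records, prefixlen)
    flagged = [(net, n) for net, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def half_open_ratio(records):
    """Fraction of the TCP table sitting in SYN_RECV; a table dominated by
    half-open entries is the symptom the text describes for a SYN flood."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["state"] == "SYN_RECV") / len(records)


if __name__ == "__main__":
    recs = parse_connection_table(SAMPLE_CONNECTION_TABLE)
    print("half-open per host:", dict(half_open_counts(recs)))
    print("half-open per /24:", dict(half_open_counts(recs, 24)))
    print("flagged networks (>= 10 half-open):", flag_flooding_sources(recs, 10, 24))
    print("half-open ratio: %.2f" % half_open_ratio(recs))
```

On the constructed table the two hosts in 10.10.7.0/24 together hold 11 of the 12 half-open entries, so the /24 aggregation points at the one VLAN that a bandwidth limiting rule should target, while the host in 10.10.3.0/24 with a single SYN_RECV beside established connections looks like ordinary traffic.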
In this paper we present a technique to mitigate distributed denial of service attacks in a campus wide LAN by limiting the bandwidth of the affected VLAN through a unified threat management firewall. We also present the report from the network traffic analyser on bandwidth utilization, with transmitted and received bits, during the DDoS attack with SYN flooding, and the report after implementation of our bandwidth limiting rule.

HISTORY OF DDOS ATTACKS
A Denial of Service attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to its customers. In a denial-of-service attack legitimate users of a service are prevented from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most common types of DoS attack are:

- Consumption of computational resources, such as bandwidth, disk space or CPU time.
- Disruption of configuration information, such as routing information.
- Disruption of state information, such as unsolicited resetting of TCP sessions.
- Disruption of physical network components, such as preventing access to the servers.
When the malicious attempt originates from a single host of the network, it constitutes a Denial of Service attack. On the other hand, it is also possible that many malicious hosts coordinate to flood the victim with an abundance of attack packets (also termed SYN flooding), so that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed Denial of Service, or simply DDoS, attack [5]. In DoS attacks the IP address of the attacker is forged through spoofing so that the location of the attacker cannot easily be identified and so that filtering of the packets based on the source address is prevented.

August 25, 2013

DDoS Attack Description
DoS attacks attempt to usurp the available resources of the victim's campus wide network. These resources can be network bandwidth, computing power or operating system data structures. To launch a DDoS attack, the attacker first installs malicious code on one vulnerable machine (a workstation, laptop or even a file server) which is either running no antivirus software or out-of-date antivirus software, or has not been updated to the latest antivirus signatures. The affected machine then builds a network of computers, also called an attack network, comprising hosts in a single VLAN or in multiple VLANs. The computers in the attack network are used to produce the volume of traffic needed to deny service to computer users. To create this attack network, attackers discover vulnerable sites or hosts on the network.
The next step for the intruder is to install new programs (known as attack tools) on the compromised hosts of the attack network. The hosts that are running these attack tools are known as zombies, and they can carry out any attack under the control of the attacker. Many zombies together form what we call an army [6].
For the initial identification of vulnerable hosts [7, 8, 9] the attackers use scanning techniques such as random scanning, hit-list scanning, topological scanning, local subnet scanning and permutation scanning.
- Random scanning: an attacker probes IP addresses randomly from the IP address space and checks their vulnerability. When it finds one it installs the malicious code on the machine and the process continues.
- Hit-list scanning: an attacker starts with a pre-collected list of a large number of potentially vulnerable machines. In their effort to create their army, they begin scanning down the list in order to find more vulnerable machines.
- Topological scanning: an attacker uses information contained on the victim machine (an already-compromised host) in order to find new targets. New targets are found by looking for URLs of unaffected machines on the disk of the victim machine that it wants to infect. It then treats these URLs as targets and checks their vulnerability.
- Local subnet scanning: this type of scanning acts behind a firewall in an area (the soft targets) that is considered to be infected by the malicious scanning program. The compromised host looks for targets in its own campus wide local area network. It uses the information that is hidden in the private IP addresses generally used to configure any campus wide LAN of an academic institution. More specifically, a single copy of the scanning program runs behind a firewall and tries to break into all vulnerable machines that would otherwise be protected by the firewall. This mechanism can be used in conjunction with other scanning mechanisms: for example, a compromised host can start its scans with local subnet scanning, looking for vulnerable machines in its local network. As soon as it has probed all local machines, it can continue the probing process by switching to another scanning mechanism in order to scan machines outside the local network.
- Permutation scanning: all machines share a common pseudorandom permutation list of IP addresses constructed using a 32-bit block cipher with a preselected key [8].
A campus virtual community named Myclub2.com [11] is introduced through a case study which establishes and elaborates its design goals and value degree settings of network behaviour, and analyses users' initial motivation and induced motivation. The work also elaborates the setting mode and the function system of the incentive mechanism. Ramamoorthi et al. introduce an anomaly detection mechanism to detect DDoS attacks using an Enhanced Support Vector Machine (ESVM) with string kernels [12]. In this work normal user access behaviour attributes are used as training samples for the ESVM, which produces the model file. Application and network layer DDoS attacks are also classified in the work with the ESVM. Zhijun et al. describe two typical types of DDoS, Flood DDoS (FDDoS) and Low-rate DDoS (LDDoS) attacks [13]. Their experimental results show that FDDoS sends a large amount of traffic to the victim and is easy to detect, whereas LDDoS directs a small quantity of traffic to the victim and is difficult to detect. A scheme to counter application layer DDoS attacks and to schedule the flash crowd during DDoS attacks is introduced in [14]. In this scheme, an Access Matrix is defined to capture the access patterns of legitimate clients and of the normal flash crowd.

DDoS Attack Propagation
There are three groups of mechanisms for propagating malicious code and building attack networks [10]: central source propagation, back-chaining propagation and autonomous propagation. Their description is given in Table 1 (the graphical representation accompanying each mechanism in the original table is not reproduced here).

Table 1: Mechanisms for propagating malicious code and building attack networks

Central source propagation: After the discovery of the vulnerable victim, a toolkit request is sent and the attack toolkit is then transferred from a central source to the newly made victim. After the toolkit is transferred, an automatic installation of the attack tools takes place on this victim, controlled by a scripting mechanism.

Back-chaining propagation: The attack toolkit is transferred to the victim from the attacker. More specifically, the attack tools that are installed on the attacker include special methods for accepting a connection from the victim and sending it a file that contains the attack tools. This backchannel file copy can be supported by simple port listeners that copy file contents.

Autonomous propagation: The attacker transfers the attack toolkit to the victim at the exact moment that it breaks into that system. This mechanism differs from the previously mentioned mechanisms in that the attack tools are planted on the compromised host by the attackers themselves and not by an external file source.

DDoS Attack Methodology
A perpetrator of a DDoS attack attempts either an Internet Control Message Protocol (ICMP) flood or a SYN flood in a campus LAN. In ICMP flooding the Smurf attack, Ping flood and Ping of death are tried. A Smurf attack relies on misconfigured network devices that allow packets to be sent to all hosts on a particular network via the broadcast address of the network, rather than to a specific machine. The network then serves as a Smurf amplifier. In such an attack, the perpetrators send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim. Ping of death is based on sending the victim a malformed ping packet, which might lead to a system crash.
A SYN flood occurs when a host sends a flood of TCP SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to create a half-open connection by sending back a TCP SYN-ACK packet (acknowledgement) and waiting for a packet in response from the sender address (the response to the SYN-ACK packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends. The SYN flooding methodology is explained graphically in Fig 1. It is clear from Fig 1 that the perpetrator sends a series of SYN requests and receives SYN-ACKs without responding to them; half-open connections are thus created at the server side, exhausting all the ports that the server can open for providing service. This prevents a legitimate user from getting service from the server.

Fig 1: SYN Flooding

Methodology in Campus LAN
A DDoS attack in a campus LAN is confirmed when there is a severe flip-flop between the availability and non-availability of internet and intranet connectivity. Generally, as the campus LAN is heavily used by its users, a support and maintenance team is deployed to support and administer the campus LAN. In case of non-availability or any flip-flop as mentioned above, the team is informed and a call is registered regarding the unavailability of the services. The DDoS attack in a campus LAN can be confirmed through the mechanism given below: In support of the above we present our university case study report with snapshots in Fig 2 and Fig 3.

Fig 4: Report of ARP collected from firewall

Limiting DDoS
To mitigate the effect of the DDoS attack we apply the bandwidth limiting methodology by creating a separate rule for the affected VLAN. The screenshot of the Quality of Service (QoS) policy after application of the limiting rule is presented in Fig 5. We call the limiting rule "qos_bandwidth"; it is a policy based firewall rule, defined in Fig 5. The QoS policy type is Committed and it is implemented on Individual Upload/Download with priorities from "0" to "7", where "0" means the highest priority (applicable to VoIP, etc.) and "7" means the lowest priority (applicable to P2P, etc.). We apply the bandwidth limiting rule in the upload and download directions at 1024 Kb and 2048 Kb respectively, so that the flooding by the affected victims of the identified VLAN does not consume the entire bandwidth of the campus LAN. In Fig 6 we present the Port A bandwidth usage report taken from the firewall after applying the rule with the "qos_bandwidth" QoS policy. The figure clearly shows that the flooding of the campus LAN is restricted and that the received and transmitted bits which were choking the LAN bandwidth are removed. The snapshots given in Fig 7 clearly show the inbound traffic generated from private IPs only, which is the expected state of a campus LAN, as all users of the campus are configured with private IP addresses. The snapshot further elaborates the "Packets Received by the Firewall/filter" and the "Packets dropped by the Kernel of the Firewall". It can be seen from the figure that zero packets have been dropped by the kernel.
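To make concrete why a committed-rate rule on the affected VLAN keeps the rest of the campus LAN usable, the following example, which is our own addition and not the firewall's implementation or any code from the paper, models the "qos_bandwidth" policy as a pair of token buckets (one per direction, as in the Individual Upload/Download setting) and runs a constructed 24 Mbit/s flood of full-size frames through the download bucket. The 1024 Kb upload and 2048 Kb download limits are the paper's values, interpreted here as kbit/s; the token-bucket mechanism, the one-second burst allowance, the flood parameters and all class and function names are assumptions made for the illustration.

```python
# Constructed flood parameters (our choice, not from the paper).
PACKET_BITS = 1500 * 8      # one full-size Ethernet frame, in bits
FLOOD_PPS = 2000            # packets per second -> 24 Mbit/s offered load


class TokenBucket:
    """Committed-rate limiter: tokens (bits) accrue at rate_kbps up to a burst
    allowance of burst_kbits (default: one second's worth of the rate). A
    packet passes only if the bucket holds tokens for its whole size;
    otherwise it is dropped. This models the rule's effect, not the
    firewall's internal algorithm, which the paper does not describe."""

    def __init__(self, rate_kbps, burst_kbits=None):
        self.rate_bps = rate_kbps * 1000.0
        burst = rate_kbps if burst_kbits is None else burst_kbits
        self.capacity = burst * 1000.0
        self.tokens = self.capacity
        self.last_time = 0.0

    def allow(self, bits, now):
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


class VlanQosPolicy:
    """One policy per VLAN, limiting upload and download independently."""

    def __init__(self, name, upload_kbps, download_kbps):
        self.name = name
        self.upload = TokenBucket(upload_kbps)
        self.download = TokenBucket(download_kbps)

    def admit(self, direction, bits, now):
        bucket = self.upload if direction == "upload" else self.download
        return bucket.allow(bits, now)


def flood_packets(duration_s, pps=FLOOD_PPS, bits=PACKET_BITS):
    """Constructed flood: an evenly spaced stream of full-size packets,
    returned as (timestamp, size_in_bits) tuples."""
    return [(i / pps, bits) for i in range(int(duration_s * pps))]


def simulate(policy, direction, packets):
    """Run the packets through the policy; return {second: (offered, accepted)}
    in bits, so the offered flood and what actually passes can be compared."""
    per_second = {}
    for t, bits in packets:
        sec = int(t)
        offered, accepted = per_second.get(sec, (0, 0))
        if policy.admit(direction, bits, t):
            accepted += bits
        per_second[sec] = (offered + bits, accepted)
    return per_second


def steady_state_kbps(per_second):
    """Throughput that passes once the burst allowance is spent (the first
    second is skipped because it also drains the initially full bucket)."""
    secs = sorted(per_second)
    if len(secs) > 1:
        secs = secs[1:]
    return max(per_second[s][1] for s in secs) / 1000.0


if __name__ == "__main__":
    qos_bandwidth = VlanQosPolicy("qos_bandwidth", upload_kbps=1024, download_kbps=2048)
    result = simulate(qos_bandwidth, "download", flood_packets(3.0))
    for sec, (offered, accepted) in sorted(result.items()):
        print(f"second {sec}: offered {offered / 1e6:.2f} Mbit, passed {accepted / 1e6:.3f} Mbit")
    print("steady-state cap on the flooding VLAN: %.0f kbit/s" % steady_state_kbps(result))
```

With the rule in place the flooding VLAN can push at most roughly 2 Mbit/s of download (and 1 Mbit/s of upload) through the firewall regardless of how much it offers, which is the behaviour the Port A usage report in Fig 6 reflects: the remaining link capacity stays available to the other VLANs, while hosts inside the limited VLAN still get service at the committed rate rather than being cut off.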

ACKNOWLEDGMENTS
We extend our thanks to the Cyberoam Support Team at Ahmedabad, India.