ddosdaps4web: A DDoS Detection and Protection Method for the Web

Every protection begins with detection. Distributed denial of service (DDoS) attacks deny the services provided by networks or computers by subjecting them to heavy load. Despite today's advances in computer software and hardware, a short period of time is enough for DDoS attacks to achieve their malicious effects. For this reason, a real-time detection and protection system is needed in order to prevent DDoS attacks. Traditional network-based protection systems cannot provide security against application layer DDoS attacks. In this study, a DDoS detection and protection system named ddosdaps4web is proposed to detect HTTP-based DDoS attacks and protect the system. ddosdaps4web makes use of three services: (1) a storage service that stores all HTTP requests and extracts information from the request headers for detailed analysis, (2) a monitoring service that runs every minute and detects malicious requests according to predefined request limits, and (3) an interceptor service that intercepts all incoming requests and blocks the malicious ones according to the constructed rules. ddosdaps4web was tested on 10000 randomly generated HTTP requests, and its DDoS detection accuracy was found to be 94%.

ddosdaps4web: DDoS Detection And Protection System For Web

Protection starts with detection. Distributed denial of service (DDoS) attacks flood networks or computers in order to deny their services. Due to advances in modern computers in terms of hardware and software, a small amount of time is enough for such attacks to complete their malicious actions. Therefore, real-time detection and protection are required in order to prevent DDoS attacks. Traditional network-based protection systems are not able to provide security against application layer DDoS attacks. In this paper, we propose a DDoS detection and protection system named ddosdaps4web in order to detect HTTP-based DDoS attacks and protect the system from them. ddosdaps4web uses three services: (1) the storage service stores all HTTP requests and extracts information from request headers for further analysis, (2) the monitoring service runs every minute to detect malicious requests through predefined request limits and constructs rules in order to prevent current and upcoming attacks, and (3) the interceptor service filters all incoming requests to eliminate malicious ones through the constructed rules. ddosdaps4web is evaluated on 10000 randomly generated HTTP requests, and its accuracy is calculated as 94%.
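The abstract describes the three services but not how they exchange data or what the request limits and rules look like. The following is an added illustration, not code from the paper or the ddosdaps4web project: an in-process sketch in which the storage service keeps parsed request records, the monitoring service runs over the last minute and turns every client exceeding a predefined per-minute limit into a block rule with an expiry time, and the interceptor drops requests matching a live rule. The limit of 100 requests per minute, the 600-second rule lifetime, the rule format (one rule per client IP) and the sample traffic are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RequestRecord:
    """One stored HTTP request with the header fields extracted for analysis."""
    ts: float          # arrival time in seconds
    client_ip: str
    method: str
    path: str
    user_agent: str


class StorageService:
    """Stores every HTTP request and pulls analysis fields out of its headers."""

    def __init__(self) -> None:
        self.records: List[RequestRecord] = []

    def store(self, ts: float, client_ip: str, request_line: str,
              headers: Dict[str, str]) -> RequestRecord:
        method, path = request_line.split(" ")[:2]
        # HTTP header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        rec = RequestRecord(ts, client_ip, method, path, lowered.get("user-agent", ""))
        self.records.append(rec)
        return rec

    def window(self, now: float, seconds: float = 60.0) -> List[RequestRecord]:
        """Requests that arrived in the half-open interval [now - seconds, now)."""
        return [r for r in self.records if now - seconds <= r.ts < now]


class MonitoringService:
    """Runs once per minute: any client whose request count in the last minute
    exceeds the predefined limit becomes a block rule with an expiry time."""

    def __init__(self, storage: StorageService,
                 limit_per_minute: int = 100, rule_ttl: float = 600.0) -> None:
        self.storage = storage
        self.limit = limit_per_minute      # assumed limit, not the paper's value
        self.rule_ttl = rule_ttl           # assumed rule lifetime in seconds

    def run(self, now: float) -> Dict[str, float]:
        counts = Counter(r.client_ip for r in self.storage.window(now))
        return {ip: now + self.rule_ttl for ip, n in counts.items() if n > self.limit}


class InterceptorService:
    """Sits in front of the application and drops requests matching a live rule."""

    def __init__(self) -> None:
        self.rules: Dict[str, float] = {}   # client_ip -> rule expiry timestamp

    def add_rules(self, rules: Dict[str, float]) -> None:
        self.rules.update(rules)

    def allow(self, now: float, client_ip: str) -> bool:
        expiry = self.rules.get(client_ip)
        if expiry is None:
            return True
        if now >= expiry:          # expired rules are purged lazily
            del self.rules[client_ip]
            return True
        return False


def constructed_traffic(start: float) -> List[tuple]:
    """Constructed sample minute: three ordinary clients at 20 req/min and one
    flooding client at 300 req/min. Tuples are (ts, ip, request_line, headers)."""
    traffic = []
    for i in range(20):
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            traffic.append((start + i * 3.0, ip, "GET /index.html HTTP/1.1",
                            {"User-Agent": "Mozilla/5.0"}))
    for i in range(300):
        traffic.append((start + i * 0.2, "203.0.113.7", "GET /search?q=x HTTP/1.1",
                        {"user-agent": "python-requests/2.0"}))
    return traffic


def simulate() -> dict:
    """Store one minute of traffic, run the monitor, then filter the next minute."""
    storage, interceptor = StorageService(), InterceptorService()
    monitor = MonitoringService(storage, limit_per_minute=100)
    for ts, ip, line, hdrs in constructed_traffic(0.0):
        storage.store(ts, ip, line, hdrs)
    rules = monitor.run(now=60.0)
    interceptor.add_rules(rules)
    # Second minute: the same clients return; only the flooding IP is dropped.
    verdicts: Counter = Counter()
    for ts, ip, _, _ in constructed_traffic(60.0):
        verdicts["allowed" if interceptor.allow(ts, ip) else "blocked"] += 1
    return {"rules": rules, "allowed": verdicts["allowed"], "blocked": verdicts["blocked"],
            "after_ttl": interceptor.allow(60.0 + 600.0, "203.0.113.7")}


if __name__ == "__main__":
    print(simulate())
```

Two details matter in practice: the monitoring window is half-open so that a request on a minute boundary is counted in exactly one run, and rules carry an expiry so that a shared or reassigned address is not blocked indefinitely once the flood stops.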
