A comprehensive study of distributed Denial-of-Service attack with the detection techniques

Received Oct 21, 2019 Revised Feb 2, 2020 Accepted Feb 10, 2020

With the dramatic evolution of networks nowadays, an equivalent growth of challenges has appeared in implementing and deploying such networks. One of the serious challenges is security, where a wide range of attacks threatens these networks. Denial-of-Service (DoS) is one of the common attacks that targets several types of networks, in which a huge amount of traffic is flooded into a specific server for the purpose of taking that server down. Many research studies have examined the simulation of networks in order to observe the behavior of DoS. However, the variety of its types hinders the process of configuring DoS attacks. In particular, Distributed DoS (DDoS) is considered to be the most challenging threat to various networks. Hence, this paper aims to accommodate a comprehensive simulation in order to characterize and detect DDoS attacks. Using the well-known NS-2 simulator, the experiments showed that different types of DDoS attack can be characterized, examined and detected. This implies the efficacy of the comprehensive simulation proposed by this study.


INTRODUCTION
Distributed denial of service (DDoS) is one of the common attacks within a wide range of networks, and the recognition and prevention of such attacks has always been a hot issue in network security research [1][2][3][4]. DDoS detection and defence systems have many shortcomings, such as a high false positive rate, low execution efficiency, and a lack of linkage between detection and defence [5][6][7]. Therefore, eliminating false positives, improving execution efficiency, and enhancing the linkage between the detection and defence processes have always been the focus of research [8][9][10][11][12].
With the diversity and different characteristics of DoS, the process of detecting such attacks still faces obstacles [13][14][15][16]. Şimşek & Şentürk [17] have proposed a method that analyzes the flow of data during the pre-congestion period. The authors assumed that low-rate distributed DoS is one of the hardest to detect because of its similarity to normal behavior. Therefore, the authors focused on the periods with no congestion in order to diagnose the features. The features extracted from such periods were incorporated into a new filtering approach for detecting DDoS attacks. Simulation results showed fair progress in characterizing DDoS attacks.
Bukharov et al. [18] have proposed a game-based method for simulating DoS attacks. The proposed method uses a scenario in which the intruder is lured in order to gain information about his real intentions. Simulation results showed that the proposed method is able to detect a wide range of DoS attacks. Wang et al. [19] have proposed a DoS detection method based on honeynet technology. The proposed method observes and analyzes the characteristics of every behavior in order to detect specific patterns, and then aims at detecting those patterns that might correspond to DoS attacks. Simulation results showed progress in detecting DoS attacks. Mohd et al. [20] have examined the distributed DoS that might occur on Internet of Things (IoT) networks. The authors used OMNET++ to create a virtual environment that simulates IoT networks, and during this simulation they characterized several DDoS attacks. As can be seen from the literature, the examination of DoS attacks is still a challenging task, since a wide range of such attacks is encountered, especially with the variety of networks nowadays. Therefore, this paper aims to accommodate a comprehensive simulation to examine the types of DoS, as well as attempting to detect these attacks.

RESEARCH METHOD
One of the most serious problems is DDoS, and many defenses have been proposed to address this threat. In order to compare and evaluate these solutions, a common evaluation platform is required. The methodology of this paper consists of three parts: a typical attack scenario, described by the dimensions of the attack, the legitimate traffic and the target network resources; testing criteria that capture the performance metrics affected by the effectiveness of attacks and defenses; and the procedure composed of these. In order to do so, the following steps have been applied:

- Detect and filter one-way legitimate traffic from traffic identified as a possible attack.
- Detect the attack using multiple detection criteria.
- Separate legitimate traffic from attack traffic.
- Finally, extract attack samples from the attack traffic, summarize the attack features in a human-readable and a machine-readable form, and facilitate the application of clustering methods. This makes it easy to collect attack samples from many public traces.

All of these steps are automated by a series of tools. Figure 1 shows the simulation process applied to attack cases requiring more attackers and usage scenarios. In our simulation methodology we follow these steps:

- First step: create a network topology with an NS-2 Tcl script for each attack.
- Second step: attach the legitimate traffic records to the topology nodes to generate legitimate traffic. After that, real-time attack traces are attached to the topology to generate attack traffic. These attack records are analyzed. Then the simulation is run again, all traffic is monitored, and an offline analysis is performed. The output trace file is then used to measure the attack.

The simulation topology used for this experiment contains a legitimate client pool with various nodes that are used to generate legitimate traffic. To generate legitimate traffic, real-time traces are used. With these traces, the nodes generate TCP traffic.
The attacker uses UDP traffic to launch the attack. The purpose of the attack is to consume the bandwidth of the bottleneck link so that legitimate traffic cannot get its packets through. Each simulation run lasts 2 seconds. Legitimate traffic is based on TCP, so it goes through the slow-start phase. The total number of legitimate clients in the legitimate client pool is 8. The total traffic load and the bottleneck bandwidth represent the scenario of a busy connection.
In our experiments, legitimate traffic is generated using real-time traces. The legitimate traffic is based on TCP. Here we have considered 13 legitimate clients that want to communicate with the TCP Sink node. Real-time data sets are again used to generate the DDoS attacks. The amount and complexity of traffic in the records is very high and very difficult to understand. The traces used to create an attack are stored in the NS-2 ".tr" trace format. Some results are plotted with gnuplot; other extracted information is passed to Excel to produce the graphical results.
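The offline analysis step described above (measuring the attack from the output trace and separating legitimate from attack traffic in a machine-readable summary) can be scripted directly in Tcl, the language NS-2 already ships with. The following is an added example, not a tool from the paper or from the NS-2 project: the trace lines are constructed in the NS-2 wired trace format (event, time, from, to, type, size, flags, flow id, src, dst, seq, packet id), and the sink node id and the attack flow id are assumptions for this illustration.

```tcl
# Added example (not the paper's own tool): offline analysis of an NS-2 ".tr"
# trace to measure the attack and separate legitimate from attack traffic.
# The trace lines below are constructed in the NS-2 wired trace format
#   event time from to type size flags fid src dst seq pktid
# and the sink node id and attack flow id are assumptions for this example.
set sink_node 1
set attack_fid 2

# Constructed excerpt: flow 1 is legitimate TCP, flow 2 is the UDP/CBR flood.
set sample_trace {
+ 0.500 0 1 tcp 1040 ------- 1 2.0 1.0 0 0
r 0.520 0 1 tcp 1040 ------- 1 2.0 1.0 0 0
+ 0.600 0 1 cbr 1000 ------- 2 3.0 1.0 0 1
+ 0.604 0 1 cbr 1000 ------- 2 3.0 1.0 1 2
+ 0.608 0 1 tcp 1040 ------- 1 2.0 1.0 1 3
d 0.608 0 1 tcp 1040 ------- 1 2.0 1.0 1 3
r 0.620 0 1 cbr 1000 ------- 2 3.0 1.0 0 1
r 0.628 0 1 cbr 1000 ------- 2 3.0 1.0 1 2
+ 0.700 0 1 tcp 1040 ------- 1 2.0 1.0 2 4
d 0.700 0 1 tcp 1040 ------- 1 2.0 1.0 2 4
}

# Accumulate per-flow counters: bytes received at the sink, packets dropped,
# packet type and the first/last timestamps seen for that flow.
proc analyze_trace {trace sink} {
    array set stats {}
    foreach line [split $trace "\n"] {
        set f [regexp -all -inline {\S+} $line]
        if {[llength $f] < 12} { continue }
        lassign $f ev t from to type size flags fid src dst seq pktid
        if {![info exists stats($fid,recv)]} {
            set stats($fid,recv) 0
            set stats($fid,drop) 0
            set stats($fid,type) $type
            set stats($fid,first) $t
        }
        set stats($fid,last) $t
        if {$ev eq "r" && $to == $sink} {
            incr stats($fid,recv) $size
        } elseif {$ev eq "d"} {
            incr stats($fid,drop)
        }
    }
    return [array get stats]
}

# Print one machine-readable CSV line per flow, labelled legitimate or attack.
proc report {stats_list attack_fid} {
    array set stats $stats_list
    set fids {}
    foreach key [array names stats *,recv] {
        lappend fids [lindex [split $key ,] 0]
    }
    puts "fid,type,class,kbit_per_s_delivered,drops"
    foreach fid [lsort -integer $fids] {
        set span [expr {$stats($fid,last) - $stats($fid,first)}]
        set kbps [expr {$span > 0 ? 8.0 * $stats($fid,recv) / $span / 1000.0 : 0.0}]
        set class [expr {$fid == $attack_fid ? "attack" : "legitimate"}]
        puts [format "%s,%s,%s,%.1f,%d" $fid $stats($fid,type) $class $kbps $stats($fid,drop)]
    }
}

report [analyze_trace $sample_trace $sink_node] $attack_fid
```

On the constructed excerpt the legitimate flow delivers 1040 bytes over 0.2 s (41.6 kbit/s) with two drops while the flood delivers its packets without loss, which is the signature of a bottleneck being consumed; on a real trace replace `$sample_trace` with the contents of the ".tr" file read via `open`/`read`, and the CSV output is what gnuplot or Excel would consume.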

Simulation
The simulator used in this paper was the NS2 simulator. Network Simulator Version 2, widely known as NS2, is an event-driven simulation tool that is useful in studying the dynamic nature of communication networks [21]. The cost of building a real distributed testing environment is very high. Simulation is an important method in network research, as it can be used to analyze network-related problems under different protocols, cross traffic and topologies at much lower cost [22][23][24]. The most well-known network simulator is NS2. NS2 covers a large number of applications, protocols, network types, network elements and traffic models. Therefore, we use the NS2 simulator for this study. Simulation of wired as well as wireless network functions and protocols (e.g., routing algorithms, TCP, UDP) can be done using NS2. In general, NS2 provides users with a way of specifying such network protocols and simulating their corresponding behaviors. Due to its flexibility and modular nature, NS2 has gained constant popularity in the networking research community.
At the simulation level, NS-2 uses the OTcl (Object-Oriented Tool Command Language) programming language to interpret user simulation scripts [25]. The OTcl language is an object-oriented extension of the Tcl language. At the top level, NS is the interpreter for the user's Tcl script. The OTcl front end is coupled to the simulator's C++ implementation.
NS creates two main analysis outputs simultaneously while interpreting the OTcl script. One of them is the Network Animator (NAM) trace, which drives the visual animation of the simulation. The other is the trace file, which records the behavior of all objects in the simulation. NS projects are usually shipped with various software packages (ns, nam, tcl, otcl, etc.) referred to as an "all-in-one package," but they can also be found and downloaded separately. This study used the stable ns 2.15 all-in-one package installed on the Red Hat Enterprise Linux 5 operating environment. The simulation ".tcl" script was written with a text editor and parsed by ns, which produced the ".tr" trace file. Figure 2 shows the flowchart of the simulation.

Simulation models
Mobility models describe the movement of nodes and the connections between them in the LAN and WLAN within the simulation space. In the WLAN, the model used for simulation is the Random Waypoint mobility model. In this model a node moves from one waypoint to the next with a randomly chosen speed (uniformly distributed between 0 and 20 m/s). A speed and a duration are chosen for each transition. When the transition period ends, the node may pause for a chosen period of time before beginning its transition towards the next waypoint. The nodes in the simulation move according to the "random waypoint" model within a rectangular field. Mobility models were created for the simulations using 31 nodes, a maximum speed of 20 m/s, a topology boundary of 1000 × 1000 and a simulation time of 50 s.
The instructions for running the simulation are as follows:

- For a given scenario, write a Tcl script and simulate it with ns2.
- The trace file and the NAM file are created while the Tcl script executes for each scenario.
- Create a finish procedure.
- Create the nodes that form the specific topology; in the experiments each scenario has its own number of nodes.
- Create the connections between nodes: waypoints to represent wireless connections, or links to connect the nodes in the LAN.
- Set up the LAN by specifying the nodes and assigning bandwidth, delay, queue type and channel.
- Specify the protocols for sending messages or packets, such as TCP and/or UDP connection(s) and the FTP/CBR applications.
- Schedule the events: simulation start and stop, data transmission start and stop.
- Call the finish procedure at the time at which the simulation ends.
- Execute the script with ns.

Tables 1 and 2 show the hyper-parameters and the parameters of the simulation respectively.
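The steps above, together with the scenario described in the research method (a pool of legitimate TCP clients, one UDP attacker, and a bottleneck link the flood is meant to saturate), correspond to an NS-2 OTcl script of the following shape. This is an added example, not the paper's own script: the node count, link bandwidths and delays, queue limit, CBR rate and event times are assumptions chosen for illustration and should be replaced with the values in Tables 1 and 2.

```tcl
# Added example (not the paper's own script): an NS-2 OTcl scenario that
# follows the steps above. Node count, link parameters, rates and times are
# assumptions chosen for illustration; adjust them to Tables 1 and 2.
set ns [new Simulator]

# Trace (".tr") and NAM files are created while the script executes.
set tracefd [open ddos_out.tr w]
$ns trace-all $tracefd
set namfd [open ddos_out.nam w]
$ns namtrace-all $namfd

# Finish procedure: flush traces and close files at the scheduled end time.
proc finish {} {
    global ns tracefd namfd
    $ns flush-trace
    close $tracefd
    close $namfd
    puts "simulation finished; trace in ddos_out.tr"
    exit 0
}

# Colours used by NAM: flow id 1 = legitimate TCP, flow id 2 = UDP flood.
$ns color 1 Blue
$ns color 2 Red

# Nodes: legitimate client pool, one attacker, a router and the TCP sink.
set num_clients 8                  ;# assumed: size of the legitimate client pool
set router [$ns node]
set sink_node [$ns node]
set attacker [$ns node]
for {set i 0} {$i < $num_clients} {incr i} {
    set client($i) [$ns node]
}

# LAN links with bandwidth, delay and queue type; the router-to-sink link is
# the bottleneck that the flood is meant to saturate.
foreach i [array names client] {
    $ns duplex-link $client($i) $router 10Mb 5ms DropTail
}
$ns duplex-link $attacker $router 10Mb 5ms DropTail
$ns duplex-link $router $sink_node 1Mb 20ms DropTail
$ns queue-limit $router $sink_node 20

# Legitimate traffic: TCP agents with FTP sources, all towards one TCPSink.
set sink [new Agent/TCPSink]
$ns attach-agent $sink_node $sink
for {set i 0} {$i < $num_clients} {incr i} {
    set tcp($i) [new Agent/TCP]
    $tcp($i) set fid_ 1
    $ns attach-agent $client($i) $tcp($i)
    $ns connect $tcp($i) $sink
    set ftp($i) [new Application/FTP]
    $ftp($i) attach-agent $tcp($i)
    $ns at 0.1 "$ftp($i) start"
}

# Attack traffic: constant-bit-rate UDP at more than the bottleneck capacity.
set udp [new Agent/UDP]
$udp set fid_ 2
$ns attach-agent $attacker $udp
set null [new Agent/Null]
$ns attach-agent $sink_node $null
$ns connect $udp $null
set cbr [new Application/Traffic/CBR]
$cbr attach-agent $udp
$cbr set packetSize_ 1000
$cbr set rate_ 2Mb                 ;# assumed: twice the 1Mb bottleneck

# Event schedule: the flood starts after TCP slow start; the run ends at 2 s.
$ns at 0.5 "$cbr start"
$ns at 1.8 "$cbr stop"
$ns at 2.0 "finish"
$ns run
```

Run it with `ns script.tcl`; the 2-second end time matches the simulation length given in the research method, and the resulting `ddos_out.tr` is the trace that the offline analysis consumes.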

RESULTS AND ANALYSIS
To analyse the performance of the NS-2 simulator, five simulation cases were carried out. The first simulation is of TCP traffic, the second of a TCP flood, the third of a TCP SYN flood, the fourth of an ICMP flood and the fifth of spoofing.

Simulation result of TCP traffic
A hierarchical design is implemented to create the wireless scenario and the local area network scenario. This design includes a root node and 3 to 4 cluster sub-networks, depending on the attack, as shown in the next section. Every cluster includes mobile nodes. The hierarchical design also uses a private addressing scheme. A pool of private addresses is used to distribute a private address to every node in each cluster. At the beginning of the simulation an address is picked from the address pool and assigned to the current node. When a cluster node wants to communicate with a node that resides in another cluster, all the traffic flows through the root node. Within a cluster, nodes communicate directly without forwarding traffic to the gateway.
The hierarchical design is used in the implementation because the attacker node wants to attack the node through which most of the network traffic flows. In this scenario, most network traffic flows through the root node. As can be seen in Figure 3, after running the DDoS attack simulation, at 222.0 ms the attack starts sending packets from the attacking nodes to the yellow node, which represents the victim computer or server. After a while, because of the huge number of packets sent, the server stops (is killed) and cannot receive any requests from any computer, as shown in the graph in Figure 4. As far as the topology is concerned, there are only two data connections between clusters for the purpose of the experiment: one from cluster 15 to 16 and another from 6, 7, 8 to 9, as shown in Figure 5.

Simulation result of TCP flood
In this section a scenario for each DDoS attack is simulated. Some of the topologies are wireless and others WLAN. The simulation scenario of this type of attack consists of 5 groups, each with 7 nodes:

Num_nodes = num_group * num_size
So, the number of nodes is 5 × 7 = 35. Message port 42 is used to send messages from one cluster to another; every agent keeps track of the messages it has seen and only forwards those it has not seen before. This demonstration also includes a server and a TCP backlog queue. The TCP backlog queue is used to hold a packet's request until it receives its final acknowledgement or until its lifetime expires. First the client sends a SYN packet request to the server. Once the server receives the packet, it sends a SYN-ACK packet back to the sender node. The client's request is held in the TCP backlog queue. As soon as the client receives the SYN-ACK, it replies to the server with a SYN-ACK-ACK (the final acknowledgement). The server receives the client's SYN-ACK-ACK and a connection to the server is established. The client's initial request is removed from the TCP backlog queue. The process continues in this same manner whenever a new request arrives. Each message is of the form "ID: DATA", where ID is an arbitrary message identifier and DATA is the payload. In order to reduce memory usage, the agent stores only the message ID, as shown in Figure 6.

Simulation result of SYN TCP flood
The SYN flood attack demonstrates the two-way acknowledgement. This demonstration exhibits how an actual SYN flood attack happens and what happens during that period of time. The topology includes 35 nodes; node 0 is the server. Two nodes, colored red, represent the victims. The server is the targeted node; its DropTail queue (the TCP backlog queue) stores all received SYN requests with their IP addresses. The wait time is the lifetime of every packet since it was received by the server while the server waits for the final acknowledgement from the sender. During the SYN flood attack, a mix of attackers and normal computers begin to make requests to establish a connection to the server. The attackers start sending out a large number of half-open SYN packets, using a spoofed source IP address, to request a connection to the server. The attacker's SYN request packet is colored BLACK. Once the server receives the request, it sends a SYN-ACK to the spoofed IP address and waits for a response that it will never receive. The packet color changes to YELLOW. Every request is kept in the TCP backlog queue and expires once its wait time runs out. For this demo the wait time is shown next to every packet request in the TCP backlog queue. At the same time, the regular computers begin making requests to connect to the server as well. The TCP backlog queue becomes full, since requests arrive faster than the server can process them. At this point a trash bin and a lock appear. The lock represents that the TCP backlog queue is full, so no new SYN requests can be accepted. The trash bin represents some of the packets being dropped. It shows access being denied because the TCP backlog queue is full.
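The backlog-queue behaviour described in the TCP flood and SYN flood sections (a fixed-capacity queue of half-open requests, each removed either by the final acknowledgement or by the expiry of its wait time, and a "lock" when the queue is full) can be written as a small discrete-event model. The following is an added example, not the paper's demo code: the queue capacity, the arrival times, the RTT of legitimate clients and the alert threshold are assumptions, and the addresses are constructed; the 32-second wait time is the value used in the paper's demonstration.

```tcl
# Added example (not the paper's demo code): a discrete-event model of the
# TCP backlog queue described above. Queue capacity, arrival times, RTT and
# the alert threshold are assumptions; the 32-second wait time is the value
# used in the paper's demonstration.
set backlog_capacity 4
set wait_time 32.0
set rtt 0.05

# arrivals: list of {time source spoofed}. A legitimate source sends the
# final ACK one RTT after its SYN; a spoofed source never answers.
proc simulate_backlog {arrivals capacity wait_time rtt} {
    set backlog {}                               ;# list of {syn_time source}
    array set c {accepted 0 dropped 0 established 0 expired 0}
    set events {}
    foreach a $arrivals {
        lassign $a t src spoofed
        lappend events [list $t syn $src]
        if {!$spoofed} { lappend events [list [expr {$t + $rtt}] ack $src] }
    }
    foreach ev [lsort -real -index 0 $events] {
        lassign $ev t kind src
        # First retire half-open entries whose wait time has run out.
        set kept {}
        foreach e $backlog {
            if {$t - [lindex $e 0] >= $wait_time} {
                incr c(expired)
            } else {
                lappend kept $e
            }
        }
        set backlog $kept
        if {$kind eq "syn"} {
            if {[llength $backlog] >= $capacity} {
                incr c(dropped)                  ;# the "lock": queue is full
            } else {
                lappend backlog [list $t $src]
                incr c(accepted)
            }
        } else {
            # Final ACK: the matching half-open entry leaves the queue.
            set idx [lsearch -exact -index 1 $backlog $src]
            if {$idx >= 0} {
                set backlog [lreplace $backlog $idx $idx]
                incr c(established)
            }
        }
    }
    set c(half_open_left) [llength $backlog]
    return [array get c]
}

# Detection heuristic: the share of accepted SYNs that expire without ever
# completing the handshake. Legitimate load completes; a flood does not.
proc syn_flood_suspected {counters threshold} {
    array set c $counters
    if {$c(accepted) == 0} { return 0 }
    return [expr {double($c(expired)) / $c(accepted) >= $threshold}]
}

# Constructed scenario: four spoofed SYNs fill the queue, two legitimate
# clients are refused, and a third legitimate client succeeds after expiry.
set arrivals {
    {0.00  198.51.100.1 1}
    {0.01  198.51.100.2 1}
    {0.02  198.51.100.3 1}
    {0.03  198.51.100.4 1}
    {0.05  192.0.2.10   0}
    {0.50  192.0.2.11   0}
    {32.10 192.0.2.12   0}
}
set counters [simulate_backlog $arrivals $backlog_capacity $wait_time $rtt]
puts $counters
puts "SYN flood suspected: [syn_flood_suspected $counters 0.5]"
```

With these inputs the model reports 5 accepted, 2 dropped, 4 expired and 1 established, so four out of five accepted requests never completed and the indicator fires. The same counters are what a server-side monitor would derive from its listen queue; a low expiry ratio under heavy but legitimate load is what distinguishes a busy server from one under a SYN flood.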
Once the wait time of every packet, which is 32 seconds for this demonstration, runs out, the SYN packet is removed from the TCP backlog queue. New incoming packets are then accepted, as shown in Figure 7. Ping enables a node to verify that an IP address exists and accepts requests. Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the network and waiting for a reply. After executing the code, the following output is shown:

- Node 1 received ping answer from 4.
- Node 2 received ping answer from 5.
- Node 3 received ping answer from 6.
- Node 4 received ping answer from 1.
- Node 5 received ping answer from 2.
- Node 6 received ping answer from 3.
- No packets have been dropped.
After each node gets its ping answer, there are no packets dropped, since there is a direct connection between all pairs of nodes via node 0. Figure 8 depicts the aforementioned nodes. Therefore this is usually not a good option. Using a simple algorithm in the victim's router to check the size of the packets, any packet larger than 1500 bytes has its source IP blocked for 30 minutes.
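The router rule stated above (block the source IP of any packet larger than 1500 bytes for 30 minutes) is shown below as an added example; it is not code from the paper. The packet samples and the addresses are constructed, and the rule is applied at the packet timestamps so that the expiry of the block is visible.

```tcl
# Added example (not from the paper): the victim-router rule stated above,
# which blocks the source IP of any packet larger than 1500 bytes for 30
# minutes. The packet samples and IP addresses are constructed.
set max_size 1500
set block_seconds 1800

# blocked(ip) holds the time at which that source's block expires.
array set blocked {}

# Returns "forward", "drop" (source currently blocked) or "block" (new
# violation: the packet is dropped and its source is blocked from now on).
proc filter_packet {now src size} {
    global blocked max_size block_seconds
    if {[info exists blocked($src)]} {
        if {$now < $blocked($src)} {
            return drop
        }
        unset blocked($src)            ;# the 30 minutes have elapsed
    }
    if {$size > $max_size} {
        set blocked($src) [expr {$now + $block_seconds}]
        return block
    }
    return forward
}

# Constructed packets: {time_seconds source_ip size_bytes}.
set packets {
    {0    10.0.0.5  64}
    {1    10.0.0.9  4000}
    {2    10.0.0.9  64}
    {3    10.0.0.5  1500}
    {1800 10.0.0.9  64}
    {1801 10.0.0.9  64}
}
foreach p $packets {
    lassign $p t src size
    puts [format "t=%5d %-10s %5d bytes -> %s" $t $src $size [filter_packet $t $src $size]]
}
```

The 4000-byte packet at t=1 blocks 10.0.0.9 until t=1801, so its 64-byte packet at t=1800 is still dropped and the one at t=1801 is forwarded again; a packet of exactly 1500 bytes is not over the threshold and passes. One caveat a practitioner should keep in mind, which the spoofing section below also bears on: the rule keys on the source address as written in the packet, so a forged source causes the block to land on the address that was forged rather than on the sender.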

Simulation result of spoofing
A spoofing attack is a situation in which an attacker successfully masquerades as another node by falsifying data and thereby gains an illegitimate advantage. This attack consists in targeting routing data while it is being exchanged: creating routing loops, attracting or diverting network traffic from selected nodes, extending and shortening source routes, generating fake error messages, partitioning the network, etc. In the simulated scenario the attacker transmits bursts of duration L at rate R in a deterministic on-off pattern with period T. When the rate R combined with the existing traffic exceeds the link capacity, loss is incurred. Each simulation run is seen as in Figure 9, with the attacking node shown as the red node and the genuine nodes in black. The nodes were initially simulated between two extremes of 7 nodes and 20 nodes and progressively increased within that range during the stress-testing phase of the project. By setting the burst duration L to be longer than the RTT of the flows and the period T to be slightly longer than the minimum RTO value, TCP flows can be forced to time out repeatedly, thus obtaining virtually zero throughput. After executing the Tcl code, three extra files are generated; the file named ICMP with the .tr extension is used to generate the xgraph plot shown in Figure 10. To sum up, this study has successfully accomplished its objectives: a comprehensive simulation has been conducted in order to highlight these attacks.
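The on-off pattern above (bursts of length L at rate R every T seconds, with L > RTT and T just above the minimum RTO) is the low-rate TCP-targeted attack studied by Kuzmanovic and Knightly; its average rate stays well under the link capacity, so a threshold on the mean rate does not see it. The following added example, not code from the paper, writes the two conditions in the text with the paper's symbols and then shows the detection-side check a monitor would use instead: looking for overload episodes that recur with a spacing close to the minimum RTO. Link capacity C, the background load, the RTT and the minimum RTO are assumptions for the illustration (rates in Mbit/s, times in seconds).

```tcl
# Added example (not the paper's code): the on-off attack pattern described
# above, written with the paper's symbols L (burst length), R (burst rate)
# and T (period). Link capacity C, background load, RTT and minimum RTO are
# assumptions chosen for illustration (rates in Mbit/s, times in seconds).
set L 0.15
set R 1.5
set T 1.1
set C 1.0
set background 0.6
set rtt 0.1
set min_rto 1.0

# Conditions stated in the text: loss while R + background exceeds C, and
# repeated TCP timeouts when additionally L > RTT and T is just above min RTO.
proc shrew_assessment {L R T C background rtt min_rto} {
    set overload [expr {$R + $background > $C}]
    set forces_timeout [expr {$overload && $L > $rtt && $T >= $min_rto && $T <= 1.5 * $min_rto}]
    set avg_rate [expr {$background + $R * $L / $T}]
    return [list overload $overload forces_timeout $forces_timeout \
                 average_rate $avg_rate duty_cycle [expr {$L / $T}]]
}

# Offered load on the link sampled every `step` seconds over `horizon` seconds.
proc on_off_load {L R T background horizon step} {
    set samples {}
    set n [expr {int($horizon / $step)}]
    for {set i 0} {$i < $n} {incr i} {
        set t [expr {$i * $step}]
        set on [expr {fmod($t, $T) < $L}]
        lappend samples [list $t [expr {$on ? $R + $background : $background}]]
    }
    return $samples
}

# Detection side: the mean rate stays under C, so a threshold on the mean
# misses the attack. Instead measure the spacing between overload episodes.
proc burst_period {samples C} {
    set starts {}
    set prev 0
    foreach s $samples {
        lassign $s t rate
        set over [expr {$rate > $C}]
        if {$over && !$prev} { lappend starts $t }
        set prev $over
    }
    if {[llength $starts] < 2} { return 0.0 }
    set total 0.0
    for {set i 1} {$i < [llength $starts]} {incr i} {
        set total [expr {$total + [lindex $starts $i] - [lindex $starts [expr {$i - 1}]]}]
    }
    return [expr {$total / ([llength $starts] - 1)}]
}

# Flag when overload recurs with a period close to the minimum RTO.
proc shrew_suspected {samples C min_rto} {
    set p [burst_period $samples $C]
    return [expr {$p >= $min_rto && $p <= 1.5 * $min_rto}]
}

puts [shrew_assessment $L $R $T $C $background $rtt $min_rto]
set samples [on_off_load $L $R $T $background 10.0 0.01]
puts "burst period: [burst_period $samples $C] s"
puts "low-rate attack suspected: [shrew_suspected $samples $C $min_rto]"
```

With these parameters the bursts overload the 1 Mbit/s link while the average offered rate is only about 0.80 Mbit/s, and the measured spacing between overload episodes is 1.1 s, just above the assumed minimum RTO, which is exactly the regime the text describes. On a real deployment the per-interval rates would come from the trace or from interface counters rather than from `on_off_load`.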

CONCLUSION
This paper has conducted a comprehensive simulation in order to characterize and detect DDoS attacks. Using the NS-2 simulator, the experiments showed that different types of DDoS attack can be characterized, examined and detected. This implies the efficacy of the comprehensive simulation proposed by this study. For future research, examining specific networks such as IoT in terms of configuring DDoS would be a great opportunity.