An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

  • Authors:

  • Anjali Sardana;Ramesh Joshi

  • Affiliations:

  • Indian Institute of Technology, Roorkee, Uttarakhand 247 667, India;Indian Institute of Technology, Roorkee, Uttarakhand 247 667, India

  • Venue:
  • Computer Communications
  • Year:
  • 2009

Quantified Score

Hi-index 0.24

Visualization

Abstract

Distributed Denial of Service (DDoS) attacks generate flooding traffic from multiple sources towards selected nodes. Diluted low rate attacks lead to graceful degradation while concentrated high rate attacks leave the network functionally unstable. Previous approaches to such attacks have reached to a level where survivable systems effort to mitigate the effects of these attacks. However, even with such reactive mitigation approaches in place, network under DDoS attack becomes unstable and legitimate users in the network suffer in terms of increased response times and frequent network failures. Moreover, the Internet is dynamic in nature and the topic of automated responses to attacks has not received much attention. In this paper, we propose a proactive approach to DDoS in form of integrated auto-responsive framework that aims to restrict attack flow reach target and maintain stable network functionality even under attacked network. It combines detection and characterization with attack isolation and mitigation to recover networks from DDoS attacks. As first line of defense, our method uses high level specifications of entropy variations for legitimate interactions between clients and servers. The network generates optimized entropic detectors that monitor the behavior of flows to identify significant deviations. As the second line of defense, malicious flows are identified and directed to isolated zone of honeypots where they cannot cause any further damage to the network and legitimate flows are directed to a randomly selected server from pool of replicated servers. This approach leads the attacker to believe that they are succeeding in their attack, whereas in reality they are simply wasting time and resources. Service replication and attack isolation alone are not sufficient to mitigate the attacks. Limited network resources must be judiciously used when an attack is underway. Further, as third line of defense, we propose a Dynamic Honeypot Engine (DHE) modeled as a part of Honeypot Controller (HC) module that triggers the automatic generation of adequate nodes to service client requests and required number of honeypots that interact with attackers in contained manner. This load balancing in the network makes it attack tolerant. Legitimate clients, depending upon their trust levels built according to their monitored statistics, can track the actual servers for certain time period. Attack flows reaching honeypots are logged by Honeypot Data Repository (HDR). Most severe flows are punished by starting honeypot back propagation sessions and filtering them at the source as the last line of defense. The data collected on honeypots are used to isolate and filter present attack, if any and as an insight into future attack trends. The judicious mixture and self organization of servers and honeypots at different time intervals also guaranties promised QoS. We present the exhaustive parametric dependencies at various phases of attack and their regulation in real time to make the service network DDoS attack tolerant and insensitive to attack load. Results show that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attacks. It can be fine tuned according to the dynamically changing network conditions. We validate the effectiveness of the approach with analytical modeling on Internet type topology and simulation in ns-2 on a Linux platform.