This document summarizes research analyzing the impact of distributed denial of service (DDoS) attacks on file transfer protocol (FTP) services. The researchers created a test network topology in the DETER cybersecurity testbed to simulate FTP traffic between clients and a server. They launched various DDoS attack types against the FTP server to measure the impact on network performance metrics like throughput, link utilization, and packet survival ratio. The attacks were found to degrade these metrics and disrupt the FTP services. The study provides insights into how DDoS attacks negatively impact network services like FTP.
An attacker or hacker gradually sends attack programs to insecure machines. These compromised machines are called handlers or zombies and are collectively called bots, and the attack network is called a botnet in the hacker community, depending upon the sophistication of the logic of the implanted programs. The attacker sends control instructions to masters, which then communicate them to the zombies for launching the attack. As shown in Figure 1, a typical DDoS attack has two stages. The first stage is to compromise susceptible systems that are accessible on the Internet and then install attack tools on these compromised systems. This is known as turning the computers into “zombies.” In the second stage, the attacker sends an attack command to the “zombies” through a secure channel to launch a bandwidth attack against the targeted victim(s).
Figure 1. Attack Modus Operandi
The current attacks on some web sites like Amazon, Yahoo, e-Bay and Microsoft and their resultant disruption of services have uncovered the weakness of the Internet to Distributed Denial of Service (DDoS) attacks. Reports show that TCP is used in more than 85% of DoS attacks [2]. TCP and UDP SYN flooding is the most commonly used attack. It consists of a stream of spoofed TCP and UDP SYN packets directed to listening ports of the victim. Not only Web servers but any systems connected to the Internet that provide UDP- and TCP-based network services, such as FTP servers or mail servers, are susceptible to UDP and TCP SYN flooding attacks.
II. RELATED WORK
To measure the effect of DDoS defense approaches, analysis of the impact of DDoS attacks is very important. As per [3],[4], no benchmarks are available for measuring the effectiveness of DDoS defense approaches. Most existing strategies compare good-put and normal packet survival with and without attack and with defense [5]. Some defense approaches [6] have calculated the response time. Measuring the normal packet survival ratio proves to be most important because it clearly reflects the accuracy of the defense and normal packet loss [7], [8]. Jelena et al. [9], [10] have used the percentage of failed transactions (transactions that do not follow QoS thresholds) as a metric to measure DDoS impact. They define a threshold-based model for the relevant traffic measurements, which is application specific. It indicates poor service quality when a measurement exceeds its threshold. Another metric, server timeout, has also been used [11], but it does not indicate legitimate traffic drop, i.e. collateral damage. Sardana et al. [12] have used good-put, mean time between failure and average response time as performance metrics, whereas Gupta et al. [13] have used two statistical metrics, namely Volume and Flow, to detect DDoS attacks. As per [9], metrics such as good-put, bad-put, response time, number of active connections, ratio of average serve rate and request rate, and normal packet survival index [8] properly signal denial of service for two-way applications such as HTTP, FTP and DNS, but not for media traffic that is sensitive to one-way delay, packet loss and jitter.
III. RECENT INCIDENTS
According to Arbor Networks [14], 2010 should be viewed as the year distributed denial of service (DDoS) attacks became mainstream.
TABLE I. RECENT DDOS INCIDENTS ON IMPORTANT WEB SITES [15]
Arbor Networks [14], in its Sixth Annual Worldwide Infrastructure Security Report, revealed that DDoS attack size has increased to 100 Gbps for the first time and is up by 1000% since 2005. This year has witnessed a sharp escalation in the scale and frequency of DDoS attack activity on the Internet. DDoS attacks have been launched against many high-profile websites and popular Internet services. In addition to hitting the 100 Gbps attack barrier for the first time, application layer attacks hit an all-time high. Table I lists some of the recent DDoS attack incidents [14][15].
IV. PERFORMANCE METRICS
The seriousness of the DDoS problem and the growing sophistication of attackers have led to the development of numerous defense mechanisms [16],[17]. But the growing number of DDoS attacks and their financial implications still call for a comprehensive solution. Moreover, since attackers share their attack code, the Internet community, to fight against these attacks, needs to devise better ways to accumulate details of them. Only then can a comprehensive solution against DDoS attacks be devised. Technically, when DDoS attacks are launched, various network performance metrics are affected. In the current work, our focus is on measuring these network performance metrics and comparing them with and without attacks. As mentioned in Table II, we have measured the impact of DDoS attacks using the following metrics:
Date | DDoS target / Incidents | Consequences / Description
2012, October | Web site of Capital One Bank | The incident was the second attack allegedly waged by a hacktivist group against the bank,
2012, March | South Korea and United States Websites | It is similar to those launched in 2009
2012, January | Official Web-site of the office of the vice president of Russia | It caused the site to be down by more than 15 hours.
2011, November | Asian Ecommerce Company | Flood of traffic was launched and 250,000 computers infected with malware participated
2011, November | Server | The traffic load has been immense with several thousands request per second.
2011, October | Site of National Election Commission of South Korea | Attacks were launched during the morning when citizens would look up information and attack leads to fewer turnouts
2011, March | On Blogging Platform Live Journal | Experienced serious functionality problems for over 12 hours and resumed on April 4 and 5, 2011
2010, December | Master Card, PayPal, Visa and Post Finance | Attack was launched in support of WikiLeaks.ch and its founder. Attack lasts for more than 16 hours.
2010, November | Whistleblower site Wikileaks | Attack size was 10 Gbps. Caused the site unavailable to visitors. Attack was launched to prevent release of secret cables.
2010, November | Whistleblower site Wikileaks | Attack size was 2-4 Gbps. Attack was launched just after it released confidential US diplomatic cables.
2010, November | Domain registrar Register.com | Impacted DNS, hosting and webmail clients
2010, November | Burma’s main Internet provider | Disrupted most network traffic in and out of the country for 2 days. Geopolitical motivated attack. Attack size was of 1.09 Gbps (average) & 14.58 Gbps (maximum). Attack vectors were TCP Syn/rst 85%, flooding 15%.
2010, September | Fast growing botnet | Botnet’s motive was to provide commercial service
TABLE II. METRICS FOR ATTACK’S IMPACT ANALYSIS
Throughput: Throughput is defined as the rate at which a network sends or receives data. It is a good measure of the channel capacity of a communications link, and connections to the Internet are mostly rated in terms of how many bits they pass per second (bit/s). Throughput is measured in terms of good-put and bad-put. Good-put is defined as the no. of bits per second of legitimate traffic received at the server, and bad-put is defined as the no. of bits per second of attack traffic received at the server.
Backbone Link Utilization: Backbone Link Utilization is defined as the percentage of bandwidth that is being used for good-put (legitimate traffic).
Normal Packet Survival Ratio: This metric measures the impact of an attack as the percentage of legitimate packets delivered during the attack. If this percentage is high, then the service continues with little interruption.
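The three metrics can be computed per time window from a packet record taken at the server. The following is an added example, not code from the paper: the record format, the function names and the 0.9 NPSR threshold are hypothetical, the trace is constructed rather than measured, and the attack-packet count is read as p_a so that NPSR equals 1 when no attack traffic is present.

```python
from collections import defaultdict

BOTTLENECK_BPS = 1_500_000  # R1-R2 bottleneck bandwidth from the page (1.5 Mb)

def window_metrics(records, window_s=1.0, link_bps=BOTTLENECK_BPS):
    """records: (timestamp_s, size_bytes, is_legitimate) tuples seen at the server.
    Returns {window_start: metrics} following the Table II definitions."""
    acc = defaultdict(lambda: {"b_l": 0, "b_a": 0, "p_l": 0, "p_a": 0})
    for ts, size, legit in records:
        w = acc[int(ts // window_s) * window_s]
        suffix = "l" if legit else "a"
        w["b_" + suffix] += size
        w["p_" + suffix] += 1
    out = {}
    for start in sorted(acc):
        w = acc[start]
        goodput = 8 * w["b_l"] / window_s   # legitimate bits per second
        badput = 8 * w["b_a"] / window_s    # attack bits per second
        packets = w["p_l"] + w["p_a"]
        out[start] = {
            "throughput_bps": goodput + badput,
            "goodput_bps": goodput,
            "badput_bps": badput,
            "link_util_pct": 100 * goodput / link_bps,
            # Assumption: p_a counts attack packets, so NPSR is 1.0 with no attack.
            "npsr": w["p_l"] / packets if packets else None,
        }
    return out

def degraded_windows(metrics, min_npsr=0.9):
    """Window starts whose NPSR fell below min_npsr (hypothetical threshold)."""
    return [s for s, m in metrics.items()
            if m["npsr"] is not None and m["npsr"] < min_npsr]

def phase_mean(metrics, key, first_s, last_s):
    """Mean of one metric over windows starting in [first_s, last_s]."""
    vals = [m[key] for s, m in metrics.items()
            if first_s <= s <= last_s and m[key] is not None]
    return sum(vals) / len(vals) if vals else None

def constructed_trace():
    """Constructed sample, not measured data: 90 one-second windows, attack in
    seconds 31-60, legitimate traffic kept flowing so NPSR is defined throughout."""
    trace = []
    for sec in range(1, 91):
        under_attack = 31 <= sec <= 60
        n_legit = 90 if under_attack else 180      # legitimate 1000-byte packets
        trace += [(sec + k / n_legit, 1000, True) for k in range(n_legit)]
        if under_attack:
            trace += [(sec + k / 90, 150, False) for k in range(90)]
    return trace

if __name__ == "__main__":
    m = window_metrics(constructed_trace())
    for name, lo, hi in (("before", 1, 30), ("attack", 31, 60), ("after", 61, 90)):
        print(name,
              "util %.1f%%" % phase_mean(m, "link_util_pct", lo, hi),
              "NPSR %.2f" % phase_mean(m, "npsr", lo, hi))
    print("degraded windows:", len(degraded_windows(m)))
```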
V. EVALUATION IN TESTBED EXPERIMENT
We have used the DETER testbed to evaluate our metrics in experiments using the SEER (Security Experimentation EnviRonment) GUI BETA6 environment [18][19]. This testbed is located at the USC Information Sciences Institute and UC Berkeley, and security researchers use it to evaluate attacks and defenses in a controlled environment.
A. Experimental Topology
Figure 2 shows the experimental topology and Figure 3 shows our experimental topology definition for FTP applications, in which R1, R2, R3 and R4 are routers, node S is the server and L1-L20 are clients. These clients send legitimate requests to server S via routers R1 and R2. The bandwidth of all links is set to 100Mbps, except the bottleneck link (R1-R2), whose bandwidth is 1.5Mbps. In this topology node A1 acts as the attacking node and sends attack traffic to server S via routers R1 and R2. The link between R1 and R2 is called the bottleneck link.
Figure 2. Experimental Topology
Metric | Description
Throughput (α) | $V_\alpha = (b_l + b_a)/\Delta$, where $b_l$, $b_a$ and $\Delta$ represent the no. of legitimate bytes, the no. of attack bytes and the time window for analysis respectively.
Percentage Link Utilization (£) | £ represents the percentage of bandwidth that is being used for good-put.
Normal Packet Survival Ratio (η) | $\eta = p_l/(p_l + p_a)$, where $p_l$ represents the no. of legitimate packets and $p_a$ represents the total no. of packets received at the victim.
set ns [new Simulator]
source tb_compat.tcl
#Create the topology nodes
foreach node { V S R1 R2 R3 R4 L1 L2 L3 L4 L5 L6 L7 L8 L9 L10 L11 L12 L13 L14 L15 L16 L17 L18 L19 L20 A1 A2 control } {
    #Create new node (the loop body's opening brace must sit on the foreach line)
    set $node [$ns node]
    #Define the OS image
    tb-set-node-os [set $node] FC4-STD
    #Have SEER install itself and startup when the node is ready
    tb-set-node-startcmd [set $node] "sudo python /share/seer/v160/experiment-setup.py Basic"
}
#Create the topology links
set linkRV [$ns duplex-link $V $R1 100Mb 3ms DropTail]
set linkRS [$ns duplex-link $S $R1 100Mb 3ms DropTail]
set linkRA1 [$ns duplex-link $A1 $R3 100Mb 3ms DropTail]
set linkRA2 [$ns duplex-link $A2 $R4 100Mb 3ms DropTail]
set linkRR3 [$ns duplex-link $R2 $R3 100Mb 3ms DropTail]
set linkRR4 [$ns duplex-link $R2 $R4 100Mb 3ms DropTail]
set linkRR2 [$ns duplex-link $R2 $R1 1.5Mb 0ms DropTail]
set lannet0 [$ns make-lan "$L1 $L2 $L3 $L4 $L5 $R3" 100Mb 0ms]
set lannet1 [$ns make-lan "$L6 $L7 $L8 $L9 $L10 $R3" 100Mb 0ms]
set lannet2 [$ns make-lan "$L11 $L12 $L13 $L14 $L15 $R4" 100Mb 0ms]
set lannet3 [$ns make-lan "$L16 $L17 $L18 $L19 $L20 $R4" 100Mb 0ms]
$ns rtproto Static
$ns run
Figure 3. Experimental Topology Definition
The purpose of the attack node is to congest the bandwidth of the bottleneck link so that legitimate traffic cannot reach the server S.
We have generated a random network consisting of FTP clients, servers and an attack source. Multiple legitimate clients are connected with the server, and one attack source is used as the DDoS flooding attacker in our emulated network. This emulates the real situation of a DDoS flooding attack.
B. Legitimate Traffic
We have used FTP traffic in our experiment. There are 20 legitimate client nodes which send requests to the server S for 1-30 seconds and then 61-90 seconds with the following thinking time. The configuration of the traffic parameters used to send legitimate traffic is shown in Table III:
TABLE III. EMULATION PARAMETERS USED IN EXPERIMENT
Parameters | Values
Clients | L1-L20
Server | S
Attack Host | A1
Thinking Time | Minmax(0.01,0.1)
File Size | Minmax(512,1024)
Emulation Time | 90 sec
Bottleneck Bandwidth | 1.5Mb
Access Bandwidth | 100Mb
Legitimate Request Time | 1-30 sec and 61-90 sec
Attack Time | 31-60 sec
Attack Type | DDoS Packet Flooding
Server Delay | 3ms
Access Link Delay | 3ms
Backbone Link Delay | 0ms
C. Attack Traffic
In the experiment, we have used a packet flooding attack to generate the DDoS attack. Node A1 launches the attack towards S and thus consumes the bandwidth of the bottleneck link R1-R2. The UDP protocol is used for launching attacks. Further, the attack types flat, ramp-up, pulse and ramp-pulse are used in our experiment. Attack traffic from A1 starts at the 31st second and stops at the 60th second. We have then analyzed the impact of DDoS attacks on the FTP service. Table IV shows the attack parameters used in our emulation experiment. We have generated the following flooding attack types:
Flat Attack: In a flat attack the high rate is achieved and maintained until the attack is stopped.
Ramp-up Attack: In the Ramp-up attack the high rate is achieved gradually within the specified rise time and is maintained until the attack is stopped.
Ramp-down Attack: In this attack the high rate is achieved gradually and after the high time it falls to the low rate within the low time.
Pulse Attack: In a pulse attack the rate oscillates between the high rate and the low rate. It remains at the high rate for the specified high time, then falls to the specified low rate for the specified low time, and so on.
Ramp-pulse Attack: The Ramp-pulse attack is a mixture of the Ramp-up, Ramp-down and Pulse attacks, meaning it uses all three.
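The flood types above can be read as rate-versus-time envelopes, which is what the bad-put plots trace out. The following is an added example, not code from the paper or from SEER: it evaluates the four Table IV columns under one interpretation of the prose definitions, and it assumes rates are in packets per second, times are in milliseconds, a rise or fall shape of 1.0 is linear, and ramps start from the low rate (the page states none of these).

```python
# Table IV values from the page. Units are an assumption (the page gives none):
# rates in packets per second, times in milliseconds.
PROFILES = {
    "flat":       {"high_rate": 200, "high_time": 100,  "low_rate": 100,
                   "low_time": 0,    "rise_time": 0,     "fall_time": 0},
    "ramp-up":    {"high_rate": 300, "high_time": 5000, "low_rate": 100,
                   "low_time": 8000, "rise_time": 10000, "fall_time": 0},
    "pulse":      {"high_rate": 500, "high_time": 6000, "low_rate": 200,
                   "low_time": 5000, "rise_time": 0,     "fall_time": 0},
    "ramp-pulse": {"high_rate": 400, "high_time": 5000, "low_rate": 200,
                   "low_time": 4000, "rise_time": 10000, "fall_time": 10000},
}

ATTACK_MS = 30_000  # attack runs from the 31st to the 60th second

def flood_rate(kind, t_ms, p=None):
    """Rate at t_ms after attack start, following the page's prose definitions."""
    p = p or PROFILES[kind]
    hi, lo = p["high_rate"], p["low_rate"]
    if kind == "flat":            # high rate held until the attack stops
        return hi
    if kind == "ramp-up":         # linear rise from low (assumed), then hold high
        if t_ms >= p["rise_time"]:
            return hi
        return lo + (hi - lo) * t_ms / p["rise_time"]
    if kind == "pulse":           # high for high_time, low for low_time, repeat
        phase = t_ms % (p["high_time"] + p["low_time"])
        return hi if phase < p["high_time"] else lo
    if kind == "ramp-pulse":      # rise, hold high, fall, hold low, repeat
        cycle = (p["rise_time"] + p["high_time"]
                 + p["fall_time"] + p["low_time"])
        phase = t_ms % cycle
        if phase < p["rise_time"]:
            return lo + (hi - lo) * phase / p["rise_time"]
        phase -= p["rise_time"]
        if phase < p["high_time"]:
            return hi
        phase -= p["high_time"]
        if phase < p["fall_time"]:
            return hi - (hi - lo) * phase / p["fall_time"]
        return lo
    raise ValueError("unknown flood type: %s" % kind)

def peak_and_mean(kind, duration_ms=ATTACK_MS, step_ms=100):
    """Peak and mean rate over the attack window, sampled every step_ms."""
    samples = [flood_rate(kind, t) for t in range(0, duration_ms, step_ms)]
    return max(samples), sum(samples) / len(samples)

if __name__ == "__main__":
    for kind in PROFILES:
        peak, mean = peak_and_mean(kind)
        print("%-10s peak %.0f mean %.1f" % (kind, peak, mean))
```

Under these assumptions the pulse column peaks at 500 but averages 380 over the 30-second window, so a monitor that thresholds on a window-averaged rate sees less than the link carries during each burst.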
TABLE IV. ATTACK PARAMETERS USED IN EXPERIMENT [20]
VI. RESULTS AND DISCUSSIONS
The effect of DDoS attacks on the performance of the FTP service is analyzed below.
A. Throughput
To measure throughput during a DDoS attack, the backbone link is attacked to force the edge router at the ISP of the victim end to drop most legitimate packets. In Figure 4 and Figure 5, we have measured throughput in terms of good-put and bad-put to get the measure of actual loss. Good-put is defined as the no. of bits per second of legitimate traffic received at the server, whereas bad-put gives the no. of bits per second of attack traffic received at the server.
Attack Type | Flooding | Flooding | Flooding | Flooding
Attack Source | A1 | A1 | A1 | A1
Attack Target | S | S | S | S
Protocol | UDP | UDP | UDP | UDP
Length Min | 100 | 200 | 200 | 100
Length Max | 200 | 300 | 300 | 200
Flood Type | Flat | Ramp-up | Pulse | Ramp-pulse
High Rate | 200 | 300 | 500 | 400
High Time | 100 | 5000 | 6000 | 5000
Low Rate | 100 | 100 | 200 | 200
Low Time | 0 | 8000 | 5000 | 4000
Rise Shape | 0 | 1.0 | 0 | 1.0
Rise Time | 0 | 10000 | 0 | 10000
Fall Shape | 0 | 0 | 0 | 1.0
Fall Time | 0 | 0 | 0 | 10000
Sport Min | 57 | 57 | 57 | 57
Sport Max | 57 | 57 | 57 | 57
Dport Min | 1000 | 1000 | 1000 | 1000
Dport Max | 2000 | 2000 | 2000 | 2000
TCP Flags | SYN | SYN | SYN | SYN
B. Backbone Link Utilization
Backbone Link utilization is defined as the percentage of bandwidth that is carrying legitimate traffic. As shown in Figure 6, Backbone Link utilization is nearly 100% without attack. During attack, Backbone Link utilization drops more than 50%.
C. Normal Packet Survival Ratio (NPSR)
NPSR is defined as the ratio of good-put and bad-put. This is the percentage of legitimate packets that can survive during attack. NPSR should be high. We can measure the impact of an attack as the percentage of legitimate packets delivered during the attack. If this percentage is high, service continues with little interruption. NPSR starts decreasing with increased rate of attack traffic and, as the bandwidth of the link is limited, legitimate packets start dropping. As shown in Figure 7, 100% of legitimate packets are delivered without attack, but during attacks only 50% of legitimate packets are delivered.
Figure 4. Good-put of FTP traffic through bottleneck link during UDP Attack
Figure 5. Bad-put of FTP traffic through bottleneck link during UDP Attack
Figure 6. Average Bottleneck Bandwidth Utilization in FTP Service during UDP Attack
[Plot: Goodput of FTP Service under UDP Attack. X-axis: Time (Sec); y-axis: Throughput (Mbps); series: Flat Attack, Ramp-up Attack, Ramp-pulse Attack, Pulse Attack.]
[Plot: Badput of FTP Service under UDP Attack. X-axis: Time (Sec); y-axis: Throughput (Mbps); series: Flat Attack, Ramp-up Attack, Ramp-pulse Attack, Pulse Attack.]
[Plot: Avg Link Utilization of UDP Attack. X-axis: Time (Sec); y-axis: % Link Utilization; series: Flat Attack, Pulse Attack, Ramp-pulse Attack, Ramp-up Attack.]
Figure 7. Average Ratio of Legitimate FTP Packets Survival during UDP Attack
VII. CONCLUSIONS
DDoS attack incidents are increasing day by day. Not only are DDoS incidents growing, but attack techniques, botnet size and attack traffic are also attaining new heights. Effective mechanisms are needed to elicit information about attacks in order to develop potential defense mechanisms. We evaluated our metrics in experiments on the DETER testbed. The DETER testbed allows DDoS attack experiments to be carried out in a secure environment. It also allows creating, planning and iterating through a large range of experimental scenarios with relative ease. We pointed out the possibility of DDoS attacks on the FTP application by analyzing the characteristics of the FTP application. DDoS attacks were launched on the FTP server and their impact on the FTP service was measured. Service degradation due to DDoS attacks is quantified in this paper in terms of Throughput, Normal Packet Survival Ratio and Backbone Link Utilization. We generated attacks at different strengths so that the impact of DDoS attacks can be measured. The attacks are generated keeping some realistic conditions in mind, such as limited bottleneck bandwidth. Moreover, the quantitative measurements clearly indicate the impact of the attack on the FTP service.
Distributed Denial of Service attack is one of the major threats to the current Internet. In the present paper we have measured the impact of DDoS attacks using a number of metrics. We are working on extending the existing work as below:
- Adding some more realistic features to the topology, traffic parameters and attack parameters (such as ISP-level topology, large number of legitimate clients, high legitimate traffic rate, high attack rate), so as to get more accurate results of the influence of DDoS attacks on FTP services.
- Comparison of various DDoS defense mechanisms using weighted metrics.
ACKNOWLEDGMENT
We would like to express our gratitude to Director, SBS State Technical Campus, Ferozepur, for providing
the academic environment to pursue research activities. We are extremely thankful to Dr. Krishan Kumar,
Associate Professor, Department of Computer Science & Engg., for their guidance and inputs. Finally, the
authors wish to appreciate the support extended by family and friends.
REFERENCES
[1] K. Xu, Z.L. Zhang, and S. Bhattacharyya, “Reducing unwanted traffic in a backbone network,” in Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005, pp. 9–15.
[2] A. Keromytis, V. Misra, D. Rubenstein (2002) SOS: Secure overlay services. In: ACM SIGCOMM Computer Communication Review, Proceedings of the 2002 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Pittsburgh, PA, vol. 32, pp. 61–72.
[3] J. Mirkovic and P. Reiher, A University of Delaware Subcontract to UCLA, www.lasr.cs.ucla.edu/Benchmarks_DDoS_Def_Eval.html.
[4] J. Mirkovic, E. Arikan, S. Wei, R. Thomas, S. Fahmy, and P. Reiher, “Benchmarks for DDOS Defense Evaluation,” in Proceedings of Military Communications Conference (MILCOM), pp. 1-10, 2006.
[Plot: Normal Packet Survival Ratio. X-axis: Time (Sec); y-axis: NPSR(Mbps); series: Flat Attack, Pulse Attack, Ramp-pulse Attack, Ramp-up Attack.]
[5] Y. You, “A defense framework for flooding based DDoS Attacks,” M.S. Thesis, Queen’s University, Canada, 2007.
[6] J. Mirkovic, P. Reiher, S. Fahmy, R. Thomas, A. Hussain, S. Schwab, “Measuring denial Of service,” 2nd ACM workshop on Quality of protection QoP, pp. 53–58, 2006.
[7] S. Kumar, M. Singh, M. Sachdeva, K. Kumar, “Flooding based DDoS attacks and their influence on web services,” International Journal of Computer Science and Information technology, Vol. 2(3), pp. 1131-1136, 2011.
[8] K. Kumar, Protection from Distributed Denial of Service (DDoS) Attacks in ISP Domain, Ph.D. Thesis, Indian Institute of Technology, Roorkee, India, 2007.
[9] J. Mirkovic, A. Hussain, B. Wilson, S. Fahmy, P. Reiher, R. Thomas, W. M. Yao, S. Schwab, “Towards user-centric metrics for denial-of-service measurement,” in Proceedings of the 2007 workshop on Experimental computer science, San Diego, California.
[10] J. Mirkovic, S. Fahmy, P. Reiher, R. Thomas, A. Hussain, S. Schwab, and C. Ko, “Measuring Impact of DoS Attacks,” in Proceedings of the DETER Community Workshop on Cyber Security, Experimentation, June 2006.
[11] C. Ko, A. Hussain, S. Schwab, R. Thomas, and B. Wilson, “Towards systematic IDS evaluation,” in Proceedings of DETER Community Workshop, pp. 20-23, June 2006.
[12] A. Sardana and R.C. Joshi, “An Integrated Honeypot Framework for Proactive Detection, Characterization and Redirection of DDoS Attacks at ISP level,” International Journal of Information Assurance and Security (JIAS), 3(1), pp. 1-15, March 2008. Available at http://www.mirlabs.org/jias/sardana.pdf.
[13] B.B. Gupta, R. C. Joshi, and M. Misra, “An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach,” Journal of Information Assurance and Security 3(2), 102-110, June 2008. Available at http://www.mirlabs.org/jias/gupta.pdf.
[14] DoS Attacks Exceed 100 Gbps, Attack Surface Continues to Expand, by Mike Lennon on February 01, 2011, available at http://www.securityweek.com/ddos-attacks-exceed-100-gbps-attacksurface-continues-expand.
[15] K. Arora, K. Kumar, M. Sachdeva, “Impact Analysis of Recent DdoS Attacks,” International Journal of Computer Science and Engg., ISSN 0975-3397, Vol. 3, pp. 877-884, 2011.
[16] D. Kaur, M. Sachdeva and K. Kumar, “Study of Recent DDoS Attacks and Defense Evaluation Approaches,” International Journal of Emerging Technology and Advanced Engineering, ISSN 2250-2459 (online), Volume 3, Issue 1, pp. 332-336, January 2013. http://www.ijetae.com/Volume3Issue1.html
[17] R. Chen, J. Park, and R. Marchany, “A Divide and Conquer Strategy for Thwarting Distributed Denial of Service Attacks,” Computer Journal of IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 5, pp. 577-588, 2007.
[18] D. Kaur, M. Sachdeva and K. Kumar, “Study of DDoS Attacks using Deter Testbed,” International Journal of Computing and Business Research, ISSN: 2229-6166, Vol 3, May 2012.
[19] J. Mirkovic, S. Wei, A. Hussain, B. Wilson, R. Thomas, S. Schwab, S. Fahmy, R. Chertov, and P. Reiher, “DDoS Benchmarks and Experimenter’s Workbench for the DETER Testbed,” Proceedings of Tridentcom, 2007.
[20] D. Kaur, M. Sachdeva, “Study of Flooding Based DDoS Attacks and Their Effect Using Deter Testbed,” International Journal of Research in Engg and Tech., ISSN: 2319-1163, Vol 2, pp. 879-884, 2013.