Utilizing First Hop Redundancy Protocol To Mitigate The Effect Of .


UTILIZING FIRST HOP REDUNDANCY PROTOCOL TO MITIGATE THE EFFECT OF DENIAL-OF-SERVICE ATTACK

BY
KHONG JOHNSON

A REPORT SUBMITTED TO
Universiti Tunku Abdul Rahman
in partial fulfillment of the requirements for the degree of
BACHELOR OF COMMUNICATION AND NETWORKING (HONS)
Faculty of Information and Communication Technology (Perak Campus)
JANUARY 2018



DECLARATION OF ORIGINALITY

I declare that this report entitled "Utilizing First Hop Redundancy Protocol to Mitigate the Effect of Denial-Of-Service Attack" is my own work except as cited in the references. The report has not been accepted for any degree and is not being submitted concurrently in candidature for any degree or other award.

Signature:
Name: KHONG JOHNSON
Date: 6th APRIL 2018

BCN (Hons) Communication and Networking
Faculty of Information and Communication Technology (Perak Campus), UTAR

ACKNOWLEDGEMENTS

I would like to express my sincere thanks and appreciation to my supervisor, Dr. Gan Ming Lee, who has given me this bright opportunity to engage in a network security project. It is my first step to establish a career in the networking and network security field. A million thanks to you.

To a very special person in my life, Chow Wen Chai, for her unconditional support during hard times. Finally, I must say thanks to my parents and my family for their love, support and continuous encouragement throughout the course.

ABSTRACT

This paper determines whether a first hop redundancy protocol is a viable way to mitigate the effect of a denial-of-service (DoS) attack. Because DoS attacks significantly affect the security and reliability of networks, researchers have been urged to propose solutions that mitigate them. However, most of the proposed solutions increase the workload of network devices, especially routers, and therefore add network latency. For example, earlier researchers suggested placing a capability in every packet so that the destination host can acknowledge it as a wanted packet. This solution not only increases the router's workload, since it must stamp and check the capability on every packet, it also gives rise to a further attack, the denial-of-capability attack. In this work we therefore introduce an alternative, efficient way to mitigate DoS attacks without increasing the workload of network devices. The proposed solution uses a first hop redundancy protocol, specifically the Gateway Load Balancing Protocol (GLBP), to form a group of redundant routers. The redundant routers share one virtual IP address that serves as the IP gateway for the hosts. One router is elected as the Active Virtual Gateway (AVG), which assigns a virtual MAC address to each member of the group; the members are known as Active Virtual Forwarders (AVFs). When a host sends packets to the virtual IP gateway, the AVG answers the host's ARP request for the virtual IP address. Load balancing is achieved by the AVG replying to successive ARP requests with different virtual MAC addresses in round-robin order. As a result, no single router has its buffers overwhelmed and taken down, and the DoS attack can be mitigated. In this work, a simulation is first carried out without GLBP to show that the DoS attack succeeds. GLBP is then implemented on a group of redundant routers, and a second simulation shows that the DoS attack is successfully mitigated.

TABLE OF CONTENTS

TITLE  i
DECLARATION OF ORIGINALITY  ii
ABSTRACT  iv
TABLE OF CONTENTS  v
LIST OF TABLES  vii
LIST OF FIGURES  viii
LIST OF ABBREVIATIONS  xiii
Chapter 1: INTRODUCTION  1
1.1 MOTIVATION AND PROBLEM STATEMENT  1
1.2 PROJECT SCOPE  1
1.3 PROJECT OBJECTIVES  4
1.4 IMPACT, SIGNIFICANCE AND CONTRIBUTION  5
1.5 BACKGROUND INFORMATION  6
1.6 REPORT ORGANISATION  8
Chapter 2: LITERATURE REVIEW  9
2.1 EXISTING PROPOSED SOLUTIONS OVERVIEW  9
2.2 PACKET FILTERING  10
2.3 CAPABILITY  10
2.4 CAPTCHA MECHANISM  12
2.5 INGRESS FILTERING  13
Chapter 3: PROPOSED METHOD/APPROACH  15
3.1 DESIGN SPECIFICATIONS  15
3.2 EVALUATING PLAN FOR PERFORMANCE OF GLBP IN MITIGATING SYN FLOOD ATTACK  18
3.3 MITIGATION OF ADDITIONAL TYPE OF DoS ATTACKS  18
3.4 SYSTEM DESIGN / OVERVIEW  21
3.5 IMPLEMENTATION ISSUES AND CHALLENGES  30
3.6 COST ANALYSIS  30
3.7 TIMELINE  31
Chapter 4: TESTING RESULTS AND DISCUSSION  35
4.1 SYN FLOOD ATTACK  35
4.2 PING FLOOD ATTACK  41
4.3 ACK FLOOD ATTACK  45
4.4 ADDITIONAL RESEARCH RESULTS  49
4.5 DISCUSSION FOR SLOWLORIS ATTACK  63
Chapter 5: CONCLUSION  66
Chapter 6: BIBLIOGRAPHY  68
APPENDICES  A-1
APPENDIX A: Router Configuration with GLBP implemented  A-1
APPENDIX B: Configuration on PC running Apache Web Server  B-1
APPENDIX C: Configuration on Attacker's PC  C-1
APPENDIX D: Final Year Project Biweekly Report  D-1
APPENDIX E: POSTER  E-1
APPENDIX F: Example of plagiarism check summary  F-1

LIST OF TABLES

Table 3-1: Network configuration with GLBP implemented  17
Table 3-2: Cost analysis  30

LIST OF FIGURES

Figure 1-1: Network topology for first simulation  2
Figure 1-2: Network topology for second simulation  3
Figure 1-3: GLBP operation (Gan, 2017)  7
Figure 2-1: Process of adding capability into packet in TVA network (Yang, Wetherall and Anderson, 2005)  11
Figure 2-2: Login page with CAPTCHA verification included (Elias, 2009)  13
Figure 2-3: CAPTCHA verification before accessing the login page (Know Your Meme, n.d.)  13
Figure 3-1: Network topology for first simulation  15
Figure 3-2: Network topology for second simulation  17
Figure 3-3: Flowchart for SYN flood attack before GLBP  21
Figure 3-4: Network built for first simulation in Practical Lab  22
Figure 3-5: Flowchart for SYN flood attack after GLBP  23
Figure 3-6: Flowchart for SYN flood attack before GLBP  24
Figure 3-7: Flowchart for PING flood attack after GLBP  25
Figure 3-8: Flowchart for ACK flood attack before GLBP  26
Figure 3-9: Flowchart for ACK flood attack after GLBP  26
Figure 3-10: Flowchart for launching Slowloris attack  27
Figure 3-11: Flowchart of varying the packet send interval before GLBP  28
Figure 3-12: Flowchart of varying the packet send interval after GLBP  29
Figure 3-13: Gantt chart for current semester  32
Figure 3-14: Gantt chart for future semester  34
Figure 4-1: Page load time for first tab is 289 ms (SYN flood)  35
Figure 4-2: Page load time for second tab is 120 ms (SYN flood)  35
Figure 4-3: Page load time for third tab is 117 ms (SYN flood)  35
Figure 4-4: Page load time for fourth tab is 97 ms (SYN flood)  35
Figure 4-5: Page load time for fifth tab is 106 ms (SYN flood)  35
Figure 4-6: Page load time for first tab after SYN flood attack is 10.65 s  36
Figure 4-7: Page load time for second tab after SYN flood attack is 29.21 s  36
Figure 4-8: Page load time for third tab after SYN flood attack is 28.02 s  36
Figure 4-9: Page load time for fourth tab after SYN flood attack is 27.45 s  36
Figure 4-10: Page load time for fifth tab after SYN flood attack is 26.73 s  37
Figure 4-11: Ping reply time before and after SYN flood attack  38
Figure 4-12: Page load time for first tab after mitigation of SYN flood attack is 1.14 s  39
Figure 4-13: Page load time for second tab after mitigation of SYN flood attack is 1.18 s  39
Figure 4-14: Page load time for third tab after mitigation of SYN flood attack is 185 ms  39
Figure 4-15: Page load time for fourth tab after mitigation of SYN flood attack is 172 ms  39
Figure 4-16: Page load time for fifth tab after mitigation of SYN flood attack is 181 ms  40
Figure 4-17: Page load time of 1st tab before mitigation of PING flood attack is 510 ms  41
Figure 4-18: Page load time of 2nd tab before mitigation of PING flood attack is 3244 ms  41
Figure 4-19: Page load time of 3rd tab before mitigation of PING flood attack is 508 ms  42
Figure 4-20: Page load time of 4th tab before mitigation of PING flood attack is 3222 ms  42
Figure 4-21: Page load time of 5th tab before mitigation of PING flood attack is 478 ms  42
Figure 4-22: Page load time of 1st tab after mitigation of PING flood attack is 188 ms  43
Figure 4-23: Page load time of 2nd tab after mitigation of PING flood attack is 176 ms  43
Figure 4-24: Page load time of 3rd tab after mitigation of PING flood attack is 166 ms  43
Figure 4-25: Page load time of 4th tab after mitigation of PING flood attack is 204 ms  44
Figure 4-26: Page load time of 5th tab after mitigation of PING flood attack is 196 ms  44
Figure 4-27: Page load time before mitigation of ACK flood attack for 1st tab is 600 ms  45
Figure 4-28: Page load time before mitigation of ACK flood attack for 2nd tab is 1950 ms  45
Figure 4-29: Page load time before mitigation of ACK flood attack for 3rd tab is 1306 ms  46
Figure 4-30: Page load time before mitigation of ACK flood attack for 4th tab is 2736 ms  46
Figure 4-31: Page load time before mitigation of ACK flood attack for 5th tab is 6198 ms  46
Figure 4-32: Page load time after mitigation of ACK flood attack for 1st tab is 180 ms  47
Figure 4-33: Page load time after mitigation of ACK flood attack for 2nd tab is 188 ms  47
Figure 4-34: Page load time after mitigation of ACK flood attack for 3rd tab is 178 ms  48
Figure 4-35: Page load time after mitigation of ACK flood attack for 4th tab is 204 ms  48
Figure 4-36: Page load time after mitigation of ACK flood attack for 5th tab is 172 ms  48
Figure 4-37: Page load time with u1 as packet interval in SYN flood attack (before GLBP)  49
Figure 4-38: Page load time with u10 as packet interval in SYN flood attack (before GLBP)  50
Figure 4-39: Page load time with u100 as packet interval in SYN flood attack (before GLBP)  50
Figure 4-40: Page load time with u1000 as packet interval in SYN flood attack (before GLBP)  50
Figure 4-41: Page load time with u10000 as packet interval in SYN flood attack (before GLBP)  51
Figure 4-42: Page load time with u100000 as packet interval in SYN flood attack (before GLBP)  51
Figure 4-43: Graph of page load time as SYN flood packet interval varies (before GLBP)  52
Figure 4-44: Total packets sent for each packet interval setting  53
Figure 4-45: Page load time with u1 as packet interval in SYN flood attack (after GLBP)  54
Figure 4-46: Page load time with u10 as packet interval in SYN flood attack (after GLBP)  54
Figure 4-47: Page load time with u100 as packet interval in SYN flood attack (after GLBP)  54
Figure 4-48: Page load time with u1000 as packet interval in SYN flood attack (after GLBP)  55
Figure 4-49: Page load time with u10000 as packet interval in SYN flood attack (after GLBP)  55
Figure 4-50: Page load time with u100000 as packet interval in SYN flood attack (after GLBP)  55
Figure 4-51: Graph of page load time as SYN flood packet interval varies (after GLBP)  56
Figure 4-52: Graph of page load time as SYN flood packet interval varies (before and after GLBP)  56
Figure 4-53: Page load time with u1 as packet interval in PING flood attack (before GLBP)  57
Figure 4-54: Page load time with u10 as packet interval in PING flood attack (before GLBP)  57
Figure 4-55: Page load time with u100 as packet interval in PING flood attack (before GLBP)  58
Figure 4-56: Page load time with u1000 as packet interval in PING flood attack (before GLBP)  58
Figure 4-57: Page load time with u10000 as packet interval in PING flood attack (before GLBP)  58
Figure 4-58: Page load time with u100000 as packet interval in PING flood attack (before GLBP)  59
Figure 4-59: Graph of page load time as PING flood packet interval varies (before GLBP)  59
Figure 4-60: Page load time with u1 as packet interval in PING flood attack (after GLBP)  60
Figure 4-61: Page load time with u10 as packet interval in PING flood attack (after GLBP)  60
Figure 4-62: Page load time with u100 as packet interval in PING flood attack (after GLBP)  60
Figure 4-63: Page load time with u1000 as packet interval in PING flood attack (after GLBP)  61
Figure 4-64: Page load time with u10000 as packet interval in PING flood attack (after GLBP)  61
Figure 4-65: Page load time with u100000 as packet interval in PING flood attack (after GLBP)  61
Figure 4-66: Graph of page load time as PING flood packet interval varies (after GLBP)  62
Figure 4-67: Graph of page load time as SYN flood packet interval varies (before and after GLBP)  62
Figure 4-68: HTTP GET header  63
Figure 4-69: Slowloris - GET  63
Figure 4-70: Slowloris - GET  64
Figure 4-71: GLBP failed to mitigate Slowloris attack  64

LIST OF ABBREVIATIONS

GLBP  Gateway Load Balancing Protocol
LAN  Local Area Network
TCP/IP  Transmission Control Protocol/Internet Protocol
OS  Operating System

Chapter 1: INTRODUCTION

1.1 MOTIVATION AND PROBLEM STATEMENT

Denial of service (DoS) is a cyber-attack in which the attacker attempts to prevent legitimate users from accessing information or services by deliberately consuming resources to the point where they are no longer available to those users. With the rapid growth of technology, DoS attacks have become a serious threat to the reliability of the Internet. Moore, Voelker and Savage (2006, p.1) observed 12,805 DoS attacks against more than 500 different organisations, ranging from Amazon and Hotmail to small foreign ISPs, within a three-week period. On 21 October 2002 a severe DoS attack against the DNS root servers left 7 of the 13 root servers unable to respond and badly degraded 2 more (McGuire, 2003). These examples show that DoS is one of the most serious classes of security breach, with damaging effects across many fields. Although many researchers have proposed solutions to mitigate DoS attacks, those solutions are not comprehensive and some even increase network latency. This project therefore aims to provide an alternative way to mitigate the effect of a DoS attack without increasing network latency.

1.2 PROJECT SCOPE

The deliverable of this project is a set of simulation results. Based on those results, the intention is to show that implementing GLBP alleviates the impact of a DoS attack.

To do so, a first simulation is conducted without GLBP to show that a DoS attack can be launched successfully and leaves legitimate users unable to access the web service. Figure 1-1 below shows the network topology that was set up:

Figure 1-1: Network topology for first simulation

Assume that the interface of the PC running the Apache web server becomes congested once it has received 5000 packets or more. In the first simulation an attacker sends SYN packets continuously to the PC running the Apache web server. Since the PC's interface receives more than 5000 packets after some time, the interface is expected to become congested. A legitimate user who then tries to access the web service will fail, because the link to the PC running the web server is saturated. This is the anticipated result before GLBP is implemented.

In the second simulation, GLBP is enabled on a group of redundant routers. TCP load balancing is also configured to share the load further between two mirror servers. This is an improvement over the proposal report, added so that the server itself does not become the bottleneck under a DoS attack. Figure 1-2 below shows the network topology for the second simulation:

Figure 1-2: Network topology for second simulation

In this round, when the attacker sends a large number of SYN packets towards the PC running the Apache web server, the packets are load balanced among the redundant routers, so the links to the PC running the Apache web server are not easily congested. The packets are then load balanced again among the mirror servers when they are forwarded to the destination. Since the links are not congested, the legitimate user can still access the web service.

By implementing GLBP, it is expected that the effect of the DoS attack can be mitigated. Should the DoS attack still be able to take down the routers, the GLBP configuration will be modified or improved to ensure that it mitigates the DoS attack in the end.
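To make the load-balancing claim above concrete, the following Python simulation models the GLBP mechanism described in the abstract and in this section. It is an added example for this write-up, not code from the thesis or from Cisco. It models one AVG that owns the virtual IP, assigns each AVF a virtual MAC in GLBP's 0007.b400.GGFF format (GG = group number, FF = forwarder number) and answers ARP requests for the virtual IP in round-robin order, with host-dependent selection as a second mode. The router names, MAC addresses and virtual IP are constructed, and the host-dependent hash is a stand-in for the IOS-internal selection. The simulation also shows the caveat a practitioner should keep in mind when reading the results: GLBP distributes hosts, not packets. Each host resolves the virtual IP once, caches the virtual MAC it was given and sends all later traffic through that one forwarder, so thirty clients are spread evenly over three AVFs, while a single attacking host's flood lands entirely on one AVF no matter how many packets it sends.

```python
"""GLBP gateway-selection simulation (added example; constructed data)."""
from collections import Counter
from itertools import cycle


class ActiveVirtualGateway:
    """The AVG: owns the virtual IP and hands out the AVFs' virtual MACs."""

    def __init__(self, group, virtual_ip, forwarders, load_balancing="round-robin"):
        self.virtual_ip = virtual_ip
        self.forwarders = list(forwarders)
        # GLBP derives each virtual MAC from the group and forwarder number:
        # 0007.b400.GGFF (GG = group, FF = forwarder 01..04).
        self.vmac = {name: f"0007.b400.{group:02x}{n:02x}"
                     for n, name in enumerate(self.forwarders, start=1)}
        self.load_balancing = load_balancing
        self._next = cycle(self.forwarders)

    def arp_reply(self, requester_mac):
        """Reply to 'who-has <virtual IP>': return (forwarder, virtual MAC)."""
        if self.load_balancing == "round-robin":
            fwd = next(self._next)            # successive requests rotate AVFs
        elif self.load_balancing == "host-dependent":
            # Same requester MAC always maps to the same AVF. The modulo hash
            # is a constructed stand-in for the IOS-internal selection.
            idx = sum(int(b, 16) for b in requester_mac.split(":")) % len(self.forwarders)
            fwd = self.forwarders[idx]
        else:
            raise ValueError(f"unknown load-balancing mode {self.load_balancing!r}")
        return fwd, self.vmac[fwd]


class Host:
    """A LAN host that resolves the gateway once and caches the answer."""

    def __init__(self, mac):
        self.mac = mac
        self.arp_cache = {}

    def gateway_for(self, avg):
        if avg.virtual_ip not in self.arp_cache:
            self.arp_cache[avg.virtual_ip] = avg.arp_reply(self.mac)
        return self.arp_cache[avg.virtual_ip]

    def send(self, avg, n_packets, tally):
        fwd, _vmac = self.gateway_for(avg)
        tally[fwd] += n_packets          # every packet follows the cached MAC
        return fwd


def simulate(n_hosts, packets_per_host, forwarders=("R1", "R2", "R3"),
             load_balancing="round-robin"):
    """Packets forwarded by each AVF when n_hosts each send packets_per_host."""
    avg = ActiveVirtualGateway(1, "192.168.1.254", forwarders, load_balancing)
    tally = Counter({f: 0 for f in forwarders})
    for i in range(n_hosts):
        Host(f"00:11:22:33:44:{i:02x}").send(avg, packets_per_host, tally)
    return dict(tally)


if __name__ == "__main__":
    print("30 clients x 1000 pkts :", simulate(30, 1000))
    print("1 attacker x 100000    :", simulate(1, 100000))
```

Running the script prints the two tallies side by side: the client traffic is split 10000/10000/10000, the single-source flood is 100000/0/0. On IOS the mode is chosen with `glbp <group> load-balancing {round-robin | host-dependent | weighted}`, round-robin being the default; none of the modes re-spreads an existing host's traffic, so a flood from one LAN host is only shared across AVFs if its sources are spread across different hosts that each resolve the gateway.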

1.3 PROJECT OBJECTIVES

There are three main objectives for this project. First, the main objective is to study whether a DoS attack can be alleviated by implementing GLBP on redundant routers. Second, to show that GLBP is an alternative way to mitigate various types of DoS attack using different attacking tools at t
