Enforcing A Source-end Cooperative Multilevel Defense Mechanism to Counter Flooding Attack

The exponential advancement in telecommunication embeds the Internet in every aspect of communication. The interconnection of networks all over the world exposes the Internet to monumental risk. Flooding attack (FA) is one of the major threats on the Internet: legitimate users are prevented from accessing network services. Irrespective of the protective measures incorporated in the communication infrastructure, FA still persists due to the lack of global cooperation. Most existing mitigation is set up either at the point where traffic originates or at the point where it terminates, and mitigation at one end alone is not a complete solution. To provide better protection against flooding attack, we propose a cooperative multilevel defense mechanism consisting of two levels of mitigation. In the first level, we design Threshold based rate limiting with a Spoofing Resistant Tag (TSRT) as a source-end countermeasure for High Rate Flooding Attack (HRFA) and spoofing attack. In the second level, our aim is to discriminate normal traffic from Distributed Denial of Service (DDoS) traffic and drop the DDoS traffic at the destination end, using Flow Congruence based Selective Pushback (FCSP) as a destination-initiated countermeasure for the Low Rate Flooding Attack (LRFA). The source and the destination cooperate to identify and block the attack. A key advantage of this cooperative mechanism is that it can distinguish and throttle the attack traffic nearer to the starting point of the attack. The performance of the cooperative multilevel defense mechanism is validated through extensive simulation in NS-2. Our analysis and the experimental results show that our scheme can effectively identify and defend against the


Introduction
Ever improving technology together with ever expanding connectivity has made the Internet available to everyone at high speed and low cost. This growth of telecommunication embeds the Internet in every aspect of communication. Internet communication is based on the Internet Protocol (IP), which relies on best-effort service to forward packets from one end to the other. Irrespective of their legitimacy, packets are forwarded to the end host with minimal processing. This frictionless nature of the Internet makes it vulnerable to various attacks such as phishing, malware, password attacks, man-in-the-middle and DoS.
A Denial of Service (DoS) attack is a packet flooding attack (PFA) capable of degrading the performance of the communication infrastructure. The Internet has made it easy to launch a PFA without any special hardware or tool. During a DoS attack the illegitimate user floods a large volume of attack traffic towards the destination. Traffic directed in this way makes the service provided by the destination unavailable to legitimate users and also degrades the quality of service by consuming the resources of the destination.
McAfee Labs publishes quarterly threat reports on threat statistics and trends. Observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in 2018 [1] show that DoS is the third most common attack on the Internet. Their statistics on the different threats recognized by the Threat Research Labs are shown in Fig. 1. DoS flooding attacks can be classified into HRFA and LRFA [2]. In HRFA, attackers send an enormous volume of attack packets to deny the service provided by the destination. In LRFA, a large number of distributed attackers (bots) cooperate, each sending a small amount of attack traffic to the target so that the attack escapes detection. In both types of FA, the attackers try to degrade the quality of service to legitimate users. Deploying a mitigation mechanism is essential to counter the attack and to increase the reliability of the destination server. The mitigation mechanism can be deployed at the source, at the destination, at an intermediate point, or in a distributed way. Mitigating the attack at the destination end is simple, but by then the attack traffic has already consumed bandwidth [3]. For HRFA the attack rate is high at the source end itself, whereas for LRFA the attack rate is high only at the destination end: HRFA converges at the earliest point, the source-end edge router, while LRFA converges only towards the destination end. To provide a better quality of service to legitimate users it is therefore preferable to deploy a cooperative multilevel defense mechanism.
Most existing techniques use single-level mitigation that is effective against HRFA or LRFA but not both. An effective mechanism to protect the Internet from each attack is possible only through a cooperative multilevel defense mechanism [4]. This fact motivated us towards multilevel mitigation. This work is a step towards an enhanced countermeasure for FA, deploying the mitigation at the earliest point of convergence: the source end for HRFA [5] and the destination end for LRFA. The Threshold based rate limiting and Spoofing Resistant Tag technique (TSRT) is deployed at the source-end edge routers to mitigate HRFA and spoofing. The LRFA that converges at the destination end is countered there by the Flow Congruence based Selective Pushback (FCSP) technique. Further, the attack source can be located by activating the flow-congruence-based pushback at the specific source-end routers.
The paper is organized as follows: section 2 discusses the related work, section 3 elaborates the network model and assumptions, section 4 presents the architecture of the proposed cooperative multilevel defense mechanism, section 5 evaluates the viability and effectiveness of our mitigation technique, and section 6 concludes.

Related Work
Extensive research has been carried out so far to mitigate the flooding attack. The literature survey reveals that researchers focus on source-end or destination-end solutions capable of detecting and/or preventing the attack. In this section, we discuss the existing defenses against flooding attack that are closely related to our work.
StackPi [6] is a per-packet marking technique capable of filtering attack packets and detecting spoofed source IP addresses. Each packet is embedded with a value that identifies the whole path it traversed, so packets forwarded on a specific path carry the same value. During an attack, this embedded information makes it feasible to identify and drop packets travelling through the same path. Peng et al. [7] proposed a probabilistic packet marking scheme for pushback to the attack source; the marking is based on probability and code transformation. Yu et al. [8] proposed a traceback technique based on the entropy variation of the flow rather than explicit packet marking. Zhang and Dasgupta [9] focus on router-based mitigation, incorporating intelligence into the router; these routers apply cryptographic security that facilitates tracing back to the source of the attack. Even though each technique overcomes the limitations of another, each has limitations of its own. In general, spoofing of packet marks by attackers, the large storage required to reconstruct the path, high resource consumption at the early stage of traceback, and the need to involve all Internet routers are the major limitations of traceback techniques.
Ingress filtering [10] prevents packets with forged source IP addresses from entering the network. An ISP aggregates the traffic from more than one LAN, and during aggregation strict traffic separation must be enforced at the convergence router in order to protect the network. Wang et al. [11] proposed the IP Easypass mechanism, a simple access-control filter incorporated at the edge router to mitigate flooding attack. Both of these works provide protection at the source end of the attack; they can mitigate spoofing attack but not LRFA or HRFA launched with legitimate source IP addresses. Keromytis et al. [12] focused on separating genuine traffic from attack traffic; they designed a dynamic-topology Secure Overlay Service (SOS) network to carry the genuine traffic.
Zhijun et al. [13] classify LRFA using time-domain and frequency-domain analysis. Xie et al. [14] identify low-rate TCP attacks using a mean-distance algorithm at the ingress switches. Liu et al. [15] proposed a low-rate DoS mitigation based on a K-nearest neighbor (KNN) classifier that uses features of the acknowledgement (ACK) packets. The hop count carried in a packet provides some information on its legitimacy [16]: the expected hop count can be predicted, and if there is a large difference between the received packet's hop count and the expected hop count the packet is assumed to be an attack packet and dropped. Information theory and advanced entropy measures are used in [17][18][19] to discriminate legitimate access from illegitimate access. In general these destination-based solutions handle attack packets only at the destination end, leading to more packet loss, while the illegitimate packets consume scarce network resources on the way. Deka et al. [20] identify spoofed attacks using the relationship between the spoofed IP address and the number of open ports.
The literature review reveals that each technique is strong in its own focus but not against all attacks, such as spoofing, HRFA, LRFA and replay attack. Our study reveals that source-end mitigation is capable of defending against spoofing and HRFA but cannot protect efficiently against distributed LRFA. On the other hand, the destination-end solution is highly efficient in detecting HRFA and LRFA, but with tradeoffs such as resource consumption and processing overhead. To overcome these shortcomings, we propose a cooperative multilevel mitigation mechanism.

Network Model and Assumptions
The sample network topology considered in our work, shown in Fig. 2, includes distributed LAN sites LAN1, ..., LAN8, routers R1, ..., R11 and the destination. The nodes in the LAN sites may be legitimate or malicious, denoted as N or A respectively in Fig. 2. LAN sites and the destination server are connected to the external network through an edge router. In our topology edge router R11 connects the destination server to the external network.

Fig. 2. Sample Network
Our proposed work relies on the following assumptions. Each LAN site is connected to an edge router through which all legitimate or attack traffic enters the network. The attack traffic may arise from a compromised host residing in any of the LAN sites connected to the network. The flooding traffic includes spoofing attack, HRFA and LRFA traffic capable of bringing down the destination. The attacker may be an authorized or compromised insider, or an outsider, of a particular LAN site. The LRFA targets the destination with the help of a botnet, and we assume only one botnet is active at any particular instant. The attack traffic generated cannot inundate the ISP network but is capable of locking down the destination. The necessary cryptographic keys are shared through a secure channel. The network topology is static and stable. We have control over all the edge routers.

Security Analysis of the Network Model
The network model of Fig. 2 is an IP-based network that provides security similar to that of a traditional IP network. The attack can arise from any of the LAN sites and may be a spoofing attack, HRFA or LRFA. Spoofing attack and HRFA consume, and may even exhaust, the available bandwidth, degrading the service provided by the network as a whole. LRFA in turn degrades the service provided by the destination server.
The traffic propelled by HRFA and LRFA converges at the destination-side edge router. The destination then gets flooded and the service it provides is degraded, so it is very important to protect such edge routers. Applying the mitigation only at the destination-side edge router lets the attack traffic consume network resources all the way to the destination before it is dropped. Applying the mitigation closest to the source makes proper use of the network resources but does not detect the low-rate attack. Mitigation can therefore be done at different levels. Mitigation at the source protects the network from spoofing and high-rate attack. In Fig. 2, routers R5 and R8 are each connected to more than one LAN. Applying ingress filtering alone protects against spoofing from unknown (unroutable) addresses but not from known addresses; for example, a host in LAN 5 can spoof an address from LAN 7 behind the same router. The remaining distributed attacks are detected at the destination-end edge router. We provide an acceptable and efficient cooperative multilevel defense mechanism to protect the network and destination from spoofing attack, HRFA and LRFA.

Defense Proposal
The architecture of the proposed cooperative multilevel defense mechanism is shown in Fig. 3. It defends against spoofing attack, HRFA and LRFA directed towards the network and the destination. At the source end we incorporate a first level of protection, Threshold based Rate limiting and Spoofing Resistant Tag (TSRT), which protects the network from spoofing attack and HRFA. At the destination end we incorporate a second level of protection, Flow Congruence based Selective Pushback (FCSP), which protects the destination from LRFA. Together, the source-end protection TSRT and the destination-end protection FCSP build the cooperative multilevel defense mechanism that provides uninterrupted service.

Level-1 Mitigation : TSRT protection
The first level of mitigation, TSRT at the source end, protects the network from spoofing attack and HRFA and is elaborated in this section. A network edge router in Fig. 2 may connect more than one LAN site to the Internet: LAN5 and LAN7 are connected to R5, and LAN6 and LAN8 to R8. The routers deployed at the edge of the network must monitor both the incoming and the outgoing traffic of the LAN sites and decide whether to forward or filter it according to the policies or filtering rules configured on them [10]. The ingress filtering policy configured in the edge router allows only IP traffic carrying a registered subnet address and blocks traffic with unroutable addresses. A compromised host residing within a LAN site may still forward a huge volume of attack traffic with its own IP address, causing HRFA. Likewise, any LAN site connected to a particular edge router can forward attack traffic carrying the IP address of another site behind the same router, causing a spoofing attack that ingress filtering does not catch.
The router transmits the traffic generated by any host on the LAN sites to the network. Packets entering the network are controlled and secured by the TSRT mechanism deployed in the router. TSRT combines Threshold (T) based rate limiting with Spoofing Resistant Tag (SRT) based filtering. HRFA is controlled by fixing a threshold T on the amount of traffic each host in the LAN may forward in a given time interval. The threshold is fixed offline from the number of packets each host generates during normal behavior. The packets that get through the rate-limiting module are directed to the SRT embedding module.

The SRT protection mechanism consists of two processes: SRT tagging at the egress router of the LAN and SRT verification at the ingress router of the network. A pseudo random number (PRN) generator with the same seed value runs at both routers, on the LAN side and on the network side, and generates a 64-bit nonce that induces randomness into the SRT. In addition, both routers agree on a hash algorithm H used for generating the SRT. A packet that passes the threshold limiting enters the SRT tagging module, which concatenates the present time stamp (TS) with the source IP address (SIPA), XORs the result with the random number (PRN) and hashes the value to obtain the unique SRT, as in equation 1:

SRT = H((TS || SIPA) XOR PRN)   (1)

The generated SRT is divided into 8, 16 and 8 bits and placed in the ToS, Identification and fragment offset fields of the IP header respectively, highlighted in Fig. 4. In practice fragmentation is rare enough that reusing these fields does not noticeably influence the delivery of the overloaded IP traffic [21]. The SRT-embedded packet is transmitted to the network-side router, which applies the general filtering rules to the incoming traffic and then hands it to the SRT verification module. The SRT generator there uses the source IP address carried in the incoming packet, with the time stamp and PRN from its own synchronized generator, to compute SRT'. If SRT' equals the received SRT the packet is forwarded, on the assumption that it is not an attack packet; otherwise it is dropped. Because the SRT depends on the secret PRN sequence and is recomputed from the address actually carried in the packet, an attacker who does not share the seed cannot produce a valid tag, and a packet whose source address is altered after tagging no longer verifies, which makes the mechanism an effective solution against spoofing. The TSRT mechanism is described in Fig. 5.

Fig. 5. TSRT Algorithm

TSRT thus protects the network from spoofing and HRFA at the early stage, before the attack traffic even enters the network. Once verification succeeds, the SRT is no longer required and the fields it occupied can be reused for the pushback mechanism without additional overhead: the pushback-ID embedding module in the network edge router replaces the SRT with the router's own IP address for source tracing.
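The following is an added worked example written for this edit; it is not the paper's own implementation (the paper's evaluation is an NS-2 model). It models the TSRT pipeline in Python: a per-host, per-slot threshold at the LAN egress router, SRT tagging as SRT = H((TS || SIPA) XOR PRN) with the 32-bit tag split 8/16/8 into the ToS, Identification and fragment-offset fields, SRT verification at the network ingress router, and replacement of the verified tag by the router's own IP as the pushback ID. Everything the paper does not state is an assumption and is marked as such in the code: SHA-256 as H, a one-second time slot, a nonce derived per slot from the shared seed (so that packet loss cannot put the two generators out of step), a one-slot tolerance for clock skew at the verifier, the threshold value, and the constructed addresses and traffic.

```python
import hashlib
import random
import socket
import struct
from collections import defaultdict

SHARED_SEED = 0x5EED1234   # assumption: pre-shared by the LAN egress and network ingress routers
SLOT_SECONDS = 1           # assumption: time-stamp / rate-limit granularity
THRESHOLD = 3              # packets per host per slot (fixed offline from normal traffic; value assumed)


def ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(v):
    return socket.inet_ntoa(struct.pack("!I", v))


def prn_nonce(seed, slot):
    """64-bit nonce from the shared seed. Assumption: derived per time slot so both routers stay in step."""
    return random.Random((seed << 32) | (slot & 0xFFFFFFFF)).getrandbits(64)


def make_srt(src_ip, slot, seed=SHARED_SEED):
    """Equation 1: SRT = H((TS || SIPA) XOR PRN), truncated to the 32 bits the header can carry."""
    ts_sipa = ((slot & 0xFFFFFFFF) << 32) | ip_to_int(src_ip)
    value = ts_sipa ^ prn_nonce(seed, slot)
    digest = hashlib.sha256(struct.pack("!Q", value)).digest()   # assumption: H = SHA-256
    return int.from_bytes(digest[:4], "big")


def embed_tag(hdr, tag):
    """Split a 32-bit value 8/16/8 into ToS, Identification and the low byte of the fragment-offset field."""
    hdr = dict(hdr)
    hdr["tos"] = (tag >> 24) & 0xFF
    hdr["id"] = (tag >> 8) & 0xFFFF
    hdr["frag_off"] = tag & 0xFF
    return hdr


def read_tag(hdr):
    return (hdr["tos"] << 24) | (hdr["id"] << 8) | hdr["frag_off"]


class ThresholdLimiter:
    """Per-host packet budget per time slot (the 'T' part of TSRT)."""
    def __init__(self, threshold=THRESHOLD):
        self.threshold, self.slot, self.counts = threshold, None, defaultdict(int)

    def allow(self, src_ip, slot):
        if slot != self.slot:                      # new slot: every host's budget is reset
            self.slot, self.counts = slot, defaultdict(int)
        self.counts[src_ip] += 1
        return self.counts[src_ip] <= self.threshold


class LanEgressRouter:
    """Rate limiting followed by SRT tagging."""
    def __init__(self, seed=SHARED_SEED, threshold=THRESHOLD):
        self.seed, self.limiter = seed, ThresholdLimiter(threshold)

    def forward(self, hdr, now):
        slot = now // SLOT_SECONDS
        if not self.limiter.allow(hdr["src"], slot):
            return None                            # HRFA: host exceeded its per-slot threshold
        return embed_tag(hdr, make_srt(hdr["src"], slot, self.seed))


class NetworkIngressRouter:
    """SRT verification, then the tag fields are reused for the pushback ID."""
    def __init__(self, router_ip, seed=SHARED_SEED):
        self.router_ip, self.seed = router_ip, seed

    def forward(self, hdr, now):
        slot = now // SLOT_SECONDS
        # SRT' is recomputed from the source address the packet actually carries.
        # Assumption: the previous slot is also accepted to tolerate clock skew between routers.
        expected = {make_srt(hdr["src"], s, self.seed) for s in (slot, slot - 1)}
        if read_tag(hdr) not in expected:
            return None                            # spoofed, untagged or stale tag: drop
        return embed_tag(hdr, ip_to_int(self.router_ip))   # replace SRT with pushback ID


def run_demo():
    """Constructed traffic: one over-threshold host, one spoofed packet, one untagged packet."""
    lan, net = LanEgressRouter(), NetworkIngressRouter("192.0.2.5")
    now = 1_700_000_000
    stats = {"accepted": 0, "rate_limited": 0, "spoof_dropped": 0, "pushback_ids": set()}
    for _ in range(5):                             # 5 packets in one slot, threshold 3
        tagged = lan.forward({"src": "10.5.0.7", "dst": "198.51.100.10"}, now)
        if tagged is None:
            stats["rate_limited"] += 1
            continue
        out = net.forward(tagged, now)
        stats["accepted"] += 1
        stats["pushback_ids"].add(int_to_ip(read_tag(out)))
    tagged = lan.forward({"src": "10.5.0.8", "dst": "198.51.100.10"}, now)
    tagged["src"] = "10.7.0.3"                     # source address rewritten after tagging (LAN7 spoof)
    if net.forward(tagged, now) is None:
        stats["spoof_dropped"] += 1
    untagged = {"src": "10.7.0.3", "dst": "198.51.100.10", "tos": 0, "id": 0, "frag_off": 0}
    if net.forward(untagged, now) is None:         # injected past the tagging router, no SRT
        stats["spoof_dropped"] += 1
    return stats


if __name__ == "__main__":
    print(run_demo())
```

Of the five packets the host sends in one slot, three pass and two are rate limited; the rewritten-source packet and the untagged packet both fail verification because SRT' is recomputed from the address in the packet, and every accepted packet leaves the ingress router carrying that router's IP in the former tag fields. The verifier keeps no per-packet state, so correctness depends on the two routers agreeing on the time slot and the PRN sequence; the one-slot tolerance above is the knob a deployment would tune against its clock skew.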

Level-2 Mitigation : Flow congruence based Selective Pushback (FCSP)
The level-1 mitigation protects against spoofing attack and HRFA, but LRFA bypasses TSRT: LRFA traffic looks like genuine traffic near the source and reveals its nature only towards the destination [22]. LRFA is therefore more effective at eroding the service available to genuine flows. This nature of LRFA lets it slip past the TSRT mechanism and calls for a distinct component to mitigate it. In this subsection, we describe our second level of mitigation, FCSP, against LRFA.
LRFA originates from a botnet, a prebuilt program installed in many compromised systems that act as bots. These bots initiate LRFA into the network. The traffic induced by the diverse bots is highly congruent because it evolves from the same program. All bots initiate their sessions at the same time [23,24], which induces flow congruence in the traffic arriving at the destination. LRFA reflects this flow congruence in the arrival rate, time stamps, packet inter-arrival interval, packet size and so on. The flow congruence is high in LRFA when compared to genuine flows.
Our mitigation, deployed at the destination-side router, monitors each new flow that arrives. The traffic flow rate fr_i is computed for each new flow f_i that enters the router, for each time slot δ_i over some time limit T. If the traffic flow rate fr_i is the same in every time slot δ_i, we deliberately drop a few packets of the flow. This exploits the nature of TCP: when the sender of flow f_i does not receive acknowledgements for the traffic it has sent, it assumes the network is congested and reduces its flow rate fr_i. The bots, in contrast, do not reduce their traffic. The deliberate loss therefore reduces fr_i for genuine flows but not for LRFA, which separates the two. The flows f_i identified as LRFA are dropped to protect the destination and to keep service uninterrupted for genuine flows.
The flow congruence mechanism is incorporated in every network edge router and activated on demand. Our flow congruence measurement is based on the standard Pearson correlation coefficient [25], which measures the degree of likeness between two flows: a Pearson coefficient of 1 between two flows means they are perfectly congruent. The comparison is made among all flows. From our analysis the congruence cut-off is fixed at 30%; below 30% there is a greater chance of false positives. On suspecting LRFA, the selective pushback mechanism is activated at the router. It generates an ICMP message and forwards it to the source edge router (identified by the pushback ID that the network edge router wrote into the packet header in place of the SRT), specifying LRFA and requesting further screening, i.e. activation of the flow congruence mechanism there. On receipt of the ICMP message, the source edge router activates the flow congruence mechanism on its local traffic and blocks the IP addresses having the same distance. The rest of the transit ICMP traffic is forwarded as usual. The pushback algorithm is given in Fig. 8.
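As an added worked example (written for this edit, not the paper's code), the two-stage FCSP logic in Python: stage 1 computes the Pearson coefficient between the per-slot rate vectors of every pair of flows and marks as suspects the flows whose congruence reaches the paper's 30% cut-off; stage 2 applies the deliberate-drop probe to the suspects and confirms as LRFA only the flows whose sender does not back off; the confirmed flows are then grouped by pushback ID (the source-edge router IP that TSRT wrote into the header) so that one pushback request per source edge router can be generated. The constructed flows, the 25% back-off criterion used to decide that a sender reacted to loss, and the "after probe" rate vectors (which in a live router would be the rates observed in the slots following the drop) are assumptions; the paper gives none of these numbers. The sample deliberately includes a genuine but periodic flow (user-c) that is congruent with the bots, to show how the probe clears it.

```python
import math
from dataclasses import dataclass

CONGRUENCE_THRESHOLD = 0.30   # paper: congruence cut-off fixed at 30%
BACKOFF_FRACTION = 0.25       # assumption: a sender that cuts its rate by >= 25% after the probe reacted to loss


@dataclass
class Flow:
    name: str
    src_ip: str
    pushback_id: str           # source-edge router IP that TSRT wrote into the ToS/ID/offset fields
    rates: list                # packets per time slot delta_i observed over T before the probe
    rates_after_probe: list    # packets per slot observed after the router deliberately dropped packets


def pearson(x, y):
    """Standard Pearson correlation coefficient between two equal-length rate vectors."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        # A constant-rate flow has undefined correlation. Two constant flows have
        # identical shape, so treat them as fully congruent; otherwise report none.
        return 1.0 if sxx == 0 and syy == 0 else 0.0
    return sxy / math.sqrt(sxx * syy)


def congruent_flows(flows, threshold=CONGRUENCE_THRESHOLD):
    """Stage 1: flows that are congruent (Pearson >= threshold) with at least one other flow."""
    suspects = set()
    for i, f in enumerate(flows):
        for g in flows[i + 1:]:
            if pearson(f.rates, g.rates) >= threshold:
                suspects.update((f.name, g.name))
    return suspects


def probe_confirms_attack(flow, backoff=BACKOFF_FRACTION):
    """Stage 2: after the deliberate drop a TCP sender backs off; a bot keeps its rate."""
    before = sum(flow.rates) / len(flow.rates)
    after = sum(flow.rates_after_probe) / len(flow.rates_after_probe)
    return after > before * (1 - backoff)


def fcsp(flows):
    """Run both stages; return suspects, confirmed LRFA flows and pushback targets per source router."""
    suspects = congruent_flows(flows)
    confirmed = [f for f in flows if f.name in suspects and probe_confirms_attack(f)]
    pushback = {}
    for f in confirmed:
        pushback.setdefault(f.pushback_id, []).append(f.src_ip)
    return suspects, [f.name for f in confirmed], pushback


def pushback_messages(pushback):
    """One ICMP-style pushback request per source edge router (payload shown as a dict)."""
    return [{"to": router, "type": "LRFA", "block": ips, "action": "activate flow congruence"}
            for router, ips in sorted(pushback.items())]


# Constructed sample: eight slots of per-flow packet counts as seen at R11 (not measured data).
FLOWS = [
    Flow("user-a", "10.1.0.10", "192.0.2.1", [12, 15, 9, 7, 11, 13, 16, 8], [12, 14, 10, 8, 11, 12, 15, 9]),
    Flow("user-b", "10.3.0.22", "192.0.2.3", [9, 4, 8, 10, 6, 5, 7, 5], [8, 5, 8, 9, 6, 6, 7, 5]),
    Flow("user-c", "10.2.0.5", "192.0.2.2", [10, 12, 10, 12, 10, 12, 10, 12], [5, 6, 5, 6, 5, 6, 5, 6]),
    Flow("bot-1", "10.5.0.7", "192.0.2.5", [2, 3, 2, 3, 2, 3, 2, 3], [2, 3, 2, 3, 2, 3, 2, 3]),
    Flow("bot-2", "10.5.0.9", "192.0.2.5", [4, 6, 4, 6, 4, 6, 4, 6], [4, 6, 4, 6, 4, 6, 4, 6]),
    Flow("bot-3", "10.8.0.4", "192.0.2.8", [2, 3, 2, 3, 2, 3, 2, 3], [2, 3, 2, 3, 2, 3, 2, 3]),
]

if __name__ == "__main__":
    suspects, confirmed, pushback = fcsp(FLOWS)
    print("congruent:", sorted(suspects))
    print("confirmed LRFA:", confirmed)
    for msg in pushback_messages(pushback):
        print(msg)
```

Stage 1 flags user-c together with the three bots (their rate vectors are linearly related, so the coefficient is exactly 1), while the two irregular genuine flows stay below the cut-off. Stage 2 clears user-c, whose rate halves after the drop, and confirms the bots, whose rate is unchanged; the result is one pushback request to 192.0.2.5 listing two bot addresses and one to 192.0.2.8. The congruence stage alone would have produced a false positive here, which is why the paper pairs it with the deliberate-drop probe.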

Performance analysis
The simulation topology used in our analysis is shown in Fig. 9. The proposed cooperative mitigation mechanisms, TSRT and FCSP, are incorporated in the edge routers. Each source-side edge router performs a simple threshold-based rate limiting on the incoming packets as a preprocessing step; incoming packets beyond the threshold are dropped. In addition, each source-side edge router performs SRT embedding and the network-side edge routers perform SRT verification. The destination-side edge router R11 performs flow congruence analysis on the incoming packets and initiates the pushback mechanism. The malicious packet drops caused by our flooding control mechanism are shown in Fig. 9: router R5 shows the spoofed-packet drop of the first-level mechanism, TSRT, and R1 shows the packet drop of the second-level mitigation, pushback.

Fig. 9. Simulation topology with illegitimate drop

First, we simulate the level-1 mitigation mechanism in our simulation topology. We assess SRT filtering against an ordinary spoofing attack and compare it with an existing spoofing protection mechanism, StackPi [6]. The comparative result in Fig. 10 shows that SRT achieves complete protection against the spoofing attack. Then we induce HRFA along with the spoofing attack and compare TSRT with entropy-based filtering [8]. The result shown in Fig. 11 shows that TSRT performs better in mitigating HRFA and spoofing attack. Entropy-based filtering can act only on the HRFA: since it cannot identify spoofed packets, it lets spoofed packets that stay within the rate limit pass through. Our TSRT technique drops spoofed packets completely and restricts the high-rate packets, resulting in considerable improvement over the other techniques. We compare TSRT with the other mitigations (entropy, threshold-based rate limiting, StackPi and SRT alone) in Fig. 12.
The graph shows that TSRT performs better than the other techniques. Next we analyze the performance of the level-2 mitigation, FCSP. The test traffic is induced from the LANs; the traffic generated by each LAN may be genuine or a combination of genuine and attack traffic, as represented in the sample network. We make our analysis by incorporating TSRT alone, FCSP alone, and both together as the cooperative multilevel solution. The result shown in Fig. 13 shows that the cooperative multilevel mechanism outperforms single-level mitigation.

Conclusion
Extensive research has been carried out to alleviate flooding attack. Existing solutions are effective against HRFA, spoofing attack or LRFA, but not against all of them; the solution that best suits one type of attack is void against the others. Moreover, providing protection at the source alone or at the destination alone is not a complete solution for protecting the network from all types of attack. We have proposed a cooperative multilevel defense mechanism to fill these inadequacies. Our first contribution is the Threshold based rate limiting with Spoofing Resistant Tag (TSRT) mechanism, which identifies and reacts to spoofing attack and HRFA at the source end. As the second level of mitigation, we implemented the Flow Congruence based Selective Pushback (FCSP) mechanism at the destination end. We demonstrated the effectiveness of our cooperative multilevel scheme against a well-distributed denial of service attack. Simulation results show that our scheme detects and reacts effectively to the flooding attack at the earliest point, closer to the source of the attack. The work can be extended to a multilayer multilevel mechanism, and the mitigation could also be implemented using machine learning algorithms.