ddos lab 4 (docx, 8 pages)
School: Clemson University
Course: MISC
Subject: Electrical Engineering
Date: Jan 9, 2024

Laboratory 4
Name: Abhiram Kasturi
CUID: C69791626

Abstract
This lab report discusses the results of an experiment in entropy-detection spoofing, used to identify and analyze Distributed Denial of Service (DDoS) attacks. It involves generating entropy files from network traffic data and then spoofing these files to see how the irregularities caused by a DDoS attack can be hidden from detection. The second part of the report focuses on dynamic DDoS mitigation (DDM), where the main idea is to scale the number of machines dynamically to mitigate the attack.

Part - A: Methodology

Setup:
First, we start the VM. To do that, we run the commands:
vboxmanage import <.ova file>
vboxmanage startvm <VM name> --type headless
In the VM, we go to the DDoS_Lab6 folder. We will be working in this folder for most of the experiment.

Process:
We first generate the spoofed histogram file, using 'outputTime0604.hist' as the input file. This takes 10-20 minutes to finish. The command is:
./entropy_spoofV3.py outputTime0604.hist gen_spoofed.hist.out complete_attack_times 1.25 -c 1
We have now generated the spoofed histogram file. Next we generate the entropy files from the histogram files. We use the original histogram file 'outputTime0604.hist' to generate the 'one.entr' file:
./calculate_entropyV2.py outputTime0604.hist one
Then we generate the spoofed entropy file 'two.entr' from the 'gen_spoofed.hist' file:
./calculate_entropyV2.py gen_spoofed.hist two
Now we move the two entropy files to the DDoS_Lab6 directory and compare them. We plot the entropy before and after spoofing for a visual comparison, where 'one.entr' represents the entropy before spoofing and 'two.entr' the entropy after spoofing. To plot the graphs we use:
./plot.py -d one.entr 1
./plot.py -d two.entr 1
From the graphs, we can see that the attack is detected with ease in the before-spoofing case: a threshold of a little over 0.8 triggers and indicates that a DDoS attack is in progress. In the graph of the after-spoofing entropy file, however, we cannot visually tell when the attack took place. This is clear evidence that entropy spoofing makes a DDoS attack hard to detect.

Next we create a histogram file from all the traffic captured in Labs 1 to 3. For this, we move all the pcap files to the 'root/DDoS_Lab6/Appendix/autoTest/' directory. We log in to the CnC machine where the pcap files are located and send them to the destination with the scp command, selecting all the pcap files (*.pcap). Checking the 'autoTest' directory, we should now see all the pcap files. After gathering them, we use the following command, which takes all the pcap files in the autoTest folder and generates the 'autoTest.hist' histogram file:
./pcap2hist.py
Now we generate a spoofed histogram from the histogram produced in the previous step. Using 'autoTest.hist' as input, we generate the spoofed histogram file 'spoof_autoTest.hist' with:
./entropy_spoofV3.py autoTest.hist spoof_autoTest.hist.out complete_attack_times 1.25 -c 1
From these two histogram files, the original 'autoTest.hist' and the spoofed 'spoof_autoTest.hist', we generate the entropy files 'one.entr' and 'two.entr':
./calculate_entropyV2.py autoTest.hist one
./calculate_entropyV2.py spoof_autoTest.hist two
We then move the two generated entropy files to the DDoS_Lab6 directory. Finally, we compare the two entropy files by plotting their time series:
./plot.py -d one.entr 1
./plot.py -d two.entr 1

Questions:
Execute the ./entropy_spoofV3.py script for three different values of the scale (close to 1) and see if you can get better results.

Discuss the pros and cons of using entropy to detect DDoS attacks.
Advantages:
- Entropy-based detection provides better detection capability than volume-based methods.
- Comparing the rate of change of the entropy of packet header fields helps identify anomalous traffic patterns and detect changes in randomness.
- Entropy-based methods are independent of the traffic pattern, which reduces computation time.
- Entropy-based methods provide additional information for categorizing different types of anomalies; a higher variance in the data points of the histogram plot leads to a higher entropy rate.
Disadvantages:
- The threshold value for entropy-based detection cannot be updated dynamically, which makes it less useful for intrusion detection.
- Entropy-based detection may not effectively detect DDoS attacks with varying traffic rates, even after changing the scale of the spoofed entropy.
- Entropy-based detection takes more time than other methods and may generate a large number of false-positive alarms.

What is the difference between the two scenarios (using the provided histogram file and generating it from pcap files), and why did the plot.py script not work for our pcap-generated entr file?
The difference between the two is that in the first scenario the histogram file already exists and is provided, whereas in the second scenario the histogram file must be generated from the pcap files. The plot.py script may not have worked for the pcap-generated entropy file because the format or structure of that entropy file may differ from what the script expects. The script may have been designed for specific types of entropy files, such as those generated by particular tools or methods, and may not be compatible with other types. Additionally, there may be differences in the data or metadata contained in the entropy file that affect the script's ability to read and interpret it correctly.
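To make the Part A pipeline concrete (histogram per time window, one entropy value per window, a fixed threshold as read off the first plot), here is an added example that is not one of the lab's scripts. The packet records, the 1-second window, the 0.8 threshold and the normalization by log2 of the packet count are assumptions made for this example, not taken from calculate_entropyV2.py.

```python
"""Per-window source-address entropy for DDoS detection: an added example that
mirrors calculate_entropyV2.py's idea and the lab's 0.8 threshold on made-up data."""
import math
from collections import Counter, defaultdict


def make_sample_packets():
    """Constructed traffic as (timestamp, source_ip): seconds 0-3 carry five
    clients with uneven load; second 3 also gets 400 packets that each come
    from a different spoofed documentation-range address (a randomized flood)."""
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
    weights = [40, 30, 15, 10, 5]  # packets per client per second
    packets = []
    for second in range(4):
        for ip, count in zip(clients, weights):
            packets += [(second + 0.5, ip)] * count
    prefixes = ["192.0.2", "198.51.100"]
    packets += [(3.5, f"{prefixes[i // 256]}.{i % 256}") for i in range(400)]
    return packets


def build_histograms(packets, window=1.0):
    """Map each window index to a Counter of source addresses, i.e. the per-bin
    histogram that the lab's pcap2hist.py step produces."""
    hists = defaultdict(Counter)
    for ts, src in packets:
        hists[int(ts // window)][src] += 1
    return dict(hists)


def normalized_entropy(hist):
    """Shannon entropy over log2(total packets): 1.0 if every packet has its own
    source, 0.0 for one source or an empty window (no division by zero)."""
    total = sum(hist.values())
    if total <= 1:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in hist.values())
    return h / math.log2(total)


def entropy_series(packets, window=1.0):
    """One entropy value per window, in window order (the .entr time series)."""
    hists = build_histograms(packets, window)
    return [normalized_entropy(hists[i]) for i in sorted(hists)]


def detect_attacks(entropies, threshold=0.8):
    """Window indices whose entropy exceeds the threshold, as read off the plot."""
    return [i for i, e in enumerate(entropies) if e > threshold]
```

With the constructed data the three normal windows sit near 0.30 and the flood window near 0.90, so only window 3 is flagged; spoofing, as the lab shows, works by pushing the normal windows toward the same level so the threshold no longer separates them.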
Part - B: Methodology

Setup:
First, we log in to the DDM DNS machine hosted at 192.168.10.112. After logging in, we find a file named 'ddm.py'. We rename it to our username, 'kasturi.py', and run it with:
python3.6 kasturi.py
Now we connect to the CnC machine hosted at 192.168.10.111. After connecting, we monitor the response time of the URL http://edge.ddm.lan with:
./ping_web.sh http://edge.ddm.lan
Next we launch a flood attack on http://edge.ddm.lan with:
pssh -h bot.txt -t30 'sleep 1; hping3 --udp -d 10000 -p 80 --flood http://edge.ddm.lan & sleep 10; pkill hping3'
We can check the proxy status on the DDM DNS machine. Checking the webpage load time after the flood attack, we observe that it has increased. In another terminal, we target www.victim.lan (192.168.10.112) and monitor its response time with:
./ping_web.sh 192.168.10.112
Now we run a flood attack on the same URL with:
pssh -h newbot.txt -t30 'sleep 1; hping3 --udp -d 10000 -p 80 --flood 192.168.10.112 & sleep 10; pkill hping3'
We can see that http://edge.ddm.lan has a longer load time than www.victim.lan. Now we increase the -d parameter from 10000 to 100000. The first graph shows the resulting response time for http://edge.ddm.lan, and the second shows the response time for www.victim.lan.

Questions:
1. Can this system withstand a DDoS attack? Why or why not?
When a sudden DDoS attack occurs, a Dynamic DDoS Mitigation (DDM) system initially struggles to maintain the response time because of the attack's high volume. Web caches are deployed to mitigate the attack and prevent further degradation of the response time. The response time remains normal for the initial few seconds, and it gradually improves as the DDM system brings additional web caches into service. In a gradually increasing attack, the response time can be maintained for up to a minute. As the attack persists, the web caches may eventually fail, but the DDM system can quickly deploy new web caches to steady the response time. A DDM system can therefore withstand a DDoS attack by continuing to deploy web caches as necessary.

2. In what cases would you use a DDM system? Why do you think it is valuable in that case?
DDM systems can be used in various scenarios to protect against DDoS attacks. One example is a data center where a company hosts its web applications. A DDM system can be deployed in such an environment to protect the web servers from DDoS attacks, using techniques such as rate limiting, traffic filtering, and traffic redirection. Additionally, a DDM system can monitor network traffic and detect anomalous patterns that may indicate an ongoing attack; in such cases it can take immediate action to mitigate the attack by redirecting traffic to dedicated scrubbing servers or blocking traffic from known malicious IP addresses. DDM systems can also be used in other scenarios, such as e-commerce websites, online gaming platforms, and financial institutions. There the availability and performance of the services are critical, and any disruption caused by a DDoS attack can result in significant financial losses. Deploying a DDM system therefore provides a layer of protection against such attacks and keeps the services available to legitimate users.

3. Discuss what you would change if you were to implement this system on the Internet.
The DDM system can be used on the Internet to protect web servers and websites against the constant threat of DDoS attacks. The system can provide continuous protection against smaller-scale attacks and can hold the response time and webpage load time of the servers during an attack. It activates web caches to mitigate the attack: two web caches absorb the DDoS traffic while the third improves the response time. However, when deploying this system for large websites such as Amazon or other cloud services, it is important to consider that there will be numerous nodes at which the attack can occur. All nodes must be well protected and continuously monitored so that the entire system remains safe. Increasing the number of web caches used by the DDM system can protect the entire website. Since these websites are hosted on web servers, the extended DDM system must be implemented on the server so that all nodes running on it are protected.

4. Discuss the advantages and disadvantages of these alternatives:
a. Using a commercial service like Cloudflare.
b. Setting up your own DDM service for your company.
c. Finding a diverse group of companies to set up a cost-sharing solution that provides DDM services as needed to members.
Each of the three DDM service options has its own advantages and disadvantages. Choosing a commercial service like Cloudflare offers an established and reputable provider with a large network and experience in mitigating DDoS attacks. However, it can be expensive and may not be customizable to the company's specific needs. Setting up your own DDM service for your company can be tailored to your needs and gives greater control over the system. However, it can be costly to set up and maintain, and the company may not have the same level of expertise and experience as a commercial provider. Finding a diverse group of companies to set up a cost-sharing solution for DDM services allows for cost savings and shared expertise. However, coordination between the different companies may be challenging, and the level of expertise and experience may vary among the participants.