Fig 2: Half open connection
Initially, the client establishes a TCP connection to the server by sending a request to the server with the SYN flag set.
After receiving the SYN request from the client, the server responds by sending an ACK message with a 16-bit identity field to the packet's source IP address.
The legitimate client receives that message and may or may not send a final ACK message, which the server ignores. If the client is spoofed, it will not receive the ACK message from the server.
After that, the client again establishes the connection with the server by sending a SYN message along with the 16-bit identity field previously received from the server.
The server then checks the IP address and the identity field value; if they are correct, the server sends an ACK message to the client, otherwise it drops the request.
After receiving the ACK message from the server, the client sends the final ACK message and the connection will be successfully
his techniques, the problem of half open connection can be avoided and spoofed
IP address can be detected as well.
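
The two-round exchange described above, simulated from the server's side as an added example (not code from the original proposal). The class and method names, the 5-second identity lifetime, the one-attempt-per-identity rule and the documentation-range IP addresses are assumptions made for illustration.

```python
import secrets
import time


class IdentityHandshakeServer:
    """Server side of the two-round SYN exchange (simulation, no sockets)."""

    def __init__(self, ttl=5.0, clock=time.monotonic):
        self.ttl = ttl            # assumed lifetime of an issued identity
        self.clock = clock
        self.pending = {}         # source IP -> (identity, expiry)
        self.awaiting_ack = set()
        self.established = set()

    def on_syn(self, src_ip, identity=None):
        """Return (reply, identity) for a SYN claiming to come from src_ip."""
        now = self.clock()
        if identity is None:
            # Round 1: send a fresh 16-bit identity to the claimed address.
            # Only the (address, identity) pair is remembered.
            ident = secrets.randbits(16)
            self.pending[src_ip] = (ident, now + self.ttl)
            return ("ACK+ID", ident)
        # Round 2: the SYN must echo the identity issued to this address.
        issued = self.pending.pop(src_ip, None)   # assumed: one try per identity
        if issued is None or now > issued[1] or identity != issued[0]:
            return ("DROP", None)
        self.awaiting_ack.add(src_ip)
        return ("ACK", None)

    def on_ack(self, src_ip):
        """Final ACK: ignored after round 1, completes round 2."""
        if src_ip not in self.awaiting_ack:
            return False
        self.awaiting_ack.discard(src_ip)
        self.established.add(src_ip)
        return True


def demo():
    """Constructed scenario: one legitimate client, one spoofed source."""
    server = IdentityHandshakeServer()
    _, ident = server.on_syn("198.51.100.7")      # legitimate client
    server.on_ack("198.51.100.7")                 # round-1 ACK is ignored
    legit = server.on_syn("198.51.100.7", ident)[0]
    server.on_ack("198.51.100.7")
    # Spoofed source: the identity went to the real owner of 203.0.113.9,
    # so the sender never sees it and can only guess.
    _, real = server.on_syn("203.0.113.9")
    spoofed = server.on_syn("203.0.113.9", real ^ 1)[0]
    return legit, spoofed, sorted(server.established)
```

Calling `demo()` shows the legitimate client reaching the established set while the spoofed source's second SYN is dropped.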
problem that will be solved is how to detect DDOS attacks that are within the threshold level. For example, if a source is sending 60 requests in a minute and the threshold is set to 40 requests per minute, then the system will drop these requests and will block the source. Now if requests from attackers are within the threshold level, the attackers will try to keep the server busy so that it cannot serve legitimate users.
of the technique is Auto Scaling [21].
In terms of cloud computing, Auto Scaling is scaling up the resources according to need. If attackers are using the resources, they will try to keep the resource busy so that legitimate users cannot use that resource. Scaling up resources to a certain limit allows legitimate users to use the resource, and if any user uses resources beyond a selected time limit and resource limit, the connection should be dropped or blocked. Auto scaling involves limitations on scaling up of resources and on duration. For example, if the scaling limit [21] is set to 80% of CPU utilization and utilization stays above 80% for the duration of one minute, additional CPUs will be allocated. Similarly, if CPU utilization is less than 80% for the duration of one minute, the additional CPUs will be scaled down.
will propose techniques to detect spoofed IP addresses and a technique to detect DDOS attacks within the threshold, because in most of the literature only attacks within threshold are detected. For IP address detection, two techniques will be proposed and will be tested on Wireshark. The report on comparison results will
Aims and Objectives
To prevent DDOS attacks in cloud computing by proposing techniques for:
Detection of packets from spoofed IP addresses
Detection of DDOS attacks within the
time and Deliverables
1st JAN – 5th AUG
Framework for preventing DDOS attacks
6th AUG – 10th OCT
11th OCT – 10th
Research paper on preventing DDOS attacks by detecting spoofed IP addresses.