Development of a system for protecting against DDoS attacks at the L7 level of the OSI model - HTTP Flood

In today's world of globalization and rapid development of information technology, it is impossible to build a business or a production process without using the latest advances in information technology. Among the most promising branches of this field are the development and application of cryptographic means of protecting information for various purposes, including use by government bodies and commercial organizations, the implementation of electronic document management tools, the wider use of public-key encryption schemes, and means of protecting web resources from DoS attacks. The problem of countering and repelling Denial of Service attacks is an urgent one because of the widespread introduction of information technologies and the globalization of the Internet, which in turn requires effective protection methods whose cost is adequate to the services provided. This paper proposes a practical implementation of a technique for detecting one of the most common DDoS attacks at the L7 level of the OSI model, HTTP Flood.


Introduction
In the modern world, information technologies are ubiquitous and all areas of communication and human relations rely on them; business, marketing and infrastructure building, indeed all aspects of our life, are developed using information technologies and the most recent and complex tools. In addition, it is an important task to set up and implement proper legal mechanisms at the national level in the Russian Federation and to make the process more flexible and better fitted to the current environment. Among the most promising areas in the development of information technologies are the creation and implementation of cryptographic methods for ensuring data security, which can be applied in all areas of life. In addition, DDoS attacks can also be used for financial gain, for example when a company pays the attackers in order to avoid damage to its reputation.
Currently, a number of factors make it difficult to repel and effectively resist distributed attacks. The fact that the vast majority of attacks do not entail establishing a communication session with the attacking source further complicates identifying the attacker. Furthermore, even if an attacker is found, it is sometimes impossible to punish him because of flaws in the laws of many states.
Summarizing the foregoing: given the widespread adoption of information technologies and the globalization of the Internet, the problem of preventing and repelling denial-of-service attacks is a pressing one that requires effective defense measures whose cost is commensurate with the reasonable expense of providing the services.
This research proposes a method for identifying HTTP Flood, one of the most prevalent DDoS attacks at the L7 level of the OSI model. The method is based on a mathematical model that simulates client-server communication. More accurate attack detection depends on the model considered in the study, which takes into account the specific characteristics of the parameters describing the functioning of the network and the server. The author also proposes a software implementation of this method, described as a functionality extension module for the HTTP Flood reject system, which repels a large volume of erroneous requests from the attacking side. The adoption of this kind of technique aims to defend the vital assets of business organizations and individuals against attack so that services can continue to be delivered.

Features of the implementation of attacks such as DDoS
The main goal of a denial-of-service attack is to disrupt the accessibility of data assets by taking the attacked object out of its working state, which in turn makes the resources inaccessible to legitimate users of the information system. An attack of this type can have two sources: the first is the exploitation of vulnerabilities in the software of the victim's information system, the second is the sending of such a large number of network packets that the server is overloaded (for example, HTTP flood) [3].
Comparing the two methods, the first requires the attacker to have extensive knowledge and high qualifications, while the second relies on so-called brute force. Let us consider the second option in more detail. Its essence is that a heavy load is placed on the server's computing resources because a large number of packets are sent from the intruder's side, all of which must be processed by the server. Such a high load means that the server is unable to process requests from valid users of the information system, which can lead to a significant increase in request processing time on the server or to its failure.
It is also necessary to take into account that among such attacks two types of anomalies are distinguished: the load on the computing resources of the information system and the load on the bandwidth of the communication channel. The technique proposed in the current work is focused on protection against attacks of the second type, and in what follows we assume that the server's computing resources are sufficient to process all packets sent to it.
When implementing Denial of Service attacks, the attacker does not care about the server's processing of the sent packets. Thus, an attacker can send requests from false and irrelevant user agents, as well as from false IP addresses, which, in turn, acts as an obstacle to effectively detecting and countering such attacks.
Also, for the successful implementation of a DoS attack, it is necessary to have a high bandwidth of the communication channel. Due to this factor, this attack is carried out simultaneously from several hosts. In this case, this type of denial of service attack is called DDoS. As mentioned earlier, for the implementation of a distributed attack, the attacker often uses working machines that are not the property of the attacker, called "Zombies". Among the ways to infect such hosts, the most common is the introduction of a Trojan program into the software of computers of real network users. Further, at the command of the attacker, which serves as the beginning of the attack, the embedded program transforms the workstation, which has access to the global network, into a source of illegitimate requests, the purpose of which is to overload the computing resources of the information system server.

DDoS Attack Detection Principles
Some experts believe that no special tools are required to detect Denial of Service attacks, since the fact of such an attack on a service is very obvious. Under some conditions this statement is justified. At the same time, over the entire history of this kind of attack, a large number of cases have been noted in which the attack was noticed only several days after it started; one consequence is excess cost for Internet traffic, which may itself be discovered only when the bills for using the provider's network are paid. Moreover, most protection methods are ineffective when installed on the target of an attack, but are more effective when detection is performed on network backbones.
Thus, the most appropriate way to organize protection is to place a protection system at an intermediate level between the client and the server in order to repel attacks effectively. Effective repelling also requires qualified knowledge of the type, nature and other distinctive characteristics of the various Denial of Service attacks, which makes it possible to secure information systems as quickly as possible and with less effort. Services and organizations that provide protection against such attacks are able to determine the specified traffic characteristics and make the necessary settings on the target server system to minimize damage. Thus, they can set the given conditions, but cannot determine exactly what caused the denial of service, because it may also result from an abnormal event on the target server.
According to the rules of the security policy, once a Denial of Service attack is established, it must be registered immediately for further analysis. Then, under certain conditions (an ongoing attack, or the need to adjust the traffic filtering rules), a security service may be required to restore normal functioning of the service and to legitimize the incoming traffic. When attacks are detected, it is also advisable in some cases to redirect traffic through other communication channels and to use spare servers holding copies. It should be noted that protecting information systems against attacks of this type is a non-trivial task, for which various protection methods can be used, depending on the type of information to be protected.
Accordingly, methods for detecting DDoS attacks are conventionally divided into 3 groups [4]:
- signature: methods based on analysis of the quality of incoming traffic;
- statistical: methods based on quantitative analysis of incoming traffic;
- hybrid: methods consisting of a combination of the above.

Known DDoS Protection Methods
The organization of protection against distributed denial-of-service attacks is a rather complex undertaking. First of all, it is rather difficult to determine the source of the threat correctly; besides, host owners often do not suspect that their resource is being attacked at a given moment, and the users from whose devices the attack is carried out are completely unaware of it. Also, the process of identifying parasitic traffic is very laborious in itself. From a security standpoint, Denial of Service attacks are the most dangerous threat in the network, and therefore taking effective countermeasures is a difficult task for organizations providing protection services against these types of attacks. Thus, the most effective way to detect such attacks is to analyze the abnormal behavior of network traffic.
Because malicious traffic is very similar to legitimate traffic, it is difficult to distinguish it from real traffic from legal users of the information system. For this reason the following components are important for organizing a network security strategy: firewalls, intrusion detection systems, black-hole routing, and others. It should also be noted that the use of these technologies does not guarantee complete protection against DDoS attacks [5][6][7].

Algorithmic application of the created method
The created technique for repelling attacks consists of the following components, as shown in Figure 1: a proxy server that applies a method for filtering incoming requests, and a victim server where the attacked information system is physically located.

Suggested method for filtering requests
Some end-user requests are directed to a proxy server, where they are handled, after which a response to the client may be produced on the intermediary itself. Otherwise the request is sent on, in the same form, to the target server, and the response from it is then passed back to the client. Figure 2 schematically shows a system with a proxy server. In this system, a proxy server can act both as a server and as a client: at the moment of receiving requests from the client part of the information system it is a server, and in relation to the target server it is a client.
Next, we consider the operation of the intermediary server in more detail. First, the server waits to receive client requests on port 80 (HTTP). Then, for each request, a separate data processing thread is created in which the request is processed. Upon receiving a request, the proxy server checks the source IP address: if it is blocked, a 403 response is issued to the requester; otherwise the request is routed to the destination server.
In all other circumstances, the request is routed to the remote computer where the content is located or, if one has been specified, to another proxy server. In this scenario there is one more cache miss (an unsuccessful attempt to use the cache). After the target server has processed the client's request, a 200 response is returned; it is first sent to the proxy and then forwarded to the client. The proxy server also keeps statistical information on its communication with the target machine.

Testing software modules
In the current chapter, the modules of the developed software are described, along with examples of the operation of the software tool. The tool is implemented as an emulator of an attack monitor and a protection monitor. It is assumed that the attack monitor is an organized botnet consisting of infected devices connected to the global Internet, and the protection monitor is software installed on a proxy server that filters traffic.
Let us consider the components of the attacking side in more detail. First, the Attack Options section, depicted in Figure 3. This window contains 3 input fields. In the "Domain" field, the domain name of the site to be attacked is entered. The "IP" field indicates the IP address of the server or hosting on which the site is physically located; this data can also be pulled automatically from DNS by pressing the "Tab" button. The "Load" field indicates the average number of invalid requests per second, which can also be interpreted as the number of attackers. This window also contains the "Attack" button, which, when clicked, activates attacking requests to the specified IP address. Figure 4 shows the parameters of the specified domain name, which are taken from the domain's DNS zone, in particular the A record of the domain name. The main part of the attack monitor is the "List of bots" section (Figure 5), where the IP address of the source of the invalid request, the user agent and the response code received from either the target server or the proxy server are recorded.
Next, we consider the components of the protection monitor. Figure 6 shows a graph of incoming and blocked requests, where the blue bar indicates the number of requests coming from legal users of the information system, red the number of blocked requests, and orange the total server load, expressed in requests per second.
There is also a graph (Figure 7) showing the processor load from processed requests, expressed as a percentage. Further, the protection monitor has a filter configuration window (Figure 8), according to which requests are blocked at the proxy server input. In this window, criteria can be added manually, according to which blocking on the proxy server is carried out. Clicking on any point in time on the requests-and-bans graph opens an additional window displaying all requests received at that moment, with the requests whose source IP addresses were blocked highlighted in red (Figure 9).
Now that the main functionality of the software has been covered, let us look at it in action. Consider a situation in which a certain site, "donstu.ru", is attacked by a botnet with an average frequency of 15 requests per second, as shown in Figure 10. When information about incoming requests at a certain point in time is displayed, the requests that were forwarded to the target server for processing are highlighted in white, and blocked requests are marked in red with the tag "blocked" added to the request; on the attacking side such a request is displayed as "No response", as in Figure 11, since when the proxy server blocks the IP address no response is sent to the attacker, in order to minimize the resources spent on processing requests. Further, if additional adjustments to the filtering system are needed, IP addresses and user agents can be added to the black list in the "Filter parameters" section as follows: "IP" "176.141.189.48" or "agent" "IDBot".
It is also necessary to note the following feature of the filtering system: when processor utilization reaches 90%, the rate of requests per second is calculated, after which the average frequency of requests from each specific IP address is calculated, and if it exceeds the rate by 75%, the source IP address is timed out.
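As an added illustration (not code from the paper or from its tool), the following Python model implements the proxy-side filter described in this chapter and in the "Suggested method for filtering requests" section: manual "IP"/"agent" blacklist entries, the no-response block decision, and the adaptive rule that runs at 90% processor utilization and times out a source IP whose request frequency exceeds the rate by 75%. The reading of "the rate" as the overall request rate averaged over source IPs, the 1.75x comparison, the 60-second timeout and the sample traffic are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, field
# Thresholds per the paper; "the rate" read as the overall rate averaged over source IPs (assumption).
CPU_THRESHOLD = 90.0    # adaptive rule runs only at >= 90 % processor utilization
EXCESS_FACTOR = 1.75    # "exceeds the rate by 75 %" read as more than 1.75 x the rate
TIMEOUT_SECONDS = 60.0  # assumed length of the per-IP timeout
@dataclass
class Request:
    ts: float   # arrival time in seconds
    ip: str     # source IP address
    agent: str  # User-Agent header
@dataclass
class FloodFilter:
    blocked_ips: set = field(default_factory=set)
    blocked_agents: set = field(default_factory=set)
    timed_out: dict = field(default_factory=dict)  # ip -> expiry timestamp
    def add_rule(self, kind, value):
        """Manual "Filter parameters" entry: ("IP", "176.141.189.48") or ("agent", "IDBot")."""
        if kind == "IP":
            self.blocked_ips.add(value)
        elif kind == "agent":
            self.blocked_agents.add(value)
        else:
            raise ValueError(f"unknown rule kind: {kind}")
    def decide(self, req):
        """'blocked' = drop with no response (the monitor's "No response"); 'forward' = relay."""
        if req.ts < self.timed_out.get(req.ip, 0.0):
            return "blocked"
        if req.ip in self.blocked_ips or req.agent in self.blocked_agents:
            return "blocked"
        return "forward"

    def adapt(self, window, window_seconds, cpu_percent):
        """Adaptive rule over one observation window; returns the IPs newly timed out."""
        if cpu_percent < CPU_THRESHOLD or not window:
            return []
        per_ip = Counter(r.ip for r in window)
        norm_rps = len(window) / window_seconds / len(per_ip)  # overall rate spread over source IPs
        now = max(r.ts for r in window)
        newly = sorted(ip for ip, n in per_ip.items() if n / window_seconds > EXCESS_FACTOR * norm_rps)
        for ip in newly:
            self.timed_out[ip] = now + TIMEOUT_SECONDS
        return newly

def demo():
    """Constructed traffic: one bot at 15 req/s for 2 s plus three legitimate clients at 1 req/s."""
    window = [Request(i / 15, "203.0.113.7", "IDBot") for i in range(30)]
    for k, ip in enumerate(("198.51.100.1", "198.51.100.2", "198.51.100.3")):
        window += [Request(0.5 + k / 10, ip, "Mozilla/5.0"), Request(1.5 + k / 10, ip, "Mozilla/5.0")]
    f = FloodFilter()
    timed_out = f.adapt(window, window_seconds=2.0, cpu_percent=93.0)
    verdicts = {ip: f.decide(Request(2.1, ip, "Mozilla/5.0")) for ip in ("203.0.113.7", "198.51.100.1")}
    f.add_rule("agent", "IDBot")  # manual blacklist entry, as in the "Filter parameters" window
    verdicts["agent-rule"] = f.decide(Request(2.2, "192.0.2.9", "IDBot"))
    return timed_out, verdicts
```

In the constructed window the bot's 15 req/s is well above 1.75 times the 4.5 req/s average, so only its address is timed out, while the 1 req/s clients keep being forwarded.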

Conclusion
The difficulty of safeguarding data security for all global Internet users is particularly acute in the modern world. It is essential to ensure the security of all information transmitted across messaging services, both general and confidential data, as well as the accessibility of shared and received data resources in the event of Denial of Service attacks. The ability to identify and prevent cyberattacks, particularly Distributed Denial of Service threats, the most prevalent kind of DDoS attack [8][9][10][11], is of interest to many software developers.
In this research, an attempt was made to construct an emulation program with a user-friendly interface that can be run on any platform and incorporates the developed method for identifying and preventing the defined type of attack. During the work, the most common DDoS attacks were also categorized, a filtering approach based on L7 request proxying was proposed, and as a result a software application that practically demonstrates the efficacy of the devised algorithm was implemented. In the report, I have given a thorough description of the testing of the software product and illustrated the key steps in the software tool's operation.