Special Issue of International Journal of Computer Applications (0975 – 8887) on Communication Security, No.6 Mar.2012, www.ijcaonline.org

An Approach to Increase Bandwidth Utilization under Suspected Flood Attack

Raman Singh, University Institute of Engineering and Technology, Panjab University, Chandigarh
Harish Kumar, University Institute of Engineering and Technology, Panjab University, Chandigarh
R.K. Singla, DCSA, Panjab University, Chandigarh

ABSTRACT
Bandwidth is a crucial and limited resource, so it should be utilized properly. Network congestion occurs when a link or node carries a large amount of data, as in a flood attack, and quality of service deteriorates. Effects of a flood attack include queuing delay, packet loss and the blocking of new connections. As a consequence, incremental increases in offered load lead either to only a small increase in network throughput or to an actual reduction in network throughput. Modern networks use congestion control and avoidance techniques to avoid such congestion collapses. One widely used queuing algorithm is Drop Tail, which most routers use to avoid congestion and to encourage a smooth flow of packets. In this paper we propose a technique to better utilize bandwidth under flood attack. Simulations of the proposed technique have been carried out to compare it with DropTail, using ns-2 as the simulation tool. In these simulation experiments different types of traffic, such as TCP and UDP, are considered, and routers are attacked with different attack intensities to determine the effect of the proposed method under various circumstances.

General Terms
Bandwidth Management

Keywords
Network Congestion, Bandwidth Management, Drop Tail Queue, Queuing Algorithms.

1. INTRODUCTION
Bandwidth management is the process of measuring and controlling communication parameters such as traffic and number of packets on a network link, to avoid network congestion and poor performance [1].
Drop-Tail is a simple queue management algorithm used by Internet routers to decide which packets to drop when the queue is under pressure. In contrast to algorithms like Random Early Detection (RED) and Weighted Random Early Detection (WRED), Drop-Tail does not differentiate traffic: each packet is treated identically. When the queue is filled to its maximum capacity, newly arriving packets are dropped until the queue has enough room to accept incoming traffic. Once a queue has been filled, the router discards all additional datagrams, thus dropping the tail of the sequence of datagrams.

This paper is organized into six sections. Section 2 discusses the suspected flood attack and bandwidth management. Section 3 explains the proposed bandwidth management method under suspected flood attack. Section 4 describes the simulation setup and parameters used. Section 5 presents and explains the results. Finally, section 6 gives the conclusion and future work.

2. SUSPECTED FLOOD ATTACK AND BANDWIDTH MANAGEMENT
A flood attack is a denial of service (DoS) attack in which a large amount of traffic from distributed agents/bots is directed at the victim server in order to bring down the network services of that server. The flooded traffic can be of any type, such as TCP/IP, UDP, ICMP or ECHO traffic. The DoS attack floods the target system with bogus requests, and the target system becomes unable to provide normal services [2]. A suspected flood attack is one in which there is no certainty whether the surge is intentional or unintentional. An example of an unintentional flood is the sudden popularity of a website, for instance when a result is declared and millions of candidates log in to see the details. Another is a very interesting news item that everyone wants to read.
Sometimes an event or tragedy occurs somewhere in the world and Internet users all over the world start searching for it. These types of traffic surges are unintentional. Due to the growth in Internet traffic and the variety of applications, it is difficult to characterize the traffic patterns on an IP network in advance. Network traffic can be classified using parameters like port, payload classification and classification based on statistical traffic properties [3]. The anomalies produced by worms or DoS attacks can be detected or classified by traffic classification [4]. A technique based on self-similarity to detect low-rate ICMP-based Distributed Denial of Service (DDoS) attacks is suggested in [5]. In [6] a model is proposed which collects data for detecting malicious packets and then examines protocol features to detect and validate attacks. This model is designed specifically for the detection of attacks on the ICMP protocol: a database of encapsulated packet headers is maintained and rules are applied to it to detect possible attacks. In order to protect a company's servers, routers or network links from bandwidth exhaustion, an approach based on a Hidden Markov Model (HMM) is proposed to maintain the dynamics of an Access Matrix (AM). This approach has a higher attack detection rate with a lower false positive rate [7]. An approach combining pattern-based and anomaly-based detection has also been suggested. It has a good detection rate and a low false alarm rate, and it also simplifies feature selection, which plays a major role in anomaly detection. A pattern language for modeling state machines is also proposed to deal with higher-layer and lower-layer protocol issues in anomaly detection [8]. Researchers have suggested many techniques to distinguish malicious behavior from genuine behavior. A review of soft computing for detecting or classifying malicious activities is provided in [9].
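As an added illustration of the Drop-Tail behaviour described in section 1 (example code written for this page, not the authors' ns-2 simulation), the following discrete-time model feeds a legitimate flow and a flood flow into one FIFO queue and reports per-flow delivery and drops; the flow names, packet rates, queue capacity and link service rate are constructed values.

```python
from collections import deque


def interleave(rates):
    """Build one tick's arrival order.

    Packet k of a flow that sends n packets per tick is placed at offset
    (k + 0.5) / n, so each flow is spread evenly across the tick rather
    than arriving as a single burst ahead of the other flows.
    """
    slots = [((k + 0.5) / n, name) for name, n in rates.items() for k in range(n)]
    return [name for _, name in sorted(slots)]


def simulate_droptail(rates, capacity, service_rate, ticks):
    """Drop-Tail FIFO: a packet is enqueued if there is room, otherwise it is
    dropped regardless of which flow it belongs to. Each tick the link
    forwards up to service_rate packets from the head of the queue.
    Returns per-flow counts of sent, delivered, dropped and still-queued packets.
    """
    queue = deque()
    stats = {name: {"sent": 0, "delivered": 0, "dropped": 0} for name in rates}
    arrivals = interleave(rates)
    for _ in range(ticks):
        for name in arrivals:
            stats[name]["sent"] += 1
            if len(queue) < capacity:
                queue.append(name)
            else:
                stats[name]["dropped"] += 1  # queue full: the newest packet is the one lost
        for _ in range(min(service_rate, len(queue))):
            stats[queue.popleft()]["delivered"] += 1
    for name in stats:
        stats[name]["queued"] = sum(1 for p in queue if p == name)
    return stats


def loss_fraction(stats, name):
    """Share of a flow's sent packets that the router dropped."""
    sent = stats[name]["sent"]
    return stats[name]["dropped"] / sent if sent else 0.0


if __name__ == "__main__":
    # Constructed scenario: a 10-packet queue on a link forwarding 5 packets per
    # tick, a legitimate flow at 2 packets/tick and a flood at 0 or 8 packets/tick.
    for flood in (0, 8):
        s = simulate_droptail({"legit": 2, "flood": flood}, capacity=10, service_rate=5, ticks=100)
        print(f"flood={flood}: legit loss {loss_fraction(s, 'legit'):.2f}, "
              f"flood loss {loss_fraction(s, 'flood'):.2f}, stats={s}")
```

With the flood present, the legitimate flow loses the same fraction of its packets as the flood does, because the queue admits or drops purely by arrival position; without the flood it loses nothing.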