Design and Development of Anti-DoS/DDoS Attacks Framework Using IPtables

Abstract

Denial-of-Service (DoS) is a network security problem that poses a serious challenge to trustworthiness of services deployed on the servers. The aim of DoS attacks is to make services unavailable to legitimate users by flooding the victim with legitimate-like requests and current network architectures allow easy-to-launch, hard-to-stop DoS attacks. Threat of DoS attacks has become even more severe with DDoS (Distributed Denial-of-Service) attack .It is an attempt by malicious users to carry out DoS attack indirectly with the help of many compromised computers on the Internet. Attackers can compromise a huge number of computers by spreading a computer worm using vulnerabilities in popular operating systems. This exhausts the victim network of resources such as bandwidth, computing power, etc., the victim is unable to provide services to its legitimate clients and network performance is greatly deteriorated, moreover, with little or no advance warning, a DDoS attack can easily exhaust these resources within a short period of time. Service providers are under mounting pressure to prevent, monitor and mitigate DoS/DDoS attacks directed toward their customers and their infrastructure. Defending against those types of attacks is not a trivial job, mainly due to the use of IP spoofing and the destination-based routing of the Internet, though there are many proposed methods which aim to alleviate the problem like Firewalls, Traffic Volume Normalization, Intrusion Detection Systems, Ingress filtering, IP Traceback , SYN Proxy etc. This work discusses about the efficient packet filtering technique using firewall to defend against DoS/DDoS attacks. Firewall scripts are written using command-line tool IP Tables in Linux to deny the suspicious traffic. Packet sniffer tool is used to showcase the effectiveness of the scripts in mitigating the various kinds of DoS/DDoS attacks.