
INTRODUCTION

Availability is defined as the property of data and services being accessible to an authorized party within a reasonable time of request. Every network system must be available to its users; this is a minimum security requirement. DoS attacks destroy or exhaust resources by generating large amounts of bogus traffic towards the victim, and so prevent legitimate access to the victim's resources. This paper defines a taxonomy of DDoS attacks and their respective defence mechanisms. There are mainly three approaches to defeating attacks: 1. detection, 2. prevention, 3. response. Detection mechanisms try to detect attacks after they have happened. Proactive (preventive) measures try to secure systems and protocols against attacks, while response mechanisms try to detect the attack and reduce its aftershock. This paper focuses on a detection mechanism that detects the attack at an early stage. The paper starts with a brief terminology. It then goes through the proactive detection phases and ends with a description of the SNMP-based implementation and the conclusion.

TERMINOLOGY

Denial of service attack (DoS): refers to any technique used to prevent a host or a network of hosts on the Internet from either accessing the Internet or responding to requests from other hosts on the Internet. There are three or four types of machines in each DoS attack: attacker, slaves, target.

Distributed denial of service attack (DDoS): a kind of DoS attack that uses thousands or more slaves across the Internet. After the attacker commands the slaves, they send failure packets to the target. Even if the target is not shut down, the large amount of bogus packets consumes the target's bandwidth, and legitimate packets cannot pass through the artificial traffic towards the target. This is shown in the diagram below.

[Figure: a master commands slaves S1, S2, S3 and S4, which flood the target; an NMS agent at the target records the traffic.]

Network management system (NMS): a system capable of recording the activity of the network. SNMP management is often called Internet management and is widely used. Simple Network Management Protocol (SNMP): a protocol defined by the Internet Engineering Task Force (IETF). The management system consists of managed nodes, management stations and the management protocol. Each managed node runs one or more SNMP agents. An agent keeps information about its node in a database called the Management Information Base (MIB). The MIB defines the information that will be maintained by the associated SNMP agent; it is comprised of managed objects, which are identified by object identifiers (OIDs). MIB variables are used in the control and supervision of traffic in the network; their values change as packets pass.

A QUICK REVIEW OF THE ATTACK MODEL.

[Figure: the attacker's client sends commands to several nodes, which in turn flood the victim.]

The attacker, sitting at home, uses client software to send commands to the nodes. The nodes in turn send floods of packets, or malformed packets to crash the system (or both), towards the victim. Typically, the client software that the attacker uses to direct these attacks is not on his home system but on another system (usually a compromised host several hops away from the attacker's home system, to help prevent authorities from tracking down the attacker). From here a set of commands is currently sent using ICMP packets, with the data possibly encrypted. TFN2K advances this stealth mode of communication by allowing remote one-way communication, decoy packets and fairly sophisticated encryption. The nodes themselves can number in the thousands. With one node, millions of packets can be sent in one minute, using up all the available bandwidth a victim might have. With thousands of geographically dispersed nodes, billions of packets could certainly cripple any victim, including victims with multiple ISPs as well as high-bandwidth routers.

WEAKNESSES IN THE ATTACK MODEL WHICH WE CAN EXPLOIT.

WEAKNESS IN ATTACKER: The attacker's biggest weakness lies in two critical phases: checking his/her work, and communicating with the client. It is entirely possible that the attacker will do a DNS lookup of the target's address, and possibly ping or try to access the site via a web browser, right before or after the attack starts. These accesses may appear in the log files on the target machine. If the client software is running on the attacker's home machine, it is possible that the nodes running the attack software will show telltale signs of connectivity, such as the home machine's IP address being viewable in a netstat listing.

WEAKNESS IN CLIENT: Similar weaknesses exist for the client as for the attacker. If the attacker is running the client software on a remote machine, the attacker may not have legitimate access to that machine but may have left some signs of it.

WEAKNESS IN NODES: The nodes, which could number in the thousands, are obviously housing and running the attack software that launches the DDoS attack. Commercial scanners such as HackerShield and others have, or will shortly have, checks for these.
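The "checking his/her work" weakness above is something the victim's administrator can look for in the target's own logs: sources that resolved, pinged or browsed the site in the minutes around the flood onset. The following is an added example, not code from the paper; the log lines are constructed (RFC 5737 documentation addresses), and the single-line log format and the time window sizes are assumptions.

```python
"""Added example: finding pre-attack 'check my work' accesses in victim logs.

Not part of the original paper. Log lines are constructed; the addresses
are RFC 5737 documentation ranges and the line format is assumed to be
"<date> <time> <source IP> <event ...>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed timestamp layout

# Constructed victim-side log (DNS, ICMP and HTTP access records merged).
VICTIM_LOG = [
    "2004-03-01 09:20:11 203.0.113.9 HTTP GET /index.html",
    "2004-03-01 10:04:55 198.51.100.23 ICMP echo-request",
    "2004-03-01 10:05:02 198.51.100.23 DNS A www.target.example",
    "2004-03-01 10:05:10 198.51.100.23 HTTP GET /",
    "2004-03-01 10:05:20 192.0.2.44 HTTP GET /news",
    "2004-03-01 10:06:40 198.51.100.23 HTTP GET /",
]


def parse_line(line):
    """Split one log line into (timestamp, source address, event text)."""
    date, clock, src, event = line.split(" ", 3)
    return datetime.strptime(f"{date} {clock}", LOG_FORMAT), src, event


def precursor_sources(lines, flood_start, before_s=300, after_s=120):
    """Sources that touched the victim shortly before or after the flood began.

    flood_start is a string in LOG_FORMAT (e.g. the first polling interval at
    which a MIB counter crossed its threshold).  Returns a list of
    (source, [(timestamp, event), ...]) pairs, most reconnaissance-like
    first: more distinct event kinds (ICMP, DNS, HTTP ...), then more hits.
    """
    onset = datetime.strptime(flood_start, LOG_FORMAT)
    lo, hi = onset - timedelta(seconds=before_s), onset + timedelta(seconds=after_s)
    hits = defaultdict(list)
    for line in lines:
        ts, src, event = parse_line(line)
        if lo <= ts <= hi:
            hits[src].append((ts, event))

    def score(item):
        events = item[1]
        kinds = {e.split()[0] for _, e in events}
        return (len(kinds), len(events))

    return sorted(hits.items(), key=score, reverse=True)


def event_kinds(events):
    """Distinct protocol/event kinds seen from one source, sorted."""
    return sorted({e.split()[0] for _, e in events})


if __name__ == "__main__":
    for src, events in precursor_sources(VICTIM_LOG, "2004-03-01 10:05:30"):
        print(src, len(events), "events:", ", ".join(event_kinds(events)))
```

The ranking only surfaces candidates for a human to review; a source that appears here is evidence to correlate with other logs (and with the ISP of that address), not proof of involvement.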

DETECTING ATTACKS

In this phase we define the MIB variables that change when attack packets reach the target. This can be done in two ways:

1. Using domain knowledge about the characteristics of the attack. For example, we know in advance that the mstream attack sends a large number of TCP ACK packets to the target; therefore, when the attack packets reach the target, the tcpInSegs MIB variable changes.
2. Comparing the behaviour of the MIB variables during attack and during normal operation; the time differences between the two processes determine the precursors of the attack.

This involves the following stages (in the original figure S denotes a slave, M the master and V the victim):

STAGE 1: Which MIB is relevant?

STAGE 2: Which MIB changed at the victim?

STAGE 3: What are the thresholds?
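The three stages, and the MIB counters introduced in the terminology section, can be demonstrated offline on a polled counter trace. The following is an added example and is not the paper's implementation: the counter samples are constructed to resemble what an NMS would read from a victim's SNMP agent every 10 seconds (tcpInSegs, icmpInMsgs and ipInReceives are real MIB-II objects; the polling interval, the k = 3 standard-deviation rule and the traces themselves are assumptions). It goes slightly beyond the text in two ways: it handles Counter32 wraparound, which a naive subtraction of consecutive polls gets wrong, and it ranks the variables so stage 1 (which MIB is relevant) falls out of the same data as stages 2 and 3.

```python
"""Added example: anomaly detection over polled SNMP MIB counters.

Not part of the original paper.  The traces below are constructed to look
like successive SNMP polls of a victim's tcpInSegs, icmpInMsgs and
ipInReceives counters; the polling interval and threshold rule are assumed.
"""
from statistics import mean, pstdev

COUNTER32_MOD = 2 ** 32   # SNMP Counter32 objects wrap modulo 2^32
POLL_INTERVAL = 10        # seconds between successive polls (assumed)

# Constructed baseline: absolute counter values during normal operation.
# ipInReceives is placed just below 2^32 so that it wraps inside the trace.
NORMAL_TRACE = {
    "tcpInSegs":    [0, 1000, 2100, 3150, 4200, 5350, 6400, 7500],
    "icmpInMsgs":   [0, 6, 11, 18, 23, 30, 35, 42],
    "ipInReceives": [4294965000, 4294966500, 704, 2304, 3704, 5204, 6754, 8204],
}

# Constructed trace during which an mstream-style TCP ACK flood begins at the
# fourth polling interval: tcpInSegs and ipInReceives jump, ICMP does not.
ATTACK_TRACE = {
    "tcpInSegs":    [0, 1050, 2100, 3200, 53200, 103200, 153200],
    "icmpInMsgs":   [0, 5, 12, 18, 25, 31, 38],
    "ipInReceives": [4294966000, 4294967500, 1704, 3204, 54704, 106204, 157704],
}


def counter_delta(prev, cur):
    """Increment between two Counter32 samples, correct across a wrap."""
    return (cur - prev) % COUNTER32_MOD


def rates(samples, interval):
    """Per-second rate for each polling interval of an absolute counter trace."""
    return [counter_delta(a, b) / interval for a, b in zip(samples, samples[1:])]


def learn_thresholds(normal, interval, k=3.0):
    """Stage 3: threshold per variable = mean + k * stddev of its normal rate."""
    thresholds = {}
    for name, samples in normal.items():
        r = rates(samples, interval)
        thresholds[name] = mean(r) + k * pstdev(r)
    return thresholds


def detect(observed, thresholds, interval):
    """Stage 2: (variable, interval index, rate) for each interval above threshold."""
    alerts = []
    for name, samples in observed.items():
        for idx, rate in enumerate(rates(samples, interval), start=1):
            if rate > thresholds[name]:
                alerts.append((name, idx, rate))
    return alerts


def rank_relevance(observed, thresholds, interval):
    """Stage 1: variables ordered by how far their peak rate exceeds the threshold."""
    score = {name: max(rates(samples, interval)) / thresholds[name]
             for name, samples in observed.items()}
    return sorted(score, key=score.get, reverse=True)


def first_alert_interval(alerts):
    """Earliest polling interval at which any variable crossed its threshold."""
    return min(idx for _, idx, _ in alerts) if alerts else None


if __name__ == "__main__":
    th = learn_thresholds(NORMAL_TRACE, POLL_INTERVAL)
    al = detect(ATTACK_TRACE, th, POLL_INTERVAL)
    print("thresholds (pkt/s):", {k: round(v, 1) for k, v in th.items()})
    print("relevant MIB variables:", rank_relevance(ATTACK_TRACE, th, POLL_INTERVAL))
    print("first anomalous interval:", first_alert_interval(al))
    for name, idx, rate in al:
        print(f"  {name}: interval {idx} at {rate:.1f}/s")
```

On these traces the baseline gives tcpInSegs a threshold of roughly 121 segments/s and ipInReceives roughly 168 packets/s; the flood pushes both to over 5,000/s from interval 4 onward while icmpInMsgs stays within its band, so tcpInSegs ranks first as the relevant variable, matching the domain-knowledge expectation for an ACK flood. Polling more often shortens the detection delay but raises the variance of the learned baseline, so the interval and k are tuned together against the network's normal traffic.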

CONCLUSION: Pattern-based methods that try to detect attacks result in errors. The anomaly method we discussed is by far the best method for proactive detection of DDoS attacks. Depending on which DDoS attack is used, it is possible to send packets towards the offending address and cause the attack to shut down. By using the zombie_zapper program, it might be possible to shut off the attacking DDoS nodes. Further work is needed to train our system in high-capacity networks to improve its capacity. To this day the hacking community is still at large, eyeing this area for exploitation.

REFERENCES:

K. Kendall, A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. MIT Press.

www.packetstorm.com

IIT Kanpur Hackers' Workshop, IITKHACK04.
