The ColShield system
The ColShield system (Figure 1) uses a semi-centralized architecture: a group of local IPDS installed near the local routers and a global IPDS installed near the gateway router. This paper focuses on spoof-based collaborative detection of collaborative flooding DDoS attacks. The ColShield system consists of four main components that jointly mitigate collaborative flooding DDoS attacks; Figure 1 shows the architectural view of the system. The components are as follows. The admission controller allocates initial bandwidth to each node using a bandwidth allocation algorithm and accepts a node once it completes the registration process successfully. To register, a node sends a small amount of confidential information to the network; at the end of the registration process the admission controller allocates a bandwidth $b_n$ and a bandwidth validity time, i.e., a TTL, to the node. The traffic analyzer comprises two components, the timer monitor and the bandwidth monitor. The timer monitor maintains the clock values [21],[25] sent periodically by each node and compares them with the threshold value; nodes whose clock values match the threshold are forwarded to the bandwidth monitor, which analyzes their traffic for abnormalities. Finally, the admission controller, the timer monitor and the bandwidth monitor together report the abnormalities they observe for each node to the collaborative mitigation manager, which decides whether to accept or reject the node and its traffic. Since the entire traffic cannot be monitored by a single global IPDS component, we use multiple IPDS components for efficient detection and filtering of the attack.
The global IPDS maintains a node profile consisting of the following information: the client node's IP address, MAC address, timer value, location proof information [30], allotted bandwidth and TTL value. The global IPDS also maintains a local profile consisting of the IP address of each local IPDS, the total number of client nodes connected to it and its neighboring local IPDS. Each local IPDS maintains a profile consisting of the timer values of each client node, the number of flows within each client node, the corresponding port numbers and the client node to or from which each flow is transmitted or received.
Clever spoof detection
IP spoofing [10] is the main gateway for collaborative DoS attacks [9], which are considered among the most complex attacks: the attackers create raw IP packets with valid IP and TCP headers. An attacker might spoof a single source address or multiple source addresses, and it is more difficult for the listener to detect and filter spoofing attacks with multiple source addresses than those with a single source address. Spoofing attacks can be prevented by using network ingress filters [3],[12],[16] and egress filters at the proper network locations. IP Security (IPsec) also provides an excellent defense against IP spoofing, but it generally cannot be required because its deployment is currently not suitable for wireless mesh networks [32]. Filtering does not solve the problem of collaborative flooding DoS attacks, and blocking spoofing attacks with multiple source addresses is quite challenging. Hence clever spoof detection is necessary to mitigate collaborative DoS attacks. The clever spoof detection process is depicted in Figure 2 and is carried out in two phases: the admission controller initiates the detection process in phase 1 (Algorithm 1) and the timer monitor completes it in phase 2 (Algorithm 2). During phase 1 bandwidth is allocated to each node, and in phase 2 the inter-arrival time samples of each node are monitored. We monitor the inter-arrival time samples at each node in order to detect the presence of IP spoofing in wireless mesh networks, thereby providing a way to mitigate collaborative flooding attacks.
Admission controller
We model the backbone of the wireless mesh network (WMN) $R$ as a directed graph $G = (V, E)$, where $V$ is the set of nodes in the network and $E$ the set of directed links. $V = N \cup M$, where $N = \{n_1, n_2, \ldots, n_r\}$ is the set of registered client nodes in the network, so that every client node satisfies $n \in N$, and $M$ is the set of monitor nodes, $M = \{G_m\} \cup L_m$, where $G_m$ is the global IPDS and $L_m$ the set of local monitors. The network thus consists of a group of intrusion protection and detection systems (IPDS): a single global IPDS $G_m$ and a cluster of local IPDS $L_m$.

Before it joins the network, each client node $n$ has to send a join request message $R_j(n)$ to the global IPDS $G_m$. $G_m$ sends a request $REQ_c(n)$ asking client node $n$ to prove its identity, and the client replies with its confidential message $RES_c(n)$ to $G_m$. The confidential reply consists of four pieces of information: the IP address of the client node, $IP_n$; the MAC address of the client node, $MAC_n$; the timer value of the client node, $z_n(t_i)$; and $LP_n$, the location proof information [33] of the client node, which refers to the actual distance of client node $n$ from the global IPDS $G_m$. The timer value is

$$z_n(t_i) = z_n(t_c) + K_{sec},$$

where $z_n(t_c)$ is the client node's current time and $K_{sec}$ is the client node's secret key. $K_{sec}$ is 16 bits long. Its initial value is obtained by combining the least significant 8 bits of the IP address, the least significant 8 bits of the MAC address and a 16-bit random number into 32 bits, which are hashed into a 16-bit value that forms $K_{sec}$. Each subsequent value of $K_{sec}$ is obtained by incrementing the previous value by 1 every $t_i$ time interval. The $LP_n$ value is obtained by adding the client node's current distance from the global IPDS, $D_n$, to the client node's current time $z_n(t_c)$:

$$LP_n = D_n + z_n(t_c).$$

Thus, for a client node to prove its identity, its $IP_n$, $MAC_n$ and $LP_n$ values must be consistent with its $z_n(t_i)$. After checking the validity of the confidential information, $G_m$ replies with a successful join and grants the client node $n$ a bandwidth $b_n$ together with a TTL, the bandwidth validity period for client node $n$. On receiving its bandwidth the client node becomes part of the network. This phase performs the initial stage of spoof detection.
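The join handshake above, worked through as an added example (this is not the paper's code). The client builds $RES_c(n)$ from its clock and distance, and $G_m$ checks that $z_n(t_i) - K_{sec}$ and $LP_n - D_n$ decode to the same $z_n(t_c)$ before granting $b_n$ and a TTL. Three things the paper leaves open are assumptions of this example: the hash used to reduce the 32 bits of key material to 16 (SHA-256 truncated here), the fact that $G_m$ already holds the 16-bit random number, $D_n$ and the current interval index for the node, and the allocation rule $b_n = B_r / r$ for a network sized for $r$ client nodes.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_MASK = 0xFFFF  # K_sec is a 16-bit value


def ip_lsb8(ip: str) -> int:
    """Least significant 8 bits of a dotted-quad IPv4 address (its last octet)."""
    return int(ip.split(".")[-1]) & 0xFF


def mac_lsb8(mac: str) -> int:
    """Least significant 8 bits of a colon-separated MAC address (its last byte)."""
    return int(mac.split(":")[-1], 16) & 0xFF


def initial_secret(ip: str, mac: str, rand16: int) -> int:
    """Initial K_sec: 8 IP bits, 8 MAC bits and a 16-bit random number (32 bits
    in total) hashed down to 16 bits. The paper names no hash function;
    SHA-256 truncated to its first 16 bits is an assumption of this example."""
    material = (ip_lsb8(ip) << 24) | (mac_lsb8(mac) << 16) | (rand16 & KEY_MASK)
    digest = hashlib.sha256(material.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def secret_at(k0: int, interval: int) -> int:
    """K_sec after `interval` steps of t_i: incremented by 1 per step, 16-bit wrap."""
    return (k0 + interval) & KEY_MASK


@dataclass
class ConfidentialReply:
    """RES_c(n): the four fields the client sends back to G_m."""
    ip: str
    mac: str
    z_ti: int  # z_n(t_i) = z_n(t_c) + K_sec
    lp: int    # LP_n = D_n + z_n(t_c)


def client_reply(ip: str, mac: str, rand16: int, interval: int,
                 t_c: int, d_n: int) -> ConfidentialReply:
    """Client side: build RES_c(n) from its current clock t_c and distance D_n."""
    k = secret_at(initial_secret(ip, mac, rand16), interval)
    return ConfidentialReply(ip, mac, t_c + k, d_n + t_c)


@dataclass
class GlobalIPDS:
    """G_m: checks RES_c(n) against its registration state, then grants b_n and TTL."""
    b_r: int       # bandwidth reserved for client nodes, B_r = B - B_mb
    capacity: int  # number of client nodes r the allocation is sized for (assumed)
    ttl: int       # bandwidth validity period handed to every admitted node
    # (rand16, D_n, interval) per (IP, MAC); how G_m learns these is assumed here
    registered: Dict[Tuple[str, str], Tuple[int, int, int]] = field(default_factory=dict)
    profiles: Dict[str, dict] = field(default_factory=dict)  # node profile table

    def admit(self, reply: ConfidentialReply) -> Optional[Tuple[int, int]]:
        """Return (b_n, TTL) on a successful join, or None when the proof fails."""
        state = self.registered.get((reply.ip, reply.mac))
        if state is None:
            return None  # unknown IP/MAC pair: no key material to check against
        rand16, d_n, interval = state
        k = secret_at(initial_secret(reply.ip, reply.mac, rand16), interval)
        # z_n(t_i) - K_sec and LP_n - D_n must both decode to the same z_n(t_c).
        # A node that copies IP_n and MAC_n but lacks K_sec, or sits at another
        # distance from G_m, cannot make the two fields agree.
        if reply.z_ti - k != reply.lp - d_n:
            return None
        b_n = self.b_r // self.capacity  # equal share, so that b_n <= B_r / N holds
        self.profiles[reply.ip] = {"mac": reply.mac, "timer": reply.z_ti,
                                   "lp": reply.lp, "b_n": b_n, "ttl": self.ttl}
        return b_n, self.ttl
```

A caveat worth keeping in mind when reading the scheme: a 16-bit $K_{sec}$ has only 65,536 possible values, so any check that depends on the key alone can be searched exhaustively; in this example the binding to $D_n$ through $LP_n$ is what the verifier actually relies on.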
Traffic analyzer
Each ColShield IPDS analyzes the traffic within its detection window. The traffic analyzer consists of two components: the timer monitor completes the spoof detection process and the bandwidth monitor [35] initiates the flood detection process (Algorithm 3). The timer monitor checks the periodic timer values of each mesh client node. After joining the network, each mesh client node is under the control of a local IPDS, and to prove its identity to that local IPDS, $L_m$, the registered mesh client node periodically sends it timer values. The timer values are the inter-arrival time samples of each mesh client node, sent periodically. The local monitor checks the validity of the client node by comparing each subsequent inter-arrival timer value with the threshold; if the inter-arrival timer values do not match the threshold, the local IPDS concludes that the client node is abnormal, which is how a spoofed node is detected. The timer monitor is described by a timer function,
(1)
where $E(z_n(t))$ is the determined threshold value for node $n$ and $z_n(t_i)$ is the actual real-time timer value of node $n$ to be compared with it. If $z_n(t_i) = E(z_n(t))$ then $q_n = 0$ and the timer value of node $n$ is benign. If $z_n(t_i) \neq E(z_n(t))$ then the timer value of node $n$ is suspected to be malicious and has to undergo a condition check to confirm the attack. $z_n(t_i)$ may deviate from the threshold by at most an upper limit $\alpha$ and a lower limit $\beta$, where $\alpha$ and $\beta$ are pre-specified constant parameters and $\alpha = \beta = 1$. If $z_n(t_i)$ is greater than $E(z_n(t))$, the timer value of node $n$ is considered malicious if it exceeds the threshold by more than $\alpha$, i.e., if $z_n(t_i) > E(z_n(t)) + \alpha$. Likewise, if $z_n(t_i)$ is less than $E(z_n(t))$, it is considered malicious if it falls below the threshold by more than $\beta$, i.e., if $z_n(t_i) < E(z_n(t)) - \beta$. The timer value is therefore benign only while $E(z_n(t)) - \beta \le z_n(t_i) \le E(z_n(t)) + \alpha$. The local IPDS $L_m$ monitors the periodic time samples of all nodes at a given time slot $t_i$. For a node $n$ the actual real-time timer value is given as,
(2)
The $z_n(t_i)$ value can be further expressed as,
(3)
where, and .
The bandwidth monitor monitors the bandwidth consumption of each client node; during this phase the local IPDS detects flooding attacks. The bandwidth monitor categorizes the traffic flow as normal or abnormal: traffic is normal if its bandwidth consumption adheres to the limit, and abnormal if it consumes more bandwidth than the limit. Bandwidth consumption here includes the bandwidth consumed by a single node, the per-node per-flow bandwidth and the per-node multiple-flow bandwidth. We consider the bandwidth allocation for the global and local IPDS to be stable and predefined. Our aim is to allocate bandwidth to each client node $n \in N$ and to monitor whether each client node stays within its allotted bandwidth. Let $I_u$ be the bandwidth update interval, the time between the last bandwidth allocation and the current bandwidth reallocation for each client node. Each client node is permitted to utilize only its allotted bandwidth. A node that does not use $b_n$ may have deviated to $b'_n$, and the deviation between $b_n$ and $b'_n$ must not exceed $\varpi$. The local IPDS checks whether the fraction of bandwidth allotted to each client node is normal, using the condition

$$b_n \le B_r / N,$$

where $B_r$ is the total bandwidth allotted to the mesh client nodes in the network. The local IPDS also checks whether the fraction of bandwidth utilized per flow during a single time interval by each client node is within the allotted bandwidth. The per-node per-flow bandwidth is bounded by

$$b_{nf} \le b_n / C_n,$$

where $C_n$ is the number of flows established between a mesh client node and another node. The local IPDS further checks the fraction of bandwidth consumed by all flows of a node during subsequent time intervals. The per-node multiple-flow bandwidth is given by,
(4)
where $f$ represents the number of flows established between a mesh client node and another node and $t$ represents the time interval of the allotted bandwidth. If any abnormality is found, the local IPDS identifies the attacker node and its port number.
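The two checks of the traffic analyzer, the timer monitor with $\alpha = \beta = 1$ and the bandwidth monitor with its three bounds, as an added example that is not the paper's code. Nodes whose timer samples fail the threshold test are reported as spoofed; only nodes that pass are handed to the bandwidth monitor, which returns the node and port of every violated bound. Because equation (4) and the exact form of the deviation bound are not reproduced on the page, the example assumes the multiple-flow bound is the sum of all flow bandwidths against $b_n$ and the deviation is the relative difference $|b_n - b'_n| / b_n$ against $\varpi = 0.1$; both assumptions are marked in the comments, and the sample profiles are constructed, not measured.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHA = 1     # upper tolerance on z_n(t_i) relative to E(z_n(t)), from the paper
BETA = 1      # lower tolerance, from the paper
VARPI = 0.1   # maximum allowed bandwidth deviation, from the paper


def timer_check(z_ti: float, expected: float, alpha: float = ALPHA,
                beta: float = BETA) -> int:
    """q_n for one sample: 0 (benign) if E - beta <= z_n(t_i) <= E + alpha,
    1 (malicious) otherwise. The boundary is taken as inclusive here."""
    return 0 if expected - beta <= z_ti <= expected + alpha else 1


@dataclass
class Flow:
    port: int
    bw: float  # bandwidth this flow consumed in the current interval


@dataclass
class ClientProfile:
    b_n: float                   # bandwidth allotted at admission
    timer_samples: List[float]   # periodic z_n(t_i) values reported to L_m
    expected_timer: float        # E(z_n(t)) for this node
    flows: List[Flow] = field(default_factory=list)


Finding = Tuple[str, Optional[int], str]  # (node, port or None, reason)


def bandwidth_check(node: str, prof: ClientProfile, b_r: float,
                    n_nodes: int) -> List[Finding]:
    """Bandwidth monitor: one finding per violated bound, empty if normal."""
    findings: List[Finding] = []
    if prof.b_n > b_r / n_nodes:                       # b_n <= B_r / N
        findings.append((node, None, "b_n exceeds B_r/N"))
    c_n = len(prof.flows)
    if c_n == 0:
        return findings
    per_flow_limit = prof.b_n / c_n                    # b_nf <= b_n / C_n
    for fl in prof.flows:
        if fl.bw > per_flow_limit:
            findings.append((node, fl.port, "per-flow limit exceeded"))
    used = sum(fl.bw for fl in prof.flows)
    # Equation (4) is not reproduced on the page; this example assumes the
    # per-node multiple-flow bound is: sum over all flows <= b_n.
    if used > prof.b_n:
        findings.append((node, None, "multi-flow total exceeds b_n"))
    # Deviation of the observed b'_n from b_n, assumed relative: |b_n - b'_n| / b_n.
    if abs(prof.b_n - used) / prof.b_n > VARPI:
        findings.append((node, None, "deviation exceeds varpi"))
    return findings


def analyze(profiles: Dict[str, ClientProfile], b_r: float) -> Dict[str, List[Finding]]:
    """One pass of a local IPDS: spoof check first; only nodes whose timer
    samples all pass are handed to the bandwidth monitor (flood check)."""
    results: Dict[str, List[Finding]] = {}
    n_nodes = len(profiles)
    for node, prof in profiles.items():
        bad = [z for z in prof.timer_samples
               if timer_check(z, prof.expected_timer) == 1]
        if bad:
            results[node] = [(node, None, f"spoofed: timer samples {bad} off threshold")]
            continue
        results[node] = bandwidth_check(node, prof, b_r, n_nodes)
    return results


# Constructed sample input (not measurements from the paper): three client
# nodes sharing B_r = 300 with b_n = 100 each and E(z_n(t)) = 10.
SAMPLE = {
    "n1": ClientProfile(100, [10, 11, 9], 10, [Flow(80, 45), Flow(443, 50)]),
    "n2": ClientProfile(100, [10, 12, 10], 10, [Flow(80, 40)]),
    "n3": ClientProfile(100, [10, 10, 10], 10, [Flow(80, 40), Flow(443, 80)]),
}

if __name__ == "__main__":
    for node, findings in analyze(SAMPLE, 300).items():
        print(node, "normal" if not findings else findings)
```

In the sample, n1 is clean, n2 is flagged by the timer monitor (a sample of 12 lies above $E + \alpha = 11$) and never reaches the bandwidth monitor, and n3 passes the timer check but trips the per-flow bound on port 443, the multiple-flow total and the deviation bound, so the local IPDS reports the node together with the offending port.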

Collaborative mitigation
We focus on spoof-based collaborative mitigation of collaborative flooding DDoS attacks (Algorithm 4) [36]. All the local IPDS and the global IPDS collaboratively mitigate the flooding attacks (Algorithm 5). The local IPDS $L_m$ executes the bandwidth monitoring algorithm to detect the attacker client node. Once it detects the attacker client node, it first blocks the port number under attack and then blocks future traffic to and from that port number. It then informs the neighboring local IPDS $NL_m$ about the attacker client node by sending an ALERT message, which contains the IP address of the attacker client node; the ALERT message format is depicted in Figure 3. The local IPDS and its neighbors then inform the global IPDS about the attacker. When the global IPDS receives the ALERT message, it blocks future traffic to and from the attacker client node and revokes the bandwidth allotted to it. The attacker client node is thereby released from the network and can no longer communicate with the nodes in the network; thus the flooding attack is collaboratively mitigated in this phase. If the released node wishes to join the network again, it has to re-register and obtain new bandwidth. The attacker cannot bypass the bandwidth monitor test in any case, so it fails again, which leads to repeated re-registration. The effectiveness of ColShield lies in the traffic analyzer, which analyzes abnormal traffic from the client nodes. Our paper focuses on detecting spoof-based collaborative flooding attacks (i.e., collaborative flooding attacks that occur through IP spoofing). ColShield can detect 85% of spoofed nodes, and once spoofing attacks are detected, collaborative flooding attacks are easily detected and mitigated because collaborative flooding attacks have little effect on spoof-free nodes.
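The mitigation exchange above, as an added example that is not the paper's code: the detecting local IPDS blocks the port, floods an ALERT to its neighboring local IPDS (each of which blocks the same port and forwards the alert once), every local IPDS that sees the alert informs the global IPDS, and the global IPDS blocks all traffic of the node and revokes its bandwidth until it re-registers. The paper fixes only that the ALERT carries the attacker's IP address; the port and origin fields of the message, the chain topology and the de-duplication of alerts by a seen-set are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    """ALERT message. The paper says it carries the attacker's IP address
    (format in its Figure 3); the port and origin fields are assumptions."""
    attacker_ip: str
    port: int
    origin: str  # name of the local IPDS that raised the alert


@dataclass
class GlobalIPDS:
    """G_m: on ALERT, block the node's traffic and revoke its bandwidth and TTL."""
    profiles: Dict[str, dict] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)

    def handle_alert(self, alert: Alert) -> None:
        self.blocked.add(alert.attacker_ip)
        self.profiles.pop(alert.attacker_ip, None)  # revoke b_n and TTL

    def re_register(self, ip: str, b_n: int, ttl: int) -> None:
        """A released node must go through registration again to rejoin."""
        self.blocked.discard(ip)
        self.profiles[ip] = {"b_n": b_n, "ttl": ttl}


@dataclass
class LocalIPDS:
    name: str
    gm: GlobalIPDS
    neighbours: List["LocalIPDS"] = field(default_factory=list)
    blocked_ports: Set[Tuple[str, int]] = field(default_factory=set)
    seen: Set[Alert] = field(default_factory=set)  # stops alert loops (assumed)

    def on_attacker_detected(self, ip: str, port: int) -> None:
        """Bandwidth-monitor outcome: block the port, alert NL_m, reach G_m."""
        self.receive_alert(Alert(ip, port, self.name))

    def receive_alert(self, alert: Alert) -> None:
        if alert in self.seen:
            return                     # already handled via another neighbour
        self.seen.add(alert)
        self.blocked_ports.add((alert.attacker_ip, alert.port))
        for nb in self.neighbours:     # neighbouring local IPDS NL_m
            nb.receive_alert(alert)
        self.gm.handle_alert(alert)    # each local IPDS informs the global IPDS

    def permits(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """Filter applied to traffic to and from the attacker node and port."""
        if src_ip in self.gm.blocked or dst_ip in self.gm.blocked:
            return False
        return ((src_ip, port) not in self.blocked_ports
                and (dst_ip, port) not in self.blocked_ports)


def build_topology() -> Tuple[GlobalIPDS, LocalIPDS, LocalIPDS, LocalIPDS]:
    """Constructed topology: one G_m and three local IPDS in a chain L1 - L2 - L3."""
    gm = GlobalIPDS(profiles={"10.0.0.7": {"b_n": 100, "ttl": 300},
                              "10.0.0.9": {"b_n": 100, "ttl": 300}})
    l1, l2, l3 = LocalIPDS("L1", gm), LocalIPDS("L2", gm), LocalIPDS("L3", gm)
    l1.neighbours = [l2]
    l2.neighbours = [l1, l3]
    l3.neighbours = [l2]
    return gm, l1, l2, l3


if __name__ == "__main__":
    gm, l1, l2, l3 = build_topology()
    l1.on_attacker_detected("10.0.0.7", 443)
    print("L3 blocks", sorted(l3.blocked_ports), "| G_m blocked", sorted(gm.blocked))
```

Note the two levels of blocking: the port block lives in each local IPDS and survives re-registration in this example, while the node-level block at $G_m$ is lifted once the node re-registers, matching the text's remark that a re-registered attacker simply fails the bandwidth test again.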
ColShield metrics
ColShield maintains the following metrics:
1) Traffic flow metric: This metric gives the total number of communications that take place in the network once the ColShield system is installed. The total traffic flow at the global IPDS is given by,
(5)
where $f_{out}(L_m)$ is the sum of all outgoing traffic flow from all the local IPDS. All mesh client nodes have to pass through the local IPDS to send and receive messages; therefore the total traffic flow at a local IPDS is obtained by adding the total incoming and outgoing traffic flow at each mesh client node. The total traffic flow at the local IPDS is given by,
(6)
where $f_{in}(n)$ is the client node's incoming traffic and $f_{out}(n)$ is the client node's outgoing traffic. The total traffic flow at the mesh client nodes is given by,
(7)
where $f_c(n)$ and $f_d(n)$ are the control flow traffic and the data flow traffic at mesh client node $n$.
The control flow traffic at the mesh client node n is given by,
(8)
where $f_{cin}(n)$ is the client node's incoming control flow traffic and $f_{cout}(n)$ is the client node's outgoing control flow traffic. The data flow traffic at the mesh client node $n$ is given by,
(9)
where $f_{din}(n)$ is the incoming data flow traffic at the client node and $f_{dout}(n)$ is the outgoing data flow traffic at the client node. The total number of control messages exchanged between the mesh clients, the local IPDS and the global IPDS is required to calculate the communication overhead.
2) Throughput metric: The proposed system guarantees a minimum throughput of $\lambda$, and all client nodes should adhere to this throughput, i.e.,
The throughput is affected by the fraction of bandwidth allocated to each client node. The client nodes for which bandwidth is allocated through the bandwidth allocation protocol are the ones considered for achieving the wireless mesh network throughput.
3) Bandwidth allocation metric: $b_n$ is the fraction of bandwidth allotted to each client node $n \in N$, and $B_r = B - B_{mb}$, where $B$ is the total bandwidth allotted to the network, $B_{mb}$ is the bandwidth allotted to the local and global IPDS and $B_r$ is the bandwidth allotted to the mesh client nodes that join the network. The bandwidth constraint is given by,
4) Bandwidth deviation metric: The bandwidth deviation metric is given by,
Each client node is allotted a bandwidth $b_n$ within the network and is permitted to utilize only that allotted bandwidth. A node that does not use $b_n$ may have deviated to $b'_n$; the deviation between $b_n$ and $b'_n$ must not exceed $\varpi$, whose value is 0.1. If the deviation exceeds $\varpi$, the client node is rejected.