# P4 Paper

## 17 龍帆軒 20210324

### Firewall rule with token bucket as a DDoS protection tool

#### Abstract

The paper argues that most DDoS protection methods, which rely on firewall and IDS/IPS mechanisms to fight attacks, are not sufficient. The author presents a new method for counteracting DDoS: a firewall rule with a token bucket implementation borrowed from the QoS method.

#### Enhanced QoS Method

##### Description

Traditional firewalls only block incoming traffic on specific ports or IP address ranges. This paper presents a new firewall method that limits the incoming traffic at the firewall and allows servers to deal with already established connections.

##### Firewall rule with token bucket

The role of the input firewall is to control the incoming traffic at the network edge. For example, on an HTTP server, TCP port 80 usually has to be open for incoming connections. This port is still open when an attack occurs, which is what leads to server overload. So a special firewall module is developed, whose role is to filter the traffic and limit it according to the policy.

##### Pseudocode

```
{ per packet }
packet_counter := packet_counter + 1;
if packet_counter < packet_limit then
  packet pass
else begin
  if IP address in listIP then
    packet pass
  else
    packet drop;
end;

{ at the end of each time slot }
if time_slot ends then begin
  if packet_counter > packet_limit then
    overdrop_times := overdrop_times + 1;
  packet_counter := 0;
  if overdrop_times > some_limit then begin
    packet_limit := packet_limit / 2;
    overdrop_times := 0;
  end
  else begin
    packet_limit := packet_limit * 2;
    overdrop_times := 0;
  end;
end;
```

### Developing of Algorithm of HTTP FLOOD DDoS Protection

#### Abstract

This method is based on a mathematical model that reproduces the interaction of clients with the server. It takes into account the individual characteristics of the parameters describing the operation of the network and the server, which makes more effective attack detection possible.
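The pseudocode of the first paper (firewall rule with token bucket) expressed as a runnable simulation. This is an added example, not code from either paper: the class and function names (`TokenBucketFirewall`, `handle_packet`, `end_time_slot`, `run_slot`), the `min_limit`/`max_limit` bounds and the sample traffic are my own; `packet_limit`, `some_limit`, `listIP`, `packet_counter` and `overdrop_times` are the pseudocode's variables.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucketFirewall:
    """Per-time-slot packet limiter following the paper's pseudocode.

    Class and method names are my own; packet_limit, some_limit, listIP,
    packet_counter and overdrop_times are the pseudocode's variables.
    """
    packet_limit: int                 # packets accepted per time slot
    some_limit: int                   # overdrop slots tolerated before halving
    list_ip: set = field(default_factory=set)   # listIP: sources always passed
    packet_counter: int = 0
    overdrop_times: int = 0
    min_limit: int = 1                # assumption: floor so the limit never reaches 0
    max_limit: int = 1 << 16          # assumption: ceiling for repeated doubling

    def handle_packet(self, src_ip: str) -> str:
        """Return 'pass' or 'drop' for one packet."""
        self.packet_counter += 1
        if self.packet_counter < self.packet_limit:
            return "pass"
        # Bucket exhausted: only sources in listIP still get through.
        return "pass" if src_ip in self.list_ip else "drop"

    def end_time_slot(self) -> int:
        """Bookkeeping at the end of a time slot; returns the new packet_limit."""
        if self.packet_counter > self.packet_limit:
            self.overdrop_times += 1
        self.packet_counter = 0
        if self.overdrop_times > self.some_limit:
            # Overloaded: tighten the per-slot limit.
            self.packet_limit = max(self.min_limit, self.packet_limit // 2)
        else:
            # Not overloaded: relax the limit again.
            self.packet_limit = min(self.max_limit, self.packet_limit * 2)
        self.overdrop_times = 0   # reset in both branches, as in the pseudocode
        return self.packet_limit


def run_slot(fw: TokenBucketFirewall, sources: list) -> tuple:
    """Feed one slot's packets (a list of source IPs) through fw.

    Returns (passed, dropped, packet_limit_for_next_slot).
    """
    verdicts = [fw.handle_packet(ip) for ip in sources]
    passed = verdicts.count("pass")
    dropped = verdicts.count("drop")
    return passed, dropped, fw.end_time_slot()


if __name__ == "__main__":
    # Constructed traffic: a burst from one source plus one packet from a
    # source that is in listIP (an already established client, for instance).
    fw = TokenBucketFirewall(packet_limit=3, some_limit=0, list_ip={"10.0.0.5"})
    print(run_slot(fw, ["198.51.100.7"] * 3 + ["10.0.0.5"]))   # (3, 1, 1)
    print(run_slot(fw, ["10.0.0.5"]))                           # (1, 0, 2)
```

Two points worth checking against the simulation: as transcribed, `overdrop_times` is reset at every slot boundary, so it can only be 0 or 1 when compared with `some_limit`, and the halving branch is only reachable with `some_limit = 0`; and the doubling branch has no upper bound in the pseudocode, which is why the simulation adds the assumed `max_limit` cap.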
#### Implementation of The Blocking Algorithm

The developed system requires two components: a proxy server and a target server. The proxy server implements the filtering algorithm for incoming requests from clients, and the target server is where the attacked system is located. When a client sends a request, it connects to the proxy server; the proxy then makes the next connection to the target server.

#### Detection and Filtering Algorithm

The first thing the proxy server receives is a request, where the protection condition can be in one of two states: active or off. In the case of active protection, the second part of the algorithm is activated, in which the request can be delivered to the server only if it passes additional verification; that means the incoming request can be blocked. In active protection, the request parameters are enumerated: the IP addresses of both sides, the domain name of the site being attacked, the user agent, and the time the request was received are all determined. After enumerating, it is checked whether the parameters fall into the list of checked ones, which are the source IP address and the user agent of the request. If the parameters do not fall into the list, the next stage is activated; otherwise a check is performed to see whether the request parameters are in the list of blocked ones. The last stage of the algorithm is to check the load on the server. If the load on the server exceeds 73%, the frequency of requests and the frequency of calls are calculated. The calculated values are compared with the norm of the call frequency; if the request frequency exceeds the norm, the incoming request is blocked.

###### tags: `P4`
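The proxy-side detection and filtering algorithm of the second paper as a runnable sketch. This is an added example, not the paper's code: the `Request` and `ProxyFilter` names, the sliding-window way of computing the request frequency, the `norm`/`window_seconds` parameters and the sample burst are my own assumptions; the 73% load threshold and the checked-list, blocked-list and frequency stages follow the summary above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

LOAD_THRESHOLD = 73.0   # server load (%) above which the frequency stage runs


@dataclass(frozen=True)
class Request:
    """The request parameters the proxy enumerates (constructed sample type)."""
    src_ip: str
    domain: str
    user_agent: str
    received_at: float    # seconds, e.g. time.time()


@dataclass
class ProxyFilter:
    """Proxy-side blocking algorithm; names, windowing and norm are my own."""
    protection_active: bool = True
    norm: int = 5                      # assumption: allowed requests per source per window
    window_seconds: float = 1.0        # assumption: sliding window for the request rate
    checked: set = field(default_factory=set)   # (src_ip, user_agent) pairs already examined
    blocked: set = field(default_factory=set)   # subset of checked that is blocked
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def _record_and_count(self, req: Request) -> int:
        """Record req and return the number of requests from its source in the window.

        The history is kept at every load level so the rate is already known
        when the server load crosses the threshold.
        """
        q = self.history[req.src_ip]
        q.append(req.received_at)
        while q and req.received_at - q[0] > self.window_seconds:
            q.popleft()
        return len(q)

    def decide(self, req: Request, server_load: float) -> str:
        """Return 'deliver' or 'block' for one request at the given server load (%)."""
        if not self.protection_active:
            return "deliver"
        key = (req.src_ip, req.user_agent)
        # Stage 1: parameters already checked -> consult the blocked list.
        if key in self.checked:
            return "block" if key in self.blocked else "deliver"
        # Stage 2: frequency check, only while the target server is loaded.
        frequency = self._record_and_count(req)
        if server_load > LOAD_THRESHOLD and frequency > self.norm:
            self.checked.add(key)
            self.blocked.add(key)
            return "block"
        return "deliver"


def filter_burst(pf: ProxyFilter, src_ip: str, user_agent: str,
                 timestamps: list, server_load: float) -> list:
    """Decide a burst of requests from one source; returns the list of verdicts."""
    return [
        pf.decide(Request(src_ip, "www.example.test", user_agent, t), server_load)
        for t in timestamps
    ]


if __name__ == "__main__":
    # Constructed burst: five requests in 0.4 s from one source while the
    # server is at 80% load, with a norm of three requests per second.
    pf = ProxyFilter(norm=3, window_seconds=1.0)
    print(filter_burst(pf, "203.0.113.9", "bot/1.0",
                       [0.0, 0.1, 0.2, 0.3, 0.4], server_load=80.0))
    # ['deliver', 'deliver', 'deliver', 'block', 'block']
```

The same burst at 40% load is delivered in full, because the frequency stage only runs once the load exceeds 73%; a source that is blocked once is added to the checked and blocked lists, so its later requests are refused at stage 1 without recomputing the rate.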