31-10-2010, 08:35 PM
DDOS ATTACKS AND DEFENSE MECHANISMS: A CLASSIFICATION
SEMINAR REPORT
Submitted by
AKHIL G V
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
COLLEGE OF ENGINEERING TRIVANDRUM
2010
[attachment=7071]
Abstract:
Denial of Service (DOS) attacks are an immense threat to internet sites
and among the hardest security problems in today’s Internet. Of particular
concern because of their potential impact - are the Distributed Denial of Service
(DDoS) attacks.With little or no advance warning a DDoS attack can easily
exhaust the computing and communication resources of its victim within a short
period of time. This paper presents the problem of DDoS attacks and develops a
classification of DDoS defense systems. Important features of each attack and
defense system category are described and advantages and disadvantages of each
proposed scheme are outlined. The goal of the paper is to place some order into
the existing attack and defense mechanisms, so that a better understanding of
DDoS attacks can be achieved and more efficient defense mechanisms and
techniques can be devised.
Introduction:
Denial of Service (DOS) attacks constitutes a severe problem in the Internet. The
impact of DOS attacks has been well demonstrated in the computer network
literature. The main aim in the DOS is the disruption of services by attempting to
limit access to a machine or service instead of subverting the service itself. This
kind of attacks aims at rendering a network incapable of providing normal
service by targeting either the network’s bandwidth or its connectivity. These
attacks achieve their goal by sending at a victim a stream of packets that swamps
his network or his processing capabilities. The term is generally used with regards
to computer networks, but is not limited to this field, for example, it is also used in
reference to CPU resource management. There are two general forms of DoS
attacks: those that crash services and those that flood services. One common
method of attack involves saturating the target machine with external
communications requests, such that it cannot respond to legitimate traffic, or
responds so slowly as to be rendered effectively unavailable. In general terms, DoS
attacks are implemented by either forcing the targeted computer(s) to reset, or
consuming its resources so that it can no longer provide its intended service or
obstructing the communication media between the intended users and the victim so
that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the
IAB’s internet proper user’s policy and also violate the acceptable use policies of
virtually all Internet service providers. They also commonly constitute violations
of the laws of individual nations. Distributed Denial of Service (DDoS) is a
relatively simple, yet powerful, technique to attack Internet resources. DDoS
attacks add the many-to-one dimension to the DOS problem making the prevention
more difficult and the impact proportionally severe. There are no apparent
characteristics of DDoS streams that could be directly and wholesomely used for
their detection.
DOS ATTACKS:
A DOS attack can be described as an attack designed to render a computer or
network incapable of providing normal services. A DOS attack is considered to
take place only when access to a computer or network resource is intentionally
blocked or degraded as a result of malicious action taken by another user. These
attacks don’t necessarily damage data directly, or permanently, but they
compromise the availability of the resources. DOS attacks can be classified as
follows:
Network Device Level: DOS attacks in the Network Device Level include
attacks that might be caused either by taking advantage of bugs in software or by
trying to exhaust the hardware resources of network devices.
OS Level: In the OS Level DOS attacks take advantage of the ways operating
systems implement protocols. Application-based attacks: A great number of
attacks try to settle a machine or a service out of order either by taking
advantage of specific bugs in network applications that are running on the target
host or by using such applications to dram the resources of their victim.
Data Flooding: An attacker may attempt to use the bandwidth available to a
network, host or device at its greatest extent, by sending massive quantities of
data and so causing it to process extremely large amounts of data.
Attacks based on protocol features: DOS may take advantage of certain standard
protocol features, for example several attacks exploit the fact that IP source
addresses can be spoofed.
SYMPTOMS AND MANIFESTATIONS:
The United States Computer Emergency Response Team defines symptoms of
denial-of-service attacks to include:
• Unusually slow Network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received—(this type of DoS attack is considered an email - bomb).
Denial-of-service attacks can also lead to problems in the network 'branches'
around the actual computer being attacked. For example, the bandwidth of a router
between the Internet and a LAN may be consumed by an attack, compromising not
only the intended computer, but also the entire network.
If the attack is conducted on a sufficiently large scale, entire geographical regions
of Internet connectivity can be compromised without the attacker's knowledge or
intent by incorrectly configured or flimsy network infrastructure equipment.
DDOS ATTACKS:
Definition and strategy of DDoS attacks
A DDoS attack uses many computers to launch a coordinated DOS
attack against one or more targets. Using client/server technology, the perpetrator
is able to multiply the effectiveness of the DOS significantly by harnessing the
resources of multiple unwitting accomplice computers, which serve as attack
platforms. A DDoS attack is composed of four elements,
• The real attacker.
• The handlers or master compromised hosts, who are capable of controlling multiple agents.
• The attack daemon agents or zombie hosts, who are responsible for generating a stream of packets toward the intended victim.
• A victim or target host.
A DDoS attack can be described as follows:
Recruitment: The attacker chooses the vulnerable agents, which will he used to
perform the attack.
Compromise: The attacker exploits the vulnerabilities of the agents and plants
the attack code, protecting it simultaneously from discovery and deactivation.
Communication: The agents inform the attacker via handlers that they are
ready.
Attack :
The attacker commands the onset of the attack. Sophisticated and
powerful DDoS toolkits are available to potential attackers increasing the
danger of becoming a victim in DOS or DDoS attack. Some of the most known
DDoS tools are Trinoo, TFN, Stacheldraht, TFNZK, mstream and Shaft.
DDoS attack classification :
There are two main classes of DDoS attacks: bandwidth depletion and
resource depletion attacks.
A bandwidth depletion attack is designed to flood the victim network with
unwanted traffic that prevents legitimate traffic from reaching the victim
system. Bandwidth attacks can be divided to flood attacks and amplification
attacks. A resource depletion attack is an attack that is designed to tie up the
resources of a victim system. This type of attack can be divided to protocol
exploit attacks and malformed packet attacks. DDoS attacks can also be
classified in two general categories: direct attacks and reflector attacks. Direct
attacks have already been described in the previous section. A reflector is an
indirect in which intermediary nodes, are used as attack launchers. A reflector is
any IP host that will return a packet if sent a packet.
DDoS APPLICATION SYSTEMS:
Sophisticated and powerful DDoS
toolkits are available to potential attackers increasing the danger of becoming a
victim in DOS or DDoS attack. Some of the most known DDoS tools are
Trinoo, TFN, Stacheldraht, TFNZK, mstream and Shaft.
Trin00:
The trinoo or trin00 is a set of computer programs to conduct a DDOS
attack. It is believed that trinoo networks has been set up on thousands of systems
on the Internet that have been compromised by remote buffer overrun exploit.
Trin00 affects Windows and many Unix OS. In this
application system the attacker scans for exploits, and gains root access.The scan
results in a list of "owned" systems ready for setting up back doors, sniffers, or the
trinoo daemons or masters.Attacker can telnet into a Master to initiate commands,
which are distributed amongst its Daemons. Then the Daemons attack the target
with a UDP or TCP packet bombardment.
Trin00 wad used in the February 2000 attacks on eBay, Amazon, CNN, etc.
A Trin00 network has been connected to the February 2000 distributed denial of
service attack on the Yahoo! Website. Trin00 is famous for allowing attackers to
leave a message in a folder called cry_baby. The file is self replicating and is
modified on a regular basis as long as port 80 is active.
Stacheldraht:
Stacheldraht is a piece of software written by Random for Linux and
Solaris systems which acts as a distributed denial of service (DDoS) agent.
Stacheldraht uses a number of different DoS attacks, including: UDP flood, ICMP
flood, TCP SYN flood and Smurf Attack. The stacheldraht network is made up of
one or more handler programs and a large set of agents.The attacker uses an
encrypting "telnet alike" program to connect to and communicate with the
handlers.The attacker(s) control one or more handlers using encrypting clients.
Each handler can control many agents.The agents are all instructed to coordinate a
packet based attack against one or more victim systems by the handler. It combines
features of Trin00 with TFN , and adds encryption.
INCIDENTS OF DDOS ATTACKS:
• The first major attack involving DNS servers as reflectors occurred in January
2001. The target was Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack) lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS records that were a year old at the time of the attack.
• On two occasions to date, attackers have performed DNS backbone DOS attacks on the DNS root servers. Since these machines are intended to provide service to all Internet users, these two denial of service attacks might be classified as attempts to take down the entire Internet, though it is unclear what the attackers' true motivations were. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers.
• In February 2007, more than 10,000 online game servers in games such as Return to Castle Wolfstein, Halo,Counter - strike and many others were attacked by the hacker group RUS. The DDoS attack was made from more than a thousand computer units located in the republics of the former Soviet Union, mostly from Russia, Uzbekistan and Belarus. Minor attacks are still continuing to be made today.
• On June 25, 2009, the day Michael Jackson died, the spike in searches related to Michael Jackson was so big that Google news initially mistook it for an automated attack. As a result, for about 25 minutes, when some people searched Google News they saw a "We're sorry" page before finding the articles they were looking for.
• June 2009 the P2P site The PirateBay was rendered inaccessible due to a DDoS attack. This was most likely provoked by the recent sellout to Global gaming factory XAB, which was seen as a "take the money and run" solution to the website's legal issues. In the end, due to the buyers' financial troubles, the site was not sold.
CLASSIFICATION OF DDOS DEFENSE MECHANISMS:
We present two classifications of DDoS defense mechanisms
according to different criteria. The first classification categorizes the DDoS
defense mechanisms depending on the activity deployed and the second
classification divides the DDoS defenses according to the location deployment. We
describe in detail the DDoS defenses in the first classification and just refer to
the DDoS defenses and the way they are categorized in the second classification.
Classification by activity:
Intrusion Prevention:
The best mitigation strategy against any attack is if the attack never
occurs. There are many DDoS defense mechanisms that try to prevent
systems from attackers:
Using globally coordinated filters : Ingress Filtering, proposed by Ferguson and
Senie , is a restrictive mechanism to drop traffic with IP addresses that do not
match a domain prefix connected to the ingress router.
Egress filtering is an outbound filter, which ensures that only assigned or
allocated IP address space leaves the network. Egress filters do not help to
save resource wastage of the domain where the packet is originated but they
protect other domains from possible attacks.
Route- based filtering, proposed by Park and Lee, uses the route information to
filter out spoofed IF' packets.
Disabling Unused Services : If network services are unused, the services should
be disabled to prevent attacks.
Applying Security Patches : The host computers should update themselves with
the latest security patches for the bugs present and use the latest techniques
available to minimize the effect of DDoS attack.
Changing IP address : A solution, practical only for local DDoS attacks, is called
"moving target defense", in which we invalidate the victim computer's IP
address by changing it with a new one. Once the IP address is changed, edge
routers drop the attacking packets.
Disabling IP Broadcasts : By disabling IP broadcasts host computers can no l
onger be used as amplifiers in ICMP Flood and Smurf attacks.
Creating client bottlenecks : These remedies try to create bottleneck process on
Zombie computers and limit their attacking capability. RSA's Client Puzzles
algorithm and Turing test need the client to do some extra computation
before setting up a connection.
Firewalls: Firewalls have simple rules such as to allow or deny protocols, ports or
IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there
is an attack on port 80 (web service), firewalls cannot prevent that attack because
they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls
are too deep in the network hierarchy. Routers may be affected even before the
firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from
launching simple flooding type attacks from machines behind the firewall.
Some stateful firewalls like OpenBSD's pF, can act as
a proxy for connections, the handshake is validated (with the client) instead of
simply forwarding the packet to the destination. It is available for other BSDs as
well. In that context, it is called "synproxy".
Switches: Most switches have some rate-limiting and ACL capability. Some
switches provide automatic and/or system-wide rate limiting, traffic shapping,
delayed binding(TCP slicing), deep packet inspection and Bogon filtering (bogus
IP filtering) to detect and remediate denial of service attacks through automatic
rate filtering and WAN Link failover and balancing.
Intrusion Detection:
Intrusion detection systems detect DDoS attacks by using
the database of known signatures or by recognizing anomalies in system
behaviors.
• Anomaly detection
Anomaly detection relies on detecting behaviors that are abnormal with
respect to some normal standard. Many anomaly detection systems
and approaches have been developed to detect the faint signs of DDoS
attacks.
A scalable network monitoring system called NOMAD is
able to detect network anomalies by making statistical analysis of
IP packet header information. Lee and Stolfo use data mining
techniques to discover patterns of systems features that describe
program and user behavior and compute a classifier that can recognize
anomalies and intrusions. Cabrera et al. propose a Network Management
System for the detection of DDoS attacks in which key variables are
chosen with a statistical analysis, to achieve the early detection of the
attack.
A mechanism called congestion triggered packet sampling
and filtering is proposed by Huang et al. According to this approach,
a subset of dropped packets due tu congestion for statistical analysis
is selected. If anomaly is indicated by the statistical results, a signal is
sent to the router to filter the malicious packets. Gil et al. propose a
heuristic data-structure, which postulates if the detection of IP addresses
that participate in a DDoS attack is possible, and then measures could be
taken to block only these particular addresses. This approach cannot
prevent proportional attacks nor can it detect DDoS attacks that use
many zombies.
• Misuse detection
Misuse detection identifies well-defined patterns of known exploits and
then looks out for occurrences of such patterns. Several popular
network monitors perform signature-based detection, such as CISCO'S
NetRanger, NID, Realsecure, Snort.
Intrusion Response:
Once an attack is identified, the immediate response is to
identify the attack source and block its traffic accordingly. There are many
approaches that target in tracing and identifying the real attack source.
IP trace back : IP traceback traces the attacks back towards their origin, so
one can find out the true identity of the attacker and, achieve path
characterization. Some factors that render IP tracehack difficult is the stateless
nature of Internet routing and the lack of source accountability in TCP/IP
protocol.
ICMP traceback : ICMP traceback has been proposed by Bellovin. According to
this mechanism every router samples the forwarding packets with a low
probability and sends an ICMP traceback message to the destination. If enough
traceback messages are gathered at the victim, the source of traffic can be found
by constructing a chain of traceback messages. In order to face DDoS attacks
by reflectors, Barros proposes a modification of ICMF' tracehack messages. In
this approach, routers send ICMF' messages to the source of the currently being
processed packet rather than its destination.
link-testing traceback : A link-testing traceback technique is proposed by
Burch and Cheswick . It infers the attack path by flooding the links with large
burst of traffic and examines whether this induces any perhuhation on that
network. If so, this page link is probably a part of attack path.
CenterTrack : CenterTrack is an architecture proposed by Stone, which creates
an overlay network of IP tunnels by linking all edge routers to central tracking
routers, and all suspicious traffic is rerouted fiom edge routers to the tracking
routers.
Probabilistic Packet Marking : Probabilistic Packet Marking was originally
introduced by Savage et al who described efficient ways to encode partial route
path information and include the tracehack data in IF' packets. Song and Perrig
improved the performance of PPM and suggested the use of hash chains for
authenticating routers. This marking scheme is efficient and accurate in the
presence of a large numbers of DDoS attacks.
Hash-based IP traceback : Hash-based IP traceback has been proposed by
Snoeren, et al.This technique uses a Source Path Isolation Engine (SPIE)
which generates audit trails of trailic and can trace origin of single IF' packet
delivered by a network in recent past.
Intrusion Tolerance:
Intrusion tolerant research accepts that it is impossible to
prevent or stop DOS completely and focuses on minimizing the attack impact
and on maximizing the quality of its services. Intrusion tolerance can he divided
in two categories: fault tolerance and quality of service.The idea of fault tolerance
is that by duplicating the network‘s services and diversifying its access points, the
network can continue offering its services when one network page link is congested
by flooding traffic.Quality of Service (QoS) describes the assurance of the ability
of a network to deliver predictable results for certain types of applications or
traffic. Among fkameworks to provide Internet QoS, Integrated and
Differentiated Services have emerged as the principal architectures. Various
autonomous architectures have been proposed that demonstrate intrusion
tolerance during DDoS bandwidth consumption attacks. Characteristic examples
of Intrusion Tolerant QoS systems are the XenoService and the pushback
architecture.
CONCLUSION:
Undoubtedly, DDoS attacks are a serious problem for which
numerous defense mechanisms have been proposed. In this paper, we hied to
present a methodologythat would allow a classification of the DDoS
attack problem in order to be able to find more effective solutions.One great
advantage of the development of DDoS attack and defense classifications is
that effective communication and cooperation between researchers can be
achieved so that additional weaknesses of the DDoS field can be identified.
Their value in achieving &her research and discussion is undoubtedly large. A
next stepin this path would be to create sets of data and an experimental
testbed so that all these various mechanisms can be compared and evaluated.
BIBLIOGRAPHY:
• Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher. "Internet denial of Service. Attack and Defense Mechanisms". Prentice Hall 2005.
• Detecting and Reacting against Distributed Denial of Service Attacks
• IEEE International Conference on Communications,
• DDoS attacks and defense mechanisms: a classification
• This paper appears in: Signal Processing and Information Technology, 2003. ISSPIT 2003. Proceedings of the 3rd IEEE International Symposium on 2003.
• http:// staff.washington.edu/dittrich/misc/stacheldraht.analysis
• http://en.wikipediawiki/Denial-of-service_attack
• http://en.wikipediawiki/Ddos#Distributed_attack
