The prime reason for the huge number of DDoS attacks on the Internet is the wide availability of attack tools. Very powerful tools are released on the Internet by their developers free of charge, and new tools appear every year to get around whatever protection mechanisms have been put in place. A few common attack tools are described below.
Trinoo: Trinoo, also written "Trin00", is best known for its use in the distributed denial of service attack against Yahoo in February 2000. It consists of a master program and several agents installed on compromised systems. The attacker connects to the master over TCP, and the master instructs the agents over UDP port 27444; the agents then flood the victim's network with UDP packets. Trinoo uses a master/slave architecture in which both the master and the slaves are password-protected so that other parties cannot take over the attack network (a Windows variant, WinTrinoo, also exists). Because Trinoo relies on fixed, well-known port numbers and unencrypted commands, its control traffic is comparatively easy to detect.
Trinoo uses the following ports for its operation:
Attacker to Master: 27665/TCP
Master to Slave: 27444/UDP
Slave to Master: 31335/UDP
TFN: Tribe Flood Network (TFN) is a DDoS tool that floods a target from several hosts at once. It can perform four kinds of flood: ICMP echo flood, Smurf attack, UDP flood and SYN flood. The TFN client (run by the attacker) and its daemons communicate with each other using ICMP echo reply packets, so the control channel does not depend on any open TCP or UDP port.
TFN2K: Tribe Flood Network 2000 is a successor to TFN designed to evade the countermeasures developed against its predecessor. Commands between master and agents can be carried over ICMP, TCP or UDP, or over all three, and the commands are encrypted, which makes the control traffic much harder to recognise than TFN's.
Shaft: Shaft works in the same way as Trinoo except for the port numbers used for communication. A Shaft network consists of one or more handlers and many agents. The attacker reaches the handlers over a TCP (telnet) connection, and handlers and agents exchange UDP packets. The handler's ports can be switched at run time, which makes the traffic harder for intrusion detection tools to pin down.
Attacker to handler: 20432/TCP
Handler to agent: 18753/UDP
Agent to handler: 20433/UDP
MStream: MStream floods the victim with TCP ACK packets. Handlers and agents communicate over TCP and UDP, the attacker reaches a handler by telnet, and none of the communication is encrypted. A password-protected login lets the attacker control the handlers remotely.
Stacheldraht: Stacheldraht combines features of both Trinoo and TFN. It can launch UDP floods, SYN floods, ICMP floods and smurf attacks. The attacker and the handlers communicate over an encrypted TCP connection; handlers and agents communicate over ICMP and TCP. All channels are encrypted except the ICMP heartbeat packets that the agent sends to the handler.
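Several of the tools above use fixed control ports (Trinoo and Shaft are the two for which this text lists them), and those ports are the simplest signature a network monitor can match. The following is an added example, not code from the original text or from any of the tools: a small classifier that flags flow records sent to the Trinoo and Shaft handler/agent ports. The Flow record layout and the sample flows are constructed for illustration; the port numbers come from the lists above.

```python
"""Flow-record matcher for the fixed control ports listed above.

Added example, not code from the original text or from any of the tools:
a small classifier that flags traffic to the Trinoo and Shaft handler/agent
ports. The Flow records and the sample flows are constructed for illustration.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "proto src sport dst dport")

# (protocol, destination port) -> (tool, channel), taken from the port lists above
SIGNATURES = {
    ("tcp", 27665): ("Trinoo", "attacker -> master"),
    ("udp", 27444): ("Trinoo", "master -> agent"),
    ("udp", 31335): ("Trinoo", "agent -> master"),
    ("tcp", 20432): ("Shaft", "attacker -> handler"),
    ("udp", 18753): ("Shaft", "handler -> agent"),
    ("udp", 20433): ("Shaft", "agent -> handler"),
}


def classify(flow):
    """Return (tool, channel) when the flow's destination port is a known
    control port for that protocol, otherwise None."""
    return SIGNATURES.get((flow.proto.lower(), flow.dport))


def scan(flows):
    """Return [(flow, tool, channel), ...] for every flow that matches a signature."""
    hits = []
    for flow in flows:
        match = classify(flow)
        if match is not None:
            hits.append((flow, match[0], match[1]))
    return hits


def suspected_hosts(flows):
    """Group matched flows by destination host and the channels implied for it,
    so that a host receiving both 'attacker -> master' and 'agent -> master'
    traffic stands out as a probable Trinoo master."""
    roles = {}
    for flow, tool, channel in scan(flows):
        roles.setdefault(flow.dst, set()).add((tool, channel))
    return roles


# Constructed sample flows (documentation addresses, arbitrary ephemeral ports)
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.9", 40112, "198.51.100.20", 27665),   # attacker -> master
    Flow("udp", "198.51.100.20", 41001, "192.0.2.33", 27444),    # master -> agent
    Flow("udp", "192.0.2.33", 41002, "198.51.100.20", 31335),    # agent -> master
    Flow("tcp", "203.0.113.9", 40113, "198.51.100.21", 20432),   # attacker -> Shaft handler
    Flow("udp", "198.51.100.21", 41003, "192.0.2.34", 18753),    # handler -> agent
    Flow("tcp", "192.0.2.50", 51000, "198.51.100.80", 80),       # ordinary web traffic
]

if __name__ == "__main__":
    for flow, tool, channel in scan(SAMPLE_FLOWS):
        print(f"{tool:7} {channel:20} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

A port signature of this kind is cheap but brittle: the text itself notes that Shaft can switch handler ports at run time, and any of these tools can be recompiled with different defaults, so in practice such matches are treated as a starting point for investigation and paired with the rate-based and anomaly-based detection discussed later.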
The first principle of defence is to use a distributed defence rather than a centralised one, because the attack itself is distributed and arrives at a high packet rate.
The second principle is to keep collateral damage low, measured by a high Normal Packet Survival Ratio (NPSR), the fraction of legitimate packets that still reach the victim while the defence is active.
The third principle is to use a model that needs no centralised control, because the Autonomous Systems that make up the Internet are not centrally controlled.
The fourth principle is to restrict attack traffic before it reaches the victim, separating malicious flows from legitimate ones by using different attack signatures for different sources.
The fifth principle is that the mechanism should blend into the existing architecture of the system and activate only when an attack is detected.
The sixth principle is to respond against the attack source with a simple, efficient solution that is fast and flexible enough to track changes in the attack pattern.
Although many DDoS prevention techniques have been developed, attacks continue to happen. At the time of writing (2 March 2011), www.wordpress.com is under the largest DDoS attack it has encountered in the last six years. DDoS attacks have been happening for over a decade, yet there is no complete solution. Developing one faces several difficulties, described below.
A Distributed Response System is needed to prevent DDoS attacks effectively, with responses deployed at many points in the Internet to stop the widely scattered agents. There are several types of DDoS attack; only a few can be stopped while they are in progress, the rest must be prevented from starting. Deploying a distributed response system widely is difficult because the Internet is vast, and even where it is deployed its effectiveness cannot be guaranteed, so developers have little incentive to build applications on it.
Lack of attack information is a main reason for the slow development of DDoS prevention techniques. Many victims do not publicly disclose that they were attacked, since it damages the organisation's reputation, and incidents are reported only to government bodies under an obligation of secrecy. Information about the attack type, the duration of the attack and the number of agents is therefore unavailable, which makes it very difficult to develop innovative techniques. The attack tools themselves are available on many Internet sites, but on their own they say little about how real attacks behave.
Lack of benchmarks: vendors claim that their DDoS defence mechanism is the best, which cannot be verified because there is no standardised testing approach. Vendors develop the software and their own designers test it in a way that favours it. Without defined benchmarks, researchers can only compare design issues with existing defence mechanisms, not actual performance.
Researchers are currently looking for solutions to the following problems:
The use of legitimate traffic in DDoS attacks.
The holes in the Internet that attackers exploit.
The hidden identity of the agents.
DOS Prevention & Detection Techniques
Many DoS defence techniques have been developed and used over the past decade. This paper discusses a few effective and widely used ones. The wide range of techniques falls into several classes. General techniques are the common measures that ISPs and individual servers take to avoid becoming part of a DDoS attack. Filtering techniques include ingress filtering, egress filtering, route-based packet filtering, Secure Overlay Services (SOS), capability-based filtering, history-based IP filtering and the Source Address Validity Enforcement protocol. Detection techniques aim to detect the attack before it does serious damage to the victim's network; they form two groups, DoS-attack-specific detection, which uses features peculiar to DoS attacks, and anomaly-based detection, which reports deviations from the behaviour of normal traffic.
Disabling IP broadcast; in a smurf attack the attacker sends a large amount of ICMP echo traffic to an IP broadcast address with the victim's address as the spoofed source, so that every host on that segment replies to the victim. To defend against this, hosts and all neighbouring networks should disable forwarding of directed broadcasts.
Installing the latest patches; DDoS agents are recruited by exploiting vulnerabilities in their hosts. Keeping all applications patched with the latest security updates greatly reduces the chance that a system is taken over.
Disabling unused services; disabling unused network services, applications and open ports on hosts reduces the vulnerabilities in the system and so protects it from attackers.
Firewalls; simple flood-based attacks can be stopped by firewalls, which apply simple rules allowing or denying traffic by IP address, port and protocol. But a firewall cannot effectively stop more complex attacks aimed at port 80, the port used by web services, because it cannot tell legitimate web requests from malicious ones.
Global Defence Infrastructure; this approach installs filtering rules on routers at important points of the Internet. It is possible only in theory, because every network on the Internet applies its own security policy.
IP hopping; the victim's server IP address is proactively changed from time to time, drawing from a pool of homogeneous servers. Once the address has changed, the edge routers drop the attack packets still addressed to the old one. This works only in the few cases where the attack targets the victim's IP address directly; attackers render it useless by re-resolving the victim's name through the Domain Name Service during the attack.
Ingress filtering; in ingress filtering, the source address of inbound traffic must belong to the prefix expected on the ingress router's interface, otherwise the packet is dropped. Ingress filtering can also be applied to port numbers and protocol type. The essential requirement is knowing which source addresses to expect on each interface, which is hard to obtain where network topologies are complicated. Reverse path filtering supplies this knowledge automatically: the router consults its routing table for the source address of an incoming packet and checks whether the route back to that address leaves through the interface the packet arrived on. If it does, the packet is accepted. The technique is defeated if the attacker spoofs addresses from within the subnet being filtered. Its main aim is to stop DoS attacks that use spoofed addresses, but attackers now exploit as many as 10,000 hosts and can use the agents' real addresses, which an ingress filter cannot detect. Ingress filtering on its own is therefore ineffective against DDoS attacks.
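The two checks described above, a static per-interface prefix list and a reverse path lookup against the routing table, can be expressed in a few lines. The following is an added example, not code from the original text or from any router vendor: the routing table, interface names, per-interface prefix lists and packets are constructed. It also shows the limitation the text mentions: a source spoofed from inside the expected subnet passes both checks.

```python
"""Ingress filtering (static prefix check) and reverse path filtering.

Added example, not from the original text. The routing table, interface
names, the per-interface prefix lists and the packets are all constructed
to illustrate the checks described above.
"""
import ipaddress

# Constructed routing table: (prefix, interface used to reach it).
# Longest prefix match decides which entry applies.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),     # customer A behind eth1
    (ipaddress.ip_network("198.51.100.0/24"), "eth2"),  # customer B behind eth2
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),        # default route to upstream
]

# Static ingress policy: source prefixes expected on each customer-facing interface.
EXPECTED_SOURCES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],
}


def lookup(src):
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_prefix_ok(src, in_iface):
    """Static ingress filter: accept only sources inside the prefixes
    configured for the arrival interface. Interfaces with no policy
    (the upstream link here) are not filtered."""
    if in_iface not in EXPECTED_SOURCES:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_SOURCES[in_iface])


def strict_rpf_ok(src, in_iface):
    """Strict reverse path check: accept only if the route back to the
    source leaves through the interface the packet arrived on."""
    return lookup(src) == in_iface


def loose_rpf_ok(src):
    """Loose reverse path check: accept if any route other than the default
    covers the source address (tolerates asymmetric routing, but catches
    only sources that are not routed at all)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net, _ in ROUTES if net.prefixlen > 0)


def decide(src, in_iface):
    """Apply the static filter, then strict RPF; return 'accept' or 'drop'."""
    if ingress_prefix_ok(src, in_iface) and strict_rpf_ok(src, in_iface):
        return "accept"
    return "drop"


if __name__ == "__main__":
    for src, iface in [("192.0.2.10", "eth1"), ("203.0.113.5", "eth1"),
                       ("192.0.2.77", "eth1"), ("198.51.100.7", "eth1")]:
        print(f"{src:14} on {iface}: {decide(src, iface)}")
```

Strict reverse path checking is only safe on interfaces where routing is symmetric; on a multi-homed link where return traffic legitimately leaves by another interface it drops good packets, which is why the loose variant exists. Neither variant helps once the attacker stops spoofing, exactly as the text concludes.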
Egress filtering; egress filtering monitors the outbound traffic leaving a network and drops traffic that does not meet the security policy, which stops malicious traffic from the network's own hosts from leaving it. It is very similar to ingress filtering. Its main disadvantage is that internal users can lose access to external networks when the policy is too strict, and it gives no protection against an attack launched inside the network, where there is little other protection. Egress filtering is rarely practical in consumer networks and small office environments.
Route-based Packet Filtering (RPF); RPF rests on the principle that each link in the Internet core carries only a limited set of source addresses. A packet arriving with an unexpected source address is assumed to be spoofed, and only such packets are filtered. RPF derives the expected addresses from the Border Gateway Protocol (BGP) routing topology. Deploying RPF in at least 18 percent of the Autonomous Systems (ASes) in the Internet filters spoofed addresses significantly. RPF has several limitations. The first is the complexity of implementing it in practice: with almost 10,000 ASes in the Internet, RPF would have to be installed in at least 1,800 of them, a very difficult task. The second is that legitimate packets may be dropped when the route taken by legitimate traffic changes. The third is that the filters are built from valid BGP messages, so an attacker who hijacks a BGP session and alters them can set the filter rules in the attacker's favour. RPF is not very effective against DDoS attacks and is vulnerable to dynamic Internet routing because it cannot keep its routing information up to date.
History-based IP filtering; history-based IP filtering keeps an IP Address Database (IAD) of source addresses seen frequently. In normal network traffic the set of source addresses tends to remain stable, whereas during a DoS attack most source addresses have never been seen before. When an attack is suspected, the source address of each packet is looked up in the IAD and packets from addresses that are not in it are dropped. Hash-based structures are used so that the IAD can be searched quickly. The technique is robust and easy to implement, but it has limitations: it is ineffective when the attack comes from legitimate (previously seen) addresses, and it needs an offline database to store the addresses, which is costly.
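The following is an added example of the scheme just described, not code from the original text: it builds an IAD from records of normal traffic and, while an attack is suspected, admits only sources found in it. The IAD is a Bloom filter, one of the hash-based structures the text alludes to, which gives constant memory and constant lookup time at the cost of occasional false positives. The admission rule (an address must be seen on at least two distinct days) and all traffic records are constructed assumptions.

```python
"""History-based IP filtering with a hash-based IP Address Database (IAD).

Added example, not from the original text. The IAD is a Bloom filter (a
fixed-size bit array probed with several hash functions), the admission rule
(an address must appear on at least two distinct days of normal traffic) is an
assumption, and all traffic records are constructed.
"""
import hashlib


class BloomFilter:
    """Constant-memory set membership; may say 'present' for an address that
    was never added (false positive) but never 'absent' for one that was."""

    def __init__(self, bits=1 << 16, hashes=4):
        assert hashes <= 8  # one SHA-256 digest yields eight 4-byte words
        self.bits, self.hashes = bits, hashes
        self.table = bytearray(bits // 8)

    def _positions(self, key):
        # Slice independent 4-byte words out of one SHA-256 digest
        digest = hashlib.sha256(key.encode()).digest()
        for i in range(self.hashes):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.bits

    def add(self, key):
        for p in self._positions(key):
            self.table[p // 8] |= 1 << (p % 8)

    def __contains__(self, key):
        return all(self.table[p // 8] & (1 << (p % 8)) for p in self._positions(key))


def build_iad(normal_records, min_days=2):
    """normal_records: iterable of (day, source_ip) seen while no attack is
    in progress. An address enters the IAD only if it was seen on at least
    min_days distinct days, so a one-off scanner does not earn a place."""
    days_seen = {}
    for day, ip in normal_records:
        days_seen.setdefault(ip, set()).add(day)
    iad = BloomFilter()
    for ip, days in days_seen.items():
        if len(days) >= min_days:
            iad.add(ip)
    return iad


def filter_under_attack(iad, sources):
    """While an attack is suspected, admit packets from sources in the IAD
    and drop the rest. Returns (admitted, dropped) lists of source IPs."""
    admitted, dropped = [], []
    for src in sources:
        (admitted if src in iad else dropped).append(src)
    return admitted, dropped


# Constructed normal-period observations: (day number, source address)
NORMAL_RECORDS = [
    (1, "192.0.2.10"), (2, "192.0.2.10"), (3, "192.0.2.10"),
    (1, "192.0.2.11"), (3, "192.0.2.11"),
    (2, "198.51.100.5"),                      # seen on one day only: not admitted
]

# Constructed packet sources observed during a suspected attack
ATTACK_SOURCES = ["192.0.2.10", "203.0.113.1", "203.0.113.2",
                  "198.51.100.5", "192.0.2.11", "203.0.113.3"]

if __name__ == "__main__":
    admitted, dropped = filter_under_attack(build_iad(NORMAL_RECORDS), ATTACK_SOURCES)
    print("admitted:", admitted)
    print("dropped: ", dropped)
```

The run makes both limitations in the text visible: a genuine first-time client (198.51.100.5, seen only once before) is dropped along with the attack sources, while any agent whose address is already in the IAD is admitted. The Bloom filter's false-positive rate is a further, small, source of admitted attack traffic that a practitioner sizes the bit array against.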
Secure Overlay Service (SOS); SOS provides secure communication between legitimate users and the victim. A Secure Overlay Access Point (SOAP) verifies traffic from a source. Only authenticated traffic is routed, by consistent hash mapping, to a special overlay node called a beacon, which forwards it for further authentication to another special overlay node called the secret servlet; the secret servlet forwards only the traffic that the victim has chosen to accept. SOS thus keeps a communication path open between the victim and legitimate users during a DDoS attack. Its main strength is the distributed deployment of SOAPs, but deploying SOAPs widely is difficult, and if an attacker spreads a worm through them the deployed SOAPs become useless and the target's network is disrupted.
Source Address Validity Enforcement (SAVE); the basic objective of the SAVE protocol is to give each router the expected range of source addresses on each of its interfaces. Routers update this information for every link and block packets whose source address is unexpected. Valid-source-address messages propagate continually from each source towards all destinations, much like existing routing protocol messages, letting every router on the path build an incoming table that associates each of its links with a set of valid source address blocks. SAVE filters packets with spoofed addresses against these incoming tables, which are updated periodically to cope with the asymmetries of Internet routing. SAVE is effective only when deployed universally, which is difficult to accomplish, and it is useless against DDoS attacks that do not spoof source addresses.
DoS Attack Specific Detection; an attacker generally sends a very large amount of traffic to the victim to make the attack effective. The victim cannot reply to all of the packets, which creates an imbalance between the packet rate flowing towards the victim and the rate flowing back.
A scheme built on attack-specific detection is MULTOPS, which monitors the packet rates in both directions to detect a DoS attack. MULTOPS assumes that, in normal operation, the traffic to and from a host or prefix is roughly proportional; a marked disproportion indicates a DoS attack. Its main disadvantage is that it tracks per-prefix packet rates in a dynamic tree structure, and the tree itself can be made the target of a memory exhaustion attack. TOPS was developed to avoid this, using a hashing scheme instead of a tree to detect the imbalance in packet flows.
MULTOPS has further limitations: its assumption that incoming and outgoing packet rates are proportional does not always hold. Real-time video streams, for example, are highly disproportionate, with far more packets flowing to the client than back from it.
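To make the ratio test, the expanding tree and the memory concern concrete, the following is an added, simplified MULTOPS-style detector; it is not the MULTOPS implementation from the literature. A prefix node splits into children only once it has seen enough traffic, a node cap stands in for the memory-exhaustion problem, and the thresholds, addresses and traffic mix are all constructed.

```python
"""Simplified MULTOPS-style disproportion detector.

Added example, not the MULTOPS implementation described in the literature.
It keeps a tree keyed on successive octets of an address, counts packets
towards and from each prefix, expands a prefix into its children once it is
busy enough, and reports prefixes whose to/from ratio is disproportionate.
The thresholds and the traffic are constructed; the node cap stands in for
the memory-exhaustion concern raised above.
"""


class Node:
    __slots__ = ("to", "frm", "children")

    def __init__(self):
        self.to = 0          # packets addressed to this prefix
        self.frm = 0         # packets sent from this prefix
        self.children = {}   # next octet -> Node


class Multops:
    def __init__(self, expand_threshold=100, ratio=3.0, max_nodes=1000, depth=4):
        self.root = Node()
        self.expand_threshold = expand_threshold  # traffic a node needs before it expands
        self.ratio = ratio                        # to:from ratio considered disproportionate
        self.max_nodes = max_nodes                # hard cap on tree size
        self.depth = depth                        # root + up to three octet levels
        self.nodes = 1

    def _path(self, ip):
        """Yield the nodes along ip's prefix path, creating a child only when
        the parent has already seen expand_threshold packets and the node cap
        has not been reached."""
        node = self.root
        yield node
        for octet in [int(o) for o in ip.split(".")][: self.depth - 1]:
            if node.to + node.frm < self.expand_threshold:
                return
            child = node.children.get(octet)
            if child is None:
                if self.nodes >= self.max_nodes:
                    return
                child = node.children[octet] = Node()
                self.nodes += 1
            node = child
            yield node

    def observe(self, src, dst):
        """Account one packet: 'to' along the destination path, 'from' along the source path."""
        for node in self._path(dst):
            node.to += 1
        for node in self._path(src):
            node.frm += 1

    def suspicious(self):
        """Prefixes (dotted, e.g. '198.51.100') receiving far more than they send."""
        flagged = []
        stack = [(self.root, [])]
        while stack:
            node, path = stack.pop()
            busy = node.to + node.frm >= self.expand_threshold
            if path and busy and node.to > self.ratio * max(node.frm, 1):
                flagged.append(".".join(map(str, path)))
            for octet, child in node.children.items():
                stack.append((child, path + [octet]))
        return sorted(flagged)


def run_demo(max_nodes=1000):
    """Constructed traffic: a balanced exchange between two hosts, then a
    flood from fifty sources towards one victim that answers only a little."""
    det = Multops(max_nodes=max_nodes)
    for _ in range(200):                              # normal, balanced exchange
        det.observe("192.0.2.10", "192.0.2.20")
        det.observe("192.0.2.20", "192.0.2.10")
    for i in range(1000):                             # flood towards the victim
        det.observe(f"203.0.113.{i % 50}", "198.51.100.20")
        if i % 50 == 0:                               # victim manages a few replies
            det.observe("198.51.100.20", f"203.0.113.{i % 50}")
    return det


if __name__ == "__main__":
    d = run_demo()
    print("suspicious prefixes:", d.suspicious(), "nodes:", d.nodes)
```

With the default cap the victim's prefixes are reported at every level of the tree and the balanced pair is not. Running the same traffic with max_nodes=3 shows the weakness the text describes from the other side: the busy but harmless prefix expands first and uses up the allowed nodes, the victim's prefix is never monitored, and nothing is reported. An attacker who can drive expansion before the flood can therefore blind the detector or exhaust its memory.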
Anomaly-based Detection; there are two basic network-based detection approaches, signature-based detection and anomaly-based detection. Signature-based detection matches the monitored traffic against known characteristics of malicious traffic, so an attacker can evade it simply by changing the content and shape of the attack traffic. Anomaly-based detection instead builds a profile of normal traffic and compares the monitored traffic with it to detect a DoS attack. The most important part is building the normal profile from training data; statistical modelling over parameters such as the packet rate and the IP packet size is essential.
The main problem with anomaly-based detection is that it is very difficult, and probably impossible, to build a profile that captures every kind of normal traffic behaviour. It is also useless when the attacker uses a very large number of hosts, because each source's share of the attack then looks like normal, legitimate traffic.
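The following is an added example of the profiling step described in the last two paragraphs; it is not code from the original text. Each time window is summarised by two of the parameters the text names, packets per window and mean IP packet size; the profile is the per-feature mean and standard deviation over windows of normal traffic, and a window is reported when any feature lies more than three standard deviations from the mean. The training data, the test windows and the threshold are constructed assumptions. The last test window illustrates the closing point: a flood spread across many agents so that the window looks only slightly busier than normal is not reported.

```python
"""Anomaly-based detection from a statistical profile of normal traffic.

Added example, not from the original text. Each time window is summarised by
two features named above, packets per window and mean IP packet size; the
profile is the per-feature mean and standard deviation over training windows,
and a window is flagged when any feature is more than THRESHOLD standard
deviations from the mean. Training and test windows are constructed, and the
threshold and window generator are assumptions.
"""
import random
import statistics

THRESHOLD = 3.0                      # z-score beyond which a window is reported
SIZES = [64, 576, 1500, 40, 1200]    # packet sizes used to synthesise traffic


def features(window):
    """window: list of IP packet sizes observed in one time slice."""
    return (len(window), statistics.fmean(window) if window else 0.0)


def build_profile(training_windows):
    """Per-feature (mean, standard deviation) over windows of normal traffic."""
    rows = [features(w) for w in training_windows]
    profile = []
    for i in range(len(rows[0])):
        column = [r[i] for r in rows]
        profile.append((statistics.fmean(column), statistics.pstdev(column) or 1e-9))
    return profile


def zscores(profile, window):
    """Distance of each feature from the profile, in standard deviations."""
    return [abs(v - mean) / sd for v, (mean, sd) in zip(features(window), profile)]


def is_anomalous(profile, window, threshold=THRESHOLD):
    return max(zscores(profile, window)) > threshold


def synth_normal_windows(n, seed=1):
    """Constructed training data: about 500 packets per window, random mix of sizes."""
    rng = random.Random(seed)
    windows = []
    for _ in range(n):
        count = max(1, int(round(rng.gauss(500, 25))))
        windows.append([rng.choice(SIZES) for _ in range(count)])
    return windows


def cyclic_window(count):
    """Constructed test window with the same size mix, laid out deterministically."""
    return [SIZES[i % len(SIZES)] for i in range(count)]


TRAINING = synth_normal_windows(200)
NORMAL_WINDOW = cyclic_window(500)          # ordinary traffic
FLOOD_WINDOW = [40] * 5000                  # volumetric flood of small packets
STEALTH_WINDOW = cyclic_window(520)         # many agents, each adding a little

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for name, w in [("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW),
                    ("stealth", STEALTH_WINDOW)]:
        zs = ", ".join("%.1f" % z for z in zscores(profile, w))
        print(f"{name:8} z=[{zs}] anomalous={is_anomalous(profile, w)}")
```

A production profile would use many more features and a model that follows daily and weekly cycles, but the failure mode is the same: once the attack's per-window footprint falls within the spread of the training data, no threshold separates it from normal traffic.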