Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are the most common attacks that aim to paralyze network resources and services and prevent legitimate users from accessing them. DDoS differs from DoS only in that the attack originates from multiple systems in order to flood the bandwidth or the resources of the target system. With the increasing role of e-commerce in the world economy, a well-timed denial of service attack can cause huge collateral damage. Countless flavors of DoS attack are widespread today, and they continue to evolve. This report addresses the different known types of attack, their negative consequences and the countermeasures available to prevent them.
In a DoS attack a malicious client attempts to partially or completely paralyze the target system by exhausting its resources, which prevents any legitimate client from accessing the system. There has been a sharp increase in DoS attacks in the recent past, which did not even spare well-known e-merchants including Amazon.com, E*TRADE, Yahoo and eBay. DoS attacks are the precursors of DDoS attacks, which differ from them in just one parameter: the distribution strategy. Many automated tools and bots are available, such as "Stacheldraht" and "Tribe Flood Network", which make these kinds of attacks easier to execute with maximum impact. The victims are not only e-commerce sites; unfortunately they extend to government websites.
The consequences are usually multiple and range widely from system errors to paralysis or even a crash. A much more devastating consequence is that the overflow might provide access to secure resources in the system. A denial of service attack harms the victim in two ways. Firstly, revenue is affected because of the disruption of the service provided to the clients, and secondly, the victim loses business and clients to a competitor because of the denial of service. Among DoS attacks, the congestive attacks are the most difficult type to handle. As everyone is dependent on the Internet for the economy, and the Internet basically works on a non-authenticated service model, these kinds of attacks are very easy to execute.
Denial of Service (DoS) is an attack in which the attacker sends an enormous stream of network packets with the aim of shutting down a network resource or preventing it from serving its legitimate users. When multiple sources or agents are deployed to accomplish this goal, it is called a Distributed Denial of Service (DDoS) attack. The ultimate aim of these attacks is to make a legitimate service unavailable to legitimate users, or to gain access to a network resource in order to cause arbitrary damage.
1.2 Understanding Distributed and Denial of Service
DoS and DDoS attacks normally use two approaches to accomplish the task of denying a service. The first is the vulnerability attack, which targets a particular vulnerability in a system. The second is the flooding attack, in which the attacker launches an enormous number of service requests from a large number of zombies simultaneously.
Figure 1: A Typical DDoS Attack Scenario
2 DDoS Attacks - Classification
The following are the two main classifications of DDoS attacks:
2.1 Bandwidth Depletion Attack
The bandwidth depletion attack floods the target network with an enormous volume of garbage traffic to prevent legitimate users from reaching the target system. Bandwidth depletion attacks can be further classified into the following categories:
a) Amplification Attacks
b) Flood Attacks
Figure 2: DDOS Agent-Handler Attack Model
2.2 Resource Depletion Attack
The resource depletion attack exhausts or shuts down a particular resource of the target system, making it unavailable to legitimate users. Resource depletion attacks can be further classified into the following categories:
a) Malformed Packet Attacks
b) Protocol Exploit Attacks
DDoS attacks can also be classified more generally into the following two categories:
2.3 Direct Attacks
In direct attacks, the attacker participates directly in launching the attack, but with a spoofed IP address.
2.4 Reflector Attacks
In reflector attacks, the attack is launched through intermediary nodes called reflectors. The characteristic feature of a reflector is that it returns a packet whenever it receives one.
Figure 3: DDoS IRC-Based Attack Model
3 DDoS Prevention
DDoS attacks can be targeted at any number of services or devices in a network, and hence it is more difficult to prevent network devices from being susceptible to a DDoS attack. Even legitimate traffic can turn into a DDoS attack if it creates recursive operations that consume the server's resources. Hence, there is no single-point solution to DDoS attacks, and the following actions should be combined to have an effective DDoS prevention mechanism in place.
3.1 Network Design with High Redundancy and Availability
Having high redundancy of critical network resources prevents a single point of failure in case of a DDoS attack. Though this is costly to implement (dual Internet lines, for example), it proves to be an effective solution.
Figure 4: DDoS Attack Taxonomy
3.2 Perimeter Defense
The filtering of traffic from spoofed IP addresses should start at the gateway router, for example by implementing ingress and egress filtering to prevent spoofed traffic from the internal and external networks.
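The ingress/egress decision a gateway router makes, written out as an added example (this is not code from the original essay). The address plan is an assumption: 192.0.2.0/24 and 198.51.100.0/24 stand in for the internal prefixes, 203.0.113.0/24 for the outside world, and the bogon list covers private and special-use source ranges that must never arrive from the Internet.

```python
import ipaddress

# Constructed address plan (assumption): the prefixes routed behind the gateway.
# RFC 5737 documentation ranges are used so that no real network is named.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

# Source addresses that must never arrive from the Internet (private and
# special-use ranges); a packet carrying one of these is spoofed or misrouted.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr, prefixes):
    """True if the address falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def filter_packet(direction, src):
    """Decide the fate of one packet at the gateway router from its direction
    and source address.

    direction: "ingress" (arriving from the Internet) or "egress" (leaving).
    Returns "pass" or "drop:<reason>".
    """
    if direction == "ingress":
        # Ingress filtering: nobody outside may claim one of our own addresses,
        # and nobody may claim a private/special-use source.
        if in_any(src, BOGON_PREFIXES):
            return "drop:bogon-source"
        if in_any(src, INTERNAL_PREFIXES):
            return "drop:spoofed-internal-source"
        return "pass"
    if direction == "egress":
        # Egress filtering (BCP 38): an inside host, zombie or not, may only send
        # with a source address that actually belongs to our prefixes.
        if not in_any(src, INTERNAL_PREFIXES):
            return "drop:spoofed-external-source"
        return "pass"
    raise ValueError("direction must be 'ingress' or 'egress'")


# Constructed sample packets: (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.7"),     # normal client request from outside
    ("ingress", "192.0.2.5"),       # outsider spoofing one of our addresses
    ("ingress", "10.1.2.3"),        # private source arriving from the Internet
    ("egress", "192.0.2.10"),       # normal reply from an inside server
    ("egress", "203.0.113.99"),     # inside zombie spoofing a remote source
]


def apply_filters(packets=SAMPLE_PACKETS):
    """Return the verdict for each packet, in order."""
    return [filter_packet(direction, src) for direction, src in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, apply_filters()):
        print(pkt, "->", verdict)
```

The egress rule is the one that matters most for the essay's point: an infected inside host cannot take part in a spoofed-source flood if the router refuses to forward packets whose source is not one of its own prefixes.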
3.3 Defense In-Depth
Intrusion Detection Systems (IDS) can detect the communication between the master and the zombies or agents. This helps in removing those zombies from the network, but an IDS cannot detect new variants of the communication without signatures.
3.4 Host Hardening
Host hardening is the process of hardening the operating system by applying the latest patches for current vulnerabilities, applying proper security policies with access control lists, changing default passwords, closing unwanted ports and tightening the system configuration.
3.5 Malware Detection & Prevention
All hosts in the network must have anti-virus software installed and updated with the latest signatures to detect viruses, and file integrity checkers must be used to closely watch for unauthorized modification of data, to prevent any host from being infected by malware and turned into a zombie for future DDoS attacks.
3.6 Periodic Scanning
Periodic vulnerability assessment helps to identify hosts with vulnerabilities and to close those vulnerabilities in time, before attackers exploit them.
3.7 Policy Enforcement
The final measure to prevent DDoS attacks is to enforce proper acceptable-usage and resource-management policies. There should be proper policies to ensure secure coding practices and pre-production testing to prevent any loopholes in the developed systems.
4 DDoS Detection & Defense Mechanism
As DDoS attacks get more advanced day by day, with the evolution of new tools and techniques making it easier for even an ordinary Internet user to launch automated attacks, a proper strategy must be adopted to thwart DDoS attacks successfully.
Countermeasures for DDoS attacks should be modeled around three stages of handling the attack. The first stage is DDoS detection, where the DDoS traffic is identified. The second stage is traffic segregation, where the malicious traffic is separated from the legitimate traffic. The third stage is DDoS mitigation, where the effect of the DDoS attack is dissolved by nullifying it.
4.1 DDoS Detection
DDoS attacks involve two types of traffic in their execution, called the Attack traffic and the Control traffic [Figure 1]. A variety of security resources, such as Intrusion Detection Systems (IDS), are available to identify DDoS attacks. Anomaly-based IDS and signature-based IDS are widely used for this purpose. A signature-based IDS is used to detect the Control traffic of a DDoS attack, based on a standard set of signatures that look for the port numbers or the traffic targeting known vulnerabilities used to connect with the zombies and trigger the attack. An anomaly-based IDS is used to detect the Attack traffic of a DDoS by monitoring the network for unusual behavior using statistical analysis. In the case of an anomaly-based IDS, the packet frequency and the bandwidth consumption are analyzed at different locations in the network. The following two tests are useful for analyzing and alerting on DDoS attacks.
4.1.1 Persistence Threshold Test
The persistence threshold test involves two different threshold values, called the Rate threshold and the Persistence threshold. The persistence threshold defines the monitoring period, whereas the rate threshold defines the bandwidth usage. The rate threshold is calculated from the tolerance level and the average network traffic volume. The test works as follows: when the currently monitored traffic parameter exceeds the value defined by the rate threshold, and this continues for the time defined by the persistence threshold, the system alerts the administrator.
4.1.2 Bucket Threshold Test
The persistence threshold test might result in false negatives if the attacker floods the network in intervals shorter than the one defined by the persistence threshold. The bucket threshold test was introduced to overcome this problem.
Figure 5: Interval DDoS Attack
This technique divides the monitoring period into smaller windows called buckets. At any time there are two observation windows available, so that the short-interval traffic rate can be compared with the long-interval traffic rate. When the comparison of the observation windows shows that the tolerance level has been crossed, the system administrator is alerted.
Figure 6: Bucket Threshold Test
The combination and concurrent use of the bucket and persistence threshold tests has proved to be the most effective detection mechanism available in the market today.
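Both tests of sections 4.1.1 and 4.1.2, implemented together as an added example (not code from the original essay) over a constructed series of per-second packet counts. The sample values, the tolerance factor of 3, the persistence period of 5 samples and the window sizes of 3 and 12 buckets are assumptions chosen for illustration. The interval flood follows the pattern of Figure 5: it bursts for 3 seconds and pauses for 3, so it never satisfies the persistence test but is caught by the bucket test, while a sustained flood trips both.

```python
from collections import deque

# Constructed per-second packet counts (packets/s) on a monitored link.
# Ten quiet samples form the baseline, then the flood starts.
BASELINE_PPS = [100, 110, 95, 105, 100, 98, 102, 100, 97, 103]
# Interval attack (Figure 5 pattern): 3 s of flooding, 3 s of silence, repeated.
INTERVAL_ATTACK_PPS = BASELINE_PPS + ([5000] * 3 + [100] * 3) * 4
# Sustained attack: the flood simply continues.
SUSTAINED_ATTACK_PPS = BASELINE_PPS + [5000] * 8


def rate_threshold(baseline, tolerance=3.0):
    """Rate threshold = tolerance factor x average baseline traffic volume."""
    return tolerance * sum(baseline) / len(baseline)


def persistence_threshold_test(samples, rate_thr, persistence=5):
    """Persistence threshold test: alert only when the rate threshold has been
    exceeded for `persistence` consecutive samples (the monitoring period).
    Returns the index of the sample that raised the alert, or None."""
    consecutive = 0
    for i, pps in enumerate(samples):
        consecutive = consecutive + 1 if pps > rate_thr else 0
        if consecutive >= persistence:
            return i
    return None


def bucket_threshold_test(samples, short=3, long=12, tolerance=3.0):
    """Bucket threshold test: each sample is one bucket; a short window (the
    last `short` buckets) is compared against a long window (the last `long`
    buckets). Alert when the short-window mean exceeds tolerance x the
    long-window mean. Returns the index of the alerting sample, or None."""
    long_window = deque(maxlen=long)
    for i, pps in enumerate(samples):
        long_window.append(pps)
        if len(long_window) < long:
            continue  # not enough history yet to compare the two windows
        short_mean = sum(list(long_window)[-short:]) / short
        long_mean = sum(long_window) / long
        if short_mean > tolerance * long_mean:
            return i
    return None


def detect(samples, baseline=BASELINE_PPS):
    """Run both tests concurrently; report which of them alerted and when."""
    thr = rate_threshold(baseline)
    return {
        "persistence": persistence_threshold_test(samples, thr),
        "bucket": bucket_threshold_test(samples),
    }


if __name__ == "__main__":
    print("interval attack :", detect(INTERVAL_ATTACK_PPS))
    print("sustained attack:", detect(SUSTAINED_ATTACK_PPS))
    print("quiet baseline  :", detect(BASELINE_PPS * 2))
```

The bucket test compares the last 3 samples against the last 12, so a 3-second burst of 5000 packets/s stands out even though it never lasts the 5 samples the persistence test demands; on the quiet baseline neither test fires, which is the false-positive side a practitioner checks before tuning the tolerance.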
4.1.3 Intrusion Detection Modeling
Distributed, cooperative or organized attacks can be handled effectively by deploying Intrusion Detection Systems in a geographically distributed manner. Each of these geographically distributed IDS devices develops attack patterns based on the attacks targeting its monitored network. The cooperative approach correlates all these attack patterns to detect a possible attack. Thus the correlated attack patterns serve as the information database for detecting attacks, as all the geographically distributed IDS devices contribute to detection.
4.2 Segregation of Malicious Traffic
Once the detection mechanism alerts on malicious traffic, the next step is blocking the DDoS traffic. In-depth analysis of the traffic is required to identify the normal and malicious traffic patterns. Once these traffic patterns are developed, they are used to block the abnormal traffic or to allow only the normal traffic. Ongoing attacks can be tackled by creating temporary filters that allow only the known legitimate traffic. Table  lists the different known attack patterns.
4.2.1 Identification of Non-TCP Attacks
The attack patterns listed in Table  can be used to create filters that prevent malicious traffic from entering the network. Most flooding attacks can be prevented and nullified using egress and ingress filtering methodologies, while basic flooding attacks targeting specific ports can be filtered using the firewall.
Table 1: Taxonomy of DDoS Attacks
4.2.2 Identification of TCP Attacks
When an attack uses TCP as the protocol, it is difficult to segregate the malicious traffic, as this requires proper analysis of the network traffic; otherwise it results in a higher number of false positives. SYN flooding attacks exploit a known vulnerability by sending an enormous number of spoofed SYN packets, which makes the server enter an indefinite loop of waiting continuously for the ACK. SYN flooding attacks consume network bandwidth as well as server resources. Calculating the ratio of SYN to non-SYN packets in the network helps to identify SYN flood attacks. The same ratio calculation can also be used to detect RST and FIN flood scenarios. If other flags are used in a TCP flooding attack, it can be identified from the packets returned by the server.
4.3 Identifying Legitimate Traffic
It is better to identify and segregate the legitimate traffic instead of identifying the malicious traffic. Creating filters to segregate the malicious traffic is difficult to implement if the attacker uses random spoofed IP addresses, since it results in the blocking of legitimate traffic as well. This issue can be handled if we know the list of white-listed legitimate IP addresses: we can simply allow the service only for the white-listed sources. The following two techniques help in identifying the legitimate sources.
4.3.1 Connection Status
The white list of legitimate IP addresses can be built by monitoring the status of the connections the server establishes with its clients. When the server returns an ACK packet to a client, the destination IP address can be added to the white list.
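The SYN/non-SYN ratio check of section 4.2.2 and the connection-status white list of section 4.3.1 both work from the TCP flags a sensor in front of the server records, so one added example covers both (this is not code from the original essay). The packet traces are constructed: three well-behaved clients in 203.0.113.0/24, a server at 192.0.2.10, and floods from forged sources in 198.51.100.0/24; the ratio threshold of 0.5 and the flood sizes are assumptions for illustration.

```python
from collections import namedtuple

# A packet summary as a sensor in front of the server would record it:
# source, destination and the set of TCP flags. Payloads are irrelevant here.
Packet = namedtuple("Packet", "src dst flags")
SERVER = "192.0.2.10"  # constructed server address (RFC 5737 documentation range)


def tcp_session(client, server=SERVER):
    """One well-behaved connection: handshake, one request, one reply, teardown."""
    return [
        Packet(client, server, {"SYN"}),
        Packet(server, client, {"SYN", "ACK"}),
        Packet(client, server, {"ACK"}),
        Packet(client, server, {"PSH", "ACK"}),
        Packet(server, client, {"ACK"}),          # server acknowledges client data
        Packet(client, server, {"FIN", "ACK"}),
        Packet(server, client, {"FIN", "ACK"}),
        Packet(client, server, {"ACK"}),
    ]


def spoofed_syn_flood(count):
    """Constructed flood: `count` SYNs from forged sources; the server answers each
    with a SYN-ACK that nobody ever acknowledges (half-open connections)."""
    pkts = []
    for i in range(count):
        forged = f"198.51.100.{i % 250 + 1}"
        pkts.append(Packet(forged, SERVER, {"SYN"}))
        pkts.append(Packet(SERVER, forged, {"SYN", "ACK"}))
    return pkts


def spoofed_flag_flood(count, flag):
    """Constructed RST or FIN flood from forged sources (no server reply modeled)."""
    return [Packet(f"198.51.100.{i % 250 + 1}", SERVER, {flag}) for i in range(count)]


CLIENTS = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
NORMAL = [p for c in CLIENTS for p in tcp_session(c)]
SYN_FLOOD = NORMAL + spoofed_syn_flood(200)
RST_FLOOD = NORMAL + spoofed_flag_flood(100, "RST")


# ---- 4.2.2: SYN / non-SYN (and RST, FIN) packet ratios -----------------------

def flag_ratio(packets, flag, without=()):
    """Ratio of packets carrying `flag` (and none of `without`) to all other packets."""
    hits = sum(1 for p in packets
               if flag in p.flags and not any(w in p.flags for w in without))
    others = len(packets) - hits
    return hits / others if others else float("inf")


def flood_suspects(packets, threshold=0.5):
    """Compute the three ratios and name the flags whose ratio is abnormal.
    Pure SYNs (SYN without ACK) are counted so that the server's SYN-ACK replies
    do not inflate the SYN figure. The threshold is an assumption to tune per site."""
    ratios = {
        "SYN": flag_ratio(packets, "SYN", without=("ACK",)),
        "RST": flag_ratio(packets, "RST"),
        "FIN": flag_ratio(packets, "FIN"),
    }
    return ratios, sorted(f for f, r in ratios.items() if r > threshold)


# ---- 4.3.1: white list from connection status --------------------------------

def build_whitelist(packets, server=SERVER):
    """A pure ACK (no SYN, no RST) from the server only happens on a connection
    whose handshake completed, so its destination is a reachable, genuine
    client. Spoofed sources only ever receive SYN-ACKs and are never listed."""
    return {p.dst for p in packets
            if p.src == server and "ACK" in p.flags
            and not p.flags & {"SYN", "RST"}}


def temporary_filter(packets, whitelist, server=SERVER):
    """During an attack, admit inbound packets only from white-listed sources.
    Returns (allowed, dropped) counts for traffic destined to the server."""
    inbound = [p for p in packets if p.dst == server]
    allowed = sum(1 for p in inbound if p.src in whitelist)
    return allowed, len(inbound) - allowed


if __name__ == "__main__":
    for name, trace in ("normal", NORMAL), ("syn flood", SYN_FLOOD), ("rst flood", RST_FLOOD):
        ratios, suspects = flood_suspects(trace)
        rounded = {k: round(v, 3) for k, v in ratios.items()}
        print(f"{name:9s} ratios={rounded} suspects={suspects}")
    wl = build_whitelist(SYN_FLOOD)
    print("white list:", sorted(wl), "allowed/dropped:", temporary_filter(SYN_FLOOD, wl))
```

On the normal trace every client contributes one pure SYN per eight packets, so the SYN ratio stays well under the threshold, while the flood pushes it close to 1 even with the server's SYN-ACK replies counted on the other side. The white list built from the same trace contains exactly the three clients whose handshakes completed, and the temporary filter then admits their 15 inbound packets and drops the 200 spoofed SYNs.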
4.3.2 Client Response Pattern
Legitimate clients can be identified using the flow control mechanism of TCP. When network congestion occurs, the flow control mechanism requests the hosts to decrease their sending rate to the bandwidth available in the target network. Legitimate hosts respond to the request by decreasing their traffic flow. Malicious hosts, however, do not respond in the same manner: they are mostly spoofed IP addresses that cannot be reached, or, if they are present, they will not reduce their traffic rate, as their purpose is to flood. Using this differential pattern, legitimate and malicious sources can be identified and segregated.
4.4 DDoS Mitigation
Once the DDoS attack traffic is detected and segregated from the legitimate traffic, the next step is to nullify or dissolve the effect of the attack. This can be done with Proactive or Reactive approaches. The disadvantage of the Proactive approach is that it is more costly to implement. The following are a few Proactive and Reactive approaches applicable to DDoS attacks.
Figure 7: DDoS Software Tools (Characteristics)
4.4.1 Blocking At The Upstream
Blocking the attack traffic at the firewall is not useful in the case of DDoS attacks. Instead, the attacks should be blocked at the upstream nodes by sharing the defense logic and filter rules with the upstream nodes in active networks. This helps to distribute and reduce the network congestion and hence dissolves the attack intensity.
4.4.2 Kill The Zombie
The attacker uses zombies as the attack agents to execute DDoS attacks, so these nodes should be killed by blocking the IRC ports and channels.
4.4.3 Load Balancing
Load balancing proves to be effective both in normal operation and in handling DDoS attacks. Critical network connections should be provided with increased network bandwidth to withstand the DDoS traffic. Resource redundancy helps to provide failsafe protection for critical resources in case of DDoS attacks.
4.4.4 Throttling
The throttling technique can be effective in handling DDoS attack traffic, as it uses the logic of adjusting the incoming traffic to the safest level a server can handle. The disadvantage of this technique is that it is difficult to decipher the traffic to identify which part of it is malicious.
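A minimal throttle of the kind the paragraph above describes, as an added example (not code from the original essay), run over a constructed request stream so that both the technique and its stated disadvantage can be seen in numbers. The safe level of 20 requests per second, the ten legitimate clients and the 100 requests/s flood from forged 198.51.100.0/24 sources are assumptions for illustration; a fixed one-second window is used as the simplest form of "adjusting the incoming traffic to the safest level".

```python
from collections import Counter

# Constructed request stream: (timestamp_s, source, kind). Ten legitimate
# clients send one request each, one per second; a flood of 100 requests/s
# from forged sources runs for the same ten seconds.
LEGIT = [(k + 0.505, f"203.0.113.{k + 1}", "legit") for k in range(10)]
ATTACK = [(k + j / 100, f"198.51.100.{j % 250 + 1}", "attack")
          for k in range(10) for j in range(100)]
REQUESTS = sorted(LEGIT + ATTACK)


def throttle(requests, safe_rate):
    """Fixed-window throttle: admit at most `safe_rate` requests in each
    one-second window (the level the server can handle) and drop the rest.
    The throttle cannot tell request kinds apart; `kind` is carried only so
    that the caller can see who was admitted. Returns (admitted, dropped),
    each a Counter keyed by request kind."""
    admitted, dropped = Counter(), Counter()
    current_window, in_window = None, 0
    for ts, _src, kind in sorted(requests):
        window = int(ts)            # one-second bucket the request falls into
        if window != current_window:
            current_window, in_window = window, 0
        if in_window < safe_rate:
            in_window += 1
            admitted[kind] += 1
        else:
            dropped[kind] += 1
    return admitted, dropped


if __name__ == "__main__":
    admitted, dropped = throttle(REQUESTS, safe_rate=20)
    print("admitted:", dict(admitted))
    print("dropped :", dict(dropped))
```

With the flood present the server is indeed held to 20 requests per second, but the window fills with attack requests before each legitimate one arrives, so every legitimate request is dropped: the throttle protects the server while blindly penalising the clients it was meant to serve, which is exactly the disadvantage the essay names.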
4.4.5 Deflect Attacks
Honeypots are an important component for protecting resources by deflecting DDoS attacks and for gaining information about the attacker's activities. A honeypot mimics the behavior of legitimate network resources and attracts attackers to install their DDoS agents on it. This helps in understanding the agent code and building an effective defense against future attacks.
Figure 8: DDoS Countermeasures
5 Post - Attack Forensics
The logs captured during a DDoS attack can be used to derive the attack patterns, which can be used to improve the defense mechanisms currently in place and to develop new filtering mechanisms against future DDoS attacks. The logs help to trace back the attack sources if they are not spoofed, and they also help in forensic analysis and in assisting law enforcement in case of serious damage caused by the attack.
DoS and DDoS attacks cannot be completely eliminated with the current Internet infrastructure. New attacks evolve every day, and attackers keep coming out with new launch pads and automated techniques for launching complex attacks, which eliminates the technical barrier to becoming the commander of a DDoS agent army that can be targeted at any point in the Internet; hence the attacks have become more frequent nowadays. To date, there is no single-point solution for DDoS attacks. A single methodology cannot serve as a countermeasure against DDoS attacks; it should be coupled with the existing prevention methodologies to have effective results. It is also important to have relevant cyber policy and legislation to handle DDoS issues and to enable effective cooperation among law enforcement agencies and service providers.