Denial Of Service Attack In Ipv4 Computer Science Essay


In the late 1960s there was great demand in various US universities and research centers for a network that would permit nationwide use of existing computer resources. In addition, there was a desire for data exchange and an interest in practical experience with the design, implementation and use of network techniques in general and packet switching in particular. Therefore the Advanced Research Projects Agency, a US government organization, started developing a network called ARPANET. (ARPANET, dealing with research projects of military interest, was renamed DARPA.)

The demands for file transfer, remote login and email were at the top of the list for NCP (Network Control Protocol, the predecessor of TCP/IP). The first use of ARPANET was in 1971. In 1973 a project was started to develop new lower-layer protocols because the existing layers had become functionally inadequate. Cerf and Kahn therefore specified the following goals for the lower-layer protocols in 1974:

independence from underlying network techniques and from the architecture of the host

universal connectivity throughout the network

end-to-end acknowledgments

standardized application protocols

In 1981 TCP/IPv4 was standardized in the ARPANET RFCs as RFC 791, replacing an earlier definition (RFC 760). Both RFCs had the same scope of operation, but RFC 791 capitalized on the services of its supporting networks to provide various types of quality of service.


Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. IPv4 is a connectionless protocol for use on packet-switched link-layer networks (e.g., Ethernet). IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through a network, and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes. When you send or receive data, the message is divided into small chunks called packets. Each packet contains both the sender's Internet address and the receiver's address. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than the order in which they were sent. The Internet Protocol just delivers them; it is up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order.

The IP addressing scheme is integral to the process of routing IP datagrams through an internetwork. Each IP address has specific components and follows a basic format, and these addresses can be subdivided to create addresses for sub-networks. Each computer (known as a host) on a TCP/IP network is assigned a unique logical address (32 bits in IPv4) that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.

The key features of IPv4 are as follows:

Source and destination addresses are 32 bits (4 bytes) in length.

IPSec support is optional.

IPv4 header does not identify packet flow for QoS handling by routers.

Both routers and the sending host fragment packets.

Header includes a checksum.

Header includes options.

Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IP address to a link-layer address.

Internet Group Management Protocol (IGMP) manages membership in local subnet groups.

ICMP Router Discovery is used to determine the IPv4 address of the best default gateway, and it is optional.

Broadcast addresses are used to send traffic to all nodes on a subnet.

Addresses must be configured either manually or through DHCP.

Uses host address (A) resource records in Domain Name System (DNS) to map host names to IPv4 addresses.

Supports a 576-byte packet size.

Limitations of IPv4:

The current version of IP, IPv4, has not changed substantially since Request for Comments (RFC) 791 was published in 1981. IPv4 has proven to be robust, easily implemented and interoperable. It has stood up to the test of scaling an internetwork to a global utility the size of today's Internet. However, the initial design of IPv4 did not anticipate the following:

The recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space. Although the 32-bit address space of IPv4 allows for 4,294,967,296 addresses, previous and current allocation practices limit the number of public IPv4 addresses to a few hundred million. As a result, public IPv4 addresses have become relatively scarce, forcing many users and some organizations to use a NAT to map a single public IPv4 address to multiple private IPv4 addresses. Although NATs promote reuse of the private address space, they violate the fundamental design principle of the original internet that all nodes have a unique, globally reachable address, preventing true end-to-end connectivity for all types of networking applications. Additionally, the rising prominence of Internet-connected devices and appliances ensures that the public IPv4 address space will eventually be depleted.

The need for simpler configuration. Most current IPv4 implementations must be either manually configured or use a stateful address configuration protocol such as Dynamic Host Configuration Protocol (DHCP). With more computers and devices using IP, there is a need for simpler and more automatic configuration of addresses and other settings that does not rely on the administration of a DHCP infrastructure.

The requirement for security at the Internet layer. Private communication over a public medium such as the Internet requires cryptographic services that protect the data being sent from being viewed or modified in transit. Although a standard now exists for providing security for IPv4 packets (known as Internet Protocol security, or IPsec), this standard is optional for IPv4, and additional security solutions, some of which are proprietary, are prevalent.

The need for better support for prioritized and real-time delivery of data. Although standards for prioritized and real-time delivery of data, sometimes referred to as Quality of Service (QoS), exist for IPv4, real-time traffic support relies on the 8 bits of the historical IPv4 Type of Service (TOS) field and the identification of the payload, typically using a User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port. Unfortunately, the IPv4 TOS field has limited functionality and, over time, has been redefined and has different local interpretations. The current standards for IPv4 use the TOS field to indicate a Differentiated Services Code Point (DSCP), a value set by the originating node and used by intermediate routers for prioritized delivery and handling. Additionally, payload identification that uses a TCP or UDP port is not possible when the IPv4 packet payload is encrypted.

Security Issues:

IPv4 was designed with no security in mind. Because of its end-to-end model, IPv4 assumes that security should be provided by the end nodes. For instance, if an application such as e-mail requires encryption services, it is the responsibility of that application at the end nodes to provide them. Listed below are a few security issues and attacks faced by IPv4:

Denial of service attacks (DoS): in this kind of attack certain services are flooded with a large number of illegitimate requests that render the targeted system unreachable to legitimate users.

An example of a DoS attack that results from an architectural vulnerability of IPv4 is the broadcast flooding attack, or Smurf attack.

Malicious code distribution: viruses and worms can use compromised hosts to infect remote systems. IPv4's small address space can facilitate malicious code distribution.

Man-in-the-middle attacks: IPv4's lack of proper authentication mechanisms may facilitate man-in-the-middle attacks. Additionally, ARP poisoning and ICMP redirects can also be used to perpetrate this type of attack.

Fragmentation attacks: this type of attack exploits the way certain operating systems handle large IPv4 packets. An example of this type of attack is the ping of death. In a ping of death attack the target system is flooded with fragmented ICMP ping packets. With each fragment, the size of the reassembled ping packet grows beyond the packet size limit of IPv4, therefore crashing the target system.
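As an added illustration (my own example code, not part of the essay), the following Python parses the IPv4 header fields described earlier and applies two defensive checks: it flags ICMP echo requests addressed to the local subnet's directed-broadcast address (the packet a Smurf attack relies on, which a router that refuses directed broadcasts would drop), and it rejects any fragment that would push a reassembled datagram past the 65535-byte IPv4 limit (the ping of death condition above). The subnet 192.0.2.0/24 and the sample packets are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

IPV4_MAX_DATAGRAM = 65535    # largest total length an IPv4 datagram may have (RFC 791)
ICMP_ECHO_REQUEST = 8
LAN = IPv4Network("192.0.2.0/24")   # constructed local subnet for the demo

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into the fields the checks below need."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "id": ident, "proto": proto,
            "mf": bool(flags_frag & 0x2000),            # More Fragments flag
            "frag_offset": (flags_frag & 0x1FFF) * 8,   # field counts 8-byte units
            "src": IPv4Address(src), "dst": IPv4Address(dst),
            "payload": pkt[ihl:total_len]}

def is_smurf_trigger(hdr: dict, local_net: IPv4Network = LAN) -> bool:
    """ICMP echo request aimed at the subnet's directed-broadcast address: every
    host that answers amplifies traffic toward the (spoofed) source. A border
    router that refuses directed broadcasts drops exactly this packet."""
    return (hdr["proto"] == 1 and hdr["dst"] == local_net.broadcast_address
            and hdr["payload"][:1] == bytes([ICMP_ECHO_REQUEST]))

class ReassemblyGuard:
    """Tracks fragments per (src, dst, id, proto) and discards the whole datagram
    as soon as one fragment would push the reassembled size past 65535 bytes,
    which is the ping-of-death condition described above."""
    def __init__(self):
        self.high_water = {}    # largest byte offset seen so far per datagram

    def accept(self, hdr: dict) -> bool:
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        end = hdr["ihl"] + hdr["frag_offset"] + len(hdr["payload"])
        if end > IPV4_MAX_DATAGRAM:
            self.high_water.pop(key, None)    # forget the datagram, not just this piece
            return False
        self.high_water[key] = max(self.high_water.get(key, 0), end)
        return True

def make_pkt(src, dst, proto, ident=0, mf=False, offset=0, payload=b""):
    """Build a constructed IPv4 datagram for the demo (header checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

if __name__ == "__main__":
    echo = bytes([ICMP_ECHO_REQUEST, 0, 0, 0])
    print(is_smurf_trigger(parse_ipv4(make_pkt("198.51.100.7", "192.0.2.255", 1, payload=echo))))
    guard = ReassemblyGuard()
    print(guard.accept(parse_ipv4(make_pkt("198.51.100.7", "192.0.2.10", 1, 7, True, 0, echo + b"\0" * 1476))))
    print(guard.accept(parse_ipv4(make_pkt("198.51.100.7", "192.0.2.10", 1, 7, False, 65528, b"A" * 32))))
```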

Denial of Service attack:

One of the most critical attacks is denial of service. A Denial of Service (DoS) attack attempts to prevent the victim from being able to use all or part of their network connection. It may target a user, to prevent them from making outgoing connections on the network. A denial of service may also target an entire organization, to either prevent outgoing traffic or to prevent incoming traffic to certain network services, such as the organization's web page. This usually means crashing services or exhausting some limited resource. DoS attacks also exploit security flaws, since IPv4 lacks security.

Typical DoS attacks are:

Exhausting the network bandwidth of a site

Exhausting the [inbound] network connections of a service

Crashing a service using some security flaw

Crashing the computer running a service using some security flaw.

Lately, heavy DoS attacks have been described that use a network of computers to distribute the attack sources over several network locations. These attacks are known as Distributed Denial of Service attacks. CERT/CC reported new trends associated with widespread Internet activity: widespread deployment of DDoS networks based on tools like 'trinoo' and 'Tribe Flood Network' via various RPC-related vulnerabilities. Many of the initial deployments were done manually, with intruders carefully testing for and selecting hosts positioned with high bandwidth availability. The DDoS networks used a classic handler/agent control topology with direct communication via custom TCP, UDP and ICMP protocols. The packet flooding attacks used UDP floods, TCP SYN floods and ICMP echo request floods. A Distributed Denial of Service (DDoS) attack is an advanced version of a DoS attack. Like DoS, DDoS also tries to deny the important services running on a server by broadcasting packets to the destination server in a way that the destination server cannot handle. What distinguishes DDoS is that the attack is not relayed from a single network/host as in DoS; a DDoS attack is launched from many different dynamic networks.

DDoS consists of three parts: the Master, the Slave and the Victim. The master is the attack launcher, i.e. the person/machine behind all this. The slave is the network that has been compromised by the Master, and the Victim is the target site/server. The Master instructs the compromised machines, the so-called slaves, to launch the attack on the victim's site/machine. Hence it is also called a coordinated attack and follows a master-slave configuration.

Master Slave Configuration:

In the master-slave configuration the slave processes are installed on a large number of compromised Internet hosts, where they report their successful installation to their master process. The master process thus collects a list of many compromised hosts running the slave process. The resulting master-slave network may include a large number of hosts in widely different network locations. The slaves carry one or several DoS routines that can be invoked remotely by the master process. The master process can also control the targets and parameters for the attack. Some of the commands are password protected to prevent unauthorized activation or deactivation of the attacks.

Slave processes can be installed on virtually any suitable system, as the loss of a single slave process has very little effect on the overall performance of the network. The master process can poll the status of its slave processes and keeps a list of known slaves. When the attacker connects to the master, a password is required before access is allowed. Once the correct password has been supplied, the attacker can issue commands to the master. The commands direct all the active slaves of the master process, so large-scale attacks can be launched and terminated very quickly. Master processes are often carefully protected and installed on systems where detection is unlikely because of bad administration practices or heavy user activity. An attacker can connect to a master process from virtually any Internet host, as the master accepts standard telnet-type connections. A single attacker may control several DoS master processes, giving instant access to huge numbers of slave processes.

Effect of DDoS:

Attacked systems will notice a huge increase in network traffic. Depending on the attack, the traffic may come from valid Internet addresses or from random addresses created by the slave processes.

If the attacked system is directly vulnerable to any DoS attacks performed by the slave processes, the system will crash or malfunction and cannot be reactivated without immediately crashing again.

If the attacked system does not crash from the attacks, its network capacity will quickly be exhausted. Reports indicate attack rates of several gigabits per second, which far exceed the capacity of most Internet sites.
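To make the flood types above concrete from a detection standpoint, here is an added example (my own code, not from the essay) that scans constructed connection records for the SYN flood pattern: many SYNs to one destination, few of them completed by the client's ACK, and, for the distributed case, a large number of distinct source addresses, the "random addresses" effect just described. The thresholds, addresses and sample records are assumptions for the demo.

```python
from collections import defaultdict

# Thresholds for the demo (assumptions, not values stated in the essay):
SYN_THRESHOLD = 100         # SYNs per destination before we look closer
HALF_OPEN_RATIO = 0.5       # share of SYNs the client never completed with an ACK
DISTRIBUTED_SOURCES = 50    # distinct sources above which the flood counts as distributed

def analyze(records):
    """records: iterable of (src, dst, flag) where flag 'S' is a client SYN and
    'A' the client's ACK that completes the handshake. Returns a verdict per dst."""
    syns, completed, sources = defaultdict(int), defaultdict(int), defaultdict(set)
    pending = set()                      # (src, dst) pairs with a SYN but no ACK yet
    for src, dst, flag in records:
        if flag == "S":
            syns[dst] += 1
            sources[dst].add(src)
            pending.add((src, dst))
        elif flag == "A" and (src, dst) in pending:
            pending.discard((src, dst))
            completed[dst] += 1
    verdicts = {}
    for dst, n in syns.items():
        half_open = 1 - completed[dst] / n
        if n >= SYN_THRESHOLD and half_open >= HALF_OPEN_RATIO:
            kind = "distributed" if len(sources[dst]) >= DISTRIBUTED_SOURCES else "single-source"
            verdict = f"SYN flood ({kind})"
        else:
            verdict = "normal"
        verdicts[dst] = {"syns": n, "half_open": round(half_open, 2),
                         "sources": len(sources[dst]), "verdict": verdict}
    return verdicts

def constructed_records():
    """Sample traffic built inline for the demo (constructed, not captured)."""
    recs = []
    for i in range(20):                  # 20 well-behaved clients complete their handshakes
        client = f"198.51.100.{i + 1}"
        recs += [(client, "192.0.2.10", "S"), (client, "192.0.2.10", "A")]
    for i in range(300):                 # spoofed flood: SYNs from 254 different forged sources
        recs.append((f"203.0.113.{i % 254 + 1}", "192.0.2.10", "S"))
    for _ in range(300):                 # single-source flood against a second host
        recs.append(("203.0.113.250", "192.0.2.20", "S"))
    return recs

if __name__ == "__main__":
    for dst, result in analyze(constructed_records()).items():
        print(dst, result)
```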

Safety Measures:

There are several approaches you can take to defend against a DDoS attack: 

Black-holing or sinkholing: This approach blocks all traffic and diverts it to a black hole, where it is discarded. The downside is that all traffic is discarded -- both good and bad -- and the targeted business is taken off-line. Similarly, packet-filtering and rate-limiting measures simply shut everything down, denying access to legitimate users. 

Routers and firewalls: Routers can be configured to stop simple ping attacks by filtering nonessential protocols and can also stop invalid IP addresses. However, routers are typically ineffective against a more sophisticated spoofed attack and application-level attacks using valid IP addresses. Firewalls can shut down a specific flow associated with an attack, but like routers, they can't perform antispoofing. 

Intrusion-detection systems: IDS solutions will provide some anomaly-detection capabilities so they will recognize when valid protocols are being used as an attack vehicle. They can be used in conjunction with firewalls to automatically block traffic. On the downside, they're not automated, so they need manual tuning by security experts, and they often generate false positives.

Servers: Proper configuration of server applications is critical in minimizing the effect of a DDoS attack. An administrator can explicitly define what resources an application can use and how it will respond to requests from clients. Combined with a DDoS mitigation appliance, optimized servers stand a chance of continued operations through a DDoS attack.

DDoS mitigation appliances: Several companies either make devices dedicated to sanitizing traffic or build DDoS mitigation functionality into devices used primarily for other functions such as load balancing or firewalling. These devices have varying levels of effectiveness. None is perfect. Some legitimate traffic will be dropped, and some illegitimate traffic will get to the server. The server infrastructure will have to be robust enough to handle this traffic and continue to serve legitimate clients.

Over-provisioning: buying excess bandwidth or redundant network devices to handle spikes in demand can be an effective approach to handling DDoS attacks. One advantage of using an outsourced service provider is that you can buy services on demand, such as burstable circuits that give you more bandwidth when you need it, rather than making an expensive capital investment in redundant network interfaces and devices.

For the most part, companies don't know in advance that a DDoS attack is coming. The nature of an attack will often change midstream, requiring the company to react quickly and continuously over several hours or days. Since the primary effect of most attacks is to consume your Internet bandwidth, a well-equipped managed hosting provider has both the bandwidth and appliances to mitigate the effects of an attack.


To overcome these security issues IPv6 was developed. It represents a considerable improvement over the old IPv4 protocol stack. The new suite of protocols provides innumerable features that improve both overall functionality and some specific security functions. IPsec with the Authentication Header (AH) and Encrypted Security Payload (ESP) protects IPv6 hosts from all kinds of DoS attacks and also has the ability to recognize the spoofed source address (or original identity) of the malicious packets received.