This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are specific attacks that attempt to prevent legitimate users from accessing networks, servers, services or other resources. Windows end-users and Internet routing technology have both become more frequent targets of intruder activity. The impacts of DoS attacks are causing greater collateral damage, and widespread automated propagation itself has become a vehicle for causing denial of service. While DoS attack technology continues to evolve, the circumstances enabling attacks have not significantly changed in recent years. This report presents various techniques for detection and preventing against various DoS and DDoS attacks. Important features of each attack and defense system countermeasure strategy of each proposed scheme are outlined.
A DDoS attacker attempts to disrupt a target by flooding it with illegitimate re-quests for information, exhausting bandwidth and overtaxing servers in order to deny its service to legitimate clients . One way to interfere with a legitimate operation is to exploit vulnerability present on the target machine or inside the target application. The attacker sends a few messages crafted in a specific manner that take advantage of the given vulnerability. Another way is to send a vast number of messages that consume some key resource at the target such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic and cannot attend to its legitimate clients.
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. A distributed denial of service attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either consumes some key resource, thus rendering it unavailable to legitimate clients, or provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage.
1.2 Understanding Distributed and Denial of Service
There are two main approaches to denying a service, exploiting vulnerability present on the target or sending a vast number of seemingly legitimate messages. The first kind of an attack is usually called a vulnerability attack, while the second is called a flooding attack.
For example, some implementations of the 802.11 wireless access protocol have a vulnerability that allows an attack to deny service selectively to one user in the wireless network or promiscuously to all of them. In effect, the attacker can send a packet to the
wireless access point that claims to be from another user and that indicates that the user is finished and essentially wants to "hang up".
The wireless access point then no longer recognizes communications from the targeted user. That user can reestablish communications with the access point, but the attacker can shut it down again in the same way. Flooding attacks work by sending a vast number of messages whose processing consumes some key resource at the target. For instance, complex messages may require lengthy processing that takes up CPU cycles, large messages take up bandwidth, and messages that initiate communication with new clients take up memory. Once the key resource is tied up by the attack, legitimate users cannot receive service.
The basic idea behind DDoS attacks is to force a large number of individual systems connected to the Internet, to send bulk traffic to the same destination at the same time. The aggregated traffic that those systems produce can easily cripple the available network or system resources of the recipient. Thus the recipient, the victim, of this attack will no longer be able to have reliable network access or serve legitimate clients, if the victim is a network server. In today's DDoS attacks, a small set of systems that are usually called agents control a vast amount of systems that are usually called daemons or zombies. Those zombie systems will eventually launch the attack when instructed by the agents. The attacker, in order to be able to launch an effective DDoS attack, needs a large number of compromised systems that will act as zombies. This large number of systems can be obtained by any hacking procedure .
One unique characteristic of DDoS attacks, which makes them so difficult to defend against, is that during the actual attack there is only one way connection with the victim and no confirmation of the reception of the packets or any other form of interaction between the zombies and the victim is needed. This, unlike any hacking attempts that need to establish a two way connection with the victim, gives DDoS attacks the major advantage of being more or less completely untraceable. Due to the lack of any form of interaction between the zombies and the victim, the packets of a DDoS attack, produced by the zombie systems, do not contain the true source IP address thus there is no obvious or simple way to know the true sources of the DDoS attack traffic. Moreover there is no simple way to distinguish the attack traffic from the traffic produced by legitimate clients .
2 DDoS Attacks - Classification
The following are the 2 main classifications of DDoS attacks,
2.1 Bandwidth Depletion Attack
The bandwidth depletion attack will flood the target network with enormous number of garbage traffic to prevent the legitimate users from reaching the target system. The bandwidth depletion attacks can further be classified in to the following categories,
a) Amplification Attacks
b) Flood Attacks
2.2 Resource Depletion Attack
The resource depletion attack will exhaust or shut down a particular resource of the target system and making it unavailable to legitimate users. The resource depletion attacks can further be classified in to the following categories,
a) Malformed Packet Attacks
b) Protocol Exploit Attacks
The DDoS attacks can also be generally classified in to the following 2 categories,
2.3 Direct Attacks
In case of direct attacks, the attacker will participate directly in launching the attack, but with a spooked IP address.
2.3 Reflector Attacks
In case of reflector attacks, the attack will be launched using intermediary nodes called as the reflectors. The characteristic feature of a reflector is to return a packet, if a packet is received.
3 DDoS Detection & Defense Mechanism
As the DDoS attacks are getting more advanced day by day, with the evolution of new tools and techniques making it easier for even a normal internet user to launch automated attacks, adaptation of proper strategy is required to thwart the DDoS attacks successfully.
The countermeasures for the DDoS attacks should be modeled to adapt 3 stages of handling the attack. The first stage is the DDoS detection stage, where the DDoS traffic is identified. The second stage is the traffic segregation stage, where the malicious traffic will be segregated from the legitimate traffic. The third stage is the DDoS mitigation stage, where the effect of the DDoS attack will dissolved by nullifying it.
3.1 DDoS Detection
DDoS attacks involve 2 types of traffic in the execution, called as the Attack traffic and the Control traffic [Figure 1]. Varieties of security resources such as the Intrusion Detection System (IDS) are available to identify the DDoS attacks. The Anomaly based IDS and the Signature based IDS are widely used to identify the DDoS attacks. Signature based IDS is used to detect the Control traffic in DDoS attacks, based on the standard set of signatures, which will look for the port number or traffic targeting know vulnerabilities to connect with the zombies to trigger the attack. The Anomaly based IDS are used to detect the Attack traffic in DDoS by monitoring the network for unusual behaviors using statistical analysis. In case Anomaly based IDS the packet frequency and the bandwidth consumption will be analyzed at different locations in the network. The following 2 tests will be useful in analyzing and alerting of the DDoS attacks,
3.1.1 Persistence Threshold Test
The persistence threshold test involves 2 different threshold values, called as the Rate threshold and the Persistence threshold. The persistence threshold defines the monitoring period, whereas the rate threshold defines the bandwidth usage. The rate threshold is calculated based on the tolerance level and the network traffic volume average. This test work in such a way that, when the currently monitored traffic parameter exceeds the value defined in the rate threshold and if this continues until the time defined in the persistence threshold, then the system will alert the administrator.
3.1.2 Bucket Threshold Test
The persistence threshold test might result in false negatives, if the attacker floods the network in intervals less than the one defined in the persistence threshold. Bucket threshold test was introduced to overcome the problem. This testing technique divides the monitoring period in to smaller windows called as buckets. At any time there will be 2 observation windows available to compare the short interval traffic rate with the long interval traffic rate. When the comparison of the observation windows shows that the tolerance level is crossed, then system administrator will be alerted.
The combination and concurrent usage of bucket and persistence threshold tests proved to be the most effective detection mechanism available in the market today.
3.1.3 Intrusion Detection Modeling
Distributed and cooperative or organized attacks can be effectively handled by deploying Intrusion Detection Systems in a geographically distributed manner. All these geographically distributed IDS devices will develop attack patterns based on the attacks targeting their monitored networks. The cooperative approach will correlate all these attack patterns to detect a possible attack executed by the attackers. Thus the correlated attack patterns will serve as the information database for detecting the attacks, as all the geographically distributed IDS devices contribute to the detection of attacks.
3.2 Segregation of Malicious Traffic
Once the detection mechanism alerts for malicious traffic, the next step will be the blocking of DDoS traffic. In-depth analysis of traffic will be required to identify the normal and malicious traffic patterns. Once these traffic patterns are developed, they will be used to block the abnormal traffic or to allow only the normal traffic. On-going attacks can be tackled by creating temporary filters to allow only the known legitimate traffic. Table  lists the different known attack patterns.
3.2.1 Identification of Non-TCP Attacks
The attack patterns listed in Table  can be used to create filters for preventing the malicious traffic from entering the network. Most of the flooding attacks can be prevented and nullified by using the Egress and Ingress filtering methodologies. But the basic flooding attacks targeting specific ports can be filtered using the firewall.
3.2.2 Identification of TCP Attacks
When an attack used TCP as the protocol, it will be difficult to segregate malicious traffic, as it will require proper analysis of the network traffic, else will result in higher number of false positives. SYN flooding attacks are used to exploit a known vulnerability by making the server to enter in to an indefinite loop and making it to wait for ACK continuously by sending enormous number of spoofed SYN packets. The SYN flooding attacks will consume the network bandwidth as well as the server resources and making it unavailable to legitimate users. The calculation of SYN and Non-SYN packet ration in the network will help to identify the SYN flood attacks. The ratio calculation can also be used to detect the RST & FIN flood attack scenarios. If other flags are used in the TCP flooding attacks, it can be identified by the packets returned from the server.
3.3 Identifying Legitimate Traffic
It is good to identify and segregate the legitimate traffic, instead of identifying the malicious traffic. Creating filters to segregate the malicious traffic will be difficult to implement, if the attacker uses random spoofed IP addresses, since it will result in the blocking of legitimate traffic as well. This issue can be handled, if we know the list of white listed legitimate IP addresses, we can simply allow the service only for the white listed sources. The following 2 techniques help in identifying the legitimate sources.
3.3.1 Connection Status
The white list of IP addresses or the legitimate IP addresses can be identified by monitoring the connection status established by the server with its clients. When the server returns an ACK packet to a client, then the destination IP address can be added to the white list.
3.3.2 Client Response Pattern
The legitimate clients can be identified with the flow control mechanism of the TCP. When network congestion occurs, the flow control mechanism will request the hosts to decrease the rate of sending to the available bandwidth in the target network. The legitimate hosts will respond to the request, by decreasing the traffic flow. But, the malicious hosts will not respond in the similar manner, as they will be mostly spoofed IP address which will not be available to reach or if they are present, they won't reduce the traffic speed, as their purpose is to flood. Using this differential pattern, the legitimate and malicious sources can be identified and segregated.
3.4 DDoS Mitigation
Once the DDoS attacks are detected and segregated from the legitimate traffic, the next step will be to nullify or dissolve the effect of the attack. This can be done by Proactive or the Reactive approaches. The disadvantage of Proactive approach is that, it proves to be more costly to implement. The following are few reactive approaches applicable for DDoS attacks.
3.4.1 Blocking At The Upstream
A conventional strategy would be to block all the attack traffic at its firewall and filter out the attacker's traffic. This may not be sufficient in case of a DDoS attack. The idea would be to move ahead upstream nodes move closer to the attack source and block the traffic. This is implemented using Active Networks. The filter rules along with the defense logic are distributed to upstream nodes. Thus the attack is distributed and congestion can be dissolved. The node which alerts produces an agent which carries the fingerprints and a copy of the agent itself to the neighboring nodes. On arrival at each node the fingerprints are tried to match with the packets which are destined to the destination IP stated in the finger prints. It would destiny itself if no match is found else it would propagate to its neighbors.
3.4.2 Kill the Zombie
The Zombies or agents which the attacker uses to execute the attack can be killed if one of the Zombie is a node which uses any of the defense technique mentioned. Some of them use Internet Relay Chat (IRC) server. The IRC port and channel can be retrieved and zombies can be killed using kill or kill all.
4 Future Scope
DDoS is a complex problem involving hosts distributed all over the Internet and affecting numerous networks. While localized defenses alleviate damage from small-scale, easily characterizable attacks, more sophisticated threats can only be handled through a cooperative, Internet-wide defense. With the right direction of attack dissection strategy discussed which is the Detection, Segregation and mitigation has made it easy for the researchers move forward in three directions. Various IDS based systems has been studied which are geographically distributed has proposed . Secure Overlay Networks has been proposed as part of Active networks where the trace back is mitigated to other nodes in the overlay network. The main phase is detection and readiness after an attack is detected forms the complete security chain.
The attack is evolving, attackers are introducing automated tools which have reduced the technological barrier required to become the commander of an army of DDoS agents that can then be directed at any Internet target, due to which the DDoS attacks may become more frequent. There are varieties of approaches to creating a sufficient defense against DDoS attacks. The author has proposed a three phase solution where each individual phase to be properly implemented not only at victim site but also a cooperative approach has to be followed where individual machines in the Internet can be part of the Distributed defense, One single methodology as countermeasure may not be effective against DDoS attacks It has to be combined with existing traffic regulation methodologies in order to give better and faster results against DDoS attacks.