Abstract - DDoS stands for distributed denial of service: a denial of service carried out by many distributed systems at once. A DDoS attack makes resources and services unavailable to their authorized users. Although such an attack is difficult to set up, once it is established it is among the most dangerous attacks. Prevention is better than cure, so we emphasize the prevention of DDoS attacks against a network. It is important to be familiar with the weapons attackers use for DDoS; these weapons are the DDoS tools. The tools are useful for testing whether a network's security is strong enough to withstand such an attack in practice, but their easy availability also lets untrained persons launch DDoS attacks.
This paper is divided into four parts. First, we discuss how DDoS attacks actually happen, explained layer by layer against the OSI reference model. Second, what are the possible ways of tracing back to the attacker? Third, how can we prevent these attacks, discussing existing systems and our own proposed measures; our proposal also emphasizes prevention mechanisms derived from analysing some of the DDoS tools. Fourth, we discuss the relationship between the attacker, the master machine and the zombie machines.
Index Terms - DDoS attack, DDoS prevention, tracing attacker, computer security, network security, network reliability.
With the fast growth of traffic on the internet, hackers and intruders profit from it. With the help of a huge number of traffic-generating hosts (zombies, as we call them in DDoS), an attacker can stay hidden, because trace-back is difficult, and can hit the victim with enormous force even though the attacker's own system may be an ordinary personal PC. For the victim it is therefore very hard to avoid such DDoS attacks. DDoS derives from DoS: when many computers carry out DoS attacks at the same time, the result is DDoS. We can prevent such attacks only when we are fully prepared for them. By analogy, nobody survives an atomic bomb in the open, but inside a bomb shelter the chance of being safe is much higher. Our emphasis is therefore on building an anti-DDoS shell around the network, so that the network has a higher chance of surviving a DDoS attack. This is only possible through proper security, tracing and prevention mechanisms.
DDoS attack with reference to OSI layers
Before discussing how DDoS attacks happen at each OSI layer, we first look at the basic architecture of a DDoS attack, shown in Fig. 1. The attacker attacks the victim with the help of handlers and agents, and both play an important role in a successful DDoS attack. In general the owners of the handler and agent machines do not know that malicious software has been installed on their machines and that they are part of a DDoS attack. The attacker installs the malicious software on the handler. This software commonly provides four services:
- First, it reports the handler machine's IP address back to the attacker, so the attacker can keep track of the handlers and control them remotely.
- Second, it recruits more agents by installing malicious software on many other machines (the agents) and controls those agents itself.
- Third, the attacker can instruct the handler which IP address is to be targeted.
- Fourth, it lets the attacker specify when (date and time) the victim is to be attacked.
The agents are controlled by the handlers: when the attacker gives the victim's IP address to the handlers, they pass it on to the agents and instruct them to attack that particular IP address.
The attacker can make use of every layer of the OSI reference model to attack the victim successfully; all the layers are involved in DDoS attacks. Spoofing, sniffing and flooding are the attacker's main concerns.
Spoofing: the attacker hides himself by using false information. Spoofing can be done at the following OSI layers:
- ARP spoofing uses OSI Layer 2
- IP spoofing uses OSI Layer 3
- TCP and UDP spoofed addresses (ports) use OSI Layer 4
- DNS spoofing uses OSI Layer 7
At the physical layer a DoS attack is still possible, by disconnecting the victim computer's physical connection, but this cannot be done in a distributed way. ARP spoofing uses the data link layer. Many machines accept ARP replies without having sent an ARP request and update their MAC (ARP) table accordingly. One exception is the Solaris operating system, which only accepts an ARP reply for an existing entry after that entry has reached its timeout value. There are many ARP spoofing programs, e.g. arpoison and arpspoof; they let an attacker specify the victim's IP address and the spoofed MAC address. DNS spoofing redirects client systems to incorrect sites.
In DDoS the attacker is mainly concerned with spoofing on the handler machines, so that no one is able to trace back to the original source address.
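The ARP behaviour described above (unsolicited replies accepted and written into the MAC table) is also what a detector on the segment can look for. The following is an added example, not code from the original paper: a small monitor that records the first IP-to-MAC binding it sees, raises an alert on replies that were never requested or that contradict a known binding, and refuses to learn from them. The ARP events are constructed sample data; the addresses, MACs and the 2-second request window are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpEvent:
    """One ARP frame as seen on the segment (fields from the ARP header)."""
    ts: float          # seconds since capture start
    op: str            # "request" or "reply"
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # MAC the sender puts in the ARP header
    target_ip: str     # IP asked about (request) / requester (reply)


@dataclass
class ArpSpoofDetector:
    """Flags unsolicited replies and IP->MAC changes; first binding wins."""
    request_window: float = 2.0                       # assumed window
    table: Dict[str, str] = field(default_factory=dict)
    pending: Dict[str, float] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def feed(self, ev: ArpEvent) -> Optional[str]:
        if ev.op == "request":
            # remember that someone on the segment asked for this IP
            self.pending[ev.target_ip] = ev.ts
            return None
        asked_at = self.pending.get(ev.sender_ip)
        unsolicited = asked_at is None or ev.ts - asked_at > self.request_window
        known_mac = self.table.get(ev.sender_ip)
        alert = None
        if known_mac is not None and known_mac != ev.sender_mac:
            # a reply contradicting the binding we already hold: classic poisoning
            alert = (f"t={ev.ts}: {ev.sender_ip} was {known_mac}, reply now claims "
                     f"{ev.sender_mac}" + (" [unsolicited]" if unsolicited else ""))
        elif known_mac is None and unsolicited:
            # nobody asked and we have no binding yet: do not learn from it
            alert = (f"t={ev.ts}: unsolicited reply binding {ev.sender_ip} "
                     f"to {ev.sender_mac}")
        if alert is None:
            self.table[ev.sender_ip] = ev.sender_mac   # solicited or consistent
        else:
            self.alerts.append(alert)
        if asked_at is not None:
            self.pending.pop(ev.sender_ip, None)
        return alert


# Constructed sample trace: one legitimate exchange, then a poisoning attempt.
SAMPLE_EVENTS = [
    ArpEvent(0.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpEvent(0.1, "reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),  # legit
    ArpEvent(5.0, "reply", "10.0.0.1", "de:ad:be:ef:00:99", "10.0.0.5"),  # poison
    ArpEvent(6.0, "reply", "10.0.0.2", "de:ad:be:ef:00:99", "10.0.0.5"),  # unasked
    ArpEvent(7.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.2"),
    ArpEvent(7.1, "reply", "10.0.0.2", "aa:aa:aa:aa:aa:02", "10.0.0.5"),  # legit
]


def run_detector(events: List[ArpEvent]) -> ArpSpoofDetector:
    det = ArpSpoofDetector()
    for ev in events:
        det.feed(ev)
    return det


if __name__ == "__main__":
    d = run_detector(SAMPLE_EVENTS)
    print("\n".join(d.alerts))
    print(d.table)
```

A real deployment would feed this from a packet capture and would also need to handle legitimate gratuitous ARP (a host announcing a new NIC), which this policy treats as an alert rather than a silent update; that is the safer default for a segment hosting DDoS handlers.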
Flooding: the attacker uses many types of flooding at different layers of the OSI model:
- TCP SYN flooding uses OSI Layer 4
- Fraggle, which uses UDP echo packets sent to broadcast addresses, uses OSI Layer 4
- Smurf, which uses ICMP echo requests sent to broadcast addresses, uses OSI Layer 3
- ICMP flood, also called ping flood, uses OSI Layer 3
At the network layer ICMP flooding is possible. At the transport layer TCP SYN flooding and UDP flooding are possible. At the application layer DNS spoofing can be used to choke the victim's web sites. Papasmurf is a combination of the smurf and fraggle attacks: it sends ICMP echo packets, UDP packets or both.
These flooding attacks are the ones used in DDoS attacks against the victim computer.
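The defining symptom of the TCP SYN flood listed above is a pile of half-open connections: SYNs, usually from spoofed sources, that are never followed by the client's handshake ACK. The following added example (not code from the original paper) computes that per-destination ratio over constructed connection events and flags destinations where almost every SYN stays half-open. The event format, the 3-second completion window, the 20-SYN minimum and the 0.8 ratio are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TcpEvent:
    ts: float
    src: str
    dst: str
    flags: str   # "S" = client's SYN, "A" = client's final handshake ACK


def half_open_stats(events: List[TcpEvent], window: float = 3.0) -> Dict[str, Dict[str, int]]:
    """Per destination: distinct sources that sent a SYN, and how many never completed."""
    first_syn = {}          # (src, dst) -> time of the first SYN
    completed = set()
    for ev in events:
        key = (ev.src, ev.dst)
        if ev.flags == "S":
            first_syn.setdefault(key, ev.ts)
        elif ev.flags == "A" and key in first_syn and ev.ts - first_syn[key] <= window:
            completed.add(key)     # handshake finished inside the window
    stats: Dict[str, Dict[str, int]] = {}
    for (src, dst) in first_syn:
        s = stats.setdefault(dst, {"syn": 0, "half_open": 0})
        s["syn"] += 1
        if (src, dst) not in completed:
            s["half_open"] += 1
    return stats


def detect_syn_flood(events: List[TcpEvent], min_syn: int = 20,
                     min_ratio: float = 0.8) -> List[str]:
    """Destinations with enough SYNs and a half-open ratio above the threshold."""
    return sorted(dst for dst, s in half_open_stats(events).items()
                  if s["syn"] >= min_syn and s["half_open"] / s["syn"] >= min_ratio)


def build_sample() -> List[TcpEvent]:
    """Constructed trace: 5 normal clients to .20, 60 spoofed SYN-only sources to .10."""
    events = []
    for i in range(5):
        client = f"198.51.100.{i + 1}"
        events.append(TcpEvent(i * 0.5, client, "192.0.2.20", "S"))
        events.append(TcpEvent(i * 0.5 + 0.05, client, "192.0.2.20", "A"))
    for i in range(60):
        events.append(TcpEvent(1.0 + i * 0.01, f"203.0.113.{i + 1}", "192.0.2.10", "S"))
    events.sort(key=lambda e: e.ts)
    return events


if __name__ == "__main__":
    sample = build_sample()
    print(half_open_stats(sample))
    print("SYN flood targets:", detect_syn_flood(sample))
```

Counting distinct sources rather than raw SYNs is deliberate: a spoofing flood shows up as a large number of sources that each never return, which is exactly the pattern the ratio isolates, whereas one slow legitimate client retrying a SYN contributes a single half-open entry.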
Tracing back to the attacker
Tracing a DDoS attack means identifying the actual origin of the attack packets. There are several ways of obtaining trace information.
Either the routers record information about the packets they forward, or the routers add extra information to the packets on their way to the destination. Several approaches along these lines allow the origin of the attack to be identified, among them probabilistic packet marking, ICMP traceback messages and hash-based IP traceback.
The problem with traceback is that it cannot reach origins behind firewalls, and it is even harder in the case of a reflector attack, because the attack packets arrive from legitimate sources: traceback then leads to the reflectors, not to the attacker.
PREVENTION OF DDoS ATTACKS
Many solutions exist to reduce the probability of DDoS attacks: actively monitoring the traffic, scanning for malicious software, antivirus, and firewall protection.
In the past DDoS attacks have cost big companies such as CNN, Yahoo, Amazon, eBay and ZDNet millions of dollars, using DDoS tools such as Trinoo, TFN, Stacheldraht, TFN2K, mstream and Shaft. By analysing these tools we can also reduce the chances of such attacks by:
- Blocking the port numbers on which these tools usually communicate
- Scanning for the specific ports on which these tools run and which DDoS worms and viruses use
If there are no zombies and handlers there will be no DDoS attack. This can be achieved by protecting every computer system against the installation of master and agent software:
- Scan every computer system for any symptoms of DDoS agents/masters.
- Educate people about cyber security.
- Close all unused ports on the system.
- Check your system for any running services that are not needed.
- Update your systems daily. Install an up-to-date antivirus system and firewall.
There are also existing network-level solutions to prevent DDoS attacks:
- Ingress filtering and egress filtering
- Pushback and congestion control
Ingress Filtering And Egress Filtering
Ingress filtering deals with the flow of traffic as it enters the network and provides borderline security. External traffic is admitted only to the public service ports, so outside hosts cannot connect to non-public services within the network, and packets whose source address could not legitimately arrive on that interface (for example an address from the network's own range coming in from outside) are dropped. This provides a first line of defence against DDoS attacks.
One disadvantage of ingress filtering is that the extra checking adds overhead and slows routing.
Egress filtering manages the flow of traffic as it leaves the network. It prevents any spoofed IP address used within the network from communicating with the outside world, so the network cannot be used as a source of spoofed attack traffic.
A firewall also helps by dropping packets when it sees a huge amount of traffic coming from a particular IP address; note, however, that this per-source limit is of little use against a flood whose source addresses are spoofed and constantly changing.
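The three checks described above (ingress filtering of inbound packets, egress filtering of outbound packets, and a per-source rate limit at the firewall) are shown together in the following added example, which is not code from the original paper. It assumes a site prefix of 192.0.2.0/24, public services on TCP 80 and 443, and the RFC 1918 and loopback ranges as unroutable sources; the packets and the 3-packets-per-second limit are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict

INTERNAL = ipaddress.ip_network("192.0.2.0/24")           # assumed site prefix
PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443)}             # assumed public ports
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


def ingress_filter(pkt: Packet) -> str:
    """Decision for a packet arriving from the outside on the border router."""
    src = ipaddress.ip_address(pkt.src)
    if src in INTERNAL:
        return "drop: internal source address arriving from outside (spoofed)"
    if any(src in b for b in BOGONS):
        return "drop: unroutable (bogon) source address"
    if (pkt.proto, pkt.dport) not in PUBLIC_SERVICES:
        return f"drop: {pkt.proto}/{pkt.dport} is not a public service"
    return "accept"


def egress_filter(pkt: Packet) -> str:
    """Decision for a packet leaving the network: its source must be ours."""
    src = ipaddress.ip_address(pkt.src)
    if src not in INTERNAL:
        return "drop: spoofed source address leaving the network"
    return "accept"


class SourceRateLimiter:
    """Allows at most max_pkts per source inside a sliding window of `window` seconds."""

    def __init__(self, max_pkts: int, window: float) -> None:
        self.max_pkts = max_pkts
        self.window = window
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, pkt: Packet) -> bool:
        q = self.seen[pkt.src]
        while q and pkt.ts - q[0] > self.window:   # forget packets outside the window
            q.popleft()
        q.append(pkt.ts)
        return len(q) <= self.max_pkts


# Constructed sample packets for the border router.
INBOUND = [
    Packet(0.0, "198.51.100.9", "192.0.2.10", "tcp", 443),   # normal web client
    Packet(0.1, "192.0.2.7", "192.0.2.10", "tcp", 80),       # our own address from outside
    Packet(0.2, "10.1.2.3", "192.0.2.10", "tcp", 80),        # private-range source
    Packet(0.3, "198.51.100.9", "192.0.2.50", "udp", 27444), # not a public service
]
OUTBOUND = [
    Packet(0.0, "192.0.2.5", "198.51.100.9", "tcp", 443),    # legitimate reply
    Packet(0.1, "203.0.113.4", "198.51.100.9", "tcp", 80),   # spoofed source
]


def apply_filters(inbound, outbound):
    return ([ingress_filter(p) for p in inbound], [egress_filter(p) for p in outbound])


if __name__ == "__main__":
    for line in apply_filters(INBOUND, OUTBOUND):
        print(line)
    lim = SourceRateLimiter(max_pkts=3, window=1.0)
    print([lim.allow(Packet(t, "203.0.113.4", "192.0.2.10", "tcp", 80))
           for t in (0.0, 0.1, 0.2, 0.3, 1.5)])
```

The ingress rule that admits only public service ports is the paper's description and is deliberately strict; a production border device would additionally pass return traffic for connections opened from inside, which requires connection state this example does not keep.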
Pushback and Congestion Control
An attack on the internet can be considered a kind of congestion attack: in a DDoS attack the attacker sends a huge amount of traffic from one or more sources to the victim host. There is a technique for controlling DDoS traffic called aggregate-based congestion control (ACC) with pushback.
ACC works by identifying an aggregate of traffic that causes congestion, i.e. traffic sharing some characteristic (such as a destination prefix) whose volume exceeds a specific bandwidth, calculated from the characteristics of DDoS attacks. Once ACC has judged such a congestion signature, it rate-limits or blocks the traffic belonging to the attack. Pushback messages carry that signature upstream, so that neighbouring routers can recognise the characteristics of the DDoS traffic and limit it closer to its sources.
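The ACC and pushback decision described above, as an added example that is not code from the original paper: traffic in one measurement interval is grouped by destination /24 (the congestion signature assumed here); when the link is over its target utilisation and one aggregate dominates, that aggregate is given a rate limit that brings the total back under the target, and the limit is split among upstream interfaces in proportion to how much of the aggregate each delivered. The packets, the 10 Mbit/s link, the 90% target and the 50% dominance threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    size: int        # bytes
    ingress: str     # upstream interface the packet arrived on


def aggregate_key(pkt: Pkt) -> str:
    """Congestion signature used here: the destination /24 prefix."""
    return str(ipaddress.ip_network(f"{pkt.dst}/24", strict=False))


def identify_aggregate(packets: List[Pkt], interval: float, link_bps: float,
                       target_util: float = 0.9, min_share: float = 0.5) -> Optional[Dict]:
    """Return the aggregate to rate-limit and its limit, or None if not congested."""
    total_bytes = sum(p.size for p in packets)
    total_bps = total_bytes * 8 / interval
    if total_bps <= link_bps * target_util:
        return None                                   # no congestion in this interval
    by_agg: Dict[str, int] = defaultdict(int)
    for p in packets:
        by_agg[aggregate_key(p)] += p.size
    top, top_bytes = max(by_agg.items(), key=lambda kv: kv[1])
    if top_bytes / total_bytes < min_share:
        return None                                   # congestion, but no single culprit
    top_bps = top_bytes * 8 / interval
    # limit the culprit so that (everything else + limited culprit) fits the target
    limit_bps = max(0.0, link_bps * target_util - (total_bps - top_bps))
    return {"aggregate": top, "rate_bps": top_bps, "limit_bps": limit_bps}


def pushback_requests(decision: Dict, packets: List[Pkt], interval: float) -> List[Dict]:
    """Split the limit across upstream interfaces by their share of the aggregate."""
    per_ingress: Dict[str, int] = defaultdict(int)
    for p in packets:
        if aggregate_key(p) == decision["aggregate"]:
            per_ingress[p.ingress] += p.size
    agg_bytes = sum(per_ingress.values())
    return [{"upstream": iface,
             "aggregate": decision["aggregate"],
             "observed_bps": b * 8 / interval,
             "limit_bps": decision["limit_bps"] * b / agg_bytes}
            for iface, b in sorted(per_ingress.items())]


def build_sample() -> List[Pkt]:
    """Constructed 1-second interval: 8 Mbit/s flood to 192.0.2.0/24 over two
    upstream links (700 and 300 packets of 1000 bytes) plus 1.6 Mbit/s of normal
    traffic to 198.51.100.0/24."""
    pkts = []
    for i in range(700):
        pkts.append(Pkt(i / 1000, f"203.0.113.{i % 250 + 1}", f"192.0.2.{i % 200 + 1}", 1000, "if1"))
    for i in range(300):
        pkts.append(Pkt(i / 1000, f"198.18.0.{i % 250 + 1}", f"192.0.2.{i % 200 + 1}", 1000, "if2"))
    for i in range(200):
        pkts.append(Pkt(i / 1000, f"192.0.2.{i % 200 + 1}", f"198.51.100.{i % 200 + 1}", 1000, "if1"))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    decision = identify_aggregate(sample, interval=1.0, link_bps=10_000_000)
    print(decision)
    if decision:
        for req in pushback_requests(decision, sample, 1.0):
            print(req)
```

Note that the limit only removes the excess over the target: ACC relieves the congestion rather than trying to zero out the attack, so the victim prefix still receives traffic. A router would apply the limit locally for the interval and send the per-upstream requests as pushback messages; if an upstream neighbour keeps the aggregate under its share, the flood is cut progressively closer to the zombies.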
RELATIONSHIP BETWEEN ATTACKER, ZOMBIE AND MASTER
The diagram in Fig. 5 shows the relationship between the attacker, the zombies and the master in the case of the Trinoo DDoS tool. Trinoo makes these relations easy to see: the attacker connects to the master over TCP on port 27665; the master sends commands to the zombies (daemons) over UDP on port 27444; and the zombies answer the master over UDP on port 31335. The connection between the attacker and the master does not have to be TCP, however; some attackers also use UDP between the attacker and the master.
In summary, we can design reliable and stable network security to prevent DDoS attacks. One solution is to raise awareness and educate people about security threats such as DDoS, so that their machines cannot be made to act as zombies in a DDoS attack. Network security education for the ordinary PC user helps to prevent DDoS attacks: previous attacks show that millions of computers were used as zombies and handlers because they were not well protected. Network security education and knowledge should therefore be mandatory and easily available, and organisations should take steps to provide such education and awareness. If not enough zombies are available, the DDoS attack cannot be mounted. In future more DDoS tools will appear, and we have to prepare for them and work towards solutions that make attacks like distributed denial of service no longer possible.
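The Trinoo port relationships described above, together with the port-based blocking and scanning measures suggested earlier in the prevention section, are shown in the following added example (not code from the original paper). It scans constructed flow records for the three Trinoo control ports, assigns each host a role only when the evidence corroborates (a master must both receive commands on TCP 27665 and send on UDP 27444, a daemon must both receive on UDP 27444 and reply on UDP 31335), and emits the corresponding firewall rules. The addresses and flows are constructed for illustration; Trinoo ports are configurable, so this catches default builds only.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Default Trinoo control channels as described in the paper's Fig. 5.
TRINOO_PORTS = {
    ("tcp", 27665): "attacker->master",
    ("udp", 27444): "master->daemon",
    ("udp", 31335): "daemon->master",
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    pkts: int


def trinoo_hits(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Flows whose protocol/port pair matches a Trinoo control channel."""
    return [(f, TRINOO_PORTS[(f.proto, f.dport)])
            for f in flows if (f.proto, f.dport) in TRINOO_PORTS]


def classify_hosts(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Assign attacker/master/daemon roles only with corroborating evidence."""
    ev: Dict[str, Set[str]] = defaultdict(set)        # host -> observed behaviours
    for f, label in trinoo_hits(flows):
        if label == "attacker->master":
            ev[f.src].add("sends_tcp27665"); ev[f.dst].add("recv_tcp27665")
        elif label == "master->daemon":
            ev[f.src].add("sends_udp27444"); ev[f.dst].add("recv_udp27444")
        else:
            ev[f.src].add("sends_udp31335"); ev[f.dst].add("recv_udp31335")
    masters = {h for h, e in ev.items()
               if "sends_udp27444" in e and ("recv_tcp27665" in e or "recv_udp31335" in e)}
    daemons = {h for h, e in ev.items()
               if "recv_udp27444" in e and "sends_udp31335" in e}
    # an attacker is whoever talks TCP 27665 to a host we confirmed as a master
    attackers = {f.src for f, label in trinoo_hits(flows)
                 if label == "attacker->master" and f.dst in masters}
    return {"attackers": attackers, "masters": masters, "daemons": daemons}


def firewall_rules() -> List[str]:
    """iptables rules that block the default Trinoo control ports at the border."""
    return [f"iptables -A INPUT -p {proto} --dport {port} -j DROP"
            for (proto, port) in sorted(TRINOO_PORTS)]


# Constructed flow records: one attacker, one master, two daemons, plus web noise.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.50", "tcp", 27665, 12),     # attacker -> master
    Flow("192.0.2.50", "192.0.2.101", "udp", 27444, 3),      # master -> daemon
    Flow("192.0.2.50", "192.0.2.102", "udp", 27444, 3),      # master -> daemon
    Flow("192.0.2.101", "192.0.2.50", "udp", 31335, 1),      # daemon -> master
    Flow("192.0.2.102", "192.0.2.50", "udp", 31335, 1),      # daemon -> master
    Flow("198.51.100.9", "192.0.2.10", "tcp", 80, 40),       # ordinary web traffic
    Flow("198.51.100.9", "192.0.2.10", "udp", 27444, 1),     # stray packet, no reply
]


if __name__ == "__main__":
    for f, label in trinoo_hits(SAMPLE_FLOWS):
        print(f"{label:18} {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print(classify_hosts(SAMPLE_FLOWS))
    print("\n".join(firewall_rules()))
```

The stray UDP 27444 packet to 192.0.2.10 in the sample is why corroboration matters: a single port hit is a lead for the host scan the paper recommends, not proof of compromise, and the host never answers on 31335 so it is not classified as a daemon.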
At last this journal paper has come to an end. It was really a great experience completing this journal. S.A.M Author is deeply indebted and offers my sincerest gratitude to my seminar tutor, Prof Dr Abu Baker Lasebae, whose stimulating suggestions, knowledge, and especially patience, encouragement and conceptual support helped me in learning and in the successful accomplishment of this journal paper. I have gained valuable knowledge and extraordinary experience from them. In addition, it is a pleasure to express my gratitude wholeheartedly to all my teachers who have taught me. They taught us very beautifully. They provided help and guidance whenever and wherever it was requested. S.A.M Author thanks them all.
- Steve Gibson, "DRDoS: Distributed Reflection Denial of Service," Gibson Research, http://grc.com/dos/drdos.htm
- Joachim Datko, "OSI Security Attacks," DATKO Regensburg, http://www.datko.de/datko-securityattacks.html
- "Wireless Tapping," http://www.governmentsecurity.org/articles/WirelessTaping.php
- Clavister Firewall, "Studies of Various Denial of Service Attacks," http://www.clavister.com/support/kb/10067/?printerfriendly=1
- K. Park and H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack," in Proc. IEEE INFOCOM 2001, Mar. 2001.
- S. Bellovin, M. Leech and T. Taylor, "ICMP Traceback Messages," IETF Internet-Draft (work in progress, draft-ietf-itrace), February 2003.
- A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent and W. T. Strayer, "Hash-Based IP Traceback," February 7, 2001.
- M. Jakobsson, M. Yung and J. Zhou (eds.), "Applied Cryptography and Network Security," Second International Conference, ACNS 2004, Yellow Mountain, China, June 2004, Proceedings.
- CERT Coordination Center, Carnegie Mellon University, Incident Note IN-2002-06, http://www.cert.org/incident_notes/IN-2002-06.html