DDOS Research Paper

Distributed Denial of Service (DDOS) attacks

Caue Koisumi Cintra
Stevens Institute of Technology

Abstract

Distributed Denial of Service (DDOS) attacks are a deadly threat to the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. All these zombie computers are then invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are developed, attackers continue to enhance existing DDOS attack tools and to develop new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against both known and future DDOS attack variants. However, this is very hard to do, because it requires a thorough understanding of the scope of DDOS attacks and the techniques they use. This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDOS attack, and to describe the characteristics of the tools used to perform DDOS. Given this understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.



1. Introduction

The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the Internet were taking shape, because it was meant to be a network for a few researchers to exchange knowledge; every user was trusted, which meant the network would always be secure.

With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons, the most common being financial and political motives.

The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDOS attacks. "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor" (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or with other hackers who are not caught at all.


2. What is DDOS?

DOS attacks are simply an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, little information or effort is required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can send a rapid succession of requests to the targeted website and, for DDOS attacks, a botnet.

The first programs to perform remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of flaws were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and the number of attacks started to grow, using the IRC (Internet Relay Chat) network and exploiting known vulnerabilities in Windows to crash it. Late 1999 saw the rise of DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target. In 2000 DDOS attacks started to get mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks. In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called in to take care of the case, showing that even a company as huge as Microsoft was not immune to a DDOS attack.

DDOS attacks can be divided into three general categories:

Volume Based Attacks saturate the bandwidth of the attacked server; their power is measured in bits per second (bps). Some examples are UDP floods, ICMP floods and other spoofed-packet floods.

Protocol Attacks try to consume the actual server resources, or those of firewalls and load balancers; their magnitude is measured in packets per second. Some examples are SYN floods, Ping of Death and Smurf DDOS.

Application Layer Attacks send apparently legitimate requests with the goal of crashing the web server; they are measured in requests per second. Some examples are Slowloris, Zero-Day DDOS attacks and Windows vulnerabilities.


3. Types of attack

There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood

This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host repeatedly check for the application listening at each port. However, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable packet, which ends up causing excessive use of the host's resources and can lead to inaccessibility. This attack is used together with IP spoofing, so that the ICMP return packets do not reach the attackers and their network location stays hidden.


3.2 ICMP Flood or Ping Flood

The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, sent continuously without waiting for a reply. The attacked server will usually attempt to respond with ICMP reply packets, which consumes both incoming and outgoing bandwidth and can result in an overall system slowdown.


3.3 SYN Flood

This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host must answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but does not respond to the target's SYN-ACK responses, or sends the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
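The half-open state that a SYN flood exhausts can be tracked from connection events, which is also how a defender recognises the pattern described above. The following is an added example, not part of the paper; the event records, addresses and thresholds are constructed for illustration.

```python
"""Track half-open TCP connections (SYN seen, completing ACK not seen).
Added example, not from the paper. Event records, addresses and thresholds are
constructed; real input would come from a packet capture or flow logs."""
from collections import namedtuple

Event = namedtuple("Event", "ts src_ip src_port dst_port flags")

# Constructed sample traffic toward one web server (port 80). Three clients
# complete the handshake (SYN then ACK); eight distinct sources, the pattern of a
# spoofed-source flood, send a lone SYN and never ACK the server's SYN-ACK.
SAMPLE_EVENTS = [
    Event(0.0, "10.0.0.5", 40000, 80, "S"), Event(0.2, "10.0.0.5", 40000, 80, "A"),
    Event(0.3, "10.0.0.6", 40001, 80, "S"), Event(0.5, "10.0.0.6", 40001, 80, "A"),
    Event(0.6, "10.0.0.7", 40002, 80, "S"), Event(0.8, "10.0.0.7", 40002, 80, "A"),
] + [Event(1.0 + i * 0.01, f"203.0.113.{i}", 1024 + i, 80, "S") for i in range(8)]


def half_open_flows(events, now, ack_timeout=3.0):
    """Return {flow: syn_time} for flows whose SYN arrived at least `ack_timeout`
    seconds before `now` with no completing ACK. Each such flow pins a connection
    block on the server, which is the resource a SYN flood exhausts."""
    syn_seen = {}
    for ev in events:
        if ev.ts > now:
            continue  # only consider events that have happened by `now`
        key = (ev.src_ip, ev.src_port, ev.dst_port)
        if ev.flags == "S":
            syn_seen.setdefault(key, ev.ts)
        elif ev.flags == "A":
            syn_seen.pop(key, None)  # handshake completed, no longer half-open
    return {k: ts for k, ts in syn_seen.items() if now - ts >= ack_timeout}


def syn_flood_indicator(events, now, ack_timeout=3.0, max_half_open=5):
    """Summarise the backlog at `now` and flag it when stale half-open flows exceed
    `max_half_open`. Many distinct sources that never ACK is the signature of the
    spoofed-source variant the paper describes."""
    stale = half_open_flows(events, now, ack_timeout)
    return {
        "half_open": len(stale),
        "sources": len({src for src, _, _ in stale}),
        "flagged": len(stale) > max_half_open,
    }


if __name__ == "__main__":
    print(syn_flood_indicator(SAMPLE_EVENTS, now=10.0))
```

Lowering `ack_timeout` or `max_half_open` trades earlier detection for more false positives on slow but legitimate clients.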


3.4 Ping of Death (POD)

Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started to be exploited when attackers began to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller fragments, so that when the host reassembled the fragments it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.

3.5 Slowloris

Slowloris is a highly targeted attack that allows one server to take down another with minimal bandwidth and few side effects on unrelated services and ports. The attacker tries to keep many connections to the targeted server open for as long as possible; this is done by continually sending HTTP headers without ever completing the request. The targeted server keeps those connections open, and this eventually leads to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.


3.6 Zero-day DDOS

Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still have no solution; basically, it is an attack that exploits a vulnerability the software owner does not even know about yet, or has not yet developed a patch to fix. Some big problems with these attacks are that trading zero-day vulnerabilities is quite popular in the black hat community, and that even if the company develops a patch later, your computer may already have been infected with worms and trojans.

4. Attackers and motives

There is a large diversity of attackers and motives, and sometimes two of these classes can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service when their real purpose is to get money.

4.1 Extortionists

These attackers threaten their target, asking for money or they will take down its servers; they work with a financial purpose.

4.2 Hacktivists

The hacktivist groups are the ones that got most of the spotlight with DDOS attacks in the last few years; they grew and united themselves very fast and started to stage "Internet Street Protests" (Richard Stallman). Some hacking groups even took down US government sites, causing a great stir in the community. Their motive is to try to change decisions made by organizations or the government.

4.3 Competitors, unsatisfied employees and customers

There have been cases where a company launched a DDOS attack against a competitor to harm its image, so that customers would switch companies and the attacker would make more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies

These are basically unskilled individuals who use automated tools created by others to carry out attacks. Their purpose is normally to impress friends or to try to become famous and climb up in the hacker community; some script kiddies launch an attack just for the fun of it.


5. Tools

One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)

It is one of the most popular free DOS attack tools on the web; it has a user-friendly interface, so it is easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to increase the power of the attack and make it a distributed attack.

5.2 HOIC (High Orbit Ion Cannon)

It was built on the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.


5.3 XOIC

It is a very simple and easy-to-use tool; it comes with a whois feature to find the IP and port, and has three modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris

PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.


6. Defense against DOS attacks

6.1 How to prevent?

Until now there is no silver bullet (Brooks) against DDOS attacks, but there are some strategies to mitigate them. Some recommended strategies to prevent attacks are:

Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they do not become zombies.

Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.

Apply anti-spoofing filters: During a DDOS, the attackers try to hide their real IP addresses using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. It is therefore necessary that access providers implement anti-spoofing filters at the entrance of their routers, so that their clients' networks cannot use spoofing, and that the Internet as a whole implements anti-spoofing filters at the exit of border routers, preventing the use of spoofing.

Prior planning against DDOS: Prior planning and coordination are essential to guarantee an adequate response when a DDOS attack starts to happen. This planning must include counter-attack procedures with your backbone provider.
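The ingress anti-spoofing filter recommended above for the router entrance reduces to one check per packet: the source address must belong to a prefix assigned to the port the packet arrived on. This is an added example, not from the paper; the port-to-prefix table, the port names and the packets are constructed placeholders.

```python
"""Ingress anti-spoofing filter at an access provider's customer-facing router.
Added example, not from the paper. The port-to-prefix table and the packets are
constructed; port names are placeholders."""
import ipaddress

# Constructed assignment table: customer port -> prefixes routed toward that port.
# A packet arriving on a port with a source outside its prefixes cannot be a
# legitimate customer packet, so it is treated as spoofed.
PORT_PREFIXES = {
    "customer-port-1": [ipaddress.ip_network("198.51.100.0/24")],
    "customer-port-2": [ipaddress.ip_network("203.0.113.0/25"),
                        ipaddress.ip_network("2001:db8:1::/48")],
}


def is_spoofed(port, src_ip, table=PORT_PREFIXES):
    """True when src_ip could not legitimately originate behind `port`.
    Unknown ports have no allowed prefixes, so everything from them is dropped."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in table.get(port, []))


def filter_ingress(packets, table=PORT_PREFIXES):
    """Split (port, src_ip, dst_ip) tuples into (forwarded, dropped).
    A rising drop count on one port is also a hint that a host behind it has
    joined a botnet and is emitting spoofed flood traffic."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (dropped if is_spoofed(port, src, table) else forwarded).append(pkt)
    return forwarded, dropped


# Constructed sample: legitimate packets from each port, then two forged sources
# (one borrowing the victim's address 192.0.2.10, one outside the assigned /25).
SAMPLE_PACKETS = [
    ("customer-port-1", "198.51.100.7", "192.0.2.10"),
    ("customer-port-2", "203.0.113.9", "192.0.2.10"),
    ("customer-port-2", "2001:db8:1::42", "2001:db8:2::1"),
    ("customer-port-1", "192.0.2.10", "198.51.100.7"),
    ("customer-port-2", "203.0.113.200", "192.0.2.10"),
]

if __name__ == "__main__":
    kept, dropped = filter_ingress(SAMPLE_PACKETS)
    print(f"forwarded={len(kept)} dropped={len(dropped)}")
```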

6.2 How to react?

6.2.1 DDOS tools are installed on your system

This can mean that your system is being used as a master or an agent. It is important to determine what part the tools found play and to try to discover valuable information that would allow tracking other components of the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring their activity to gather information.

6.2.2 Your system is suffering a DDOS attack

The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get to the real culprit, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker. There are some techniques to mitigate a DDOS attack while it is happening.

Load Balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.

Drop Requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, getting rid of the zombie infection.

Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
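The puzzle variant of dropping requests is a challenge-response exchange: the server hands out a cheap-to-check challenge, the requester must burn CPU to solve it, and only then is the request processed. The following is an added example, not from the paper, showing both sides with a SHA-256 partial-preimage puzzle; the server key, difficulty and client identifier are constructed values.

```python
"""Client puzzle: a requester must spend CPU before the server commits resources.
Added example, not from the paper. SHA-256 partial-preimage puzzle; the server
key, difficulty and client identifier are constructed values."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"constructed-server-secret"  # random and rotated in a real deployment


def issue_challenge(client_id, difficulty_bits, ttl=60):
    """Server side: a stateless challenge bound to the client and an expiry. Under
    load the server raises difficulty_bits, so each request costs the sender more."""
    expires = int(time.time()) + ttl
    nonce = secrets.token_hex(8)
    msg = f"{client_id}|{expires}|{nonce}|{difficulty_bits}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]
    return {"msg": msg, "tag": tag}


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest (0 to 256 for SHA-256)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client side: brute-force a counter until the hash has enough leading zeros.
    Expected work is about 2**difficulty_bits hash evaluations."""
    bits = int(challenge["msg"].rsplit(b"|", 1)[1])
    counter = 0
    while leading_zero_bits(hashlib.sha256(
            challenge["msg"] + counter.to_bytes(8, "big")).digest()) < bits:
        counter += 1
    return counter


def verify(challenge, counter, now=None):
    """Server side: one HMAC and one hash to check, however hard the puzzle was.
    Rejects forged or expired challenges before hashing the solution."""
    msg, tag = challenge["msg"], challenge["tag"]
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(expected, tag):
        return False
    _, expires, _, bits = msg.decode().rsplit("|", 3)
    if (time.time() if now is None else now) > int(expires):
        return False
    digest = hashlib.sha256(msg + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= int(bits)
```

Verification cost is constant while solving cost doubles with every added bit, which is what lets a loaded server shift the burden onto each requester.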

7. My analysis. Next steps for future research

Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to backtrace, and it seems this will not stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.

Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent their machines from being part of a botnet, and with this the botnets will become smaller, making DDOS attacks much weaker.

Honeypots: They are systems built with known vulnerabilities to attract the attack. A honeypot not only keeps the attack away from the critical areas of the system, but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. With that kind of information you can fortify your system to prevent the next attacks. The hacker elite is already well aware of this technique, so in order to improve its effectiveness, honeypots must be better camouflaged so they look exactly like real systems.

Post-attack Forensics: When under a DDOS attack it is recommended to gather as much data as possible in order to analyze it later and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS. The packet traces technique rests on the fact that Internet traffic can be traced back to its true source, which allows backtracing the attacker's traffic to find out who the attacker is. All the data collected must be stored in a safe database so it can be used for forensic analysis and to assist law enforcement in cases of significant financial damage.


8. Conclusion

DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target. There are the most common attacks, made by a few people with some botnets, which can cause real trouble to small and medium companies but do not really have much effect against large companies such as Amazon, eBay and Microsoft. But there are also the elite hacker groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.

Internet users need to start thinking more about the security of their own systems so they do not become infected; network providers need to monitor their traffic better to track attackers and help companies resist when being attacked; and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and will not be the big concern they are today.


9. References

Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.

"GRC | Security Now! Transcript of Episode #8." GRC | Security Now! Transcript of Episode #8. N.p., n.d. Web. 10 Dec. 2013.

"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013.

"DoS Attack Knocks Out Microsoft Sites." DoS Attack Knocks Out Microsoft Sites. N.p., n.d. Web. 10 Dec. 2013.

"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013.

"DDoS Protection." DDoS Protection. N.p., n.d. Web. 10 Dec. 2013.

"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013.

"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., n.d. Web. 10 Dec. 2013.

"DOS Attacks and Free DOS Attacking Tools - InfoSec Institute." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013.
