Distributed Denial of Service (DDOS) attacks
Caue Koisumi Cintra, Stevens Institute of Technology
Abstract
Distributed Denial of Service (DDOS) attacks are a deadly threat to the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are being developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is really hard to do, as it requires a great understanding of the scope and techniques used in DDOS attacks. This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this new understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.
1. Introduction
The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security wasn't a concern when the first ideas of the Internet were taking shape, because it was supposed to be a network for a few researchers to exchange knowledge, so every user was trusted, which meant the network would always be secure.
With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives.
The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDOS attacks. "The anonymity enjoyed by today's cyber-attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor." (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or other hackers that are not caught at all.
2. What is DDOS?
DOS attacks are just an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website, and a botnet (for DDOS attacks).
The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using the IRC (Internet Relay Chat) network and exploiting known vulnerabilities in Windows to crash it. Late 1999 saw the rise of DDOS attacks, where attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target. In 2000 DDOS attacks started to get mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks. In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called to take care of the case, showing that even a company as huge as Microsoft wasn't immune to a DDOS attack.
DDOS attacks can be divided into three general categories. Volume-based attacks consist of saturating the bandwidth of the attacked server, and their power is measured in bits per second (bps); some examples are UDP floods, ICMP floods and other spoofed-packet floods. Protocol attacks try to consume the actual server resources, or those of firewalls and load balancers, and their magnitude is measured in packets per second; some examples are SYN floods, Ping of Death and Smurf DDOS. Application-layer attacks consist of sending apparently legitimate requests with the goal of crashing the web server, and they are measured in requests per second; some examples are Slowloris, zero-day DDOS attacks and Windows vulnerabilities.
3. Types of attack
There are several forms of DOS attacks; here are some of the most commonly used.
3.1 UDP Flood
This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing, so that the ICMP return packets won't reach the attackers and their network location stays hidden.
3.2 ICMP Flood or Ping Flood
The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, sent continuously without waiting for replies. The attacked server will often attempt to respond with ICMP reply packets, which consume both incoming and outgoing bandwidth and can result in an overall system slowdown.
3.3 SYN Flood
This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
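The three floods of 3.1 to 3.3 leave distinct fingerprints in inbound traffic: SYNs that are never acknowledged, UDP datagrams aimed at closed ports, and an abnormal echo-request rate. The detector below is an added example, not code from the paper; the packet records, the OPEN_PORTS set and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed example (not from the paper): classify a packet trace into the three
# flood types of sections 3.1-3.3. Each record is (proto, src, dst, dport, tcp_flags);
# proto is "tcp", "udp" or "icmp", and for ICMP the dport field carries the ICMP type
# (8 = echo request). OPEN_PORTS is an assumed list of ports the protected hosts serve.
OPEN_PORTS = {53, 80, 443}

def classify_flood(packets, min_packets=50, half_open_ratio=0.8,
                   closed_port_ratio=0.8, echo_threshold=200):
    """Return {dst_host: [alert, ...]} for hosts whose inbound traffic matches a flood."""
    syn, ack, udp, udp_closed, echo = (Counter() for _ in range(5))
    for proto, _src, dst, dport, flags in packets:
        if proto == "tcp":
            if flags == "S":
                syn[dst] += 1           # handshake started towards dst
            elif "A" in flags:
                ack[dst] += 1           # requester acknowledged (handshake completed / data)
        elif proto == "udp":
            udp[dst] += 1
            if dport not in OPEN_PORTS:
                udp_closed[dst] += 1    # host would answer with ICMP port unreachable
        elif proto == "icmp" and dport == 8:
            echo[dst] += 1
    alerts = defaultdict(list)
    for dst in set(syn) | set(udp) | set(echo):
        # SYN flood: most SYNs are never followed by an ACK, so half-open entries pile up
        if syn[dst] >= min_packets and max(0, syn[dst] - ack[dst]) / syn[dst] >= half_open_ratio:
            alerts[dst].append("SYN flood")
        # UDP flood: datagrams aimed mostly at ports where nothing listens
        if udp[dst] >= min_packets and udp_closed[dst] / udp[dst] >= closed_port_ratio:
            alerts[dst].append("UDP flood")
        # ICMP flood: echo-request volume far above what one host should receive
        if echo[dst] >= echo_threshold:
            alerts[dst].append("ICMP flood")
    return dict(alerts)

def sample_trace():
    """Constructed trace: three attacked hosts plus one host receiving ordinary traffic."""
    pkts = [("tcp", f"198.51.100.{i % 250}", "10.0.0.5", 80, "S") for i in range(300)]
    pkts += [("udp", "203.0.113.9", "10.0.0.6", 1024 + i, "") for i in range(100)]
    pkts += [("icmp", "203.0.113.7", "10.0.0.7", 8, "") for _ in range(250)]
    pkts += [("tcp", "192.0.2.10", "10.0.0.8", 443, "S")] * 10
    pkts += [("tcp", "192.0.2.10", "10.0.0.8", 443, "A")] * 30
    pkts += [("udp", "192.0.2.11", "10.0.0.8", 53, "")] * 20
    return pkts
```

Host 10.0.0.8 stays below every threshold and produces no alert, which is the check that keeps ordinary traffic from being classified as a flood.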
3.4 Ping of Death (POD)
Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started to be exploited as attackers sent a large IP packet (bigger than 65,536 bytes) split into multiple smaller packets, so when the host reassembled the smaller packets it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.
3.5 Slowloris
Slowloris is a highly targeted attack that permits one server to take down another with minimal bandwidth and side effects on unrelated services and ports. The attacker tries to keep many connections to the targeted server open for as long as possible; this is done by constantly sending HTTP headers without ever completing the request. The targeted server will keep those connections open, and this eventually leads to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
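Because Slowloris works by never finishing the request headers, the server's own connection table is enough to spot it: look for one source holding many old connections whose headers are still incomplete, and measure how much of the pool they occupy. The code below is an added example, not part of the paper; the Conn record, the sample table and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example (not from the paper): detect the Slowloris pattern from the server's
# own connection table: many connections from one source that were accepted long ago and
# still have not delivered the blank line that ends the HTTP request headers.
@dataclass
class Conn:
    src: str
    opened_at: float      # time (seconds) the TCP connection was accepted
    header_bytes: int     # bytes of request header received so far
    headers_done: bool    # True once the request headers are complete

def slow_header_offenders(conns, now, max_header_age=30.0, max_incomplete=5):
    """Return {src: count} for sources holding more than max_incomplete connections whose
    headers are still incomplete after max_header_age seconds. A browser finishes its
    headers in well under a second, so age alone separates stalled from slow clients."""
    stalled = defaultdict(int)
    for c in conns:
        if not c.headers_done and now - c.opened_at > max_header_age:
            stalled[c.src] += 1
    return {src: n for src, n in stalled.items() if n > max_incomplete}

def pool_pressure(conns, pool_size):
    """Fraction of the worker/connection pool tied up by connections with incomplete
    headers; as this approaches 1.0, legitimate requests start being refused."""
    incomplete = sum(1 for c in conns if not c.headers_done)
    return incomplete / pool_size

def sample_connections(now):
    """Constructed connection table as seen at time `now`."""
    table = [Conn("203.0.113.5", now - 120 + i, 40 + 7 * i, False) for i in range(50)]
    table += [Conn("192.0.2.20", now - 2, 600, True)]                         # finished
    table += [Conn("192.0.2.21", now - 5, 120, False)]                        # still young
    table += [Conn("198.51.100.3", now - 100, 80, False) for _ in range(3)]   # too few
    return table
```

A server-side header timeout (the max_header_age value above) is also the usual mitigation: a connection that has not completed its headers by then is closed and its slot returned to the pool.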
3.6 Zero-day DDOS
Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution, so basically it's an attack that exploits a vulnerability that the software owner doesn't even know about yet or hasn't developed a patch to fix. A big problem with those attacks is that trading zero-day vulnerabilities is quite popular in the black-hat community, and even if the company develops a patch later, your computer may already have been infected with worms and trojans.
4. Attackers and motives
There is a large diversity of attackers and their motives, and sometimes two of those classes can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.
4.1 Extortionists
These attackers threaten their target, asking for money or they will take down its servers; they work with a financial purpose.
4.2 Hacktivists
The hacktivist group was the one that got most of the spotlight with DDOS attacks in the last few years; they grew and united themselves really fast and started to make "Internet street protests" (Richard Stallman). Some hack groups even took down US governmental sites, causing a great stir in the community; their motives are to try to change decisions made by organizations or the government.
4.3 Competitors, unsatisfied employees and customers
There were some cases where a company would launch a DDOS attack against a competitor to harm its image, so that customers would switch companies and it would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.
4.4 Script Kiddies
They are basically unskilled individuals who use automated tools created by others to carry out attacks. Their purpose normally is to impress friends or try to become famous and climb up in the hacker community; some script kiddies launch an attack just for the fun of it.
5. Tools
One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.
5.1 LOIC (Low Orbit Ion Cannon)
It's one of the most popular free DOS attacking tools on the web; it has a user-friendly interface, so it's easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to improve the power of the attack and make it a distributed attack.
5.2 HOIC (High Orbit Ion Cannon)
It was made out of the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.
5.3 XOIC
It's a very simple and easy-to-use tool; it comes with a whois feature to find IP and port, and has 3 modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.
5.4 PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.
6. Defense against DOS attacks
6.1 How to prevent?
Until now there is no silver bullet (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack. Some recommended strategies to prevent attacks are:
Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.
Apply anti-spoofing filters: During a DDOS, attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack's origin. So it is necessary that access providers implement anti-spoofing filters at the entrance of their routers, so that their clients' networks can't use spoofing, and that the whole Internet, in a general way, implements anti-spoofing filters at the exit of border routers, preventing the use of spoofing.
Plan in advance against DDOS: Prior planning and coordination is essential to guarantee an adequate answer when a DDOS attack starts to happen. This planning must include counterattack procedures with your backbone provider.
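The anti-spoofing filters above come down to one rule per router position: at the customer-facing entrance, forward a packet only if its source address belongs to the prefixes assigned to that customer; at the border exit, let only the network's own addresses leave, and never an address that cannot legitimately appear on the public Internet. The code below is an added example of both rules, not from the paper; the interface names, prefix assignments and flow-log lines are constructed assumptions.

```python
import ipaddress

# Constructed example (not from the paper): the anti-spoofing filters section 6.1 calls for.
# An access provider's customer-facing interface accepts a packet only if its source lies
# in the prefixes assigned to that customer; a border router's exit additionally refuses
# sources that should never appear on the public Internet. Interface names and prefixes
# below are assumed.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("203.0.113.64/26")],
}
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def ingress_allowed(interface, src):
    """Router entrance: forward only if src belongs to the customer behind `interface`."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in CUSTOMER_PREFIXES.get(interface, []))

def egress_allowed(src, own_prefixes):
    """Border router exit: only the network's own prefixes (given as strings) may leave,
    and never a bogon source."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return False
    return any(ip in ipaddress.ip_network(p) for p in own_prefixes)

def spoofed_sources(flow_lines):
    """Apply the ingress rule to constructed flow-log lines 'iface src dst' and return the
    source addresses that would be dropped, i.e. the ones a customer is spoofing."""
    dropped = []
    for line in flow_lines:
        iface, src, _dst = line.split()
        if not ingress_allowed(iface, src):
            dropped.append(src)
    return dropped

SAMPLE_FLOWS = [                          # constructed flow-log lines
    "ge-0/0/1 192.0.2.77 10.0.0.5",
    "ge-0/0/1 8.8.8.8 10.0.0.5",          # source not assigned to this customer: spoofed
    "ge-0/0/2 203.0.113.70 10.0.0.5",
    "ge-0/0/2 198.51.100.200 10.0.0.5",   # the /25 ends at .127: spoofed
]
```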
6.2 How to react?
6.2.1 DDOS tools are installed on your system
This can mean that your system is being used as a master or agent. It's important to determine what part of the tools was found and try to discover worthwhile information that would allow tracking other components of the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activity to gather information.
6.2.2 If your system is suffering a DDOS attack
The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get the real party responsible, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker. There are some techniques to mitigate a DDOS attack in progress.
Load balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.
Drop requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look for and solve the problem, so their machine stops being a zombie.
Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
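The "hard puzzle" in the Drop requests strategy is usually a client puzzle: the server hands out a challenge whose difficulty grows with its load, the requester must spend CPU to find a matching nonce, and the server checks the answer with a single hash. The code below is an added example, not from the paper; the SHA-256 leading-zero-bits construction, the load-to-difficulty mapping and SERVER_KEY are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example (not from the paper): the "hard puzzle" variant of the Drop Requests
# strategy. The server issues a challenge whose difficulty rises with its load; the
# requester must find a nonce such that SHA-256(challenge:nonce) starts with `bits` zero
# bits, which costs about 2**bits hashes to find but a single hash for the server to verify.
# SERVER_KEY is an assumed secret that makes challenges unforgeable.
SERVER_KEY = os.urandom(32)

def difficulty_for_load(load):
    """Map server load in [0, 1] to puzzle bits: no puzzle below 50% load, 20 bits when saturated."""
    return 0 if load < 0.5 else min(20, int((load - 0.5) * 40))

def make_challenge(client_id, bits):
    # The tag binds client id and difficulty, so a requester cannot lower the bits field
    tag = hmac.new(SERVER_KEY, f"{client_id}:{bits}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{client_id}:{bits}:{tag}"

def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Requester side: brute-force a nonce. A zombie doing this burns CPU its owner notices."""
    bits = int(challenge.rsplit(":", 2)[1])
    nonce = 0
    while _leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, client_id):
    """Server side: one HMAC and one hash, regardless of how hard the puzzle was."""
    cid, bits, tag = challenge.rsplit(":", 2)
    expected = hmac.new(SERVER_KEY, f"{cid}:{bits}".encode(), hashlib.sha256).hexdigest()[:16]
    if cid != client_id or not hmac.compare_digest(tag, expected):
        return False
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= int(bits)
```

The asymmetry is the point: at 12 bits a requester needs a few thousand hashes per request while the server still does constant work, and the HMAC tag stops a client from rewriting the challenge to an easier difficulty.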
7. My analysis. Next steps for future research
Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to backtrace, and it seems they won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.
Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent those machines from being part of a botnet, and with this the botnets will become smaller, making the DDOS attack way weaker.
Honeypots: They are systems made with known vulnerabilities to attract the attack. A honeypot not only keeps the attack away from the critical areas of the system but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. With that kind of information you can fortify your system to prevent the next attacks. The hacker elite are already well aware of this technique, so in order to improve its effectiveness, honeypots must be better camouflaged to look exactly like real systems.
Post-attack forensics: When under a DDOS attack it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS. The packet-trace technique relies on the fact that Internet traffic can be traced back to its true source. This allows backtracing the attacker's traffic to find out who the attacker is. All the data collected must be stored in a safe database so it can be used to do forensic analysis and assist law enforcement in cases of significant financial damage.
8. Conclusion
DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target. There are the most common attacks, made by a few people with some botnets, which can cause real trouble to small and medium companies but don't really have much effect against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.
Internet users need to start thinking more about the security of their own systems so as not to become infected, network providers need to monitor their traffic better to track attackers and help companies resist when being attacked, and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and won't be the big concern that they are today.
9. References
Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.
"GRC | Security Now! Transcript of Episode #8." GRC. N.p., n.d. Web. 10 Dec. 2013.
"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013.
"DoS Attack Knocks Out Microsoft Sites." N.p., n.d. Web. 10 Dec. 2013.
"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013.
"DDoS Protection." N.p., n.d. Web. 10 Dec. 2013.
"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013.
"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., n.d. Web. 10 Dec. 2013.
"DOS Attacks and Free DOS Attacking Tools." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013.