Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2275
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.
type of attack: the inte mediate broadcast devices
(amplifiers) and the spoofed source address target (the
victim). The victim is the target of a large amount of traffic
that the amplifiers generate. ‘This attack has the potential to
overload an entire network.
SYN FZood attack is also known as the Transmission
Control Protocol (TCP) SEW attack, and is based on
exploiting the standard TCP three-way handshake. The
, Real Attacker I
i
TCP three-way handshake requires a three-packet exchange
. . .. ........ -
to be performed before a client can officially use the
service. A server, upon receiving an initial SYN
(synchronize/start) request firom a client, sends back a
Figure 1: The four components of a distributed denial of SYNIACK (synchronize/acknowledge) packet and waits for
service attack: a real attacker, a control master program, the client to send the final ACK (acknowledge). However,
attack daemons and the victim [4]. it is possible to send a barmge of initial SYN’s without
sending the corresponding ACK’s, essentially leaving the
server waiting for the non-existent ACK’s [3]. Considering
Although it seems-that the real attacker has little to do but that the server only has a limited buffer queue for new
sends out the “execute” command, helshe actually has to connections, SYN Flood results in the server being unable
plan the execution of a successful distributed denial of to process other incoming connections as the queue gets
service attack. The attacker must infiltrate all the host overloaded [8].
computers and networks where the daemon attackers are to
be deployed. The attacker must study the target’s network UDP Flood attack is based on UDP echo and character
topology and search for bottlenecks and vulnerabilities that generator services provided by most computers on a
can be exploited dilring the attack. Because of the use of network. The attacker uses forged UDP packets to connect
attack daemons and control master programs, the real the echo service on one machine to the character generator
attacker is not directly involved during the attack, whch (chargen) service on another nuchme. The result is that the
makes it difficult to trace who spawned the attack. two services consume all available network bandwidth
between the machmes as they exchange characters between
In the following-subsections, we review some well-known themselves. A variation of this attack called ICMP Flood,
attack methods (Smurf, SYN Flood, and User Datagram floods a machine with ICMP packets instead of UDP
Protocol (UDP) Flood) and the current distributed denial of packets.
service methods (Trinoo, Tribe Flood Network,
Stacheldraht, Shaft! and TFN2K). We describe defense
mechanisms that can be employed by networks, and briefly 2.2 Methods of Distributed Denial of Service
review the Yahoo! attack. Attacks
2.1 Methods of.Denia1 of Service Attacks In this section, we describe the: distributed denial of service
methods employed by an attacker. These techniques help
an attacker coordinate and execute the attack. These types
We described below some widely known basic denial of of attacks plagued the Internet in February 2000. However,
service attack methods that are employed by the attack these distributed attack techniques still rely on the
daemons. previously described attack methods to carry out the attacks.
Smurj-attack involves an attacker sending a large amount of The techniques are listed in chronological order. It can be
Internet Control Message Protocol (ICMP) echo traffic to a observed that as time has passed, the distributed techniques
set of Internet Protocol (IP) broadcast addresses. The (Trinoo, TFN, Stacheldraht, Shaft, and TFN2K) have
ICMF’ echo packets are specified with a source address of become technically more advanced and, hence, more
the target victim (spoofed address) [9].Most hosts on an IP difficult to detect.
network will accept ICMP echo requests [ 5 ] and reply to
them with an echo reply to the source address, in this case, Trinoo uses TCP to communicate between the attacker and
the target victim. This multiplies the traffic by the number the control master program. The master program
of responding hosts. On a broadcast network, there could communicates with the attack daemons using UDP packets.
potentially be hundreds of machmes to reply to each ICMP Trinoo’s attack daemons implement UDP Flood attacks
packet. The process of using a network to elicit many against the target victim [101.
responses to a single packet has been labeled as an Tribe Flood Network (TFN) uses a command line interface
“amplifier” [16]. There are two parties who are hurt by this to communicate between the attacker and the control master
2276
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.
program. Communication between the control master and the time-out waiting for the three-way handshake, and
attack daemons is done via ICMP echo reply packets. employ vendor software patches to detect and circumvent
TF”s attack daemons implement Smurf, SYN Flood, UDP the problem.
Flood, and ICMP Flood attacks [101. Disabling Unused Services: If UDP echo or chargen
Stacheldraht (German term for “barbed wire”) is based on services are not required, disabling them will help to defend
the TFN attack. However, unlike TFN, Stacheldraht uses against the attack. In general, if network services are
an encrypted TCP connection for communication between unneeded or unused, the services should be disabled to
the attacker and master control program. Communication prevent tampering and attacks.
between the master control program and attack daemons is Performing Intrusion Detection: By performing intrusion
conducted using TCP and ICMP, and involves an automatic detection, a host computer and network are guarded against
update technique for the attack daemons. The attack being a source for an attack, as while as being a victim of an
daemons for Stacheldraht implement Smurf, SYN Flood, attack. Network monitoring is a very good pre-emptive way
UDP Flood, and ICMP Flood attacks [ 101. of guarding against denial of service attacks. By monitoring
Shaft is modeled after Trinoo. Communication between the traffic patterns, a network can determine when it is under
control master program and attack daemons is achieved attack, and can take the required steps to defend itself. By
using UDP packets. The control master program and the inspecting host systems, a host can also prevent it from
attacker communicate via a simple TCP telnet connection. hosting an attack on another network [191.
A distinctive feature of Shaft is the ability to switch control
master servers and ports in real time, hence making
detection by intrusion detection tools difficult [ 113. 2.4 Yahoo! Attack
TFN2K uses TCP, UDP, ICMP, or all three to communicate
between the control master program and the attack The attacks on the major Web sites began in early February
daemons. Communication between the real attacker and 2000, with the first major attack being on Yahoo! on
control master is encrypted using a key-based CAST-256 February 7 [15]. The surprise attack took the Yahoo! site
algorithm [l]. In addition, TFN2K conducts covert down for more than three hours. It was based on the Smurf
exercises to hide itself from intrusion detection systems. attack, and most likely, the Tribe Flood Network technique.
TFN2K attack daemons implement Smurf, SYN, UDP, and At the peak of the attack, Yahoo! was receiving more than
ICMP Flood attacks [2]. one gigabit per second of data requests.
Yahoo! has stated that it was unprepared for thls magmtude
of an attack, and hence, was not ready to defend itself.
2.3 Defenses Against Attacks Yahoo! receives huge number of visitors every day, and
most likely believed that the bandwidth provided to the
Many observers have stated that there are currently no users by their Internet service providers would defend them
successful defenses against a fblly distributed denial of against any type of denial of service attacks. However, they
service attack. This may be true. Nevertheless, there are did not account for a large distributed denial of service
numerous safety measures that a host or network can attack from numerous servers and networks across the
perform to make the network and neighboring networks Internet.
more secure. These measures include:
Filtering Routers: Filtering all packets entering and leaving
the network protects the network from attacks conducted
from neighboring networks, and prevents the network itself 3. Simulation Scenarios
from being an unaware attacker [12]. This measure requires
installing ingress and egress packet filters on all routers. Using the simulation tools, we examine how various
Disabling IP Broadcasts: By disabling IP broadcasts, host queuing algorithms implemented in a network router
computers can no longer be used as amplifiers in ICMP perform during an attack, and whether legitimate users can
Flood and Smurf attacks. However, to defend against this obtain desired service. We use the ns-2 network simulator
attack, all neighboring networks need to disable IP [ 181 to simulate a distributed denial of service attack on a
broadcasts. targeted router.
Applying Security Patches: To guard against denial of We simulate a simplified version of the distributed denial of
service attacks, host computers must be updated with the service attack on a single targeted router, shown in Figure 2
latest security patches and techques. For example, in the [ 171. We simulate the attack using UDP packets. Our main
case of the SYN Flood attack [8], there are three steps that goal is to compare several queuing algorithms and to
the host computers can take to guard themselves from determine whether the queuing methods in the target router
attacks: increase the size of the connection queue, decrease could provide a better share of bandwidth to the legitimate
2277
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.
users during the attack. We measure the throughput 8 Class Based Queuing (Packet by Packet Round Robin
provided to the legitimate users and to the attackers when and Weighted Round Robin) queues packets according
using the following queuing algorithms: DropTail, Fair to criteria defined by an a,dministrator [14]. It provides
Queuing, Stochastic Fair Queuing, Deficit Round Robin, differential forwarding service for each class. Packets
Random Early Detection, and Class Based Queuing (Packet are divided into a hierarchy of classes defined by input
by Packet Round Robin and Weighted Round Robin). flows. For our simulations, we develop two classes of
Class Based Queuing: a class of known flows
(legitimate users) and a class of unknown flows. For
each class, we allocated a minimum bandwidth
allotment.
Clients __
4. Simulation Results
Figure 2: The simulated distributed denial of service attack
scenario [ 171. We now discuss the results obtained from our simulation
study. For each queuing algorithm, except DropTail, we
We conduct the ns-2 simulations using three network simulate topologies A, B, and C.
topologies. Each network topology consists of one In the case of DropTail queuing algorithm, we only simulate
legitimate user, one target host, and a varied number of topology A because only tw10 attackers were required to
attack daemons, asshown in Figure 3. overload the target router. The legitimate user has 0.1
In our simulation scenarios, we use a single target router Mbps, while the two attackers each have allocated 0.6 Mbps
with a 1 Mbps bandwidth. All network links have 1 Mbps bandwidth. Since the target router has a buffer sue of 1
bandwidth, with a delay of 100 ms. The legitimate user is Mbps, and the input links have 1.3 Mbps bandwidth,
defined as a UDP agent sending packets of size 500 bytes at overloading the buffer in the router only requires two
a rate of 0.1 Mbps. The attack daemons are defined as UDP attackers and packet loss in the router is to be expected.
agents sending packets of size 500 bytes at rates of 0.3 to The legitimate user’s bandwidth was reduced to zero once
1.0 Mbps. All sources generated constant bit rate (CBR) the attack executed by the two attack daemons was fully
traffic. engaged. As shown in Figure 4, the user’s bandwidth
(bottom curve) falls to zero at approximately 2.5 sec after
the beginning of the attack.
I
1.0 - _ _ _ _ _ _ _ _ _-*-t.i~c~-~.~-.
____....
. ~ . ~ ~
0.9 - Attacker2
TG;i-----
Figure 3: Simulated network topologies A, B, and C (left to 0.8 -
right). Target is the right most node in the networks. 0.7 -
0.6 -
; ...............
/”-7. :
... ..*
0.5 - i !.,/.._____-
y\
In our simulations, we use the following queuing algorithms 0.4 - ;
: /
’:
1
.
2278
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.
requested bandwidth. However, simulations based on classes (with known and unknown flags), the legitimate user
topology C resulted in several target routers being was able to obtain all requested bandwidth, as shown in
overloaded during the attack by the twelve attack daemons. Figure 6 (bottom).
For the simulation scenario with topology C, we allocated Unlike other queuing algorithms that we simulated, Class
0.1 Mbps to the legitimate user, 0.5 Mbps bandwidth was Based Queuing algorithms require extra overhead and effort
given to attackers 1-6, and 1.0 Mbps was given to attackers to be implemented, because input flows to a Class Based
7-12. The total input bandwidth of the attackers is 9.0 Queuing based routers must be a priori categorized and
Mbps. managed. Hence, this queuing discipline may not be a
Two queuing algorithms (Random Early Detection and feasible solution for routers with a large number of input
Class Based Queuing) are successful in providing links.
bandwidth requested by the legitimate user during the
simulations using network topology C. Fair Queuing,
Stochastic Fair Queuing, and Deficit Round Robin Queuing
are algorithms that provided little or no bandwidth to the
legitimate user during the attack. Although the user did not
receive full throughput with Random Early Detection
queuing, helshe continued to receive service through most
of the duration of the attack scenario, as shown in Figure 5
(bottom).
Time (sec)
0.0 2.0 4.0 6.0
UsZF
100.0 - -
0.4 c 90.0 - -
80.0 - -
70.0 - -
60.0 - -
Y."
50.0 - -
0.0 2.0 4.0 6.0 40.0 - -
30.0 - -
Bandwidth (Mbps) x 10-3 -
1
20.0 -
, I I User
-
40.0 A 10.0 -
35.0 0.0 -
Time (sec)
30.0
25.0
20.0
15.0
10.0
.
1 v \ \3 j
5-o
nn
0.0
4
2.0 4.0 6.0
' Time (Pef)
Figure 5 : Simulation results using Random Early Detection In summary, our simulationresults indicate that Class Based
queuing algorithm and network topology C. Shown are the Queuing had the best performance and provided the full
legitimate user's bandwidth, the twelve attacker's bandwidth, bandwidth that the legitimate user requested. The Random
and the total bandwidth for the target router (top), and the Early Detection algorithm was the best among algorithms
legitimate user's bandwidth (bottom). that required no additional overhead. It was able to provide
40% of the bandwidth requested by the user.
Finally, two variants of the Class Based Queuing algorithms
were successful in providing full bandwidth requested by
the legitimate user. In fact, with appropriately defined flow
2279
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.
5. Conclusions [6] CERP Coordination Center, Cert Advisories: “CA-2000-01
denial-of-service developments:” http://www.cert.org/advisories/
CA-2000-01 .html; “CA-99-17 denial-of-service tools,”
In this paper, we discussed distributed denial of service http://www.cert.org/advisories/CA-99- 17-denial-of-service-
attacks on the Intemet. We described how distributed tools.html; “CA-98-13-tcp-denial-of-service: vulnerability in
attacks are conducted, we reviewed some well known certain TCP/IP implementations,” http://www.cert.org/advisories/
distributed denial’of service techniques, and discuss various CA-98-13-tcp-denial-of-service.1itml.
defense mechanisms that could be employed by networks
[7] CERP Coordination Center, “Results of the distributed
and hosts. systems intruder tools workshop,” Nov. 1999,
We used network simulation tools to examine the http://www.cert.org/reports/dsit-workshop.pdf.
performance of various queuing algorithms in alleviating
[8] Cisco Systems, Inc., “Defining strategies to protect against
the distributed denial of service attacks and in providing
TCP SYN denial of sarvice attacks,” July 1999,
desired service to-the users. It was found that the majority http://www.cisco.com/warp/public/707/4.html.
of routing algorithms that we considered provided no
bandwidth to the legitimate user during the attack. [9] Daemon9, Infinity, and Routte, “IP-spoofing demystified:trust-
Nevertheless, even under persistent denial of service relationship exploitation,” Phruck Mug., June 1996,
attacks, Class Based Queuing algorithm could guarantee http://www.fc.net/phrack/files/p4.8/p48-14.hh-d.
bandwidth for certain classes of input flows, whle Random [lo] D. Dittrich, “The DOSprojwt’s ‘Trinoo’distributed denial of
Early Detection was successful in providing limited service attack tool,” Oct. 1999; “The ‘Stacheldraht’ distributed
bandwidth to legitimate users. Since implementation of a denial of service attack tool,” Dec. 1999; “The ‘Tribe Flood
Class Based Queuing algorithm required additional effort, Network’ distributed denial of service attack tool,” Oct. 1999,
there is a tradeoff between its performance and the http://www.washington.edu/People/dad.
implementation overhead. In summary, our simulation
[ I l l D. Dittrich, S. Dietrich, and N. Long, “An analysis of the
results indicated that implementing queuing algorithms in
‘Shaft’ distributed denial of device tool,” Mar. 2000,
network routers may provide the desired solution in http://netsec.gsfc.nasa.gov/-spoc.k/shaft_analysis.txt.
protecting users in cases of distributed denial of service
attacks. [12] P. Ferguson and D. Senie, “RFC 2267: Network ingress
filtering: defeating denial of s,ervice attacks which employ IP
source address spoofing,” Jan. 1998, http://info.intemet.isi.edu/in-
Acknowledgements notes/rfc/files/rfc2267.txt.
[ 131 S.Floyd and V. Jacobson, “Random early detection gateways
We thank V. Markovslu for h s assistance with the ns-2 for congestion avoidance,” IEELXACM Trans. Networking, vol. 1
network simulator: This research was supported by the no. 4, pp. 397-413, Aug. 1993.
NSERC Grant 216844-99 and the BC Advanced Systems
[I41 S. Floyd and V. Jacobson, “Link-sharing and resource
Institute Fellowship.
management models for packet networks,” ZEEE/ACM Trans.
Networking, vol. 3 no. 4, pp. 365-386, Aug. 1995.
[ 151 A. Harrison, “The denial-of-service aftermath,” Feb. 2000,
http://www.cnn.com/2000/TECE[/computing/O2/ 14ldos
References .aftermath.idg/index.html.
[I] C. Adams and J. Gilchrist, “RFC 2612: The CAST-256 [I61 C. A. Huegen, “The latest in denial of service attacks:
encryption algorithm,” June 1999, http://www.cis.ohio- ‘Smurfing’ description and information to minimize effects,” Feb.
state.edu/htbin/rfc/rfc2612.html. 2000, http://users.quadrunner.coin/chuegen/smurf.cgi.
[2] J. Barlow and W. Thrower, “TFN2K - an analysis,” [ 171 B. Martin, “Have script, will destroy (lessons in DOS),”Feb.
Feb. 2000, http://packetstorm.securifj~.com/distributed/TFN2k~ 2000, http://www.attrition.org.
Analysis.htm.
[ 181 ns-2 network simulator, http:/Iwww.isi.edu/nsnam/ns.
[3] S. Bellovin, “Security problems in the TCPIIP protocol suite,”
Comput. Commun.Rev., vol. 19, no. 2, pp. 32-48, Apr. 1989. [I91 T. H. Ptacek and T. N. Newsham, “Insertion, evasion, and
denial of service: eluding netuork intrusion detection,” Secure
[4] S. Bellovin, “Distributed denial of service attacks,” Feb. 2000, Networks, Inc., Jan. 199fi, http://www.clark.net/-roeschl
http://www.research.att.com/-smbhalks. idspaper.html.
2280
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY TIRUCHIRAPALLI. Downloaded on May 11, 2009 at 02:34 from IEEE Xplore. Restrictions apply.