Term Paper on

DDOS (Distributed Denial of Service)

Submitted ByVaibhav Srivastava Reg N0.-11310741

IntroductionIn the recent past, new classes of security threats have emerged: one, which does not target the integrity of resources, but rather their very availability. All threats under the new class is collectively known as DENIAL OF SERVICE (DoS) ATTACKS. DoS neither do nor associate with the actual contents, do they just concentrate on preventing the data from reaching its actual destination, thus effectively making the resource or service unavailable by exploiting either flaws in popular internet protocols or the very functioning of internet. A key problem in detecting denial of service attacks is that the source address of the packets are spoofed. This ensures that the compromised machines remain undetected and thereby can be used for other attacks. If the source of the attack is kept constant (even if it is spoofed), it is possible to block that particular address and recover from the attack. However, the attack now takes a new form by being distributed (DDoS). In this form, a number of compromised systems all over the world are used in a synchronized manner to attack a particular server. By distributing the attack, the intensity near the source is lessened and is therefore not detected there. Meanwhile, the concentrated effect at the victim is sufficient to overload networks and systems and thus deny service. This latest evolution in DoS has received much publicity, but some of the most important aspects have not yet been explored. DDoS isnt simply about multiplication of attack sources, it brings about issues of path diversity, obscurity, invisibility, and demoralization of the victim. In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. (See botnet) DoS (Denial of Service) attacks are sent by one person or system. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. DoS threats are also common in business, and are sometimes responsible for website attacks. This technique has now seen extensive use in certain games, used by server owners, or disgruntled competitors on games, such as server owners' popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of resistance. Richard Stallman has stated that DoS is a form of 'Internet Street Protests. The term is generally used relating to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. The most recent findings from a report by Radware (2012) revealed that most victims of DDoS attacks are online businesses, carriers and service providers. DDoS attacks target revenuegenerating organizations by overtaxing their link capacity. Such an attack causes a company both direct and indirect damages. Direct damages include revenue loss due to downtime and increased network maintenance costs, whereas indirect damages tend to be related to the reputation and perceived reliability of the organization and its services.

Over the years, the world has seen many large-scale Distributed Denial of Service (DDoS) attacks conducted by organized cyber-criminal groups, some of these attacks have managed to disrupt the online services of prominent, major global enterprises. Despite the efforts of the security community, DDoS attacks have remained a constant threat and continue to wreak havoc in the cyberspace.

The Essence of a Distributed Denial of Service (DDoS) Attack:

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include attempts to flood a network, thereby preventing legitimate network traffic attempts to disrupt connections between two machines, thereby preventing access to a service attempts to prevent a particular individual from accessing a service attempts to disrupt service to a specific system or person Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack: consumption of scarce, limited, or nonrenewable resources by sending illegitimate traffic there by denying service to the legitimate users. Destruction or alteration of configuration information physical destruction or alteration of network components. The basic intent of a DoS attack is either to overwhelm the resources allocated by a networked device to a particular service in order to prevent its use, or to crash a target device or system. DoS attacks can achieve this goal by either taking advantage of known bugs in particular OS versions, or by taking advantage of loopholes designed into the fabric of a standard such as TCP/IP. DoS attacks can be effective by focusing on routers, switches, or servers. As an example, the strength of the routers, networks, applications and servers that comprise the infrastructure of the Internet, is their ability to handle a large number of requests for connection simultaneously. The weakness in the strength is in how they do so. Each time a client requests connection to a network service or application, a corresponding server sets aside a portion of its resource to handle the connection. By flooding a target server with connection requests, the finite resources allocated to a specific service can be overwhelmed. The result is a Denial of Service to valid connection requests, system errors, and possible system crashes. DoS attacks can generally be classified as either a Flood Attack or a Malformed (or crafted) Packet Attack and that where attacks originate simultaneously from several compromised sources that these can be classified as Distributed DoS attacks. Fundamental to the IP protocol every packet has a source and destination address field that is used to determine the originating and destination end points. The process of forwarding these packets by intermediate routers partly relies on the destination field; the source address will only be used when a response to the packet is required. This makes the implementation of DDoS flooding attacks easy to accomplish because fake or spoofed source addresses can be used, and packets will generally be forwarded unchallenged to the specified destination. This allows a DoS or DDoS attack to be carried out from any location and with total anonymity. If an attack is underway from a single address then it is possible to arrange for a block of the offending source IP address at the ISP or the border router. However, when a DDoS attack occurs the problem is not as easy to resolve because packets appear to be coming from hundreds or even thousands of different hosts, there is absolutely no point

trying to implement temporary Access Control Lists on routing devices or modify the border Firewall rule base, it is too late you are left at the mercy of the attack under way.

Background of DDoS attacks

1 History of DDoS attacksThe very first instance of a DDoS attack occurred in 1999, it utilized 227 systems to flood and subsequently, cease the operations of a single University of Minnesota computer (Kessler, 2000). Over the past decade since its emergence, the techniques used to generate DDoS attacks have been continuously evolving, with various breakthroughs in information and networking technologies. 2 Current trends of DDoS attacksIt was revealed that DDoS attacks are gaining popularity and was part of many high profile hacking campaigns last year (Imperva, 2011). The attacks by the group, Anonymous are one such example. The motivations behind such attacks vary greatly: financial, political, religious, entertainment, or to gain personal notoriety. In addition, the data security specialists predict that in year 2012, attackers will further increase the sophistication and effectiveness of DDoS attacks by shifting from network level attacks to application level attacks, and even business logic level attacks. 3 Implications of DDoS attacksCross explained that with the industrialization of DDoS attacks in the recent years, non-technical cyber-criminals can build botnets on thousands or even millions of computers by utilizing offthe-shelf toolkits, automated techniques, and search engines (Cross, 2011). Subsequently, by using these botnets, malicious users can unleash destructive DDoS attacks on virtually any victim. Harnessing the aggregate power of countless bots, DDoS attacks can inflict tremendous damages on websites, slowing down or even completely crippling them.

How is DDoS Executed?

The Distributed Denial of Service (DDoS) attack works as follows. The attacker uses widely available hacker tools to probe unsuspecting networks of computers for security weaknesses (trust us you have those). These tools often scan for and then piggyback on network sessions between key resources in your network and users authorized to control or reconfigure them. Once a suspect is located, the attacker uses this authorization level to insert a master DDoS program on a key system within your network. The master is then used to insert slave programs on other computers within the same network. These slaves contain one or many common DoS programs. A network of master/slave DoS programs then exists that will lie dormant awaiting a wakeup call to attack a specific target system. The hacker then moves on to find additional prospective master/slave networks. The normal DDoS attack architecture works upon the basis that the required hosts to launch the attack from have already been identified and compromised via Trojans or backdoors. In a DDoS scenario the Intruder (also called the Attacker or Client) issues control traffic to the Master (also called the Handler) which, in turn then issues commands to the Daemon (also called an Agent, Broadcast program or Zombie). The Daemons

that are at the end of this command chain finally initiate the attack traffic against the Victim.

An Example of an attack: Of all the attacks causing denial of service, the TCP-SYN Flooding attack is most common. A simplified diagram of the TCP SYN flooding problem is depicted below: Defense Against Distributed Denial of Service Attacks9.0.0.0/8 host < router < Internet < router < attacker TCP/SYN < Source: 192.168.0.4/32 SYN/ACK no route TCP/SYN < Source: 10.0.0.13/32 SYN/ACK no route TCP/SYN < Source: 172.16.0.2/32 SYN/ACK

no route Assume: o The host is the targeted machine. o The attacker resides within the valid prefix, 9.0.0.0/8. o The attacker launches the attack using randomly changing source addresses; in this example, the source addresses are depicted as from within, which are not generally present in the global Internet routing tables, and therefore, unreachable. However, any unreachable prefix could be used to perpetrate this attack method.

Performing DoS-attacksA wide array of programs is used to launch DoS-attacks. Most of these programs are completely focused on performing DoS-attacks, while others are also true Packet injectors, able to perform other tasks as well. Such tools are intended for benign use, but they can also be utilized in launching attacks on victim networks.

FirewallsFirewalls can be set up to have simple rules such to allow or deny protocols, ports or IP addresses. In the case of a simple attack coming from a small number of unusual IP addresses for instance, one could put up a simple rule to drop all incoming traffic from those attackers. More complex attacks will however be hard to block with simple rules: for example, if there is an ongoing attack on port 80 (web service), it is not possible to drop all incoming traffic on this port because doing so will prevent the server from serving legitimate traffic. Additionally, firewalls may be too deep in the network hierarchy. Routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

SwitchesMost switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example SYN flood can be prevented using delayed binding or TCP splicing. Similarly content based DoS may be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention mechanism.

RoutersSimilar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. Cisco IOS has features that prevent flooding, i.e. example settings.

Application front end hardwareApplication front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors.

IPS based preventionIntrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC based IPS may detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic. DDS based defense More focused on the problem than IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks (such as ICMP floods and SYN floods).

Blackholing and sink holingWith blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface or a non-existent server). To be more efficient and avoid affecting network connectivity, it can be managed by the ISP. Sinkholing routes traffic to a valid IP address which analyzes traffic and rejects bad packets. Sinkholing is not efficient for most severe attacks.

Clean pipesAll traffic is passed through a "cleaning center" or a "scrubbing center" via various methods such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service unless they happen to be located within the same facility as the "cleaning center" or "scrubbing center". Arbor Networks, Prolexic Technologies, Tata Communications, AT&T and VeriSign are examples of providers of this service.

Side effects of DoS attacksIn computer network security, backscatter is a side-effect of a spoofed denial-of-service attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter. If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks. The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.

LegalityIn the Police and Justice Act 2006, the United Kingdom specifically outlawed denial-of-service attacks and set a maximum penalty of 10 years in prison. In the US, denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act with penalties that include years of imprisonment. Many other countries have similar laws. The US situation is under court ruling with a case in California. On January 7, 2013, Anonymous posted a petition on the whitehouse.gov site asking that DDoS be recognized as a legal form of protest similar to the Occupy protests.