Threshold of DDoS in Internet Infrastructure

Monu Tripathi#, Bhatt Mehul*, Mohd Akhlaque#

#

Dept of IT, Jaipur National University Jaipur, Rajasthan

3

monu7@live.com mohd_akhlaque@live.com 2er.mehul14@gmail.com

Abstract The number Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on the Internet has risen sharply in the last several years. Service providers are routinely expected to prevent, monitor and mitigate these types of attacks which occur daily on their networks. This paper discusses the most common types of DoS/DDoS attacks seen on the Internet and ways that service providers can prevent or mitigate damages from the attack threats.

have given rise to a new type of DoS classification: the distributed DoS attack (DDoS). Fig.1. shows the DDoS Reflexive on the infrastructure.

For example, an attacker who could compromise the popular Folding@Home [1]distributed computation software, or any popular P2P client, would be able to harness several hundreds of thousands of hosts to generate traffic for an attack. This can cause serious service distrupt from 1 minute to several hours or even days.
Hackers has changed the tools required for core service providers to effectively deal with payload propagation. With 60% of the vulnerable hosts infected within the first 20 minutes of release and an infection doubling time of 6.5 seconds, service providers must have semi-automated techniques at their disposal to mitigate a large scale Internet event in a matter of minutes, instead of hours or days. Keywords Security, system design, distributed denial of service defense, DDoS.

I. INTRODUCTION

This Despite a significant breadth of research into defenses,

Denial of Service (DoS) attacks remain a significant problem in the Internet today. The DoS phenomenon has evolved rapidly over the last decade. DoS attacks wereonce caused by only a few attackersoften only a single attackersending specially crafted packets designed to exploit flaws in the victims particular TCP/IP implementation, and sometimes using IP spoofing [2] (the forging of the source IP address field in the IP header to something other than the sending hosts IP address) to hide their identity. DoS attacks are becoming an increasing risk, as the sophistication of current attack tools enables relatively inexperienced attackers to perform these attacks. As the number of systems connected to the Internet has increased, the black-hat community has developed tools (known as rootkits) that take advantage of security flaws in operating system services to compromise computers. The darknet community has also written tools designed to control and coordinate these exploited machines (often called zombies) on a large scale [3, 4]. These developments

The weakness of the current Internet infrastructure that facilitates DDoS attacks is the inability for a packet recipient to authenticate that packets claimed source IP address. In other words, an attacker can intentionally modify, or spoof, the source address of the packets it sends from a compromised host. Two examples of DDoS attacks that rely on IP address spoofing are: TCP SYN Flooding: In this attack, an attacker sends TCP SYN packets as if to initiate a TCP connection with its victim. These SYN packets contain spoofed source IP addresses, which cause the victim to waste resources that are allocated to half-open TCP connections which will never be completed by the attacker [5]. Reflector Attack: In this attack described by Paxson [6], the attacker attempts to overwhelm the victim with traffic, by using intermediate servers to amplify the attackers bandwidth and/or hide the attackers origin. The attacker simply sends requests to the intermediate server with a spoofed source IP address matching the victims IP address. The intermediate server only sees that a number of requests are supposedly coming from the victim, and

so sends its responses to the victim. When properly coordinated, a group of attackers can cause a flood of packets to hit the victim, without sending any packets directly to the victim itself. To amplify the traffic, the attacker selects intermediate servers whose responses to the spoofed requests are larger than the requests themselves. For example, in DNS server based reflector attacks, attackers send short DNS lookup requests (50 bytes each), whose replies can be over a thousand bytes long, thus giving the attacker a 20-fold traffic amplification. Other popular reflectors are Internet game servers, where attackers can use similar methods to gain two orders of magnitude of traffic amplification[8]. This type of attack uses large amount of bandwidth and packet flooding to take down the target network. This type of attack is also very difficult to trace because attacker forge the packets source address maliciously.

sends a TCP RST packet. The technique can achieve 3 to 5 times amplification factors by retry packets sent from the reflection servers. With this technique, there are at most 65536 opened TCP connections (16 bits for source port, and this attack is done on only one destination port). A better technique an attacker can implement is to spoof source IP address, and then have lot more connections for an efficient DDoS attack. Some open-source software like packETH can successfully be implemented over cross platform. Any client wishing to contact a server over a privileged channel must first complete a handshake protocol to obtain a capability to insert into its privileged packets, and vice versa for server communication with the client. A single handshake is sufficient to provide both sides of a communication with their capabilities. Furthermore, The protocol is shown in Fig.3. below.

Fig.2. Graph analysis of DDoS threshold by Akamai Technologies in July 2009.

Fig.3. Handshake between Client and server.

TCP SYN
The TCP SYN flood attack is a protocol violation attack that is used in several variations. In the simplest case, an attacker sends the first packet (with the SYN bit set) of the well known TCP three way handshake. The victim responds with the second packet back to the source address with SYNACK bit set. The attacker never responds to the reply packet, either on purpose or because the source address of the packet is forged (For ex by Hping, GSpoof etc). In the original attack, the victims TCP receive queues would be filled up, denying new TCP connections. A variation to this attack uses public servers as a reflective media to flood the victim with TCP SYN ACK packets. In this case, the attacker spoofs the source address of the TCP SYN packet with the victims address. The packet is sent to a public server (such as HTTP). The server sends a TCP SYN ACK packet to the victims host. The victim, having not sent the original packet either ignores the packets or

ARP Poisoning
Address Resolution Protocol (ARP) Poison attacks require the attacker to have access to the victim's LAN. The attacker deludes the hosts of a specific LAN by providing them with wrong MAC addresses for hosts with already-known IP addresses. This can be achieved by the attacker through the following process: The network is monitored for "arp whohas" requests. As soon as such a request is received, the attacker tries to respond as quickly as possible to the questioning host in order to mislead it for the requested address. It changes the dynamic ARP entries in the host.

BACK
This attack is launched against an apache Web server, which is flooded with requests containing a large number of frontslash ( / ) characters in the URL description. As the server tries to process all these requests, it becomes unable to process other legitimate requests and hence it denies service to its customers.

turn off TTL expiration processing, with the side effect of breaking traceroute.

Prevention techniques :
ICMP Packet Flow Analysis An attacker could determine its capability by simply sending a packet designed to produce an ICMP error message at a router between the victim and the ISPs border routers (for example, a TTL expiration). The ICMP error packet sent by the router will include in its payload the IP header and the first 8 bytes of the payload of the original packet, thus returning to the attacker the capability that will bypass the ISPs border routers. An approach to prevent this attack is to have all the border routers of the ISPs network monitor outbound ICMP error messages and remove the contents of the marking field in messages that contain EXP packets. Although this may degrade performance on border routers, ICMP has a simple header, so packet inspection can be implemented in hardware. ICMP attacks are not a problem for full-ISP deployment because capability enabled routers can be programmed to mask out the marking field of all EXP packets before they are encapsulated in ICMP error packets. PACKET INJECTION / TRACE Packet injection can be used to define and inject IP based network traffic into IPv4 or IPv6 network. Network administrator or testers can have the ability to define essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can be valuable in a number of ways, including testing firewalls, intrusion detection systems, simulating traffic flow and general TCP/IP auditing for DDoS analysis and implementation of defensive policies against unwanted overload. It can also provide the statistical analysis of the complete protocol wise result parsed in xml or in any other compatible format.

IP fragmentation attack prevention

Fragmentation attacks can be very simple or rather complex in nature depending upon the attackers motivations. IP Fragmentation Attacks The basic modus operandi of IP fragmentation attacks is to use varied IP datagram fragmentation to disguise its TCP packets from a targets IP filtering devices. The best countermeasure is to strictly enforce minimum fragment size requirements. With this done any under sized packets will be automatically dropped preventing them from ever getting onto your network. Overlapping Fragmentation Attacks In many ways similar to a teardrop attack an overlapping fragment attack is yet another variation on a datagrams zero-offset modification. Subsequent packets overwrite the initial packets destination address information and then the second packet is passed onto the target network. It can simply prevented by enforcing a minimum fragment offset for fragments with non-zero offsets is by far the easiest way to counter this type of attack. Teardrop Attack In order to instigate a teardrop attack the attacker will modify the length and fragmentation offset fields in sequential Internet Protocol (IP) packets. Upon reception of these modified packets a target system will become confused and crash because it will be receiving contradictory instructions on how the fragments are offset on these packets. This generally means that the CPU will flush all instructions, processing pipelines, queues and data. The easiest way for the system to do this is quite simply to reboot. The momentary zero power state will achieve exactly this. Most users will perceive and interpret this as the operating system is continually rebooting and without prior warning. It is this default response of rebooting in order to resolve multiple conflicting instructions that the attacker is taking advantage. It can be prevented by careful analysis of captured packets to determine that the offset fields have been deliberately modified to cause the systems under attack to crash.

TTL EXPIRATION
The TTL expiration attack relies on ICMP control messages to flood the victim. In this attack, the source address is forged to match the victims address. The TTL for the packet is set to a low value that will expire in transit at a high speed router. When the TTL of the packet reaches zero, the router drops the packet and sends an ICMP TTL expired message to the source address, in this case the victims site. Since TTL expiration is often done on the line card in ASIC, this can be an extremely fast reflective media.The best defense for this type of attack is rate limiting ICMP to all routers in the service providers network. Some network equipment vendors are now offering the ability to

Control Plane Attacks Prevention

Control plane attacks are attacks that are directed against the control plane of network elements, such as routers and switches. Attacks are usually directed at dynamic routing protocols such as BGP, OSPF, and EIGRP. ISIS is not as vulnerable to public attacks because it operates using the OSI protocol stack instead of the TCP/IP protocol stack and is an IGP routing protocol. Direct DoS/DDoS attacks against the routing protocols can lead to regional outages. Another form of attack, malicious route injection, can lead to DoS attacks, traffic redirection, prefix hijacking, and AS hijacking. Prefix and AS hijacking are rare but becoming more common with hardcore SPAM operators. Protection of the management and control planes is critical for the successful operation of an ISP. It is easier to discuss both topics together because the router configuration to protect both is similar in many ways. Authenticated and encrypted protocols are preferred for router management. Protocols must be accepted only from trusted hosts. Steps to protect the control plane include: protection of the route engine using filters, authentication and integrity verification of routing protocol updates. By th implementation of active filters in OSPF and BGP protocols handlers in routing device. During the routing table update between Border gateway Routers or INTRANET network Grid router the MD5 hash value can be implemented in update packets to avoid any unauthorized routing entry in the gateway router. Routers can exchange and share the PSK key for authentication of update packets.
[1]

Conclusion
Newer attack techniques will continue to advance and the number of software vulnerabilities will continues to increase, without regard to the internet boom. Internet worms that previously took days or weeks to spread now take minutes. Service providers and vendors are quickly adapting to the new landscape. Defense in depth must be implemented by service providers as zero day exploits are released. 3rd party DoS/DDoS monitoring and reporting will be adopted by service providers as reaction times have gone from days to few minutes. Preparation is the key for service providers to mitigate attacks as they happen. The Internet is maturing as companies become more dependent on its use. Customers are beginning to expect the same reliability from the Internet as other critical infrastructures: PSTN, power and water. Vendors and service providers are meeting the challenge head on with a high level of cooperation and innovation.

References
SETI@home. Search for Extraterrestrial Intelligence (SETI). http: //setiathome.ssl.berkeley.edu/, 2003. CERT. TCP SYN flooding and IP spoofing attacks. Advisory CA-96.21, September 1996.

[2]

[3] Sven Dietrich, Neil Long, and David Dittrich. Analyzing ditributed denial of service attack tools: The Shaft case. In 14th Systems Administration Conference, LISA 2000, 2000. [4] Dave Dittrich. Distributed Denial of Service (DDoS) attacks/tools resource page. http://staff. washington.edu/dittrich/misc/ddos/, 2003. [5] CERT. TCP SYN Flooding and IP Spoofing Attacks. Advisory CA96.21, September 1996. [6] [7] Vern Paxson. An Analysis of Using Reflectors for Distributed Denial-ofService Attacks. Computer Communication Review, 2001. Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Network Support for IP Traceback. ACM/IEEE Transactions on Networking, 9(3), June 2001.

Transparent Traffic Shield (Sinkhole)

It can be implemented on the outermost layer of the core network where all the network traffic goes through, it can behave like passive IDS/IPS and can analyze the behavious of the traffic flow. It can be configured to statically match the log results and detect the unexpected behaviour immediately. After the detection the IP or the block of IPs are blocked for further communication. It can also be configured to check the headers for the reflexed packets originating from other networks. It can be used to direct and trap traffic in a service providers network. It can monitor the scanning of bogon or dark IP space for worms, viruses or probing activity. It can also be used to redirect an attack against a customer to the sinkhole for traffic analysis. Sinkhole techniques can by used in conjunction with black hole filtering to analyze spoofed DoS/DDoS attacks.

[8] Mike Kristovich. Multi-vendor Game Server DDoS Vulnerability. http://www.pivx.com/kristovich/adv/mk001/, November 2002