Abstract

The number of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on the Internet has risen sharply in the last several years. Service providers are routinely expected to prevent, monitor and mitigate these types of attacks, which occur daily on their networks. This paper discusses the most common types of DoS/DDoS attacks seen on the Internet and ways that service providers can prevent or mitigate damage from these threats.
have given rise to a new type of DoS classification: the distributed DoS attack (DDoS). Fig. 1 shows a reflective DDoS attack on the infrastructure.

For example, an attacker who could compromise the popular Folding@Home [1] distributed computation software, or any popular P2P client, would be able to harness several hundred thousand hosts to generate traffic for an attack. This can cause serious service disruption lasting from one minute to several hours or even days.

Hackers have changed the tools required for core service providers to deal effectively with payload propagation. With 60% of the vulnerable hosts infected within the first 20 minutes of release and an infection doubling time of 6.5 seconds, service providers must have semi-automated techniques at their disposal to mitigate a large-scale Internet event in a matter of minutes, instead of hours or days.

Keywords: Security, system design, distributed denial of service defense, DDoS.
I. INTRODUCTION
The weakness of the current Internet infrastructure that facilitates DDoS attacks is the inability of a packet recipient to authenticate the packet's claimed source IP address. In other words, an attacker can intentionally modify, or spoof, the source address of the packets it sends from a compromised host. Two examples of DDoS attacks that rely on IP address spoofing are:

TCP SYN Flooding: In this attack, an attacker sends TCP SYN packets as if to initiate a TCP connection with its victim. These SYN packets contain spoofed source IP addresses, which cause the victim to waste resources on half-open TCP connections that the attacker will never complete [5].

Reflector Attack: In this attack, described by Paxson [6], the attacker attempts to overwhelm the victim with traffic by using intermediate servers to amplify the attacker's bandwidth and/or hide the attacker's origin. The attacker simply sends requests to the intermediate server with a spoofed source IP address matching the victim's IP address. The intermediate server only sees a number of requests that appear to come from the victim, and so sends its responses to the victim. When properly coordinated, a group of attackers can cause a flood of packets to hit the victim without sending any packets directly to the victim itself. To amplify the traffic, the attacker selects intermediate servers whose responses to the spoofed requests are larger than the requests themselves. For example, in DNS server based reflector attacks, attackers send short DNS lookup requests (50 bytes each) whose replies can be over a thousand bytes long, giving the attacker a 20-fold traffic amplification. Other popular reflectors are Internet game servers, where attackers can use similar methods to gain two orders of magnitude of traffic amplification [8]. This type of attack uses a large amount of bandwidth and packet flooding to take down the target network. It is also very difficult to trace because the attackers forge the packets' source addresses.
TCP SYN

The TCP SYN flood attack is a protocol violation attack that is used in several variations. In the simplest case, an attacker sends the first packet (with the SYN bit set) of the well-known TCP three-way handshake. The victim responds with the second packet, with the SYN and ACK bits set, back to the source address. The attacker never responds to the reply packet, either on purpose or because the source address of the packet is forged (for example with Hping, GSpoof, etc.). In the original attack, the victim's TCP receive queues would be filled up, denying new TCP connections. A variation of this attack uses public servers as a reflective medium to flood the victim with TCP SYN ACK packets. In this case, the attacker spoofs the source address of the TCP SYN packet with the victim's address. The packet is sent to a public server (such as an HTTP server). The server sends a TCP SYN ACK packet to the victim's host. The victim, having not sent the original packet, either ignores the packet or sends a TCP RST packet. The technique can achieve amplification factors of 3 to 5 times through the retry packets sent by the reflection servers. With this technique, there are at most 65536 open TCP connections (16 bits for the source port, and the attack is done on only one destination port). A better technique an attacker can implement is to spoof the source IP address as well, and thereby have many more connections for an efficient DDoS attack. Some open-source software, such as packETH, can be used cross-platform to craft such packets.

Any client wishing to contact a server over a privileged channel must first complete a handshake protocol to obtain a capability to insert into its privileged packets, and vice versa for the server's communication with the client. A single handshake is sufficient to provide both sides of a communication with their capabilities. The protocol is shown in Fig. 3 below.
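Both variants of the SYN flood described above leave a trace a monitoring point can count: half-open connections that never complete, and SYN ACKs arriving at hosts that never sent a SYN. The tracker below is an added example (not the paper's code) that replays a constructed packet trace through that logic; the backlog size and all addresses are assumptions made for the demonstration.

```python
from collections import defaultdict

BACKLOG = 3   # assumed listen backlog for the demonstration (real servers use hundreds)

# Constructed packet records (not captured data): (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # a normal handshake completes and releases its backlog slot
    ("192.0.2.10", 5000, "198.51.100.80", 80, "S"),
    ("198.51.100.80", 80, "192.0.2.10", 5000, "SA"),
    ("192.0.2.10", 5000, "198.51.100.80", 80, "A"),
    # spoofed SYNs from sources that never answer the SYN ACK
    ("203.0.113.1", 6001, "198.51.100.80", 80, "S"),
    ("198.51.100.80", 80, "203.0.113.1", 6001, "SA"),
    ("203.0.113.2", 6002, "198.51.100.80", 80, "S"),
    ("198.51.100.80", 80, "203.0.113.2", 6002, "SA"),
    ("203.0.113.3", 6003, "198.51.100.80", 80, "S"),
    ("198.51.100.80", 80, "203.0.113.3", 6003, "SA"),
    ("203.0.113.4", 6004, "198.51.100.80", 80, "S"),
    # reflected SYN ACK: 192.0.2.99 never sent a SYN to this mail server
    ("198.51.100.25", 25, "192.0.2.99", 7000, "SA"),
]


class HalfOpenTracker:
    """Model the victim's view: which handshakes are still waiting for the final ACK."""

    def __init__(self):
        self.pending = defaultdict(dict)   # (server, port) -> {(client, cport): True}
        self.sent_syn = set()              # (client, cport, server, sport) for every SYN seen
        self.unsolicited_synack = []       # (reflector, target) pairs

    def observe(self, src, sport, dst, dport, flags):
        if flags == "S":
            self.pending[(dst, dport)][(src, sport)] = True
            self.sent_syn.add((src, sport, dst, dport))
        elif flags == "SA":
            # a SYN ACK whose receiver never sent the matching SYN is the reflection variant
            if (dst, dport, src, sport) not in self.sent_syn:
                self.unsolicited_synack.append((src, dst))
        elif flags in ("A", "R"):
            # third handshake packet or a reset: the half-open entry is released
            self.pending[(dst, dport)].pop((src, sport), None)

    def half_open(self, server, port):
        return len(self.pending[(server, port)])


def analyse(packets, backlog=BACKLOG):
    """Return (alerts for listeners whose half-open count exceeds the backlog, unsolicited SYN ACKs)."""
    tracker = HalfOpenTracker()
    for pkt in packets:
        tracker.observe(*pkt)
    alerts = {}
    for (server, port), clients in tracker.pending.items():
        if len(clients) > backlog:
            alerts[(server, port)] = {
                "half_open": len(clients),
                "sources": len({client for client, _ in clients}),
            }
    return alerts, tracker.unsolicited_synack


if __name__ == "__main__":
    alerts, reflected = analyse(SAMPLE_PACKETS)
    print("backlog exhaustion:", alerts)
    print("reflected SYN ACKs:", reflected)
```

The completed handshake from the first client never counts against the backlog, while the four spoofed SYNs push the listener past the assumed limit; the lone SYN ACK to a host that sent no SYN is reported separately, which is the signal for the reflective variant. A real deployment would age entries out after the SYN ACK retransmission timer expires rather than keeping them forever.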
ARP Poisoning
Address Resolution Protocol (ARP) poisoning attacks require the attacker to have access to the victim's LAN. The attacker deceives the hosts of a specific LAN by providing them with wrong MAC addresses for hosts with already-known IP addresses. The attacker achieves this through the following process: the network is monitored for ARP "who-has" requests. As soon as such a request is seen, the attacker tries to respond as quickly as possible to the requesting host in order to mislead it about the requested address. This changes the dynamic ARP entries in the host.
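Because the attack works by racing the genuine answer, a passive monitor on the LAN sees the tell-tale signs: two replies for one request carrying different MAC addresses for the same IP, or replies that no host asked for. The watcher below is an added example, not part of the paper; the ARP trace and addresses are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed ARP trace (not captured data): (op, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    ("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ("reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),   # genuine gateway answer
    ("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ("reply", "10.0.0.1", "bb:bb:bb:bb:bb:bb", "10.0.0.5"),   # second answer, different MAC
    ("reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),   # the real gateway, slightly later
    ("reply", "10.0.0.7", "cc:cc:cc:cc:cc:07", "10.0.0.5"),   # reply nobody asked for
]


class ArpWatch:
    """Passive ARP monitor: remembers the first MAC learned per IP and who asked for what."""

    def __init__(self):
        self.table = {}                       # ip -> mac first learned
        self.outstanding = defaultdict(set)   # requested ip -> set of hosts that asked
        self.alerts = []

    def observe(self, op, sender_ip, sender_mac, target_ip):
        if op == "request":
            self.outstanding[target_ip].add(sender_ip)
            return
        # A reply asserts "sender_ip is at sender_mac" toward target_ip.
        # Requests are deliberately not cleared on the first reply: a poisoner races the
        # genuine host, so the second reply for the same request is exactly what we want to see.
        if target_ip not in self.outstanding[sender_ip]:
            self.alerts.append(("unsolicited_reply", sender_ip, sender_mac))
        known = self.table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            self.alerts.append(("mapping_changed", sender_ip, known, sender_mac))


def scan(events):
    """Run the trace through the monitor and return the alerts it raised, in order."""
    watcher = ArpWatch()
    for event in events:
        watcher.observe(*event)
    return watcher.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP):
        print(alert)
```

The first alert fires when the gateway's IP suddenly resolves to a second MAC, the second when a host answers a question nobody asked. Static ARP entries for critical hosts (the gateway above all) remove the dynamic entry the attack depends on, and switch features such as dynamic ARP inspection apply the same comparison in hardware.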
BACK
This attack is launched against an Apache web server, which is flooded with requests containing a large number of forward slash (/) characters in the URL. As the server tries to process all these requests, it becomes unable to process other legitimate requests and hence denies service to its customers.
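The request shape described above is easy to pick out of the web server's own access log. The following log scanner is an added example, not the paper's code; the log lines and the slash threshold are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed Apache common-log-format lines (not real server data)
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [10/Oct/2003:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.7 - - [10/Oct/2003:13:55:37 +0000] "GET ' + "/" * 40 + ' HTTP/1.0" 400 0',
    '203.0.113.7 - - [10/Oct/2003:13:55:37 +0000] "GET ' + "/" * 40 + ' HTTP/1.0" 400 0',
    '192.0.2.11 - - [10/Oct/2003:13:55:38 +0000] "GET /a/b/c/d.html HTTP/1.0" 200 512',
    'a garbled line that does not parse and is skipped',
])

# client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
MAX_SLASHES = 20   # assumed threshold; legitimate paths rarely contain more than a handful


def slash_flood_sources(log_text, max_slashes=MAX_SLASHES):
    """Count, per client IP, requests whose path holds more than max_slashes '/' characters."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue   # unparseable line: skip rather than crash the scanner
        if match.group("path").count("/") > max_slashes:
            hits[match.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in slash_flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} slash-flood requests")
```

The same count can be applied in line at the server, for example by a request-filtering module that rejects paths above the threshold before the core request processing runs, which is cheaper than logging and reacting afterwards.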
TTL EXPIRATION

The TTL expiration attack relies on ICMP control messages to flood the victim. In this attack, the source address is forged to match the victim's address. The TTL for the packet is set to a low value that will expire in transit at a high-speed router. When the TTL of the packet reaches zero, the router drops the packet and sends an ICMP TTL expired message to the source address, in this case the victim's site. Since TTL expiration is often done on the line card in an ASIC, this can be an extremely fast reflective medium. The best defense for this type of attack is rate limiting ICMP on all routers in the service provider's network. Some network equipment vendors are now offering the ability to turn off TTL expiration processing, with the side effect of breaking traceroute.

Prevention techniques

ICMP Packet Flow Analysis

An attacker could determine its capability by simply sending a packet designed to produce an ICMP error message at a router between the victim and the ISP's border routers (for example, a TTL expiration). The ICMP error packet sent by the router will include in its payload the IP header and the first 8 bytes of the payload of the original packet, thus returning to the attacker the capability that will bypass the ISP's border routers. An approach to prevent this attack is to have all the border routers of the ISP's network monitor outbound ICMP error messages and remove the contents of the marking field in messages that contain EXP packets. Although this may degrade performance on border routers, ICMP has a simple header, so packet inspection can be implemented in hardware. ICMP attacks are not a problem for full-ISP deployment because capability-enabled routers can be programmed to mask out the marking field of all EXP packets before they are encapsulated in ICMP error packets.

PACKET INJECTION / TRACE

Packet injection can be used to define and inject IP-based network traffic into an IPv4 or IPv6 network. Network administrators or testers have the ability to define essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can be valuable in a number of ways, including testing firewalls and intrusion detection systems, simulating traffic flow, and general TCP/IP auditing for DDoS analysis and the implementation of defensive policies against unwanted overload. It can also provide statistical analysis of the complete protocol-wise result, parsed into XML or any other compatible format.
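Two of the defenses above act on the same packet, the ICMP error a router emits when a TTL expires: the TTL expiration section calls for rate limiting those errors, and the ICMP packet flow analysis section calls for border routers to blank the capability mark inside the quoted original packet before it leaves the network. The following Python model of a border router's ICMP handling is an added example and not the paper's code. The paper does not say where the EXP mark is carried, so the example assumes it sits in the quoted IP header's Identification field and that EXP packets are identified by an assumed TOS value; the addresses, the rate-limit parameters and the packets are all constructed.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, tos=0, ident=0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_time_exceeded(router: bytes, victim: bytes, quoted: bytes) -> bytes:
    """What a router emits on TTL expiry: outer IP header + ICMP type 11 + the offending packet's
    IP header and first 8 payload bytes (the part that leaks the capability)."""
    body = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(router, victim, 1, len(body)) + body


EXP_TOS = 0x04     # ASSUMPTION: TOS value that marks an EXP (capability-carrying) packet
MARK_OFFSET = 4    # ASSUMPTION: the mark lives in the quoted header's 16-bit Identification field
MARK_LEN = 2


def scrub_icmp_error(pkt: bytes) -> bytes:
    """Border-router filter: zero the mark inside the quoted EXP packet and fix the ICMP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp[0] not in (3, 11, 12):            # only error messages quote the offending packet
        return pkt
    quoted = bytearray(icmp[8:])
    if len(quoted) < 20 or quoted[1] != EXP_TOS:
        return pkt                            # not an EXP packet, nothing to hide
    quoted[MARK_OFFSET:MARK_OFFSET + MARK_LEN] = b"\x00" * MARK_LEN
    new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + bytes(quoted)
    new_icmp = new_icmp[:2] + struct.pack("!H", checksum(new_icmp)) + new_icmp[4:]
    return pkt[:ihl] + new_icmp               # outer IP checksum covers only its header: unchanged


def quoted_mark(pkt: bytes) -> int:
    """Read back the mark field from the quoted packet inside an ICMP error (for checking)."""
    ihl = (pkt[0] & 0x0F) * 4
    quoted = pkt[ihl + 8:]
    return struct.unpack("!H", quoted[MARK_OFFSET:MARK_OFFSET + MARK_LEN])[0]


def icmp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[ihl:]) == 0           # a correct checksum verifies to zero


class TokenBucket:
    """Rate limit for ICMP errors: at most `rate` per second with a burst of `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limited_errors(timestamps, rate=2.0, burst=2):
    """How many ICMP errors the router actually emits for expiries at the given times (seconds)."""
    bucket = TokenBucket(rate, burst)
    return sum(1 for t in timestamps if bucket.allow(t))


# Constructed demo: an EXP packet from 192.0.2.1 to 198.51.100.10 carrying mark 0xBEEF expires
# at router 10.0.0.1, which quotes it back to the (possibly spoofed) source address.
ATTACKER_PKT = ipv4_header(b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x0a", 17, 8,
                           tos=EXP_TOS, ident=0xBEEF) + bytes(range(1, 9))
ERROR_PKT = icmp_time_exceeded(b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01", ATTACKER_PKT)

if __name__ == "__main__":
    print("mark before scrub: %#06x" % quoted_mark(ERROR_PKT))
    print("mark after scrub:  %#06x" % quoted_mark(scrub_icmp_error(ERROR_PKT)))
    print("errors emitted for 4 expiries in one burst plus one a second later:",
          rate_limited_errors([0.0, 0.0, 0.0, 0.0, 1.0]))
```

The scrubber touches only the quoted header, so the error remains a valid ICMP message for troubleshooting tools (traceroute still works), which is the advantage over disabling TTL expiration processing altogether; the token bucket bounds how fast a line card can be turned into a reflector regardless of how many expiring packets arrive.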
Control plane attacks are directed against the control plane of network elements, such as routers and switches. They are usually aimed at dynamic routing protocols such as BGP, OSPF, and EIGRP. IS-IS is not as vulnerable to public attacks because it runs over the OSI protocol stack instead of the TCP/IP protocol stack and is an IGP routing protocol. Direct DoS/DDoS attacks against the routing protocols can lead to regional outages. Another form of attack, malicious route injection, can lead to DoS attacks, traffic redirection, prefix hijacking, and AS hijacking. Prefix and AS hijacking are rare but becoming more common with hardcore SPAM operators.

Protection of the management and control planes is critical for the successful operation of an ISP. It is easier to discuss both topics together because the router configuration to protect both is similar in many ways. Authenticated and encrypted protocols are preferred for router management, and management protocols must be accepted only from trusted hosts. Steps to protect the control plane include protection of the route engine using filters, and authentication and integrity verification of routing protocol updates, by implementing active filters in the OSPF and BGP protocol handlers of the routing device. During routing table updates between border gateway routers or intranet grid routers, an MD5 hash value can be included in the update packets to prevent unauthorized routing entries from reaching the gateway router. Routers can exchange and share a pre-shared key (PSK) for authentication of the update packets.
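The authenticated update mechanism described in the last two sentences works by attaching a keyed digest that only holders of the pre-shared key can produce, plus a sequence number so that a captured valid update cannot simply be replayed. The model below is an added example, not the paper's code or any router's implementation; it uses the OSPF-style construction (RFC 2328 Appendix D: MD5 over the message followed by the 16-byte key), and the key, prefixes and the JSON message format are constructed for the demonstration.

```python
import hashlib
import hmac
import json

PSK = b"example-pre-shared-key"   # constructed key; real routers get this out of band


def _keyed_md5(message: bytes, key: bytes) -> bytes:
    """OSPF-style cryptographic authentication: MD5 over message || key, key padded/cut to 16 bytes.
    MD5 is what the paper names; newer deployments use the same shape with HMAC-SHA."""
    return hashlib.md5(message + key.ljust(16, b"\x00")[:16]).digest()


def sign_update(prefixes, seq: int, key: bytes = PSK) -> bytes:
    """Produce a routing update: compact JSON body (prefix list + sequence number) + 16-byte digest."""
    body = json.dumps({"seq": seq, "prefixes": sorted(prefixes)}, separators=(",", ":")).encode()
    return body + _keyed_md5(body, key)


class Peer:
    """Receiving router: installs prefixes only from updates whose digest and sequence check out."""

    def __init__(self, key: bytes = PSK):
        self.key = key
        self.last_seq = -1        # highest sequence number accepted so far
        self.rib = set()          # prefixes learned from authenticated updates

    def accept(self, update: bytes) -> bool:
        body, digest = update[:-16], update[-16:]
        # constant-time compare so digest verification does not leak via timing
        if not hmac.compare_digest(digest, _keyed_md5(body, self.key)):
            return False          # forged or tampered: a filter drops it at the protocol handler
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return False          # replay of an older (but genuinely signed) update
        self.last_seq = msg["seq"]
        self.rib.update(msg["prefixes"])
        return True


def tamper(update: bytes, old: str, new: str) -> bytes:
    """Simulate an on-path modification of the prefix list by someone without the key."""
    return update.replace(old.encode(), new.encode())


if __name__ == "__main__":
    peer = Peer()
    genuine = sign_update(["10.0.0.0/8"], seq=1)
    print("genuine update accepted:", peer.accept(genuine))
    print("replayed update accepted:", peer.accept(genuine))
    print("tampered update accepted:", peer.accept(tamper(sign_update(["10.0.0.0/8"], 2),
                                                            "10.0.0.0/8", "10.0.0.0/7")))
    print("learned prefixes:", sorted(peer.rib))
```

Injected or altered prefixes fail the digest check, and a replayed capture fails the sequence check, which together are the two properties the paper's filters need; the key itself must still be distributed and rotated out of band, since anyone holding it can sign updates.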
Conclusion
Newer attack techniques will continue to advance and the number of software vulnerabilities will continue to increase, regardless of the Internet boom. Internet worms that previously took days or weeks to spread now take minutes. Service providers and vendors are quickly adapting to the new landscape. Defense in depth must be implemented by service providers as zero-day exploits are released. Third-party DoS/DDoS monitoring and reporting will be adopted by service providers as reaction times have gone from days to a few minutes. Preparation is the key for service providers to mitigate attacks as they happen. The Internet is maturing as companies become more dependent on its use. Customers are beginning to expect the same reliability from the Internet as from other critical infrastructures: PSTN, power and water. Vendors and service providers are meeting the challenge head on with a high level of cooperation and innovation.
References

[1] SETI@home. Search for Extraterrestrial Intelligence (SETI). http://setiathome.ssl.berkeley.edu/, 2003.
[2] CERT. TCP SYN flooding and IP spoofing attacks. Advisory CA-96.21, September 1996.
[3] Sven Dietrich, Neil Long, and David Dittrich. Analyzing distributed denial of service attack tools: The Shaft case. In 14th Systems Administration Conference, LISA 2000, 2000.
[4] Dave Dittrich. Distributed Denial of Service (DDoS) attacks/tools resource page. http://staff.washington.edu/dittrich/misc/ddos/, 2003.
[5] CERT. TCP SYN Flooding and IP Spoofing Attacks. Advisory CA-96.21, September 1996.
[6] Vern Paxson. An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks. Computer Communication Review, 2001.
[7] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Network Support for IP Traceback. ACM/IEEE Transactions on Networking, 9(3), June 2001.
[8] Mike Kristovich. Multi-vendor Game Server DDoS Vulnerability. http://www.pivx.com/kristovich/adv/mk001/, November 2002.