Distributed Denial Of Service DDOS Attack Computer Science Essay
Information technology is an exciting and emerging day by day technology which requires communication systems for data and services exchange. As nowadays every services and products uses computer and internet as a medium to interchange data or money in an open internet, hence prone to vulnerabilities. Distributed Denial of Service (DDoS) attack is an attack to the availability of the resources available, so that authenticated users do not use those resources. This paper intended to explore the existing threats and vulnerabilities of DDoS with possible solutions and recommendations plus overview and architecture methodology of this kind of attack.
Confidentiality, Integrity and Availability are the three main features of the any computer network communication systems. DDoS which is a subset of Denial of service (DoS) attack, which result in overwhelming the victim machine and deny the services to its legitimate users results in Unavailability of the resources and services for concern clients. Some examples are smurf attack, SYN & UDP floods and ping of death. DDoS is a type of DoS attack but uses distributed computers from different location to attack on a particular victim may be a server or client which results into the stopping of its functionality to provide services, hence unavailability of the server ultimately results loss in monetary plus status of the organization. It works by flooding all the network of the given organization with unwanted traffic, the first well known DDoS was identified in 2000 on yahoo.com which goes down to around two hours. The DDoS is a result of weakness of internet which prone to several vulnerabilities as internet was designed only for functionality but not concern about any security. As internet is an open network everything is open and is shared among authenticated users. Another big problem is that it is not centralized network different organization, different countries have their own rules and regulation regarding internet.
DDoS Layer Involved
The DDoS attack mainly occurs in three layers of the OSI model which are layer 3 (Network) layer 4 (transport) and layer 7 (application). In transport layer what exactly happens is that attacker uses a forged IP address to request for connection so in typical connection, 3 way TCP handshake is done but in this attack it does not complete 3 way handshake but send connection request over and over server reserves resources for each attempt and results in out of connection requires for the legitimate users. In network layer it includes ping of death and ICMP requests, where as in application layer is kind of effective DDoS attack and hard to detect because it passes the 3 way handshake and treated as authenticated user to the concern server, so attacker requests a large amount of data continuously through HTTP and results in avoiding its legitimate users as got busy with those false requests. In DDoS attack a combination of those three layers results in an effective attack that results in some really drastic effects.
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data link Layer
Physical Layer
Fig: 1-Layers Involved in DDoS
DDoS Architecture
The main purpose of DDoS attack is to overwhelm the related server and makes it down, it can be for benefit or for fun only but in both case legitimate clients suffered as bandwidth, resources, memory and CPU got wasted. DDoS attack architecture consists of hierarchy pattern to attack; the four main components of DDoS are as follows:
Attacker
Master Machines/Handler
Zombie Machines
Victim
First of all attacker scans thousands of computers on the internet independent of the origin of the systems for known vulnerabilities that is which have minimum security aspect on the computer and makes Master machines or handlers, its consists of more than two systems to many depends upon how sophisticated is attack, after making handlers rest scans for the vulnerable systems is done by these handlers, which results in thousands of zombies across the globe without knowledge of concern users and when these zombies are ready attacker can execute for attack and makes the victim down.
Attacker
Master Machines/Handlers
Zombie Machines
Victim
Fig: 2- DDoS Architecture
As seen from the above figure attacker takes control of one or more than one masters which then take control over thousands zombies and when triggered at a specific time these zombies flood the victim. These attack results with the use of some tools (software or malware) which to be install on the masters and zombies so that attacker can take controls through these tools and monopoly the systems. Here above the communication between attacker and master machines is done through TCP protocol whereas between master machines to zombie and zombie machines to victim use UDP protocol for communication, as UDP is unreliable protocol so does not hold any state and results in no trace back, it uses TCP for initial communication because it needs to organize other subordinates with master machines.
DDoS Tools
The tools used by DDoS attack are very sophisticated as it runs in background or in foreground with the systems program name and is not visible or very hard to detect by administrators. Trin00, tribal flood network, stacheldraht, tribal flood network 2000, trinity, wintrin00, MStream and etc are the examples of such kind of tools used in DDoS attack, by this tools attacker installed and executes accordingly. It also helps him to facilitates co ordination between masters and zombie, and execute timer also to bombards at a fixed time, so that all zombies attacks the victim. Trin00 scans for buffer overflows in systems and install attack shell daemon through remote shell, it communicate through unencrypted UDP. In tribal flood network, it installs the daemon which carries out the multiple attacks like ICMP flood, UDP flood, SYN flood, communication done through ICMP ECHO and REPLY. List of zombies daemon IP address is encrypted in later version of TFN. Stacheldraht uses the combination of trin00 and TFN. Encryption takes place between attacker and master’s communication and attacks are similar to TFN. Trinity floods through UDP, SYN, and ACK through Internet Relay Chat (IRC) has a backdoor program which monitors TCP port. MStream uses forged TCP packets with ACK flag set, it uses TCP and UDP floods with no encryption in between but master machines are kept password protected. Beside these tools various other program and tools are readily available for such kind of attack which leaves no residue to trace back.
DDoS Types
DDoS are acts differently but mainly classified in two main categories according to their attack pattern which are as follows:
Bandwidth Depletion attack
Resource Depletion attack
In bandwidth depletion attack the main targeted area is the bandwidth of the concern victim by overwhelming with unwanted traffic more than 10 Gbps (It depends) and prevents the legitimate users from gaining access for the services. Some examples of such attacks are UDP flood, ping flood, Smurf and reflection attacks which bombards with unwanted traffic to make unavailability of the services. Whereas in resource depletion attack, the main concern area are the resources available. This attack leads to the out of resource available for the concern users by TCP SYN attack, PUSH ACK attack, Teardrop attack. These attacks through the requests like SYN to the concern server which in return reserves resources for this request, but attacker bombards the same again and again and hence server goes out resources.
DDoS Detection
The very first question about this attack is that, how to know if DDoS attack happened in any organization or in any machine. So following are some ways to know if it occurs:
Performance of CPU, Memory and bandwidth degrades abnormally.
Services become unavailable or partially available.
Cannot access given resources properly.
These above are preliminary steps to know the DDoS attack. It can be monitor through the continuously analyzing of the systems.
DDoS Defense
Practically speaking it is impossible to prevent DDoS attack but what we can do is to reduce its effect or tries to make security strong as much as possible. The following are very basic defense mechanism against DDoS attacks are:
Prevention
Detection
Classification
Justifying
Tracing back
The first phase called prevention which means to prevent from DDoS attack as much as possible that is to prevent itself to be part of the attack architecture, so not to become handler. It is done through the continuous monitor of the systems but every user is not aware of the security issues. The second phase describes to know that if the systems are under attack by verifying abnormal activities like CPU or bandwidth uses, it can done through firewalls or routers. The third phase is classification of the detected attack according to its prototypes like IP Addresses, protocol used and packet type used; it can be done through the use of Intrusion Detection System for future countermeasure. The fourth mechanism is justifying the detected attack that is how to deal with the known or detected attack one way is to block the whole traffic from those addresses by using access control list on gateways or react accordingly another approach is to trace back the detected packet so that source can be identified. The final part of our defense mechanism is trace back which will be covered in later section of this paper.
DDoS trace back
DDoS trace back is possible to zombies only but may be if done in proper way can leads to the attacker, chances are very rare as it is independent of the location. Some of the methods are as follows:
Link Testing
Controlled Flooding
ICMP Trace back
IP Trace back
In link testing, when attack is in progress routers can co ordinates with each other to determines which router originated the attack traffic and can trace to the upstream but requires inter ISP co operations as different connections are maintained by different ISP. Whereas in controlled flooding it floods each incoming links of the router to determines the source but needs router co operation and better network map, similarly in ICMP and IP trace back a reverse path is generated to identify the source but path can be long and packet format space is limited to cope.
DDoS Security measures
As currently various research are going on to stop DDoS attack and it may takes time but DDoS becoming deadly day by day and is considered second in financial losses due to attack after viruses but comparison to virus it is very new and have vast effect with no remedy. So only option we got is to make it harder for attacker to penetrate into the systems, and following are some security precaution we should follow:
Install and update continuously antivirus and spyware software from trusted authority and run regularly.
Patches the security components of the systems continuously and be always ready for up gradation of systems.
A well set network infrastructure with proper installation of firewalls and routers with appropriate policies, so that unwanted traffic and organization traffic can be separated clearly.
Filters incoming traffic on routers or rate-limit certain types of traffic like ICMP and SYN packets.
Monitors continuously incoming and outgoing packets and if some abnormality seen then react accordingly.
Use Network Address Translation (NAT) to hide internal IP addresses.
Use Intrusion detection systems (IDS) implement host based IDS plus network based IDS in a mix pattern to filter and detect abnormalities in the network.
Egress and Ingress filtering, these are filtering mechanism implement on IP traffic. Egress sets the ranges of IPs leaving the organization’s network whereas in ingress a set of IP address ranges are allowed to move into the network.
Using of SYN and RST cookies to verifies both communication parties with the help of cookies, so that legitimate clients can access the resources.
Use a proxy server in between the network so that a request goes via proxy to server and proxy filters it according the rules implemented on it.
Implement Honeypots systems, these are the systems in an organization with open security and are separated with internal network to know the attack pattern.
At last but not least literate the users or clients about the security concerns.
Conclusion
DDoS Attack is an attack on availability of the resources and services which results in financial losses, loss of organization reputation, and disturbance in work flow environment. The bitter truth is that the security technologies like firewall, routers and IDS are very week to prevent DDoS as it cannot differentiate between original and fake traffic. Another factor is that it uses IP spoofing, difficult to verify with original packets plus the routing involved is stateless. Hence results in very strong attack.
In this paper we have gone through the DDoS overview with its architecture layouts plus types and tools involved in DDoS attack. We have highlighted the DDoS detection part and visualize the security aspects and implementation to safeguard the assets against such attack plus a brief summary to how to trace back.
To compete with DDoS one way effort cannot prevent or defeat it, it needs all round support to tackle with it like among different internet communities, different countries to enforce such laws and regulation strictly to cope with it.
suggestions
DDoS is a newer and disastrous attack, so to prevent it I would suggest that very carefully implement DDoS security measures which are defined above. Beside these IPSec and SSL/TLS protocols implementation can helps a lot to prevent. VPNs can be added for secure channel communications. Use Mozilla Firefox as browser instead of others.
Order Now