Available ONLINE www.visualsoftindia.com/journal.html
VSRD-IJCSIT, Vol. 1 (1), 2011, 1-8
R RE ES SE EA AR RC CH H A AR RT TIIC CLLE E
Distributed Denial of Service Attacks Prevention 1
Reeta Mishra*, 2Amit Asthana and 3Jayant Shekhar
ABSTRACT Distributed Denial of Service (DDoS) attacks based on IP source address filtering. A DDoS attack can easily fake its source address (known as “spoofing”), which disguises the true origin of the attack. Distributed Denial of Service (DDoS) attacks have become a real threat to the security of the Internet. Defending against those types of attacks is not a trivial job, mainly due to the use of IP spoofing and the destination-based routing of the Internet. A significant number of solutions have been proposed, but none -to our knowledge- is able to stop an intense attack. Keywords : DDOS attacks, general attack classification, possible risk,type of DDOS attack, prevention from attack, type of DDOS attack.
1. INTRODUCTION Early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple comprised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. Distributed Denial of Service (DDoS) attacks have become more sophisticated in the last several years as the level of attack automation has increased. Sample and fully functional attack software is readily available on the Internet. Precompiled and ready to use programs allow novice users to launch relatively large scale attacks with little knowledge of the underlying security exploits. The advent of remote controlled networks of computers used to launch attacks has changed the landscape and methods that a service provider must use. In the past year, Black Hats have taken theoretical optimizations in worm propagation and applied them to the fastest spreading worm today. Distributed Denial of Service (DDoS) attacks are becoming an increasingly frequent disturbance of the global Internet.They are very hard to defend against because these attacks consume.resources at the network and transport layers, where it is difficult to authenticate whether an access is genuine or malicious. There are two aims for DDoS attacks. The first is to ____________________________ 1
Research Scholar, Department of Computer Science, Subharti Institute of Technology & Engineering, Meerut, Uttar Pradesh, INDIA. 2Assistant Professor, Department of Computer Science, Subharti Institute of Technology & Engineering, Meerut, Uttar Pradesh, INDIA. 3Associate Professor, Department of Computer Science, Subharti Institute of Technology & Engineering, Meerut, Uttar Pradesh, INDIA. *Correspondence :
[email protected]
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
consume the resources of the host and second is to consume the bandwidth of the network.Current schemes to protect the resources of the host drop incoming packets according to fields, such as protocol type and port number. However, the disadvantage in doing this is that there is no accurate way to differentiate the normal traffic from the malicious traffic. The normal traffic could be affected by indiscriminately dropping packets.Expectation levels for service providers are also increasing as companies revenues are directly tied to having reliable connectivity to the Internet. The financial industry is especially susceptible to DDoS attacks as millions of consumers move to electronic bill payments, purchases and on-line banking. DDoS monitoring and black hole filtering are becoming entry level requirements for service providers to sell Internet services in the financial industry.
DDoS Attack (or Distributed Denial of Service Attack) is pretty much the same as a DoS- but the difference in results is massive; as its name suggests the DDoS attack is executed using a distributed computing method often referred to as a 'botnet army', the creation process of which involves infecting computers with a form of malware that gives the botnet owner access to the computer somewhat- this cold be anything from simply using the computers connection to flood to total control of the computer - these attacks affect the victims computer -> server more than a regular DoS- because multiple connections are being used against ONE connection, Think of it like a fight, if there is a 1-on-1 fight; the chance of the good guy winning is far higher than if he was being beaten up by several thousand.
1.1. General Attack Classification i) Bandwidth attack intended to overflow and consume resources available to the victim. ii) Protocol attack takes advantage of protocol inherent design.
Page 2 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
iii) Software vulnerability attack attempt to exploit software program design flaw.
1.2. Type of Distributed Denial of Service Attack The various type of DDOS Attack can be classified as the given below:-
1.2.1. Direct flooding attack The simplest case of a DDoS attack is the direct flooding attack. In this case, the attacker sends packets directly from his computer(s) to the victim’s site. In this attack, the source address of the packets may be forged. There are many tools available to allow this type of attack for a variety of protocols including ICMP, UDP and TCP. Some common tools include stream2, synhose, synk7, synsend, and hping2.
1.2.2.
Remote Controlled Network Attacks
Remote controlled network attacks involve the attacker compromising a series of computers and placing an application or agent on the computers. The computer then listens for commands from a central control computer. The compromise of computers can either be done manually or automatically through a worm or virus. Typical control channels include IRC channels, direct port communication or even through ICMP ping packets. Remote controlled attacks are very difficult to trace to the original control computer.
1.2.3.
Reflective Flooding Attacks
Reflective attacks forge the source address of the IP packets with the victim’s IP address and send them to an intermediate host. When the intermediate host sends a reply, it is sent to the victim’s destination address, flooding the victim. Depending on the type of protocol used and the application and configuration involved, amplification factors of 3 to several hundred are possible. Reflective attacks can be difficult to trace to the original attacker because the flood packets are actually sent from intermediate servers. In many types of reflective attacks, the intermediate servers are usually well known, public servers . The victim’s service provider cannot block access to these sites and many times end up blocking all the traffic to the victim’s site to allow other network traffic to get through. Smurf and Fraggle Attacks ICMP TCP SYN UDP ATTACK TTL expiration DRDOS
1.2.4.
Worms
Worms are distinguished from viruses in the fact that a virus requires some form of human intervention to infect a computer where a worm does not. Worms have had the ability to significantly disrupt the normal operation of the Internet since the Morris worm in 1988.Worms can create Internet wide events based on scanning and
Page 3 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
infection traffic volumes (Code Red, Slammer), automated DDoS events (MS Blaster), or by creating zombie networks used to launch large scale DDoS attacks. Worm propagation technology has advanced significantly in the past several years.
1.2.5.
Viruses
Viruses have had a lesser but significant impact on network providers. They are often used today to build large zombie networks. These are usually dire warnings that tell the person to notify all their friends about a fictitious worm, virus, or other situation. Although never a significant Internet problem, these have clogged enterprise email systems and continue to circulate today.
1.2.6.
Protocol Violation Attacks
All attacks could be considered protocol attacks in the sense that the attacker is sending packets in a manner not originally intended. Sometimes this is beneficial to the community as when Van Jacobson developed the trace route program using ICMP return codes from the routers. In many situations, however, this is not the case.Protocol violation attacks are generally referring to attacks that use IP protocols that are not valid or are reserved.
1.2.7.
Fragmentation Attacks
Packet fragmentation can be used in two distinct areas: evasion of IDS detection and as a DoS mechanism. As a DoS mechanism, fragmentation is used to exhaust a system’s resources while trying to reassemble the packets. These types of attacks have occurred against CheckPoint firewalls, Cisco routers and Windows computers
1.2.8.
Network Infrastructure
Attacks directed at network infrastructure can have a serious impact on the overall operation of the Internet. These attacks can create regional or global network outages or slowdowns. Recent attacks against the Internet’s root name servers caused enough concern for an FBI investigation into the attack. It sent a warning signal to the root Name servers operators to fortify the robustness of their infrastructure .Backbone services can cause significant network outages. This would include DNS and to a lesser extent RADIUS. Control Plane Attacks Management Plane Attacks
2. RISK OF DDOS ATTACK 1) DDOS attacks that crash systems or clog networks. While these attacks are unpleasant enough, a new dimension has been added: 2) These attacks can now be launched simultaneously from hundreds of remote-controlled attack servers. These attacks affect the working of several systems as well as network altogether. 3) People can be lied to manipulated, bribed, threatened, harmed, tortured etc, to give up valuable information.
Page 4 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
4) In most humans will breakdown once they are at the “harmed” stage, unless they have been specially trained. 5) In TCP Connection can be easily because in this the port number and sequence number can be correctly predicted by attacker. 6) This attack makes a network service unusable usually by overloading the server or network.
3. PREVENTION Since a DDOS attack it launched from multiple sources, it is often more difficult to detect and block than a DoS attack. To prevent your system and network from becoming a victim of DDOS attacks, many preventative solutions are:
3.1. Policies and Procedures Security policies and procedures should be developed .Security policies are a very important part of a service provider’s overall security architecture and are critical for stopping abusive users. A service provider’s Acceptable Use Policy (AUP) is a key tool for removing abusive customers from their network. Service providers should also establish an Incident Response Team (IRT) that is responsible for responding to attacks.
3.2. New Product/Upgrade Design and Testing The first line of defense is security design and thorough testing of new or significantly Upgraded products, services or platforms before a system is deployed in the production network. Things to consider include: Operating system lockdown and removal of any unnecessary processes, services and software. This should be done via scripts or by checklists preferably developed using industry best practices. Review of system protocols to ensure communication paths are properly authenticated and if necessary encrypted. Scanning of the systems to confirm and mitigate, if necessary, any security risks found. If software source code is available, security source code reviews should be performed to eliminate buffer overflows and other vulnerabilities.
3.3. Patch Management Manual or automated procedures should be in place to address the ever increasing load of patch management on servers and network elements. Care needs to be taken as installation of patches can leave a system open to new or previously mitigated vulnerabilities when configuration files are replaced that were previous secured.
3.4. Scanning/Auditing On-going scanning and auditing of servers and network elements is a critical part of network security management. Configuration management is a difficult task in a large network with hundreds of people making changes on different parts of the network. Scanning should begin by focusing on the most critical network elements and servers from an outsider’s vantage point, from outside any firewalls or router ACLs. This will
Page 5 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
allow operation personnel to address the most critical vulnerabilities first. The number of network elements included in the initial scans should be limited to a reasonable size to allow personnel to fix any issues before expanding the scanning. Scanning should occur at least once a quarter. Typical scanning tools include nmap and nessus. Scanning should include both TCP and UDP ports; however, UDP scanning can take considerably longer, especially if the scanning is done through a firewall. Scanning has been known to break services and even stop servers and network elements from functioning properly.
3.5. uRPF Unicast Reverse Path Forwarding (uRPF) is a technique .which help in Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.uRPF can drop IP packets with spoofed source addresses at the service provider customer’s edge, depending on the method of deployment. URPF only works on the ingress interface.uRPF can be deployed in two basic modes, strict mode and loose mode. In strict mode, the router takes the source address and validates that it has a prefix that exists in the forwarding information base (FIB) for the interface on the router that the packet came in on. It also validates that the route for that address is in the interface adjacency table. Loose mode was designed for use at the ISP-ISP edge for peering applications where best path selection limits the applicability of strict mode. Loose mode only does the first check, ensuring that the source address of the packet has a route prefix in the FIB.This allows packets that have any valid route in the FIB to pass. a) Cisco Implementation b) Juniper Implementation
3.6. Management and Control Plane Protection Protection of the management and control planes is critical for the successful operation of an ISP. It is easier to discuss both topics together because the router configuration to protect both is similar in many ways. Authenticated and encrypted protocols are preferred for router management. Protocols must be accepted only from trusted hosts. Steps to protect the control plane include: protection of the route engine using filters, authentication and integrity verification of routing protocol updates, rate limiting of diagnostic protocols and filtering of routing prefix updates sent from customers and peers a) Router Access b) Router Engine Protection c) Prefix Filtering
3.7. FW/IDS/IPS Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can be useful devices for protecting backbone services. All servers exposed on the Internet should have all non-essential services turned
Page 6 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
off and some type of host based firewall installed on the system. Separate network based firewalls can also be installed but the cost of the systems can outweigh the benefit. If firewalls are deployed, an IDS behind the firewall should be considered to monitor for unauthorized activity. a) DNS Considerations b) Other Services
3.8. Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.
3.9. Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.
3.10.
Use Tripwire or a similar tool to detect changes
in configuration information or other files.
3.11.
Invest in and maintain "hot spares"
machines that can be placed into service quickly in the event that a similar machine is disabled.
3.12.
Invest in redundant and fault-tolerant network configurations.
4. CONCLUSION Attack techniques continue to advance and the number of software vulnerabilities continues to increase, without regard to the dot com bubble bursting. Internet worms that previously took days or weeks to spread now take minutes. Service providers and vendors are quickly adapting to the new landscape. Defense in depth must be practiced by service providers as zero day exploits are released. Prevention is always the best measure. Wide scale deployment of uRPF across service providers’ networks will prevent many attacks seen today from happening. Hardening of the service providers’ infrastructure with full security testing is required for continued operation. Regular scanning and auditing will prevent configuration errors from exposing infrastructure to known attacks. Automated DoS/ DDoS monitoring and reporting will become the standard for service providers as reaction times have gone from days to minutes. Preparation is the key for service providers to mitigate attacks as they happen. The Internet is maturing as companies become more dependent on its use. Customers are beginning to expect the same reliability from the Internet as other critical infrastructures: PSTN, power and water. Vendors and service providers are meeting the challenge head on with a high level of cooperation and innovation.
5. REFERENCES [1] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang and W. Weiss. An Architecture for Differentiated Services, RFC 2475, IETF, December 1998.
Page 7 of 8
Reeta Mishra et. al / VSRD International Journal of CS & IT Vol. 1 (1), 2011
[2] K. Fall and K. Varadhan, eds. The ns Manual. February 2002. Available at http://www.isi.edu/nsnam/ns/nsdocumentation.html. [3] P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing. RFC 2827, May 2000. [4] S. Kent and R. Atkinson. IP Authentication Header. RFC 2402, IETF, November 1998. [5] H. Lee and K. Park. On The Effectiveness of Probabilistic Packet Marking for IP Traceback Under Denial of Service Attack. Proceedings of IEEE INFOCOM 2001, Anchorage, Alaska. April 2001. [6] R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling High Bandwidth Aggregates in the Network. Technical Report (Extended Version), ACIRI and AT&T Labs Research, July 2001. [7] The Network Simulator – ns2. http://www.isi.edu/nsnam/ns/ S. Felix Wu, Lixia Zhang, Dan Massey, and Allison Mankin. Intension-Driven ICMP Trace-Back. Interner Draft,IETF, February 2001. draft-wuitraceintension-00.txt(work in progress). [8] David K. Y. Yau, John C. S. Lui, and Feng Liang. Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In Proceedings of IEEE International Workshop on Quality of Service (IWQoS), Miami Beach, FL, May 2002. Cheswick B., Burch H. The Internet Mapping Project. Lumeta Corporation. Available online: http://research.lumeta.com/ches/map/ [9] Todd
B.
Distributed
Denial
of
Service
Attacks.
18
February
2000.
Available
online:
http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-faq.html [10] Mirkovic J., Martin J., Reiher P. A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. Computer
Science
Department,
University
of
California,
Los
Angeles.
Available
online:
http://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.p [11] [RFC01] “Request for Comments: 3330, Special-Use IPv4 Addresses.” Sep. 2002. 17 Aug. 2003. . [12] [RIV01] “Riverhead Guard.” 20 Aug. 2003. . [13] [SAN01] “The SANS Security Policy Project.” 19 Aug. 2003. . [14] [SEC01] “FW-1 IP Fragmentation vulnerability (remote DoS).” 6 June 2000. Beyond Security. 17 Aug. 2003. . [15] [STA01] Staniford, Stuart, Vern Paxson, and Nicholas Weaver. “How to 0wn the Internet in Your Spare Time.” Proceedings of the 11th Usenet Security Symposium, San Francisco, CA. 5-9 Aug. 2002. USENIX Association. 14 July 2003. .
Page 8 of 8