DDoS Attacks and Defenses Overview

Transcription

1 DDoS Attacks and Defenses Overview Pedro Pinto 1 1 ESTG/IPVC Escola Superior de Tecnologia e Gestão, Intituto Politécnico de Viana do Castelo, Av. do Atlântico, Viana do Castelo, Portugal pedropinto@estg.ipvc.pt 1 INESC Porto INESC Porto, Faculdade de Engenharia, Universidade do Porto Rua Dr. Roberto Frias, 378, Porto, Portugal ppinto@inescporto.pt Abstract. The Denial of Service (DoS) attack has been a subject of study and research for the last two decades. Nowadays, this attack and is mutations as is the Distributed DoS (DDoS) attacks, remain a serious concern by Corporation Security Administrators, Service Providers, Governments, by its power, its easy of use contrasted with the preservation of attacker s anonymity. This paper offer an overview on the attack methods and on detection and defense techniques that have been proposed recently, hoping to give readers and future researchers on the subject a straight view to help better understanding and facing this problem. 1. Introduction Denial of Service attack definition stands for an attack that aims to deny access by legitimate users to shared services or resources (Gligor 1984). This was applied first to operating systems and then to networking environments (Needham 1994). Now, and in this context, when DoS attack traffic comes from multiple sources, it is commonly called a distributed denial of service (DDoS) attack. Since the first appearances (in late 90s) to nowadays, DDoS attacks are a real concern of Corporation Security Administrators, Service Providers, Governments, among others who provide internet services, bringing new issues to active research community on the security topic. This type of attack can be characterized instantaneously as fast, distributed, effective, many often untraceable, and very powerful. For these years, the research community has been organizing and collecting information about this type of attack, the attackers and their targets to better understand and intervene in this problem. Since the first occurrences, the interest is to know better the attacker and its objectives, constitute attack frameworks to help defining attacks and decompose on a set of actions, and finally to prevent this actions to occur or detect ongoing attacks. The expectation is to mitigate the attack power and better adapt methods and systems to respond to this threat in the future. Recent academic community efforts in this subject can be separated and evaluated in three stages, the attack identification or taxonomy, the defense methods, including prevention and detection actions and finally, the attack reaction and countermeasures. In this context, the main goal of this article is to present recent knowledge on these categories in order to do a systematic analysis of the whole problem.

2 In the next section it is presented a brief review of main attack techniques and related work on the subject. In third section it is presented an overview of detection and defense methods. In fourth section it is presented the main conclusions about all content. 2. DDoS Attacks Overview Since its first appearances, some authors contributed with wide characterization of DoS attacks. Two groups of attacks have been distinguished in (Moore et al. 2001): Logic and Flooding attacks. The first group exploits existing software flaws causing remote servers to crash or substantially degrade in performance. These attacks can be often obfuscated and prevented by either upgrading faulty software or filtering particular packet sequences. The intention of second class attacks (flooding attacks) is overwhelm the victim s CPU, memory, or network resources by sending large numbers of false requests. Same considerations are taken by (Hussain et al. 2003) (Specht 2004), among other references, where can be seen the same characterization pushed from above, but with different names: software exploits and flooding/bandwidth attacks. This second type of attack is difficult to prevent or detect, once that is difficult to separate legitimate from illegitimate traffic. This is the reason that leads many authors to place more effort on this last group and also the motive to focus on the same direction in the present paper. Focusing bandwidth attack, (Paxson 2001) distinguish important subcategories: single source, multisource, the first forms of DoS attacks (Isolated and Distributed form, latter called DDoS attacks) but among these two, the author introduces the reflector attacks (Figure 1). Figure 1. Three main DoS attack Categories (Hussain et al. 2003). First understanding about DDoS subject suggests always that only compromised and vulnerable machines can perform a DDoS attack. The reflection type is based on the use of uncompromised machines that produce legitimate replies to legitimate requests. By faking the source of the request the reply is directed to the real target of the attack. This procedure makes this attack more difficult to identify, and the identity of the attacker hided in the back of reflectors and zombies. In the (Peng et al. 2007) survey, authors redefine DoS attack and also present it generically as a Bandwidth attack, with two main characteristics: consumption of host s resources and consumption of network bandwidth. Then it summarizes some good examples of DDoS as is:

3 Protocol-Based Bandwidth Attacks: These types of attacks try to take advantage of normal protocol procedures to produce a flood attack. Two main types in this category are known SYN and ICMP Floods. Application-Based Bandwidth Attacks: Application-based take advantage of application services as is the HTTP, SIP etc, with the intention to cause expensive processing and time consuming tasks in the server. Distributed Reflector Attacks: As been stated before in this paper, in this case the attackers hide behind the reflectors, innocent third parties that reply to an incoming request. According to the source, this attack is considered to be a potent and increasingly prevalent internet attack. Infrastructure Attacks: This attack pretends to disable principal infrastructures that provide main services in internet. Regarding existent DDoS attack taxonomies can be depicted some authors (Specht 2004) (Campbell 2005) that start to present a graphical overview with tree representations of DDoS attack types. Recently, other approaches followed to widely classify the attacks by a group of metrics providing more complete and updated taxonomies as is the case of (Abbass Asosheh & Ramezani 2008). The authors propose eight features to be deployed in new taxonomy for DDoS attacks. They are architecture, degree of automation, impact, vulnerability, attack rate dynamics, scanning strategy, propagation strategy and packet content. The schematic can be seen in figure 2. Figure 2. DDoS Attack Taxonomy (Abbass Asosheh & Ramezani 2008). In next section is presented an overview on detection methods or defense techniques. 3. DDoS Attack Detection and Defense Regarding DoS defenses context, (Schwartau 1999) formulate one group of main objectives to assure, which are: No modifications to existing protocols or altering the infrastructure. All DOS attacks should be detected and unsuccessful.

4 False positives should approach 0%. Recovery from DOS should be as rapid as possible. The perpetrators of the DOS attack should be identified. For DDoS these rules still relevant to take into account towards implementation of defenses and countermeasures. In the same paper is proposed a specific model for DoS defense, called reaction module that is based principally in filtration, blocking or deviating attack attempts. Other initial approach was made by (Cabrera et al. 2001) that use collected information from management information base (MIB). Later, various and more complex detection techniques were presented, as is the example in (Moore et al. 2001) by the use of backscatter analysis (consistent analysis of replying traffic). This technique only can detect attacks that uniformly spoof addresses in the complete IP address space and consequently, it doesn t detect reflection, subnet spoofing or no spoofing addresses attack. Another perspective is to apply signal processing knowledge. One of the approaches was through spectral analysis by (Chen- Mou Cheng et al. 2002) based on a comparison of power spectral density of a normal TCP flow, that usually present strong periodicity around its round-trip time in both flow directions compared to DDoS attack flow, most often only in one direction. Another proposal (Barford et al. 2002) follows to identify frequency characteristics of four classes of network anomalous traffic and collect results of signal analysis. The classes evaluated were outages, flash crowds, real attacks and measurement failures resulting in specific patterns and defining behaviors. Some related approach also followed by (Mirkovic et al. 2002), that is based on monitoring the asymmetry of two-way packet rates and to identify attacks in edge routers. In (Hussain et al. 2003) proposal the authors used three simultaneous methods that, once combined, produce better and accurate results than its separate use. It is analyzed the header contents, observing relevant fields, as fragment identification field (ID) and time-to-live field (TTL), the Ramp-up Behavior, i. e., the growing behavior, and finally, the spectral analysis. Another similar proposal presented by (Yuan & Mills 2005) used the cross-correlation analysis to capture the traffic patterns and then to decide where and when a DDoS attack possibly arises. Another point of view presented in (Xie & Yu 2009) suggests that it can be assumed three different levels of detection according to their action in network layer, transport layer, and application layer. The authors state that most DDoS-related research has focused on the IP layer and related mechanisms attempt to detect attacks by analyzing specific features, e.g., arrival rate or header information. Their approach is detecting attacks in application layer, called App-DDoS attacks, by collection of spatialtemporal patterns and implementing models to differentiate these attacks from flash crowd events. More recently, some authors present combined approaches and complex prediction methods like (Zhang et al. 2009) that applies one autoregressive integrated moving average model (ARIMA) to predict available service rate on target server or (Qingtao Wu et al. 2009) which propose an adaptive control mechanism for early detection of DDoS attacks.

5 4. Conclusion The DoS attacks still an important issue and concern of many companies, governments and service providers nowadays, particularly in is distributed form: DDoS, mainly by easy implementation facing the devastating effects and constant mutation of its procedures. This paper provides an overview on recent DDoS attacks characterization, related taxonomies and on detection and defense techniques proposed by research community. This short paper shows that many efforts were already made in attack characterization, prevention, detection, attack source identification and attack reaction. Knowledge about this type of attack is grown and the methods proposed by researchers provide a good approach to the problem. Even though, future work can be pointed towards integrating knowledge in defense proposals and aggregate some methods and techniques, evaluating and presenting their results. In addition, more detailed analysis and simulations can be performed to establish relationship between parameters as detection performance and complexity, detection ratio, detection time or detection area range. References Abbass Asosheh, D. & Ramezani, N., A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a smart classification. W. Trans. on Comp., 7(4), Barford, P. et al., A signal analysis of network traffic anomalies. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment. Marseille, France: ACM, pp Available at: Cabrera, J. et al., Proactive detection of distributed denial of service attacks using MIB traffic variables-a feasibility study. In Integrated Network Management Proceedings, 2001 IEEE/IFIP International Symposium on. Integrated Network Management Proceedings, 2001 IEEE/IFIP International Symposium on. pp Campbell, P., The denial-of-service dance. Security & Privacy, IEEE, 3(6), Chen-Mou Cheng, Kung, H. & Koan-Sin Tan, Use of spectral analysis in defense against DoS attacks. In Global Telecommunications Conference, GLOBECOM '02. IEEE. Global Telecommunications Conference, GLOBECOM '02. IEEE. pp vol.3. Gligor, V.D., A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng., 10(3), Hussain, A., Heidemann, J. & Papadopoulos, C., A framework for classifying denial of service attacks. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications. Karlsruhe, Germany: ACM, pp Available at: Mirkovic, J., Prier, G. & Reiher, P.L., Attacking DDoS at the Source. In Proceedings of the 10th IEEE International Conference on Network Protocols. IEEE

6 Computer Society, pp Available at: Moore, D., Voelker, G. & Savage, S., Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, Needham, R.M., Denial of service: an example. Commun. ACM, 37(11), Paxson, V., An analysis of using reflectors for distributed denial-of-service attacks. SIGCOMM Comput. Commun. Rev., 31(3), Peng, T., Leckie, C. & Ramamohanarao, K., Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv., 39(1), 3. Qingtao Wu et al., An adaptive control mechanism for mitigating DDoS attacks. In Automation and Logistics, ICAL '09. IEEE International Conference on. Automation and Logistics, ICAL '09. IEEE International Conference on. pp Schwartau, W., Surviving denial of service. Computers & Security, 18(2), Specht, S.M., Distributed denial of service: taxonomies of attacks, tools and countermeasures. Proceedings of the International Workshop on Security in Parallel and Distributed Systems, 2004, Xie, Y. & Yu, S., Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Trans. Netw., 17(1), Yuan, J. & Mills, K., Monitoring the Macroscopic Effect of DDoS Flooding Attacks. IEEE Trans. Dependable Secur. Comput., 2(4), Zhang, G. et al., A prediction-based detection algorithm against distributed denial-of-service attacks. In Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly. Leipzig, Germany: ACM, pp Available at: &CFTOKEN=