Detection and prevention from denial of service attacks (DoS) and distributed denial of service attacks (DDoS)

Transcription

1 Detection and prevention from denial of service attacks (DoS) and distributed denial of service attacks (DDoS) Nozar kiani, Dr. Ebrahim Behrozian Nejad Institute For Higher Education ACECR Kouzestan, Iran Abstract regarding the growing trend of denial of service attacks (DoS) and distributed denial of service attacks (DDoS) in the context of internet networks, and the importance of Web-based services in these networks, we need to be quite aware of these attacks. Although it is difficult to study these attacks, through having a good insight about the effects and consequences of these attacks, it is possible to obtain the preventative ways for these kinds of attacks in order not to provide a necessary context for aggressors of these kinds of attacks. And the servers provide their services properly, and the users get the resources and services without any disruption. Although the prediction and deviation of these attacks in a wide area like web in a global scale is difficult, we can handle these attacks using some preventative techniques in the context of network, and detection of attack operations and the deviation of attack during the attack to reduce the effects of attack. Unfortunately, with the enormous traffics of attacks some damages have been found. Thus, detection of attacks DDOS At the earliest possible time is more favorable than waiting for the spread of a comprehensive flood of attacks. To implement an efficient defense system, we should use a network topology leverage to monitor the distributed traffic and detection. In this study, the Preventative methods for these attacks will be explained. Keywords DOS Attack, D.DOS Attack, Stacheldraht Attack, SYN flood, Legitimacy testing, Traceback, Trinoo Attack 1 - Introduction The purpose of the DOS attacks is to Interfere with resources and services that users are going to access and use them (disabling the services.) The main purpose of these kinds of attacks is to prevent users from accessing to a particular resource. In These attacks, attackers using several techniques make attempt to put into trouble the authorized users to access and use a particular service, and disturb the services of a network. Trying to generate False traffic in the network, interfering with communication between two machines, preventing authorized users from accessing a service, and disrupting services are some instances of other objectives that attackers pursue. In some cases, in order to carry out massive attacks using DOS attacks as a starting point an ancillary element is used to provide a context for the original invasion. Accurate and legitimate use of some resources may also leads to a kind of DOS attacks. A flood of large enough traffic causes to overflow a buffer connections, disk fatigue or saturation of connecting link and so on lead to the crash of the suffered device. And given that in recent years the widespread attacks DDOS is increasing for the competitiveness of business enterprises, service provider sites, and so forth has been conducted. Massive service attacks denial is considered as the greatest threat, therefore, to prevent these growing attacks, some preventative methods will be presented The Internet constitutes are consumable and limited. Infrastructure systems and connected networks that make internet are composed of entirely limited resources. Bandwidth, processing power and storage capacity all are limited and the target of common DOS attacks. Attackers perform the attacks trying to consume a significant amount of available resources so that some extent of the services will be disrupted. Abundant resources that have been designed and used properly, may contribute to reducing the impact of an attack DOS, but today's attack methods and tools operate even in the most abundant sources and make interferes in them Internet security is largely dependent on all the factors. The DOS Attacks Usually occur from one or more points invisible to the victim's system or network. In many cases, the starting point of the attack includes one or more systems that are provided to an attacker through security exploits, and so the attacks are not done by the system or the piercing systems. Therefore, defense against penetration not only protect the ISBN:

2 Internet-related property, but also helps avoid using this property to attack other networks and systems. Then no matter how much your system is protected, exposure to many types of attacks, particularly DOS, Depends largely on the security situation in other parts of the Internet. Fig.2 TCP Packet Format 2-2 -The examination of TCP Protocol Function In the following Fig, the server named TCP B and the client named TCP A are shown: Fig.1 the attack of packets diagram Defending DOS attacks is not only a practical discussion. Limiting demand amount, packet filtering and manipulation of software parameters can sometimes help limit the effects of DOS attacks provided that the DOS attack is not using all the existing resources. In most cases, we can only have one defensive reaction, and this happens only and only if the source or sources of the attack are determined. Using IP addresses faking during the attack, the advent of distributed attack methods, and existing tools cause a constant challenge against those who respond to DOS attack. Initial DOS Attacks technology consisted of a simple tool to generate the packages and send them from "one source to one destination". With the passage of time, the tools have progressed toward the implementation of attacks from "a source to several destinations", from "several sources to single destination ", and from "multiple sources to multiple destinations ". Today, most of the reported attacks to CERT / CC are based on the sending of a very large number of packets to a destination which consequently creates a lot of endpoints and consumes the network bandwidth. Such attacks are typically referred as Packet flooding. But about the "attack to multiple targets" fewer reports have been received. [3] 2 - Examining the TCP packets and how to communicate under the TCP / IP protocol For closer examination and explanation of how DOS attacks function we need to investigate TCP packets and explain how to communicate under the TCP / IP protocol. They will be discussed as follows: Examining the components inside a TCP packet The internal components of a TCP packet are: Source port, destination port, the data string and so on. They make the information on the way to the internet be displaced. Fig.3 Diagram of connections in TCP 1. The client sends TCP Packet to the server marked with SYN. This packet makes the server realize the client is going to send the information. Then the client is waits for a response to receive and accordingly sends the information. 2. After receiving the client request, the server, in response to the client, sends a packet marked with SYN / ACK indicating the permission to communicate and transmit data. 3. The client sends an ACK to the server after receiving a packet from the server. 4. Then the client tries to send data. [1] 3 - Examination of various DOS methods SYN flood attack investigation This attack sends numerous requests marked with SYN to the victim machine making Backlog queue full. But, what is Backlog? All requests that enter the machine including SYN mark for Communications. They are stored in order in a part of the memory to be considered and accordingly being answered so that the communication can happen. This part of the memory is called Backlog Queue. When this part is filled with many requests, the server is forced to abandon new requests and as a result, these new requests can't be processed and investigated. ISBN:

3 Fig.4 SYN Flood Attack Reset (RST) Packets which are sent with RST mark cause the connection to be disconnected. In fact, if the machine A sends a packet marked RST to the machine B, the connection request from the Backlog will be cleared. This attack can be used to disconnect the two machines. That is, The attacker breaks off the established connection between the two machines A And B by sending an RST request to the Machine B from the machine A. in fact, inside the packet sent to the victim from the attacker's machine, IP client is put, and consequently the machine B, which is The server, eliminates the machine A From the Backlog. In this method, the attacker through using a tool can fake the IP and in fact, sends his request instead of another machine. This technique is also called Spoofing. Fig () paying a little attention to Fig 5-1, you will find that Source IP which in the transferred packet sent by the attacker machine to machine B is the same with IP Machine Number A ( ), while the IP Machine Number C that the attacker uses is quite another. ( ( [1] Fig.6 Land Attack [2] Smurf Attack These attacks by sending ICMP requests to a range of amplifier IPs give rise to traffic extension; this in turn leads to DOS attack. Attacker can send their ICMP request in a Spoof- like manner and through the victim's machine to the IPs Of amplifier. By sending a request, hundreds of responses to the ICMP request will flow to the victim machine and this raises the traffic (Fig, 6-1). Amplifier: All networks that have not filtered the ICMP requests for IP broadcast are considered as Amplifier. the attacker can send some requests to, for example, IPs Such as: xxx The X can be 255, 223, 191, 15, 9, 127, 95, 63, 31, 15, 7 3, namely the IPs Of Broadcast. However, it is noteworthy that IP broadcast depends on how IP segmentation in the network is. [1] Fig.5 Attacking RST Attack Land Attack In this attack, using Spoofing method in the packets sent to the server, instead of IP and the port of Source and destination, IP and the port of server's machine is placed. In fact, IP and the port of server's machine are sent to the server. As a result, in the old operating systems an internal loop or Routing appears which consequently fill the memory and gives rise to DOS attack. In addition, This attack in Win 95 (winsok 1.0) and Cisco IOS ver 10.x machines and the old system makes the system break down, but today all intelligent systems such as IDS are able to identify these attacks and therefore, these attacks do not have any major effect on these server's function. Fig.7 Smurf Attack Ping Flood or Ping of death In this type of attack by a direct request (Ping) to the victim computer, the attacker tries to block the service or reduce its activity. In this type of attack the size of information packets ISBN:

4 becomes to a great extent (above K64, that is unauthorized in Ping) large and the victim's computer is not able to deal effectively with the mixing packets and it will break down. Fig.8 Standard Format Ping [2] Fig. 9 Diagram of Ping of death attack Teardrop Attacks When information is transferred from one system to another system, it will be divided into small pieces, and in the destination system, these pieces attach together and become the whole. Each packet contains an offset field, which shows that the packet contains what piece of information. This field, along with the order number helps the destination system to connect the packets again. If the packets are sent with the irrelevant offset number and order, it makes destination system unable to sort them and the system will break. 4 - Distributed Denial of Service D.DOS attacks and various Types of D.DOS attacks DDOS (Distributed Denial of Service) attacks are kinds of wide distributed DOS attacks. Generally, DDOS is s an organized attack against the available services on the Internet. In this way, DOS attacks are indirectly done on the victim's computer by a large number of hacked computers. The targeted services and resources are called the "Primary victims" and the computers used for the attack are the " Secondary victims ". DDOS attacks are generally more effective in knocking down (disabling) the large companies as compared with DOS attacks. This type of attack connects the nature of distributive internet with the hosts which have the separate essence around the world in order to create giant unidirectional flow of packets against one or several victims. To run a DDOS unidirectional flow, hacker first gains the control of a large number of victim devices which is called Zombies. Zombie systems are placed everywhere in the internet and have a simple vulnerable series that allows hacker to gain the control of system quickly. Till now in these kinds of attacks, Zombie has been installed in vulnerable university servers, the system of large companies, and the system of servers and even in household systems which connect to Loop Digital- Subscriber or Cable Modem services. Hacker scans the large strips of internet to find the vulnerable systems, use them and install Zombies on them. Most of the devices, on which the Zombies is installed, through using the attack of overfilling Buffer mass or a damaging software are installed. Hackers generate hundreds and thousands of Zombies. Fig.11 Diagram of attacks D.DOS [3] Fig.10 Teardrop Attacks [2] Based on the intensity of attacks DDOS Attacks are divided into two categories: disruptive attacks and degrading attacks. In disruptive attacks, providing services from the victim machine to the customers are completely impeded [6]. These attacks in their own turn are divided into three categories: Self-Recoverable, Human-Recoverable and Non- Recoverable. In the first one, namely Self-Recoverable, the victim machine a short while after the attack cease can be ISBN:

5 recovered automatically. UDP flood And TCP flood attacks fall into this category. In the second type, the system can not automatically recover and requires human intervention. Attacks that lead to rebooting, disabling or capping off the system fall into this category. The third type attacks cause permanent damages to the target system and the retrieval of the system requires purchasing new hardware [9]. [6] In degrading attacks the purpose of attack is to use some of victim's machine resources. As a result, this causes the delay in attack detection and consequently gives rise to huge damages to the victim machine [5]. Below some instances of Distributed Denial of service attacks D.DOS are Introduced and how the attacks function are explained Trinoo Attacks Trinoo is originally a kind of Master / Slave programs that cooperate and synchronize with each other in order to have a flood attack UDP Against the victim's computer are. In a normal process, the following steps occur to establish a Trinoo DDOS network TFN/TFN2K attacks TFN (Tribal Flood Network) is generally a Master / Slave attack in which coordination takes place to have a SYN flooding against the victim's system. TFN demons are able to do much more varied attacks include ICMP flooding, SYN flooding, and Smurf attacks. Therefore, TFN is more complicated as compared with Trinoo attack. Compared with the main TFN tool, TFN2K has several key advantages and improvements. TFN2K attacks are implemented by faking IP addresses that makes it more difficult to discover the source of the attack. TFN2K attacks are not just simple TFN flood. They also include the attacks that exploit the security gaps of the operating system for invalid and incomplete packets in order to cause the failure of victim systems. TFN2K attackers do not need to run the commands by entering to the Client machine instead of Master in TFN, and they can run these commands from a far distance. The connection between Clients And Demons is no longer restricted to ICMP Echo responses can be done through different intermediaries like TCP And UDP. Therefore, TFN2K are more dangerous and are more difficult to discover as well. Fig.13 Diagram of TFN/TFN2K attacks Fig.12 Diagram of Trinoo attack Step 1: The attacker, using a hacked host, collects a list of systems that can be hacked. Most of this process is done automatically by the hacked host. This host keeps in itself some information including how to find other hosts for hacking. Step 2: Once this list is ready, the scripts for hacking and changing them into Masters or demons are implemented. A Master can control several Demons. Demons are the hacked hosts that perform the main UDP flood on the victim's machine. Step 3: DDOS attack is done when command is sent to the hosts of the Master from the attacker.. These masters can command any Demon to have a DOS attack against IP address specified in the command to start and trough doing a lot of DOS attack a DDOS attack Forms [6] [4] Stacheldraht attacks Stacheldraht code is very similar to Terrinoo and TFN, however, Stacheldraht Allows the communication between the attacker and Master (Which in this attack is called Handler) to be encrypted; the operations can upgrade their code automatically, and they can proceed to do various types of attacks, such as ICMP floods, UDP floods, and SYN floods. ISBN:

6 6 - Ways of Coping Fig.14 Diagram of Stacheldraht attacks [4] 5 - An example of a DDOS attack In recent years, DDOS attacks on the Internet have targeted the accessibility. The first case happened on 7 February In that attack, Yahoo was targeted in a way that its portal was inaccessible for three hours. On February 8, 2000, some Sites like Amazon, Buy.com, CNN and ebay were targeted by the attackers. This gives rise to the complete cancellation of their operations or makes them slow down considerably. According to published reports, within the 3 hours that Yahoo was attacked the Commercial and advertising benefit amount that was lost was about 500, 000 dollars. According to the statistics provided by Amazon, within the 10-hour that this site was attacked 600, 000 dollars have been lost. Furthermore, During the DDOS attack accessibility amount of Buy.com was reduced from 100% to 9.4% and the users' volume of CNN has been lowered and became 5%. DDOS attacks are more powerful and more difficult to detect and cop with as compare with DOS attacks. The reason is that in these attacks several machines can coordinate in order to send a small stream of traffic to the target machine and the control of all the traffics is hard for the target machine [4] Defense against Smurf attacks If you are exposed to the Smurf attack, you can't do anything special. Although this is possible to block the attacker packets in the external router, the origin of the source width band of the router will be blocked. In order for the network provider above you to the attacks at the source of attack, the coordination is needed. In order to prevent the attack from your site, your external router should be configd in a way that blocks all the outgoing packets that have a source address inconsistent with your subnet. If the faking packet (the packet which does the action of faking) can't go out, it cannot make a serious damage. To avoid being as an intermediary and participating in other person's DOS attack, config your router in a way that block the packets which their destination is all addresses of your network. That is to say, do not allow the ICMP released packet on your network to come to the router. It allows you to have the ability to keep performing the action of ping in all existing systems in your network, while you are able not to allow an external system to do this action. If you are really worried, you can config your host systems in a way that impede ICMP releases completely Defense against SYN flood attacks Small blocks SYN Cookies A new defense against SYN flood is SYN Cookies. In SYN Cookies each side of the communication, has its own sequence numbers. In response to a SYN, the attacked system, creates a special sequence number from the communication which is a "cookie" and then forgets everything. In other words, eliminate them from the memory is (Cookies are used uniquely to determine an exchange or negotiation). Cookie contains information about the necessary information communication; therefore, later it can recreate the forgotten information about the communication when the packets come from a healthy communication. Fig.15 systems. the important threats, vulnerabilities of computer Coping with DDOS attacks How to take care of your servers against sent data attack from infected computers in the internet to prevent company's network from disrupting? Here are some ways to deal with DDOS attacks in which are presented in three sections below: Attack prevention, attack detection and attack response Attack Prevention Egress filtering Performs filtering on the external traffic and only allow the packets that have a valid source address to leave the network. The extension of property brings about the reduction of the attacks in which the fake IP address is used. However, there is away to fool the Egress filtering and that is the production of attacking packets that their IP address is faked in the network address range of the source [4]. ISBN:

7 D-WARD detects the external attacks and stops them through controlling the traffic issued to the target machine. It should be installed in the router of the source which works as a gateway between the network and the rest of the internet. This router is configd with a set of authorized local source addresses to run the egress filtering on the traffic issued from the source. Also, the networking and communication flows are always monitored to detect unusual behavior. these methods like Egress filtering can be fooled [4,3]. Ingress filtering filters the incoming traffic with invalid IP addresses of the source. These invalid source addresses can be the internal IP address entering from the external network or it can be any special reserved IP address ( for example, *. *). Ingress filtering is a reasonable way to block fake special IP addresses with complete confidence., but the range of addresses that can be used by the attackers to counterfeit is still too wide. Therefore, even after removing the attack traffic mentioned above, this method is unable to prevent the DDOS attacks effectively Attack Detection MULTOPS is used to detect bandwidth attacks, in which nonadaptive protocols such as UDP And ICMP. But, in detecting attacks in which a consensus protocol like TCP is used it fails [2]. MULTOPS has three main assumptions which are as follows: 1. attacker and target are separated at least by a router. 2. The rate of the packets is symmetric between two hosts. Meaning that the rate of the packets from A To B is Equal to the rate of packets from B To A. however, the traffic in both directions may not always be equal, like in downloading files or in video. 3. Finding location through a router equipped with MULTOPS is symmetric and constant. It means that if a package comes to B from A passes the router R, packets come to A from B will pass he router R response to the attack this section discusses the various mechanisms to respond to DDOS attacks Traceback Each IP packet has two addresses: the source and destination addresses. Destination address is used in route finding in order to deliver the packet to the destination. The route finding infrastructure of IP network does not check the validation of the source address which is placed in the IP packet. The source address is used by the destination machine in order to determine the source for giving answer. In general, no entity is responsible for the source address accuracy. Its scenario is similar to sending mail using mail service. This property is used by the attacker to hide their source address and identity by forging the source IP address. The reason for recommending Traceback mechanisms is to realize the attacker source correctly, provide the possibility of answering, and stop the attack at the nearest point to its source Reconfiguration Reconfiguration mechanisms change the topology of the target or intermediate network to hide the legitimate paths toward the target l from the attacker or isolate the attacker's machine. Such a plan is based on the secure covering service architecture which is used to protect the specified targets from DDOS attacks. The entry points of covering network and the access point of secure cover (SOAP) perform the identity recognition and allow only legitimate traffic to enter into the network. SOAPs try to find the Beacon to send traffic to them. The Beacons then work confidentially with the Servlet to send traffic to it. Beacons and Servlets of the network remain hidden from the reporters. The specified targets are protected confidentially by means of the filters with high efficiency. They do this through eliminating the traffic. Randomness and anonymity in this way makes targeting the nodes along the path to a special destination that is protected by SOS difficult for the attacker. Path redundancy is presented in order to hide the identity of confidential Beacons and Servlets. SOS disadvantage is that it requires setting up a covering network and complex algorithms such as: route finding algorithm Chord and Hashing adaptive for finding and assigning Beacons and Servlets. Beacons and Servlets can also be attacked [4] Redirection Black hole filtering allows the administrator to lead up the attack traffic to a null IP address to remove it. When an attack is detected, a static route is created to lead attack traffic into a "black hole" instead of the victim machine The problem here is that with the appearance of false positive, legitimate traffic will be also discarded like attack traffic Filtering Filtering mechanisms filter the attack streams completely. Filtering mechanisms rely heavily on third-party detection tools. The filtering function should be done only when the detection result is reliable. Detection can be divided into two main categories: "unorthodox or unconventional behaviorbased techniques" and "model-based techniques." Unconventional behavior-based techniques assume that a profile with normal activity is created for the system. Activities that do not match the profile are considered as intruder. However, if an action which is not intrusive but not registered in the normal profile is treated as an attack can lead to false positives. Then filter obstructs the service by its own defense systems. When an intrusive activity but not anomaly occur and gives rise to the attacks that are not detected a false negative appears. In the second technique, the attacks are presented in the form of model. In a way that even similar attacks can be detected. But it can only detect known attacks ISBN:

8 and respond to them. For new attacks that the properties of the packets and attack pattern are unknown, it is less used. However, the pattern-based designs when the traffic matches with the known attack patterns are very useful tools for filtering as a response mechanism [4]. Another solution is to use a firewall to filter out attack traffic. Before entering or leaving the network, packets wait to be processed in accordance with the standards of protection and firewall security Legitimacy testing In NetBouncer, a large list of applicants who have been proven to be legitimate is kept. If a packet is received from a source that is not in the legitimate list the types of tests are done to prove the legitimacy of the source. If a source passes these tests successfully, that will be added to the legitimate list and subsequent packets originating from this source are accepted until it the window of legitimacy expires. When it was accepted, the legitimate packets transmission is controlled by a traffic management subsystem to make sure that legitimate applicants are not abusing the consumption of bandwidth and the target does not suffer a traffic that seems to be legitimate. In this way, NetBouncer is able to distinguish legitimate traffic from illegitimate so that it can discard the illegitimate traffic. Tests of legitimacy due to the additional resources that will be allocated for testing give rise to delays in traffic processing and make it slow. [4] Attackers' resource consumption Client puzzles introduce an interactional action based on a cryptographic against connection depletion attacks. Connection depletion is a DOS attack in which the attacker tries to make a lot of faulty communication with the server in order to deplete the resources and disabling them to provide the service to the legitimate requests. The basic idea is that when a server is under attack, that server distributes some little hidden puzzles for users who have requested a service. To complete his application, the user must correctly solve his puzzle. The advantage of this plan is that legitimate traffic can for sure be distinguished from attack traffic. However, like NetBouncer, solving such puzzles requires processing the resources during the attack and causes the system to become slow [4]. 7 - Conclusion in this article a series of very Common and in use attacks DDOS and Dos have been explained I, Denial of service attacks is an important and complex issue and thus several techniques have been proposed to deal with them. As the mechanisms to deal with attacks expands, hacker motivation to use these tools will change and probably includes blind transfer of excessive biased competition or defrauding. Without any attention to their reasons, the hackers want to disable the target system. And they try the ways such as stopping the services and complete burst to make the data onesided. In this paper the methods to handle the attacks were divided into three different groups: attack prevention, attack detection and coping with attack. If a damage can create onesided streams of DOS information through DDOS attack we Should defend our main system against these attacks. We mentioned some ways to cope with them. Acknowledgment I wish to thank and express my deep appreciation to Mohammad Naghizadeh who has, as usual, given me his support and thoughts during the writing of this paper. Moreover, this paper wouldn t be conducted in English if he didn't devote his time to translate my writings into English. References [1] FHS Underground Group Attacks, " IEEE [2] Thomer M. Gil, "MULTOPS: a data structure for denialof-service attack detection", Ph.D. Thesis, Vrije University, Dec 2,000. [3] Jelena Mirkovic, "D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks", Ph.D. Thesis, University of California, Los Angeles, [4] Vrizlynn Thing Ling Ling, "Adaptive Response System for Distributed Denial-of-Service Attacks", Ph.D. Thesis, College London, Aug [5] Jelena Mirkovic, Janice Martin and Peter Reiher, "A Taxonomy of DDOSAttacks and DDOSDefense Mechanisms", Computer Science Department, University of California, the 2,002th [6] Christos Douligeris, Aikaterini Mitrokotsa, "DDOSattacks and defense mechanisms: classification and state-of-the-art", 13 October two thousand and three, Available from: C. Joshi, and Manoj Misra, Member, IEEE, [7] Karthikeyan. KR and A. Indra, "Intrusion Detection Tools and Techniques-A Survey", International Journal of Computer Theory and Engineering, Vol.2, No.6, December 2,010. [8] Abraham Yaar, Adrian Perrig, Dawn Song, "StackPi: New Packet Marking and Filtering Mechanisms for DDOSand IP Spoofing Defense", IEEE Journal, Carnegie Mellon University, Vol. 24, Oct [9] Jelena Mirkovic and Peter Reiher, "A Taxonomy of DDOSAttack and DDOSDefense Mechanisms", Funded by DARPA, University of Delaware and University of California, ISBN: