A Survey on Distributed Denial of Service Attacks: Classification of Attacks and Countermeasures

Transcription

1 Abstract Distributed Denial of Service (DDOS) attacks have become a large problem for users of computer system connected to the internet. DDOS attackers hijack secondary victim systems using them to launch a coordinated large-scale attack against primary victim systems. As new countermeasures and solutions are emerging constantly, attackers are also developing new methods to counter these preventive measures. In this paper, we classify various DDOS attacks, countermeasures to prevent DDOS attacks and characterize the scope of DDOS attacks and losses they cause to the various industries. A Survey on Distributed Denial of Service : Classification of and Countermeasures 1 Achin Jain, 2 Arvind Panwar, 3 Manish Kumar Dept. of CSE, Ambedkar Institute of Advanced Communication Technologies & Research, Delhi, India Keywords DDOS, DOS, DDOS Attack Types, DDOS Prevention Methods I. Introduction Denial of Service(DOS) attack is an attack with the purpose of preventing legitimate users from using a specified network resource such as website, web service or computer system [1]. A Distributed Denial of Service (DDOS) attack is a coordinated attack on the availability of services of a given target system or network that is launched indirectly through many compromised computing systems [2]. The victims in DDOS attack are categorized in two sections: Primary and Secondary Victim [2].Primary Victims are the ones whose services are affected by the attack whereas Secondary Victims are those victims whose systems are compromised to launch the attack. There are normally Four Strategies that are used by the attackers to implement the DDOS attack and they are known as the Four Pillars of DDOS attack Strategy [3] which is as follows: Using the Internet s Insecure Channels Using Huge Traffic Volume as the Weapon Completely circumventing the ultimate victim s security defense. Hiding the attacker s identity. The rest of the paper is organized as follows. In section I, I provide basic DDOS Attack Architecture which will give a brief idea of DDOS attack methodology. Section II, discusses Recent DDOS attacks. Section III, provides various DDOS attack classification, DDOS attack architecture, and DDOS attack classes, DDOS Solutions and DDOS countermeasures. Section IV, discusses losses occur due to DDOS attacks. Finally, I conclude in section V, by insight into what the future might hold with respect to DDOS attacks. Fig. 1: [19] III. Recent DDOS Incidents DDOS attacks are launched more or less every day. Even the most well-known Websites like Twitter, Facebook and Google etc couldn t prevent themselves from being attacked by DDOS attack, which caused millions of their users affected. The most eye opener case was the DDOS incident that targeted White house, Federal Trade Commission and the Department of the Treasury. Washington Post and the New York Stock exchange, NASDAQ. A Botnet comprised of 30,000 60,000 infected computers were used. The attack traffic consumed gigabytes of bandwidth per second. It was the largest attack traffic observed. Such attack caused target outage for 4-5 days which was the longest outage duration ever. Some of the observed DDOS incidents in the year are outlined in Table. 1, in the chronological order. II. DDOS Attack Architecture In DDOS attack the attacker gains access of many systems on the network and tries to launch the attack through these Zombie PC s as shown in the fig. (See fig. 1) International Journal of Computer Science And Technology 233

2 ISSN : (Online) ISSN : (Print) Table. 1: Recent DDOS Incidents [19] S.No. Date of Attack Target Description 1 December 8, MasterCard, PayPal, Visa. and PostFinance Launched to SupportWikiLeaks.ch and its founder and attack lasts for more than 16 hours 2 November 30, whistleblower site Wikileaks Size of attack was 10 Gbps which affect the site availability and was launched to prevent release of secret cables. 3 November 28, whistleblower site Wikileaks Size of attack was 2-4 Gbps and was launched just after it released confidential US diplomatic cables. 4 November 12, Domain registrar Register.com Impacted DNS, hosting and webmail clients. 24 hours of outage 5 November 2, Burma s main Internet provider Disrupted most network traffic in and out of the country for 2 days. 6 October MPAA & Indian tech firm Aiplex software At least hundreds of 4chan users at once executed attack in Pro-piracy protest. 7 September Fast growing botnet IMDDOS was discovered Botnet s motive was to provide commercial service for launching DDOS attacks against any target. IV. DDOS Classification A. DDOS Attack Architecture There are basically two types of DDOS attack architectures: Agent Handler Model and Internet Relay Chat [IRC] based Model [2]. 1. Agent Handler Model Agent Handler Model consists of the following three entities (see fig. 2). Fig. 3: [2] B. DDOS Attack Classes There are broadly two classes in which the DDOS attacks can be classified: Bandwidth Depletion and Resource Depletion [2]. Fig. 2: [2] (i). Clients They are where attacker communicates with the rest of the DDOS attack system. (ii). Handlers They are software packages located throughout the internet. 1. Bandwidth Depletion In this attack the victim s network is flooded with unwanted traffic that prevents the legitimate user reaching the services (See Table 2). Table 2: Classification of Bandwidth Depletion and Their Measures Bandwidth Depletion Classification S.No Attack Name Types Effect Caused Measure (iii). Agents It is the software exists in compromised systems that will eventually carry out the attack. IRC based DDOS Attack Model IRC based model is similar to Agent based but with one exception that in IRC based there is no Handler (see fig. 3). In this method instead of using a handler program installed on a network server, an IRC (Internet Relay Chat) communication channel is used to connect the client to the agents. 1. Flood UDP Flood ICMP Flood Victim become unreachable to other clients Target gets too busy to process normal network data packets. Agent Based Measure[4] Check the rate of ICMP packets using the intelligent traffic detection technology [5] 234 In t e r n a t io n a l Jo u r n a l o f Co m p u t e r Sc ie n c e An d Te c h n o l o g y

3 Amplification DDOS Smurf Congestion and Crash down of System Check whether the destination address of a received ICMP echo request message is a subnet broadcast address or network address[5] (b). Turing Test This method requires attacking computer to answer a random question before establishing the connection. Global Solutions These are the solutions that require cooperation of several Internet Subnets across company boundaries. Commonly used Global Solutions are the following: Resource Depletion Attack In this attack the victims resources are alter in such a way so that the victim become unable to process legitimate service request (See Table 3). Table. 3: Classification of Resource Depletion and Their Measures Resource Depletion Classification S.No Attack Name Types Effect Caused 1. Protocol Exploit MalformedPacket TCP SYN PSUH+ACK IPAdd. IP Packet Options Network SupplyCollapse Crash Down due to large data volume Crash down due to system mix-up Victim System gets drained Measure Use the firewall as a relay between the server and its clients. C. DDOS Solutions Broadly DDOS Solutions are classified into two main Categories: Local and Global [3]. 1. Local Solutions These solutions are basically implemented on the victim computer or on its local network. Local Solutions for individual protection falls into three areas. (i). Local Filtering This method employs the use of local router by installing a filter to detect and stop the infiltrating IP Packets. (ii). Changing IPs This method employs the functionality of changing the Victim Computer IP Address on detection of DDOS attack, thereby invalidating the old address. (iii). Creating Client Bottlenecks Main Objective of this method is to create bottleneck process on attacker s computer, limiting their attacking ability. Some of the Methods commonly used are as follows: (i). Improving the Security of the Entire Internet This method employs Securing all the computers connected to the Internet. (ii). Using Globally Coordinated Filters The idea is to prevent the accumulation of a critical mass of attacking packets in time so that on detection of attack the packets can be stop by the filter earlier along the attacking path. (iii). Tracing the Source IP Addresses The aim is to trace the intruder s path back to the attacker computers and try to stop the ongoing attack. D. DDOS Countermeasure Categories There are three main categories of DDOS countermeasures: First Preventing the setup of the DDOS attack network, second dealing with a DDOS attack while the attack is in progress, third is the post attack category involving network forensics [2]. The Various DDOS Countermeasures their methods and the proposed solutions are shown in Table. 4 Table. 4: DDOS Countermeasures, Methods and Proposed Solutions S.No 1. DDOS Countermeasures Methods Proposed Solutions Preventing the setup of the DDOS attack network Dealing with a DDOS attack while the attack is in progress Prevent Secondary Victims Detect and Neutralize Handlers Detect or Prevent Potential Mitigating the Effects of DDOS 1. Buffer Overflow Violations[6] Dynamic Pricing[7] 1. Studying the communication protocols and traffic patterns to identify the infected node. 1. Egress Filtering[8,9] Using MIB Stats from Routers[10] 1. Load Balancing Throttling[11] (a). RSA Security Corp Client Puzzles This method use a puzzle to be solved before gaining access to victims system. Deflect 1. Honeypots[12] International Journal of Computer Science And Technology 235

4 3. Post attack category Network Forensics 1. Traffic Pattern Data[2] Packet Traceback [13] 3. IP Traceback [14] 4. ICMP Traceback [15] 5. Event Logs V. Losses Occur Due to DDOS According to a survey conducted by CSI in 2007, DDOS attacks were found to be one of the major reasons for financial losses [16], as shown in fig. 4, incurred almost $2,888,600 which is remarkable high sum of financial loss. If we compare the major threats such as Virus, Spyware, Website Defacement, Password Sniffing with DOS attack loss in the chart given below then we can find that ()% of total loss has occurred due to DOS attack only. Fig. 4: VI. Conclusion There is an alarming increase in the number of DDOS attack incidents. Not only, DDOS incidents are growing day by day but the technique to attack, botnet size, and attack traffic are also attaining new heights. Effective defense measures needed to prevent and mitigate these attacks is the current need of the hour. The major contributions of this paper are: 1. In this Paper, we have given a classification of DDOS attacks along with their Measure. We have classify the DDOS attacks in two classes and list their solutions Bandwidth Depletion Resource Depletion 3. It gives overview of DDOS problem. 4. Information about recent DDOS incidents. 5. Information about taxonomies of DDOS attacks, tools and countermeasures. 6. Information about various DDOS attack solutions and countermeasures. 7. Financial loss incurred due to DDOS attacks is also explored. References [1] David Karig, Ruby Lee, Remote Denial of Service and Countermeasures, Princeton University Department of Electrical Engineering Technical Report CEL , Oct ISSN : (Online) ISSN : (Print) [2] Stephen M. Specht, Ruby B. Lee,"Distributed Denial of Service: Taxonomies of, Tools, and Countermeasures", Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp , September [3] Xianjun Geng, Andrew B. Whinston, Defeating Distributed Denial of Service, IT Pro July/August [4] Aarti Singh, Dimple Juneja, Agent Based Measure for UDP Flood Attack in DDoS, International Journal of Engineering Science and Technology Vol. 2(8), pp ,. [5] "Attack Prevention Technology White Paper", [Online]. Available: do?id= [6] Ruby Lee, David Karig, Patrick McGregor, Zhijie Shi, Enlisting Hardware Architecture to Thwart Malicious Code Injection, Proceedings of the International Conference on Security in Pervasive Computing (SPC-2003), LNCS 2802, pp , Springer Verlag, March [7] David Mankins, Rajesh Krishnan, Ceilyn Boyd, John Zao, Michael Frentz, Mitigating Distributed Denial of Service with Dynamic Resource Pricing, Computer Security Applications Conference, ACSAC Proceedings 17th Annual, pp , [8] P. Ferguson et.al. RFC 2267,"Network Ingress Filtering: Defeating Denial of Service attacks which employ IP Source Address Spoofing", Technical report, The Internet Society, [9] SANS Institute,"Egree Filtering v0.2", (2000), [Online]. Available: [10] Joao B. D. Cabrera, Lundy Lewis, Xinzhou Qin, Wenke Lee, Ravi K. Prasanth, B. Ravichandran, Ramon K. Mehra, Proactive Detection of Distributed Denial of Service Using MIB Traffic Variables A Feasibility Study, Integrated Network Management Proceedings, pp , [11] David K. Yau, John C. S. Lui, Feng Liang, Defending Against Distributed Denial of Service with Max-min Fair Server-centric Router Throttles, Quality of Service, 2002 Tenth IEEE International Workshop, pp , 200 [12] Nathalie Weiler, Honeypots for Distributed Denial of Service, Enabling Technologies: Infrastructure for Collaborative Enterprises, 200 WET ICE 200 Proceedings. Eleventh IEEE International Workshops, pp , 200 [13] Vern Paxon, An Analysis of Using Reflectors for Distributed Denial of Service, ACM SIGCOMM Computer Communication Review, Vol. 31, Iss. 3, Jul [14] Puneet Zaroo,"Advance Information Assurance (CS 626), [Online] Available: Public/IP%20TraceBack/Survey%20of%20DDoS%20 Atttacks%20and%20Defense.pdf [15] Bellovin (2000),"ICMP Traceback Message", Technical report, AT&T, [Online] Available: internet-drafts/draft-bellovin-itrace-00.txt. [16]gocsi.com (2007), The 12th annual computer crime and security survey, [Online]. Available: edu/~jjoshi/courses/is2150/fall09/csifbi2007.pdf. [17] Level3.com (2009), Managed DDoS Protection, [Online]. Available: DDoS_Protection_whitepaper.pdf. 236 In t e r n a t io n a l Jo u r n a l o f Co m p u t e r Sc ie n c e An d Te c h n o l o g y

5 [18] M. Sachdeva, G. Singh, K. Kumar, K. Singh, A comprehensive survey of distributed defense techniques against DDoS attacks, International Journal of Computer Science and Network Security, Vol. 9, No. 12, pp. 7-15, Dec [19] Ketki Arora et al., Impact Analysis of Recent DDoS, International Journal on Computer Science and Engineering (IJCSE), Vol. 3 No. 2 Feb International Journal of Computer Science And Technology 237