MASTER'S THESIS


MASTER'S THESIS

Literature research about Denial of Service attacks: Comparison of different modes of DoS attacks, Analysis of DoS defense schemes in information system environments and networks and Overview of security policies against DoS attacks on business environments.

Christos Zlatis (Ζλάτης Χρήστος)
Supervising professor: Mr. Ioannis Stamatiou, Associate Professor, University of Patras
Thessaloniki, November 2014


Approved by the three-member examination committee on the 5th of November:
I. Antoniou, Professor, Aristotle University of Thessaloniki (A.U.Th.)
I. Stamatiou, Associate Professor, University of Patras
N. Farmakis, Associate Professor, A.U.Th.
Thessaloniki, November

Christos I. Zlatis
Graduate of the Department of Technology Management, University of Macedonia

Copyright Christos I. Zlatis, 2014. All rights reserved.

Copying, storing and distributing this work, in whole or in part, for commercial purposes is prohibited. Reprinting, storing and distributing for non-profit, educational or research purposes is permitted, provided that the source is cited and this notice is retained. Questions concerning the use of this work for profit should be addressed to the author. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official positions of the Aristotle University of Thessaloniki (A.U.Th.).

Abstract

Although DoS attacks have been launched since the beginning of computer networks, they were not considered a significant topic of research until relatively recently, when they started harming ISPs, governmental websites and the e-commerce infrastructure. The fact that the Internet operates on old networking protocols with limited provision for security is an advantage for the attackers. Of course, the increase in research interest did provide solutions, which have recently managed to halt the escalation of the DoS phenomenon. Distributed defense techniques have been designed and the majority of DoS attacks can now be countered in networks where some sort of defense has been deployed. Today, attacks have shifted towards economic crime and cyber-warfare, and although less widespread they can be much more harmful. As a result, the new era of DoS research has to produce even more effective solutions with even less overhead in the absence of an attack and as little disruption as possible in the presence of one.

Keywords: Denial of service attacks, DDoS attacks, DDoS attack mechanisms, DDoS defense schemes, Prevention methods, Security principles, Impacts on the web

Synopsis (Σύνοψη)

Although DoS attacks began with the beginning of computer networks, they were not considered a significant research topic until relatively recently, when they began to harm ISPs, government websites and e-commerce infrastructures. The fact that the Internet operates with old networking protocols with limited security provisions is an advantage for attackers. Naturally, the increase in research interest provides solutions, which have recently managed to stop the escalation of the DoS phenomenon. Distributed defense techniques have now been designed, and the majority of DoS attacks can now be countered in networks where at least one defense mechanism has been deployed. Today, attacks have shifted towards the area of economic crime and cyber-warfare, and although less widespread they can be much more harmful. As a result, the new era of DoS research must produce even more effective solutions with even less tolerance in the absence of an attack and the smallest possible disruption from the presence of a DoS attack.

Keywords: Denial of service attacks, DDoS attacks, DDoS attack mechanisms, DDoS defense schemes, Prevention methods, Security principles, Effects on the Web

Summary

The Internet is not stable, as it reforms itself rapidly. This means that DDoS countermeasures quickly become obsolete. New services are offered through the Internet, and new attacks are deployed to prevent clients from accessing these services. However, the basic issue is whether DDoS attacks represent a network problem, an individual problem, or both.

Chapter 1 gives some definitions of denial of service attacks and presents the vulnerabilities of the Internet which can make DDoS attacks inevitable. Chapter 2 gives an overview of network based attacks, which consist of active and passive attacks. Chapter 3 gives an overview of denial of service attacks, referring to some definitions, symptoms and manifestations of this kind of attack, together with a synopsis of the most well-known categories of denial of service attacks. Chapter 4 analyses the different modes of denial of service attacks. In particular, the two main categories of denial of service attacks, crashing and bandwidth attacks, are presented, and the different types of bandwidth attacks are analysed more thoroughly. Furthermore, this chapter gives a short introduction to distributed denial of service attacks and refers to the impacts of bandwidth attacks on the web. Chapter 5 analyses denial of service attacks, describing the overall process of a denial of service attack. In addition, some DDoS attack mechanisms are presented, along with an analysis and comparison of different modes of DDoS attacks. Chapter 6 gives an overview of other significant modes of DoS attacks such as peer to peer attacks, reflected/spoofed attacks, low rate DoS attacks, and permanent and unintentional DoS attacks. Chapter 7 gives an overview of prevention and response methods against denial of service attacks. In this chapter, we refer to different strategies which can protect a business environment from this kind of attack. Furthermore, some general security principles against denial of service attacks are analysed. Chapter 8 gives a short presentation of prevention and response tools; among other tools, clean pipe DoS protection services are analysed. Chapter 9 presents the two main categories of defense mechanisms, preventive and reactive mechanisms, and gives a short overview of modern tendencies in DDoS diversion systems.

Chapter 10 gives an overview of DDoS defense schemes, which are classified into four broad categories: Prevention, Detection, Source identification and Response. Chapter 11 analyses these four categories of defense schemes, giving more information about the different types of filtering schemes. In addition, DoS attack specific and anomaly based detection techniques are analysed. Chapter 12 presents two main IP traceback methods: probabilistic packet marking and deterministic packet marking. There is a short analysis of these methods, referring to the advantages and disadvantages of each of them. Furthermore, these two methods are compared with other significant filtering schemes. Chapter 13 gives an overview of the statistical analysis of DoS attack defense schemes. Chapter 14 presents some statistical approaches to DoS attack detection techniques. In particular, this chapter refers to two detection algorithms, the Entropy and Chi-Square Statistic algorithms, and to the evaluation of their detectors. Chapter 15 analyses the impact of DDoS attacks on the web. Some of the most serious incidents of DDoS attacks worldwide are presented, and there is an overview of some recent surveys about the impact of DDoS attacks on business environments, retail banks and organizations.

Summary (Περίληψη)

The Internet is not stable, as it transforms itself rapidly. This means that DDoS countermeasures quickly become obsolete. New services are constantly offered through the Internet, and new attacks are developed to prevent customers from accessing these services. However, the basic question is whether DDoS attacks constitute a network problem, an individual problem, or both.

The first chapter gives some basic definitions of denial of service attacks and presents the weaknesses of the Internet that can make DDoS attacks inevitable. The second chapter gives a synopsis of network based attacks, which consist of active and passive attacks. The third chapter gives a general description of denial of service attacks, with reference to definitions, symptoms and indications of this kind of attack, as well as a synopsis of the categories of the most widespread denial of service attacks. The fourth chapter gives a detailed presentation of denial of service attacks, describing the overall process of a denial of service attack. In addition, some DDoS attack mechanisms are presented, as well as the analysis and comparison of various basic forms of DDoS attacks. The fifth chapter gives a detailed presentation of the various forms of denial of service attacks. More specifically, the two main categories of attacks are presented: crashing and bandwidth attacks. In addition, this chapter gives a short introduction to distributed denial of service attacks and also refers to the effects of bandwidth attacks on the Internet. The sixth chapter gives a general description of the remaining significant forms of DoS attacks, such as peer attacks, reflected/spoofed attacks, low rate DoS attacks, and transient and unintentional DoS attacks.

The seventh chapter gives a general description of prevention and response methods against denial of service attacks. This chapter refers to different strategies that can protect a business environment from this kind of attack. In addition, there is an analysis of some general security principles against denial of service attacks. The eighth chapter gives a short presentation of attack prevention and response tools. Among other tools, there is an analysis of clean pipe DoS protection tools.

The ninth chapter presents the two main categories of defense mechanisms, which are preventive and reactive mechanisms, and makes a short reference to modern practices regarding DDoS diversion systems. The tenth chapter gives a general description of DDoS defense schemes, which are classified into four general categories: Prevention, Detection, Source identification and Response. The eleventh chapter gives a detailed presentation of the four categories of DDoS defense schemes above, giving more information about various types of filtering schemes. In addition, there is an analysis of DoS attack specific and anomaly based detection techniques. The twelfth chapter presents the two main IP traceback methods: the probabilistic packet marking and deterministic packet marking methods. There is also a short analysis of these methods, referring to the advantages and disadvantages of each of the two methods. In addition, there is a comparison between the two methods above and other significant filtering schemes. The thirteenth chapter gives a concise presentation of the statistical analysis of DoS attack defense schemes. The fourteenth chapter presents some statistical approaches to DoS attack detection techniques. More specifically, this chapter refers to two detection algorithms: entropy and the Chi-Square Statistic algorithm. The fifteenth chapter analyses the effects of DDoS attacks on the Internet. Some of the most significant DDoS attack incidents worldwide are presented, and there is an overview of some recent surveys on the effects of DDoS attacks on business environments, banking systems and organizations.

Acknowledgements (Ευχαριστίες)

I would like to express my thanks to Dr. Ioannis Stamatiou for proposing the present topic, for his patience and his valuable support, both scientific and moral, throughout the course of this thesis, as well as to the professors of the Master's programme, and especially to Mr. Ioannis Antoniou, Polychronis Moysiadis and Nikolaos Farmakis, for the opportunity they gave me to work on the Semantic Web through the Web Science postgraduate programme at the Aristotle University of Thessaloniki. I would also like to thank my family for their courage, patience and support throughout the present thesis.


Contents

Abstract
Summary
Acknowledgements (Ευχαριστίες)

Chapters
1. Introduction
   The historical timeline
   Definitions
   Vulnerabilities of Internet and DoS Attacks
2. Overview of Networked based attacks
   Passive Attacks
   Active Attacks
3. Overview of Denial of Service Attacks
   Introduction
   Definitions
   Symptoms and manifestations
   Well-Known DoS Attacks
4. Analysis of Denial of Service Attacks
   Crashing attacks
   Bandwidth attacks
   Protocol-based Bandwidth Attacks
      ICMP flood
      Ping of Death
      SSPing
      Smurf
      SYN flood
      Land Exploit
      UDP flood
   Distributed Denial of Service (DDoS) Attacks
   Impacts of Bandwidth Attacks
5. Analysis of DDoS Attacks
   Description of DDoS attacks
   Attack mechanisms
   Types of DDoS attacks
      Typical DDoS Attacks
      Distributed Reflector (DRDoS) attacks
   Comparison of two types of DDoS Attacks
6. Other DoS Attacks
   Peer-to-peer attacks
   Reflected / Spoofed attacks
   Low-rate DoS attacks
   Permanent DoS attacks
   Unintentional DoS attacks
7. Prevention and Response
   Introduction
   Protection on business environments
   Security policies against DoS attacks
   Prevention from DDoS Attacks
8. Prevention and Response tools
   Firewalls
   Switches/routers
   Application front end hardware
   Clean pipe DoS protection services
      Analysis of Clean Pipe DoS protection services
   Black holing/sink holing
   IPS/DDS defense systems
9. Categories of DoS attack defense mechanisms
   Preventive Mechanisms
   Reactive Mechanisms
   Modern Tendencies
10. Overview of DoS Attack Defense schemes
   Attack Prevention
   Attack Detection
      DoS-attack-specific Detection
      Anomaly-based Detection
   Attack Source Identification
   Attack Reaction
   Overview of existing DDoS defense schemes
11. Analysis of Attack defense schemes
   Attack Prevention
      Ingress Filtering
      Router-based Packet Filtering
      Source Address Validity Enforcement Protocol
   Attack Detection
      DoS-attack-specific Detection
      Analysis of DoS-attack-specific detection techniques
      Anomaly-based Detection
      Analysis of anomaly-based DoS detection techniques
   Attack Source Identification
      Active IP Traceback
      Probabilistic IP Traceback
      Hash-based IP Traceback
   Attack Reaction
      Bottleneck Resource Management
   Conclusions
12. Analysis of IP Traceback methods
   Introduction
   Probabilistic Packet Marking (PPM)
   Advantages and disadvantages of PPM method
   Deterministic Packet Marking (DPM)
   Comparison of DPM to full path traceback
   Comparison of DPM to ingress address filtering
   Overview of IP traceback approaches
   Suggestions for research
13. Statistical analysis of DDoS defense schemes
   Introduction
   Analysis of DDoS attack defense schemes
   Detection of a DoS attack
      Classification of traffic
      Passive tests
      Active tests
   Response to an attack
      DoS response in conventional networks
      DoS response in Self-Aware Networks
   Conclusions
14. Statistical Approaches to DDoS Attack Detection
   Introduction
   Detection algorithms
      Entropy
      Chi-Square Statistic
   DDoS detectors
      Entropy Detector
      Chi-Square Detector
   Detectors Evaluation
   Suggestions for research
15. The impact of DDoS attacks on the web
   Overview of serious incidents of DDoS attacks
   Timeline of recent DDoS attacks
   Recent surveys about the impact of DDoS attacks
   Protection of retail banks and DDoS attacks
   Cyber security and organizations
   Latest trends on DDoS attacks
   Conclusions
References

1. Introduction

1.1. The historical timeline

Although DoS attacks have been launched since the beginning of computer networks, they were not considered a significant topic of research until relatively recently [6], when they started harming ISPs, governmental websites and the e-commerce infrastructure. The fact that the Internet operates on old networking protocols with limited provision for security is an advantage for the attackers. Of course, the increase in research interest did provide solutions, which have recently managed to halt the escalation of the DoS phenomenon. Distributed defense techniques have been designed and the majority of DoS attacks can now be countered in networks where some sort of defense has been deployed. Today, attacks have shifted towards economic crime and cyber-warfare, and although less widespread they can be much more harmful [2]. As a result, the new era of DoS research has to produce even more effective solutions with even less overhead in the absence of an attack and as little disruption as possible in the presence of one.

1.2. Definitions

A Denial of Service (DoS) attack aims to stop the service provided by a target. A DoS attack is a malicious attempt by a single person or a group of people to cause the victim, site, or node to deny service to its customers. When this attempt derives from a single host of the network, it constitutes a DoS attack. [22]

A DoS attack can be launched in two forms. The first form is to exploit software vulnerabilities of a target by sending malformed packets that crash the system. The second form is to use massive volumes of useless traffic to occupy all the resources that could service legitimate traffic. When, on the other hand, the traffic of a DoS attack comes from multiple sources, we call it a Distributed Denial of Service (DDoS) attack. In this case, many malicious hosts coordinate to flood the victim with an abundance of attack packets, so that the attack takes place simultaneously from multiple points. [22]

1.3. Vulnerabilities of Internet and DDoS Attacks

There are a few reasons which make DDoS attacks inevitable [5]. First of all, the Internet is designed to keep the intermediate network as simple as possible, optimizing it for packet forwarding. This pushes the complexity to the end hosts and has one unfortunate implication: if one party in a two-way communication misbehaves, it can cause arbitrary damage to its peer, and no one in the intermediate network will step in and stop it, because the Internet is not designed to police traffic. Moreover, Internet security is highly interdependent. At most we can make the victim secure with firewalls and similar measures, but the degree of its susceptibility to DDoS attacks still depends on the state of security in the rest of the global Internet. The limited availability of resources is an additional benefit for DDoS attackers. In addition, accountability is not enforced, which leads to attacks comparable to reflector attacks such as the Smurf attack. Thus there is no way to enforce global deployment of a particular security mechanism.

2. Overview of Networked based attacks

A high-level breakdown of network-based attacks distinguishes Active and Passive attacks [1]. Active attacks include breaking into a site (intelligence gathering, resource usage, deception) and denial of service attacks. Passive attacks, on the other hand, are commonly sniffing (passwords, network traffic, sensitive information) and information gathering attacks. In other words, at the highest level, the preceding attacks can be broken down into two main areas: active and passive.

2.1. Active attacks

Active attacks involve a deliberate action on the part of the attacker to gain access to the information he is after. An example is trying to telnet to port 25 on a given machine to find out information about the mail server that a company is running. An attacker is actively doing something against a site to get in. These attacks are fairly easy to detect, if we are looking for them. However, active attacks often go undetected because companies do not know what to look for or are looking at the wrong thing.

2.2. Passive attacks

Passive attacks, on the other hand, are geared toward gathering information as opposed to gaining access. This is not to say that active attacks cannot gather information or that passive attacks cannot be used to gain access; in most cases, the two types are used together to compromise a site. Unfortunately, most passive attacks do not necessarily involve traceable activity and are therefore much harder to detect. As mentioned before, active attacks are easier to detect and most companies are still missing them; therefore, the chances of detecting a passive attack are almost zero.

3. Overview of Denial of Service attacks

3.1. Introduction

A Denial of Service (DoS) attack is an attack through which a person can render a system unusable or significantly slow it down for legitimate users by overloading its resources so that no one else can access it. This can also result in someone damaging or destroying resources so that they cannot be used. [3] The main aim of DoS attacks is to prevent the victim either from benefiting from a particular service (when the victim is a client) or from providing its services to others (when the victim is a server). Denial of Service attacks can be either deliberate or accidental. They are caused deliberately when an unauthorized user actively overloads a resource, and accidentally when an authorized user unintentionally does something that causes resources to become unavailable. An organization should take precautions to protect a system against both types of Denial of Service attacks. In general, DoS attacks are difficult to prevent and, from an attacker's standpoint, very easy to launch.

To put Denial of Service attacks in perspective, we should examine the three main areas of security: confidentiality, integrity, and availability [1]. Denial of Service attacks are attacks against the third component, availability. Availability is preventing, detecting, or deterring the unauthorized denial of access to information and systems. Restricting access to critical accounts, resources, and files and protecting them from unauthorized users can hinder many DoS attacks.

3.2. Definitions

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. [6] One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers.

3.3. Symptoms and manifestations

The United States Computer Emergency Readiness Team (US-CERT) [23] defines the symptoms of denial-of-service attacks to include:
   Unusually slow network performance (opening files or accessing web sites)
   Unavailability of a particular web site
   Inability to access any web site
   Dramatic increase in the number of spam e-mails received (e-mail bomb)

Denial-of-service attacks can also lead to problems in the network "branches" around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by an attack, compromising not only the intended computer but also the entire network. If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised, without the attacker's knowledge or intent, by incorrectly configured or flimsy network infrastructure equipment.

3.4. Well-known DoS attacks

Some of the most famous documented DoS attacks are the following: [22]

Land: In Land attacks, the attacker sends the victim a TCP SYN packet that contains the same IP address as the source and destination addresses. Such a packet completely locks the victim's system.

SYN Flood: A SYN flood attack exploits the three-way handshake that marks the onset of a TCP connection. [33] The attacker sends an abundance of TCP SYN packets to the victim, obliging it both to open a lot of TCP connections and to respond to them. The attacker then never executes the third step of the three-way handshake, rendering the victim unable to accept any new incoming connections because its queue is full of half-open TCP connections.

Ping of Death: In Ping of Death attacks, the attacker creates a packet that contains more than 65,536 bytes, which is the limit that the IP protocol defines. This packet can cause different kinds of damage to the machine that receives it, such as crashing and rebooting.

Smurf Attack: In a "smurf" attack, the victim is flooded with Internet Control Message Protocol (ICMP) "echo-reply" packets. [21] The attacker sends numerous ICMP "echo-request" packets to the broadcast address of many subnets. These packets contain the victim's address as the source IP address. Every machine that belongs to any of these subnets responds by sending ICMP "echo-reply" packets to the victim. Smurf attacks are very dangerous, because they are strongly distributed attacks.

UDP Storm: In a User Datagram Protocol (UDP) connection, a character generation ("chargen") service generates a series of characters each time it receives a UDP packet, while an echo service echoes any character it receives. [3] Exploiting these two services, the attacker sends a packet whose source is spoofed to be that of the victim to another machine. The echo service of that machine echoes the data of the packet back to the victim's machine, and the victim's machine in turn responds in the same way. Hence, a constant stream of useless load is created that burdens the network.

The impact of these attacks is catastrophic, especially when the victims are not individuals but companies.
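As an added example (not part of the thesis), the following Python checks turn three of the signatures above into detection rules a network sensor could apply to packet header records: Land (source equals destination on a SYN), UDP storm (a datagram between the echo and chargen ports) and SYN flood (half-open SYNs to one destination above a threshold). The packet records, the addresses and the threshold of 50 are constructed sample values, not data from the thesis.

```python
"""Added example: flag Land, UDP storm and SYN flood signatures in a
constructed list of packet header records (src, dst, proto, sport, dport,
flags). Thresholds and addresses are assumptions for the sample."""
from collections import Counter

# Ports of the two UDP services a UDP storm bounces traffic between.
ECHO_PORT, CHARGEN_PORT = 7, 19
LOOP_PORTS = {ECHO_PORT, CHARGEN_PORT}

# Assumed threshold: more unacknowledged SYNs than this to one
# destination within the sample is treated as a SYN flood.
SYN_FLOOD_THRESHOLD = 50


def is_land(pkt):
    """Land: a TCP SYN whose source and destination address are identical."""
    return (pkt["proto"] == "tcp" and "S" in pkt.get("flags", "")
            and pkt["src"] == pkt["dst"])


def is_udp_storm(pkt):
    """UDP storm: a UDP datagram between two echo/chargen service ports,
    which can only bounce between the two services indefinitely."""
    return (pkt["proto"] == "udp"
            and pkt["sport"] in LOOP_PORTS and pkt["dport"] in LOOP_PORTS)


def syn_flood_victims(packets, threshold=SYN_FLOOD_THRESHOLD):
    """Return (dst, dport) pairs receiving more than `threshold` half-open
    SYNs. A SYN is half-open when no later ACK (third handshake step)
    from the same source to the same destination is seen."""
    syns = Counter()
    acked = set()
    for pkt in packets:
        if pkt["proto"] != "tcp":
            continue
        flags = pkt.get("flags", "")
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if flags == "S":
            syns[key] += 1
        elif "A" in flags and "S" not in flags:
            acked.add(key)
    per_victim = Counter()
    for (src, dst, dport), n in syns.items():
        if (src, dst, dport) not in acked:
            per_victim[(dst, dport)] += n
    return {victim for victim, n in per_victim.items() if n > threshold}


def classify(packets):
    """Run all checks; return finding name -> evidence."""
    findings = {"land": [], "udp_storm": [], "syn_flood": []}
    for pkt in packets:
        if is_land(pkt):
            findings["land"].append(pkt)
        if is_udp_storm(pkt):
            findings["udp_storm"].append(pkt)
    findings["syn_flood"] = sorted(syn_flood_victims(packets))
    return findings


def sample_packets():
    """Constructed sample traffic (documentation address ranges)."""
    pkts = [
        # Land: source equals destination on a SYN.
        {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp",
         "sport": 80, "dport": 80, "flags": "S"},
        # UDP storm: chargen on one host bounced to echo on the victim.
        {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "udp",
         "sport": CHARGEN_PORT, "dport": ECHO_PORT},
        # A normal, completed handshake from a legitimate client.
        {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp",
         "sport": 40000, "dport": 80, "flags": "S"},
        {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp",
         "sport": 40000, "dport": 80, "flags": "A"},
    ]
    # SYN flood: 60 half-open SYNs from spoofed sources, never acknowledged.
    for i in range(60):
        pkts.append({"src": f"198.51.100.{100 + i % 50}", "dst": "192.0.2.10",
                     "proto": "tcp", "sport": 1024 + i, "dport": 80,
                     "flags": "S"})
    return pkts


if __name__ == "__main__":
    for name, evidence in classify(sample_packets()).items():
        print(f"{name}: {len(evidence)} finding(s)")
```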
DDoS attacks prevent victims either from using the Internet or from being reached by other people. Consequently, when the victim is an ISP, the results of such an attack are far more severe: the ISP's clients will not be served. E-business is also at the top of the "hit list"; being offline for a few hours could result in the loss of large sums of money for an ISP.

4. Analysis of Denial of Service Attacks

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general types of DoS attacks [3]: those that crash services and those that flood services. It is important to note that both of these attacks can be launched from a local system or over a network.

4.1. Crashing attacks

The first type of DoS attack involves crashing a system or network and aims to disrupt the services provided by the victim by exploiting a software vulnerability of the system. If an attacker can send a victim data or packets it is not expecting, and this causes the system to either crash or reboot, then in essence the attacker has performed a Denial of Service attack, because no one will be able to get to the resources. From an attacker's standpoint, the appeal of these attacks is that a system can be rendered inaccessible with a couple of packets. In most cases, getting the system back online requires intervention from an administrator to reboot or power off the system. This first type of attack is therefore the most damaging, because it requires little effort to perform and human intervention to fix.

4.2. Bandwidth attacks

The second type of attack involves flooding the system or network with so much information that it cannot respond. This type of DoS attack is based on the volume of traffic, and is known as a bandwidth attack. A bandwidth attack can be defined as any activity that aims to disable the services provided by the victim by sending an excessive volume of useless traffic. With this attack, the attacker has to constantly flood the system with packets; once the attacker stops flooding the system, the attack is over and the machine resumes operation. This type of attack requires a lot more energy on the part of the attacker, who has to keep actively flooding the system. In some cases this type of attack could crash the machine, but in most cases recovering from it requires minimal human intervention. Bandwidth attacks are classified according to the way the attack power is magnified [3]. The first category is protocol-based bandwidth attacks, which take advantage of the Internet protocols. The second category is DDoS attacks, which amplify attack power using a large number of distributed attack sources. In practice, a real attack can belong to both of these categories at the same time.

Protocol-based Bandwidth Attacks

The protocol bandwidth attack can normally be launched effectively from a single attack source. Its attack power is based on the weaknesses of the Internet protocols. It can be broadly categorized into ICMP flood, SYN flood and UDP flood attacks.

ICMP flood

An ICMP flood is a type of bandwidth attack that uses ICMP packets. The Internet Control Message Protocol (ICMP) is based on the IP protocol and is used to diagnose network status. [1] ICMP is used to handle errors and exchange control messages, and it can be used to determine whether a machine on the Internet is responding. [21] To do this, an ICMP echo request packet is sent to a machine; if the machine receives that packet, it returns an ICMP echo reply packet. A common implementation of this process is the "ping" command, which is included with many operating systems and network software packages. ICMP is used to convey status and error information, including notification of network congestion and of other network transport problems, and it can be a valuable tool in diagnosing host or network problems. [34]

On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, it is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic). IP broadcast addresses are usually network addresses with the host portion of the address having all one bits. For example, the IP broadcast address for the network is . If we have subnetted our class A network into 256 subnets, the IP broadcast address for the subnet would be . Network addresses with all zeros in the host portion, such as , can also produce a broadcast response. [19]

An IP broadcast address is a single address used to send a packet to all hosts on a network segment. This is done by making the host portion of an IP address all ones; a packet to this address is then delivered to all machines on the network. If there are a large number of machines on a network segment, using a broadcast address consumes a lot of network bandwidth, because the system generates individual packets for each machine on that segment. [21]

Ping flood attacks are based on sending the victim an overwhelming number of ping (ICMP echo request) packets, usually with the "ping" command on Unix-like hosts. The attack is very simple to launch; its primary requirement is that the attacker has more bandwidth available than the victim, since every request also provokes a reply from the victim. [34]

Ping of Death

A Ping of Death attack involves sending an oversized ICMP (ping) packet to a host. It is a network-level attack whose goal is to deny service to that host. [1] The attacker sends a ping whose fragments, once reassembled, exceed the maximum IPv4 datagram size of 65,535 bytes. Many older TCP/IP implementations did not check the reassembled length before copying the fragments into a fixed-size buffer, so the oversized datagram overflowed that buffer and caused the operating system to hang or crash. [21] The best fix is to apply the latest patch from the vendor, which makes the stack reject such datagrams. [1] If patching is not an option, or additional protection is desired, oversized or fragmented ping packets can be blocked at routers or firewalls so that they never reach the victim's machine.

SSPing

An SSPing attack sends a series of highly fragmented, oversized ICMP packets. [1] If a machine sends a packet larger than the MTU of a link on the path, one of the routers that handles it (or the sending host itself) splits it into smaller pieces so that it can be forwarded; the destination host collects the pieces and puts them back together. This process, called fragmentation, happens all the time on the Internet. The SSPing program sends the victim a stream of highly fragmented, oversized ICMP packets, and the receiving computer locks up when it tries to reassemble them: every fragment requires the TCP/IP stack to keep additional bookkeeping state until the whole datagram has arrived. [21] If the stack does not bound that state properly, tracking and reassembling many such datagrams exhausts memory and the machine stops responding. Usually only a few packets are needed, so the victim locks up almost instantaneously; when the victim reboots, the connection with the attacker is lost, so the attacker can often remain anonymous. The attack mainly affected Microsoft operating systems, and the only protection is to install the vendor's latest patches; Microsoft fixed it by updating its TCP/IP stack.
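Both attacks above abuse the reassembly step, so the check a hardened stack performs is worth seeing in code. The following is an added example, not code from the thesis or from any operating system: a small IPv4 fragment reassembler that rejects a datagram whose reassembled size would exceed 65,535 bytes (Ping of Death) and caps the reassembly state one datagram may consume (the SSPing pattern). The fragment builder fabricates test packets in memory; the per-datagram fragment cap is a design choice of this example, not a protocol constant.

```python
"""
Added example: a bounds-checked IPv4 fragment reassembler.  Ping of death
(a reassembled datagram larger than 65,535 bytes) and SSPing-style floods of
tiny fragments both abuse reassembly, so the reassembled size is checked before
anything is buffered and the state kept per datagram is capped.
Nothing here touches the network; fragments are constructed test data.
"""
import struct
from typing import Dict, List, Tuple

IP_MAX_DATAGRAM = 65535            # the 16-bit total-length field bounds every legal datagram
MAX_FRAGMENTS_PER_DATAGRAM = 64    # assumed cap on per-datagram state (a choice of this example)
IP_HEADER = "!BBHHHBBH4s4s"        # ver/IHL, TOS, total len, id, flags+offset, TTL, proto, csum, src, dst


def build_fragment(ident: int, offset_units: int, more: bool, payload: bytes,
                   src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Fabricate one IPv4 fragment carrying ICMP (protocol 1).  Constructed test data only."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)   # MF bit + 13-bit offset (8-byte units)
    header = struct.pack(IP_HEADER, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return header + payload


def parse_fragment(packet: bytes) -> Tuple[tuple, int, int, bool]:
    """Return (datagram key, byte offset, payload length, more-fragments flag)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(IP_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    return (src, dst, ident, proto), offset, total_len - ihl, bool(flags_frag & 0x2000)


class Reassembler:
    """Tracks fragments per datagram and refuses the two abuse patterns."""

    def __init__(self) -> None:
        self.pieces: Dict[tuple, List[Tuple[int, int]]] = {}   # key -> [(start, end)] payload ranges seen
        self.final_end: Dict[tuple, int] = {}                  # key -> total length, known once MF=0 arrives

    def offer(self, packet: bytes) -> str:
        key, offset, length, more = parse_fragment(packet)
        # Ping of death: validate the *reassembled* size before buffering anything.
        if offset + length > IP_MAX_DATAGRAM:
            self._discard(key)
            return "drop:oversize"
        pieces = self.pieces.setdefault(key, [])
        # SSPing-style floods: bound the state a single datagram may consume.
        if len(pieces) >= MAX_FRAGMENTS_PER_DATAGRAM:
            self._discard(key)
            return "drop:too-many-fragments"
        pieces.append((offset, offset + length))
        if not more:
            self.final_end[key] = offset + length
        return "complete" if self._covers_all(key) else "pending"

    def _covers_all(self, key: tuple) -> bool:
        if key not in self.final_end:
            return False
        end = 0
        for start, stop in sorted(self.pieces[key]):   # merge ranges left to right
            if start > end:
                return False                            # a hole remains
            end = max(end, stop)
        return end == self.final_end[key]

    def _discard(self, key: tuple) -> None:
        self.pieces.pop(key, None)
        self.final_end.pop(key, None)


def demo() -> Dict[str, List[str]]:
    """Three constructed fragment streams: a normal ping, a ping of death, an SSPing-style storm."""
    r = Reassembler()
    results: Dict[str, List[str]] = {}
    # 1. A legitimate 1580-byte echo request split in two (1480 bytes, then a 100-byte tail at offset 185*8).
    results["normal"] = [r.offer(build_fragment(1, 0, True, b"A" * 1480)),
                         r.offer(build_fragment(1, 185, False, b"B" * 100))]
    # 2. Ping of death: the final fragment sits at byte offset 65520 and would push the total to 66520.
    results["ping_of_death"] = [r.offer(build_fragment(2, 0, True, b"A" * 1480)),
                                r.offer(build_fragment(2, 8190, False, b"C" * 1000))]
    # 3. SSPing style: a storm of 8-byte fragments for one datagram that never completes.
    results["ssping"] = [r.offer(build_fragment(3, i, True, b"D" * 8))
                         for i in range(MAX_FRAGMENTS_PER_DATAGRAM + 1)]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts[-1])
```

The oversize test is deliberately placed before any allocation: the whole point of the patched stacks was to stop trusting the fragment offsets and lengths until the arithmetic had been checked against the 65,535-byte limit.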

Smurf attacks

Smurf attacks are a type of ICMP flood in which the attacker sends ICMP echo request packets to IP broadcast addresses from a remote location in order to generate a denial of service. Smurf is a network-level attack whose goal is to deny service to hosts. [19] It is one particular variant of a flooding DoS attack on the public Internet, and it has two main components: forged ICMP echo request packets, and the direction of those packets to IP broadcast addresses. [34] Every machine on the broadcast network receives the request and replies to the source address that the attacker forged. Three parties are therefore involved: the attacker, the intermediary (the network whose broadcast address the packets are sent to) and the victim (the owner of the forged source IP address). The intermediary can be a victim as well, because when all of its machines reply to the forged address they can generate enough packets to use up all the bandwidth of the intermediary's own network. [1]

To start a Smurf attack, the attacker generates an ICMP echo request (a ping) with a forged source address and a broadcast address as the destination. The intermediary's router forwards the request onto the segment as a broadcast, every machine on the segment answers with an ICMP echo reply, and the volume of replies alone can degrade or deny service on that segment. The attacker does not use the address of his own machine as the source; the forged packets carry the spoofed source address of the intended victim instead, so when all the machines at the intermediary's site respond, they send their replies to the victim's machine. [3] The victim is subjected to network congestion that can make its network unusable, and a single request from the attacker is multiplied by the number of hosts on the intermediary's segment, which is what makes the attack so cheap to launch. Even though the intermediary is not labelled the "victim" here, it can suffer exactly the same problems. To sum up, Smurf attacks use forged ICMP packets to cause a denial of service: the perpetrator sends large numbers of packets with the source address faked to be that of the victim, the network's bandwidth is quickly used up, and legitimate packets cannot get through to their destination.

The Smurf attack's cousin is called Fraggle; it uses UDP echo packets in the same fashion as the ICMP echo packets. [34] The machines most commonly hit have been IRC servers and their providers, but because Smurf is a bandwidth attack it affects almost any device that processes packets.

As for protection [1], the most common measure is to ensure that our own systems cannot be used as an amplifier against another victim. This is achieved by turning off replies to ICMP echo requests sent to broadcast addresses. Blocking all ICMP, though, breaks things IPv4 depends on, such as path MTU discovery, which relies on ICMP "fragmentation needed" messages, so the filtering should be specific rather than blanket. One solution to prevent our site from being used as an intermediary is to disable IP-directed broadcasts at our border router, so that the router refuses to forward broadcast traffic onto our network from other networks. Some operating systems can also be configured not to respond to ICMP echo requests sent to IP broadcast addresses, which stops our hosts from acting as amplifiers even if a directed broadcast does get through. We could also block ICMP echo reply traffic at the victim's router; however, that does not relieve congestion on the link between the victim's router and the victim's Internet service provider, because the replies have already crossed that link by the time they are dropped. Victims receiving this traffic may therefore need to ask their ISP to block it temporarily inside the ISP's network.

SYN flood

In order to describe the SYN flood attack, we first need to define several aspects of TCP connections. We call the side that initiates a TCP connection the client, and the side that receives the connection request the server. At the beginning of each TCP connection the client negotiates with the server to set up the connection through a fixed sequence of messages known as the three-way handshake. [1] First, the client sends a SYN packet to the server, requesting a connection. The server responds with a SYN-ACK packet and stores the request in its backlog queue of half-open connections (sometimes referred to as the memory stack). On receiving the SYN-ACK, the client confirms the request with an ACK packet. When the server receives the ACK, it looks in the backlog queue to see whether this packet confirms an existing request; if it does, the server removes the entry from the queue, the connection between client and server is open, and service-specific data can be exchanged.

The potential for abuse arises at the point where the server has sent the SYN-ACK back to the client but has not yet received the final ACK: this is what is meant by a half-open connection. [19] The server keeps in memory a data structure describing all pending connections. This structure is of finite size, and it can be filled up by intentionally creating too many partially opened connections, which is easy to do with IP spoofing. The half-open connections saturate the number of connections the server can hold, preventing it from accepting legitimate requests until the attack ends.

The SYN flood exploits a weakness in TCP itself and is one of the most powerful and commonly seen attacks on the Internet. During a SYN flood the attacker sends SYN packets whose source IP addresses do not exist or are not in use. [21] Each packet is handled like a connection request: the server creates a half-open entry, sends back a SYN-ACK and waits for the final ACK from the (forged) sender address. Because that address is forged, the ACK never comes. An entry remains in the backlog queue until it is confirmed or times out, and since the spoofed sources never confirm, more and more entries accumulate until the queue is full. [3] From then on no new request, including legitimate ones, can be processed, and the service is effectively disabled. The backlog allocated by the operating system is generally small, so even a small-scale SYN flood can be dangerous. The attacker's location is obscured because the source addresses are typically set to addresses that are currently not online. [2] An address that is online would answer the unexpected SYN-ACK with a TCP reset, which would free the half-open entry, so the attacker deliberately picks unreachable ones; and because the source is spoofed, there is no way to identify the true attacker from the packets arriving at the victim. SYN floods exploit the basic structure of TCP/IP and cannot be stopped by modifying the TCP protocol, since any such modification would damage TCP's core functionality. There are, however, several ways to lessen the effect of a SYN flood by changing how the host reacts to it. [33] The three most common are:
1. to increase the size of the TCP backlog queue for half-open connections,
2. to decrease the time for which the TCP stack keeps half-open connections, and
3. to enable SYN cookies.
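The third option deserves a worked example, because it is the only one of the three that removes the finite data structure the attack targets instead of just enlarging or draining it. The following is an added example, not code from the thesis or from the Linux or Solaris implementations it cites: the server folds everything it needs to finish the handshake into the 32-bit initial sequence number of its SYN-ACK, keeps no half-open entry, and verifies the value when (and only when) a final ACK comes back. The bit layout, the small MSS table, the 64-second tick, the one-tick acceptance window and the use of HMAC-SHA256 are choices of this example; real kernels use the same idea with their own hash and layout.

```python
"""
Added example: SYN cookies as a stateless replacement for the half-open backlog.
Cookie layout used here (one choice among several; Linux differs in detail):
  bits 31-27  low 5 bits of a 64-second time counter
  bits 26-24  index into a small table of MSS values the client asked for
  bits 23-0   truncated HMAC over (src, dst, sport, dport, counter, client ISN)
"""
import hashlib
import hmac
import struct
from typing import Optional

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values that survive the 3-bit encoding (assumed table)
COOKIE_TICK = 64                      # seconds per counter tick
MAX_COOKIE_AGE_TICKS = 1              # accept cookies from the current and the previous tick only
SECRET = b"per-host-secret-rotated-at-boot"   # placeholder; a real host draws this from its RNG


def _counter(now: int) -> int:
    return now // COOKIE_TICK


def _mac24(src: str, dst: str, sport: int, dport: int, count: int, client_isn: int) -> int:
    """24-bit keyed MAC binding the cookie to the 4-tuple, the time slot and the client's ISN."""
    msg = struct.pack("!4s4sHHII", bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
                      sport, dport, count & 0xFFFFFFFF, client_isn & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src: str, dst: str, sport: int, dport: int, client_isn: int, mss: int, now: int) -> int:
    """Server side, on a SYN: the ISN to put in the SYN-ACK.  No state is stored, so a
    spoofed SYN whose ACK never arrives costs the server nothing."""
    count = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, count, client_isn)


def check_syn_cookie(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, now: int) -> Optional[int]:
    """Server side, on a bare ACK with no backlog entry.  `seq` is the ACK's sequence number
    (client ISN + 1) and `ack` its acknowledgement number (cookie + 1).  Returns the MSS
    recovered from the cookie when it verifies, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie_t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    presented = (cookie & 0xFFFFFF).to_bytes(3, "big")
    cur = _counter(now)
    for age in range(MAX_COOKIE_AGE_TICKS + 1):      # try the current tick, then the previous one
        count = cur - age
        if (count & 0x1F) != cookie_t:
            continue
        expected = _mac24(src, dst, sport, dport, count, client_isn).to_bytes(3, "big")
        if hmac.compare_digest(expected, presented):   # constant-time comparison
            return MSS_TABLE[mss_idx]
    return None


def demo() -> dict:
    """Four constructed handshakes: one legitimate, three that must be refused."""
    src, dst, sport, dport = "198.51.100.7", "203.0.113.80", 40000, 80
    client_isn, now = 0x11223344, 1_700_000_000
    # 1. Legitimate client: SYN -> SYN-ACK(isn=cookie) -> ACK(seq=client_isn+1, ack=cookie+1), same tick.
    cookie = make_syn_cookie(src, dst, sport, dport, client_isn, 1460, now)
    legit = check_syn_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, now + 10)
    # 2. Attacker guessing at the cookie without having seen the SYN-ACK.
    forged = check_syn_cookie(src, dst, sport, dport, client_isn + 1, (cookie ^ 0x5A5A) + 1, now + 10)
    # 3. A genuine cookie replayed three ticks later: outside the window.
    stale = check_syn_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, now + 3 * COOKIE_TICK)
    # 4. A genuine cookie presented from a different source address.
    moved = check_syn_cookie("198.51.100.8", dst, sport, dport, client_isn + 1, cookie + 1, now + 10)
    return {"legit_mss": legit, "forged": forged, "stale": stale, "moved": moved}


if __name__ == "__main__":
    print(demo())
```

The cost of the scheme is visible in the layout: only three bits are left for the options the client sent, which is why kernels fall back to a coarse MSS table and lose window scaling and SACK on cookie-validated connections unless they recover them some other way. That is also why SYN cookies are normally switched on only once the backlog is full rather than used for every connection.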

Currently, there is no generally accepted solution to this problem within the existing IP protocol technology. However, proper router or firewall configuration can reduce the likelihood that our site will be the source of one of these attacks. [19] A router or firewall can also blunt the attack by allowing only a limited number of half-open connections to be active at any given time. This approach is not perfect, because legitimate users' requests can still be blocked; it merely reduces the chance of the destination machine collapsing. Running netstat on the server and looking for a large number of connections in the SYN_RECV (half-open) state is a simple way to detect such an attack. Linux and Solaris implement a solution to SYN flooding known as SYN cookies. [33] Once a machine's queue starts filling up with half-open connections, it stops storing the request information and instead encodes it in the initial sequence number of its SYN-ACK, computed as a keyed function of the client's address and port, the server's address and port and a coarse timestamp. A legitimate client returns that sequence number plus one in its final ACK, from which the server can verify the cookie and rebuild the connection state; spoofed SYNs that are never acknowledged cost the server nothing.

Land Exploit attacks

A Land attack is a DoS attack in which a program sends a TCP SYN packet whose source and destination addresses are the same and whose source and destination port numbers are the same. The land program was used to launch denial of service attacks against various TCP implementations: it sends a TCP SYN packet (the first part of the three-way handshake) with identical source and destination addresses and identical source and destination ports. [1] IP packets carry information across the Internet, including the addresses of the sender and the recipient; the TCP header carried inside the packet contains the port numbers that identify which service the segment is meant for. The four key fields are therefore the source address, source port number, destination address and destination port number. Together these four values are also referred to as a socket pair, because that is what is needed to make a connection to a remote host. The destination port number also indicates which application protocol is being used (for example, port 80 for HTTP). Under normal circumstances the source and destination address and the source and destination port differ, [2] and IP works as designed. Unfortunately, when packets contain unconventional information, some TCP/IP stacks do not know how to handle it and crash. One such case is when the source and destination addresses and the source and destination ports are set to the same values. Some TCP/IP implementations are vulnerable to SYN packets in which the source address and port equal the destination address and port; to produce such a packet, the attacker has to spoof both the source address and the source port. The properties of a Land attack are thus: [1] the source and destination address have the same value, and the source and destination port numbers have the same value.

TCP is a reliable, connection-oriented protocol operating at layer 4, the transport layer. Because TCP provides reliable delivery, it requires a three-way handshake to initiate new connections. [3] When a new connection is opened, SYN packets are used to synchronize the two machines; they are ordinary segments with the SYN bit set, which marks them as the first packets of a new connection. Because a Land attack occurs when a new session is opened, attackers use SYN packets. To attack a machine with the land exploit, the attacker sends it a packet opening a new connection in which the source address and port have been spoofed to equal the destination address and port. The destination machine receives the packet and replies to the source address and port, that is, to itself; vulnerable implementations crash or hang because they do not know how to handle a connection attempt that appears to come from themselves.

As for protection, the easiest way to defend against this attack is to apply the latest patches from our vendor. If that is not an option, there is a workaround. [21] A packet coming into our network from the Internet should never carry a source address belonging to our internal network, because packets that originate internally never arrive on the external interface of our router. Our router can therefore block all incoming packets whose source address matches an address on our internal network, which drops Land packets aimed at internal hosts along with other spoofed traffic.
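The router-side measures in this chapter (refusing IP-directed broadcasts, covered under the Smurf attack above, and refusing inbound packets with internal source addresses, the Land workaround just described) and the host-side measures (not answering echo requests sent to a broadcast address, and rejecting the Land signature itself) are all stateless checks on a few header fields, so they fit in one filter. The following is an added example, not a ruleset from the thesis or from any router vendor; the two internal subnets, the packet model and the sample packets are constructed for the demonstration.

```python
"""
Added example: stateless ingress checks for a border router and for an end host.
Border: drop directed broadcasts into our subnets (no Smurf/Fraggle amplification
through us) and drop packets from outside that claim an internal source (which
also stops Land packets aimed at our hosts).  Host: ignore echo requests sent to
a broadcast address and drop the Land signature, the checks that still matter
when the attacker is already inside.  Subnets and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed site addressing: a class A network subnetted into /16s, two of which are ours.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "10.51.0.0/16")]
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    sport: Optional[int] = None      # TCP/UDP source port
    dport: Optional[int] = None      # TCP/UDP destination port
    syn: bool = False                # TCP SYN flag
    icmp_type: Optional[int] = None  # ICMP type, when proto == "icmp"


def is_directed_broadcast(dst: str) -> bool:
    """True for the all-ones host address of any of our subnets, and for the all-zeros
    form, which older stacks also answer."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.broadcast_address, net.network_address) for net in INTERNAL_SUBNETS)


def is_internal(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_SUBNETS)


def is_land_packet(pkt: Packet) -> bool:
    """The Land signature: a TCP SYN whose source and destination address and port coincide."""
    return pkt.proto == "tcp" and pkt.syn and pkt.src == pkt.dst and pkt.sport == pkt.dport


def border_verdict(pkt: Packet) -> str:
    """Decision for a packet arriving on the router's external interface."""
    if is_internal(pkt.src):
        return "drop:spoofed-internal-source"   # our addresses never legitimately arrive from outside
    if is_directed_broadcast(pkt.dst):
        return "drop:directed-broadcast"        # the effect of disabling IP-directed broadcasts
    if is_land_packet(pkt):
        return "drop:land"                      # defence in depth for transit traffic
    return "accept"


def host_verdict(pkt: Packet) -> str:
    """Checks an end host on one of our subnets applies to whatever it receives,
    whether or not the packet ever crossed the border."""
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_directed_broadcast(pkt.dst):
        return "ignore:broadcast-echo"          # refuse to act as a Smurf amplifier
    if is_land_packet(pkt):
        return "drop:land"
    return "accept"


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed packets for each case; returns (border verdict, host verdict) per case."""
    cases = {
        # Smurf request from outside: forged source is the real victim, destination is our broadcast.
        "smurf_all_ones": Packet("192.0.2.99", "10.50.255.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
        # The all-zeros form of the same broadcast address.
        "smurf_all_zeros": Packet("192.0.2.99", "10.50.0.0", "icmp", icmp_type=ICMP_ECHO_REQUEST),
        # Land packet from the Internet against an internal host: the anti-spoofing rule catches it first.
        "land_from_outside": Packet("10.50.1.5", "10.50.1.5", "tcp", 139, 139, syn=True),
        # Land packet sent by a compromised internal host: never crosses the border, only the host check helps.
        "land_from_inside": Packet("10.51.7.7", "10.51.7.7", "tcp", 445, 445, syn=True),
        # An ordinary inbound connection attempt.
        "legit_syn": Packet("198.51.100.3", "10.50.1.5", "tcp", 40000, 80, syn=True),
    }
    return {name: (border_verdict(p), host_verdict(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:18s} border={verdicts[0]:30s} host={verdicts[1]}")
```

The anti-spoofing rule is checked first on purpose: it is the one rule that does not care what the packet contains, so it catches Land, spoofed SYN floods and any other attack that forges one of our own addresses before the more specific signatures are consulted.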
However, this ingress filtering does not protect against an attacker who breaks into an internal host and launches the attack against another internal host.

UDP flood

The User Datagram Protocol (UDP) is a connectionless protocol without flow control, i.e. there is no built-in mechanism for sender and receiver to adapt their rate to changing network conditions. The UDP flood is a type of bandwidth attack that uses UDP packets. [3] Since UDP has no flow control, when congestion occurs neither legitimate nor attack flows reduce their sending rates, so the victim cannot tell an attack source from a legitimate one just by looking at a source's sending rate. Moreover, unlike TCP, UDP has no handshake before data is sent, so UDP traffic is easier to spoof without the victim noticing. [1] In the classic form of the attack, the attacker sends a UDP packet to victim 1, claiming to be from victim 2, requesting the echo service. Since victim 1 does not know this is a spoofed


More information

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS , pp-29-33 Available online at http://www.bioinfo.in/contents.php?id=55 A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS SHUCHI JUYAL 1 AND RADHIKA PRABHAKAR 2 Department of Computer Application,

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

More information

Chapter 28 Denial of Service (DoS) Attack Prevention

Chapter 28 Denial of Service (DoS) Attack Prevention Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network. DDoS Basics Introduction Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol 1 (IP) address. This paper will explain,

More information

Announcements. No question session this week

Announcements. No question session this week Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities

More information

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business & Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright

More information

Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq. Security Management by NETASQ Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

More information

How To Prevent DoS and DDoS Attacks using Cyberoam

How To Prevent DoS and DDoS Attacks using Cyberoam How To Prevent DoS and DDoS Attacks using Cyberoam How To Prevent DoS and DDoS Attacks using Cyberoam Applicable Version: 10.00 onwards Overview Denial of Service (DoS) A Denial of Service (DoS) attack

More information

How To Defend Against A Distributed Denial Of Service Attack (Ddos)

How To Defend Against A Distributed Denial Of Service Attack (Ddos) International Journal of Science and Modern Engineering (IJISME) Survey on DDoS Attacks and its Detection & Defence Approaches Nisha H. Bhandari Abstract In Cloud environment, cloud servers providing requested

More information

Content Distribution Networks (CDN)

Content Distribution Networks (CDN) 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the

More information

Security: Attack and Defense

Security: Attack and Defense Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing

More information

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers Abstract Hang Chau DoS/DDoS attacks are a virulent, relatively new type of Internet attacks, they have caused some biggest web

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Networks: IP and TCP. Internet Protocol

Networks: IP and TCP. Internet Protocol Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments

More information

CMS Operational Policy for Firewall Administration

CMS Operational Policy for Firewall Administration Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Firewall Administration July 16, 2008 Document Number: CMS-CIO-POL-INF11-01

More information

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

More information

Network Security - DDoS

Network Security - DDoS Network Security - DDoS What is computer network security and why is important Types and Strategies of DDoS Attacks DDoS Attack Prevention Conclusion What is Network Security Network Security is a huge

More information

A Very Incomplete Diagram of Network Attacks

A Very Incomplete Diagram of Network Attacks A Very Incomplete Diagram of Network Attacks TCP/IP Stack Reconnaissance Spoofing Tamper DoS Internet Transport Application HTTP SMTP DNS TCP UDP IP ICMP Network/Link 1) HTML/JS files 2)Banner Grabbing

More information

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks Distributed Denial of Service Attacks Felix Lau Simon Fraser University Burnaby, BC, Canada V5A 1S6 fwlau@cs.sfu.ca Stuart H. Rubin SPAWAR Systems Center San Diego, CA, USA 92152-5001 srubin@spawar.navy.mil

More information

How To Stop A Ddos Attack On A Website From Being Successful

How To Stop A Ddos Attack On A Website From Being Successful White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service

More information

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE 51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;

More information

Network Threats and Vulnerabilities. Ed Crowley

Network Threats and Vulnerabilities. Ed Crowley Network Threats and Vulnerabilities Ed Crowley Objectives At the end of this unit, you will be able to describe and explain: Network attack terms Major types of attacks including Denial of Service DoS

More information

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME Don t let a DDoS attack bring your online business to a halt we can protect any server in any location DON T GET STUCK ON THE ROAD OF

More information

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

Yahoo Attack. Is DDoS a Real Problem?

Yahoo Attack. Is DDoS a Real Problem? Is DDoS a Real Problem? Yes, attacks happen every day One study reported ~4,000 per week 1 On a wide variety of targets Tend to be highly successful There are few good existing mechanisms to stop them

More information

Analysis and optimization of Cloud software in shared environment with adaptive resource allocation

Analysis and optimization of Cloud software in shared environment with adaptive resource allocation NATIONAL TECHNICAL UNIVERSITY OF ATHENS SCHOOL OF ELECTRICAL AND COMPUTER ENGINEERING COMPUTING SCIENCE DIVISION COMPUTING SYSTEMS LABORATORY Analysis and optimization of Cloud software in shared environment

More information

On the Deficiencies of Active Network Discovery Systems

On the Deficiencies of Active Network Discovery Systems On the Deficiencies of Active Network Discovery Systems Ofir Arkin Chief Technology Officer Insightix Copyright 2012 - All Rights Reserved. This material is proprietary of Insightix. Any unauthorized

More information

Voice Over IP (VoIP) Denial of Service (DoS)

Voice Over IP (VoIP) Denial of Service (DoS) Introduction Voice Over IP (VoIP) Denial of Service (DoS) By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Denial of Service (DoS) is an issue for any IP network-based

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

General Network Security

General Network Security 4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those

More information

VALIDATING DDoS THREAT PROTECTION

VALIDATING DDoS THREAT PROTECTION VALIDATING DDoS THREAT PROTECTION Ensure your DDoS Solution Works in Real-World Conditions WHITE PAPER Executive Summary This white paper is for security and networking professionals who are looking to

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

How To Defend Against A Ddos Attack On A Web Server

How To Defend Against A Ddos Attack On A Web Server [main] Hello, My name is Kanghyo Lee, I m a member of infosec. Today, I am here to present about A taxonomy of DDoS attack and DDoS defense mechanisms. [index] this is the procedure of my presentation

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy. Master of Technology. Computer Science and Engineering

Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy. Master of Technology. Computer Science and Engineering Mitigation of DDoS Attack using a Probabilistic Approach & End System based Strategy A thesis submitted in partial fulfillment of the requirements for the degree of Master of Technology in Computer Science

More information

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS : DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

A Seminar Report on Denial of Service Attack

A Seminar Report on Denial of Service Attack A Seminar Report on Denial of Service Attack Submission Date: October 18, 2011 Prepared by: Ram Chandra Bhushan M.Tech (ICT) 10IT61B07 IIT Kharagpur Attack: Is anything which imposes the harm on the system.

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

DDoS Attack and Defense: Review of Some Traditional and Current Techniques

DDoS Attack and Defense: Review of Some Traditional and Current Techniques 1 DDoS Attack and Defense: Review of Some Traditional and Current Techniques Muhammad Aamir and Mustafa Ali Zaidi SZABIST, Karachi, Pakistan Abstract Distributed Denial of Service (DDoS) attacks exhaust

More information

A Layperson s Guide To DoS Attacks

A Layperson s Guide To DoS Attacks A Layperson s Guide To DoS Attacks A Rackspace Whitepaper A Layperson s Guide to DoS Attacks Cover Table of Contents 1. Introduction 2 2. Background on DoS and DDoS Attacks 3 3. Types of DoS Attacks 4

More information

Modern Denial of Service Protection

Modern Denial of Service Protection Modern Denial of Service Protection What is a Denial of Service Attack? A Denial of Service (DoS) attack is generally defined as a network-based attack that disables one or more resources, such as a network

More information

FIREWALLS IN NETWORK SECURITY

FIREWALLS IN NETWORK SECURITY FIREWALLS IN NETWORK SECURITY A firewall in an information security program is similar to a building s firewall in that it prevents specific types of information from moving between the outside world,

More information

Network Security and DoS Attacks

Network Security and DoS Attacks Network Security and DoS Attacks 0. Document History Author: Sílvia Farraposo Laurent Gallon Philippe Owezarski Date Status Comments February 2005 Draft March 2005 1.0 April 2005 2.0 Page 1 1. Introduction

More information

Surviving DNS DDoS Attacks. Introducing self-protecting servers

Surviving DNS DDoS Attacks. Introducing self-protecting servers Introducing self-protecting servers Background The current DNS environment is subject to a variety of distributed denial of service (DDoS) attacks, including reflected floods, amplification attacks, TCP

More information