DoS: Attack and Defense

Similar documents
DDoS Protection Technology White Paper

VALIDATING DDoS THREAT PROTECTION

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

TLP WHITE. Denial of service attacks: what you need to know

Background (

Complete Protection against Evolving DDoS Threats

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

TDC s perspective on DDoS threats

Acquia Cloud Edge Protect Powered by CloudFlare

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A Layperson s Guide To DoS Attacks

SeVen: A Selective Defense for Low-Rate Application Layer DDoS Attacks. Vivek Nigam Networking Laboratory Federal University of Paraíba - UFPB

CloudFlare advanced DDoS protection

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

SECURING APACHE : DOS & DDOS ATTACKS - I

How To Block A Ddos Attack On A Network With A Firewall

Survey on DDoS Attack Detection and Prevention in Cloud

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

Countering SYN Flood Denial-of-Service (DoS) Attacks. Ross Oliver Tech Mavens

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module

DDoS Overview and Incident Response Guide. July 2014

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

How To Protect A Dns Authority Server From A Flood Attack

DC++ and DDoS Attacks

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

Survey on DDoS Attack in Cloud Environment

A Study of Network Security Systems

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

SolarWinds Certified Professional. Exam Preparation Guide

Cisco IPS Tuning Overview

ADC Survey GLOBAL FINDINGS

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Firewalls and Intrusion Detection

Global DDoS Prevention Market

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

NSFOCUS Web Application Firewall White Paper

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Distributed Denial of Service (DDoS)

Overview. Firewall Security. Perimeter Security Devices. Routers

How To Stop A Ddos Attack On A Website From Being Successful

PACKET SIMULATION OF DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK AND RECOVERY

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Denial of Service Attacks, What They are and How to Combat Them

Security vulnerabilities in the Internet and possible solutions

DDoS Protection on the Security Gateway

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

CS 356 Lecture 16 Denial of Service. Spring 2013

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

Firewalls. Ahmad Almulhem March 10, 2012

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

DDoS Vulnerability Analysis of Bittorrent Protocol

2013 MONITORAPP Co., Ltd.

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Analysis of a DDoS Attack

CS5008: Internet Computing

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

SECURING APACHE : DOS & DDOS ATTACKS - II

Where every interaction matters.

SECURITY FLAWS IN INTERNET VOTING SYSTEM

Check Point DDoS Protector

Web Application Defence. Architecture Paper

Implementation of Botcatch for Identifying Bot Infected Hosts

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Content Distribution Networks (CDN)

Defense In Depth To Fight Against The Most Persistent DDoS

Denial of Service Attacks

A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Real-Time Analysis of CDN in an Academic Institute: A Simulation Study

First Line of Defense to Protect Critical Infrastructure

DDoS Attacks & Mitigation

Analysis of Slow Read DoS Attack and Countermeasures

Application Security Backgrounder

A Novel Packet Marketing Method in DDoS Attack Detection

Quality Certificate for Kaspersky DDoS Prevention Software

LOAD BALANCING AS A STRATEGY LEARNING TASK

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram.

First Line of Defense

BlackRidge Technology Transport Access Control: Overview

Linux MDS Firewall Supplement

Secure Software Programming and Vulnerability Analysis

Transcription:

DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1

Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches 1.5. Our approach 1.6. Statement of the problem 1.7. Area of investigation 2. Theoretical Bases and Literature Review 5 2.1. Definition of the problem 2.2. Theoretical background of the problem 2.3. Related research to solve the problem 2.4. Advantage/disadvantage of those research 2.5. Our solution to solve this problem 2.6. Where our solution different from others 2.7. Why our solution is better 3. Goals 7 4. Methodology 7 4.1. Basic Architecture 4.2. How to generate/collect input data 4.3. How to solve the problem 4.4. Algorithm design: 4.5. Tools and Language used 4.6. How to generate output 4.7. How to test against hypothesis 5. Implementation 9 5.1. Code 5.2. Flowchart 6. Data analysis and discussion 10 6.1. Output generation 6.2. Output analysis 6.3. Compare output against hypothesis 2

6.4. Abnormal case explanation 6.5. Discussion 7. Conclusions and recommendations 12 7.1. Summary and conclusions 7.2. Recommendations for future studies 8. Bibliography 12 9. Appendix 13 3

Introduction Objective To simulate denial of service attacks against an Internet web server; then to successfully defend against those attacks. Problem Denial of service is an ongoing problem on the Internet today. From discontented Internet users to governments and corporations, DoS is becoming a popular way for groups of people to suppress each other. Successful DoS can result in effective censorship or major loss of revenue for those who depend on web presence for business. In addition, new methods of DoS have been developed in recent years, and an average of 27.9 attacks have been occurring every hour this problem is not going away; it is escalating. Relation to the class Denial of service is a problem that occurs over networks. A successful DoS can disrupt the usability of computer networks. By sending data in special patterns over the network, or by simply flooding packets, it is often possible for attackers to take down remote services. On the other hand, by configuring a network well, it may be possible to mitigate DoS attacks. Other approaches Other approaches to mitigating denial of service attacks often involve connection rate limiting at the server. The server is still vulnerable to other attacks, such as bandwidth flooding, since its IP address is known. Our approach Our approach is to set up shield servers essentially proxies that forward connection requests to the actual server. The connection filtering is to be done at the shields themselves, not at the server. This makes the whole defense more scalable. If a shield gets taken down, the server is still alive, since attackers cannot access the actual server directly. This method is better since the server gets an extra layer of defense it is protected by shields, instead of being directly exposed to the world. Statement of the problem To mitigate DOS attack by adding an extra layer of protection (using shield nodes), so that the attack can be detected and mitigated even before the attack reaches the origin server. 4

Area of investigation Although a number of methods already exist for DoS detection and mitigation, DoS attacks still frequently occur. Our area of investigation is the configuration of a network that is resilient to DoS attacks. We will be implementing another layer of security in addition to the existing firewall setup. Theoretical Bases and Literature Review Definition of the problem Transport networks are the core elements of today s communications systems. Network operators are able to interconnect a large number of users at the same time because of their capability to transmit data extremely quickly and securely. However, the increasing number of attacks against such networks raises the challenge to deploy effective safeguards to guarantee their availability. Theoretical background of the problem Denial of Service (DoS) attacks have become a major threat for communication networks during the past few years. With the rapid growth in the internet, users are opting for online trading, shopping and other critical online activities.these resources have to be protected from various types of attacks. The main purpose of the DOS attack is usually to degrade or even disrupt the normal operation of the attacked network, its constituting components, or provided services. At present, the vast majority of DoS attacks is directed against individual network components and the services they are offering. Their targets predominantly comprise network components that provide end user services, such as Web servers or other kinds of service access points. As the types and number of users of the internet increases, the requirement of an effective system to detect these attacks also increases. Our project deals with focusing on transport resources aiming to prevent users from setting up transport connections. With respect to the aspects being relevant for Denial of Service attacks against transport resources and potential attack schemes and scenarios, we present methods for the detection of such attacks and subsequent blocking of those attacks, which contribute to a comprehensive detection framework for auditing the transport network for potential attacks. Related research to solve the problem With the size of the internet increasing everyday, Denial of Service attacks have also been increasing at a high rate. Related research projects in this field provides a theoretical and statistical base which provides ample scope of detecting an attack. With the statistical data 5

analysis recorded over a period of time a signature set of rules is set for the detection of an attack. Advantage/disadvantage of those research With the statistical data observed for a traffic pattern over a substantial amount of time we can recognize significant deviations which will subsequently indicate an attack. The attack is identified and appropriate steps are taken to safeguard the available resources. However, the detection happens in an origin server where the critical data is present. Also, the detection of an attack only happens once the server has already been partly compromised. Hence, most attacks are often detected once the attack has already taken place. Our solution to solve this problem Attacker has no access to the origin server. Data is cached on nodal servers. Implementation of shield nodes. Setting up of firewalls for rate limiting and bandwidth based attacks on the nodes and not in the destination servers. Where our solution different from others We provide the detection mechanism even before the traffic reaches the destination server. As the attack is detected before the attacker could reach the destination server, the attack can be blocked/mitigated and we will be able to guarantee availability on the destination server. Why our solution is better In our implementation, the attacker gets no access to the origin server. The attacker accesses the shield nodes who in turn fetch and cache the required data from the origin server. The origin server connects only to the shield nodes, not the whole internet. Also, each of the virtual servers are rate limited and firewalled for any abnormal traffic. 6

Goals Our goal is to simulate a Denial of Service attack and to completely secure availability of the destination server by using shield nodes which will detect and mitigate connection and bandwidth based DoS attacks. Methodology Basic Architecture How to generate/collect input data A Denial of Service attack is mainly based on sending the victim an overwhelming amount of traffic that it is not able to handle. Some of the methods include Internet Control Message Protocol (ICMP) flood, TCP SYN flood, resource utilization attacks, etc. We will receive the traffic from these end users and detect if these connections are legitimate at the shield nodes, even before the traffic reaches the main destination server. How to solve the problem We will use shield nodes as proxies to our main server. The shield nodes will have a custom HTTP proxy implementation. This custom HTTP proxy will normally accept client requests and 7

forward them to the server. However, it will also reject requests it thinks are part of a DoS attack. We plan to implement the shield nodes in front of the destination server which will detect and block the traffic even before it reaches the server. These shield servers adds a layer of security protection while still ensuring that content is delivered to the end user. Key benefits of the Shield node include: Enhance destination server security and mitigate risk by protecting the application origin. Ensure that traffic passes through the nodes, where attacks can be detected and mitigated Algorithm design: The shield nodes will have an algorithm for determining whether to accept or reject connections; here is one example of such an algorithm: 8

Tools and Language used We used Mininet to emulate a network containing our virtual hosts. We configured Mininet using Python; the software running on the shield nodes and attacker nodes will be implemented in C. The web server running on the origin server is Apache 2. How to generate output We will simulate a Denial of Service attack from the client end. Initially, without the implementation of our framework the attacker will be able to completely take down the destination server. Now, when we introduce our defense mechanism and re introduce the attack, the shield nodes will successfully be able to detect and block traffic which are not legitimate while still serving legitimate traffic simultaneously. How to test against hypothesis As we mentioned earlier, our goal is to simulate a Denial of Service attack and to completely secure availability of the destination server. The server should be able to successfully serve legitimate client traffic while simultaneously detecting and blocking non legitimate traffic coming from an attacker. Hence we would need to execute a DoS attack and at the same time send legitimate requests to the server and check for successful response. Implementation Code: This project consists of two pieces of code: a simple connection flooder, and a shield node implementation. Both are written in C. The connection flooder simply opens many connections to the targeted server; it does not do anything with those connections besides wait for them to close or reset. It is implemented using connect() calls on non blocking sockets; it uses poll() to receive notifications when a connection is acknowledge, closed, or reset by the remote host. The shield node is a defense against attackers trying to use up connections. Fundamentally, the shield node is implemented using single threaded multitasking, with non blocking sockets and poll() to determine readiness. The shield node implements the following in an attempt to maintain availability: 1. culling of the connection with longest inactivity period when it runs out of available task slots 2. rejecting new connections from IP addresses that have reached their connection limit 9

3. buffering requests, and opening a server connection only when a complete request is received 4. caching responses Points (1) and (2) are intended primarily to maintain availability of the shield node itself. Points (3) and (4) are intended to reduce load on the main server, thus maintaining its availability. Flow chart: A flow chart of the shield node s task logic is shown below; some logic is omitted for simplicity. Data analysis and discussion Output generation: First, we flood the destination server with connections from the attacker node until the server is unable to handle any other incoming traffic. Next, we try to access the destination server web page from the client server to verify that the destination server is unable to respond to any incoming requests. Then, we activate our shield nodes that we have placed in front of our origin server. We redirect the attack to the shield nodes, since the server is to be accessed only via shield nodes. Then, we try to access a page on the server again, but through a shield node this time. Output analysis: 10

When the server is not being attacked, the client is able to access the server normally. Without the shield nodes, when the attacker directly attacks the origin server, the client is no longer able to receive a response from the server. When the shield nodes are active, attacks on the shield nodes do not impact the client s ability to access the shield node. Compare output against hypothesis: The webpage was available during the shielded attack, but not available during the unshielded attack. This indicates that our shield node was successfully mitigating the attack. For the attack scenario presented, this data is in agreement with our hypothesis. Abnormal case explanation: Even though we could successfully defend DOS attacks from a particular attack source our defense does not work as well against botnets which come from multiple IP addresses. For example, one hypothetically possible attack vector when the attacker has a large number of IP addresses is to send connections at an overall rate high enough to cause legitimate connections to be culled before they are able to receive data. Our next goal is to implement defense against distributed denial of service attacks using our shield nodes in a more scalable form. In addition, we do not defend against bandwidth attacks. Thus, one attacker can try to bring down all the shield nodes by flooding them with bandwidth. However, we find this case unlikely if there is only a single attacker, as the attacker would need a huge amount of upload bandwidth to saturate the bandwidth of all the shield nodes all at once. Discussion: This project was limited in scope. The shield nodes are intended to be discovered through DNS, preferably with a DNS load balancer. This was not implemented, as it was outside our scope of investigation. The shield node as implemented is intended mainly for use with static HTTP webpages; with dynamic web pages, the caching behavior will cause wrong or outdated pages to be returned. However, this was more intended to be a proof of concept of DoS mitigation, than a perfect HTTP reverse proxy. The DoS attack implemented is a simple connection flood. This is a fairly primitive attack; we did not implement more sophisticated attacks, like slowloris or slow read. However, we expect that the shield node implementation should also provide protection against these attacks, although of course we were not able to actually test this. 11

Conclusions and Recommendations Summary and conclusions: The goal of this project was to attempt to: Enhance site security and mitigate risk by cloaking the application origin Ensure that web traffic passes through the shield nodes, where attacks can be detected and mitigated. We attempted to do this by simulating the network topology using mininet. Generated huge amount traffic towards the destination server and successfully detected and mitigated the attack using our shield nodes. Our simulation results indicate that with the help of the shield nodes the attack could be mitigated one layer before the destination server. We concluded this by trying to access the server with legitimate requests even when the attack was in place. The server responded without any issues. Recommendations for future studies: We would like to explore more on our existing system to successfully mitigate botnets distributed denial of service attack as well. By using an arbitrary number of shield nodes and using DNS load balancers we believe that we can achieve this. Bibliography 1. Durcekova, V.; Schwartz, L.; Shahmehri, N., "Sophisticated Denial of Service attacks aimed at application layer," ELEKTRO, 2012, pp.55,60, 21 22 May 2012 2. Cambiaso, E.; Gianluca P.; Maurizio, A., Taxonomy of Slow DoS Attacks to Web Applications, Communications in Computer and Information Science Volume 335, pp 195 204, 2012 3. Hofmann, Stefan; Louizi, Mohamed; Stoll, Dieter, "A Novel Approach to Identify Denial of Service Attacks against Transport Network Resources," Photonic Networks, 2008 ITG Symposium on, vol., no., pp.1,8, 28 29 April 2008 4. Shea, R.; Jiangchuan Liu, "Performance of Virtual Machines Under Networked Denial of Service Attacks: Experiments and Analysis," Systems Journal, IEEE, vol.7, no.2, pp.335,345, June 2013 5. Bao, X.; Hong, H.; NSFOCUS DDoS Threat Report 2013, 2013 12

Appendix Submitted source code list: dos topo.py: the mininet topology used connflood.c: a simple connection flooder shield/: directory containing the shield node implementation in C README: compilation and usage information 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information