A Brief Discussion of Network Denial of Service Attacks
Eben Schaeffer, 0040014
SE 4C03, Winter 2004
Last Revised: Thursday, March 31
Introduction

There has been a recent dramatic increase in the number of transaction-based service websites (gambling sites, medical databases, auction sites, etc.) accessible on the internet. Accompanying this growth has been an equally notable increase in the complexity and frequency of malicious attacks attempting to violate these sites' integrity. The Denial of Service (DoS) attack is one type that gained significant notoriety during the late 1990s and remains a reasonable source of anxiety for network security officials today. The ultimate goal of a DoS attack is to prevent the resources of its target from being available to those that were intended to use them. This can be done by infiltrating and taking control of the target, or more simply by overloading its capacity. A successful DoS attack can cause great financial loss to any company with a reasonable dependency on its website services.

We outline the details of one common attack method for clarity. TCP establishes connections with a three-way handshake. A node requesting connectivity sends a synchronize (SYN) segment to the target to begin the handshake. The target responds by sending an acknowledgment (SYN/ACK) segment back and recording the connection as half-open. Ideally, the originating node sends a final acknowledgment (ACK) back to the target to complete the handshake, and thus the connection. A TCP SYN flood involves one or more attacking nodes repeatedly sending SYN requests, usually from spoofed source addresses, without ever completing the handshake. The target's queue of half-open connections (its backlog) fills with pending connections that will never be completed, so new, possibly legitimate, requests are dropped until the stale entries time out. Other methods use similar strategies to exhaust one or more resources that the target needs in order to operate.
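As an added illustration (not code from the original paper), the following Python simulation models the handshake and the backlog exhaustion described above. A listener keeps a bounded table of half-open connections; an attacker sends SYNs from fresh spoofed sources and never answers the SYN/ACK, while a few legitimate clients complete the handshake one tick later. The backlog size, the half-open timeout and the traffic rates are assumed values chosen to make the effect visible, not measurements of any real TCP stack.

```python
"""Simulation of the TCP three-way handshake and of a SYN flood filling the
listener's queue of half-open connections. Added example, not code from the
paper; backlog size, timeout and traffic rates are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Listener:
    """A listening socket with a bounded queue of half-open (SYN_RECEIVED) entries."""
    backlog: int                 # assumed maximum number of half-open connections
    syn_timeout: float           # assumed seconds before a half-open entry is reaped
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry
    established: int = 0
    dropped_syns: int = 0

    def on_syn(self, src, now):
        """Handshake steps 1 and 2: queue the half-open entry and answer SYN/ACK.
        Returns False when the backlog is full and the SYN is dropped instead."""
        self._reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now + self.syn_timeout
        return True

    def on_ack(self, src, now):
        """Handshake step 3: the client's ACK promotes the entry to ESTABLISHED."""
        if self.half_open.pop(src, None) is None:
            return False             # nothing outstanding for this source
        self.established += 1
        return True

    def _reap(self, now):
        """Entries whose SYN/ACK was never answered are dropped after the timeout."""
        for key in [k for k, expiry in self.half_open.items() if expiry <= now]:
            del self.half_open[key]


def simulate(backlog=128, syn_timeout=30.0, duration=60, attack_rate=50, legit_rate=5):
    """Drive the listener for `duration` one-second ticks. Each tick the attacker
    sends `attack_rate` SYNs, each from a fresh spoofed (never-repeating) source,
    and never completes the handshake; `legit_rate` clients send a SYN and ACK it
    on the next tick. Returns counters describing who got through."""
    srv = Listener(backlog=backlog, syn_timeout=syn_timeout)
    pending_acks = []                # (tick_due, src) for legitimate clients
    legit_attempts = 0
    spoof_counter = 0
    for t in range(duration):
        for _ in range(attack_rate):
            spoof_counter += 1       # spoofed source: the SYN/ACK reaches nobody
            srv.on_syn(("spoofed", spoof_counter), float(t))
        for i in range(legit_rate):
            legit_attempts += 1
            src = ("192.0.2.10", 40000 + t * legit_rate + i)
            if srv.on_syn(src, float(t)):
                pending_acks.append((t + 1, src))
        for p in [p for p in pending_acks if p[0] <= t]:
            srv.on_ack(p[1], float(t))
            pending_acks.remove(p)
    return {
        "legit_attempts": legit_attempts,
        "established": srv.established,
        "dropped_syns": srv.dropped_syns,
        "half_open_at_end": len(srv.half_open),
    }


if __name__ == "__main__":
    print("no attack :", simulate(attack_rate=0))
    print("SYN flood :", simulate())
```

With the assumed parameters, the quiet run completes every handshake whose ACK falls inside the window, while under the flood only the clients that arrived during the first two ticks get in: after that the backlog holds nothing but attacker entries, and each entry the timeout reaps is immediately replaced by a new spoofed SYN. The model deliberately omits SYN/ACK retransmission and the SYN-cookie style defences real stacks use to survive this attack, so it shows the protocol weakness rather than any particular implementation.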
A Deeper Look: Classification of DoS Attacks

In [6], Gresty classifies these attacks into two categories which he labels producer and consumer attacks. Consumer attacks are characterized by a target being caused to refuse to pass requests for data, or the data itself, from one point to another. Producer attacks involve the attacker creating requests in numbers too large for its target to handle effectively, thereby crippling its ability to serve legitimate requests. The former class of attacks has presented less of a concern to networks as large as the internet: combating them is a matter of the sender detecting that the data is not passing through the affected node and choosing a different route that avoids it. Producer attacks are what have created a significant recent concern.

The University of Minnesota in the United States received the first recorded Distributed Denial of Service (DDoS) attack in August of 1999 [11]. DDoS attacks are producer attacks in which there are multiple, often numerous, sources from which the attack is made. More often than not, this involves the recruitment of what are referred to as zombie machines to use as participants in the attack. These zombie machines are other nodes on the network to which the target and original attacker belong. They are compromised with the installation of malicious software designed to use their resources to contribute to the attack. The past few years have given birth to versions of this malicious software simple enough for relatively unskilled users to operate, allowing large-scale DDoS attacks to be mounted by anyone with a minimal amount of computer knowledge. According to [11], there were five of these attack tools known to exist in 2001. Douligeris and Mitrokatsa describe in [2] the operation of some of the tools (listing eleven) known to exist at its time of writing in 2003. It is not unreasonable to infer from these figures that interest among would-be computer criminals in this type of attack software is as strong as ever. Outlined in [14] is a case of blackmail conducted by internet gangs of organized criminals threatening to release a DDoS attack on an online casino site unless a ransom was paid. The frequency of these types of crimes has increased recently and could be expected to continue to do so unless effective means of dealing with these attacks are found and implemented.

A further classification of DoS attacks is presented in [2]. Here, attacks are divided into categories depending on the system component that they target for exploitation. The five categories listed are (i) network device, (ii) operating system, (iii) application, (iv) data flooding, and (v) protocol feature attacks. The first three categories attempt to take advantage of some flaw or bug in the respective piece of hardware or software under which they are classified.
Data flooding techniques attempt to use all of the bandwidth available to the target by sending extremely large amounts of useless data in a protocol format within the expected specifications of the target. The last category, protocol feature attacks, is the one under which the majority of DDoS attacks would be classified. These attacks attempt to overload their target by exploiting some weakness in the standard protocols used on the internet. Such weaknesses are surprisingly numerous, and their cause lies in the design philosophy the protocols were built upon. The vast majority of internet architecture was designed for relative simplicity and high functionality, not security. From a security standpoint, it is a far too trusting structure.

Detecting DoS Attacks

Detection of a DoS attack is not a simple task. The attack tools currently available are capable of dynamically varying nearly all of the distinguishing characteristics of attack packets, which defeats attempts to generalize the attributes of the packets causing harm. Indeed, they are even able to mount attacks of varying types simultaneously from different sources. If this wasn't enough, the addresses of the attacking node or nodes can be faked or spoofed with relative ease, and this capability is built directly into most of the tools used for DoS attacks. This makes determining which addresses correspond to nodes participating in an attack an increasingly difficult task. Some promising areas of attack detection research include traffic anomaly detection, data mining of historical usage databases, and misuse detection, among others. The basic idea among many of these and other detection strategies is to analyze historical databases recording traffic information from regular network usage, as well as traffic from events resulting from a DoS attack. In their implementation, anomalies relative to regular-use statistics temporarily trigger more cautious routing strategies within the protected network. During this time, network traffic is heavily monitored in an attempt to discover a common misuse profile, and actions are then taken to counter the potential effects of the attack.

Preventing DoS Attacks

It is a common view among researchers that a more successful means of combating DoS attacks would include implementing a number of prevention techniques. These practices include, but are not limited to, strict packet filtering, disabling unused network services, IP address changing, and regular updating of software on servers. IP address changing forces a successful attacker to modify their attack whenever the targeted party changes its address. Regular updating of software eliminates many of the bugs that attackers can exploit when mounting an attack. These two practices alone will not make a significant change in the threat of an attack: attackers can automate the updating of their participating nodes once the new IP address is published, and new software will always be released with new bugs to exploit.
The prevention strategies thought to be able to create the greatest decrease in the threat of DoS attacks are the ones that ideally would be implemented globally. Disabling unused network services and packet filtering have a similar effect: they prevent packets that are unimportant to the regular operation of networks from being propagated through those networks. However, implementing these practices is significantly less effective if neighbouring networks do not, since spoofed or otherwise unwanted traffic that a neighbour lets through still has to be handled by the networks downstream of it. It has been proposed that, in order to create incentives for networking entities to implement these strategies, a stricter model of liability and a more restrictive pricing structure for bandwidth usage be introduced. Large internet entities would be far more interested in securing the use of their networks if they were in some part accountable for attacks launched and propagated through them.
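The detection and prevention sections above describe one pipeline: a baseline built from historical traffic statistics flags an anomalous window, the network switches to a more cautious mode, and filtering then drops what the attack relies on. The following Python example (added here; it is not code from the paper or from any of the cited tools) runs that pipeline over constructed traffic. The historical counts, the address blocks assigned to each ingress interface, the list of served ports and the per-source SYN budget are all assumptions for illustration; the constructed packet records use flag "S" for a client SYN and "A" for the client's handshake-completing ACK.

```python
"""Detect-then-filter pipeline: baseline anomaly detection switches filtering
into a cautious mode. Added example, not code from the paper; all traffic,
prefixes, ports and thresholds below are constructed/assumed."""

from collections import Counter
import ipaddress
import statistics

# Constructed history: client SYNs per window recorded on ordinary days.
HISTORY_SYNS_PER_WINDOW = [40, 55, 48, 60, 52, 45, 58, 50, 47, 53]

# Assumed: address blocks that may legitimately arrive through each ingress interface.
INGRESS_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}
SERVED_PORTS = {80, 443}      # assumed: every other service on the target is disabled
SYN_BUDGET_PER_SRC = 5        # assumed per-source SYN allowance while in cautious mode


def syn_threshold(history, k=3.0):
    """Baseline from historical usage: mean plus k standard deviations."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def window_is_anomalous(packets, threshold, min_completion=0.5):
    """Two signals: SYN volume above the baseline, or too few handshakes
    completing (flood SYNs are never followed by the client's ACK)."""
    syns = sum(1 for p in packets if p["flags"] == "S")
    acks = sum(1 for p in packets if p["flags"] == "A")
    if syns > threshold:
        return True
    return syns >= 20 and acks / syns < min_completion


def forward(pkt, cautious, syn_seen):
    """Filtering decision for one packet: (True, None) to forward, (False, reason)
    to drop. Ingress address validation and the port policy always apply; in
    cautious mode a per-source SYN budget is enforced as well."""
    src = ipaddress.ip_address(pkt["src"])
    if not any(src in net for net in INGRESS_PREFIXES.get(pkt["iface"], [])):
        return False, "spoofed source for ingress"
    if pkt["dport"] not in SERVED_PORTS:
        return False, "service not offered"
    if cautious and pkt["flags"] == "S":
        syn_seen[pkt["src"]] += 1
        if syn_seen[pkt["src"]] > SYN_BUDGET_PER_SRC:
            return False, "per-source SYN budget exceeded"
    return True, None


def run_pipeline(windows, history=HISTORY_SYNS_PER_WINDOW):
    """Detection runs on each raw window; the resulting mode governs how that
    window is filtered. Returns one summary dict per window."""
    threshold = syn_threshold(history)
    report = []
    for packets in windows:
        cautious = window_is_anomalous(packets, threshold)
        syn_seen, drops, forwarded = Counter(), Counter(), 0
        for pkt in packets:
            ok, reason = forward(pkt, cautious, syn_seen)
            if ok:
                forwarded += 1
            else:
                drops[reason] += 1
        report.append({"cautious": cautious, "forwarded": forwarded, "drops": dict(drops)})
    return report


def make_windows():
    """Constructed traffic: window 0 is ordinary; window 1 adds a flood of spoofed
    SYNs, one in-prefix source hammering SYNs, and probes for a disabled service."""
    quiet = []
    for i in range(50):
        src = f"192.0.2.{10 + i % 20}"
        quiet.append({"iface": "cust-a", "src": src, "dport": 443, "flags": "S"})
        quiet.append({"iface": "cust-a", "src": src, "dport": 443, "flags": "A"})
    flood = list(quiet)
    for i in range(300):          # spoofed: 10.9.x.x cannot legitimately enter via cust-b
        flood.append({"iface": "cust-b", "src": f"10.9.{i // 256}.{i % 256}", "dport": 80, "flags": "S"})
    for _ in range(40):           # real cust-b address, but far above the SYN budget
        flood.append({"iface": "cust-b", "src": "198.51.100.77", "dport": 80, "flags": "S"})
    for _ in range(10):           # telnet is not offered, so these never reach the host
        flood.append({"iface": "cust-b", "src": "198.51.100.5", "dport": 23, "flags": "S"})
    return [quiet, flood]


if __name__ == "__main__":
    for i, summary in enumerate(run_pipeline(make_windows())):
        print(f"window {i}: {summary}")
```

The quiet window passes untouched, while the flood window trips the baseline, and the three drop reasons show which prevention practice caught which part of the attack. The ingress check is the one with the global deployment problem discussed above: it can only reject spoofed sources at the network where they enter, so a neighbour that does not apply it on its own interfaces hands the spoofed traffic on to everyone downstream.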
Conclusion

Research on this subject reveals a significant need to address the problems that DoS attacks raise. A sufficiently large-scale attack aimed at the right system flaw can temporarily cripple the operations of one or more entire corporations. Without drastically changing the accountability structure or the protocols implemented on today's internet, a complete solution to this problem may escape us. However, further work in this area will hopefully bring advances and solutions that create a more secure and reliable venue for all internet residents.
References

[1] L. Chen, T. A. Longstaff, and K. M. Carley, Characterization of Defense Mechanisms Against Distributed Denial of Service Attacks, Computers & Security 23 (2004), pp. 665–678
[2] C. Douligeris and A. Mitrokatsa, DDoS Attacks and Defense Mechanisms: Classification and State of the Art, Computer Networks 44 (2004), pp. 643–666
[3] A. Garg and A. L. Narasimha Reddy, Mitigation of DoS Attacks Through QoS Regulation, Microprocessors and Microsystems 28 (2004), pp. 521–530
[4] D. Gavrilis and E. Dermatas, Real-time Detection of Distributed Denial of Service Attacks Using RBF Networks and Statistical Features, Computer Networks (in press, 2005), pp. xxx–xxx
[5] D. E. Gobuty, Defending Medical Information Systems Against Malicious Software, International Congress Series 1268 (2004), pp. 96–107
[6] D. W. Gresty, Q. Shi, and M. Merabti, Requirements for a General Framework for Response to Distributed Denial of Service, Computer Security Applications Conference (2001), pp. 422–429
[7] P. Hunter, Distributed Denial of Service Mitigation Tools, Network Security 5 (2003), pp. 12–14
[8] P. Hunter, Testing Security Products, Network Security 12 (2004), pp. 15–16
[9] A. Hussain, J. Heidemann, and C. Papadopoulos, Distinguishing Between Single and Multi-Source Attacks Using Signal Processing, Computer Networks 46 (2004), pp. 479–503
[10] L. J. Janczewski, D. Reamer, and J. Brendel, Handling Distributed Denial of Service Attacks, Information Security Technical Report, Vol. 6 No. 3 (2001), pp. 37–44
[11] M. A. Lejeune, Awareness of Distributed Denial of Service Attacks' Dangers: Role of Internet Pricing Mechanisms, Netnomics 4 (2002), pp. 145–162
[12] S. Lin and S. Tseng, Constructing Detection Knowledge for DDoS Intrusion Tolerance, Expert Systems with Applications 27 (2004), pp. 379–390
[13] M. Villano, DoS Threats Open New Security Solutions, CRN Jericho 1111 (2004), p. 41
[14] Online Betting Site Beats Blackmail DDoS, Network Security 5 (2004), p. 1