A Brief Discussion of Network Denial of Service Attacks
by Eben Schaeffer 0040014
SE 4C03 Winter 2004
Last Revised: Thursday, March 31



Introduction

There has been a recent dramatic increase in the number of transaction-based service websites (gambling sites, medical databases, auction sites, etc.) accessible on the internet. Accompanying this growth has been an equally notable increase in the complexity and frequency of malicious attacks attempting to violate these sites' integrity. The Denial of Service (DoS) attack is one type that experienced a significant increase in notoriety during the late 1990s and remains a reasonable source of anxiety for network security officials today. The ultimate goal of a DoS attack is to prevent the resources of its target from being available to those that were intended to use them. This can be done by infiltrating and taking control of the target, or more simply by overloading its abilities. A successful DoS attack can cause great financial loss to any company with a reasonable dependency on its website services.

We outline the details of one common attack method for clarity. The TCP protocol employs a commonly used handshake method of establishing connections. A node requesting connectivity sends a synchronize (SYN) request to the target to begin the handshake. The target is required to respond to this request by sending an acknowledgment (SYN/ACK) packet back. Ideally, the originating node sends another acknowledgment (ACK) back to the target to complete the handshake, and thus the connection. A TCP SYN attack involves one or more attacking nodes repeatedly sending SYN connection requests without completing the handshake. This fills the target's connection buffer with pending connections that will never be completed, and so prevents it from answering new requests that may be valid. Other methods use similar strategies to effectively disable one or more resources on the target computer that are needed for it to operate efficiently.
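To make the handshake and the filling of the connection buffer concrete, the following Python model of a listener's half-open connection table is added here as an illustration; it is not code from the paper, and the backlog size, timeout and addresses are assumptions rather than real kernel defaults.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed model of a TCP listener's half-open (SYN_RECEIVED) table; added
# illustration, not paper code. Backlog, timeout and addresses are assumptions.

@dataclass
class Listener:
    backlog: int                 # max pending (half-open) connections
    syn_timeout: float           # seconds before a half-open entry expires
    pending: OrderedDict = field(default_factory=OrderedDict)
    established: int = 0
    dropped: int = 0             # SYNs refused because the table was full

    def _expire(self, now: float) -> None:
        # Forget half-open entries whose final ACK never arrived in time
        for src, t0 in list(self.pending.items()):
            if now - t0 >= self.syn_timeout:
                del self.pending[src]

    def on_syn(self, src: tuple, now: float) -> bool:
        """Incoming SYN; returns True if the target answers with SYN/ACK."""
        self._expire(now)
        if src in self.pending:
            return True                  # retransmitted SYN, slot already held
        if len(self.pending) >= self.backlog:
            self.dropped += 1            # table full: the request is refused
            return False
        self.pending[src] = now          # SYN/ACK sent, waiting for the ACK
        return True

    def on_ack(self, src: tuple, now: float) -> bool:
        """Final ACK of the handshake; returns True if the connection completes."""
        self._expire(now)
        if src not in self.pending:
            return False
        del self.pending[src]
        self.established += 1
        return True

def simulate_syn_flood(backlog=8, syn_timeout=30.0, flood_syns=20):
    """Flooder sends SYNs it never completes; then a legitimate client connects."""
    lst = Listener(backlog, syn_timeout)
    for i in range(flood_syns):          # one SYN per second, never ACKed
        lst.on_syn(("198.51.100.7", 40000 + i), now=float(i))
    legit, t = ("203.0.113.5", 55000), float(flood_syns)
    got_synack = lst.on_syn(legit, now=t)            # table is still full
    completed = lst.on_ack(legit, now=t + 0.1)
    # Once stale entries time out the same client succeeds, which is why the
    # flood must be sustained to keep the target unavailable.
    t2 = t + syn_timeout
    retry_ok = lst.on_syn(legit, now=t2) and lst.on_ack(legit, now=t2 + 0.1)
    return {"synack_during_flood": got_synack, "completed_during_flood": completed,
            "dropped": lst.dropped, "completed_after_timeout": retry_ok,
            "established": lst.established}
```

With the default backlog of 8 the twenty uncompleted SYNs leave no slot for the legitimate client until the timeout clears them; raising the backlog above the flood size lets it through immediately.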
A Deeper Look: Classification of DoS Attacks

In [6], Gresty classifies these attacks into two categories, which he labels producer and consumer attacks. Consumer attacks are characterized by a target being caused to refuse to pass requests for data, or the data itself, from one point to another. Producer attacks involve the attacker creating resources in numbers too great for its target to handle effectively, thereby crippling its ability to handle other, legitimate resources. The former class of attacks has presented less of a concern to networks as large as the internet. Combating those is a simple matter of the sender detecting that the data is not passing through the affected node, and then plotting a different send route that doesn't use that node. Producer attacks are what have created a significant recent concern. The University of Minnesota, in the United States, received the first recorded Distributed Denial of Service (DDoS) attack in August of 1999 [11]. DDoS attacks are producer attacks in which there are multiple, indeed often numerous, sources from which the attack is made. More often than not, this involves the farming of what are referred to as zombie machines to use as participants in the attack. These zombie machines are other nodes on the network to which the target and original attacker belong. They are compromised with the installation of malicious software designed to use their resources to contribute to the attack. The past few years have given birth to versions of this malicious software simple enough for relatively unskilled and ignorant users to operate, allowing the mounting of large-scale DDoS attacks by anyone with a minimal amount of computer knowledge. According to [11], there were five of these attack tools known to exist in 2001. Douligeris and Mitrokotsa describe in [2] the operation of some of the tools (listing eleven) known to exist at its time of writing in 2003. It is not unreasonable to assume from these statistics that interest among would-be computer criminals in this type of attack software is as strong as ever. Outlined in [14] is a case of blackmail conducted by internet gangs of organized criminals threatening to release a DDoS attack on an online casino site unless a ransom was paid. The frequency of these types of crimes has increased recently, and could be expected to continue to do so in the future unless effective means of dealing with these attacks are found and implemented.

A means of further classification of DoS attacks is presented in [2]. Here, attacks are divided into categories depending on the system component that they target for exploitation. The five categories listed are (i) network device, (ii) operating system, (iii) application, (iv) data flooding, and (v) protocol feature attacks. The first three categories of attacks attempt to take advantage of some flaw or bug in the respective piece of hardware or software under which they are classified.
Data flooding techniques attempt to use all of the bandwidth available on the target by sending extremely large amounts of useless data using a protocol format within the expected specifications of the target. The last category, protocol feature attacks, is what the majority of DDoS attacks would be classified under. These types of attacks attempt to overload their target by exploiting some vulnerability in the standard protocols that are used on the internet. These vulnerabilities are surprisingly numerous, the cause of which lies in the inherent design philosophies the protocols were built upon. The vast majority of internet architecture was designed for relative simplicity and high functionality, not security. From a security standpoint, it is a far too trustful structure.

Detecting DoS Attacks

Detection of a DoS attack is not a simple task. The attack tools currently available are capable of dynamically varying nearly all of the distinguishing characteristics of attack packets, thereby eliminating the chances of generalizing attributes of those packets causing harm. Indeed, they are even able to mount attacks of varying types simultaneously from different sources. If this wasn't enough, the addresses of the attacking node or nodes can be faked or spoofed with relative ease, and this capability is encoded directly into most of the tools used for DoS attacks. This makes determining which addresses correspond to nodes participating in an attack an increasingly difficult task. Some promising areas of attack detection research include traffic anomaly detection, data mining of historical usage databases, and misuse detection, among others. The basic idea among many of these and other attack detection strategies is to analyze historical databases recording traffic information from regular network usage, as well as traffic from events resulting from a DoS attack. In their implementation, anomalies from regular use statistics will temporarily trigger more cautious routing strategies within the protected network. During this time, network traffic is heavily monitored to attempt to discover a common misuse profile, and then actions are taken to counter the potential effects of the attack.

Preventing DoS Attacks

It is a common thought among researchers that a more successful means of combating DoS attacks would include implementing a number of prevention techniques. These practices include, but are not limited to, strict packet filtering, disabling unused network services, IP address changing, and regular updating of software on servers. IP address changing forces a successful attacker to modify their attack whenever the targeted party changes its address. Regular updating of software will eliminate many of the bugs that attackers can exploit when mounting an attack. These two practices alone will not make a significant change in the threat of an attack: attackers can automate the updating of their participating nodes once the new IP address is published, and new software will always be released with new bugs to exploit.
Those prevention strategies that are thought to be able to create the greatest decrease in the threat of DoS attacks are the ones that ideally would be implemented globally. Disabling unused network services and packet filtering have a similar effect: they prevent packets that are unimportant to the regular operation of networks from being propagated through those networks. However, implementing these practices is significantly less effective if neighbouring networks do not. It has been proposed that, in order to create incentives for networking entities to implement these strategies, a stricter model of liability and a more restrictive pricing structure for bandwidth usage be introduced. Large internet entities would be far more interested in securing the use of their networks if they were in some part accountable for attacks launched and propagated through them.
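The detection approach described earlier (a baseline from historical regular-use traffic, an anomaly that temporarily triggers a cautious mode, and heavier monitoring during that mode to sketch a misuse profile) is illustrated by the following added Python example; it is not code from the paper or from any of the cited works, every traffic record is constructed, and the window size, z threshold and cautious-mode duration are assumptions.

```python
import statistics
from collections import Counter

# Added illustration of the baseline-then-anomaly scheme described above; not
# code from the paper. Every record is constructed, and the window size,
# z threshold and cautious-mode duration are assumptions.

# Historical windows of regular usage: (SYNs seen, handshakes completed).
HISTORICAL = [(120, 118), (131, 129), (115, 112), (140, 137), (125, 124), (118, 116)]

# Live windows: (SYNs, completed, source addresses of the SYNs never completed).
LIVE = [
    (128, 126, ["203.0.113.5", "203.0.113.9"]),
    (2100, 131, ["198.51.100.7"] * 1500 + ["198.51.100.8"] * 469),
    (2300, 129, ["198.51.100.7"] * 1700 + ["198.51.100.9"] * 471),
    (134, 132, ["203.0.113.5", "203.0.113.12"]),
    (122, 121, ["203.0.113.9"]),
]

def unfinished_fraction(syns, completed):
    """Share of SYNs that never became connections (0 for an idle window)."""
    return (syns - completed) / syns if syns else 0.0

def baseline(history):
    """Mean and standard deviation of SYN rate and unfinished fraction in regular use."""
    rates = [s for s, _ in history]
    fracs = [unfinished_fraction(s, c) for s, c in history]
    return (statistics.mean(rates), statistics.stdev(rates),
            statistics.mean(fracs), statistics.stdev(fracs))

def is_anomalous(syns, completed, base, z=3.0):
    """True when the SYN rate or the unfinished fraction is z deviations above normal."""
    mean_r, sd_r, mean_f, sd_f = base
    return (syns - mean_r > z * sd_r or
            unfinished_fraction(syns, completed) - mean_f > z * sd_f)

def monitor(live, history, cautious_windows=2):
    """Return (mode, misuse profile) per window; an anomaly starts a cautious period."""
    base = baseline(history)
    cautious, out = 0, []
    for syns, completed, sources in live:
        if is_anomalous(syns, completed, base):
            cautious = cautious_windows              # (re)enter cautious mode
        profile = None
        if cautious > 0:
            # Heavier monitoring while cautious: sketch a misuse profile. Flood
            # sources are often spoofed, so top_sources is a lead, not attribution.
            profile = {"unfinished": round(unfinished_fraction(syns, completed), 2),
                       "top_sources": Counter(sources).most_common(2)}
            cautious -= 1
        out.append(("cautious" if profile else "normal", profile))
    return out
```

Note that the cautious mode outlasts the anomalous windows by design, so the quiet window that follows the flood is still watched before the network returns to normal routing.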

Conclusion

Research on this subject reveals a significant need to address the problems that DoS attacks raise. A sufficiently large scale attack aimed at the correct system flaw can temporarily cripple the operations of one or more entire corporations. Without drastically changing the accountability structure or implemented protocols of today's internet, a complete solution to this problem may escape us. However, further work in this area will hopefully bring advances and solutions that will create a more secure and reliable venue for all internet residents.

References

[1] L. Chen, T. A. Longstaff, and K. M. Carley, Characterization of Defense Mechanisms Against Distributed Denial of Service Attacks, Computers & Security 23 (2004), pp. 665-678
[2] C. Douligeris and A. Mitrokotsa, DDoS Attacks and Defense Mechanisms: Classification and State of the Art, Computer Networks 44 (2004), pp. 643-666
[3] A. Garg and A. L. Narasimha Reddy, Mitigation of DoS Attacks Through QoS Regulation, Microprocessors and Microsystems 28 (2004), pp. 521-530
[4] D. Gavrilis and E. Dermatas, Real Time Detection of Distributed Denial of Service Attacks Using RBF Networks and Statistical Features, Computer Networks (in press) (2005), pp. xxx-xxx
[5] D. E. Gobuty, Defending Medical Information Systems Against Malicious Software, International Congress Series 1268 (2004), pp. 96-107
[6] D. W. Gresty, Q. Shi, and M. Merabti, Requirements for a General Framework for Response to Distributed Denial of Service, Computer Security Applications Conference (2001), pp. 422-429
[7] P. Hunter, Distributed Denial of Service Mitigation Tools, Network Security 5 (2003), pp. 12-14
[8] P. Hunter, Testing Security Products, Network Security 12 (2004), pp. 15-16
[9] A. Hussain, J. Heidemann, and C. Papadopoulos, Distinguishing Between Single and Multi-Source Attacks Using Signal Processing, Computer Networks 46 (2004), pp. 479-503
[10] L. J. Janczewski, D. Reamer, and J. Brendel, Handling Distributed Denial of Service Attacks, Information Security Technical Report, Vol. 6, No. 3 (2001), pp. 37-44
[11] M. A. Lejeune, Awareness of Distributed Denial of Service Attacks' Dangers: Role of Internet Pricing Mechanisms, Netnomics 4 (2002), pp. 145-162
[12] S. Lin and S. Tseng, Constructing Detection Knowledge for DDoS Intrusion Tolerance, Expert Systems with Applications 27 (2004), pp. 379-390
[13] M. Villano, DoS Threats Open New Security Solutions, CRN Jericho 1111 (2004), p. 41
[14] Online Betting Site Beats Blackmail DDoS, Network Security 5 (2004), p. 1