Denial Of Service Attack Dos Attack Information Technology Essay

Published: November 30, 2015 Words: 1648

According to Sun Tzu in his book The Art of War: "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

The requirements of information security have undergone two major changes within governments and organizations in recent years. Before the emergence of data-processing equipment, the security of information was (and still is) a high priority for an organization, and it was provided essentially by physical and administrative means. With the emergence of the digital computer, automated tools for protecting information stored on the computer became essential. This is especially the case for a shared system, and even more so for systems that can be accessed over a public network. The collection of tools designed to protect data and to withstand hackers is called computer security. That was the first change.

The second change is the emergence of distributed systems and the widespread use of networks for transferring data between a user and a computer and between one computer and another.

"Network security measures are needed to protect data during their transmission. In fact, the term network security is somewhat misleading, because virtually all business, government, and academic organizations interconnect their data processing equipment with a collection of interconnected networks. Such a collection is often referred to as an internet, and the term internet security is used." [1]

There are no clear boundaries between the two forms of security, because a threat can arrive over the Internet or be loaded manually onto the computer from a disk.

Computer security problems have grown along with the computer industry. For nearly the first two decades after digital computers surfaced, security problems were not really noticed. Early computers were used to process sensitive information, but the size of the machines and the type of their applications allowed any security problems to be handled outside the computer.

"If the entire system was dedicated to a single user, protection consisted of the user simply picking up his tapes and cards and clearing CPU memory when the job was finished." [2]

If someone had information on a computer and wanted to keep it secret, he simply locked the computer in a room. Basically, the user had complete control over his information and processing steps, including his data and programs. The computer itself was not really part of the security.

In the 1960s, people began demanding better utilization of computer services, and the security surrounding computer systems began to change. The answer to the demand for more efficiency was resource-sharing operating systems, multiprogramming, and much more. One could build a time-sharing computer system to serve many people at the same time. People suddenly found not only a loss of control over the processing environment but a loss of control over their information and programs as well.

As you can see, computer security became a major requirement in modern organizations, which at the same time made it a target. The people who target it are called hackers, and their weapon of choice is the cyber-attack, which brings us to our subject.

In this paper I will focus on one of the most damaging types of cyber-attack: the denial-of-service attack (DoS attack).

Denial-of-service attacks have been launched against Internet sites for years. They can cut an organization off from the Internet, and because there is no solution for protecting a site from, or recovering from, a denial of service, they are considered a significant threat.

"DoS attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization. Some DoS attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks."[3]

The traditional intent and impact of DoS attacks is to prevent or slow down the legitimate use of computer or network resources. Regardless of the effort and resources spent securing against intrusion, Internet-connected systems face a constant threat from DoS attacks because of two fundamental characteristics of the Internet. First, the Internet is composed of limited and consumable resources. Second, Internet security is interdependent.

"The traditional intent and impact of DoS attacks is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet connected systems face a consistent and real threat from DoS attacks because of two fundamental characteristics of the Internet." [4]

DoS ORIGINS AND MODELING

"Denial of service is accomplished technologically: the primary goal of an attack is to deny the victim(s) access to a particular resource. It is an explicit attempt by attackers to prevent legitimate users of a computer-related service from using that service. But, as any information and network security issue, combating denial of service is primarily an exercise in risk management." [5]

In this section, I will describe how an attacker can take advantage of TCP's timeout mechanism to perform a DoS attack. Next, I will present a scenario and a system model of such an attack. Finally, I will introduce a simple model for aggregate TCP throughput as a function of the DoS traffic parameters.

Origin

The timeout mechanism, while important for robust network congestion control, provides an opportunity for low-rate DoS attacks that take advantage of the slow-time-scale dynamics of retransmission timers. In particular, an attacker can cause a TCP flow to repeatedly enter a retransmission timeout state by sending high-rate but short-duration bursts of RTT-scale length, repeated periodically at the slower RTO time-scale.

The victim is driven to near-zero throughput while the attacker maintains a low average rate, making the attack difficult for counter-DoS mechanisms to detect. The short durations of the attacker's loss-inducing bursts are referred to as outages, and a simple but illustrative model relates the outage time-scale (and hence the attacker's average rate) to the victim's throughput as follows. First, consider a single TCP flow and a single DoS stream. Suppose that an attacker creates an initial outage at time 0 via a short-duration, high-rate burst. The TCP sender will wait for a retransmission timer of 1 sec to expire and will then double its RTO. If the attacker starts a second outage between time 1 and 1 + 2 RTT, it will force TCP to wait another 2 sec. By creating similar outages at times 3, 7, 15, ..., an attacker could exploit Karn's algorithm and deny service to the TCP flow while transmitting at an extremely low average rate. While potentially effective against a single flow, a DoS attack on TCP aggregates in which flows continually arrive and depart requires periodic (rather than exponentially spaced) outages at the minRTO time-scale. Moreover, if all flows have an identical minRTO parameter, the TCP flows can be forced into continual timeouts if an attacker creates periodic outages.

Thus, we consider square-wave shrew attacks in which the attacker transmits bursts of duration l and rate R in a deterministic on-off pattern with period T. As explored below, a successful shrew attack will have a rate R large enough to induce loss (i.e., R aggregated with existing traffic must exceed the link capacity), a duration l on the scale of the RTT (long enough to induce timeout but short enough to avoid detection), and a period T on the scale of the RTO (chosen so that when flows attempt to exit timeout, they are faced with another loss).

Model

Consider the following attack scenario. It consists of a single bottleneck queue driven by n long-lived TCP flows with heterogeneous RTTs and a single DoS flow. Denote by RTTi the round-trip time of the i-th TCP flow, i = 1, ..., n. The DoS flow is a periodic square-wave DoS stream. The following result relates the throughput of the TCP flows to the period of the attack, and is obtained as follows. The periodic l-length bursts create short l'-length outages with high packet loss. If l' reaches the TCP flows' RTT time-scales, i.e., l' ≥ RTTi for all i = 1, ..., n, then the congestion caused by the DoS burst lasts long enough to force all TCP flows to enter timeout simultaneously. Moreover, if minRTO ≥ SRTTi + 4 RTTVARi for i = 1, ..., n, all TCP flows will have the same value of RTO and will thus time out after minRTO seconds, which is the ideal moment for an attacker to create a new outage. Thus, in this case, despite their heterogeneous round-trip times, all TCP flows are forced to synchronize to the attacker: they enter timeout at nearly the same time and attempt to recover at nearly the same time. When exposed to outages with period T, the normalized throughput of a TCP flow under a T-periodic attack can therefore be expressed as a function of T; it is the ratio of the bandwidth achievable by the TCP flow under the T-periodic attack to the TCP bandwidth without any attack. For example, when T = 1.5 sec and minRTO = 1 sec, the TCP flow utilizes the available bandwidth in the [minRTO, T] interval after each outage, so that the normalized TCP throughput becomes (T − minRTO)/T = 0.33. On the other hand, when T = 0.8 sec, only every second outage is effective, and the TCP flow utilizes bandwidth in the [minRTO, 2T] interval after each effective outage. Consequently, the normalized throughput becomes (2T − minRTO)/2T = 0.375.
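As an added worked example (my own code, not part of this essay or of the paper it paraphrases), the following Python script implements the throughput model of this section for the single-flow case of the Origin subsection and the periodic-outage case of the Model subsection together. It contains the closed-form normalized throughput generalized to any period, (k·T − minRTO)/(k·T) with k = ⌈minRTO/T⌉, which reduces to the T = 1.5 sec and T = 0.8 sec cases computed above; a small event-driven simulation of one TCP sender facing outages at 0, T, 2T, ... with Karn-style doubling of the RTO on consecutive losses, so that the same code also reproduces the exponentially spaced 1, 3, 7, 15 ... timeouts; and the synchronization condition minRTO ≥ SRTTi + 4·RTTVARi. The function names, the integer-millisecond time base, the 64·minRTO cap on the backoff and all sample parameter values are assumptions of mine.

```python
"""Throughput model for a low-rate ("shrew") TCP DoS attack: closed form,
an event-driven simulation of one TCP sender, and the flow synchronization
condition.  Added example; all names and sample values are assumptions, not
code from the essay or from the paper it paraphrases."""
import math

# Time is kept in integer milliseconds so the periodic schedule is exact.
MIN_RTO_MS = 1000          # TCP's minRTO of 1 sec, as in the text


def rto_for_flow(srtt_ms, rttvar_ms, min_rto_ms=MIN_RTO_MS):
    """RTO of one flow: max(minRTO, SRTT + 4*RTTVAR) (RFC 2988 form, clock
    granularity ignored)."""
    return max(min_rto_ms, srtt_ms + 4 * rttvar_ms)


def flows_synchronize(flows, min_rto_ms=MIN_RTO_MS):
    """flows: list of (SRTT_i, RTTVAR_i).  True when minRTO >= SRTT_i + 4*RTTVAR_i
    for every flow, i.e. every RTO collapses to minRTO and the flows time out
    and recover in lockstep despite their heterogeneous RTTs."""
    return all(rto_for_flow(s, v, min_rto_ms) == min_rto_ms for s, v in flows)


def normalized_throughput(period_ms, min_rto_ms=MIN_RTO_MS):
    """Closed form: with k = ceil(minRTO/T) bursts per effective outage,
    throughput = (k*T - minRTO) / (k*T).  k = 1 is the text's T = 1.5 s case,
    k = 2 its T = 0.8 s case."""
    k = math.ceil(min_rto_ms / period_ms)
    return (k * period_ms - min_rto_ms) / (k * period_ms)


def attacker_duty_cycle(burst_ms, period_ms):
    """Fraction of time the attacker transmits (its average rate relative to R)."""
    return burst_ms / period_ms


def simulate_flow(period_ms, burst_ms, rtt_ms, min_rto_ms=MIN_RTO_MS,
                  horizon_ms=60_000):
    """Event-driven model of one TCP sender facing bursts at t = 0, T, 2T, ...
    each lasting l ms.  A burst that hits the sender while it is transmitting,
    or that is in progress when its timer expires, costs one RTO of silence;
    consecutive losses double the RTO (Karn's algorithm, capped at 64*minRTO)
    and any successful transmission resets it to minRTO.  Returns the fraction
    of the horizon during which the sender could transmit."""
    if burst_ms < rtt_ms:
        # Below RTT scale a burst causes a few packet losses, not a full
        # timeout, so the timeout model of the text does not apply.
        raise ValueError("burst must be at least one RTT to force a timeout")
    t, rto, sent = 0, min_rto_ms, 0
    while t < horizon_ms:
        m, offset = divmod(t, period_ms)
        if offset < burst_ms:
            # The sender's packets (or its retransmission) are lost in an outage.
            t += rto
            rto = min(2 * rto, 64 * min_rto_ms)
            continue
        # Transmit until the next burst starts (or the horizon ends).
        next_burst = (m + 1) * period_ms
        sent += min(next_burst, horizon_ms) - t
        rto = min_rto_ms
        t = next_burst
    return sent / horizon_ms


if __name__ == "__main__":
    print("T(ms)  closed-form  simulated  attacker duty cycle")
    for period in (300, 500, 800, 1000, 1500, 2000):
        # horizon chosen as a multiple of the attack cycle so the fractions match
        sim = simulate_flow(period, burst_ms=100, rtt_ms=100,
                            horizon_ms=period * 400)
        print(f"{period:5d}  {normalized_throughput(period):11.3f}  "
              f"{sim:9.3f}  {attacker_duty_cycle(100, period):7.3f}")
    print("flows synchronize:", flows_synchronize([(100, 20), (300, 50)]))
```

Running the script prints one row per period; the simulation reproduces the closed form (0.333 at T = 1500 ms, 0.375 at T = 800 ms, 0 at T = 1000 ms and T = 500 ms) while the attacker's duty cycle stays below 7 percent, which is the detection problem the text describes. The model also shows what the damage depends on: an attacker period matched to minRTO and every flow sharing that minRTO, which is what the synchronization check makes explicit.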