Denial Of Service Attack Tools Information Technology Essay

Published: November 30, 2015 Words: 2805

The advent of the Internet has shifted the fulcrum of economic activity to an extent unseen since the Industrial Revolution. An increasing number of companies worldwide rely on Internet-related technologies to conduct their business. Denial of service (DoS) attacks pose a serious threat to the Internet, with serious economic repercussions for companies whose operations depend on online availability (e.g. Amazon, eBay). The problem is exacerbated by the absence, so far, of a comprehensive solution for protecting web sites against, or recovering from, a DoS attack. This analysis examines the various types of DoS attack and the tools used to perpetrate DDoS attacks, then considers the steps a company can take to mitigate the risk. A number of remedies proposed to ameliorate the problem of DoS attacks are subsequently presented. Finally, current developments and future possibilities in addressing the problem are discussed.

2.1 INTRODUCTION TO DENIAL OF SERVICE ATTACKS

A denial of service attack either exhausts a system's resources or triggers a software bug (a buffer overflow, for instance) that leaves the system inoperable. An expansion and variant of DoS is the distributed denial of service attack (DDoS), first documented in the summer of 1999. DoS attacks, direct or distributed, force the target to handle requests for service that exceed its planned capacity. The system becomes so busy handling the incoming traffic that it is unable to process legitimate traffic, so the attack deprives legitimate users of the services the system provides, such as e-mail or file transfer.

2.2 Fertile ground for DoS attacks

The three fundamental characteristics of the Internet presented below are what make DoS attacks a menace to the Internet infrastructure.

In particular,

(i). The Internet consists of finite and consumable resources. Bandwidth, processing power and storage capacity are therefore common targets for DDoS attacks, which are designed to consume enough of the target's available resources to cause some level of service disruption.

(ii). Internet security is highly interdependent.

However well a company secures its own IT infrastructure, its exposure to DDoS attacks depends on the state of security of the other computers connected to the Internet, since those are the machines an attacker recruits.

(iii).The properties of the TCP and IP protocols on which the Internet relies.

The TCP/IP protocols currently in use were developed to deliver packets reliably across an "open" and "trusted" network, and they address no security issues. Consequently, they provide no mechanism to ensure the integrity or authenticity of packet attributes, either when a packet is generated or during its end-to-end transmission. In particular, Internet routers forward a packet on the basis of its destination address alone and do not verify its source address, so the source address can be forged (IP spoofing). Most attackers exploit this weakness of IP when launching DDoS attacks.

2.3 A description of a DDoS attack

Both direct and distributed DoS attacks take advantage of the foregoing characteristics of the Internet to disrupt the target host. The DDoS attack additionally harnesses the distributed nature of the Internet, using many computers to launch a co-ordinated DoS attack against one or more targets. The attacker thereby multiplies the effectiveness of the attack significantly by using the resources of many unwitting accomplice computers, which serve as attack platforms.

A DDoS attack is carried out in two phases. In the first phase the attacker compromises as many machines as possible, installing the DDoS attack tools together with related utilities (e.g. a rootkit) that hide the presence of those tools. If the first phase is successful, the attacker proceeds to the second phase, the actual DDoS attack, in which the compromised systems, the secondary victims of the attack, generate the high volume of network traffic required to inundate the targeted site. The target cannot handle such a volume of packets and becomes inoperable.

Having set the background and framework of this study, I now turn to the classification of DDoS attacks.

3. CLASSIFICATION OF DDoS ATTACKS

In the following section I describe in more detail the most prevalent DDoS attacks, following the classification adopted by the Computer Emergency Response Team (CERT) based at Carnegie Mellon University. CERT classifies DDoS attacks into three main categories: bandwidth, protocol and logic attacks.

3.1 Bandwidth attacks

Bandwidth attacks attempt to consume resources such as network bandwidth or equipment throughput. A simple bandwidth consumption attack exploits the packet-per-second limits of servers or network equipment by sending large numbers of small packets: the equipment is overwhelmed by the packet rate long before the link itself is full.

3.2 Protocol attacks

Protocol attacks do not directly exploit weaknesses in TCP/IP or network applications. Instead, they turn the expected behaviour of protocols such as TCP, UDP and ICMP to the attacker's advantage. I examine in detail six instances of protocol attacks: ICMP flood, SMURF attack, SYN flood, UDP flood, Targa3 attack and Mix attack. These are the most widespread forms of protocol attack.

3.2.1 ICMP flood

ICMP floods exploit the Internet Control Message Protocol (ICMP), which carries low-level control messages for IP; its ECHO_REQUEST and ECHO_REPLY messages (used by ping) test network connectivity. The attacker sends a large volume of ICMP ECHO_REQUEST packets to the target host, which answers each one with an ECHO_REPLY. The target's link and CPU are thus consumed in both directions, receiving requests and generating replies, and legitimate traffic is crowded out.

3.2.2 SMURF attack

The SMURF attack is an expansion of the ICMP flood that exploits not only ICMP but also a feature of the IP specification known as directed broadcast addressing. The attacker sends a stream of ICMP ECHO_REQUEST packets to the broadcast address of an intermediary network, with the source address spoofed to be that of the intended target. If the router of that network forwards the directed broadcast, most hosts on it receive the ECHO_REQUEST and each answers with an ECHO_REPLY, multiplying the traffic by the number of responding hosts. All of those replies go to the spoofed source, i.e. the target, which is flooded; the intermediary network, which has to carry both the requests and the replies, is a secondary victim. The standard countermeasure is to configure routers not to forward directed broadcasts, so that a network cannot be used as an amplifier.

3.2.3 SYN flood

SYN flood attacks exploit the process used to establish a TCP connection, the "TCP three-way handshake", in which three packets are exchanged between client and server: (i) the client sends a SYN packet; (ii) the server allocates a TCP control block and sends back a SYN/ACK packet; and (iii) the server waits for the client's ACK packet, which completes the connection. Until the ACK arrives the connection is half-open and its control block remains allocated. The attacker sends SYN packets with spoofed source IP addresses to the target. The target replies with SYN/ACK packets that are destined for hosts that do not exist or never asked for a connection, so the required ACKs never arrive, the connections remain half-open and the target runs out of TCP control blocks. With no control blocks available, the target cannot accept legitimate connections for e-mail, file transfer or any other TCP service. Modern TCP stacks counter this with SYN cookies, which encode the connection state in the server's initial sequence number so that nothing is allocated until the final ACK arrives.
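The following is an added example, not code from the essay: a toy TCP listener with a bounded table of half-open connections, showing how spoofed SYNs exhaust it, next to a stateless SYN-cookie listener that survives the same flood. The addresses, the backlog size and the cookie key are constructed; real stacks also encode the MSS in the cookie and use a finer time granularity than the 64-second slot assumed here.

```python
"""Added example: a stateful listener exhausted by spoofed SYNs, and a
SYN-cookie listener that keeps no state until the third packet arrives."""
import hashlib
import hmac

BACKLOG = 5  # constructed: tiny so exhaustion is visible after a few packets
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic behaviour: allocate a control block per SYN, free it on the ACK."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> server ISN
        self.next_isn = 1000

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        if len(self.half_open) >= self.backlog:
            return None  # table full: SYN silently dropped, no SYN/ACK goes out
        isn = self.next_isn
        self.next_isn = (self.next_isn + 1) & MASK32
        self.half_open[(src_ip, src_port)] = isn
        return isn  # carried in the SYN/ACK

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack_num == ((isn + 1) & MASK32)


class SynCookieListener:
    """Stateless: the ISN is an HMAC over the 4-tuple and a coarse time slot,
    so nothing is allocated until a valid third packet arrives."""

    def __init__(self, key=b"constructed-secret-key", slot_seconds=64):
        self.key = key
        self.slot_seconds = slot_seconds

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, slot):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        # top byte: time slot; low 24 bits: truncated MAC. Fits a 32-bit ISN.
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        # Always answer, allocate nothing.
        return self._cookie(src_ip, src_port, dst_ip, dst_port,
                            int(now) // self.slot_seconds)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        # Only a peer that actually received the SYN/ACK (i.e. whose source
        # address was genuine) can produce ack_num == cookie + 1. The current
        # and the previous slot are accepted so a cookie issued just before a
        # slot boundary is not rejected.
        slot = int(now) // self.slot_seconds
        echoed = (ack_num - 1) & MASK32
        return any(self._cookie(src_ip, src_port, dst_ip, dst_port, s) == echoed
                   for s in (slot, slot - 1))


def flood_then_connect(listener, n_spoofed, now=1_700_000_000):
    """Send n_spoofed SYNs from forged addresses (their ACKs never come), then
    attempt one genuine client handshake; return whether it was accepted."""
    dst_ip, dst_port = "192.0.2.10", 80
    for i in range(n_spoofed):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, dst_ip, dst_port, now)
    isn = listener.on_syn("198.51.100.7", 51515, dst_ip, dst_port, now)
    if isn is None:
        return False  # no SYN/ACK was sent; the client times out
    return listener.on_ack("198.51.100.7", 51515, dst_ip, dst_port,
                           (isn + 1) & MASK32, now)
```

With the stateful listener, five spoofed SYNs are enough to lock out the genuine client; the cookie listener accepts it after any number of them, and rejects an ACK that does not echo a cookie it could have issued within the last two slots.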

3.2.4 UDP flood

This flood exploits the User Datagram Protocol (UDP), a connectionless protocol that provides a simple, unreliable datagram service with no flow control. The attacker sends UDP packets with forged source IP addresses to random ports on the target machine. For each packet the target has to determine whether anything is listening on that port; if nothing is, it sends an ICMP "destination port unreachable" message to the forged source address. The target thus spends resources both processing the datagrams and generating error replies, and the host at the forged source address, which receives those ICMP messages, becomes a secondary victim.

3.2.5 Tagra3 attack

In a Targa3 attack, the attacker sends the target a combination of uncommon IP packets with invalid fragmentation, packet sizes, header values and routing flags. When the target's TCP/IP stack receives such a packet, the kernel has to allocate resources to handle it. If a large number of malformed packets arrive, the target crashes because its resources are exhausted.

3.2.6 Mix attack

In a Mix attack the attacker sends UDP, SYN and ICMP packets in a 1:1:1 ratio. This can have adverse effects on certain routers, networks and detection software.
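The following added example (not from the essay) shows the detection side of the floods described in 3.2.1, 3.2.3, 3.2.4 and 3.2.6: a rate and ratio detector that classifies one second of traffic towards each destination as an ICMP, UDP, SYN or Mix flood and flags the "one packet per source address" fingerprint of spoofing. The packet records, the threshold and the tolerance are constructed for illustration; real thresholds depend on the link and the normal traffic profile.

```python
"""Added example: per-destination, per-second flood classification over
constructed packet summaries."""
from collections import Counter, defaultdict

THRESHOLD_PPS = 50    # constructed: packets/second of one kind before we call it a flood
MIX_TOLERANCE = 0.25  # kinds within 25% of each other count as the 1:1:1 Mix pattern


def bucket(packets):
    """Group packet records (ts, kind, src, dst) per (dst, whole second).
    kind is "echo" (ICMP echo request), "udp" (datagram) or "syn" (TCP SYN
    without ACK); the caller is assumed to have filtered other traffic out."""
    counts = defaultdict(Counter)
    sources = defaultdict(set)
    for ts, kind, src, dst in packets:
        key = (dst, int(ts))
        counts[key][kind] += 1
        sources[key].add(src)
    return counts, sources


def classify(counter, n_sources):
    """Return a verdict for one (dst, second) bucket."""
    high = {k: v for k, v in counter.items() if v >= THRESHOLD_PPS}
    if not high:
        return "normal"
    total = sum(high.values())
    # Almost as many distinct sources as packets: each address is used once,
    # which is what randomly spoofed sources look like.
    spoofed = n_sources >= 0.9 * total
    suffix = ", spoofed" if spoofed else ""
    if len(high) == 3:
        lo, hi = min(high.values()), max(high.values())
        if hi - lo <= MIX_TOLERANCE * hi:
            return "mix flood (udp:syn:icmp ~1:1:1)" + suffix
    names = {"echo": "icmp flood", "udp": "udp flood", "syn": "syn flood"}
    return names[max(high, key=high.get)] + suffix


def detect(packets):
    """Map (dst, second) -> verdict for every bucket that is not normal."""
    counts, sources = bucket(packets)
    verdicts = {}
    for key, counter in counts.items():
        verdict = classify(counter, len(sources[key]))
        if verdict != "normal":
            verdicts[key] = verdict
    return verdicts


def synth(dst, second, n_echo=0, n_udp=0, n_syn=0, spoof=True):
    """Constructed traffic: n packets of each kind within one second. Spoofed
    traffic uses a fresh source per packet; genuine traffic comes from a pool
    of five clients."""
    out = []
    i = 0
    for kind, n in (("echo", n_echo), ("udp", n_udp), ("syn", n_syn)):
        for _ in range(n):
            if spoof:
                src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            else:
                src = f"198.51.100.{i % 5 + 1}"
            out.append((second + i / 100000, kind, src, dst))
            i += 1
    return out
```

Running detect over a concatenation of synth calls gives one verdict per attacked second; a busy but legitimate second (10 datagrams) produces none, while 80 echo requests from five real clients are reported as an ICMP flood without the spoofing marker.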

3.3 Logic attacks

Logic attacks exploit vulnerabilities in network software such as a web server or the underlying TCP/IP stack. This is in contrast to bandwidth and protocol attacks, which seek to consume network or state resources.

3.3.1 Teardrop

Teardrop attacks exploit TCP/IP stacks that do not properly handle overlapping IP fragments: the attacker sends fragments whose offsets and lengths overlap in a way the reassembly code does not expect, so that the kernel miscomputes a copy length and crashes.

3.3.2 Land

Land attacks exploit TCP/IP implementations that mishandle a "spoofed" packet in which the source IP address and port are identical to the destination IP address and port; a vulnerable stack, in effect, tries to complete a handshake with itself and locks up. The current Internet protocol (IPv4) cannot itself prevent spoofed packets. A partial remedy is ingress filtering at the network edge, which drops packets whose source address does not belong to the network they arrive from.
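As an added example (not from the essay), the following edge-router filter implements the ingress filtering just mentioned (source validation in the style of BCP 38, for both directions of the link), and also drops the two spoofing patterns described earlier: Land packets and the directed broadcasts that SMURF relies on. The customer prefix, the packet dictionaries and the sample traffic are constructed; production routers express the same rules as ACLs or unicast reverse-path forwarding checks.

```python
"""Added example: BCP 38 style ingress/egress filtering plus Land and
directed-broadcast drops, over constructed packets."""
import ipaddress

# Constructed topology: everything behind the router's customer-facing
# interface lives in 192.0.2.0/24; anything else is "the Internet".
INSIDE = [ipaddress.ip_network("192.0.2.0/24")]
DIRECTED_BROADCASTS = {n.broadcast_address for n in INSIDE}


def is_inside(addr):
    return any(addr in n for n in INSIDE)


def filter_packet(pkt, direction):
    """pkt: dict with 'src' and 'dst' address strings and optional 'sport'/'dport'.
    direction: 'out' for packets leaving the customer network, 'in' for packets
    arriving from the Internet. Returns (accepted, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Land: source equals destination, address and port. Never legitimate.
    if src == dst and pkt.get("sport") == pkt.get("dport"):
        return False, "land packet (src == dst)"
    if direction == "out":
        # A customer may only emit packets carrying its own addresses.
        if not is_inside(src):
            return False, f"spoofed source {src} leaving customer network"
    elif direction == "in":
        # Nobody on the Internet legitimately sends from our own prefix.
        if is_inside(src):
            return False, f"spoofed source {src} arriving from the Internet"
        # Refuse to act as a SMURF amplifier for anyone.
        if dst in DIRECTED_BROADCASTS:
            return False, f"directed broadcast to {dst} dropped"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return True, "ok"


def apply_filter(packets):
    """Run (pkt, direction) pairs through the filter; return the decisions."""
    return [filter_packet(p, d) for p, d in packets]


def sample_traffic():
    """Constructed packets: two legitimate, four that the filter must drop."""
    return [
        ({"src": "192.0.2.5", "dst": "198.51.100.1", "sport": 1234, "dport": 80}, "out"),
        ({"src": "203.0.113.1", "dst": "192.0.2.20", "sport": 5, "dport": 80}, "in"),
        # customer host emitting a SYN flood with a forged source
        ({"src": "10.9.9.9", "dst": "198.51.100.1", "sport": 1234, "dport": 80}, "out"),
        # outsider claiming one of our own addresses
        ({"src": "192.0.2.5", "dst": "192.0.2.7", "sport": 1, "dport": 2}, "in"),
        # Land packet
        ({"src": "192.0.2.7", "dst": "192.0.2.7", "sport": 139, "dport": 139}, "in"),
        # SMURF: echo request to our broadcast address, source forged to the victim
        ({"src": "203.0.113.50", "dst": "192.0.2.255"}, "in"),
    ]
```

The ordering matters: the Land check runs before the direction-specific rules because a Land packet can arrive from either side, and the inbound spoof check would otherwise report the example Land packet under a less specific reason.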

3.3.3 Naptha

Naptha refers to a family of DoS methods that exploit the way TCP/IP stacks and network applications handle the state of a TCP connection. An attacker can exhaust the resources of applications or operating systems by creating a suitably large number of TCP connections and leaving them in particular states (e.g. ESTABLISHED or FIN_WAIT_1).

3.3.4 Ping of death

Ping of death or "long ICMP" is caused when an attacker deliberately sends an IP packet larger than the 65,535 bytes permitted by the IP protocol. Since no link can carry such a packet in one piece, it is sent as fragments whose offsets and lengths add up to more than the maximum; a vulnerable stack overflows its reassembly buffer when it puts them back together.

4. DDoS ATTACK TOOLS

The focus of this section is to examine the DDoS attack tools used in perpetrating a DDoS attack.

DDoS attack tools are designed to bring one or more sites down by flooding the victim with large amounts of network traffic that originate from multiple locations and are remotely controlled by a single client. All of these tools share the premise and topology depicted in figure 1, but they differ in the types of attack they support and in the way communication is carried out between the client and the handlers. The tools are used to disrupt the normal network traffic to a host, not to capture data or infiltrate a system. Moreover, they are not easily traced, because they forge their source addresses using IP spoofing and so hide their genuine location.

4.1 Trin00

Trin00 is a distributed tool used to launch UDP flood attacks only, from many sources, as described in figure 1. A denial of service attack using a Trin00 network is carried out by an intruder connecting to a Trin00 handler and instructing it to launch a DDoS attack against one or more IP addresses. The Trin00 handlers in turn forward the instruction to the agents, which generate the UDP flood against the target.

4.2 Tribe flood network (TFN)

In addition to the UDP floods of Trin00, TFN can generate TCP SYN flood, ICMP flood and SMURF attacks, and it can spoof the source IP address of the attack packets.

4.3 Tribe flood network 2000 (TFN2K)

TFN2K is a more sophisticated and potent DDoS tool than Trin00 and TFN. It can generate not only the usual ICMP flood, SMURF flood, SYN flood and UDP flood attacks but also Targa3 and Mix attacks, and it supports spoofing of the source IP address in all of them. In addition, the communication between the attacker and the handlers is conducted over a randomly chosen protocol (TCP, UDP or ICMP) with randomised header values, so that no fixed pattern is exposed in the packet headers. The packet payload carries a specific protocol, called Tribe Protocol, which is CAST-256 encrypted and base64 encoded before the handlers decode it. Furthermore, decoy packets can be sent out along with the real packets, obscuring the attacker/handler communication and making it very difficult to determine the location of the attacking servers. In practice the base64 encoding left a trace of its own: the encoded payload is padded with a run of trailing 'A' characters, which network-based detectors used as a signature for TFN2K traffic.

4.4 Stacheldraht (German for barbed wire)

Stacheldraht gained prominence because of its alleged involvement in the 2000 outbreak of DDoS attacks against well-known web sites such as Yahoo. It combines the features of Trin00 and TFN with encrypted communication between the client and the handler and automated remote update of the agents. The attacker uses a Blowfish-encrypted telnet-like session to connect to and communicate with the handlers, and can update the agents remotely on demand via an "rcp" command, which lets the attacker continually change the port passwords and command values.

Having examined the main DDoS attack tools, I turn to the tools available for detecting and eliminating them.

5. DETECTION TOOLS

Three tools are presently available to help detect DDoS "handlers" and "agents" on one's systems. A brief description of each follows.

5.1 Find_ddos v3.1

This tool was developed by the National Infrastructure Protection Center (NIPC). It detects both the handlers and the agents of Trin00, TFN, TFN2K and Stacheldraht by searching local hard disks for known strings in the binaries of the attack tools. An attacker can defeat it, however, by compressing (packing) the binaries: the strings are hidden inside the compressed image while the binary still executes.
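The following is an added example, not the code of find_ddos or of any other tool named here: a file scanner that reports a DDoS tool when all of its known strings appear in a binary, followed by a demonstration of why a packed binary slips past it and what a scanner has to do about it. The signatures, the sample "binary" and the packer stub are constructed placeholders; they are not the real strings or formats of any DDoS tool.

```python
"""Added example: string-signature scanning of binaries, and the packing
evasion that defeats a scanner which does not unpack first."""
import os
import zlib

# Constructed signatures: a tool is reported only if all of its strings appear.
SIGNATURES = {
    "toyflood handler": [b"TOYFLOOD-HANDLER", b"agents.list"],
    "toyflood agent": [b"TOYFLOOD-AGENT", b"udpflood"],
}

PACKER_MARKER = b"\x7fELFstub"  # constructed stand-in for a packer's loader stub


def scan_bytes(blob):
    """Return the names of every signature whose strings all occur in blob."""
    return sorted(name for name, strings in SIGNATURES.items()
                  if all(s in blob for s in strings))


def unpack(blob):
    """What a smarter scanner has to do: recognise the packer stub and inflate
    the original image before matching. Unknown formats are returned as-is."""
    if blob.startswith(PACKER_MARKER):
        return zlib.decompress(blob[len(PACKER_MARKER):])
    return blob


def scan_bytes_unpacking(blob):
    return scan_bytes(unpack(blob))


def scan_tree(root, unpack_first=True):
    """Walk a directory and map each file path to the signatures found in it."""
    scanner = scan_bytes_unpacking if unpack_first else scan_bytes
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = scanner(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


def sample_agent_binary():
    """Constructed stand-in for an agent executable: an ELF-like header
    followed by the strings a scanner would key on."""
    return b"\x7fELF" + b"\x00" * 60 + b"TOYFLOOD-AGENT\x00udpflood\x00spoof=1\x00"


def pack(blob):
    """Mimic a runtime packer: the original image survives on disk only in
    compressed form behind a small stub, so its plaintext strings are gone."""
    return PACKER_MARKER + zlib.compress(blob)
```

The plain sample is detected, the packed copy of the same bytes is not, and only the unpacking scanner recovers the match. Real packers are not a single zlib stream, which is why string scanners of this kind need either an unpacking step or a memory scan of the running process.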

5.2 Ddos_scan

Ddos_scan was developed by D. Dittrich at the University of Washington. It can detect the agents of Trin00, TFN and Stacheldraht, but not TFN2K. It scans an entire subnet from a single node on that subnet by probing the ports the tools are known to use, so if an attack tool is modified to accept communications on a different port this utility fails to detect it.

5.3 Rid

This tool was developed by D. Brumley at Stanford University and is currently the most promising of the three. It can scan an entire subnet from a single node or scan hosts from a list, and it takes a configuration file, so the user can modify the ports and strings Rid looks for and the hosts it scans; it can therefore be adapted to modified attack tools, which defeat the previous two utilities.

6. MANAGING THE THREAT OF DDoS

Although DDoS is accomplished by technological means, combating it requires a business risk assessment exercise. A company needs to make both technical and business decisions to mitigate the risk. Risk assessment is a balancing act, since the company must strike a balance between the level of acceptable risk and the costs to be incurred in mitigating it. This trade-off stems from the business reality that a company can identify and reduce its risks but never eliminate them entirely.

In developing a risk assessment policy a company may wish to consider the following issues:

(i). the assets and services it wants to protect from a potential DDoS attack;

(ii). the likelihood of a DDoS attack against the company;

(iii). the expected damage to the company if such an attack occurs, which requires considering how important the Internet is to its business and how long it can function without Internet service;

(iv). the acceptable level of risk; and

(v). its ability to mitigate the risk, and how much time and effort it is willing to spend managing it.

7. CONCLUSION

A fundamental issue arising from this paper is that all Internet sites are interdependent. Even security-conscious sites can fall victim to a DDoS attack, because the attacker can take control of other, more vulnerable on-line computers and use them to attack the secure site. DDoS attacks can be detrimental not only to a company's IT infrastructure but also to its continued business viability. A company should address this problem as part of its overall risk assessment policy, approaching it from both the technological and the business perspective; a successful response to a DDoS attack depends heavily on the company's readiness to face one. This paper presented a number of proposed remedies to counteract the DDoS problem, such as Xenoservice, NetDeflect and Proactive Roaming; none of them, however, is a panacea. The development and eventual deployment of IPv6, which replaces the current Internet protocol (IPv4), has been put forward as the most promising defence against DDoS attacks, because IPsec, whose support was mandated for IPv6 implementations, can authenticate the origin of packets and so counter the IP spoofing that underpins most DDoS attacks. The caveat is that IPsec must actually be deployed between the communicating parties: IPv6 by itself does not validate source addresses, and ingress filtering remains as necessary on IPv6 networks as on IPv4 ones. Where packet origins are authenticated, an attacker can no longer hide his identity and becomes liable to legal action.