Main classifications of DDoS attacks

Published: November 30, 2015 Words: 2061

DDoS Attacks - Classification

The following are the two main classifications of DDoS attacks:

Bandwidth Depletion Attack

A bandwidth depletion attack floods the target network with an enormous volume of garbage traffic so that legitimate users cannot reach the target system. Bandwidth depletion attacks can further be classified into the following categories:

Resource Depletion Attack

A resource depletion attack exhausts or shuts down a particular resource of the target system, making it unavailable to legitimate users. Resource depletion attacks can further be classified into the following categories:

DDoS attacks can also be classified more generally into the following two categories:

Direct Attacks

In a direct attack, the attacking hosts send the attack traffic straight to the victim, but with spoofed source IP addresses so that the real sources cannot be traced.

Reflector Attacks

In a reflector attack, the attack is launched through intermediary nodes called reflectors. The characteristic feature of a reflector is that it returns a packet for every packet it receives: the attacker sends requests to many reflectors with the source address spoofed to the victim's, so all the replies converge on the victim.

DDoS Prevention

DDoS attacks can target any number of services or devices in a network, which makes it difficult to keep every network device from being susceptible. Even legitimate traffic can turn into a DDoS attack if it triggers recursive operations that consume server resources. Hence there is no single-point solution to DDoS attacks; the following measures should be combined to have an effective DDoS prevention mechanism in place.

Network Design with High Redundancy and High Availability

High redundancy of critical network resources prevents a single point of failure during a DDoS attack. Although this is costly to implement (dual internet lines, for example), it proves to be an effective measure.

Perimeter Defense

Filtering of traffic from spoofed IP addresses should start at the gateway router, by implementing ingress and egress filtering: ingress filtering drops packets arriving from outside with source addresses that cannot legitimately come from there (our own prefix, private or reserved ranges), and egress filtering drops packets leaving the internal network with source addresses that are not ours, so that compromised internal hosts cannot spoof other sites.
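As an added example (not part of the original article), here is the border-router decision in Python: egress filtering drops anything leaving with a source outside our prefix, and ingress filtering drops anything arriving with our own prefix or an unroutable (bogon) source. The site prefix 203.0.113.0/24, the bogon list and the packet addresses are assumptions constructed for the demonstration.

```python
import ipaddress

# Assumed for this example: the prefix the site owns and announces.
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that must never arrive from the public Internet (private,
# loopback, link-local, multicast, reserved). A real bogon list is longer.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def border_filter(direction, src_ip):
    """Decide what the gateway router does with a packet, given its direction
    and source address. Returns a (verdict, reason) pair.

    direction: "ingress" for packets arriving from the Internet,
               "egress"  for packets leaving towards the Internet.
    """
    addr = ipaddress.ip_address(src_ip)
    if direction == "egress":
        # Egress filtering (BCP 38): only packets sourced from our own prefix
        # may leave, so a compromised internal host cannot spoof other sites.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "permit", "source belongs to our prefix"
        return "drop", "egress spoof: source is not ours"
    if direction == "ingress":
        # Ingress filtering: our own prefix or a bogon range can never be a
        # genuine source on the outside interface, so such packets are spoofed.
        if _in_any(addr, INTERNAL_PREFIXES):
            return "drop", "ingress spoof: our prefix arriving from outside"
        if _in_any(addr, BOGON_PREFIXES):
            return "drop", "ingress bogon: unroutable source"
        return "permit", "routable external source"
    raise ValueError("direction must be 'ingress' or 'egress'")


def apply_filter(direction, packets):
    """Run border_filter over a list of (src_ip, dst_ip) pairs and return the
    source addresses that were dropped, in order."""
    return [src for src, _dst in packets
            if border_filter(direction, src)[0] == "drop"]


if __name__ == "__main__":
    # Constructed sample: two inbound packets claim to come from inside or
    # from a private range, one outbound packet claims a foreign source.
    inbound = [("198.51.100.7", "203.0.113.10"),   # genuine external client
               ("203.0.113.5", "203.0.113.10"),    # spoofed: our own address
               ("10.1.2.3", "203.0.113.10")]       # spoofed: private range
    outbound = [("203.0.113.5", "198.51.100.7"),   # genuine reply
                ("192.0.2.9", "198.51.100.7")]     # spoofed by an internal zombie
    print("dropped inbound :", apply_filter("ingress", inbound))
    print("dropped outbound:", apply_filter("egress", outbound))
```

Both directions matter: ingress filtering protects us from spoofed floods, egress filtering stops our own infected hosts from being usable as spoofing agents or as reflectors against someone else.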

Defense In-Depth

An Intrusion Detection System (IDS) can detect the communication between the master and the zombies (agents). This helps in removing those zombies from the network, but a signature-based IDS cannot detect new variants of the communication for which it has no signatures.

Host Hardening

Host hardening is the process of hardening the operating system: applying the latest patches for known vulnerabilities, applying proper security policies with access control lists, changing default passwords, closing unneeded ports and tightening the system configuration.

Malware Detection & Prevention

All hosts in the network must have anti-virus installed and updated with the latest signatures, and file integrity checkers must be used to watch closely for unauthorized modification of files, so that no host is infected by malware and turned into a zombie for future DDoS attacks.

Periodic Scanning

Periodic vulnerability assessment helps to identify vulnerable hosts and to close those vulnerabilities in time, before attackers exploit them.

Policy Enforcement

The final element in preventing DDoS attacks is enforcing proper acceptable-use and resource management policies. There should also be policies ensuring secure coding practices and pre-production testing, to prevent loopholes in the developed systems.

DDoS Detection & Defense Mechanism

As DDoS attacks get more advanced day by day, with new tools and techniques making it easy even for an ordinary internet user to launch automated attacks, a proper strategy is required to thwart them successfully.

The countermeasures against DDoS attacks should be modeled around three stages of handling the attack. The first is the detection stage, where the DDoS traffic is identified. The second is the traffic segregation stage, where the malicious traffic is separated from the legitimate traffic. The third is the mitigation stage, where the effect of the attack is dissolved by nullifying it.

DDoS Detection

DDoS attacks involve two types of traffic: the attack traffic and the control traffic [Figure 1]. A variety of security resources such as Intrusion Detection Systems (IDS) are available to identify DDoS attacks; anomaly-based and signature-based IDS are the two widely used kinds. A signature-based IDS is used to detect the control traffic, based on a standard set of signatures that look for the port numbers, or the traffic targeting known vulnerabilities, which the master uses to connect with the zombies and trigger the attack. An anomaly-based IDS is used to detect the attack traffic by monitoring the network for unusual behavior using statistical analysis; packet frequency and bandwidth consumption are analyzed at different locations in the network. The following two tests are useful in analyzing and alerting on DDoS attacks:

Persistence Threshold Test

The persistence threshold test involves two threshold values, the rate threshold and the persistence threshold. The persistence threshold defines the monitoring period, whereas the rate threshold defines the bandwidth usage. The rate threshold is calculated from the tolerance level and the average network traffic volume. The test works as follows: when the monitored traffic parameter exceeds the rate threshold, and stays above it for the time defined by the persistence threshold, the system alerts the administrator.

Bucket Threshold Test

The persistence threshold test can produce false negatives if the attacker floods the network in bursts shorter than the persistence threshold. The bucket threshold test was introduced to overcome this problem. It divides the monitoring period into smaller windows called buckets. At any time two observation windows are available, so the short-interval traffic rate can be compared with the long-interval traffic rate. When the comparison shows that the tolerance level is crossed, the system administrator is alerted.

Running the bucket and persistence threshold tests concurrently covers both sustained and bursty floods, and the combination is more robust than either test alone.
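The two tests, as an added worked example in Python rather than code from the original article. The traffic series are constructed (Mbit/s per one-second sample), the window sizes and the tolerance factor are assumed, and the bursty series is the case the text describes: three seconds of flood followed by two seconds of silence, which never stays above the rate threshold for the five-sample persistence period but is caught by the short-versus-long window comparison.

```python
from collections import deque


def rate_threshold(baseline_samples, tolerance):
    """Rate threshold = average baseline volume times the tolerance factor."""
    return tolerance * sum(baseline_samples) / len(baseline_samples)


def persistence_test(samples, rate_thr, persistence):
    """Alert when the rate stays above rate_thr for `persistence` consecutive
    samples. Returns the index of the sample that triggered the alert, or None."""
    run = 0
    for i, rate in enumerate(samples):
        run = run + 1 if rate > rate_thr else 0
        if run >= persistence:
            return i
    return None


def bucket_test(samples, short_window, long_window, tolerance):
    """Compare the mean of the last `short_window` buckets with the mean of the
    last `long_window` buckets; alert when the short-term rate exceeds the
    long-term rate by more than `tolerance`. Returns the alert index or None."""
    buckets = deque(maxlen=long_window)
    for i, rate in enumerate(samples):
        buckets.append(rate)
        if len(buckets) < long_window:
            continue                      # not enough history yet
        recent = list(buckets)[-short_window:]
        short_mean = sum(recent) / short_window
        long_mean = sum(buckets) / long_window
        if long_mean > 0 and short_mean / long_mean > tolerance:
            return i
    return None


def detect(samples, rate_thr, persistence, short_window, long_window, tolerance):
    """Run both tests concurrently and report the alert index of each."""
    return {"persistence": persistence_test(samples, rate_thr, persistence),
            "bucket": bucket_test(samples, short_window, long_window, tolerance)}


# Constructed traffic series (Mbit/s per one-second sample), not measured data.
BASELINE = [100] * 12
SUSTAINED_FLOOD = BASELINE + [1000] * 10
BURSTY_FLOOD = BASELINE + [1000, 1000, 1000, 100, 100] * 3   # 3 s on, 2 s off

if __name__ == "__main__":
    thr = rate_threshold(BASELINE, tolerance=2.0)   # 200 Mbit/s
    for name, series in (("baseline", BASELINE),
                         ("sustained", SUSTAINED_FLOOD),
                         ("bursty", BURSTY_FLOOD)):
        print(name, detect(series, thr, persistence=5,
                           short_window=3, long_window=12, tolerance=2.0))
```

On the sustained flood the persistence test fires after five consecutive samples above 200 Mbit/s; on the bursty flood it never fires, while the bucket test fires on the first burst sample because the three-sample mean (400) is more than twice the twelve-sample mean (175). Conversely, once a sustained flood has filled the long window the bucket ratio returns to about 1, which is why the two tests are run together.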

Intrusion Detection Modeling

Distributed, cooperative or otherwise organized attacks can be handled effectively by deploying Intrusion Detection Systems in a geographically distributed manner. Each of the distributed IDS devices develops attack patterns from the attacks targeting the network it monitors, and the cooperative approach correlates all these patterns to detect an attack in progress. The correlated attack patterns thus serve as a shared information base for detection, to which every distributed IDS contributes.

Segregation of Malicious Traffic

Once the detection mechanism raises an alert for malicious traffic, the next step is to block the DDoS traffic. In-depth analysis of the traffic is required to identify the normal and the malicious traffic patterns. Once these patterns are developed they can be used to block the abnormal traffic or to allow only the normal traffic. Ongoing attacks can be tackled by creating temporary filters that allow only the known legitimate traffic. Table [1] lists the different known attack patterns.

Identification of Non-TCP Attacks

The attack patterns listed in Table [1] can be used to create filters that keep the malicious traffic out of the network. Flooding attacks that depend on spoofed source addresses can be blocked by egress and ingress filtering, and basic flooding attacks that target specific ports (UDP or ICMP floods, for example) can be filtered at the firewall.

Identification of TCP Attacks

When an attack uses TCP as the protocol, segregating the malicious traffic is more difficult: it requires proper analysis of the network traffic, otherwise it results in a high number of false positives. A SYN flood exploits the TCP handshake itself: the attacker sends an enormous number of SYN packets with spoofed source addresses, the server allocates a half-open connection and sends a SYN-ACK for each, and then waits for the final ACK that never arrives, until its connection backlog is exhausted. SYN floods consume network bandwidth as well as server resources. Calculating the ratio of SYN to non-SYN packets in the network helps to identify SYN floods; the same ratio calculation can also detect RST and FIN flood scenarios. If other flags are used in a TCP flood, the attack can be identified from the packets the server returns in response (for example, the RST it sends for an ACK that belongs to no connection).

Identifying Legitimate Traffic

It is better to identify and segregate the legitimate traffic than to try to identify the malicious traffic. Filters that segregate malicious traffic are difficult to implement if the attacker uses random spoofed IP addresses, since they end up blocking legitimate traffic as well. This issue can be handled if we know the list of white-listed legitimate IP addresses: the service is then simply allowed only for the white-listed sources. The following two techniques help in identifying the legitimate sources.

Connection Status

The white list of legitimate IP addresses can be built by monitoring the state of the connections the server establishes with its clients. Only a client that completes the three-way handshake (the server receives the client's ACK in reply to its SYN-ACK) should be added to the white list; the fact that the server sent a SYN-ACK to an address proves nothing, since during a SYN flood it sends one to every spoofed source.
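An added example in Python (not the article's own code) covering both the SYN ratio test described under Identification of TCP Attacks and the connection-status white list above. The packet trace, the server address 203.0.113.10, the client and spoofed addresses and the ratio limits are constructed assumptions; the trace contains two clients that complete the handshake and fifty spoofed SYN sources. It also contrasts a white list built from the addresses the server sent SYN-ACKs to, which admits every spoofed source, with one built from completed handshakes.

```python
from collections import Counter

SERVER = "203.0.113.10"   # assumed address of the protected server


def build_trace():
    """Constructed packet trace as (src, dst, flags) tuples. Flags use the
    tcpdump letters S=SYN, A=ACK, P=PSH, F=FIN, R=RST."""
    trace = []
    # Two legitimate clients: full three-way handshake, then data.
    for client in ("198.51.100.7", "198.51.100.8"):
        trace += [(client, SERVER, "S"), (SERVER, client, "SA"),
                  (client, SERVER, "A"), (client, SERVER, "PA"),
                  (SERVER, client, "A")]
    # Fifty spoofed sources: one SYN each. The server answers every one with a
    # SYN-ACK that goes to an address which never replies (half-open backlog).
    for i in range(1, 51):
        spoofed = "192.0.2.%d" % i
        trace += [(spoofed, SERVER, "S"), (SERVER, spoofed, "SA")]
    return trace


def inbound_flag_counts(trace, server):
    """Count packets arriving at the server by the flag classes the text uses."""
    counts = Counter()
    for src, dst, flags in trace:
        if dst != server:
            continue
        counts["total"] += 1
        if "S" in flags and "A" not in flags:
            counts["syn"] += 1
        else:
            counts["non_syn"] += 1
        if "R" in flags:
            counts["rst"] += 1
        if "F" in flags:
            counts["fin"] += 1
    return counts


def syn_ratio(counts):
    """SYN : non-SYN ratio. A healthy server sees one SYN per many data and ACK
    segments, so the ratio is normally well below 1."""
    return counts["syn"] / max(counts["non_syn"], 1)


def flood_verdicts(counts, syn_ratio_limit=1.0, flag_share_limit=0.5):
    """Name the TCP flag floods visible in the counts (empty list = none).
    The limits are assumptions for the example, not tuned values."""
    verdicts = []
    if syn_ratio(counts) > syn_ratio_limit:
        verdicts.append("SYN flood")
    for flag in ("rst", "fin"):
        if counts["total"] and counts[flag] / counts["total"] > flag_share_limit:
            verdicts.append(flag.upper() + " flood")
    return verdicts


def synack_whitelist(trace, server):
    """White-list every address the server sent a SYN-ACK to. During a SYN
    flood this admits all the spoofed sources, so it is the wrong rule."""
    return {dst for src, dst, flags in trace if src == server and flags == "SA"}


def handshake_whitelist(trace, server):
    """White-list only clients whose final ACK completed the handshake."""
    half_open, established = set(), set()
    for src, dst, flags in trace:
        if dst != server:
            continue
        if flags == "S":
            half_open.add(src)
        elif "A" in flags and "S" not in flags and src in half_open:
            half_open.discard(src)
            established.add(src)
    return established


if __name__ == "__main__":
    trace = build_trace()
    counts = inbound_flag_counts(trace, SERVER)
    print("SYN:non-SYN = %.1f, verdicts = %s" % (syn_ratio(counts), flood_verdicts(counts)))
    print("SYN-ACK white list size :", len(synack_whitelist(trace, SERVER)))
    print("handshake white list    :", sorted(handshake_whitelist(trace, SERVER)))
```

With the constructed trace the server sees 52 SYNs against 4 non-SYN segments, a ratio of 13 where normal traffic stays well below 1; the SYN-ACK rule white-lists 52 addresses, fifty of them spoofed, while the handshake rule white-lists only the two real clients.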

Client Response Pattern

Legitimate clients can also be identified through TCP's congestion control mechanism. When congestion occurs, signaled by packet loss or ECN marks, TCP senders are expected to reduce their sending rate to the bandwidth available on the path to the target network. Legitimate hosts respond by decreasing their traffic flow, but the malicious sources will not: either they are spoofed addresses that cannot be reached, or, if they are real hosts, they will not slow down because their purpose is to flood. This differential behavior can be used to identify and segregate the legitimate and the malicious sources.

DDoS Mitigation

Once the DDoS traffic has been detected and segregated from the legitimate traffic, the next step is to nullify or dissolve the effect of the attack. This can be done by proactive or reactive approaches; the disadvantage of the proactive approach is that it is more costly to implement. The following are a few proactive and reactive approaches applicable to DDoS attacks.

Blocking At The Upstream

Blocking the attack traffic at the firewall is of little use against a DDoS attack, since by the time the traffic reaches the firewall it has already consumed the link. Instead the attack should be blocked at the upstream nodes, by sharing the defense logic and filter rules with the upstream nodes in active networks. This distributes and reduces the network congestion and so dissolves the attack intensity.

Kill The Zombie

The attacker uses zombies as the agents that execute the DDoS attack, so these nodes should be cut off from their controller, for example by blocking the IRC ports and channels used as the command channel, and then cleaned.

Load Balancing

Load balancing proves effective both in normal operation and in handling DDoS attacks. Critical network connections should be provisioned with increased bandwidth to withstand the DDoS traffic, and resource redundancy provides fail-safe protection for critical resources during an attack.

Throttling

Throttling can be effective in handling DDoS traffic, as it adjusts the incoming traffic down to the safest level a server can handle. Its disadvantage is that it cannot tell the malicious traffic from the legitimate, so legitimate traffic is throttled along with the attack traffic.
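An added example (not from the original article) of throttling with a token bucket, together with the limitation the text mentions. The arrival series are constructed, and the rate of 20 requests per second and burst of 20 are assumed. A single-source flood is cut down to the bucket rate while a legitimate client at 10 requests per second is untouched; a flood spread across 250 spoofed sources passes per-source throttling completely, and throttling the aggregate link instead drops the legitimate client's requests together with the flood.

```python
from collections import Counter


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the time elapsed since the last arrival, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle(arrivals, rate, burst, key=lambda src: src):
    """Pass (time, src) arrivals through a token bucket per key(src).
    key=lambda s: s gives one bucket per source address; key=lambda s: "all"
    gives a single aggregate bucket for the whole link.
    Returns (accepted, dropped) Counters indexed by source."""
    buckets, accepted, dropped = {}, Counter(), Counter()
    for t, src in sorted(arrivals):
        bucket = buckets.setdefault(key(src), TokenBucket(rate, burst))
        (accepted if bucket.allow(t) else dropped)[src] += 1
    return accepted, dropped


# Constructed arrivals over five seconds (not measured data).
LEGIT = [(i * 0.1, "198.51.100.7") for i in range(50)]              # 10 req/s
ONE_SOURCE_FLOOD = [(i * 0.001, "192.0.2.1") for i in range(5000)]   # 1000 req/s
SPOOFED_FLOOD = [(i * 0.001, "192.0.2.%d" % (i % 250 + 1))          # 1000 req/s
                 for i in range(5000)]                               # over 250 sources

if __name__ == "__main__":
    rate, burst = 20, 20
    acc, drop = throttle(LEGIT + ONE_SOURCE_FLOOD, rate, burst)
    print("per-source, single attacker: legit %d/50 accepted, attacker %d/5000 accepted"
          % (acc["198.51.100.7"], acc["192.0.2.1"]))
    acc, drop = throttle(LEGIT + SPOOFED_FLOOD, rate, burst)
    print("per-source, spoofed sources: %d of %d flood requests accepted"
          % (sum(acc.values()) - acc["198.51.100.7"], len(SPOOFED_FLOOD)))
    acc, drop = throttle(LEGIT + SPOOFED_FLOOD, rate, burst, key=lambda s: "all")
    print("aggregate bucket: legit %d/50 accepted, %d accepted in total"
          % (acc["198.51.100.7"], sum(acc.values())))
```

The per-source bucket admits roughly burst plus rate times duration, about 120 of the single attacker's 5000 requests, and all 50 legitimate ones. Against the spoofed flood it admits everything, because no single source exceeds 20 requests per second; the aggregate bucket then protects the server, but at the cost of the legitimate client, which is exactly the inability to tell the two apart that the text describes.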

Deflect Attacks

Honeypots are an important component for protecting resources by deflecting DDoS attacks, and also for gathering information about the attacker's activities. A honeypot mimics the behavior of a legitimate network resource and lures the attacker into installing the DDoS agent on it. This helps to understand the agent code and to build an effective defense against future attacks.

Post - Attack Forensics

The logs captured during a DDoS attack can be used to derive the attack patterns, which in turn improve the defense mechanisms in place and help to develop new filtering mechanisms against future attacks. The logs also help to trace the attack back to its sources if the addresses are not spoofed, support forensic analysis, and assist law enforcement when the attack causes serious damage.