Network Security Ping Flood Attack Solutions Computer Science Essay

Published: November 9, 2015 Words: 2170

Network security can be provided through constant network monitoring combined with knowledge of how attacks work. A network manager can take precautions to prevent an attack or, at the very least, be alerted while an attack is taking place. Because threats follow certain patterns, such as a marked effect on bandwidth utilization, monitoring network data lets us provide the required level of security. A network monitoring tool will be used to explore the effect of a ping flood attack. Network Instruments' Observer tool will be used to record the data and look for the fluctuations caused by a change in the network's security status.

This paper discusses this by presenting a scenario in which the network is under a Ping Flood attack. With the help of Observer we show how a Ping Flood can be identified, so that the network manager can deal with the attack efficiently.

1. Introduction

TCP/IP is the foundation of most of the services people use over a network today. TCP provides reliable, ordered delivery of a stream of bytes from a program on one computer to a program on another computer, whereas IP works at a lower level by handling the delivery of packets from one computer to another.

But TCP/IP is vulnerable to many sorts of attacks. One such type is the Denial of Service attack. In a Denial of Service (DoS) attack, the malicious attacker attempts to disrupt the smooth running of the network by making a service unavailable to its authorized users. The service could be anything from a computer resource such as a printer to a web server.

There are three main ways a DoS attack happens:

Overwhelming computational resources such as CPU time or processing cycles.

Disrupting configuration information.

Making physical network components unavailable.

Even if the target's own assets, such as its computers, are substantially secured, susceptibility to a DoS attack depends on the security of the network, or even of the whole internet. ("Denial of Service", 2007)

Ping Flood is a DoS attack in which the attacker tries to saturate the network by sending a continuous stream of ICMP Echo Requests to a target host. Each ICMP Echo Request, or ping, that arrives at the target causes the target to send back a reply message, an ICMP Echo Reply. The ICMP Echo Reply is sent back towards the attacker's PC if the source IP is not spoofed.

Hence, due to the flood of requests and replies, both the target's incoming and outgoing bandwidth can, in theory, be completely exhausted.

A ping flood attack slows down network performance and can even cripple the network completely.

Let us now move on to the literature review to discuss the critical points and define the problem area.

2. Literature review with problem area definition

The main aim of the project is to show how network management plays a role in maintaining network security. By constantly monitoring and reviewing the data provided by network monitoring tools (Observer in this case), a person can test the load on each of the resources. The designated person can also view the traffic and fix any bottlenecks in the network, and can be alerted to any suspicious activity. This aim is pursued through a real-world scenario.

We use a scenario in which a network is under a DoS attack; the attack considered is a Ping Flood. Let us now review step by step how the attack takes place and make a critical judgement of its cause.

The scenario proposed in this paper is fairly simple. It is as follows.

We take a comparatively small network to which an attacker with higher bandwidth attaches itself. Let us discuss the steps of the attack with respect to time, t.

At t=0

The attacker then targets a victim system with lower bandwidth. Due to the broadcast nature of echo requests in IPv4, the victim is suddenly bombarded with ICMP Echo Requests, and its incoming bandwidth is slowly but surely consumed by the flood. The attacker may also use IP spoofing to place false source addresses on the ICMP Echo Requests he broadcasts.

Step 1: ICMP Echo Request Flooding

At t > 0 and t < n

The second leg of the attack is made possible by the ICMP Echo Request/Reply mechanism. Every computer on the network that receives a ping request has to respond with an ICMP Echo Reply, so the victim's system sends a reply to every request it has received.

The victim thus unintentionally compromises its own outgoing bandwidth. As this step of the attack continues, the target's incoming buffer, which has been filling up, reaches a stage where the victim is no longer even able to process the attacker's requests. Its outgoing bandwidth is also slowly being filled, and it may no longer be able to send requests effectively to other devices on the network.

Step 2: ICMP Echo Reply

At t=n

The third stage, at t = n, is when both the incoming and outgoing bandwidth are overwhelmed by ICMP Request/Reply packets and rendered useless. This makes the victim incapable of communicating with the rest of the systems on the network. It also degrades CPU performance, as handling the packets takes over a large share of the processing cycles and CPU time.

Step 3: Incapable of receiving other requests due to high bandwidth utilization

At the network level it reduces the performance of the whole network. It can also affect the interconnecting devices, e.g. a router, and saturate the router's memory, causing a denial of service to a much larger group of users.

In a collapsed-core layered design, if the attacker aims at the backbone of the network he can compromise the whole network.

Detecting a DoS Ping Flood attack on a network using network management tools is the problem this paper wishes to solve.

3. Statement of Findings

3.1 Specifications

The approach this paper takes to address the problem is first to create a small network of three PCs.

The three systems have these roles:

Server/Manager's system: this system monitors the network and collects the data through Observer while the attack is in progress.

IP Address: 192.168.0.1

Attacker/Lab System 1: this is the system I shall use to launch the attack.

IP Address: 192.168.0.2

Victim/Lab System 2: this system will be the one under attack and the focus of the Server system, which analyses the data on this network.

IP Address: 192.168.0.3

3.2 Process of Launching a Ping Flood Attack

The primary requirement for a Ping Flood attack to succeed is that the attacker's system has higher bandwidth than the victim's. I have therefore also used the Traffic Generator available in Observer against the victim's PC to reduce its available bandwidth. This also simulates the background traffic of a small network, which makes the method more realistic.

The command to launch the attack from a Windows system is relatively simple. The format of the command is:

ping <target pc ip address> -t -l <size of the packet to send>

Hence, using this structure and opening the command prompt on a Windows OS, we have:

ping 192.168.0.3 -t -l 65000

Though this process takes an ample amount of time, it eventually floods the victim system with ICMP Echo Requests of packet size 65000 bytes (the maximum is 65500).

From the Server system we then start capturing packets, which provides us with the data needed to identify the attack.

3.3 Findings

Through repeated iterations of the attack, I used Observer to record the following data:

3.3.1 Packet Capturing

Observer provides a graph that portrays the number of packets captured per second.

3.3.2 Utilization Thermometer

This Observer tool records the utilization percentage and the rate of data transfer. While running the simulation I had hoped to achieve a higher utilization percentage, but the data was recorded in the initial stages of the attack, so utilization had not yet reached a high peak.

3.3.3 Bandwidth Utilization

As the victim PC is bombarded with ping requests, we can see that bandwidth utilization spikes frequently.

4. Discussion towards Practical Application

Having seen the findings, let us discuss how Observer can be used as a tool to solve this problem in practice.

There are two ways to mitigate a Ping Flood attack. They are as follows:

By limiting the packet size

By delaying the passing of ping request packets as they arrive

Maximum Packet Size Filter

With the help of Observer's Filter options we can create a new filter that warns us when the packet size exceeds a given size. We can set it to alarm when packets larger than 60000 bytes are seen. This alerts the manager by sending him an email, and he can then proceed with either of the two solutions mentioned above. This is one possible outcome.

There are two other possible outcomes with this practical application of Observer:

False Positive: If we set the packet size filter to alarm when packet sizes are greater than 60000, the alarm may be triggered when no attack is happening.

False Negative: If the attacker chooses a packet size below 60000, e.g. 59000, the alarm may never trigger.

Number of Packets Filter

We can also use the filter that triggers an alarm when the number of packets to the victim system exceeds a certain number in a given period of time.

For example, if we set a limit of 100 packets/second, the network manager will be alerted when the attacker sends the ICMP flood, and he can again respond with either of the two solutions given earlier. This is a possible outcome.

There are two other possible outcomes with this practical application of Observer:

False Positive: If we set the packets-per-second filter to alarm when the rate exceeds 100 packets/sec, the alarm may be triggered when no attack is happening.

False Negative: If the attacker chooses to send only 99 packets per second, for example, we arrive at a false negative.

Duplicate IP Filter

In a ping flood attack the attacker sometimes misuses or spoofs IP addresses, so when the requests arrive they appear to come from duplicate IPs.

Observer therefore allows you to use its Duplicate IP filter.

Duplicate IPs are a major concern for a network manager regardless of any attack.

This filter, together with the two mentioned above, can help alert the manager that a Ping Flood attack is taking place.

Maximum Bandwidth Utilization Filter

During a successful Ping Flood attack the victim's bandwidth usage is extremely high, so this Observer filter can be used. All we have to do is set the upper-bound utilization percentage; when it is exceeded, the manager is alerted through an email. This is a possible outcome.

There are two other possible outcomes with this practical application of Observer:

False Positive: If we set the utilization filter to alarm when the upper-bound percentage is exceeded, the alarm may be triggered when no attack is happening.

False Negative: If the attacker keeps the victim's utilization just below the upper bound, we arrive at a false negative.

I believe a combination of all the above filters (with the right AND/OR logic) will help the manager conclude that a Ping Flood attack is taking place.
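As an added illustration of this AND/OR combination (not part of the paper, and not Observer's own filter engine), the following Python sketch applies the four filters described above to a constructed packet capture; the 100 Mbit/s link speed, the MAC addresses and the packet records are assumptions. It also reproduces the paper's false-negative case, where 99 packets/sec of 59000 bytes slip under every single threshold.

```python
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "t src mac dst icmp_type length")  # second, src IP, src MAC, dst IP, ICMP type, bytes
VICTIM = "192.168.0.3"      # Lab System 2 from the paper
LINK_BPS = 100_000_000      # assumed 100 Mbit/s victim link (hypothetical value)

def packet_size_alerts(pkts, max_len=60000):
    """Maximum Packet Size Filter: echo requests to the victim larger than max_len bytes."""
    return [p for p in pkts if p.dst == VICTIM and p.icmp_type == 8 and p.length > max_len]

def rate_alerts(pkts, pps_limit=100):
    """Number of Packets Filter: seconds in which more than pps_limit echo requests reached the victim."""
    per_sec = defaultdict(int)
    for p in pkts:
        if p.dst == VICTIM and p.icmp_type == 8:
            per_sec[p.t] += 1
    return sorted(t for t, n in per_sec.items() if n > pps_limit)

def utilization_alerts(pkts, link_bps=LINK_BPS, pct_limit=70.0):
    """Maximum Bandwidth Utilization Filter: seconds in which captured bits exceed pct_limit of the link."""
    per_sec = defaultdict(int)
    for p in pkts:
        per_sec[p.t] += p.length * 8
    return sorted(t for t, bits in per_sec.items() if 100.0 * bits / link_bps > pct_limit)

def duplicate_ip_alerts(pkts):
    """Duplicate IP Filter: a source IP seen with more than one MAC address, a symptom of spoofed pings."""
    macs = defaultdict(set)
    for p in pkts:
        macs[p.src].add(p.mac)
    return sorted(ip for ip, m in macs.items() if len(m) > 1)

def ping_flood_suspected(pkts):
    """AND/OR combination: (rate AND utilization in the same second) OR (duplicate IP AND oversize packets)."""
    hot_seconds = set(rate_alerts(pkts)) & set(utilization_alerts(pkts))
    return bool(hot_seconds) or (bool(duplicate_ip_alerts(pkts)) and bool(packet_size_alerts(pkts)))

def sample_capture():
    """Constructed capture (not Observer output): second 0 normal, seconds 1-2 flood, second 3 evasive."""
    pkts = [Pkt(0, "192.168.0.1", "aa:00", VICTIM, 8, 64) for _ in range(20)]
    pkts += [Pkt(t, "192.168.0.2", "bb:00", VICTIM, 8, 65000) for t in (1, 2) for _ in range(150)]
    # Spoofed requests: the server's IP appears with the attacker's MAC, which the Duplicate IP filter catches
    pkts += [Pkt(1, "192.168.0.1", "bb:00", VICTIM, 8, 65000) for _ in range(10)]
    # The paper's false-negative case: 99 packets/sec of 59000 bytes stay under every single threshold
    pkts += [Pkt(3, "192.168.0.2", "bb:00", VICTIM, 8, 59000) for _ in range(99)]
    return pkts

if __name__ == "__main__":
    cap = sample_capture()
    print(rate_alerts(cap), utilization_alerts(cap), duplicate_ip_alerts(cap), ping_flood_suspected(cap))
```

On the sample capture the rate and utilization filters both fire for seconds 1 and 2 and the duplicate IP filter flags 192.168.0.1, while second 3 alone raises no alarm from any filter.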

5. Conclusion

This paper has discussed how a network management tool like Observer can be used to uphold network security. It has discussed how DoS attacks, and the Ping Flood attack in particular, affect the network, and has explored in depth the mechanism of the attack and its effects on our simulated network.

The data collected from Observer was vital for analysing and formulating a practical approach to dealing with a Ping Flood attack.

This paper confirms the belief that a vigilant network monitoring scheme is one of the most effective ways to manage network security as well. It shows that the role of a network manager should be like that of a lifeguard who keeps an eye out, warns swimmers in deep water and saves people in distress. This is the role a network manager should have, rather than the one that is common these days: a network manager should be a lifeguard, not a firefighter who only becomes active once there is an uncontrollable fire to be put out.