Distributed denial of service (DDOS) attacks

Caue Koisumi Cintra, Universidade Estadual de Campinas (UNICAMP)

Abstract

Distributed Denial of Service (DDOS) attacks are deadly against the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are being developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is really hard to do, as it requires a deep understanding of the scope and techniques used in DDOS attacks. This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this new understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.
1. Introduction

The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the Internet were taking shape, because it was supposed to be a network for a few researchers to exchange knowledge, so every user was trusted, which meant the network would always be secure. With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives. The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDOS attacks: "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor." (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or with other hackers that are not caught at all.
2. What is DDOS?

DOS attacks are just an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website and a botnet (for DDOS attacks).

The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using the IRC (Internet Relay Chat) network and exploiting known vulnerabilities in Windows to crash it. Late 1999 was the rise of DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target. In 2000 DDOS attacks started getting mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks. In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called to take care of the case, showing that even a huge company like Microsoft was not immune to a DDOS attack.

DDOS attacks can be divided into three general categories:

Volume Based Attacks, which consist of saturating the bandwidth of the attacked server; their power is measured in bits per second (bps). Some examples are UDP floods, ICMP floods and other spoofed packet floods.

Protocol Attacks, which try to consume the actual server resources, or those of firewalls and load balancers; their magnitude is measured in packets per second. Some examples are SYN floods, Ping of Death and Smurf DDOS.

Application Layer Attacks, which consist of sending apparently legitimate requests with the goal of crashing the web server; they are measured in requests per second. Some examples are Slowloris, zero-day DDOS attacks and Windows vulnerabilities.
3. Types of attack

There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood

This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing an excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing so that the ICMP return packets won't reach the attacker, hiding the attacker's network location.
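The spoofing that hides the sender of a UDP flood is exactly what the anti-spoofing filters recommended later in section 6.1 are meant to stop: the access provider checks source addresses at the router entrance facing each customer, and every network checks them again at its border exit. The following is an added example, not code from the paper, showing both checks over constructed packets. The prefixes, the bogon list membership, the function names and the sample traffic are assumptions made for the example (documentation address ranges stand in for public space).

```python
"""Added example (not from the original paper): source-address anti-spoofing
filters applied at two points of an assumed provider network, the router
entrance facing a customer and the border exit. All prefixes and packets
are constructed for the example."""
import ipaddress

# Assumed: the prefix the provider delegated to one customer.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
# Assumed: every prefix the provider itself announces to the rest of the Internet.
PROVIDER_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]
# Addresses that must never appear as a source on the public Internet:
# RFC 1918 private space, loopback, link-local and the "this network" block.
BOGON_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8"]


def _in_any(addr, prefixes):
    """True if addr falls inside at least one of the given prefixes."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_filter(src_ip, customer_prefixes=CUSTOMER_PREFIXES):
    """Router entrance (customer-facing interface): accept only sources the
    customer was assigned, so a zombie inside that network cannot forge others."""
    return _in_any(ipaddress.ip_address(src_ip), customer_prefixes)


def egress_filter(src_ip, own_prefixes=PROVIDER_PREFIXES):
    """Border exit: packets leaving the provider must carry one of its own
    source addresses and never a bogon, whatever interface they came from."""
    addr = ipaddress.ip_address(src_ip)
    if _in_any(addr, BOGON_PREFIXES):
        return False
    return _in_any(addr, own_prefixes)


def apply_filter(packets, stage):
    """Split (src, dst) pairs into accepted and dropped lists for one stage."""
    check = ingress_filter if stage == "ingress" else egress_filter
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if check(pkt[0]) else dropped).append(pkt)
    return accepted, dropped


def sample_packets():
    """Constructed traffic seen on the customer interface: one genuine source,
    one forged source borrowed from a neighbouring customer, two forged bogons."""
    return [("203.0.113.5", "192.0.2.1"),
            ("198.51.100.9", "192.0.2.1"),
            ("10.1.2.3", "192.0.2.1"),
            ("127.0.0.1", "192.0.2.1")]


if __name__ == "__main__":
    for stage in ("ingress", "egress"):
        accepted, dropped = apply_filter(sample_packets(), stage)
        print(stage, "accepted:", accepted, "dropped:", dropped)
```

The two stages are deliberately different: the entrance filter knows exactly which prefix the customer owns and is the tighter check, while the exit filter only knows the provider's aggregate, which is why the forged neighbour address passes egress but not ingress. Both together give the property the paper asks for, that a flood leaving this network cannot carry a forged origin.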
3.2 ICMP Flood or Ping Flood

The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method that sends ICMP packets continuously without waiting for a reply. The attacked server will often attempt to respond with ICMP reply packets, which consume both incoming and outgoing bandwidth and can result in an overall system slowdown.
3.3 SYN Flood

This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
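Each of the three floods above leaves a different shape in the victim's traffic: SYNs whose sources never send the closing ACK, UDP datagrams sprayed across many ports, and a stream of ICMP echo requests. The following is an added example, not from the paper, that classifies constructed packet records from the defender's side; it goes a little beyond the text by handling all three types in one pass. The Packet fields, the thresholds and the sample traffic are assumptions chosen for the example, not tuned values.

```python
"""Added example (not from the original paper): recognise the UDP, ICMP and
SYN flood patterns described in sections 3.1-3.3 in a constructed packet
capture. Field names and thresholds are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # destination port; 0 for icmp
    flags: str = ""     # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    icmp_type: int = 0  # 8 = echo request


# Assumed thresholds for the constructed sample; real deployments tune these.
SYN_HALF_OPEN_MIN = 5       # SYNs from sources that never complete a handshake
UDP_DISTINCT_PORTS_MIN = 10  # distinct UDP ports hit on one host
ICMP_ECHO_MIN = 10           # echo requests aimed at one host


def detect_floods(packets, victim):
    """Return {flood_type: evidence} for traffic destined to `victim`."""
    syn_by_src = defaultdict(int)
    ack_by_src = defaultdict(int)
    udp_ports = set()
    icmp_echo = 0
    for p in packets:
        if p.dst != victim:
            continue
        if p.proto == "tcp":
            if p.flags == "S":
                syn_by_src[p.src] += 1
            elif "A" in p.flags:
                ack_by_src[p.src] += 1
        elif p.proto == "udp":
            udp_ports.add(p.dport)
        elif p.proto == "icmp" and p.icmp_type == 8:
            icmp_echo += 1

    findings = {}
    # SYN flood: SYNs whose source never followed up with an ACK (half-open).
    half_open = sum(n for src, n in syn_by_src.items() if ack_by_src[src] == 0)
    if half_open >= SYN_HALF_OPEN_MIN:
        findings["syn_flood"] = {"half_open_syns": half_open,
                                 "sources": len(syn_by_src)}
    # UDP flood: datagrams spread over many (random-looking) ports.
    if len(udp_ports) >= UDP_DISTINCT_PORTS_MIN:
        findings["udp_flood"] = {"distinct_ports": len(udp_ports)}
    # ICMP flood: a burst of echo requests.
    if icmp_echo >= ICMP_ECHO_MIN:
        findings["icmp_flood"] = {"echo_requests": icmp_echo}
    return findings


def sample_packets():
    """Constructed capture: one legitimate handshake plus the three flood shapes,
    and unrelated traffic to a second host that must be ignored."""
    pkts = [Packet("10.0.0.5", "192.0.2.10", "tcp", 80, "S"),
            Packet("10.0.0.5", "192.0.2.10", "tcp", 80, "A")]
    pkts += [Packet(f"198.51.100.{i}", "192.0.2.10", "tcp", 80, "S")
             for i in range(1, 9)]                                   # 8 half-open SYNs
    pkts += [Packet("203.0.113.7", "192.0.2.10", "udp", 30000 + i)
             for i in range(12)]                                      # 12 distinct ports
    pkts += [Packet("203.0.113.8", "192.0.2.10", "icmp", 0, "", 8)
             for _ in range(15)]                                      # 15 echo requests
    pkts += [Packet("203.0.113.9", "192.0.2.20", "udp", 53)
             for _ in range(20)]                                      # ordinary DNS load
    return pkts


if __name__ == "__main__":
    print(detect_floods(sample_packets(), "192.0.2.10"))
    print(detect_floods(sample_packets(), "192.0.2.20"))
```

Note that the second host receives twenty UDP packets but all to port 53, so the port-spread rule does not fire: volume alone is not the signal for a UDP flood, the spread over closed ports is.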
3.4 Ping of Death (POD)

Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started being exploited as attackers started to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller fragments, so when the host reassembled the fragments it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.

3.5 Slowloris

Slowloris is a highly targeted attack that permits one server to take down another with minimal bandwidth and side effects on unrelated services and ports. The attacker tries to keep many connections with the targeted server open for as long as possible; this is done by constantly sending HTTP headers but never completing the request. The targeted server will keep those connections open, and this eventually leads to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
3.6 Zero-day DDOS

Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution, so basically it is an attack that exploits a vulnerability that the software owner doesn't even know about yet or has not developed a patch to fix. Some big problems with those attacks are that trading zero-day vulnerabilities is quite popular in the black hat community, and even if the company develops a patch later, your computer may already have been infected with worms and trojans.

4. Attackers and motives

There is a large diversity in attackers and their motives, and sometimes two of those classes can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.

4.1 Extortionists

These attackers threaten their target, asking for money or else they will take down its servers; they work with a financial purpose.

4.2 Hacktivists

The hacktivist group is the one that got most of the spotlight with DDOS attacks in the last years; they grew and united themselves really fast and started to make "Internet street protests" (Richard Stallman). Some hack groups even took down US governmental sites, causing a great stir in the community; their motive is to try to change decisions made by organizations or the government.
4.3 Competitors, unsatisfied employees and customers

There were some cases where a company would launch a DDOS attack against a competitor to harm its image, so the customers would switch companies and the attacker would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies

They basically are unskilled individuals that use automated tools created by others to carry out attacks; their purpose normally is to impress friends or try to become famous and climb up in the hacker community. Some script kiddies can launch an attack just for the fun of it.

5. Tools

One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)

It is one of the most popular free DOS attacking tools on the web; it has a user-friendly interface, so it is easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to improve the power of the attack and make it a distributed attack.
5.2 HOIC (High Orbit Ion Cannon)

It was made out of the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.

5.3 XOIC

It is a very simple and easy to use tool; it comes with a whois feature to find IP and port and has 3 modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris

PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.
6. Defense against DOS attacks

6.1 How to prevent?

Until now there is no silver bullet (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack. Some recommended strategies to prevent attacks are:

Increment host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.

Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.

Apply anti-spoofing filters: During a DDOS, the attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. So it is necessary that the access providers implement anti-spoofing filters at the routers' entrance, so the networks of their clients can't use spoofing, and that the whole Internet, in a general way, implements anti-spoofing filters at the border routers' exit, preventing the use of spoofing.

Previous planning against DDOS: Previous planning and coordination is essential to guarantee an adequate answer when a DDOS attack starts to happen. This planning must include counter-attack procedures with your backbone provider.

6.2 How to react?

6.2.1 DDOS tools are installed on your system

This can mean that your system is being used as a master or agent. It is important to determine which part of the tools was found and try to discover valuable information that would allow tracking other components in the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activities to gather information.

6.2.2 If your system is suffering a DDOS attack

The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get the real responsible party, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker. There are some techniques to mitigate a DDOS attack while it is happening.

Load Balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load to each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.

Drop Requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems detect performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, getting rid of being a zombie machine.

Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.

7. My analysis. Next steps for future research

Distributed denial of service attacks are still rising, because they are fairly easy to execute and it is hard to get backtraced, and it seems it won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.

Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent those machines from being part of a botnet, and with this the botnets will become smaller, making the DDOS attacks way weaker.

Honeypots: They are systems made with known vulnerabilities to instigate the attack. A honeypot not only keeps the attack away from the critical areas of the system but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. So with that kind of information you can fortify your system to prevent the next attacks. The hacker elite is already well aware of this technique, so in order to improve its effectiveness, better camouflage must be made so the honeypots look exactly like real systems.

Post-attack forensics: When under a DDOS attack it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS. The packet traces technique relies on the fact that Internet traffic can be traced back to its true source. This allows backtracing the attacker's traffic to find out who the attacker is. All the data collected must be stored in a safe database so it can be used to do forensic analysis and assist law enforcement in cases of significant financial damage.

8. Conclusion

DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target. There are the most common attacks, made by a few people with some botnets, which can cause real trouble to small and medium companies but don't really have much effectiveness against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies. Internet users need to start thinking more about the security of their own systems so they don't become infected, network providers need to monitor their traffic better to track attackers and help companies resist when being attacked, and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and won't be the big concern that they are today.
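The "Drop Requests" strategy in section 6.2.2 mentions making the requester solve a hard puzzle before the server continues with the request. The following is an added example, not code from the paper, of one common way to do that: a hash-based client puzzle whose difficulty rises with server load. The server spends one HMAC and one hash to verify an answer no matter how much work the client had to do, which is what makes the asymmetry useful under attack. The load metric, the difficulty curve, the names and the secret are assumptions made for the example.

```python
"""Added example (not from the original paper): a hash-based client puzzle
that implements the "solve a hard puzzle before continuing" idea of the
Drop Requests strategy. Load metric, difficulty curve and names are assumed."""
import hashlib
import hmac
import os
import time


def difficulty_for_load(load_percent):
    """Map assumed server load (0-100) to required leading zero bits in the hash.
    Below 50% no puzzle is issued; above that each request costs more client work,
    capped at 20 bits (about a million hashes on average)."""
    if load_percent < 50:
        return 0
    return min(20, 8 + (load_percent - 50) // 3)


def _puzzle_hash(nonce, counter):
    return hashlib.sha256(nonce.encode() + counter.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest):
    # A 32-byte digest has 256 bits; bit_length() of its integer value is the
    # position of the first 1 bit, so the difference is the number of leading zeros.
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _tag(secret, client_id, nonce, bits, expiry):
    msg = f"{client_id}|{nonce}|{bits}|{expiry}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_challenge(load_percent, secret, client_id, ttl=30, now=None):
    """Server side: build a challenge whose parameters are authenticated with an
    HMAC, so a client cannot lower the difficulty or reuse it after it expires."""
    now = int(time.time()) if now is None else now
    bits = difficulty_for_load(load_percent)
    expiry = now + ttl
    nonce = os.urandom(8).hex()
    return {"client_id": client_id, "nonce": nonce, "bits": bits, "expiry": expiry,
            "tag": _tag(secret, client_id, nonce, bits, expiry)}


def solve(challenge, max_iters=1 << 24):
    """Client side: brute-force a counter whose hash has enough leading zero
    bits. This is the part that costs the requester compute power."""
    for counter in range(max_iters):
        if _leading_zero_bits(_puzzle_hash(challenge["nonce"], counter)) >= challenge["bits"]:
            return counter
    return None


def verify(challenge, counter, secret, now=None):
    """Server side: one HMAC and one hash, whatever the puzzle difficulty was."""
    now = int(time.time()) if now is None else now
    if now > challenge["expiry"]:
        return False
    if not isinstance(counter, int) or not 0 <= counter < 1 << 64:
        return False
    expected = _tag(secret, challenge["client_id"], challenge["nonce"],
                    challenge["bits"], challenge["expiry"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False
    return _leading_zero_bits(_puzzle_hash(challenge["nonce"], counter)) >= challenge["bits"]


if __name__ == "__main__":
    secret = b"assumed-server-secret"          # assumed; keep out of source in practice
    ch = issue_challenge(62, secret, "client-A")  # 12-bit puzzle, ~4096 hashes to solve
    answer = solve(ch)
    print("bits:", ch["bits"], "counter:", answer, "accepted:", verify(ch, answer, secret))
```

The HMAC over the challenge fields is the part that is easy to forget: without it a flooding client could simply present a challenge with bits set to zero, and the server would have no way to tell it apart from one it issued under light load. The expiry keeps a solved puzzle from being replayed indefinitely.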
9. References

Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.

"GRC | Security Now! Transcript of Episode #8." GRC | Security Now! Transcript of Episode #8. N.p., n.d. Web. 10 Dec. 2013. https://www.grc.com/sn/SN%C2%AD008.htm

"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013.

"DoS Attack Knocks Out Microsoft Sites." DoS Attack Knocks Out Microsoft Sites. N.p., n.d. Web. 10 Dec. 2013.

"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013.

"DDoS Protection." DDoS Protection. N.p., n.d. Web. 10 Dec. 2013.

"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013.

"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., n.d. Web. 10 Dec. 2013.

"DOS Attacks and Free DOS Attacking Tools - InfoSec Institute." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013.