
Distributed denial of service (DDOS) attacks

Caue Koisumi Cintra
Universidade Estadual de Campinas UNICAMP

Abstract

Distributed Denial of Service (DDOS) attacks are a deadly threat to the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are being developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is really hard to do, as it requires a great understanding of the scope and techniques used in DDOS attacks.
This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this new understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.

1. Introduction

The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the Internet were taking shape, because it was supposed to be a network for a few researchers to exchange knowledge, so every user was trusted, which meant the network would always be secure.
With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives.
The current state of the cyber world today still lacks the ability to prevent, correct, track and trace DDOS attacks. The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or some other hackers that are not caught at all.

2. What is DDOS?

DOS attacks are just an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website and a botnet (for DDOS attacks).

The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks like those of a university. In 1997 a large number of flaws were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using the IRC (Internet Relay Chat) network and exploiting known vulnerabilities in Windows to crash it.
Late 1999 saw the rise of DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target.
In 2000 DDOS attacks started to get mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks.
In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called in to take care of the case, showing that even a huge company like Microsoft wasn't immune to a DDOS attack.

DDOS attacks can be divided into three general categories:
Volume Based Attacks consist in saturating the bandwidth of the attacked server, and their power is measured in bits per second (bps). Some examples are: UDP floods, ICMP floods and other spoofed-packet floods.
Protocol Attacks try to consume the actual server resources, or those of firewalls and load balancers, and their magnitude is measured in packets per second. Some examples are: SYN floods, Ping of Death and Smurf DDOS.
Application Layer Attacks consist in sending apparently legitimate requests with the goal of crashing the web server, and they are measured in requests per second. Some examples are: Slowloris, Zero-Day DDOS attacks, Windows vulnerabilities.

3. Types of attack

There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood

This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing an excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing so that the ICMP return packets won't reach the attackers, hiding their network location.

3.2 ICMP Flood or Ping Flood

The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method of sending ICMP packets continuously without waiting for a reply. The attacked server will often attempt to respond with ICMP reply packets, which consume both incoming and outgoing bandwidth, which can result in an overall system slowdown.

3.3 SYN Flood

This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
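
What a defender sees during this attack is a backlog of half-open connections. The following Python script, added here as an example and not part of the paper, counts them over a constructed packet trace and shows why a per-source threshold alone is not enough: when the SYNs come from spoofed addresses, each forged address leaves a single half-open entry, so the aggregate backlog size is what has to be watched. The trace, the thresholds and the record format are assumptions.

```python
"""Half-open connection accounting over a constructed TCP packet trace.
Added example, not from the paper: the trace, thresholds and record
format are all assumptions."""
from collections import Counter


def constructed_trace():
    """Records are (time, src_ip, src_port, flag); flag "S" is the client's
    SYN, "A" is the client's final ACK that completes the handshake."""
    normal = [
        (0.0, "10.0.0.5", 40001, "S"), (0.1, "10.0.0.5", 40001, "A"),
        (0.2, "10.0.0.6", 40002, "S"), (0.3, "10.0.0.6", 40002, "A"),
    ]
    # One unspoofed source opening 50 connections and never finishing them.
    single_flooder = [(1.0 + i * 0.01, "203.0.113.9", 50000 + i, "S")
                      for i in range(50)]
    # 80 SYNs, each from a different (forged) source: one entry per address.
    spoofed = [(2.0 + i * 0.01, f"198.51.100.{i}", 60000, "S")
               for i in range(1, 81)]
    return normal + single_flooder + spoofed


def half_open_connections(trace):
    """Return {(src_ip, src_port): syn_time} for handshakes the client
    started but never completed, i.e. what sits in the listen backlog."""
    pending = {}
    for ts, ip, port, flag in trace:
        key = (ip, port)
        if flag == "S":
            pending[key] = ts
        elif flag == "A":
            pending.pop(key, None)
    return pending


def detect_syn_flood(trace, per_source_limit=20, backlog_limit=64):
    """Per-source counting catches an unspoofed flooder; the aggregate
    backlog check is what catches spoofed floods, where every forged
    address leaves only a single half-open entry."""
    pending = half_open_connections(trace)
    per_source = Counter(ip for ip, _port in pending)
    noisy = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    return {
        "half_open_total": len(pending),
        "noisy_sources": noisy,
        "backlog_alarm": len(pending) > backlog_limit,
    }


if __name__ == "__main__":
    print(detect_syn_flood(constructed_trace()))
```

On the constructed trace the single flooder is reported by name, while the 80 spoofed SYNs are only visible through the backlog alarm; a real deployment would add an age threshold so that a slow but legitimate client is not counted forever.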

3.4 Ping of Death (POD)

Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started to be exploited as attackers started to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller packets, so when the host reassembled the smaller packets it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.
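
The defect that made the Ping of Death possible was a reassembler that trusted the fragment offset and copied data without checking the datagram size it implied. The Python model below, an added example rather than anything from the paper, shows the bounds check a reassembler must apply to each fragment before copying; the fragments and the simplified reassembler (no timers, no overlap handling) are constructed.

```python
"""Bounds check an IPv4 reassembler must apply before it copies fragment
data. Added example, not from the paper: the fragments are constructed
and the reassembler is a simplified model (no timers, no overlap handling)."""
IPV4_MAX_LEN = 65535   # the total-length field is 16 bits
IPV4_HDR_LEN = 20      # header without options


class ReassemblyError(ValueError):
    pass


def fragment_end(offset_units, payload_len):
    """Total datagram length implied by this fragment: header plus the
    fragment offset (counted in 8-byte units) plus its payload."""
    return IPV4_HDR_LEN + offset_units * 8 + payload_len


def check_fragment(offset_units, payload_len):
    """Reject a fragment whose data would land beyond 65,535 bytes. A
    reassembler that skips this check writes past its fixed-size buffer,
    which is the failure the Ping of Death relied on."""
    if not 0 <= offset_units < 2 ** 13:          # 13-bit offset field
        raise ReassemblyError("fragment offset out of range")
    end = fragment_end(offset_units, payload_len)
    if end > IPV4_MAX_LEN:
        raise ReassemblyError(f"reassembled datagram would be {end} bytes")
    return end


def reassemble(fragments):
    """fragments: list of (offset_units, payload, more_fragments). Every
    fragment is bounds-checked before any data is copied."""
    for off, data, _mf in fragments:
        check_fragment(off, len(data))
    ordered = sorted(fragments, key=lambda f: f[0])
    buf = bytearray()
    for off, data, _mf in ordered:
        if off * 8 != len(buf):
            raise ReassemblyError("gap or overlap between fragments")
        buf += data
    if ordered and ordered[-1][2]:
        raise ReassemblyError("last fragment still has MF set")
    return bytes(buf)


def constructed_fragments():
    """A 1000-byte ping payload split in two; offsets are 8-byte units."""
    return [(0, b"A" * 576, True), (72, b"B" * 424, False)]


def constructed_oversize_fragments():
    """Final fragment placed at offset 65512 (8189 units) carrying 100
    bytes: it would need a 65,632-byte datagram. Constructed to exercise
    the rejection path."""
    return [(0, b"A" * 576, True), (8189, b"C" * 100, False)]
```

The check is cheap because it needs only the offset and length fields of the fragment at hand; the oversize fragment is refused before a single byte is copied.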

3.5 Slowloris

Slowloris is a highly targeted attack that permits one server to take down another one with minimal bandwidth and minimal side effects on unrelated services and ports. The attackers try to keep many connections with the targeted server open for as long as possible; this is done by constantly sending HTTP headers without ever completing the request. The targeted server will keep those connections open, and this eventually will lead to an overflow of the connection pool, leaving legitimate requests from clients denied of service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
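
On the server side the characteristic signal of Slowloris is a connection that stays open for a long time without ever completing its request headers. The Python code below is an added example, not from the paper: it models a server's connection table with constructed records and applies two defensive rules, a request-header timeout and a cap on incomplete connections per peer, which is the same idea behind request-header timeouts in real servers such as Apache's mod_reqtimeout. The timeouts, limits and addresses are assumptions.

```python
"""Server-side policy for connections that never finish their request
headers. Added example, not from the paper: connection records, timeouts
and per-peer limits are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    cid: int
    peer: str
    opened_at: float
    received: bytes      # raw bytes read from the socket so far


def header_complete(received):
    """HTTP/1.x headers end at the first empty line."""
    return b"\r\n\r\n" in received


def connections_to_close(conns, now, header_timeout=20.0, per_peer_limit=10):
    """Return ids of connections to drop: any still without a complete
    header after header_timeout seconds, plus every incomplete connection
    of a peer holding more than per_peer_limit of them. Connections whose
    headers arrived (ordinary keep-alive clients) are left alone."""
    incomplete_by_peer = defaultdict(list)
    to_close = set()
    for c in conns:
        if header_complete(c.received):
            continue
        incomplete_by_peer[c.peer].append(c)
        if now - c.opened_at > header_timeout:
            to_close.add(c.cid)
    for peer_conns in incomplete_by_peer.values():
        if len(peer_conns) > per_peer_limit:
            to_close.update(c.cid for c in peer_conns)
    return sorted(to_close)


def constructed_connections(now):
    conns = [
        # Finished header, idle keep-alive: must not be touched.
        Conn(1, "192.0.2.10", now - 120, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        # Slow but young: still inside the header timeout.
        Conn(2, "192.0.2.11", now - 5, b"GET /a HTTP/1.1\r\nHost: example.test\r\n"),
        # Single stale incomplete connection: the timeout applies.
        Conn(3, "192.0.2.12", now - 25, b"POST /x HTTP/1.1\r\nX-a: 1\r\n"),
    ]
    # Twelve connections from one peer, each trickling header lines and
    # never sending the blank line that ends the header block.
    conns += [Conn(10 + i, "203.0.113.77", now - 30 - i, b"GET / HTTP/1.1\r\nX-a: 1\r\n")
              for i in range(12)]
    return conns


if __name__ == "__main__":
    print(connections_to_close(constructed_connections(1000.0), 1000.0))
```

The per-peer cap matters because a patient attacker can stay under any single-connection timeout by sending one header line just before it expires; the timeout, in turn, catches a small number of stale connections that never add up to the cap.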

3.6 Zero-day DDOS

Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution, so basically it's an attack that exploits a vulnerability that the software owner doesn't even know about yet or hasn't developed a patch to fix. Some big problems with those attacks are that trading zero-day vulnerabilities is quite popular in the black hat community, and that even if the company develops a patch later, your computer may already have been infected with worms and trojans.

4. Attackers and motives

There is a large diversity in attackers and their motives, and sometimes two of those classes can merge; as an example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.

4.1 Extortionists

These attackers threaten their target, asking for money or else they will take down their servers; they work with a financial purpose.

4.2 Hacktivists

The hacktivist groups were the ones that got most of the spotlight with DDOS attacks in the last years; they grew and united themselves really fast and started to make "Internet Street Protests" (Richard Stallman). Some hacking groups even took down US governmental sites, causing a great stir in the community; their motive is to try to change decisions made by organizations or the government.

4.3 Competitors, unsatisfied employees and customers

There were some cases where a company would launch a DDOS attack against a competitor to harm their image, so the customers would switch companies and they would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies

They basically are unskilled individuals that use automated tools created by others to carry out attacks; their purpose normally is to impress friends or to try to become famous and climb up in the hacker community, and some script kiddies launch an attack just for the fun of it.

5. Tools

One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)

It's one of the most popular free DOS attacking tools on the web; it has a user-friendly interface, so it's easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to improve the power of the attack and make it a distributed attack.

5.2 HOIC (High Orbit Ion Cannon)

It was made out of the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.

5.3 XOIC

It's a very simple and easy to use tool; it comes with a whois feature to find the IP and port and has 3 modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris

PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP and Telnet.

6. Defense against DOS attacks

6.1 How to prevent?

Until now there is no silver bullet (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack.
Some recommended strategies to prevent attacks are:
Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected through known vulnerabilities. So it is highly recommended that you always update your system when possible.
Apply anti-spoofing filters: During a DDOS, the attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. So it is necessary that access providers implement anti-spoofing filters at the entrance of their routers, so the networks of their clients can't use spoofing, and that the whole Internet, in a general way, implements anti-spoofing filters at the exit of the border routers, preventing the use of spoofing.
Previous planning against DDOS: Previous planning and coordination are essential to guarantee an adequate answer when a DDOS attack starts to happen. This planning must include counter-attack procedures with your backbone provider.
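
The ingress and egress anti-spoofing filters described above can be expressed as two address checks. The Python code below is an added example, not from the paper, with constructed interface names, customer prefixes and packets: at the customer edge a packet may only carry a source address belonging to the customer behind the interface it arrived on, and at the border nothing may leave with a source address the network does not own.

```python
"""Source-address filtering at a provider's customer edge (ingress) and at
a network's border (egress). Added example, not from the paper: the
interface names, prefixes and packets are constructed."""
import ipaddress

# Constructed: the prefixes legitimately behind each customer-facing interface.
INGRESS_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/25", "2001:db8:b::/48"],
}
# Constructed: everything this network itself announces.
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:b::/48"]


def _contains(prefixes, src_ip):
    addr = ipaddress.ip_address(src_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_allowed(interface, src_ip, table=INGRESS_PREFIXES):
    """Customer-edge rule: the source address must belong to the customer
    behind the interface the packet arrived on. Unknown interface: drop."""
    return _contains(table.get(interface, []), src_ip)


def egress_allowed(src_ip, own=OWN_PREFIXES):
    """Border rule: nothing leaves the network claiming a source address the
    network does not own."""
    return _contains(own, src_ip)


def filter_packets(packets):
    """packets: (direction, interface, src_ip). Returns (forwarded, dropped)
    as lists of the original tuples; the interface is ignored on egress."""
    forwarded, dropped = [], []
    for pkt in packets:
        direction, iface, src = pkt
        ok = ingress_allowed(iface, src) if direction == "in" else egress_allowed(src)
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped


def constructed_packets():
    return [
        ("in", "cust-A", "192.0.2.7"),        # genuine customer source
        ("in", "cust-A", "203.0.113.5"),      # forged: not cust-A's space
        ("in", "cust-B", "2001:db8:b::1"),    # genuine IPv6 customer source
        ("in", "cust-B", "192.0.2.7"),        # forged: cust-A's space on cust-B's interface
        ("out", "uplink", "198.51.100.20"),   # ours, may leave
        ("out", "uplink", "198.51.100.200"),  # outside our /25: forged
    ]


if __name__ == "__main__":
    fwd, drp = filter_packets(constructed_packets())
    print("forwarded:", fwd)
    print("dropped:", drp)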

6.2 How to react?

6.2.1 DDOS tools are installed on your system

This can mean that your system is being used as a master or agent. It's important to determine what part of the tools was found and try to discover worthwhile information that would allow tracking other components in the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activities to gather information.

6.2.2 If your system is suffering a DDOS attack

The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get to the real responsible party, it is when the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker.
There are some techniques to mitigate a DDOS attack while it is happening.
Load Balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.

Drop Requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, getting rid of the zombie infection.
Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
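
The "hard puzzle" idea in the Drop Requests paragraph is usually implemented as a client puzzle: a hash-based proof of work that costs the requester thousands of hash operations but costs the server a single hash to verify. The Python code below is an added example, not from the paper; the puzzle construction, the difficulty schedule tied to queue length, and the replay and expiry handling are constructed assumptions.

```python
"""Client puzzle: a server under load hands each requester a small
proof-of-work before it will do real work. Added example, not from the
paper: the hash construction, difficulty schedule and timing are
constructed assumptions."""
import hashlib
import os


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def puzzle_hash(challenge, solution):
    return hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()


def solve_puzzle(challenge, difficulty):
    """Client side: brute-force a solution. Expected cost is 2**difficulty
    hashes, which is the work that makes an infected machine show load."""
    solution = 0
    while leading_zero_bits(puzzle_hash(challenge, solution)) < difficulty:
        solution += 1
    return solution


def difficulty_for_load(queue_length, step=100, cap=22):
    """Constructed schedule: no puzzle when idle, one more bit of
    difficulty for every `step` requests waiting, never above `cap`."""
    return min(cap, queue_length // step)


class PuzzleServer:
    """Server side: remembers outstanding challenges so each solution is
    accepted once (no replay) and only within a short time window."""

    def __init__(self, difficulty=12, ttl=30.0):
        self.difficulty = difficulty
        self.ttl = ttl
        self.outstanding = {}     # challenge -> issue time

    def issue(self, now):
        challenge = os.urandom(16)
        self.outstanding[challenge] = now
        return challenge, self.difficulty

    def verify(self, challenge, solution, now):
        """One hash to check, however hard the puzzle was to solve."""
        issued = self.outstanding.pop(challenge, None)
        if issued is None or now - issued > self.ttl:
            return False
        return leading_zero_bits(puzzle_hash(challenge, solution)) >= self.difficulty


if __name__ == "__main__":
    server = PuzzleServer(difficulty=difficulty_for_load(1200))
    challenge, bits = server.issue(now=0.0)
    answer = solve_puzzle(challenge, bits)
    print(bits, answer, server.verify(challenge, answer, now=1.0))
```

At difficulty 12 a solution takes about 4,096 hashes on average; raising the difficulty as the queue grows is what turns an overload into a visible CPU cost on the zombie, while a legitimate client sending a few requests barely notices. The server keeps only a 16-byte challenge per outstanding request, so the puzzle itself cannot be turned into a new resource-exhaustion vector.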

7. My analysis. Next steps for future research

Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to backtrace, and it seems they won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.
Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent their machines from being part of a botnet, and with this the botnets will become smaller, making DDOS attacks way weaker.
Honeypots: They are systems made with known vulnerabilities to lure the attack. A honeypot not only keeps the attack away from the critical areas of the system, but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. So with that kind of information you can fortify your system to prevent the next attacks. The hacker elite are already well aware of this technique, so in order to improve its effectiveness, honeypots must be better camouflaged to look exactly like real systems.
Post-attack Forensics: When under a DDOS attack it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS.
The packet-tracing technique relies on the fact that Internet traffic can be traced back to its true source. This allows backtracing the attacker's traffic to find out who the attacker is.
All the data collected must be stored in a safe database so it can be used for forensic analysis and to assist law enforcement in cases of significant financial damage.

8. Conclusion

DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target. There are the most common attacks, made by a few people with some botnets, and these can cause real trouble to small and medium companies, but they don't really have much effectiveness against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.

Internet users need to start thinking more about the security of their own systems so as not to become infected, network providers need to monitor their traffic better to track attackers and help companies resist when being attacked, and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and won't be the big concern that they are today.


9. References

Lipson, Howard F. Tracking and Tracing Cyber-attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.

"GRC | Security Now! Transcript of Episode #8." GRC | Security Now! Transcript of Episode #8. N.p., n.d. Web. 10 Dec. 2013. <https://www.grc.com/sn/SN-008.htm>.

"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013. <http://www.nbcnews.com/id/43529667/>.

"DoS Attack Knocks Out Microsoft Sites." DoS Attack Knocks Out Microsoft Sites. N.p., n.d. Web. 10 Dec. 2013. <http://www.secure64.com/news-hackers-microsoft-dns-switch>.

"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013. <http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-16414.html>.

"DDoS Protection." DDoS Protection. N.p., n.d. Web. 10 Dec. 2013. <http://www.ddosprotection.net/>.

"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013. <http://www.incapsula.com/ddos/ddos-attacks>.

"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., n.d. Web. 10 Dec. 2013. <http://prince4hack.blogspot.com/2012/12/advanced-ddos-tools.html>.

"DOS Attacks and Free DOS Attacking Tools - InfoSec Institute." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013. <http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/>.
