Caue Koisumi Cintra
Universidade Estadual de Campinas (UNICAMP)
Abstract
Distributed Denial of Service (DDoS) attacks are a deadly threat to the availability of Internet services and resources. DDoS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are developed, attackers continue to enhance existing DDoS attack tools, developing new and derivative DDoS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDoS attack variants. However, this is really hard to do, as it requires a great understanding of the scope and techniques used in DDoS attacks.
This paper attempts to categorize DDoS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDoS. Given this new understanding, it proposes classes of countermeasures that target the DDoS problem before, during and after an attack.
1. Introduction
The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the Internet were taking shape, because it was supposed to be a network for a few researchers to exchange knowledge, so every user was trustworthy, which meant the network would always be secure.
With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DoS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDoS (Distributed Denial of Service), which is basically the same thing as DoS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives.
The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDoS attacks. "The anonymity enjoyed by today's cyber-attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor" (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or with other hackers that are not caught at all.
2. What is DDoS?
DoS attacks are just an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DoS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website and a botnet (for DDoS attacks).
The first programs to make remote DoS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using IRC (Internet Relay Chat) networks and exploiting known vulnerabilities in Windows to crash it.
Late 1999 saw the rise of DDoS attacks, where the attackers could gain control of other machines (bots or zombies) to maximize the power of the attack against their target.
In 2000, DDoS attacks started to get mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), leaving the affected targets more vulnerable to other attacks.
In January 2001 Microsoft's website suffered a powerful DDoS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called in to take care of the case, showing that even a huge company like Microsoft wasn't immune to a DDoS attack.
DDoS attacks can be divided into three general categories:
Volume-based attacks consist of saturating the bandwidth of the attacked server, and their power is measured in bits per second (bps). Some examples are: UDP floods, ICMP floods and other spoofed-packet floods.
Protocol attacks try to consume the actual server resources, or those of firewalls and load balancers, and their magnitude is measured in packets per second. Some examples are: SYN floods, Ping of Death and Smurf DDoS.
Application layer attacks consist of sending apparently legitimate requests with the goal of crashing the web server, and they are measured in requests per second. Some examples are: Slowloris, zero-day DDoS attacks, Windows vulnerabilities.
3. Types of attack
There are several forms of DoS attacks; here are some of the most commonly used.
3.1 UDP Flood
This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing an excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing so that the ICMP return packets won't reach the attackers, hiding their network location.
3.2 ICMP Flood or Ping Flood
The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method that sends ICMP packets continuously without waiting for a reply. The attacked server will often attempt to respond with ICMP reply packets, which consume both incoming and outgoing bandwidth and can result in an overall system slowdown.
3.3 SYN Flood
This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
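The half-open state described above is exactly what a defender can measure. The following is an added example (not code from this paper) that tracks, per source, handshakes that never received their final ACK over a constructed packet trace, and compares the total against an assumed backlog capacity; it also shows why a spoofed flood, with one SYN per forged source, is only visible in the total and not in the per-source counts.

```python
from collections import defaultdict

BACKLOG_CAPACITY = 128  # assumed size of the server's SYN backlog (constructed value)


def half_open_per_source(packets):
    """Return {src_ip: handshakes still waiting for that client's final ACK}.

    `packets` are (src_ip, flag) tuples as seen by the server: a "SYN" makes the
    server store connection state and answer with SYN-ACK; the client's "ACK"
    completes the three-way handshake and releases that state.
    """
    pending = defaultdict(int)
    for src, flag in packets:
        if flag == "SYN":
            pending[src] += 1
        elif flag == "ACK" and pending[src] > 0:
            pending[src] -= 1
    return {src: n for src, n in pending.items() if n > 0}


def assess(packets, per_source_threshold=10, capacity=BACKLOG_CAPACITY):
    """Flag sources holding many half-open connections and check the backlog.

    An unspoofed flooder shows up in `noisy_sources`. A spoofed flood spreads
    one SYN over many fake sources, so only `half_open_total` measured against
    the backlog capacity reveals it.
    """
    pending = half_open_per_source(packets)
    total = sum(pending.values())
    noisy = sorted(s for s, n in pending.items() if n >= per_source_threshold)
    return {
        "half_open_total": total,
        "backlog_exhausted": total >= capacity,
        "noisy_sources": noisy,
    }


def build_sample():
    """Constructed traffic: a real client, an unspoofed flooder, a spoofed flood."""
    legit = [("203.0.113.5", "SYN"), ("203.0.113.5", "ACK")] * 3
    flooder = [("198.51.100.7", "SYN")] * 20                    # never sends the ACK
    spoofed = [(f"192.0.2.{i}", "SYN") for i in range(1, 121)]  # 120 forged sources
    return legit + flooder + spoofed


if __name__ == "__main__":
    print(assess(build_sample()))
```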
3.4 Ping of Death (PoD)
Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started to be exploited when attackers began to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller fragments, so when the host reassembled the fragments it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.
3.5 Slowloris
Slowloris is a highly targeted attack that permits one server to take down another one with minimal bandwidth and side effects on unrelated services and ports. The attacker tries to keep open, for as long as possible, many connections with the targeted server; this is done by constantly sending HTTP headers without ever completing the request. The targeted server will keep those connections open, and this eventually will lead to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
3.6 Zero-day DDoS
Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution, so basically it's an attack that exploits a vulnerability that the software owner doesn't even know about yet or hasn't developed a patch to fix. Some big problems with those attacks are that trading zero-day vulnerabilities is quite popular in the black hat community and that, even if the company develops a patch later, your computer may already have been infected with worms and trojans.
4. Attackers and motives
There is a large diversity of attackers and motives, and sometimes two of those classes can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.
4.1 Extortionists
These attackers threaten their targets, asking for money or they will take down their servers; they work with a financial purpose.
4.2 Hacktivists
The hacktivist groups were the ones that got most of the spotlight with DDoS attacks in the last years; they grew and united themselves really fast and started to make "Internet street protests" (Richard Stallman). Some hack groups even took down US governmental sites, causing a great stir in the community. Their motive is to try to change decisions made by organizations or the government.
4.3 Competitors, unsatisfied employees and customers
There were some cases where a company would launch a DDoS attack against a competitor to harm its image, so that customers would switch companies and the attacker would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDoS attack against a company as a vendetta.
4.4 Script Kiddies
They are basically unskilled individuals that use automated tools created by others to carry out attacks. Their purpose normally is to impress friends or to try to become famous and climb up in the hacker community; some script kiddies launch an attack just for the fun of it.
5. Tools
One of the reasons for the great growth of DoS attacks is the appearance of many free tools on the web; here are some of them.
5.1 LOIC (Low Orbit Ion Cannon)
It's one of the most popular free DoS attack tools on the web; it has a user-friendly interface, so it's easy to learn and use. The tool can perform a DoS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to improve the power of the attack and make it a distributed attack.
5.2 HOIC (High Orbit Ion Cannon)
It was made from the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.
5.3 XOIC
It's a very simple and easy-to-use tool; it comes with a whois feature to find the IP and port, and it has 3 modes of attack: a basic test mode, a normal DoS mode and a DoS mode with a TCP/HTTP/UDP/ICMP message.
5.4 PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.
6. Defense against DoS attacks
6.1 How to prevent?
Until now there is no silver bullet (Brooks) against DDoS attacks, but there are some strategies to mitigate the attack.
Some recommended strategies to prevent attacks are:
Increment host security: As the primary characteristic of DDoS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.
Apply anti-spoofing filters: During a DDoS, the attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. So it is necessary that access providers implement anti-spoofing filters at the routers' entrance, so the networks of their clients can't use spoofing, and that the whole Internet, in a general way, implement anti-spoofing filters at the border routers' exit, preventing the use of spoofing.
Previous planning against DDoS: Previous planning and coordination are essential to guarantee an adequate answer when a DDoS attack starts to happen. This planning must include counter-attack procedures with your backbone provider.
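The anti-spoofing filter recommended above (ingress filtering, as standardized in BCP 38) is simple to state precisely: a packet entering the provider from a customer port is forwarded only if its source address belongs to a prefix assigned to that customer. The following is an added example (not from this paper) with a constructed interface-to-prefix table and constructed traffic; the same check with the provider's own aggregate prefixes, applied to packets leaving the border routers, gives the egress filter the paragraph also calls for.

```python
import ipaddress

# Constructed assignment table: router ingress interface -> prefixes delegated to that customer.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def source_allowed(interface, src_ip, table=CUSTOMER_PREFIXES):
    """True if src_ip lies inside one of the prefixes assigned to `interface`.

    Unknown interfaces and unparsable addresses are rejected (fail closed).
    ipaddress already treats an IPv4 address as outside any IPv6 network.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in table.get(interface, []))


def filter_packets(packets, table=CUSTOMER_PREFIXES):
    """Split (interface, src_ip, dst_ip) tuples into forwarded and dropped lists.

    Dropped packets are the ones a spoofing host on a customer network would
    need for a flood from forged sources; logging them also points at the
    offending port, which is what makes tracing the origin possible.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_allowed(iface, src, table) else dropped).append(pkt)
    return forwarded, dropped


SAMPLE = [  # constructed traffic arriving on customer-facing ports
    ("ge-0/0/1", "203.0.113.9", "192.0.2.10"),       # genuine customer address
    ("ge-0/0/1", "192.0.2.77", "192.0.2.10"),        # forged source in the victim's own range
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),    # outside the /25 delegated on this port
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:f::1"),  # genuine IPv6 customer address
    ("ge-0/0/9", "203.0.113.9", "192.0.2.10"),       # port with no assignment at all
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("forwarded:", ok)
    print("dropped:", bad)
```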
6.2 How to react?
6.2.1 DDoS tools are installed on your system
This can mean that your system is being used as a master or an agent. It's important to determine which part of the tools was found and try to discover worthwhile information that would allow tracking other components in the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activity to gather information.
6.2.2 If your system is suffering a DDoS attack
The spoofing mechanisms used in DDoS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get to the party really responsible, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker.
There are some techniques to mitigate a DDoS attack in progress.
Load balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDoS attack.
Drop requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, so their machine stops being a zombie.
Outsourced companies: There are a number of outsourced companies that offer services against DDoS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
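The "hard puzzle" mentioned under Drop requests is usually built from a hash: the server hands out a challenge and a difficulty, the client must find a counter whose SHA-256 over the challenge has that many leading zero bits, and the server checks the answer with a single hash. The following is an added example (not code from this paper) with both sides of the exchange; the server key, the 30-second validity window and the client identifier are constructed assumptions, and the HMAC tag lets the server verify without storing any puzzle.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)  # constructed secret: lets the server verify puzzles statelessly
TTL_SECONDS = 30             # assumed validity window for an issued puzzle


def _leading_zero_bits(digest):
    """Number of leading zero bits in a SHA-256 digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _tag(client_id, issued, difficulty):
    msg = f"{client_id}|{issued}|{difficulty}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_puzzle(client_id, difficulty, now=None):
    """Server side: challenge bound to the client, the issue time and the difficulty."""
    issued = int(time.time() if now is None else now)
    return {"client_id": client_id, "issued": issued, "difficulty": difficulty,
            "tag": _tag(client_id, issued, difficulty)}


def solve_puzzle(puzzle, limit=1 << 24):
    """Client side: brute-force a counter; expected work is about 2**difficulty hashes."""
    base = puzzle["tag"].encode()
    for counter in range(limit):
        digest = hashlib.sha256(base + counter.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return counter
    return None  # client gave up; the server simply never serves the request


def verify_solution(puzzle, counter, now=None):
    """Server side: one HMAC plus one hash. Rejects puzzles whose fields were
    altered (tag mismatch), expired puzzles, and counters with too little work."""
    current = time.time() if now is None else now
    expected = _tag(puzzle["client_id"], puzzle["issued"], puzzle["difficulty"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False
    if current - puzzle["issued"] > TTL_SECONDS:
        return False
    digest = hashlib.sha256(puzzle["tag"].encode() + counter.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]
```

Raising the difficulty by one bit doubles the client's work while the server's check stays constant, which is the asymmetry the mitigation relies on; a production server would additionally remember accepted tags for the validity window so one solution cannot be replayed.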
7. My analysis. Next steps for future research
Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to backtrace, and it seems they won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.
Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent their machines from being part of a botnet, and with this the botnets will become smaller, making DDoS attacks much weaker.
Honeypots: They are systems made with known vulnerabilities to attract the attack. They not only keep the attack away from the critical areas of the system but also gather relevant data and record everything about how the attack is being performed and which tools are being used. So with that kind of information you can fortify your system to prevent the next attacks. The hacker elite are already well aware of this technique, so in order to improve its effectiveness, honeypots must be better camouflaged to look exactly like real systems.
Post-attack forensics: When under a DDoS attack, it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDoS.
The packet-trace technique relies on the fact that Internet traffic can be traced back to its true source. This allows backtracing the attacker's traffic to find out who the attacker is.
All the data collected must be stored in a safe database so it can be used for forensic analysis and to assist law enforcement in cases of significant financial damage.
8. Conclusion
DDoS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target. There are the most common attacks, made by a few people with some botnets, which can cause real trouble to small/medium companies but don't really have much effectiveness against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.
Internet users need to start thinking more about the security of their own systems so as not to become infected; network providers need to monitor their traffic better to track attackers and help companies resist when being attacked; and IT companies need to invest more in finding new general DDoS solutions and share the knowledge with smaller companies. That way DDoS attacks can be weakened and won't be the big concern that they are today.
9. References
Lipson, Howard F. Tracking and Tracing Cyber-attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.
"GRC | Security Now! Transcript of Episode #8." GRC. N.p., n.d. Web. 10 Dec. 2013. <https://www.grc.com/sn/SN-008.htm>.
"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013. <http://www.nbcnews.com/id/43529667/>.
"DoS Attack Knocks Out Microsoft Sites." Secure64. N.p., n.d. Web. 10 Dec. 2013. <http://www.secure64.com/news-hackers-microsoft-dns-switch>.
"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013. <http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-16414.html>.
"DDoS Protection." DDoS Protection. N.p., n.d. Web. 10 Dec. 2013. <http://www.ddosprotection.net/>.
"Distributed Denial of Service Attacks." Incapsula. N.p., n.d. Web. 10 Dec. 2013. <http://www.incapsula.com/ddos/ddos-attacks>.
"Advanced DDOS Tools." Prince4Hack. N.p., n.d. Web. 10 Dec. 2013. <http://prince4hack.blogspot.com/2012/12/advanced-ddos-tools.html>.
"DOS Attacks and Free DOS Attacking Tools." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013. <http://resources.infosecinstitute.com/dos-attacks-free-dos-attacking-tools/>.