
2. DDoS Attacks and Defences

2.1 DoS and DDoS Attacks

2.1.2 Types of DDoS Attacks

2.1.2.2 Attacks on routes to resources

The original Routing Information Protocol (RIP) [50] is not secure. It is possible to disrupt the routes to the target by injecting bogus RIP packets into a network, resulting in DoS. If the attacker's system is closer to the target than the real source system, it will also be possible to divert traffic to the attacker. RIP version 2 [51] provides authentication support to increase the security of the routing protocol by preventing routers from accepting routing packets from unauthorized entities.

The Border Gateway Protocol (BGP) [52] is an inter-autonomous system routing protocol. An autonomous system (AS) is a network under a common administration. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP). The nature of the BGP protocol gives autonomous systems considerable latitude in determining which routes to modify, forward, or reject. This implies that there is a class of routing attacks that cannot be avoided simply because they do not necessarily constitute malicious behavior. For instance, the AS7007 incident [53] in April 1997 was caused by a misconfigured router that flooded the Internet with incorrect advertisements, announcing AS7007 as the origin of the best route to essentially the entire Internet. As a result, that AS quickly became a major traffic sink, and it disrupted reachability to many networks for several hours. Similar events occurred in Apr. 1998, when AS8584 announced 10,000 prefixes it did not own, and in Apr. 2001, when AS15412 announced 5,000 prefixes it did not own [54]. Therefore, in the event that one or more BGP routers are compromised, it could result in DoS attacks that would have a forceful impact on the entire Internet.

Most external BGP sessions are between adjacent routers. Therefore, to protect against attackers trying to hijack a BGP session, [55] proposed setting the IP header TTL field to a value that allows those BGP packets to reach the receiving router only if the latter is exactly one hop away from the sender. To protect against spoofed messages and TCP connection hijacking, BGP sessions are often protected using the TCP MD5 signature option [56], a TCP option that carries an MD5 digest in the TCP segment. The digest acts as a signature for that segment, incorporating information known only to the connection end points. Therefore, to spoof the connection, the attacker not only needs to guess the TCP sequence numbers, but would also have to obtain the password (which never appears in
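As an added example (not code from the thesis or from any router implementation), the two receiver-side checks just described in Python: the one-hop TTL test and verification of the RFC 2385 TCP MD5 signature over a constructed BGP segment. It assumes a directly connected peer sends with TTL 255 and that the digest is carried as TCP option kind 19, length 18; the helper names, sample addresses and key are the example's own.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO, TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5 = 6, 0, 1, 19   # 19 = MD5 signature option (RFC 2385)
GTSM_TTL = 255   # assumption: a directly connected peer's packets arrive with TTL 255 (one-hop check)

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (options excluded, checksum zeroed), data, key."""
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)        # data offset already covers options
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, TCP_PROTO, seg_len)
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # bytes 16-17 hold the checksum
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def find_md5_option(tcp_header):
    """Walk the TCP options; return the 16-byte digest from a kind-19 option, or None."""
    end, i = (tcp_header[12] >> 4) * 4, 20
    while i < end and tcp_header[i] != TCPOPT_EOL:
        if tcp_header[i] == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or tcp_header[i + 1] < 2 or i + tcp_header[i + 1] > end:
            return None                                        # malformed option list: reject
        if tcp_header[i] == TCPOPT_MD5 and tcp_header[i + 1] == 18:
            return tcp_header[i + 2:i + 18]
        i += tcp_header[i + 1]
    return None

def accept_bgp_segment(src_ip, dst_ip, ttl, tcp_header, payload, key):
    """Receiver-side checks: cheap TTL test first, then constant-time signature comparison."""
    if ttl != GTSM_TTL:
        return False, "ttl"
    carried = find_md5_option(tcp_header)
    if carried is None:
        return False, "no-signature"
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return (True, "ok") if hmac.compare_digest(carried, expected) else (False, "bad-signature")

def build_signed_header(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Constructed sample segment header: 20 fixed bytes + kind-19 option + 2 NOPs = 40 bytes."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (40 // 4) << 4, 0x18, 65535, 0, 0)
    hdr += bytes([TCPOPT_MD5, 18]) + bytes(16) + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return hdr[:22] + tcp_md5_digest(src_ip, dst_ip, hdr, payload, key) + hdr[38:]
```

A segment from a multi-hop source fails the TTL test before any hashing is done, and a replayed or altered segment fails the digest even though its sequence numbers may be valid.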

The Domain Name System (DNS) [57-60] is a distributed database system for mapping host names to IP addresses and vice versa. Hosts send UDP queries to DNS servers and get replies with either the answers to the queries or information about higher level servers (which might hold the answers).

Type     Function
A        IPv4 address of host
AAAA     IPv6 address of host
NS       Name server. Specifies a host name where DNS information can be found about the domain name to which the NS record is attached.
SOA      Start of authority. Denotes the start of a zone; contains cache and configuration parameters, and gives the address of the person responsible for the zone.
MX       Mail exchange. Names a host that processes incoming mail for the designated target.
CNAME    Alias for the real name of the host
PTR      Domain name pointer. Used to map IP addresses to host names.
HINFO    Host type and operating system information
WKS      Well-known services. Information about which services are available at a host.
SRV      Service location. Uses DNS to find out which host to contact for access to a particular service.
SIG      Signature record. Cryptographic public key signature for DNS security.
DNSKEY   Public key used in DNS security
NAPTR    Naming authority pointer. Used mostly for Internet telephony infrastructure.

Table 2.1: DNS Resource Record Types

Queries made via TCP are for zone transfers. Zone transfers are used by backup servers to obtain a full copy of their portion of the namespace. The different types of resource records (RRs) stored by the DNS are shown in Table 2.1. In the DDoS attacks carried out against the 13 DNS root servers in October 2002 and February 2007 [8, 61], the attacker used bogus ICMP Ping requests to flood the servers for about an hour. Several root servers were overwhelmed by the requests and were unable to provide normal services to Internet users. Solutions to prevent this attack are for ISPs to provide DNS service only to their own customers, to mandate source address verification for DNS servers, and to limit the amount of ICMP traffic that the root servers can accept.

In systems with existing security vulnerabilities (for example, due to design or implementation flaws), the attacker will need knowledge of the security weaknesses of the victim and the ability to come up with attack tools targeting them. Such system vulnerability attacks are more difficult to launch than bandwidth depletion attacks, which can be accomplished by simply flooding the victim with seemingly legitimate requests. In any case, it is easier for users to detect and defend against system vulnerability attacks (if the vulnerabilities are known) by monitoring attack patterns and applying patches to fix security holes.