Study of Recent DDoS Attacks and Defense Evaluation Approaches

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 1, January 2013)

332

Study of Recent DDoS Attacks and Defense Evaluation

Approaches

Daljeet Kaur

1

, Monika Sachdeva

2 1,2

Department of Computer Science and Engineering, SBS State Technical Campus, Ferozepur – 152004, Punjab, India

Abstract— Distributed Denial of Service (DDoS) attacks is

virulent, relatively new type of attacks on the availability of Internet services and resources. DDoS attackers infiltrate large number of computers by exploiting software vulnerabilities, to set up DDoS attack networks. DDoS attacks pose an immense threat to the Internet, therefore some defense systems are required to defend these attacks. In this paper, an overview of DDoS problem, brief detail of most recent DDoS incidents on online organizations is highlighted. Finally three approaches to evaluate DDoS defense systems i.e theory, simulation and emulation are discussed.

Keywords— DDoS, Incidents, availability, emulation,

vulnerability.

I. INTRODUCTION

This DOS Attacks or Denial of Services Attack has become very common amongst Hackers who use them as a path to fame and respect in the underground groups of the Internet? Denial of Service Attacks basically means denying valid Internet and Network users from using the services of the target network or server. It basically means, launching an attack, which will temporarily make the services, offered by the Network unusable to legitimate users.

A Denial of Service (DoS) attack can be characterized as an attack with the purpose of preventing legitimate users from using a victim computing system or network resource. A Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of services of a victim system or network resource, launched indirectly through many compromised computers on the Internet. The services under attack are those of the “primary victim”, while the compromised systems used to launch the attack are often called the “secondary victims.” The use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack, while making it more difficult to track down the original attacker. As defined by the World Wide Web Security FAQ: A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.

Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms.

II. DDOS OVERVIEW

DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

The attacker runs a single command, which sends command packets to all the captured machines, instructing them to launch a particular attack (from a menu of different varieties of flooding attacks) against a specific victim. When the attacker decides to stop the attack, they send another single command. The controlled machines being used to mount the attacks send a stream of packets. For most of the attacks, these packets are directed at the victim machine. For one variant (called ``smurf'', named after the first circulated program to perform this attack) the packets are aimed at other networks, where they provoke multiple echoes all aimed at the victim.

The operating systems and network protocols are developed without applying security engineering which results is providing hackers a lot of insecure machines on Internet. These insecure and unpatched machines are used by DDoS attackers as their army to launch attack.

An attacker or hacker gradually implants attack programs on these insecure machines. Depending upon sophistication in logic of implanted programs these compromised machines are called Masters/Handlers or Zombies and are collectively called bots and the attack network is called botnet in hacker’s community. Hackers send control instructions to masters, which in turn communicate it to zombies for launching attack.

(2)

International Journal of Emerging Technology and Advanced Engineering

333

Fig. 1. Attack Modus Operandi

The zombie machines under control of masters/handlers (running control mechanism) as shown in Figure 1 transmit attack packets, which converge at victim or its network to exhaust either its communication or computational resources. Mirkovic et al. [1] have classified DDOS attacks into two broad categories: flooding attacks and vulnerability attacks. Flooding DDoS attacks consume resources such as network bandwidth by overwhelming bottleneck link with a high volume of packets. Vulnerability attacks use the expected behaviour of protocols such as TCP and HTTP to the attacker’s advantage. The computational resources of the server are tied up by seemingly legitimate requests of the attackers and thus prevent the server from processing transactions or requests from authorized users.

Fig. 2. Packets drop under DDoS Attack.

Flooding DDoS is basically a resource overloading problem. The resource can be bandwidth, memory, CPU cycles, file descriptors and buffers etc., the attackers bombard the scarce resource(s) by sheer flood of packets.

In Figure 2 a flood of packets is shown, which congests the link between ISP’s edge router and border router of victim domain [2].

Attack packets keep coming as per distribution fixed by attacker, whereas legitimate clients cut short their packet sending rates as per flow control and congestion signals. A situation comes when whole of bottleneck bandwidth is seized by attack packets

Thus, service is denied to legitimate users due to limited bottleneck bandwidth. However, resources of connecting network are not a problem in case of commercial servers as these are hosted by the ISPs, quite close to their backbone network with high bandwidth access links. But server resources such as processing capacity, buffer limit etc., are put under stress by flood of seemingly legitimate requests generated by DDoS attack zombies. Each request consume some CPU cycles. Once the total request rate is more than the service rate of server, as shown in Figure 2, the requests start getting buffered in the server, and after some time due to buffer over run, incoming requests are dropped. The congestion and flow control signals force legitimate clients to decrease their rate of sending requests, whereas attack packets keep coming. Finally, a stage comes when only attack traffic is reaching at the server. Thus, service is denied to legitimate clients. Moreover Robinson stated that as attack strength grows by using multiple sources, the computational requirements of even filtering traffic of malicious flows become a burden at the target.

III. DDOS INCIDENTS

All The Domain Name System (DNS) is a continuous target for DoS attacks. In October, 2002, all root name servers experienced an exceptionally intensive DoS attack. Some DNS requests were not able to reach a root name server due to congestion caused by the DoS attack. As per Gonsalves [3], another major DoS attack was launched on June 15, 2004 against name servers on Akamai’s Content Distribution Network (CDN) which blocked nearly all access to many sites for more than two hours. The affected sites included Apple computer, Google, Microsoft, and Yahoo. These companies have outsourced their DNS service to Akamai to enhance service performance.

In UK online bookmaking, betting, and gambling sites have been extorted with DoS attacks during 2004 by unidentified attackers [6]. The Internet-based business service of Al Jazeera was brought down due to a DoS attack in January, 2005 [5]. Al Jazeera provides many Arabic-language news services. The text-to speech translation application running in the Sun Microsystem’s Grid computing system was disabled with a DoS attack in March, 2006 [4]. This attack was carried out during the opening day of this service.

(3)

International Journal of Emerging Technology and Advanced Engineering

334

As Proof of these disturbing trends, 2003 to 2006 FBI / CSI surveys [8,9] concluded that DoS/DDoS attacks are one of the major causes of financial losses as depicted in Figure 3 below :

Fig. 3. Financial losses incurred due to attack incidents.

Moore et al. [7], have established presence of roughly 2000-3000 active DoS attacks per week using updated backscatter analysis in their work. The study of attacks over a three-year period revealed 68,700 attack on over 34,700 distinct Internet hosts belonging to more than 5,300 distinct organizations. The Table 1 lists some of the recent DDoS attacks incidents.

TABLEI

RECENT DDOSINCIDENTS ON IMPOTANT WEBSITES

S.no Date DDoS

target/Incidents

Consequences/Description

1 March,

2012

South Korea and

United states

Websites

It is similar to those launched in 2009.

2 Jan 1, 2012 Official Web-site

of the office of the vice president of Russia

It caused the site to be down by more than 15 hours.

3 Nov 5 to 12

, 2011

Asian

Ecom-merce Company

Flood of Traffic was

launched and 250,000 Com-puters are infected with malware participated.

4 Nov 10,

2011

Server The traffic load has been

immense with several

thousands request per

second. 3. October 2011 Site of National Election Commission of South Korea

Attacks were launched

during the morning when

citizens would look up

information .and attack leads to fewer turnouts. 4. March 30, 2011 On Blogging Platform Live Journal Experienced serious

functionality problems for over 12 Hours and resumed on April 4 and 5, 2011

5. December

8, 2010

Master Card,

PayPal, Visa and Post Finance

Attack was launched in supportof WikiLeaks.ch and its founder. Attack lasts for more than 16 hours.

6. November

30, 2010

Whistleblower site Wikileaks

Attack size was 10 Gbps. Caused the site unavailable

to visitors. Attack was

launched to prevent release of secret cables.

7. November

28, 2010

whistleblower site Wikileaks

Attack size was 2-4 Gbps. Attack was launched just after it released confidential US diplomatic cables.

8. November

12, 2010

Domain registrar Register.com

Impacted DNS, hosting and webmail clients. 24 hours of outage

9. November

2, 2010

Burma’s main Internet provider

Disrupted most network traffic in and out of the country for 2 days. Geopolitical motivated attack. Attack size was of 1.09 Gbps (average) & 14.58 Gbps (maximum) . Attack vectors were TCP Syn/rst 85%, flooding 15%.

10. October

2010

MPAA & Indian tech firm Aiplex software

At least hundreds of 4chan users at once executed attack in Pro-piracy protest. Simple application Low Orbit Ion Cannon (LOIC) was used.

11. Sept 2010 Fast growing

botnet “IMDDOS” was discovered

Botnet’s motive was to provide commercial service for launching DDoS attacks against any target.

12. July and August, 2010 Irish Central Applications Office server

Attack was hit on four different occasions.

13. June 2010 Broadband forum

Whirlpool

Flooding DDoS attack. 9 hours of outage.

14. June 2010 UK-based Jewish

Chronicle

Website had to shut down its balanced coverage of the “Ashdod flotilla incident" immediately.

(4)

International Journal of Emerging Technology and Advanced Engineering

335

IV. DDOS DEFENSE

The main aim of a DDoS defense system is to relieve victim’s resources from high volume of counterfeit packets sent by attackers from distributed locations, so that these resources could be used to serve legitimate users. There are four approaches to combat with DDoS menace as proposed by Douligeris et al. [16]: Prevention, Detection and Characterization, Traceback, and Tolerance and Mitigation. Attack prevention aims to fix security holes, such as insecure protocols, weak authentication schemes and vulnerable computer systems, which can be used as stepping stones to launch a DoS attack. This approach aims to improve the global security level and is the best solution to DoS attacks in theory. Attack detection aims to detect DDoS attacks in the process of an attack and characterization helps to discriminate attack traffic from legitimate traffic. Traceback aims to locate the attack sources regardless of the spoofed source IP addresses in either process of attack (active) or after the attack (passive). Tolerance and mitigation aims to eliminate or curtail the effects of an attack and try to maximize the Quality of Services (QoS) under attack.

The results and losses due to DDoS attacks are disastrous and unimaginable, therefore it is really important some approaches to defend these attacks. Researchers have been evaluated these defense systems by three approaches: Theory, Simulation and Emulation.

V. TESTING APPROACHES

Theory [15] is well-suited to answering questions about situations that can be accurately represented by existing models, such as M/M/1 queues, state diagrams, probabilistic models, hash tables, random selection from a set, etc. In the DoS context, theory may be useful to evaluate robustness of a given defense to cheating or a direct attack. Both require some guesswork on the attacker’s part, whose success can be evaluated via theory. Theory may also be useful in answering specific questions about a defense’s scalability, cost and delay, again depending on the defense’s design, and if parts of it can be accurately represented by simple models.

In general, theory is a poor choice for effectiveness evaluation. While it may be able to answer sub-questions related to effectiveness, we lack theoretical tools powerful enough to model the complexity of traffic mixes, their dynamics and their interaction with the underlying hardware and network protocols, especially in high-stress situations like DoS.

Simulation is highly popular for addressing network performance questions. Network simulators must balance a tradeoff between fidelity and scalability [10,11]. At one end of the spectrum, simulators can choose to sacrifice fidelity, especially at the lower layers of the protocol stack, for scalability. For example, Internet forwarding devices, such as switches and routers, are only modeled at a high level in popular packet-level simulators such as ns-2. The ranges of intra-device latencies and maximum packet forwarding rates in commercial forwarding devices are not incorporated. Networking researchers further find it difficult to correctly set remaining router parameters, such as buffer size, in experiments with simulators. Hence, many research papers report results that are highly sensitive to the default forwarding model or the buffer size selected; these values may not be realistic.

Emulation involves testing in a mini-network, such as a lab or a shared testbed. Three testbeds have been popular for DoS defense testing: Emulab [12], DETER [13] and Planetlab [14]. Emulab and DETER allow users to gain exclusive access to a desired number of PCs, located at a central facility and isolated from the Internet. These can be loaded with a user-specified OS and applications, and users obtain root privileges.

Planetlab is a distributed testbed where participating organizations contribute machines. Users gain shared access to those machines via virtual machine software that achieves user isolation. They can organize Planetlab nodes into overlays — traffic between nodes travel son the Internet and experiences realistic delays, drops and interaction with cross-traffic. Users can also install applications on Planetlab nodes, but their choice of OS and their privileges on nodes are much more limited than in Emulab or DETER.

VI. CONCLUSION

There is alarming increase in the number of DDoS attack incidents. Not only, DDoS incidents are growing day by day but the technique to attack, botnet size, and attack traffic are also attaining new heights. Effective mechanisms are needed to elicit the information of attack to develop the potential defense mechanism.

REFERENCES

[1] Mirkovic, J. and Reiher, P. “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communications Review, Volume 34, No. 2, pp. 39-53, April, 2004. [2] Kumar, K., Joshi, R. and Singh, K. “An Integrated Approach for

(5)

International Journal of Emerging Technology and Advanced Engineering

336

[3] Gonsalves, C., Akamai DDoS Attack Whacks Web Traffic, 2007. [4] Galli, P., “DoS Attack Brings down SUN Grid Demo, 2007.

[5] Haymarket Media, “Al-Jazeera Hacked in DoS Attack,

2007.owman, M., Debray, S. K., and Peterson, L. L. 1993. Reasoning about naming systems.

[6] McCue, A. “Bookie Reveals,” 2007

[7] Moore, D., Shannon, C., Brown, D., Voelker, G. and Savage, S. “Inferring Internet Denial of Service Activity,” Computer Journal of ACM Transactions, vol. 24, no. 2, pp. 115-139, 2006.

[8] Cichardson, R. “Computer Crime and Security Survey, 2007. [9] Gordon, A., Loeb, P., Lucysgyn, W. and Richardson, R. CSI/FBI

Computer Crime and Security Survey, CSI Publications, 2006. [10] D.M., Scalability of network simulators revisited. In Proceedings of

the Communications Networking and Distributed Systems Modeling and Simulation Conference, February 2003.

[11] Nicol, D.M., Utility analysis of network simulators. International journal of simulation: Systems, Science, and Technology, 2003.

[12] White, B., Lepreau, J., Stoller, L., Ricci, R., Guruprasad, S., Newbold, M., Hibler, M., Barb, C. and Joglekar, A., An Integrated experimental environment for distributed systems and networks. In Proceedings of the Fifth Symposium on Operating Systems Design and Implementation (OSDI02), (Dec. 2002). Pp 255-270.

[13] Benzel, T., Braden, R., Kim, D., Neuman, C., Joseph, A., Sklower, K., Ostrenga, R. and Schwab, S., Experience with DETER: A Testbed for Security Research. In Proceedings of Tridentcom, March 2006.

[14] Peterson, L., Bavier, A., Fiuczynski, M.E. and Muir, S. “Experiences building planetlab.” In Proceedings of the 7th USENIX Symposium on Operating System Design and Implementation (OSDI ’06), Seattle, WA, November 2006.

[15] Mirkovic, J., Fahmy, S., Reiher, P., Thomas, R., “How to test DoS Defence”,2009.

[16] Douligeris C. and Mitrokotsa, A., DDoS Attacks and Defense Mechanisms: Classification and State of the Art,” Computer Journal of Networks, vol. 44, no. 5, pp. 643-666, 2004