Detecting and Preventing DoS or Distributed DoS (DDoS) Attacks

Introduction to Denial-of-Service and Distributed Denial-of-Service Attacks

Denial-of-Service attacks (DoS) and Distributed Denial-of-Service attacks (DDoS) are of great concern to organizations. They are among the most feared threats and are very difficult to defend against. DoS attacks can cause outages of web sites and network services. They can also be used by criminal organizations to blackmail businesses for money.

Any concerted effort to cut off a website or network from its intended users qualifies as a DoS attack. An effective DoS attack can stop various services, which can cost businesses money and bring unwanted publicity.

The objective of a DoS or DDoS attack is usually not to steal or expose confidential data. It is simply to overwhelm the network with traffic. A DDoS attack is usually launched from a distributed network of computers and is directed by one computer; a DoS attack is launched from one computer against a target. Hacktivist groups have used these types of attacks as a form of protest against corporate and government targets that they dislike.

DoS attacks are not as successful as DDoS attacks, and most attacks of this type are directed towards home networks. Since a DoS attack comes from one computer to a victim's network, it will likely target the home network's router with traffic until it overloads and crashes.

A DDoS attack will be much more successful and is typically used on a harder target than a home network. In order to carry out a successful and powerful DDoS attack, the attacker will establish a botnet (a network of computers that have been commandeered by an unauthorized person to launch an attack against another network, or sometimes a coordinated attack using willing participants who connect their computers together). In many cases a botnet is created with a trojan that is distributed to a number of computers. Once the trojan is in place, the attacker obtains the IP address of the victim. A command is sent to the infected computers and they send packets of data to the victim. The victim's network connection slows down until it gradually stops.

Background Examples

Below are a couple of examples that illustrate what a DDoS attack means in practice. The effectiveness of an attack depends not only on the technology or ingenuity of the attacker or attackers but also on the reason for the attack and the attackers' grievances towards the victim.

Hacktivists attacked WikiLeaks.org in retaliation for posting on its website approximately 250,000 classified documents that were stolen from the U.S. government. A person who went by the name The Jester took credit for the DDoS attack that began on November 30, 2010. He did this because he believed that the posting endangered the lives of troops, various assets and foreign relations. The tool that was employed against WikiLeaks was called the Low Orbit Ion Cannon (LOIC). LOIC has a feature called the "Hivemind" that allows users to point their software at an Internet relay chat service so that someone else can take control of their computer to launch DDoS attacks, much like a botnet.

Another example is a virtual sit-in, or DDoS, that was very effective at focusing the world's attention on the Mexican army's killing of 45 Chiapas peasants in 1997. The Electronic Disturbance Theater (EDT) had been working closely with the Zapatista rebels in the 1990s on Internet activism and was angered by the killings. They contacted an Italian group called the Anonymous Digital Coalition (ADC). ADC developed a plan to have activists simultaneously visit a Mexican government website and reload their web browsers constantly until the server slowed or crashed. This was done with software called FloodNet. All of the participants would download and run the code at the same time. The script would then direct the web browser to the target website at the appointed time and refresh the browser for the participants. On April 10, 1998, the script ran for the first time against the website of Mexican President Ernesto Zedillo. The group drew a lot of attention to itself and gained popularity for its attack.

For some attacks to succeed, they have to be kept secret. Organizations are not always ready for a DoS and especially a DDoS attack. It would be helpful to have a way to proactively monitor the network for a DoS or DDoS attack.

Detection Article

Detection of a DDoS attack before it hits an organization's network is the focus of Kumarasamy and Asokan's paper titled "An Efficient Detection Mechanism for Distributed Denial of Service (DDoS) Attack". Essentially, there are two algorithms on a router. One algorithm constantly monitors the traffic and the other waits until a trigger is reached to learn more about the attacker. No human intervention is needed, as their proposal is set to run automatically.

The paper sets out to discuss the many different attacks that networks have confronted. They are the SYN flood, smurf attack, HHTP flood (although this appears to be a typo and should most likely read HTTP flood) and the SIP flood attack.

Per the researchers, the SYN flood attack is the most powerful flooding method. In a client-server relationship there is a standard three-way handshake. The client sends a SYN packet and the server responds with a SYN-ACK. A TCP connection is established when the client responds with an ACK. An attack occurs when the client never sends that final response and instead sends a massive number of SYN requests. The half-open connections overwhelm the server, consuming its memory and leaving it unable to respond to legitimate requests.
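As an added illustration (not code from the paper), the following replays a constructed packet list from the server's point of view and counts, per source, the handshakes that were started with a SYN but never finished with an ACK; the five-connection limit and the sample addresses are assumptions.

```python
from collections import defaultdict

# Minimal model of the handshake described above, seen from the server: a
# connection is half-open once a SYN has been answered with SYN-ACK and the
# client's final ACK has not arrived. The per-source limit is an assumption.
HALF_OPEN_LIMIT = 5


def track_half_open(packets, limit=HALF_OPEN_LIMIT):
    """Replay (src, sport, flags) packets; return (half_open_per_src, offenders)."""
    pending = set()                     # (src, sport) still awaiting the ACK
    for src, sport, flags in packets:
        key = (src, sport)
        if flags == "SYN":
            pending.add(key)            # server answers SYN-ACK and waits
        elif flags in ("ACK", "RST"):
            pending.discard(key)        # handshake completed or aborted
    half_open = defaultdict(int)
    for src, _ in pending:
        half_open[src] += 1
    offenders = {s for s, n in half_open.items() if n > limit}
    return dict(half_open), offenders


# Constructed sample traffic: a legitimate client that completes three
# handshakes, and a flooding source that sends eight SYNs and never answers.
LEGIT_CLIENT = "192.0.2.10"
FLOODER = "198.51.100.7"
SAMPLE_PACKETS = []
for port in (40001, 40002, 40003):
    SAMPLE_PACKETS += [(LEGIT_CLIENT, port, "SYN"), (LEGIT_CLIENT, port, "ACK")]
for port in range(50000, 50008):
    SAMPLE_PACKETS.append((FLOODER, port, "SYN"))

if __name__ == "__main__":
    print(track_half_open(SAMPLE_PACKETS))
```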

The smurf attack is a type of ICMP flood. An ICMP request requires the server to process the request and respond. This takes up CPU resources, especially if the server is inundated with ICMP requests. The server cannot respond fast enough and legitimate requests are blocked. This type of attack rarely happens today, as routers limit the rate of ICMP traffic.

HTTP flood attacks start by opening connections to a web server and then sending enough data in an HTTP header, or in some other fashion, to keep the connections open. The connection table fills up, consuming CPU, memory, input/output devices and outbound Internet link resources. It is difficult to detect because there can legitimately be many requests to a web server.

The last type of attack discussed was the SIP flood. SIP is an open standard protocol used in Voice over IP (VoIP). Essentially, there can be two victims of this type of attack. One victim is the PBX server, which is flooded with registration and call requests. The other victim would be the actual phones. If a phone is not configured correctly, it is not possible to make or receive calls during the attack.

The researchers then list a number of protections used against the attacks and found weaknesses in almost all of them. They are protocol reordering, network ingress filtering, ICMP traceback, deterministic packet marking (DPM), probabilistic packet marking (PPM), path identifier (Pi), Pushback, Multops, D-WARD, the adaptive defense scheme and client-side puzzles. It is not clear why the researchers decided to write about them, as they are protections and not detection mechanisms.

The reason for choosing the paper was its novel approach to stopping DDoS attacks. As mentioned earlier, the researchers propose to use two algorithms in routers: Special Flow and IP Traceback. The Special Flow monitoring algorithm runs when no DDoS attack is occurring. It monitors the traffic and learns from it. When something different or unexpected occurs, the victim or an upstream router starts the IP Traceback. The source IP address is identified and the requests from that address are counted. A timer is also started. If more than 20 requests are received within one second from the same IP address, it is considered a DDoS attack. The IP address is blocked for a set time period, saving the network from harm.

The researchers stated that it could be implemented on an existing platform. The paper did not go into any detail as to what type of platform, other than using the generic term router. It seems that the best place for the Special Flow algorithm is in an Intrusion Detection and Prevention System (IDPS). The IP Traceback algorithm runs on an upstream router, which most likely is not in your control. It might not even be controlled by your Internet service provider (ISP). While the approach looks good on paper, the question is how to get the various network providers or ISPs to cooperate so that the algorithms really work. Also, what about IP spoofing? The algorithm might be defeated by changing the IP addresses constantly. Would the algorithm keep up and have enough space so that it does not crash the router?
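To make the threshold rule concrete, here is an added example (not the researchers' code) of a per-source sliding-window counter that blocks a source after more than 20 requests in one second, as the paper describes; the 60 second block length and the sample addresses are assumptions. The constructed rotating-address trace also shows the spoofing weakness raised above: the same flood spread across many sources never trips the per-source count.

```python
from collections import defaultdict, deque

# Thresholds as the paper states them: more than 20 requests from one source
# within one second; the 60 second block length is an assumption (none given).
RATE_THRESHOLD, WINDOW_SECONDS, BLOCK_SECONDS = 20, 1.0, 60.0


class SourceRateTracker:
    """Per-source sliding-window request counter with timed blocking."""

    def __init__(self, threshold=RATE_THRESHOLD, window=WINDOW_SECONDS,
                 block_for=BLOCK_SECONDS):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self._recent = defaultdict(deque)    # src -> request times in window
        self.blocked_until = {}              # src -> time the block expires

    def is_blocked(self, src, now):
        until = self.blocked_until.get(src)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(src, None)    # block expired (or never set)
        return False

    def observe(self, src, now):
        """Record one request at time `now`; return True if it is dropped."""
        if self.is_blocked(src, now):
            return True
        q = self._recent[src]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the one-second window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return True
        return False


def run_trace(events):
    """Feed (time, src) events; return (blocked sources, dropped count)."""
    tracker = SourceRateTracker()
    dropped = sum(tracker.observe(src, t) for t, src in events)
    return set(tracker.blocked_until), dropped


# Constructed traffic: one source sending 30 requests in half a second, a normal
# client at 10 requests/second, and the same flood spread over 30 spoofed sources.
SINGLE_SOURCE = [(0.5 * i / 30, "198.51.100.7") for i in range(30)]
LEGIT = [(0.1 * i, "192.0.2.10") for i in range(20)]
ROTATING = [(0.5 * i / 30, f"203.0.113.{i}") for i in range(30)]
```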

Prevention Articles

In the article by Douligeris and Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art", the researchers discuss a number of DDoS prevention techniques. Before getting into their proposed ways to prevent a successful attack, they discuss what has made DDoS attacks so successful.

When the Internet was set up, nobody thought of security. It was designed for functionality. The authors go on to say that Internet security is highly interdependent: no matter how secure your network is, whether you become a victim of a DDoS attack still depends on the rest of the Internet. Another point the authors make is that Internet resources are limited. At some point, the resources will be used up by users. If the attackers have more resources than the victim, then the success of the attack is certain. Attackers can exploit the resources of an unwitting network to flood a victim with packets through an intermediate network that has good throughput.

All of those points are valid. The article almost takes a fatalistic approach, suggesting that sooner or later you will become the victim of a DDoS attack. The article makes the point that DDoS attacks are difficult to solve. Per the authors, the best strategy is to completely prevent the attack from occurring.

Since the authors describe so many ways to prevent the attack, this report will discuss a subset of their prevention strategies. Attackers look for the easiest network to break into and disrupt services on. Therefore, disable unused services and apply security patches. For instance, if UDP echo services are not needed, disable them. If network discovery is not needed, disable it. Anything that is not needed should be disabled in order to protect yourself. Windows, Mac and Linux hosts need to be updated from time to time with the latest security patches and bug fixes. Doing so will reduce the likelihood of a successful attack.

The strategy is a good way to protect the network. Any decent administrator should do this and make sure that end users comply with updating their machines.

In the last prevention article, "An Implicit Token Scheme to Prevent DoS Attacks", the researchers propose using an Implicit Token Scheme (ITS) to protect TCP services from DDoS attacks. The token sent from the sender to the destination is proof of the validity of the packets and is part of an existing TCP connection.

Basically, the ITS modifies the current 3-way handshake. The current 3-way handshake exchanges packets in three steps when two hosts establish a TCP connection. One host sends a SYN segment. The second host responds with a SYN/ACK. The first host then responds with an ACK segment. If the source IP address does not exist, the second host continues to send out the SYN/ACK. With the modified handshake, the SYN flood attack cannot occur because the packet will not be forwarded to the target until a valid TCP handshake is correctly received. The hash functions are encrypted, so unauthorized individuals cannot see them. The routers keep the hash algorithm safe for verification purposes.

Communications seem safe with this scheme, but how will it work on networks that do not use this 3-way handshake scheme? Does it work like an Exchange server, where an encrypted message sent through your company's Exchange server to someone else inside the company can be read, but an encrypted message sent to someone outside the company cannot be read without first exchanging encryption information? It is not clear whether the same applies to this scheme.

Conclusion

A lot of research has been done since the late 1990s on DoS and DDoS attacks. It seems that when an attack is repulsed, the attacker learns and adapts. Whole new attacks are devised all the time. It is difficult to stay ahead.

It would appear that using a combination of all three methods may be the best way to try to hold back the attackers. Keeping the network up to date with the latest patches and turning off unnecessary services is a smart way to repulse some attacks. Encrypting TCP packets is a good way to make sure that both sides can trust the communications. And it just might be possible to stay ahead of the attackers if the proposed Special Flow algorithm successfully monitors the traffic and the IP Traceback can stop the attacker before any damage is done.

References are available upon request.

© 2015 Michael Carr
