Nirbhay Ahlawat et al. / (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES Vol No. 3, Issue No. 1, 052 - 060
Classification and Prevention of Distributed Denial of Service Attacks

Nirbhay Ahlawat (1) and Chetan Sharma (2)
(1) M. Tech-CS Department, Subharti Institute of Technology and Engineering, Meerut, nirbhay.ahlawat@gmail.com
(2) M. Tech-VLSI Department, JSS Academy of Technical Education, Noida, chetan2042@gmail.com

ABSTRACT
Distributed Denial of Service (DDoS) attacks have become a real threat to the security of the internet. A DDoS attack is the most advanced form of DoS attack. A DDoS attack can easily fake its source address (known as "spoofing"), which disguises the true origin of the attack. Defending against DDoS is a challenging job due to the use of IP spoofing and the destination-based routing of the internet. In this paper we present a classification and some prevention techniques for DDoS attacks, explained in a way that allows a better understanding of DDoS attacks to be achieved. Many solutions have been proposed, but none is able to completely stop an intense attack.

Keywords: DDoS attacks, DDoS classification, prevention from attack.

INTRODUCTION
Network security is becoming a more and more serious concern with the rapid development of network technology and applications. The Distributed Denial of Service (DDoS) attack is a relatively simple, yet very powerful technique to attack internet resources. DDoS attacks add the many-to-one dimension to the DoS problem, making the prevention and mitigation of such attacks more difficult and the impact proportionally severe. DDoS exploits the inherent weakness of the DoS attack at the network device level, including attacks that might be caused either by taking advantage of bugs or weaknesses in software or by trying to exhaust the hardware resources of network devices. According to WWW Security on Distributed Denial of Service (DDoS) attacks, a DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets.

ISSN: 2230-7818
@ 2011 http://www.ijaest.iserp.org. All rights Reserved.
Page 52

Distributed Denial of Service (DDoS) attacks have become more sophisticated in the last several years as the level of attack automation has increased. Sample and fully functional attack software is readily available on the Internet. Precompiled and ready-to-use programs allow novice users to launch relatively large scale attacks with little knowledge of the underlying security exploits. In the past year, Black Hats have taken theoretical optimizations in worm propagation and applied them to the fastest spreading worm today. Distributed Denial of Service (DDoS) attacks are becoming an increasingly frequent disturbance of the global Internet. They are very hard to defend against because these attacks consume resources at the network and transport layers, where it is difficult to authenticate whether an access is genuine or malicious. There are two aims for DDoS attacks. The first is to consume the resources of the host and the second is to consume the bandwidth of the network. Current schemes to protect the resources of the host drop incoming packets according to fields such as protocol type and port number. However, the disadvantage in doing this is that there is no accurate way to differentiate the normal traffic from the malicious traffic.

A DDoS Attack (or Distributed Denial of Service Attack) is the most advanced form of DoS attack. It differs from other attacks by its ability to deploy its weapons in a "distributed" way over the internet and to aggregate these forces to create lethal traffic. One main thing that makes a DDoS attack different is that it never tries to break into the victim's system. The main goal of a DDoS attack is to cause damage to a victim, either for personal reasons, for material gain or for popularity. DDoS takes advantage of the internet architecture, and this is what makes it even more powerful.

DDoS Classification:

1) Classification by degree of automation
Based on the degree of automation of the attack, DDoS attacks can be classified into manual, semi-automatic, and automatic DDoS attacks.
i) Manual: Early DDoS attacks were manual. This means that the early DDoS strategy included the scanning of remote machines for vulnerabilities, breaking into them and installing the attack code.
ii) Semi-automatic: In this case the DDoS attack belongs to the agent-handler attack model. The attacker scans and compromises the handlers and agents by using automated scripts. Semi-automatic attacks can be divided further into attacks with direct communication and attacks with indirect communication.
iii) Automatic: In these DDoS attacks the communication between the attacker and the agent machines is completely avoided. In most cases the attack phase is limited to a single command.

2) Classification by exploited vulnerability
According to the exploited vulnerability, DDoS attacks can be divided into the following categories: flood attacks, amplification attacks, protocol exploit attacks and malformed packet attacks.
i) Flood attack: In this attack the zombies send large volumes of IP traffic to a victim system in order to congest the victim system's bandwidth. The impact of the packet stream sent by the zombies to the victim system varies from slowing it down or crashing the system to saturation of the network bandwidth. Some of the well-known flood attacks are:
UDP flood attacks.
ICMP flood attacks.
ii) Amplification attack: The attacker or the agent exploits the broadcast IP address feature found on most routers to amplify and reflect the attack, and sends a message to a broadcast IP address. This instructs the routers servicing the packets within the network to send them to all the IP addresses within the broadcast address range. This way the malicious traffic that is produced reduces the victim system's bandwidth. In this type of DDoS attack the attacker can send the broadcast message directly, or use agents to send the broadcast message in order to increase the volume of attacking traffic. Reflectors are used as intermediate nodes in amplification attacks. Some of the well-known amplification attacks are:
Smurf attacks.
Fraggle attacks.
iii) Protocol exploit attacks: These exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume an excess amount of its resources. A representative example of a protocol exploit attack is the TCP SYN attack, because the TCP SYN attack exploits the inherent weakness of the three-way handshake involved in TCP connection setup. An attacker initiates a SYN flooding attack by sending a large number of SYN packets. A SYN flood results in the server being unable to process other incoming connections as the queue gets overloaded. Examples of protocol exploit attacks are:
PUSH + ACK attacks.
CGI request attacks.
Authentication server attacks.
iv) Malformed packet attacks: These types of attack rely on incorrectly formed IP packets that are sent from the agents to the victim in order to crash the victim system. The malformed packet attack can be divided into two types of attacks: IP address attacks and IP packet options attacks. In an IP address attack, the packet contains the same source and destination IP addresses. This results in confusing the operating system of the victim system and crashing the victim system. In an IP packet options attack, a malformed packet may randomize the optional fields within an IP packet and set all quality of service bits to one. If this attack is combined with the use of multiple agents, it could lead to the crash of the victim system.

3) Classification by attack rate dynamics
Based on the attack rate dynamics, DDoS attacks can be divided into continuous rate and variable rate attacks.
i) Continuous rate attacks comprise attacks that, after the onset of the attack, are executed with full force and without a break or decrement of force. The impact of a continuous rate attack is very quick.
ii) Variable rate attacks, as their name indicates, "vary the attack rate" and thus avoid detection and immediate response. Based on the rate change mechanism we differentiate between attacks with increasing rate and fluctuating rate. Increasing rate attacks gradually lead to the exhaustion of the victim's resources, thus delaying detection of the attack. Fluctuating rate attacks have a wavy rate that is defined by the victim's behavior and response to the attack.
4) Classification by impact
Based on the impact of a DDoS attack, we can divide DDoS attacks into disruptive and degrading attacks.
i) Disruptive attacks: These attacks lead to the complete denial of the victim's service to its clients.
ii) Degrading attacks: The main aim of these types of attack is to consume some portion of a victim's resources. This has as an effect the delay of the detection of the attack and, at the same time, immense damage to the system.

Prevention:
Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack. To prevent your system and network from becoming a victim of DoS attacks, many preventative solutions exist:

1) Policies and Procedures
Security policies and procedures should be developed. Security policies are a very important part of a service provider's overall security architecture and are critical for stopping abusive users. A service provider's Acceptable Use Policy (AUP) is a key tool for removing abusive customers from their network. Service providers should also establish an Incident Response Team (IRT) that is responsible for responding to attacks.

2) New Product/Upgrade Design and Testing
The first line of defense is security design and thorough testing of new or significantly upgraded products, services or platforms before a system is deployed in the production network. Things to consider include: Operating system lockdown and removal of any unnecessary processes, services and software. This should be done via scripts or by checklists, preferably developed using industry best practices. Review of system protocols to ensure communication paths are properly authenticated and, if necessary, encrypted.
Scanning of the systems to confirm and mitigate, if necessary, any security risks found. If software source code is available, security source code reviews should be performed to eliminate buffer overflows and other vulnerabilities.

3) Patch Management
Manual or automated procedures should be in place to address the ever increasing load of patch management on servers and network elements. Care needs to be taken, as installation of patches can leave a system open to new or previously mitigated vulnerabilities when configuration files that were previously secured are replaced.

4) Scanning/Auditing
On-going scanning and auditing of servers and network elements is a critical part of network security management. Configuration management is a difficult task in a large network with hundreds of people making changes on different parts of the network. Scanning should begin by focusing on the most critical network elements and servers from an outsider's vantage point, from outside any firewalls or router ACLs. This will allow operations personnel to address the most critical vulnerabilities first. The number of network elements included in the initial scans should be limited to a reasonable size to allow personnel to fix any issues before expanding the scanning. Scanning should occur at least once a quarter. Typical scanning tools include nmap and nessus. Scanning should include both TCP and UDP ports; however, UDP scanning can take considerably longer, especially if the scanning is done through a firewall. Scanning has been known to break services and even stop servers and network elements from functioning properly.

5) Management and Control Plane Protection
Protection of the management and control planes is critical for the successful operation of an ISP. It is easier to discuss both topics together because the router configuration to protect both is similar in many ways. Authenticated and encrypted protocols are preferred for router management. Protocols must be accepted only from trusted hosts.
Steps to protect the control plane include: protection of the route engine using filters, authentication and integrity verification of routing protocol updates, rate limiting of diagnostic protocols and filtering of routing prefix updates sent from customers and peers.
a) Router Access
b) Router Engine Protection
c) Prefix Filtering

6) FW/IDS/IPS
Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can be useful devices for protecting backbone services. All servers exposed on the Internet should have all non-essential services turned off and some type of host-based firewall installed on the system. Separate network-based firewalls can also be installed, but the cost of the systems can outweigh the benefit. If firewalls are deployed, an IDS behind the firewall should be considered to monitor for unauthorized activity.
a) DNS Considerations
b) Other Services

7) Disable any unused or unneeded network services.
This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.

8) Observe your system performance and establish baselines for ordinary activity.
Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.

9) Use Tripwire or a similar tool to detect changes in configuration information or other files.
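An added example (not from the paper) that ties prevention item 8 to the attack rate dynamics classification earlier in the paper: it learns a baseline from constructed per-second packet counts, then compares a static mean-plus-3-sigma threshold with a one-sided CUSUM detector on constructed continuous, increasing and fluctuating rate traces. The baseline and the three traces are constructed for the example, not measured traffic, and the CUSUM parameters (half a standard deviation of allowance, five standard deviations as the alarm level) are assumptions chosen for illustration.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed per-second packet counts observed during ordinary activity (the baseline).
BASELINE_SAMPLES: List[float] = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]

# Constructed attack traces, one per rate-dynamics class from the classification.
ATTACK_TRACES: Dict[str, List[float]] = {
    # continuous rate: full force from the first second, no let-up
    "continuous": [1000.0] * 20,
    # increasing rate: +0.5 pkt/s every second, creeping up on the victim
    "increasing": [100.0 + 0.5 * t for t in range(40)],
    # fluctuating rate: simplified on/off bursts just under the static threshold
    "fluctuating": [104.0, 104.0, 100.0, 100.0] * 5,
}

def learn_baseline(samples: List[float]) -> Tuple[float, float]:
    """Mean and population standard deviation of ordinary activity (prevention item 8)."""
    return statistics.fmean(samples), statistics.pstdev(samples)

def first_alert_static(observed: List[float], mean: float, sd: float,
                       k: float = 3.0) -> Optional[int]:
    """Naive check: alert at the first second whose count exceeds mean + k*sd."""
    for t, x in enumerate(observed):
        if x > mean + k * sd:
            return t
    return None

def first_alert_cusum(observed: List[float], mean: float, sd: float,
                      allowance_k: float = 0.5, threshold_k: float = 5.0) -> Optional[int]:
    """One-sided CUSUM: accumulate excess above mean + allowance and alert once the
    running sum passes h. Small but persistent excess builds up, so slow ramps and
    repeated bursts that never cross the static line are still caught."""
    allowance, h, s = allowance_k * sd, threshold_k * sd, 0.0
    for t, x in enumerate(observed):
        s = max(0.0, s + (x - mean - allowance))
        if s > h:
            return t
    return None

def compare_detectors() -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Seconds until alert for each trace as (static threshold, CUSUM); None = never."""
    mean, sd = learn_baseline(BASELINE_SAMPLES)
    return {name: (first_alert_static(trace, mean, sd), first_alert_cusum(trace, mean, sd))
            for name, trace in ATTACK_TRACES.items()}

if __name__ == "__main__":
    for name, (static, cusum) in compare_detectors().items():
        print(f"{name:12s} static={static} cusum={cusum}")
```

On these traces the static threshold fires immediately for the continuous attack, lags on the increasing ramp and never fires on the fluctuating bursts, while CUSUM catches all three, which is the detection delay the classification section describes.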
CONCLUSION:
The cycle of attacking and defending is like a game. When someone finds a way to attack a system, someone else tries to defend against this attack. The attacker then tries harder to defeat the protection. It becomes a cycle that never seems to end. DDoS attacks present a serious problem in the internet, and it is very crucial to detect DDoS attacks at their early launching stage, before widespread damage is done to legitimate applications on the victim's system; once the DDoS attack is detected, we know the exact router or network domain where the anomaly was observed. This paper will help in raising awareness and helping people to know in detail about the DDoS attack. In addition, this classification and prevention can be used for analyzing and performing attack detection.