DDOS Research Paper

This document discusses distributed denial of service (DDoS) attacks. It begins by explaining how DDoS attacks work, infecting large numbers of computers to form botnets that can then be directed to overwhelm victims' systems. The document categorizes DDoS attacks and describes common techniques like UDP floods, SYN floods, and Slowloris attacks. It also discusses the different types of attackers that launch DDoS attacks and their various motives, such as extortionists, hacktivists, competitors, and script kiddies. The goal of the document is to provide an understanding of DDoS attacks to help develop effective countermeasures.

Distributed Denial of Service (DDOS) attacks

Caue Koisumi Cintra
Stevens Institute of Technology

Abstract
Distributed Denial of Service (DDOS) attacks are deadly against the availability of Internet [Link] software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large scale attack [Link], attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS [Link], it would be desirable to develop solutions that defend against known and future DDOS attack [Link], this is really hard to do, as a great understanding of the scope and techniques used in DDOS attacks is needed.
This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this new understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.

[Link]
The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the internet were taking shape, because it was supposed to be a network for a few researchers to exchange knowledge, so every user was trusted, which meant the network would always be secure.
With the evolution of the internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists in an attempt to make a network resource unavailable for its [Link] (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be [Link], the most common ones though are financial and political motives.
The current state of the cyber world today still lacks the ability to prevent, correct, track and trace DDOS attacks. "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor." (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or with other hackers who are never caught at all.

[Link]?
DOS attacks are just an explicit attempt by an attacker to make a server unable to provide [Link], there is little information or effort required to initiate a DOS attack on the target website; all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website, and a botnet (for DDOS attacks).
The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using IRC (Internet Relay Chat) networks and exploiting known vulnerabilities on Windows to crash it.
Late 1999 saw the rise of the DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target.
In 2000 the DDOS attacks started getting mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks.
In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were [Link], showing that even a company as huge as Microsoft wasn't immune against a DDOS attack.
DDOS attacks can be divided in three general categories:
Volume Based Attacks, which consist in saturating the bandwidth of the attacked server; their power is measured in bits per second (bps). Some examples are: UDP floods, ICMP floods and other spoofed packet floods.
Protocol Attacks, which try to consume the actual server resources or those of firewalls and load [Link]: SYN floods, Ping of Death and Smurf DDOS.
Application Layer Attacks, which consist in sending apparently legitimate requests with the goal of crashing the web server, [Link]: Slowloris, Zero Day DDOS attacks, Windows vulnerabilities.

3 Types of attack
There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood
This attack uses the User Datagram Protocol (UDP), [Link] random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing an excessive use [Link] the ICMP return packets won't reach them, hiding the network location.

3.2 ICMP Flood or Ping Flood
The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method that sends ICMP packets continuously without [Link] which consumes both incoming and outgoing bandwidth, which can result in an overall system slowdown.

3.3 SYN Flood
This attack exploits the three way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
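The asymmetry described above (SYNs that are never followed by the client's ACK) is also what a defender can measure. The following Python is an added example, not code from this paper: it summarises a constructed sample of handshake packets over a time window and flags the window in which most sources never complete the handshake. Addresses, counts and thresholds are all constructed for illustration.

```python
from collections import namedtuple

# Constructed sample of TCP control packets as seen by the victim host:
# (seconds since start, source address, flags). "S" = client SYN,
# "A" = the client's final ACK that completes the three way handshake.
Pkt = namedtuple("Pkt", "t src flags")

NORMAL = [Pkt(0.0, "203.0.113.10", "S"), Pkt(0.1, "203.0.113.10", "A"),
          Pkt(0.5, "198.51.100.7", "S"), Pkt(0.6, "198.51.100.7", "A"),
          Pkt(1.2, "192.0.2.33", "S"), Pkt(1.3, "192.0.2.33", "A")]

# The same traffic plus 40 SYNs from distinct (spoofed) sources that never ACK.
FLOOD = NORMAL + [Pkt(2.0 + i * 0.01, f"10.0.{i // 256}.{i % 256}", "S")
                  for i in range(40)]


def handshake_stats(pkts, now, window=5.0):
    """Summarise handshake behaviour in the `window` seconds ending at `now`.

    A legitimate client answers the SYN-ACK with an ACK; during a flood the
    server accumulates SYN sources that never ACK (half-open connections)."""
    recent = [p for p in pkts if now - window <= p.t <= now]
    syn_sources = {p.src for p in recent if p.flags == "S"}
    acked_sources = {p.src for p in recent if p.flags == "A"}
    completed = syn_sources & acked_sources
    return {
        "syns": sum(1 for p in recent if p.flags == "S"),
        "distinct_sources": len(syn_sources),
        "half_open": len(syn_sources - acked_sources),
        "completion_ratio": len(completed) / len(syn_sources) if syn_sources else 1.0,
    }


def is_syn_flood(stats, max_half_open=20, min_completion=0.5):
    """Flag when too many sources sit half-open or too few handshakes complete.

    The thresholds are illustrative; tune them against the server's baseline."""
    return (stats["half_open"] > max_half_open
            or stats["completion_ratio"] < min_completion)


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("flood", FLOOD)):
        stats = handshake_stats(sample, now=3.0)
        print(name, stats, "FLOOD" if is_syn_flood(stats) else "ok")
```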

3.4 Ping of Death (POD)
Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started being exploited as the attackers started to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller packets, so when the host reassembled the smaller packets it could end up causing a memory [Link] because of this attack.

3.5 Slowloris
Slowloris is a highly targeted attack that permits one server to take down another one with [Link] open, for as long as possible, many connections with the targeted server; this is done by [Link] keep those connections open, and this eventually will lead to an overflow of the connection pool [Link], Tomcat, dhttpd and GoAhead WebServer.
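Because a Slowloris client is distinguished by connections whose request header never finishes, a server can close those connections before the pool fills. The Python below is an added example (not from this paper or any named web server) that applies three such checks to a constructed connection table: a header completion timeout, a minimum header data rate after a grace period, and a per-client cap on unfinished connections. The thresholds and addresses are constructed; Apache's mod_reqtimeout applies the same timeout and minimum-rate idea in production.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    client: str         # client address
    opened_at: float    # seconds
    header_bytes: int   # request-header bytes received so far
    header_done: bool   # the blank line that ends the header has arrived


def stale_connections(conns, now, header_timeout=20.0, grace=5.0,
                      min_rate=100.0, per_client_limit=10):
    """Return one reason per connection, or None for connections to keep.

    Three signals separate a Slowloris client from an honest slow one: the
    header never completes within `header_timeout` seconds, the header arrives
    slower than `min_rate` bytes/s once `grace` seconds have passed, or one
    client holds more than `per_client_limit` connections with unfinished
    headers. All thresholds here are illustrative."""
    incomplete = Counter(c.client for c in conns if not c.header_done)
    reasons = []
    for c in conns:
        elapsed = now - c.opened_at
        if c.header_done:
            reasons.append(None)
        elif elapsed > header_timeout:
            reasons.append("header timeout")
        elif elapsed >= grace and c.header_bytes / elapsed < min_rate:
            reasons.append("low header rate")
        elif incomplete[c.client] > per_client_limit:
            reasons.append("too many incomplete connections from client")
        else:
            reasons.append(None)
    return reasons


def drop_count(conns, now):
    """How many connections the server would close right now."""
    return sum(r is not None for r in stale_connections(conns, now))


# Constructed connection table at time NOW (no real server state was used).
NOW = 100.0
CONNS = ([Conn("203.0.113.5", 98.0, 512, True),     # honest, header complete
          Conn("198.51.100.9", 96.0, 350, False),   # slow link, still in grace
          Conn("192.0.2.44", 90.0, 200, False)]     # 20 B/s for 10 s: starving
         + [Conn("10.9.8.7", 70.0, 40, False) for _ in range(12)]    # 30 s, 40 B
         + [Conn("10.9.8.8", 94.0, 900, False) for _ in range(11)])  # 150 B/s, 11 open
```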

3.6 Zero day DDOS
Zero day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution, so basically it's an attack that exploits a vulnerability that the software owner doesn't [Link] attacks is that trading zero day vulnerabilities is quite popular in the black hat community, and even if the company develops a patch later, your computer may already have been infected with worms and trojans.

[Link]
[Link] can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.

4.1 Extortionists
These attackers threaten their target, asking for money or they will take down their servers; they work with a financial purpose.

4.2 Hacktivists
The hacktivist group is the one that got most of the spotlight with DDOS attacks in the last years; they grew and united themselves really fast and started to make "Internet Street Protests" (Richard Stallman). Some hack groups even took down US governmental sites, causing a great splurge in the community; their motive is to try to change decisions made by organizations or the government.

4.3 Competitors, unsatisfied employees and customers
There were some cases where a company would launch a DDOS attack against a competitor to harm its image, so the customers would switch companies and the attacker would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies
They basically are unskilled individuals that use automated tools created by others to carry out attacks; their purpose normally is to impress friends or try to become famous and climb up in the hacker community. Some script kiddies launch an attack just for the fun of it.

[Link]
One of the motives for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)
It's one of the most popular free DOS attacking tools on the web; it has a user friendly interface so [Link], UDP or HTTP [Link] make it a distributed attack.

5.2 HOIC (High Orbit Ion Cannon)
It was made out of the concept of LOIC, but the developers tried to improve its strength and included a booster feature to make the attack stronger.

5.3 XOIC
It's a very simple and easy to use tool; it comes with a whois feature to find IP and port and has 3 modes of attack: a basic test mode, a normal DOS mode, and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.


[Link]
6.1 How to prevent?
Until now there is no silver bullet (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack. Some recommended strategies to prevent attacks are:
Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected with known [Link].
Apply anti-spoofing filters: During the DDOS, the attackers try to hide their real IP using [Link] necessary that the access providers implement anti-spoofing filters at the routers' entrance, so [Link], in a general way, implement anti-spoofing filters at the border routers' exit, preventing the use of spoofing.
Previous planning against DDOS: Previous planning and coordination is essential to [Link] include counterattack procedures with your backbone provider.
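The two anti-spoofing filters recommended above (at the access router's entrance and at the border router's exit) can be expressed as simple prefix checks. The Python below is an added example, not from this paper: a constructed provider topology with documentation prefixes, an ingress check in the style of BCP 38 / RFC 2827 ingress filtering, and an egress check that refuses to forward packets carrying a source address the provider does not own. Interface names and prefixes are constructed.

```python
import ipaddress

# Constructed provider topology (documentation prefixes, not a real network):
# each customer-facing interface and the prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}
# Everything this provider legitimately originates, including its own infrastructure.
OWN_PREFIXES = [net for nets in CUSTOMER_PREFIXES.values() for net in nets] + [
    ipaddress.ip_network("192.0.2.0/24")]


def ingress_allows(iface, src):
    """Anti-spoofing filter at the router entrance (ingress filtering): a packet
    arriving on a customer interface is accepted only if its source address lies
    inside that customer's assigned prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(iface, []))


def egress_allows(src):
    """Anti-spoofing filter at the border router exit: a packet may leave the
    provider only with a source address the provider actually owns."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWN_PREFIXES)


def filter_packets(packets):
    """packets: iterable of (ingress interface, source, destination).
    Returns one verdict per packet: "forward", "drop:ingress" or "drop:egress".
    Interfaces not in CUSTOMER_PREFIXES (e.g. "core") get only the egress check."""
    verdicts = []
    for iface, src, dst in packets:
        if iface in CUSTOMER_PREFIXES and not ingress_allows(iface, src):
            verdicts.append("drop:ingress")   # spoofed source on a customer link
        elif not egress_allows(src):
            verdicts.append("drop:egress")    # leaving with a source we do not own
        else:
            verdicts.append("forward")
    return verdicts


# Constructed packets: a genuine customer packet, one spoofing another customer's
# prefix, one spoofing an outside address, and two arriving from the core.
SAMPLE = [("cust-a", "203.0.113.7", "192.0.2.80"),
          ("cust-a", "198.51.100.9", "192.0.2.80"),
          ("cust-b", "172.16.0.1", "192.0.2.80"),
          ("core", "192.0.2.5", "203.0.113.7"),
          ("core", "172.16.0.1", "203.0.113.7")]
```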

6.2 How to react?
6.2.1 DDOS tools are installed on your system
[Link] what is the role of the tools found, and try to discover valuable information that would allow tracking other components in the botnet, [Link] situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activities to gather information.

6.2.2 If your system is suffering a DDOS attack
The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get the real responsible party, it is when the [Link] try to track the attacker.
There are some techniques to mitigate the DDOS attack while it is happening.
Load Balancing: Network providers can increase bandwidth on critical connections to prevent [Link] multiple server architecture can improve normal performance and mitigate the effect of a DDOS attack.

Drop Requests: [Link] [Link], the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space, [Link] performance degradation, making them aware that something wrong is happening and leading them to look at and solve the problem, getting rid of being a zombie machine.
Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their own servers to help mitigate the attack.
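The "hard puzzle" idea above is a client puzzle: the server spends one MAC and one hash per request, while each requester must spend roughly 2**bits hashes, so a host issuing thousands of requests pays for every one of them. The Python below is an added example (not from this paper) of a compute-bound puzzle; the memory-bound variant the text also mentions is not shown. The server key, client identifiers, timestamps and difficulty are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret that makes puzzles unforgeable; constructed per process here.
SERVER_KEY = secrets.token_bytes(32)


def _leading_zero_bits(digest):
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_puzzle(client_id, bits, now=None):
    """Server side: a puzzle bound to the client and the issue time. The nonce
    is a MAC, so the server stores nothing per pending puzzle and cannot be
    made to keep one record per spoofed request."""
    ts = int(time.time() if now is None else now)
    nonce = hmac.new(SERVER_KEY, f"{client_id}|{ts}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "bits": bits, "ts": ts}


def solve_puzzle(puzzle):
    """Client side: find a counter such that SHA-256(nonce:counter) starts with
    `bits` zero bits. Expected cost is about 2**bits hashes per request."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{puzzle['nonce']}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= puzzle["bits"]:
            return counter
        counter += 1


def verify_solution(client_id, puzzle, counter, now=None, max_age=60):
    """Server side: one MAC and one hash, however hard the puzzle was to solve.
    Rejects expired puzzles and puzzles issued to a different client."""
    ts = int(time.time() if now is None else now)
    if ts - puzzle["ts"] > max_age:
        return False
    expected = issue_puzzle(client_id, puzzle["bits"], now=puzzle["ts"])["nonce"]
    if not hmac.compare_digest(expected, puzzle["nonce"]):
        return False
    digest = hashlib.sha256(f"{puzzle['nonce']}:{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= puzzle["bits"]


def round_trip(client_id, bits, issued_at, checked_at, verify_as=None):
    """Issue, solve and verify one puzzle; returns the server's decision."""
    puzzle = issue_puzzle(client_id, bits, now=issued_at)
    return verify_solution(verify_as or client_id, puzzle, solve_puzzle(puzzle), now=checked_at)
```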

[Link]
Distributed denial of service attacks are still rising, because they are fairly easy to execute and it's hard to get backtraced, [Link] these types of attacks, and throughout history we can see that the hackers were always one, [Link] arrangements that should be done.
Raise internet users' awareness: If we can make the internet users more aware of security issues, we can prevent those machines from being part of a botnet, and with this the botnets will become smaller, making the DDOS attack way weaker.
Honeypots: [Link] avoid the attack from going to the critical areas of the system, but it gathers relevant data and records everything about how the attack is being performed, [Link] [Link] already well aware of this technique, so in order to improve its effectiveness, better camouflage must be made so the honeypots look exactly like real systems.
Post attack Forensics: When being under a DDOS attack it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS. The packet traces technique consists in the fact that internet traffic can be traced back to its true [Link]. All the data collected must be stored in a safe database so it can be used to do forensic analysis and assist law enforcement in cases of significant financial damage.


[Link]
DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against your targets. There are the most common attacks, made by a few people with some botnets, and these can cause real trouble to small/medium companies, but they don't really have much effectiveness against large companies such as Amazon, [Link] elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.
The internet users need to start thinking more about the security of their own systems so as not to become infected, network providers need to monitor their traffic better to track attackers and help companies resist when being attacked, and IT companies need to invest more in finding new general DDOS solutions, [Link] DDOS attacks can be weakened and won't be the big concern that they are today.


[Link]
Lipson, [Link]: Technical Challenges and Global [Link], PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.
"GRC | Security Now! Transcript of Episode #8." GRC | Security Now! Transcript of Episode #8. N.p., [Link]. 10 Dec. 2013. <[Link]
"A Timeline of Hacking Group LulzSec's Attacks." [Link]. N.p., [Link]. 10 Dec. 2013. <[Link]
"DoS Attack Knocks Out Microsoft Sites." DoS Attack Knocks Out Microsoft Sites. N.p., n.d. Web. 10 Dec. 2013. <[Link]
"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013. <[Link]onfigsecurity/[Link]>.
"DDoS Protection." DDoS Protection. N.p., [Link]. 10 Dec. 2013. <[Link]
"Distributed Denial of Service Attacks." N.p., [Link]. 10 Dec. 2013. <[Link]
"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., [Link]. 10 Dec. 2013. <[Link]
"DOS Attacks and Free DOS Attacking Tools - InfoSec Institute." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013. <[Link]
