DDOS Research Paper

This document discusses distributed denial of service (DDoS) attacks. It begins by explaining how DDoS attacks work, infecting large numbers of computers to form botnets that can then be directed to overwhelm victims' systems. The document categorizes DDoS attacks and describes common techniques like UDP floods, SYN floods, and Slowloris attacks. It also discusses the different types of attackers that launch DDoS attacks and their various motives, such as extortionists, hacktivists, competitors, and script kiddies. The goal of the document is to provide an understanding of DDoS attacks to help develop effective countermeasures.

Distributed denial of service (DDOS) attacks

Caue Koisumi Cintra
Stevens Institute of Technology

Abstract
Distributed Denial of Service (DDOS) attacks are deadly against the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are being developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is really hard to do, as it requires a great understanding of the scope and techniques used in DDOS attacks.
This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of the tools used to perform DDOS. Given this new understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.

1. Introduction
The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the first ideas of the Internet were taking shape, because it was supposed to be a network for a group of researchers to exchange knowledge, so every user was trustworthy, which meant the network would always be secure.
With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives.
The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDOS attacks. "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor" (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or other hackers that are not caught at all.

2. What is DDOS?
DOS attacks are just an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website, and a botnet (for DDOS attacks).
The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using the IRC (Internet Relay Chat) network and exploiting known vulnerabilities in Windows to crash it.
Late 1999 saw the rise of DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target.
In 2000 DDOS attacks started to get mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks.
In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called to take care of the case, showing that even a company as huge as Microsoft wasn't immune to a DDOS attack.
DDOS attacks can be divided into three general categories:
Volume Based Attacks, which consist of saturating the bandwidth of the attacked server; their power is measured in bits per second (bps). Some examples are: UDP floods, ICMP floods and other spoofed-packet floods.
Protocol Attacks, which try to consume the actual server resources, or those of firewalls and load balancers; their magnitude is measured in packets per second. Some examples are: SYN floods, Ping of Death and Smurf DDOS.
Application Layer Attacks, which consist of sending apparently legitimate requests with the goal of crashing the web server; they are measured in requests per second. Some examples are: Slowloris, Zero Day DDOS attacks, Windows vulnerabilities.

3. Types of attack
There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood
This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port; however, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing an excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing so that the ICMP return packets won't reach the attackers, hiding their network location.

3.2 ICMP Flood or Ping Flood
The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method of sending ICMP packets continuously without waiting for a reply. The attacked server will often attempt to respond with ICMP reply packets, which consume both incoming and outgoing bandwidth, which can result in an overall system slowdown.

3.3 SYN Flood
This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which must then be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the responses to each request, binding resources until no new connections can be made.
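As an added example (not code from the paper), here is a simple per-second classifier for the UDP, ICMP and SYN floods described in sections 3.1 to 3.3, run over constructed packet records; the thresholds, addresses and record layout are assumptions.

```python
# Added example (not from the paper): a per-second flood classifier keyed to the
# three floods the paper describes (UDP, ICMP and SYN). Input records are
# (src, dst, proto, dst_port, tcp_flags) for one second of traffic; everything
# below is constructed sample data, not a real capture.
from collections import defaultdict

SYN_HALF_OPEN_MAX = 50  # SYNs from one source not followed by a completing ACK
UDP_PORT_SPREAD = 20    # distinct UDP destination ports hit by one source
ICMP_ECHO_PPS = 100     # ICMP echo requests aimed at one destination


def classify_second(packets):
    """Return sorted (kind, address) alerts for one second of packet records."""
    syns = defaultdict(int)        # src -> SYN count (SYN set, ACK clear)
    acks = defaultdict(int)        # src -> bare ACK count (handshake completion)
    udp_ports = defaultdict(set)   # src -> distinct destination ports
    icmp_echo = defaultdict(int)   # dst -> echo request count
    for src, dst, proto, dport, flags in packets:
        if proto == "tcp" and "S" in flags and "A" not in flags:
            syns[src] += 1
        elif proto == "tcp" and flags == "A":
            acks[src] += 1
        elif proto == "udp":
            udp_ports[src].add(dport)
        elif proto == "icmp" and flags == "echo":
            icmp_echo[dst] += 1
    alerts = set()
    for src, n in syns.items():
        # A SYN flood leaves handshakes half open: many SYNs, few ACKs back.
        if n - acks[src] > SYN_HALF_OPEN_MAX:
            alerts.add(("syn_flood", src))
    for src, ports in udp_ports.items():
        # A UDP flood sprays random ports; a normal client uses one or two.
        if len(ports) > UDP_PORT_SPREAD:
            alerts.add(("udp_flood", src))
    for dst, n in icmp_echo.items():
        # A ping flood is a burst of echo requests at one target.
        if n > ICMP_ECHO_PPS:
            alerts.add(("icmp_flood", dst))
    return sorted(alerts)


# Constructed one-second sample: a legitimate client completing its handshake,
# a half-open SYN source, a UDP port sprayer and a ping flooder.
SAMPLE = [("10.0.0.5", "198.51.100.7", "tcp", 80, "S"),
          ("10.0.0.5", "198.51.100.7", "tcp", 80, "A")]
SAMPLE += [("203.0.113.9", "198.51.100.7", "tcp", 80, "S")] * 60
SAMPLE += [("203.0.113.10", "198.51.100.7", "udp", p, "") for p in range(1000, 1030)]
SAMPLE += [("203.0.113.11", "198.51.100.7", "icmp", 0, "echo")] * 150

if __name__ == "__main__":
    print(classify_second(SAMPLE))
```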

3.4 Ping of Death (POD)
Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started to be exploited as attackers began to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller packets, so when the host reassembled the smaller packets it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it's really hard for a server to crash because of this attack.

3.5 Slowloris
Slowloris is a highly targeted attack that permits one server to take down another with minimal bandwidth and side effects on unrelated services and ports. The attackers try to keep open, for as long as possible, many connections with the targeted server; this is done by constantly sending HTTP headers without ever completing the request. The targeted server will keep those connections open, and this eventually leads to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is especially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
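Added example, not from the paper: a sweep over a web server's connection table that flags the Slowloris pattern just described (connections held open past a header deadline without a complete request header); the field names, deadline, addresses and records are constructed assumptions.

```python
# Added example (not from the paper): a connection-table sweep that spots the
# Slowloris pattern, many connections per source whose HTTP request header is
# never completed. Records and field names are constructed; times are seconds.
HEADER_DEADLINE_S = 20   # the full request header must arrive within this long
PER_SOURCE_SLOW_MAX = 5  # more stalled connections than this from one source


def header_complete(buf: bytes) -> bool:
    """An HTTP/1.x request header ends with an empty line."""
    return b"\r\n\r\n" in buf


def sweep(connections, now):
    """Return (sources_to_block, connection_ids_to_close) for a snapshot.

    Each connection is a dict: id, src, opened (s), buf (bytes received).
    Age is measured from open, not from the last byte, because Slowloris
    keeps trickling header lines to reset any idle timer.
    """
    stalled_by_src = {}
    for conn in connections:
        age = now - conn["opened"]
        if age > HEADER_DEADLINE_S and not header_complete(conn["buf"]):
            stalled_by_src.setdefault(conn["src"], []).append(conn["id"])
    block, close = [], []
    for src, ids in stalled_by_src.items():
        # A single slow client just loses its stalled connection; a source
        # holding many stalled connections is treated as an attacker.
        close.extend(ids)
        if len(ids) > PER_SOURCE_SLOW_MAX:
            block.append(src)
    return sorted(block), sorted(close)


# Constructed snapshot at t=60: a client with a finished header, one slow but
# honest client, and one source holding eight partial requests.
TABLE = [{"id": 1, "src": "10.0.0.5", "opened": 58.0,
          "buf": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
         {"id": 2, "src": "10.0.0.6", "opened": 30.0,
          "buf": b"GET / HTTP/1.1\r\nHost: example.test\r\n"}]
TABLE += [{"id": 10 + i, "src": "203.0.113.9", "opened": 20.0 + i,
           "buf": b"GET / HTTP/1.1\r\nX-a: " + str(i).encode() + b"\r\n"}
          for i in range(8)]

if __name__ == "__main__":
    print(sweep(TABLE, now=60.0))
```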

3.6 Zero day DDOS
Zero day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution; basically, it's an attack that exploits a vulnerability that the software owner doesn't even know about yet, or hasn't developed a patch to fix. One big problem with these attacks is that trading zero day vulnerabilities is quite popular in the black hat community, and even if the company develops a patch later, your computer may already have been infected with worms and trojans.

4. Attackers and motives
There is a large diversity in attackers and their motives, and sometimes two of those classes can merge; for example, an extortionist group can use a hacktivist excuse to attack a web service, but their real purpose is to get money.

4.1 Extortionists
These attackers threaten their target, asking for money or they will take down its servers; they work with a financial purpose.

4.2 Hacktivists
The hacktivist group is the one that got most of the spotlight with DDOS attacks in the last years; they grew and united really fast and started to make "Internet Street Protests" (Richard Stallman). Some hack groups even took down US governmental sites, causing a great splurge in the community; their motives are to try to change decisions made by organizations or the government.

4.3 Competitors, unsatisfied employees and customers
There were some cases where a company would launch a DDOS attack against a competitor to harm its image, so the customers would switch companies and the attacker would get more profit. It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies
They basically are unskilled individuals that use automated tools created by others to carry out attacks; their purpose normally is to impress friends or try to become famous and climb up in the hacker community. Some script kiddies can launch an attack just for the fun of it.

5. Tools
One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)
It's one of the most popular free DOS attack tools on the web; it has a user-friendly interface, so it's easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to improve the power of the attack and make it a distributed attack.

5.2 HOIC (High Orbit Ion Cannon)
It was made out of the concept of LOIC, but the developers tried to improve its strength and included a "booster" feature to make the attack stronger.

5.3 XOIC
It's a very simple and easy-to-use tool; it comes with a whois feature to find the IP and port, and has 3 modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.

6. Defense against DOS attacks
6.1 How to prevent?
Until now there is no "silver bullet" (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack.
Some recommended strategies to prevent attacks are:
Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.
Apply anti-spoofing filters: During a DDOS, the attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. So it is necessary that the access providers implement anti-spoofing filters at the routers' entrance, so the networks of their clients can't use spoofing, and that the whole Internet, in a general way, implements anti-spoofing filters at the border routers' exit, preventing the use of spoofing.
Previous planning against DDOS: Previous planning and coordination are essential to guarantee an adequate answer when a DDOS attack starts to happen. This planning must include counterattack procedures with your backbone provider.
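Added example, not the paper's own: the two anti-spoofing checks recommended above (at the access router's entrance and at the border router's exit), as a policy function over constructed prefixes and packets; the interface names, prefixes and addresses are hypothetical.

```python
# Added example (not from the paper): the two anti-spoofing checks the paper
# asks providers to apply, as a policy function. A customer-facing ingress port
# accepts only sources inside that customer's prefixes; the border egress
# accepts only sources inside the provider's own space. All data is constructed.
import ipaddress

# Hypothetical assignments: customer interface -> prefixes that customer owns.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.128/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}
# Hypothetical provider-wide space, checked at the border router's exit.
PROVIDER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]


def source_allowed(src, allowed):
    """True when src falls inside one of the allowed prefixes (v4 or v6)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def ingress_filter(iface, src):
    """Customer-facing ingress: drop anything that customer could not own."""
    return "accept" if source_allowed(src, CUSTOMER_PREFIXES.get(iface, [])) else "drop"


def egress_filter(src):
    """Border egress: never let a packet leave with a source we do not own."""
    return "accept" if source_allowed(src, PROVIDER_PREFIXES) else "drop"


def audit(packets):
    """Apply both filters to (iface, src) pairs; return what was dropped and why."""
    dropped = []
    for iface, src in packets:
        # Customer ports get the ingress check; traffic already inside the
        # network (iface "core") is only checked when it exits at the border.
        if iface in CUSTOMER_PREFIXES and ingress_filter(iface, src) == "drop":
            dropped.append((src, "ingress:" + iface))
        elif egress_filter(src) == "drop":
            dropped.append((src, "egress"))
    return dropped


# Constructed packets: a genuine customer source, a source forged from another
# customer's range, a forged outside source, a valid IPv6 source, and a forged
# source seen only at the border.
SAMPLE = [("cust-a", "203.0.113.10"), ("cust-a", "203.0.113.200"),
          ("cust-b", "198.51.100.9"), ("cust-b", "2001:db8:b::1"),
          ("core", "192.0.2.77")]
```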

6.2 How to react?
6.2.1 DDOS tools are installed on your system
This can mean that your system is being used as a master or agent. It's important to determine what part of the tools was found and try to discover worthwhile information that would allow tracking other components in the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activities to gather information.

6.2.2 If your system is suffering a DDOS attack
The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to backtrace and get the real responsible party, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker.
There are some techniques to mitigate the DDOS attack while it is happening.
Load Balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.
Drop Requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, getting rid of the zombie machine.
Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
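Added example (not from the paper): the "hard puzzle" from the Drop Requests strategy as a hash-based client puzzle, where the server issues a stateless challenge and verifies the answer with a single hash while the client pays the brute-force cost; the secret, difficulty and client identifiers are constructed values.

```python
# Added example (not from the paper): a hash-based client puzzle for the
# "Drop Requests" strategy. The server issues a challenge; the client must find
# a nonce whose SHA-256 over the challenge has `difficulty` leading zero bits;
# the server verifies with one hash. Secret and identifiers are constructed.
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # a real server keeps this private
PUZZLE_TTL_S = 30                           # challenges expire after this long


def issue_challenge(client_id: str, difficulty: int, now=None) -> str:
    """Stateless challenge "difficulty|timestamp|mac": no server-side table."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_SECRET, f"{client_id}|{difficulty}|{ts}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{difficulty}|{ts}|{mac}"


def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, limit: int = 1 << 22):
    """Client side: brute-force a nonce; expected work grows as 2**difficulty."""
    difficulty = int(challenge.split("|")[0])
    for nonce in range(limit):
        d = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if leading_zero_bits(d) >= difficulty:
            return nonce
    return None  # client gave up, which is the point under heavy load


def verify(client_id: str, challenge: str, nonce: int, now=None) -> bool:
    """Server side: check the MAC and age, then a single hash of the answer."""
    try:
        difficulty, ts, mac = challenge.split("|")
        difficulty, ts = int(difficulty), int(ts)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{client_id}|{difficulty}|{ts}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # not issued by us for this client, or difficulty altered
    if (now if now is not None else time.time()) - ts > PUZZLE_TTL_S:
        return False  # stale; a used-nonce set would also stop replays
    d = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    return leading_zero_bits(d) >= difficulty
```

The MAC binds the difficulty to the challenge, so a client cannot lower the difficulty it was given; the difficulty itself can be raised as load grows.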

7. My analysis. Next steps for future research
Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to backtrace, and it seems they won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the companies' security teams. But there are some arrangements that should be made.
Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent those machines from being part of a botnet, and with this the botnets will become smaller, making DDOS attacks much weaker.
Honeypots: They are systems made with known vulnerabilities to attract the attack. A honeypot not only keeps the attack away from the critical areas of the system but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. With that kind of information you can fortify your system to prevent the next attacks. The hacker elite are already well aware of this technique, so in order to improve its effectiveness, honeypots must be better camouflaged to look exactly like real systems.
Post-attack Forensics: When under a DDOS attack, it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS.
The packet traces technique relies on the fact that Internet traffic can be traced back to its true source. This allows backtracing the attacker's traffic to find out who the attacker is.
All the data collected must be stored in a safe database so it can be used to do forensic analysis and assist law enforcement in cases of significant financial damage.

8. Conclusion
DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack for attackers to perform against their targets.
There are the most common attacks, made by a few people with some botnets, and these can cause real trouble to small/medium companies, but they don't really have much effectiveness against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.
Internet users need to start thinking more about the security of their own systems so they don't become infected; network providers need to monitor their traffic better to track attackers and help companies to resist when being attacked; and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and won't be the big concern that they are today.

9. References
Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.
"GRC | Security Now! Transcript of Episode #8." GRC | Security Now! Transcript of Episode #8. N.p., n.d. Web. 10 Dec. 2013. <https://www.grc.com/sn/SN008.htm>.
"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013. <http://www.nbcnews.com/id/43529667/>.
"DoS Attack Knocks Out Microsoft Sites." DoS Attack Knocks Out Microsoft Sites. N.p., n.d. Web. 10 Dec. 2013. <http://www.secure64.com/newshackersmicrosoftdnsswitch>.
"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013. <http://www.juniper.net/techpubs/software/junossecurity/junossecurity10.0/junossecurityswconfigsecurity/id16414.html>.
"DDoS Protection." DDoS Protection. N.p., n.d. Web. 10 Dec. 2013. <http://www.ddosprotection.net/>.
"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013. <http://www.incapsula.com/ddos/ddosattacks>.
"Advanced DDOS Tools." ADVANCED DDOS TOOLS ~ Prince4Hack. N.p., n.d. Web. 10 Dec. 2013. <http://prince4hack.blogspot.com/2012/12/advancedddostools.html>.
"DOS Attacks and Free DOS Attacking Tools - InfoSec Institute." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013. <http://resources.infosecinstitute.com/dosattacksfreedosattackingtools/>.
