Survey On Taxonomy Of Ddos Attacks With Impact And Mitigation Techniques

DOI : 10.17577/IJERTV1IS9134

Download Full-Text PDF Cite this Publication

Text Only Version

Survey On Taxonomy Of Ddos Attacks With Impact And Mitigation Techniques

Ms. Chandni M Patel*1, Asst. Prof. Viral H Borisagar #2

* C.S.E. Department, Government College of Engineering, Sector-28,Gandhinagar Gujarat Technology University, Gujarat, India.

# C.S.E. Department, Government College of Engineering, Sector-28, Gandhinagar Gujarat Technology University, Gujarat, India

Abstract

Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). DDoS attacks are a virulent, relatively new type of attack on the availability of Internet services and resources. To avoid denigration most of the commercial sites do not expose that they were attacked that is the biggest challenges of the researchers. In this paper survey on taxonomy of DDos attacks with Impact and mitigation techniques are done.

Keywords: DOS, DDos, zombies, botnets, deplition, incidents, factors affecting DDos, Mitigation techniques.

1. Introduction

An aim of an internet is to provide scalable, open

[1] and secured network. Confidentiality, authentication, message integrity and non repudiation are the basic aspects of the internet security. As the Internet is breeding in size and complexity its visibility and diversity is also increased which gives the impressions to attract a variety of highly damaging attacks. A Denial of Service (DoS) attack can be characterized as an attack with the purpose of preventing legitimate users from using a victim computing system or network resource. Distributed

denial of service (DDos) attack targets the availability of services on the Internet. It is one kind of Denial of service attack. A DDoS attack can be characterized as a simultaneous network attack on a victim from large numbers of hosts, well distributed throughout the network [2]. Many to one nature of DDoS attack makes it more powerful and difficult to prevent. DDoS attacks are a case where several hundreds of zombies or botnets (compromised machines) are involved in the generation of attack traffic. In most of the cases, the owners of the zombie machines are not even aware that their systems are compromised and being used to generate DDoS attacks [3]. As defined by the World Wide Web Security FAQ: A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms[4]. DDoS attack first appears in July, 1999. At that time, it is just one theoretical research on the hacker network. But through the rapid development of internet since February, 2002. DDoS attack becomes more and more serious get along with the increase of network speed and bandwidth. Because the DDoS attack is harmful to the users, detection and defense has the vital significance.[5]

In this paper survey on section 2 describes what is DDos attack and DDos attack process.In section 3 various types of DDos attacks are described.Section 4 illustrates the various factors which causes DDos attacks.Section 5 gives related information regarding various DDos Incidents, losses due to attack ,threat landscap of DDos attacks and impact of DDos attack in network.Section 6 describes DDos attack mitigation techniques. So overall paper comprises the taxonomy of DDos attack and impact analysis with DDos mitigation strategies.

  1. DDos Attacks

    DDoS attacks are highly distributed, well coordinated, offensive assaults on services, hosts, and infrastructure of the Internet. Effective defensive countermeasures to DDoS attacks will require equally sophisticated, well coordinated, monitoring, analysis, and response.[2]

    DDos Overview

    "Distributed denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: [24]

    1. attempts to "flood" a network, thereby preventing legitimate network traffic

    2. attempts to disrupt connections between two machines, thereby preventing access to a service

    3. attempts to prevent a particular individual from accessing a service

    4. attempts to disrupt service to a specific system or person

    Fig. 1 DDos Architecture

    As Shown in fig.1 A typical DDoS attack contains two stages, the first stage is to compromise susceptible systems that are accessible in the Internet and install attack tools in these compromised systems. This is known as turning the computers into zombies. In the second stage, the attacker sends an attack command to the zombies through a secure channel to launch a bandwidth attack against the targeted victim(s).[6]

    DDoS Attack Process [5]

    Step 1 )Information Collection of Target Host

    Before invade the network, attacker needs to collect and understand the hosts condition. Attacker cares such as host quantity and address configuration, system layout and performance, bandwidth and so on. For instance, if attacker attacks at one website, he must confirm how many hosts are supporting this website. Because one big website might need many hosts to support the services by using load balance technology. On the basis of host quantity, attacker can assure the attack quantity to achieve the attack.

    Step 2) Host Occupation

    Attacker need to use the scan or other equipments to chose one or more zombie computers to carry out the attack. In order to avoid the efficient effect of network as well as the tracked monitoring attack, zombie host usually stand outside the attack network and target network. Zombie host must be fragility enough to control and need to equip with enough resource to create the powerful attack data flow. Attacker can use them to send attack data package to the targets.

    Step 3) Initiate Actual Attack

    After former 2 stage preparations, attacker can bring the attack into operation. In the first place, log in the control zombie and send attack orders to the entire attack zombies. And the hided DDOS attack programs will send out amount of data packages to the host with the speed which beyond the host management. Then the hosts will dead halt or no response to the normal requirements. Some expert attackers will attack and monitor the attack effect with different measures at the same time so that can make the relative modulations. The simplest method is open so much windows to ping the hosts. When receive the responses, it will crease the flow rate or more hosts to attack until the target host breakdown. From the process we can know that attacker can falsify the IP address to avoid the tracking.

    Attacker can off line when send out the attack orders or after the attack computer respond. So even find out the zombie host, get hold of the attack is still a difficulty.

  2. Taxanomy Of DDos Attacks

    There are different types of DDos attacks Techniques. There are two main classes of DDoS attacks: bandwidth depletion and resource depletion attacks.

    UDP

    Flood Attack

    ICMP

    within the broadcast address range, and each of these systems will return an ICMP ECHO REPLY to the target victims IP address. This type of attack amplifies the original packet tens or hundreds of times.

    Mail bomb attack [6]

    A mail bomb is the sending of a enormous amount of e-mail to a specific person or system. A huge amount of mail may simply fill up the recipients disk space on the sever or, in some cases, may be too much for a server to handle and may cause the server to stop working. This attack is also a kind of flood attack [9].

    Spam Attack

    This type of attack is used for targeting the various mail services of corporate as well as public

    DDos Attack

    Bandwidth

    Deplition

    Resource Deplition

    Amplification Attack

    Protocol Exploit Attack

    Malformed Packet Attack

    Smurf Attack

    Fraggle Attack TCP SYNC

    Attack

    PUSH ACK

    Attack

    users. DDoS attack through spam has increased and disturbed the mail services of various organizations. Spam penetrates through all the filters to create DDoS attacks, which causes serious trouble to users and the data. But these mail services are frequent target of hackers and spammers.[6,10]

    Fraggle Attacks [27]

    A DDoS Fraggle attack is similar to a Smurf attack in that the attacker sends packets to a network amplifier. Fraggle is different from Smurf in that Fraggle uses UDP ECHO packets instead of ICMP ECHO packets. There is a variation of the Fraggle

    Fig.2 Taxonomy of DDos Attacks

    3.1) Bandwidth Depletion attack

    A bandwidth depletion attack is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the (primary) victim system.

    Flood Attack [27]

    In a DDoS flood attack the zombies flood the victim system with IP traffic. The large volume of packets sent by the zombies to the victim system slows it down, crashes the system or saturates the network bandwidth. This prevents legitimate users from accessing the victim.

    Smurf Attack [27]

    In a DDoS Smurf attack, the attacker sends packets to a network amplifier with the return address spoofed to the victims IP address. The attacking packets are typically ICMP ECHO REQUESTs, which are packets that request the receiver to generate an ICMP ECHO REPLY packet. The amplifier sends the ICMP ECHO REQUEST packets to all of the systems

    attack where the UDP ECHO packets are sent to the port that supports character generation with the return address spoofed to the victims echo service creating an infinite loop The UDP Fraggle packet will target the character generator in the systems reached by the broadcast address. This attack generates even more bad traffic and can create even more damaging effects than just a Smurf attack

    DNS request attack [6]

    In this attack scenario, the attack sends a large number of UDP-based DNS requests to a name server using a spoofed source IP address. Then the name server, acting as an intermediate party in the attack, responds by sending back to the spoofed IP address as the victim destination. Because of the amplification effect of DNS response, it can cause serious bandwidth attack [6,8]

    Algorithmic complexity attack [6]

    Its a class of low-bandwidth DDoS attacks that exploit algorithmic deficiencies in the worst case performance of algorithms used in many mainstream applications. For example, both binary trees and hash

    tables with carefully chosen input can be the attack targets to consume system resources greatly [6,9].

    3.1.2) Resource Depletion attack

    A resource depletion attack is an attack that is designed to tie up the resources of a victim system. This type of attack targets a server or process on the victim system making it unable to process legitimate requests for service.[6]

    TCP Reset Attack [6]

    TCP reset also utilize the characteristics of TCP protocol. By listening the TCP connections to the victim, the attacker sends a fake TCP RESET packet to the victim. Then it causes the victim to inadvertently terminate its TCP connection [6,7].

    TCP SYN Attack [27]

    In a DDoS TCP SYN attack, the attacker instructs the zombies to send such bogus TCP SYN requests to a victim server in order to tie up the servers processor resources, and hence prevent the server from responding to legitimate requests. Eventually, if the volume of TCP SYN attack requests is large and they continue over time, the victim system will run out of resources and be unable to respond to any legitimate users.

    PUSH + ACK Attacks [27]

    The PUSH + ACK attack is similar to a TCP SYN attack in that its goal is to deplete the resources of the victim system The attacking agents send TCP packets with the PUSH and ACK bits set to one. These packets instruct the victim system to unload all data in the TCP buffer and send an acknowledgement when complete. If this process is repeated with multiple agents, the receiving system cannot process the large volume of incoming packets and it will crash.

    Malformed Packet Attacks [27]

    A malformed packet attack is an attack where the attacker instructs the zombies to send incorrectly formed IP packets to the victim system in order to crash the victim system. There are two types of malformed packet attacks. In an IP address attack, the packet contains the same source and destination IP addresses. This can confuse the operating system of the victim system and cause the victim system to crash. In an IP packet options attack, a malformed packet may randomize the optional fields within an IP packet and set all quality of service bits to one so that the victim system must use additional processing time to analyze the traffic. If this attack is multiplied using enough

    agents, it can shut down the processing ability of the victim system.

    UDP storm attack [6]

    This kind of attack can not only impair the hosts. Services, but also congest or slow down the prevailing network. When a connection is established between two UDP services, each of which produces a very huge number of packets, thus cause an attack.[6]

  3. Factors affecting DDos Attack

    One of the major reasons that make the DDoS attacks wide spread and easy in the Internet is the availability of attacking tools and the powerfulness of these tools to generate attacking traffic [12]. As per [11], [13] various reasons that create opportunities for attackers to use attack tools easily and launch a successful attack are:[1]

    1. Internet security is highly interdependent: The susceptibility of DDoS attacks depends upon global internet security rather than the security of victim.

    2. Internet resources are limited: Each Internet host has limited resources that can be consumed by a sufficient number of users.

    3. Accountability is not enforced: With mechanisms like IP spoofing, the perpetrator can conceal his real identity and hence, real source of attack cannot be judged.

    4. Control is distributed: Since Internet management is distributed and each network runs as per particular policies and regulations defined, it is almost impossible to deploy a certain global security mechanism and moreover due to privacy concerns it is sometimes nearly impossible to investigate the cross network behavior.

    5. Simple Core and Complex Edge: One of the design principles is that the Internet should keep the core networks simple and push any complexity into the end hosts [1,13,14]. Hence, core routers dont make necessary authentication checks. The void of authentication checks at network level encourages undesired unauthorized attempts like IP spoofing, which is the major way of doing DDoS attack.

    6. Multipath Routing: Multipath routing makes authentication difficult hence, it may encourage unauthorized activities. Intermediate router routes IP

    September 25,2012

    Bank of America website

    disrupted daily

    operations for banks

    September 11,2012

    GoDaddy takes down

    Millions of website are out

    of service

    March , 2012

    South Korea and United states

    Websites

    It is similar to those launched

    in 2009.

    January 1,2012

    Offical Web-site of the office of the vice president of

    Russia

    It caused the site to be down by more than

    15 hours.

    November 5

    to 12 , 2011

    Asian Ecommerce Company

    Flood of Traffic was launched

    and 250,000 Computers are infected with

    malware participated.

    October

    ,2011

    Site of National Election Com- mission of South Korea

    Attacks were launched during the morning when citizens would look up information

    .and attack leads to fewer turnouts.

    March 3,2011

    On Blogging Platform Live Journal

    Experienced serious functionality problems for

    over 12 Hours

    December 8,2011

    Master Card, PayPal, Visa and Post Finance

    Attack was

    launched in

    support of

    WikiLeaks.ch and its founder.

    November 30,2011

    Whistleblower site Wikileaks

    Attack size was 10Gbps.

    Caused the site unavailable to visitors.

    November 12,2011

    Domain registrar Regis-ter.com

    Impacted DNS, hosting and webmail

    clients.

    November 2,2010

    Burmas main Internet provider

    Disrupted most network traffic in and out of

    the country for 2 days.

    packet from source to destination & has no way of knowing that whether the IP packet it is forwarding is the legitimate packet or a spoofed one [1,13].

  4. DDos Incidents

    Attack communities are well coordinated and synchronized with each other and hence, have high potential.They use the distributed traffic to create the botnet and flood the packets targeting victim. This makes tracing of the identity of attacker difficult and thus attacker escapes the witty eye. The DDoS attacking programs have very simple logic structures and small memory requirements which make them easy to implement and hide. Besides, many tools for DDoS attacks are available, high qualification is not required to use them. Hence, DDoS attacks have emerged as a weapon of choice for disruption on the Internet.

    Any one on the network is prone to DDos attack, it may be financial institutes or banks or multinational corporations or government or defense agencies etc. Even very high profile websites like Yahoo, eBay, E Trade, Buy, Amazon, Twitter, Facebook etc were Web sites fell victim to DDoS attacks [15]. In January 2001, Register.com was targeted, DNS servers were used as reflector in that attack [16]. On two occasions to date, attackers have performed DNS Backbone DDoS Attacks on the DNS root servers. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers. The second occurred in February 2007 and caused disruptions at two of the root servers [17], [18]. Even CERT/CC, one of the Internet's leading network security sites, was also suffered from DDoS attack in May, 2001 [19].In the same year, DDoS attack was launched targeting Whitehouse.gov domain [20].In January 2004, MyDoom attacked 1 million computers [21]. In February 2007, more than 10,000 online servers in games such as such as Return to Castle Wolfenstein, Halo, Counter- Strike and many others were attacked [17]. After one year, WordPress.com was attacked resulting in 15 minutes of outage [15]. The incidents citing DDoS attacks are endless. These attacks demonstrate the potential of attacks.

    Table 1 [1, 26]

    Recent DDos Attack Incidents

    Date

    DDos Incidents

    Description

    October 21,2012

    HSBC Bank of America

    disrupted daily

    operations for banks

    thousands of its

    shared hosting customers.

    October.2010

    MPAA & Indian tech firm Aiplex software

    At least

    hundreds of 4chan users at once executed at-tack in Pro- piracy protest. Simple application Low Orbit Ion Cannon (LOIC)

    was used.

    September,20 10

    Fast growing botnet

    Botnets motive was to provide

    commercial service

    June,2010

    Broadband forum

    Whirlpool

    Flooding DDoS

    attack

    May,2010

    Vocus

    Caused connectivity disruptions across multiple

    web-sites.

    May,2010

    Web24

    Caused Connection issues for users of the Vocus

    net-work

    April,2010

    Optus

    Sourced from China. 4 hours

    of outage.

    February,201 0

    Australian Parliament House website

    (www.aph.gov.au)

    Attack was the part of protest by a group.

    December 23,2009

    DNS services provider Neustar

    Amazon, Wal- Mart, and

    Expedia were affected

    August 6,2009

    Twitter, Facebook, Livejournal, and Google blogging

    pages

    Hundreds of

    millions of

    Internet users affected.

    October,2009

    40 Swedish sites

    About 40

    websites belonging to police & media

    went down.

    April 1,2009

    Cloud computing provider GoGrid

    Service was

    disrupted to about half of its 1,000

    customers

    January,2009

    GoDaddy.com

    Affected

    Financial Loses Incurred Due To Attack Incidents

    As proof of these disturbing trends, 2003 to 2006 FBI/CSI surveys [22,23] concluded that DoS/DDoS attacks are one of the major causes of financial losses [26]as depicted in Figure 3 below:

    Fig.3 Financial Loss

    Threat landscape of DDoS attacks [28]

    Below Fig 4 shows a flow of DDoS attacks, surpassing all previous records. Amazingly a majority of these distributed denial-of-service attacks were not recognized due to bandwidth constraints. In the supplementary graph it is clearly seen that network- based DoS attacks were fewer than application-level DDoS attacks. A majority of the attacks exploited the HTTP and its sibling HTTPS protocols. Attackers recognize that volumetric attacks can be mitigated by use of scrubbers on the cloud, so they opt for slow and low DoS attacks, choosing applications as the target instead of networks.

    Fig.4 Threat Landscape [28]

  5. DDos attack mitigation tequniques [27]

    Load Balancing

    For network providers, there are a number of techniques used to mitigate the effects of a DDoS attack. Providers can increase bandwidth on critical connections to prevent them from going down in the event of an attack. Replicating servers can help provide additional failsafe protection in the event some go down during a DDoS attack. Balancing the load to each server in a multiple-server architecture can improve both normal performance as well as mitigate the effect of a DDoS attack.

    Throttling

    One proposed method to prevent servers from going down is to use Max-min Fair server-centric router throttles. This method sets up routers that access a server with logic to adjust (throttle) incoming traffic to levels that will be safe for the server to process. This will prevent flood damage to servers. Additionally, this method can be extended to throttle DDoS attacking traffic versus legitimate user traffic for better results. This method is still in the experimental stage, however similar techniques to throttling are being implemented by network operators. The difficulty with implementing throttling is that it is still hard to deciher legitimate traffic from malicious traffic. In the process of throttling, legitimate traffic may sometimes be dropped or delayed and malicious traffic may be allowed to pass to the servers.

    Honeypots

    Honeypots are systems that are set up with limited security to be an enticement for an attacker so that the attacker will attack the Honeypot and not the

    actual system. The goal of this type of honeypot is to attract a DDoS attacker and get him to install either handler or agent code within the honeypot. This prevents some legitimate systems from getting compromised and allows the honeypot owner to track the handler or agent behavior and better understand how to defend against future DDoS installation attacks.

  6. Conclusion

The major contributions of this paper are the survey of overview of DDos attack, the main security defects which causes the DDos attack, taxonomy of DDos attacks, recent DDos attack incidents, DDos attack incidents history from 2009-2012 ,impact analysis of attack and financial loss incurred due to attack and DDos attack mitigation techniques are done.

References

  1. Ketki Arora, Krishan Kumar, Monika Sachdeva Impact Analysis of Recent DDoS Attacks International Journal on Computer Science and Engineering (IJCSE)ISSN : 0975-3397 Vol. 3 No. 2 Feb 2011

  2. Christos Papadopoulos, Robert Lindell, John Mehringer, Alefiya Hussain, Ramesh Govindan COSSACK: Coordinated Suppression of Simultaneous Attacks Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX03) 0-7695-1897- 4/03 © 2003 IEEE

  3. Udaya Kiran Tupakula ,Vijay Varadharajan, Sunil Kumar VuppalaSBAC: Service Based Access Control 14th IEEE International Conference on Engineering of Complex Computer Systems978-0-7695-3702-3/09 © 2009 IEEE

  4. Lincoln Stein and John N. Stuart. The World Wide Web Security FAQ, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (8 April 2003).

  5. Liang Hu, Xiaoming Bi Research of DDoS Attack Mechanism and Its Defense Frame 978-1-61284-840- 2/11©2011 IEEE

  6. Akash Mittal A Review of DDOS Attack and its Countermeasures in TCP Based NetworksInternational Journal of Computer Science & Engineering Survey (IJCSES) Vol.2, No.4, November 2011 DOI : 0.5121/ijcses.2011.2413

  7. Robert Vamosi, Study: DDoS attacks threaten ISP infrastructure, Online at http://news.cnet.com/8301- 1009_3-10093699-83.html, CNET News, Nov. 2008.

  8. A. Yaar, A. Perrig, and D. Song, PI: A path identification mechanism to defend against DDoS attacks, in proceedings of the IEEE symposium on Security and Privacy, pp. 93-109, May 2003.

  9. Elinor Mills, Radio Free Europe DDOS attack latest by hactivists, Online at http://news.cnet.com/8301- 10784_3-9933746-7.html, CNET News, May. 2008.

  10. Dhinaharan Nagamalai, Cynthia Dhinakaran, Jae Kwang Lee. Multi Layer Approach to Defend DDoS Attacks Caused by Spam. In aaXiv.org (Cornell university Library),arXiv: 1010.1583v1 [cs.CR]

  11. J. Mirkovic, and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, Computer Journal of ACM SIGCOMM,vol. 34, no. 2, pp. 39-53, Apr. 2004.

  12. B. Gupta, R. Joshi, and M. Misra, Distributed Denial of Service Prevention Techniques, International Journal of Computer and Electrical Engineering, Vol. 2, no. 2, pp. 268-276, April, 2010.

  13. T. Peng, C. Leckie, and K. Ramamohanarao, Survey of network based defense mechanisms countering the DoS and DDoS problems, Computer Journal of ACM Computing Surveys, vol. 39, no. 1, pp. 123-128, Apr. 2007.

  14. J. Mirkovic, D-WARD: source end defense against distributed denial of service attacks, Ph.D. thesis, University of California,2003.

  15. M. Sachdeva, G. Singh, K. Kumar, and K. Singh, DDoS incidents and their impact :A review,International Arab Journal of Information Technology, vol. 7, no. 1, pp. 14-19, Jan. 2010.

  16. Washington.edu, A DNS reflection attack on register.com,[Online].Available:http://ww.staff.washin gton.edu/dittrich/misc/ ddos/

  17. Wikipedia, Denial-of-service attack, [Online]. Available: http://en.wikipedia.org/wiki/Denial-of- service_attack.

  18. ICANN. Factsheet – Root server attack on 6 February 2007,[Online].Available:http://ww.icann.org/announce ments/factsheet-dns-attack-08mar07.pdf.

  19. A. Bennett. (2001) ITworld.com,"CERT hit by DDoS attack for a third day,"[Online].Available: http://www.itworld.com/IDG010524CERT2.

  20. R. Lemos. (2001) Cnet.com, Hackers cripple white house site, [Online]. Available: http://news.cnet.com/2100-1001-257068.html.

  21. Parabon.com, Distributed Denial of Service (DDoS) attack timeline, [Online]. Available: http://www.parabon.com/faqs/ddostimeline.html

  22. Cichardson R., Computer Crime and Security Survey, http://www.crime-research.org/ news/ 11.06.2004 /423/, 2007

  23. Gordon A., Loeb P., Lucysgyn W., and Richardson R., CSI/FBI Computer Crime and Security Survey, CSI Publications, 2006.

  24. Priya Metri, Jayshree Ghorpade, Santaji Ghorpade, DDOS Attacks and Defense Mechanisms: An Overview, International Journal of Advances in Computing and Information Researches ISSN: 2277- 4068, Volume 1 No.1, January 2012, 1 to 5

  25. Daljeet Kaur, Monika Sachdeva , Krishan Kumar, Recent DDoS Incidents and Their Impact International Journal of Scientific & Engineering Research Volume 3,

    Issue 8, August-2012 1 ISSN 2229-5518,1 to 6

  26. Monika Sachdeva,Gurvinder Singh,Krishan Kumar,Kuldip Singh DDoS Incidents and their Impact: A Review, The International Arab Journal of Information Technology, Vol. 7, No. 1, January 2010, 14 to 24

  27. Stephen Specht, Ruby Lee Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures http://www.princeton.edu

  28. Website http:// searchsecurity.techtarget.in / photostory/2240164376 /Five-DDoS-attack-tools-that- you-should-know-about/9/Threat-landscape-of-DDoS- attacks#contentCompress

Leave a Reply