Click here to load reader

DDOSartigo-ST566A Caue Cintra

  • View
    212

  • Download
    0

Embed Size (px)

DESCRIPTION

Artigo DDOS

Text of DDOSartigo-ST566A Caue Cintra

  • Distributedenialofservice(DDOS)attacks

    CaueKoisumiCintraUniversidadeEstadualdeCampinasUNICAMP

    AbstractDistributedDenialofService(DDOS)attacksareadeadlyagainsttheavailabilityofInternetservicesandresources.DDOSattackersinfectslargenumbersofcomputersbyexploitingsoftwarevulnerabilitiestosetupbotnets.Thenallthesezombiecomputersareinvokedtounleashacoordinated,largescaleattackagainstavictimssystems.Asspecificcountermeasuresarebeingdeveloped,attackerscontinuetoenhanceexistingDDOSattacktools,developingnewandderivativeDDOStechniquesandtools.Ratherthanalwaysreacttonewattackswithspecificcountermeasures,itwouldbedesirabletodevelopsolutionsthatdefendagainstknownandfutureDDOSattackvariants.However,thisisreallyhardtodoasisneededagreatunderstandingofthescopeandtechniquesusedonDDOSattacks.ThispaperattemptstocategorizeDDOSattacknetworks,toclassifythedifferenttechniquesusedinaDDoSattack,andtodescribethecharacteristicsoftoolsusedtoperformDDOS.Giventhisnewunderstanding,proposeclassesofcountermeasuresthattargettheDDOSproblembefore,duringandafteranattack.

    1

  • 1.IntroductionTheInternetwasoriginallydesignedtolinktogetheracooperativeandcollaborativecommunityofresearcher(LIPSON,2002).Itwasntaconcernthinkaboutsecuritywhenthefirstthoughtsoftheinternetwasbeginning,becauseitwassupposedtobeanetworktosomeresearcherstoexchangeknowledge,soeveryuserwastrustablethatmeansthenetworkwouldalwaysbesecure.Withtheevolutionoftheinternetsecurityissuesstartedtooccur,andinthe90soneofthemanytypesofsecurityattacksthatwerecreatedwastheDOS(DenialofService),thisattackisfairlysimpleandbasicallyconsistsinanattempttomakeanetworkresourceunavailableforitsrealusers.LateronthisattackevolvedtoDDOS(DistributedDenialofService)whichisbasicallythesamethingasDOS,butnowtheattackcomesfromseveralsourcesthatcanbespreadallovertheworld.Thisattacksareexecutedfordifferentkindsofreasons,themostcommonsthougharefinancialandpoliticalmotives.Thecurrentstateofthecyberworldtodaystillisinlackofabilitytoprevent,correct,trackandtraceDDOSattacks,Theanonymityenjoyedbytodayscyberattackersposesagravethreattotheglobalinformationsociety,theprogressofaninformationbasedinternationaleconomy,andtheadvancementofglobalcollaborationandcooperationinallareasofhumanendeavor.(LIPSON,2002),wecanclearlyseethatwithgroupslikeLulzSecandAnonymousthatcanremainalotoftimelaunchingattacksbeforebeingcaught,orsomeotherhackersthatarenotcaughtatall.

    2

  • 2.WhatisDDOS?DOSattacksarejustanexplicitattemptfromanattackertomakeaserverunabletoprovideservicestoitsusersbyfloodingorcrashingthesystem.Unlikeconventionalelectronicattacks,thereislittleinformationoreffortrequiredtoinitiateaDOSattackonthetargetwebsiteallthatisneededisthewebsiteaddress,aprogramthatcanperformarapidnumberofrequeststothetargetedwebsiteandabotnet(ForDDOSattacks)ThefirstsprogramstomakeDOSremoteattacksstartedtoappearinthe90sandfortheseprogramstobeeffectivetheyneededlargesizecomputersornetworkslikefromanuniversity.In1997werediscoveredalargenumberoffailuresintheTCP/IP(TransmissionControlProtocol/InternetProtocol)andthenthenumberofattacksstartedtogrowusingIRC(InternetRelayChat)networkandexploitingknownvulnerabilitiesonWindowstocrashit.Thelate1999wastheariseoftheDDOSattacks,wheretheattackerscouldgetcontrolofothermachines(botsorzombies)tomaximizethepoweroftheattackagainsthisttarget.Inthe2000theDDOSattacksstartedtogettingmixedwithworms(malwareprogramthatcanreplicateitselfandinfectothercomputersthroughvulnerabilitiesinthenetwork)turningtheaffectedtargetsmorevulnerabletootherattacks.InJanuary2001MicrosoftswebsitesufferedapowerDDOSattackthatlastedforhoursandmadethewebpageunavailabletorealusers,duringsomeperiods98%oftheserviceswereaffectedbytheattack.EventheFBIwascalledtotakecareofthecase,showingthatevenahugecompanyasMicrosoftwasntimmuneagainstaDDOSattack.DDOSattackscanbedividedinthreegeneralcategories:VolumeBasedAttacksthatconsistsinsaturatethebandwidthoftheattackedserver,anditspowerismeasuredinbitspersecond(bps).Someexamplesare:UDPfloods,ICMPfloodsandotherspoofedpacketfloods.ProtocolAttacksthattriestoconsumetheactualserverresourcesorfirewallsandloadbalancersanditsmagnitudeismeasuredinpacketspersecond.Someexamplesare:SYNfloods,PingofDeathandSmurfDDOS.ApplicationLayerAttacksthatconsistsinsendingapparentlylegitimaterequestswiththegoalofcrashthewebserver,anditsmeasuredinrequestspersecond.Someexamplesare:Slowloris,ZeroDayDDOSattacks,Windowsvulnerabilities.

    3

  • 3TypesofattackThereisseveralformsofDOSattacks,herearesomeofthemostcommonused.3.1UDPFloodThisattackusestheUserDatagramProtocol(UDP),asessionlessnetworkingprotocol.ItfloodsrandomportsofaremotehostwithnumerousUDPpacketsmakingthehostconstantlychecksfortheapplicationlisteningatthatporthowevernoapplicationslistensatthatportsothehostneedstoreplywithanICMPDestinationUnreachablewhichendsupcausinganexcessiveuseofthehostresourcesthatcanleadtoinaccessibility.ThisattackisusedwithIPspoofingsothattheICMPreturnpacketswon'treachthemandhidingthenetworklocation.

    4

  • 3.2ICMPFloodorPingFloodTheprincipleissimilarfromtheUDPfloodattack,butnowthetargetisoverwhelmedwithICMPEcho(ping)requestspacketsusingamethodsendingICMPpacketscontinuouslywithoutwaitingforreply.TheattackedserverwilloftenattempttorespondwithICMPreplypacketswhichconsumebothincomingandoutgoingbandwidthwhichcanresultinanoverallsystemslowdown.

    5

  • 3.3SYNFloodThisattackexploitsthethreewayhandshake,aknownweaknessintheTCPconnectionsequence,whenaSYNrequestissenttobeginaTCPconnectionthehostneedstoanswerwithaSYNACKresponseandthenbeconfirmedbyanACKresponsefromtherequester.TheattackersendsmultipleSYNrequestsbuthedoesntrespondtothetargetsSYNACKresponses,ortheattackercansendtherequestsfromspoofedIPaddresses,sothevictimsserverkeepswaitingfortheresponsesforeachrequestsbindingresourcesuntilnonewconnectionscanbemade.

    6

  • 3.4PingofDeath(POD)GenerallythemaximumpacketlengthofanIPpacketonIPv4is65,535bytesandsendingapingofthissizecouldcrashthetargetscomputer,thisvulnerabilitystartedtobeingexploitedastheattackersstartedtosendalargeIPpacket(biggerthan65,536bytes)splittedinmultipleminorpacketssowhenthehostwouldassembletheminorpacketsitcouldendupcausingamemorybufferoverflowdenyingserviceforlegitimatepackets.Todayitsreallyhardforaservertocrashbecauseofthisattack.

    3.5SlowlorisSlowlorisisahighlytargetedattackthatpermitsoneservertotakedownanotheronewithminimalbandwidthandsideeffectsonunrelatedservicesandports.Theattackerstrytokeepopenandforaslongaspossiblemanyconnectionswiththetargetedserver,thisisdonebyconstantlysendingHTTPheadersbutwithoutcompletetherequest.Thetargetedserverwillkeepthoseconnectionsopenandthiseventuallywillleadtoanoverflowoftheconnectionspoolleavinglegitimaterequestsfromclientsdeniedofservice.ItisspeciallyusedagainstApache,Tomcat,dhttpdandGoAheadWebServer.

    7

  • 3.6ZerodayDDOSZerodayattacksareunknownornewattacksexploitingvulnerabilitiesthatdontstilldonthaveasolution,sobasicallyitsanattackthatexploitsavulnerabilitythatthesoftwareownerdoesntevenknowaboutyetordidnthavedevelopedapatchtofixit.Somebigproblemsaboutthoseattacksisthattradingzerodayvulnerabilitiesarequitepopularintheblackhatcommunityandevenifthecompanydevelopapatchlater,youcomputermayalreadybeeninfectedwithwormsandtrojans.4.AttackersandmotivesThereisalargediversityinattackersandtheirmotives.Andsometimestwoofthoseclassescanmerge,asexample:Anextorquistsgroupcanuseahacktivistexcusetoattackawebservicebuttheirrealpurposeistogetmoney.4.1ExtorquistsTheseattackersthreatstheirtargetaskingformoneyortheywilltakedowntheirservers,theyworkwithafinancialpurpose.4.2HacktivistsTheHacktivistgroupwastheonethatgotmostofthespotlightwithDDOSattacksinthelastyears,theygrewandunitedthemselvesreallyfastandstartedtomakeInternetStreetProtests(RichardStallman).SomehackgroupseventookdownUSgovernmentalsitescausingagreatsplurgeonthecommunity,theirmotivesaretotrytochangedecisionsmadebyorganizationsorthegovernment.

    8

  • 4.3Competitors,unsatisfiedemployeesandcustomersThereweresomecaseswhereacompanywouldlaunchaDDOSattackagainstacompetitortoharmtheirimagesothecustomerswouldtradecompaniesandtheywouldgetmoreprofit.ItcanalsohappenthatafiredorunsatisfiedemployeeorcustomerwouldlaunchaDDOSattackagainstacompanyasavendetta.4.4ScriptKiddiesTheybasicallyareunskilledindividualsthatusesautomatedtoolscreatedbyotherstorealizeattacks,theirpurposenormallyistoimpressfriendsortrytobecomefamousandclimbupinthehackercommunity,somescriptkiddiescanlaunchanattackjustforthefunofit.5.ToolsOneofthemotivesforthegreatgrowingoftheDOSattacksistheappearanceofmanyfreetoolsontheweb,herearesomeofthem.5.1LOIC(Loworbitioncannon)ItsoneofthemostpopularfreeDOSattackingtoolontheweb,ithasauserfriendlyinterfacesoitseasytolearnanduse.ThetoolcanperformDOSattackbysendingTCP,UDPorHTTPrequeststothetargetssystem.Abotnetcanbeusedtoimprovethepoweroftheattackandmakeitadistributedattack.

    9

  • 5.2HOIC(Highorbitioncannon)ItwasmadeoutoftheconceptofLOIC,butthedeveloperstriedtoimproveitsstrenghtandincludedaboosterfeaturetomaketheattackstronger.

    5.3XOICItsaverysimpleandeasytousetool,comeswithawhoisfeaturetofindIPandportandhave3modesofattack,abasictestmode,anormalDOSmodeandaDOSmodewithaTCP/HTTP/UDP/ICMPmessage.

    5.4PylorisPyLorisisascriptabletoolfortestingaserver'svulnerabilitydenialofservice(DoS)attacks.PyLoriscanutilizeSOCKSproxiesandSSLconnections,andcantargetprotocolssuchas

    10

  • HTTP,FTP,SMTP,IMAP,andTelnet.

    6.DefenseagainstDOSattacks6.1Howtoprevent?Untilnowthereisnosilverbullet(Brooks)againstDDOSattacks,butthereissomestrategiestomitigatetheattack.Somerecommendedstrategiestopreventattacksare:Incrementhostsecurity:AstheprimarycharacteristicoftheDDOSistheuseofabotnet,itisveryimportanttoimprovethesecurityofyourmachinessoitwontbecomeazombie.Installpatches:Themachinesusedaszombiesarenormallyinfectedwithknownvulnerabilities.Soitishighlyrecommendedthatyoualwaysupdateyoursystemwhenpossible.Applyantispoofingfilters:DuringtheDDOS,theattackerstrytohidetheirrealIPusingspoofingmechanismsthatforgesfakeIPsmakingithardertotracktheattackorigin.Soitisnecessarythattheaccessprovidersimplementantispoofingfiltersontheroutersentrance,sothenetworkoftheirclientscantusespoofing.Andthatalltheinternetnetwork,inageneralway,implementantispoofingfiltersontheborderroutersexitpreventingtheuseofspoofing.PreviousplanningagainstDDOS:ApreviousplanningandcoordinationisessentialtoguaranteeanadequateanswerwhenaDDOSattackstartstohappen.Thisplanningmustincludecounterattackprocedureswithyourbackboneprovider.6.2Howtoreact?6.2.1DDOStoolsareinstalledonyoursystem

    11

  • Thiscanmeanthatyoursystemisbeingusedasamasteroragent.Itsimportanttodeterminewhatisthepartofthetoolsfoundandtrytodiscoverworthinformationthatwouldallowtrackingothercomponentsinthebotnet,prioritizingthediscoveringofmasters.Dependingonthesituation,itisrecommendedtotryshutdownimmediatelythemasters,butsometimesitcanbeworthtomonitortheactivitiestogatherinformation.6.2.2IfyoursystemissufferingaDDOSattackThespoofingmechanismsusedonDDOSattacksmakesreallyhardtoidentifytheattacker,butifthereisamomentthatispossibletobacktraceandgettherealresponsible,itiswhentheattackishappening.Itiscriticaltohaveaquickcommunicationwithyourbackboneprovidertotrytotracktheattacker.ThereissometechniquestomitigatetheDDOSattackhappening.LoadBalancing:Networkproviderscanincreasebandwidthoncriticalconnectionstopreventthemfromgoingofflineinthemiddleofanattack.BalancingtheloadtoeachserverinamultipleserverarchitecturecanimprovenormalperformanceandmitigatetheeffectofaDDOSattack.DropRequests:Thesystemcansimplydroprequestswhentheloadincreases.Thiscanbedonebytherouterortheserver.Alternatively,therequestermaybeinducedtodroptherequestbymakingtheitssystemsolveahardpuzzlethattakesalotofcomputepowerormemoryspace,beforecontinuingwiththerequest.Thiswillmaketheusersofzombiesystemsdetectperformancedegradation,makingthemawarethatsomethingwrongishappeningandleadingthemtolookandsolvetheproblem,gettingridofbeingazombiemachine.Outsourcedcompanies:ThereisanumberofoutsourcedcompaniesthatoffersserviceagainstDDOSattacks,theygiveyou24/7support,monitoringandinthemiddleofaneventtheyusetheirservertohelpmitigatetheattack..7.Myanalysis.NextstepsforfutureresearchDistributeddenialofserviceattacksarestillrising,becausetheyarefairlyeasytoexecuteanditshardtogetbacktraced,anditseemsitwontstopsoon.Thereisnoeasysolutionagainstthesetypeofattacks,andthroughoutthehistorywecanseethatthehackerswerealwaysone,twoorevenmorestepsaheadfromthesecurityteamsfromcompanies.Butthereissomearrangementsthatshouldbedone.Raiseinternetusersawareness:Ifwecanmaketheinternetusersmoreawareofsecurityissues,wecanpreventthosemachinesfrombeingpartofabotnet,andwiththisthebotnetswillbecomesmallermakingtheDDOSattackwayweaker.Honeypots:Theyaresystemsmadewithknownvulnerabilitiestoinstigatetheattack.Itnotonlyavoidtheattackfromgoingtothecriticalareasofthesystembutitgatherrelevantdataandrecordsallabouthowtheattackisbeingperformed,whichtoolsarebeingused.Sowiththat

    12

  • kindofinformationyoucanfortifyyoursystemtopreventnextattacks.Thehackerselitearealreadywellawareofthistechnique,soinordertoimproveitseffectiveness,itmustbemadebettercamouflageforthehoneypotslookexactlylikerealsystems.PostattackForensics:WhenbeingunderaDDOSattackitisrecommendedtogatherthemostpossibledatatolateranalyzeandlookforspecificcharacteristicsintheattackingtraffic,thiscanbeusedtodevelopnewfilteringtechniquesagainstDDOS.Packettracestechniqueconsistsonthefactofinternettrafficcanbetracedbacktoitstruesource.Thisallowsbacktracetheattackerstraffictofindoutwhoistheattacker.Allthedatacollectedmustbestoredinasafedatabasesoitcanbeusedtodoforensicanalysisandassistlawenforcementincasesofsignificantfinancialdamage.8.ConclusionDDOSattacksarereallydangerousandcancausealotoftroubles,mixingthatwiththefactthatishardlytraceable,itmakesasafeandeffectiveattacktoperformagainstyourtargets.Thereisthemostcommonattacksthataremadebyafewpeoplewithsomebotnets,andthiscancauserealtroubletosmall/mediumcompanies,buttheydontreallyhasmucheffectivenessagainstlargecompaniesasAmazon,eBayandMicrosoft.Butthereisthehackerelitegroupsthathavealotofinfluenceinthehackersceneandcangatherahugenumberoffollowersandbotnetstoorchestrateapowerfulattackcapableoftakingdownevenlargecompanies.Theinternetusersneedtostartthinkingmoreaboutthesecureoftheirownsystemstonotbecomeinfected,networkprovidersneedstomonitorbettertheirtraffictotrackattackersandhelpcompaniestoresistwhenbeingattackedandITcompaniesneedtoinvestmoreinfindingnewgeneralDDOSsolutions,andsharetheknowledgewithsmallercompanies.ThatwaytheDDOSattackcanbeweakenedandwontbethebigconcernthatitistoday.

    13

  • 9.ReferencesLipson,HowardF.TrackingandTracingCyberattacks:TechnicalChallengesandGlobalPolicyIssues.Pittsburgh,PA:CarnegieMellonUniversity,SoftwareEngineeringInstitute,2002.Print."GRC|SecurityNow!TranscriptofEpisode#8."GRC|SecurityNow!TranscriptofEpisode#8.N.p.,n.d.Web.10Dec.2013.."ATimelineofHackingGroupLulzSec'sAttacks."Msnbc.com.N.p.,n.d.Web.10Dec.2013.."DoSAttackKnocksOutMicrosoftSites."DoSAttackKnocksOutMicrosoftSites.N.p.,n.d.Web.10Dec.2013.."NetworkDoSAttacksOverview."JUNOSSoftwareSecurityConfigurationGuide.N.p.,n.d.Web.10Dec.2013.."DDoSProtection."DDoSProtection.N.p.,n.d.Web.10Dec.2013..

    14

    https://www.grc.com/sn/SN%C2%AD008.htm
  • "DistributedDenialofServiceAttacks."N.p.,n.d.Web.10Dec.2013.."AdvancedDDOSTools."ADVANCEDDDOSTOOLS~Prince4Hack.N.p.,n.d.Web.10Dec.2013.."DOSAttacksandFreeDOSAttackingToolsInfoSecInstitute."InfoSecInstitute.N.p.,n.d.Web.10Dec.2013..

    15