15
Distribute denial of service (DDOS) attacks Caue Koisumi Cintra Universidade Estadual de Campinas UNICAMP Abstract Distributed Denial of Service (DDOS) attacks are a deadly against the availability of Internet services and resources. DDOS attackers infects large numbers of computers by exploiting software vulnerabilities to set up botnets. Then all these zombie computers are invoked to unleash a coordinated, largescale attack against a victim’s systems. As specific countermeasures are being developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always react to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is really hard to do as is needed a great understanding of the scope and techniques used on DDOS attacks. This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this new understanding, propose classes of countermeasures that target the DDOS problem before, during and after an attack. 1

DDOSartigo-ST566A Caue Cintra

Embed Size (px)

DESCRIPTION

Artigo DDOS

Citation preview

  • Distributedenialofservice(DDOS)attacks

    CaueKoisumiCintraUniversidadeEstadualdeCampinasUNICAMP

    AbstractDistributedDenialofService(DDOS)attacksareadeadlyagainsttheavailabilityofInternetservicesandresources.DDOSattackersinfectslargenumbersofcomputersbyexploitingsoftwarevulnerabilitiestosetupbotnets.Thenallthesezombiecomputersareinvokedtounleashacoordinated,largescaleattackagainstavictimssystems.Asspecificcountermeasuresarebeingdeveloped,attackerscontinuetoenhanceexistingDDOSattacktools,developingnewandderivativeDDOStechniquesandtools.Ratherthanalwaysreacttonewattackswithspecificcountermeasures,itwouldbedesirabletodevelopsolutionsthatdefendagainstknownandfutureDDOSattackvariants.However,thisisreallyhardtodoasisneededagreatunderstandingofthescopeandtechniquesusedonDDOSattacks.ThispaperattemptstocategorizeDDOSattacknetworks,toclassifythedifferenttechniquesusedinaDDoSattack,andtodescribethecharacteristicsoftoolsusedtoperformDDOS.Giventhisnewunderstanding,proposeclassesofcountermeasuresthattargettheDDOSproblembefore,duringandafteranattack.

    1

  • 1.IntroductionTheInternetwasoriginallydesignedtolinktogetheracooperativeandcollaborativecommunityofresearcher(LIPSON,2002).Itwasntaconcernthinkaboutsecuritywhenthefirstthoughtsoftheinternetwasbeginning,becauseitwassupposedtobeanetworktosomeresearcherstoexchangeknowledge,soeveryuserwastrustablethatmeansthenetworkwouldalwaysbesecure.Withtheevolutionoftheinternetsecurityissuesstartedtooccur,andinthe90soneofthemanytypesofsecurityattacksthatwerecreatedwastheDOS(DenialofService),thisattackisfairlysimpleandbasicallyconsistsinanattempttomakeanetworkresourceunavailableforitsrealusers.LateronthisattackevolvedtoDDOS(DistributedDenialofService)whichisbasicallythesamethingasDOS,butnowtheattackcomesfromseveralsourcesthatcanbespreadallovertheworld.Thisattacksareexecutedfordifferentkindsofreasons,themostcommonsthougharefinancialandpoliticalmotives.Thecurrentstateofthecyberworldtodaystillisinlackofabilitytoprevent,correct,trackandtraceDDOSattacks,Theanonymityenjoyedbytodayscyberattackersposesagravethreattotheglobalinformationsociety,theprogressofaninformationbasedinternationaleconomy,andtheadvancementofglobalcollaborationandcooperationinallareasofhumanendeavor.(LIPSON,2002),wecanclearlyseethatwithgroupslikeLulzSecandAnonymousthatcanremainalotoftimelaunchingattacksbeforebeingcaught,orsomeotherhackersthatarenotcaughtatall.

    2

  • 2.WhatisDDOS?DOSattacksarejustanexplicitattemptfromanattackertomakeaserverunabletoprovideservicestoitsusersbyfloodingorcrashingthesystem.Unlikeconventionalelectronicattacks,thereislittleinformationoreffortrequiredtoinitiateaDOSattackonthetargetwebsiteallthatisneededisthewebsiteaddress,aprogramthatcanperformarapidnumberofrequeststothetargetedwebsiteandabotnet(ForDDOSattacks)ThefirstsprogramstomakeDOSremoteattacksstartedtoappearinthe90sandfortheseprogramstobeeffectivetheyneededlargesizecomputersornetworkslikefromanuniversity.In1997werediscoveredalargenumberoffailuresintheTCP/IP(TransmissionControlProtocol/InternetProtocol)andthenthenumberofattacksstartedtogrowusingIRC(InternetRelayChat)networkandexploitingknownvulnerabilitiesonWindowstocrashit.Thelate1999wastheariseoftheDDOSattacks,wheretheattackerscouldgetcontrolofothermachines(botsorzombies)tomaximizethepoweroftheattackagainsthisttarget.Inthe2000theDDOSattacksstartedtogettingmixedwithworms(malwareprogramthatcanreplicateitselfandinfectothercomputersthroughvulnerabilitiesinthenetwork)turningtheaffectedtargetsmorevulnerabletootherattacks.InJanuary2001MicrosoftswebsitesufferedapowerDDOSattackthatlastedforhoursandmadethewebpageunavailabletorealusers,duringsomeperiods98%oftheserviceswereaffectedbytheattack.EventheFBIwascalledtotakecareofthecase,showingthatevenahugecompanyasMicrosoftwasntimmuneagainstaDDOSattack.DDOSattackscanbedividedinthreegeneralcategories:VolumeBasedAttacksthatconsistsinsaturatethebandwidthoftheattackedserver,anditspowerismeasuredinbitspersecond(bps).Someexamplesare:UDPfloods,ICMPfloodsandotherspoofedpacketfloods.ProtocolAttacksthattriestoconsumetheactualserverresourcesorfirewallsandloadbalancersanditsmagnitudeismeasuredinpacketspersecond.Someexamplesare:SYNfloods,PingofDeathandSmurfDDOS.ApplicationLayerAttacksthatconsistsinsendingapparentlylegitimaterequestswiththegoalofcrashthewebserver,anditsmeasuredinrequestspersecond.Someexamplesare:Slowloris,ZeroDayDDOSattacks,Windowsvulnerabilities.

    3

  • 3TypesofattackThereisseveralformsofDOSattacks,herearesomeofthemostcommonused.3.1UDPFloodThisattackusestheUserDatagramProtocol(UDP),asessionlessnetworkingprotocol.ItfloodsrandomportsofaremotehostwithnumerousUDPpacketsmakingthehostconstantlychecksfortheapplicationlisteningatthatporthowevernoapplicationslistensatthatportsothehostneedstoreplywithanICMPDestinationUnreachablewhichendsupcausinganexcessiveuseofthehostresourcesthatcanleadtoinaccessibility.ThisattackisusedwithIPspoofingsothattheICMPreturnpacketswon'treachthemandhidingthenetworklocation.

    4

  • 3.2ICMPFloodorPingFloodTheprincipleissimilarfromtheUDPfloodattack,butnowthetargetisoverwhelmedwithICMPEcho(ping)requestspacketsusingamethodsendingICMPpacketscontinuouslywithoutwaitingforreply.TheattackedserverwilloftenattempttorespondwithICMPreplypacketswhichconsumebothincomingandoutgoingbandwidthwhichcanresultinanoverallsystemslowdown.

    5

  • 3.3SYNFloodThisattackexploitsthethreewayhandshake,aknownweaknessintheTCPconnectionsequence,whenaSYNrequestissenttobeginaTCPconnectionthehostneedstoanswerwithaSYNACKresponseandthenbeconfirmedbyanACKresponsefromtherequester.TheattackersendsmultipleSYNrequestsbuthedoesntrespondtothetargetsSYNACKresponses,ortheattackercansendtherequestsfromspoofedIPaddresses,sothevictimsserverkeepswaitingfortheresponsesforeachrequestsbindingresourcesuntilnonewconnectionscanbemade.

    6

  • 3.4PingofDeath(POD)GenerallythemaximumpacketlengthofanIPpacketonIPv4is65,535bytesandsendingapingofthissizecouldcrashthetargetscomputer,thisvulnerabilitystartedtobeingexploitedastheattackersstartedtosendalargeIPpacket(biggerthan65,536bytes)splittedinmultipleminorpacketssowhenthehostwouldassembletheminorpacketsitcouldendupcausingamemorybufferoverflowdenyingserviceforlegitimatepackets.Todayitsreallyhardforaservertocrashbecauseofthisattack.

    3.5SlowlorisSlowlorisisahighlytargetedattackthatpermitsoneservertotakedownanotheronewithminimalbandwidthandsideeffectsonunrelatedservicesandports.Theattackerstrytokeepopenandforaslongaspossiblemanyconnectionswiththetargetedserver,thisisdonebyconstantlysendingHTTPheadersbutwithoutcompletetherequest.Thetargetedserverwillkeepthoseconnectionsopenandthiseventuallywillleadtoanoverflowoftheconnectionspoolleavinglegitimaterequestsfromclientsdeniedofservice.ItisspeciallyusedagainstApache,Tomcat,dhttpdandGoAheadWebServer.

    7

  • 3.6ZerodayDDOSZerodayattacksareunknownornewattacksexploitingvulnerabilitiesthatdontstilldonthaveasolution,sobasicallyitsanattackthatexploitsavulnerabilitythatthesoftwareownerdoesntevenknowaboutyetordidnthavedevelopedapatchtofixit.Somebigproblemsaboutthoseattacksisthattradingzerodayvulnerabilitiesarequitepopularintheblackhatcommunityandevenifthecompanydevelopapatchlater,youcomputermayalreadybeeninfectedwithwormsandtrojans.4.AttackersandmotivesThereisalargediversityinattackersandtheirmotives.Andsometimestwoofthoseclassescanmerge,asexample:Anextorquistsgroupcanuseahacktivistexcusetoattackawebservicebuttheirrealpurposeistogetmoney.4.1ExtorquistsTheseattackersthreatstheirtargetaskingformoneyortheywilltakedowntheirservers,theyworkwithafinancialpurpose.4.2HacktivistsTheHacktivistgroupwastheonethatgotmostofthespotlightwithDDOSattacksinthelastyears,theygrewandunitedthemselvesreallyfastandstartedtomakeInternetStreetProtests(RichardStallman).SomehackgroupseventookdownUSgovernmentalsitescausingagreatsplurgeonthecommunity,theirmotivesaretotrytochangedecisionsmadebyorganizationsorthegovernment.

    8

  • 4.3Competitors,unsatisfiedemployeesandcustomersThereweresomecaseswhereacompanywouldlaunchaDDOSattackagainstacompetitortoharmtheirimagesothecustomerswouldtradecompaniesandtheywouldgetmoreprofit.ItcanalsohappenthatafiredorunsatisfiedemployeeorcustomerwouldlaunchaDDOSattackagainstacompanyasavendetta.4.4ScriptKiddiesTheybasicallyareunskilledindividualsthatusesautomatedtoolscreatedbyotherstorealizeattacks,theirpurposenormallyistoimpressfriendsortrytobecomefamousandclimbupinthehackercommunity,somescriptkiddiescanlaunchanattackjustforthefunofit.5.ToolsOneofthemotivesforthegreatgrowingoftheDOSattacksistheappearanceofmanyfreetoolsontheweb,herearesomeofthem.5.1LOIC(Loworbitioncannon)ItsoneofthemostpopularfreeDOSattackingtoolontheweb,ithasauserfriendlyinterfacesoitseasytolearnanduse.ThetoolcanperformDOSattackbysendingTCP,UDPorHTTPrequeststothetargetssystem.Abotnetcanbeusedtoimprovethepoweroftheattackandmakeitadistributedattack.

    9

  • 5.2HOIC(Highorbitioncannon)ItwasmadeoutoftheconceptofLOIC,butthedeveloperstriedtoimproveitsstrenghtandincludedaboosterfeaturetomaketheattackstronger.

    5.3XOICItsaverysimpleandeasytousetool,comeswithawhoisfeaturetofindIPandportandhave3modesofattack,abasictestmode,anormalDOSmodeandaDOSmodewithaTCP/HTTP/UDP/ICMPmessage.

    5.4PylorisPyLorisisascriptabletoolfortestingaserver'svulnerabilitydenialofservice(DoS)attacks.PyLoriscanutilizeSOCKSproxiesandSSLconnections,andcantargetprotocolssuchas

    10

  • HTTP,FTP,SMTP,IMAP,andTelnet.

    6.DefenseagainstDOSattacks6.1Howtoprevent?Untilnowthereisnosilverbullet(Brooks)againstDDOSattacks,butthereissomestrategiestomitigatetheattack.Somerecommendedstrategiestopreventattacksare:Incrementhostsecurity:AstheprimarycharacteristicoftheDDOSistheuseofabotnet,itisveryimportanttoimprovethesecurityofyourmachinessoitwontbecomeazombie.Installpatches:Themachinesusedaszombiesarenormallyinfectedwithknownvulnerabilities.Soitishighlyrecommendedthatyoualwaysupdateyoursystemwhenpossible.Applyantispoofingfilters:DuringtheDDOS,theattackerstrytohidetheirrealIPusingspoofingmechanismsthatforgesfakeIPsmakingithardertotracktheattackorigin.Soitisnecessarythattheaccessprovidersimplementantispoofingfiltersontheroutersentrance,sothenetworkoftheirclientscantusespoofing.Andthatalltheinternetnetwork,inageneralway,implementantispoofingfiltersontheborderroutersexitpreventingtheuseofspoofing.PreviousplanningagainstDDOS:ApreviousplanningandcoordinationisessentialtoguaranteeanadequateanswerwhenaDDOSattackstartstohappen.Thisplanningmustincludecounterattackprocedureswithyourbackboneprovider.6.2Howtoreact?6.2.1DDOStoolsareinstalledonyoursystem

    11

  • Thiscanmeanthatyoursystemisbeingusedasamasteroragent.Itsimportanttodeterminewhatisthepartofthetoolsfoundandtrytodiscoverworthinformationthatwouldallowtrackingothercomponentsinthebotnet,prioritizingthediscoveringofmasters.Dependingonthesituation,itisrecommendedtotryshutdownimmediatelythemasters,butsometimesitcanbeworthtomonitortheactivitiestogatherinformation.6.2.2IfyoursystemissufferingaDDOSattackThespoofingmechanismsusedonDDOSattacksmakesreallyhardtoidentifytheattacker,butifthereisamomentthatispossibletobacktraceandgettherealresponsible,itiswhentheattackishappening.Itiscriticaltohaveaquickcommunicationwithyourbackboneprovidertotrytotracktheattacker.ThereissometechniquestomitigatetheDDOSattackhappening.LoadBalancing:Networkproviderscanincreasebandwidthoncriticalconnectionstopreventthemfromgoingofflineinthemiddleofanattack.BalancingtheloadtoeachserverinamultipleserverarchitecturecanimprovenormalperformanceandmitigatetheeffectofaDDOSattack.DropRequests:Thesystemcansimplydroprequestswhentheloadincreases.Thiscanbedonebytherouterortheserver.Alternatively,therequestermaybeinducedtodroptherequestbymakingtheitssystemsolveahardpuzzlethattakesalotofcomputepowerormemoryspace,beforecontinuingwiththerequest.Thiswillmaketheusersofzombiesystemsdetectperformancedegradation,makingthemawarethatsomethingwrongishappeningandleadingthemtolookandsolvetheproblem,gettingridofbeingazombiemachine.Outsourcedcompanies:ThereisanumberofoutsourcedcompaniesthatoffersserviceagainstDDOSattacks,theygiveyou24/7support,monitoringandinthemiddleofaneventtheyusetheirservertohelpmitigatetheattack..7.Myanalysis.NextstepsforfutureresearchDistributeddenialofserviceattacksarestillrising,becausetheyarefairlyeasytoexecuteanditshardtogetbacktraced,anditseemsitwontstopsoon.Thereisnoeasysolutionagainstthesetypeofattacks,andthroughoutthehistorywecanseethatthehackerswerealwaysone,twoorevenmorestepsaheadfromthesecurityteamsfromcompanies.Butthereissomearrangementsthatshouldbedone.Raiseinternetusersawareness:Ifwecanmaketheinternetusersmoreawareofsecurityissues,wecanpreventthosemachinesfrombeingpartofabotnet,andwiththisthebotnetswillbecomesmallermakingtheDDOSattackwayweaker.Honeypots:Theyaresystemsmadewithknownvulnerabilitiestoinstigatetheattack.Itnotonlyavoidtheattackfromgoingtothecriticalareasofthesystembutitgatherrelevantdataandrecordsallabouthowtheattackisbeingperformed,whichtoolsarebeingused.Sowiththat

    12

  • kindofinformationyoucanfortifyyoursystemtopreventnextattacks.Thehackerselitearealreadywellawareofthistechnique,soinordertoimproveitseffectiveness,itmustbemadebettercamouflageforthehoneypotslookexactlylikerealsystems.PostattackForensics:WhenbeingunderaDDOSattackitisrecommendedtogatherthemostpossibledatatolateranalyzeandlookforspecificcharacteristicsintheattackingtraffic,thiscanbeusedtodevelopnewfilteringtechniquesagainstDDOS.Packettracestechniqueconsistsonthefactofinternettrafficcanbetracedbacktoitstruesource.Thisallowsbacktracetheattackerstraffictofindoutwhoistheattacker.Allthedatacollectedmustbestoredinasafedatabasesoitcanbeusedtodoforensicanalysisandassistlawenforcementincasesofsignificantfinancialdamage.8.ConclusionDDOSattacksarereallydangerousandcancausealotoftroubles,mixingthatwiththefactthatishardlytraceable,itmakesasafeandeffectiveattacktoperformagainstyourtargets.Thereisthemostcommonattacksthataremadebyafewpeoplewithsomebotnets,andthiscancauserealtroubletosmall/mediumcompanies,buttheydontreallyhasmucheffectivenessagainstlargecompaniesasAmazon,eBayandMicrosoft.Butthereisthehackerelitegroupsthathavealotofinfluenceinthehackersceneandcangatherahugenumberoffollowersandbotnetstoorchestrateapowerfulattackcapableoftakingdownevenlargecompanies.Theinternetusersneedtostartthinkingmoreaboutthesecureoftheirownsystemstonotbecomeinfected,networkprovidersneedstomonitorbettertheirtraffictotrackattackersandhelpcompaniestoresistwhenbeingattackedandITcompaniesneedtoinvestmoreinfindingnewgeneralDDOSsolutions,andsharetheknowledgewithsmallercompanies.ThatwaytheDDOSattackcanbeweakenedandwontbethebigconcernthatitistoday.

    13

  • 9.ReferencesLipson,HowardF.TrackingandTracingCyberattacks:TechnicalChallengesandGlobalPolicyIssues.Pittsburgh,PA:CarnegieMellonUniversity,SoftwareEngineeringInstitute,2002.Print."GRC|SecurityNow!TranscriptofEpisode#8."GRC|SecurityNow!TranscriptofEpisode#8.N.p.,n.d.Web.10Dec.2013.."ATimelineofHackingGroupLulzSec'sAttacks."Msnbc.com.N.p.,n.d.Web.10Dec.2013.."DoSAttackKnocksOutMicrosoftSites."DoSAttackKnocksOutMicrosoftSites.N.p.,n.d.Web.10Dec.2013.."NetworkDoSAttacksOverview."JUNOSSoftwareSecurityConfigurationGuide.N.p.,n.d.Web.10Dec.2013.."DDoSProtection."DDoSProtection.N.p.,n.d.Web.10Dec.2013..

    14

    https://www.grc.com/sn/SN%C2%AD008.htm

  • "DistributedDenialofServiceAttacks."N.p.,n.d.Web.10Dec.2013.."AdvancedDDOSTools."ADVANCEDDDOSTOOLS~Prince4Hack.N.p.,n.d.Web.10Dec.2013.."DOSAttacksandFreeDOSAttackingToolsInfoSecInstitute."InfoSecInstitute.N.p.,n.d.Web.10Dec.2013..

    15


Commune d’ASCAIN - CAUE 64

Commune d’ASCAIN - CAUE 64

Documents
Techtalk CSS4 - Fellyph Cintra

Techtalk CSS4 - Fellyph Cintra

Technology
CAUE- ingeniería economica

CAUE- ingeniería economica

Documents
GISELE AMARAL CINTRA - tede.ufam.edu.br

GISELE AMARAL CINTRA - tede.ufam.edu.br

Documents
Guide de l’embellissement - CAUE 64

Guide de l’embellissement - CAUE 64

Documents
CAUE de l'Ain AG 2014

CAUE de l'Ain AG 2014

Art & Photos
Concours photographique du CAUE

Concours photographique du CAUE

Education
Les maisons paysannes - CAUE 80

Les maisons paysannes - CAUE 80

Documents
JEUDI 8 AVRIL - CAUE Sarthe

JEUDI 8 AVRIL - CAUE Sarthe

Documents
conter - FN CAUE

conter - FN CAUE

Documents
Commune de PAU - CAUE 64

Commune de PAU - CAUE 64

Documents
Roof gardens bela cintra

Roof gardens bela cintra

Documents
Teoria Cintra

Teoria Cintra

Education
CAUE de l'Ain AG 2013

CAUE de l'Ain AG 2013

Documents
Le CAUE de Côte-d’Or

Le CAUE de Côte-d’Or

Documents
CURSO RODRIGO CINTRA

CURSO RODRIGO CINTRA

Documents
Architecture contemporaine - FN CAUE

Architecture contemporaine - FN CAUE

Documents
CAUE des Deux-Sèvreswp.caue79.fr/wp-content/themes/CAUE2018/telechargement/...Les architectes et paysagistes du CAUE Le CAUE repose sur une équipe pluridisciplinaire composée d’architectes,

CAUE des Deux-Sèvreswp.caue79.fr/wp-content/themes/CAUE2018/telechargement/...Les architectes et paysagistes du CAUE Le CAUE repose sur une équipe pluridisciplinaire composée d’architectes,

Documents
CAUE (1).ppt

CAUE (1).ppt

Documents
Adriana Araujo Cintra

Adriana Araujo Cintra

Documents
Fleurir dans l’Orne - CAUE 61

Fleurir dans l’Orne - CAUE 61

Documents
MODE D’EMPLOI - CAUE de Paris

MODE D’EMPLOI - CAUE de Paris

Documents
CAUE 62 Le Mag

CAUE 62 Le Mag

Documents
Luiz Cintra

Luiz Cintra

Documents
Revista Greta Caue

Revista Greta Caue

Documents
Métodos del CAUE

Métodos del CAUE

Economy & Finance
RAPPORT D'ACTIVIT S - CAUE 89

RAPPORT D'ACTIVIT S - CAUE 89

Documents
Erbs Cintra Dr2011

Erbs Cintra Dr2011

Documents
CLAUDIA CINTRA BORTOLETTO GIANSANTE.pdf

CLAUDIA CINTRA BORTOLETTO GIANSANTE.pdf

Documents
Vitor caue

Vitor caue

Documents