The Science behind Denial of Service attack (DoS)

Bharadwaj D J
14 min read · Dec 18, 2020


What is a Denial of Service (DoS) attack

Denial of Service (DoS) attacks have become a major threat to computer systems, plaguing the Internet and its applications since their first big appearance. DoS attacks are capable of tearing down the Internet’s backbone, bringing all communication across it to a grinding halt. What began as “script kiddie pranks” has evolved into organized digital crime targeting the networks and applications of government and business establishments, with motives ranging from defamation to extortion. Suddenly your web server becomes unavailable. When you investigate, you realize that a flood of packets is surging into your network. You have just become one of the hundreds of thousands of victims of a denial-of-service attack, a pervasive and growing threat to the Internet. Internet Denial of Service sheds light on a complex and fascinating form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide. It tells the network administrator, corporate CTO, incident responder, and student how DDoS attacks are prepared and executed, how to think about DDoS, and how to arrange computer and network defenses.

What is a Denial of Service (DoS) attack?

A Denial of Service (DoS) attack is, by definition, any attack that denies a particular service or resource to legitimate users. Back in 1974, a 13-year-old named David Dennis performed the first DoS attack: he wrote a command, “ext”, that hit a nearby university research lab and forced its computer systems to power off. A more organized, structured, and sophisticated version of DoS is the Distributed Denial of Service (DDoS) attack. A DDoS attack is a very large scale coordinated attack aimed at disrupting the use of a resource or service by its legitimate users. According to the Computer Incident Advisory Capability (CIAC), the first DDoS attacks were seen in 1999. The first big commercial impact of DDoS was felt when the popular Internet site Yahoo.com was taken offline for almost two hours, leading to huge revenue losses for Yahoo. DDoS attacks have now become a very regular affair on the Internet, with dozens of sites being brought down every week. The motivation behind these attacks has drastically shifted from “casual play” by script kiddies to “extortion demands” by organized professional groups. Attackers include hacktivists (hackers whose activity is aimed at promoting a social or political cause), profit-motivated cybercriminals, and nation-states.

Understanding DoS

A quick understanding of the TCP 3-way handshake will help to grasp the further details of DoS attacks:

1. The client sends a SYN packet to the server.

2. The server responds with a SYN/ACK packet, which indicates that the SYN was received.

3. The client completes the connection by sending an acknowledgment (ACK) packet.

Working of DoS attack

A DoS attack does not depend on any special program. Instead, it takes advantage of an inherent weakness in the way computers on a network communicate. For example, suppose you wish to visit a banking site in order to transfer some money to a friend. Your computer sends a small packet of information to the website. The packet works as a messenger: it says “Hi, I would like to visit your page, please let me in.” When the server receives your computer’s message, it sends a short message back saying, in a sense, “OK, are you real?” Your computer responds “Yes” and communication is established. The website’s homepage then appears on your screen, and you can navigate to the login page with your net banking credentials.

In a DoS attack, a computer is manipulated to send not just one “introduction” to a server, but hundreds or thousands. The server, which cannot tell that the introductions are fake, sends back its usual response and waits up to a minute in each case to hear a reply. When it gets no reply, the server closes the connection, and the attacking computer repeats the cycle by sending a new batch of fake requests. DoS attacks mostly affect organizations and how they operate in a connected world. For consumers, the attacks hinder their ability to access services and information.

Working of DDoS attack

Distributed Denial of Service attacks represent the next step in the evolution of DoS attacks as a way of disrupting the Internet and software applications. There is a significant reason why DDoS attacks have become the weapon of choice for disrupting networks, servers, and web applications or web sites.

The attacks use a large number of compromised computers, as well as other electronic devices (such as webcams and smart televisions, which make up the ever-increasing Internet of Things), to force the targeted website, server, or network offline.

In its most general form, a DDoS network consists of the Attacker, the Master, and the Slave machines (also called Zombies). The Attacker controls the Masters, which in turn control the Slaves. The command-and-control hierarchy is pyramidal, with the Attacker at the apex, Masters in the middle tier, and Zombies at the base. Attackers mostly use well-known, publicly released software exploits to compromise Master and Slave machines. Once compromised, DDoS tools are installed on these captured machines. After compromising a few thousand such hosts, the Attacker is ready to launch a DDoS attack. During an attack, the Attacker commands the Master machines, which in turn command the Slaves to start attacking the target.

Key Categories of DoS or DDoS attacks

Volumetric Attacks: Consume the bandwidth of the target network or service. The magnitude of the attack is measured in bits per second (bps). The two kinds of bandwidth depletion attack are flood attacks and amplification attacks. Techniques include the UDP flood attack, ICMP flood attack, Ping of Death attack, and Smurf attack.

Protocol based Attacks: Consume other types of resources, such as the connection state tables in network infrastructure components like load balancers, firewalls, and application servers. The magnitude of the attack is measured in packets per second (pps). Techniques include the SYN flood attack, fragmentation attack, ACK flood attack, and TCP state exhaustion attack.

Application Layer based Attacks: Consume application resources or the service itself, making it unavailable to other legitimate users. The magnitude of the attack is measured in requests per second (rps). Techniques include HTTP GET or POST attacks and the Slowloris attack.

Common types of DoS or DDoS attacks

UDP Flood attack: An attacker sends spoofed UDP packets at a very high packet rate to random ports on the target server, using a large range of source IP addresses. The flood of UDP packets causes the server to repeatedly check for an application listening on each port; finding none, it replies with an ICMP ‘Destination Unreachable’ packet each time, and legitimate applications become inaccessible. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.

ICMP Flood Attack: Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging about undeliverable packets. In an ICMP flood attack, attackers send large volumes of ICMP echo request packets to a victim system, either directly or through reflection networks. These packets prompt the victim’s system to reply, and the combined traffic saturates the bandwidth of the victim’s network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests. To protect against ICMP flood attacks, set a threshold limit which, when exceeded, invokes the ICMP flood protection feature.

Ping of Death Attack: In a Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the targeted system or service by sending malformed or oversized packets using a simple ping command. For instance, the attacker sends a packet with a size of 65538 bytes to the target web server. This exceeds the maximum IP datagram size of 65535 bytes prescribed by RFC 791. Such a packet can only be carried as IP fragments, and the reassembly process on the receiving system might cause the system to crash.
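The defensive counterpart to the oversized ping is a bounds check during reassembly: a receiver must refuse any fragment whose data would push the reassembled datagram past 65535 bytes before it touches the buffer. The following is an added example, not code from the article; the IPv4 header bytes it parses are constructed with the `build_fragment` helper and use documentation addresses.

```python
import struct

MAX_DATAGRAM = 65535   # largest IPv4 datagram RFC 791 allows (16-bit Total Length)
MF_FLAG = 0x2000       # "More Fragments" bit in the flags/fragment-offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units


def parse_fragment(pkt):
    """Return (ident, ihl, offset_bytes, payload_len, more_fragments) for one IPv4 fragment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    offset = (flags_off & OFFSET_MASK) * 8
    return ident, ihl, offset, total_len - ihl, bool(flags_off & MF_FLAG)


def fragment_fits(pkt):
    """True if header + offset + data stays within a legal 65535-byte datagram.
    A Ping of Death fragment fails this and must be discarded before reassembly."""
    _ident, ihl, offset, payload_len, _more = parse_fragment(pkt)
    return ihl + offset + payload_len <= MAX_DATAGRAM


def build_fragment(ident, offset_bytes, payload_len, more=False):
    """Construct a minimal IPv4 fragment (checksum left zero) for the demonstration."""
    flags_off = (offset_bytes // 8) | (MF_FLAG if more else 0)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    last_ok = build_fragment(1, 65496, 19)   # reassembled size exactly 65535
    last_bad = build_fragment(1, 65496, 22)  # reassembled size 65538, as in the article
    print(fragment_fits(last_ok), fragment_fits(last_bad))  # True False
```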

Smurf Attack: In a Smurf attack, the attacker spoofs the source IP address with the victim’s IP address and sends a large number of ICMP ECHO request packets to an IP broadcast address. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. Their responses are sent to the victim machine, ultimately causing it to crash.

SYN Flood Attack: The attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The target machine sends back a SYN/ACK in response to each request and waits for the ACK that would complete the session setup. The target machine never gets that response because the source address is fake. SYN flooding takes advantage of a flaw in the way most hosts implement the TCP three-way handshake. When host B receives the SYN request from host A, it must keep track of the partially opened connection in a “listen queue” for at least 75 seconds. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN/ACK. The victim’s listen queue quickly fills up. This ability to hold up each incomplete connection for 75 seconds can be cumulatively used as a denial of service attack.
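To make the arithmetic behind the 75-second hold time concrete, here is an added example (not from the article) that models a stateful listen queue under a spoofed SYN stream and replays the same traffic against a server using SYN cookies, a stateless mitigation the article does not cover. The queue capacity, SYN rate and arrival times are constructed.

```python
HOLD_SECONDS = 75.0  # half-open retention time quoted in the article


class ListenQueue:
    """Stateful listen queue (default) or a stateless SYN-cookie server."""
    def __init__(self, capacity, syn_cookies=False):
        self.capacity = capacity
        self.syn_cookies = syn_cookies
        self.half_open = {}  # (label, n) -> time the half-open entry expires
        self.accepted = 0    # legitimate connections established
        self.dropped = 0     # legitimate SYNs refused because the queue was full

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]

    def on_syn(self, now, key, completes):
        """Handle one SYN at time `now`; `completes` is True for a real client."""
        self._expire(now)
        if self.syn_cookies:
            # No state is kept between SYN and ACK: a spoofed SYN costs nothing
            # and a real client's ACK is validated against the cookie instead.
            if completes:
                self.accepted += 1
            return
        if len(self.half_open) >= self.capacity:
            if completes:
                self.dropped += 1  # the real client is the one that suffers
            return
        if completes:
            self.accepted += 1  # final ACK arrives at once, slot is released
        else:
            self.half_open[key] = now + HOLD_SECONDS  # spoofed: slot stays held


def simulate(capacity, syn_cookies, spoof_rate, duration, legit_times):
    """Replay spoofed SYNs at spoof_rate/s for `duration` seconds plus legitimate
    SYNs at `legit_times`. Returns (legitimate accepted, legitimate dropped)."""
    events = [(i / spoof_rate, ("spoofed", i), False)
              for i in range(int(spoof_rate * duration))]
    events += [(t, ("client", i), True) for i, t in enumerate(legit_times)]
    events.sort(key=lambda e: e[0])  # stable sort: spoofed SYN first on a tie
    q = ListenQueue(capacity, syn_cookies)
    for now, key, completes in events:
        q.on_syn(now, key, completes)
    return q.accepted, q.dropped


def seconds_to_fill(capacity, spoof_rate):
    """Seconds until a stateful backlog is full, or None if entries expire first."""
    t = capacity / spoof_rate
    return t if t < HOLD_SECONDS else None


if __name__ == "__main__":
    legit = [10, 30, 55, 58]
    print("stateful  :", simulate(100, False, 2, 60, legit))  # (2, 2)
    print("syn-cookie:", simulate(100, True, 2, 60, legit))   # (4, 0)
    print("backlog of 100 fills after", seconds_to_fill(100, 2), "s")  # 50.0
```

Two spoofed SYNs per second are enough to fill a 100-entry backlog in 50 seconds, well inside the 75-second hold time, after which every legitimate client is refused; at one SYN per second the same backlog never fills because entries expire faster than they arrive.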

Fragmentation Attack: These attacks destroy a victim’s ability to reassemble fragmented packets by flooding it with TCP or UDP fragments, resulting in reduced performance. The attacker sends a large number of fragmented (1500+ bytes) packets to a target web server at a relatively low packet rate. Since the protocol allows fragmentation, these packets usually pass through network equipment like routers, firewalls, and IDS/IPS uninspected. Reassembling and inspecting these large fragmented packets consumes excessive resources. Moreover, the attacker randomizes the content of the fragments, which makes the process consume even more resources and can lead the system to crash.

HTTP GET and POST Attack: HTTP clients such as web browsers connect to a web server through HTTP protocol to send HTTP requests. These requests can either be HTTP GET or HTTP POST. In HTTP GET attack, the attackers use time delayed HTTP header to hold on to HTTP connections and exhaust web server resources. In HTTP POST attack, the attacker sends the HTTP requests with complete headers but incomplete message body to the target web server or application making the server wait for the rest of the message body.

Slowloris Attack: In the Slowloris attack, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial HTTP requests, the target server opens multiple connections and keeps waiting for the requests to complete. These requests are never completed and, as a result, the target server’s maximum concurrent connection pool fills up and additional connection attempts are denied.

Multi-Vector attack: In multi-vector DDoS attacks, the attackers use combinations of volumetric, protocol, and application-layer attacks to take down the target system or service. The attacker quickly switches from one form of DDoS attack (e.g., SYN packets) to another, and so on. These attacks are launched either one vector at a time or in parallel, in order to confuse a company’s IT department, make them spend all their resources, and divert their focus to the wrong side.

Peer-to-Peer attacks: Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim’s fake website. Attackers exploit flaws found in networks using the DC++ (Direct Connect) protocol, which is used for sharing all types of files between instant messaging clients. Using this method, attackers launch massive denial of service attacks and compromise websites.

Permanent denial of service attack: Permanent denial of service, known as phlashing, refers to attacks that cause irreversible damage to system hardware. Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware. This attack is carried out using a method known as “bricking a system”. Using this method, attackers send fraudulent hardware updates to the victims.

Distributed Reflection Denial of Service (DRDoS): A distributed reflected denial of service attack (DRDoS), also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application. The attacker launches this attack by sending requests to the intermediary hosts; these requests are then redirected to the secondary machines, which in turn reflect the attack traffic to the target. The main advantage for the attacker is that the primary target appears to be attacked directly by the secondary victims, not by the actual attacker. Multiple intermediary victim servers are used, which results in an increase in attack bandwidth.

The motivation behind DoS or DDoS attacks

Ideology: Usually known as hacktivism; the attackers are motivated to attack opposing parties because of those parties’ ideologies or principles, which the attackers find to be against their own or their nation’s beliefs.

Revenge: Typically used against companies, organizations, and individuals where the attackers are disgruntled groups or individuals.

Cyber war: Utilized at the nation-state level for political and military advantage, and designed to inflict physical or economic impact on opposing targets. It involves well-trained, organized attackers.

Pirates: Sometimes software pirates will compromise systems in an effort to gain access to resources with which to aid the spread of their unlicensed software, media files, and other similar items. Such compromised machines can be used as storage space to host download sites for such files, often causing a heavy drain in network and storage resources on the machine in question.

Mitigation of DoS attacks and DDoS attacks

Comprehensive protection must cover a variety of DDoS threats such as brute force attacks, spoofing, zero-day DDoS attacks, and attacks targeting DNS servers. If you operate on a smaller scale (say, a basic website offering a service), your chances of becoming the victim of a DDoS attack are probably quite low. Even so, taking certain precautions will help protect you against becoming a victim of any type of attack by hackers.

Here are a few things that can help.

· Keep your security software, operating system, and applications updated. Security updates help patch vulnerabilities that hackers may try to exploit. Consider trusted security software such as Norton Security.

· Consider a router that comes with built-in DDoS protection.

· Look for a website hosting service with an emphasis on security.

Taking simple precautions can make a difference when it comes to your online security. For large organizations, the precautions become far more complex.

Prevention of DoS attacks

1. Protect Secondary Victims

o Monitor security on regular basis to remain protected from DDoS agent software.

o Install anti-virus and anti-trojan software and keep these up-to-date.

o Increase awareness of security issues and prevention techniques in all internet users.

o Disable unnecessary services, uninstall unused applications, and scan all the files received from external sources.

o Properly configure and regularly update the built in defensive mechanisms in the core hardware and software of the systems.

2. Detect and Neutralize Handlers

o Network traffic analysis — Analyze communication protocols and traffic patterns between handlers and clients or handlers and agents in order to identify the network nodes that might be infected by the handlers.

o Neutralize Botnet Handlers — There are usually few DDoS handlers deployed as compared to the number of agents. Neutralizing a few handlers can possibly render multiple agents useless, thus thwarting DDoS attacks.

o Spoofed Source Address — There is a decent probability that the spoofed source address of DDoS attack packets will not be a valid source address for the specific sub-network they arrive from, which makes such packets identifiable.

3. Prevent Potential Attacks

o Egress Filtering

§ Egress filtering scans the headers of IP packets leaving a network.

§ Egress filtering ensures that unauthorized or malicious traffic never leaves the internal network.

§ The packets will not reach the targeted address if they do not meet the necessary specifications.

o Ingress Filtering

§ Ingress filtering prevents source address spoofing of internet traffic.

§ It protects from flooding attacks which originate from the valid prefixes or IP addresses.

§ It enables the originator to be traced to its true source.

o TCP Intercept

§ The TCP Intercept feature in a router protects TCP servers from a TCP SYN-flooding attack.

§ Configuring TCP Intercept prevents DoS attacks by intercepting and validating TCP connection requests.

o Rate Limiting

§ Rate limiting controls the rate of outbound or inbound traffic on a network interface controller.

§ It reduces the high-volume inbound traffic that constitutes a DDoS attack.
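The egress, ingress and rate-limiting checks above can be expressed as one edge policy: a packet arriving from outside must not claim a source inside our own prefixes, a packet leaving must carry a source inside them, and whatever survives is metered per source with a token bucket. The following is an added example, not the article’s or any vendor’s code; the site prefix, packet records and limits are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed site prefix; in practice this is the address space the edge
# router is authoritative for (documentation range used here).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_ours(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in OUR_PREFIXES)


def spoof_check(direction, src):
    """Return None if `src` is plausible for the direction, else a drop reason."""
    if direction == "ingress" and is_ours(src):
        return "drop: ingress spoof"   # outside packet claiming our own prefix
    if direction == "egress" and not is_ours(src):
        return "drop: egress spoof"    # inside host forging a foreign source
    return None


class TokenBucket:
    """Rate limiter: refills `rate` tokens per second up to a burst of `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_policy(packets, rate=2.0, burst=3):
    """packets: (time_s, direction, src) tuples in time order. One verdict per packet."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    verdicts = []
    for now, direction, src in packets:
        reason = spoof_check(direction, src)
        if reason is None and not buckets[src].allow(now):
            reason = "drop: rate limit"
        verdicts.append(reason or "forward")
    return verdicts


# Constructed traffic sample: two spoofed packets, then a 4-packet burst from one
# outside host within 0.3 s (burst allows 3), then one more packet 2 s later.
SAMPLE_PACKETS = [
    (0.0, "ingress", "203.0.113.9"),
    (0.0, "egress", "10.1.1.1"),
    (0.0, "ingress", "198.51.100.5"), (0.1, "ingress", "198.51.100.5"),
    (0.2, "ingress", "198.51.100.5"), (0.3, "ingress", "198.51.100.5"),
    (2.0, "ingress", "198.51.100.5"),
]
```

Running `run_policy(SAMPLE_PACKETS)` drops the two spoofed packets by address alone, forwards the first three packets of the burst, rate-limits the fourth, and forwards the packet that arrives after the bucket has refilled.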

4. Deflect Attacks

o Systems that are set up with limited security, also known as Honeypots, act as an enticement for an attacker.

o Honeypots serve as a means for gaining information about attackers, attack techniques and tools by storing a record of the system activities.

o Use a defense-in-depth approach with IPSes at different network points to divert suspicious DoS traffic to several honeypots.

5. Mitigate Attacks

o Load Balancing

§ Increase bandwidth on critical connections to absorb additional traffic generated by an attack.

§ Replicate servers to provide additional failsafe protection.

§ Balance the load across servers in a multiple-server architecture to mitigate DDoS attacks.

o Throttling

§ Configure routers in front of a server with logic that throttles incoming traffic to levels that are safe for the server.

§ Throttling helps in preventing damage to servers by controlling the DoS traffic.

§ This method helps routers manage heavy incoming traffic, so that the server can handle it.

§ It filters legitimate user traffic from fake DDoS attack traffic.

o Drop requests

§ In this technique, servers and routers drop packets when load increases.

§ The system induces the requester to drop the request by making it solve a difficult puzzle that requires a lot of memory or computing power before continuing with the request.

6. Post-Attack Forensics

o Traffic pattern analysis

§ Traffic pattern analysis can help network administrators develop new filtering techniques and prevent the attack from entering or leaving the network.

§ Output from traffic pattern analysis helps in updating load balancing and throttling countermeasures to enhance efficiency and protection ability.

o Packet traceback

§ Packet traceback is similar to reverse engineering.

§ It helps in identifying the true source of the attack and taking the necessary steps to block further attacks.

o Event log analysis

§ Event log analysis helps in identifying the source of the DoS traffic.

§ This allows network administrators to recognize the type of DDoS attack or the combination of attacks used.
