4BA2

leaflet

Technology Survey

Denial of Service and Countermeasures

by Alexander Murphy, Audrey Pender, Louise Reilly and Siobhan Connel

Introduction

The function of a denial of service attack is fundamentally to flood its target machine with so much traffic that it can no longer respond to other requests or provide its services. The target machine is kept so busy responding to the traffic it is receiving from its attacker that it has insufficient resources to respond to legitimate traffic on the network. A distributed denial of service attack adds a many-to-one dimension to these forms of attack. This form of denial of service generally involves a machine containing a master program and several machines which have been enslaved as zombie machines. They are referred to as zombies because these machines, originally themselves victims of a denial of service attack, unwittingly become attackers. These zombies or daemons reside on the victim's machine until they are instructed by the master machine to attack another target. This makes it almost impossible to track down the real attacker, as the attack is coming from zombie machines which have no knowledge of the origin of the attack.

[Figure 1]: Distributed Denial of Service (DDoS)

In this paper we will discuss some of the more commonly known methods of both denial of service and distributed denial of service attacks and the possible countermeasures.

Smurf Attack:
This form of attack involves sending Internet Control Message Protocol (ICMP) echo, or ping, requests to multiple Internet Protocol (IP) broadcast addresses. All of these messages carry a spoofed source address: that of the intended victim. Each host receiving the ICMP echo request replies with an echo to the source address, which in this case is the target of the attack. [1] The weight of this attack is therefore effectively multiplied by the number of responding hosts. If the attack took place on a multi-broadcast network there could potentially be hundreds of machines replying to each packet sent. [2]

UDP Flood:
A UDP flood, also known as a fraggle, is a cousin of the Smurf attack. It is based on the UDP echo and character generator (chargen) services. A forged UDP packet is used to connect the echo service on one machine to the chargen service on another. These two machines then use up all available bandwidth sending characters back and forth between themselves.

SYN Flood:
A SYN flood exploits the TCP standard three-way handshake protocol. The attacker initiates a connection request to the server and then never sends the final acknowledgement (ACK). This forces the server to wait for the ACK from the attacker, wasting time and resources. A server can at any given time only process a fixed number of requests, and so this form of attack can effectively block all legitimate traffic.

The following are examples of distributed denial of service attacks and the way in which the zombie machines in each case are controlled. There are numerous variations of this kind of attack in existence.

Trinoo:
The master program is given the command to commence the attack by the attacker using TCP. The zombie machines are then given their orders by the master program through UDP packets. The zombie machines then launch a UDP flood attack on the target victim. [1]

Tribe Flood Network:
The communication between the attacker and the master control program in this instance takes place over a command line interface. The control program then communicates with the zombie machine using ICMP echo reply packets. The attack zombies then in turn implement Smurf, SYN flood and UDP flood attacks.

In the past year or more, hackers have begun turning their armies of zombie computers to gambling sites, crippling them when they're needed most, at large events such as Wimbledon and the Super Bowl. The demands are simple, 'pay us money, or your system will be unusable'. These extortionists have demanded anything between $20,000 and $50,000 in recompense. With gambling sites expected to lose literally millions while these attacks are continuing, most pay up.

"BetWWTS.com in Antigua paid $30,000 to hackers when their attacks meant thousands of its customers couldn't place wagers worth an estimated $5 million, CEO Simon Noble says." [3]

 

[Figure 2]

Shown above is a performance diagram of some UK betting sites which were targeted and disrupted in June 2004. It's noticeable just how disastrous these attacks can be if they bring some of these main sites to their knees for several hours.

Britain's National Hi-Tech Crime Unit has been investigating such cases. Recently, in association with Russian police, three "masterminds" [4] were arrested in connection with targeting gambling sites:

"authorities say the suspects had netted hundreds of thousands of dollars from October 2003 through early 2004 in extortion payments." [4]

Countermeasures

There are several stages involved in combating denial of service attacks. The first is recognising that you are undergoing an attack. The second is determining what kind of attack is being executed: for example, is it a single-source attack, or are multiple sources being used? The final stage involves counteracting the attack. Different methods are utilised to combat different types of attack, and knowledge of how the attack is being performed can help in choosing the best solution. Different techniques can also be used depending on whether or not the network has mobile components in it. We will illustrate some techniques that have been suggested to determine the type of attack and some of the countermeasures that can be instigated in response.

Characterising the type of Attack:

One approach is simply to analyse the header fields of the packets being used in an attack. However, due to the ease with which attackers can forge most packet information, analysing something as obvious as the source field is futile. Heidemann et al. [5] suggest that other fields, such as the fragment ID or time to live, may be utilised instead. Packets generated by the same host will contain monotonically increasing ID values. Time to live values will remain constant for the same source-destination pair, assuming the routes remain relatively stable during the attack. These characteristics can be used to classify attacks as single- or multi-source.

Heidemann also proposes analysing the ramp-up behaviour of the attack. The intensity with which an attack increases, or 'ramps up', over time can be used as an indication of the number of sources being used in the attack. With multiple sources, the intensity of packets being sent to the victim tends to build up more slowly than for a single-source attack. The signal to start the attack will reach the zombie computers across the network at slightly different times due to path latency. Their attacks will therefore start at different times and so build up more slowly than single-source attacks (which typically begin at full strength). [Figure 3] illustrates the ramp-up characteristic of a multi-source attack: there is a three-second ramp-up at about 27 seconds as the number of attackers increases from one to six. This method is not robust, however, as an attacker could create an artificial ramp-up from a single site.

[Figure 3]: Ramp up characteristic of a multi-source attack
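The two heuristics above (IP ID / TTL consistency, and ramp-up time) as an added detection example, not code from the paper or from Hussain et al. [5]; the packet record fields and the constructed traces are my own assumptions:

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    t: float      # arrival time at the victim, seconds
    ip_id: int    # IP identification (fragment ID) field
    ttl: int      # time-to-live as observed at the victim

def classify_by_headers(pkts):
    """Single source: IP IDs rise monotonically (mod 2^16) and the TTL is
    constant. Violations imply several senders. Caveat from the text: a
    single attacker can forge both fields, so treat this as a hint only."""
    if len(pkts) < 2:
        return "unknown"
    ttl_constant = len({p.ttl for p in pkts}) == 1
    ids_rising = all(0 < (b.ip_id - a.ip_id) % 65536 < 1000  # small forward step
                     for a, b in zip(pkts, pkts[1:]))
    return "single-source" if ttl_constant and ids_rising else "multi-source"

def ramp_up_seconds(pkts, bin_s=1.0, peak_frac=0.9):
    """Seconds from the first packet until the per-bin rate first reaches
    peak_frac of its peak. A single source starts at full strength (0 s);
    zombies receiving the start signal at different times ramp up slowly."""
    t0 = pkts[0].t
    bins = {}
    for p in pkts:
        b = int((p.t - t0) // bin_s)
        bins[b] = bins.get(b, 0) + 1
    peak = max(bins.values())
    return min(b for b, n in bins.items() if n >= peak_frac * peak) * bin_s

# Constructed traces (not real captures): one host at 100 pkt/s, and six
# zombies at 20 pkt/s each that join half a second apart.
def single_trace(n=600, rate=100):
    return [Pkt(i / rate, (4000 + i) % 65536, 52) for i in range(n)]

def multi_trace(senders=6, rate=20, gap=0.5, dur=6.0):
    pkts = []
    for s in range(senders):
        for i in range(int(rate * (dur - s * gap))):
            pkts.append(Pkt(s * gap + i / rate, (s * 10000 + i) % 65536, 40 + s))
    return sorted(pkts, key=lambda p: p.t)

if __name__ == "__main__":
    for name, tr in (("single", single_trace()), ("multi", multi_trace())):
        print(name, classify_by_headers(tr), ramp_up_seconds(tr), "s ramp-up")
```

The multi-source trace classifies as such on its six distinct TTLs and shows a two-second ramp-up, while the single host is flagged immediately at full rate.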

Counteracting DoS attacks:

An obvious approach to dealing with DDoS attacks would simply be to trace the attacker and prevent those responsible from controlling the zombie computers which attack the computer or network. However, this is usually not possible because zombies are controlled by an attack control mechanism, which is in turn remotely controlled by the attacker. To make tracing the attack significantly more difficult, communication between the zombie, control mechanism and attacker is often encrypted. [6]

There are a number of proposed schemes to deal with DDoS attacks. A method worthy of mention is the CenterTrack approach devised by Robert Stone. This works by creating special tracking routers which link all edge routers to a central tracking router. This is referred to as an overlay network. During an attack, traffic for the victim is routed through this network dynamically. Then hop-by-hop tracking is used to trace back to the access point of the attacking source, beginning from the tracking router that is closest to the victim. A major advantage of this scheme is the reduced number of hops required to trace back to the source of the attack. However, the system must be implemented perfectly: even the tiniest error could severely disrupt it. [6] For most, Stone's approach is a little too volatile. He also suggests another method, in which all edge routers store information concerning the traffic that passes through them in a database. This should include information such as the source and destination address. In the event of an attack, this database is searched using the signature of the attack so as to determine the ingress adjacency. This method does not require any tracking hops to trace the ingress edge, and tracing is not limited to the duration of the attack. [6]

Tupakula and Varadharajan suggest a Packet Marking Technique.

"Our aim is to prevent the attack at the nearest point to the source of attack (that is the ingress edge)" [6]

Their technique involves a Controller-Agent model in which the controller is assumed to be an entirely trusted entity, responsible for the management of DDoS attacks. Agents may be implemented on either transit or edge routers, both of which are internal routers belonging to the ISP domain. With the use of packet marking the routers are able to distinguish packets marked by other agents from packets marked by attackers. It is important that only the ingress agent marks the packet. If an agent receives a marked packet it should be able to determine easily whether it was marked by an authorised agent or by an attacker. The packet should be marked in such a way that the agent that first marked the packet can be identified from a minimum number of packets. Previous methods used probabilistic techniques to mark the packet, thus requiring a substantial number of packets to calculate the total path traversed by the attack traffic, which is of course time consuming. Ideally, observing a single packet would suffice. Tupakula and Varadharajan therefore mark packets using an algorithm based on the fragment ID field, which may allow the ingress agent to be identified by looking at only one packet. If a packet does not have a valid marker and is deduced to have come from an attacker then it is dropped. [6]
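An added illustration of the marking properties described above (identify the ingress agent from one packet; reject markers an attacker invents). The encoding is hypothetical and is not the scheme in [6]: it splits the 16-bit IP ID field into a 6-bit agent id and a 10-bit keyed tag, and assumes a key the controller shares with all agents.

```python
import hmac
import hashlib

AGENT_BITS, TAG_BITS = 6, 10          # 6 + 10 = the 16-bit IP ID field
TAG_MASK = (1 << TAG_BITS) - 1

def _tag(agent_id: int, key: bytes, dst: bytes) -> int:
    # Keyed tag over (ingress agent id, victim address). The key is assumed
    # to be shared by the controller with all agents so any agent can verify.
    mac = hmac.new(key, bytes([agent_id]) + dst, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") & TAG_MASK

def mark(agent_id: int, key: bytes, dst: bytes) -> int:
    """Ingress agent only: value to place in the IP ID field of a packet
    bound for `dst`. Transit agents never re-mark an already marked packet."""
    if not 0 <= agent_id < (1 << AGENT_BITS):
        raise ValueError("agent id does not fit the marker")
    return (agent_id << TAG_BITS) | _tag(agent_id, key, dst)

def ingress_agent(ip_id: int, key: bytes, dst: bytes):
    """Any agent: recover the ingress agent id from a single packet, or
    return None when the tag does not verify (attacker-forged marker).
    Caveat: a 10-bit tag leaves a 1/1024 chance per packet of a lucky guess,
    and reusing the ID field conflicts with IP fragmentation."""
    agent_id, tag = ip_id >> TAG_BITS, ip_id & TAG_MASK
    expected = _tag(agent_id, key, dst)
    if hmac.compare_digest(tag.to_bytes(2, "big"), expected.to_bytes(2, "big")):
        return agent_id
    return None

def filter_at_agent(packets, key: bytes):
    """Drop packets whose marker is invalid; return (kept, dropped, ingress
    agents seen). The set of ingress agents is what the controller acts on."""
    kept, dropped, ingresses = 0, 0, set()
    for ip_id, dst in packets:
        agent = ingress_agent(ip_id, key, dst)
        if agent is None:
            dropped += 1
        else:
            kept += 1
            ingresses.add(agent)
    return kept, dropped, ingresses

if __name__ == "__main__":
    key, victim = b"controller-shared-key", bytes([10, 0, 0, 7])   # constructed
    genuine = mark(5, key, victim)
    forged = genuine ^ 0x1                  # attacker flips one tag bit
    print(filter_at_agent([(genuine, victim), (forged, victim)], key))
```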

Counteracting DoS attacks on a wireless network:

Denial of service attacks in mobile networks can involve different techniques from those used in networks with no wireless component. One such attack is accomplished either by bypassing MAC-layer protocols and bombarding the victim with packets, or simply by emitting a signal aimed at jamming a particular channel. A solution for this type of attack, which utilises channel surfing, is proposed by Xu et al. [7]

"Typically, when radio devices communicate they operate on a single channel. When an adversary comes in range and blocks the use of a specific channel, it is natural to migrate to another channel." [7]

The two devices should of course both migrate to orthogonal channels in order to avoid any interference from the attacker's jamming signal. If the attacker is using the same technology as the devices it is jamming, it is important to know how many orthogonal channels are available to switch to [7]. It is of course conceivable that the attacker would periodically check whether it is still interfering with the two devices and, if not, change the channel it is jamming. The obvious solution is to change to the next orthogonal channel above or below the one being used. This would however make it easy to track which channels the devices have changed to. Instead it is proposed that the devices should generate the next channel pseudo-randomly and communicate this through a shared key [7].
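The keyed channel choice just described, as an added simulation that is not code from Xu et al. [7]: both radios derive the next orthogonal channel from an HMAC over a shared key and an epoch counter, and a jammer that assumes the "next channel up" policy is compared against one that tracks the predictable policy. The channel list and the jammer's behaviour are assumptions.

```python
import hmac
import hashlib

# Assumed hop set: eight non-overlapping (orthogonal) 5 GHz channels.
ORTHOGONAL = [36, 40, 44, 48, 52, 56, 60, 64]

def keyed_hop(key: bytes, epoch: int, current: int, channels=ORTHOGONAL) -> int:
    """Next channel from HMAC(key, epoch): both radios compute it locally, so
    nothing about the destination is sent over the jammed channel. The
    current (jammed) channel is excluded so the pair always moves."""
    candidates = [c for c in channels if c != current]
    digest = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

def step_up_hop(key: bytes, epoch: int, current: int, channels=ORTHOGONAL) -> int:
    """The 'obvious' policy from the text: next orthogonal channel up."""
    return channels[(channels.index(current) + 1) % len(channels)]

def simulate(hop, key: bytes, rounds: int = 12, channels=ORTHOGONAL):
    """Jammer starts on the pair's channel; whenever it finds them it jams that
    round and then assumes they stepped up one channel (it stays put once it
    has lost them). Returns (rounds_jammed, radios_always_agreed)."""
    link = jammer = channels[0]
    jammed, agreed = 0, True
    for epoch in range(rounds):
        if jammer == link:
            jammed += 1
            a = hop(key, epoch, link, channels)   # radio A decides...
            b = hop(key, epoch, link, channels)   # ...radio B decides independently
            agreed = agreed and a == b
            jammer = step_up_hop(key, epoch, link, channels)   # jammer's guess
            link = a
    return jammed, agreed

if __name__ == "__main__":
    key = b"pre-shared-surfing-key"          # constructed
    print("step-up policy:", simulate(step_up_hop, key))
    print("keyed policy:  ", simulate(keyed_hop, key))
```

With the step-up policy the jammer follows the pair in every round; with the keyed policy the two radios still agree on every hop but the jammer's guess is right only by chance.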

Conclusion

Denial of service and distributed denial of service attacks cause major disruption to businesses worldwide. Launching a DDoS attack is trivial in comparison to the amount of time and resources spent on creating an effective countermeasure. New techniques for detecting and combating these attacks are constantly being created; however, new forms of attack are also being created, rendering these countermeasures obsolete. This is an ongoing problem to which there is no permanent solution in sight.

References

[1] F. Lau, S. H. Rubin, M. H. Smith and L. Trajkovic, Distributed denial of service attacks. Systems, Man, and Cybernetics, 2000 IEEE International Conference on, Vol. 3, 8-11 Oct. 2000, pp. 2275-2280.

[2] "The latest in denial of service attacks: 'Smurfing'. Description and information to minimize effects" by Craig A. Huegen. Smurfing, 21-02-2005.

[3] "Gambling Sites Prime DoS Targets" by Paul Rothman. Gambling Sites, 20-02-2005.

[4] "Experts fret over online extortion attempts" by Bob Sullivan. MSNBC, 20-02-2005.

[5] Alefiya Hussain, John Heidemann and Christos Papadopoulos, Denial-of-service: A framework for classifying denial of service attacks. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 2003.

[6] Udaya Kiran Tupakula and Vijay Varadharajan, A practical method to counteract denial of service attacks. Proceedings of the twenty-sixth Australasian computer science conference on Conference in research and practice in information technology - Volume 16, February 2003.

[7] Wenyuan Xu, Timothy Wood, Wade Trappe and Yanyong Zhang, Wireless monitoring and denial of service: Channel surfing and spatial retreats: defenses against wireless denial of service. Proceedings of the 2004 ACM workshop on Wireless security, October 2004.

[Figure 1] F. Lau, S. H. Rubin, M. H. Smith and L. Trajkovic, Distributed denial of service attacks. Systems, Man, and Cybernetics, 2000 IEEE International Conference on, Vol. 3, 8-11 Oct. 2000, pp. 2275-2280.

[Figure 2] "Euro 2004 Gambling Sites Hit By Denial Of Service Attacks". Euro Gambling.

[Figure 3] Alefiya Hussain, John Heidemann and Christos Papadopoulos, Denial-of-service: A framework for classifying denial of service attacks. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 2003.