What is the primary defense against many DoS attacks, and what steps should be taken when a DoS attack is detected?

Intrusion Response Systems: A Survey

Bingrui Foo, ... Eugene H. Spafford, in Information Assurance, 2008

13.5.1 Primitives for Responding to DDoS

DDoS attacks typically require four components: an attacker, master hosts, zombie hosts, and a victim host. Using exploits in a remote system, an attacker installs the attack program that can be remote controlled by the master host. When the attack begins, it usually falls into one of two classes: bandwidth depletion and resource depletion. Attackers can perform these attacks directly or through reflection. Reflection makes it more difficult to track down the source of the problem and offers a greater challenge to DDoS handling systems by bouncing packets off other hosts. The first line of defense against DDoS attacks is intrusion prevention. Rate-limiting filters are commonly used for preventing DDoS attacks [37, 38]. The reason why intrusion prevention and intrusion detection are unlikely to solve all kinds of DDoS attacks is that it is often difficult to tell the two kinds of traffic apart. Although some DDoS traffic can be easily distinguished from legitimate traffic, this is not true in the general case. More sophisticated DDoS toolkits generate traffic that “blends in” with legitimate traffic and, therefore, cannot be blocked. Hence, autonomous intrusion response is called for. Responses when a DDoS attack is detected usually involve some type of trace back or packet marking procedure to locate the source of the attack and block it.

Fundamentally, response mechanisms for DDoS attacks have to be distributed in nature as pointed out in Koutepas et al. [21]. This is due to several factors: (1) attackers most of the time spoof the packet's source IP address, (2) the possibility of the attack initiating from a wide range of networks worldwide, and (3) the inability of a domain to enforce incoming traffic shaping. Detected malicious flows can be blocked locally but the assistance of the upstream network is still needed in order to free the resources occupied on the incoming link.
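A per-source token-bucket rate limiter of the kind the excerpt cites, added here as an example that is not the chapter's own code, run over three constructed traces: it passes a bursty legitimate client, throttles a flood from one address, and, because every spoofed packet arrives from a never-before-seen address, passes the spoofed flood untouched; that is the gap the text says distributed, upstream response must close. All addresses, rates and timestamps are made up.

```python
"""Per-source token-bucket rate limiting, the kind of filter the excerpt cites as a
first line of DDoS defense, run over constructed packet traces.  Added example, not
the chapter's code; rates, addresses and timestamps are made up."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        """Consume one token for a packet seen at time `now`; False means drop."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(packets, rate=10.0, burst=20):
    """Apply one bucket per source address to (timestamp, src) packets, in time
    order.  Returns (forwarded, dropped) lists."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    forwarded, dropped = [], []
    for ts, src in sorted(packets):
        (forwarded if buckets[src].allow(ts) else dropped).append((ts, src))
    return forwarded, dropped


def trace(src_for, count, duration):
    """Constructed trace: `count` packets spread evenly over `duration` seconds,
    the source of packet i being src_for(i)."""
    step = duration / count
    return [(i * step, src_for(i)) for i in range(count)]


# Constructed traces (documentation address ranges, not real hosts).
# A legitimate client: a short burst of 15 requests within one second.
LEGIT = trace(lambda i: "198.51.100.5", 15, 1.0)
# A flood of 200 packets in one second, all carrying the same source address.
SINGLE_SOURCE_FLOOD = trace(lambda i: "203.0.113.9", 200, 1.0)
# The same volume, but every packet carries a different forged source address,
# as the text describes; to a per-source filter each looks like a new, quiet client.
SPOOFED_FLOOD = trace(lambda i: f"203.0.113.{i}", 200, 1.0)


def summarize(packets):
    """Counts a defender would chart: how much of a trace the filter let through."""
    fwd, drop = rate_limit(packets)
    return {"forwarded": len(fwd), "dropped": len(drop)}


if __name__ == "__main__":
    for label, pkts in [("legitimate client", LEGIT),
                        ("single-source flood", SINGLE_SOURCE_FLOOD),
                        ("spoofed-source flood", SPOOFED_FLOOD)]:
        print(f"{label:22s} {summarize(pkts)}")
```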

URL: https://www.sciencedirect.com/science/article/pii/B978012373566950015X

Denial of Service

Stacy Prowell, ... Mike Borkin, in Seven Deadliest Network Attacks, 2010

Over-Provisioning and Adaptive Provisioning

The DDoS attack will only succeed if it can overwhelm your network bandwidth or your servers. One way to prevent a DDoS attack is simply to increase your network and server capacity beyond what is necessary for legitimate traffic. This extra capability can be brought online if a DDoS attack is detected. This over-provisioning can be expensive, however.

An alternative if you use an ISP is to purchase additional capacity for the duration of the DDoS attack. This adaptive provisioning can be provided via burstable circuits, which can carry additional capacity if necessary. You typically pay a rate based on your average use of the connection. Since attackers often “tune” the attack while it is in progress, you will still need to carefully monitor the attack to determine how best to respond. For example, an attack may change from trying to overload a server to exploiting a network protocol.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495493000018

A Quick Perspective on the Current State in Cybersecurity

Diogo A.B. Fernandes, ... Pedro R.M. Inácio, in Emerging Trends in ICT Security, 2014

Good old DDoS

DDoS attacks are making a comeback as actively as they once were. Prolexic reported [39] a steep increase of 718 percent on bandwidth-related attacks, moving from 5.9 Gbps in Q4 2012 to 48.25 Gbps in Q1 2013. These findings, together with the 32.4 Mpps statistic, make blackholing mitigation techniques nonviable. In March 2013, Spamhaus was under the fiercest DDoS attack ever. The attack caused quite a commotion in the media and the industry. CloudFlare diluted an impressive bombardment of 300 Gbps [40] against Spamhaus—a mark that became iconic. Such a high bit rate was attained through DNS reflection and amplification by querying open DNS resolvers around the world with small-sized ANY questions. In return, large-sized responses would be redirected to the target spoofed IP address.

URL: https://www.sciencedirect.com/science/article/pii/B9780124114746000256

IT Infrastructure Security Plan

In Firewall Policies and VPN Configurations, 2006

Distributed Denial-of-Service Attacks

Distributed denial-of-service (DDoS) attacks are a relatively new development, made possible (and attractive to attackers) by the ever-expanding number of machines that are attached to the Internet. The first major wave of DDoS attacks on the Internet appeared in early 2000 and targeted such major e-commerce and news sites as Yahoo!, eBay, Amazon, Datek, and CNN. In each case, the Web sites belonging to these companies were unreachable for several hours at a time, causing a severe disruption to their online presence and effectiveness. Many more DDoS attacks have occurred since then, affecting networks and Web sites large and small.

Warning

Most publicity surrounding DDoS attacks has focused on Web servers as a target, but remember that any computer attached to the Internet can fall victim to the effects of a DDoS attack. This can include everything from file servers or e-mail servers to your users’ desktop workstations.

The DDoS attack begins with a human attacker using a small number of computers, called masters. The master computers use network scanners to find as many weakly secured computers as they can, and they use system vulnerabilities (usually well-known ones) to install a small script or a service (referred to in the UNIX world as a daemon) onto the insecure computer. This machine becomes a zombie and can now be triggered by the master computer to attack any computer or network attached to the Internet. Once the organizer of the DDoS attack has a sufficient number of zombie machines under control, he or she will use the “zombi-fied” machines to send a stream of packets to a designated target computer or network, called the victim. For most of these attacks, these packets are directed at the victim machine. The distributed nature of the DDoS attack makes it extremely difficult to track down the person or persons who began it; the actual attacks are coming from zombie machines, and the owners of these machines are often not even aware that their machines have been compromised. Making matters even more difficult, most network packets used in DDoS attacks use forged source addresses, which means that they are essentially lying about where the attack is coming from.

URL: https://www.sciencedirect.com/science/article/pii/B9781597490887500098

CATRA

Nina Viktoria Juliadotter, Kim-Kwang Raymond Choo, in The Cloud Security Ecosystem, 2015

2.3.4 Distributed denial of service taxonomies

Distributed denial of service (DDoS) attacks against cloud providers are a serious threat due to the high impact of availability disruptions, with consequences such as loss of business, loss of reputation, and possible ransom demands by the attackers (Chonka et al., 2011).

Specht and Lee (2004) present three taxonomies in the DDoS space, namely, attacks, attack tools, and countermeasures. The attack taxonomy uses impact as its main classifier, where the impact of the attack is either resource depletion or bandwidth depletion. The tools used in orchestrating a DDoS give an insight into how the attack is performed. Specht and Lee (2004) classify the tools into agent setup, attack network communication, and targets. Comparing this with the tool taxonomy by Hoque et al. (2014), the agent setup is similar to the preattack tool category, and the attack network communication in Specht and Lee (2004) can be seen as the vector of the attack in Hoque et al. (2014). The countermeasure taxonomy can also be seen in parallel to those of Hoque et al. (2014) and Venter and Eloff (2003), as the former effectively classifies the defense mechanisms by stage of the attack: detect/prevent, mitigate/stop and deflect, and finally postattack forensics.

While Mirkovic and Reiher (2004) include impact as one of the classes, their focus is on the attack and defense strategies of DDoS. It is a comprehensive taxonomy which includes classifications of scanning strategies, propagation mechanisms, spoofing techniques, and attack rate dynamics. Their defense mechanisms taxonomy differentiates between preventative and reactive strategies (similar to that of Venter and Eloff (2003)).

Douligeris and Mitrokotsa (2004) classify DDoS attacks based on the degree of automation, the vulnerability that was exploited, the attack rate dynamics, and whether the impact is disruptive or degrading. The vulnerabilities enumerated are UDP/ICMP flooding attacks, Smurf and Fraggle amplification attacks, protocol exploit attacks, and malformed packet attacks.

URL: https://www.sciencedirect.com/science/article/pii/B9780128015957000033

USB-Based Virus/Malicious Code Launch

Brian Anderson, Barbara Anderson, in Seven Deadliest USB Attacks, 2010

Distributed Denial-of-Service Attacks

A distributed denial-of-service attack (DDoS) is an Internet-based assault that is delivered from multiple sources (botnet) to one destination. The goal of these attacks is to severely impair the victim's network or Web site in such a way that it can no longer service legitimate requests. During a large-scale attack, Internet service provider (ISP) networks can also be affected, resulting in degraded services to their customers. The botnet master can control a large number of bot computers from a remote location, leveraging their bandwidth and resources to send session requests to the intended victim. Botnets are frequently used to carry out these types of attacks because their sessions closely resemble normal Internet traffic patterns, just in excessive amounts. Depending on the nature of the attack, it can be hard to filter out what is and is not bad traffic. The most common tactics that attackers use in DDoS attacks are TCP SYN and UDP floods.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495530000032

Embedded security

J. Rosenberg, in Rugged Embedded Systems, 2017

Distributed denial-of-service

A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (e.g., a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owner's knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed DoS attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time.

Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a zombie agent, or the trojan may contain one. Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web. Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. In some cases a machine may become part of a DDoS attack with the owner's consent, for example, in Operation Payback, organized by the group Anonymous. These attacks can use different types of internet packets such as: TCP, UDP, ICMP, etc.

These collections of compromised systems are known as botnets/rootservers. DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification like smurf attacks and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes. Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well-known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion—even against their business rivals.

DARPA (and the Pentagon) is so concerned about the continued vulnerability of all their systems—embedded devices in weapons systems, on board vessels, in communications devices, in Internet of Things devices being used in the military and intelligence communities, as well as their large enterprise systems—to DoS attacks that a new program called STAC (Space/Time Analysis for Cybersecurity) was created to research ways to determine susceptibility to DoS attacks in a given software system. As new defensive technologies make old classes of vulnerability difficult to exploit successfully, adversaries move to new classes of vulnerability. Vulnerabilities based on flawed implementations of algorithms have been popular targets for many years. However, once new defensive technologies make vulnerabilities based on flawed implementations less common and more difficult to exploit, adversaries will turn their attention to vulnerabilities inherent in the algorithms themselves.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024591000117

Understanding Network Intrusions and Attacks

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

What Is Denial of Service?

Although they do not destroy or steal data like some other types of attacks, DoS attackers aim to bring down a network, denying service to its legitimate users. DoS attacks are easy to initiate; software is readily available from hacker Web sites and warez newsgroups that allow anyone to launch a DoS attack with little or no technical expertise.

The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that crashes the servers, overwhelms the routers, or otherwise prevents the network's devices from functioning properly. DoS can be accomplished by tying up the server's resources by, for example, overwhelming the CPU and memory resources. In other cases, a particular user or machine can be the target of DoS attacks that hang up the client machine and require it to be rebooted.

As we mentioned earlier in this chapter, distributed DoS, or DDoS, attacks use intermediary computers, called agents, on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which could be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.

Examples of DDoS tools hackers use are Tribe FloodNet (TFN), TFN2K, Trinoo, and Stacheldraht (German for barbed wire). Early versions of DDoS tools targeted UNIX and Solaris systems, but TFN2K can run on both UNIX and Windows systems. Tools and information regarding DDoS attacks are available from http://packetstormsecurity.org/distributed/.

Because DDoS attacks are so popular, many tools have been developed to help you detect, eliminate, and analyze DDoS software that could be installed on your network. It is important to note that DDoS attacks pose a two-layer threat. Not only could your network be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, but also your computers could be used as the “innocent middlemen” to launch a DoS attack against another network or site.

DoS/DDoS attacks can be accomplished in a number of ways. Application exploits, operating system exploits, and protocol exploits can all be used to overload systems and create a denial of service. In the following sections, we address specific types of DoS and DDoS attacks and explain how they work.

On the Scene

DoS As a Weapon of Cyberwar

In November 2000, Lucent Technologies announced that a pro-Palestinian group named Unity had attacked its Web site using a tool called Defend, which creates a flood of messages designed to overwhelm the system and create a denial of service. Lucent was said to be targeted because it did business in Israel.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492768000108

Information Warfare

Jan Eloff, Anna Granova, in Computer and Information Security Handbook, 2009

Distributed Denial-of-Service Attacks

The DDoS attack is another type of attack at the OSI level of the network. The first mass DDoS attack took place in February 2000 [75]. Although the attack was reminiscent of a by then well-known DoS strategy, its ferocity justified placing it in a class of its own [76]. Seven major Web sites at the time [77], including eBay, CNN, Amazon, and Yahoo! [78], fell victim to the first DDoS. In recent years, DDoS assaults have become increasingly popular, largely due to the availability of exploits, which require little knowledge and/or skills to implement [79].

Unlike a DoS attack, the source of a DDoS attack originates from a multitude [80] of workstations, possibly located all across the world [81]. Its aim, however, is identical: to bar legitimate parties from accessing and using a specific system or service [82].

The use of intermediate workstations, sometimes referred to as agents [83] or zombies [84], presupposes that in carrying out a DDoS assault, the perpetrator would go through a two-step process [85]. First, a number of workstations (which may number in the thousands) [86] are compromised to turn them into a weapon in the main action. To achieve this goal, the attacker must either gain unauthorized access to the system or induce an authorized user or users to install software that is instrumental for the purposes of the DDoS assault [87].

Thereafter, the hacker launches the attack against a third system by sending appropriate instructions with data [88] on the specific target system to the compromised machines [89]. Thus the attack is carried out against a third system through remote control of other systems over the Internet [90]. Application, operating system, and protocol exploits could all be used to cause a system to overload and consequently create a DoS on an unprecedentedly large scale [91]. The end result would depend on the size of the attack network in question, keeping in mind that even ordinary Web traffic may be sufficient to speedily overwhelm even the largest of sites [92] and render them absolutely useless [93].

Tribe FloodNet (also known as TFN), TFN2K, Trinoo, and Stacheldraht are all examples of DDoS tools. Some of them (the TFN2K) can be used against both Unix and Windows systems [94].

What is interesting is that not only hackers have contemplated the use of DoS and DDoS attacks to further their aims. Information recently leaked from military sources indicates that warfare capabilities are currently officially classified to include DoS attacks as opposed to just conventional weapons of massive destruction [95]. The logical conclusion, therefore, is that a DDoS assault, as part of IW, represents a type of attack that is considered capable of bringing any country to a standstill.

In considering technical remedies for a DDoS, it should be kept in mind that DDoS attacks pose a dual threat [96] to both a primary or secondary victim network in that a network could be either the target or the vehicle of the DDoS assault. As is the case with DoS, the most effective precaution against a DDoS attack is ensuring that the latest patches and upgrades are installed on the system concerned [97]. Finally, the system administrator may also adjust “the timeout option for TCP connections” [98] as well as try to intercept or block the attack messages [99].

URL: https://www.sciencedirect.com/science/article/pii/B978012374354100039X

Limiting Free Speech on the Internet

Paulo Shakarian, ... Andrew Ruef, in Introduction to Cyber-Warfare, 2013

The Optima/Darkness Botnet

One botnet known to be involved in the April 2011 DDoS attack was known as the “Destination Darkness Outlaw System” [59], also referred to as “Optima” or simply “Darkness” [60]. The creators of this botnet first started renting the use of the botnet—allowing users in the criminal underworld to launch attacks or steal data—in March 2009 [61]. However, even though the services of the botnet were advertised for rent at this early stage, the earliest evidence of its use was not discovered by security experts until 2010 [62, 63]. The willingness of botnet authors to sell its services is not uncommon. It was observed that, during the time of the LiveJournal attack (March 23-April 1, 2011), besides the various Navalny Web sites (rospil.info and navalny.livejournal.com), the Web site of the Northwest arm of the Federal office handling industrial supervision as well as the Web site of a furniture factory, kredo-m.ru, were also targeted [64]. The target of a furniture business might indicate a business-to-business attack occurring at the same time as the politically motivated one [65]. Optima/Darkness was well developed by the time of the attack. At that point, the newest version was at least 8—which indicates rapid development and bug-fixing on the part of the authors who initially released the bot in 2009 [66] (at the time of this writing, the current version is 10 [67]). SecureList identifies Optima's authors as “Russian-speaking malware writers,” and the botnet is mainly sold over Russian-language forums [68]. The author also reports uncertainty in determining Optima's size due to its highly segmented structure. With such a structure, the botnet owners may rent out parts of the botnet and may have more than one renter at any given time [69]. The segmented nature could also explain why the furniture factory as well as the federal office was targeted at the same time as the Russian opposition, although seemingly unrelated.

In 2010, it appeared that there were two C&C servers for Optima/Darkness—greatfull.ru and greatfulltoolss.ru, both registered to [email protected]. Further analysis of this e-mail address led to advertisements for the botnet [70]. In early 2011, researchers identified 16 C&C sites—likely indicating the growth of the botnet in both size and popularity [71].

The botnet's DDoS capabilities include flooding via various different protocols including HTTP, ICMP, TCP, and UDP. The HTTP and ICMP protocols are used for Web page delivery and system-level message communication, respectively. TCP and UDP are two of the core protocols that many applications on the Internet leverage for communication. Often, the Optima malware makes use of specific design flaws in these protocols [72]. At the time of the attack, the size of the botnet was assessed to be in the tens of thousands of compromised systems [73, 74]. Since its inception, the bots of Optima/Darkness were designed to use 100 threads. The use of “threads” allows a computer to run multiple processes at once (each process is run in a different “thread”). As a result, the software running on the infected computer could actually conduct 100 attacks at the same time [75]. The malware was also configured in a manner to make it appear as if each of the hundred threads was running on a different computer—which allows the botnet to fool some DDoS protection tools [e]. The end result is that an attack performed by Optima/Darkness would be substantially amplified. As early as 2010, the authors of Optima/Darkness claimed that just 30 of their bots could overwhelm most Web sites [76]. Other features of the malware include the ability to steal passwords, files, and log keystrokes of the bots [77].

URL: https://www.sciencedirect.com/science/article/pii/B9780124078147000051

What is the primary defense against many DoS attacks?

What is the primary defense against many DoS attacks, and where is it implemented? Limiting the ability of systems to send packets with spoofed source addresses. An ISP knows which addresses are allocated to all its customers and hence can ensure that valid source addresses are used in all packets from its customers.
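The ingress check described in the answer above, as an added example (not from the source text): a BCP 38-style filter that knows each customer interface's allocated prefixes, drops packets whose source address falls outside them or inside reserved bogon space, and reports drop counts per interface so an operator can see which customer port has started emitting forged traffic. Interface names, prefixes and the packet trace are constructed.

```python
"""BCP 38-style ingress filtering at the ISP edge: the provider knows which prefixes
it allocated to each customer interface, so a packet arriving on that interface with
a source address outside the allocation is spoofed and is dropped before it can
join a flood.  Added example to illustrate the answer above; interface names,
prefixes and packets are constructed (documentation ranges), not real data."""
import ipaddress
from collections import Counter

# Constructed allocation table: customer-facing interface -> prefixes it was given.
ALLOCATIONS = {
    "cust-eth1": ["203.0.113.0/25", "2001:db8:1::/48"],
    "cust-eth2": ["198.51.100.0/24"],
}

# Source ranges that must never arrive from a customer regardless of allocation
# (unroutable or reserved space that shows up as forged sources in floods).
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


ALLOC_NETS = {iface: _nets(p) for iface, p in ALLOCATIONS.items()}
BOGON_NETS = _nets(BOGONS)


def classify(iface, src):
    """Return 'permit' or a 'drop:<reason>' verdict for one packet on an interface.
    ip_address/ip_network membership tests are version-aware, so an IPv6 source is
    simply not contained in any IPv4 prefix."""
    if iface not in ALLOC_NETS:
        return "drop:unknown-interface"
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_NETS):
        return "drop:bogon-source"
    if not any(addr in net for net in ALLOC_NETS[iface]):
        return "drop:spoofed-source"
    return "permit"


def filter_packets(packets):
    """Apply the check to (iface, src, dst) tuples.  Returns the permitted packets
    and per-interface drop counts; a sudden rise in 'drop:spoofed-source' on one
    interface is the signal that a customer host has started emitting forged
    traffic and should be contacted."""
    permitted, drops = [], Counter()
    for iface, src, dst in packets:
        verdict = classify(iface, src)
        if verdict == "permit":
            permitted.append((iface, src, dst))
        else:
            drops[(iface, verdict)] += 1
    return permitted, drops


# Constructed trace: legitimate packets, then forged ones from a host on cust-eth2.
SAMPLE_PACKETS = [
    ("cust-eth1", "203.0.113.7", "192.0.2.10"),
    ("cust-eth1", "2001:db8:1::42", "2001:db8:ffff::1"),
    ("cust-eth2", "198.51.100.200", "192.0.2.10"),
    ("cust-eth2", "203.0.113.7", "192.0.2.10"),    # forged: belongs to cust-eth1
    ("cust-eth2", "192.0.2.77", "192.0.2.10"),     # forged: not allocated to anyone
    ("cust-eth2", "10.1.2.3", "192.0.2.10"),       # forged: RFC 1918 bogon
    ("cust-eth1", "203.0.113.200", "192.0.2.10"),  # outside the /25 given to eth1
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"permitted {len(ok)} of {len(SAMPLE_PACKETS)} packets")
    for (iface, reason), n in sorted(dropped.items()):
        print(f"  {iface}: {reason} x{n}")
```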

What steps should be taken when a DoS or DDoS attack is detected?

How to stop a DDoS attack:
Identify the DDoS attack early.
Overprovision bandwidth.
Defend at the network perimeter (if you run your own web server).
Call your ISP or hosting provider.
Call a DDoS mitigation specialist.
Create a DDoS playbook.

What are the ways to prevent many forms of DoS attacks?

10 ways to prevent a DDoS attack:
Know your network's traffic.
Create a Denial of Service Response Plan.
Make your network resilient.
Practice good cyber hygiene.
Scale up your bandwidth.
Take advantage of anti-DDoS hardware and software.
Move to the cloud.
Know the symptoms of an attack.

Can you prevent DoS attacks?

ISPs can detect and filter out potential DDoS packets before they reach your border, preventing such attacks from consuming all of your available bandwidth. Unfortunately, while ISP partnerships are effective, there is no silver bullet for guarding against DDoS attacks.