17-10-2016, 04:39 PM
Abstract
A Distributed Denial of Service (DDoS) attack is one of the most serious problems for users connected to a network. Attackers who choose the DDoS technique use secondary victim systems to attack primary victim systems. The countermeasures developed to mitigate DDoS attacks are in turn being defeated, as attackers keep developing new methods to overcome them. In this paper, we describe DDoS architectures and propose conventions for describing the scope of DDoS attacks, the types of tools used to attack, and the defense mechanisms proposed.
1 INTRODUCTION
A Distributed Denial of Service attack is a kind of attack that prevents a network from carrying out its normal operations by flooding it with traffic. Primary victim systems are attacked with the help of secondary victim systems. The use of secondary victims in a DDoS attack gives the attacker the ability to mount a large attack while remaining out of sight, since the secondary victims actually perform the attack, which makes it more difficult to identify the original attacker. In February 2000, one of the first major Distributed Denial of Service attacks was launched against the Yahoo server, which kept it off the Internet for about 2 hours; it was a huge loss. More recently, attackers used a series of DDoS attacks against a number of companies, and these attacks caused many of them to stop their services. This paper provides conventions for understanding the different types of DDoS attacks and also suggests defense mechanisms.
2 DDoS ATTACK ARCHITECTURES
There are two types of DDoS attack networks: the Agent-Handler model and the Internet Relay Chat (IRC)-based model. The Agent-Handler model contains clients, handlers, and agents (see Figure 1). The attacker communicates with the rest of the DDoS attack system using the client. The handlers are software packages, located throughout the Internet, which the attacker's client uses to communicate with the agents. The agent software resides in the systems that actually carry out the attack. The attacker communicates with a number of handlers to identify which agents are currently running, when to schedule attacks, or when to upgrade agents. Depending on how the attacker configures the DDoS attack network, agents can be instructed to communicate with a single handler or with multiple handlers. Generally, attackers place the handler software on a compromised router or network server that handles huge volumes of traffic. This makes it difficult to identify messages between client and handler and between handler and agents.
The IRC-based DDoS attack architecture is just like the Agent-Handler model, but instead of using a handler program installed on a network server, it uses an IRC communication channel to connect the client to the agents.
In the IRC-based DDoS attack architecture, the agents are called "Zombie Bots" or "Bots".
In both the IRC-based and the Agent-Handler DDoS attack models, agents are referred to as "secondary victims" or "zombies", and the target is called the "primary victim".
3 DDoS ATTACK CONVENTIONS
There are many types of DDoS attacks (Figure 3). There are two prominent classes of DDoS attacks: bandwidth depletion and resource depletion attacks. A bandwidth depletion attack floods the victim network with unwanted traffic, which prevents genuine traffic from reaching the primary victim. A resource depletion attack ties up the resources of a victim system, making it unable to process genuine requests for service.
3.1 Bandwidth Depletion Attacks
Bandwidth depletion attacks are classified as flood attacks and amplification attacks.
Flood Attack
In a direct flood attack, the zombies flood the victim system directly with IP traffic. The huge amount of traffic saturates the victim's network bandwidth, so that genuine users either cannot access the service at all or experience a severe slowdown. In most of these attacks, the following packets are used:
– TCP floods
– ICMP echo request/reply
Amplification Attacks. An amplification attack involves the attacker or the zombies sending messages to a broadcast IP address, which causes all systems in the subnet reached by the broadcast address to send a reply to the victim system. The broadcast IP address feature is present on routers: when a sending system specifies a broadcast IP address as the destination address, the routers replicate the packet and send a copy to every IP address within the broadcast address range. Here the broadcast IP address is used to amplify and reflect attack traffic, thereby consuming the victim system's bandwidth.
Malformed Packet Attacks.
In a malformed packet attack the attacker instructs the zombies to send incorrectly formed IP packets to the victim system in order to crash it.
Resource Depletion Attacks
A resource depletion attack involves the attacker sending packets that misuse a network protocol. Certain triggers (flag settings) in the TCP packet header make the victim system load the whole payload into its TCP buffer and send an acknowledgement once it is complete. If the same is repeated by many agents, the receiving system cannot process the huge volume of incoming packets and crashes.
4 DDoS ATTACK METHODS
Various tools have been used to aid Distributed Denial of Service attacks; they have a number of features in common.
4.1 DDoS Agent Setup
In this section we classify the techniques attackers use to install harmful Distributed Denial of Service agent code onto a secondary victim system as either active or passive agent installation.
In active DDoS agent installation techniques, the attacker scans the network for systems that have common vulnerabilities and then uses different codes to compromise those systems.
In passive DDoS agent installation techniques, the DDoS agent software is installed on the genuine system when its user visits a harmful website or opens a corrupted file.
4.2 How the attacker communicates with the network
The attacker uses the TCP, UDP and ICMP protocols to communicate with the attack network.
A few Distributed Denial of Service attack methods make use of encrypted communication to attack the network. Agent-Handler DDoS attacks might use encrypted communications either between the client and the handlers or between the handlers and the agents. IRC-based attacks can make use of any of the following channels for communication: public, private or secret. Both private and secret IRC channels provide encryption; private channels appear in the IRC server's channel list, whereas secret channels do not.
4.3 Types of Operating Systems Supported
Distributed Denial of Service attack methods are compatible with the following operating systems: Unix, Linux, Solaris and Windows. These systems have the handler code installed on them. Agent code is more suited to the Windows platform, since many attackers target home users who use DSL and cable modems, and most home users run the Windows operating system.
5 DDoS COUNTERMEASURES
There are four categories of DDoS countermeasures:
1) Preventing Secondary Victims
2) Mitigating the Effects of DDoS Attacks
3) Deflecting Attacks
4) Post-Attack Forensics
5.1 Preventing Secondary Victims
Here the secondary victim systems should be prevented from participating in an attack. For this to happen, the systems must consistently monitor their own security. They have to verify and make sure that no agent programs have been installed on them and that they are not indirectly sending agent traffic into the network. To succeed, end users need the resources to afford protective measures and the knowledge to select the right protections. Further, secondary victims must be able to recognise when they are participating in an attack and, if so, know how to stop it.
5.2 Mitigating the Effects of DDoS Attacks
Load balancing improves normal performance and mitigates a DDoS attack. Network providers can increase bandwidth on critical connections to prevent them from going down during an attack. Moreover, providers can replicate servers and so provide additional protection if some of them go down during an attack.
5.3 Deflecting Attacks
Honeypots are systems that are intentionally set up with limited security so as to lure an attacker. They serve to deflect attacks away from the systems they protect, and they serve as a means of gaining information about attackers by storing a record of their activities and revealing what types of attacks and software tools the attacker is using. The goal of this type of honeypot is to lure an attacker into installing either handler or agent code within the honeypot, thereby enabling the honeypot owner to track the handler or agent behaviour and understand how to defend against future attacks.
5.4 Post-Attack Forensics
If traffic pattern data is stored during an attack, it can be analysed afterwards to look for particular characteristics within the attacking traffic. This characteristic data can be used to update load balancing countermeasures and so enhance their efficiency and protection ability. Further, DDoS attack traffic patterns enable network administrators to develop new filtering methods for preventing DDoS attack traffic from entering or leaving their networks.
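As an added example (not from the paper), the following Python carries out the post-attack analysis just described on stored flow summaries: it recognises the direct TCP flood and the broadcast amplification pattern from Section 3 and turns them into ingress filter rules. The victim address, the flow records and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow summaries (src, dst, proto, flags, packets); not real capture data.
VICTIM = "10.0.0.5"
FLOWS = (
    # direct flood: thirty zombies each sending TCP SYNs straight at the primary victim
    [(f"172.16.1.{i}", VICTIM, "tcp", "S", 4000) for i in range(1, 31)]
    # amplification: sixty hosts of one subnet answering an echo request sent to their broadcast address
    + [(f"192.168.7.{i}", VICTIM, "icmp", "echo-reply", 800) for i in range(1, 61)]
    # genuine sessions completing the handshake and carrying data
    + [("10.0.0.9", VICTIM, "tcp", "SA", 12), ("10.0.0.7", VICTIM, "tcp", "A", 30)]
)

def classify(flows, victim, syn_sources_min=20, reply_hosts_min=50):
    """Label attack patterns against `victim`: a direct TCP flood appears as many
    distinct sources sending only SYNs, a broadcast amplification attack as most
    hosts of one subnet sending echo replies the victim never requested."""
    syn_sources = set()
    reply_hosts = defaultdict(set)          # /24 prefix -> replying hosts in it
    for src, dst, proto, flags, _pkts in flows:
        if dst != victim:
            continue
        if proto == "tcp" and flags == "S":
            syn_sources.add(src)
        elif proto == "icmp" and flags == "echo-reply":
            reply_hosts[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    patterns = {}
    if len(syn_sources) >= syn_sources_min:
        patterns["tcp_flood"] = sorted(syn_sources)
    reflectors = sorted(n for n, h in reply_hosts.items() if len(h) >= reply_hosts_min)
    if reflectors:
        patterns["icmp_amplification"] = reflectors
    return patterns

def filter_rules(patterns, victim):
    """Derive ingress filters (iptables syntax) from the classified patterns."""
    rules = []
    for net in patterns.get("icmp_amplification", []):
        # unsolicited echo replies from the reflecting subnet carry no genuine traffic
        rules.append(f"iptables -A INPUT -s {net} -d {victim} -p icmp --icmp-type echo-reply -j DROP")
    if "tcp_flood" in patterns:
        # rate-limit new connections rather than blocking thousands of zombie sources one by one
        rules.append(f"iptables -A INPUT -d {victim} -p tcp --syn -m limit --limit 50/s --limit-burst 100 -j ACCEPT")
        rules.append(f"iptables -A INPUT -d {victim} -p tcp --syn -j DROP")
    return rules

if __name__ == "__main__":
    found = classify(FLOWS, VICTIM)
    print(list(found), filter_rules(found, VICTIM))
```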
6 CONCLUSION
DDoS attacks make a networked system unavailable to genuine users. These attacks can be seriously damaging if a critical system is the primary victim. Loss of network resources causes economic loss, work delays, and loss of communication between network users. Solutions must be developed to prevent these DDoS attacks.
There are many DDoS attack tools available to attackers. These tools are easy to deploy and can have disastrous effects. There are methods of preventing these attacks from succeeding; however, many of them are still being developed and evaluated. As the Internet and its usage expand, it is necessary that more comprehensive solutions and countermeasures to DDoS attacks be developed, verified, and implemented.