Denial of Service Issues and Solutions - Dissertation Example

Summary
The paper "Denial of Service Issues and Solutions" focuses on the critical analysis of the configuration and peculiarities of the Denial of Service (DoS) issues and solutions. DoS is the disruption of an entire system, either by disabling the system or by overloading it with messages to degrade performance…

Extract of sample "Denial of Service Issues and Solutions"

Denial of Service Attacks

I. Literature Review

1.1 Definition

Denial of Service (DoS) is the disruption of an entire system, either by disabling the system or by overloading it with messages so as to degrade performance (Stallings, 2006). In DoS attacks, attackers hold the data to modify or change it so that the data transfer time will be longer than usual to reach the intended websites or servers.

1.2 Purpose

The major intention of DoS attacks is to hinder legitimate users from accessing the resources that they should be allowed to use. It has been argued that DoS attacks usually exploit software bugs to crash a service or network resource, or exhaust bandwidth limits by flooding attacks that saturate all available bandwidth (Chau). The real intent of those attacks is to shut down a site, not to penetrate it. The purpose may also be vandalism, extortion or social action, including terrorism (Crocker, 2007).

1.3 How DoS Works

The nature of DoS can be explained using Figure 1.1. In the figure, Bob is the authentic user of the system and he sends messages to the server over the insecure Internet. Darth, the attacker, interferes with the services offered by the server and makes the genuine user, Bob, invisible to the server. In a normal connection, the user transmits a message to the server to request authentication. The server then returns a message authenticating the user as a genuine user of the system. Finally, the user sends back an acknowledgement message approving the server, and the connection between the user and the server is established.

Figure 1.1 Denial of Service (Stallings, 2006)

When a denial of service attack takes place, the server receives several authentication requests, seemingly from authentic users, which carry false return addresses. The server fails to locate the user while trying to return the authentication acknowledgement. The server then waits to authenticate the user before closing the connection.
In most DoS attacks, the attackers flood the servers with forged requests and make the servers slow to respond.

1.4 Types and Generation of DoS Attacks

Generally, there are three major classifications of DoS attacks depending on the victims targeted by attackers (users, hosts or networks), though there are several types of DoS attack prevalent on the Internet. The US-CERT advisory suggests that the three main types of DoS attacks are bandwidth, protocol and software vulnerability attacks. The major resources that most DoS attacks focus on are bandwidth, CPU time and memory. The most common DoS attacks can be summarized as follows.

1.4.1 TCP SYN Flood Attack

Flood-type attacks are the first known form of DoS attack and their mechanism is quite simple: attackers send more traffic to a server than it can handle (Georgieva, 2009). The SYN flood attack is a protocol-type attack and exploits a weakness of the TCP/IP protocol. The US-CERT advisory defines a SYN flood as “an asymmetric resource starvation attack in which the attacker floods the victim with TCP SYN packets and the victim allocates resources to accept perceived incoming connections”. In a TCP SYN flood attack, the legitimate users are ignored when the attacker initiates a TCP connection to the server with a SYN. The victim server responds to the request, which carries a spoofed source IP address, and waits for the ACK from the client side. The connection table of the server then fills up and it rejects all new connections from legitimate users. This phenomenon can be clarified using Figure 1.2.

Figure 1.2 Comparison of the normal TCP three-way handshake and a TCP SYN flood attack (cisco.com)

Flood-type attacks are very common and powerful. Georgieva (2009) suggests that “even if a webmaster adds more bandwidth, this still is not a sufficient protection against a flood attack”. Because of the bandwidth insufficiency, even the normal volume of legitimate requests may appear as a flood attack.
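The connection-table symptom described above (many half-open SYN_RECV entries, each from a different, never-repeating source) is what a defender watches for. The following is an added example, not code from the paper or from any cited source: it parses a netstat-style snapshot (the lines are constructed, not captured) and scores one listening port for a likely SYN flood. The thresholds and the "spoof_like" heuristic (a source that shows up exactly once in the half-open set is consistent with randomized spoofed addresses) are assumptions for illustration.

```python
"""Half-open connection monitor for a TCP listener (added example, constructed data)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed netstat -tan style lines: Proto Recv-Q Send-Q Local Remote State
SAMPLE_SNAPSHOT = """\
tcp 0 0 10.0.0.5:80 203.0.113.10:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.11:40211 ESTABLISHED
tcp 0 0 10.0.0.5:443 203.0.113.12:40212 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.1:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.2:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.3:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.4:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.5:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.6:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.8:1025 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.13:50001 SYN_RECV
"""


@dataclass
class Conn:
    local_port: int
    remote_ip: str
    state: str


def parse_snapshot(text: str) -> list[Conn]:
    """Turn netstat-style lines into Conn records; skips headers and malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        conns.append(Conn(local_port, remote_ip, state))
    return conns


def assess_port(conns: list[Conn], port: int,
                min_half_open: int = 8, max_half_open_ratio: float = 0.5) -> dict:
    """Score one listener: absolute half-open count, share of the table it occupies,
    and whether the half-open sources look randomized (assumed thresholds)."""
    on_port = [c for c in conns if c.local_port == port]
    half_open = [c for c in on_port if c.state == "SYN_RECV"]
    total = len(on_port)
    ratio = len(half_open) / total if total else 0.0
    per_source = Counter(c.remote_ip for c in half_open)
    singletons = sum(1 for n in per_source.values() if n == 1)
    spoof_like = bool(per_source) and singletons / len(per_source) >= 0.9
    suspected = len(half_open) >= min_half_open and ratio >= max_half_open_ratio
    return {
        "port": port,
        "total": total,
        "half_open": len(half_open),
        "ratio": round(ratio, 2),
        "distinct_sources": len(per_source),
        "spoof_like": spoof_like,
        "suspected": suspected,
    }


if __name__ == "__main__":
    table = parse_snapshot(SAMPLE_SNAPSHOT)
    for p in (80, 22):
        print(assess_port(table, p))
```

A single snapshot is only a signal; in practice the same score is taken over successive samples, and the "spoof_like" flag decides the response, since blocking individual sources is pointless when each address appears once (SYN cookies or a SYN proxy are the usual answer there).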
1.4.2 Ping of Death Attack

The Ping of Death or POD attack is another DoS attack with a simple principle. It exploits software vulnerabilities. During this incident, a ping command, normally 32 bytes, is simply sent to the victim (Bidou). The command (C:> ping -l 65511) is considerably larger than the maximum packet size of 65,535 bytes that IPv4 can handle, and the target system crashes or freezes (Georgieva, 2009). The favorable fact about this attack is that most current systems defend against it well, and simply applying the latest patches strengthens the protection level.

1.4.3 Smurf Attack

The Smurf attack is another protocol-type attack and is referred to as “an asymmetric reflector attack that targets a vulnerable network broadcast address with Internet Control Message Protocol (ICMP) ECHO REQUEST packets and spoofs the source of the victim” (US-CERT). It is sophisticated and mainly focuses on attacking the broadcasting server. First, the hacker finds out the server inside a network and submits a ping request with a counterfeit IP address, so that it resembles an authentic request from inside the network (Georgieva, 2009). Smurf is considered to be the most devastating DoS attack (Chau). Once the broadcasting server, which provides addresses for the client machines, accepts the pings or ICMP requests and re-sends them to all the clients in the network, the traffic can slow down the entire network. All machines send responses and those are redirected via the server to the target machine. This phenomenon can be observed in Figure 1.3.

Figure 1.3 Smurf Attack (learn-networking.com)

1.4.4 Fraggle Attack

Fraggle resembles Smurf, but it transmits UDP packets to the echo port or other ports on broadcast addresses while spoofing the source of the victim (US-CERT). It is less popular than the Smurf attack because UDP echo is less important than ICMP echo in most networks.
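The three attacks in 1.4.2 to 1.4.4 are all stopped at the network border by checks a router or firewall applies to every inbound packet: reject fragments that would reassemble past the 65,535-byte IPv4 limit (Ping of Death), refuse traffic addressed to a directed-broadcast address (Smurf, Fraggle), and refuse packets arriving from outside that claim an inside source address (the spoofing both reflector attacks rely on). The following is an added example, not code from the paper or from any cited source; the packet records and the two internal subnets are constructed for illustration, and the 20-byte header used in the size check assumes an IPv4 header without options.

```python
"""Border-filter checks for Ping of Death and Smurf/Fraggle traffic (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535   # largest total length IPv4 can represent, in bytes
IPV4_MIN_HEADER = 20        # assumed header size (no options)
ICMP_ECHO_REQUEST = 8
UDP_ECHO_PORT = 7

# Constructed: subnets behind this border device. Their broadcast addresses must
# never be reachable from outside, and their addresses must never appear as the
# source of a packet arriving on the external interface.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "icmp" or "udp"
    length: int                   # IP payload bytes carried by this fragment
    frag_offset: int = 0          # fragment offset in 8-byte units, as in the IP header
    icmp_type: int | None = None
    dst_port: int | None = None


def oversized_datagram(pkt: Packet) -> bool:
    """Ping of Death: this fragment's data would land beyond the 65,535-byte limit."""
    end = IPV4_MIN_HEADER + pkt.frag_offset * 8 + pkt.length
    return end > IPV4_MAX_DATAGRAM


def directed_broadcast(pkt: Packet) -> bool:
    """Destination is the broadcast address of one of our subnets."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == net.broadcast_address for net in INTERNAL_NETS)


def spoofed_internal_source(pkt: Packet) -> bool:
    """Ingress filtering: an external packet must not carry an internal source."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERNAL_NETS)


def classify_inbound(pkt: Packet) -> str:
    """Decision for a packet arriving on the external interface."""
    if oversized_datagram(pkt):
        return "drop:oversized-fragment"
    if spoofed_internal_source(pkt):
        return "drop:spoofed-source"
    if directed_broadcast(pkt):
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            return "drop:smurf-amplification"
        if pkt.proto == "udp" and pkt.dst_port == UDP_ECHO_PORT:
            return "drop:fraggle-amplification"
        return "drop:directed-broadcast"
    return "accept"


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", "192.0.2.10", "icmp", 56, icmp_type=ICMP_ECHO_REQUEST),
        Packet("203.0.113.9", "192.0.2.255", "icmp", 56, icmp_type=ICMP_ECHO_REQUEST),
        Packet("203.0.113.9", "198.51.100.127", "udp", 40, dst_port=UDP_ECHO_PORT),
        Packet("203.0.113.9", "192.0.2.10", "icmp", 1480, frag_offset=8189),
    ]
    for s in samples:
        print(s.dst, classify_inbound(s))
```

The size check runs first because it needs no policy at all: a fragment that cannot fit in a legal datagram is malformed regardless of where it is going. The broadcast and source checks are the router-side equivalent of disabling directed broadcasts and applying ingress filtering, which removes the amplifier rather than trying to absorb the reflected replies.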
1.4.5 Teardrop Attack

The teardrop attack is a software vulnerability attack which focuses on vulnerabilities in web servers and TCP/IP stacks. The CERT advisory defines teardrop attacks as ones that exploit TCP/IP stacks that do not properly handle overlapping IP fragments. Hole (2008) argues that Windows' TCP/IP stack could not handle fragmented packets whose offset and length did not match, causing the remote host to crash, hang or reboot.

1.4.6 DNS Recursion

DNS is an abbreviation of Domain Name System. It offers name resolution services for protocols and enables computers to resolve hostnames to IP addresses. There are two types of DNS requests: recursive and non-recursive. The US-CERT National Cyber Alert System claimed that "An attacker with the ability to conduct a successful cache poisoning attack can cause a name server's clients to contact the incorrect, and possibly malicious, hosts for particular services”. As a result, the attacker can control the systems and redirect web traffic, email and other important network data.

1.5 DDoS or Distributed Denial of Service

DDoS attacks are normally generated by a very large number of hosts, amplifiers or reflectors. Sometimes DDoS attacks are initiated by zombies, which are agent programs that have been waiting for the command to attack the victim (Farraposo, Gallon and Owezarski, 2005). In DDoS, the attacker controls a number of distributed hosts in the public network or Internet to attack the target simultaneously (Stallings, 2006). The important mechanism of DDoS is bulk flooding, with which an attacker floods the victim with many packets and makes the resource unavailable to legitimate users.

Figure 1.4 DDoS attack (Stallings, 2006)

Figure 1.4 (a) shows how a distributed SYN flood attack takes place. The attack machine controls multiple hosts known as slave servers and directs them to send TCP/IP SYN packets via the Internet to the target web server.
The target server responds with SYN/ACK, keeps waiting for the ACK, and becomes bogged down as more traffic comes in (Stallings, 2006). Figure 1.4 (b) explains how a distributed ICMP attack is carried out. The attacker machine controls the slave servers and forces them to send ICMP echo packets to the reflector machines. Then thousands of reflector machines are in turn made to send ping traffic to the target server. The server is now flooded with packets from the reflectors and has no room for further data transmission (Stallings, 2006).

DDoS attacks need a large number of hosts performing the intrusion together at the same time, and they can succeed by infecting a large number of Internet hosts with zombies or agents. DDoS agents are installed on normal PCs through hacking or by spreading viruses. Most DDoS agents can be found via Internet Relay Chat (IRC). DDoS attacks have become major security threats today, for they can degrade thousands of hosts or clients by flooding them with data, and it is quite difficult to hinder this phenomenon. Moreover, they can consume a large amount of resources in the network infrastructure and might bring an entire ISP's network down.

1.6 Attacker Tools

Denial-of-service attacks have targeted and intruded on websites even as large as eBay, Amazon, Yahoo and CNN. It is very easy for anyone who wants to initiate an attack, because denial-of-service tools can easily be downloaded from the Net and used. Those attacks can be initiated using a wide range of programs or tools which seem benign at first but can effectively damage the victim networks.

1.6.1 Hping

According to hping.org, “Hping is a command-line oriented TCP/IP packet assembler/analyzer and the interface is inspired to the ping (8) UNIX command, but hping isn't only able to send ICMP echo requests”. There are a variety of protocols that Hping supports, such as TCP, UDP, ICMP and RAW-IP.
It is very helpful in learning the TCP/IP protocols and works well on most well-known operating systems such as Windows, Mac, Solaris and Linux. It was created for positive usage and, formerly, hping was mainly used as a security tool for testing networks and hosts. Attackers misuse this tool for DoS attacks because Hping can perform many of the tasks that intruders intend to do with DoS, such as:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using a variety of protocols, fragmentation and TOS
  • Manual path MTU discovery
  • Advanced trace routing to assist in tracing the route along the network between two systems
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing (Hping.org)

1.6.2 Http-ping

Like the normal ping utility, Http-ping is an easy-to-use Windows command-line utility that can probe a URL and report statistics about the address. It differs from the normal ping in that it works over HTTP rather than ICMP, which ping relies on. Moreover, Http-ping targets a URL and not an IP address (coretechnologies.com). For every request, http-ping reports the following information once it completes the probe:

1. The HTTP return code with its brief textual description
2. The number of bytes returned by the server (excluding headers)
3. The time taken to complete the request, i.e. the round-trip time

1.6.3 DDoS Attack Tools

The most common distributed denial of service attack tools are TrinOO, TFN2K and Stacheldraht. Those tools allow the attackers to automatically set the times and frequencies of the attacks so that the whole incident is under the attacker's control. The source and details of an attack launched by those tools are almost impossible to discover, which makes counter-measures hard to carry out. Technically, TrinOO mainly affects Windows and UNIX operating systems; it is a Master/Slave or Master/Daemons program whose components work together to start a UDP flood on a victim machine.
(Chau)

TFN2K or Tribal Flood Network 2K is also a Master/Slave program like TrinOO, and is more dangerous and difficult to identify than TrinOO. It can handle a range of attacks such as Smurf, ICMP flood, SYN flood and UDP flood. Stacheldraht controls the communication between the attacker's machine and the Master machines so that the Slave machines or Agents can launch different types of attacks, like ICMP flood, SYN flood, UDP flood and Smurf attack, automatically (Chau). These tools may also create other services so that the attacking computer changes its source address randomly. Therefore it seems as if the attack is launched from thousands of machines although only a few computers are actually involved. As distributed denial-of-service attacks are usually directed at very sensitive and crucial networks or systems, like national security sites, the issues concerning those attacks are also concerns for legal agencies and law firms. They remain a very distressing problem for legal agencies and, even when the perpetrators can be traced, there may be delays in bringing the attackers under the authority of the law with respect to international extradition law.

1.7 Code

In addition to attacker tools, there are many ways to make a service unavailable to legitimate users by injecting and executing arbitrary code to gain access to vital information or to issue commands that control the server (OWASP Testing Guide v2).

1.7.1 Vulnerable Code

User-defined programs written on application servers may become targets or initiators of DoS attacks, intentionally or not, if they contain vulnerable code. Users can define the number of objects to allocate on the application server, but the server should limit the maximum amount, because an unbounded amount can lead to memory shortage, degrade performance and act like a flood attack.
Example 1: Java code with a loop controlled by users (owasp.org)

    public class MyServlet extends ActionServlet {
        public void ServletHandler(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            . . .
            String[] values = request.getParameterValues("CheckboxField");
            // Permit users to enter the loop value without checking whether it is valid or not
            for (int i = 0; i < values.length; i++) {
                // The extract is cut off after "i <"; the bound on values.length and the
                // empty body are reconstructed from the comment above, not from the page.
            }
            . . .
        }
    }
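The hardened counterpart to Example 1 is a handler that bounds the work a single request can demand before any per-value processing starts. The following is an added example, not the paper's code or OWASP's: it is written in Python rather than Java, the requests are constructed dicts standing in for parsed form parameters, and the two limits (50 values, 64 bytes each) are assumed values a real form would set from what it actually renders.

```python
"""Bounded request handling for user-controlled loop counts (added example)."""
from __future__ import annotations

MAX_CHECKBOX_VALUES = 50   # assumed: the form never renders more than this many boxes
MAX_VALUE_LENGTH = 64      # assumed: bytes per submitted value


class RequestTooLarge(ValueError):
    """Raised before any per-value work when the request exceeds the budget."""


def handle_unbounded(params: dict[str, list[str]]) -> int:
    """Mirrors the vulnerable servlet: work grows with whatever the client sends."""
    work = 0
    for value in params.get("CheckboxField", []):
        work += len(value)   # stands in for the per-value processing in the loop body
    return work


def handle_bounded(params: dict[str, list[str]],
                   max_values: int = MAX_CHECKBOX_VALUES,
                   max_len: int = MAX_VALUE_LENGTH) -> int:
    """Same processing, but the count is checked before the loop and each value's
    size inside it, so the cost of a hostile request is capped up front."""
    values = params.get("CheckboxField", [])
    if len(values) > max_values:
        raise RequestTooLarge(f"{len(values)} values exceeds limit of {max_values}")
    work = 0
    for value in values:
        if len(value) > max_len:
            raise RequestTooLarge(f"value of {len(value)} bytes exceeds limit of {max_len}")
        work += len(value)
    return work


def respond(params: dict[str, list[str]]) -> tuple[int, str]:
    """HTTP-style outcome: 400 for an over-budget request, 200 otherwise."""
    try:
        return 200, f"processed {handle_bounded(params)} bytes"
    except RequestTooLarge as exc:
        return 400, str(exc)


# Constructed inputs: a normal submission and one padded to exhaust the server.
NORMAL = {"CheckboxField": ["red", "blue"]}
FLOOD = {"CheckboxField": ["x" * 64] * 100_000}

if __name__ == "__main__":
    print("unbounded flood work:", handle_unbounded(FLOOD))
    print("bounded normal:", respond(NORMAL))
    print("bounded flood:", respond(FLOOD))
```

The count check belongs before the loop, not inside it: once the loop has started, the server has already committed memory to the parsed parameter array, so the limit should be mirrored at the request-body size cap of the container as well.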
Cite this document

“Denial of Service Issues and Solutions Dissertation”, n.d. Retrieved from https://studentshare.org/family-consumer-science/1413463-denial-of-service-issues-and-solutions
