Differentiation Between DOS and DDOS - Term Paper Example

Extract of sample "Differentiation Between DOS and DDOS"

Introduction

In modern times, the ordinary computer user faces a plethora of attacks from outside. Vulnerabilities become more likely to be attacked when the computer is connected to a network and interacts with the outside world. Viruses, unauthorized data access, malware, and the system crashes they cause are as common as the rightful activities of a computer. The concept of malware and possible threats is quite an old one, and its roots can be traced to the time (nearly three decades ago) when the first viruses were introduced. Viruses are programs like any other in nature, yet their cause and purpose of existence are destructive. Their scope includes affecting internal data, crashing the system, enabling outsiders to access data, slowing down processes, halting hardware, and various other forms. The scope of these viruses and malware is quite extended. "Virus" can be used as a general term for this malware. This malicious material can be spam, a Trojan, spyware, or malware; in short, anything that damages data or puts the individual computer user or network at risk can be termed one of the aforementioned programs. While these malware codes act in different ways and specialize in different zones, denial of service is one of them and has a large application area. Distributed denial of service (D.D.O.S) is one of these malware programs and attempts at sneaking into the private data and system of individual users.

Differentiation Between D.O.S and D.D.O.S

A differentiation must be made between the two. While both are equally dangerous, their domain of action is slightly different. The former acts from a computer onto a network, while the latter constitutes an attack by a set of computers onto a network, which, in other words, means a more potent attempt at the target. It is like a single soldier attacking a front compared with a unit of soldiers acting together and targeting a site.
Obviously the latter would have a more severe impact than the action conducted by a single soldier. For this reason, counteracting D.D.O.S needs a more formulated action strategy from the network side in order to avoid any losses and be able to withstand it.

How does D.D.O.S work:

Denial of service in general, as the name implies, takes users offline from the network, deactivates their resources and connection, and strangulates their utilities. Its main tools are botnets and zombies that overtake the network and, on a proxy basis, may do anything they want. The main targets are often the servers that control access and distribution. The attacks usually jam the entire network and server, infiltrate like proxies, and spam the overall setup. The scope of these kinds of attacks is not limited to any particular area of the network; they are prone to attack and damage all parts of the network, ranging from private network layers and application layers to network layers. U.D.P flooding, H.T.T.P flooding, and SYN flood are a few of the kinds of attacks and targets of D.D.O.S. The aim is the same in both processes: to drain the network of its resources by flooding it, leaving it unable to provide any resource or service to genuine clients. The history of D.D.O.S attacks is far stretched, and they have attacked international organizations, military placements, defense institutes, servers, banks, databases, and news channels. Nearly all those places that hold some valuable information and material have been the target of D.D.O.S in the recent past. C.N.N and Yahoo were a few of the sites that have tasted this and were targeted early in 2000 by online attacks (Kumar & Selvakumar, 2012).

Various Types of D.D.O.S Actions:

D.D.O.S action can take various forms, each having its own characteristic ability and target area. The impact in all of them is of an equal effect and can paralyze the network very easily.
The following are a few of the kinds of D.D.O.S.

Distributed Reflectors Attack

It is a sort of intermediary action process, where the body implementing the action conducts it on behalf of others. For this reason, these bodies are usually termed the "slaves", and they target those networks that respond back when pinged. Normally servers respond back to any request sent their way. The main targets in this type of attack are routers and D.N.S servers, since they by default respond back or ping back. The slave behaves as an ordinary user once the request is acknowledged and is sent directly to the reflector.

IP Spoofing

It is more a sort of deception and beguilement than any other technique. The attacking entity comes up with a faux IP address and infiltrates the network pretending to be an authenticated user with permission to access it. This is achieved through the IP address of the host. This keeps the network totally in the dark, and the network and router are unable to determine the real nature of the entering source. IP spoofing can be very menacing since it is the action of identifying the source from within with barely any concrete evidence of a malicious element hidden inside the IP address. Most hackers rely on this method to infiltrate the network and cause damage. The advantage served by this mechanism is the fact that it allows information to be disclosed from within and hence makes it easy to cause the desired damage.

App Layer D.D.O.S Attack

While D.D.O.S attacks have an array of options to be launched from, they can either be initiated at the network layer where routers operate, or they can be introduced into the system through the application layer. App-D.D.O.S is of the latter kind and targets the application layer of the network and O.S.I model. These attacks vary from the network layer attacks.
While F.T.P and H.T.T.P protocols are used in the application layer, the D.D.O.S in this layer blends in such a manner that it is difficult to identify and separate the genuine client and the attacking element (Patil & Kulkarn, 2011). These attacks, like others, target entire H.T.T.P servers with the aim of running out the resources of the network which are otherwise present for the clients' usage. Various techniques have been introduced in recent times that enable identification of App-D.D.O.S. The strategies used in this regard are based on the separation of the genuine users and the attacking elements. Of notable mention is the spatial pattern method, which works on distinguishing between the two kinds of clients: genuine and fake. The targets across the application layer include web servers, chat servers, and most importantly, the VoIP server. Although several firewalls are suggested as a solution, many a time these firewalls fall victim to the outside attacks themselves. There has to be some mechanism for penetrating into the network in the presence of firewalls. The D.D.O.S infiltrates via a fake identity by using an ordinary client IP address in the form of spoofing. Trust value assignment is part of this technique; it segregates the kinds of requests and the categories to which an individual client may belong. The segregation helps in watching over those elements that are possible threat holders. The basic variable of the trust mechanism is the rate at which the client sends requests for connection establishment. A client's behavior can be studied from the pattern in which it has requested access in the recent past and before. This technique also involves the trust value calculation. These attacks can be prevented through the use of firewalls and other authentication mechanisms.

D.D.O.S Detection Methods

Various methods can be used to detect the presence of any malicious material that may have been injected into the system through D.D.O.S.
One of these methods is the entropy calculation method or the use of a Sync key. The Sync key enables authentication and the encryption and decryption of the data and the users, and thereby reduces the chances of unauthorized users in the network. Software registration information is another way of distinguishing between the genuine user and the attacker. Their identity can reveal the real motive behind the request for access.

Entropy mechanism:

The concept of entropy is related to the probabilistic mechanism. It determines the probability and possible occurrence of random data in the network. The higher the occurrence, the higher the entropy, which makes it a gauge for determining any possible weak links and threats in the network. For the avoidance of D.D.O.S, a small entropy level is desired that would minimize the probability of random data (Feinstein, Schnackenberg, Balupari, & Kindred, 2003).

Rule Based Mechanism

Various algorithms are being established by experts to mitigate the impact of this form of threat. A rule based mechanism is one of them; however, its efficiency rate is less than desired. The principle of this concept is based on the idea of behavior observation. It is a known phenomenon that a normal client would not request entry excessively and abundantly, so anytime an abnormal request is noticed, the rules set in place enable alarm activation and monitoring of such clients who exhibit relatively unconventional behavior. This, in a certain way, allows monitoring of the possible insurgent elements in the system. This system does lack accuracy and is prone to false alarms. The false alarms add to the overheads of the system, and hence it is not the complete solution to the problem. This mechanism involves a pre-process activity which is based on gathering information about the applicants and clients who seek entry into the network. Various data sets are being used, which segregate the normal users and attackers based on the information collected.
This mechanism can be further improved if the false alarm element is reduced or contained in some possible way, because it adds to the extra utilities of the network.

K-NN method of detection

N.N. is the nearest neighbor approach, which checks the entire network one by one across the neighbors and verifies the possibility of any attacker that might be present amongst the ranks. Proper implementation of this method enables early detection and can save the network and server from any drop and downtime. An important feature of this mechanism is that it enables control over false alarms, which are never desired in the system (Nguyen & Choi, 2010).

T.C.P Flow Rate Calculation

This is another method of determining the effect of any malicious element present in the network, especially in the form of IP spoofing. The logic used in this process is that a genuine user would send a certain number of packets (usually limited) and then wait before sending a further request; the difference between a genuine user and a spam source arises here. The attacking entity does not stop with a limited set of packets and requests. Its requests are long, constant and rapid. Since the aim is to flood the entire network, it sends packets at a rapid pace. A mathematical formula is often used for this purpose, which can help determine the overall situation in terms of the flow rate:

Flow Rate = (Tp + Tp)/4 = Tp/2, where Tp is the time of propagation of each packet request.

Comparing this with the total channel capacity, it can be easily determined whether the source is genuine enough to be allowed access. The channel capacity is determined through the multiplication of bandwidth with the propagation time.

Conclusion and Mitigation Strategy

D.D.O.S is a serious threat to both individual and collective users. Large numbers of corporate enterprises lose millions of dollars every year due to data loss and privacy breaches.
It has become the dominant evil, and in order to cover up and mitigate it, safe practices are the order of the day. Safe practices come not just in the form of equipment installation or software; rather, they are about making sure that no unauthenticated websites or emails are being opened. On the server level, administrators should ensure that the entry-seeking client is authorized and would not cause any panic amongst the ranks if allowed. The algorithms are tools for counteracting D.D.O.S, and they should be effectively utilized for this purpose.

References

Feinstein, L., Schnackenberg, D., Balupari, R., & Kindred, D. (2003). Statistical approaches to DDoS attack detection and response. DARPA Information Survivability Conference and Exposition.

Kumar, A. R., & Selvakumar, S. (2012). M2KMIX: Identifying the type of high rate flooding attacks using a mixture of expert systems. I. J. Computer Network and Information Security, 12.

Nguyen, H. V., & Choi, Y. (2010). Proactive detection of DDoS attacks utilizing k-NN classifier in an anti-DDos framework. International Journal of Electrical and Electronics Engineering, 247–252.

Patil, M. M., & Kulkarn, U. L. (2011). Mitigating App-DDoS attacks on Web servers. International Journal of Computer Science and Telecommunications, 13–18.
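The entropy mechanism described under D.D.O.S Detection Methods can be made concrete as follows. This is an added example, not code from the paper or from Feinstein et al.; it generalizes the text by learning a baseline and flagging windows whose source-address entropy deviates from it in either direction. The window size, thresholds, function names and all addresses are assumptions, and the traffic is constructed sample data.

```python
import math
import statistics
from collections import Counter

WINDOW = 64  # packets per window (assumed value; size it to the monitored link)

def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    total = len(values)
    return sum(-(c / total) * math.log2(c / total)
               for c in Counter(values).values())

def window_entropies(src_ips, size=WINDOW):
    """Entropy of the source address for each full window of `size` packets."""
    return [shannon_entropy(src_ips[i:i + size])
            for i in range(0, len(src_ips) - size + 1, size)]

def detect(src_ips, train_windows, k=3.0, min_sigma=0.05, size=WINDOW):
    """Learn mean/sigma from the first `train_windows` windows, then return
    (window index, entropy) for later windows more than k*sigma from the mean.
    `min_sigma` keeps a very stable baseline from flagging tiny fluctuations."""
    ents = window_entropies(src_ips, size)
    base = ents[:train_windows]
    mean = statistics.mean(base)
    sigma = max(statistics.pstdev(base), min_sigma)
    return [(i, round(h, 3)) for i, h in enumerate(ents)
            if i >= train_windows and abs(h - mean) > k * sigma]

# --- constructed sample traffic (private and documentation address ranges) ---
PROFILE_A = [16, 12, 10, 8, 6, 5, 4, 3]   # packets per client, sums to 64
PROFILE_B = [14, 12, 10, 9, 7, 5, 4, 3]   # a slightly different normal mix

def normal_window(profile):
    """One window in which client j (10.0.0.<j+1>) sends profile[j] packets."""
    return [f"10.0.0.{j + 1}" for j, n in enumerate(profile) for _ in range(n)]

def build_sample():
    stream = []
    for w in range(6):                                  # windows 0-5: baseline
        stream += normal_window(PROFILE_A if w % 2 == 0 else PROFILE_B)
    stream += normal_window(PROFILE_A)                  # window 6: normal
    stream += [f"198.51.100.{i}" for i in range(64)]    # window 7: every source unique
    stream += ["203.0.113.9"] * 64                      # window 8: one source floods
    stream += normal_window(PROFILE_B)                  # window 9: normal
    return stream

if __name__ == "__main__":
    for index, entropy in detect(build_sample(), train_windows=6):
        print(f"window {index}: source-address entropy {entropy} bits, outside baseline")
```

Window 7 models spoofed, randomized sources (entropy rises to the maximum for the window), while window 8 models a single-source flood (entropy collapses to zero); a one-sided threshold would miss one of the two.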