Denial of Service Attacks - Term Paper Example

DIGITAL SECURITY MANAGEMENT

Number of words: 2,011

Table of Contents
Introduction
DDoS Attack
Enrolling the Vulnerable Machines
Propagating the Malicious Code
DDoS Attack Taxonomy
Typical DDoS Attacks
DRDoS Attacks
Problems Caused and Countermeasures
Conclusion

Introduction

The billions of computers that exist globally are all connected through the internet. Millions of people use the internet daily, capitalizing on the professional and personal advantages that it presents. This interconnectivity, which depends on the global internet, however, makes its components an easy target for attackers who try to deplete their resources and launch denial of service (DoS) attacks against them. A DoS attack can be described as a malicious attempt by a single person or group to make a site, or victim, unable to give its customers access to its normal services. When the attack reaches the victim's computer simultaneously from various points, it is known as a distributed DoS, or DDoS, attack. From this overview, this paper analyzes the attack: how it happens, how the malicious code propagates, its taxonomy, the problems it causes, and countermeasures. A conclusion sums up all the aspects discussed (Peng, Leckie & Ramamohanarao, 2005:771).

DDoS Attack Description

DDoS attacks aim to drain the resources of the target, or victim. These resources can be operating system data structures, computing power, or network bandwidth. To launch a successful DDoS attack, malicious users first have to build a network of computers that will produce the traffic volume needed to prevent users from reaching the victim's services. To build it, attackers discover potentially valuable hosts or sites online. Potential hosts are often those whose antivirus software is old or not properly installed.
The attacker then exploits the vulnerability of the hosts to gain access to them. Next, the intruder installs attack tools or new programs on the compromised hosts. The hosts that run these programs are referred to as zombies, and under the attacker's control they can perform attacks as commanded. Many zombies grouped together are referred to as an army (Moore & Shannon, 2009). This paper looks at how easily attackers can pinpoint a vulnerable point within systems and install the attack tools. This preparation phase is very important; however, identifying vulnerable hosts and installing attack tools has become a relatively easy process, since prepared programs already exist that automatically find hosts, break into them, and install the necessary attack programs, so the intruder does not spend time programming the attack tools again. After that, the infected system looks for other similar machines and installs the malicious code on them. The widespread scanning used to identify victim systems makes it possible to create large attack networks much faster. The result is a DDoS attack network consisting of handler (master) machines and agent (slave, daemon) machines (Weaver, 2005:12).

Enrolling the Vulnerable Machines

To identify vulnerable machines, attackers can use several techniques, also known as scanning techniques. In random scanning, a machine infected by the malicious code probes IP addresses at random and checks them for the vulnerability. Once a vulnerable machine is identified, it tries to break into it and infect it with the same malicious code that it carries itself. This technique creates significant traffic, mainly because random scanning causes a massive number of compromised hosts to probe and check the same addresses.
This scanning method is advantageous to attackers since it can originate from anywhere, which makes the code spread very quickly.

In hit-list scanning, an extensive list of potentially vulnerable machines is collected long before the attackers start their actions. Once a vulnerable machine on the list is found, the malicious code is installed on it and the list is divided: the scanner keeps one half and gives the other half to the newly infected host. The newly infected host then starts scanning down its list to find more vulnerable machines and, when it finds one, repeats the procedure described above. In this manner, hit-list scanning proceeds concurrently from an ever-increasing number of compromised machines. Through this mechanism the malicious code is spread to and installed on all the vulnerable machines on the collected list in a limited period (Alefiya, Heidemann & Papadopoulo, 2003).

Propagating the Malicious Code

Two groups of mechanisms can be identified for propagating malicious code and building attack networks: central source propagation and autonomous propagation.

Central source propagation: This happens once a potentially susceptible system that will become one of the robots, or zombies, has been found. In this mechanism, a central source is instructed to transfer a copy of the attack toolkit to the newly compromised system from a centralized location. Once the toolkit has been transferred, the attack tools are installed on the system automatically, controlled by a scripting mechanism (Gibson, 2010). That starts a new attack cycle, in which other systems that can be infiltrated are searched for so that the attack toolkit can be installed on them in the same manner. Like other file-transfer mechanisms, this mechanism generally uses the FTP, HTTP and remote procedure call (RPC) protocols.
Autonomous propagation: In this mechanism, the attacking host transfers the attack toolkit to the newly infiltrated system at the same moment that it compromises it. It differs from the mechanism discussed above in that the attack tools are planted on the compromised machine by the attacking host itself rather than fetched from an external file source.

After the attack network has been constructed, the intruders use the handler machines to specify the attack type and the victim's address, and wait for the right time to launch the action. Then the agents (daemons) "wake up" simultaneously and proceed with the action. The agent machines in turn start to send a stream of packets to the victim, flooding its systems with useless load and depleting its resources. In this way the attacker can render the victim's machines unavailable to legitimate clients and cause indiscriminate destruction. The traffic volume may be so high that the networks connecting the attacking machines to the victim are also affected. Those networks can then no longer provide their services, and their clients cannot access them. Thus the network that has been overloaded by the attack can be considered another victim of the DDoS attack (Ho Chung, 2006:7).

DDoS Attack Taxonomy

As stated earlier, a DDoS attack occurs when many machines that have been compromised and infected by malicious code act simultaneously, coordinated by an attacker, to break the victim's system and exhaust its resources. The two main types of DDoS attack are typical DDoS attacks and distributed reflector DoS (DRDoS) attacks (Mirkovic, Martin & Reiher, 2009:12).

Typical DDoS Attacks

In this type of attack, the army consists of master and slave zombies. Hosts in both categories are machines that have been compromised during the scanning process.
In addition, they carry malicious code that was planted during the scanning process. The attacker coordinates and orders the master zombies, and they in turn coordinate and trigger the slave zombies. More specifically, the attacker sends an attack order to the master zombies and activates all the attack processes on those machines, which lie dormant waiting for the right moment to start the attack. Through these processes, the master zombies launch the DDoS attack by manipulating the slave zombies. The agent machines then begin to flood the victim's system, sending useless information that loads the system and depletes its resources (Axelsson, 2010:102).

DRDoS Attacks

In DRDoS attacks, unlike typical DDoS attacks, the attacker's army consists of master zombies, slave zombies and reflectors. The scenario is the same as in other DDoS attacks, but only up to a certain phase. The attackers control the master zombies, which in turn control the slave zombies. The main difference is that the reflectors, which are other uninfected machines, receive the victim's IP address from the slave zombies, which forces them to connect to the target. The victim then receives the excess traffic that these machines send to confirm the new connection, since they believe that the victim, as the host, requested it. The DRDoS attack is therefore mounted through machines that are not compromised and that support the action without understanding its implications (Yanet, 2008).

A comparison of the two shows that the DRDoS attack is more detrimental than the typical DDoS attack. First, the DRDoS attack has more machines among which to divide the attack and is therefore more widely spread. Second, the DRDoS attack creates a larger amount of traffic because of its more distributed nature.

Problems Caused and Countermeasures

The outcomes of these attacks are often disastrous.
DDoS attacks have two main characteristics: they are both denial-of-service attacks and distributed attacks. Denial of service means that their aim is to deny the victim access to certain services or products. Distributed, on the other hand, means that they are wide-scale attacks that greatly affect the victim. The impact of these attacks is catastrophic, especially when the target is a company. These attacks hinder people from contacting others or from using the internet; when the victim is an internet service provider (ISP), the outcome is more drastic, mainly because the ISP's clients will not be served. At the top of the attackers' hit list are e-businesses, which are badly affected because being denied access to the internet greatly harms their business. Lastly, the fact that companies use the internet to provide goods and services and to advertise greatly increases the seriousness of such attacks (Garg & Reddy, 2006:522).

Preventive measures try either to stop DDoS attacks altogether or to allow targeted or potential victims to withstand an attack without denying service to their legitimate clients. Attack prevention countermeasures can be taken on zombies or on victims. This means that a system's configuration can be redesigned to reduce the possibility of accepting a DDoS attack or unwillingly participating in one. Hosts need to be alert to illegitimate traffic towards or from the machine. Keeping software and protocols up to date reduces a computer's vulnerability. Regular scanning of the machine is also necessary to identify any abnormal behavior. Examples of system security mechanisms include installing, applying and monitoring firewall systems, security patches, intrusion detection systems and virus scanners that run automatically.
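
As an added illustration (not part of the original paper), the Python example below shows one way a host can stay alert to illegitimate inbound traffic of the DRDoS kind described above: it flags replies that match no request the host itself sent. The record format, thresholds and addresses are assumptions, and the sample events are constructed.

```python
"""Victim-side check for reflected (DRDoS) traffic: replies nobody asked for."""
from collections import deque

# All four values are assumed for illustration and would be tuned per network.
REQUEST_TTL = 5.0   # seconds an outbound request stays "outstanding"
WINDOW = 10.0       # sliding window for counting unsolicited replies
MIN_REPLIES = 6     # alert when this many unsolicited replies are in the window
MIN_SOURCES = 3     # ...and they come from at least this many distinct senders


def detect_reflection(events, local_ip):
    """events: time-ordered (ts, src, dst, proto, kind); kind is 'request' or 'reply'.

    Returns one (ts, reply_count, source_count) alert each time the burst
    threshold is first crossed.
    """
    outstanding = {}       # (peer, proto) -> time of our last request to that peer
    unsolicited = deque()  # (ts, src) of replies with no matching request
    alerts = []
    alerting = False
    for ts, src, dst, proto, kind in events:
        if src == local_ip and kind == "request":
            outstanding[(dst, proto)] = ts
            continue
        if dst != local_ip or kind != "reply":
            continue
        asked = outstanding.get((src, proto))
        if asked is not None and ts - asked <= REQUEST_TTL:
            continue  # legitimate answer to a request we really sent
        unsolicited.append((ts, src))
        while unsolicited and ts - unsolicited[0][0] > WINDOW:
            unsolicited.popleft()
        sources = {s for _, s in unsolicited}
        over = len(unsolicited) >= MIN_REPLIES and len(sources) >= MIN_SOURCES
        if over and not alerting:
            alerts.append((ts, len(unsolicited), len(sources)))
        alerting = over
    return alerts


def sample_events():
    """Constructed records: one normal DNS lookup, then replies from four reflectors."""
    me = "192.0.2.10"  # documentation-range addresses, not real hosts
    events = [
        (0.0, me, "198.51.100.53", "dns", "request"),
        (0.1, "198.51.100.53", me, "dns", "reply"),  # solicited, ignored
    ]
    reflectors = ["203.0.113.%d" % i for i in range(1, 5)]
    for n in range(8):  # eight TCP replies (e.g. SYN-ACKs) we never requested
        events.append((1.0 + 0.25 * n, reflectors[n % 4], me, "tcp", "reply"))
    return events


if __name__ == "__main__":
    print(detect_reflection(sample_events(), "192.0.2.10"))
```
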
Early warning systems, or reactive systems, try to single out the attack and respond to it immediately. They thereby largely lessen the impact of the problem on the victim or its clients (Moore & Shannon, 2009).

Conclusion

The internet can be described as unstable and, as such, ever evolving. This means that DDoS remedies and countermeasures quickly become obsolete. New services are offered through the internet, and new attacks are initiated to hinder clients from gaining access to these services. The basic question, however, is whether DDoS attacks signify a network issue, an individual issue, or both. If the problem is mainly network-based, alterations to internet protocols could be the solution. Specifically, routers could filter malicious traffic, and redirection would cause no problems, mainly because attackers could not spoof IP addresses. If the issue is individual, the mitigation could come from an antivirus program or an effective IDS. Zombie armies could then not be created, since systems would not be compromised. It appears that both the network and individual hosts constitute the issue. Consequently, countermeasures should be taken on each side. Security developers and legitimate users should also cooperate to mitigate the threats, since the attackers are doing the same as they devise the best means of attacking. The resolution will come from combining individual and network countermeasures.

Reference List

Alefiya, H., Heidemann, J. & Papadopoulo, C. (2003). A Framework for Classifying Denial of Service Attacks.
Axelsson, S. (2010). Intrusion Detection Systems: A Survey and Taxonomy. Technical Report 99-115, Department of Computer Engineering, Chalmers University.
Garg, A. & Reddy, A. L. (2004). Mitigation of DoS attacks through QoS regulation. Microprocessors and Microsystems, 28(10), 521-530.
Gibson, S. (2010). Distributed Reflection Denial of Service: Description and Analysis of a Potent, Increasingly Prevalent, and Worrisome Internet Attack.
Ho Chung (2006). An Evaluation on Defensive Measures against Denial-of-Service Attacks, fall
Manzano, Y. (2008). Tracing the Development of Denial of Service Attacks: A Corporate Analogy. Retrieved from http://www.acm.org/crossroads/xrds10-1/tracingDOS.html
Mirkovic, J., Martin, J. & Reiher, P. (2009). A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. UCLA.
Moore, D. & Shannon, C. (2009). The Spread of the Code Red Worm (crv2). Retrieved from http://www.caida.org/analysis/security/codered/coderedv2_analysis.xml
Peng, T., Leckie, C. & Ramamohanarao, K. (2004). Proactively detecting distributed denial of service attacks using source IP address monitoring. In NETWORKING 2004. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications (pp. 771-782). Springer Berlin Heidelberg.
Weaver, N. (2005). Potential Strategies for High Speed Active Worms: A Worst Case Analysis. U.C. Berkeley BRASS group.