ddos notes

Upload: rohinirathod5977

Post on 10-Apr-2018

8/8/2019 Ddos Notes 1/23

DDoS Attacks

A bot network or botnet is a collection of computers that have been infected by a software application called a bot. A bot typically installs itself using a security vulnerability either in the user's operating system or in one of their software applications. By exploiting the vulnerability, the bot can install itself on the system automatically, with no user interaction required. A bot can also be installed by a worm or a Trojan that arrives via spammed email. Once the bot is installed, the computer joins a larger collection of bot-infected computers referred to as zombies, and can be controlled by a remote malicious user without the knowledge or permission of the computer's rightful owner.

DDOS ATTACKS: A GROWING THREAT

DDoS attacks intentionally deprive legitimate users of Internet resources, typically by overloading a network with a flood of data packets from multiple sources. Attackers usually create the Denial of Service condition either by consuming server bandwidth or by impairing the server itself.

Today, malevolent actors are enlisting the help of compromised computers to form botnets capable of launching major attacks against unsuspecting victims. Estimates suggest that anywhere between 4 and 6 million computers are actively used in botnets at any time. These botnets harness the processing power and bandwidth of thousands of compromised computers to bring down the largest and most sophisticated networks. Some reports estimate that more than 10,000 attacks occur each day, with many ISPs reporting attacks in excess of 10 Gbps.

What is a DoS or DDoS attack?

A Denial of Service attack or Distributed Denial of Service attack occurs when a single host (DoS), or multiple hosts (DDoS), send legitimate traffic to a target with malicious intent for the purpose of disrupting an application or service either temporarily or permanently. Targets can include, but are not limited to, Web servers, DNS servers, application servers, routers, firewalls, and Internet bandwidth.

Can I set up my firewall to thwart a DDoS attack?

Firewalls are not designed to mitigate DDoS attacks. Using a firewall for mitigation could cause the CPU to spike and deplete memory resources. Also, firewalls don't have anomaly detection capabilities.


Can I set up my router to thwart a DDoS attack?

Routers cannot block spoofed IP sources or manually trace back to thousands of IP addresses, which makes Access Control Lists (ACLs) useless against DDoS attacks.

A zombie is a computer that has been silently infected with a virus, giving unauthorized or remote users the ability to control it. Once a computer has been turned into a zombie, hackers use it to commit a wide range of crimes by linking it with a network of thousands of other infected computers. Networks of zombie computers are used by hackers to send spam, viruses, phishing emails and pornography from within unwitting organizations. Sophos estimates that over 60% of all spam originates from hijacked computers. Zombies have been found in organizations of all kinds, from financial planning companies to universities and nursing homes. They cause business disruption, network damage, information theft and harm to an organization's reputation.

Can I set up my inline IPS or my IDS to thwart a DDoS attack?

Yes, but IPSs and IDSs require extensive manual tuning that takes time and can leave you vulnerable. An IDS traditionally sits behind the firewall with an uplink to a router or switch that sits in front of the firewall. An IDS issues an alert when it detects an anomaly. At that point, the attack traffic is already consuming your Internet bandwidth with the potential of saturating the link, which can cause the CPU to spike and deplete memory resources. An IPS has the capability to work as an anomaly detector; however, it requires several weeks for an IPS to understand normal traffic patterns and frequent manual tuning to specify which traffic is allowed and which should be alerted on or blocked.

What about blackholing the IP address(es)?

Blackholing an IP address or a range of IP addresses can result in legitimate packets being discarded along with malicious attack traffic, which means the attacker wins. If an ISP performs the blackhole, they must first identify the source of the traffic, which can cost valuable time, and may still end up blocking legitimate traffic.

The increasing frequency and severity of Distributed Denial of Service (DDoS) attacks is rapidly changing the face of network security. Driven by financially, politically, or technologically motivated criminals, these attacks routinely exceed the largest events of only a few years ago. Stopping them at organizational network borders has become an expensive and often ineffective solution. As a result, DDoS mitigation has become one of the top security issues for any organization conducting business online.

Fast and invisible

Zombies typically operate without the end user's knowledge, and the damage they cause to organizations builds up unnoticed. For example, zombies are often programmed to keep their true nature hidden by waking up for very short periods in order to send spam before becoming dormant again.

How computers become zombies

A computer becomes a zombie when a bot, or automated software robot, is installed on it, giving a hacker control and making the computer part of a zombie network, or botnet. Once a zombie has been created it can then be used to turn other computers into zombies. For the bot to be installed, an Internet port needs to be opened on the computer. Back doors (open Internet ports) are opened by viruses, worms or Trojan horses when they infect computers. After the back door is opened, the bot is installed, often by the same virus, and the computer becomes a zombie. In some cases it is hackers who install the bot, having searched for open ports through which they can access the computer, although the increased use of Windows XP with SP2's firewall has significantly reduced this. One of the most common ways in which viruses infect computers and turn them into zombies is by exploiting operating system vulnerabilities. Toolkits can even be downloaded from the Internet for free, allowing zombies to be created quickly to exploit new operating system vulnerabilities before they are patched. Viruses also spread through social engineering techniques, where recipients of emails with a viral payload are tricked into activating them by opening an attachment or by clicking on a link. A common method of activating zombies once they have been created is to program them to monitor a chatroom. When the hackers type a specific command into the chatroom, the zombies awake and carry out their instructions. Zombies can also carry out pre-programmed instructions. For example, in May 2005, the Sober-Q Trojan horse and Sober-N worm worked in tandem to infect and hijack computers around the world, programming them to send out German nationalistic spam during an election. However, the complexity of some networks, combined with the speed and intensity of attacks, demands a contingency solution.

Behind a Client is a person who orchestrates an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that runs a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.

What is a Denial of Service Attack?

Denial of Service (DoS) attacks are network-based attacks that prevent access to a service. DoS attacks disable a network service by flooding connections, crashing servers or programs running on the servers, exhausting server resources, or otherwise preventing legitimate clients from accessing the network service.

DoS attacks range from single-packet attacks that crash servers to coordinated packet floods from multiple hosts. In single-packet attacks, a carefully crafted packet that exploits a known operating system or application vulnerability is sent through the network to disable a server and/or any associated services it performs. The Slammer worm exploited one such vulnerability. In a flood attack, server or network resources are corrupted or exhausted by a flood of packets. Since a single site launching a flood can be identified and isolated fairly easily, a more sophisticated approach, called a Distributed DoS (DDoS) attack, is the tool of choice for many flood attacks.

The Evolution of Denial of Service Attacks

Although the methods and motives behind Denial of Service attacks have changed, the fundamental goal of attacks, to deny legitimate users some resource or service, has not. Similarly, attackers have always looked, and will continue to look, for methods to avoid detection. The evolution in the technology of DoS attacks originates from this fundamental premise: establish a denial of service condition without getting caught. Malicious actors constantly explore new ways to leverage today's technology to meet their goals. Attackers work hard to engineer new techniques to distance themselves from the victim while amplifying the impact of their attack. Much of the evolution in DoS attacks goes hand-in-hand with the use and popularity of botnets. Botnets provide the perfect tool to help magnify the impact of an attack while distancing the attacker from the victim.

Building a Botnet

The earliest DoS attacks utilized one host machine to create the denial of service condition. Because of the ease of detection and, in turn, mitigation of this type of attack, attackers rapidly migrated to a more distributed model. The Distributed Denial of Service (DDoS) attack leverages multiple sources to create the denial-of-service condition. By using multiple sources to attack a victim, the mastermind is not only able to amplify the magnitude of the attack, but can better hide his or her actual source IP address. The more layers that the attacker can place between themselves and the victim, the greater the chances of avoiding detection. Today's DoS attacks are generally all distributed in nature because of the ease with which malicious actors can compromise other devices and leverage them for their purposes. Once a computer is compromised, the controller can leverage it to engage in nefarious activities. This collection of compromised devices, or a botnet, is the launching pad for many of today's Internet threats. From spam to phishing, compromised devices sit at the core of many of today's Internet security challenges. Attackers gain control of other computers by exploiting vulnerabilities in their operating system or other software. The rapid expansion of the Internet, lack of sufficient security tools, and illegally copied operating systems make the landscape ripe for malicious actors to prey upon a host of system vulnerabilities. As a result, botherders are gathering and organizing attack machines in record numbers.

    Figure 1 - Sample Anatomy of a DDoS Attack

Individually, each compromised device, or bot, can send small volumes of traffic that may do little harm. Collectively, though, the network of compromised devices is capable of launching devastating DDoS attacks. Malicious actors have automated the harvesting process in order to compromise vast numbers of systems in a relatively short period of time. The largest botnets are amassed via Internet worms which compromise the victim computer and then use it as a launching pad to immediately compromise other computers. The Kraken botnet, which reportedly overtook Storm as the largest botnet on the Internet, is suspected to have 400,000 active bots, according to researchers at security firm Damballa (Higgins, 2008).

Botnets and DDoS

The connection between botnets and DDoS attacks is so intertwined that it is difficult to separate the two. According to a recent Yankee Group study of Tier 1 ISPs (Partridge, 2007), DDoS attacks ranked first on a list of security threats, with botnets a close second. Malicious actors continue to leverage botnet technology to enhance the effectiveness of DDoS attacks. Over time, attack profiles have changed, enabling the mastermind to distance himself or herself from the actual attack. The first phase of this evolution was the shift from standard DoS to DDoS attacks. Attackers soon realized that they could further separate themselves from the attack by introducing server bots for command and control purposes. By communicating with a few command and control server bots, attackers could manage hundreds and even thousands of client bots. Recently, malicious actors complicated the attack by introducing new layers to the architecture. Distributed Reflector Denial-of-Service Attacks (DRDoS) take advantage of uncompromised devices that unwittingly participate in the attack. Typically seen through the use of DNS servers that act as the reflector, the design of the attack sends several times more traffic to the victim than was sent to the reflector. A case study in section 2.4 discusses the DRDoS attack in more detail.

Using Technology Against Us

DDoS attackers are using all aspects of networking technology to perform their assaults. Some of the very tools that were designed to help support the growth of the Internet are now being leveraged to conduct attacks. From misuse of the TCP three-way handshake to incorporating the Domain Name System into attack scenarios, malicious actors are constantly evolving.

SYN Flood. During the early days of network protocol development, few envisioned attackers utilizing the three-way handshake of a TCP connection's establishment (the SYN, SYN-ACK, ACK sequence) to perform DDoS attacks. Today, SYN-flood attacks are one of the most common DDoS attack profiles on the Internet. Although more sophisticated variants of the attack are evolving (see Manzano, 2004), some organizations still fall victim to the basic approach that earlier attackers discovered (opening multiple connections with illegitimate SYN requests that deny legitimate users connection capability).

UDP Misuse. Misuse of UDP is another great example of repurposing legitimate Internet technologies for malicious purposes. User Datagram Protocol was designed to be a quick, easy method of transferring small amounts of data like DNS queries and answers. Unfortunately, quick and easy is ripe for attacker misuse. Forging the header information, specifically the source IP address, within UDP packets has also become easy, and attackers readily use the technique to mask their identity from legitimate users.

Encryption. Although encryption is a necessary security tool to protect the data of organizations and individuals, criminals have used it for decades to hide the secrets of their misdeeds. After security analysts and law enforcement agencies discovered that botmasters utilize unencrypted IRC channel directives to control botnets, attackers now encrypt the command and control signals of their botnets.

Fast-Flux. The evolution of the technology that attackers are taking advantage of continues today with the recent trend in fast-flux networks. Here, botnets manipulate DNS records to hide malicious Web sites behind a rapidly changing network of compromised hosts acting as proxies. The fast-flux trend reflects the need for attackers to try to mask the source of their attacks so that they are able to sustain the botnet for as long as possible.
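As an added example, not code from these notes or any work they cite, the following Python shows what a victim-side detector for the two abuses above looks like: a SYN flood shows up as many half-open connections (SYN seen, client ACK never seen) from many distinct sources, and DNS reflection shows up as DNS responses arriving for queries the victim never sent. The flow records, the addresses (RFC 5737 documentation ranges) and the alert thresholds are constructed assumptions for the example.

```python
"""Detect SYN-flood and DNS-reflection signatures in a batch of flow records.

The records below are constructed for this example; they stand in for what a
flow exporter or packet-capture summary at the victim's edge would produce.
Each record is (proto, src, sport, dst, dport, tcp_flags, bytes); tcp_flags is
"" for UDP. The victim under test is 203.0.113.10.
"""

FLOWS = [
    # Normal TCP handshakes that complete (SYN, then an ACK from the same client).
    ("tcp", "198.51.100.5", 40001, "203.0.113.10", 80, "S", 60),
    ("tcp", "198.51.100.5", 40001, "203.0.113.10", 80, "A", 52),
    ("tcp", "198.51.100.6", 40002, "203.0.113.10", 80, "S", 60),
    ("tcp", "198.51.100.6", 40002, "203.0.113.10", 80, "A", 52),
    # Half-open connections: SYNs from many distinct sources, never followed by ACK.
    *[("tcp", f"192.0.2.{i}", 1024 + i, "203.0.113.10", 80, "S", 60) for i in range(1, 41)],
    # Legitimate DNS: a client asks its resolver and gets one answer back.
    ("udp", "198.51.100.5", 51000, "198.51.100.53", 53, "", 70),
    ("udp", "198.51.100.53", 53, "198.51.100.5", 51000, "", 300),
    # Reflected DNS responses hitting the victim from resolvers it never queried.
    *[("udp", f"192.0.2.{100 + r}", 53, "203.0.113.10", 40000 + r, "", 3500) for r in range(3)],
]


def syn_flood_indicators(flows, victim, dport):
    """Return (half_open, distinct_sources, half_open_ratio) for TCP flows to victim:dport."""
    syn_seen, ack_seen = set(), set()
    for proto, src, sport, dst, dp, flags, _ in flows:
        if proto != "tcp" or dst != victim or dp != dport:
            continue
        key = (src, sport)
        if "S" in flags:
            syn_seen.add(key)
        if "A" in flags:
            ack_seen.add(key)
    half_open = syn_seen - ack_seen          # SYN with no ACK from the client side
    ratio = len(half_open) / len(syn_seen) if syn_seen else 0.0
    return len(half_open), len({src for src, _ in half_open}), ratio


def unsolicited_dns_responses(flows, victim):
    """Return (count, total_bytes, reflectors) for DNS answers with no matching query."""
    queries = set()                          # (server, client_port) the victim really asked
    for proto, src, sport, dst, dp, _, _ in flows:
        if proto == "udp" and src == victim and dp == 53:
            queries.add((dst, sport))
    count, total, reflectors = 0, 0, set()
    for proto, src, sport, dst, dp, _, nbytes in flows:
        if proto == "udp" and dst == victim and sport == 53 and (src, dp) not in queries:
            count += 1
            total += nbytes
            reflectors.add(src)
    return count, total, sorted(reflectors)


def assess(flows, victim, dport=80, min_half_open=20, min_ratio=0.8):
    """Combine both indicators into alert strings; thresholds are assumptions."""
    alerts = []
    half_open, sources, ratio = syn_flood_indicators(flows, victim, dport)
    if half_open >= min_half_open and ratio >= min_ratio:
        alerts.append(f"syn_flood: {half_open} half-open from {sources} sources (ratio {ratio:.2f})")
    n, nbytes, refl = unsolicited_dns_responses(flows, victim)
    if n:
        alerts.append(f"dns_reflection: {n} unsolicited responses, {nbytes} bytes, reflectors {refl}")
    return alerts


if __name__ == "__main__":
    for line in assess(FLOWS, "203.0.113.10"):
        print(line)
```

The half-open ratio matters more than the raw count: a busy site sees many SYNs, but under normal load almost all of them are followed by an ACK. Unsolicited DNS responses are the victim-side view of reflection, since the spoofed queries that triggered them are never seen at the victim; the amplification ratio itself is only measurable at the reflector.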

Glossary

Bot/Zombie: a computer compromised with the intention of using it to commit cyber-crimes.

Botnet: a collection of compromised, networked computers used to commit cyber-crime.

Botmaster: a cyber-criminal that uses botnets to commit his crimes.

DoS Attack: Denial of Service Attack. A criminal attack where the goal is to prevent a computing resource from being used.

DDoS Attack: Distributed Denial of Service Attack. A DoS attack where the source attacker is not one computer or device, but several of them, typically located in disparate locations.

DRDoS Attack: Distributed Reflector Denial of Service Attack. A DDoS attack that is amplified by a reflector. A reflector is typically an uncompromised device that unwittingly participates in a DDoS attack. Due to the design of the attack, it sends several times more traffic to the victim than what was sent to it.

III. EVALUATION OF TRACEBACK SYSTEMS

This section presents current state-of-the-art approaches to IP traceback and evaluates them against the ideal system. An overview of an ideal traceback system is given below.

Able to trace the attacker with a single packet.
Minimal processing overhead during traceback.
Very low level of ISP involvement.
Classification-based evaluation: no packet is transformed by the technique.
Limited amount of additional memory required at the dedicated server, and no additional memory required on network equipment (routers and switches).
A high level of protection is preferred in a traceback.
Network-overhead-based evaluation.
Router-overhead-based evaluation.
Correctly traces back attacks consisting of packets that undergo any number of transformations of any type.
Producing meaningful traces is limited to the range of deployment of the traceback system.

Those are some of the ways of evaluating the different traceback mechanisms.


DDoS Mitigation Challenges: Why Traditional Tactics Aren't Sufficient

While many organizations are increasingly concerned about the DDoS threat, few organizations have specific DDoS protection mechanisms in place. Those that do address DDoS often rely on approaches that lack the capacity and agility to mitigate attacks rapidly, and preferably before they reach the network. Despite popular belief, the following measures, when implemented within most organizations, are insufficient to mitigate today's diverse, large-scale attacks:

Over-provisioning of bandwidth. Although over-provisioning of bandwidth is one of the most common anti-DDoS measures, it is neither cost efficient nor highly effective for most organizations. It is not uncommon for organizations to spend an extra 75 percent for bandwidth beyond what they need to handle peak loads, and over-provisioning becomes useless as soon as an attack exceeds the amount of bandwidth that has been provisioned. In addition, over-provisioning only addresses network-level attacks, not application- or OS-level attacks. With attacks now capable of carrying more than one million packets per second (Mpps), even the most well-provisioned network can be overwhelmed.

Firewalls. Whereas firewall management used to be a sufficient strategy to manage denial of service (DoS) attacks, botnets and reflectors have since reduced the effectiveness of blocking attacks at the network edge. Using a firewall for mitigation may cause the CPU to spike and deplete memory resources. In addition, firewalls do not have anomaly detection capabilities.

Intrusion detection system (IDS). An IDS device typically sits behind the firewall and links to a router in front of the firewall. Like an IPS (discussed in the next bullet), an IDS is designed and fine-tuned to inspect for single malicious packets. Neither IDS nor IPS devices are designed to handle high-volume attacks. Using them for DDoS mitigation can impact performance in their intended role of intrusion mitigation. In addition, by the time an IDS detects an anomaly and issues an alert, attack traffic is already consuming Internet bandwidth, potentially saturating the network, causing the CPU to spike, and depleting memory resources.

Intrusion prevention system (IPS). An IPS has the capability to work as an anomaly detector; however, it can require a few weeks to understand normal traffic patterns, and then organizations (or their IPS vendors) must spend several more days on manual tuning to specify which traffic is allowed and which should be alerted on or blocked. For this reason, threat signature updates often occur too late to block a DDoS attack. In addition, many IPS devices rely on vendor-specific threat information, so they are not tuned and updated to address the full range of threats, which may include DDoS attack signatures. Finally, IPS devices are limited in the number of TCP sessions and amount of bandwidth that they can handle at a given moment. When overloaded, they shut down.

Routers. Routers cannot block spoofed IP sources (which are a leading source of DDoS packets) or manually trace back to thousands of IP addresses, rendering access control lists (ACLs) useless against DDoS attacks.

Blackhole routing. Black hole routing an IP address or a range of IP addresses (i.e., intentionally causing packets coming from a specific IP address to be discarded rather than forwarded) can protect your resources from the ill effects of DDoS, but can also result in legitimate packets being discarded along with malicious attack traffic, effectively ensuring that the attack is successful in disrupting your operations.

Reliance on Internet service provider (ISP) mitigation. Many organizations assume that their ISP provides DDoS protection without inquiring specifically about service level agreements, attack reporting, bandwidth capabilities, black hole routing, and other important details of third-party DDoS mitigation.

Abstract: The Internet has experienced a tremendous growth in its size and complexity since its commercialization. Internet hosts are threatened by large-scale Distributed Denial-of-Service (DDoS) attacks. DDoS attacks typically rely on compromising a large number of hosts to generate traffic to a single destination; the severity of DDoS attacks will likely increase as greater numbers of poorly secured hosts are connected to high-bandwidth Internet connections. In this study we present the routing instability in the Internet due to IP spoofing and analyze a survey of possible attacks and the controlling mechanisms available.

INTRODUCTION

The Internet consists of a rapidly increasing number of hosts interconnected by constantly evolving networks of links and routers. The Internet connects thousands of Autonomous Systems (ASs) operated by many different administrative domains such as Internet Service Providers (ISPs), companies and universities (Gao, 2001). Routing within an AS is controlled by intra-domain protocols such as Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS) and Routing Information Protocol (RIP).

IP spoofing has often been exploited by DDoS attacks to conceal flooding sources, dilute localities in flooding traffic and coax legitimate hosts into acting as reflectors, redirecting and amplifying flooding traffic (Wang et al., 2007). IP spoofing is also known as IP address forgery and is a hijacking technique in which the hacker masquerades as a trusted host to gain access to a network. Spoofing is a process whereby one entity masquerades as another.

IP networks are vulnerable to forged source addresses in packet headers. DDoS attacks block legitimate access by either exhausting victim servers' resources or saturating stub networks' access links to the Internet. By masquerading as a different host an attacker can hide its actual identity and location, rendering source-based packet filtering less effective. Many popular attacks use IP spoofing and require the ability to forge source addresses. DDoS attacking tools spoof IP addresses by randomizing the 32-bit source address field in the IP header (Dietrich, 2000), which conceals attacking sources and dilutes localities in attacking traffic. IP spoofing remains popular for a number of reasons: it makes isolating attack traffic from legitimate traffic harder, since packets with spoofed source addresses may appear to be from all around the Internet, and it presents the attacker with an easy way to insert a level of indirection (Duan et al., 2008).

During a DDoS attack the attacker increases the amount of illegitimate traffic originating from the systems under the user's control (Snyder et al., 2007). This results in a positive increase by some ratio, where 01, relative to the traffic that was present in the system to begin with. The attacker is analyzed into four kinds as follows:

Random: the ratio of attack traffic for each division of the attack dimension is a randomly chosen normalized distribution.

Base: attack traffic is spread so that it matches the distribution for divisions in the base traffic distribution for the attack dimension.

Uniform: attack traffic is spread evenly amongst the divisions in the attack dimension.

Loaded: the attacker directs all of the attack traffic at the initial division of the attack dimension.

In order to analyze all possible moves for attacker and defender, a sensitivity matrix was generated for all four kinds of attacker.
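To make the four attacker kinds concrete, here is an added Python model that is not from the cited study: the attack dimension is split into n divisions (source /24 prefixes, say), the attacker adds `ratio` times the total base volume spread according to the chosen kind, and the defender's move is a per-division threshold relative to the base. The sensitivity matrix reports how much of the attack traffic lands in divisions the defender would flag. The base vector, the threshold defender and the specific numbers are assumptions of this example.

```python
"""Model the random / base / uniform / loaded attack-spreading strategies.

Example code for these notes, not from any cited paper. A division is one slot
of the attack dimension; base[i] is the legitimate volume in division i.
"""
import random

KINDS = ("random", "base", "uniform", "loaded")


def attack_shares(kind, base, rng=None):
    """Fraction of the attack traffic sent into each division (sums to 1.0)."""
    n = len(base)
    if kind == "random":
        rng = rng or random.Random(0)            # seeded so the example is repeatable
        weights = [rng.random() for _ in range(n)]
        total = sum(weights)
        return [w / total for w in weights]      # normalised random distribution
    if kind == "base":
        total = sum(base)
        return [b / total for b in base]         # mirrors the base distribution
    if kind == "uniform":
        return [1.0 / n] * n                     # spread evenly
    if kind == "loaded":
        return [1.0] + [0.0] * (n - 1)           # everything at the first division
    raise ValueError(f"unknown attacker kind: {kind}")


def apply_attack(base, ratio, shares):
    """Observed per-division traffic: base plus ratio * sum(base) spread by shares."""
    extra = ratio * sum(base)
    return [b + extra * s for b, s in zip(base, shares)]


def threshold_defender(base, observed, tolerance):
    """Defender move (assumed): flag a division whose traffic exceeds (1 + tolerance) * base."""
    return [obs > (1 + tolerance) * b for b, obs in zip(base, observed)]


def blocked_fraction(kind, base, ratio, tolerance, rng=None):
    """Share of the attack traffic that falls into divisions the defender flags."""
    shares = attack_shares(kind, base, rng)
    flagged = threshold_defender(base, apply_attack(base, ratio, shares), tolerance)
    return sum(s for s, f in zip(shares, flagged) if f)


def sensitivity_matrix(base, ratios, tolerances, seed=0):
    """Rows: attacker kind; cells: blocked fraction for each (ratio, tolerance) pair."""
    return {
        kind: {
            (r, t): round(blocked_fraction(kind, base, r, t, random.Random(seed)), 3)
            for r in ratios
            for t in tolerances
        }
        for kind in KINDS
    }


if __name__ == "__main__":
    base = [128, 64, 32, 32]                     # constructed legitimate volumes
    for kind, cells in sensitivity_matrix(base, [0.25, 0.5, 1.0], [0.25, 0.5]).items():
        print(kind, cells)
```

The instructive row is "base": an attacker who mirrors the legitimate distribution raises every division by the same factor, so a proportional threshold set at exactly that factor flags nothing, while a "loaded" attacker is caught completely by the same defender.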

A DDoS attack presents a very serious threat to the stability of the Internet. In it, a large number of hosts are amassed to send useless packets to jam a victim or its Internet connections (Song and Manjkopoulos, 2006). There are two reasons why defending against DDoS attacks is challenging. First, a very large number of attackers is involved in a DDoS attack. Even if the volume of traffic sent by a single attacker might be small, the volume of aggregated traffic arriving at the victim host is overwhelming. Secondly, it is very difficult to trace the attack traffic back to its sources, since attackers usually spoof their IP addresses (Chen et al., 2007).

DDoS defenses can be considered as two distinct approaches, the router-based approach and the host-based approach. In the router-based approach the required defense mechanisms are installed inside the IP routers. This is used to trace the source of the attack or to detect and block the attacking traffic. It requires not only router support but also coordination among different routers and networks, which calls for widespread deployment. In the host-based approach an Internet server uses resource management schemes, or significantly reduces its resource consumption, to withstand the flooding traffic.

DDoS defense can be categorized into four classes: prevention, detection, mitigation and response. Among these, mitigation techniques can be categorized into two. The first treats mitigation as a resource allocation problem, employing techniques such as client puzzles, max-min server-centric router throttles or differentiated service to allocate network or server resources to clients in a fair fashion, thus preventing attackers from consuming an excessive amount of network resources. The second counters attacks by filtering or rate-limiting attack packets, and consists of two modules: an attack detection module and a packet filtering module.
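Client puzzles are listed above as one resource-allocation mitigation; as an added example (not from these notes or any work they cite), here is a hash-based client puzzle in Python. The server issues a cheap, HMAC-authenticated challenge bound to the client's address and an expiry, the client spends CPU finding a counter whose SHA-256 digest has the required number of leading zero bits, and the server verifies with a single hash. The difficulty schedule, the 30-second expiry and the address binding are assumptions of this example.

```python
"""Client puzzle: make each connection attempt cost the client work, cheaply checked.

Example code for these notes. The server keeps no per-client state: the
challenge carries an HMAC over (client_ip, expiry, nonce, bits) so forged or
replayed challenges are rejected before any hashing is done.
"""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # constructed per-process secret; rotate in practice
CHALLENGE_TTL = 30               # seconds a challenge stays valid (assumption)


def _mac(client_ip, expires, nonce, bits):
    msg = f"{client_ip}|{expires}|{nonce}|{bits}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(client_ip, difficulty_bits, now=None):
    """Server side: build a stateless, authenticated challenge for this client."""
    expires = int(now if now is not None else time.time()) + CHALLENGE_TTL
    nonce = os.urandom(16).hex()
    return {"ip": client_ip, "expires": expires, "nonce": nonce,
            "bits": difficulty_bits, "tag": _mac(client_ip, expires, nonce, difficulty_bits)}


def _leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _puzzle_digest(challenge, counter):
    data = f"{challenge['nonce']}|{challenge['bits']}|{counter}".encode()
    return hashlib.sha256(data).digest()


def solve_challenge(challenge):
    """Client side: brute-force a counter; expected cost grows as 2 ** bits."""
    counter = 0
    while _leading_zero_bits(_puzzle_digest(challenge, counter)) < challenge["bits"]:
        counter += 1
    return counter


def verify_solution(challenge, counter, client_ip, now=None):
    """Server side: authenticate the challenge, check expiry, then one hash."""
    now = now if now is not None else time.time()
    expected = _mac(client_ip, challenge["expires"], challenge["nonce"], challenge["bits"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False          # not issued by us, or bound to a different client
    if now > challenge["expires"]:
        return False          # stale solution; cannot be stockpiled and replayed
    return _leading_zero_bits(_puzzle_digest(challenge, counter)) >= challenge["bits"]


def difficulty_for_load(pending_connections, capacity):
    """Adaptive difficulty (assumption): free when idle, +2 bits per 10% of capacity
    consumed above the halfway mark, capped at 20 bits."""
    if pending_connections < capacity // 2:
        return 0
    over = pending_connections - capacity // 2
    return min(20, 2 * ((10 * over) // capacity + 1))


if __name__ == "__main__":
    ch = issue_challenge("198.51.100.7", difficulty_for_load(900, 1000))
    answer = solve_challenge(ch)
    print("difficulty", ch["bits"], "counter", answer, "valid", verify_solution(ch, answer, "198.51.100.7"))
```

The asymmetry is the point: each extra bit doubles the client's expected work while the server's verification stays at one HMAC and one SHA-256, so under load the server can raise the difficulty and shed clients that will not pay for a connection.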

The attack detection module is used to extract the characteristics of attack packets, or attack signatures, such as source IP addresses or marked IP header values. This information is then used by the packet filtering module to filter malicious packets. The attack detection module is placed near the victim and the packet filtering module is placed as close to the attacker as possible (Chang, 2002).

Instead of subverting services, DDoS attacks limit and block legitimate users' access by exhausting victim servers' resources or saturating stub networks' access links to the Internet (Venkatesu et al., 2008). Attackers often spoof IP addresses by randomizing the 32-bit source address field in the IP header to conceal flooding sources and localities in flooding traffic.

Each spoofed packet sent toward the victim's IP address masquerades under a forged source IP address. Because of the stateless and destination-based routing of the Internet, it is difficult to counter IP spoofing. The IP protocol lacks the control to prevent a sender from hiding the origin of its packets, and destination-based routing does not maintain state information on senders and forwards each IP packet toward its destination without validating the origin of the packet.

CONTROL MECHANISM

In DDoS attacks IP spoofing is exploited to conceal flooding sources and localities in flooding traffic and to amplify flooding traffic. The ability to filter spoofed IP packets near victims is essential to their own protection as well as to avoiding their becoming involuntary participants in attacks. Although an attacker can forge any field in the IP header, they cannot falsify the number of hops an IP packet takes to reach its destination. Basically there are two different control approaches for preventing DDoS attacks. The first is a router-based controlling mechanism and the second is a victim-based controlling mechanism. The router-based approach makes improvements to the routing infrastructure while the victim-based approach enhances the resilience of Internet servers against attacks.

  • 8/8/2019 Ddos Notes

    13/23

    The router-based control mechanism installs defense mechanisms inside IP routers to trace the origin of an attack or to detect and block attacking traffic. This approach not only requires router support but also coordination among different routers and networks, and wide-spread deployment to reach its potential. Inside a router, both off-line analysis of flooding traffic and on-line filtering of DDoS traffic are performed in the router-based control approach.

    Off-line IP traceback attempts to establish procedures to track down flooding sources and pinpoint their locations, but it does not help sustain service availability during an attack (Savage et al., 2000). To detect abnormal traffic patterns and foil DDoS attacks, on-line filtering mechanisms rely on IP router enhancements. For efficient prevention, coordination among different routers and networks and wide-spread deployment are needed in addition to router support.

    Implementation of security mechanisms in the host is provided by the victim-based control approach (CERT, 2000). A potential victim has a much stronger incentive than network service providers to deploy defense mechanisms. This approach uses sophisticated resource management schemes which provide accurate resource accounting and fine-grained service isolation and differentiation.

    So victim-based filtering that detects and discards spoofed traffic without any router support is essential to protecting against DDoS attacks. However, due to the resource depletion caused by spoofed IP packets, the victim-based approach is unlikely to be able to sustain service availability under intense attacks. Moreover, because this mechanism works at the transport layer, it cannot prevent the victim server from consuming CPU resources in servicing interrupts from spoofed IP traffic.

    CONCLUSION

    Spoofing-based attacks have severe consequences and are widespread across much of the present-day Internet. Tracing back the origin of an Internet attack is therefore of strategic importance for cyberspace security.

    From the survey it is observed that each method has certain features that make it more suitable to implement in one situation than another. The routing instability in the Internet due to IP spoofing is depicted in this study, and a survey of possible attacks and of the available controlling mechanisms is made.

    RECOMMENDATION

    By introducing a filter function on the forwarding path of the packets, the cost can be analyzed. Research can also be done on the AS relationships and routing information, which improves the performance of IP spoofing detection. For Internet security it is essential to trace back to the original source of the attacks. IP spoofing makes it difficult for the victim to determine an IP packet's origin. As a result, there is a need for a mechanism that could rapidly trace back to the origin of attacks on behalf of the victim. Traceback can be performed by intelligent techniques to get better performance.

    The primary function of EBGP is to exchange network reachability information between autonomous systems, including information about the list of autonomous system routes. The autonomous systems use EBGP border edge routers to distribute the routes, which include label switching information. Each border edge router rewrites the next-hop and MPLS labels.

    IP traceback is a name given to any method for reliably determining the origin of a packet on the Internet. Due to the trusting nature of the IP protocol, the source IP address of a packet is not authenticated. As a result, the source address in an IP packet can be falsified (IP address spoofing), allowing for Denial of Service attacks (DoS) or one-way attacks (where the response from the victim host is so well known that return packets need not be received to continue the attack). The problem of finding the source of a packet is called the IP traceback problem. IP traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DoS attack detection. Such solutions require high numbers of packets to converge on the attack path(s).

    Trace-back of active attack flows

    In this type of solution, an observer tracks an existing attack flow by examining incoming and outgoing ports on routers starting from the host under attack. Thus, such a solution requires having privileged access to routers along the attack path.

    To bypass this restriction and automate this process, Stone proposes routing suspicious packets on an overlay network using ISP edge routers. By simplifying the topology, suspicious packets can easily be re-routed to a specialized network for further analysis.

    This is an interesting approach. By the nature of DoS, any such attack will be sufficiently long-lived for tracking in such a fashion to be possible. Layer-three topology changes, while hard to mask from a determined attacker, have the possibility of alleviating the DoS until the routing change is discovered and subsequently adapted to. Once the attacker has adapted, the re-routing scheme can once again adapt and re-route, causing an oscillation in the DoS attack and granting some ability to absorb the impact of such an attack.

    Router based approach

    With router based approaches, the router is charged with maintaining information regarding packets that pass through it. For example, Sager proposes to log packets and then data mine them later. This has the benefit of being out of band and thus not hindering the fast path.

    Snoeren et al. propose marking within the router. The idea proposed in their paper is to generate a fingerprint of the packet, based upon the invariant portions of the packet (source, destination, etc.) and the first 8 bytes of payload (which is unique enough to have a low probability of collision). More specifically, m independent simple hash functions each generate an output in the range 0 to 2^n - 1. A bit is then set at the index generated, which, combined with the output of all the other hash functions, creates the fingerprint. All fingerprints are stored in a 2^n-bit table for later retrieval. The paper shows a simple family of hash functions suitable for this purpose and presents a hardware implementation of it. [7]

    The space needed at each router is limited and controllable (2^n bits). A small n makes the probability of collision of packet hashes (and false identification) higher. When a packet is to be traced back, it is forwarded to originating routers where fingerprint matches are checked. As time passes, the fingerprint information is clobbered by hashes generated by other packets. Thus, the selectivity of this approach degrades with the time that has passed between the passage of the packet and the traceback interrogation. [7]
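    The digest table described above, as an added example that is not code from the notes or from the SPIE paper: invariant header fields plus the first 8 payload bytes feed m hash functions, each setting one bit in a 2^n-bit table, and a traceback query asks each router whether all bits for a packet are set. The packet fields, router names and the choice of salted SHA-256 as the hash family are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for an IP packet: only the fields the digest needs."""
    src: str
    dst: str
    proto: int
    payload: bytes


def digest_input(pkt: Packet) -> bytes:
    # Hash only hop-invariant fields. TTL and header checksum change at every
    # router, so they are excluded; the first 8 payload bytes separate packets
    # that share the same header.
    return b"|".join([pkt.src.encode(), pkt.dst.encode(),
                      bytes([pkt.proto]), pkt.payload[:8]])


class DigestTable:
    """2^n-bit table written by m independent hash functions (a Bloom filter)."""

    def __init__(self, n: int, m: int) -> None:
        self.n, self.m = n, m
        self.size = 1 << n
        self.bits = bytearray(self.size // 8)

    def _indices(self, pkt: Packet) -> list:
        data = digest_input(pkt)
        # The m "independent" functions are derived by salting SHA-256 with the
        # function number (an assumption; SPIE uses cheap hardware hashes).
        return [int.from_bytes(hashlib.sha256(bytes([k]) + data).digest()[:4],
                               "big") & (self.size - 1) for k in range(self.m)]

    def record(self, pkt: Packet) -> None:
        for i in self._indices(pkt):
            self.bits[i >> 3] |= 1 << (i & 7)

    def may_have_seen(self, pkt: Packet) -> bool:
        # All m bits set: either the packet passed, or other packets' hashes
        # have since clobbered those bits (a false positive).
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indices(pkt))

    def fill_ratio(self) -> float:
        return sum(bin(b).count("1") for b in self.bits) / self.size


def traceback(routers: dict, pkt: Packet) -> list:
    """Names of the routers whose digest tables may have carried pkt."""
    return [name for name, table in routers.items() if table.may_have_seen(pkt)]


def false_positive_rate(n: int, m: int, recorded: int, probes: int) -> float:
    """Fraction of never-seen packets wrongly reported after `recorded` packets."""
    table = DigestTable(n, m)
    for i in range(recorded):
        table.record(Packet("10.0.0.%d" % (i % 250), "203.0.113.9", 6,
                            i.to_bytes(8, "big")))
    hits = sum(table.may_have_seen(
        Packet("192.0.2.%d" % (j % 250), "203.0.113.9", 17, b"probe%03d" % j))
        for j in range(probes))
    return hits / probes


if __name__ == "__main__":
    # Constructed path: the packet crossed r1 and r2 but never reached r3.
    routers = {name: DigestTable(16, 3) for name in ("r1", "r2", "r3")}
    attack = Packet("198.51.100.7", "203.0.113.9", 6, b"GET / HTTP/1.1")
    routers["r1"].record(attack)
    routers["r2"].record(attack)
    print("attack path:", traceback(routers, attack))        # ['r1', 'r2']
    # A small n fills the table quickly, so selectivity degrades (see text).
    print("false positives, n=8 :", false_positive_rate(8, 3, 200, 200))
    print("false positives, n=20:", false_positive_rate(20, 3, 200, 200))
```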

    Another known take on the router-based schemes comes from Hazeyama et al. In their approach, they wish to integrate the SPIE approach as outlined by Snoeren [7] with their approach of recording the layer 2 link-id along with the network ID (VLAN or true ID), the MAC address of the layer 2 switch that received the packet and the link id it came in on. This information is then put into two look-up tables, both containing the switch (layer 2 router) MAC id for look-up. They rely on the MAC:port tuple as a method of tracing a packet back (even if the MAC address has been spoofed). [8]

    To help mitigate the problem of storage limitations they use Snoeren's hashing approach and implementation (SPIE), modifying it to accept their information for hashing. They admit their algorithm is slow (O(N^2)) and, with only 3.3 million packet hashes being stored, the approximate time before the digest tables are invalid is 1 minute. This dictates that any attack response must be real-time, a possibility only on single-administrative LAN domains. [8]

    Other approaches

    Burch and Cheswick propose a controlled flooding of links to determine how this flooding affects the attack stream. Flooding a link will cause all packets, including packets from the attacker, to be dropped with the same probability. We can conclude from this that if a given link were flooded, and packets from the attacker slowed, then this link must be part of the attack path. Then recursively upstream routers are coerced into performing this test until the attack path is discovered. [9]

    The traceback problem is complicated because of spoofed packets. Thus, a related effort is targeted towards preventing spoofed packets, known as ingress filtering. Ingress filtering restricts spoofed packets at ingress points to the network by tracking the set of legitimate source networks that can use this router.

    Park and Lee present an extension of ingress filtering at layer 3. They present a means of detecting false packets, at least to the subnet, by essentially making use of existing OSPF routing state to have routers make intelligent decisions about whether or not a packet should be routed.

    In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.

    Applications of IP Spoofing

    IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose: they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

    IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.

    Services vulnerable to IP spoofing

    Configuration and services that are vulnerable to IP spoofing:

    - RPC (Remote Procedure Call services)
    - Any service that uses IP address authentication
    - The X Window System
    - The R services suite (rlogin, rsh, etc.)

    Network ingress filtering is a packet filtering technique used by many Internet service providers to try to prevent source address spoofing of Internet traffic, and thus indirectly combat various types of net abuse by making Internet traffic traceable to its source.
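    Ingress filtering, as introduced under "Other approaches" above and in this paragraph, as an added example that is not code from the notes or from any cited paper: a simulated provider edge router accepts a packet on a customer link only if its source lies in that customer's assigned prefixes, and additionally applies a route-based check in the spirit of Park and Lee, rejecting on a transit link any source that the router's own table would route to a customer. Interface names, prefixes, the abbreviated bogon list and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Abbreviated bogon list: addresses that can never be a legitimate Internet
# source, so packets carrying them are dropped before any routing lookup.
BOGONS = [Net(p) for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                           "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
                           "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str    # interface the packet arrived on


class EdgeRouter:
    def __init__(self, routes: dict, customer_ifaces: set) -> None:
        # routes maps a prefix to the interface the router forwards it out of;
        # the longest prefix wins, as in a real forwarding table.
        self.routes = sorted(((Net(p), i) for p, i in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.customer_ifaces = customer_ifaces

    def lookup(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def ingress_verdict(self, pkt: Packet) -> str:
        src = ipaddress.IPv4Address(pkt.src)
        if any(src in b for b in BOGONS):
            return "drop: bogon source"
        expected = self.lookup(src)
        if pkt.iface in self.customer_ifaces and expected != pkt.iface:
            # Strict check on customer links: the source must be one of the
            # prefixes assigned to that customer. A flood with a randomized
            # 32-bit source field almost never passes this test.
            return "drop: source not assigned to " + pkt.iface
        if pkt.iface not in self.customer_ifaces and expected in self.customer_ifaces:
            # Route-based check on transit links: a packet claiming to come
            # from one of our own customers cannot arrive from the outside.
            return "drop: customer address arriving from outside"
        return "forward"


def filter_traffic(router: EdgeRouter, packets: list) -> dict:
    """Count verdicts over a batch of packets; useful as a spoofing metric."""
    counts = {}
    for pkt in packets:
        verdict = router.ingress_verdict(pkt)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    router = EdgeRouter({"203.0.113.0/24": "cust0", "198.51.100.0/24": "cust1",
                         "0.0.0.0/0": "upstream"}, {"cust0", "cust1"})
    sample = [                                                # constructed packets
        Packet("203.0.113.5", "192.0.2.1", "cust0"),          # genuine customer traffic
        Packet("192.0.2.44", "203.0.113.5", "cust0"),         # spoofed, random source
        Packet("198.51.100.9", "192.0.2.1", "cust0"),         # one customer spoofing another
        Packet("10.1.2.3", "192.0.2.1", "cust0"),             # bogon source
        Packet("203.0.113.5", "203.0.113.7", "upstream"),     # our address from outside
        Packet("192.0.2.44", "203.0.113.5", "upstream"),      # legitimate inbound
    ]
    for pkt in sample:
        print(pkt.iface, pkt.src, "->", router.ingress_verdict(pkt))
    print(filter_traffic(router, sample))
```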

    Routing Information Protocol (RIP)

    RIP is a dynamic, distance vector routing protocol based around the Berkeley BSD application routed and was developed for smaller IP-based networks. RIP uses UDP port 520 for route updates. RIP calculates the best route based on hop count. Like all distance vector routing protocols, RIP takes some time to converge. While RIP requires less CPU power and RAM than some other routing protocols, RIP does have some limitations:

    Metric: Hop Count

    Since RIP calculates the best route to a destination based solely on how many hops it is to the destination network, RIP tends to be inefficient in networks using more than one LAN protocol, such as Fast Ethernet and serial or Token Ring. This is because RIP prefers paths with the shortest hop count. The path with the shortest hop count might be over the slowest link in the network.

    Hop Count Limit

    RIP cannot handle more than 15 hops. Anything more than 15 hops away is considered unreachable by RIP. This fact is used by RIP to prevent routing loops.

    Classful Routing Only

    RIP is a classful routing protocol. RIP cannot handle classless routing. RIP v1 advertises all networks it knows as classful networks, so it is impossible to subnet a network properly via VLSM if you are running RIP v1, which

    However, it must be pointed out that RIP is the only routing protocol that all routing devices and software support, so in a mixed equipment environment, RIP may be your only option for dynamic routing. This is changing with the widespread use of OSPF.

    RIP MESSAGES

    RIP updates are placed as UDP payload inside an IP datagram. Below is the base format of a RIP message (each row is one 32-bit word; field widths in bytes):

        command (1) | version (1) | zeroes (2)
        Address Family ID (2)     | zeroes (2)
        IP Address (4)
        zeroes (4)
        zeroes (4)
        Metric (4)
        Payload...

    COMMAND types (field value)

    - REQUEST (1) - Request either a partial or full table update from another RIP router.
    - RESPONSE (2) - A response to a request. All route updates use this command in the command field.
    - TRACEON (3) / TRACEOFF (4) - Obsolete and ignored.
    - RESERVED (5) - Sun Microsystems uses this field for its own purposes.

    VERSION field - Describes which version of the RIP protocol it is (1 or 2).

    ADDRESS FAMILY ID - Identifies which addressing protocol is being used (CLNS, IPX, IP etc.)

    METRIC - Metric measures how 'good' a route is. RIP uses the number of hops as the metric. The route with the fewest number of hops is preferred.
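    A parser for the message layout and command values described above, plus the checks a receiver should make before trusting an update (command and version known, RESPONSE sent from UDP port 520, metric within 1 to 16), as an added example that is not code from the notes. The sample datagrams are constructed in the block; the builder exists only to produce them.

```python
import struct
from dataclasses import dataclass

RIP_PORT = 520
COMMANDS = {1: "REQUEST", 2: "RESPONSE", 3: "TRACEON", 4: "TRACEOFF", 5: "RESERVED"}
AF_INET = 2          # Address Family ID value for IP
INFINITY = 16        # hop count that means "unreachable" (the 15-hop limit)


@dataclass(frozen=True)
class Route:
    family: int
    address: str
    metric: int


@dataclass(frozen=True)
class RipMessage:
    command: int
    version: int
    routes: tuple


def parse_rip(data: bytes) -> RipMessage:
    """Parse the 4-byte header and the 20-byte route entries that follow it."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("bad RIP message length %d" % len(data))
    command, version, _zero = struct.unpack("!BBH", data[:4])
    routes = []
    for off in range(4, len(data), 20):
        # Entry layout: AFI(2) zeroes(2) IP(4) zeroes(4) zeroes(4) metric(4)
        family, _, ip, _, _, metric = struct.unpack("!HH4sIII", data[off:off + 20])
        routes.append(Route(family, ".".join(str(b) for b in ip), metric))
    return RipMessage(command, version, tuple(routes))


def build_rip(command: int, version: int, routes: list) -> bytes:
    """Inverse of parse_rip; used here only to construct sample datagrams."""
    out = struct.pack("!BBH", command, version, 0)
    for family, addr, metric in routes:
        ip = bytes(int(octet) for octet in addr.split("."))
        out += struct.pack("!HH4sIII", family, 0, ip, 0, 0, metric)
    return out


def validate(msg: RipMessage, src_port: int) -> list:
    """Reasons to discard the message; an empty list means it may be processed."""
    problems = []
    if msg.command not in (1, 2):
        problems.append("command %d (%s) is obsolete or reserved"
                        % (msg.command, COMMANDS.get(msg.command, "unknown")))
    if msg.version not in (1, 2):
        problems.append("unknown version %d" % msg.version)
    if msg.command == 2 and src_port != RIP_PORT:
        # A RESPONSE not sent from port 520 did not come from a RIP process.
        problems.append("response not from UDP port %d" % RIP_PORT)
    for r in msg.routes:
        if r.family != AF_INET:
            problems.append("unsupported address family %d" % r.family)
        if not 1 <= r.metric <= INFINITY:
            problems.append("metric %d for %s outside 1..%d"
                            % (r.metric, r.address, INFINITY))
    return problems


if __name__ == "__main__":
    # Constructed RESPONSE (command 2, version 1): one live route, one withdrawn.
    good = build_rip(2, 1, [(AF_INET, "192.168.43.0", 1), (AF_INET, "10.0.0.0", INFINITY)])
    msg = parse_rip(good)
    print(msg.routes)
    print("from 520 :", validate(msg, RIP_PORT) or "ok")
    print("from 4444:", validate(msg, 4444))
    # Constructed malformed update: reserved command and an impossible metric.
    bad = parse_rip(build_rip(5, 1, [(AF_INET, "172.16.0.0", 0)]))
    print("malformed:", validate(bad, RIP_PORT))
```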

    RIP ROUTING UPDATES

    Routers running IP RIP broadcast the full list of all the routes they know every 30 seconds. When a router running RIP hears a broadcast it runs the distance vector algorithm to create a list of best routes.

    RIP TIMERS

    TIMER      DEFAULT   CONTROLS
    Update     30 sec.   Interval between route update advertisements
    Hold-Down  90 sec.   Period a route is withdrawn from the table to prevent a routing loop.
    Timeout    180 sec.  Interval a route should stay 'live' in the routing table. This counter is reset every time the router hears an update for this route.
    Flush      120 sec.  How long to wait to delete a route after it has timed out.

    The routing-update timer controls the time between routing updates. The default is usually 30 seconds, plus a small random delay to prevent all RIP routers from sending updates simultaneously. The route-timeout timer controls when a route is no longer available. The default is usually 180 seconds. If a router has not seen the route in an update during this specified interval, it is dropped from the router's announcements. The route is maintained long enough for the router to advertise the route as down (hop count of 16). The route-flush timer controls how long before a route is completely flushed from the routing table. The default setting is usually 120 seconds.

    CISCO ROUTERS - Configuring RIP

    Configuring a Cisco router for RIP requires a series of configuration steps. First you must turn on the RIP routing protocol, then you must identify the network that will be advertised and which interfaces will advertise it with the network statement.

    BASIC RIP CONFIGURATION (Cisco)

    According to the recollection of InetDaemon, configuring a Cisco router for a basic RIP configuration would look something like this:

        router> enable
        Password:
        router# conf t
        router(config)# interface ethernet 0
        router(config-if)# ip address 192.168.42.1 255.255.255.0
        router(config-if)# interface ethernet 1
        router(config-if)# ip address 192.168.43.1 255.255.255.0
        router(config-if)# exit
        router(config)# router rip
        router(config-router)# network 192.168.42.0
        router(config-router)# network 192.168.43.0
        router(config-router)# exit
        router(config)# ^z
        router#

    The example above assumes that the interfaces that will be running RIP have IP addresses on them that fall within the 204.191.42.0, and 204.191.43.0 class C ranges.

    - How switches and routers interconnect using equipment from multiple vendors
    - IP addressing and how to create subnets
    - How TCP/IP works and how to configure it on various devices
    - Capture and view network traffic using a protocol analyzer
    - Wireless network options available
    - Basic security and firewall issues
    - How Ethernet works and how all of the various forms can be connected
    - Basics of layered network protocols
    - Difference between logical and physical network segments
    - Install Cat 5e UTP and fiber optic cables
    - How VLANs function
    - When and how to use NAT
    - Function of various routing protocols such as RIP, IGRP, and OSPF
    - An overview of WAN technologies
    - Functions of NetBIOS and NetBEUI
    - Benefits and issues of Instant Messaging

    - Basic components and characteristics of a network
    - Host-to-network and network-to-network connections
    - LAN wiring components and conventions
    - Differentiate between wired networking devices
    - How to configure your workstation, switch, and router
    - TCP/IP communications protocols basics
    - Practical overview of IP subnetting and how it works
    - Wireless networking components
    - Common security threats and mitigation techniques
    - Securing systems and network devices
    - Controlling access to the network
    - Monitoring network resources
    - Troubleshooting the network
    - Operations Security
    - Access Control
    - Cryptography
    - Security Architecture and Design
    - Telecommunications and Network Security
    - Disaster Recovery and Business Continuity Planning
    - Legal, Regulations, Compliance, and Investigations
    - Application Security
    - Information Security and Risk Management
    - Physical (Environmental) Security
    - Develop a comprehensive network security policy to counter threats against information security
    - Configure routers with Cisco IOS Software security features
    - Configure a Cisco IOS zone-based firewall to perform basic security operations on a network
    - Configure site-to-site VPNs using Cisco IOS features
    - Configure IPS on Cisco network routers
    - Configure security features on IOS switches to mitigate various Layer 2 attacks
    - Review how to configure and troubleshoot a switch and router in a small network environment
    - Expand the switched network from a small to medium network environment
    - Dangers of redundant switching
    - Spanning Tree
    - Concepts of VLANs and trunking
    - Implementing VLSM
    - Configure, verify, and troubleshoot OSPF and EIGRP
    - When to use access control lists (ACLs)
    - Configure, verify, and troubleshoot ACLs
    - Configure NAT and PAT
    - IPv6 addressing
    - Configure PPP, CHAP, and PAP
    - Frame Relay operation
    - VPN solutions
    - How networks function
    - Network components and their functions
    - Open Systems Interconnection (OSI) reference model
    - Binary, decimal, and hexadecimal numbering
    - Switching operations and theory
    - Host-to-Host packet delivery process
    - TCP/IP network addressing and routing
    - IP subnetting
    - Providing Local Area Network (LAN), Wide Area Network (WAN), and remote access services
    - Advanced network theory, including Virtual Private Networks (VPN), Content Delivery Networks (CDN), Intranets and extranets, and wireless networking
    - Introduction to Cisco Internet Operating System (IOS)
    - Initial configuration of Cisco Catalyst Switches and Routers
    - Network discovery and management using Cisco Discovery Protocol (CDP), telnet, and Trivial FTP (TFTP)

    http://ibmtvdemo.edgesuite.net/software/rational/demos/hacking101/webcast.wmv