
An Adaptive Approach Combining Aggressive Aging and IPSec to Combat Against DDoS Attack in Networks

Mr. Mohammed Bilal
Electronics and Communication Engineering Dept.
Sri Bhagawan Mahaveer Jain College of Engineering, Bangalore, India
[email protected]

Mr. Palivela Hemant
Computer Science and Engineering Dept.
East West Institute of Technology, Bangalore, India
[email protected]

Abstract

The major threat to the availability of resources in distributed networks is Distributed Denial-of-Service (DDoS). The variety and number of both attacks and defense approaches are overwhelming. An overview of the DDoS problem, the attacker's modus operandi, a classification of DDoS attacks, defense mechanisms and open challenges are presented. For a better understanding of the problem, the latest solutions and future scope are provided. Prevention, detection, tracing, tolerance and mitigation approaches to the DDoS problem are revisited and an integrated comprehensive solution is proposed.

Keywords: Distributed Denial-of-Service, Internet Security, Attack Taxonomy, Integrated Approach.

1. Introduction

The traditional intent and impact of DDoS attacks is to prevent or impair the legitimate use of computer or network resources. Regardless of the diligence, effort, and resources spent securing against intrusion, Internet-connected systems face a consistent and real threat from DDoS attacks. Recently, these attacks have been used to deny service to commercial web sites that rely on a constant Internet presence for their business. The attacks differ from traditional DDoS attacks in their targeted nature and the sheer number of attacking hosts. Even hardened Internet companies such as the SCO Group and Microsoft are not immune to attack, and historically high-profile e-tailers such as eBay have had their services disrupted. A Denial of Service (DoS) attack can be characterized as an attack with the purpose of preventing legitimate users from using a victim computing system or network resource [1]. A Distributed Denial of Service (DDoS) attack is a large-scale, coordinated attack on the availability of services of a victim system or network resource, launched indirectly through many compromised computers on the Internet. The services under attack are those of the "primary victim", while the compromised systems used to launch the attack are often called the "secondary victims". The use of secondary victims in performing a DDoS attack provides the attacker with the ability to wage a much larger and more disruptive attack, while making it more difficult to track down the original attacker.

Recent reports from the NHTCU have warned of DDoS attacks that use SYN flooding and SMTP flooding to saturate the bandwidth of targeted sites. Although these are by no means the only attack vectors, they will be the main focus of this paper, as they pose the greatest threat to the availability of business sites. SYN flood attacks exploit a feature of TCP connection establishment by making seemingly legitimate connection requests and then discarding the responses. This results in the attacked server responding to requests and waiting for connections to complete that never do. The server wastes resources on maintaining these non-existent connections, and the bandwidth suffers as a result of the high volume of traffic generated by the initial requests and server responses. It is believed that SMTP attacks simply send a high volume of e-mails to the targeted server, thereby overwhelming both the server and the available bandwidth. Both types of attack effectively deny service to legitimate users by reducing the performance of the site to make it unusable, or by causing it to fail altogether. Douligeris et al. [2], Chen et al. [3], and Mirkovic et al. [4] have reviewed various DDoS attacks and defense methods.

The remainder of this paper is organized as follows. Section 2 gives an overview of DDoS. Section 3 discusses a taxonomy of DDoS countermeasures. Section 4 proposes an integrated approach to the DDoS problem. The last section concludes the paper.

2. DDoS Attack Networks

Figure 1 shows two main types of DDoS attack networks: the Agent-Handler model and the Internet Relay Chat (IRC-Based) model.

2.1 Agent-Handler Model

An Agent-Handler DDoS attack network consists of clients, handlers, and agents (see Figure 2). The client platform is where the attacker communicates with the rest of the DDoS attack network. The handlers are software packages located on computing systems throughout the Internet that the attacker uses to communicate indirectly with the agents. The agent software exists in compromised systems that will eventually carry out the attack on the victim system. The attacker communicates with any number of handlers to identify which agents are up and running, when to schedule attacks, or when to upgrade agents. Depending on how the attacker configures the DDoS attack network, agents can be instructed to communicate with a single handler or with multiple handlers. Usually, attackers will try to place the handler software on a compromised router or network server that handles large volumes of traffic. This makes it harder to identify messages between the client and handler and between the handler and agents. The communication between attacker and handler and between the handler and agents can be via TCP, UDP, or ICMP. The owners and users of the agent systems typically have no knowledge that their system has been compromised and will be taking part in a DDoS attack. When participating in a DDoS attack, each agent program uses only a small amount of resources (both in memory and bandwidth), so that the users of these computers experience minimal change in performance.

In descriptions of DDoS tools, the terms handler and agent are sometimes replaced with master and daemon respectively. Also, the systems that have been violated to run the agent software are referred to as the secondary victims, while the target of the DDoS attack is called the (primary) victim.

[Figure 1: DDoS Attack Network. Tree of models: Agent-Handler (Client-Handler Communication: TCP/UDP/ICMP; Agent-Handler Communication: TCP/UDP/ICMP) and IRC-Based (Secret/Private Channel; Public Channel).]

[Figure 2: DDoS Agent-Handler Attack Model. Attacker (client) communicates with handlers (H), each handler controls agents (A), and the agents attack the victim.]

[Figure 3: DDoS IRC-Based Attack Model. Attacker (client) communicates through the IRC network with agents (A), which attack the victim.]

2.2 IRC-Based DDoS Attack Model

Internet Relay Chat (IRC) is a multi-user, on-line chatting system. It allows computer users to create two-party or multi-party interconnections and type messages in real time to each other [5]. The IRC network architecture consists of IRC servers that are located throughout the Internet with channels to communicate with each other across the Internet. IRC chat networks allow their users to create public, secret, and private channels. Public channels are channels where multiple users can chat and share messages and files. Public channels allow users of the channel to see all the IRC names and messages of users in the channel [6]. Private and secret channels are set up by users to communicate with only other designated users. Both private and secret channels protect the names and messages of users that are logged on from users who do not have access to the channel [7]. Although the content of private channels is hidden, certain channel locator commands will allow users not on the channel to identify its existence, whereas secret channels are much harder to locate unless the user is a member of the channel.

The IRC-based DDoS attack architecture is similar to the Agent-Handler DDoS attack model except that, instead of using a handler program installed on a network server, an IRC communication channel is used to connect the client to the agents. By making use of an IRC channel, attackers using this type of DDoS attack architecture have additional benefits. For example, attackers can use "legitimate" IRC ports for sending commands to the agents [8]. This makes tracking the DDoS command packets much more difficult. Additionally, IRC servers tend to have large volumes of traffic, making it easier for the attacker to hide his presence from a network administrator. Another advantage is that the attacker no longer needs to maintain a list of all of the agents, since he can simply log on to the IRC server and see a list of all available agents [9]. The agent software installed in the IRC network usually communicates to the IRC channel and notifies the attacker when the agent is up and running. IRC networks also provide the added benefit of easy file sharing. This makes it easier for attackers to secure secondary victims to participate in their attacks.

In the IRC-based DDoS attack architecture, the agents are often referred to as "Zombie Bots" or "Bots". In both IRC-based and Agent-Handler DDoS attack models, we will refer to the agents as "secondary victims" or "zombies".

3. Taxonomy of DDoS Countermeasures

There are a number of proposals and partial solutions available today for mitigating the effects of a DDoS attack. Many of these solutions and ideas assist in preventing certain aspects of a DDoS attack. However, there is no comprehensive solution to protect against all known forms of DDoS attacks. Also, many derivative DDoS attacks are continually being developed by attackers to bypass each new countermeasure employed. More research is needed to develop more effective and encompassing countermeasures and solutions. The purpose of this paper is to assist in understanding the nature and scope of DDoS attack networks, attack techniques, and software attack tools, to aid in developing better preventive, defensive and forensic methods. We propose a preliminary taxonomy of DDoS Countermeasures in Figure 4.

[Figure 4: DDoS Countermeasures. Taxonomy nodes shown: Detect/Prevent Secondary Victims (Individual Users: Install Software Patches, Built-in Defenses; Network Service Providers: Dynamic Pricing); Detect and Neutralize Handlers; Detect/Prevent Potential Attacks (Egress Filtering, MIB Statistics); Mitigate/Stop Attacks (Load Balancing, Throttling, Drop Requests); Deflect Attacks (Honeypots: Shadow Real Network Resources, Study Attack); Post-Attack Forensics (Traffic Pattern Analysis, Packet Traceback, Event Logs).]

There are three essential components to DDoS countermeasures. There is the component for preventing the DDoS attack, which includes preventing secondary victims and detecting and neutralizing handlers. There is the component for dealing with a DDoS attack while it is in progress, including detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack. Lastly, there is the post-attack component, which involves network forensics.

3.1 Prevent Secondary Victims

Individual Users:

One of the best methods to prevent DDoS attacks is for the secondary victim systems to prevent themselves from participating in the attack. This requires a heightened awareness of security issues and prevention techniques from all Internet users. If attackers are unable to break into and make use of secondary victim systems, then the attackers will have no "DDoS attack network" from which to launch their DDoS attacks.

In order for secondary victims not to become infected with the DDoS agent software, users of these systems must continually monitor their own security. They must check to make sure that no agent programs have been installed on their systems and that they are not sending DDoS agent traffic into the network. Because the Internet is so decentralized, and because there are so many different hardware and software platforms, it is quite difficult for typical users to implement the right protective measures. Typically this would include installing anti-virus and anti-Trojan software and keeping these up to date. Also, all software patches for discovered vulnerabilities must be installed.

Since these tasks can be viewed as daunting for the average "web-surfer", recent work has proposed built-in mechanisms in the core hardware and software of computing systems that can provide defenses against malicious code insertion, for example through exploiting buffer overflow vulnerabilities [10].

4. Discussion and proposed system

Many techniques have been introduced to prevent DDoS, but there is no technique available which works effectively in differentiating between an attacker and a legitimate user of the site. The methods currently being employed disrupt connectivity for the majority of the users of a web server: service is denied to both the users and the attackers.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user-defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections until memory consumption or connections capacity decreases back to the desired level.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the eligible-for-deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no eligible-for-deletion connections, no connections are deleted at that time, but the list is checked again after each subsequent connection that exceeds the threshold.

With aggressive aging, rather than disallowing new connections when the state table is full, a stateful firewall has the capability of aggressively timing out its oldest entries to make room for new connections. In theory, the oldest connections are those least likely to resurface, so they should not take priority over new connections. Established connections, on the other hand, should have the greatest priority of all, above embryonic connections, since they have the highest likelihood of legitimacy.

Aggressive Aging gives the firewall the capability of aggressively aging out sessions to make room for new sessions, thereby protecting the firewall session database from filling. The firewall protects its resources by removing idle sessions (sessions that have been idle for a period of time). Aggressive Aging allows firewall sessions to exist for a shorter period of time, defined by a timer called the aging-out time. The Aggressive Aging feature includes thresholds that define the start and end of the aggressive aging period: the high and low watermarks. The aggressive aging period starts when the session table crosses the high watermark and ends when it falls below the low watermark. During the aggressive aging period, sessions exist only for the shorter aging-out time you have configured.

[Figure 5: session table occupancy over time, phases (1) to (4)]

In step (1), as new entries are added to the session table, it will eventually fill up to capacity if enough old entries have not timed out. For the amount of time between phases (2) and (3), all new connections are dropped because the firewall is unable to service new requests when the session table is full. The number of connections dropped can be calculated by multiplying that time by the rate at which new connections are arriving (20 * m). This is a far cry from the optimal scenario.

If aggressive aging were enabled on this firewall with an enable watermark of Y (1), old entries could begin to be aggressively timed out until the disable watermark was reached at Y (4). At this point, all would return to normal and aggressive aging would be disabled until needed once again.

Internet Protocol Security (IPSec) provides application-transparent encryption services for IP network traffic. IPSec provides secure gateway-to-gateway connections across outsourced private wide area network (WAN) or Internet-based connections using L2TP/IPSec tunnels or pure IPSec tunnel mode. Once the peer computers have authenticated each other, they generate bulk encryption keys for the purpose of encrypting application data packets. These keys are known only to the two computers, so their data is very well protected against modification or interpretation by attackers who may be in the network.

We propose a scheme wherein the web server can be kept available to normal users by using the combination of IPSec and Aggressive Aging. As we know, DDoS slowly eats up resources without being noticed. These disruptive or degrading attack flows often lead to complete shutdowns of Internet resources, or at least cause performance degradation.

In the proposed model, the web server continuously monitors its resource consumption. Whenever the resource consumption level reaches 60% of normal usage, the server enters DDoS prevention mode. In DDoS prevention mode all existing valid connections are secured by IPSec. IPSec is a set of protocols that can be used to establish cryptographic keys and other relevant parameters between a pair of hosts, and then protect (encrypt and authenticate) the traffic between them. Aggressive aging is initiated in the firewall, which gives it the capability of aggressively aging out sessions to make room for new sessions, thereby protecting the firewall session database from filling.

[Figure 6: proposed system
Server: If (resources < 60%) { Initiate IPSec; Initiate Aggressive aging }
Firewall: If (Aggressive aging = 1) { Delete Connection }]
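As an added illustration (not code from the paper), the following Python simulation of a firewall session table implements the aggressive aging rules described in this section: sessions idle past an aggressive timeout become eligible for deletion, the aggressive aging period switches on at a high watermark and off at a low watermark, and each new connection during that period evicts up to ten eligible sessions, embryonic ones before established ones. The timeouts, watermarks, table capacity and traffic mix are constructed values chosen for the demonstration; only the ten-per-connection rule is taken from the text.

```python
from dataclasses import dataclass, field

# Tunables for the constructed scenario; only EVICT_PER_NEW is taken from the paper.
AGGRESSIVE_TIMEOUT = 3.0   # idle seconds before a session is "eligible for deletion"
NORMAL_TIMEOUT = 60.0      # idle seconds before a session expires in normal mode
HIGH_WATERMARK = 0.80      # table fill fraction that starts the aggressive aging period
LOW_WATERMARK = 0.60       # table fill fraction that ends it
EVICT_PER_NEW = 10         # eligible sessions deleted per new connection over threshold

@dataclass
class Session:
    key: tuple           # (src_ip, src_port, dst_ip, dst_port, proto)
    last_seen: float
    established: bool    # False while the TCP handshake is half-open (embryonic)

@dataclass
class SessionTable:
    capacity: int
    aging_enabled: bool = True
    sessions: dict = field(default_factory=dict)
    aggressive: bool = False   # True between crossing the high and the low watermark
    evicted: int = 0
    refused: int = 0

    def _eligible(self, now):
        # Idle past the aggressive timeout; embryonic first, then longest idle first,
        # so established sessions (most likely legitimate) are aged out last.
        cands = [s for s in self.sessions.values()
                 if now - s.last_seen > AGGRESSIVE_TIMEOUT]
        cands.sort(key=lambda s: (s.established, s.last_seen))
        return cands

    def new_connection(self, key, now):
        """Admit a half-open session; returns False if the table had to refuse it."""
        for k in [k for k, s in self.sessions.items()
                  if now - s.last_seen > NORMAL_TIMEOUT]:
            del self.sessions[k]              # ordinary idle timeout, always applies
        if self.aging_enabled and len(self.sessions) >= HIGH_WATERMARK * self.capacity:
            self.aggressive = True
        if self.aggressive:
            for s in self._eligible(now)[:EVICT_PER_NEW]:
                del self.sessions[s.key]
                self.evicted += 1
            if len(self.sessions) < LOW_WATERMARK * self.capacity:
                self.aggressive = False       # back below the low watermark
        if len(self.sessions) >= self.capacity:
            self.refused += 1                 # full and nothing eligible: drop request
            return False
        self.sessions[key] = Session(key, now, established=False)
        return True

    def activity(self, key, now, established=True):
        """Refresh a session on traffic; a completed handshake marks it established."""
        s = self.sessions.get(key)
        if s is not None:
            s.last_seen, s.established = now, established

LEGIT = ("203.0.113.5", 40000, "192.0.2.10", 80, "tcp")   # constructed client

def simulate(capacity=100, flood_rate=20, seconds=30, aging_enabled=True):
    """Constructed SYN-flood run: one legitimate client stays active every second
    while flood_rate half-open connections per second arrive and never complete."""
    table = SessionTable(capacity, aging_enabled)
    table.new_connection(LEGIT, 0.0)
    table.activity(LEGIT, 0.0)
    for t in range(1, seconds + 1):
        table.activity(LEGIT, float(t))
        for i in range(flood_rate):
            n = t * flood_rate + i
            src = (f"198.51.100.{n % 254 + 1}", 10000 + n, "192.0.2.10", 80, "tcp")
            table.new_connection(src, float(t))   # never followed by activity()
    return table
```

Compare `simulate().refused` with `simulate(aging_enabled=False).refused`: without aging the table fills during the flood and every later request is refused, with aging the half-open entries are evicted and the established client's session survives.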

Conclusion:

An overview of the DDoS problem, a classification of DDoS attacks, defense principles and challenges are presented in this paper. Potential research issues are also highlighted. We propose a level 1 integrated approach to combat the DDoS menace.

References:

[1] David Karig and Ruby Lee, "Remote Denial of Service Attacks and Countermeasures," Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
[2] C. Douligeris and A. Mitrokotsa, "DDoS attacks and defense mechanisms: classification and state-of-the-art," Computer Networks, 2004, pp. 643–666.
[3] Li-Chiou Chen, Thomas A. Longstaff, and Kathleen M. Carley, "Characterization of defense mechanisms against distributed denial of service attacks," Computers & Security 23, 2004, pp. 665–678.
[4] J. Mirkovic and P. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms," ACM SIGCOMM Computer Communications Review, Volume 34, Number 2, April 2004.
[5] Joseph Lo and others, "An IRC Tutorial," irchelp.com, 1997. www.irchelp.org/irchelp/irctutorial.html#part1 (8 April 2003).
[6] Nicolas Pioch, "A Short IRC Primer," Edition 1.2, January 1997. http://www.irchelp.org/irchelp/ircprimer.html#DDC (21 April 2003).
[7] Karl Kleinpaste, Mauri Haikola, and Carlo Kid, "The Original IRC Manual," March 18, 1997. http://www.user-com.undernet.org/documents/irc-manual.html#seen (21 April 2003).
[8] Kevin J. Houle, "Trends in Denial of Service Attack Technology," CERT Coordination Center, Carnegie Mellon Software Engineering Institute, October 2001. www.nanog.org/mtg-0110/ppt/houle.ppt (14 March 2003).
[9] David Mankins, Rajesh Krishnan, Ceilyn Boyd, John Zao, and Michael Frentz, "Mitigating Distributed Denial of Service Attacks with Dynamic Resource Pricing," Computer Security Applications Conference, 2001. ACSAC 2001 Proceedings, 17th Annual, pp. 411–421, 2001.
[10] Ruby Lee, David Karig, Patrick McGregor and Zhijie Shi, "Enlisting Hardware Architecture to Thwart Malicious Code Injection," Proceedings of the International Conference on Security in Pervasive Computing (SPC-2003), pp. N/A, March 2003.