Distributed Denial


  • 7/31/2019 Distributed Denial

    Distributed denial-of-service attack (DDoS)

    Around the world, hundreds of millions of computing devices are connected to form a new virtual world, the Internet. The world of the Internet relies on the interconnectivity between computing devices; this interconnectivity is a blessing on the one side, but on the other side it is a hot target for malicious users who attempt to exhaust resources and launch attacks against those devices.

    In a DoS attack, a malicious attempt is made to prevent legitimate users from accessing information and services from the victim sites or nodes. DoS attacks originate from a single host on the network.

    On the other hand, it is also feasible that many malicious hosts organize so that the attack takes place simultaneously from multiple points. This type of attack is called a Distributed DoS, or DDoS, attack.

    A Short History of DDoS

    According to a number of experts, the denial-of-service attack has been around for decades, whereas Distributed DoS attacks first appeared in late June and early July of 1999.

    The first well-documented DDoS attack appears to have occurred in August 1999, when a DDoS tool called Trinoo was deployed on at least 227 systems, of which at least 114 were on Internet2, to flood a single University of Minnesota computer; this system was knocked off the air for more than two days. The first well-publicized DDoS attack in the public press was in February 2000. On February 7, Yahoo! was the victim of a DDoS during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com, CNN, and eBay were all hit by DDoS attacks that caused them either to stop functioning completely or to slow down significantly. Analysts estimated that during the three hours Yahoo was down, it suffered a loss of e-commerce and advertising revenue that amounted to about $500,000. According to bookseller Amazon.com, its widely publicized attack resulted in a loss of $600,000 during the 10 hours it was down. During the DDoS attacks, Buy.com went from 100% availability to 9.4%, while CNN.com's users went down to below 5% of normal volume. The downtime loss was huge [1].

    How a Distributed denial-of-service attack (DDoS) works.

    A computer under the command of malicious users is known as a zombie or bot. A group of co-opted computers is known as a botnet or a zombie army.

    In a typical DDoS attack, malicious users establish an attack by taking advantage of a weakness in one computer system on the network and making it the DDoS master. It is from the master system that the zombie identifies and communicates with other systems that can be compromised. The zombie loads cracking tools available on the Internet onto multiple, sometimes thousands of, compromised systems. With a single command, the zombie instructs the controlled machines to launch attacks against a specified target to cause a denial of service.

    In October 2010, a massive DDoS attack took the entire country of Myanmar offline.[2]

    On February 15, 2012, stock exchange operators Nasdaq and BATS saw their Web sites attacked for over 24 hours on Tuesday, blocking access to the sites although trading was not affected, a report said. Security watchers noted that such denial-of-service (DoS) attacks are "impossible" to prevent, though [3].


    Facebook, Twitter, Yahoo, Buy.com, the RIAA and the United States Copyright Office are among the victims of DDoS attacks.

    The largest DDoS attacks have now crossed the 40 gigabit barrier this year and may reach 100 gigabits soon. So if someone threatens to bring down a cloud system with a DDoS attack, the cloud operator may become worried. Preventing zombies from attacking the cloud infrastructure is the only realistic thing that staff, management and planners can plan for.

    Distributed denial-of-service attack (DDoS) and Cloud.

    Cloud computing is a combination of distributed systems, utility computing and grid computing. In cloud computing we use a combination of all three in a virtualized manner. Cloud computing converts desktop computing into service-based computing using server clusters and huge databases at the data center. As a general rule, as facilities increase, vulnerability also increases. The same applies in cloud computing: it provides facilities to consumers, and in the same way it provides facilities to attackers. There are more chances of attacks in cloud computing. As cloud computing mainly provides three types of service, each layer has some soft corners which invite attackers.

    Some of these soft corners are:

    (1) SaaS vulnerabilities
        (a) Insecure Application Programming Interface (API)
        (b) Account or service hacking
        (c) Attack on cloud firewall / attack on public firewall
        (d) Attack on consumer browser
        (e) Integrity, Confidentiality and Availability

    (2) PaaS vulnerabilities
        (a) Insecure Application Programming Interface (API)
        (b) Unknown risk profile (Heartland data breach)
        (c) Integrity, Confidentiality and Availability

    (3) IaaS vulnerabilities
        (a) Data leakage in virtual machines
        (b) Shared technology issues
        (c) Integrity, Confidentiality and Availability

    So among all these different vulnerabilities, Availability affects all three layers and is the most harmful.

    Since cloud computing security follows the idea of cloud computing, there are two main areas that security experts look at in a cloud system: VM (Virtual Machine) vulnerabilities and message availability between cloud systems.

    An intrusion detection system (IDS) is a practical solution to resist these kinds of attacks. However, if an IDS is deployed in each cloud computing region without any cooperation and communication between them, the IDS may easily suffer from a single-point-of-failure attack. Obviously, the abilities of intrusion detection and response are then decreased significantly, and the cloud environment cannot support services continually. Intrusion detection technique has become an essential feature of system defense. An intrusion detection system sets off alerts about detected intrusions so that a system administrator or the system itself may take appropriate action.

    In general, an IDS collects network traffic, analyzes it, and responds or alerts the network manager if an intrusion is taking place. Thus, the aim of the IDS is to alert or notify the system that some malicious activity has taken place and to try to eliminate it.

    According to the method of collecting intrusion data, all intrusion detection systems can be classified into two types: host-based and network-based IDSs. Host-based intrusion detection systems (HIDSs) analyze audit data collected by an operating system about the actions performed by users and applications, while network-based intrusion detection systems (NIDSs) analyze data collected from network packets.

    IDSs analyze one or more events obtained from the collected data. According to the analysis technique, IDSs are classified into two different kinds: misuse detection and anomaly detection. Misuse detection systems use signature patterns of existing well-known attacks on the system to match and identify known intrusions. Misuse detection techniques, in general, are not effective against the latest attacks that have no matching rules or patterns yet. Anomaly detection systems identify those activities which deviate significantly from the established normal behaviors as anomalies. These anomalies are most likely regarded as intrusions. Anomaly detection techniques can be effective against unknown or the latest attacks. However, anomaly detection systems tend to generate more false alarms than misuse detection systems, because an anomaly may be a new normal behavior or an ordinary activity.

    When an IDS detects an intrusion attempt, it should report to the system administrator. There are three ways to report the detection results [3]: notification, manual response, and automatic response. In a notification response system, the IDS only generates reports and alerts. In a manual response system, the IDS provides an additional capability for the system administrator to initiate a manual response. In an automatic response system, the IDS immediately responds to an intrusion through an auto-response system.

    References

    [1] Gary C. Kessler, Defenses Against Distributed Denial of Service Attacks, http://www.garykessler.net/library/ddos.html, November 2000.

    [2] http://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack (last updated November 2010).

    [3] Liau Yun Qing, ZDNet Asia, February 15, 2012.