
Distributed Denial of Service (DDOS) attacks

Caue Koisumi Cintra
Stevens Institute of Technology

Abstract
Distributed Denial of Service (DDOS) attacks are a deadly threat to the availability of Internet services and resources. DDOS attackers infect large numbers of computers by exploiting software vulnerabilities to set up botnets.
Then all these zombie computers are invoked to unleash a coordinated, large-scale attack against a victim's systems. As specific countermeasures are developed, attackers continue to enhance existing DDOS attack tools, developing new and derivative DDOS techniques and tools. Rather than always reacting to new attacks with specific countermeasures, it would be desirable to develop solutions that defend against known and future DDOS attack variants. However, this is hard to do, since it requires a thorough understanding of the scope and techniques used in DDOS attacks.
This paper attempts to categorize DDOS attack networks, to classify the different techniques used in a DDoS attack, and to describe the characteristics of tools used to perform DDOS. Given this understanding, it proposes classes of countermeasures that target the DDOS problem before, during and after an attack.

1. Introduction
The Internet was originally designed to link together a cooperative and collaborative community of researchers (LIPSON, 2002). Security was not a concern when the Internet was first conceived, because it was supposed to be a network for a small number of researchers to exchange knowledge; every user was trusted, which meant the network would always be secure.
With the evolution of the Internet, security issues started to occur, and in the 90s one of the many types of security attacks that were created was the DOS (Denial of Service). This attack is fairly simple and basically consists of an attempt to make a network resource unavailable to its real users. Later on this attack evolved into DDOS (Distributed Denial of Service), which is basically the same thing as DOS, but now the attack comes from several sources that can be spread all over the world. These attacks are executed for different kinds of reasons; the most common, though, are financial and political motives.
The current state of the cyber world still lacks the ability to prevent, correct, track and trace DDOS attacks. "The anonymity enjoyed by today's cyber attackers poses a grave threat to the global information society, the progress of an information based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor." (LIPSON, 2002). We can clearly see this with groups like LulzSec and Anonymous, which can keep launching attacks for a long time before being caught, or with other hackers that are not caught at all.

2. What is DDOS?
DOS attacks are an explicit attempt by an attacker to make a server unable to provide services to its users by flooding or crashing the system. Unlike conventional electronic attacks, there is little information or effort required to initiate a DOS attack on the target website: all that is needed is the website address, a program that can perform a rapid number of requests to the targeted website and a botnet (for DDOS attacks).
The first programs to make remote DOS attacks started to appear in the 90s, and for these programs to be effective they needed large computers or networks, like those of a university. In 1997 a large number of failures were discovered in TCP/IP (Transmission Control Protocol/Internet Protocol), and then the number of attacks started to grow, using IRC (Internet Relay Chat) networks and exploiting known vulnerabilities in Windows to crash it.
Late 1999 saw the rise of DDOS attacks, where the attackers could get control of other machines (bots or zombies) to maximize the power of the attack against their target.
In 2000 DDOS attacks started getting mixed with worms (malware programs that can replicate themselves and infect other computers through vulnerabilities in the network), making the affected targets more vulnerable to other attacks.
In January 2001 Microsoft's website suffered a powerful DDOS attack that lasted for hours and made the web page unavailable to real users; during some periods 98% of the services were affected by the attack. Even the FBI was called in to take care of the case, showing that even a company as huge as Microsoft wasn't immune to a DDOS attack.
DDOS attacks can be divided into three general categories:
Volume Based Attacks, which consist of saturating the bandwidth of the attacked server; their power is measured in bits per second (bps). Some examples are: UDP floods, ICMP floods and other spoofed-packet floods.
Protocol Attacks, which try to consume the actual server resources or those of firewalls and load balancers; their magnitude is measured in packets per second. Some examples are: SYN floods, Ping of Death and Smurf DDOS.
Application Layer Attacks, which consist of sending apparently legitimate requests with the goal of crashing the web server; they are measured in requests per second. Some examples are: Slowloris, Zero Day DDOS attacks, Windows vulnerabilities.

3. Types of attack
There are several forms of DOS attacks; here are some of the most commonly used.

3.1 UDP Flood
This attack uses the User Datagram Protocol (UDP), a sessionless networking protocol. It floods random ports of a remote host with numerous UDP packets, making the host constantly check for the application listening at that port. However, no application listens at that port, so the host needs to reply with an ICMP Destination Unreachable, which ends up causing excessive use of the host's resources that can lead to inaccessibility. This attack is used with IP spoofing so that the ICMP return packets won't reach the attackers, hiding their network location.

3.2 ICMP Flood or Ping Flood
The principle is similar to the UDP flood attack, but now the target is overwhelmed with ICMP Echo (ping) request packets, using a method of sending ICMP packets continuously without waiting for a reply. The attacked server will often attempt to respond with ICMP reply packets, which consumes both incoming and outgoing bandwidth and can result in an overall system slowdown.

3.3 SYN Flood
This attack exploits the three-way handshake, a known weakness in the TCP connection sequence: when a SYN request is sent to begin a TCP connection, the host needs to answer with a SYN-ACK response, which then has to be confirmed by an ACK response from the requester. The attacker sends multiple SYN requests but doesn't respond to the target's SYN-ACK responses, or the attacker can send the requests from spoofed IP addresses, so the victim's server keeps waiting for the response to each request, binding resources until no new connections can be made.
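The half-open pattern described above is also what a defender looks for: many SYNs arriving at a server in a short window with very few handshakes completed by a third-step ACK. The following detector is an added example, not code from the paper; it runs over constructed packet records with documentation addresses, and the thresholds (100 SYNs per second, at most 50% completion) are assumed values to be tuned per site.

```python
from collections import defaultdict

SERVER = "203.0.113.10"

# Constructed per-packet records (time_s, src, dst, tcp_flags), the shape a
# sensor or flow exporter would hand a detector; not real captures.
SAMPLE_PACKETS = [
    (0.00, "198.51.100.7", SERVER, "S"),   # legitimate client: SYN
    (0.01, SERVER, "198.51.100.7", "SA"),  # server: SYN-ACK
    (0.02, "198.51.100.7", SERVER, "A"),   # client: ACK completes the handshake
]
# A burst of 400 SYNs from many sources that never send the final ACK, the
# half-open pattern of a SYN flood; the server still answers each with a SYN-ACK.
SAMPLE_PACKETS += [(0.10 + i * 0.001, f"192.0.2.{i % 250 + 1}", SERVER, "S")
                   for i in range(400)]
SAMPLE_PACKETS += [(0.60 + i * 0.001, SERVER, f"192.0.2.{i % 250 + 1}", "SA")
                   for i in range(400)]

def handshake_stats(packets, server, window=1.0):
    """Per time window: (SYNs received by `server`, handshakes completed).
    A handshake counts as completed when a client we saw a SYN from later
    sends a bare ACK to the server."""
    syns, completed = defaultdict(int), defaultdict(int)
    pending = set()   # clients with an outstanding (half-open) SYN
    for t, src, dst, flags in sorted(packets):
        w = int(t // window)
        if dst == server and flags == "S":
            syns[w] += 1
            pending.add(src)
        elif dst == server and flags == "A" and src in pending:
            pending.discard(src)
            completed[w] += 1
    return {w: (syns[w], completed[w]) for w in syns}

def syn_flood_windows(packets, server, min_syns=100, max_completion=0.5):
    """Windows whose SYN volume is high and whose completion ratio is low:
    many SYNs with few third-step ACKs is the section 3.3 signature."""
    return [w for w, (s, c) in handshake_stats(packets, server).items()
            if s >= min_syns and c / s <= max_completion]

if __name__ == "__main__":
    print(handshake_stats(SAMPLE_PACKETS, SERVER))
    print("suspicious windows:", syn_flood_windows(SAMPLE_PACKETS, SERVER))
```

With spoofed sources the per-client completion check cannot attribute the flood to anyone, which is why the ratio is computed per server and per window rather than per source.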

3.4 Ping of Death (POD)
Generally the maximum length of an IP packet on IPv4 is 65,535 bytes, and sending a ping of this size could crash the target's computer. This vulnerability started being exploited when attackers started to send a large IP packet (bigger than 65,536 bytes) split into multiple smaller fragments, so when the host reassembled the fragments it could end up causing a memory buffer overflow, denying service to legitimate packets. Today it is really hard for a server to crash because of this attack.

3.5 Slowloris
Slowloris is a highly targeted attack that permits one server to take down another with minimal bandwidth and side effects on unrelated services and ports. The attacker tries to keep as many connections with the targeted server open for as long as possible; this is done by constantly sending HTTP headers without ever completing the request. The targeted server will keep those connections open, and this eventually leads to an overflow of the connection pool, leaving legitimate requests from clients denied service. It is specially used against Apache, Tomcat, dhttpd and GoAhead WebServer.
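The server-side countermeasure is to refuse to wait indefinitely for the request headers: give each connection a deadline for the header phase that grows only as real bytes arrive. The simulation below is an added example, not code from the paper; its thresholds (20 s initial, 40 s ceiling, one extra second per 500 bytes) are assumed values modelled on the semantics of Apache's mod_reqtimeout, and the client traffic is constructed.

```python
HEADER_INITIAL = 20.0   # seconds a client gets to finish its request headers
HEADER_MAX = 40.0       # absolute ceiling for the header phase
MIN_RATE = 500          # bytes/s: every 500 bytes received earns one extra second
# Assumed thresholds, modelled on Apache mod_reqtimeout's "header=20-40,MinRate=500".

def allowed_time(received):
    """Deadline (seconds since open) as a function of bytes received so far."""
    return min(HEADER_MAX, HEADER_INITIAL + received / MIN_RATE)

class HeaderReader:
    """State for one connection while its HTTP request headers are being read."""
    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.buf = b""
    def expired(self, now):
        return (now - self.opened_at) > allowed_time(len(self.buf))
    def feed(self, data):
        self.buf += data
        return b"\r\n\r\n" in self.buf   # the blank line terminates the headers

def simulate(events, opened_at=0.0, closed_at=None):
    """Replay constructed (time, bytes) chunks from one client against the
    reader. Returns ("complete", t), ("dropped", t) or ("open", t)."""
    r = HeaderReader(opened_at)
    for t, data in events:
        if r.expired(t):
            return ("dropped", t)
        if r.feed(data):
            return ("complete", t)
    last = closed_at if closed_at is not None else events[-1][0]
    return ("dropped", last) if r.expired(last) else ("open", last)

# Constructed traffic: a normal client finishes its headers in one chunk.
LEGIT = [(0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
# A Slowloris-style client: partial headers, then one bogus header line every 10 s
# and never the terminating blank line.
SLOW = [(0.0, b"GET / HTTP/1.1\r\nHost: x\r\n")] + [
    (10.0 * i, b"X-a: b\r\n") for i in range(1, 7)
]

if __name__ == "__main__":
    print(simulate(LEGIT), simulate(SLOW))
```

The slow client is dropped at its fourth chunk (t = 30 s) because a few bytes every ten seconds never earn enough extra time to stay under the deadline, while the legitimate request completes immediately.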

3.6 Zero-day DDOS
Zero-day attacks are unknown or new attacks exploiting vulnerabilities that still don't have a solution. Basically it's an attack that exploits a vulnerability that the software owner doesn't even know about yet, or hasn't developed a patch to fix. One big problem with these attacks is that trading zero-day vulnerabilities is quite popular in the black hat community, and even if the company develops a patch later, your computer may already have been infected with worms and trojans.

4. Attackers and motives
There is a large diversity of attackers and motives, and sometimes two of these classes can merge. For example, an extortionist group can use a hacktivist excuse to attack a web service when their real purpose is to get money.

4.1 Extortionists
These attackers threaten their target, asking for money or they will take down its servers; they work with a financial purpose.

4.2 Hacktivists
The hacktivist groups are the ones that got most of the spotlight with DDOS attacks in the last years; they grew and united themselves really fast and started to stage "Internet Street Protests" (Richard Stallman). Some hacking groups even took down US government sites, causing a great stir in the community. Their motive is to try to change decisions made by organizations or the government.

4.3 Competitors, unsatisfied employees and customers
There were some cases where a company launched a DDOS attack against a competitor to harm its image, so customers would change companies and the attacker would get more profit.
It can also happen that a fired or unsatisfied employee or customer launches a DDOS attack against a company as a vendetta.

4.4 Script Kiddies
They are basically unskilled individuals that use automated tools created by others to carry out attacks. Their purpose normally is to impress friends or to try to become famous and climb up in the hacker community; some script kiddies launch an attack just for the fun of it.

5. Tools
One of the reasons for the great growth of DOS attacks is the appearance of many free tools on the web; here are some of them.

5.1 LOIC (Low Orbit Ion Cannon)
It is one of the most popular free DOS attacking tools on the web; it has a user-friendly interface, so it is easy to learn and use. The tool can perform a DOS attack by sending TCP, UDP or HTTP requests to the target's system. A botnet can be used to increase the power of the attack and make it a distributed attack.

5.2 HOIC (High Orbit Ion Cannon)
It was made out of the concept of LOIC, but the developers tried to improve its strength and included a "booster" feature to make the attack stronger.

5.3 XOIC
It is a very simple and easy-to-use tool; it comes with a whois feature to find the IP and port, and has 3 modes of attack: a basic test mode, a normal DOS mode and a DOS mode with a TCP/HTTP/UDP/ICMP message.

5.4 PyLoris
PyLoris is a scriptable tool for testing a server's vulnerability to denial of service (DoS) attacks. PyLoris can utilize SOCKS proxies and SSL connections, and can target protocols such as HTTP, FTP, SMTP, IMAP, and Telnet.


6. Defense against DOS attacks
6.1 How to prevent?
Until now there is no "silver bullet" (Brooks) against DDOS attacks, but there are some strategies to mitigate the attack.
Some recommended strategies to prevent attacks are:
Increase host security: As the primary characteristic of DDOS is the use of a botnet, it is very important to improve the security of your machines so they won't become zombies.
Install patches: The machines used as zombies are normally infected through known vulnerabilities, so it is highly recommended that you always update your system when possible.
Apply anti-spoofing filters: During a DDOS, the attackers try to hide their real IP using spoofing mechanisms that forge fake IPs, making it harder to track the attack origin. So it is necessary that access providers implement anti-spoofing filters at the entrance of their routers, so that their clients' networks can't use spoofing, and that the Internet as a whole implements anti-spoofing filters at the exit of border routers, preventing the use of spoofing.
Plan ahead against DDOS: Prior planning and coordination are essential to guarantee an adequate response when a DDOS attack starts. This planning must include counterattack procedures with your backbone provider.
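The anti-spoofing filter recommended above is a source-address check: a packet entering the provider from a customer port is forwarded only if its source address belongs to the prefixes assigned to that customer, and the same rule with the provider's whole allocation applied at the border router's exit gives the egress filter. The following is an added example, not code from the paper; the customer prefixes and packets are constructed from documentation address ranges.

```python
import ipaddress

# Constructed example: the prefixes an access provider has assigned to one
# customer port. These are documentation ranges, not a real customer.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("2001:db8:1::/48")]

# Constructed packets (src, dst) arriving on that customer port. Two carry
# sources the customer does not own, the pattern spoofed flood traffic shows.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),    # genuine customer source
    ("203.0.113.9", "203.0.113.10"),     # forged: not a customer address
    ("2001:db8:1::5", "2001:db8:9::1"),  # genuine customer IPv6 source
    ("10.0.0.1", "203.0.113.10"),        # forged: private address on a public port
]

def ingress_permitted(src, prefixes=CUSTOMER_PREFIXES):
    """Anti-spoofing check at the provider's customer-facing interface: forward
    only packets whose source lies inside the customer's own prefixes. Run with
    the provider's full allocation at the border router's exit, the same check
    is the egress filter the text asks for."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: never forward
    return any(addr in net for net in prefixes)

def filter_packets(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) according to ingress_permitted."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permitted(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

The filter does nothing for floods sent from a bot's real address, but it removes the attacker's ability to forge sources, which is what makes the UDP, ICMP and SYN floods of section 3 hard to trace.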

6.2 How to react?
6.2.1 DDOS tools are installed on your system
This can mean that your system is being used as a master or an agent. It is important to determine what part the tools found play and to try to discover useful information that would allow tracking other components of the botnet, prioritizing the discovery of masters. Depending on the situation, it is recommended to try to shut down the masters immediately, but sometimes it can be worth monitoring the activity to gather information.

6.2.2 If your system is suffering a DDOS attack
The spoofing mechanisms used in DDOS attacks make it really hard to identify the attacker, but if there is a moment when it is possible to trace back and get to the real responsible party, it is while the attack is happening. It is critical to have quick communication with your backbone provider to try to track the attacker.
There are some techniques to mitigate a DDOS attack in progress.
Load Balancing: Network providers can increase bandwidth on critical connections to prevent them from going offline in the middle of an attack. Balancing the load across each server in a multiple-server architecture can improve normal performance and mitigate the effect of a DDOS attack.

Drop Requests: The system can simply drop requests when the load increases. This can be done by the router or the server. Alternatively, the requester may be induced to drop the request by making its system solve a hard puzzle that takes a lot of compute power or memory space before continuing with the request. This will make the users of zombie systems notice performance degradation, making them aware that something wrong is happening and leading them to look into and solve the problem, getting rid of the zombie infection.
Outsourced companies: There are a number of outsourced companies that offer services against DDOS attacks; they give you 24/7 support and monitoring, and in the middle of an event they use their servers to help mitigate the attack.
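The "hard puzzle" variant of dropping requests can be built as a client puzzle: the server hands out a random challenge, the client must find a counter whose SHA-256 hash with the challenge starts with a given number of zero bits, and the server checks the answer with a single hash. The code below is an added example, not from the paper; the load-to-difficulty policy and the server key are assumptions, and the HMAC tag lets the server verify solutions without storing issued puzzles.

```python
import hashlib
import hmac
import os
import secrets

# Assumed server-side key: makes issued puzzles unforgeable so the server can
# verify solutions statelessly. Generated here for the example only.
SERVER_KEY = secrets.token_bytes(32)

def difficulty_for_load(load):
    """Assumed policy: no puzzle while the server is below half capacity, then
    a cost rising to 20 leading zero bits (about a million hashes) when saturated."""
    return 0 if load < 0.5 else min(20, int((load - 0.5) * 40))

def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def _tag(challenge, difficulty):
    return hmac.new(SERVER_KEY, challenge + bytes([difficulty]), "sha256").digest()

def issue_puzzle(difficulty):
    """Server side: a random challenge plus an HMAC tag binding its difficulty."""
    challenge = os.urandom(16)
    return challenge, difficulty, _tag(challenge, difficulty)

def solve_puzzle(challenge, difficulty):
    """Client side: the expensive step. Brute-force an 8-byte counter until
    SHA-256(challenge || counter) starts with `difficulty` zero bits."""
    counter = 0
    while True:
        sol = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + sol).digest()) >= difficulty:
            return sol
        counter += 1

def verify_solution(challenge, difficulty, tag, solution):
    """Server side: one HMAC and one hash, so verifying stays cheap under load.
    Rejects puzzles the server never issued or whose difficulty was lowered."""
    if not hmac.compare_digest(tag, _tag(challenge, difficulty)):
        return False
    return leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty

if __name__ == "__main__":
    ch, d, tag = issue_puzzle(difficulty_for_load(0.8))   # d == 12
    sol = solve_puzzle(ch, d)
    print("accepted:", verify_solution(ch, d, tag, sol))
```

The asymmetry is the point: each requester pays roughly 2^difficulty hashes while the server pays one, so a zombie flooding requests is slowed far more than the server answering them.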

7. My analysis. Next steps for future research
Distributed denial of service attacks are still rising, because they are fairly easy to execute and hard to trace back, and it seems they won't stop soon. There is no easy solution against these types of attacks, and throughout history we can see that the hackers were always one, two or even more steps ahead of the security teams of companies. But there are some arrangements that should be made.
Raise Internet users' awareness: If we can make Internet users more aware of security issues, we can prevent their machines from becoming part of a botnet, and with this the botnets will become smaller, making DDOS attacks much weaker.
Honeypots: These are systems built with known vulnerabilities to attract the attack. A honeypot not only keeps the attack away from the critical areas of the system, but also gathers relevant data and records everything about how the attack is being performed and which tools are being used. With that kind of information you can fortify your system to prevent the next attacks. The hacker elite are already well aware of this technique, so in order to improve its effectiveness honeypots must be better camouflaged to look exactly like real systems.
Post-attack Forensics: When under a DDOS attack it is recommended to gather as much data as possible to later analyze and look for specific characteristics in the attacking traffic; this can be used to develop new filtering techniques against DDOS.
The packet tracing technique rests on the fact that Internet traffic can be traced back to its true source. This allows tracing the attacker's traffic back to find out who the attacker is.
All the data collected must be stored in a safe database so it can be used for forensic analysis and to assist law enforcement in cases of significant financial damage.


8. Conclusion
DDOS attacks are really dangerous and can cause a lot of trouble; combined with the fact that they are hardly traceable, this makes them a safe and effective attack to perform against a target.
There are the most common attacks, made by a few people with some botnets, which can cause real trouble to small and medium companies but don't really have much effect against large companies such as Amazon, eBay and Microsoft. But there are the hacker elite groups that have a lot of influence in the hacker scene and can gather a huge number of followers and botnets to orchestrate a powerful attack capable of taking down even large companies.
Internet users need to start thinking more about the security of their own systems so they don't become infected; network providers need to monitor their traffic better to track attackers and help companies resist when attacked; and IT companies need to invest more in finding new general DDOS solutions and share the knowledge with smaller companies. That way DDOS attacks can be weakened and won't be the big concern they are today.


9. References
Lipson, Howard F. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute, 2002. Print.
"GRC | Security Now! Transcript of Episode #8." N.p., n.d. Web. 10 Dec. 2013. <https://www.grc.com/sn/SN008.htm>.
"A Timeline of Hacking Group LulzSec's Attacks." Msnbc.com. N.p., n.d. Web. 10 Dec. 2013. <http://www.nbcnews.com/id/43529667/>.
"DoS Attack Knocks Out Microsoft Sites." N.p., n.d. Web. 10 Dec. 2013. <http://www.secure64.com/newshackersmicrosoftdnsswitch>.
"Network DoS Attacks Overview." JUNOS Software Security Configuration Guide. N.p., n.d. Web. 10 Dec. 2013. <http://www.juniper.net/techpubs/software/junossecurity/junossecurity10.0/junossecurityswconfigsecurity/id16414.html>.
"DDoS Protection." N.p., n.d. Web. 10 Dec. 2013. <http://www.ddosprotection.net/>.
"Distributed Denial of Service Attacks." N.p., n.d. Web. 10 Dec. 2013. <http://www.incapsula.com/ddos/ddosattacks>.
"Advanced DDOS Tools." Prince4Hack. N.p., n.d. Web. 10 Dec. 2013. <http://prince4hack.blogspot.com/2012/12/advancedddostools.html>.
"DOS Attacks and Free DOS Attacking Tools." InfoSec Institute. N.p., n.d. Web. 10 Dec. 2013. <http://resources.infosecinstitute.com/dosattacksfreedosattackingtools/>.

