
1 DENIAL OF SERVICE

CHAPTER 1: INTRODUCTION
Denial of Service attacks have been headline news since February 2000, when several major high-profile web sites including Yahoo, eBay, E*Trade and CNN were attacked [1]. In recent months the Arab satellite television network Al-Jazeera, which published the now infamous photographs of US POWs inside Iraq, suffered extensive Denial of Service attacks throughout its network of news web sites. There are perhaps several motivations for these attacks. No doubt many Denial of Service attacks are performed by mischievous teenagers for negative attention. However, other attacks have more sinister motives and are performed by malicious hackers trying to sabotage the business of major companies; the attacks of February 2000, for example, cost these companies an estimated 1.2 billion US dollars [4] and were probably done for this effect. Other motivations for such attacks may include censorship, which may even be the motivation behind the Al-Jazeera network attack.

Basically, the aim of a Denial of Service attack is to disrupt and prevent normal usage of a system. This can be done by overwhelming the victim's resources. These resources may include the system's power to compute and resolve problems, or the attack may target the system's bandwidth. Although this type of attack does not directly affect computer data or hardware, it has the potential to cost companies millions of dollars and thwart the further economic potential of e-commerce by denying access to a remote system. Unfortunately there are no sure defences against Denial of Service attacks; however, monitoring a system as well as taking other security precautions may limit their potential effects. Long term solutions include providing economic incentives to encourage better computer security. An even more drastic solution involves redesigning the Internet [7]. Distributed responsibility and software correctness provide some countermeasures against Denial of Service attacks.
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

JULY 2010

Although there is a lot one can do to limit Denial of Service attacks and thus limit the risks of such attacks, a permanent solution may not become available in the foreseeable future.

The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms. It serves uncountable personal and professional needs for people and corporations. However, this interconnectivity among computers also enables malicious users to misuse resources and mount denial of service (DoS) attacks against arbitrary sites. In a denial of service attack, a malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site, often simply by flooding the victim with many requests. A DoS attack can be either a single-source attack, originating at only one host, or a multi-source attack, where multiple hosts coordinate to flood the victim with a barrage of attack packets. The latter is called a distributed denial of service (DDoS) attack. Sophisticated attack tools that automate the procedure of compromising hosts and launching attacks are readily available on the Internet, and detailed instructions allow even an amateur to use them effectively.

Denial of service attacks cause significant financial damage every year, making it essential to devise techniques to detect and respond to attacks quickly. Development of effective response techniques requires intimate knowledge of attack dynamics, yet little information about attacks in the wild is published in the research community. Moore et al. provide insight into the prevalence of DoS activity on the Internet, but their analysis is based on back-scatter packets and lacks the level of detail required to study attack dynamics or generate the high-fidelity models needed for DoS research. Monitoring tools today can detect an attack and identify basic properties such as traffic rates and packet types. However, because attackers can forge most packet information, characterizing attacks as single- or multi-source and identifying the number of attackers is difficult. In this paper, we develop a framework to classify attacks based on header analysis, ramp-up behavior and spectral analysis. First, we analyze the header content to get a rapid characterization of the attackers. Since headers can be forged by the attacker, we develop two new techniques to analyze packet stream dynamics using the ramp-up behavior and the spectral characteristics of the attack traffic.

In order to achieve business goals, organisations frequently have to develop bespoke application solutions or customise commercial off-the-shelf (COTS) packages. These range from complex back-office database applications, CRMs and asset management systems to customer-facing fat and thin applications. Corporate web applications offer anything from a simple brochure request to a full e-business implementation. Availability of these services is important for customers and users of the site, with any disruption directly affecting revenues, negatively impacting confidence in the company or even damaging the brand.

CHAPTER 2: DENIAL OF SERVICE


In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer. The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you type a URL for a particular website into your browser, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can't process your request. This is a "denial of service" because you can't access that site. An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages. In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack. 
There are various classifications of Denial of Service attacks. A DoS attack can be either a single-source attack, originating at only one host, or a multi-source attack, where multiple hosts coordinate to flood the victim with a barrage of attack packets. The latter is called a distributed denial of service attack. Yet another classification of DoS attacks is into logic attacks and resource attacks, which degrade performance by exploiting software flaws and by overwhelming the victim's resources with spurious requests, respectively.

Denial-of-service attacks consume the resources of a remote host or network that would otherwise be used to serve legitimate users. There are two principal classes of attacks: logic attacks and resource attacks. Attacks in the first class, such as the "Ping-of-Death", exploit existing software flaws to cause remote servers to crash or substantially degrade in performance. Many of these attacks can be prevented by either upgrading faulty software or filtering particular packet sequences, but they remain a serious and ongoing threat. The second class, resource attacks, overwhelm the victim's CPU, memory, or network resources by sending large numbers of spurious requests. Because there is typically no simple way to distinguish the "good" requests from the "bad", it can be extremely difficult to defend against resource attacks. For the purposes of this study we focus solely on this latter class of attacks.

2.1 ATTACK TYPES

There are two related consequences of a resource attack: the network load induced and the impact on the victim's CPU. To load the network, an attacker sends packets as rapidly as possible towards the victim, hoping to overwhelm the capacity of intervening network devices. Since many network devices are limited by packet processing before bandwidth, packets-per-second is frequently a better measure of network load during an attack. An attacker often simultaneously attempts to load the victim's CPU by requiring additional processing above and beyond that required to receive a packet. For example, the best known denial-of-service attack is the "SYN flood" [Computer Emergency Response Team 1996], which consists of a stream of TCP SYN packets directed to a listening TCP port at the victim. For each such SYN packet received, the victim host must search through existing connections and, if no match is found, allocate a new data structure for the connection. Moreover, the number of these data structures may be limited by the victim's operating system. Consequently, without additional protection, even a small SYN flood can overwhelm a remote host. There are many similar attacks that exploit other code vulnerabilities, including TCP ACK, NUL, RST and DATA floods, IP fragment floods, ICMP Echo Request floods, DNS Request floods, and so forth. Finally, while most attacks target their victim directly, some sophisticated attackers will implicitly attack sites by focusing on dependent infrastructure such as upstream routers or back-end database servers.


CHAPTER 3: LOGIC ATTACKS


The types of logic attacks that we are going to discuss here are:

IRC Zombie attacks
Reflection DoS attacks
Buffer overflows
Peer-to-peer attacks

3.1 IRC ZOMBIE ATTACKS

As mentioned earlier, the difference between a Denial of Service attack, such as the one described above, and a Distributed Denial of Service attack is that multiple distributed computers are used to disrupt service. Early in 2001, the site of Steve Gibson, a security researcher and author, was the victim of a Distributed Denial of Service attack. In the space of a couple of minutes, the output traffic from the website dropped to zero, while the input traffic increased to the maximum 1.54 megabit rate. The site was being bombarded by millions of UDP packets. These packets could be filtered and discarded by the firewall so that the internal systems were not affected. However, the attack still used up the system's bandwidth in handling these nuisance packets. In noting the locations from which the packets came, it was determined that the packets originated from 474 Windows PCs. The machines had been infected by a Trojan program, IRC Zombie.

IRC Zombies cause no harm to the computer on which they are installed; however, they may be used in Distributed Denial of Service attacks. Typically, they infect insecure high-bandwidth systems and can be controlled remotely by the master program. They cause little or no disruption to the communication potential of an infected computer. Zombie programs typically have similar names to Windows components. An example zombie program name is rundll.exe, which is similar to the commonly used Windows component rundll.exe; someone inspecting a Windows directory for suspicious files may mistake it for a valid file. In examining an infected PC, the process of the Zombie connecting with a master IRC command program may be observed. Once it is activated, it is ready to be used for a Distributed Denial of Service attack.
Two typical attacks by this strain of Trojan are the ping of death and large UDP packet attacks. The ping command only produces a low-speed stream of packets because it waits for a reply before trying again. If several hundred machines are pinging simultaneously, the effect is cumulative and can be significant. The second attack is perhaps more devastating. Maximum-size UDP packets are sent to the victim's computer, without time-outs and without any need to wait for replies. Spoofed packets sent from the zombie machines add a degree of separation between the attacker and the victim, making the source of the attack difficult to identify, especially when the attack has hundreds or thousands of zombies sending packets. IRC zombies may be transferred via e-mail attachments, in Trojan downloads on the Internet or in user groups. There is no need for an attacker to search for their zombies, as they automatically connect to the master program once the systems have been turned on. The malicious hacker only needs to make sure that his zombie programs are transferred to enough computers throughout the Internet for the attack to be effective.

3.2 REFLECTION DENIAL OF SERVICE ATTACKS

An attacker can further remove himself from the source of an attack by using an attack known as a Distributed Reflection Denial of Service. In some ways, this can be described as an extension of a Distributed Denial of Service attack. The attacker still has a fleet of zombies awaiting commands; however, instead of attacking the victim directly with spoofed packets, the zombies send spoofed packets to reflectors. A reflector is any IP address on the Internet that will return a packet when it receives one. Examples are web servers, DNS servers and routers. The Internet is comprised of millions of such entities, all of which can be used maliciously to flood the bandwidth of a victim site. In this attack, the malicious hacker uses a list of available reflectors, a task that is easy to accomplish with port scans through high-bandwidth IP regions or by using other tools such as backtrace to generate lists of candidate reflectors. The attacker can then use the zombies to take advantage of several Internet protocols. ICMP packets, such as ping requests, "host unreachable", "need fragmentation" and "time exceeded", are used to tie up bandwidth. The three-way handshake authentication of TCP is a stronger option. Like a normal Distributed Denial of Service attack, the zombies generate SYN packets, but these SYN packets do not reach the target system. Since the reflectors are outside the attacker's control and do not have an existing connection with the victim, when a reflector receives a SYN packet with the source IP address spoofed to the victim's, it can only reply with a SYN/ACK or RST packet, according to the TCP specification. Since the SYN packets are not sent to the target, resources are not allocated there. In this way, a Distributed Reflection Denial of Service is distinct: it works on the sheer force of the millions of reflectors filling the victim's bandwidth. DNS is also vulnerable: by sending a flood of name queries to a target machine, the victim will be overwhelmed with recursive queries. The backbone connections of the Internet can handle the large amounts of packets created by the reflectors being used for an attack. The path begins to narrow as the packets reach the target, consuming all of the bandwidth and blocking legitimate traffic. The number of reflectors used in the attack can flood commercial sites with large bandwidth and resources that could withstand a normal distributed attack. These sites usually have a load balancer maintaining connections for several servers. Load balancers are designed to keep several web servers working at maximum usage, redirecting IP packets to servers in a way that best uses the system's processing power. Protecting against these attacks can be difficult. Filtering packets would be one possible defence.

3.3 BUFFER OVERFLOWS

There are also several attacks that exploit code vulnerabilities, such as buffer overflows. As mentioned, buffer overflows are a common flaw in computer programs [10]. A buffer overflow may be exploited and used in Denial of Service attacks. To understand how they may be exploited, one needs to have a basic understanding of system calls. Each time a function is called, its arguments get copied to an area of memory called the stack. In assembler, an argument is stored on the stack by an operation called pushing, and is retrieved from the stack by a second operation known as popping. All CPU architectures currently in use support the notion of a stack and have a special register (the stack pointer) and operations for pushing and popping. There is also an operation that takes an address off the stack and copies it into the program counter, the register that determines the address of the next instruction to be executed. Calling a function always pushes the return address onto the stack.
Any variables defined within this function are also stored in space allocated on the stack. For example, if a string, such as the name of a file to open or a password, needs to be defined in the function, a number of bytes will be allocated on the stack. The function can then use this memory, but it will automatically be deallocated after the function returns. There are, however, some problems with the implementation of stacks in the C programming language: C does no bounds checking when data is stored in this area.

An attacker must understand enough assembly to take advantage of this vulnerability. In a buffer overflow exploit, code is written on the stack beyond the return address and function call arguments. The return address is modified so that it points to the beginning of the code. Then, when the function call returns, the attacker's code gets executed instead of the normal program. One such usage may be in an HTTP application, where an HTTP request may be used to download any application the attacker desires.

3.4 PEER-TO-PEER ATTACKS

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a 'puppet master', instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections/sec before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections/sec. With a moderately big peer-to-peer attack a site could potentially be hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the incoming connections. While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a big attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.


CHAPTER 4: DISTRIBUTED DENIAL OF SERVICE ATTACKS


4.1 OVERVIEW

The Internet consists of hundreds of thousands or millions of small networks (called Local Area Networks, or LANs), all interconnected; attached to these LANs are many millions of separate computers. Any of these computers can communicate with any other computer. This works by assigning every computer an address. The addresses are structured (organized into groups) so that special-purpose traffic-handling computers, called routers, can direct them in the right direction to reach their intended destination. A typical connection today may require 15 or more hops, crossing from one LAN to another, before it reaches its final destination. But most of these "LANs" are actually special-purpose links within and between network transport companies. These backbone providers handle the hard problems of routing traffic. The packets used in today's DDoS attacks use forged source addresses; they are lying about where the packet comes from. The very first router to receive the packet can very easily catch the lie: it has to know what addresses lie on every network attached to it, so that it can correctly route packets to them. If a packet arrives and the source address doesn't match the network it's coming from, the router should discard the packet. This style of packet checking is called variously Ingress or Egress filtering, depending on the point of view; it is Egress from the customer network, or Ingress to the heart of the Internet. If the packet is allowed past the border, catching the lie is nearly impossible.

4.2 PING OF DEATH

The Ping of Death uses the ping system utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot when they receive such a maliciously crafted packet. This attack is not new, and all OS vendors have fixes in place to handle the oversize packets.
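The source-address check of section 4.1, written out as an added example (this is not code from the report or from any router vendor): the border router keeps a table of which prefixes sit behind each customer-facing interface, and a packet whose source address is not in a prefix attached to the interface it arrived on is discarded. The interface table and the sample packets below are constructed for illustration.

```python
"""Ingress/egress filtering of forged source addresses at a border router."""
import ipaddress

# Constructed interface table (assumed values): the prefixes that legitimately
# sit behind each customer-facing interface of the border router.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}


def source_is_valid(iface, src):
    """True when src lies inside a prefix attached to iface.

    An unknown interface has no prefixes, so everything from it is rejected."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(iface, []))


def ingress_filter(packets):
    """Split (iface, src, dst) tuples into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_is_valid(iface, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample: two honest packets and two with forged sources.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "203.0.113.5"),      # genuine customer host
    ("eth1", "203.0.113.99", "198.51.100.7"),   # forged: not a prefix behind eth1
    ("eth2", "198.51.100.130", "192.0.2.1"),    # genuine, second prefix on eth2
    ("eth2", "10.0.0.1", "192.0.2.1"),          # forged private source address
]

if __name__ == "__main__":
    _fwd, drp = ingress_filter(SAMPLE_PACKETS)
    for pkt in drp:
        print("dropped packet with forged source:", pkt)
```

The check is only possible at the first router because only that router knows which prefixes are attached to each interface; once the packet is inside the core, every router sees only a routable destination and an arbitrary source, which is the point the section makes.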


Fig.1

4.3 TEARDROP

The recently developed Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. During its journey through the Internet, an IP packet may be broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 600 through 800 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination host, some systems will crash, hang, or reboot.
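Both the Ping of Death of section 4.2 and the Teardrop attack of section 4.3 succeed only when the reassembly code trusts the offset and length fields of the fragments it receives. The following added example (not from the report) is a reassembler that validates those fields before copying any data: overlapping fragments, gaps, fragments after the final one and a total length beyond what an IPv4 total-length field can express (65,535 bytes) are all rejected with a named reason instead of being assembled. Fragments are represented as (offset, payload, more_fragments) triples with byte offsets; a real IPv4 header stores the offset in 8-byte units, and the fragment sets at the bottom are constructed, not captured traffic.

```python
"""Validating IP fragment reassembly against overlapping and oversize sets."""
MAX_DATAGRAM = 65535   # largest total length an IPv4 header can express


class FragmentError(ValueError):
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def reassemble(fragments):
    """Reassemble (offset, payload, more_fragments) triples into one payload.

    Offsets are byte positions. Any inconsistency raises FragmentError rather
    than being trusted, so a malformed set can never corrupt the buffer."""
    frags = sorted(fragments, key=lambda f: f[0])
    out = bytearray()
    covered_to = 0        # bytes of the datagram reassembled so far
    finished = False      # True once the fragment with more_fragments=False is in
    for offset, payload, more in frags:
        end = offset + len(payload)
        if finished:
            raise FragmentError("trailing", f"fragment at {offset} after the final one")
        if end > MAX_DATAGRAM:
            raise FragmentError("oversize", f"ends at byte {end}, above {MAX_DATAGRAM}")
        if offset < covered_to:
            raise FragmentError("overlap", f"offset {offset} inside data up to {covered_to}")
        if offset > covered_to:
            raise FragmentError("gap", f"nothing covers bytes {covered_to}-{offset}")
        out += payload
        covered_to = end
        finished = not more
    if not finished:
        raise FragmentError("incomplete", "final fragment never arrived")
    return bytes(out)


def verdict(fragments):
    """'ok' when the set reassembles cleanly, otherwise the rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as err:
        return err.reason


# Constructed fragment sets for illustration (not captured traffic).
NORMAL = [(0, b"a" * 600, True), (600, b"b" * 200, True), (800, b"c" * 100, False)]
TEARDROP = [(0, b"x" * 600, True), (500, b"y" * 300, False)]         # offsets overlap
PING_OF_DEATH = [(0, b"\0" * 65000, True), (65000, b"\0" * 1000, False)]  # 66000 bytes

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print(f"{name}: {verdict(frags)}")
```

Rejecting on the first inconsistency is the safe choice for a host; a middlebox that wants to be forgiving of legitimately retransmitted fragments would instead compare the overlapping bytes and only reject when they differ, but it must still enforce the size bound before allocating the reassembly buffer.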


Fig.2

4.4 SYN ATTACK

Weaknesses in the TCP/IP specification leave it open to SYN attacks, executed during the three-way handshake that kicks off the conversation between two applications. Under normal circumstances, the application that initiates a session sends a TCP SYN synchronization packet to the receiving application. The receiver sends back a TCP SYN-ACK acknowledgment packet and then the initiator responds with an ACK acknowledgment. After this handshake, the applications are set to send and receive data. But a SYN attack floods a targeted system with a series of TCP SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. This backlog queue has a finite length that is usually quite small. Once the queue is full, the system will ignore all incoming SYN requests. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. A SYN attack creates each SYN packet in the flood with a bad source IP address, which under routine procedure identifies the original packet. All responses are sent to the source IP address. But a bad source IP address either does not actually exist or is down; therefore the ACK that should follow a SYN-ACK response will never come back. This creates a backlog queue that's always full, making it nearly impossible for legitimate TCP SYN requests to get into the system.
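The backlog-queue behaviour described here (and the SYN flood of section 2.1) can be made concrete with a small simulation. This is an added example, not code from the report: a listener holds half-open connections in a fixed-size backlog until the third handshake packet arrives or a timer expires, so SYNs from unreachable spoofed sources occupy slots until the timer fires and a legitimate SYN that arrives meanwhile is silently ignored. The backlog size, the timer and the event trace are constructed values.

```python
"""Simulation of a TCP backlog queue under a SYN flood with spoofed sources."""


class Listener:
    """A listening TCP port with a fixed-size backlog of half-open connections."""

    def __init__(self, backlog=5, syn_timeout=60.0):
        self.backlog = backlog              # slots for outstanding SYN-ACKs
        self.syn_timeout = syn_timeout      # the "internal timer" of section 4.4
        self.half_open = {}                 # (src, sport) -> time the SYN-ACK was sent
        self.established = []
        self.dropped_syns = 0

    def _expire(self, now):
        for key, sent in list(self.half_open.items()):
            if now - sent >= self.syn_timeout:
                del self.half_open[key]     # timer fired: the slot is freed

    def syn(self, src, sport, now):
        """Return True if the SYN got a backlog slot (a SYN-ACK went out)."""
        self._expire(now)
        key = (src, sport)
        if key in self.half_open:
            return True                     # retransmitted SYN, slot already held
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False                    # queue full: SYN silently ignored
        self.half_open[key] = now
        return True

    def ack(self, src, sport, now):
        """Third handshake packet: move the connection off the backlog."""
        self._expire(now)
        key = (src, sport)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.append(key)
        return True


def simulate(trace, backlog=5, syn_timeout=60.0):
    """Replay (time, kind, src, sport) events against one listener."""
    listener = Listener(backlog, syn_timeout)
    refused = []
    for t, kind, src, sport in trace:
        if kind == "syn" and not listener.syn(src, sport, t):
            refused.append((t, src, sport))
        elif kind == "ack":
            listener.ack(src, sport, t)
    return {"refused": refused,
            "established": listener.established,
            "dropped_syns": listener.dropped_syns}


# Constructed trace: five SYNs from spoofed, unreachable sources fill a backlog
# of five; a real client then tries at t=10 and again at t=70.
FLOOD_TRACE = [(float(i), "syn", f"203.0.113.{i + 1}", 1000 + i) for i in range(5)]
FLOOD_TRACE += [(10.0, "syn", "192.0.2.10", 40000),
                (70.0, "syn", "192.0.2.10", 40000),
                (70.1, "ack", "192.0.2.10", 40000)]

if __name__ == "__main__":
    print(simulate(FLOOD_TRACE))                   # legitimate SYN refused at t=10
    print(simulate(FLOOD_TRACE, syn_timeout=5.0))  # a shorter timer frees the slots
```

Running the same trace with a five-second timer lets the legitimate connection through, which is why shortening the half-open timeout and enlarging the backlog are the first two mitigations usually applied; neither removes the problem, since an attacker only has to send SYNs faster than the timer frees slots.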

4.4.1 PROTECTION AGAINST TCP SYN ATTACK

To protect against TCP SYN attacks, you can configure the HP device to drop SYN packets when excessive numbers are encountered. You can set the threshold values for TCP SYN packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded. The syntax for setting the threshold values is:

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>


The burst-normal value can be from 1 to 100000.
The burst-max value can be from 1 to 100000.
The lockup value can be from 1 to 10000.

The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:

If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
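The three thresholds above define a small state machine, shown here as an added example that models the documented rules (this is not the HP device's own code, and how the device aligns its one-second measurement windows is not stated in the text; the model anchors each window at the first SYN it sees, which is an assumption). SYNs beyond burst-normal within a second are dropped, the SYN that pushes the count past burst-max starts a lockup during which every SYN is dropped, and the counter is reset when the lockup expires. The arrival times at the bottom are constructed.

```python
"""Model of burst-normal / burst-max / lockup SYN thresholds (section 4.4.1)."""


class SynRateLimiter:
    def __init__(self, burst_normal, burst_max, lockup):
        # Documented ranges: 1-100000, 1-100000 and 1-10000 respectively.
        if not (1 <= burst_normal <= 100000 and 1 <= burst_max <= 100000
                and 1 <= lockup <= 10000):
            raise ValueError("threshold outside the documented range")
        self.burst_normal, self.burst_max, self.lockup = burst_normal, burst_max, lockup
        self.window_start = None   # start of the current one-second measurement
        self.count = 0             # SYNs seen in the current window
        self.locked_until = None   # end of an active lockup period, if any

    def admit(self, t):
        """Return True if a SYN arriving at time t (seconds) is forwarded."""
        if self.locked_until is not None:
            if t < self.locked_until:
                return False                       # lockup: every SYN is dropped
            self.locked_until = None               # lockup over: reset, restart
            self.window_start, self.count = None, 0
        if self.window_start is None or t - self.window_start >= 1.0:
            self.window_start, self.count = t, 0   # new one-second window (assumed alignment)
        self.count += 1
        if self.count > self.burst_max:
            self.locked_until = t + self.lockup    # exceeded burst-max: start lockup
            return False
        return self.count <= self.burst_normal     # excess above burst-normal dropped


def replay(arrivals, burst_normal=3, burst_max=6, lockup=2):
    """Admit decisions for each SYN arrival time, in order."""
    limiter = SynRateLimiter(burst_normal, burst_max, lockup)
    return [limiter.admit(t) for t in arrivals]


# Constructed arrivals: a ten-SYN burst in the first second, one SYN during the
# lockup, then a calm second that starts a fresh measurement.
ARRIVALS = [i / 10 for i in range(10)] + [1.5, 3.0, 3.1, 3.2, 3.3]

if __name__ == "__main__":
    decisions = replay(ARRIVALS)
    for t, ok in zip(ARRIVALS, decisions):
        print(f"t={t:4.1f}  {'forward' if ok else 'drop'}")
```

With burst-normal 3, burst-max 6 and a 2-second lockup, the burst at t=0 forwards three SYNs, drops the next three as excess, trips the lockup on the seventh (so it and everything until t=2.6 is dropped, including the SYN at t=1.5), and the next window starting at t=3.0 again forwards three. Note that the lockup drops legitimate SYNs too: it protects the device at the cost of availability on that interface, which is the trade-off any threshold-based SYN defence makes.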

CHAPTER 5: SMURFING

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than to a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

[Figure: ICMP echo (spoofed source address of victim) sent to IP broadcast address; ICMP echo replies returned to the victim]
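The smurf attack of this chapter and the Distributed Reflection attack of section 3.2 share one signal at the victim: replies to requests the victim never sent (echo replies from every host on an amplifier network, or SYN/ACK and RST packets from reflectors). The following added example (not from the report) is a detector that keeps a table of the host's own outstanding requests, flags inbound replies that match none of them, and summarises which sources look like reflectors and which /24 networks look like smurf amplifiers. The packet records are constructed dictionaries, not real captures.

```python
"""Detecting reflected and amplified replies at the victim host."""
import ipaddress
from collections import Counter, defaultdict


class ReflectionDetector:
    def __init__(self, reflector_threshold=3):
        self.outstanding = set()                   # requests this host really sent
        self.unsolicited_by_src = Counter()        # stray replies per source address
        self.echo_hosts_by_net = defaultdict(set)  # /24 -> hosts sending stray echo replies
        self.reflector_threshold = reflector_threshold

    def outbound(self, pkt):
        """Record a request we sent: an ICMP echo request or a TCP SYN."""
        if pkt["proto"] == "icmp" and pkt["type"] == "echo-request":
            self.outstanding.add(("icmp", pkt["dst"], pkt["id"]))
        elif pkt["proto"] == "tcp" and pkt["flags"] == "S":
            self.outstanding.add(("tcp", pkt["dst"], pkt["dport"], pkt["sport"]))

    def inbound(self, pkt):
        """Return True when pkt is a reply that matches no request we sent."""
        if pkt["proto"] == "icmp" and pkt["type"] == "echo-reply":
            key = ("icmp", pkt["src"], pkt["id"])
        elif pkt["proto"] == "tcp" and pkt["flags"] in ("SA", "R", "RA"):
            # A reply swaps the ports: its source port is the port we targeted.
            key = ("tcp", pkt["src"], pkt["sport"], pkt["dport"])
        else:
            return False                           # not a reply type this model covers
        if key in self.outstanding:
            self.outstanding.discard(key)
            return False
        self.unsolicited_by_src[pkt["src"]] += 1
        if key[0] == "icmp":
            net = ipaddress.ip_network(pkt["src"] + "/24", strict=False)
            self.echo_hosts_by_net[str(net)].add(pkt["src"])
        return True

    def suspected_reflectors(self):
        """Sources that sent at least reflector_threshold unsolicited replies."""
        return sorted(s for s, n in self.unsolicited_by_src.items()
                      if n >= self.reflector_threshold)

    def suspected_amplifier_nets(self, min_hosts=2):
        """/24 networks from which several distinct hosts sent stray echo replies."""
        return sorted(n for n, hosts in self.echo_hosts_by_net.items()
                      if len(hosts) >= min_hosts)


def analyze(outbound_pkts, inbound_pkts):
    det = ReflectionDetector()
    for p in outbound_pkts:
        det.outbound(p)
    unsolicited = sum(det.inbound(p) for p in inbound_pkts)
    return {"unsolicited": unsolicited,
            "reflectors": det.suspected_reflectors(),
            "amplifier_nets": det.suspected_amplifier_nets()}


VICTIM = "192.0.2.10"
# Constructed traffic: one genuine ping and one genuine connection, then
# reflected SYN/ACK and RST packets and a burst of smurf echo replies.
OUTBOUND = [
    {"proto": "icmp", "type": "echo-request", "src": VICTIM, "dst": "203.0.113.1", "id": 7},
    {"proto": "tcp", "flags": "S", "src": VICTIM, "sport": 40000, "dst": "203.0.113.1", "dport": 80},
]
INBOUND = [
    {"proto": "icmp", "type": "echo-reply", "src": "203.0.113.1", "dst": VICTIM, "id": 7},
    {"proto": "tcp", "flags": "SA", "src": "203.0.113.1", "sport": 80, "dst": VICTIM, "dport": 40000},
] + [
    {"proto": "tcp", "flags": "SA", "src": "198.51.100.5", "sport": 80, "dst": VICTIM, "dport": p}
    for p in (1025, 1026, 1027)
] + [
    {"proto": "tcp", "flags": "R", "src": "198.51.100.6", "sport": 25, "dst": VICTIM, "dport": 1028},
] + [
    {"proto": "icmp", "type": "echo-reply", "src": f"203.0.113.{h}", "dst": VICTIM, "id": 99}
    for h in (20, 21, 22, 23)
]

if __name__ == "__main__":
    print(analyze(OUTBOUND, INBOUND))
```

Because the reflectors and amplifier hosts are themselves innocent, the per-source list is useful for upstream filtering requests rather than for blaming anyone; the real fix is the one the chapter names, disabling directed-broadcast forwarding on the amplifier networks so that the replies are never generated.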


5.1 PROTECTION AGAINST SMURF ATTACKS

5.1.1 AVOIDING BEING AN INTERMEDIARY IN A SMURF ATTACK

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is disabled on the HP device. Directed broadcast forwarding is disabled by default. To disable directed broadcast forwarding, the syntax is as follows:

Syntax: [no] ip directed-broadcast

5.1.2 AVOIDING BEING A VICTIM IN A SMURF ATTACK

To protect against TCP SYN attacks, you can configure the HP device to drop SYN packets when excessive numbers are encountered. You can set the threshold values for TCP SYN packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded. The syntax for setting the threshold values is:

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normal value can be from 1 to 100000.
The burst-max value can be from 1 to 100000.
The lockup value can be from 1 to 10000.

The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:

If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

CHAPTER 6: APPLICATION DOS ATTACK


6.1 APPLICATION DOS OVERVIEW

Application DoS attacks exploit flaws in bespoke application design and implementation to prevent legitimate access to the victim's service. They represent a subset of the potential attacks on such applications, as they are aimed specifically at disrupting operation rather than subverting the application's controls. Attacks based on exploiting these flaws can offer the attacker a number of advantages over traditional DoS attacks:

The attack will typically not be detectable or preventable by existing security monitoring solutions, since the attacks do not consume an unreasonable amount of bandwidth and could, in many cases, be indistinguishable from normal traffic.

Application attacks are more efficient. The attacker may not need as many resources at their disposal to successfully complete the attack. Application-level attacks target bottlenecks and resource limitations within the application and do not require many zombie systems or large amounts of bandwidth. Furthermore, they can be targeted at the weakest link in an environment; for example, if a web farm of a hundred servers relies on a single back-office host to authenticate users, an application attack may be able to target it directly.

Application-level attacks are harder to trace. Application-level attacks normally use HTTP or HTTPS as their transport. Proxy servers can therefore be used to obfuscate the true origin of the attacker, and many are available for an attacker to redirect his malicious traffic. Many of these proxy servers do not keep logs of connection attempts and could therefore successfully hide the true origin of the attacking host.

6.2 FAVOURS

6.2.1 POOR DATA VALIDATION

Another common mistake is to implicitly trust input from the client side and the user. In many cases, the application acts as a structured portal through which users interact with back-end services and databases. If these functions do not sufficiently validate client input, it may be possible to disrupt those back-end services through attacks such as Database (SQL) or Script (XSS) insertion.

6.2.2 AUTOMATED DATA SUBMISSION

Web application architects and designers frequently assume that the user of the application is a person and not an automated script. This assumption often leads to vulnerabilities that can be exploited by attackers who craft automated tools to attack the application. A simple example would be a dictionary attack on the authentication process. If a username is known, an attacker may automate the login process using passwords from a dictionary of common words until a match is found. There are many tools available to perform dictionary attacks on various protocols. Similarly, variations on this theme can be used to attack specific weaknesses in the application's design, for example by overwhelming application functions, invoking race conditions or systematically attacking multiple entities.

6.2.3 DATA MANIPULATION

Any data sent from the client side may be manipulated by an attacker, from obvious form elements that are completed by the user to hidden fields, cookies and bespoke data channels. Commonly, manipulation of this data before sending it to the server results in errors or unusual application behaviour, even as a result of simple modifications such as sending letters instead of numbers. These back-end errors may in turn lead to exploitable vulnerabilities.
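The three flaws of sections 6.2.1 to 6.2.3 have matching server-side controls, shown here in one added example (not code from the report): a request handler that validates a client-supplied account id against the shape a legitimate value must have before the back end sees it, binds the value as a query parameter so that it can never change the SQL text, and a sliding-window throttle that caps authentication attempts per username so that an automated dictionary run cannot drive the login function at full speed. The in-memory table, the id format and the attempt limits are constructed for illustration.

```python
"""Server-side input validation, parameterized queries and login throttling."""
import re
import sqlite3
from collections import deque

ACCOUNT_ID = re.compile(r"^[0-9]{1,9}$")   # shape of a legitimate account id (assumed)


def setup_db():
    """Constructed in-memory table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_account(conn, raw_id):
    """Reject malformed client data before it reaches the database (6.2.1, 6.2.3).

    raw_id is whatever arrived in the form field, hidden field or cookie; it is
    treated as untrusted text whatever the client-side code intended."""
    if not isinstance(raw_id, str) or not ACCOUNT_ID.match(raw_id):
        return {"status": 400, "error": "account id must be 1 to 9 digits"}
    # The value is bound as a parameter, never pasted into the SQL text.
    row = conn.execute("SELECT owner FROM accounts WHERE id = ?",
                       (int(raw_id),)).fetchone()
    if row is None:
        return {"status": 404, "error": "no such account"}
    return {"status": 200, "owner": row[0]}


class LoginThrottle:
    """Sliding-window limit on authentication attempts per username (6.2.2)."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.attempts = {}   # username -> deque of attempt timestamps

    def allow(self, username, now):
        """True if an attempt for username at time now may proceed."""
        q = self.attempts.setdefault(username, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget attempts outside the window
        if len(q) >= self.limit:
            return False                     # too many recent attempts: refuse
        q.append(now)
        return True


def attempts_admitted(throttle, username, n_attempts, start=0.0, gap=1.0):
    """How many of n_attempts evenly spaced automated attempts get through."""
    return sum(throttle.allow(username, start + i * gap) for i in range(n_attempts))


if __name__ == "__main__":
    db = setup_db()
    for value in ("1", "99", "abc", "1 OR 1=1"):
        print(repr(value), "->", lookup_account(db, value))
    throttle = LoginThrottle(limit=5, window=60.0)
    print("attempts admitted out of 8:", attempts_admitted(throttle, "alice", 8))
```

Returning a 400 for a value that fails the format check is itself a DoS control: the malformed request is answered cheaply at the web tier instead of being turned into a back-end error, and the throttle is keyed on the username rather than the source address because, as section 6.1 notes, application attackers routinely arrive through proxies.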

CHAPTER 7: STRATEGIES FOR PROTECTION

The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.

7.1. FIREWALLS
Firewalls can go a long way to solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy. But public websites and e-commerce servers cannot know in advance who will be accessing them and cannot 'prescreen' users via an access list. Certain protocols can be blocked by firewalls, but most DoS attacks utilize authorized ports (e.g. TCP port 80 for a web server) that cannot be blocked by a firewall without effectively blocking all legitimate HTTP traffic to the site, thereby completing the hacker's task.

7.2. ROUTER ACCESS CONTROL LISTS
Likewise, access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks. In a Distributed DoS (DDoS) attack, thousands of innocent-looking connections are used in parallel. Although router access lists can be used to eliminate offending packets once they are identified, routers lack the processing power and profiling heuristics to make such identifications on their own.

7.3. ANTI-VIRUS SOFTWARE
End systems cannot be considered secure without anti-virus software. Such software will scan all inputs to the system for known viruses and worms, which can cause damage to the end system and any others they may infect. Even after a virus is known and characterized, instances of it are still circulating on the Internet, through email, on CDs and floppy disks. A good anti-virus subscription that is frequently updated for the latest protection is invaluable to any corporate or individual computer user. But even anti-virus software is not enough to catch certain attacks that have been cleverly disguised. Once a system is infected with a new strain, the damage can be done before the virus or worm is detected and the system is disinfected.

7.4. FILTERING PACKETS
Large scale filtering is generally the approach that many Internet Service Providers take to limiting the effect of Denial of Service attacks. There are many different ways that packets can be filtered. One way is to filter the malicious packets; one recent topic of research is the idea of using history-based IP filtering [22]. It comes from the observation that large distributed attacks work by spoofing packets with sources from a large range of random IP addresses, while the majority of normal web traffic is regular, visiting the same sites on a regular basis. During times of rising congestion as a result of a Denial of Service attack, servers should focus on keeping bad traffic out and valid traffic in. In order to tell attack packets from normal traffic, a list of IP addresses from previous connections is maintained. When under attack, filtering packets from non-trusted sources gives a high probability of removing malicious traffic from the bandwidth. Similarly, counting the number of hops a packet makes is another method of distinguishing between valid and invalid packets. The hop count in a packet's header cannot be altered like a spoofed IP return address. Therefore, a server can keep track of normal hop count numbers for clusters of IP prefixes for filtering packets later on. The spoofed packets of a Denial of Service attack will not have the same hop count values as those previously collected [23]. Filtering, however, requires a lot of effort and reduces the bandwidth noticeably [12]. CNN, one of the sites that was attacked in 2000, noted that their filtering efforts compromised the system itself [24]. Filtering really only limits the effects of Denial of Service attacks at the time at which they are happening. It cannot provide a permanent solution to Denial of Service attacks.
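The two filtering ideas above, as an added example (constructed for this page; not the report's own code and not the schemes of references 22 and 23 as published): a set of sources and a per-prefix hop count are learned from normal traffic, and during an attack packets from never-seen sources, or whose hop count disagrees with their prefix, are dropped. The initial TTL set, the /24 prefix size and the addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Initial TTL values that common operating systems place in outgoing packets
# (assumed set for this example). The hop count is how far the TTL observed at
# the server has decayed from the nearest initial value at or above it.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl):
    """Infer how many routers a packet crossed from its remaining TTL. A forged
    source address does not change this: the real path decrements the TTL."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range: %r" % ttl)
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


class HistoryFilter:
    """Learning phase: record sources seen in normal traffic and the hop count
    of each address prefix. Attack phase: keep packets from known sources whose
    hop count matches what their prefix showed before, drop everything else."""

    def __init__(self, prefix_len=24):
        self.prefix_len = prefix_len
        self.known_sources = set()   # addresses seen in previous connections
        self.prefix_hops = {}        # prefix -> hop count learned for it

    def _prefix(self, src):
        return ip_network("%s/%d" % (src, self.prefix_len), strict=False)

    def learn(self, src, ttl):
        """Record a connection observed while the server is not under attack."""
        self.known_sources.add(ip_address(src))
        self.prefix_hops[self._prefix(src)] = hop_count(ttl)

    def accept(self, src, ttl, under_attack):
        """Outside an attack everything passes (and should be learned); during
        one, only sources with a consistent history pass."""
        if not under_attack:
            return True
        if ip_address(src) not in self.known_sources:
            return False
        return self.prefix_hops.get(self._prefix(src)) == hop_count(ttl)


def filter_packets(flt, packets, under_attack=True):
    """Split (src, ttl) tuples into the lists the server keeps and drops."""
    kept, dropped = [], []
    for src, ttl in packets:
        (kept if flt.accept(src, ttl, under_attack) else dropped).append((src, ttl))
    return kept, dropped
```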


7.5. DISTRIBUTED RESPONSIBILITY
The Internet is built on the principle of distributed responsibility [8]. In the same way as each node in the Internet is responsible for a packet moving through the Internet from one node to another, each node should also be responsible for ensuring that malicious traffic is not allowed to be transported. The responsibility, however, does not lie only with Internet Service Providers. Each user should be responsible for preventing malicious Denial of Service attacks by making sure their system is secure from the outside world and not infected with Denial of Service attack tools. Operating system developers are also responsible for preventing the creation of potentially malicious Internet software. Distributed responsibility may not prevent all further Denial of Service attacks; however, it may improve the overall state of Internet security in regard to this problem.

7.6. REDESIGNING THE INTERNET
A long term solution to Denial of Service attacks may require the redesigning of the Internet [7]. Before the telephone system was redesigned, phone phreakers were able to whistle, click or do whatever into the telephone system and cause it to do things that it wasn't designed to do [7]. The problem was that the telephone system used only one channel for voice and signalling data. The solution to the problem was to perform signalling out-of-band and thus outside of the audio channel. In this way, this type of attack on the telephone system is no longer possible, because the signalling no longer uses the audio channel. However, redesigning the Internet, even if it were planned, would not be that easy to undertake.


CHAPTER 8: CONCLUSION
The Internet is a changing and growing world. At the same time as the amount of business conducted electronically is increasing, Internet connections are becoming not only cheaper but faster as well. As well as the technical challenges required to achieve higher productivity using electronic commerce, systems are becoming increasingly vulnerable to electronic attacks such as Denial of Service attacks. Each of the solutions discussed above may provide some defence against these attacks. But ultimately experience demonstrates that if computer vulnerabilities exist, means of taking advantage of these vulnerabilities also exist. New computer vulnerabilities are being discovered all the time and thus there may never be a permanent solution to this problem. Several types of Denial of Service attacks have been discussed. These included SYN flooding, IRC Zombie Distributed Denial of Service attacks, Reflection Denial of Service attacks, Slammer and the Code Red attacks. Possible defences against each particular attack have been considered, but ultimately prevention of further attacks through the use of computer security primitives such as those discussed above is more desirable. Computer security primitives cannot provide a solution to every vulnerability. Reality demonstrates that providing a solution for every potential security problem is impossible. Computer security primitives can, however, be used to manage the risks of further attacks. The main risks in the case of Denial of Service attacks are insecure computers, malicious messages and potential exploitation of vulnerabilities in systems. These primitives provide some protection, but further work is required in this area to find a permanent solution to this problem. This paper presented a framework to classify DoS attacks into single- and multi-source attacks. DoS attacks are constantly evolving, and currently there is a dearth of detailed information regarding attack dynamics.
Vulnerabilities in web applications can allow attackers to exhaust available resources and thereby deny access to legitimate users. Companies that rely on web applications to provide critical business functions are therefore at risk from attackers wishing to disrupt these functions by exploiting application level vulnerabilities. Application based DoS attacks require considerably less resource in terms of processing power and bandwidth on the part of the attacker, and therefore present a higher risk to business as the number of possible threat agents is much greater.


REFERENCES
1. Moore, D., Inferring Internet Denial-of-Service Activity.
2. Roberts, P., "Al-Jazeera Site Hit with Denial of Service Attack", PC World, March 26, 2003.
3. Gibson, S., The Strange Tale of the Denial of Service Attack against grc.com, www.grc.com, 2001.
4. Geng, X. and Whinston, A., "Defeating Distributed Denial of Service Attacks", IT Pro, July/August 2000, p. 40.
5. Kargl, F. et al., "Protecting Web Servers from Distributed Denial of Service Attacks", WWW10, May 1-5, 2001, p. 516.
6. Schneier, B., Crypto-Gram, February 2000, www.counterpane.com.
7. Schneier, B., Security and Lies: Digital Security in a Networked World, 2000, p. 186.
8. Gibson, S., Denial of Service Attack page, www.grc.com, 2001.
9. Gibson, S., Distributed Reflection Denial of Service, www.grc.com, 2002.
10. Ferguson, N. and Schneier, B., Practical Security, 2003, p. 149.
11. Denial-of-service attack, Wikipedia, the free encyclopedia.
12. Tanenbaum, A., Distributed Systems, 2002, p. 69.
13. Forouzan, B., TCP/IP Protocol Suite.
14. Crosaire white papers.
15. IBM denial of service papers.
16. Schneier, B., Security and Lies: Digital Security in a Networked World, 2000, p. XII.
17. Schneier, B., Security and Lies: Digital Security in a Networked World, 2000, p. 210.
18. Ferguson, N. and Schneier, B., Practical Security, 2003, p. I.
19. Ferguson, N. and Schneier, B., Practical Security, 2003, p. 5.


LIST OF FIGURES AND TABLES

FIGURES                PAGE NO
1. Ping of death       10
2. Tear drop           11
3. SYN attack          12
4. Smurfing            13
