Free eBooks > Computers & Internet > Programming > Introductory & Beginning > General > Internet Denial of Service Attack and Defense Mechanisms Dec 2004

Internet Denial of Service Attack and Defense Mechanisms Dec 2004

by Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher

On the Internet, a distributed denial-of-service (DDoS) attack is one in which amultitude of compromised systems attack a single target, thereby causing denialof service for users of the targeted system. The flood of incoming messages tothe target system essentially forces it to shut down, thereby denying service tothe system to legitimate users.The FBI's latest survey of cyber crime lists denial of service as the second mostcostly form of cyber attack, only slightly trailing theft of proprietaryinformation. This book offers an in-depth examination of this increasinglypopular form of network-based attacks by providing a thorough description ofthe scope of the problem, both actual and potential, enabling readers tounderstand the severity of the problem and why it occurs. It also containsdetailed guidelines to practical methods of protecting one's network fromDDoS attacks and responding to them when they occur.

Suddenly your Web server becomes unavailable. When you investigate, you realize that a flood of packets is surging into your network. You have just become one of the hundreds of thousands of victims of a denial-of-service attack, a pervasive and growing threat to the Internet. What do you do?

Internet Denial of Service sheds light on a complex and fascinating form of computer attack that impacts the confidentiality, integrity, and availability of millions of computers worldwide. It tells the network administrator, corporate CTO, incident responder, and student how DDoS attacks are prepared and executed, how to think about DDoS, and how to arrange computer and network defenses. It also provides a suite of actions that can be taken before, during, and after an attack.

Inside, you'll find comprehensive information on the following topics

• How denial-of-service attacks are waged
• How to improve your network's resilience to denial-of-service attacks
• What to do when you are involved in a denial-of-service attack
• The laws that apply to these attacks and their implications
• How often denial-of-service attacks occur, how strong they are, and the kinds of damage they can cause
• Real examples of denial-of-service attacks as experienced by the attacker, victim, and unwitting accomplices

The authors' extensive experience in handling denial-of-service attacks and researching defense approaches is laid out clearly in practical, detailed terms.

Jelena Mirkovic has been an assistant professor at the University of Delaware since 2003. She holds a Ph.D. in computer science from the University of California, Los Angeles, where she developed effective defenses against distributed denial-of-service attacks.

Sven Dietrich is a member of the technical staff at the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University, and is affiliated with Carnegie Mellon CyLab, a university-wide cyber security research and education initiative. He has worked and published on DDoS since 1999.

David Dittrich, senior security engineer/researcher at the University of Washington's Center for Information Assurance and Cybersecurity and a founding member of the Honeynet Project, published the first detailed technical analyses of DDoS tools in 1999. He maintains the largest Web page on the subject.

Peter Reiher is an adjunct associate professor at the University of California, Los Angeles. His research includes defenses against denial-of-service attacks.

It is Monday night and you are still in the office, when you suddenly become aware of the whirring of the disks and network lights blinking on the Web server. It seems like your company's Web site is quite well visited tonight, which is good because you are in e-business, selling products over the Internet, and more visits mean more earnings. You decide to check it out too, but the Web page will not load. Something is wrong.

A few minutes later, network operations confirm your worst fears. Your company's Web site is under a denial-of-service attack. It is receiving so many requests for a Web page that it cannot serve them all--50 times your regular load. Just like you cannot access the Web site, none of your customers can. Your business has come to a halt.

You all work hard through the night trying to devise filtering rules to weed out bogus Web page requests from the real ones. Unfortunately, the traffic you are receiving is very diverse and you cannot find a common feature that would make the attack packets stand out. You next try to identify the sources that send you a lot of traffic and blacklist them in your firewall. But there seem to be hundreds of thousands of them and they keep changing. You spend the next day bringing up backup servers and watching them overload as your earnings settle around zero. You contact the FBI and they explain that they are willing to help you, but it will take them a few days to get started. They also inform you that many perpetrators of denial-of-service attacks are never caught, since they do not leave enough traces behind them.

All you are left with are questions: Why are you being attacked? Is it for competitive advantage? Is an ex-employee trying to get back at you? Is this a very upset customer? How long can your business be offline and remain viable? How did you get into this situation, and how will you get out of it? Or is this just a bug in your own Web applications, swamping your servers accidentally?

This is a book about Denial-of-Service attacks, or DoS for short. These attacks aim at crippling applications, servers, and whole networks, disrupting legitimate users' communication. They are performed intentionally, easy to perpetrate, and very, very hard to handle. The popular form of these attacks, Distributed Denial-of-Service (DDoS) attacks, employs dozens, hundreds, or even well over 100,000 compromised computers, to perform a coordinated and widely distributed attack. It is immensely hard to defend yourself against a coordinated action by so many machines.

This book describes DoS and DDoS attacks and helps you understand this new threat. It also teaches you how to prepare for these attacks, preventing them when possible, dealing with them when they do occur, and learning how to live with them, how to quickly recover and how to take legal action against the attackers.

1.1 DoS and DDoS

The goal of a DoS attack is to disrupt some legitimate activity, such as browsing Web pages, listening to an online radio, transferring money from your bank account, or even docking ships communicating with a naval port. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation, and make it hang, crash, reboot, or do useless work.

One way to interfere with a legitimate operation is to exploit a vulnerability present on the target machine or inside the target application. The attacker sends a few messages crafted in a specific manner that take advantage of the given vulnerability. Another way is to send a vast number of messages that consume some key resource at the target such as bandwidth, CPU time, memory, etc. The target application, machine, or network spends all of its critical resources on handling the attack traffic and cannot attend to its legitimate clients.

Of course, to generate such a vast number of messages the attacker must control a very powerful machine--with a sufficiently fast processor and a lot of available network bandwidth. For the attack to be successful, it has to overload the target's resources. This means that an attacker's machine must be able to generate more traffic than a target, or its network infrastructure, can handle.

Now let us assume that an attacker would like to launch a DoS attack on example.com by bombarding it with numerous messages. Also assuming that example.com has abundant resources, it is then difficult for the attacker to generate a sufficient number of messages from a single machine to overload those resources. However, suppose he gains control over 100,000 machines and engages them in generating messages to example.com simultaneously. Each of the attacking machines now may be only moderately provisioned (e.g., have a slow processor and be on a modem link) but together they form a formidable attack network and, with proper use, will be able to overload a well-provisioned victim. This is a distributed denial-of-service--DDoS.

Both DoS and DDoS are a huge threat to the operation of Internet sites, but the DDoS problem is more complex and harder to solve. First, it uses a very large number of machines. This yields a powerful weapon. Any target, regardless of how well provisioned it is, can be taken offline. Gathering and engaging a large army of machines has become trivially simple, because many automated tools for DDoS can be found on hacker Web pages and in chat rooms. Such tools do not require sophistication to be used and can inflict very effective damage. A large number of machines gives another advantage to an attacker. Even if the target were able to identify attacking machines (and there are effective ways of hiding this information), what action can be taken against a network of 100,000 hosts? The second characteristic of some DDoS attacks that increases their complexity is the use of seemingly legitimate traffic. Resources are consumed by a large number of legitimate-looking messages; when comparing the attack message with a legitimate one, there are frequently no telltale features to distinguish them. Since the attack misuses a legitimate activity, it is extremely hard to respond to the attack without also disturbing this legitimate activity.

Take a tangible example from the real world. (While not a perfect analogy to Internet DDoS, it does share some important characteristics that might help you understand why DDoS attacks are hard to handle.) Imagine that you are an important politician and that a group of people that oppose your views recruit all their friends and relatives around the world to send you hate letters. Soon you will be getting so many letters each day that your mailbox will overflow and some letters will be dropped in the street and blown away. If your supporters send you donations through the mail, their letters will either be lost or stuffed in the mailbox among the copious hate mail. To find these donations, you will have to open and sort all the mail received, wasting lots of time. If the mail you receive daily is greater than what you can process during one day, some letters will be lost or ignored. Presumably, hate letters are much more numerous than those carrying donations, so unless you can quickly and surely tell which envelopes contain donations and which contain hate mail, you stand a good chance of losing most of the donations. Your opponents have just performed a real-world distributed denial of service attack on you, depriving you of support that may be crucial to your campaign.

What could you do to defend yourself? Well, you could buy a bigger mailbox, but your opponents can simply increase the number of letters they send, or recruit more helpers. You must still identify the donations in the even larger pool of letters. You could hire more people to go through letters--a costly solution since you have to pay them from diminishing donations. If your opponents can recruit more helpers for free, they can make your processing costs as high as they like. You could also try to make the job of processing mail easier by asking your supporters to use specially colored envelopes. Your processing staff can then simply discard all envelopes that are not of the specified color, without opening them. Of course, as soon as your opponents learn of this tactic they will purchase the same colored envelopes and you are back where you started. You could try to contact post offices around the country asking them to keep an eye on people sending loads of letters to you. This will only work if your opponents are not widely spread and must therefore send many letters each day from the same post office. Further, it depends on cooperation that post offices may be unwilling or unable to provide. Their job is delivering letters, not monitoring or filtering out letters people do not want to get. If many of those sending hate mail (and some sending donations) are in different countries, your chances of getting post office cooperation are even smaller. You could also try to use the postmark on the letters to track where they were sent from, then pay special attention to post offices that your supporters use or to post offices that handle suspiciously large amounts of your mail. This means that you will have to keep a list of all postmarks you have seen and classify each letter according to its postmark, to look for anomalous amounts of mail carrying a certain postmark. If your opponents are numerous and well spread all over the world this tactic will fail. Further, postmarks are fairly nonspecific locators, so you are likely to lose some donations while discarding the hate letters coming to you from a specific postmark.

As stated before, the analogy is not perfect, but there are important similarities. In particular, solutions similar to those above, as well as numerous other approaches specific to the Internet world, have been proposed to deal with DDoS. Like the solutions listed above that try to solve the postal problem, the Internet DDoS solutions often have limitations or do not work well in the real world. This book will survey those approaches, presenting their good and bad si...

Related Free eBooks

• Limiting the Threat of Denial of Service Attacks
• How to become Internet Service Provider
• The Technical Side of Being an Internet Service Provider
• The Domino Defense: Security in Lotus Notes 4.5 and the Internet
• Patterns: Service-Oriented Architecture and Web Services
• A Buffer Overflow Study Attacks and Defenses (2002)
• Internet PG: Parental Guidance Suggested
• Internet Publishing With Adobe Acrobat
• Internet Companion - A Beginner's Guide to Global Networking
• Internet and Intranet with WinNT
• Insight Into Current Internet Traffic Workloads
• Internet Routing Architectures [CISCO]
• Internet Security Professional Reference, 2nd Edition
• Introduction to the Internet Protocols
• Service Orientation Test-Drive with Linux on xSeries
• Patterns: SOA Foundation Service Connectivity Scenario
• Novell's Guide to Internet Access Solutions
• Netscape Internet Service Broker for Java Reference Guide [ISB]
• Netscape Internet Service Broker for Java Programmer's Guide [ISB]
• Netscape Internet Service Broker for C++ Reference Guide [ISB]
• Netscape Internet Service Broker for C++ Programmer's Guide [ISB]
• Microsoft Internet Information Services 5.0  Resource Guide
• Linux Internet Server Administration Guide [LISA]
• Special Edition Using Microsoft Commercial Internet System
• IBM TotalStorage Copy Services and System i5 Setup examples using DS CLI
• Computer Networking and Internet Protocols
• Computer Networking A Top-Down Approach Featuring the Internet
• Brief History of the Internet
• Art of Electronic Publishing: The Internet and Beyond
• Managing Operations on AS/400s with IBM SAA SystemView OMEGAMON Services/400
• Enterprise Integrated Services Digital Network eXchange (ISDNX)
• Networking BroadBand Services (NBBS) Architecture
• Accessing the Internet
• Connected: An Internet Encyclopedia
• Curious About The Internet

Related Tags