IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.

org

38

Mitigation of Denial of Service (DoS) Attack

Lecturer, Department of Information and Technology, Maharishi Markandeshwar College of Engineering, Maharishi Markandeshwar University, Mullana, Ambala (Haryana) [email protected]
2

Manager HR, Fore Solutions (P) Ltd, Chandigarh, India, [email protected]

Lecturer, Department of Information and Technology, Maharishi Markandeshwar College of Engineering, Maharishi Markandeshwar University, Mullana, Ambala (Haryana) [email protected]

Abstract
The recent Denial of Service (DoS) attacks against high-profile web sites shows how overwhelming DoS attacks are and how unprotected the Internet is under such attacks. We present a survey of the current proposed mitigations against Denial of Service (DoS) attacks that give a promising approach to the field. Weaknesses of the available methods are also presented which result to the fact that no unified method has been adopted yet. We also make a discussion about the future trends in DoS defense. In fact DoS is technical attack therefore can be handled only by knowing its technical aspects. Most commonly targeted application are DNS servers, Websites, E-commerce applications, online gaming, VOIP services by blocking customers access to these applications.

The attack traffic can be similar to the legitimate traffic that causes difficulty in defense.

Malware
Malware is software used by a hacker designed to gain access, not purposefully permitted by a user, to a computer and instruct the computer to perform a task for the hacker. Various types of Malware are Trojans, spyware, adware, key loggers, dialers, root kits, botnets, crimeware, badware, viruses and worms. The purposes for writing malware include financial gain, espionage, revenge, anger, and recognition or just to see how fast it might spread [15]. These attacks exploits security hole of the software such as operating system and web server bugs, then causes system crash or degrade in the performance [16]
Bandwidth Attack Congested Overloaded Malicious Unresponsive Any Any Unpredictable Flash Crowd Congested Overloaded Genuine Responsive Mostly web Large no. of Flows Mostly predictable

Keywords: Malware, Hacker, Trojan, Counter Measure

1. INTRODUCTION
The basic idea behind DoS attacks is to force a large number of individual systems connected to the Internet, to send bulk traffic to the same destination at the same time. The aggregated traffic that those systems produce can easily cripple the available network or system resources of the recipient. Thus the recipient, the victim, of this attack will no longer be able to have reliable network access or serve legitimate clients, if the victim is a network server. Mostly two methods are used for lunching DoS attacks. One of these methods is known as flooding, other is implementing a malware that can change system configuration causing DoS attacks. Next subsections describe both of these in detail.

Network impact Server impact Traffic Response to traffic control Traffic Type No. of Flows Predictability

Table I. Comparison between bandwidth attacks and ash crowds [5]

Classification of DoS attacks

Flooding
The most straightforward method is sending a stream of packets to the victim to use all of the systems resources [1]. Victim can be a single PC, Web server or proxy connected to the Internet. The strength of an attack lies in the volume rather than the contents of the attack traffic.

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

39

the basis of either Volume of packets [17] or Methods of attack [5].

are elucidated by [27] & yearning that these types of high performance platforms will become as common place as firewall and routers to provide much needed counter-DoS techniques and will be of major benefits overall within the security parameters. After realizing the power of DoS attacks Bryan gatenby suggested action in the encouragement of overall internet Security, implementation of a detection mechanism & firewall, rate limiting and resource multiplication policy and agreement with IPS concerning malicious traffic [18]. Hacker can use different ways for executing attacks successfully. Author explores the effectiveness of machine learning techniques in developing automatic defense against DDoS attacks based on artificial neural networks. But concludes that this technique can be extended to use multiple algorithms. A look at the above literature spark the fact the there is a still some unfolded challenges that still needs to be addressed. Following sections discuss the existing challenges & their counter measures in details.

Method Protocol Based Attack Application Based Attack Distributed Reflector Attack Infrastructure Attack

Types ICMP Flood, SYN Flood HTTP Flood , SIP Flood DNS Amplification Attack

Table II: Classification of DoS attacks based on Methods used by the attackers

4. CHALLENGES Internet development provides a golden way to share information & resources but unfortunately its security becomes the biggest challenge for secure working. According to (Denial-of-service attack, 2007) Dos Attack can result in: 1. Consumption of computational resources, such as bandwidth, disk space, or CPU time; 2. Disruption of configuration information, such as routing information; 3. Disruption of physical network components. 4. Damages physical network components. Malware intended to: 1. Trigger error in the micro code of the machine. 2. Trigger error in the sequencing of instruction. 3. Exploit error in the operating system to cause resource starvation and thrashing. 4. Crash the Operating System itself. There is no particular answer to the question that why these kinds of attacks are initiated? What is the real motive behind these attacks? It is the mind stance of hacker for 1. Just having fun 2. Extortion 3. Online gaming 4. Hacktivism. IJCEM www.ijcem.org

3. RELATED WORK
Arguably, a researcher can mark the beginnings of Denial of Service Attacks by carefully choosing their history. The more modern, technology-oriented, among us could argue that it occurred after the First World War when Germany tried jamming Russian wireless transmitters. [BER00]. [3] Describes various IT weaknesses, techniques that involved in DoS attack & their impact. It realizes that the real difficulty in reducing DoS effect is multiple techniques involve in such attacks. Attacker takes advantage of the holes in the application. After the failure they have plenty of optional techniques to carry on. Researchers introduce a framework for classifying DoS attack based on header contents, ramp-up behaviors and novel techniques based on spectral analysis. With this they agree on when large attacks occurs like root server attack additional-detection sites would provide more insight when projecting the prevalence of DoS activity on the internet. Sailesh Kumar in [27] evaluates a no. of current NIDS system and algorithms they employ to detect and combat security threats, both technical and economical perspectives. Finally giving the idea that more distributed version of NIDS mechanisms need to be standardized. Review analysis of DoS/DDoS attacks & list of basic network attack prevention techniques & their comparison

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

40

A botnet owner was hacked by a businessman to take down the website of his competitors causing them to loss more than $1million [leyden.2005]. Due to IP Spoofing, Nil Security between Victim & hacker, No distributed defense System, hiding details of attack by the company owners for their Goodwill are some reasons why these attacks are so powerful. It is difficult to eliminate the effect of attack completely but it is very crucial to mitigate the risk by applying multi-pronged approach [4]. Design your business for survivability, Design your network for survivability, be a good netizen (net citizen). Security of your system also depends on the security measures applied by other computers in your network. There is No universal solution to this problem but something can be done to minimize the possibility of launching DoS attacks, some of them are describe in net few sub sections:

behavior. Before planning monitoring aspects one should pay attention to the mostly targeted resources during the attack. Monitoring can be performed at two levels 1 network level (throughput monitoring, device performance metrics) 2. Host level monitoring (gathering performance static, network behavior). To avoid bottleneck pay attention while implementing remote monitoring capabilities. Some non-technical steps to reduce DoS risk are: cultivate analysis capabilities, create an incident response plane, and develop an ongoing relationship with your service providers. Placing firewalls prevents unauthorized access to private networks by analyzing packet entering the network and blocking those, which do not satisfy security criteria.

Detect
Today networks are extremely heterogeneous. An effective detection system is needed to prevent or respond any DoS attacks in real time. Why we need detection system? First, after detecting an attack before the actual damage occurs, the target has more time to implement attack reaction techniques to protect legitimate users. Second, it helps to identify the attackers so that legal actions can be taken. Third, if attacks can be detected close to attack sources, attack traffic can be filtered before it wastes any network bandwidth [5].Requirements of good Detection system are: 1. Multiple detection Mechanism 2. Attack coverage 3. Granularity of attack detection 4. Consolidation of alarms 5. Response action. [20]. A good detection technique should have a short detection time and low false positive rate. [5]. There are various types of detection mechanism 1 Anomaly detection. 2. Signature/Pattern based detection. [17]. 3 DoS-attack-specific Detection. Signature Based Detection is simply looking for the signatures of known attacks in order to detect the attack. A database of signatures is built by hand a priori [21]. This technique is used by Snort [22]. Snort has one main disadvantage; new attacks that do not have well-defined signatures may go undetected until the signature is defined.[17] on the other hand, Anomaly Based detection cope the current traffic with the base line[23], set of pre programmed threshold[20 ] . This includes statistical approaches like a Chi-Square-Test on IJCEM www.ijcem.org

COUNTER MEASURE
As the frequency of the Dos attack is concern it is very difficult to eradicate the effect of attack completely. However mitigation is possible by executing AvoidDetect-Prevent cycle, which is described in subsequent subsection below:

Avoid
Avoidance is a crucial phase of any defense system. Yet it is not taken seriously by some sites in the beginning and prompted after experience. Attack can be handled only after knowing its technical aspects such as network design, agreements with your ISP, putting detection mechanism and response plan in place and perhaps taking out an insurance policy. General Principal that apply to the DoS defense system are-Differentiate critical services with non-critical once, Identify and understand the inter-dependences of various service providers on your network. System and network must go for absorbing the attack, degrade services or shut down all service till the attack last. It is important to have discussion phase during and after the attack within organization (Technical staff, service management) and outside organization (ISP, law enforcement, media & other). The important concepts related to Avoidance of these attacks are:Design network or system for survivability: It means separate critical services if possible, over provision as much as possible & minimizes your target-cross-section. Monitoring: system and network performance matrices, network protocol mix, n/w traffic flows are some characteristics that form the definition for a normal system

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

41

the entropy values of the packet headers [7], covariance analysis [8], clustering and feature space modeling [9]. Different techniques taken from pattern analysis and machine learning such as Wavelets, Markov Models [4], Genetic Algorithms [10], Artificial Neural Networks (ANN) [11], [12] and Bayesian Learning [8] have also been applied. Because of the irregular traffic in the network cause static threshold to fail [8]. Thats why threshold are to change timely. DoS-attack-specific detection. It is based on the special features of DoS attack. Generally, DoS attack traffic is created at an attacker's will. First, attackers want to send as much traffic as possible to make an attack powerful. Hence, attack traffic does not observe any traffic control protocols, such as TCP flow control. In addition, there will be a flow rate imbalance between the source and the victim if the victim is unable to reply to all packets. Second, attack traffic is created in a random pattern to make an attack anonymous. Third, for each known attack, attack traffic at the target is highly correlated with abnormal traffic behavior at the attack sources. [5] Many techniques have been proposed to detect an ongoing DoS attack. Cisco routers provide support for attack detection via RMON [35] and Netflow [32] data that can be processed offline to detect an attack. Multops exploits the correlation of incoming and outgoing packet rates at different level of subnet prefix aggregation to identify attacks [31]. Wang provides a rigorous statistical model to detect abrupt changes in the number of TCP SYN packets as compared to the TCP SYN ACK packets [34]. Bro, an intrusion detection system uses change in (statistical) normal behavior of applications and protocols to detect attacks [35] while Cheng use spectral analysis to detect high volume DoS attack due to change in periodicities in the aggregate traffic. All the above techniques are based on anomaly-detection which is faster than static Signature-scan.[13]technique on the basis of ramp-up & spectral analysis to build upon existing approach of header analysis thats track no. of source connection to a single destination.[14] Prevent Attack Prevention aims to stop attacks before they actually cause damage. Distributed packet filtering [24] block spoof packets using local routing information and SOS[]uses overlay techniques with selective re-routing to prevent large flooding attack. Some prevention schemes are given below [5]:

In order to minimize the loss caused by DoS attacks, a reaction scheme must be employed when an attack is underway.

Prevention Techniques Ingress Filtering

Implementation difficulty Difficult For Universal Deployment

Common Advantage Prevent IP Source Address Spoofing. Filter attack Traffic Before it reaches the Target, reduce Collateral damage

Common Limitation s Need wide Adoption to be effective. Not effective against IP spoofing within The same network or nonspoofed attacks.

Router-based Packet Filtering

Possible if tier-1 ISPs are involved

SAVE Protocol

Difficult due to the need for routing protocol change

Table III. techniques

Comparison

between

attack

prevention

The requirements for an effective response to a DoS attack are: (a) Early detection both at the victim site and at upstream stages, (b) flow of incident information between domains, effective and timely domain cooperation but according to each domain's policies (c) quick, automatic, and effective response in as many domains on the attack path as possible, and (d) avoiding extra network overloading due to these communications [2]. Response mechanism usually takes following approaches: localizing the source of the attack using traceback techniques [13, 14, 28, 29], or reducing the intensity of the attack [24, 25, 30] by blocking attack packets. A model of DoS attack reaction schemes:

IJCEM www.ijcem.org

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

42

widespread in the future if it were enforced, possibly as part of the agreements between the network and its ISPs. Other changes in filtering activities are suggested by ISP behavior during recent outbreaks of the Code Red and Nimda worms, when the ISPs disconnected customers who were infected. Network operators discuss blackholing entire networks, and some mail administrators do not accept connections from blacklisted servers. A similar approach could be applied to egress filtering, in which sites are quarantined if they pass on spoofed traffic. Promising Research While backscatter analysis does nothing to stop or mitigate any one DoS attack, research in this area has helped to quantify the frequency and scope of DoS attacks. Backscatter analysis is based on a set of assumptions, one of which is that attacks use random spoofed source addresses. Therefore, backscatter analysis does not count attacks that do not spoof source addresses. It is important to take different creative approaches in analyzing DoS attacks. While many attacks today may be characterized at the packet level, better attack tools may generate traffic that is not as easily identified. 6. Conclusion The most fundamental lesson to be learned from distributed denial of service is the fact that all sites on the Internet are interdependent, whether they know it or not. The impact upon your site and its operations is dictated by the (in) security of other sites and the ability of a remote attacker to implant the tools and, subsequently, to control and direct multiple systems worldwide to launch an attack. Attackers typically exploit well-known vulnerabilities, many of which have readily available fixes. Complicating matters are the intrusion tools that are widely available. Intruders have automated the processes for discovering vulnerable sites, compromising them, installing daemons, and concealing the intrusion. Even security-conscious sites can suffer a denial of service because attackers can control other, more vulnerable computer systems and use them against the more secure site. Thus, although you may be able to harden your own systems to help prevent having them used as part of a distributed attack, currently available technology does not enable you to avoid becoming a victim. There is some hope for the future in technological and other approaches. Handling denial of service is essentially an exercise in risk management. There are sometimes technical solutions to management problems. There are always management solutions to technical problems. We encourage readers to look at denial of service from both points of view.

Reacting Reaction steps, hopefully put in place as part of preparing for an attack, include following your response plan, implementing specific steps based on the type of attack, calling your ISP, enabling backup links, moving content, and more. Technical steps include traffic limiting, blocking, and filtering. Possibilities for the Future There are number of possibilities for the future that might provide some relief from denial of service attacks. In this section, we consider commercial activities, research, and protocol development. Commercial Developments Commercial products are available today to help with detecting and reacting to DoS attacks. In general, these products monitor network traffic for attack signatures and/or anomalous traffic that may indicate a DoS attack in progress. These products then may alert administrators and recommend, or even perform, configuration changes such as rate limiting filtering. It is important to note that these products only work within the network where they are deployed, so while they might alleviate traffic internally, they have no effect on traffic coming from an ISP and cannot filter or limit an attack at that point. A more promising approach is for an ISP to employ such technology, which might make that ISP more attractive to concerned customers. Good citizenship today dictates that customers perform egress filtering to prevent traffic with improper source addresses from leaving their networks. Since legitimate traffic from your network will always have source addresses from your assigned address space, traffic with spoofed source addresses should not be allowed to leave your network. Egress filtering at your network border can prevent traffic with spoofed source addresses from reaching the Internet and ensures that traffic from your network can be traced back to its true point of origin. This behavior could become more

IJCEM www.ijcem.org

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

43

Reference
[1.] J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms, ACM SIGCOMM Computer Communications Review, Volume 34, Number 2, April 2004, pp. 39-53 [2] G. Koutepas, F. Stamatelopoulos, and B. Maglaris, "Efficiency and Performance Issues in Distributed Intrusion Detection Systems", Applied Telecommunication Symposium 2002 (ATS 02), San Diego, CA, USA, April 2002 [3] DoS attack Techniques june22, 2005 [4] Y. Xie and S.-Z. Yu, A novel model for detecting application layer ddos attacks, in Computer and Computational Sciences, 2006. IMSCCS 06. First International Multi-Symposiums on. IEEE Press, 2006, pp. 5663. [5] Survey of Network-based Defense Mechanisms Countering the DoS and DDoS Problems ACM Transactions on Computational Logic, Vol. 2, No. 3, 09 2006, Pages 1{0??. [6] M. V. Mahoney and P. K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in KDD 02 Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining. New York, NY, USA: ACM Press, 2002, pp. 376385. [7] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, Statistical approaches to ddos attack detection and response, in DARPA Information Survivability Conference and Exposition, 2003. Proceedings, vol. 1. IEEE Press, 2003, pp. 303314. [8] S. Jin and D. Yeung, A covariance analysis model for ddos attack detection, in Communications, 2004 IEEE International Conference on, vol. 4. IEEE Press, 2004, pp. 18821886. [9] S.-Y. Jin and D. Yeung, Ddos detection based on feature space modeling, in Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on, vol. 7. IEEE Press, 2004, pp. 42104215. [10] T. Shon, Y. Kim, C. Lee, and J. Moon, A machine learning framework for network anomaly detection using svm and ga, in Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005. Proceedings from the Sixth Annual IEEE. IEEE Press, 2005, pp. 176183. [11] D. Gavrilis and E. Dermatas, Real-time detection of distributed denialof- service attacks using rbf networks and statistical features, Comput. Netw. ISDN Syst., vol. 48, no. 2, pp. 235245, 205. [12] Y. Xiang and W. Zhou, Mark-aided distributed filtering by using neural network for ddos defense, in

Global Telecommunications Conference, 2005. GLOBECOM 05. IEEE, vol. 3. IEEE Press, 2005, pp. 17011705 [13] Hal Burch and Bill Cheswick. Tracing anonymous packets to their approximate source. In Proceedings of the USENIX Large Installation Systems Administration Conference, pages 319327, New Orleans, USA, Decemeber 2000. USENIX. [14] John Ioannidis and Steven M. Bellovin. Implementing pushback: Router-based defense against DDoS attacks. In Proceedings of Network and Distributed System Security Symposium, San Diego, CA, February 2002. The Internet Society. [15] David Slee Common Denial of Service Attacks Jul 10,2007 [16] Detection of Denial of Service attacks using AGURI [17]A Frame Work for Classifying Denial of service attacks SI-TR-2003-569, 25,Feb 2003{Hussain,johnh,christos}@isi.edu [18] Denial of service attack detection and mitigation [19] A survey of the denial of service problem [20] Deciphering Detection Techniques: Part III Denial of Service Detection,By Dr Fengmin Gong, Chief Scientist, McAfee Network Security Technologies Group Jan 03 [21] Y. Xu and R. Guerin, On the robustness of routerbased denial-ofservice (dos) defense systems, SIGCOMM Comput. Commun. Rev.,vol. 35, no. 3, pp. 4760, 2005. [22] Martin Roesch. Snort - lightweight intrusion detection for networks. http://www.snort.org [23] M. V. Mahoney and P. K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in KDD 02:Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining. New York, NY, USA: ACM Press, 2002, pp. 376385 [24] Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. Controlling high bandwidth aggregates in the network. In ACM Computer Communication Review, July 2001. [25]Peter Reiher Jelena Mirkovic, Greg Prier. Attacking DDoS at the source. In Proceedings of the IEEE International Conference on Network Protocols10, Paris, France,November 2002. [26] Survey on current network Intrusion Detection Techniques Sailesh Kumar 12/19/2007 [email protected] [27] Denial of Service attacks and the emergence of Intrusion Prevention Systems, SANS GSEC Practical Assignment v1.4b Option 1 (Re-Submission) Adrian Brindley November 1, 2002 IJCEM www.ijcem.org

IJCEM International Journal of Computational Engineering & Management, Vol. 11, January 2011 ISSN (Online): 2230-7893 www.IJCEM.org

44

[28] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Practical network support for IP traceback. In Proceedings of the ACM SIGCOMM Conference, pages 295306, Stockholm, Sweeden, August 2000. ACM. [29] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez,Christine E. Jones, Fabrice Tchakountio Stephen T. Kent,and W. Timothy Strayer. Hash-based ip traceback. In Proceedings of the ACM SIGCOMM, pages 314, San Deigo CA, August 2001. ACM. [30]E. Zwicky, S. Cooper, D. Chapman, and D.Ru. Building Internet Firewalls. 2nd Edition. OReilly and Associates, 2000. [31] Cisco Systems. Netflow services and applications. http://www.cisco.com/warp/public/732/netflow. [32] Cisco Systems. Rmon. http://www.cisco.com/warp/public/614/4.html. [33] Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, pages 000001, New York, NY, June 2002. IEEE. [33] Thomer M. Gil and Massimiliano Poletto. MULTOPS: A Data-Structure for bandwidth attack detection. In Proceedings of the USENIX Security Symposium, pages 2338, Washington, DC, USA, July 2001. USENIX. [34] Vern Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23 24):24352463,Decemeber 1999. (revised web page version).

IJCEM www.ijcem.org