Combating DoS or DDoS Attacks

The reality is that Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been around for many years. While there are no new developments in the mechanism by which these attacks are carried out, the attacks themselves are becoming more and more sophisticated. There is also legal precedent under which individuals or groups can target a specific entity as long as there is a legitimate underlying cause. Taking into account the growing sophistication and the legal background, it becomes ever more important for organizations to formulate a plan for detecting, preventing, and mitigating the risks surrounding DoS and DDoS attacks. The shift to a defensive posture may be foreign to many organizations; however, to ensure services continue uninterrupted, these organizations must take these types of attacks much more seriously.

To combat Denial of Service attacks it is essential to understand that this attack encompasses flooding the target network, breaking the network connection, and ultimately preventing an individual or even a group from accessing a particular service. The cyber battlefield for this type of attack is depicted in Figure 1. Here the attacker seeks out what is known as a handler, a machine on which software is installed that allows the handler to be controlled by the attacker.

Figure 1: DDoS Attack Diagram

At this point, the attacker issues commands to the handler, which in turn controls the agents, and the agents then act as the soldiers that attack the target. Often the agents are unsuspecting computers that have been infected with malware. Of course, denial of service attacks are also executed by a single entity that takes advantage of program flaws, specifically in the areas of resource starvation and buffer overflows (Northcutt, 2007). At the end of the day, the threat of a DoS or DDoS attack is real, and to reduce it the next steps are detecting and mitigating the threat. With these steps in mind, I selected three research papers that focus on detection and prevention in order to reduce the risk surrounding denial of service attacks. The key point to remember is that risks cannot be entirely removed, but they can be mitigated to an acceptable level with everyone involved.

Attacks in History

To put this into perspective, all one has to do is turn back to 2007, when Estonia fell victim to a DoS attack. What precipitated the attack was the relocation by Estonian citizens of a Soviet war memorial from the city of Tallinn. At the time, Estonians believed that the Russian government was behind the attack; however, the Russian government denied all involvement. The other widely held belief was that hackers who sympathized with the Russians were behind the attack, and this included China. This DoS attack was viewed as a cyberwar between Russia and Estonia, and because of this, organizations and countries alike took notice of the importance of cybersecurity.

Detecting the Threat

Over the years, network-centric defense systems have evolved to the level where traffic can be monitored and categorized, and a determination made as to whether it is acceptable or unacceptable (Ying, Incheol, Thai, and Taieb, 2010). Accountability must be at the center of computing; in other words, every action must be both measurable and traceable back to a given entity. This is important so that the organization can use the information to step through the attack, in the hope that this test scenario points out the vulnerability and how it was exploited. Ying et al. (2010) emphasize that detection and testing sound simple on the surface; however, there are three problem areas to address: having a solid testing structure, planning the infrastructure to mimic the attacker, and finally ensuring that the test case provides accurate results. Once test cases are in place and executed, then and only then can an organization be successful.

Modern business is widely conducted over the Internet, and because of this it is more important than ever to conduct testing across the spectrum. For example, computers on a network typically communicate via routers, and it is not overly difficult to execute a denial of service attack on a given network. One such attack vector exploits Internet Protocol (IP) version 6 by sending a flood of data packets, each of which advertises a network. This exploit causes all devices on the network to attempt to connect, and the computers fall victim to resource starvation. In fact, this exploit will force clients to join hundreds of advertised networks until the computer becomes utterly non-responsive. A good test scenario is to configure the operating systems (OS) to ignore networks beyond a predetermined number; of course, the root vulnerability remains with the vendor to patch. Ying et al.'s (2010) proposal for a testing-based approach to both DoS and DDoS attacks attempts to establish a solid framework in which these types of attacks are reduced by understanding day-to-day network activity. The downside to this approach is that public-facing networks are difficult to measure, because usage often peaks over time, making it challenging to define what traffic is acceptable.
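The two paragraphs above turn on the same point: a source can only be judged "unacceptable" against a measured picture of normal activity, and on a public-facing service that picture changes by hour of day. The script below is an added illustration of that idea, not code from Ying et al. (2010) or from this article. It parses constructed access-log lines, counts requests per source per minute, and compares a flat threshold with a per-hour baseline; the baseline figures, the factor of four, and the log lines (documentation-range addresses) are all assumptions.

```python
"""Baseline-aware request-rate check over web server access logs.

Added illustration of the "learn day-to-day activity" idea; not code from
Ying et al. (2010) or the original article. The log lines, the hourly
baseline and the threshold factor are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req"), "status": int(m.group("status"))}


# Constructed baseline: expected requests per source per minute, keyed by hour
# of day (a real baseline is learned from weeks of logs). The lunch-hour peak
# is what makes a single flat threshold misfire on a public-facing service.
HOURLY_BASELINE = defaultdict(lambda: 5, {9: 5, 12: 20, 13: 20, 18: 10})
FACTOR = 4  # a source is suspicious above FACTOR x the baseline for that hour


def windowed_counts(lines):
    """Requests per (one-minute window, source ip), skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["ts"].replace(second=0), rec["ip"])] += 1
    return counts


def flag_flat(lines, limit=20):
    """Naive rule: any source above `limit` requests per minute, whatever the hour."""
    return {k: n for k, n in windowed_counts(lines).items() if n > limit}


def flag_baseline(lines, baseline=HOURLY_BASELINE, factor=FACTOR):
    """Baseline-aware rule: compare each window with the expected rate for its hour."""
    return {(w, ip): n for (w, ip), n in windowed_counts(lines).items()
            if n > factor * baseline[w.hour]}


def _line(ip, hour, minute, second, path):
    return (f'{ip} - - [10/Mar/2010:{hour:02d}:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = (
    [_line("198.51.100.4", 9, 0, s, "/index.html") for s in range(6)]      # quiet morning client
    + [_line("198.51.100.9", 12, 30, s, "/catalog") for s in range(60)]    # busy but legitimate lunch client
    + [_line("203.0.113.7", 9, 1, s, "/login") for s in range(60)]         # 12x the morning baseline
    + ["not a log line"]                                                   # parser must skip, not crash
)

if __name__ == "__main__":
    print("flat rule flags:    ", sorted(ip for (_, ip) in flag_flat(SAMPLE_LOG)))
    print("baseline rule flags:", sorted(ip for (_, ip) in flag_baseline(SAMPLE_LOG)))
```

Run as a script, the flat rule flags both the lunch-hour client and the 09:01 source, while the baseline rule flags only the 09:01 source; the difference is exactly the "usage peaks over time" caveat in the paragraph above.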

Counter the Attack

At this stage in a DoS attack, the idea is that if an attack is determined to be underway there must be measures in place to fight it off. As mentioned previously, many aspects of business are conducted over the Internet, and because of this a pronounced example of a DoS attack is the password attack. Goyal, Kumar, Singh, Abraham, and Sanyal (2006) point out that a vast number of systems utilize passwords for two reasons: convenience, and the fact that end users widely accept the use of a password to gain access to a service. For the same reasons that passwords are popular with users, they are also a popular form of DoS attack.

Figure 2: Password Length Example

When it comes to password attacks, the hacker community has a vast arsenal at its disposal, whereas security measures are typically limited or, as they evolve, often fall victim to an attack. The reality is that defense against DoS attacks will likely always be reactive, but this does not mean that proactive measures should not be implemented. A password, by definition, is a word or phrase that is unknown to anyone other than the intended party. However, the reality is that passwords are weak and easily guessed or even cracked, as Figure 2 illustrates with the typical length of a password. Because of this, Goyal et al. (2006) propose a measure that prevents dictionary attacks by shrinking the attack window, which in turn requires the hacker to rethink the attack. The core of this idea is a protocol that initiates a four-pass transmission, where the final two passes involve a computation negotiated between the server and the client. To put passwords into perspective with regard to DoS attacks, it is important to understand that while attacks are typically carried out on layers three and four, it is entirely feasible to attack layer two as well via the password vulnerability. Case in point: Cisco (2005) released an advisory outlining that their Application and Content Networking System (ACNS) software could fall victim to a DoS attack through exploitation of the default password used for administrative accounts.
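The "computation negotiated between the server and the client" is the part of the four-pass idea that does the defensive work: each login attempt costs the client some effort before the server spends anything on the password check, so an online dictionary attack runs far slower. The sketch below is an added, generic client-puzzle illustration of that pattern, not a reproduction of Goyal et al.'s (2006) protocol; the message layout, the difficulty of 12 bits, the HMAC-tagged stateless challenge, and the PBKDF2 password hashing are all assumptions of this example.

```python
"""Four-pass login with a client-side computation before the password check.

Added illustration of the idea above (a computation in the last two passes
so that each guess costs the attacker work). Generic client-puzzle sketch,
not Goyal et al.'s (2006) protocol; layout, difficulty and hashing are
assumptions.
"""
import hashlib
import hmac
import secrets

DIFFICULTY_BITS = 12  # about 2**12 hashes of client work per attempt; tune per deployment


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_ok(nonce: bytes, solution: bytes, difficulty: int) -> bool:
    """Valid when SHA-256(nonce || solution) starts with `difficulty` zero bits."""
    return _leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty


def solve_puzzle(nonce: bytes, difficulty: int) -> bytes:
    """Pass 3, client side: brute-force search whose cost grows as 2**difficulty."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if puzzle_ok(nonce, candidate, difficulty):
            return candidate
        counter += 1


def hash_password(username: str, password: str) -> bytes:
    # Constructed stand-in: PBKDF2 salted with the username keeps the example
    # stateless; production code uses a random per-user salt and a memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000)


class Server:
    def __init__(self, users: dict, difficulty: int = DIFFICULTY_BITS):
        self._users = users                   # username -> hash_password(...)
        self._secret = secrets.token_bytes(32)
        self.difficulty = difficulty

    def _tag(self, username: str, nonce: bytes, difficulty: int) -> bytes:
        # Binds username, nonce and difficulty so the client cannot lower the cost.
        msg = username.encode() + nonce + difficulty.to_bytes(2, "big")
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def pass2_challenge(self, username: str) -> dict:
        """Pass 1 carried the username; pass 2 returns a puzzle bound to it.

        The HMAC tag means the server stores no per-client state, so a flood of
        pass-1 messages cannot exhaust its memory."""
        nonce = secrets.token_bytes(16)
        return {"nonce": nonce, "difficulty": self.difficulty,
                "tag": self._tag(username, nonce, self.difficulty)}

    def pass4_verify(self, username: str, challenge: dict, solution: bytes, password: str) -> str:
        """Pass 3 carried (challenge, solution, password); pass 4 is the verdict.

        Checks run cheapest first, so bad attempts are rejected before the
        comparatively expensive password hash is computed."""
        expected = self._tag(username, challenge["nonce"], challenge["difficulty"])
        if not hmac.compare_digest(expected, challenge["tag"]):
            return "rejected: forged challenge"
        if not puzzle_ok(challenge["nonce"], solution, challenge["difficulty"]):
            return "rejected: puzzle not solved"
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(username, password)):
            return "rejected: bad credentials"
        return "accepted"


if __name__ == "__main__":
    srv = Server({"alice": hash_password("alice", "correct horse battery")})
    ch = srv.pass2_challenge("alice")                   # passes 1 and 2
    sol = solve_puzzle(ch["nonce"], ch["difficulty"])   # client work for pass 3
    print(srv.pass4_verify("alice", ch, sol, "correct horse battery"))
    print(srv.pass4_verify("alice", ch, sol, "guess"))
```

The ordering inside `pass4_verify` is the point: a forged or unsolved challenge is rejected with one HMAC and one SHA-256, while only a client that has paid for the puzzle reaches the PBKDF2 comparison.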

Mitigating the Threat

An interesting aspect of prevention within Service-Oriented Architecture (SOA) is outlined by Shah, Mangal, Agarwal, Mehra, and Patel (2010), where a heavy focus is given to web services. In many areas of Internet-based communication, vendors provide an Application Programming Interface (API), and a great deal of this communication takes place via a web service. The idea is that a web service is no different from a web application in the sense that both are open to attack. Shah et al. (2010) put forth the idea of leveraging Simple Object Access Protocol (SOAP) handlers at both the server and the client, using encryption to combat a DoS attack. These handlers provide a number of actions, one being encryption and the second being validation of the SOAP envelope. Both of these options greatly reduce the DoS threat in the area of web services.
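A validation handler earns its place by rejecting an envelope as cheaply as possible before the service does any real work. The script below is an added illustration of such a server-side handler chain and is not code from Shah et al. (2010); the size and depth limits, the decision to refuse any DOCTYPE, and the sample envelopes are assumptions of this example, and the encryption handler is assumed to run separately (for instance TLS or message-level encryption).

```python
"""Server-side SOAP envelope validation handler.

Added illustration of the "validation of the SOAP envelope" handler; not code
from Shah et al. (2010). Limits, DOCTYPE policy and sample messages are
assumptions; encryption is assumed to be handled by a separate handler.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


class RejectMessage(Exception):
    """Raised by any handler in the chain; the dispatcher then drops the message."""


def check_size(raw: bytes) -> None:
    if len(raw) > MAX_BYTES:
        raise RejectMessage(f"envelope larger than {MAX_BYTES} bytes")


def check_no_doctype(raw: bytes) -> None:
    # A DOCTYPE can declare internal entities whose expansion balloons memory;
    # SOAP messages have no legitimate use for one, so refuse before parsing.
    if b"<!DOCTYPE" in raw.upper():
        raise RejectMessage("DOCTYPE declarations are not accepted")


def parse_envelope(raw: bytes) -> ET.Element:
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectMessage(f"malformed XML: {exc}") from None
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise RejectMessage("root element is not a SOAP 1.1 Envelope")
    if root.find(f"{{{SOAP_ENV}}}Body") is None:
        raise RejectMessage("Envelope has no Body")
    return root


def check_depth(root: ET.Element, limit: int = MAX_DEPTH) -> None:
    stack = [(root, 1)]
    while stack:
        node, depth = stack.pop()
        if depth > limit:
            raise RejectMessage(f"element nesting deeper than {limit}")
        stack.extend((child, depth + 1) for child in node)


def validate(raw: bytes) -> ET.Element:
    """Handler chain, cheapest check first so that junk costs the server the least."""
    check_size(raw)
    check_no_doctype(raw)
    root = parse_envelope(raw)
    check_depth(root)
    return root


def handler_outcome(raw: bytes) -> str:
    try:
        validate(raw)
        return "accepted"
    except RejectMessage as exc:
        return f"rejected: {exc}"


# Constructed sample messages (hypothetical service namespace urn:example).
_ENV_OPEN = b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
GOOD = (_ENV_OPEN + b'<soap:Body><getQuote xmlns="urn:example"><symbol>ACME</symbol>'
        b'</getQuote></soap:Body></soap:Envelope>')
NO_BODY = _ENV_OPEN + b'<soap:Header/></soap:Envelope>'
WITH_DOCTYPE = b'<!DOCTYPE x [<!ENTITY e "x">]>' + GOOD
TOO_DEEP = _ENV_OPEN + b'<soap:Body>' + b"<a>" * 40 + b"</a>" * 40 + b'</soap:Body></soap:Envelope>'
TOO_BIG = b"<x>" + b" " * MAX_BYTES + b"</x>"

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("NO_BODY", NO_BODY), ("WITH_DOCTYPE", WITH_DOCTYPE),
                      ("TOO_DEEP", TOO_DEEP), ("TOO_BIG", TOO_BIG)]:
        print(f"{name:13s} {handler_outcome(msg)}")
```

Note that the size and DOCTYPE checks look at raw bytes only, so an oversized or entity-bearing message is refused before the XML parser allocates anything; the namespace, Body and depth checks run only on messages that have already passed those gates.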

In reality, a great many solutions have been provided for the defense against DoS attacks, including anomaly detection, IP tracing, and packet filtering, and the area of DoS is constantly evolving (Yu, Fang, Lu, and Li, 2010). When it comes down to reducing the threat, the obvious answer resides in the area of trust management; in other words, know your user base and establish strong boundaries of network usage. Yu et al. (2010) also present the use of a license management server, which would serve out a license to authorized users; without the license at the client, all network communications sent to the receiver would be ignored. This approach to mitigating DoS attacks is both lightweight and feasible, to the degree that interested parties could quickly and easily adopt a defensive posture against DoS attacks.
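The license idea is attractive precisely because the receiver's decision is cheap: a message either carries a license it can verify or it is ignored, with no reply and no further processing. The script below is an added illustration of that flow and is not code from Yu et al. (2010); the token format, the HMAC key shared between the license server and the receiver, the expiry handling, and the sample users are assumptions (a real deployment would use signatures so that receivers can verify licenses without being able to mint them).

```python
"""License-gated message receiver.

Added illustration of the license-management idea above; not code from
Yu et al. (2010). Token format, the shared HMAC key and the sample users are
assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class LicenseServer:
    def __init__(self, authorized_users, key=None):
        self._authorized = set(authorized_users)   # the "known user base"
        self.key = key or secrets.token_bytes(32)

    def issue(self, user: str, ttl: int = 3600, now=None):
        """Return a license for an authorized user, or None for anyone else."""
        if user not in self._authorized:
            return None
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "exp": int(now + ttl)}, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_license(key: bytes, token, now=None):
    """Return the licensed user, or None if the token is missing, malformed, forged or expired."""
    if not isinstance(token, str) or token.count(".") != 1:
        return None
    payload_b64, mac = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        return None
    return claims.get("user")


class Receiver:
    """Ignores any message without a valid license before doing real work."""

    def __init__(self, key: bytes):
        self.key = key
        self.dropped = 0
        self.delivered = []

    def handle(self, message: dict, now=None) -> bool:
        user = verify_license(self.key, message.get("license"), now)
        if user is None:
            self.dropped += 1        # silently ignored: no reply, no processing
            return False
        self.delivered.append((user, message.get("body")))
        return True


if __name__ == "__main__":
    server = LicenseServer(["alice"])
    receiver = Receiver(server.key)
    token = server.issue("alice", ttl=60)
    print(receiver.handle({"license": token, "body": "hello"}))      # True
    print(receiver.handle({"body": "no license"}))                   # False
    print(receiver.handle({"license": "junk", "body": "x"}))          # False
    print("dropped:", receiver.dropped)
```

The `verify_license` path is deliberately all cheap operations (one base64 decode, one JSON parse, one HMAC), which is what lets the receiver discard unlicensed traffic at a cost far below the work the attacker is trying to make it do.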

Conclusion

At this point, it should be clear that DoS attacks are not overly complicated either to defend against or to carry out. Referencing Figure 3, it is clear that DoS can affect each layer of the OSI model.

Figure 3: OSI Model

What makes DoS difficult to defend against is that it is often hard to distinguish attack traffic from legitimate traffic, and that all software contains defects that can be exploited. While DoS is difficult to defend against, it is not impossible. Actions such as reviewing the network infrastructure against National Institute of Standards and Technology (NIST) standards and load testing the network will both assist in finding vulnerabilities and in understanding at what stress point the network will break under a given load. Monitoring is also extremely important; therefore an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) will assist immensely in protecting the network. Of course, the single most important aspect is to have an established policy and procedure that outlines the course of action to be taken before, during, and after an attack. If the network is the victim of an attack, the Internet Service Provider (ISP), Information Security (IS) personnel, and the appropriate law enforcement agency must all be alerted as soon as possible.

References

  • Goyal, V., Kumar, V., Singh, M., Abraham, A., & Sanyal, S. (2006). A new protocol to counter online dictionary attacks. Computers & Security, 25(2), 114-120. doi:10.1016/j.cose.2005.09.003
  • Cisco. (2005). ACNS Denial of Service and Default Admin Password Vulnerabilities. Cisco Security Advisory. Retrieved from http://tools.cisco.com
  • Northcutt, S. (2007). Security Laboratory: Methods of Attack Series. SANS Technology Institute. Retrieved from http://www.sans.edu
  • Shah, D., Mangal, A., Agarwal, M., Mehra, M., & Patel, D. (2010). Mitigating DoS using handlers for Global SOA. Journal of Algorithms & Computational Technology, 4(4), 381-394. Retrieved from http://www.multi-science.co.uk/
  • Ying, X., Incheol, S., Thai, M. T., & Taieb, Z. (2010). Detecting application denial-of-service attacks: A group-testing-based approach. IEEE Transactions On Parallel & Distributed Systems, 21(8), 1203-1216. doi:10.1109/TPDS.2009.147
  • Yu, J. J., Fang, C. C., Lu, L. L., & Li, Z. Z. (2010). Mitigating application layer distributed denial of service attacks via effective trust management. IET Communications, 4(16), 1952-1962. doi:10.1049/iet-com.2009.0809
