Denial of Service Attacks

DENIAL OF SERVICE ATTACKS
Brent Muir and Simon Weiss
Queensland University of Technology, Brisbane, 2009
Muir and Weiss, Denial of Service Attacks, 2009

ABSTRACT

This report details various security vulnerabilities facing organisations that are connected to the Internet. It focuses primarily on Denial of Service (DoS) attacks, providing an understanding of how these types of attacks are carried out and outlines the current technological resources available to provide countermeasures to DoS attacks. The recommendations provided at the end of the report allow organisations to gain the ability to minimise the harmful impact that DoS attacks can inflict upon their business.
ABOUT THE AUTHORS

BRENT MUIR
Brent Muir is an information security professional working in Australasia. His interests include digital forensics, malware analysis and privacy. He is the co-founder of the Digital Forensics Focus Group, a sub-chapter of the Australian Information Security Association. To find out more about Brent's research, or to contact him, see his LinkedIn profile, https://au.linkedin.com/in/brentmuir/.

SIMON WEISS
Simon Weiss is a research assistant and doctoral student at the Institute of Information Management at the University of St. Gallen, Switzerland. He works in the area of Enterprise Architecture and Transformation Management with a focus on mechanisms to institutionalize EAM in organizations. His professional profile can be found at https://www.xing.com/profile/Simon_Weiss7.
TABLE OF CONTENTS

Abstract ..... I
Table of contents ..... III
List of figures ..... IV
List of tables ..... IV
List of abbreviations ..... IV
1 Introduction ..... 5
2 Vulnerabilities in general ..... 2
2.1 Software vulnerabilities ..... 2
2.2 Social engineering ..... 3
3 Denial of Service and Distributed Denial of Service ..... 5
3.1 Overview ..... 5
3.2 Exploitations ..... 8
3.3 Results of an attack ..... 10
3.4 Example: DDoS attack on Estonia in 2007 ..... 13
3.5 Countermeasures and prevention ..... 16
4 Conclusion ..... 20
5 Recommendations ..... 22
Reference List ..... 23
Appendix ..... 30
A Details of DDoS attack against Estonia ..... 30
LIST OF FIGURES

Fig. 3.1: A traffic superflow by DDoS flooding attacks launched from a large number of zombies toward a common victim host ..... 7
Fig. 3.2: Russian DDoS attack advertisement ..... 15

LIST OF TABLES

Tab. 5.1: Attack on Estonia: Targeted destinations ..... 30
Tab. 5.2: Attack on Estonia: Attack dates ..... 30
Tab. 5.3: Attack on Estonia: Attack durations ..... 31
Tab. 5.4: Attack on Estonia: Attack bandwidths ..... 31

LIST OF ABBREVIATIONS

CERT    Computer Emergency Response Team
DDoS    Distributed Denial of Service
DoS     Denial of Service
FIRST   Forum for Incident Response and Security Teams
FSB     Federal Security Service
ICMP    Internet Control Message Protocol
IP      Internet Protocol
ISP     Internet Service Provider
NATO    North Atlantic Treaty Organisation
TCP     Transmission Control Protocol
TERENA  Trans-European Research and Education Networking Association
UDP     User Datagram Protocol
INTRODUCTION

Computers and networks are an important part of the information systems of modern organisations. Many, if not all, services depend on certain parts of these systems. This trend will continue as computer systems become even more complex and capable of supporting us in more and more aspects of our work. However, as soon as a network is connected to the Internet, it becomes vulnerable to various threats and cyber attacks. For instance, about 50 new software vulnerabilities are discovered or announced each week, and the amount of spam, viruses and exploits continues to increase.[1] The danger of compromised security goals like confidentiality, integrity and availability is imminent. Consequently, there is no better time to deal with vulnerabilities and their countermeasures.

This work aims at clarifying the threat of Denial of Service attacks, which represent an increasingly prevalent method of compromising the availability of online services. In the case of distributed DoS (DDoS), such an attack is even more difficult to prevent and fight. We will examine what DoS attacks are, how they are orchestrated, the results of such attacks, and which countermeasures can be applied. Chapter 2 first elaborates on vulnerabilities in general; the two major aspects discussed are software vulnerabilities (section 2.1) and social engineering (section 2.2). After this, (D)DoS is examined in more detail (chapter 3). Following an overview, we explain exploitations (section 3.2) and results (section 3.3), and examine a well-documented example of a massive DDoS attack against Estonia in 2007, which represents a typical DDoS scenario (section 3.4). Lastly, we conclude this work by presenting the countermeasures currently available to help prevent DoS attacks (section 3.5).

[1] See Bradley (2006, p. 56)
VULNERABILITIES IN GENERAL

SOFTWARE VULNERABILITIES

The amount of software used in a corporate network is immense, and it is increasingly exploited by crackers. Today, a wide range of opportunities to gain unauthorized access to computers or confidential data by exploiting software vulnerabilities is at hand. In general, the more widely distributed a particular piece of software is, the more attackers are attracted to it and try to find and exploit vulnerabilities in it. Hence, the most affected software in the past was the Microsoft Windows 2000 and XP operating systems (including Internet Explorer) and the Microsoft Office suites. Recently, more and more cross-platform (third-party) software, for example software that is embedded into a range of browsers, has come into the focus of attackers. Adobe's Flash Player[2] and PDF Reader are prominent examples; Adobe Reader had such critical vulnerabilities that the anti-virus manufacturer F-Secure even recommended not using Adobe Reader at all until the vulnerability was fixed.[3] According to Microsoft's biannual Security Intelligence Report (2008), the overall amount of malicious software and critical vulnerabilities increased again. "According to the report, 48% of all security vulnerabilities must be classified critical", meaning that serious harm may result.[4] Viruses, worms, malware, Trojans, rootkits and backdoors are the names of some of the most common techniques used to affect a system and compromise security goals in one way or another. According to the 2008 E-Threats Landscape Report of BitDefender, Trojans led the list of worldwide malware threats, with a share of more than 80%.[5]

In consequence of the aforementioned situation, the most crucial thing is to install security updates regularly. By far the most attacks rely on vulnerabilities in unpatched systems, whether the threat is directly induced by being connected to the Internet or is due to weaknesses of an application. A common procedure for the former is for crackers[6] to, for example, scan an IP address range for a certain open port of an application and then attempt to exploit a (possibly new) vulnerability on the responding hosts. Many cases also exist for the latter, in the form of prepared documents (e.g. for MS Word) that are processed incorrectly and consequently allow execution of arbitrary code. Besides patching, a lot of other measures should be put in place to comply with stated security goals. Interesting real-time statistics about current attacks, viruses and a "Threat Index" can for instance be found on the Arbor website.[7]

SOCIAL ENGINEERING

Social engineering deals with vulnerabilities of the human part of an information system to gain access to information assets. Most of these weaknesses are based on human indiscretion or ignorance. For the former, the statistics about loss and theft of laptops, for instance, speak volumes: laptop theft accounted for 50% of reported security attacks.[8] Lost or stolen laptops and mobile devices are the most frequent cause of a data breach, accounting for 49% of data breaches in 2007.[9] And last but not least: 12,000 laptops are lost in U.S. airports each week, and two-thirds are never returned.[10] These facts already clearly indicate that employees' awareness of data security and cyber threats in general is in need of improvement.

An increasingly used method to obtain any sort of user data related to the use of e-mail and the Web is phishing. In phishing, users are tricked with a web site that looks the same as a service provider's original one. Recent phishing attempts targeted, for instance, the Internal Revenue Service to glean sensitive data from U.S. taxpayers, but users of social networks like MySpace and the file hoster RapidShare were targeted as well.[11] Another aspect of social engineering is industrial espionage or any other form of disclosure of confidential information by employees. This may happen deliberately but also accidentally. Appropriate trust systems and policies need to be put in place in order to prevent such breaches of security goals. This comprises, for instance, a strong password and user rights policy. However, no system can ever be 100% secure.

[2] See iDefense Labs (2009)
[3] See heise Security (2009)
[4] BürgerCERT (2008)
[5] See BitDefender (2009)
[6] The term cracker is used in this work to denote a person who wants to harm computer systems. The more common term 'hacker' denotes a person with in-depth computer skills. Hence, a cracker is an 'evil hacker'.
[7] See http://atlas.arbor.net/
[8] See AbsoluteSoftware (2009) according to Richardson (2007)
[9] See AbsoluteSoftware (2009) according to Ponemon Institute (2007)
[10] See AbsoluteSoftware (2009) according to Dell & Ponemon Institute (2008)
[11] See Wikipedia (2009a)
DENIAL OF SERVICE AND DISTRIBUTED DENIAL OF SERVICE

OVERVIEW

As discussed previously, computers attached to the Internet are susceptible to many vulnerabilities, including Denial of Service (DoS) attacks. For the remainder of this report DoS vulnerabilities, and their bigger brother, Distributed Denial of Service (DDoS), will be discussed in more detail. First, an overview of DoS and DDoS will be given. Next, the specific exploitations available in these attacks will be examined. After this, the possible results of these types of attacks will be discussed, including further analysis of three real-world examples. Lastly, the countermeasures available to users and businesses alike will be examined to give appropriate responses to these threats.

Denial of Service (DoS) attacks are generally regarded as "an explicit attempt of attackers to prevent legitimate users from gaining a normal network service".[12] This means that a user trying to reach a website that is under attack by DoS would not be able to make a connection. Not all DoS attacks are based solely over the Internet, and CERT further breaks down the definition of DoS into four categories:[13]

• attempts to "flood" a network, thereby preventing legitimate network traffic
• attempts to disrupt connections between two machines, thereby preventing access to a service
• attempts to prevent a particular individual from accessing a service
• attempts to disrupt service to a specific system or person

The number of DoS attacks has been rising steadily, and Carl et al. found that there were over 12,000 attacks over a three-week period in 2001.[14] There has been a shift away from DoS to DDoS in recent years, and Messmer notes that:[15]

    Distributed DoS attacks are now reaching 42Gbps in sustained intensity, up from 24Gbps last year and just 17Gbps the year prior to that, according to Arbor Networks' annual survey of ISPs from North America, Europe and Asia.

The simplest form of DoS is the result of a weakness that has existed in the IP protocol ever since the "internet" was developed. "The weakness in this scheme (the IP protocol) is that the source host itself fills in the IP source host id, and there is no provision to discover the true origin of the packet".[16] This weakness allows for SYN-flooding attacks:[17]

    In SYN-flooding attacks, attackers initiate many SYN requests without sending ACK packets. This exhausts the server's half-open waiting queue and thus blocks a legitimate client's request from being serviced.

The reason this type of attack is so effective is that once the network is flooded with a large volume of data, the network's resources are strained, for example the process control blocks and the maximum allowed connections. "In particular, DoS attacks may disrupt the normal operation of physical components in the network, and may also manipulate data in transit such as encrypted data".[18] Carl explains that it is not only network resources that are susceptible to DoS attacks, but also "CPU processing cycles". "When any resources form a bottleneck, system performance degrades or stops, impeding legitimate system use".[19]

Distributed Denial of Service (DDoS) attacks occur when multiple hosts "are employed to coordinate an attack by flooding a victim with a barrage of attack packets".[20] Glenebe and Loukas give a detailed definition for DDoS:[21]

    The attacker takes control of a large number of lightly protected computers (e.g., without firewall and up-to-date antivirus software) and orders them to send simultaneously a large number of packets to a specific target. The attacker exploits the weakness of IP by faking their source IP address ("IP spoofing"). As a result, some routers and links in the vicinity of the target are overwhelmed, and a number of legitimate clients cannot connect to it anymore.

The process of DDoS is shown in Fig. 3.1 below.

[Figure] Fig. 3.1: A traffic superflow by DDoS flooding attacks launched from a large number of zombies toward a common victim host[22]

[12] Wang et al., 2007: 3565
[13] CERT, 2001
[14] Carl et al., 2006: 82
[15] Messmer, 2008
[16] Morris in Glenebe and Loukas, 2007: 1299
[17] Wang and Reiter, 2008: 244
[18] Wang et al., 2007: 3565
[19] Carl et al., 2006: 82
[20] Wang et al., 2007: 3565
[21] Glenebe and Loukas, 2007: 1299
[22] Chen et al., 2007: 1650
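As an added illustration of the half-open queue exhaustion described above (this code is not from the report): a minimal tracker replays a constructed packet trace against a deliberately tiny backlog, shows a legitimate connection being refused once unanswered SYNs fill the queue, and flags sources that never complete a handshake, which is the signal a defender would alert on. The backlog size, the timeout, the address ranges and the trace are assumptions made for this example.

```python
"""Half-open (SYN-received) connection tracker over a constructed packet trace.

A TCP server must answer every SYN with a SYN-ACK and keep a half-open entry
until the client's ACK arrives. SYNs that are never acknowledged (spoofed
sources cannot answer) therefore occupy the backlog until they time out.
Constructed example: backlog size, timeout and trace are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since trace start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # "S" = SYN, "A" = ACK completing the handshake


BACKLOG_SIZE = 8      # assumed half-open queue length (real kernels allow far more)
SYN_TIMEOUT = 3.0     # assumed seconds a half-open entry is retained


class HalfOpenTracker:
    def __init__(self, server_ip, backlog=BACKLOG_SIZE, timeout=SYN_TIMEOUT):
        self.server_ip = server_ip
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}              # (src, sport, dport) -> SYN arrival time
        self.syns_seen = defaultdict(int)
        self.completed = defaultdict(int)
        self.dropped_syns = 0            # SYNs refused because the backlog was full
        self.expired = 0                 # entries freed by the timeout

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]
        self.expired += len(stale)

    def process(self, pkt):
        if pkt.dst != self.server_ip:
            return                       # only traffic toward the protected host
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.flags == "S":
            self.syns_seen[pkt.src] += 1
            if key in self.half_open:
                return                   # retransmitted SYN, entry already held
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1   # the denial of service: nobody can connect
                return
            self.half_open[key] = pkt.t
        elif pkt.flags == "A" and key in self.half_open:
            del self.half_open[key]      # handshake completed, slot released
            self.completed[pkt.src] += 1

    def backlog_utilisation(self):
        return len(self.half_open) / self.backlog

    def suspicious_sources(self, min_syns=3):
        """Sources that sent several SYNs and never completed a handshake."""
        return sorted(s for s, n in self.syns_seen.items()
                      if n >= min_syns and self.completed[s] == 0)


def build_trace():
    """Constructed trace: one legitimate client, then SYN-only traffic."""
    srv = "192.0.2.10"
    pkts = [Packet(0.0, "198.51.100.5", srv, 40001, 80, "S"),
            Packet(0.1, "198.51.100.5", srv, 40001, 80, "A")]
    t = 0.2
    for i in range(12):                  # 12 SYNs from three sources, never ACKed
        pkts.append(Packet(t, f"203.0.113.{i % 3 + 1}", srv, 50000 + i, 80, "S"))
        t += 0.05
    # A second legitimate client arrives while the backlog is full.
    pkts.append(Packet(1.0, "198.51.100.6", srv, 40002, 80, "S"))
    return srv, pkts


def run_detector():
    srv, pkts = build_trace()
    tracker = HalfOpenTracker(srv)
    for p in pkts:
        tracker.process(p)
    return tracker


if __name__ == "__main__":
    tr = run_detector()
    print(f"backlog utilisation: {tr.backlog_utilisation():.0%}, "
          f"SYNs refused: {tr.dropped_syns}, suspects: {tr.suspicious_sources()}")
```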
As Carl explains, "in a DDoS attack, the assault is coordinated across many hijacked systems (zombies) by a single attacker (master)".[23] The reason that these types of attacks are prevalent is that there is no easy solution to mitigating the risks associated with DDoS; in fact "CERT... found no simple fix or patch" to this problem.[24]

EXPLOITATIONS

There are numerous methods available for conducting DoS attacks, and CERT breaks down these vulnerabilities into three basic types of attack:[25]

• consumption of scarce, limited, or non-renewable resources
• destruction or alteration of configuration information
• physical destruction or alteration of network components

In the first category, consumption of scarce resources, exploitations exist in the various protocols used to communicate over the Internet, for example TCP and UDP. As previously stated, SYN flooding is a commonly exploited method for conducting DoS:[26]

    SYN flooding attacks exploit network vulnerabilities with respect to the TCP protocol, where the three-way handshake algorithm is used. In general, the arrival of SYN packets contains two types: the regular request packets and the attack packets that request for connections. A large number of SYN packets are always sent to a victim for pretending to make connections with the victim. However, the victim can hardly differentiate the attack packets from the regular request packets, and therefore it has to respond by sending back the SYN-ACK packets.

CERT explains that UDP packets can also be used as an exploit to carry out a DoS attack from intruders within your own network:[27]

    The intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.

Another method of exploitation of UDP packets is "created when the attacker sends UDP packets to random ports on the target".[28] These types of exploitations all target bandwidth consumption on networked computers, but computers are not the only devices susceptible to DoS attacks. A DoS exploit has recently been identified in the iPhone. This is an application-level DoS which results in crashing the Safari browser and which has been speculated as being able to crash the whole device.[29] Another method of DoS is achieved by utilising email messages:[30]

    An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages.

The second and third categories, the destruction or alteration of configuration information, and the physical destruction or alteration of network components, can result in permanent damage to equipment. For example, Higgins identifies an exploitation that exists in the firmware of network-enabled routers and states that these systems are "susceptible to a remote, permanent DoS attack, called "phlashing", known as Permanent DoS (PDoS)".[31]

RESULTS OF AN ATTACK

Before going into the specific examples in greater detail, it is important to highlight the numerous negative outcomes attributed to DoS attacks. By looking at the information security goals we can break down these results into various categories: confidentiality, integrity, and availability. It is also important to examine the possible motives behind the attacks: financial gain, publicity, and political motivations. As Glenebe and Loukas state, "DoS attacks have reportedly been used against Business competitors, for extortion purposes, for political reasons, and even as a form of 'legitimate' protest".[32]

CONFIDENTIALITY

Confidentiality of information is an important information security goal that is not usually affected by DoS attacks.

INTEGRITY

The integrity of an organisation's network resources is an important issue to many businesses. DoS attacks can compromise this information security goal by tampering with network resources and equipment. Leyden cites an example where an online payment system was targeted by a DoS attack, with the organisation involved hoping that the "customer data remains secure".[33]

AVAILABILITY

Schwartau states that the "first large-scale media-grabbing DOS attack in the US struck Panix, a New York based ISP in September of 1996".[34] Attacking an ISP is a direct threat to the availability of a network's resources, and is a good example of what can happen to this information security goal. The availability of network resources is a security goal that many organisations rely on to conduct business, yet it is a challenge which many websites cannot keep up with; Lemos explains that many of the attacks produce more than a gigabit of junk data every second.[35] Edwards notes that at the pinnacle of a DoS attack a certain web site was struck by 488 attacks, each lasting up to 1.8 hours.[36] Messmer cites statistics regarding the mitigation of detected DoS attacks within organisations:[37]

    Fifteen percent of respondents said it typically took 15 minutes or less to mitigate an attack. Another 15% said it took less than 20 minutes, and 14% said it took less than 30 minutes. It took an hour for 26% of respondents, and 30% typically needed more than an hour to mitigate a distributed DoS attack, even after it had been detected.

FINANCIAL GAIN

One of the main motivations of DoS attacks is financial gain, either via bringing down a competitor's website/business, or via extortion/blackmail at the hands of the attackers. Carl notes that within the 2004 CSI/FBI Computer Crime and Security Survey, DoS attacks were listed as being amongst the most financially expensive security incidents.[38] Glenebe and Loukas cite a case in the United States where a "corporate executive in Massachusetts was charged with using DoS attacks to cause a total of $2 billion in losses to three of his main competitors".[39] Leyden notes that many DoS attacks have been linked to extortion attempts.[40]

PUBLICITY

Publicity is sometimes the goal of a DoS attack. Many times the instigator is just looking for bragging rights amongst other hackers.[41]

POLITICAL MOTIVATION

As explained in greater detail below, political motivation is often the reason behind a DoS attack.

[23] Carl et al., 2006: 82
[24] Hancock, 2000: 6
[25] CERT, 2001
[26] Wang et al., 2007: 3566
[27] CERT, 2001
[28] Cabrera et al., 2002: 242
[29] Wireless News, 2008
[30] McDowell, 2004
[31] Higgins, 2008: 20
[32] Glenebe and Loukas, 2007: 1300
[33] Leyden, 2004
[34] Schwartau, 1999: 125
[35] Lemos, 2007
[36] Edwards, 2008
[37] Messmer, 2008
[38] Carl et al., 2006: 82
[39] Glenebe and Loukas, 2007: 1300
[40] Leyden, 2004
[41] Chen et al., 2004; Carl et al., 2006
EXAMPLE: DDOS ATTACK ON ESTONIA IN 2007

Overview and background

From the 27th of April until the 18th of May, Estonia, a known Internet pioneer, was the victim of probably the biggest DDoS attack ever.[42] The generally strained relationship between Estonians and Russians escalated into a cyber-war after the removal of the Red Army monument "Bronze Soldier" from a central place in Tallinn to a military cemetery (on the 27th). While the monument is generally supposed to commemorate those who fell in WW2, for Russians it is also a symbol of the defeat of Nazi Germany. However, for most Estonians, it is rather a reminder of the more than four decades that the Soviets occupied the nation.[43] After the removal, a lot of demonstrations and protests followed, the Estonian embassy in Moscow was besieged, and a 19-year-old Russian demonstrator died.

Attack details

According to Nazario of Arbor Networks, 128 unique DDoS attacks on Estonian websites were registered. "Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others."[44] Also, some attacks were low-skill "script kiddie" attacks, whereas others were complex botnet attacks. Governmental and bank sites were the primary target, but web sites of other politicians and parties, the police, newspapers, a school, critical Russian media and the opposition (in Russia) and even an Estonian forum for Ford tuning enthusiasts were attacked as well.[45] The attacks themselves originated from all over the world, but mainly from Russia, and peaked on the 9th of May, the Russian public holiday of the victory over Hitler. The masterminds behind these attacks could not be identified yet and probably never will be. The Kremlin and Russia's secret service (FSB) were accused (not only in this case) of being behind the attacks,[46] but despite some indications there was (of course) no ultimate proof, and Estonia eventually softened its accusations against Russia.[47] It is only fairly certain that a lot of excited, patriotic or angry Russians contributed, from 10-year-old kids up to organized hacker crews that advertise and even offer their services on the web (see Fig. 3.2).

[Figure] Fig. 3.2: Russian DDoS attack advertisement[48]

Consequences

The result of the attack was that a lot of websites were not available: e-government services were out of order, as were credit card services, online banking, news services and the e-mail systems of the parliament, and some defacement took place as well. However, no blackmailing, theft of data or attack on very critical governmental infrastructure was recorded, so the main security goal compromised was availability.[49] The Estonian providers reacted by setting additional firewall DROP rules, applying traffic shaping and putting websites into text-only mode. Estonia also requested help from NATO, the Trans-European Research and Education Networking Association (TERENA) and, for example, the Forum for Incident Response and Security Teams (FIRST). In 2008, Estonia obtained the NATO Excellence Centre for Cyber Defence, a research centre with an advisory purpose.

[42] At least, ever against one country. See Wikipedia (2009b)
[43] See Lemos (2007)
[44] See Appendix A, Details of DDoS attack against Estonia, for detailed statistics.
[45] See Rötzer (2007), Lischka (2007)
[46] See e.g. Rötzer (2007)
[47] However, it is likely that Moscow at least "tolerates such attacks". See Lischka (2007), Warner (2007)
[48] F-Secure Weblog (2007)
[49] See Tittelbach (2008)
  • 21. Muir and Weiss Denial of Service Attacks 2009 - 16 - Bottom line The attack on Estonia is a typical example for DDoS with different types of flooding and spamming from distinct and probably spoofed locations. (D)DoS and spam (which can be regarded a type of DoS as well) attacks have become more popular during the last years, which fits to the aforementioned fact that Trojans are the leading Malware-Threat, because Trojans are among others used for such attacks. A similar politically motivated attack was launched against Georgia even weeks before the war between Russia and Georgia began. The attack was much smaller than against Estonia though. However, (D)DoS attacks are launched in almost every country against all sort of service providers. This comprises online-game providers, news websites, anti-spam organisations, private companies and many more.50 COUNTERMEASURES AND PREVENTION As DoS attacks vary in motivation and in methodology, preventing these attacks is not simply a matter of installing one piece of hardware or one piece of software. The variance found in DoS attacks actually weakens the countermeasures currently available. The most common methods of protection against DoS attacks will be discussed, including some proposed future strategies. Methods discussed 50 See Wikipedia (2009b)
  • 22. Muir and Weiss Denial of Service Attacks 2009 - 17 - include; Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), DoS mitigation services, and packet filtering. Rather than being a reactive method for countering DoS attacks, IDS works in real-time to asses the network traffic coming into an organisation and blocks any traffic that is deemed to be malicious. By spotting telltale deviations in traffic flow, an IDS can warn the network administrator in advance and give him or her time to take actions, such as switching to an emergency block of IP addresses with a separate route for critical servers51 . There are two detection methods utilised in IDS, these are signature-based and anomaly-based. In signature-based detection the IDS matches traffic to known malicious traffic and blocks it, whereas in anomaly-based detection the IDS is “trained” to recognise known good traffic. “In anomaly- based detection, the system recognises a deviation from the standard behaviour of its clients, while in the latter it tries to identify the characteristics of known attack types”52 . One of the major issues with IDS is that it produces a large number of false- positives. This means that the IDS may often block network traffic that is harmless, and in the case of many organisations this may affect revenue. “IDSs are plagued by high rates of false alarm; explainable in part by the base rate fallacy of classical statistics, a result of the rarity of attacks in comparison to normal activity”53 . Another issue with IDS is that it relies on being taught to recognise good behaviour, which often takes a long time to establish. As Edwards states, “an IDS can help an organisation identify the start of a DoS attack”54 . A similar DoS countermeasure is offered through Intrusion Prevention Systems (IPS). Their successfulness at preventing DoS attacks is noted by Edwards who 51 Edwards, 2008 52 Glenebe and Loukas, 2007: 1300 53 Cabrera, et. al., 2002: 250 54 Edwards, 2008
writes, “adding an IPS can help deflect some of a DoS attack's impact” [55]. An IPS usually consists of an IDS and a firewall solution that are designed “to take swift action — such as blocking specific IP addresses — whenever a traffic-flow anomaly arises” [56]. This gives network administrators the chance to instigate back-up strategies.

Many organisations want to outsource the responsibility for DoS prevention, and this can be achieved by utilising a “DoS mitigation service”. A DoS mitigation service protects businesses from DoS and DDoS attacks by “placing its own servers in front of the attacked machines, filtering out bad packets and passing genuine traffic to the organisation's servers” [57].

These mitigation services all rely on packet filtering in one way or another. As described by Matrawy et al., “the idea is to categorize traffic according to their... characteristics hoping that disruptive traffic can effectively be separated from non-disruptive traffic” [58]. There are numerous methods used for the filtration and separation of network traffic, but these often result in performance issues (Van Oorschot et al., 2006: 188).

Ingress filtering is the most common type of packet filtering utilised to prevent DoS attacks. One of the first defensive measures proposed was ingress filtering, which is an approach to thwart IP address spoofing by configuring routers to drop arriving packets with IP addresses which are deemed to be outside a predetermined “acceptable” range. In the most general sense, the protection system either drops the attacking packets or it redirects them into a trap for further evaluation and analysis [59]. One of the major benefits of ingress filtering is that it is relatively cheap to employ.
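The countermeasures described on this page, ingress filtering, signature-based detection and anomaly-based detection trained on known-good traffic, together with the base-rate arithmetic behind the IDS false-alarm problem, as an added worked example in Python. This is illustrative code written for this page, not code from the report or from any of the works it cites. The interface-to-prefix topology, the training counts, the packet records and the signature pattern are all constructed for the example, and the addresses are taken from the RFC 5737 documentation ranges.

```python
"""Added example (not from the report): a toy network perimeter applying ingress
filtering, signature-based detection and anomaly-based detection to constructed
packet records, plus the base-rate arithmetic behind IDS false alarms."""
import ipaddress
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # router interface the packet arrived on
    src: str        # claimed source IP address
    second: int     # arrival time in whole seconds (enough for a per-second rate)
    payload: bytes

# Ingress filtering (assumed topology): a customer interface may only carry packets
# whose source lies in the prefix routed behind it (RFC 5737 documentation ranges).
ACCEPTABLE_SOURCES = {
    "customer-a": [ipaddress.ip_network("198.51.100.0/24")],
    "customer-b": [ipaddress.ip_network("203.0.113.0/24")],
}

# Signature-based detection: byte patterns of traffic already known to be bad.
# This pattern is constructed for the example, not a real tool signature.
SIGNATURES = {"constructed-bad-banner": b"GET /hello_from_bad_tool"}

# Constructed training data: packets per second during a known-good period.
GOOD_COUNTS = [40, 42, 38, 41, 39, 43, 40, 42]


def ingress_allows(pkt: Packet) -> bool:
    """Accept only packets whose source address is in the range expected on the interface."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ACCEPTABLE_SOURCES.get(pkt.iface, []))


def matches_signature(pkt: Packet):
    """Return the name of the first signature found in the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


class RateAnomalyDetector:
    """Anomaly-based detection: learn the packets-per-second distribution of a
    known-good period, then flag any second whose count exceeds mean + k * stdev."""

    def __init__(self, k: float = 3.0):
        self.k, self.mean, self.stdev = k, 0.0, 0.0

    def train(self, good_counts):
        self.mean = statistics.fmean(good_counts)
        self.stdev = statistics.pstdev(good_counts)

    def threshold(self) -> float:
        return self.mean + self.k * self.stdev

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold()


def run_perimeter(packets, detector):
    """Run the three stages; return (dropped_packets, signature_hits, anomalous_seconds)."""
    dropped, sig_hits, per_second = [], [], Counter()
    for pkt in packets:
        if not ingress_allows(pkt):
            dropped.append(pkt)          # spoofed source: never reaches the detectors
            continue
        sig = matches_signature(pkt)
        if sig:
            sig_hits.append((pkt.src, sig))
        per_second[pkt.second] += 1
    anomalous = sorted(s for s, c in per_second.items() if detector.is_anomalous(c))
    return dropped, sig_hits, anomalous


def alarm_precision(attack_rate, true_positive_rate, false_positive_rate):
    """Share of alarms that are real attacks (Bayes' rule). When attacks are rare,
    even a small false-positive rate makes most alarms false: the base-rate fallacy."""
    true_alarms = attack_rate * true_positive_rate
    false_alarms = (1 - attack_rate) * false_positive_rate
    return true_alarms / (true_alarms + false_alarms)


def constructed_traffic():
    """Constructed sample: normal load, one spoofed packet, then a flood from one host."""
    pkts = [Packet("customer-a", f"198.51.100.{10 + i % 20}", 0, b"GET /index.html")
            for i in range(40)]
    # Second 1: a packet on customer-b's interface claiming a customer-a address (spoofed).
    pkts.append(Packet("customer-b", "198.51.100.7", 1, b"GET /index.html"))
    pkts += [Packet("customer-b", f"203.0.113.{10 + i % 20}", 1, b"GET /index.html")
             for i in range(38)]
    # Second 2: 120 packets from one customer-b host, the first carrying the known-bad pattern.
    pkts += [Packet("customer-b", "203.0.113.9", 2,
                    b"GET /hello_from_bad_tool" if i == 0 else b"GET /") for i in range(120)]
    return pkts
```

Training on GOOD_COUNTS gives a threshold of about 45 packets per second, so the 120-packet second is flagged while the spoofed packet is dropped by the ingress stage before any detector sees it. The `alarm_precision` function makes the base-rate point concrete: with attacks making up 0.1% of traffic, a detector with 99% detection and a 1% false-positive rate still has only about 9% of its alarms correspond to real attacks.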
Unfortunately this type of filtering is “designed to defend against attacks involving spoofed IP addresses and therefore is less effective when adversaries can use (many) zombies’ authentic IP source addresses” [60].

Another method of filtering utilises “change-point detection algorithms”. This filtering technique isolates any changes in a statistic of the network traffic [61].

More advanced methods of DoS prevention have been developed, including the use of multi-layer puzzle-based architecture and cryptographic web connection authentication. Wang and Reiter describe puzzle-based DoS architecture as embedding “puzzle techniques into both end-to-end and IP-layer services” [62]. In this approach, a client solves a computational “puzzle” for requesting service before the server commits resources, thereby imposing a massive computational burden on adversaries bent on generating legitimate service requests to consume substantial server resources [63].

Cryptographic web connection authentication systems have been proposed to protect web servers from TCP SYN attacks where the IP address has been spoofed [64]. This method drops the first TCP SYN packet from the sender and sends back an HTTP redirection with two Message Authentication Code (MAC) keys. The first MAC is encoded with the pseudo-IP address of the redirected web site and the port number pair. The second MAC is encoded with the source IP address of the client and the port number pair. The second MAC is sent in the TCP sequence number of the TCP SYN cookie. Future packets with the correct MAC keys will pass through perimeter routers and the ones without will be filtered out [65].

[55] Edwards, 2008
[56] Edwards, 2008
[57] Edwards, 2008
[58] In Van Oorschot et al., 2006: 188
[59] Gelenbe and Loukas, 2007: 1300
[60] Wang and Reiter, 2008: 244
[61] Carl et al., 2006: 84-85
[62] Wang and Reiter, 2008: 243
[63] Wang and Reiter, 2008: 243-244
[64] Xu and Lee in Chen et al., 2004: 670
[65] Chen et al., 2004: 670
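A simplified Python sketch of the two cryptographic countermeasures above, added for this page; it is not code from the report or from the Wang and Reiter or Chen et al. papers. It shows a hash-based client puzzle that costs the client about 2^difficulty hashes but costs the server a single hash to verify, and a connection tag computed as an HMAC over the client's source address and port and truncated to 32 bits so that it fits the TCP sequence-number field, which a perimeter check validates on later packets. The scheme is reduced to one tag and omits the HTTP redirection step and the first MAC of the published design; the secret, nonce, addresses, port and difficulty are constructed values.

```python
"""Added example (not from the report or the cited papers): a simplified client
puzzle and a MAC-bound connection tag of the kind described above."""
import hashlib
import hmac
import os
import struct


# ---- Client puzzle --------------------------------------------------------
def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce: bytes, counter: int) -> bytes:
    return hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: search for a counter whose hash has `difficulty` leading zero
    bits. Expected cost is about 2**difficulty hashes, paid by the client before
    the server commits any resources to the request."""
    counter = 0
    while leading_zero_bits(puzzle_hash(nonce, counter)) < difficulty:
        counter += 1
    return counter


def verify_puzzle(nonce: bytes, counter: int, difficulty: int) -> bool:
    """Server side: one hash checks a solution, however hard it was to find."""
    return leading_zero_bits(puzzle_hash(nonce, counter)) >= difficulty


# ---- MAC-bound connection tag ---------------------------------------------
class ConnectionAuthenticator:
    """Issues a 32-bit tag bound to (client IP, port) under a server-side secret.
    Only a host that really receives traffic at that address learns its tag, so
    a packet with a spoofed source cannot carry a valid one."""

    def __init__(self, secret: bytes = None):
        self.secret = secret if secret is not None else os.urandom(32)

    def tag_for(self, client_ip: str, port: int) -> int:
        msg = f"{client_ip}:{port}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]   # truncated to fit a 32-bit sequence number

    def accepts(self, client_ip: str, port: int, seq: int) -> bool:
        """Perimeter check: does the sequence number carry the right tag for this source?"""
        expected = struct.pack(">I", self.tag_for(client_ip, port))
        return hmac.compare_digest(expected, struct.pack(">I", seq & 0xFFFFFFFF))


def demo_exchange(difficulty: int = 12):
    """Walk through both mechanisms with constructed values; returns the four outcomes."""
    auth = ConnectionAuthenticator(b"constructed-secret-for-this-example")  # constructed, not a real key
    nonce = b"constructed-nonce"

    # 1. Server challenges the client; the client does the work; the server checks it cheaply.
    solution = solve_puzzle(nonce, difficulty)
    puzzle_ok = verify_puzzle(nonce, solution, difficulty)

    # 2. Server sends the genuine client (RFC 5737 documentation address) its tag.
    client_ip, client_port = "198.51.100.7", 52000
    tag = auth.tag_for(client_ip, client_port)

    # 3. Later packets: the genuine client passes; a packet from another source that
    #    replays the observed tag fails; a packet claiming the client's address with
    #    a wrong tag fails too, since the tag is never sent to the spoofed address.
    genuine_passes = auth.accepts(client_ip, client_port, tag)
    replayed_passes = auth.accepts("203.0.113.9", client_port, tag)
    guessed_passes = auth.accepts(client_ip, client_port, (tag + 1) & 0xFFFFFFFF)
    return puzzle_ok, genuine_passes, replayed_passes, guessed_passes


if __name__ == "__main__":
    print(demo_exchange())   # -> (True, True, False, False)
```

The asymmetry is the point of both mechanisms: the puzzle moves work onto the requester, and the tag moves the burden of proving address ownership onto the sender, so the server spends one hash per check rather than holding connection state for every SYN it sees. Truncating to 32 bits is forced by the sequence-number field; it keeps guessing infeasible per packet but means the secret should be rotated regularly, which this sketch does not implement.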
Carl states that “techniques that detect DoS also apply to DDoS” [66]. Yet Wang and Reiter note that “existing DDoS tools are carefully designed not to disrupt the zombie computers, so as to avoid alerting the machine owners of their presence” [67]. This demonstrates another benefit of utilising puzzle-based DoS architecture, as the extra use of computing resources on a zombie machine “may alert the owner to the attacker’s use of this machine and motivate the owner to stop the attack” [68].

The issue with the majority of currently utilised DoS prevention techniques is that these defence mechanisms are relatively passive in nature; as Wang and Reiter state, “it is the sole responsibility of the defender to detect and filter denials-of-service, while the attacker is spared any penalty for squandering server resources” (Wang and Reiter, 2008: 243).

[66] Carl et al., 2006: 82
[67] Wang and Reiter, 2008: 245
[68] Wang and Reiter, 2008: 245

CONCLUSION
This work shows that many serious cyber threats exist when connected to the Internet. A lot of these threats have the potential to cause serious harm by compromising security goals, and (D)DoS attacks in particular cannot be fully protected against.

In chapter 2, we discussed software vulnerabilities and social engineering. The important insight here is that exploits and threats are still growing and that attacks are becoming more and more sophisticated and tricky. In order not to become a victim, one should take these threats seriously and put basic measures in place, such as patching and updating, anti-virus programs, firewalls and, last but not least, educating employees. Guidelines like the AS/NZS ISO/IEC 27002:2006 Code of practice for information security management can help to put appropriate policies in place [69].

Chapter 3 discussed the threat of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in detail. DDoS attacks are very powerful and are able to compromise the availability of services, and they can also be used to distract organisations from a real hacking attack aimed at compromising other security goals like the confidentiality and integrity of assets. The example of the DDoS attack against Estonia shows that small, trivial causes like the relocation of a war memorial can be enough for criminals to virtually shut down vital Internet services for weeks and potentially even longer. It is even stated that “since the end of the nineties, every political crisis, every conflict, every war between nations is being accompanied in the Web with mutual attacks by politically motivated hackers” [70]. It will be crucial for our modern Internet society to ensure that governments and infrastructure providers work together in order to curb compromised (bot-)networks. The introduction of new technology and software will certainly play a major role in achieving this goal. Perhaps the introduction of the IPv6 protocol can already solve some of the current major network weaknesses [71].

[69] See Standards Australia (2006)
[70] Patalong, 2008
[71] See e.g. Pouffary (2002)
RECOMMENDATIONS

The following recommendations are suggested for any organisation that has computers, or a network, attached to the Internet:

1. Install an Intrusion Detection System at the point of entry from the Internet
2. Install a hardware firewall at the point of entry from the Internet
3. Install and maintain antivirus software on each machine, and ensure that it is updated weekly at a minimum
4. If alternate online hosting is required, investigate Internet Service Providers that offer DoS mitigation services
REFERENCE LIST

AbsoluteSoftware (2009) Computer Theft & Recovery Statistics, URL: http://www.absolute.com/resources/computer-theft-statistics.asp (accessed 18/05/2009)
Arbor Atlas (2009) Global Dashboard, URL: http://atlas.arbor.net/
Badishi, G., Herzberg, A. and Keidar, I. (2007) IEEE Transactions on Dependable and Secure Computing, Keeping Denial-of-Service Attackers in the Dark, Volume 4, Issue 3, pp. 191-204.
BitDefender (2009) Trojaner waren im Jahr 2008 Sicherheitsbedrohung Nr. 1, URL: http://www.itseccity.de/?url=/content/virenwarnung/statistiken/090202_vir_sta_bitdefender.html (accessed 28/05/2009)
Bradley, T. (2006) Essential Computer Security, Rockland: Syngress Publishing.
BürgerCERT (2008) Aufgepasst!: Anzahl von Schädlingen und kritischen Lücken nimmt zu, URL: http://www.buerger-cert.de/newsletter_suche.aspx?param=HGf116Hsnmjdg%2b95Lx4xLSsULoURkvgpGUO3n7iKs8xI1eXl5Yo85xLSpHmHtYx%2f%2bPTfXjtKpVudkIXw6g7KXMR5BiOyaKocPMEfofMlpo61sJFK2BTqSw%253d%253d#anchor11 (accessed 28/05/2009)
Cabrera, J.B., Lewis, L., Qin, X., Lee, W. and Mehra, R.K. (2002) Journal of Network and Systems Management, Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management, Volume 10, Issue 2, pp. 225-254.
Carl, G., Kesidis, G., Brooks, R.R. and Rai, S. (2006) IEEE Computer Society, Denial-of-Service Attack-Detection Techniques, January, pp. 82-89.
CERT (2001) Denial of Service Attacks, URL: http://www.cert.org/tech_tips/denial_of_service.html (accessed 01/04/2009)
Chen, L., Longstaff, T.A. and Carley, K.M. (2004) Computers and Security, Characterization of defense mechanisms against distributed denial of service attacks, Issue 23, pp. 665-678.
Chen, Y., Hwang, K. and Ku, W. (2007) IEEE Transactions on Parallel and Distributed Systems, Collaborative Detection of DDoS Attacks over Multiple Network Domains, Volume 18, Issue 12, pp. 1649-1662.
Dell & Ponemon Institute (2008) Airport Insecurity: The Case of Missing & Lost Laptops, URL: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf (accessed 28/05/2009)
Edwards, J. (2008) 6 Lessons from the Church of Scientology DoS Attack, URL: http://www.itsecurity.com/features/scientology-dos-attack-021108/ (accessed 01/04/2009)
Edwards, J. (2008) Network Security Journal, DoS Attacks Take Aim at Small Business, January 17th, URL: http://www.networksecurityjournal.com/features/DoS-attacks-011708/ (accessed 01/04/2009)
Edwards, J. (2008) The Rise of Botnet Infections, URL: http://www.networksecurityjournal.com/features/botnets-rising-021308/ (accessed 01/04/2009)
F-Secure (2007) Weblog 9th of May, URL: http://www.f-secure.com/weblog/archives/archive-052007.html#00001188 (accessed 28/05/2009)
Gelenbe, E. and Loukas, G. (2007) Computer Networks, A self-aware approach to denial of service defence, Issue 51, pp. 1299-1314.
Goodin, D. (2008) Radio Free Europe hit by DDoS attack, URL: http://www.securityfocus.com/news/11515 (accessed 01/04/2009)
Hancock, B. (2000) Computers and Security, Mass Network Flooding Attacks (Distributed Denial of Service - DDoS) Surface in the Wild, Volume 19, Issue 1, pp. 6-17.
Heise Security (2009) Antivirenhersteller rät vom Einsatz des Adobe Readers ab, URL: http://www.heise.de/security/Antivirenhersteller-raet-vom-Einsatz-des-Adobe-Reader-ab--/news/meldung/136535 (accessed 28/05/2009)
Higgins, K.J. (2008) Information Week, Denial Of Service 2.0, May 26, p. 20.
iDefense Labs (2009) Adobe Flash Player Invalid Object Reference Vulnerability, URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773 (accessed 28/05/2009)
IT Security Staff (2007) Dive Into Intrusion Detection, URL: http://www.itsecurity.com/features/intrusion-detection-030807/ (accessed 01/04/2009)
Kawamoto, D. (2009) GoGrid hit with DDoS attack, affects half its customers, URL: http://news.cnet.com/8301-1009_3-10208732-83.html?tag=mncol;title (accessed 01/04/2009)
Kretkowski, P.D. (2007) The 10 Worst Virus Attacks of All Time, URL: http://www.itsecurity.com/features/10-worst-virus-attacks-111207/ (accessed 01/04/2009)
Kretkowski, P.D. (2007) Top 10 U.S. Government Web Break-ins of All Time, URL: http://www.networksecurityjournal.com/features/top-government-breakins-031906/ (accessed 01/04/2009)
Lemos, R. (2007) Estonia gets respite from Web attacks, URL: http://www.securityfocus.com/brief/504 (accessed 28/05/2009)
Lemos, R. (2007) Peer-to-peer networks co-opted for DOS attacks, URL: http://www.securityfocus.com/news/11466 (accessed 01/04/2009)
Leyden, J. (2004) WorldPay struggles under DDoS attack (again), URL: http://www.securityfocus.com/news/9632 (accessed 01/04/2009)
Leyden, J. (2008) Estonia fines man for DDoS attacks, URL: http://www.securityfocus.com/news/11503 (accessed 01/04/2009)
Li, J., Li, N., Wang, X. and Yu, T. (2009) International Journal of Information Security, Denial of service attacks and defenses in decentralized trust management, Issue 8, pp. 89-101.
Lischka, K. (2007) Estland schwächt Vorwürfe gegen Russland ab, URL: http://www.spiegel.de/netzwelt/web/0,1518,483583,00.html (accessed 28/05/2009)
Macia-Fernandez, G., Diaz-Verdejo, J.E. and Garcia-Teodoro, P. (2008) Computers and Security, Evaluation of a low-rate DoS attack against application servers, Issue 27, pp. 335-354.
McDowell, M. (2004) Understanding Denial-of-Service Attacks, URL: http://www.us-cert.gov/cas/tips/ST04-015.html (accessed 01/04/2009)
Messmer, E. (2008) Network World, Distributed DoS attacks surging in scale, ISPs report, Southborough, November 11.
Nazario, J. (2007) Estonian DDoS Attacks - A summary to date, URL: http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/ (accessed 28/05/2009)
Patalong, F. (2008) Ehrenamtliche Angriffe, URL: http://www.spiegel.de/netzwelt/web/0,1518,572033,00.html (accessed 28/05/2009)
Ponemon Institute (2007) 2007 Annual Study: U.S. Cost of a Data Breach, URL: http://download.pgp.com/pdfs/Ponemon_COB-2007_US_071127_F.pdf (accessed 28/05/2009)
Pouffary, Y. (2002) An Industry view of IPv6 Advantages, URL: http://www.ipv6-es.com/02/docs/yanick_pouffary_1.pdf (accessed 28/05/2009)
Poulsen, K. (2001) DoS attacks getting scarier, URL: http://www.securityfocus.com/news/271 (accessed 01/04/2009)
Rantanen, M. (2007) Virtual harassment, but for real, URL: http://www.hs.fi/english/article/Virtual+harassment+but+for+real+/1135227099868 (accessed 28/05/2009)
Richardson, R. (2007) CSI, The 12th Annual Computer Crime and Security Survey, URL: http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf (accessed 28/05/2009)
Rötzer, F. (2007) DoS-Angriffe auf Internetseiten der estnischen Regierung, URL: http://www.heise.de/tp/r4/artikel/25/25218/1.html (accessed 28/05/2009)
Schwartau, W. (1999) Computers and Security, Surviving Denial of Service, Volume 18, Issue 2, pp. 124-133.
Security Focus (2007) Electronic Jihad rears its head, again, URL: http://www.securityfocus.com/brief/619 (accessed 01/04/2009)
Security Focus (2008) Microsoft closes a critical network flaw, URL: http://www.securityfocus.com/brief/659 (accessed 01/04/2009)
Security Focus (2008) TCP flaws allow deadly DoS attacks, finders say, URL: http://www.securityfocus.com/brief/831 (accessed 01/04/2009)
Security Focus (2009) Cyber attacks disrupt Kyrgyzstan's networks, URL: http://www.securityfocus.com/brief/896 (accessed 01/04/2009)
Security Focus (2009) Cyber conflict? More like censorship, URL: http://www.securityfocus.com/brief/925 (accessed 01/04/2009)
Standards Australia (2006) AS/NZS ISO/IEC 27002:2006 Information Technology – Security techniques – Code of practice for information security management, URL: http://fulloffacts.com/get/x-misc/AS27002-2006-A1.pdf (accessed 28/05/2009)
Sung, M. and Xu, J. (2003) IEEE Transactions on Parallel and Distributed Systems, IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks, Volume 14, Issue 9, pp. 861-872.
Van Oorschot, P.C., Robert, J. and Martin, M.V. (2006) International Journal of Information Security, A monitoring system for detecting repeated packets with applications to computer worms, Volume 5, Issue 3, pp. 186-199.
Wang, X.F. and Reiter, M.K. (2008) International Journal of Information Security, A multi-layer framework for puzzle-based denial-of-service defense, Volume 7, pp. 243-263.
Wang, Y., Lin, C., Li, Q. and Fang, Y. (2007) Computer Networks, A queueing analysis for the denial of service (DoS) attacks in computer networks, Issue 51, pp. 3564-3573.
Warner, G. (2007) Estonia vs. Russia – The DDOS War, URL: http://www.birmingham-infragard.org/meetings/talks/presentations/Estonian.DDOS.pdf (accessed 28/05/2009)
Wikipedia (2009a) Phishing – Recent phishing attempts, URL: http://en.wikipedia.org/wiki/Phishing#Recent_phishing_attempts (accessed 28/05/2009)
Wikipedia (2009b) Denial of Service, URL: http://de.wikipedia.org/wiki/Denial_of_Service (accessed 28/05/2009)
Wireless News (2008) Radware Reports Denial-of-Service Vulnerability in Apple's iPhone Safari, April 28th.
Zhang, R. and Chen, K. (2005) Computers and Security, Improvements on the WTLS protocol to avoid denial of service attacks, Issue 24, pp. 76-82.
APPENDIX

DETAILS OF DDOS ATTACK AGAINST ESTONIA [72]

Not all attacks or attack dates are recorded in the following tables, but the most important dates are recorded. They give a good impression of the scope of this massive attack.

Attacks   Destination address     Owner
35        195.80.105.107/32       pol.ee
7         195.80.106.72/32        www.riigikogu.ee
36        195.80.109.158/32       www.riik.ee, www.peaminister.ee, www.valitsus.ee
2         195.80.124.53/32        m53.envir.ee
2         213.184.49.171/32       www.sm.ee
6         213.184.49.194/32       www.agri.ee
4         213.184.50.6/32
35        213.184.50.69/32        www.fin.ee (Ministry of Finance)
1         62.65.192.24/32
Tab. 0.1: Attack on Estonia: Targeted destinations

Attacks   Date
21        2007-05-03
17        2007-05-04
31        2007-05-08
58        2007-05-09
1         2007-05-11
Tab. 0.2: Attack on Estonia: Attack dates

“As for how long the attacks have lasted, quite a number of them last under an hour. However, when you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack. The longest attacks themselves were over 10 and a half hours long sustained, dealing a truly crushing blow to the endpoints.”

Attacks   Duration
17        less than 1 minute
78        1 min - 1 hour
16        1 hour - 5 hours
8         5 hours to 9 hours
7         10 hours or more
Tab. 0.3: Attack on Estonia: Attack durations

Finally, this is a decent sized botnet behind the attack, with aggregate bandwidth that was maxing out at nearly 100 Mbps.

Attacks   Bandwidth measured
42        Less than 10 Mbps
52        10 Mbps - 30 Mbps
22        30 Mbps - 70 Mbps
12        70 Mbps - 95 Mbps
Tab. 0.4: Attack on Estonia: Attack bandwidths

[72] For all of the following information, see Nazario (2007)