A SURVEY TO ANALYSE MITIGATION TECHNIQUES FOR DISTRIBUTED DENIAL OF SERVICE ATTACKS

Transcription

1 International Journal of Civil Engineering and Technology (IJCIET) Volume 9, Issue 11, November 2018, pp , Article ID: IJCIET_09_11_139 Available online at ISSN Print: and ISSN Online: IAEME Publication Scopus Indexed A SURVEY TO ANALYSE MITIGATION TECHNIQUES FOR DISTRIBUTED DENIAL OF SERVICE ATTACKS B. Rakhesh and S. Renuka Devi School of Computing Science and Engineering, Vellore Institute of Technology, Chennai, India ABSTRACT A Distributed Denial of Service (DDoS) attack is an attack in which multiple a computer system attack a target, such as a server, website or other network resource, and creates a denial of service for the legitimate users. The incoming messages, connection requests or malformed packets to the target system that are being flooded forces the victim to slow down or even crash and shut down, thereby service to legitimate users or systems is denied. In this paper, various techniques are studied to analyse mitigation methods in such a way that bot-masters attack is reduced thereby reducing the Distributed Denial of Service attack. This approach helps the legitimate users to reach the targeted resource without any denial of service. Keywords: DDoS, Attack, Botnet, Prevention, Detection Cite this Article: B. Rakhesh and S. Renuka Devi, A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks, International Journal of Civil Engineering and Technology, 9(10), 2018, pp INTRODUCTION DDoS attacks are used for crashing many companies total system. By crashing the companies servers it can cause them a huge loss in financial and economic terms. Nowadays DDoS attacks are not only used to bring down the competitors in business field but also to bring a large scoop to the individuals who crash the system. For example in May 2018[7], an incident happened with Verge. Verge is an open source crypto-currency that offers anonymous transactions by using geo-location of users. An attacker attacked verge mining pools and made off with 1.7 million dollars. Within next 2 months, the currency was attacked twice. DDoS attacks has this much threat in society to bring down the business competitors and to make huge money for individuals who make an attack. Denial of service is an attack where the intruder tries to make a machine or network resource unavailable to its intended legitimate users by disrupting services [3]. Distributed editor@iaeme.com

2 A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks Denial of Service uses a number of hosts to overwhelm a system making it to undergo a system crash. This is usually done by the botmasters [3]. A computer or networked device under the control of intruder is call bot. The attacker who controls and commands the network of bots is referred as botmasters [3]. The network of bots is called botnet. Figure 1 shows the DDoS attack of the targeted servers. Figure 1DDoS ATTACK DDoS attack makes use of number of masters to inculcate number of compromised machines to attack a victim [2]. Usually the victim might be a targeted server or machine that gets crashed due to enormous flow of packets or requests from the attacking armies [2]. The attacker usually sends the attack code to the master which enables the slaves to attack the victim in different networks. The degree of automation of all these works of attack are classified as [8] 1.1. Degree of Automation Manual All the work is done by the attacker itself that is the scanning of machines and the control of compromised machines are done manually [8]. Semi-Automatic The communication between the masters and slaves is manual based on the set of instructions from the attacker whereas the scanning and collecting the compromised machines is done automatically Direct Communication: The master and slaves are in good communication. Master s IP is sent to the slaves for the master to have good knowledge about the compromised slave Indirect Communication: The master doesn t have direct communication with the agents rather they make use of a communication service like Internet Relay Chat (IRC) to regulate the slaves work.[1] Automatic The scanning of machines, recruiting and compromising of machines are done automatically. There is no communication between the masters and slaves. All the requirements are in the attack code in slaves and attacked later on the victim [8]. Figure 2shows the grouping and communication of masters and slaves to attack victim editor@iaeme.com

3 B. Rakhesh and S. Renuka Devi Figure 2 Degree of Automation 1.2. Examples of DDoS Attacks Melbourne IT Domain name registrar Melbourne IT, as well as two of its subsidiaries netregistry and TPP wholesale (Australia s famous wholesale provider), suffered a DDoS attack on April 13, 2017 [4]. Dream Host: On august 24, 2017, a DDoS attack deluged web hosting provider and domain name registrar dream host, knocking its DNS infrastructure systems [4]. UK National Lottery: The attack knocked the lottery s website and its mobile app offline. This was attacked on 30 September, 2017 [4]. Electroneum: Electroneum crypto-currency startup had crowd-funded $40 million worth of bit-coins. Just before it launched its mobile mining application on November 2, 2017, the company s website suffered a DDoS attack [4]. 2. PHASES OF DDOS ATTACKS 2.1. Recruition of Attack Armies In this phase, the attacker creates a number of handlers or masters which in turn propagates the slaves or compromised agents. The worms are being used by the attackers for recruiting the attack armies. This is usually done by scanning of compromised agents [1]. Hit list Scanning: An initial list of machines that are prone to get attacked is created. When the worm is released, it scans through the list to create the compromised machines. When the worm infects a machine it would have propagated half of the list thereby reducing much time in infecting machines. Random Scanning: The IP address space consists of the IP address range of the network. Compromised machines with random IP address try to infect new machines. Topological Scanning: Here when the machine gets infected the worm tends to get a new target from the information contained in the machine. Ex: any peer to peer application. Permutation Scanning: A list of false-random permutation of the IP address space is used here to infect new machines. An index is used for mapping of IPs editor@iaeme.com

4 A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks Local-Subnet Scanning: new machines are searched by already compromised machines in the own local subnet of the attack Propagation After recruiting all the armies the attack code must be propagated for the attack of the victim from the masters to the slaves. Central-Source: The attack code is given to compromised machines or victims by a central source. Major disadvantage is central point failure. Back Chaining: Here the attack code is got from the infected machine to attack the newly compromised machine. Autonomous: During the time of exploitation, the attack code is transferred from the attacker itself to the infected machine Attack After the grouping of attack armies and propagation of attack code, the compromised agents send enormous requests or packets to the targeted victims thereby attacking them to get crashed. Attacks are being done in Network layer, application layer and transport layer. The attack that overflows the major resources of the system is called Resource-Depletion attack. The attack that makes use of some protocols to exploit the weakness of the network layer is called Protocol-Exploit attacks Attacks on Transport Layer: TCP SYN Attack: TCP requires continuous acknowledgement for data transfer between 2 parties. This is done by three-way handshaking.first, SYN packet is sent to the server, next server acknowledges by sending ACK packet. Finally, client sends back ACK packet. All the intermediate states are stored in the memory of the server. Attacker makes use of this and floods server s memory and crashes access of legitimate users and since spoofed IP is used by the attacker, the ACK packet is also lost making the server to send the ACK requests number of times and get crashed [9]. Figure 3shows the TCP SYN Attack. Figure 3 TCP SYN Attack editor@iaeme.com

5 B. Rakhesh and S. Renuka Devi TCP PUSH+ACK Attack: the compromised agents send large number of packets by setting 1 to PUSH and ACK bits of header. The attackers flood the victim with this type of messages making it to run out of memory. UDP Flood Attack: A random port of the victim is targeted and large stream of User Datagram Protocol packets are sent by the attacker armies [10]. Figure 4 shows the UDP Flood Attack Attacks on Network Layer Figure 4 UDP Flood Attack Land Attack: The victims IP address is set to the packet source and destination IPs. This creates infinite loop and crashes the system as message is replied back to itself [11]. Figure 5 shows the Land Attack. Figure 5 Land Attack Ping of Death Attack: The attackers create a malformed packet of maximum size. When this packet is sent to the machine it causes the system to get freeze or stalled thereby making the system to get crash [12]. Figure 6 shows ping of death attack editor@iaeme.com

6 A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks Figure 6 Ping of Death Attack Ip Packet Option Field Attack: The attacker attacks the victim by targeting and randomizing the optional fields of the IP packet. Thus the victim gets crashed as it is flooded with packets of such malformation. Teardrop Attack: This attack makes use of the attacker to manipulate the offset value which creates problem at the re-assembling of the fragmented packets Attacks on Application Layer HTTP Flood Attack: The attackers make use of the HTTP GET and POST requests. The GET request is used to download multiple large files. The attacker sends a large number of GET requests which makes the victim to download a large number of heavy files that gets stored in the backend storage. Thus a huge memory is used and this causes the victim to get crashed. Since the storage is used in here, this is one kind of resource depletion attack [13]. Figure 7shows http flood attack. Figure 7 HTTP Flood Attack SIP Flood Attack: Here the proxy server is flooded by the attacker over the application layer protocol call Session Initiation Protocol (SIP). The attacker sends a number of SIP requests and control messages like SIP INVITE and SIP NOTIFY, etc [14].Fig 8. Below shows Sip flood attack editor@iaeme.com

7 B. Rakhesh and S. Renuka Devi Figure 8 SIP Flood Attack Sloworis: In this type of attack, the targeted web server is kept open for a long time. Initially the HTTP headers are sent but not the complete request is done. In this fashion a huge number of requests are sent keeping the targeted web server open a long time which blocks the legitimate users from accessing the web server. Http Fragmentation: In this attack, The HTTP Packets are fragmented into a number of small packets and they are sent at a minimum possible rate through a valid connection. Thus the attacker keeps the web server open for a long time and prevents access from legitimate users. RUDY (R.U.Dead.Yet): In this attack, a web server is crashed by sending long term fields in a small sized packet usually 1byte in a very slow rate. This prevents the legitimate user to access the web server as it is waited for a long time. DNS Amplification Attack: The attacker maximizes the functionality of DNS by overwhelming it with an amplified amount of traffic [15]. Figure 9 show DNS amplification attack. Figure 9 DNS Amplification Attack editor@iaeme.com

8 A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks NTP Amplification Attack: The attacker makes the Network time protocol servers to get exploited with UDP packets traffic. 3. DDOS ATTACKS MITIGATION DDoS Attacks are mitigated by implying the defence mechanisms that detect the attacks and prevent the attacks. The defence mechanisms has two methods: Detection and Prevention 3.1. DDoS Detection A number of methods are available to detect the DDoS attacks occurring at different layers. Detection is mainly classified into 2 types [1] [6]: Signature Based Detection: Based on the DDoS attacks, the attack signatures are identified and detected to differentiate a normal traffic from a malicious traffic Anomaly Based Detection This type of detection makes attempt to detect any type of misuse that falls out of normal system operation. Here the anomaly is used to differentiate the malicious traffic from a normal one. BRO: An anomaly based intrusion detection system which monitors the network traffic of an attacker. DWARD: It is installed at the source of the attack and detects anomalies using traffic statistics. It uses rate limitation technique based on the traffic categories: attack, legitimate, suspicious traffic. SNORT: A lightweight rule based detection tool. It depends upon pattern matching and has both signature and anomaly combined together DDoSAttack Prevention The attack once found how it works and detected, it needs to prevent them from attacking. Prevention is done using filters, load balancing, honey pots, etc [1] Prevention Using Filters Filters are used to prevent traffic. With the prevention of traffic, the anomalous traffic can be eliminated from attacking the victims. Ingress/Egress Filtering: most of the attack is done with spoofed IP in application layers. The protected networks require IPs to enter in them. The attack is made with the help of spoofed IPs. This filter helps in preventing the traffic with spoofed IPs. History Based Filtering: This filter enables the mechanism where normal traffic history is loaded and this prevents the malicious traffic to enter into because this filter notes the history of the normal traffic. Hop Count Filtering: For a packet to travel from source to destination, it has a number of hops to reach the destination from source. It is not possible to alter the number of hops of the packets. With the count of the number of hops, the validity of the packet is determined. This filter prevents traffic with this hop count validation Route Based Filtering: The core router has route information of the packets of each link. This filtering is done based on this route information. Border Gateway Protocol is required to implement this route filtering technique editor@iaeme.com

9 B. Rakhesh and S. Renuka Devi Path Identifier: The path the packet of the attacker is noted in here. This method filters the packets that come from the path detected by this filter Load Balancing: Managing the traffic loads also leads to important factor in DDoS attack prevention. This balanced load prevents the traffic of malicious packets and differentiates them from the packets of normal traffic. Hence no system gets overloaded of malicious packets Honeypots: Honeynets mimics the actual network and create a less secure network that attract the attackers [1]. Now the attackers attack the honeypots that are created and not the actual system. Hence the actual system is protected. 4. CONCLUSION In this survey, a number of systematic and comprehensive attacks of DDoS at different layers are presented. The defence methods and the detection methods are presented. The prevention of the attacks using filters at different layers are provided in this survey. However, this survey works as an easy basement for future DDoS attacks and their prevention and mitigation. REFERENCES [1] Tasnuva, M., Yang, X., Guang, S. and Wangdong J. A survey of distributed denial-ofservice attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks.13 (12), [2] Shilpa, P., Ashutosh, G, G., and Ratul, D. Different Type Network Security Threats and Solutions, a Review. IPASJ International Journal of Computer Science. 5(4), April [3] DDoS Attack: / [4] DDos 2017: [5] DDoS Types: [6] Assad, R. Anomaly Detection Systems for Distributed Denial of Service Attack, [7] DDoS Report 2018: Q2 attack: [8] Abbass, A, Naghmeh, R.A. Comprehensive Taxonomy of DDoS Attacks and Defense Mechanism Applying in a Smart Classification. WSEAS Transactions on Computers, [9] TCP+SYN. [10] UDP flood. [11] Land Attack: [12] Ping of Death attack: [13] Chesla, A., Radware Ltd, Generated anomaly pattern for HTTP flood protection. U.S. Patent 7,617,170, [14] Geneiatakis, D., Vrakas, N., and Lambrinoudakis, C. Utilizing bloom filters for detecting flooding attacks against SIP based services. Computers& security, 28(7), 2009, pp [15] DNS Amplification attack: editor@iaeme.com

10 A Survey to Analyse Mitigation Techniques for distributed Denial of Service Attacks [16] N. Srihari Rao, Prof. K. Chandra Sekharaiah and Prof. A. Ananda Rao, An Approach to Distinguish the Conditions of Flash Crowd Versus Ddos Attacks and to Remedy a Cyber Crime. International Journal of Computer Engineering and Technology, 9(2), 2018, pp [17] Samer Charbaji. Comparison of the Accuracy of Bivariate Regression and Box Plot Analysis in Detecting DDOS Attacks. International Journal of Electronics and Communication Engineering & Technology, 6(12), 2015, pp [18] Dr. Imad S. Alshawi, Dr. Kareem R. Alsaiedy, Ms. Vinita Yadav and Ms. Rashmi Ravat4, Defense Framework (Stream) For Stream-Based Ddos Attacks On Manet, International Journal Of Information Technology & Management Information System (Ijitmis),5(1), Pp [19] Mahadev, Vinod Kumar and Himani Sharma, Detection and Analysis of DDOS Attack at Application Layer Using Naïve Bayes Classifier. International Journal of Computer Engineering & Technology, 9(3), 2018, pp editor@iaeme.com