




Defence against Distributed Denial of Service Attacks

Abstract

With the rapid development of the internet, computers and networks play a very important role in the world. Although the internet has brought many advantages, it also has many weaknesses that were not foreseen, such as viruses of all kinds and cyber attacks. The distributed denial of service (DDOS) attack is one typical cyber attack. Because so many techniques are involved in DDOS attacks, it is quite difficult to solve the DDOS problem at the root, so further discussion of the matter is necessary. This essay presents the current state of DDOS, surveys the methods used to defend against DDOS attacks, and compares the advantages and disadvantages of these techniques.

Contents

1. Introduction
2. Literature Review
2.1 History of DDOS attack tools
2.2 Related work
3. Analysis of active methods to defend against DDOS attacks
4. Future Work and Conclusion

1. Introduction

In order to understand DDOS, it is essential to understand the concept of DOS. In a DOS attack, an attacker attempts to prevent the intended users from accessing computer resources (Travis, nd). The principle of the attack is that the target computer system cannot process requests from legitimate users because logically valid service requests have been used to occupy too many of its resources. With the growth of computer processing capacity and network technology it became difficult to launch an effective attack from a single DOS source, and DDOS came into existence as the situation required. DDOS is an enhancement of DOS in which several attackers, or attacking machines, target one computer system at the same time, so DDOS is defined as follows: the attacker(s) implement an attack through a number of controlled hosts on the internet in order to prevent the intended users from accessing computer resources (Keith, 2001).
The multiple hosts that have been compromised and controlled for use in a DDOS attack are the core of DDOS. Once the attacker breaks into systems that have security holes and installs the DDOS attack software on them, each compromised computer becomes a daemon (an agent) under the attacker's control. The attacker commonly uses automated tools, easily downloaded from hacker websites, to find and compromise potential daemons. When the attacker controls enough daemons, one DDOS attack can be launched with a single command from a handler program. Apart from improving the effectiveness of the attack, the reason attackers try to obtain thousands of daemons is to keep their identity concealed (Zhou & Chonka 2007): every daemon can relay the attack command, and the daemons form stepping stones, a new layer that hides the real attacker (Zhou & Chonka 2007).

A DDOS attack is a sophisticated technical crime, and it causes heavy losses of money and time for its victims. DDOS attacks are also used in more serious crimes such as fraud, theft and extortion (Enterprise/Salt Lake City, 2005). Moreover, the size and variety of DDOS attacks constantly evolve (M2pressWIRE, 2007). However, current DDOS defence techniques such as traffic monitoring, congestion control and passive traceback are passive, because all actions based on these techniques are taken after the attack has begun. Therefore, it is very significant to keep researching superior active defence mechanisms.

2. Literature Review

2.1 History of DDOS attack tools

DDOS attack tools have a short history. The first DDOS attack tools, in 1998, were TCP, UDP and ICMP floods that worked with minimal bandwidth; they could combine several attack types, but were limited to networks of fewer than ten hosts (Zaroo, nd).
The next year, multiple attack tools such as trinoo appeared, which let attackers work together to bring down systems; the attack capability improved dramatically (Zaroo, nd). In February 2000 this assessment was proved correct: Yahoo, Amazon, B, CNN, eBay, E*Trade and ZDNet were all hit by DDOS attacks, and all of these companies suffered huge economic losses (Kessler, 2000). In 2001, worms were used to automate the propagation of daemons and to perform aggressive scanning (Zaroo, nd). In 2003 the notorious SQL Slammer worm exploited a vulnerability in Microsoft SQL Server; its unprecedented speed of infection increased the damage a DDOS attack could do (Zaroo, nd).

2.2 Related work

The damage done by DDOS attacks is growing, so more sophisticated defence systems and techniques are needed. Until now, passive defence methods have been used against DDOS attacks, but they are far from enough to protect the victim. Passive defence consists of a detection mechanism and a reaction mechanism. Detection mainly includes traffic volume monitoring, source IP address monitoring and packet content analysis; the idea behind these methods is to use statistical analysis to tell legitimate connections from attack traffic (Naim, 2008). Reaction mainly includes filtering, congestion control, passive traceback and replication; these methods are designed to stop a DDOS attack from overrunning the system (Naim, 2008). It is an inevitable fact, however, that the degree of automation of current passive systems must be improved. For example, routers produced by Cisco can only detect an attack manually, through access list logging and IP accounting (Zhou, Xiang & Chowdhury, 2004). It is therefore clear that a passive defence system can only detect and react after an attack has been launched, and that the development of active defence systems and techniques is a promising direction.

3. Analysis of active methods to defend against DDOS attacks

3.1 Distributed Active Defence System

As mentioned before, the main limitation of a passive defence system is that it can only act after the attack has been launched. Therefore, in order to minimise the damage of a DDOS attack and bring it under control as soon as possible, active defence systems and techniques should be developed. The core of the active defence technique is a surveillance-trace-control cycle, in which surveillance, trace and control are the three key stages. Surveillance has more advantages than the monitoring used in passive defence: besides malicious packets, surveillance is able to recognise many other possible attack signatures, such as scanning signatures, propagation patterns and the communication patterns of the agents (Zhou, Xiang & Chowdhury, 2004). Traceback is used to identify the attackers; compared with passive traceback, active traceback not only locates the thousands of agents but also tries to find the real criminal (Zhou, Xiang & Chowdhury, 2004). Finally, the control technique used in an active defence system stops attack packets both on the victim side and on the attacker side (Zhou, Xiang & Chowdhury, 2004). A distributed active defence system can therefore provide extensive protection for systems and web services. In the following sections, this essay explains three types of current active defence techniques: source end defence, active traceback and protocol-based defence.

3.2 Source End Defence

Ideally, DDOS attacks should be blocked as close to their sources as possible, that is, the attack traffic should be removed where it originates. Source end defence contributes to this and has two aspects. The first aspect is source end detection, and the typical approach is a source end firewall.
Firewalls are able to filter out malicious packets using known attack signatures. The other aspect is source end response. Because attack detection is unreliable, all responses should be liberal, selective and dynamic (Mirkovic, 2003).

DDOS Network Attack Recognition and Defense (D-WARD) is a well-known source end defence system which detects outgoing attacks, prevents them, and continues to provide normal service to users while the system is under attack.

Figure 1: the D-WARD system is installed at the source router. Source: SecurityD, 2004.

As shown in Figure 1, the D-WARD system is installed at the source router, which is the only connection between the source network and the rest of the Internet. The basic D-WARD operation has three steps. First, D-WARD monitors flow statistics between the source network and the rest of the internet. Second, D-WARD compares the collected statistics against models of normal flows. Finally, if the collected statistics do not fit a normal flow model, the flow is classified as an attack and filtered (Peng, Leckie & Ramamohanarao, 2007). Because both the detection and the response components are deployed at the source end of the attack, the system can detect a DDOS attack as early as possible and avoid serious network congestion (Zhou, Xiang & Chowdhury, 2004). Source end defence is therefore a good active defence approach.

3.3 Active Traceback

As the name suggests, active traceback can act against a DDOS attack earlier than passive traceback. IP traceback schemes include ingress filtering, link testing, logging, ICMP traceback and probabilistic packet marking (PPM). Logging traceback and packet marking traceback are the two techniques typically used in active defence systems. Logging analyses the traffic pattern through probabilistic sampling and the storage of transformed packet information at routers, and reconstructs the path of the attack traffic.
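Before the traceback techniques, the three-step D-WARD cycle of section 3.2 (monitor per-destination flow statistics at the source router, compare them against a normal-flow model, rate-limit flows that do not fit) in code. This is an added example, not code from the essay or from the D-WARD project. The normal-flow model used here, a maximum ratio of TCP packets sent to packets received per destination, follows the D-WARD idea, but the threshold of 3:1, the minimum sample size, the starting rate limit and the penalty and recovery factors are assumptions of this example, and the traffic is constructed rather than captured.

```python
"""Source-end flow monitor in the style of D-WARD (added example)."""
from dataclasses import dataclass

# Assumed normal-flow model for TCP: legitimate TCP is two-way, so the source
# network should not send more than about three packets per packet it gets
# back from a destination. The exact number is an assumption of this example.
MAX_TCP_SEND_RECV_RATIO = 3.0
MIN_PACKETS_TO_JUDGE = 20          # too little data: leave the flow alone
INITIAL_RATE_LIMIT_PPS = 1000.0    # starting per-flow rate limit (assumed)
PENALTY_FACTOR = 0.5               # halve the limit while a flow misbehaves
RECOVERY_FACTOR = 2.0              # double it back once the flow looks normal


@dataclass
class FlowStats:
    """Counters for one flow: the source network <-> one external destination."""
    sent: int = 0          # packets from the source network to the destination
    received: int = 0      # packets from the destination back into the network
    rate_limit: float = INITIAL_RATE_LIMIT_PPS
    verdict: str = "normal"


def classify(stats: FlowStats) -> str:
    """Step 2 of the D-WARD cycle: compare a flow against the normal model."""
    if stats.sent < MIN_PACKETS_TO_JUDGE:
        return "normal"
    if stats.received == 0:
        return "attack"            # one-way TCP traffic: nothing ever answers
    if stats.sent / stats.received > MAX_TCP_SEND_RECV_RATIO:
        return "attack"
    return "normal"


def observe(flows: dict, packets: list) -> None:
    """Step 1: count packets per external destination for this interval."""
    for direction, external_ip in packets:
        stats = flows.setdefault(external_ip, FlowStats())
        if direction == "out":
            stats.sent += 1
        else:
            stats.received += 1


def react(flows: dict) -> dict:
    """Step 3: rate-limit flows that do not fit the model; relax the others.

    The limit decays exponentially while the verdict stays "attack" and grows
    back towards the initial value once the flow conforms again."""
    for stats in flows.values():
        stats.verdict = classify(stats)
        if stats.verdict == "attack":
            stats.rate_limit = max(1.0, stats.rate_limit * PENALTY_FACTOR)
        else:
            stats.rate_limit = min(INITIAL_RATE_LIMIT_PPS,
                                   stats.rate_limit * RECOVERY_FACTOR)
        stats.sent = stats.received = 0      # counters restart every interval
    return {dst: (s.verdict, s.rate_limit) for dst, s in flows.items()}


def run_intervals(intervals: list) -> dict:
    """Run the observe/react cycle over successive observation intervals."""
    flows: dict = {}
    result: dict = {}
    for packets in intervals:
        observe(flows, packets)
        result = react(flows)
    return result


def sample_intervals() -> list:
    """Constructed traffic (not a capture), addresses from documentation ranges:
    a normal web session with 203.0.113.10 (40 out, 30 back), a one-way flood
    towards 198.51.100.5, and a flow too small to judge."""
    normal = [("out", "203.0.113.10")] * 40 + [("in", "203.0.113.10")] * 30
    flood = [("out", "198.51.100.5")] * 500
    tiny = [("out", "192.0.2.77")] * 5
    return [normal + flood + tiny, normal + flood]


if __name__ == "__main__":
    for dst, (verdict, limit) in run_intervals(sample_intervals()).items():
        print(f"{dst:15} {verdict:7} rate limit {limit:.0f} pps")
```

After two intervals the flood towards 198.51.100.5 has been cut to a quarter of its starting rate while the two-way web session keeps its full limit; the liberal response the essay asks for is visible in the gradual decay, which avoids cutting off a flow on a single noisy interval.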
In other words, network routers log the path taken by attack packets (Zhou, Xiang & Chowdhury, 2004). Logging reveals the real path by which packets arrived at the target system, regardless of whether the source address in the packets is correct or forged, so the method observes the attack well. One logging approach is the Source Path Isolation Engine (SPIE), developed for IP version 4. SPIE is designed to identify the true origin of an IP packet by having the intermediate routers log digests of every packet they forward (Lee et al, 2003). The advantage of the logging technique is that it can search for the source of attack packets effectively and trace the real attackers. In order to reduce the storage requirement, hashing is used in logging traceback: with hashed digests the storage needed in a router is about 0.5% of link bandwidth per unit time (Lee et al, 2003). Hence, logging traceback is also a good method for an active defence system.

The concept of packet marking is to mark packets by placing traceback data into the IP packet as it passes through routers on the way to the target system, and then to reconstruct the path of the attack packets from the marks (Zhou, Xiang & Chowdhury, 2004). The basic approach is called Probabilistic Packet Marking (PPM). In a PPM approach, routers probabilistically write identification information into passing packets, and the victim system rebuilds the attack path by analysing the marked packets it receives (Gong & Sarac, 2007). Generally there are many attackers and many paths that attacks take, so PPM records routers either by an edge marking scheme or by a node marking scheme. Packet marking has several advantages. First, packet marking can not only identify the real attacker but also be used to filter the attack packets. Moreover, if the traceback data is put in the IP header, no additional storage is needed at the routers (Christos & Aikaterini, 2003).
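The two traceback techniques of this section, hash-based logging in the manner of SPIE and probabilistic packet marking with edge sampling, side by side in one toy network. This is an added example, not code from the essay, from SPIE or from any PPM paper. The topology (attacker behind R1, path R1-R2-R3 to the victim V, a side router R4), the packets, the Bloom filter size and the marking probability of 0.5 are all constructed for the illustration; real PPM schemes squeeze the mark into the 16-bit IP identification field, which the toy keeps as separate attributes so that the marks do not disturb the digest.

```python
"""SPIE-style digest logging and PPM edge sampling in one toy network."""
import hashlib
import random
from dataclasses import dataclass

# Constructed topology: attacker -> R1 -> R2 -> R3 -> victim V.
# R4 also feeds R2 but never carries the attack traffic.
UPSTREAM = {"V": ["R3"], "R3": ["R2"], "R2": ["R1", "R4"], "R1": [], "R4": []}
ATTACK_PATH = ["R1", "R2", "R3"]
MARK_PROBABILITY = 0.5              # p for edge sampling (assumed)


@dataclass
class Packet:
    src: str                        # attacker-chosen, so not trustworthy
    dst: str
    ip_id: int
    payload: bytes
    ttl: int = 64
    start: str = ""                 # edge-sampling mark: edge start router,
    end: str = ""                   # edge end router,
    distance: int = 0               # hops since the mark was written


def digest(pkt: Packet) -> bytes:
    """SPIE-style digest over fields that do not change hop to hop: TTL,
    checksum and options are masked; only the first 8 payload bytes count."""
    data = f"{pkt.src}|{pkt.dst}|{pkt.ip_id}|".encode() + pkt.payload[:8]
    return hashlib.sha256(data).digest()


class BloomFilter:
    """Space-efficient digest store (SPIE reports roughly 0.5% of link
    bandwidth per unit time); membership tests can give false positives."""
    def __init__(self, bits: int = 1 << 16, hashes: int = 3):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, d: bytes):
        for i in range(self.hashes):          # k positions from k digest slices
            yield int.from_bytes(d[4 * i:4 * i + 4], "big") % self.bits

    def add(self, d: bytes) -> None:
        for pos in self._positions(d):
            self.array[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, d: bytes) -> bool:
        return all(self.array[p // 8] >> (p % 8) & 1 for p in self._positions(d))


def forward(routers, pkt, logs, rng):
    """Carry one packet along `routers`; each router logs the digest (SPIE)
    and marks the packet with probability p (edge sampling)."""
    for router in routers:
        logs.setdefault(router, BloomFilter()).add(digest(pkt))
        pkt.ttl -= 1
        if rng.random() < MARK_PROBABILITY:
            pkt.start, pkt.end, pkt.distance = router, "", 0
        else:
            if pkt.distance == 0:
                pkt.end = router            # finish the edge the previous hop began
            pkt.distance += 1
    return pkt


def spie_traceback(victim, pkt, logs):
    """Walk upstream from the victim, following only routers whose digest log
    contains this packet. Branching (several matches) is not handled here."""
    d, path, current = digest(pkt), [], victim
    while True:
        matches = [r for r in UPSTREAM[current] if r in logs and d in logs[r]]
        if not matches:
            return path
        current = matches[0]
        path.append(current)


def ppm_reconstruct(packets):
    """Chain the marked edges by distance, nearest router first. Marks the
    attacker forged survive only with distance >= the true path length, so
    they can only extend the path beyond its real origin."""
    edges = {}
    for p in packets:
        edges.setdefault(p.distance, set()).add((p.start, p.end))
    path = []
    for dist in sorted(edges):
        for start, end in sorted(edges[dist]):
            if dist == 0 or (path and end == path[-1]):
                path.append(start)
    return path


def simulate(n_packets=300, seed=7):
    """Spoofed-source attack packets carrying a forged mark ("EVIL", distance
    0); R4 forwards constructed background traffic so its log is non-empty."""
    rng, logs = random.Random(seed), {}
    for k in range(50):
        forward(["R4"], Packet("192.0.2.1", "198.51.100.7", k, b"background"), logs, rng)
    received = [forward(ATTACK_PATH,
                        Packet("203.0.113.9", "V", 40000 + k, b"GET / HTTP/1.0",
                               start="EVIL", end="", distance=0), logs, rng)
                for k in range(n_packets)]
    return spie_traceback("V", received[0], logs), ppm_reconstruct(received)
```

Logging recovers the path R3, R2, R1 from a single packet, because the digest ignores the spoofed source and every hop's log is queried directly. Edge sampling needs many packets and recovers the same three routers, followed by the forged "EVIL" edge: since every router increments the distance of an unmarked packet, a forged mark can never claim a position closer to the victim than the real path, which is exactly the limitation the victim must keep in mind when reading the tail of a PPM path.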
Packet marking could therefore be a good way to defend against DDOS actively.

3.4 Protocol-based Defence

DDOS attacks happen because the protocols have many limitations, so in order to solve the DDOS problem completely, fixing the limitations of the protocols could be an advanced approach. In recent years, new protocols have been devised to resist DDOS attacks; the key exchange protocols used with IPsec, discussed next, are an example.

Internet Key Exchange (IKE) is a key management protocol standard. It is used with the IP Security (IPsec) standard, and together they provide strong authentication and encryption of IP packets (Cisco, nd). IKE is a complex protocol whose algorithm requires a large number of steps to complete, and a DDOS attack can misuse this to exhaust the resources of servers (Zhou, Xiang & Chowdhury, 2004). To protect the key exchange from DDOS attacks, a new key exchange protocol, Just Fast Keying (JFK), was specifically developed. JFK has two variants, JFKi and JFKr: JFKi protects the identity of the initiator against active attackers, and JFKr protects the identity of the responder against active attackers. Thanks to a cookie (an authenticator) in its first reply, the responder does not need to store any session state, and it performs no public key operations until the initiator has returned a valid cookie (Aiello et al, 2003). As a result, the goal of protecting the key exchange from DDOS attacks can be achieved. In December 2005, IKEv2 was published as an internet standard (RFC 4306) to keep IKE from being abused by DDOS attacks; this protocol is characterised by reliability and rekeying. If the limitations of the protocols are fixed, DDOS attacks could be solved completely, and, as shown above, the protocols have indeed been improved continuously as technology developed. Therefore, protocol-based defence is worth researching in the future.

4. Future Work and Conclusion

Active defence against DDOS attacks is still not mature; although the idea is widely accepted in the abstract, there are undeniably many shortcomings.
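The stateless-responder idea of section 3.4 in code, before the open problems are listed: the responder answers the first message with a precomputed Diffie-Hellman value and an HMAC cookie, stores nothing, and does no public key operation until a third message returns a valid cookie. This is an added example in the spirit of JFK, not code from the essay or from the JFK authors, and it keeps only the denial-of-service-relevant mechanism: the 61-bit prime and generator are a toy group that is not safe for real use, and JFK's signature over g^r, its binding of the cookie to the initiator's address, and its identity-protection variants are omitted.

```python
"""Stateless-responder key exchange in the spirit of JFK (added example)."""
import hashlib
import hmac
import os
import secrets

P = (1 << 61) - 1      # toy prime, illustration only; use a real group in practice
G = 3


def enc(*parts) -> bytes:
    """Length-prefixed encoding so that (a || b) cannot be confused with (ab)."""
    out = b""
    for part in parts:
        b = part if isinstance(part, bytes) else part.to_bytes(16, "big")
        out += len(b).to_bytes(2, "big") + b
    return out


class Responder:
    def __init__(self):
        self.cookie_key = os.urandom(32)     # HKr in JFK; rotated periodically
        self.r = secrets.randbelow(P - 2) + 1
        self.g_r = pow(G, self.r, P)         # computed once, reused across sessions
        self.sessions = {}                   # state exists only after message 3
        self.public_key_ops = 0              # per-session modular exponentiations

    def _cookie(self, n_i: bytes, g_i: int) -> bytes:
        return hmac.new(self.cookie_key, enc(n_i, g_i, self.g_r), hashlib.sha256).digest()

    def message2(self, n_i: bytes, g_i: int):
        """Reply to message 1: one HMAC, and nothing is remembered."""
        return self.g_r, self._cookie(n_i, g_i)

    def message3(self, n_i: bytes, g_i: int, cookie: bytes):
        """Only a valid cookie buys the expensive work and a session slot."""
        if not hmac.compare_digest(cookie, self._cookie(n_i, g_i)):
            return None                      # dropped: no state, no exponentiation
        self.public_key_ops += 1
        shared = pow(g_i, self.r, P)
        key = hashlib.sha256(enc(n_i, g_i, self.g_r, shared)).digest()
        self.sessions[n_i] = key
        return key


class Initiator:
    def __init__(self):
        self.n_i = os.urandom(16)
        self.i = secrets.randbelow(P - 2) + 1
        self.g_i = pow(G, self.i, P)

    def run(self, responder: Responder) -> bool:
        """Messages 1 to 3; returns True if both sides derive the same key."""
        g_r, cookie = responder.message2(self.n_i, self.g_i)
        their_key = responder.message3(self.n_i, self.g_i, cookie)
        my_key = hashlib.sha256(enc(self.n_i, self.g_i, g_r,
                                    pow(g_r, self.i, P))).digest()
        return their_key == my_key


def flood_message1(responder: Responder, count: int) -> tuple:
    """Spoofed first messages: the responder answers each but keeps nothing.
    Returns (sessions held, public key operations performed)."""
    for _ in range(count):
        responder.message2(os.urandom(16), secrets.randbelow(P))
    return len(responder.sessions), responder.public_key_ops


def forged_message3(responder: Responder) -> bool:
    """An attacker who never saw message 2 cannot produce the cookie."""
    return responder.message3(os.urandom(16), 12345, os.urandom(32)) is not None


if __name__ == "__main__":
    r = Responder()
    print("honest exchange agrees on key:", Initiator().run(r))
    print("after 10000 spoofed msg1 (sessions, pubkey ops):", flood_message1(r, 10000))
    print("forged message 3 accepted:", forged_message3(r))
```

The contrast with a responder that allocates state, or computes g^xy, on the first message is the whole point: here a flood of spoofed first messages costs the responder one HMAC each and leaves its session table and exponentiation count unchanged, and a forged third message is rejected before any public key work is done.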
One such shortcoming is that the effectiveness of protocol-based defence depends on the extent and degree of deployment of the new protocols. Another is that many functions of active defence systems are implemented in routers; however, the architecture and defence principles of a router are easy to understand and to circumvent, so anti-circumvention (anti-crack) techniques need to be developed.

In conclusion, this essay has explained the problem of DDOS attacks and the active defence techniques of recent years. The progress of science brought about DDOS attacks, and for the same reason defence schemes have been developed all along; as long as the development of science does not stop, there is no end to the contest between defences and attacks, so more research should be carried out in the future.

References

Aiello, W, Bellovin, S, Blaze, M, Canetti, R, Ioannidis, J, Keromytis, AD & Reingold, O 2003, Just Fast Keying: Key Agreement in a Hostile Internet, retrieved 22 April 2009, /canetti/materials/jfk.pdf

Christos, D & Aikaterini, M 2003, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, vol. 44, no. 5, p. 643, retrieved 19 April 2009, EBSCO database.

Cisco, nd, Internet Key Exchange Security Protocol, retrieved 21 April 2009, /en/US/docs/ios/11_3/feature/guide/isakmp.html#wp11565

Enterprise/Salt Lake City, 2005, Distributed denial of service a true and current menace, Enterprise/Salt Lake City, vol. 35, no. 5, p. 20, retrieved 22 April 2009, EBSCO database.

Gong, C & Sarac, K 2007, Toward a Practical Packet Marking Approach for IP Traceback, retrieved 20 April 2009, .tw/paper_upload/IJNS-2007-02-05-1.pdf

Keith, W 2001, Flood Protection, Boardwatch magazine, vol. 15, no. 14, p. 32, retrieved 15 April 2009, EBSCO database.

Kessler, G