★ Distributed Denial of Service (DDoS) attacks are becoming more frequent and the size of these attacks is increasing rapidly every year. This increases the load on the networks of Internet Service Providers (ISPs) and many Cloud computing providers. Cloud computing is an emerging technology and adopted by many Cloud providers. But, there are many issues and one of them is Distributed Denial of Service(DDOS).
Distributed Denial of Service (DDoS) attack is the most prominent attack in this area of computing. DDoS is the single largest threat to the internet and the internet of things. The frequency and sophistication of Distributed Denial of Service attacks (DDoS)on the Internet are rapidly increasing.
★ In this article, we conduct an up-to-date review of essential Cloud Network threats and present a methodology for the evaluation of existing security proposals. Based on this, we introduce a comprehensive and up-to-date survey of proposals intended to make the Network Infrastructure highlysecure and introducing new methods for detection and mitigation
of routing instabilities and these generic countermeasure model can be used to prevent secondary victims and to prevent DDoS attacks.
These taxonomies define various similarities and different patterns in Dos and DDoS attacks, configuration, functional tools, to assist in further improvement on Network Infrastructure security and proposed a solution to countering DDoS attacks.
★ DDoS attacks can be classified further as the primary target is to congest the network with a massive amount of the bandwidth Utilization and it could cause the network abruption to the victim network.
Attack Classifications: (Figure 1) Besides, these classifications, all forms of attacks fall under these two functions.
Connection-based attack: This type of attacks can be carried out through an established connection of any client and server by using certain connection-oriented protocols.
Connection-less attack: An attack that doesn’t require a standard protocol-based session. Connection-less meant to be formally established before a server can send the “data packets” — typically a the basic unit of communication information which is transferred over a digital network to a client.
Volumetric Attack: The Specific goal of this type of attack is to cause the congestion traffic while sending the data packets over the line and it would cause bandwidth to overwhelm the scenario. Especially, most of the attacks are executed using botnets. A botnet is a group of agent handlers in a DDoS attack which provides the attacker with the ability to wage a much larger and more wild attack than a DoS attack while remaining anonymous on the Internet. It is measured by the number of received bits per second (bps).
Protocol Attack: In general, this type of attack focal point is on actual web/DNS/FTP servers, core Routers and switch, firewall devices and LB (load balancers) to disrupt the well-established connections, and also causing the exhaustion of their limited number of concurrent sessions on the device. It is measured by the number of received packets per second (PPS).
Application Layer Attack: It is also known as Connection-oriented attacks. Application attacks occur in Layer 7 of an OSI Model. Most of the Applications are under vulnerable scenarios by consisting of many loopholes. This specific type of attack is pretty much hard to detect because these sophisticated threats are generated from the limited number of attack machines, on top of that it's only generating low traffic rate which appears to be legitimate for the victim to realize. It is measured by the number of received requests per second (RPS).
A. Tree view architecture of DoS/DDoS Attack Protocols in OSI Layers (Figure 2)
B. Types of DDoS Attack
★ Before, classifying the types of DDoS attacks. In Fig 6. Shows a hierarchical model of DDoS attacks.
★ DDoS attacks can be classified further as the primary target is to congest the network with a massive amount of the bandwidth Utilization and it could cause the network abrupt-ion to the victim network. The secondary focus is on Network resource depletion. Which means the Attacker depletes the key components such as Memory, Device CPU, and so on.
★ The attacker's intention behind this is to consume the available resources to the point where the service can’t be responded to. A complete view of bandwidth attack in-depth and we will go through the most prime factors and some of them are outside the scope of this paper. Flood type attacks can be further evaluated by their amplification factor.
This means the volume of each source packet is multiplied several times by this factor functionalities, when it reaches the victim it will be like a huge bomb of packets. We will learn something about understanding the DDoS Attacks and how it happens and how will it happen on your Network. This paper will not specify the general details about the OSI protocols and its functions, it's out of the scope of this research (Figure 3).
★ UDP Flood: In the UDP Flood Attack, the attacker floods a particular target with N number of UDP packets. It is a session-less service. The purpose of this attack is to target the opened UDP ports on the victim network and start to flood the UDP Packets.
This attack creates uncertainty by letting the host check the application listening ports and later it will make a check if there is none of the host applications is responding back with an application not found a status mark. It triggers the Destination Unreachable packet and it could lead to resource inaccessibility. UDP Flood (Figure 4).
★ In the Testbed, we permitted 10000 UDP Packet per second. If you take one sample were it reached 1000 attack count limits in the device and the accumulation of this attack is 100x10000 pps = 1 a million bps of the attack were performed.
★ The Attacker uses some tool, to spoof the source IP address of the packets and somehow it helps the attacker to be anonymous by hiding his identity. It triggers the victim unable to track the origin of the attack. When victim applications try to response packets, it will not reach the zombies' network; instead of that, it will reach some other random computers on the internet by spoofing its address in the packet.
ICMP Flood: In the ICMP Flood Attack, the attacker floods a particular target with N number of ICMP Echo Request (ping) packets to the victim. Attack executed by the zombies sending packets to the target in an instantaneous manner, and it causes the victim network to reply back to the requested ICMP_ECHO_REPLY packets.
This ICMP flood saturates a high volume of both egress and ingress bandwidth and resulting in an overall network abruption.
ICMP Flood Attack (Figure 5)
We permitted 10000 ICMP Packet per second. If you take one sample were it reached 1500 attack count limits in the device and the accumulation of this attack is 1500x10000 PPS = 1.5 Million bps of the attack were performed. Attack statistics can be identified In Fig 28.
ICMP Packet Format Statistics (Figure 6)
★ The Ingress/egress received forged ICMP packets with bad checksum and echo request packets, it creates an echo reply loop and occupies device resources critically.
TCP SYN Flood: In this TCP SYN Attack, the attacker floods a particular target with N number of SYN flood packets. Obviously, it is a connection-oriented protocol. Notably, the attacker gives the instructions to the Agents Handler(zombies) to send the bogus TCP SYN packet request to the victim server because it would affect the victim server resources and prevent the server from further responding back to the legitimate traffic packets.
When there is a large volume of an attack to the victim server these SYN requests are being received by the server and failed to Acknowledge back the ACK+SYN response in return to the request and none of them are responded, would trigger the server to run out of the processor utilization and ultimately resulting in Denial of service attack.
TCP SYN Flood Attack (Figure 7)
TCP-SYN Attack Statistics (Figure 8)
★ In the Testbed, we permitted 10000 SYN TCP Packet per second. If you take one sample were it reached 800 attack count limits in the device and the accumulation of this attack is 800x10000 PPS = 0.8 Million bps of the attack were performed.
The Ingress/egress received forged TCP packets with bad header and corrupted flags packets, it creates tons of TCP request on the server and server try to send TCP SYN critically which leads the device to use more resources.
TCP Reset Attack: In this attack, the attacker floods a particular target with N number of TCP reset packets or called it as forged TCP packets. The main cause of this attack is to send a forged TCP packet header to the victim network to end the genuine TCP connections on the end to abrupt the internet service.
IP Fragmentation Flood
It is a pretty common one on the Internet in which the attacker overbears a network by exploiting the fragmented datagram packet mechanisms. The actual attack process of IP fragmentation is simple as it looks,larger data-grams are broken down into small size packets and transmitted over a network and then reassembled back into the original datagram. It is a necessary procedure for successful data transmission between the two endpoints.
★ There is a size limit for the Data-gram transmission unit and it’s known as maximum transmission unit (MTU). Whenever the data-gram exceeds the actual MTU size as its fixed, it has to be segregated into the small size of MTU packets.
An attack occurs when the data-gram was modified as “don’t fragment” on the IP packet header, the packet is dropped immediately from the server and send out a message as ICMP datagram is too large to process it. When there is a false packet and are unable to re-sequence it, the target server resources are quickly consumed and could cause server unavailability.
Two forms of protocol attack can be executed by an attacker.
Fragmented Packet Statistics (Figure 9)
✓ TCP Teardrop attack: When the Teardrop attack performed on the target through the TCP/IP reassembly mechanisms, preventing them from putting together fragmented data packets. In the end, the data packets may overlap immediately and overwhelm the target server’s resources and causing them to unavailable. TCP Teardrop Fragmentation Attack Packet Scenario
(Figure 10)
✓ HTTP Flood: In this particular attack, the attacker targets the webserver or any web applications through the legitimate HTTP GET and POST requests to the server. In General, the HTTP flood attack does not contain any forged or malformed packets, IP spoofing, or reflection attacks. The main purpose is to take down the victim’s server resource by sending the legitimate request and demanding resources in each single request which it receives. (Figure 11).
✓ DNS Flood: In this particular attack, the attacker targets the DNS server by running a script to flood UDP Packets to the DNS resolver. In General, the script is running from multiple servers and it is programmed to forge the IP Packet header, Flag size, and DNS request. These UDP packets are flooded from the spoofed IP Address.
One more common type of DNS flood attack is known as DNS NXDOMAIN flood attack, in which the attacker floods the DNS server with requests for records that are nonexistent or invalid DNS attack requests. Once the DNS resolver received a request it starts to process the request by looking for these records, eventually it has no legitimate resources to serve back to the request (Figure 12).
★ NTP Amplification Attack: In NTP amplification attacks, the attacker
exploits public based accessible Network Time Protocol (NTP) timer servers, which is available in every country's time zone. In general, users sync the network devices such as Switch, Router, and Firewall to the NTP server to keep the device Time up to date. The Attacker uses this opportunity to Overwhelm a targeted Public NTP server with UDP attack traffic.
★ This type of attack can be defined as an amplification attack because the UDP flood causes the query and response scenarios anywhere between 1:30 and 1:300 or much more, it totally depends on the attacker happiness. As a result, that list of public NTP servers IP’s can be targeted using some attack tools to randomly generate UDP Flood traffic from the Agent handlers, the devastating attack could cause high-bandwidth saturation in the server.
★ Smurf Attack: Smurf attack processed on layer 3 OSI model. A Smurf attack is pretty much similar to the ping attack method, carried out by sending an N number of ICMP Echo request packets. Smurf attack is generated through malware. Notably, Smurf is an amplification attack vector, the malware generates the fake Echo request packets with a spoofed IP Address, which is actually the target (victim) address.
Each and every received request-host sends an ICMP response to the forged source IP address. The fact about the amplification factor of the Smurf attack corresponding to the number of the hosts on the target network.
★ In the Testbed, we broadcast a network with 100 hosts that will produce 100 responses for each fake Echo request, which it received. Typically, each of the requested ICMP packet sizes relies on the same size as the original ping request. It should be noted that, during the attack, the network service on the target network is likely to be degraded severely.
★ SNMP Reflection Attack:
SNMP reflection attack is similar to other for of reflection attacks, which involves overwhelming the device response resource by flooding packets to a single spoofed IP address. During an SNMP reflection attack, the attacker sends out a large number of SNMP query packets with a spoofed IP address of the Victim address and many connected devices respond back to the queries.
Mail Bomb Attack: Mail Bomb attack is a type of abusing any form of an email address on the Internet by the Phishing bomb attack. It is a form of Electronic-mail abuse on the Internet, by sending high volumes of phishing emails to a specific target address in an attempt to overflow or take-down the victim email server by overwhelming the email server where the email address is currently hosted. There are three forms of email attack which can be executed by an attacker.
★ DNS Amplification Attack: A Domain Name Server (DNS) the amplification attack is quite popular among recent years. The Amplification attack relies on the use of publicly accessible open DNS servers to overwhelm a target system with DNS response traffic.
★ Ping of Death Attack: Ping of Death attack in which an attacker attempts to crash or freeze the targeted Network service by sending forged or oversized ICMP packets using a certain ping command. Several Patch has been released to reduce the weakness of this attack. However, still several systems not updated their patch lead to the severe cause. The legitimate size of a normal IPv4 packet IP header is 65,535 bytes, including the payload size of 84 bytes.
Many outdated computer systems could not handle larger IP packets, and would cause the system to crash. This bug was exploited in early TCP/IP implementations in a wide range of operating systems including Windows, Mac, Unix, Linux, as well as network devices. When the received system tries to re-sequence the broken IP fragments and ends up with an oversized packet or overlapped packet.
★ Slowloris Attack: Slowloris is a type of denial of service attack tool invented by Robert “RSnake” Hansen which allows a single machine to take down the entire web server with limited bandwidth. Slowloris is clearly different from other forms of attacks rather, it uses perfectly legitimate HTTP traffic. Slowloris software tool allows the attacker to generate a complete TCP connection and then it requires only 100 HTTP requests with regular intervals.
As a result, the Slowloris software tool doesn’t need to send a lot of traffic. All the available TCP/IP connections will be used up quickly and none another request will be able to connect until few held connections are released instantaneously. This makes it quite possible for hackers with limited traffic to perform this dangerous attack. Slowloris is mostly not detected by Firewall IDS (Intrusion Detection System’s), because the attacker does not send any malformed request, it is all a legitimate request to the webserver.
In most cases, it bypasses the IDS system’s security. Once the attacker, stops the attack, the target website will be available online. In figure 15 as you can see the recorded live DDoS attacks and the green-colored section represent the Slowloris attacks. Global Slowloris Attack Statistics Map (Figure 13).
Ten years of Peak Attack survey Size Map (Figure 14)
★ Ten years of survey analysis from 2007 to 2017, attackers have gained much control in the network and their trends are changing. Notably, they are approaching reflection, amplification techniques to exploit vulnerabilities in these popular protocol service such as DNS (Domain Name Service), NTP (Network Time Protocol), SSDP (Simple Service Discovery Protocol), TCP (Transport control Protocol), UDP (User Datagram Protocol), Chargen, SNMP (Simple Network Management Protocol), Port map, and other protocols to maximize the large scale of their attacks.
In addition to that, there has been a tremendous increase in the exploitation of IoT devices to generate a large number of packet floods, without using IP spoofing or any other reflection/amplification techniques.
CONCLUSION:
★ DDoS attacks had a significant impact on the Internet over the past decade by the manual efforts which applied to the botnet machines. However, as overall network bandwidth grows in any organization, the volume of packets slung as part of DDOS (Distributed denial-of-service)
attacks will grow and will have a huge impact on the Network Infrastructure as well.
DDoS attacks are emerging rapidly every year according to the statistics, and companies have been scrambling to put the right DDoS detection mechanisms on the cloud protection to defend its
customers.
According to various DDoS attack observance on live environment and attack measure has been given out in this paper to overcome any kind of DDoS attacks, to defend yourself and your the company from the botnet machines and from any intruder.
Also published at https://medium.com/faun/abc-935f9b23707a