
Distributed Denial of Service Attacks

Methods And Mitigation techniques

INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY

July 11, 2013

Authored by: ABHISHEK KATIYAR

IIT ROPAR [email protected]


INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY (IDRBT)

ROAD NO. 1, CASTLE HILLS, MASAB TANK, HYDERABAD-500057

CERTIFICATE

This is to certify that Mr Abhishek Katiyar, pursuing B.Tech in Computer Science and Engineering at Indian Institute of Technology Ropar, has undertaken a project as an intern at IDRBT, Hyderabad from May 13, 2013 to July 19, 2013.

He was assigned the project “Distributed Denial of Service Attacks” under my guidance. During the course of the project he described different methods of DDoS attacks and mitigation techniques and simulated a DDoS attack in a virtual environment.

He has done excellent work. During the course of the internship his behaviour was generous. I wish him all the best for all his endeavours.

Patrick Kishore (Project Guide)

Chief operating officer IDRBT’s SBU, Hyderabad


Acknowledgment

I express my deep sense of gratitude to my guide Shri Patrick Kishore, Chief Operating Officer, IDRBT, for giving me an opportunity to do this project in the Institute for Development and Research in Banking Technology and for providing all the support and guidance needed, which made me complete the project in time.

I am also thankful to IIT Ropar for giving me this golden opportunity to work in a high-end research institute like IDRBT.

Abhishek Katiyar

B.Tech (3rd Year)

Computer Science and Engineering

Indian Institute of Technology, ROPAR


Abstract

Distributed Denial of Service (DDoS) attacks are one of the major cyber-security threats that web servers and their users face. Denial of Service can be defined as an attempt by an attacker to prevent legitimate users from using the web services offered by hosts on the Internet. When the Denial of Service attack is carried out from many systems at once, it is called a Distributed Denial of Service attack.

The motivation behind this project is to learn the basic terminology of DDoS attacks, the motivation behind DDoS attacks, how DDoS attacks are implemented, the various kinds of DDoS attacks, and the countermeasures used to mitigate them.


Table of Contents

1. Introduction ........ 5
2. Some cases of DDoS attacks ........ 5
3. Motivation behind DDoS attacks ........ 5
4. Components of DDoS attacks ........ 6
5. Different techniques of DDoS attacks ........ 7
6. Preparations done before attempting DDoS attacks ........ 8
7. Different types of DDoS attacks ........ 9
8. Mitigation techniques ........ 10
9. Simulation ........ 12
   a. Scenario 1 (Firewall OFF) ........ 14
   b. Scenario 2 (Firewall ON) ........ 17
10. Tools used ........ 19
11. Conclusion ........ 19
12. References ........ 19


1 Introduction

It is very important for web servers to host services continuously without crashing or shutting down. For financial institutions, industries, cloud hosting providers and online gaming servers, even a single reboot can cause a huge loss. In a DDoS attack the attacker tries to consume bandwidth and server resources so that legitimate users are unable to use them. The attacker does not participate directly in the attack; he stays behind the scenes, giving commands to compromised systems, and these compromised systems flood the victim network and consume its resources. Because the actual traffic comes from compromised systems, it is very difficult to identify who is behind a DDoS attack.

2 Some cases of DDoS attacks

Here are some examples of DDoS attacks that show how severe they can be. These are only a few cases; there have been many such attacks, and the idea is to show why protection against DDoS attacks is important.

1. More than 300 Gbps of traffic was thrown against the anti-spam organization “Spamhaus” by attackers. The attack started on Monday, March 18, 2013 with initial traffic of around 10 Gbps. Spamhaus contacted CloudFlare to mitigate the attack; they succeeded in mitigating it by using the anycast methodology.

2. The Izz ad-Din al-Qassam Cyber Fighters took credit for launching DDoS attacks on multiple American banks while protesting against “Innocence of Muslims”, a YouTube movie trailer viewed as offensive to Muslims. They launched attacks on more than 46 US banks in three phases. The first campaign started on September 18, 2012 and lasted six weeks, the second started on December 10, 2012 and lasted seven weeks, and the third started on March 5, 2013 and lasted eight weeks. More than 200 separate DDoS attacks of varying impact were launched against these banks. Nearly 3200 bots were used to perform them. Some of the attacks exceeded 110 Gbps.

These examples clearly show that institutions which are not prepared for such attacks can lose a lot of money and their reputation in the eyes of their users. Institutions should be well prepared to defend their wealth and reputation against such attacks and keep their services available to legitimate users.

3 Motivation behind DDoS attacks

There are many reasons why attackers perform DDoS attacks. Some of them are listed here; understanding them helps us understand the mindset of the attacker.

1. Revenge is a main cause behind such attacks. Because of disputes in ideology, some people want to take down their opponents, and so they perform such attacks on government websites, the home network of a particular person, industrial networks, online gaming servers, etc.


2. Money is another cause. There is a growing underground economy in which people sell botnets to perform attacks and get money in return, so they try to grow their bot networks. Botnets are sold on the basis of the duration of the attack (a rate per hour), the bandwidth of the attack (the amount of bandwidth required to take down the rival) and timing (how many bots are online at a given time). People simply pay the money and the work is done.

3. Terrorism is also a reason behind some DDoS attacks. Some terrorist organizations grow botnets and sell them to raise funds. Sometimes they themselves perform attacks on government and military networks.

4. Collateral damage. Most of the time one server hosts many websites. An attack on one website degrades the performance of the server and thus affects the other websites hosted on it. If the server is misconfigured it can crash.

5. Multiplying the effects of an attack. If a war is going on between two countries, a DDoS attack on the enemy network can give a tactical advantage: it can take down the enemy network and disrupt the enemy country's communication. At present this is not used in war strategies, but in cyber war it will be one of the most dangerous weapons.

6. Demonstrating the power of a botnet to impress a prospective purchaser is also a cause of DDoS attacks. Some people also perform DDoS attacks simply because they can; they believe they can take down well-secured servers, and so they attack them.

7. Extortion: DDoS attacks are used as intimidation to extract a ransom. Attackers take down online banking, betting, gambling and gaming servers and ask for money. If the owner of the server agrees to pay, they let him resume his work.

8. Fraud: sometimes a DDoS attack is just a diversion. Attackers launch the DDoS attack so that IT personnel are busy with defence and mitigation, which gives the attackers a chance to break in elsewhere. They may steal personal information and carry out fraudulent transactions.

9. Hacktivism can lead to DDoS attacks. Some well-known hacktivist groups are “Anonymous”, “Izz ad-Din al-Qassam”, “Decocidio” and “Honker Union”. They may launch attacks on a specific geographical network area.

4 Components of DDoS attacks

There are four components of a DDoS attack; we can define them as follows:

1. The primary victim is the target host whose resources are exhausted by the attack. It is the main target of the attack and suffers the most.

2. Secondary victims are the systems that perform the attack on the primary victim. These are systems compromised by the attacker, who gains access to them in order to deploy daemon programs. The daemon programs take instructions from handlers and perform the attack. They are called secondary victims because their resources are used to perform the attack, so they also suffer.

3. The handler or master program is the program through which the attacker communicates with the daemons and gives them orders, such as when to perform an attack and how long it should last. The handlers also keep the attacker updated on how many bots are up and ready to attack. Handlers also help the attacker remain behind the scenes and make it difficult to detect him.

4. The attacker is the one who attacks the victim system so that the victim is unable to provide its services to legitimate users. The attacker is the mastermind behind the whole plan. He just gives orders to the handler, and the handler does the work.

There can be many attackers performing an attack on one victim. One attacker can communicate with one or many handlers to give commands to the daemons, and one handler can communicate with multiple daemons. The attacker specifies the time, intensity and duration of the attack to the handler; the handler finds out which daemons are online at that time and commands them to perform the attack.

5 Different Techniques of DDoS attacks

Different techniques are used to perform DDoS attacks. The basic idea is to prevent users from using services or to prevent hosts from providing them. Some of the techniques are described here:

1. Bandwidth consumption is the most common technique used in DDoS attacks. The attacker tries to flood the network so that either the network goes down or legitimate users are unable to get service. If the victim has a bandwidth of 20 Mbps, the attacker tries to send a little more than 20 Mbps of data so that the victim network is flooded. A flooded network suffers heavy congestion; if the congestion control algorithm is poor, the network goes down very easily. During congestion the routers are heavily loaded: packets fill up their buffers so new requests cannot be handled, and to prevent damage the routers have to discard some packets. This is where load shedding algorithms come in. To shed load, a router picks packets according to the implemented algorithm and discards them, so a good load shedding algorithm lets us discard the packets that are not legitimate.

2. Resource depletion is the technique in which the attacker tries to exhaust the resources of the victim system so that it becomes unable to handle new requests. There is a limit on the number of connections a server can hold at a time; the attacker tries to open as many connections as possible and hold them as long as he can, so that the server cannot accept new connections. This method does not require high bandwidth. When a connection is established, resources such as memory, CPU cycles and a port number are allocated to it, and if the connection was not made by a legitimate user these resources are wasted. With a huge number of connections the server needs time to process each one, so it slows down and sometimes crashes. With a small number of daemons and a huge number of connection requests an attacker can exhaust the system's resources. For example, a DHCP server serving a /24 subnet has 254 IP addresses to allocate (.0 is the network identifier and .255 the broadcast address). If requests that appear to come from many different machines arrive at the DHCP server, it allots an IP address to each of them, and once the pool is exhausted new requests are put on hold, so legitimate users cannot get an IP address from the DHCP server.


3. Application exploitation uses vulnerabilities in an application to attack the server or to prevent users from using its services. The most widely exploited vulnerabilities are buffer overflows and SQL injection, through which an attacker can gain access to the system and stop users from using its services. Another variant of application exploitation concerns account lockout: for security, the system administrator defines the number of login attempts a user gets, and an account on which wrong passwords are tried repeatedly gets locked, so its owner is unable to access it. If the attacker knows the usernames, he can repeatedly attempt logins with random passwords; these are very probably wrong, so after several attempts all the accounts are locked.

6 Preparations done before attempting DDoS attacks

An attacker does a lot of work before attempting any DDoS attack. From identifying a victim to attacking it, many steps are involved. The attacker researches the victim's topology, the hardware and software the victim uses, the victim's working schedule, etc. If the victim is an ordinary user not much preparation is needed, but if the victim is an organization the attacker needs a lot of information, and so he prepares extensively. Broadly, the steps are as follows:

1. Selection of the victim: depending on his motivation the attacker selects his victim. The victim can be a single user, a group of users or an organization.

2. Research on the victim is a very important step. The attacker uses many tools to gather as much information about the victim as possible: the topology, the devices and bandwidth used, the OS deployed, the applications running on the systems, the firewalls deployed, vulnerabilities in applications, bottlenecks in the network, etc. After completing the research he looks for the resources needed for the attack.

3. Deploying daemon programs: usually the attacker deploys daemon programs on ordinary users' machines to get a large number of bots. Most users run Windows, so daemon programs are preferably written for Windows. When the attacker needs high bandwidth he deploys daemons on servers, which are mostly Linux based, and so writes daemons for Linux. There are many methods of deploying daemon programs and almost all of them require a breach of security. Attackers have to put a lot of effort into breaching the security of servers, but much less effort is needed to breach the security of home users. Daemon programs are deployed on secondary victims in two ways. In the active way the attacker scans the network of the secondary victim, looks for vulnerabilities, uses them to gain access to the system and deploys the daemon program on it; buffer overflows, Trojan horses and software vulnerabilities are used to actively gain access and install daemons. In the passive way the attacker does not participate actively; the secondary victim itself installs the daemon program, for instance by visiting unsafe websites or opening corrupted files, without knowing it.


4. Deploying handlers: handlers keep the attacker behind the scenes and make it difficult to find out who the attacker is. Handler programs are generally written to support many operating systems. Handlers are mostly deployed on servers to get fast access to the bots, and they are deployed in the same way as daemon programs.

7 Different Types of DDoS attacks

Before describing the different types of DDoS attacks I will describe some DoS attacks, because a DDoS attack is a DoS attack launched from multiple locations. Some of the DoS attacks are as follows:

1. Smurf attack: the attacker spoofs the source address of a packet as the address of the victim and sends it to a broadcast address. A broadcast packet is delivered to every device on the network, and every device that receives it replies with a packet whose destination is the source address of the received packet, i.e. the victim. When everybody replies the network is flooded and the victim system crashes. This attack overloads the whole network and every device on it is affected, but the victim suffers the worst of it.

2. SYN flood attack: this attack exploits the “three-way handshake” used to establish a TCP connection. When a client wants to establish a new connection it sends a SYN request to the server and waits for a SYN+ACK reply; when the server receives the SYN it replies with SYN+ACK and waits for an ACK from the client; when the client receives the SYN+ACK it sends the ACK, and once the server receives the ACK the connection is established and data transfer begins. The attacker sends spoofed connection-request packets; the server replies with SYN+ACK and waits for an ACK, but because the source was spoofed no reply ever comes, so the server keeps waiting until the connection times out. When a large number of such requests arrive, the server's connection buffer fills up and new connection requests are dropped. This is a resource depletion technique.

3. ICMP ping flood: one of the most basic techniques for flooding a victim. The attacker pings the target machine continuously; with a huge volume of ICMP ping packets the victim's bandwidth is saturated. Sending pings can also be automated.

4. UDP flood attack: the attacker sends a lot of UDP packets to every port of the victim. For each packet the victim checks whether any process is listening on that port, and if not it replies with an ICMP “destination port unreachable” packet. With an enormous number of such requests the system is unable to service legitimate requests and the victim's throughput falls; sometimes the victim hangs or crashes.

5. Fraggle attack: the attacker sends UDP echo packets to the victim's character generator (chargen) port with the source port spoofed to the echo service port. This creates an infinite loop between the two services. The attacker can also use broadcasting to create a huge number of such loops between the chargen ports of the devices on a broadcast network and the echo port of the victim. This attack causes severe impairment to the victim.
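The SYN flood described in item 2 leaves a recognisable trace on the server side: connections that receive a SYN but never the completing ACK. The following Python script, an added example written for this page and not part of the author's simulation, replays a hand-constructed packet trace the way a server's connection table would see it, counts completed and half-open handshakes per client, and names the sources that behave like a flood. The server and client addresses (192.0.2.10, 198.51.100.5, 203.0.113.7) are documentation-range placeholders and the thresholds are illustrative, not tuned values.

```python
"""Half-open TCP connection tracking over a packet trace.

Added example for this report, not the author's simulation code. The trace
below is constructed by hand; 'flags' uses the SYN / SYN+ACK / ACK notation
used in the text.
"""
from collections import defaultdict

# Constructed sample trace: (time_s, src_ip, src_port, dst_ip, dst_port, flags).
# 198.51.100.5 completes two normal handshakes with the server 192.0.2.10 and
# leaves one SYN open at the very end; 203.0.113.7 sends four SYNs and never
# answers the SYN+ACK, which is the half-open pattern a SYN flood leaves behind.
SERVER = "192.0.2.10"
SAMPLE_TRACE = [
    (0.00, "198.51.100.5", 40001, SERVER, 80, "SYN"),
    (0.01, SERVER, 80, "198.51.100.5", 40001, "SYN+ACK"),
    (0.02, "198.51.100.5", 40001, SERVER, 80, "ACK"),
    (0.10, "203.0.113.7", 1000, SERVER, 80, "SYN"),
    (0.10, SERVER, 80, "203.0.113.7", 1000, "SYN+ACK"),
    (0.11, "203.0.113.7", 1001, SERVER, 80, "SYN"),
    (0.11, SERVER, 80, "203.0.113.7", 1001, "SYN+ACK"),
    (0.12, "203.0.113.7", 1002, SERVER, 80, "SYN"),
    (0.12, SERVER, 80, "203.0.113.7", 1002, "SYN+ACK"),
    (0.13, "203.0.113.7", 1003, SERVER, 80, "SYN"),
    (0.13, SERVER, 80, "203.0.113.7", 1003, "SYN+ACK"),
    (0.50, "198.51.100.5", 40002, SERVER, 443, "SYN"),
    (0.51, SERVER, 443, "198.51.100.5", 40002, "SYN+ACK"),
    (0.52, "198.51.100.5", 40002, SERVER, 443, "ACK"),
    (5.00, "198.51.100.5", 40003, SERVER, 80, "SYN"),
]


def track_half_open(trace, server, timeout=3.0):
    """Replay the trace the way the server's connection table sees it.

    A SYN opens a pending entry keyed by (client, client_port); the client's
    ACK completes it; an entry not completed within `timeout` seconds is
    counted as half-open, as is anything still pending when the trace ends.
    Returns {client_ip: {"completed": n, "half_open": n}}.
    """
    pending = {}
    stats = defaultdict(lambda: {"completed": 0, "half_open": 0})
    for t, src, sport, dst, dport, flags in trace:
        # Expire stale entries first, as the server does when it gives up waiting.
        for key, t0 in list(pending.items()):
            if t - t0 > timeout:
                del pending[key]
                stats[key[0]]["half_open"] += 1
        if dst != server:
            continue  # server-to-client packets carry no new client state
        key = (src, sport)
        if flags == "SYN":
            pending[key] = t
        elif flags == "ACK" and key in pending:
            del pending[key]
            stats[src]["completed"] += 1
    for client, _port in pending:
        stats[client]["half_open"] += 1
    return dict(stats)


def flag_syn_flood_sources(stats, min_half_open=3, max_completion_ratio=0.2):
    """Name the clients that leave many handshakes half-open and complete
    almost none of them. The thresholds are illustrative, not tuned values."""
    suspects = []
    for client, s in stats.items():
        total = s["completed"] + s["half_open"]
        if s["half_open"] >= min_half_open and s["completed"] / total <= max_completion_ratio:
            suspects.append(client)
    return sorted(suspects)


def total_half_open(stats):
    """Aggregate half-open count: the figure to compare with the server's
    connection backlog when a flood uses spoofed, ever-changing sources."""
    return sum(s["half_open"] for s in stats.values())


if __name__ == "__main__":
    stats = track_half_open(SAMPLE_TRACE, SERVER)
    for client, s in sorted(stats.items()):
        print(f"{client:<14} completed={s['completed']} half_open={s['half_open']}")
    print("suspects:", flag_syn_flood_sources(stats))
    print("total half-open:", total_half_open(stats))
```

The per-source check only works while the flood comes from a stable set of addresses; when the source is spoofed, as the text describes, every half-open entry looks like a different client and the signal moves to the aggregate count, which is why `total_half_open` is reported separately and should be compared against the size of the server's connection backlog.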

By launching these denial of service attacks from multiple locations with a huge number of bots, the attacker can incapacitate the victim. The basis of every DDoS attack is the same: they all use these DoS attacks, but they differ in the way communication happens between the attacker, the handler and the daemon program. The distributed nature of DDoS attacks protects the attackers from detection and makes the attacks difficult to defend against. Some of the main distributed denial of service attack tools are summarized in the table below:

Different types of DDoS attack tools

Tool: TFN (Tribe Flood Network)
  Communication between attacker and handler via: command line
  Communication between handler and daemon programs via: ICMP connection
  Type of DoS launched by bots: Smurf, SYN flood, UDP flood and ICMP flood attack
  Description: written in C, works on Windows, Solaris, Linux

Tool: Shaft
  Communication between attacker and handler via: TCP telnet connection
  Communication between handler and daemon programs via: UDP connection
  Type of DoS launched by bots: SYN flood, UDP flood and/or ICMP flood attack
  Description: able to switch between different ports and handlers in real time

Tool: Trinoo
  Communication between attacker and handler via: TCP connection
  Communication between handler and daemon programs via: UDP connection
  Type of DoS launched by bots: UDP flood attack
  Description: automated tool to increase the size of the botnet

Tool: Stacheldraht
  Communication between attacker and handler via: encrypted TCP connection
  Communication between handler and daemon programs via: ICMP and TCP connection
  Type of DoS launched by bots: Smurf, SYN flood, UDP flood and ICMP flood attack
  Description: automatically enables source address forgery

Tool: TFN2K
  Communication between attacker and handler via: encrypted TCP, UDP or ICMP
  Communication between handler and daemon programs via: encrypted TCP, UDP or ICMP
  Type of DoS launched by bots: Smurf, SYN flood, UDP flood and ICMP flood attack
  Description: has the capability to hide itself from intrusion detection programs

8 Mitigation techniques

No tool or mechanism is available that guarantees complete protection of a server or network from distributed denial of service attacks. If the attacker has access to more bandwidth than the victim, he can always overpower the victim until the victim takes measures to mitigate the effects of the attack. There is no universal method that protects against all types of DDoS attack, but by implementing the following techniques one can reduce their effect:

1. Use intrusion detection software to detect intrusions and attacks, and to detect whether we are ourselves hosting part of an attack.

2. Keep applications up to date and apply security patches.

3. Use firewalls, malware detectors, spyware detectors and antivirus software to protect our devices.

4. In the network, disable IP broadcasts to prevent amplification attacks, and use IP broadcasts only when needed. This helps against Smurf and Fraggle attacks.

5. Disable services and close ports that are not required. This helps protect against the Fraggle attack, and when unused services are disabled it is harder for an intruder to enter the system. To protect against the SYN flood attack we can increase the buffer size to hold a larger number of connections and decrease the wait time so that unacknowledged connections are discarded early. This increases the chance that legitimate users get service.

6. Continuously monitor the statistics of system resources to detect and contain attacks. Automated scripts can alert the user whenever the statistics cross a threshold.

7. Use packet filtering to keep packets from entering our network. Packet filtering is mostly done in firewalls, on the basis of packet size, source and destination address, ports and protocols. There are three ways to filter packets:

   1.) Define accepting rules: packets that match these rules are accepted and all others are discarded. This is the most secure method, but it can keep some legitimate packets out of the network.

   2.) Define discarding rules: packets that match these rules are discarded and all others are accepted. This is a very insecure method, as it accepts most packets.

   3.) Define accepting rules: packets that match these rules are accepted, and for those that do not, the user is asked what to do with them. This method can annoy users by prompting them with a dialog box again and again.

8. Use deep packet inspection with an NGFW (Next Generation Firewall). In deep packet inspection the packet is inspected thoroughly; even the data part is inspected if it is not encrypted. Deep packet inspection is used to protect against viruses, spam, intrusions and worms. It is also used for data mining and for collecting statistics to manage network traffic, user service and censorship. NGFWs have the capabilities of standard firewalls and additionally offer application awareness, intrusion detection, intrusion prevention and intelligent blocking decisions based on Active Directory information.

9. Get more bandwidth. This may be costly for small organizations, but it helps against most attacks, since most attackers do not have access to high bandwidth or a huge number of bots. Still, a capable attacker can gather as many bots as he needs to damage his victim. Some Internet service providers offer a solution to this problem: if there is an attack on the victim, the ISP provides more bandwidth to absorb it, but charges more money for this.

10. A variation on the above is the clean pipe service offered by ISPs. The ISP rigorously scans for security threats in real time and stops DDoS attacks at the core-router level on the ISP side, so users need not worry about such attacks or about deploying costly hardware and software. However, users are charged more for this service.

11. Some attacks are aimed specifically at IP addresses; by moving to a new IP address from time to time we can evade them. This does not work if the attack is aimed at the domain name.

12. Load balancing can be used to fight DDoS attacks. In load balancing the load on the network is distributed among the network's resources, such as network links and routers. Load balancing optimizes the utilization of network resources, maximizes throughput, minimizes response time, minimizes congestion and increases reliability.

13. The anycast methodology can be used to mitigate the effect of a DDoS attack. In anycast a datagram is routed to the topologically nearest node in a group of recipients, all of which are identified by the same destination address (the group address). Any member of the recipient group can serve the request.
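Mitigation technique 7 contrasts accepting rules (default deny) with discarding rules (default allow), and technique 5 asks for unneeded ports to be closed. The Python script below, an added example written for this page and not the author's lab configuration, runs both policies over a constructed packet sample: two legitimate web connections, a ping from a local host, then a UDP flood to assorted ports and ICMP floods from outside. The protected host 10.0.0.11 and network 10.0.0.0/24 are the ones used in the report's simulation; the outside addresses (198.51.100.5, 203.0.113.x) are documentation-range placeholders and the rules are made up for illustration.

```python
"""Packet filtering policies compared on a constructed packet sample.

Added example for this report, not the author's lab configuration. The
packet records and the rules are made up for illustration; the protected
network 10.0.0.0/24 and host 10.0.0.11 are the ones used in the report's
simulation.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_prefix: Optional[str] = None  # dotted prefix, e.g. "10.0.0." for the local /24

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix)))


def filter_allowlist(packets, accept_rules):
    """Method 1 in the text: accept only packets that match an accepting rule
    and discard everything else (default deny)."""
    return [p for p in packets if any(r.matches(p) for r in accept_rules)]


def filter_blocklist(packets, drop_rules):
    """Method 2 in the text: discard packets that match a discarding rule and
    accept everything else (default allow)."""
    return [p for p in packets if not any(r.matches(p) for r in drop_rules)]


def summarize(packets):
    """Count the packets that got through, by protocol."""
    return dict(Counter(p.proto for p in packets))


VICTIM = "10.0.0.11"

# Constructed sample: two legitimate web connections, one ping from a local
# host, then a UDP flood to assorted ports and ICMP floods from outside.
SAMPLE_PACKETS = [
    Packet("198.51.100.5", VICTIM, "tcp", 80),
    Packet("198.51.100.5", VICTIM, "tcp", 443),
    Packet("10.0.0.12", VICTIM, "icmp"),
    Packet("203.0.113.7", VICTIM, "udp", 7),     # echo
    Packet("203.0.113.7", VICTIM, "udp", 19),    # chargen
    Packet("203.0.113.7", VICTIM, "udp", 1234),
    Packet("203.0.113.7", VICTIM, "udp", 2345),
    Packet("203.0.113.7", VICTIM, "udp", 3456),
    Packet("203.0.113.7", VICTIM, "icmp"),
    Packet("203.0.113.8", VICTIM, "icmp"),
]

# Accepting rules: the victim only serves HTTP and HTTPS, and only local hosts
# are expected to ping it. Every other port stays closed, which is also
# mitigation technique 5 (close the ports that are not required).
ACCEPT_RULES = [
    Rule(proto="tcp", dport=80),
    Rule(proto="tcp", dport=443),
    Rule(proto="icmp", src_prefix="10.0.0."),
]

# Discarding rules: block the echo and chargen ports used by Fraggle and the
# ICMP source range seen in an earlier flood. Ports never listed are still
# accepted, which is why the text calls this method insecure.
DROP_RULES = [
    Rule(proto="udp", dport=7),
    Rule(proto="udp", dport=19),
    Rule(proto="icmp", src_prefix="203.0.113."),
]


if __name__ == "__main__":
    print("allowlist passes:", summarize(filter_allowlist(SAMPLE_PACKETS, ACCEPT_RULES)))
    print("blocklist passes:", summarize(filter_blocklist(SAMPLE_PACKETS, DROP_RULES)))
```

With the same sample, the allowlist passes only the three expected packets, while the blocklist passes the three UDP flood packets aimed at ports nobody thought to list; that is the gap the text points at when it calls the discarding-rules method insecure. The third method in the text (prompting the user) is not modelled, since it is a policy decision rather than a filter.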

These techniques prevent or reduce DDoS attacks. We can also use techniques to trace back to the attacker or to understand how the attack was done, and so protect our devices from future attacks. Honeypots are used to detect, deflect and gather information about DDoS attacks. They are used as a trap: the attacker finds an apparent security vulnerability and deploys a handler or daemon on it, and security analysts look at the information gathered from the honeypot to secure the network more effectively. Honeypots are regularly monitored by security professionals. A group of honeypots working together forms a honeynet. Packet sniffers, event logs, firewalls and honeypots store every event that happened during the attack, and this data can be analysed to improve security. Packet traceback techniques can be used to find out the origin of the packets.

9 Simulation

To examine the effect of a DDoS attack I made a virtual network in Graphical Network Simulator v3, which is shown in Figure 1. In the simulation I show how the resources of the victim get wasted if proper mitigation techniques are not used. I took two scenarios: in the first the victim does not use a firewall, and in the second the victim uses a firewall. We will see how the statistics differ in the two scenarios.

Figure 1 Topology of network for simulation


In the Figure 1 topology, Attacker #1 and Attacker #2 are the two attackers performing the attacks. Victim #1 is the primary victim on which the attackers perform their attacks, and Victim #2 is also affected by the attack. Attacker #1 runs “Backtrack” as its OS and Attacker #2 runs “Windows XP pro sp3”. In the encircled network, Victim #1 and #2 run “Windows XP pro sp3 clone1” and “Windows XP pro sp3 clone2”, which are clone images of “Windows XP pro sp3” in VirtualBox. The others in the encircled network are Linux Tiny Core and a Virtual PC Simulator, which represent other users on the same network. A Cisco router is used as the gateway router of the encircled network and also acts as the DHCP server for the 10.0.0.0/24 network.

Before performing any kind of attack, the attacker should be aware of the topology of the victim network. So, to learn the network, Attacker #1 scans the victim network using Zenmap (the graphical version of nmap). The results of this scan are shown in Figure 2 and Figure 3.

In Figure 2 we can see all the allocated IP addresses in the network 10.0.0.0/24, which are 10.0.0.11, 10.0.0.12, 10.0.0.13 and 10.0.0.14. Localhost is the device of Attacker #1. 12.0.0.1 and 10.0.0.1 are the interface IP addresses of the Cisco router.

Figure 3 Scanned hosts and services

In Figure 3 we can see which hosts are up and on which ports they are listening. We can also get the details of the hosts and the running services using nmap and Zenmap. On the basis of the scan details I chose Victim #1, which has “Windows XP pro sp3” as its OS, as my primary victim. When there is no attack on Victim #1 we can see its traffic using WinPcap and Wireshark, as shown in Figure 4. There are only 1-2 packets coming in or going out, and these are routing packets. We can also see in Figures 5 and 6 that when there is no attack on the victims their processor time is very low and the incoming and outgoing IP packets are nearly 0.

Figure 2 Scanned topology of the victim network by Attacker #1

Figure 4 Wireshark statistics at Victim #1

Figure 5 Victim #1 normal statistics


Figure 6 Victim #2 normal statistics

9.1 Scenario 1 (Firewall OFF)

First we will see how a DDoS attack changes the statistics of the victim devices if no firewall is used at the victims' site, so the firewall is turned OFF on both Victim #1 and Victim #2. We will then see how the victims' statistics change as we perform SYN flood, UDP flood and ICMP flood attacks. I am performing the SYN flood attack from Attacker #1, and the UDP flood and ICMP ping flood attacks from Attacker #2.

SYN flood, UDP flood and ICMP ping flood attack

First we perform a SYN flood attack from Attacker #1 on Victim #1 using the Metasploit framework console. We send an enormous number of SYN requests to Victim #1, asking to establish connections on different ports. We also spoof the source address of the SYN packets as the address of Victim #2, so whenever Victim #1 receives a spoofed packet it replies with a SYN+ACK to the spoofed address. In this way the resources of Victim #2 are consumed as well.

For the UDP flood and ICMP ping flood attacks I installed Nettools at Attacker #2's site. In Nettools I perform the UDP flood attack using the UDP flooder and the ICMP ping flood attack using the Packet generator. To target Victim #1, I set its IP address as the destination address of the packets. Now we will see how the statistics change as we perform these three attacks from the different attacking sites.

In Figure 7 we can see that a lot of UDP, TCP and ICMP packets are arriving at Victim #1. Processor time has also increased, to a maximum of 70%. In the TCP section we can see that the counts of incoming and outgoing packets are nearly the same, because Victim #1 sends a SYN+ACK for each SYN it receives. Using Wireshark we can verify that these SYN+ACK packets are being sent to Victim #2, since the source address is spoofed. The histogram in Figure 8 gives relative statistics showing which kinds of packets are affecting the victims; this can also be verified using Wireshark.


Figure 7 Victim #1 Statistics during attack

Figure 8 Victim #1 histogram Statistics during attack

From Figures 4 and 9 we can see that when there was no attack only 1 or 2 packets were coming in or going out, but while the attack is being performed this number has increased to up to 110, which shows that bandwidth and resources are being consumed by these attacks.


Figure 9 Victim #1 wireshark Statistics during attack

In Figure 10, under the TCP section, we can see that the packets sent by Victim #1, i.e. the SYN+ACK packets, are received by Victim #2. But since these packets answer spoofed SYNs that Victim #2 never sent, Victim #2 does not send back any ACK. We can see that the bandwidth and resources of Victim #2 are also being consumed during this attack. So this DDoS attack is affecting not only the particular victims but also the network.
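The symptoms described for Scenario 1 can be recognised from each victim's own capture: a burst of SYNs that are never completed with an ACK at Victim #1, UDP and ICMP rates far above the idle baseline, and SYN+ACKs arriving at Victim #2 for connections it never opened (backscatter). The following detector is an added example and not code from the report; it uses the report's 10.0.0.0/24 lab but assumes which address belongs to which victim (Victim #1 as 10.0.0.11, Victim #2 as 10.0.0.12, 10.0.0.13 and 10.0.0.14 as other LAN hosts), and the packet records and thresholds are constructed rather than taken from the captures in the figures.

```python
"""Flood and backscatter indicators from per-host captures (Scenario 1).

Added example, not code from the report. The lab addresses are assumed:
Victim #1 is taken to be 10.0.0.11 and Victim #2 to be 10.0.0.12. All
packet records below are constructed, not a real capture.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float     # seconds since capture start
    src: str
    dst: str
    proto: str    # "TCP", "UDP" or "ICMP"
    flags: str    # TCP flags: "S", "SA", "A"; "" for non-TCP


V1, V2, OTHER, FLOODER = "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"

# Constructed capture as seen at Victim #1: SYNs whose source is spoofed to
# Victim #2's address, the SYN+ACK replies they trigger, a UDP and an ICMP
# flood, and one legitimate three-way handshake from another LAN host.
CAPTURE_V1 = (
    [Packet(i * 0.01, V2, V1, "TCP", "S") for i in range(60)]
    + [Packet(i * 0.01 + 0.005, V1, V2, "TCP", "SA") for i in range(60)]
    + [Packet(i * 0.02, FLOODER, V1, "UDP", "") for i in range(40)]
    + [Packet(i * 0.05, FLOODER, V1, "ICMP", "") for i in range(20)]
    + [Packet(0.30, OTHER, V1, "TCP", "S"),
       Packet(0.31, V1, OTHER, "TCP", "SA"),
       Packet(0.32, OTHER, V1, "TCP", "A")]
)

# Constructed capture as seen at Victim #2: only the backscatter arrives.
# Victim #2 never sent a SYN to Victim #1, so it has nothing to ACK.
CAPTURE_V2 = [Packet(i * 0.01 + 0.005, V1, V2, "TCP", "SA") for i in range(60)]

# Packets per one-second bin above which a traffic class is flagged.
# Chosen for the constructed data; real thresholds come from an idle baseline.
THRESHOLDS = {"TCP_SYN": 50, "UDP": 30, "ICMP": 15}


def analyse(host, capture, window=1.0):
    """Summarise flood indicators for `host` from its own capture.

    rates       peak packets per `window` seconds for each traffic class
    alerts      classes whose peak rate reaches THRESHOLDS
    half_open   SYNs received that no later ACK from the same peer completed
    backscatter SYN+ACKs received for connections `host` never initiated
    """
    bins = defaultdict(Counter)   # bin index -> traffic class -> count
    pending = Counter()           # (peer, host) -> outstanding SYNs
    initiated = set()             # peers this host itself sent a SYN to
    backscatter = 0

    for p in sorted(capture, key=lambda pkt: pkt.ts):
        b = int(p.ts // window)
        if p.dst == host:
            if p.proto == "TCP" and p.flags == "S":
                bins[b]["TCP_SYN"] += 1
                pending[(p.src, host)] += 1
            elif p.proto == "TCP" and p.flags == "A" and pending[(p.src, host)] > 0:
                pending[(p.src, host)] -= 1          # handshake completed
            elif p.proto == "TCP" and p.flags == "SA" and p.src not in initiated:
                backscatter += 1                      # reply to a SYN we never sent
            elif p.proto in THRESHOLDS:               # UDP or ICMP
                bins[b][p.proto] += 1
        elif p.src == host and p.proto == "TCP" and p.flags == "S":
            initiated.add(p.dst)

    rates = {cls: max((c[cls] for c in bins.values()), default=0)
             for cls in THRESHOLDS}
    return {
        "rates": rates,
        "alerts": [cls for cls, n in rates.items() if n >= THRESHOLDS[cls]],
        "half_open": sum(pending.values()),
        "backscatter": backscatter,
    }


if __name__ == "__main__":
    for host, cap in ((V1, CAPTURE_V1), (V2, CAPTURE_V2)):
        print(host, analyse(host, cap))
```

Run against the Victim #1 capture, all three rate alerts fire and 60 half-open SYNs remain, mirroring the near-equal incoming/outgoing TCP counts in Figure 7; run against the Victim #2 capture, no rate alert fires but every SYN+ACK is unsolicited, which is exactly the Figure 10 picture and is the signal a host can use to recognise that its address is being spoofed elsewhere.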

Figure 10 Victim #2 Statistics during attack


9.2 Scenario 2 (Firewall ON)

When the firewall was turned OFF we saw how bandwidth and resources were being consumed. Now we will see how the statistics change when the firewall is turned on, so I have now turned on the firewall on both Victim #1 and Victim #2. In Figure 11 we can see that the packets sent to Victim #1 during the attack are dropped by Victim #1, as they are not legitimate. We can also see that the processor time is the same as when there was no attack. Any packet that does not match a firewall rule is simply dropped, so resources and bandwidth are not wasted. In Figure 12 we can see that traffic has been reduced, as some of the packets are dropped and no packets are being forwarded from Victim #1 to Victim #2.

Figure 11 Victim #1 Statistics during attack firewall ON

Figure 12 victim #1 wireshark statistics during attack firewall ON


In Figure 13 we can see that there are no incoming packets in the TCP section: when any SYN request is sent to Victim #1 by an attacker it gets dropped, so Victim #1 does not send any SYN+ACK to Victim #2. Victim #2 therefore does not feel any effect of the attack, and resources and bandwidth are also saved on Victim #2's side.
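The mechanism behind Scenario 2 is state: a host firewall admits inbound packets that belong to a connection the host opened itself (or that are SYNs to a port it deliberately exposes) and silently drops the rest, so an unsolicited SYN never reaches the TCP stack and never produces a SYN+ACK towards the spoofed address. The simulation below is an added example, not the report's code and not the actual logic of the Windows XP firewall used in the lab; it assumes the same address mapping as above (Victim #1 as 10.0.0.11, Victim #2 as 10.0.0.12, 10.0.0.13 as a web server Victim #1 talks to, 10.0.0.14 as the UDP/ICMP source) and replays constructed packets through both victims' filters with the firewall off and on.

```python
"""Stateful host filter reproducing the Scenario 2 effect.

Added example, not the report's code and not the logic of the Windows XP
firewall used in the lab. Addresses are assumed: Victim #1 = 10.0.0.11,
Victim #2 = 10.0.0.12, 10.0.0.13 is a web server Victim #1 talks to and
10.0.0.14 sends the UDP/ICMP floods. All packets are constructed.
"""
from collections import Counter
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int    # 0 for ICMP
    dst: str
    dport: int    # 0 for ICMP
    proto: str    # "TCP", "UDP" or "ICMP"
    flags: str    # TCP flags: "S", "SA", "A"; "" for non-TCP


V1, V2, WEB, FLOODER = "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"


class HostFirewall:
    """Minimal stateful inbound filter.

    When enabled it accepts an inbound packet only if it belongs to a flow
    this host opened itself, or if it is a TCP SYN to an explicitly allowed
    listener port. Everything else is dropped silently, so the host never
    generates a reply for it. When disabled every packet is accepted.
    """

    def __init__(self, host, enabled=True, allowed_ports=()):
        self.host = host
        self.enabled = enabled
        self.allowed_ports = set(allowed_ports)
        self.flows = set()            # (peer, proto, local_port) opened by host
        self.verdicts = Counter()

    def egress(self, p):
        """Record an outbound packet so that replies to it are admitted."""
        self.flows.add((p.dst, p.proto, p.sport))

    def ingress(self, p):
        """Return True if the inbound packet is accepted by the host."""
        if not self.enabled:
            verdict = "accept:no-firewall"
        elif (p.src, p.proto, p.dport) in self.flows:
            verdict = "accept:reply-to-own-flow"
        elif p.proto == "TCP" and p.flags == "S" and p.dport in self.allowed_ports:
            verdict = "accept:allowed-listener"
        else:
            verdict = "drop"
        self.verdicts[verdict] += 1
        return verdict != "drop"


def syn_reply(p):
    """What an accepting host sends back for an inbound SYN: a SYN+ACK."""
    if p.proto == "TCP" and p.flags == "S":
        return Packet(p.dst, p.dport, p.src, p.sport, "TCP", "SA")
    return None


def simulate(firewall_on):
    """Replay constructed attack traffic through both victims' filters."""
    fw1 = HostFirewall(V1, enabled=firewall_on)
    fw2 = HostFirewall(V2, enabled=firewall_on)

    # Victim #1 first opens a legitimate connection to the web server, so
    # the server's SYN+ACK must still be admitted when the firewall is on.
    fw1.egress(Packet(V1, 1234, WEB, 80, "TCP", "S"))
    legit_reply = Packet(WEB, 80, V1, 1234, "TCP", "SA")

    inbound_v1 = (
        [Packet(V2, 40000 + i, V1, 1 + i, "TCP", "S") for i in range(50)]  # spoofed SYNs
        + [Packet(FLOODER, 5000, V1, 53, "UDP", "") for _ in range(30)]
        + [Packet(FLOODER, 0, V1, 0, "ICMP", "") for _ in range(20)]
        + [legit_reply]
    )

    backscatter_to_v2 = []
    for p in inbound_v1:
        if fw1.ingress(p):
            reply = syn_reply(p)
            if reply is not None:
                backscatter_to_v2.append(reply)     # goes to the spoofed source

    received_by_v2 = sum(1 for r in backscatter_to_v2 if fw2.ingress(r))

    return {
        "v1_accepted": sum(n for v, n in fw1.verdicts.items() if v != "drop"),
        "v1_dropped": fw1.verdicts["drop"],
        "syn_acks_sent_to_v2": len(backscatter_to_v2),
        "v2_accepted_backscatter": received_by_v2,
    }


if __name__ == "__main__":
    print("firewall off:", simulate(False))
    print("firewall on: ", simulate(True))
```

With the firewall off, all 101 inbound packets are accepted, 50 SYN+ACKs are emitted towards Victim #2 and Victim #2 accepts every one of them (Figures 7 and 10); with it on, only the reply to Victim #1's own connection passes, the 100 attack packets are dropped before any reply is generated, and Victim #2 sees nothing (Figures 11 and 13). The legitimate reply still passing is the part worth checking when tuning a real firewall: the protection comes from state, not from blocking inbound traffic wholesale.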

Figure 13 victim #2 Statistics during attack firewall ON


10 Tools used

During the simulation the following tools were used:

1. GNS 3
2. Virtualbox
3. Wireshark
4. Backtrack OS
5. Virtual PC Simulator
6. Windows XP pro sp3 OS
7. Linux Tinycore virtual machine OS
8. Nettools (UDP flooder, Packet generator)
9. Metasploit framework, Armitage
10. Cisco C3700 router image
11. Dynamips

11 Conclusion

DDoS attacks have been encountered for a long time and there is still no absolute solution to this problem. Such attacks are critical to the functioning of industries and financial institutions. They can cause pecuniary loss, communication loss, work delays, loss of private information, etc. A lot of tools are available on the internet, and now even newbies are attempting to attack illustrious institutes. Every day many attempts are made by attackers to take prestigious institutes down. So it is very important to take countermeasures to prevent such attacks. Some such countermeasures are described above, and many tools and methods are still under development to protect against such attacks.
