A Seminar Report on Vulnerability and Attack
Chapter One
Preamble of the Report
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers.
Chapter Two
Review of the Related Literature
Introduction of DDoS
A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system or forcing it to shut down, so that the system can no longer serve legitimate users.
Classification of DDoS
Classification by exploited vulnerability: DDoS attacks, according to the vulnerability they exploit, can be divided into the following categories: flood attacks, amplification attacks, protocol exploit attacks and malformed packet attacks.
Flood Attacks:
In a flood attack, the zombies send large volumes of IP traffic to a victim system in order to congest the victim system's bandwidth. The impact of the packet streams sent by the zombies to the victim system ranges from slowing it down or crashing the system to saturation of the network bandwidth. Some of the well-known flood attacks are UDP flood attacks and ICMP flood attacks.
UDP Attacks:
A UDP Flood attack occurs when a large number of UDP packets is sent to a victim system. The result is the saturation of the network and the depletion of the bandwidth available for legitimate service requests to the victim system. In a DDoS UDP Flood attack, the UDP packets are sent to either random or specified ports on the victim system; typically, UDP flood attacks are designed to target random victim ports. The attack works as follows: the attacker sends a UDP packet to a random port on the victim system. When the victim system receives the UDP packet, it determines which application is waiting on the destination port. When it finds that no application is listening on that port, it generates an ICMP "destination unreachable" packet addressed to the (forged) source address. If enough UDP packets are delivered to ports of the victim, the system will go down. By the use of a DDoS tool the source IP address of the attacking packets can be spoofed; this way the true identity of the secondary victims (the zombies) is not exposed, and the return packets from the victim system are not sent back to the zombies.
ICMP Flood Attacks:
ICMP Flood attacks exploit the Internet Control Message Protocol (ICMP), which enables users to send an echo packet to a remote host to check whether it is alive. More specifically, during a DDoS ICMP flood attack the agents send large volumes of ICMP_ECHO_REPLY packets ("ping") to the victim. These packets request a reply from the victim, and the result is the saturation of the bandwidth of the victim's network connection. During an ICMP flood attack the source IP address may be spoofed.
Amplification Attacks:
In amplification attacks the attacker or the agents exploit the broadcast IP address feature found on most routers to amplify and reflect the attack: they send messages to a broadcast IP address, which instructs the routers servicing the packets within the network to forward them to all the IP addresses within the broadcast address range. The malicious traffic produced this way consumes the victim system's bandwidth. In this type of DDoS attack, the attacker can send the broadcast message directly, or use agents to send the broadcast message in order to increase the volume of attacking traffic. If the broadcast message is sent directly, the attacker can use the systems within the broadcast network as agents without needing to infiltrate them or install any agent software. Some well-known amplification attacks are Smurf and Fraggle attacks.
Smurf Attacks:
Smurf attacks send ICMP echo request traffic with a spoofed source address of the target victim to a number of IP broadcast addresses. Most hosts on an IP network will accept ICMP echo requests and reply to the source address, in this case the target victim. On a broadcast network, there could potentially be hundreds of machines replying to each ICMP packet. The use of a network in order to elicit many responses to a single packet has been labeled an "amplifier". In this type of attack the party that is hurt is not only the spoofed source address target (the victim) but also the intermediate broadcast devices (the amplifiers).
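The two patterns described above, the random-port UDP flood and the Smurf trigger (echo requests carrying the victim's address sent to a directed-broadcast address), can both be picked out of packet records with a few lines of detection logic. The following is an added example written for this report, not code from the original seminar report or its cited sources; the traffic records, thresholds, addresses and function names are all constructed assumptions.

```python
"""Added example: flag random-port UDP floods and Smurf-style echo requests
aimed at a directed-broadcast address, over constructed packet records."""
import random
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample traffic: (time_s, proto, src, dst, dst_port, icmp_type)
rng = random.Random(7)
SAMPLE = [(0.5, "udp", "203.0.113.5", "192.0.2.10", 53, None),   # ordinary DNS query
          (0.6, "icmp", "203.0.113.5", "192.0.2.10", None, 8)]   # one ordinary ping
# UDP flood: 300 packets within one second, spoofed sources, random high ports
SAMPLE += [(1.0 + i / 300, "udp", f"198.51.100.{rng.randrange(1, 254)}",
            "192.0.2.10", rng.randrange(1024, 65535), None) for i in range(300)]
# Smurf trigger: echo requests with the victim as source, sent to a broadcast address
SAMPLE += [(2.0, "icmp", "192.0.2.10", "198.51.100.255", None, 8)] * 3
LOCAL_NETS = [ip_network("198.51.100.0/24")]   # assumed network behind our router


def udp_port_spray(records, window=1.0, min_pkts=200, min_ports=100):
    """Return {dst: (packets, distinct_ports)} for every destination that
    receives at least min_pkts UDP packets spread over at least min_ports
    distinct ports inside some window of `window` seconds: the signature of
    a random-port UDP flood, which a single busy service does not produce."""
    by_dst = defaultdict(list)
    for t, proto, _src, dst, dport, _itype in records:
        if proto == "udp":
            by_dst[dst].append((t, dport))
    hits = {}
    for dst, pkts in by_dst.items():
        pkts.sort()
        start = 0
        for end in range(len(pkts)):           # sliding time window
            while pkts[end][0] - pkts[start][0] > window:
                start += 1
            span = pkts[start:end + 1]
            ports = {p for _t, p in span}
            if len(span) >= min_pkts and len(ports) >= min_ports:
                hits[dst] = (len(span), len(ports))
                break
    return hits


def broadcast_echo_requests(records, local_nets=LOCAL_NETS):
    """Return sorted (claimed_src, dst) pairs for ICMP echo requests (type 8)
    addressed to the directed-broadcast address of a local network. A border
    router that refuses to forward directed broadcasts (RFC 2644) drops these;
    the claimed source is the real Smurf victim, not the sender."""
    bcast = {str(n.broadcast_address) for n in local_nets}
    return sorted({(src, dst) for _t, proto, src, dst, _p, itype in records
                   if proto == "icmp" and itype == 8 and dst in bcast})
```

Only the UDP packets to 192.0.2.10 cross both thresholds; the lone DNS query and ping are ignored, and the three echo requests collapse to one (victim, broadcast) pair.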
Chapter Three
CONCLUSION
DDoS attack tools are readily available, and any Internet host is targetable as either a zombie or the ultimate DDoS focus. These attacks can be costly and frustrating and are difficult, if not impossible, to eradicate. The best defence is to hinder attackers through vigilant system administration.
Applying patches, updating anti-malware software, monitoring systems and reporting incidents do more than retard DDoS attacks; these defences also protect against other attacks. The Internet is not stable; it reforms itself rapidly. This means that DDoS countermeasures quickly become obsolete.
New services are offered through the Internet, and new attacks are deployed to prevent clients from accessing these services. However, the basic issue is whether DDoS attacks represent a network problem or an individual problem—or both. If attacks are mainly a network problem, a solution could derive from alterations in Internet protocols.
Specifically, routers could filter malicious traffic, attackers could not spoof IP addresses, and there would be no weaknesses in routing protocols to abuse.
If attacks are mostly the result of individual system weaknesses, the solution could derive from an effective intrusion detection system, from antivirus software, or from a robust firewall. Attackers then could not compromise systems in order to build an army of "zombies".
It appears that both the network and the individual hosts constitute the problem. Consequently, countermeasures should be taken on both sides.
Because attackers cooperate in order to build the perfect attack methods, legitimate users and security developers should also cooperate against the threat. The solution will arise from combining both network and individual countermeasures.