
            Mitigation approach at DDOS attacks using
                      crypto encoded puzzles
                                         Shahzad Ahmed Malik, Middlesex University

    Abstract— This paper is aimed at discussing how DDOS
(Distributed Denial of Service) attacks have been the recent and most
successful way of computer warfare. While this paper will look
insightfully into the existing methods of preventing these attacks,
it is also aimed at providing my personal opinions on how they could
be prevented keeping security considerations in mind. This paper
will also take a detailed look at how cryptographic puzzles can be
used to aid in mitigation of DDOS and its advantages and

   This paper will conclude that though there are many methods
to try and trace back and prevent DDOS, the only way of actually
stopping or preventing an attack is by combining many forms of
prevention all together in one system. Basically I will stress upon
the idea that “Prevention is better than cure”.

  Index Terms—Computer Network Security, Computer Network Management

                     I. SO WHAT IS DDOS?

The term DDOS (Distributed Denial Of Service) is actually
derived from the term DOS (Denial of Service). The main aim of the
attack is to take out a victim computer or a target by use of a
built army of several hundreds of computers within or outside the
network. This method of attack is so successful and destructive
because of its widespread effects. The usage of multiple computers,
aka master computers, which use other computers, aka zombie
computers, to generate voluminous traffic towards the victim is the
base of the attack.

There are several ways of causing these attacks, and with the
increasing complexity of networks, the attacks and the means by
which they are carried out are growing in complexity too. One of the
main reasons for their success, and hence a growing difficulty in
controlling these attacks, is the trace back mechanisms. The usage
of master and zombie computers within or outside the network,
especially with requests being made to look as if placed by the
victim itself, makes the trace back very hard and a nightmare in
every system administrator's life. At the point of time when this
paper is being written there are many forms and ways of controlling
or tracing back these attacks in the form of research by various
researchers, and some of them have even been tried and implemented
by various security giants including “Symantec Inc”, “McAfee Inc”,
“Cisco” etc.

          II. BASIC WORKING AND VARIOUS FORMS OF DDOS

 A. How the DDOS ball was set rolling:

Figure 1 - Diagram showing the structure of DOS, DDOS and DDOS using reflectors.

DDOS works on the principle that the attacker takes control of many
master computers and, using the software loaded on the master
computers, attracts zombie computers [1] to build the army.

Now the term zombie computers [1] is just a name given by attackers
to the computers that belong to respectable networks of
multinational corporations and universities within or outside the
network.

By using this attack, zombie computers are unaware of their actions
or of the data stream packets, requests or otherwise, sent by them
through their network. The use of zombie computers [1] makes the
trace back of the attacker a very difficult, almost impossible and
heavily time consuming task. The recent coming of technology, with
the invention of IDS [2] and the combination of firewall and IPS
[3] systems, has made the tracking of the packets possible and also
led to the invention of many techniques to prevent the attack while
it is still active or, if the attack is already done and gone, to
trace back to a certain permissible degree. The techniques used for
these will be explained in the next section, where I will explain
the current techniques in place for preventing DDOS attacks.

 B. DDOS using reflectors.

As described above, distributed denial of service (DDOS) is
performed by the use of masters and slaves, thus complicating the
trace back of the attacker and making the attack a very successful
one.

As more and more methods came up of tracing back these normal DDOS
attacks, especially ITRACE [4], SPIE [5] and probabilistic packet
marking [6], the tracing back of packets sent by the attacking
zombie/slave computers became feasible, and implementation and
enforcement was a thought at many levels. More on the above quoted
trace back mechanisms will be discussed in the next section.

In the reflection way of attacking, the attacker makes use of the
slaves to send data to freely available web servers or other hosts.
“So, for example, all Web servers, DNS servers, and routers are
reflectors, since they will return SYN ACKs or RSTs in response to
SYN or other TCP packets” [7]. Why these attacks are successful and
so difficult to trace back is that since the zombie computers send
fake requests by spoofing the victim's IP address, the available
techniques of “reverse IP trace back”, as long and tedious as the
process is, come back and show the victim itself.

The limitation also being that since it is a web server or a free
unused host that is being used as a reflector, millions of them are
being taken over by the attacker, hence taking the task of the trace
back to a new horrifying level. In addition the web server/reflector
should have maintained clear logs of all the traffic that they
receive on a particular day, which will have to be analysed by
contacting hundreds of ISPs, network providers and system
administrators.

The attacker would also have taken careful notice to ensure that
there are not many zombie/slave computers attached to the same
reflector, as this prevents trace back of the whole attacking army.

        III. POSSIBLE EXISTING WAYS OF LIMITING THE ATTACKS

 A. ITRACE [4]

Bellovin's proposed scheme was initially designed for tracking back
packets where the source of the packets that caused the attacks was
unknown. In this method the routers that forwarded the data could
send ICMP data back to the destinations, and hence with a high
traffic volume flow they would eventually trace back which source
the packet had come from to the respective router before being
routed to the victim that the packet was being targeted at.

In this method eventually the ICMP packets would give the location
of the zombie/slave computer that was used.

The main limitation of this technique was that it needed a high
volume of data to be processed to be sure of the location
of the slave, and hence otherwise it could not be processed if the
attack was not active at that point of time.

 B. Probability Packet marking [6]

In this method we are implementing a system in which a set of
routers that route data into the main network marks the data packets
with a very highly compressed piece of hidden code that the target
computer/server can decode. This form of trace back has proved to
pave the way for many other forms of research, as there are many
wider forms of this traceback research going on. In this method the
victim is able to trace back the path of every data packet that has
been encoded by the packet mark, which will eventually lead to the
location of a slave. This method also eventually failed, as with the
coming and usage of reflectors or massive amounts of slaves in the
order of millions, the computational data was way too large for
analytical or trace back purposes.

 C. SPIE [5]

Fig 3 - Representation of traffic isolation

This technique is based on the principle that every packet that is
going through the router is marked and categorized with a set of
hashes. By using this principle a packet's destination, and hence
the path it travelled after leaving the router, can be found by
sending customized queries to the routers and hence obtaining the
path of the same. It technically isolates the packet and puts a
unique hash on it so that it can easily be found and traced back.
The advantage is that this technique of tracing back can also be
used for every small amount of data. Every single packet of data
between the victim and a particular router can be queried and the
location of the slave found.

The record of the packet being queried has to be present on the
router recording the hashes, and this is only possible and only
highly effective in the case of an ongoing attack when the network
traffic is high and in the middle of the action.

     IV. PROPOSAL FOR STOPPING ATTACK USING CRYPTO PUZZLES

This proposal is based on the principle that a client requesting
services should exhaust its own resources before the server
exhausts its own resources [8].

This principle of preventing the attacks was considered very famous
and considered a good breakthrough in the field of using game
theory.

 A. Working Principle

When a server comes under attack it distributes cryptographic
puzzles to all the hosts requiring services from the server. By
doing this, though we are utilizing the server's computational
resources, we are using more of the resources of the host computer
that is demanding or requiring services.

The cryptographic puzzles that are being distributed are distributed
from the server itself to the hosts demanding service, and they also
have many sub divisions based on difficulty and also on time, which
guarantees legitimate users service while the attacker is at bay as
the attacker is lost on how to resolve the puzzle.
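As an added example, not code from this paper or from Aura, Nikander and Leiwo [8], the following Python script plays out the exchange described above: the server issues a hash-reversal puzzle whose difficulty (number of leading zero bits demanded) rises with its load and which expires after a time window, the client brute-forces a solution, and the server verifies it with two hash computations before spending any real resources on the request. The secret key, the client identifier, the time-to-live and the load-to-difficulty policy are constructed assumptions for illustration. The nonce is derived with an HMAC over the client identifier, issue time and difficulty, so the server keeps no per-client state and can recompute everything at verification time.

```python
import hashlib
import hmac
import struct
import time

# Constructed parameters for this example (not values from the paper).
PUZZLE_TTL_SECONDS = 30   # a puzzle is only accepted for this long after issue
MAX_DIFFICULTY = 24       # upper bound on leading zero bits demanded of the client


def difficulty_for_load(pending_requests: int) -> int:
    """Map server load to puzzle difficulty in leading zero bits.

    Constructed policy: no puzzle while idle, then roughly one extra bit
    per doubling of the request backlog, capped at MAX_DIFFICULTY.
    """
    if pending_requests < 100:
        return 0
    bits = 10 + (pending_requests // 100).bit_length()
    return min(bits, MAX_DIFFICULTY)


def issue_puzzle(server_secret: bytes, client_id: bytes, difficulty: int, now: int) -> dict:
    """Server side: derive a puzzle nonce without storing any state.

    The nonce is HMAC(secret, client_id || issue_time || difficulty), so the
    server spends one HMAC per issued puzzle and can recompute the same
    nonce later to check that it really issued the puzzle being answered.
    """
    msg = client_id + struct.pack(">QB", now, difficulty)
    nonce = hmac.new(server_secret, msg, hashlib.sha256).digest()[:16]
    return {"nonce": nonce, "issued_at": now, "difficulty": difficulty}


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(puzzle: dict) -> int:
    """Client side: brute-force a counter X such that SHA-256(nonce || X)
    starts with `difficulty` zero bits. Expected cost is 2**difficulty hashes,
    which is where the client, not the server, exhausts its resources."""
    x = 0
    while True:
        digest = hashlib.sha256(puzzle["nonce"] + x.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return x
        x += 1


def verify_solution(server_secret: bytes, client_id: bytes, puzzle: dict,
                    solution: int, now: int) -> bool:
    """Server side: cheap check (one HMAC, one SHA-256) gating the real work."""
    if now < puzzle["issued_at"] or now - puzzle["issued_at"] > PUZZLE_TTL_SECONDS:
        return False  # expired, or a puzzle claiming to be from the future
    expected = issue_puzzle(server_secret, client_id, puzzle["difficulty"], puzzle["issued_at"])
    if not hmac.compare_digest(expected["nonce"], puzzle["nonce"]):
        return False  # nonce was not issued by this server for this client
    digest = hashlib.sha256(puzzle["nonce"] + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]


def demo(pending_requests: int = 800) -> dict:
    """One full round trip under a constructed load level."""
    secret = b"constructed-server-secret"      # assumption: per-server secret key
    client_id = b"198.51.100.7"                 # assumption: documentation-range address
    now = int(time.time())
    difficulty = difficulty_for_load(pending_requests)
    puzzle = issue_puzzle(secret, client_id, difficulty, now)
    solution = solve_puzzle(puzzle)             # client-side work
    accepted = verify_solution(secret, client_id, puzzle, solution, now)
    return {"difficulty": difficulty, "solution": solution, "accepted": accepted}


if __name__ == "__main__":
    print(demo())
```

The stateless construction is the design choice worth noticing: issuing and checking a puzzle costs the server a constant couple of hash operations, while the client's cost grows exponentially with the difficulty level, which is what keeps the server from exhausting itself on puzzle generation as the load rises. The time window bounds how long a precomputed solution stays usable. Binding the nonce to a client identifier only helps as much as that identifier can be trusted; a spoofable source address gives a weak binding, which is the limitation the paper goes on to discuss.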
The method succeeds in many ways, and in recent studies they have
also proved it effective at a proven success rate of more than
eighty percent less utilization on routers and more than seventy
percent less utilization on individual hosts and servers. This is
basically credited to the fact that once the puzzles are released,
the users who solve them are given rights or services on the server,
and the attackers who are not able to solve the puzzles are not
given any service, hence rendering the attack ineffective.

 B. Disadvantages and why didn't it work?

The method, though a brilliant one, was yet susceptible and not an
iron-clad solution to the attacker spoofing the IP address of the
host itself. The attacker could take over the zombie/slave computer,
hence using the same computational power to solve the cryptographic
puzzle.

Yet another disadvantage or hurdle was that the cryptographic puzzle
technique only got triggered in the event of an active attack, and
if the attacker, as in the reflector technique, did a “divide and
rule” and divided the army and attacked the system, the server would
continue operation as usual and the system would break down
eventually.

Also one of the main and foremost disadvantages was that the system
could be turned on itself, as the server could exhaust all its
resources generating and routing cryptographic puzzles to all the
resources requesting access as a prerequisite, hence causing a
legitimate shut down on itself.

                       V. CONCLUSIONS

In this paper, keeping in mind the scope and reach of the same,
many but few methods of trace back have been discussed, but it is
the ultimate result and knowledge that with the ongoing research
there is yet a silver bullet panacea to be discovered for this form
of attack.

By the end of this paper I recommend that, keeping the advantages
and disadvantages of various methods in mind, it is better to have a
holistic approach and implement a system with a multitude of options
built on it, using various methods of prevention and trace back. A
cumulative system does not guarantee a complete stop to all attacks
but yet guarantees better protection and readiness.

Having a combative system also adds to the overhead and also to
massive security costs that any institution will have to take the
brunt of to provide security for themselves. Hence I conclude this
paper by saying that “Prevention is better than

                         REFERENCES

[1]   Tom Spring (2006, June 20) [Online]. Available: “Spam Slayer:
      Slaying Spam-Spewing Zombie PCs,” PC World.
[2]   NIST CSRC SP 800-94 (2007, February). “Guide to Intrusion
      Detection and Prevention Systems (IDPS)”.
[3]   Symantec (2003, February 27) [Online]. Available:
      next-step-evolution-ids
[4]   S. Bellovin (2000, March) [Online]. “ICMP Traceback Messages,”
      Available: 00.txt
[5]   A. Snoeren, C. Partridge, L. Sanchez, W. Strayer, C. Jones and
      F. Tchakountio (2001, August), “Hash-Based IP Traceback,”
      Proc. ACM/SIGCOMM.
[6]   S. Savage, D. Wetherall, A. Karlin and T. Anderson (2000,
      August), “Practical Network Support for IP Traceback,” Proc.
      ACM/SIGCOMM, pp. 295–306.
[7]   Vern Paxson, “An Analysis of Using Reflectors for Distributed
      Denial-of-Service Attacks,” AT&T Center for Internet Research
      at ICSI, International Computer Science Institute, Berkeley,
      CA, USA.
[8]   T. Aura, P. Nikander and J. Leiwo (April 2000), “DOS-Resistant
      Authentication with Client Puzzles,” Cambridge Security Protocol