Talking about DDoS attacks on the Internet

Introduction

A DDoS attack is an evolution of the traditional DoS attack. A single DoS attack normally works one-to-one, which is adequate when the target is a low-performance machine. As computers have become more and more powerful, that model stopped working, and DDoS was born. A Distributed Denial of Service attack uses client/server techniques to combine many computers into one attack platform, and it can hit one or more targets with many times the effect of a single denial of service attack. Typically it uses compromised computers on the network, called zombies (or bots), to send intensive 'denial of service' traffic that exhausts the network resources and system resources of the target, so that the target can no longer provide normal service to its real users. With a large number of zombies under their control, attackers can obviously launch a massive DDoS or SYN flooding attack through the zombie network.


Usually, an attacker uses a stolen account to install the DDoS master (handler) program on one computer. At a set time, the master program communicates with a large number of agents that have been installed on many computers across the Internet, and the agents attack the target computers when they receive the command. Because of the client/server structure, the master program can trigger thousands of agent operations within a few seconds.
 



Methods of attack

The attacks can be classified into five kinds:
(1). Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.
(2). Disruption of configuration information, such as routing information.
(3). Disruption of state information, such as unsolicited resetting of TCP sessions.
(4). Disruption of physical network components.
(5). Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.


IP Spoofing

In IP spoofing, the attacker sends forged packets to the server with the source IP address set to a non-existent or invalid value. When the server receives such a packet it immediately returns an acknowledgement, but that reply can never reach a real source host. The server is therefore forced to keep the listening port's connection state and wait indefinitely, which wastes its resources.


LAND attack

This attack resembles a SYN flood, but in a LAND packet the source address and the destination address are the same, both set to the IP address of the target. Worse, it can drive an attacked computer into an endless loop.


SYN flood

A SYN flood occurs when a host sends a flood of TCP SYN packets, often with a forged sender address. Each packet is handled like a connection request: the server creates a half-open connection by sending back a TCP SYN-ACK packet and waiting for the final ACK from the sender address. Because the sender address is forged, that response never comes. The half-open connections saturate the number of connections the server is able to hold, keeping it from responding to legitimate requests until the attack ends.


ICMP floods

ICMP floods send broadcast messages to routers that are not configured properly, which then consume system resources.
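The three packet-level patterns described above (half-open SYNs from forged sources, a LAND packet whose source and destination are identical, and an echo request aimed at a subnet's broadcast address with the victim as source) can each be recognised in a flow record. The detector below is an added example written for this page, not code from the original post; the log format, the thresholds, the `BROADCAST` set and the sample records are constructed assumptions, using RFC 5737 documentation addresses.

```python
"""Flag SYN-flood, LAND and smurf-style ICMP patterns in a small flow log.

Added example for this page; the record format, the threshold and the sample
records are constructed assumptions, not the page's or any tool's own format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds
    proto: str       # "TCP" or "ICMP"
    src: str
    dst: str
    dport: int       # 0 for ICMP
    flags: str       # TCP flags: "S" = bare SYN, "A" = ACK; "" for ICMP
    icmp_type: int   # 8 = echo request; -1 for TCP


def parse_line(line: str) -> Packet:
    """Parse one whitespace-separated record: ts proto src dst dport flags icmp_type."""
    ts, proto, src, dst, dport, flags, itype = line.split()
    return Packet(float(ts), proto, src, dst, int(dport),
                  "" if flags == "-" else flags, int(itype))


def detect_land(packets):
    """LAND pattern: source and destination address identical."""
    return [p for p in packets if p.src == p.dst]


def detect_syn_flood(packets, threshold=5):
    """Per (dst, port): count SYN sources that never completed the handshake with an ACK."""
    syns = defaultdict(set)   # (dst, dport) -> sources that sent a bare SYN
    acks = defaultdict(set)   # (dst, dport) -> sources that later sent an ACK
    for p in packets:
        if p.proto != "TCP":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            syns[key].add(p.src)
        elif p.flags == "A":
            acks[key].add(p.src)
    half_open = {k: len(srcs - acks[k]) for k, srcs in syns.items()}
    return {k: n for k, n in half_open.items() if n >= threshold}


def detect_smurf(packets, broadcast_addrs):
    """Echo requests to a broadcast address: every host on that subnet replies to p.src."""
    return [p for p in packets
            if p.proto == "ICMP" and p.icmp_type == 8 and p.dst in broadcast_addrs]


# Constructed log: one legitimate client that completes the handshake, five bare
# SYNs from distinct sources, one LAND packet, and one echo request to the subnet
# broadcast carrying the victim's address as source.
SAMPLE_LOG = """\
0.00 TCP 198.51.100.10 192.0.2.1 80 S -1
0.01 TCP 198.51.100.10 192.0.2.1 80 A -1
0.10 TCP 203.0.113.5 192.0.2.1 80 S -1
0.11 TCP 203.0.113.6 192.0.2.1 80 S -1
0.12 TCP 203.0.113.7 192.0.2.1 80 S -1
0.13 TCP 203.0.113.8 192.0.2.1 80 S -1
0.14 TCP 203.0.113.9 192.0.2.1 80 S -1
0.20 TCP 192.0.2.1 192.0.2.1 80 S -1
0.30 ICMP 192.0.2.1 192.0.2.255 0 - 8
"""
BROADCAST = {"192.0.2.255"}   # assumed /24 broadcast address of the victim's subnet


def analyse(log_text=SAMPLE_LOG):
    """Run all three detectors over a log and return their findings."""
    packets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "syn_flood": detect_syn_flood(packets),
        "land": [(p.src, p.dst) for p in detect_land(packets)],
        "smurf": [(p.src, p.dst) for p in detect_smurf(packets, BROADCAST)],
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(f"{name}: {hits}")
```

Note that the LAND packet also counts as an unacknowledged SYN, so the flood counter reports six half-open sources for 192.0.2.1:80, not five; on real traffic the SYN counter should be evaluated over a sliding time window rather than the whole capture.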


The attack characteristic

A distributed denial of service attack is distributed in form: the attack pattern changes from the traditional point-to-point model to an irregular many-to-one one. The attack also uses common protocols and services, so it is difficult to tell the attack traffic apart from normal traffic. During an attack the packets are disguised and the source IP addresses are forged, so the attacker's real address is always uncertain and hard to find. All of this makes detecting a distributed denial of service attack difficult.



Classification

ARP attack

The ARP protocol is connectionless. When a host receives an ARP reply from the attacker, it accepts all the information in the reply and refreshes its ARP cache. ARP requests carrying false source address information and ARP replies carrying false destination address information keep the higher layers too busy to answer any other normal request, and the target computers lose their network communication capability. ARP redirection attacks are one example.


ICMP attack

The attacker sends many ICMP Echo Request packets to the multicast address of a subnet with the source address changed to the address of the computer to be attacked. As a result, every computer on the subnet replies to the Echo Request and sends packets to the target computer, and the network is blocked.


IP attack

In TCP/IP, an IP datagram travelling through the network may be divided into much smaller fragments, which are reassembled after they arrive at the destination. The reassembly process has weaknesses because of insufficient checking: an attacker can exploit overlapping fragments during reassembly to crash the server kernel.
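The defensive fix for the reassembly weakness just described is to validate the fragment set before any byte is copied: reject overlapping ranges, gaps, duplicate final fragments and data beyond the final fragment instead of trusting the offsets. The model below is an added illustration written for this page, not the page's or any kernel's code; offsets are kept in bytes (real IP counts them in 8-byte units) and the fragment sets are constructed.

```python
"""Reassemble IP-style fragments while rejecting the overlaps the page describes.

Added illustration; offsets are in bytes (real IP counts them in 8-byte units) and
the fragment records are constructed, so this models the check, not kernel code.
"""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset of this piece within the original datagram
    more: bool     # True unless this is the final fragment (IP "more fragments" flag)
    data: bytes


class FragmentError(ValueError):
    """Raised instead of silently overwriting memory or crashing on a bad fragment set."""


def reassemble(fragments):
    """Return the datagram payload, or raise FragmentError on overlap, gap or length inconsistency."""
    accepted = []          # (start, end) ranges already placed, in offset order
    pieces = {}            # start -> data
    total = None           # total length implied by the final fragment
    for f in sorted(fragments, key=lambda f: f.offset):
        if not f.data:
            raise FragmentError("empty fragment")
        start, end = f.offset, f.offset + len(f.data)
        for s, e in accepted:                      # any shared byte is an overlap
            if start < e and s < end:
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if not f.more:
            if total is not None:
                raise FragmentError("more than one final fragment")
            total = end
        accepted.append((start, end))
        pieces[start] = f.data
    if total is None:
        raise FragmentError("final fragment missing")
    pos = 0
    for s, e in accepted:                          # contiguity check
        if s != pos:
            raise FragmentError(f"gap at byte {pos}")
        pos = e
    if pos != total:
        raise FragmentError("data beyond the final fragment")
    return b"".join(pieces[s] for s, _ in accepted)


def reassemble_safely(fragments):
    """Return (payload, None) on success or (None, reason) so the caller can log and drop."""
    try:
        return reassemble(fragments), None
    except FragmentError as exc:
        return None, str(exc)


# Constructed fragment sets
GOOD = [Fragment(6, True, b"world"), Fragment(0, True, b"hello "), Fragment(11, False, b"!")]
OVERLAP = [Fragment(0, True, b"hello "), Fragment(3, False, b"XXXX")]
GAP = [Fragment(0, True, b"ab"), Fragment(5, False, b"c")]

if __name__ == "__main__":
    for name, frags in (("GOOD", GOOD), ("OVERLAP", OVERLAP), ("GAP", GAP)):
        print(name, reassemble_safely(frags))
```

A reassembler that simply copied each fragment's bytes to `offset` would accept `OVERLAP` and let the second fragment overwrite part of the first; checking every new range against the ranges already accepted is what closes that hole.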


Application-level flood

The application layer includes SMTP, HTTP, DNS and many other protocols. SMTP defines how email is transferred between two computers. A server that follows the standard SMTP protocol does not verify the identity of a client when the client asks to send an email, and many mail servers also allow relaying. Attackers can continuously send junk email to the target, which uselessly occupies the server's resources.


Defense

Host settings:
(a). Close all unnecessary services.
(b). Limit the number of SYN half-open connections that can be open at the same time.
(c). Shorten the SYN half-open connection timeout.
(d). Apply system patches promptly.


Network settings:

(a). Firewall.
Deny hosts access to services that are not meant to be open. Limit the maximum number of SYN connections open at the same time. Restrict access from specific IP addresses. Enable the firewall's DDoS defense feature. Restrict the server's outbound access.
(b). Routers.
Set a proper rate limit for SYN packets. Set up a log server for the routers.


DDoS in the field of Cloud computing

In cloud computing, for example, an important service website often uses many IP addresses to reach more servers and balance load dynamically, so the website is not easily brought down by DDoS attacks.


Elasticity is the biggest difference between traditional local computer systems and cloud computing: the demand for computing resources can be met by dynamically increasing or decreasing capacity. The widespread adoption of server virtualization in cloud computing also makes dynamic load balancing very efficient and fully automated. When more service is needed, cloud infrastructure providers can automatically increase the number of servers and the network bandwidth. Because expansion is done by adding virtual machines and is easy to automate, it shows the advantages of cloud computing. Clearly, then, DDoS (distributed denial of service) attacks may have little adverse effect in the field of cloud computing.


