Distributed Denial of Service attacks have recently emerged as one of the most significant, if not the greatest, weaknesses of the Internet. This paper tries to explain how they work, why they are hard to counter today, and what will need to happen if they are to be brought under control. It is organized into four parts. The first is a synopsis of the current situation. The second is an in-depth explanation of exactly how this attack works, and why it is hard to deal with today. The third part describes the immediate remedies, what can be done today to help lessen this problem; and the final section describes the long-term picture, what will have to change to bring this class of problem under control, if not eliminate it entirely. At the end there are some references which helped make this paper possible.
Introduction
A Denial of Service (DoS) attack can be defined as an attack which makes a service unavailable to its valid users. A Distributed Denial of Service (DDoS) attack uses a collection of computers which flood the victim with a large number of requests; such attacks took out many well-known sites, including Google, eBay, etc., each of which was inaccessible for several hours. It is very hard to find out who is committing these attacks, and hard to defend against them. The network over which these attacks are carried out is the Internet, a public network spanning the whole world.
Detailed explanation of DDoS attacks
DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. The attacker then installs DDoS software on them, allowing them to control all these compromised machines and launch synchronized attacks on victim sites. These attacks usually exhaust bandwidth, router processing capacity, or network stack resources, breaking the network connectivity to the victims.
The cracker first breaks into weakly-secured computers, using well-known vulnerabilities in common network service programs and common weak configurations in operating systems. Once they break into a system, they perform some extra steps. First, they install software to mask the fact of the break-in and to conceal the traces of their subsequent activity. For example, the standard commands used to show running processes are replaced with new versions which fail to display the attacker's processes. Then they install a special process, used to remotely control the compromised machine. This process accepts commands over the Internet, and in reply to those commands it launches an attack over the Internet against some selected victim site. Finally, the compromised machine's IP address is recorded. All these steps are automated. At the moment of attack, the attacker runs a command which sends command packets to all the compromised machines, ordering them to launch a particular attack against a specific victim. When the attacker wishes to stop the attack, another command is used.
Now consider the victim's point of view. The first sign would be a router crash, and the traffic between you and the Internet will stop. Only a few traces can be performed, and the possibility of finding the cracker is very low, sometimes depending on luck. Once the cracker stops the attack after a few hours, you will come to know that thousands of compromised machines were used to launch the attack on your system. There is no way of finding the original attacker, so the trace stops there.
Classification of DDoS
DDoS attacks can be classified into two categories:
- Flood Attacks: In this case, the victim's machine is flooded with a large number of requests, which results in the system's shutdown.
- Logic or Software Attacks: A small number of malformed packets are crafted to exploit known software bugs on the targeted system.
Flood attacks include:
- TCP SYN Flood Attack: The attacker sends connection requests to the victim's machine with an unreachable source IP address. Numerous incomplete requests waste server resources, which ultimately leads to exhaustion of memory, CPU, etc.
- Smurf IP Attack: A cracker sends a number of ICMP echo requests to IP broadcast addresses with the victim machine's IP address as the source; in return, the hosts send their replies to the victim, which leads to traffic congestion on the victim's network.
- UDP Flood Attack: In this attack, the attacker sends UDP packets to random ports of the victim's system with a forged source IP address. In response, the victim sends replies to the unreachable address. The result can shut down the machine.
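A detector for the three flood patterns listed above, added here as an illustrative example rather than code from the paper: it classifies a window of packet summaries by the signature each attack leaves behind (SYNs never followed by an ACK from the same source, ICMP echo requests to broadcast addresses all carrying one source, one source spraying many UDP ports at one host). The record format, the thresholds and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Thresholds are assumptions chosen for this example, not values from the paper.
SYN_HALF_OPEN_THRESHOLD = 100   # unacknowledged SYN sources per destination
SMURF_ECHO_THRESHOLD = 50       # echo requests to broadcast addresses per (spoofed) source
UDP_PORT_SPREAD_THRESHOLD = 50  # distinct ports one source sprays at one destination

def is_broadcast(dst, prefixlen=24):
    """Assume /24 subnets: True if dst is that subnet's directed-broadcast address."""
    net = ip_network(f"{dst}/{prefixlen}", strict=False)
    return ip_address(dst) == net.broadcast_address

def classify_window(packets):
    """packets: iterable of (proto, src, dst, dport, info); info is the TCP flag
    string or the ICMP type name. Returns the suspected flood types and hosts."""
    syn_srcs, ack_srcs = defaultdict(set), defaultdict(set)
    echo_to_bcast, udp_ports = defaultdict(int), defaultdict(set)
    for proto, src, dst, dport, info in packets:
        if proto == "tcp" and info == "S":
            syn_srcs[dst].add(src)            # handshake opened ...
        elif proto == "tcp" and "A" in info:
            ack_srcs[dst].add(src)            # ... and completed by a reachable peer
        elif proto == "icmp" and info == "echo-request" and is_broadcast(dst):
            echo_to_bcast[src] += 1           # the (spoofed) src is who receives the replies
        elif proto == "udp":
            udp_ports[(src, dst)].add(dport)
    findings = {"syn_flood": [], "smurf_victim": [], "udp_flood": []}
    for dst, srcs in syn_srcs.items():
        if len(srcs - ack_srcs[dst]) >= SYN_HALF_OPEN_THRESHOLD:
            findings["syn_flood"].append(dst)
    for src, n in echo_to_bcast.items():
        if n >= SMURF_ECHO_THRESHOLD:
            findings["smurf_victim"].append(src)
    for (src, dst), ports in udp_ports.items():
        if len(ports) >= UDP_PORT_SPREAD_THRESHOLD:
            findings["udp_flood"].append((src, dst))
    return findings

def sample_window():
    """Constructed traffic window using documentation address ranges (not real hosts)."""
    victim, legit, spoofed = "203.0.113.10", "198.51.100.{}", "192.0.2.{}"
    pkts = [("tcp", spoofed.format(i), victim, 80, "S") for i in range(1, 151)]  # never ACKed
    for i in range(1, 21):                                                         # real clients
        pkts += [("tcp", legit.format(i), victim, 80, "S"), ("tcp", legit.format(i), victim, 80, "A")]
    pkts += [("icmp", victim, "198.51.100.255", 0, "echo-request")] * 60          # smurf amplifier
    pkts += [("udp", "192.0.2.200", "203.0.113.20", 1000 + p, "") for p in range(80)]
    return pkts
```

Running `classify_window(sample_window())` flags the SYN-flooded host, the smurf victim whose address was spoofed, and the source/destination pair of the UDP port spray, while the twenty completed legitimate handshakes are not counted.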
The above diagram explains the architecture of DDoS, which involves the hacker, masters, zombies and finally the victim. First the cracker creates masters (the least secure workstations), which are assigned to generate the zombies. The function of a zombie is to launch the attack on the victim's machine on behalf of the cracker. That is how, on the command of the hacker, numerous zombies attack a victim, which ultimately results in DDoS.
Methods in detecting and tracing DDoS
- Link Testing: Only works while the attack is in progress; input debugging is performed.
- Controlled Flooding: Iteratively flood each incoming link of the router; if the attack traffic decreases, that must be the guilty link.
- IP Traceback: The route from source to destination remains the same, through which we can trace.
Here we discuss what can be done to avoid being part of the problem, and what can be done if you are the victim. First and most important, secure your servers. It is easy to prioritize the machines to be secured, to determine which ones need attention most urgently. At the low end, dialup machines are the lowest worry.
Second, ensure that packets are being filtered at the point where you connect to the Internet, to prevent forged source addresses. This provides protection in both directions; it prevents your machines from being used to mount these attacks, if any are broken into, and it prevents some attacks that might help intruders break into your machines.
A third defensive measure prevents you from being used to mount the smurf attacks that are part of this pattern of DDoS. Packets directed at the broadcast address from outside the net are called IP directed broadcast packets, and should be blocked at the border. The command to do this on Cisco routers is "no ip directed-broadcast".
The above measures help ensure that your systems won't be used to help mount one of these attacks, and they are the place where you can be most effective today. But they don't help you defend against an attack like this; they just ensure that you won't inadvertently assist in one.
But in the final analysis, the only real defense against DDoS today is to not be sufficiently newsworthy to attract the attention of an attacker.
Long-term prospects
Two major developments are currently underway to help prevent DDoS attacks from remaining unmanageable. The primary one is ingress filtering. Today some routers can be told to do ingress filtering completely automatically, and nearly all the rest can be manually configured to do it.
Until recently, the normal way to configure email servers allowed "open relaying"; anyone could send a message to any email server, and it would accept it and do its best to deliver it to its final destination. Spammers exploited this to relay their torrents of junk mail. Shortly thereafter, people learned how to modify email servers to prevent open relaying; the fixed servers would accept email from anyone for their local users, and would accept email from their local users for anyone, but would refuse to relay email from one stranger to another. In the same way, ingress filtering will soon be the default configuration for new routers, and eventually there will be blacklists of sites whose routers don't provide this protection, and people will have to fix their routers if they want to be able to reach most of the Internet.
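The source-address filtering and directed-broadcast blocking described above (the second and third defensive measures, and the ingress filtering this section expects to become the router default), as an added example that is not part of the original paper: a simulation of the border-router decision in Python. The site prefixes, the record format and the sample traffic are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed border-router view: the prefixes that live inside this site
# (documentation ranges, not real networks).
INSIDE_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

def is_inside(addr):
    """True if addr belongs to one of our own prefixes."""
    return any(ip_address(addr) in net for net in INSIDE_PREFIXES)

def is_directed_broadcast(addr):
    """True if addr is the broadcast address of one of our prefixes
    (what 'no ip directed-broadcast' stops from being forwarded)."""
    return any(ip_address(addr) == net.broadcast_address for net in INSIDE_PREFIXES)

def border_filter(direction, src, dst):
    """direction is 'out' (leaving the site) or 'in' (arriving from the Internet).
    Returns (verdict, reason) where verdict is 'permit' or 'deny'."""
    if direction == "out" and not is_inside(src):
        # Egress rule: a compromised inside host cannot send forged sources out.
        return "deny", "egress-spoof"
    if direction == "in" and is_inside(src):
        # Ingress rule: nobody outside may claim one of our own addresses.
        return "deny", "ingress-spoof"
    if direction == "in" and is_directed_broadcast(dst):
        # Do not let outsiders use our subnets as smurf amplifiers.
        return "deny", "directed-broadcast"
    return "permit", "ok"

def filter_report(packets):
    """Apply the border filter to (direction, src, dst) records; return deny counts by reason."""
    return Counter(reason for d, s, t in packets
                   for verdict, reason in [border_filter(d, s, t)] if verdict == "deny")

# Constructed sample traffic at the border.
SAMPLE_PACKETS = [
    ("out", "203.0.113.5", "192.0.2.9"),       # normal outbound traffic
    ("out", "10.9.9.9", "192.0.2.9"),          # inside host sending a forged source
    ("in", "192.0.2.9", "203.0.113.5"),        # normal inbound traffic
    ("in", "203.0.113.5", "203.0.113.7"),      # outsider claiming an inside source
    ("in", "192.0.2.9", "203.0.113.255"),      # directed broadcast into the /24
    ("in", "192.0.2.9", "198.51.100.127"),     # directed broadcast into the /25
    ("in", "192.0.2.9", "198.51.100.255"),     # not ours (outside the /25): permitted
]
```

Note that the broadcast check follows the real prefix length, so 198.51.100.255 is an ordinary outside address for a site that only owns 198.51.100.0/25.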
Possibly the hardest part of the problem lies in notification. How do you contact the people who need to help you solve one of these problems, rapidly? It can take days to find and speak to the responsible systems administrator for a given machine, knowing only that machine's address. People are working out the design for an alert notification system, to help speed response.
Conclusion
Technology resisting DDoS attacks has drawn considerable attention in recent years. However, most existing approaches suffer from either a low detection rate, high deployment cost, or lack of effective attack response mechanisms. To effectively stop DDoS attacks, our approach needs to be deployed in routers serving as default gateways. With cooperating routers, our approach provides an effective defense mechanism against DDoS attacks.
References
- http://www.isi.edu/deter/community.meetings/CommMeet15jun06/presentations/1-schwab-EMIST-DDoS-June-2006.pdf