Indeed, these simple and cheap attacks can take websites down with little resources for several hours. Our very high security Cloud, CerberHost, provides solutions against these attacks, but it is still interesting to know how they work. A DoS or DDoS aims to exhaust the resources available to a server, most often those linked to the network. We separate here the application-layer DDoS from the network DDoS, since the methods are different, as is the way to block them.
Published (last): 16 August 2008
More than half of all attacks combined multiple attack types. The development of new protection mechanisms against such attacks is one of the most important tasks in the field of computer security.
We simulated several protection mechanisms as well as a mechanism developed by us. We compared these protection mechanisms for different kinds of attacks. Those kinds of attacks are executed as follows. The attacking nodes generate some requests where the source IP address is replaced by the IP address of the attacked host.
These requests are sent to servers or other devices that may be used to reflect network traffic. The replies to these requests are sent to the target node.
The mechanism of traffic reflection makes it harder to identify the real source of the attack. According to reports, in the total number of DDoS-attacks increased significantly, and those attacks became more powerful than before. More than half of all attacks were based on the UDP protocol. The most frequently attacked services mentioned are cloud environments, web financial corporations, political organizations, online commerce, media and entertainment companies, as well as telecommunications.
According to analysts, in it is expected that DDoS-attacks will become more and more powerful and complicated, and their total number is supposed to increase. The tendency to combine various types of attacks in a single attack increases the requirements on the mechanisms of abnormal traffic detection. The mechanism of traffic reflection makes the identification of the real source of the attack more complicated, since from the victim's point of view the source of the attack is the reflecting server, which a priori is a legitimate site.
Therefore, protection methods for traditional DDoS-attacks are unable to adequately detect DRDoS-attacks and to identify the sources of these attacks.
When using only traffic reflection, high attack power cannot be achieved, but some vulnerabilities of specific protocols allow the reflected traffic to be amplified, thereby significantly increasing the attack power. Some requests cause responses that are several times larger than the requests themselves. Thus, attackers do not need to send a large amount of traffic to carry out the attack successfully; it is enough to send small requests while still obtaining the desired effect.
Record values of attack power were achieved by attacks based on traffic reflection and amplification. In  14 popular protocols that can be used to implement reflection attacks with amplification were described. These protocols are based on UDP. They can be used for other types of DRDoS-attack with appropriate modifications.
Furthermore, the use of certain methods for protection against multiple types of attacks may require a large volume of memory. It is therefore necessary to develop protection methods against any DRDoS-attack that do not require a large amount of resources, taking into account not only the reflection mechanism in general but also the characteristics of each type of attack. In this paper, we propose a new method of protection against DRDoS-attacks and carry out experiments to test its effectiveness in comparison with existing methods.
Nowadays, many groups are doing research on DRDoS attacks and protection mechanisms against them. In  the authors propose a protection method that is based on the fact that the victim receives more replies than the requests it sent.
The authors propose to monitor to which DNS servers the requests were sent from each node and store the information in a database. All replies from a DNS server are checked and if the incoming packet is really a reply to the request it will be accepted.
If the node did not send the DNS request, the response is rejected. It is designed to limit the number of unique responses from the DNS server. This protection mechanism is used on the DNS server side and analyzes outgoing traffic only.
It completely ignores the incoming traffic. The method is based on the fact that the addresses to which the replies were sent are recorded. The number of replies from the server to each address is limited.
If this limit is exceeded, no answers will be sent. In  a method based on the detection of traffic deviation with respect to a template is proposed.
The authors analyzed the number of incoming packets of the DNS protocol as well as their size. If the number and size of the packets exceed a predetermined value, the situation is recognized as an attack.
In this paper, we compare the performance of some of the protection mechanisms against DRDoS attacks using the developed simulation library. We also propose a protection mechanism against DRDoS attacks which has been designed using our simulation library. Experiments have shown that the developed protection mechanism is quite versatile and an effective method to protect against DRDoS-like attacks. In this section, we discuss experiments on reflection attacks and protection mechanisms against them.
To perform the experiments, the simulation environment described in  was used. The authors have created models of various types of servers used to reflect traffic. For each protocol, we developed models of legitimate traffic and attack traffic, taking into account differences in the packet header and data field.
Depending on the request content, different responses are generated; in some cases traffic amplification is realized. For our experiments, we chose the DAAD and RRL methods since they are deployed at different locations and are based on different rules.
In the simulation, the DAAD method has a database which stores the destination addresses of the DNS requests sent from the local network. After receiving a DNS packet, its source address is checked against the records in the database. If the address is in the database, the packet is passed and the entry is deleted from the database. Adding a new record to the database takes into account only the fact that a request was sent from a particular source address to a particular destination address using a particular port.
The RRL protection mechanism is used on the server side that is used for reflection and analyzes outbound traffic only. The destination addresses are recorded. The number of responses for each address is limited. If the threshold is exceeded, answers to this address are no longer sent. In this experiment the threshold was  packets, with a locking time of 5 seconds. At first, we describe a reflection attack with small amplification.
The attack power was 6. Legitimate and attacking nodes were located in several local networks, and traffic reflection was performed by 3 DNS servers. The amplification factor was 3. The figures show the false positive (FP) errors (Fig.). The DAAD method does not analyze the request type or its content.
Similarly, after receiving the responses they are not analyzed by type or content. The main factor is the number of requests sent from a particular node. The reason for the errors is as follows. If the victim server sends a legitimate request to a DNS server, its address is stored in the database. If the same DNS server is used for traffic reflection, the malicious packet can be passed, since its source address is stored in the database.
If the legitimate response comes after the malicious packet has been passed, there is no longer an entry with that source address and the legitimate packet is blocked. The experiment showed that with the proposed algorithm all legitimate answers to requests reached their destination; an incorrect blocking of a packet occurred only once, and the error of the first kind is practically absent.
A certain number of packets were passed incorrectly because the attacked network itself contained nodes generating attack requests. Since their source address was changed to the address of the victim, these requests were recorded when leaving the local network, and the answers to them were regarded as legitimate. The RRL method likewise does not analyze the content of outgoing packets; the only restriction is on the number of packets sent to the same address. Thus, all malicious packets are passed until the threshold value is reached.
Moreover, if responses to legitimate requests are sent during the lockout, they are blocked as well. The lockout period and the threshold may vary; however, increasing the threshold will increase the number of passed malicious packets.
In contrast, decreasing the threshold may increase the number of blocked legitimate packets. Increasing the blocking time will also lead to more false positive errors. Reducing this period will allow a greater number of malicious packets to reach the target.
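To make the two error mechanisms described above concrete, the following constructed toy (added here; not the authors' simulation library) replays the DAAD failure from the DNS experiment, where a reflected reply consumes the stored entry so the genuine reply is then blocked, and the RRL threshold/lockout trade-off, where the reply that trips the limit is dropped whether it is malicious or legitimate. Addresses, threshold and timings are invented sample values.

```python
# Constructed toy of the two filters the page compares; not the authors' code.
from collections import Counter, namedtuple
Packet = namedtuple("Packet", "src dst port inbound")  # inbound: enters the LAN

class DAAD:
    """Victim side: an inbound DNS reply passes only if a matching request
    left the network; the stored entry is consumed by the first such reply."""
    def __init__(self):
        self.db = Counter()  # (local host, server, port) -> pending requests

    def filter(self, pkt):
        if not pkt.inbound:
            self.db[(pkt.src, pkt.dst, pkt.port)] += 1
            return "out"
        key = (pkt.dst, pkt.src, pkt.port)
        if self.db[key] > 0:
            self.db[key] -= 1
            return "pass"
        return "block"

def daad_reflection_case():
    """Page's error case: the victim queries server A, a spoofed reply reflected
    by A arrives first and is passed, then the genuine reply finds no entry."""
    f = DAAD()
    events = [Packet("10.0.0.5", "198.51.100.1", 53, False),  # legitimate query
              Packet("198.51.100.1", "10.0.0.5", 53, True),   # reflected reply
              Packet("198.51.100.1", "10.0.0.5", 53, True)]   # genuine reply
    return [f.filter(p) for p in events]  # ['out', 'pass', 'block']

class RRL:
    """Reflector side: after more than `threshold` replies to one address,
    refuse further replies to it for `lock_time` seconds, legitimate or not."""
    def __init__(self, threshold, lock_time):
        self.threshold, self.lock_time = threshold, lock_time
        self.sent, self.locked_until = Counter(), {}

    def allow(self, dst, now):
        if self.locked_until.get(dst, -1.0) > now:
            return False
        self.sent[dst] += 1
        if self.sent[dst] > self.threshold:
            self.locked_until[dst] = now + self.lock_time
            self.sent[dst] = 0
            return False
        return True

def rrl_lockout_case(threshold=3, lock_time=5.0):
    """Replies to one address at t=0,1,2,3,9: the fourth trips the limit."""
    r = RRL(threshold, lock_time)
    return [r.allow("10.0.0.5", t) for t in (0, 1, 2, 3, 9)]
```

Raising `threshold` lets more reflected replies through before the lock engages; lowering it, or lengthening `lock_time`, blocks more legitimate replies, which is the trade-off the text describes.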
Therefore, almost all legitimate packets reached their destination node, because the proposed mechanism analyzes not only the event of sending packets over a vulnerable protocol but also the type of request. This helps to distinguish packets by type and not to let amplified responses pass in place of responses to standard requests.
We put some attacking nodes in the same network as the victim server; the spoofed requests of such nodes were rated as legitimate, and the responses to them were rated legitimate as well. This caused the false negative error. Further experiments simulating attacks that implement traffic reflection with amplification were performed. As an example of such an attack, an NTP-based attack was performed. Legitimate and attacking nodes were located in several local networks, and traffic reflection was carried out with the help of three NTP servers.
The amplification factor was  Since legitimate NTP traffic is usually small, the number of missed incoming packets did not exceed the number of outbound ones and was accordingly low. However, there are some false positive and false negative errors. The reason for the errors is the same as discussed in the section dedicated to the modeling of DNS protocol attacks.
Obviously, attacks based on reflection represent a serious threat to computer networks. It is therefore necessary to develop methods for their detection and improve their accuracy. As can be seen from Table 1, in the experiments the proposed method showed the same error of the second kind as the DAAD method.
However, for the attack scenarios, the proposed method showed the best result for the error of the first kind. For the attacks based on the NTP protocol, similar results were obtained. We compare the results. As can be seen from Table 2, the proposed method again showed the same result for the false negative error as DAAD, but showed the best result for the false positive error.
It means that during the attack there were almost no blocked legitimate packets.
Development of protection mechanisms against DRDoS-attacks and combined DRDoS-attacks
Hacking techniques evolve rapidly, so keeping your finger on the pulse is essential for protecting your website. A DDoS attack, as we know, happens when a group of computers generates a huge amount of traffic to flood a website, overwhelming the server so that it crashes, meaning that legitimate traffic cannot reach the site. A botnet is the name for the collection of computers that have been infected by a virus or malware for this purpose. Control over these botnet computers is taken by the person who installed the virus or malware, known as a botnet herder.