Denial of Service (DoS) Detection, Prevention, and Mitigation Techniques
Author Amy L. Wees
Today most businesses host websites where customers can access their account information and employees can access timecards, conduct discussions, input customer information, track financials, and perform countless other activities. Without access to a network, productivity and profitability plummet. Denial of Service attacks aim large amounts of traffic at a server, causing it to crash or become overloaded and limiting access for legitimate customers. Denial of Service (DoS) attacks can do a lot of damage with little warning and leave the victim with much to recover from (Goldman, 2012). For this reason it is imperative to detect, prevent, and mitigate DoS attacks where possible. This paper aims to summarize methods for DoS detection, prevention, and mitigation based on the research of three separate sources.
Denial of Service (DoS) Detection, Prevention, and Mitigation Techniques
Corporations, schools, government agencies, and even home computer users conduct most of their business on a computer network by sharing information, resources, and files. This networking can be accomplished on a closed network or, in most cases, from one network or host to another via the Internet. As soon as information travels over the wire from one place to the next, it becomes vulnerable to interception, corruption, theft, or misuse. Information entering a network from the Internet can also expose an entire network and its hosts to viruses, Trojans, other malware, and a myriad of other dangerous possibilities.
Today most businesses host websites where customers can access their account information and employees can access timecards, conduct discussions, input customer information, track financials, and perform countless other activities. Without access to a network, productivity and profitability plummet. In September 2012, the websites of Bank of America, Wells Fargo, PNC, JP Morgan, and US Bank were inaccessible to customers for over a week during the largest reported Denial of Service attacks in history (Goldman, 2012). Denial of Service attacks aim large amounts of traffic at a server, causing it to crash or become overloaded and limiting access for legitimate customers. In the bank attacks, compromised application servers in various locations were organized into a botnet and used to overwhelm the banks' servers, resulting in an extended period of blocked access to customer financial information (Goldman, 2012). Botnets are often built from distributed computers that have been taken over without the owner's knowledge through viruses or other malware. Although this type of attack was thought to require a lot of preplanning, it was not very sophisticated, which proves that Denial of Service (DoS) attacks can do a lot of damage with little warning and leave the victim with much to recover from (Goldman, 2012). For this reason it is imperative to detect, prevent, and mitigate DoS attacks where possible.
This paper aims to summarize methods for DoS detection, prevention and mitigation based on the research of three separate sources. The research papers chosen for this summary are as follows:
1. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms by Jelena Mirkovic and Peter Reiher
2. DDoS attacks and defense mechanisms: classification and state-of-the-art by Christos Douligeris and Aikaterini Mitrokotsa
3. Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems by Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao
These sources were selected because each uses a similar methodology in analyzing DoS attacks. Each paper explores the different types of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, the tools available both to perpetrate and to defend against attacks, and prevention or mitigation techniques. Where other research works focus on a single technique for detection and prevention, such as Internet Protocol (IP) traceback, packet filtering, or flow control, the works listed above examine a broad range of practices for DoS and DDoS detection, prevention, and mitigation based on the situations presented.
There is not one clear path for detecting DoS or DDoS attacks. Detection depends very much on the type of attack, the target, and the perpetrator's method. This paper will first describe the various types of attack and then, based on the sources chosen, list methods for detection, prevention, or mitigation. Accidental denial of service, such as that caused by a misconfigured computer or router, will not be considered in this summary.
DoS attacks can be categorized by the layer or mechanism they exploit: the network device layer, the operating system layer, the application layer, data flooding, and protocol features (Douligeris & Mitrokotsa, 2004). Examples of these attacks and of detection, prevention, and mitigation strategies follow.
Network Layer Attack
At the network layer, attacks target weaknesses in the software or hardware of devices such as routers. For example, Cisco 700 series routers are known to have a buffer overrun in the password checking routine. This weakness can be exploited by connecting to the router via telnet and entering lengthy passwords (Douligeris & Mitrokotsa, 2004). Routers can also be exploited through IP spoofing, where IP packets containing forged source addresses are sent through the router. Since IP provides no source authentication and routers have no traceback mechanism, the packets continue on their path with no way for the receiving target to detect what is happening or where the packets are really coming from (Peng, Leckie, & Ramamohanarao, 2007). The problem is that spoofed packets congest the available bandwidth, crowding out legitimate traffic until service is denied altogether.
Network Attack Detection
Router-based attacks can usually be detected by monitoring the amount of traffic across the network. If the traffic is unusually high, this may be reason for concern. Attacks launched at varying rates, rather than at a constant rate, may be more difficult to recognize (Mirkovic & Reiher, 2004). A detection method called MULTOPS is mentioned by Mirkovic and Reiher (2004). MULTOPS keeps per-address (or per-subnet) counts of packets flowing to and from each address and flags a disproportion between the two rates, since normal traffic is roughly symmetric while flood traffic is not. This allows the victim to identify the likely attack source and filter or block the offending IP addresses immediately and in the future.
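The MULTOPS idea described above, written out as an added example (this is illustrative code, not the MULTOPS implementation or code from any of the cited papers). It aggregates a constructed packet trace seen at the victim's border router into per-/24 "packets to" and "packets from" counters and flags any external prefix whose inbound rate is far out of proportion to the victim's replies. The protected prefix, the /24 aggregation, the 3:1 ratio, and the 20-packet minimum are assumed parameters chosen for the example.

```python
"""MULTOPS-style detection of a packet-rate disproportion (added example).

Normal two-way traffic is roughly symmetric: a host that receives N packets
from a peer sends a comparable number back. A flood breaks that symmetry:
far more packets go to the victim than come back from it, because the
overloaded victim (or a spoofed source that never asked for anything)
answers few of them. This example keeps flat per-/24 counters rather than
MULTOPS' tree of tables; the parameters below are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VICTIM_NET = ip_network("198.51.100.0/24")   # assumed: the protected prefix


def prefix_of(addr, plen=24):
    """Map an address to its aggregation prefix, e.g. 192.0.2.7 -> 192.0.2.0/24."""
    return str(ip_network(f"{addr}/{plen}", strict=False))


def rate_table(packets, plen=24):
    """Count packets crossing the border, keyed by the external prefix.

    packets: iterable of (src, dst) address strings as seen at the border
    router. Internal-to-internal and external-to-external traffic is ignored.
    """
    to_victim = defaultdict(int)     # external prefix -> packets sent into VICTIM_NET
    from_victim = defaultdict(int)   # external prefix -> packets VICTIM_NET sent back
    for src, dst in packets:
        s, d = ip_address(src), ip_address(dst)
        if d in VICTIM_NET and s not in VICTIM_NET:
            to_victim[prefix_of(src, plen)] += 1
        elif s in VICTIM_NET and d not in VICTIM_NET:
            from_victim[prefix_of(dst, plen)] += 1
    return to_victim, from_victim


def suspicious_prefixes(packets, ratio=3.0, min_packets=20, plen=24):
    """Return [(prefix, packets_to_victim, packets_from_victim)] for prefixes
    whose inbound count exceeds `ratio` times the victim's replies.
    `min_packets` avoids flagging a prefix on a handful of packets."""
    to_v, from_v = rate_table(packets, plen)
    flagged = []
    for prefix, n_to in to_v.items():
        n_from = from_v.get(prefix, 0)
        if n_to >= min_packets and n_to > ratio * max(n_from, 1):
            flagged.append((prefix, n_to, n_from))
    return sorted(flagged)


def sample_trace():
    """Constructed packet trace (not captured data): (src, dst) pairs."""
    pkts = []
    # Legitimate client: 10 requests in, 10 replies out (symmetric).
    for _ in range(10):
        pkts.append(("203.0.113.5", "198.51.100.10"))
        pkts.append(("198.51.100.10", "203.0.113.5"))
    # Flood from many hosts in 192.0.2.0/24; the overloaded victim answers only 2.
    for i in range(60):
        pkts.append((f"192.0.2.{(i % 250) + 1}", "198.51.100.10"))
    pkts.append(("198.51.100.10", "192.0.2.7"))
    pkts.append(("198.51.100.10", "192.0.2.9"))
    return pkts


if __name__ == "__main__":
    for prefix, n_to, n_from in suspicious_prefixes(sample_trace()):
        print(f"{prefix}: {n_to} packets in, {n_from} replies out -> suspicious")
```

Aggregating by prefix rather than by individual source address is what makes this usable against spoofed floods: each spoofed packet may carry a different source, but the counters for the prefix they fall into still show the disproportion.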
Network Attack Prevention and Mitigation
Mitigating attacks against routers or domain name service (DNS) servers can be accomplished by setting up secondary fail-over resources within the network design (Mirkovic & Reiher, 2004). To prevent attacks, Peng, Leckie, and Ramamohanarao (2007) recommend packet filtering at the router to stop spoofed traffic from entering the network, with the caveat that filtering requires extensive deployment to be effective. Traffic should be filtered when entering and when leaving the network, and at each router along the way, so that traffic allowed into one part of the network can still be dropped further along if it does not meet that network's criteria.
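The router-side source-address filtering recommended above, as an added example (illustrative code, not from the cited papers or from any router vendor). The check known as ingress filtering drops packets leaving a customer network whose source address is not in the prefix assigned to that customer, and the mirror check drops packets arriving from the Internet that claim an internal or private/reserved source. The customer prefix, the bogon list, and the packet records are assumed values constructed for the example.

```python
"""Source-address filtering at a border router (added example).

Assumed topology: the router sits between a customer network that was
assigned 198.51.100.0/24 and the Internet. A packet is a tuple
(direction, src, dst) where direction is "out" (customer -> Internet)
or "in" (Internet -> customer).
"""
from ipaddress import ip_address, ip_network

CUSTOMER_NET = ip_network("198.51.100.0/24")   # assumed customer prefix

# Addresses that should never appear as a source on packets from the Internet:
# "this" network, RFC 1918 private space, loopback, multicast and reserved.
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def outbound_ok(src):
    """Ingress filtering (RFC 2827): a packet leaving the customer network
    must carry a source address inside the customer's own prefix."""
    return ip_address(src) in CUSTOMER_NET


def inbound_ok(src):
    """A packet arriving from the Internet must not claim an internal source
    (that would be a spoof of our own hosts) nor a bogon source."""
    addr = ip_address(src)
    if addr in CUSTOMER_NET:
        return False
    return not any(addr in bogon for bogon in BOGONS)


def filter_packets(packets):
    """Apply the direction-appropriate check; return (accepted, dropped)."""
    accepted, dropped = [], []
    for direction, src, dst in packets:
        ok = outbound_ok(src) if direction == "out" else inbound_ok(src)
        (accepted if ok else dropped).append((direction, src, dst))
    return accepted, dropped


# Constructed sample packets (not captured traffic).
SAMPLE = [
    ("out", "198.51.100.7", "203.0.113.1"),    # legitimate outbound
    ("out", "192.0.2.99", "203.0.113.1"),      # spoofed: source outside customer prefix
    ("in", "203.0.113.1", "198.51.100.7"),     # legitimate inbound
    ("in", "198.51.100.7", "198.51.100.8"),    # spoofed: claims an internal source
    ("in", "10.0.0.5", "198.51.100.7"),        # spoofed: private source from the Internet
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE)
    for pkt in dropped:
        print("DROP", pkt)
    print(f"{len(accepted)} accepted, {len(dropped)} dropped")
```

The outbound check is the one that only works with wide deployment, as the text notes: it does nothing for the victim of a flood unless the attacker's upstream provider has deployed it, whereas the inbound check protects the local network on its own.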
Operating System and Host Attacks
Attacks on operating systems exploit weaknesses in how protocols are implemented. An example is the Internet Control Message Protocol (ICMP) flood. In a "smurf" attack, the attacker sends an ICMP echo request to a network's broadcast address with the victim's address forged as the source; the router delivers the request to every host on that network, and when all of those hosts send their echo replies to the forged source, the traffic floods the victim's network (Peng, Leckie, & Ramamohanarao, 2007). Another ICMP-related attack is the ping of death, which sends echo requests larger than the maximum IP packet size and crashes the victim's machine (Douligeris & Mitrokotsa, 2004).
The SYN flood attack exploits the three-way handshake required to open a TCP connection in order to exhaust the memory of the targeted machine. The attacker sends SYN packets with spoofed source addresses; for each one, the target records a half-open connection, sends a SYN-ACK, and waits for the final ACK to complete the handshake. Because no ACK will ever come back from the spoofed address, the half-open connections accumulate until the target's connection backlog is full, and new connection attempts from legitimate clients are refused until the stale entries time out (Peng, Leckie, & Ramamohanarao, 2007).
Operating System and Host Detection
To detect TCP SYN floods, Mirkovic & Reiher (2004) describe standard (signature-based) detection that uses a rule-set to flag an abnormal number of half-open TCP connections, which can then be deleted from the connection table. Batch (anomaly) detection can also be used to detect SYN floods; it collects statistical information about incoming traffic over time and signals an attack when the traffic pattern changes (Peng, Leckie, & Ramamohanarao, 2007).
Operating System and Host Prevention and Mitigation
Mitigation of the ICMP (smurf) flood can be accomplished by configuring routers not to forward directed broadcasts, so that an echo request addressed to a broadcast address is dropped at the network edge, and by configuring hosts not to answer broadcast echo requests. To prevent a SYN flood, the operating system can be set to limit the number of TCP connections waiting for a response and to drop them after a timeout period (Peng, Leckie, & Ramamohanarao, 2007). To further reduce exposure to TCP SYN attacks, the protocol stacks on host machines should be patched and updated often (Mirkovic & Reiher, 2004).
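The SYN-flood mechanics, the half-open-connection detection rule, and the backlog-limit-plus-timeout mitigation discussed in the preceding sections, combined into one added example (illustrative code, not an operating system's TCP implementation and not code from the cited papers). It models the server-side half-open connection table, replays a constructed handshake trace in which one legitimate client connects once per second while 100 spoofed SYNs arrive in half a second, and reports how many legitimate connections completed, how many SYNs were refused, and when a half-open-count rule would have fired. The backlog size, timeout, alert threshold, and trace are assumed values.

```python
"""Half-open TCP connection table under a SYN flood (added example).

Assumed parameters: backlog of 64 half-open entries, 3-second timeout,
alert when 32 or more entries are half-open. The trace is constructed.
"""
from collections import OrderedDict


class HalfOpenTable:
    """Connections that have received SYN and sent SYN-ACK but no ACK yet."""

    def __init__(self, backlog=64, timeout=3.0):
        self.backlog = backlog        # OS limit on half-open connections
        self.timeout = timeout        # seconds before a half-open entry is dropped
        self.table = OrderedDict()    # (src, sport) -> time the SYN arrived
        self.refused = 0              # SYNs rejected because the backlog was full
        self.completed = 0            # handshakes that finished with an ACK

    def expire(self, now):
        """Drop entries older than the timeout; return how many were dropped."""
        stale = [k for k, t in self.table.items() if now - t > self.timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def syn(self, src, sport, now):
        """Handle an incoming SYN: queue it, or refuse it if the backlog is full."""
        self.expire(now)
        if len(self.table) >= self.backlog:
            self.refused += 1
            return False
        self.table[(src, sport)] = now
        return True

    def ack(self, src, sport, now):
        """Handle the final ACK: complete the handshake if the entry still exists."""
        if self.table.pop((src, sport), None) is None:
            return False              # refused earlier or already timed out
        self.completed += 1
        return True


def run_scenario(events, backlog=64, timeout=3.0, alert_threshold=32):
    """Replay (time, kind, src, sport) events; kind is "SYN" or "ACK".
    Returns handshake statistics plus the time the half-open rule first fired."""
    tbl = HalfOpenTable(backlog, timeout)
    first_alert, peak = None, 0
    for t, kind, src, sport in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            tbl.syn(src, sport, t)
        else:
            tbl.ack(src, sport, t)
        peak = max(peak, len(tbl.table))
        if first_alert is None and len(tbl.table) >= alert_threshold:
            first_alert = t           # the signature rule: too many half-open connections
    return {"completed": tbl.completed, "refused": tbl.refused,
            "peak_half_open": peak, "first_alert": first_alert}


def sample_events():
    """Constructed handshake trace, not captured traffic."""
    ev = []
    for i in range(8):                # one legitimate client, a new connection each second
        ev.append((float(i), "SYN", "203.0.113.5", 40000 + i))
        ev.append((i + 0.1, "ACK", "203.0.113.5", 40000 + i))
    for j in range(100):              # flood: spoofed sources, SYNs only, never an ACK
        ev.append((2.013 + j * 0.005, "SYN", f"192.0.2.{j % 200 + 1}", 1000 + j))
    return ev


if __name__ == "__main__":
    print("timeout 3.0s:", run_scenario(sample_events()))
    print("timeout 1.0s:", run_scenario(sample_events(), timeout=1.0))
```

With the 3-second timeout the flood fills the backlog at about t=2.3 s and the legitimate connections attempted at t=3, 4, and 5 s are refused; shortening the timeout to 1 s clears the stale entries sooner, so only the attempt at t=3 s is lost. That is the trade-off the text describes: a smaller backlog and shorter timeout protect the table at the cost of dropping slow but genuine clients.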
Application Layer Attacks
Applications on hosts can also be attacked through their own vulnerabilities. One instance given by Mirkovic & Reiher (2004) is attacking an authentication server by sending it large numbers of bogus signatures, each of which it must spend CPU time verifying. The server will otherwise continue to function, but any application that depends on it for authentication becomes unavailable to users.
A more commonly seen application-level attack is high traffic on a website causing the web server to crash. This can be accomplished through a website's search engine, forms, or account request pages, or simply through the number of simultaneous visits, as in an HTTP flood. Because the Internet is used so heavily, most firewalls allow open traffic on port 80 (HTTP), making it a prime target for attack. During an HTTP flood, compromised hosts organized into a botnet flood the web server with requests. Most botnet software is designed to help attackers avoid detection by hiding the controlling IP addresses, and bots can repeatedly request large files from the site so that each request consumes even more bandwidth (Peng, Leckie, & Ramamohanarao, 2007).
Detection of Application Attacks
Detecting application attacks is problematic because there is often not a complete denial of service, the malicious activity level is very low, and the individual packets are well formed and not readily distinguishable from legitimate ones. In order to detect application-level attacks, Mirkovic & Reiher (2004) recommend monitoring each application through the intrusion detection system and screening regularly for suspicious activity. HTTP floods can be detected by looking for repeated requests for large files, which the server can then block (Peng, Leckie, & Ramamohanarao, 2007).
Prevention and Mitigation of Application Layer Attacks
Douligeris & Mitrokotsa (2004) reference throttling as a mitigation tactic. A web server that is becoming overloaded can ask upstream routers to install throttles, so that all traffic passing through those routers toward the server is limited to the configured rate. This prevents the web server from becoming overloaded and crashing. Because the throttle caps the aggregate rate, the high-volume streams generated by repeated large-file requests are the ones cut back, while legitimate requests are still allowed through. The throttling method has not yet been proven in a large commercial setting.
Mirkovic & Reiher (2004) recommend overall system security as a defense against DDoS attacks: ensuring that intrusion prevention and detection systems are in place and that all hosts are kept patched. The idea is that attackers are able to gain control of zombie machines for botnets because so many machines are not secured properly. If simple security recommendations were followed, the chances of attackers assembling such an army of machines would be reduced, and the scale of attack would be reduced with it.
Denial of service and distributed denial of service attacks can happen at many different layers and levels within a network. The examples given in this paper only scratch the surface of what is possible. The sources used for this summary offer a wealth of information on the detection, prevention, and mitigation of these attacks, all of which is significant for understanding the scope of the problem. Most importantly, they provide a way ahead for securing systems against specific attacks and confirm the difficulty of completely detecting, preventing, and mitigating denial of service attacks.
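The two application-layer techniques discussed above, detecting an HTTP flood by repeated requests for large files and throttling the volume a source may pull from the server, as one added example (illustrative code, not from the cited papers and not a web server or router feature). It parses constructed access-log lines in a simplified format, flags any client that fetches the same large file five or more times within ten seconds, and applies a token-bucket throttle measured in bytes. The throttle here is applied per client at the server rather than as an aggregate router throttle, which is a simplification; the log format, size thresholds, and rates are assumed values.

```python
"""HTTP flood detection and byte-rate throttling (added example).

Assumed simplified log format (constructed, not a real server log):
    <epoch_seconds> <client_ip> <method> <path> <status> <bytes>
"""
from collections import defaultdict, deque

LARGE_BYTES = 1_000_000    # assumed: responses this big count as "large files"
REPEAT_LIMIT = 5           # assumed: repeats of one large file that trigger a flag
WINDOW = 10.0              # assumed: seconds over which repeats are counted


def parse_log(lines):
    """Turn log lines into records sorted by time."""
    recs = []
    for line in lines:
        t, ip, method, path, status, size = line.split()
        recs.append({"t": float(t), "ip": ip, "method": method, "path": path,
                     "status": int(status), "bytes": int(size)})
    return sorted(recs, key=lambda r: r["t"])


def find_large_file_repeaters(records):
    """Detection: {(ip, path): time_flagged} for clients that requested the same
    large file REPEAT_LIMIT or more times inside a WINDOW-second sliding window."""
    recent = defaultdict(deque)      # (ip, path) -> times of recent large responses
    flagged = {}
    for r in records:
        if r["bytes"] < LARGE_BYTES:
            continue
        key = (r["ip"], r["path"])
        q = recent[key]
        q.append(r["t"])
        while q and r["t"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= REPEAT_LIMIT and key not in flagged:
            flagged[key] = r["t"]
    return flagged


class TokenBucket:
    """Throttle in bytes: refills at `rate` bytes/s up to `burst` bytes."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now, cost):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def throttle(records, rate, burst):
    """Mitigation: serve a response only if the client's bucket can pay for its
    size in bytes. Returns ({ip: served}, {ip: dropped})."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    served, dropped = defaultdict(int), defaultdict(int)
    for r in records:
        target = served if buckets[r["ip"]].allow(r["t"], r["bytes"]) else dropped
        target[r["ip"]] += 1
    return dict(served), dict(dropped)


def sample_log():
    """Constructed log lines: one ordinary visitor and two bots pulling a 50 MB file."""
    lines = [f"{1000.0 + i} 203.0.113.5 GET /index.html 200 5120" for i in range(20)]
    for b, ip in enumerate(("192.0.2.8", "192.0.2.9")):
        for j in range(12):
            lines.append(f"{1005.0 + j * 0.5 + b * 0.1:.1f} {ip} GET /files/big.iso 200 52428800")
    return lines


if __name__ == "__main__":
    recs = parse_log(sample_log())
    for (ip, path), t in find_large_file_repeaters(recs).items():
        print(f"flagged {ip} for repeated {path} at t={t}")
    served, dropped = throttle(recs, rate=2_000_000, burst=120_000_000)
    print("served:", served, "dropped:", dropped)
```

Measuring the bucket in bytes rather than requests is what lets the throttle stay out of the way of the ordinary visitor: twenty small page loads cost almost nothing, while each bot gets two copies of the large file and then has every further request dropped until its bucket refills.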
Douligeris, C., & Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 643-666.
Goldman, D. (2012, September 28). CNNMoney. Retrieved from http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html
Mirkovic, J., & Reiher, P. (2004). A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. ACM.
Peng, T., Leckie, C., & Ramamohanarao, K. (2007). Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems. ACM Computing Surveys, 1-42.