DENIAL OF SERVICE ATTACKS
Brent Muir and Simon Weiss
Queensland University of Technology, Brisbane
2009
Muir and Weiss Denial of Service Attacks 2009 - I -
ABSTRACT
This report details various security vulnerabilities facing organisations that are
connected to the Internet. It focuses primarily on Denial of Service (DoS)
attacks, providing an understanding of how these types of attacks are carried
out and outlines the current technological resources available to provide
countermeasures to DoS attacks. The recommendations provided at the end of
the report allow organisations to gain the ability to minimise the harmful impact
that DoS attacks can inflict upon their business.
ABOUT THE AUTHORS
BRENT MUIR
Brent Muir is an information security professional working in Australasia. His
interests include digital forensics, malware analysis and privacy. He is the co-
founder of the Digital Forensics Focus Group, a sub-chapter of the Australian
Information Security Association. To find out more about Brent’s research, or to
contact him, check out his LinkedIn profile, https://au.linkedin.com/in/brentmuir/.
SIMON WEISS
Simon Weiss is research assistant and doctoral student at the Institute of
Information Management at the University of St. Gallen, Switzerland. He works
in the area of Enterprise Architecture and Transformation Management with a
focus on mechanisms to institutionalize EAM in organizations. His professional
profile can be found at https://www.xing.com/profile/Simon_Weiss7.
TABLE OF CONTENTS
Abstract  I
Table of contents  III
List of figures  IV
List of tables  IV
List of abbreviations  IV
1 Introduction  5
2 Vulnerabilities in general  2
2.1 Software vulnerabilities  2
2.2 Social engineering  3
3 Denial of Service and Distributed Denial of Service  5
3.1 Overview  5
3.2 Exploitations  8
3.3 Results of an attack  10
3.4 Example: DDoS attack on Estonia in 2007  13
3.5 Countermeasures and prevention  16
4 Conclusion  20
5 Recommendations  22
Reference List  23
Appendix  30
A Details of DDoS attack against Estonia  30
LIST OF FIGURES
Fig. 3.1: A traffic superflow by DDoS flooding attacks launched from a large number of zombies toward a common victim host  7
Fig. 3.2: Russian DDoS Attack advertisement  15
LIST OF TABLES
Tab. 5.1: Attack on Estonia: Targeted destinations  30
Tab. 5.2: Attack on Estonia: Attack dates  30
Tab. 5.3: Attack on Estonia: Attack durations  31
Tab. 5.4: Attack on Estonia: Attack bandwidths  31
LIST OF ABBREVIATIONS
CERT Computer Emergency Response Team
DDoS Distributed Denial of Service
DoS Denial of Service
FIRST Forum for Incident Response and Security Teams
FSB Federal Security Service
ICMP Internet Control Message Protocol
IP Internet Protocol
ISP Internet Service Provider
NATO North Atlantic Treaty Organisation
TCP Transmission Control Protocol
TERENA Trans-European Research and Education Networking Association
UDP User Datagram Protocol
1 INTRODUCTION
Computers and networks are an important part of the information systems of modern organisations. Many, if not all, services depend on certain parts of these systems. This trend will continue as computer systems become even more complex and capable of supporting us in more and more aspects of our work. However, as soon as a network is connected to the Internet, it becomes vulnerable to various threats and cyber attacks. For instance, about 50 new software vulnerabilities are discovered or announced each week, and the amount of spam, viruses and exploits continues to increase.[1] The danger of compromised security goals like confidentiality, integrity and availability is imminent. Consequently, there is no better time to deal with vulnerabilities and their countermeasures.
This work aims at clarifying the threat of Denial of Service attacks, which are an increasingly prevalent method of compromising the availability of online services. In the case of distributed DoS (DDoS), such an attack is even more difficult to prevent and fight. We will examine what DoS attacks are, how they are orchestrated, the results of such attacks, and which countermeasures can be applied.
Chapter 2 will first of all elaborate on vulnerabilities in general. The two major aspects discussed are software vulnerabilities (section 2.1) and social engineering (section 2.2). After this, (D)DoS will be examined in more detail (see chapter 3). Subsequent to an overview, we will explain exploitations (section 3.2) and results (section 3.3), and examine a well-documented example of a massive DDoS attack against Estonia in 2007, which represents a typical DDoS scenario (section 3.4). Lastly, we will conclude this work by presenting the countermeasures currently available to help prevent DoS attacks (section 3.5).
[1] See Bradley (2006, p 56)
2 VULNERABILITIES IN GENERAL
2.1 SOFTWARE VULNERABILITIES
The amount of software used in a corporate network is immense, and it is increasingly exploited by crackers. Today, a wide range of opportunities to gain unauthorised access to computers or confidential data by exploiting software vulnerabilities is at hand.
In general, the more widely distributed a particular piece of software is, the more attackers are attracted to finding and exploiting vulnerabilities in it. Hence, the most affected software in the past was the Microsoft Windows 2000 and XP operating systems (including Internet Explorer) and the Microsoft Office suites. Recently, more and more cross-platform (third-party) software, e.g. software embedded into a range of browsers, has come into the focus of attackers. Adobe’s Flash Player[2] and PDF Reader are prominent examples; Adobe Reader had such critical vulnerabilities that the anti-virus manufacturer F-Secure even recommended not using Adobe Reader at all until the vulnerability was fixed.[3]
According to Microsoft’s biannual Security Intelligence Report (2008), the overall amount of malware and critical vulnerabilities increased again. “According to the report, 48% of all security vulnerabilities must be classified critical”, meaning that serious harm may result.[4]
Viruses, worms, malware, Trojans, rootkits and backdoors are the names of some of the most common techniques used to affect a system and compromise security goals in one way or another. According to the 2008 E-Threats Landscape Report of BitDefender, Trojans led the list of worldwide malware threats with a share of more than 80%.[5]
[2] See iDefense Labs (2009)
[3] See heise Security (2009)
[4] BürgerCERT (2008)
In consequence of the aforementioned situation, the most crucial thing is to install security updates regularly. By far the most attacks rely on vulnerabilities in unpatched systems, whether the threat is directly induced by being connected to the Internet or is due to weaknesses of an application. A common procedure for the former is for crackers[6] to scan, e.g., an IP address range for a certain open port of an application and then attempt to exploit a (possibly new) vulnerability on the responding hosts. Many cases also exist for the latter, in the form of prepared documents (e.g. for MS Word) that are processed incorrectly and consequently allow the execution of arbitrary code. Besides patching, a lot of other measures should be put in place to comply with stated security goals. Interesting real-time statistics about current attacks, viruses and a “Threat Index” can for instance be found on the Arbor website.[7]
2.2 SOCIAL ENGINEERING
Social engineering deals with vulnerabilities of the human part of an information system that are exploited to gain access to information assets.
Most of these weaknesses are based on human indiscretion or ignorance. For the former, the statistics on lost and stolen laptops speak volumes: laptop theft accounted for 50% of reported security attacks.[8] Lost or stolen laptops and mobile devices are the most frequent cause of a data breach, accounting for 49% of data breaches in 2007.[9] And last but not least: 12,000 laptops are lost in U.S. airports each week, and two-thirds are never returned.[10]
These facts clearly indicate that employees’ awareness of data security and cyber threats in general is in need of improvement.
[5] See BitDefender (2009)
[6] The term cracker is used in this work to denote a person who wants to harm computer systems. The more common term ’hacker’ denotes a person with in-depth computer skills. Hence, a cracker is an ’evil hacker’.
[7] See http://atlas.arbor.net/
[8] See AbsoluteSoftware (2009) according to Richardson (2007)
An increasingly used method to obtain all sorts of user data related to the use of e-mail and the web is phishing. In phishing, users are tricked with a web site that looks the same as the service provider’s original one. Recent phishing attempts targeted, for instance, the Internal Revenue Service to glean sensitive data from U.S. taxpayers, but users of social networks like MySpace and of the file hoster RapidShare were targeted as well.[11]
Another aspect of social engineering is industrial espionage or any other form of disclosure of confidential information by employees. This may happen deliberately but also accidentally. Appropriate trust systems and policies need to be put in place in order to prevent such breaches of security goals. This comprises, for instance, a strong password and user rights policy. However, no system can ever be 100% secure.
[9] See AbsoluteSoftware (2009) according to Ponemon Institute (2007)
[10] See AbsoluteSoftware (2009) according to Dell & Ponemon Institute (2008)
[11] See Wikipedia (2009a)
3 DENIAL OF SERVICE AND DISTRIBUTED DENIAL OF SERVICE
3.1 OVERVIEW
As discussed previously, computers attached to the Internet are susceptible to many vulnerabilities, including Denial of Service (DoS) attacks. For the remainder of this report, DoS vulnerabilities and their bigger brother, Distributed Denial of Service (DDoS), will be discussed in more detail. Firstly, an overview of DoS and DDoS will be given. Next, the specific exploitations available in these attacks will be examined. After this, the possible results of these types of attacks will be discussed, including further analysis of three real-world examples. Lastly, the countermeasures available to users and businesses alike will be examined to give appropriate responses to these threats.
Denial of Service (DoS) attacks are generally regarded as “an explicit attempt of attackers to prevent legitimate users from gaining a normal network service”.[12] This means that a user trying to reach a website that is under attack by DoS would not be able to make a connection. Not all DoS attacks are carried out solely over the Internet, and CERT further breaks down the definition of DoS into four categories:[13]
- attempts to "flood" a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person
[12] Wang et al., 2007: 3565
[13] CERT, 2001
The number of DoS attacks has been rising steadily; Carl et al. found that there were over 12,000 attacks over a three-week period in 2001.[14] There has been a shift away from DoS to DDoS in recent years, and Messmer notes that:[15]
Distributed DoS attacks are now reaching 42Gbps in sustained intensity, up from 24Gbps last year and just 17Gbps the year prior to that, according to Arbor Networks' annual survey of ISPs from North America, Europe and Asia.
The simplest form of DoS is the result of a weakness that has existed in the IP protocol ever since the “internet” was developed. ‘‘The weakness in this scheme (the IP protocol) is that the source host itself fills in the IP source host id, and there is no provision to discover the true origin of the packet’’.[16] This weakness allows for SYN-flooding attacks:[17]
In SYN-flooding attacks, attackers initiate many SYN requests without sending ACK packets. This exhausts the server’s half-open waiting queue and thus blocks a legitimate client’s request from being serviced.
The reason this type of attack is so effective is that once the network is flooded with a large volume of data, the network’s resources are strained, for example the process control blocks and the maximum allowed connections. “In particular, DoS attacks may disrupt the normal operation of physical components in the network, and may also manipulate data in transit such as encrypted data”.[18] Carl explains that it is not only network resources that are susceptible to DoS attacks, but also “CPU processing cycles”. “When any resources form a bottleneck, system performance degrades or stops, impeding legitimate system use”.[19]
[14] Carl et al., 2006: 82
[15] Messmer, 2008
[16] Morris in Glenebe and Loukas, 2007: 1299
[17] Wang and Reiter, 2008: 244
[18] Wang et al., 2007: 3565
Distributed Denial of Service (DDoS) attacks occur when multiple hosts “are employed to coordinate an attack by flooding a victim with a barrage of attack packets”.[20] Glenebe and Loukas give a detailed definition for DDoS:[21]
The attacker takes control of a large number of lightly protected computers (e.g., without firewall and up-to-date antivirus software) and orders them to send simultaneously a large number of packets to a specific target. The attacker exploits the weakness of IP by faking their source IP address (‘‘IP spoofing’’). As a result, some routers and links in the vicinity of the target are overwhelmed, and a number of legitimate clients cannot connect to it anymore.
The process of DDoS is demonstrated in Fig. 3.1, below.
Fig. 3.1: A traffic superflow by DDoS flooding attacks launched from a large number of zombies toward a common victim host [22]
[19] Carl et al., 2006: 82
[20] Wang et al., 2007: 3565
[21] Glenebe and Loukas, 2007: 1299
[22] Chen et al., 2007: 1650
As Carl explains, "in a DDoS attack, the assault is coordinated across many hijacked systems (zombies) by a single attacker (master)”.[23]
The reason that these types of attacks are prevalent is that there is no easy solution to mitigating the risks associated with DDoS; in fact, “CERT... found no simple fix or patch” to this problem.[24]
3.2 EXPLOITATIONS
There are numerous methods available for conducting DoS attacks, and CERT breaks down these vulnerabilities into three basic types of attack:[25]
- consumption of scarce, limited, or non-renewable resources
- destruction or alteration of configuration information
- physical destruction or alteration of network components
In the first category, consumption of scarce resources, exploitations exist in the various protocols used to communicate over the Internet, for example TCP and UDP. As previously stated, SYN flooding is a commonly exploited method for conducting DoS:[26]
SYN flooding attacks exploit network vulnerabilities with respect to the TCP protocol, where the three-way handshake algorithm is used. In general, the arrival of SYN packets contains two types: the regular request packets and the attack packets that request for connections. A large number of SYN packets are always sent to a victim for pretending to make connections with the victim. However, the victim can hardly differentiate the attack packets from the regular request packets, and therefore it has to respond by sending back the SYN/ACK packets.
[23] Carl et al., 2006: 82
[24] Hancock, 2000: 6
[25] CERT, 2001
[26] Wang et al., 2007: 3566
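To make the half-open queue exhaustion described in the two SYN-flooding passages above concrete, here is a small simulation added for this report (it is not the authors' code and not a real TCP stack): a server backlog model is fed a constructed trace of legitimate handshakes interleaved with spoofed SYNs that are never acknowledged. Addresses are constructed from the RFC 5737 documentation ranges; the 128-entry backlog and 60 s timeout are assumed values.

```python
"""Simplified model of a TCP server's half-open (SYN-RECEIVED) queue under a
SYN flood. Written as an illustration for this report; it is not a real TCP
stack. All addresses are constructed from RFC 5737 documentation ranges."""
from dataclasses import dataclass, field


@dataclass
class HalfOpenQueue:
    """Server-side queue of connections waiting for the handshake's final ACK.

    A SYN reserves a slot (the server answers SYN/ACK) until the client's ACK
    arrives or the slot times out. While the queue is full, new SYNs are
    refused, which is exactly the effect a SYN flood aims for."""
    capacity: int                     # backlog size (assumed: 128 entries)
    timeout: float                    # seconds a half-open entry is kept
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> SYN time
    refused_legit: int = 0            # legitimate clients turned away
    completed: int = 0                # handshakes that finished

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def on_syn(self, key: tuple, now: float, legit: bool) -> bool:
        """Return True if the SYN gets a slot (server would send SYN/ACK)."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            if legit:
                self.refused_legit += 1
            return False
        self.pending[key] = now
        return True

    def on_ack(self, key: tuple, now: float) -> bool:
        """Final ACK of the handshake: the connection leaves the queue."""
        self._expire(now)
        if key in self.pending:
            del self.pending[key]
            self.completed += 1
            return True
        return False


def build_trace(flood_rate: int) -> list:
    """Constructed trace: 20 legitimate clients (192.0.2.0/24), each sending
    its ACK 50 ms after its SYN, interleaved with `flood_rate` spoofed SYNs
    per second (203.0.113.0/24) for 3 seconds that are never acknowledged.
    Each event is (time, kind, (src_ip, src_port), is_legitimate)."""
    events = []
    for i in range(20):
        t = 0.5 + i * 0.1
        key = (f"192.0.2.{i + 1}", 40000 + i)
        events.append((t, "SYN", key, True))
        events.append((t + 0.05, "ACK", key, True))
    for j in range(flood_rate * 3):
        key = (f"203.0.113.{j % 254 + 1}", 1024 + j)   # spoofed source, no ACK ever
        events.append((j / flood_rate, "SYN", key, False))
    events.sort(key=lambda e: e[0])                   # stable: legit first on ties
    return events


def run(flood_rate: int, capacity: int = 128, timeout: float = 60.0) -> HalfOpenQueue:
    """Feed the constructed trace through the queue and return its final state."""
    q = HalfOpenQueue(capacity=capacity, timeout=timeout)
    for now, kind, key, legit in build_trace(flood_rate):
        if kind == "SYN":
            q.on_syn(key, now, legit)
        else:
            q.on_ack(key, now)
    return q


def half_open_ratio(q: HalfOpenQueue) -> float:
    """Defender's metric: half-open entries per completed handshake. Normal
    traffic keeps this near zero; a flood drives it far above any baseline,
    the kind of deviation an anomaly-based detector can alarm on."""
    return len(q.pending) / max(q.completed, 1)


if __name__ == "__main__":
    for rate in (0, 100, 1000):
        q = run(rate)
        print(f"flood={rate:4d} SYN/s  completed={q.completed:2d}  "
              f"legit refused={q.refused_legit:2d}  half-open={len(q.pending):3d}  "
              f"ratio={half_open_ratio(q):.1f}")
```

With no flood all 20 clients connect; at 1000 spoofed SYNs per second the backlog is full after 128 ms and every legitimate client is refused, although the attacker never completes a single connection.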
CERT explains that UDP packets can also be used as an exploit to carry out a DoS attack from intruders within your own network:[27]
The intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.
Another method of exploitation of UDP packets is “created when the attacker sends UDP packets to random ports on the target”.[28]
These types of exploitations all target bandwidth consumption on networked computers, but computers are not the only devices susceptible to DoS attacks. A DoS exploit has recently been identified in the iPhone. This is an application-level DoS which results in crashing the Safari browser and which has been speculated to be able to crash the whole device.[29]
Another method of DoS is achieved by utilising e-mail messages:[30]
An attacker can use spam email messages to launch a similar attack on your email account. Whether you have an email account supplied by your employer or one available through a free service such as Yahoo or Hotmail, you are assigned a specific quota, which limits the amount of data you can have in your account at any given time. By sending many, or large, email messages to the account, an attacker can consume your quota, preventing you from receiving legitimate messages.
The second and third categories, the destruction or alteration of configuration information and the physical destruction or alteration of network components, can result in permanent damage to equipment. For example, Higgins identifies an exploitation that exists in the firmware of network-enabled routers and states that these systems are “susceptible to a remote, permanent DoS attack, called "phlashing", known as Permanent DoS (PDoS)”.[31]
[27] CERT, 2001
[28] Cabrera et al., 2002: 242
[29] Wireless News, 2008
[30] McDowell, 2004
3.3 RESULTS OF AN ATTACK
Before going into the specific examples in greater detail, it is important to highlight the numerous negative outcomes attributed to DoS attacks. By looking at the information security goals we can break down these results into three categories: confidentiality, integrity and availability. It is also important to examine the possible motives behind the attacks: financial gain, publicity and political motivation. As Glenebe and Loukas state, “DoS attacks have reportedly been used against Business competitors, for extortion purposes, for political reasons, and even as a form of ‘‘legitimate’’ protest”.[32]
CONFIDENTIALITY
Confidentiality of information is an important information security goal that is not usually affected by DoS attacks.
INTEGRITY
The integrity of an organisation’s network resources is an important issue for many businesses. DoS attacks can compromise this information security goal by tampering with network resources and equipment. Leyden cites an example where an online payment system was targeted by a DoS attack, with the organisation involved hoping that the “customer data remains secure”.[33]
[31] Higgins, 2008: 20
[32] Glenebe and Loukas, 2007: 1300
AVAILABILITY
Schwartau states that the “first large-scale media-grabbing DOS attack in the US struck Panix, a New York based ISP in September of 1996”.[34] Attacking an ISP is a direct threat to the availability of a network’s resources and is a good example of what can happen to this information security goal. The availability of network resources is a security goal that many organisations rely on to conduct business, yet it is a challenge which many websites cannot keep up with; Lemos explains that many of the attacks produce more than a gigabit of junk data every second.[35] Edwards notes that at the pinnacle of a DoS attack a certain web site was struck by 488 attacks, each lasting up to 1.8 hours.[36] Messmer cites statistics regarding the mitigation of detected DoS attacks within organisations:[37]
Fifteen percent of respondents said it typically took 15 minutes or less to mitigate an attack. Another 15% said it took less than 20 minutes, and 14% said it took less than 30 minutes. It took an hour for 26% of respondents, and 30% typically needed more than an hour to mitigate a distributed DoS attack, even after it had been detected.
FINANCIAL GAIN
One of the main motivations for DoS attacks is financial gain, either via bringing down a competitor’s website/business or via extortion/blackmail at the hands of the attackers. Carl notes that within the 2004 CSI/FBI Computer Crime and Security Survey, DoS attacks were listed as being amongst the most financially expensive security incidents.[38] Glenebe and Loukas cite a case in the United States where a “corporate executive in Massachusetts was charged with using DoS attacks to cause a total of $2 billion in losses to three of his main competitors”.[39] Leyden notes that many DoS attacks have been linked to extortion attempts.[40]
[33] Leyden, 2004
[34] Schwartau, 1999: 125
[35] Lemos, 2007
[36] Edwards, 2008
[37] Messmer, 2008
[38] Carl et al., 2006: 82
PUBLICITY
Publicity is sometimes the goal of a DoS attack. Many times the instigator is just looking for bragging rights amongst other hackers.[41]
POLITICAL MOTIVATION
As explained in greater detail below, political motivation is often the reason behind a DoS attack.
[39] Glenebe and Loukas, 2007: 1300
[40] Leyden, 2004
[41] Chen et al., 2004; Carl et al., 2006
3.4 EXAMPLE: DDOS ATTACK ON ESTONIA IN 2007
Overview and background
From the 27th of April until the 18th of May, Estonia, a known Internet pioneer, was the victim of probably the biggest DDoS attack ever.[42] The generally strained relationship between Estonians and Russians escalated into a cyber-war after the removal of the Red Army monument "Bronze Soldier" from a central place in Tallinn to a military cemetery (on the 27th). While the monument is generally supposed to commemorate those who fell in WW2, for Russians it is also a symbol of the defeat of Nazi Germany. For most Estonians, however, it is rather a reminder of the more than four decades during which the Soviets occupied the nation.[43] After the removal, a lot of demonstrations and protests followed, the Estonian embassy in Moscow was besieged, and a 19-year-old Russian demonstrator died.
[42] At least, ever against one country. See Wikipedia (2009b)
[43] See Lemos (2007)
Attack details
According to Nazario from Arbor Networks, 128 unique DDoS attacks on Estonian websites were registered. “Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others.”[44] Also, some attacks were low-skill “script kiddie” attacks, whereas others were complex botnet attacks. Governmental and bank sites were the primary targets, but web sites of other politicians and parties, the police, newspapers, a school, critical Russian media and opposition (in Russia) and even an Estonian forum for Ford tuning enthusiasts were attacked as well.[45] The attacks themselves originated from all over the world, but mainly from Russia, and peaked on the 9th of May, the Russian public holiday celebrating the victory over Hitler.
The masterminds behind these attacks have not been identified yet and probably never will be. The Kremlin and Russia’s secret service (FSB) were (not only for this attack) accused of being behind the attacks,[46] but despite some indications there was (of course) no ultimate proof, and Estonia eventually softened its accusations against Russia.[47] It is only fairly certain that a lot of excited, patriotic or angry Russians contributed; from 10-year-old kids up to organised hacker crews that advertise and even offer their services on the web (see Fig. 3.2).
[44] See Appendix A, Details of DDoS attack against Estonia, for detailed statistics.
[45] See Rötzer (2007), Lischka (2007)
[46] See e.g. Rötzer (2007)
[47] However, it is likely that Moscow at least “tolerates such attacks”. See Lischka (2007), Warner (2007)
Fig. 3.2: Russian DDoS Attack advertisement [48]
Consequences
The result of the attack was that a lot of websites were not available: e-government services were out of order, as were credit card services, online banking, news services and the e-mail systems of the parliament, and some defacement took place as well. However, no blackmailing, theft of data or attack on very critical governmental infrastructure was recorded, so the main security goal compromised was availability.[49]
The Estonian providers reacted by setting additional firewall DROP rules, applying traffic shaping and putting websites into text-only mode. Estonia also requested help from NATO, the Trans-European Research and Education Networking Association (TERENA) and e.g. the Forum for Incident Response and Security Teams (FIRST).
In 2008, Estonia obtained the NATO Centre of Excellence for Cyber Defence and a research centre with an advisory purpose.
[48] F-Secure Weblog (2007)
[49] See Tittelbach (2008)
Bottom line
The attack on Estonia is a typical example of DDoS with different types of flooding and spamming from distinct and probably spoofed locations. (D)DoS and spam attacks (spam can be regarded as a type of DoS as well) have become more popular during the last years, which fits the aforementioned fact that Trojans are the leading malware threat, because Trojans are, among other things, used for such attacks.
A similar politically motivated attack was launched against Georgia weeks before the war between Russia and Georgia began. The attack was much smaller than the one against Estonia, though. However, (D)DoS attacks are launched in almost every country against all sorts of service providers. This comprises online game providers, news websites, anti-spam organisations, private companies and many more.[50]
3.5 COUNTERMEASURES AND PREVENTION
As DoS attacks vary in motivation and in methodology, preventing these attacks is not simply a matter of installing one piece of hardware or one piece of software. The variance found in DoS attacks actually weakens the countermeasures currently available. The most common methods of protection against DoS attacks will be discussed, including some proposed future strategies. Methods discussed include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), DoS mitigation services, and packet filtering.
[50] See Wikipedia (2009b)
Rather than being a reactive method for countering DoS attacks, an IDS works in real time to assess the network traffic coming into an organisation and blocks any traffic that is deemed to be malicious.
By spotting telltale deviations in traffic flow, an IDS can warn the network administrator in advance and give him or her time to take actions, such as switching to an emergency block of IP addresses with a separate route for critical servers.[51]
There are two detection methods utilised in IDS: signature-based and anomaly-based. In signature-based detection the IDS matches traffic to known malicious traffic and blocks it, whereas in anomaly-based detection the IDS is “trained” to recognise known good traffic. “In anomaly-based detection, the system recognises a deviation from the standard behaviour of its clients, while in the latter it tries to identify the characteristics of known attack types”.[52]
One of the major issues with IDS is that it produces a large number of false positives. This means that the IDS may often block network traffic that is harmless, and in the case of many organisations this may affect revenue. “IDSs are plagued by high rates of false alarm; explainable in part by the base rate fallacy of classical statistics, a result of the rarity of attacks in comparison to normal activity”.[53] Another issue with IDS is that it relies on being taught to recognise good behaviour, which often takes a long time to establish. As Edwards states, “an IDS can help an organisation identify the start of a DoS attack”.[54]
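An added illustration (not the authors' code and not a real IDS) of the anomaly-based approach and of the base-rate fallacy quoted above: a threshold is learned from known-good per-second SYN counts, applied to a constructed day of traffic containing a handful of attack seconds, and the share of alarms that are real attacks is computed alongside the Bayesian formula behind the fallacy. The traffic is constructed with a seeded generator; the normal and attack rate parameters are assumptions.

```python
"""Anomaly-based detection and the base-rate fallacy, illustrated.
Added for this report; not the authors' code and not a real IDS. All traffic
counts are constructed with a seeded pseudo-random generator."""
import random
import statistics


def train_baseline(normal_counts, k: float = 3.0) -> float:
    """Anomaly-based detection learns 'known good' traffic: here as a threshold
    of mean + k standard deviations over per-second SYN counts."""
    mu = statistics.fmean(normal_counts)
    sd = statistics.pstdev(normal_counts)
    return mu + k * sd


def evaluate(windows, threshold: float) -> dict:
    """windows: iterable of (syn_count, is_attack). Returns the detector's
    confusion counts at the given threshold."""
    tp = fp = fn = tn = 0
    for count, is_attack in windows:
        alarm = count > threshold
        if alarm and is_attack:
            tp += 1
        elif alarm:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def alarm_precision(tpr: float, fpr: float, prevalence: float) -> float:
    """Bayes' rule: P(attack | alarm) = TPR*p / (TPR*p + FPR*(1-p)).
    When attacks are rare (small p) this stays low even for a detector with a
    tiny false-positive rate: the base-rate fallacy Cabrera et al. refer to."""
    hit = tpr * prevalence
    false_alarm = fpr * (1.0 - prevalence)
    total = hit + false_alarm
    return hit / total if total else 0.0


def make_traffic(n_windows: int, n_attacks: int, seed: int = 7) -> list:
    """Constructed per-second SYN counts: normal seconds ~N(45, 10) (assumed
    baseline), attack seconds ~N(400, 50); n_attacks of the seconds are attacks."""
    rng = random.Random(seed)
    attack_slots = set(rng.sample(range(n_windows), n_attacks))
    windows = []
    for i in range(n_windows):
        if i in attack_slots:
            windows.append((int(rng.gauss(400, 50)), True))
        else:
            windows.append((max(0, int(rng.gauss(45, 10))), False))
    return windows


def demo(seconds_per_day: int = 86400, attack_seconds: int = 10) -> dict:
    """Train on one clean constructed hour, then evaluate one constructed day."""
    training = [c for c, _ in make_traffic(3600, 0, seed=1)]
    threshold = train_baseline(training)
    c = evaluate(make_traffic(seconds_per_day, attack_seconds, seed=2), threshold)
    alarms = c["tp"] + c["fp"]
    return {"threshold": threshold, **c,
            "false_alarm_rate": c["fp"] / (c["fp"] + c["tn"]),
            "share_of_real_alarms": c["tp"] / alarms if alarms else 0.0}


if __name__ == "__main__":
    r = demo()
    print(f"threshold={r['threshold']:.1f}  true alarms={r['tp']}  "
          f"false alarms={r['fp']}  false-alarm rate={r['false_alarm_rate']:.4f}")
    print(f"share of alarms that are real attacks: {r['share_of_real_alarms']:.3f}")
    # Textbook numbers: 99% detection, 1% false alarms, one attack in 10,000 seconds
    print(f"P(attack | alarm) with TPR=0.99, FPR=0.01, p=1e-4: "
          f"{alarm_precision(0.99, 0.01, 1e-4):.4f}")
```

Even with a per-second false-alarm rate well under one percent, a day of normal traffic yields far more false alarms than the ten real attack seconds, so most alarms an operator sees are false; the textbook figures give a posterior of roughly 1%.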
A similar DoS countermeasure is offered through Intrusion Prevention Systems (IPS). Their success at preventing DoS attacks is noted by Edwards, who writes, “adding an IPS can help deflect some of a DoS attack's impact”.[55] An IPS usually consists of an IDS and a firewall solution that are designed “to take swift action — such as blocking specific IP addresses — whenever a traffic-flow anomaly arises”.[56] This gives network administrators the chance to instigate back-up strategies.
[51] Edwards, 2008
[52] Glenebe and Loukas, 2007: 1300
[53] Cabrera et al., 2002: 250
[54] Edwards, 2008
Many organisations want to outsource the responsibility for DoS prevention, and
this can be achieved by utilising a “DoS mitigation service”. A DoS mitigation
service protects businesses from DoS and DDoS attacks by “placing its own
servers in front of the attacked machines, filtering out bad packets and passing
genuine traffic to the organisation's servers” [57]. These mitigation services all rely on
packet filtering in one way or another. As described by Matrawy et al., “the idea is
to categorize traffic according to their... characteristics hoping that disruptive traffic
can effectively be separated from non-disruptive traffic” [58]. There are numerous
methods used for the filtration and separation of network traffic, but these often
result in performance issues (Van Oorschot et al., 2006: 188).
Ingress filtering is the most common type of packet filtering utilised to prevent DoS
attacks.
One of the first defensive measures proposed was Ingress Filtering, which is an
approach to thwart IP address spoofing by configuring routers to drop arriving
packets that arrive with IP addresses which are deemed to be outside a
predetermined “acceptable” range. In the most general sense, the
protection system either drops the attacking packets or it redirects them into a trap
for further evaluation and analysis [59].
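The drop-or-trap decision described above, as an added example that is not part of the report: a router with a customer-facing and an Internet-facing interface applies a per-interface “acceptable source” rule. The prefixes, interface names and sample packets are constructed; note that a compromised host sending from its real address (p6) passes, which is the limitation the report goes on to describe.

```python
import ipaddress

IPNet = ipaddress.ip_network

# Constructed topology (not from the report). "customer" faces the
# organisation's own network, "upstream" faces the Internet.
OWN_PREFIXES = [IPNet("203.0.113.0/24")]
BOGONS = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16"),
          IPNet("127.0.0.0/8"), IPNet("0.0.0.0/8")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def acceptable_source(iface, src):
    """Is this source address plausible on this inbound interface?"""
    src = ipaddress.ip_address(src)
    if iface == "customer":
        # Only our own prefix may originate packets here: a host inside
        # cannot spoof someone else's address outwards.
        return in_any(src, OWN_PREFIXES)
    if iface == "upstream":
        # Nobody on the Internet side legitimately claims to be us, or to
        # be a private/bogon address.
        return not in_any(src, OWN_PREFIXES) and not in_any(src, BOGONS)
    raise ValueError(f"unknown interface {iface!r}")

def ingress_filter(packets, trap=None):
    """Return {packet id: 'pass' | 'drop' | 'trap'}. With a trap list,
    rejected packets are kept for later analysis instead of discarded."""
    verdicts = {}
    for pkt in packets:
        if acceptable_source(pkt["iface"], pkt["src"]):
            verdict = "pass"
        elif trap is not None:
            trap.append(pkt)
            verdict = "trap"
        else:
            verdict = "drop"
        verdicts[pkt["id"]] = verdict
    return verdicts

# Constructed sample packets; ids are arbitrary labels.
SAMPLE = [
    {"id": "p1", "iface": "customer", "src": "203.0.113.10"},  # genuine inside host
    {"id": "p2", "iface": "customer", "src": "198.51.100.7"},  # spoofed from inside
    {"id": "p3", "iface": "upstream", "src": "198.51.100.7"},  # ordinary Internet host
    {"id": "p4", "iface": "upstream", "src": "203.0.113.10"},  # outsider spoofing us
    {"id": "p5", "iface": "upstream", "src": "192.168.1.5"},   # bogon source
    {"id": "p6", "iface": "upstream", "src": "192.0.2.77"},    # zombie, real address: passes
]

if __name__ == "__main__":
    trapped = []
    print(ingress_filter(SAMPLE, trapped))
    print(f"{len(trapped)} packets held for analysis")
```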
One of the major benefits of ingress filtering is that it is relatively cheap to employ.
Unfortunately this type of filtering is “designed to defend against attacks involving
spoofed IP addresses and therefore is less effective when adversaries can use
(many) zombies’ authentic IP source addresses” [60]. Another method of filtering
utilises “change-point detection algorithms”. This filtering technique isolates any
changes located in the network traffic's statistics [61].
[55] Edwards, 2008
[56] Edwards, 2008
[57] Edwards, 2008
[58] Matrawy et al., in Van Oorschot et al., 2006: 188
[59] Gelenbe and Loukas, 2007: 1300
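An added example of change-point detection on a traffic statistic (not code from the report or from Carl et al.): a one-sided CUSUM over per-second SYN counts, with the allowance k and threshold h derived from an assumed attack-free training window. The SYN counts are constructed.

```python
import statistics

# Constructed per-second SYN-packet counts (not measured data): a quiet
# baseline followed by the abrupt step a flood produces.
SYN_PER_SECOND = [21, 19, 23, 18, 22, 20, 24, 19, 21, 20,
                  22, 18, 20, 23, 19, 21, 20, 22, 19, 21,
                  180, 210, 195, 205, 220, 198, 215, 207, 199, 210]

def cusum_change_point(series, train=10, k=None, h=None):
    """One-sided CUSUM over a traffic statistic.

    S_t = max(0, S_{t-1} + (x_t - mu - k)); a change is declared at the
    first t with S_t > h. mu is the mean of the first `train` samples,
    which are assumed attack-free; k (allowance) and h (threshold) default
    to 0.5 and 5 baseline standard deviations. Returns (t, S_t) or None.
    """
    if len(series) <= train:
        raise ValueError("need more samples than the training window")
    base = series[:train]
    mu = statistics.mean(base)
    sigma = statistics.pstdev(base) or 1.0      # guard against a flat baseline
    k = 0.5 * sigma if k is None else k
    h = 5.0 * sigma if h is None else h
    s = 0.0
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))          # small wobbles decay back to 0
        if s > h:
            return t, s
    return None

def estimate_shift(series, t, train=10):
    """Size of the change: mean after the change point minus the baseline mean."""
    return statistics.mean(series[t:]) - statistics.mean(series[:train])

if __name__ == "__main__":
    hit = cusum_change_point(SYN_PER_SECOND)
    if hit:
        t, s = hit
        shift = estimate_shift(SYN_PER_SECOND, t)
        print(f"change at second {t}, CUSUM={s:.1f}, shift of about {shift:.0f} SYN/s")
```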
More advanced methods of DoS prevention have been developed, including the
use of multi-layer puzzle-based architectures and cryptographic web connection
authentication. Wang and Reiter describe puzzle-based DoS architecture as
embedding “puzzle techniques into both end-to-end and IP-layer services” [62].
In this approach, a client solves a computational “puzzle” for requesting service
before the server commits resources, thereby imposing a massive computational
burden on adversaries bent on generating legitimate service requests to consume
substantial server resources [63].
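The puzzle exchange described above, as an added example (not code from the report or from Wang and Reiter): the server issues a hash-reversal puzzle whose nonce is an HMAC over client, timestamp and salt, so it keeps no per-client state, and verifies a solution with one HMAC and one SHA-256 while the client must spend about 2^bits hashes. The difficulty, time-to-live and client names are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

def leading_zero_bits(digest):
    """Number of leading zero bits in a hash output."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(nonce, x):
    return hashlib.sha256(nonce + struct.pack(">Q", x)).digest()

class PuzzleServer:
    """Issues puzzles before committing resources to a request."""

    def __init__(self, difficulty_bits=12, ttl_seconds=60):
        self.secret = os.urandom(32)
        self.bits = difficulty_bits          # never trusted from the client
        self.ttl = ttl_seconds
        self.used = set()                    # redeemed nonces (replay guard)

    def _nonce(self, client, ts, salt):
        msg = client.encode() + ts.to_bytes(8, "big") + salt
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, client, now=None):
        ts = int(time.time()) if now is None else now
        salt = os.urandom(8)
        return {"nonce": self._nonce(client, ts, salt), "ts": ts,
                "salt": salt, "bits": self.bits}

    def verify(self, client, puzzle, x, now=None):
        """Cheap check: one HMAC plus one SHA-256, whatever the difficulty."""
        cur = int(time.time()) if now is None else now
        if not 0 <= cur - puzzle["ts"] <= self.ttl:
            return False                                   # expired
        expected = self._nonce(client, puzzle["ts"], puzzle["salt"])
        if not hmac.compare_digest(expected, puzzle["nonce"]):
            return False                                   # not one we issued to this client
        if puzzle["nonce"] in self.used:
            return False                                   # solution replayed
        if leading_zero_bits(puzzle_hash(puzzle["nonce"], x)) < self.bits:
            return False                                   # wrong answer
        self.used.add(puzzle["nonce"])
        return True

def solve(puzzle):
    """Client side: brute force x; about 2**bits hashes on average.
    Returns (solution, hashes tried)."""
    x = 0
    while leading_zero_bits(puzzle_hash(puzzle["nonce"], x)) < puzzle["bits"]:
        x += 1
    return x, x + 1

if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=12)
    p = server.issue("client-A", now=1000)
    x, tried = solve(p)
    print(f"solved in {tried} hashes; accepted={server.verify('client-A', p, x, now=1000)}")
```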
Cryptographic web connection authentication systems have been proposed to
protect web servers from TCP SYN attacks where the IP address has been
spoofed [64].
This method drops the first TCP SYN packet from the sender and sends back an
HTTP redirection with two Message Authentication Code (MAC) keys. The first
MAC is encoded with the pseudo-IP address of the redirected web site and the
port number pair. The second MAC is encoded with the source IP address of the
client and the port number pair. The second MAC is sent in the TCP sequence
number of the TCP SYN cookie. Future packets with the correct MAC keys will pass
through perimeter routers and the ones without will be filtered out [65].
[60] Wang and Reiter, 2008: 244
[61] Carl et al., 2006: 84-85
[62] Wang and Reiter, 2008: 243
[63] Wang and Reiter, 2008: 243-244
[64] Xu and Lee, in Chen et al., 2004: 670
[65] Chen et al., 2004: 670
Carl states that “techniques that detect DoS also apply to DDoS” [66]. Yet Wang and
Reiter note that “existing DDoS tools are carefully designed not to disrupt the
zombie computers, so as to avoid alerting the machine owners of their
presence” [67]. This demonstrates another benefit of utilising puzzle-based DoS
architecture, as the extra use of computing resources on a zombie machine “may
alert the owner to the attacker’s use of this machine and motivate the owner to
stop the attack” [68].
The issue with the majority of currently utilised DoS prevention techniques is that
these defence mechanisms are relatively passive in nature; as Wang and Reiter
state, “it is the sole responsibility of the defender to detect and filter denials-of-service,
while the attacker is spared any penalty for squandering server resources”
(Wang and Reiter, 2008: 243).
[66] Carl et al., 2006: 82
[67] Wang and Reiter, 2008: 245
[68] Wang and Reiter, 2008: 245
CONCLUSION
This work shows that many serious cyber threats exist when connected to the
Internet. A lot of these threats have the potential to cause serious harm by
compromising security goals, and (D)DoS attacks in particular cannot be fully
protected against.
In chapter 2, we discussed software vulnerabilities and social engineering. The
important insight here is that exploits and threats are still growing and that attacks
become more and more sophisticated and tricky. In order not to become a victim,
one should take these threats seriously and put basic measures in place, such as
patching and updating, anti-virus programs, firewalls and, last but not least, educating
employees. Guidelines like the AS/NZS ISO/IEC 27002:2006 Code of practice for
information security management can help to put appropriate policies in place [69].
Chapter 3 discussed the threat of Denial of Service (DoS) and Distributed Denial
of Service (DDoS) attacks in detail. DDoS attacks are very powerful and are able
to compromise the availability of services, and they can also be used to distract
organisations from a real hacking attack aimed at compromising other security
goals like the confidentiality and integrity of assets. The example of the DDoS attack
against Estonia shows that small, trivial causes like the relocation of a war memorial
can be enough for criminals to virtually shut down vital Internet services for weeks
and potentially even longer. It has even been stated that “since the end of the nineties, every
political crisis, every conflict, every war between nations is being accompanied in
the Web with mutual attacks by politically motivated hackers” [70].
It will be crucial for our modern Internet society to ensure that governments and
infrastructure providers work together in order to stem compromised (bot-)
networks. The introduction of new technology and software will certainly play a
major role in achieving this goal. The introduction of the IPv6 protocol may
already solve some of the current major network weaknesses [71].
[69] See Standards Australia (2006)
[70] Patalong, 2008
[71] See e.g. Pouffary (2002)
RECOMMENDATIONS
The following recommendations are suggested for any organisation that has
computers, or a network, attached to the Internet:
1. Install an Intrusion Detection System at the point of entry for the Internet
2. Install a hardware firewall at the point of entry for the Internet
3. Install and maintain antivirus software on each machine, and ensure that it is updated weekly at a minimum
4. If alternate online hosting is required, investigate Internet Service Providers that offer DoS mitigation services
REFERENCE LIST
AbsoluteSoftware (2009) Computer Theft & Recovery Statistics, URL: http://www.absolute.com/resources/computer-theft-statistics.asp (accessed 18/05/2009)
Arbor Atlas (2009) Global Dashboard, URL: http://atlas.arbor.net/
Badishi, G., Herzberg, A. and Keidar, I. (2007) IEEE Transactions on Dependable and Secure Computing, Keeping Denial-of-Service Attackers in the Dark, Volume 4, Issue 3, pp. 191-204.
BitDefender (2009) Trojaner waren im Jahr 2008 Sicherheitsbedrohung Nr. 1, URL: http://www.itseccity.de/?url=/content/virenwarnung/statistiken/090202_vir_sta_bitdefender.html (accessed 28/05/2009)
Bradley, T. (2006) Essential Computer Security, Rockland: Syngress Publishing.
BürgerCERT (2008) Aufgepasst!: Anzahl von Schädlingen und kritischen Lücken nimmt zu, URL: http://www.buerger-cert.de/newsletter_suche.aspx?param=HGf116Hsnmjdg%2b95Lx4xLSsULoURkvgpGUO3n7iKs8xI1eXl5Yo85xLSpHmHtYx%2f%2bPTfXjtKpVudkIXw6g7KXMR5BiOyaKocPMEfofMlpo61sJFK2BTqSw%253d%253d#anchor11 (accessed 28/05/2009)
Cabrera, J. B., Lewis, L., Qin, X., Lee, W. and Mehra, R.K. (2002) Journal of Network and Systems Management, Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management, Volume 10, Issue 2, pp. 225-254.
Carl, G., Kesidis, G., Brooks, R.R. and Rai, S. (2006) IEEE Computer Society, Denial-of-Service Attack-Detection Techniques, January, pp. 82-89.
CERT (2001) Denial of Service Attacks, URL: http://www.cert.org/tech_tips/denial_of_service.html (accessed 01/04/2009)
Chen, L., Longstaff, T.A. and Carley, K.M. (2004) Computers and Security, Characterization of defense mechanisms against distributed denial of service attacks, Issue 23, pp. 665-678.
Chen, Y., Hwang, K. and Ku, W. (2007) IEEE Transactions on Parallel and Distributed Systems, Collaborative Detection of DDoS Attacks over Multiple Network Domains, Volume 18, Issue 12, pp. 1649-1662.
Dell & Ponemon Institute (2008) Airport Insecurity: The Case of Missing & Lost Laptops, URL: http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf (accessed 28/05/2009)
Edwards, J. (2008) 6 Lessons from the Church of Scientology DoS Attack, URL: http://www.itsecurity.com/features/scientology-dos-attack-021108/ (accessed 01/04/2009)
Edwards, J. (2008) Network Security Journal, DoS Attacks Take Aim at Small Business, January 17th, URL: http://www.networksecurityjournal.com/features/DoS-attacks-011708/ (accessed 01/04/2009)
Edwards, J. (2008) The Rise of Botnet Infections, URL: http://www.networksecurityjournal.com/features/botnets-rising-021308/ (accessed 01/04/2009)
F-Secure (2007) Weblog 9th of May, URL: http://www.f-secure.com/weblog/archives/archive-052007.html#00001188 (accessed 28/05/2009)
Gelenbe, E. and Loukas, G. (2007) Computer Networks, A self-aware approach to denial of service defence, Issue 51, pp. 1299-1314.
Goodin, D. (2008) Radio Free Europe hit by DDoS attack, URL: http://www.securityfocus.com/news/11515 (accessed 01/04/2009)
Hancock, B. (2000) Computers and Security, Mass Network Flooding Attacks (Distributed Denial of Service - DDoS) Surface in the Wild, Volume 19, Issue 1, pp. 6-17.
Heise Security (2009) Antivirenhersteller rät vom Einsatz des Adobe Readers ab, URL: http://www.heise.de/security/Antivirenhersteller-raet-vom-Einsatz-des-Adobe-Reader-ab--/news/meldung/136535 (accessed 28/05/2009)
Higgins, K.J. (2008) Information Week, Denial Of Service 2.0, May 26, p. 20.
iDefense Labs (2009) Adobe Flash Player Invalid Object Reference Vulnerability, URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773 (accessed 28/05/2009)
IT Security Staff (2007) Dive Into Intrusion Detection, URL: http://www.itsecurity.com/features/intrusion-detection-030807/ (accessed 01/04/2009)
Kawamoto, D. (2009) GoGrid hit with DDoS attack, affects half its customers, URL: http://news.cnet.com/8301-1009_3-10208732-83.html?tag=mncol;title (accessed 01/04/2009)
Kretkowski, P.D. (2007) The 10 Worst Virus Attacks of All Time, URL: http://www.itsecurity.com/features/10-worst-virus-attacks-111207/ (accessed 01/04/2009)
Kretkowski, P.D. (2007) Top 10 U.S. Government Web Break-ins of All Time, URL: http://www.networksecurityjournal.com/features/top-government-breakins-031906/ (accessed 01/04/2009)
Lemos, R. (2007) Estonia gets respite from Web attacks, URL: http://www.securityfocus.com/brief/504 (accessed 28/05/2009)
Lemos, R. (2007) Peer-to-peer networks co-opted for DOS attacks, URL: http://www.securityfocus.com/news/11466 (accessed 01/04/2009)
Leyden, J. (2004) WorldPay struggles under DDoS attack (again), URL: http://www.securityfocus.com/news/9632 (accessed 01/04/2009)
Leyden, J. (2008) Estonia fines man for DDoS attacks, URL: http://www.securityfocus.com/news/11503 (accessed 01/04/2009)
Li, J., Li, N., Wang, X. and Yu, T. (2009) International Journal of Information Security, Denial of service attacks and defenses in decentralized trust management, Issue 8, pp. 89-101.
Lischka, K. (2007) Estland schwächt Vorwürfe gegen Russland ab, URL: http://www.spiegel.de/netzwelt/web/0,1518,483583,00.html (accessed 28/05/2009)
Macia-Fernandez, G., Diaz-Verdejo, J.E. and Garcia-Teodoro, P. (2008) Computers and Security, Evaluation of a low-rate DoS attack against application servers, Issue 27, pp. 335-354.
McDowell, M. (2004) Understanding Denial-of-Service Attacks, URL: http://www.us-cert.gov/cas/tips/ST04-015.html (accessed 01/04/2009)
Messmer, E. (2008) Network World, Distributed DoS attacks surging in scale, ISPs report, Southborough, November 11.
Nazario, J. (2007) Estonian DDoS Attacks - A summary to date, URL: http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/ (accessed 28/05/2009)
Patalong, F. (2008) Ehrenamtliche Angriffe, URL: http://www.spiegel.de/netzwelt/web/0,1518,572033,00.html (accessed 28/05/2009)
Ponemon Institute (2007) 2007 Annual Study: U.S. Cost of a Data Breach, URL: http://download.pgp.com/pdfs/Ponemon_COB-2007_US_071127_F.pdf (accessed 28/05/2009)
Pouffary, Y. (2002) An Industry view of IPv6 Advantages, URL: http://www.ipv6-es.com/02/docs/yanick_pouffary_1.pdf (accessed 28/05/2009)
Poulsen, K. (2001) DoS attacks getting scarier, URL: http://www.securityfocus.com/news/271 (accessed 01/04/2009)
Rantanen, M. (2007) Virtual harassment, but for real, URL: http://www.hs.fi/english/article/Virtual+harassment+but+for+real+/1135227099868 (accessed 28/05/2009)
Richardson, R. (2007) CSI The 12th Annual Computer Crime and Security Survey, URL: http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf (accessed 28/05/2009)
Rötzer, F. (2007) DoS-Angriffe auf Internetseiten der estnischen Regierung, URL: http://www.heise.de/tp/r4/artikel/25/25218/1.html (accessed 28/05/2009)
Schwartau, W. (1999) Computers and Security, Surviving Denial of Service, Volume 18, Issue 2, pp. 124-133.
Security Focus (2007) Electronic Jihad rears its head, again, URL: http://www.securityfocus.com/brief/619 (accessed 01/04/2009)
Security Focus (2008) Microsoft closes a critical network flaw, URL: http://www.securityfocus.com/brief/659 (accessed 01/04/2009)
Security Focus (2008) TCP flaws allow deadly DoS attacks, finders say, URL: http://www.securityfocus.com/brief/831 (accessed 01/04/2009)
Security Focus (2009) Cyber attacks disrupt Kyrgyzstan's networks, URL: http://www.securityfocus.com/brief/896 (accessed 01/04/2009)
Security Focus (2009) Cyber conflict? More like censorship, URL: http://www.securityfocus.com/brief/925 (accessed 01/04/2009)
Standards Australia (2006) AS/NZS ISO/IEC 27002:2006 Information Technology – Security techniques – Code of practice for information security management, URL: http://fulloffacts.com/get/x-misc/AS27002-2006-A1.pdf (accessed 28/05/2009)
Sung, M. and Xu, J. (2003) IEEE Transactions on Parallel and Distributed Systems, IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks, Volume 14, Issue 9, pp. 861-872.
Van Oorschot, P.C., Robert, J. and Martin, M.V. (2006) International Journal of Information Security, A monitoring system for detecting repeated packets with applications to computer worms, Volume 5, Issue 3, pp. 186-199.
Wang, X.F. and Reiter, M.K. (2008) International Journal of Information Security, A multi-layer framework for puzzle-based denial-of-service defense, Volume 7, pp. 243-263.
Wang, Y., Lin, C., Li, Q. and Fang, Y. (2007) Computer Networks, A queueing analysis for the denial of service (DoS) attacks in computer networks, Issue 51, pp. 3564-3573.
Warner, G. (2007) Estonia vs. Russia – The DDOS War, URL: http://www.birmingham-infragard.org/meetings/talks/presentations/Estonian.DDOS.pdf (accessed 28/05/2009)
Wikipedia (2009a) Phishing – Recent phishing attempts, URL: http://en.wikipedia.org/wiki/Phishing#Recent_phishing_attempts (accessed 28/05/2009)
Wikipedia (2009b) Denial of Service, URL: http://de.wikipedia.org/wiki/Denial_of_Service (accessed 28/05/2009)
Wireless News (2008) Radware Reports Denial-of-Service Vulnerability in Apple's iPhone Safari, April 28th.
Zhang, R. and Chen, K. (2005) Computers and Security, Improvements on the WTLS protocol to avoid denial of service attacks, Issue 24, pp. 76-82.
APPENDIX
DETAILS OF DDOS ATTACK AGAINST ESTONIA [72]
Not all attacks or attack dates are recorded in the following tables, but the most
important dates are recorded. They give a good impression of the scope of this
massive attack.

Attacks   Destination address     Owner
35        195.80.105.107/32       pol.ee
7         195.80.106.72/32        www.riigikogu.ee
36        195.80.109.158/32       www.riik.ee, www.peaminister.ee, www.valitsus.ee
2         195.80.124.53/32        m53.envir.ee
2         213.184.49.171/32       www.sm.ee
6         213.184.49.194/32       www.agri.ee
4         213.184.50.6/32
35        213.184.50.69/32        www.fin.ee (Ministry of Finance)
1         62.65.192.24/32
Tab. 0.1: Attack on Estonia: Targeted destinations

Attacks   Date
21        2007-05-03
17        2007-05-04
31        2007-05-08
58        2007-05-09
1         2007-05-11
Tab. 0.2: Attack on Estonia: Attack dates
“As for how long the attacks have lasted, quite a number of them last under an
hour. However, when you think about how many attacks have occurred for some
of the targets, this translates into a very long-lived attack. The longest attacks
themselves were over 10 and a half hours long sustained, dealing a truly crushing
blow to the endpoints.”
[72] For all of the following information, see Nazario (2007)

Attacks   Duration
17        less than 1 minute
78        1 minute - 1 hour
16        1 hour - 5 hours
8         5 hours - 9 hours
7         10 hours or more
Tab. 0.3: Attack on Estonia: Attack durations
Finally, this is a decent sized botnet behind the attack, with aggregate bandwidth
that was maxing out at nearly 100 Mbps.
Attacks   Bandwidth measured
42        less than 10 Mbps
52        10 Mbps - 30 Mbps
22        30 Mbps - 70 Mbps
12        70 Mbps - 95 Mbps
Tab. 0.4: Attack on Estonia: Attack bandwidths