radicalde ve lo pm e nt .

ne t

http://radicaldevelo pment.net/co mbating-do s-o r-ddo s-attacks/

Combating DoS or DDoS Attacks

T he reality is Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been around f or many years. While there are not new developments in which the mechanism that these attacks are carried out, these attacks are simply becoming more and more sophisticated. T here is also legal precedence which individuals or groups can target a specif ic entity as long as there is a legitimate underlying cause. Taking in account the growing sophistication and legal background it becomes ever more important f or organizations to f ormulate a plan in detecting, preventing, and mitigating the risks surrounding DoS and DDoS attacks. T he shif t to a def ensive posture may be f oreign to many organizations however to ensure services continue uninterrupted these organizations must take these type of attacks much more seriously. To combat Denial of Service attacks it is essential to understand that the idea of this attack encapsulates the concept of f looding the target network, breaking the network connection, and f inally the hindrance of an individual or even a group to access a particular service. T he cyber battlef ield concerning this type of attack is depicted in f igure 1. Here the attacker seeks out what is known as a handler where sof tware is installed that allows the handler to be controlled via the attacker.

Figure: 1 At this point, the attacker issues commands to the handler that in turn controls the agents and the agents then act as the solider that attacks the target. Of ten the agents are unsuspecting computers that may be inf ected with malware. Of course, denial of service attacks also are executed by a single entity by taking advantage of vulnerabilities within program f laws, specif ically in the areas of resource starvation and buf f er overf lows (Northcutt, 2007). At the end of the day, the threat of a DoS or DDoS is real and to reduce these threats the next steps are detecting and mitigating the threat. Keeping in mind these steps, I selected three research papers f ocus on detection and prevention in order to reduce the risk surrounding denial of service attacks. T he key f actor is to remember that risks cannot entirely be removed, but these same risks can be mitigated to an acceptable level with everyone involved.

Attacks in History

To put into perspective all one has to do is turn attention back in time to 2007 when Estonia f eel victim to a DoS attack. What propagated the attack was the action that the Estonian citizens relocated a Soviet war memorial f rom the city of Tallinn. At the time, Estonians believed that the Russian government was behind the attack however, the Russian government denied all involvement. T he other widely adopted believe was that hackers who sympathized with the Russians where behind the attack and this included China. T his DoS attack was viewed as a cyberwar between Russia and Estonia and because of this; both organizations and countries alike took notice of the importance of cybersecurity.

Detecting the Threat

Over the years network centric def ense systems has evolved to the level where the traf f ic can be monitored and categorized to the level in which traf f ic can be determined if it is acceptable or unacceptable (Ying, Incheol, T hai, and Taieb, 2010). Accountability must be at the center of computing, in other words every action must be both measurable and traceable by to a given entity. T he reason this is important is so the organization can take the inf ormation in order to step through the attack in the hope that this test scenario points out the vulnerability and how the vulnerability was exploited. Ying et al. (2010) emphasize that detection and testing sounds simple of the surf ace however there are three problems areas to address, which include having a sold testing structure, planning the inf rastructure to mimic the attacker, and f inally the test case must provide accurate results. Once test cases are in place and executed, then and only then can an organization be successf ul. Modern day business is widely conducted over the Internet and be of this it is extremely more important than ever to conduct testing across the spectrum. For example, computer on a network typically communicate via routers and it is not overly dif f icult to execute a denial of service attack on a given network. One such attack vector is exploiting Internet Protocol (IP) version 6 by sending a f lood data packets, which will advertise a network. T his exploit then will cause all devices on the network to then attempt to connect and now the computers f all victim to resource starvation. In f act, this exploit will f orce clients to join hundreds of advertised networks until the computer becomes utterly nonresponsive. A great test scenario is to conf igure the operating systems (OS) to ignore a predetermined number networks, of course the root vulnerability resides with the vendor to patch. Ying et al. (2010) proposal surrounding a testing based approach to both DoS and DDoS attacks attempts to establish a solid f ramework in which these types of attacks are reduced by understanding the day-to-day network activity. T he downside to this approach is public f acing networks are dif f icult to measure because the usage of ten peaks over time making it challenging to def ine what traf f ic is acceptable.

Counter the Attack

At this stage in DoS attacks the idea is that if an attack is determined to be underway there must be measures in place to f ight of f the attack. As mentioned previously, many aspects of business are of ten conducted over the Internet and because of this f act; a pronounced example of a DoS attack of service are password attacks. Goyal, Kumar, Singh, Abraham, and Sanyal, (2006) point out that a vast amount of systems utilize passwords f or two reasons which include convenience and the f act that end users widely accept the use of a password to gain access to a service. For similar reasons that passwords are popular with users, they are also popular f orms of DoS attacks.

Figure: 2 When it comes to password attacks, the hacker community has a vast arsenal at their disposal whereas security measures typically are limited or as they evolve, they of ten f all victim to an attack. T he reality is DoS attacks will likely always be reactive but this does not mean that proactive measures should not be implemented. A password by def inition means a word or phrase that is unknown to others than the intended party. However, the reality is passwords are weak and easily guessed or even cracked as f igure 2 represents they typical length of a password. Because of this f act, Goyal et al. (2006) propose a measure that will prevent dictionary attacks by shrinking the attack window, which in turn will require the hacker to rethink the attack. T he core of this idea is the protocol initiates a f our-pass transmission where the f inal two passes involve a computation that is negotiated between the server and the client. To put passwords into perspective when it comes to DoS attacks it is important to understand that while typically attacks are carries out on tiers three and f our, it is entirely f easible to also attack tier two via the password vulnerability. Case in point, Cisco (2005) released an advisory that outlined their Application and Content Networking System (ACNS) sof tware could f all victim to a DoS attack by exploiting the def ault password used f or administrative accounts.

Mitigating the Threat

An interesting aspect of prevention within Service-Oriented Architecture (SOA) is outline by Shah, Mangal, Agarwal, Mehra, and Patel (2010) where a heavy f ocus is given to web services. In several aspects of Internet based communications, many vendors provide an Application Programing Interf ace in which a great deal of these communications takes place via a web service. T he idea is that a Web Service is no dif f erent f rom a web application in the sense that both are open to attacks. Shah et al. (2010) put f orth the idea of leveraging Simple Object Access Protocol (SOAP) at both the server and client using encryption to combat a DoS attack by use of handlers. T hese handlers provide a number of actions one being encryption and the second being validation of the SOAP envelop. Both of these options greatly reduce the DoS threat in the

area of web services. In reality there has been a great deal of both solutions provided in the def ense of DoS attacks which include anomaly detection, IP tracing, and f iltering packets and the area of DoS is constantly evolving (Yu, Fang, Lu, and Li, 2010). When it all comes down to reducing the threat the obvious answer resides in the area of trust management, in other words know your user base and establish strong boundaries of network usage. Yu et al. (2010) also present the use of a license management server, which would serve out a license to authorized users, and without the license at the client, all network communications sent to the receiver would be ignored. T he idea here of mitigating the DoS attacks is both lightweight and f easible to the degree that interested parties could quickly and easily adopt a def ensive posture against DoS attacks.

Conclusion
At this point, it should be clear that DoS attacks are not overly complicated to both def end and attack. Ref erencing f igure 3 it is clear that DoS can af f ect each tier of the OSI model.

Figure: 3 What makes DoS dif f icult to def end are the f acts that it is of ten dif f icult to distinguish between legitimate traf f ic and the f act that all sof tware contains def ects that can be exploited. While DoS is dif f icult to def end, it is not impossible. Actions such as reviewing network inf rastructure against the National Institute of Standards and Technology (NIST ) standards and load testing the network will both assist in f inding vulnerabilities and understanding at what stress point the network will break under a given load. Monitoring is also extremely important theref or an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) will assist immensely in protecting the network. Of course, the single most important aspect is to have an

established policy and procedure that outlines the course of action taken bef ore, during, and af ter the attack. If the network is a victim of an attack, as soon as possible the Internet Service Provider (ISP), Inf ormation Security (IS) personnel, and the appropriate law enf orcement agency must all be alerted.

References
Goyal, V., Kumar, V., Singh, M., Abraham, A., & Sanyal, S. (2006). A new protocol to counter online dictionary attacks. Computers & Security, 25(2), 114-120. doi:10.1016/j.cose.2005.09.003 Cisco. (2005). ACNS Denial of Service and Def ault Admin Password Vulnerabilities. Cisco Security Advisory. Retrieved f rom http://tools.cisco.com Northcutt, S. (2007). Security Laboratory: Methods of Attack Series. SANS Technology Institute. Retrieved f rom http://www.sans.edu Shah, D., Mangal, A., Agarwal, M., Mehra, M., & Patel, D. (2010). Mitigating DoS using handlers f or Global SOA. Journal of Algorithms & Computational Technology, 4(4), 381-394. Retrieved f rom http://www.multi-science.co.uk/ Ying, X., Incheol, S., T hai, M. T., & Taieb, Z . (2010). Detecting application denial-of -service attacks: A group-testing-based approach. IEEE Transactions On Parallel & Distributed Systems, 21(8), 12031216. doi:10.1109/T PDS.2009.147 Yu, J. J., Fang, C. C., Lu, L. L., & Li, Z . Z . (2010). Mitigating application layer distributed denial of service attacks via ef f ective trust management. IET Communications, 4(16), 1952-1962. doi:10.1049/iet-com.2009.0809 Highly motivated inf ormation technology prof essional with 16+ years of experience. Working as a sof tware engineer Steven develops and maintains web based sof tware solutions. As a skilled prof essional he is f ocused on the design and creation of sof tware. Because communication skills are extremely important Steven continues to expand his knowledge in order to communicate clearly with all f acets of business. Recently Steven has been leading ef f orts to standardize sof tware development tools and technology, plans and coordinates web accessibility as applied to IT Solutions, and he is tackling application security in terms of best practices and implementation of the Security Development Lif e-cycle.