
Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques

Kamrul Shaker

Master of Science in Computer Science

Department of Computer Science Faculty of Science & Information Technology American International University-Bangladesh (AIUB)

January 2014

Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques

Kamrul Shaker (12-95364-1)

A thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Computer Science

Department of Computer Science Faculty of Science & Information Technology American International University-Bangladesh (AIUB)

January 2014

Declaration
I declare that this thesis is my original work and has not been submitted in any form for another degree or diploma at any university or other institute of tertiary education. Information derived from the published and unpublished work of others has been acknowledged in the text and a list of references is given.

I declare that this thesis does not contain any content that discloses the secrets of any organization or related parties. American International University-Bangladesh (AIUB) will not be held liable for any such activities, as the thesis is solely presented as my original work.

-------------------------------------Kamrul Shaker 12-95364-1

APPROVAL
The thesis titled Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques has been submitted to the following respected members of the board of examiners of the Department of Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Computer Science on 6th January 2014 by Kamrul Shaker (ID: 12-95364-1) and has been accepted as satisfactory.

-----------------------------------------------------Md. Manirul Islam Supervisor Assistant professor Department of Computer Science AIUB

-----------------------------------------------------Dr. Tabin Hasan External Assistant professor Department of Computer Science AIUB

-----------------------------------------------------Dr. Dip Nandi Assistant Professor and Head (Graduate Program) Department of Computer Science AIUB

-----------------------------------------------------Prof. Dr. Tafazzal Hossain Vice President Academic Affairs & Dean (in-charge), Faculty of Science & Information Technology, AIUB

-----------------------------------------------------Dr. Carmen Z. Lamagna Vice Chancellor AIUB

ACKNOWLEDGEMENT
I would like to express my appreciation to my supervisor Md. Manirul Islam, Assistant Professor, Department of Computer Science, AIUB, and to Dr. Dip Nandi, Assistant Professor, Department of Computer Science, AIUB. Thank you for giving me the opportunity to be part of this research. Once again, special thanks to Md. Manirul Islam, whose continuous guidance, encouragement, invaluable suggestions, untiring co-operation and amicable behavior helped me a lot to complete and publish the report successfully.

I am grateful for access to the AIUB Cisco Lab, which allowed me to use Cisco devices for technical work and analysis. Moreover, I would like to acknowledge all of my respondents who answered my queries.

The author would like to express his gratitude to all the teachers of the Department of Computer Science, all officials of the American International University-Bangladesh, and his classmates for their encouragement and co-operation.

Kamrul Shaker 12-95364-1

ABSTRACT
This thesis analyzes DoS and DDoS attacks in order to identify effective mitigation techniques. It presents an analytical model that relates DoS and DDoS attacks to a real-time network environment, describes different types of DoS and DDoS attack at several attack rates in different scenarios, and discusses mitigation techniques that minimize or slow down the effect of such attacks on a live network. The findings indicate that firewall rules and the built-in security features of network devices can be more effective than commercial solutions.

TABLE OF CONTENTS

Declaration
Approval
Acknowledgement
Abstract

Chapter 1 Introduction
1.1 Introduction
1.2 Attacker
1.3 Handler
1.4 Zombie
1.5 Victim

Chapter 2 DoS and DDoS Attacks and Tools
2.1 DoS and DDoS Attacks
2.2 Category of Attacks
2.2.1 Bandwidth Attack or Volume Based Attack
2.2.1.1 UDP Flood
2.2.1.2 ICMP Flood
2.2.2 Protocol Attacks
2.2.2.1 SYN Floods
2.2.2.2 Ping of Death
2.2.3 Application Layer Attack
2.3 Attack Tools
2.3.1 Backtrack or Kali Linux
2.3.2 Slowloris
2.3.3 UDP Unicorn
2.3.4 hping or hping3
2.3.5 Yersinia
2.3.6 Metasploit
2.3.7 UDP War Flooder
2.3.8 LOIC
2.4 Detection and Mitigation Tools
2.4.1 Wireshark
2.4.2 Snort
2.4.3 Backtrack or Kali Linux
2.4.4 IPTables
2.4.5 Firewall
2.4.6 TCPDump
2.5 Total Attacks Statistics

Chapter 3 Attacks, Analysis and Mitigation
3.1 Attacks
3.1.1 DHCP Attack Using Yersinia
3.1.2 DHCP DoS Attack Using hping3
3.1.3 CDP Attack Using Yersinia
3.1.4 MAC Address Table Flood Using macof
3.1.5 WiFi Jamming Attack Using mdk3

Chapter 4 Conclusion
4.1 Conclusion

TABLE OF FIGURES

Figure 1.1: Sample Flow Architecture of Distributed Denial of Service
Figure 2.1: SYN Attack
Figure 2.2: Wireshark
Figure 2.3: Backtrack Linux
Figure 2.4: Kali Linux
Figure 2.5: Prolexic Attack Graph of all time
Figure 3.1: DHCP Attack Diagram
Figure 3.2: DHCP Messages
Figure 3.3: Yersinia
Figure 3.4: Yersinia
Figure 3.5: Yersinia
Figure 3.6: Wireshark Capture from Attacker PC
Figure 3.7: DHCP DoS Attack Diagram
Figure 3.8: hping3
Figure 3.9: Wireshark Capture
Figure 3.10: DHCP Client
Figure 3.11: DHCP Client is not getting IP
Figure 3.12: CDP Attack Diagram
Figure 3.13: Yersinia
Figure 3.14: Yersinia Interface Choose
Figure 3.15: Yersinia Attack
Figure 3.16: Yersinia CDP Attack Launch
Figure 3.17: Yersinia during attack
Figure 3.18: Wireshark Packet Capture
Figure 3.19: MAC Address Flood Attack Diagram
Figure 3.20: macof attack
Figure 3.21: Macof flood
Figure 3.22: Show Mac-Address Table
Figure 3.23: Show Mac-Address Table
Figure 3.24: Wireshark Capture

Chapter 1

Introduction


1.1 Introduction
The topic of this paper is defending against Distributed Denial of Service attacks and analyzing traffic patterns in order to prevent future attacks.

Technology advances day by day, and people use it to communicate with each other: over mobile networks, private networks and the Internet (chat, social networking and so on). Financial and educational institutions also depend on the Internet; stock markets and banks are examples of such financial institutions.

Modern life has grown dependent on Internet communication, and anything that disrupts it is disastrous for social and business networks. Finding technologies that minimize denial of service is crucial to the unfettered growth of the Internet.

Technology can be used for good, and it can also be used for harm. Here we are not concerned with the theft of important data; the harm we consider is preventing legitimate users from reaching important data or services. That is denial of service.

In the narrow sense used here, a Denial of Service attack is an attack from a single source against a specific network or application. This thesis does not focus on single-source attacks. When an attack has many sources, typically with spoofed source addresses, aimed at a specific destination network or host, the attack is distributed: its origins are spread across many machines. Such an attack is a Distributed Denial of Service attack.

DoS and DDoS in short:

Penetration
1. The attacker gets inside your machine.
2. He can take over the machine and do whatever he wants.
3. Entry is achieved via software flaw(s), stolen passwords or insider access.

Flooding attack
1. The attacker sends an overwhelming number of messages at your machine, causing great congestion.
2. The congestion may occur in the path before your machine.
3. Messages from legitimate users are crowded out.
4. It usually involves a large number of machines, hence Distributed Denial of Service (DDoS) attack.

Denial of Service attacks
1. A Denial of Service (DoS) attack is an orchestrated traffic jam.
2. The purpose is to shut down a site, not to penetrate it.
3. The purpose may be vandalism, extortion or social action (including terrorism).
4. Sports betting sites are often extorted.
5. Large numbers of attacks, few of them visible: Estonia, the root servers, TLD operations.

Distributed DoS (DDoS)
1. Most common DoS attacks use thousands of computers, sometimes hundreds of thousands.
2. Individual computers (zombies) are penetrated and marshaled into a common force (bot armies).
3. Tools are easily available.
4. Bot armies are available for rent.

Effects of attacks
1. Modification of internal data or programs, including defacement of web sites.
2. Destruction of data.
3. Unauthorized disclosure.
4. Denial of Service (DoS).

Some definitions of Distributed Denial of Service attack:

No. 1. Source: Wikipedia
Definition: DDoS, short for Distributed Denial of Service, is a type of DoS attack where multiple compromised systems, which are usually infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all systems maliciously used and controlled by the hacker in the distributed attack.

No. 2. Source: Techopedia, http://www.techopedia.com/definition/10261/distributed-denial-of-service-ddos
Definition: A distributed denial-of-service (DDoS) is a type of computer attack that uses a number of hosts to overwhelm a server, causing a website to experience a complete system crash. This type of denial-of-service attack is perpetrated by hackers to target large-scale, far-reaching and popular websites in an effort to disable them, either temporarily or permanently. This is often done by bombarding the targeted server with information requests, which disables the main system and prevents it from operating. This leaves the site's users unable to access the targeted website.


Figure 1.1: Sample Flow Architecture of Distributed Denial of Service Attack.

1.2 Attacker
The attacker is the mastermind hacker or intruder. An attacker can choose different ways to take down the victim's systems or machines, and several of them keep the attacker hidden from the victim, so that the real attacker's identity is never exposed. Later in this paper we describe the attack techniques and their behavior.

1.3 Handler
A handler is a system or machine equipped with special programs that can compromise and control a group of machines.

1.4 Zombie
In a DoS or DDoS attack, zombies are the compromised machines that are used to attack the victim's systems or machines and take them down.

1.5 Victim
The victim is the attacked system or machine.

Chapter 2

DOS and DDoS Attacks and Tools


2.1 Dos and DDoS Attacks


A DoS attack comes from a single source; a DDoS attack comes from a multitude of compromised sources, usually with spoofed IP addresses. Such attacks are huge in volume and can paralyze a running network.

In a DoS or DDoS attack, the hacker or intruder tries to find a weakness of the network and attacks it. The weakness can be an open port or a running service; which one is attacked depends on the attacker's purpose.

Distributed Denial of Service is a hot topic at present because it can hamper online applications such as banking, trading and e-commerce.

Many researchers have worked on this problem, some of them since before 2000. According to many of them, the victim of a DDoS attack can be of several kinds: a specific host targeted through a specific service or application, or a small or large network consisting of many hosts.

According to some research papers, attacks are of two types: i) semantic attacks and ii) brute-force attacks. A semantic attack is launched from a single PC or workstation. A brute-force attack compromises many poorly secured PCs around the globe that are connected to the Internet and uses them to attack a specific network consisting of many hosts.

To mitigate, prevent or stop such DDoS attacks, Nathalie Weiler proposed a design based on a honeypot server, where the attacker's traffic is analyzed using the honeypot in order to prevent or mitigate the attack. Weiler also described DDoS attack tools such as Trinoo, Tribe Flood Network (TFN), Stacheldraht and TFN2K. More attack tools are discussed later in this thesis.

In another paper, Hasan Chowdhury proposed a solution using the Snort IDS, in which defined rules detect UDP flooding attacks and the resulting alerts are written to a log file for further investigation.

Some papers describe mitigation techniques that are well known and already built into industry practice. Some of these techniques are:

1. Disable unused services.
2. Apply commercial or freeware security patches.
3. Disable IP directed broadcast.
4. Enable a firewall on the server for access restrictions.
5. Limit user access.
6. Use a pool of IP addresses for servers.
7. Filter incoming and outgoing traffic.
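As an added illustration of item 7 (filtering incoming and outgoing traffic), and not code from the thesis: the ingress/egress check a border router or firewall applies to defeat source-address spoofing, in the spirit of BCP 38. Inbound packets that claim one of the site's own addresses, or a bogon source, can only be spoofed and are dropped; outbound packets whose source is not one of the site's prefixes are dropped so the site's hosts cannot be used in a spoofed-source flood against others. The site prefixes, the bogon list and the sample packets are assumptions constructed for the example.

```python
"""Ingress/egress anti-spoofing filter (added example, not from the thesis)."""
import ipaddress

# Prefixes this site owns (assumption for the example). Everything else is "outside".
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

# Private, loopback, link-local and multicast ranges that must never arrive from the Internet.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def _in_any(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    return any(addr in n for n in nets if n.version == addr.version)


def filter_decision(direction, src, dst):
    """Return ('accept'|'drop', reason) for a packet on the border interface.

    direction is 'in' (arriving from the Internet) or 'out' (leaving towards it).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(s, INTERNAL_PREFIXES):
            return "drop", "ingress: internal source address arriving from outside (spoofed)"
        if _in_any(s, BOGONS):
            return "drop", "ingress: bogon source address"
        if not _in_any(d, INTERNAL_PREFIXES):
            return "drop", "ingress: destination is not ours (transit abuse)"
        return "accept", "ingress ok"
    if direction == "out":
        if not _in_any(s, INTERNAL_PREFIXES):
            return "drop", "egress: source is not one of our prefixes (spoofed)"
        return "accept", "egress ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample packets: (direction, src, dst).
SAMPLE_PACKETS = [
    ("in", "203.0.113.9", "192.0.2.10"),     # normal client reaching our web server
    ("in", "192.0.2.55", "192.0.2.10"),      # claims to be one of our hosts: spoofed
    ("in", "10.1.2.3", "192.0.2.10"),        # RFC 1918 source from the Internet: bogon
    ("out", "192.0.2.20", "198.51.100.1"),   # our host talking out
    ("out", "198.51.100.77", "203.0.113.1"), # our host spoofing someone else's address
]


def apply_filter(packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [filter_decision(*p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", filter_decision(*p))
```

The same two rules are what `iptables` or a router ACL would express per interface; the point of the egress rule is that it protects other people's networks, which is why it is the one most often forgotten.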

Another major attack, described by Daljeet Kaur and Monika Sachdeva, is DNS query flooding. This attack floods the DNS server with bogus queries; the server tries to resolve them and fails, so legitimate queries go unresolved or time out.

Many researchers only design a prevention or mitigation technique for DDoS attacks; some of them actually test it in a real network, such as an ISP network.

2.2 Category of Attacks

Based on my study of DoS and DDoS attacks, I categorize them into three parts, because an attacker may want to take down a whole network or only deny a specific service to legitimate users.

The categories are:

i. Bandwidth Attack or Volume Based Attack
ii. Protocol Attacks
iii. Application Layer Attack

17

2.2.1 Bandwidth Attack or Volume Based Attack

This type simply overloads the network with a huge volume of traffic from outside. The attacker typically uses spoofed source addresses, so that the attack cannot be traced back from the victim's network.

The attacker floods the network with a huge amount of traffic. The victim processes that traffic, and at a certain point it starts dropping packets while the sender keeps sending more. After a while the victim is unable to accept legitimate traffic at all.

At the same time the network bandwidth itself is consumed by the massive attack, so legitimate traffic is blocked by the sheer volume.

Bandwidth or volume based attacks include UDP floods, ICMP floods and similar.

2.2.1.1 UDP Flood

A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:

1. check for the application listening at that port;
2. see that no application listens at that port;
3. reply with an ICMP Destination Unreachable (port unreachable) packet.

Thus, for a large number of UDP packets, the victimized system is forced to send many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the source IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them and anonymizing their network location(s). Modern hosts rate-limit ICMP error generation, which bounds the reply load on the victim; the bandwidth consumed by the inbound flood itself remains.
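An added example, not from the thesis, of the reply-side behaviour just described and the usual host-level mitigation: a token-bucket rate limit on ICMP Destination Unreachable generation, of the kind Linux applies through net.ipv4.icmp_ratelimit. The victim model, the set of listening ports and the constructed flood are assumptions; the point is the difference between one ICMP reply per attack datagram and a bounded reply rate.

```python
"""Token-bucket limit on ICMP port-unreachable replies (added example)."""
from dataclasses import dataclass, field

OPEN_UDP_PORTS = {53, 123}   # services assumed to be listening on the victim


@dataclass
class IcmpRateLimiter:
    """Token bucket: at most `burst` replies at once, refilled at `rate` per second."""
    rate: float = 20.0                                   # tokens added per second
    burst: float = 20.0                                  # bucket capacity
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst                         # start full

    def allow(self, now: float) -> bool:
        """Spend one token for a reply at time `now`, or refuse."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def handle_udp_flood(packets, limiter=None):
    """Process (timestamp, src_ip, dst_port) datagrams as the victim host would.

    Returns (delivered, icmp_sent, icmp_suppressed). With limiter=None every
    datagram to a closed port costs one ICMP reply, which is exactly what the
    attacker wants; with a limiter the reply rate is capped.
    """
    delivered = icmp_sent = icmp_suppressed = 0
    for ts, src, dport in packets:
        if dport in OPEN_UDP_PORTS:
            delivered += 1                # handed to the listening application
        elif limiter is None or limiter.allow(ts):
            icmp_sent += 1                # ICMP type 3 code 3 back to src (possibly spoofed)
        else:
            icmp_suppressed += 1          # silently dropped, no reply generated
    return delivered, icmp_sent, icmp_suppressed


def flood_sample(n=1000, duration=1.0):
    """Constructed flood: n datagrams to closed high ports spread over `duration` seconds."""
    return [(i * duration / n, "198.51.100.%d" % (i % 200), 1024 + (i * 7919) % 60000)
            for i in range(n)]


if __name__ == "__main__":
    pkts = flood_sample()
    print("no limiter  :", handle_udp_flood(pkts))
    print("with limiter:", handle_udp_flood(pkts, IcmpRateLimiter()))
```

With the limiter the victim sends roughly forty replies for a thousand attack datagrams in one second (the initial burst plus the refill), instead of a thousand; the sysctl on a real Linux host is the same knob, expressed in jiffies between replies.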

18

2.2.1.2 ICMP Flood

An ICMP flood attack, otherwise known as a ping flood, is one of the simplest ping-based denial-of-service attacks and is largely what it sounds like: the attacker overloads the victim's system by sending ICMP echo request (ping) packets constantly, without waiting for replies, drowning the victim in a flood of packets.

2.2.2 Protocol Attacks


This type of DDoS attack consumes the resources of either the servers themselves, or of intermediate communication equipment, such as routers, load balancers and even some firewalls. Some examples of protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. Protocol attacks are usually measured in Packets per second.

2.2.2.1 SYN Floods


Normally when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this: 1. The client requests a connection by sending a SYN (synchronize) message to the server. 2. The server acknowledges this request by sending SYN-ACK back to the client. 3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address which will not send an ACK because it "knows" that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

Figure 2.1: SYN Attack
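Added example, not part of the thesis: SYN cookies, the standard stateless defence against the half-open connection exhaustion described above. Instead of allocating a half-open connection for every SYN, the server encodes the state it would otherwise keep into the initial sequence number of its SYN-ACK, and verifies that value when (and only when) the final ACK arrives; spoofed SYNs that never complete the handshake therefore cost the server no memory. The 32-bit layout, the MSS table, the 32-second timestamp slot and the secret key are simplifications chosen for this example; Linux's net.ipv4.tcp_syncookies implements the same idea with different constants.

```python
"""Simplified SYN cookies (added example, not the thesis's or Linux's code).

Cookie = server ISN, 32 bits:
  bits 31..27 : 5-bit counter of 32-second time slots, so cookies age out
  bits 26..24 : index into MSS_TABLE, the one piece of handshake state kept
  bits 23..0  : truncated HMAC over the 4-tuple, the slot and the client ISN
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)                 # per-boot server secret (assumption)
MSS_TABLE = (536, 1220, 1440, 1460)     # 3-bit index; largest entry <= offered MSS
MAX_AGE_SLOTS = 4                       # accept cookies up to 4 slots (~2 min) old


def _slot(now):
    return (int(now) >> 5) & 0x1F       # 32 s granularity, 5 bits


def _mac24(src, sport, dst, dport, slot, client_isn, mss_idx):
    msg = f"{src}|{sport}|{dst}|{dport}|{slot}|{client_isn}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """ISN for the SYN-ACK. No per-connection state is stored on the server."""
    slot = _slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src, sport, dst, dport, slot, client_isn, mss_idx)
    return (slot << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, ack_num, now):
    """Validate the handshake-completing ACK; return the negotiated MSS or None.

    client_isn is the ACK's sequence number minus one, so everything needed to
    recompute the cookie is in the packet itself. None means the cookie is
    forged, replayed on another 4-tuple, or expired.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_slot(now) - slot) & 0x1F > MAX_AGE_SLOTS:
        return None                                   # too old (or from the future)
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src, sport, dst, dport, slot, client_isn, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Legitimate client completes; a forged or stale ACK is rejected statelessly."""
    client = ("203.0.113.7", 40000, "192.0.2.10", 80)   # constructed 4-tuple
    isn_c, t = 12345, 1_000_000
    isn_s = make_cookie(*client, isn_c, 1460, t)         # SYN-ACK seq = cookie
    ok = check_cookie(*client, isn_c, isn_s + 1, t + 10)
    forged = check_cookie("203.0.113.8", 40000, "192.0.2.10", 80, isn_c, isn_s + 1, t + 10)
    stale = check_cookie(*client, isn_c, isn_s + 1, t + 32 * 6)
    return ok, forged, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

The price of statelessness is visible in the layout: only a few MSS values fit in three bits, and TCP options the server cannot encode are lost, which is why real stacks enable cookies only once the SYN backlog is under pressure.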

2.2.2.2 Ping of Death

The ping of death is a denial of service (DoS) attack in which the attacker deliberately sends an IP packet larger than the 65,535 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be broken down into smaller pieces. In 1996 attackers began to take advantage of that feature when they found that the fragments of a packet could add up to more than the allowed 65,535 bytes once reassembled. Many operating systems did not know what to do when they received such an oversized packet, so they froze, crashed or rebooted.

20

2.2.3 Application Layer Attack

Perhaps the most dangerous type of DDoS attack, application layer attacks consist of seemingly legitimate and innocent requests. The intent of these attacks is to crash or exhaust the web server. Some examples of application layer attacks include Slowloris, zero-day DDoS attacks, and DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities. The magnitude of this type of attack is measured in requests per second.

1. Teardrop Attack: In a Teardrop attack the target machine is attacked by sending mangled IP fragments with overlapping, over-sized payloads. This can lead to the crashing of various operating systems due to a bug in their TCP/IP fragmentation re-assembly code.

2. Portscan: Portscan involves an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service. A port sweep is a transport layer attack. It can lead to a TCP/SYN flooding attack.

3. Worm: A worm is a self-replicating malware program capable of sending copies of itself to other nodes in the network. Once it enters a network it reproduces without any user intervention and is very difficult to stop. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, and can go as far as causing system failures.

4. Spam: Spam is most often considered to be electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited email. However, if a long-lost brother finds your email address and sends you a message, this could hardly be called spam, even though it is unsolicited. Real spam is generally email advertising for some product sent to a mailing list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Consequently, many organizations, as well as individuals, have taken it upon themselves to fight spam with a variety of techniques. But because the Internet is public, there is really little that can be done to
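Added example covering both the Ping of Death (section 2.2.2.2) and the Teardrop item above; it is not code from the thesis. Both attacks abuse the reassembly step that Snort's preprocessor and every IP stack must perform, so the defence is the same: validate each fragment's offset and length before trusting the arithmetic, and discard the whole datagram if the fragments would exceed the 65,535-byte IPv4 maximum or overlap each other. The fragment tuples are constructed input; the header size and 8-byte alignment rule follow IPv4.

```python
"""Defensive IPv4 fragment reassembly (added example, not from the thesis)."""
MAX_IP_LEN = 65535     # maximum IPv4 total length (16-bit field), header included
IP_HEADER = 20         # minimal header, counted against that limit


class BadFragment(Exception):
    """The datagram must be discarded; the message says why."""


def reassemble(fragments):
    """fragments: iterable of (offset_bytes, payload_bytes, more_fragments).

    Checks, in order: (1) offset+length never exceeds the IP maximum (Ping of
    Death), (2) non-final fragments are 8-byte multiples and offsets are
    8-byte aligned, (3) no two fragments overlap (Teardrop), (4) exactly one
    final fragment, no holes and no data past it. Returns the payload.
    """
    placed, last_end = [], None
    for off, data, more in fragments:
        end = off + len(data)
        if IP_HEADER + end > MAX_IP_LEN:
            raise BadFragment("fragment extends past %d bytes (ping of death)" % MAX_IP_LEN)
        if more and len(data) % 8:
            raise BadFragment("non-final fragment length is not a multiple of 8")
        if off % 8:
            raise BadFragment("fragment offset is not a multiple of 8")
        for p_off, p_end in placed:
            if off < p_end and p_off < end:
                raise BadFragment("overlapping fragments (teardrop)")
        placed.append((off, end))
        if not more:
            if last_end is not None:
                raise BadFragment("two final fragments")
            last_end = end
    if last_end is None:
        raise BadFragment("incomplete: final fragment missing")
    placed.sort()
    expected = 0
    for p_off, p_end in placed:            # contiguous coverage from offset 0
        if p_off != expected:
            raise BadFragment("hole at offset %d" % expected)
        expected = p_end
    if expected != last_end:
        raise BadFragment("data beyond the final fragment")
    out = bytearray(last_end)
    for off, data, _ in fragments:         # safe: every range was validated above
        out[off:off + len(data)] = data
    return bytes(out)


def verdict(fragments):
    """'ok' if the datagram reassembles cleanly, else 'drop: <reason>'."""
    try:
        reassemble(fragments)
        return "ok"
    except BadFragment as e:
        return "drop: " + str(e)


# Constructed fragment sets.
NORMAL = [(0, b"A" * 1480, True), (1480, b"B" * 1480, True), (2960, b"C" * 100, False)]
PING_OF_DEATH = [(0, b"A" * 1480, True), (65528, b"X" * 8, False)]   # 65528 + 8 + header > 65535
TEARDROP = [(0, b"A" * 32, True), (24, b"B" * 32, False)]            # second one starts inside the first

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print("%-14s %s" % (name, verdict(frags)))
```

Note that the oversized fragment is rejected on arrival, before any buffer is sized from the offsets; the 1990s stacks that crashed did the allocation first and the check never.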

2.3 Attack Tools

Below are some well known attack tools for DoS and DDoS attacks:

I. Backtrack or Kali Linux
II. Slowloris
III. UDP Unicorn
IV. hping or hping3
V. Yersinia
VI. Metasploit
VII. UDP War Flooder
VIII. LOIC

2.3.1 Backtrack or Kali Linux

Backtrack and its successor Kali Linux are operating systems that ship with a large number of attack tools and are mainly used as lab testing systems. Besides attack tools, they are also loaded with mitigation and prevention tools.

Backtrack and Kali Linux are discussed further later in this paper.

2.3.2 Slowloris
Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and with few side effects on unrelated services and ports. Slowloris tries to open many connections to the target web server and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it sends further HTTP headers, adding to, but never completing, the request. Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from clients.
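Added example of the server-side counter-measure; it is not code from the thesis or from the Slowloris author. Because Slowloris sends almost no bandwidth, volume-based detection never sees it; the defence is to bound how long a connection may spend sending its request headers, which is what Apache's mod_reqtimeout and nginx's client_header_timeout do. The reader below applies one deadline to the whole header block (and a size cap) and is driven through a socket pair so it runs offline; the timeouts and the sample requests are assumptions.

```python
"""Header-read deadline against Slowloris (added example)."""
import socket
import time

MAX_HEADER_BYTES = 8192


class SlowClient(Exception):
    """Raised when the header block does not complete before the deadline."""


def read_request_headers(conn, deadline_s=2.0, max_bytes=MAX_HEADER_BYTES):
    """Read until the CRLFCRLF that ends the HTTP headers, or give up.

    Returns the raw header block (bytes). Raises SlowClient if the client has
    not finished within deadline_s seconds of the first call, closes early, or
    exceeds max_bytes. The deadline covers the whole block, not each recv, so a
    client trickling one header line at a time cannot reset it.
    """
    buf = b""
    deadline = time.monotonic() + deadline_s
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowClient("header block not completed in %.1fs" % deadline_s)
        conn.settimeout(remaining)            # never wait past the overall deadline
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            raise SlowClient("no data before deadline")
        if not chunk:                         # peer closed without finishing
            raise SlowClient("connection closed mid-headers")
        buf += chunk
        if len(buf) > max_bytes:
            raise SlowClient("header block larger than %d bytes" % max_bytes)
    return buf.split(b"\r\n\r\n", 1)[0]


def simulate(client_chunks, deadline_s):
    """Push constructed client bytes through a socket pair; return 'ok' or 'dropped'."""
    server, client = socket.socketpair()
    try:
        for chunk in client_chunks:
            client.sendall(chunk)
        # A Slowloris client would now send one more header every few seconds;
        # here it simply never sends the terminating blank line.
        read_request_headers(server, deadline_s)
        return "ok"
    except SlowClient:
        return "dropped"                      # slot is freed for a real client
    finally:
        server.close()
        client.close()


# Constructed requests.
NORMAL = [b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n"]
SLOWLORIS = [b"GET / HTTP/1.1\r\nHost: victim.example\r\n",
             b"X-a: 1\r\n"]                   # partial request, never completed

if __name__ == "__main__":
    print("normal client   :", simulate(NORMAL, 0.5))      # ok
    print("slowloris client:", simulate(SLOWLORIS, 0.5))   # dropped
```

The same bound is the reason the attack works at all against unprotected servers: one idle worker per connection, and nothing that ever expires it.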

2.3.3 UDP Unicorn


UDP Unicorn is a free Windows tool that generates UDP floods and offers a number of options.

2.3.4 hping or hping3


hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time. Like most tools used in computer security, hping is useful to both system administrators and hackers.

2.3.5 Yersinia
Yersinia is a network security/hacking tool for Unix-like operating systems, designed to take advantage of weaknesses in different network protocols. Yersinia is considered a valuable and widely used security tool. Attacks for the following network protocols are implemented:

Spanning Tree Protocol (STP)
Cisco Discovery Protocol (CDP)
Dynamic Trunking Protocol (DTP)
Dynamic Host Configuration Protocol (DHCP)
Hot Standby Router Protocol (HSRP)
IEEE 802.1Q
IEEE 802.1X
Cisco Inter-Switch Link (ISL)
VLAN Trunking Protocol (VTP)

2.3.6 Metasploit


The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine.

2.3.7 UDP War Flooder


UDP War Flooder is another Windows-based attack tool similar to UDP Unicorn.

2.3.8 LOIC
LOIC (Low Orbit Ion Cannon) is an open-source network stress-testing tool that floods a target with TCP, UDP or HTTP requests; it has been widely used in volunteer-driven DDoS campaigns. DDoS attacks are quickly becoming the most prevalent type of attack, growing rapidly in the past year in both number and volume, according to recent market research. The trend is towards shorter attack duration but bigger packet-per-second attack volume, and the overall number of attacks reported has grown markedly as well. During Q4 2011, one survey found 45% more DDoS attacks compared to the same period of 2010, and over double the number of attacks observed during Q3 2011. The average attack bandwidth observed during this period was 5.2 Gbps, 148% higher than the previous quarter. Another survey of DDoS attacks found that more than 40% of respondents experienced attacks that exceeded 1 Gbps in bandwidth in 2011, and 13% were targeted by at least one attack that exceeded 10 Gbps.

From a motivational perspective, recent research found that ideologically motivated DDoS attacks are on the rise, supplanting financial gain as the most frequent motivator of such attacks.

2.4 Detection and Mitigation Tools

I. Wireshark
II. Snort
III. Backtrack or Kali Linux
IV. IPTables
V. Firewall
VI. Tcpdump

2.4.1 Wireshark
Wireshark is a packet capture tool capable of capturing data on a live network. It is loaded with options to capture, analyze, count, break down and inspect live captured data, and is a handy tool for network professionals. Wireshark can also capture VoIP traffic and play back unencrypted voice data from a capture. It can divide captured data by time, data type, size, type of communication and many other criteria, and specific data can be searched for in a capture file. Wireshark runs on all common operating systems, such as Windows, Linux and Mac OS X.

Wireshark is software that "understands" the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.

Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.

Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.

Data display can be refined using a display filter. Plug-ins can be created for dissecting new protocols. VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.

Raw USB traffic can be captured.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange captured network traces with other applications that use the same format, including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.


Figure 2.2: Wireshark

2.4.2 Snort
Snort is a signature-based network intrusion detection system that performs real-time traffic analysis and packet logging on IP networks. It is intended to be a lightweight, cost-efficient IDS that can be deployed to monitor small and lightly utilized networks. As one of the most widely deployed open-source IDSs, Snort's architecture and rule language serve as a representative example of signature-based IDS.

Snort's open source network-based intrusion detection system (NIDS) can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes, including application-aware triggered quality of service, to deprioritize bulk traffic when latency-sensitive applications are in use.

The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user that encodes attack signatures, then performs the specific actions defined in the rules that the packets match. The analysis is typically carried out in the following components:

Packet Decoder
The Packet Decoder decodes the raw packets observed on the network according to the protocol that is used, from IP layer up to application layer. The decoded packet header values are stored in a data structure for later use in the Detection Engine.

Preprocessor
The Preprocessor performs a variety of preprocessing beyond the standard packet decoding before the data can be analyzed by the Detection Engine. This includes IP fragment reassembly, TCP stream reassembly, packet header normalization, etc.

Detection Engine
The Detection Engine carries out the actual attack detection by matching the values obtained in the previous steps against a set of rules that encode patterns of known attacks. If a match is found, the action defined in the rule is executed, e.g. drop the packet, log the packet, or generate an alert to the system administrator.

Logging and Alerting System


This last component logs or generates system alerts based on the action specified in the matched rules as well as the options given at the start of the system.

2.4.3 Backtrack or Kali Linux


Backtrack and Kali Linux are operating systems for advanced digital forensics and penetration testing; each ships with a very large number of tools.

BackTrack or Kali provides users with easy access to a comprehensive collection of security-related tools, ranging from port scanners to security audit tools. Support for Live CD and Live USB functionality allows users to boot BackTrack or Kali directly from portable media without requiring installation, though permanent installation to hard disk or network boot is also an option.

Figure 2.3: Backtrack Linux

BackTrack or Kali includes many well known security tools, including:

Wi-Fi drivers supporting monitor mode (rfmon mode) and packet injection
Aircrack-ng
Gerix Wifi Cracker
Kismet
Ophcrack
Ettercap
Wireshark (formerly known as Ethereal)
BeEF (Browser Exploitation Framework)
Hydra
OWASP Mantra Security Framework, a collection of hacking tools, add-ons and scripts based on Firefox
Cisco OCS Mass Scanner, a very reliable and fast scanner for Cisco routers with telnet open and a default enable password
A large collection of exploits as well as more commonplace software such as browsers

Figure 2.4: Kali Linux

BackTrack or Kali arranges tools into 12 categories:

Information gathering
Vulnerability assessment
Exploitation tools
Privilege escalation
Maintaining access
Reverse engineering
RFID tools
Stress testing
Forensics
Reporting tools
Services
Miscellaneous

2.4.4 IPTables


iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames. iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an "essential binary", the preferred location remains /usr/sbin. The term iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.

2.4.5 Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:

- Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
- Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
- Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
- Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.

2.4.6 TCPDump
TCPDump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X, HP-UX and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets. The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of libpcap.

2.5 Total Attacks Statistics


According to Shadowserver, below are the attack ratios in recent years:

Year  Unique C&C  Unique C&C ASN  Unique C&C Geo  Target Count  Unique Targets  Unique Target ASN  Unique Target Geo
2006  414         214             40              50650         25953           3079               133
2007  848         390             67              35566         15755           1633               107
2008  618         332             66              202678        21312           1870               117
2009  590         272             53              7058221       10991           1491               110
2010  430         157             41              1545208       13757           1697               106
2011  322         98              30              27459         5327            756                72

According to Prolexic, below is the top-10 country ranking of all time:

Rank  Bots      Country
1     18102247  China
2     9119617   United States
3     2457469   India
4     2433247   Japan
5     2311915   Germany
6     2238308   Mexico
7     2220807   Russian Federation
8     2040336   United Kingdom
9     1929810   Italy
10    1810197   Thailand


Figure 2.5: Prolexic Attack Graph of all time.

Below are some DDoS attacks in recent years:

Serial  Date               DDoS Targets/Incidents                                           Consequences/Description
1       March, 2012        South Korea and United States Websites                           It is similar to those launched in 2009.
2       Jan 1, 2012        Official Web-site of the office of the vice president of Russia  It caused the site to be down for more than 15 hours.
3       Nov 5 to 12, 2011  Asian Ecommerce Company                                          A flood of traffic was launched and 250,000 malware-infected computers participated.
4       Nov 10, 2011       Server                                                           The traffic load has been immense, with several thousand requests per second.
5       October 2011       Site of the National Election Commission of South Korea          Attacks were launched during the morning when citizens would look up information, and the attack led to a lower turnout.
6       March 30, 2011     Blogging Platform LiveJournal                                    Experienced serious functionality problems for over 12 hours; the attack resumed on April 4 and 5, 2011.
7       December 8, 2010   MasterCard, PayPal, Visa and PostFinance                         Attack was launched in support of WikiLeaks.ch and its founder. The attack lasted for more than 16 hours. Attack size was 10 Gbps.
8       November 30, 2010  Whistleblower site WikiLeaks                                     Caused the site to be unavailable to visitors. The attack was launched to prevent the release of secret cables. Attack size was 2-4 Gbps.
9       November 28, 2010  Whistleblower site WikiLeaks                                     Attack was launched just after it released confidential US diplomatic cables.
10      November 12, 2010  Domain registrar Register.com                                    Impacted DNS, hosting and webmail clients. 24 hours of outage.



Chapter 3

Attacks, Analysis and Mitigation


3.1 Attacks
In the real and virtual lab environment, the attacks below have been tested and analyzed:
i. DHCP Attack using Yersinia
ii. DHCP DoS Attack using hping3
iii. CDP Attack using Yersinia
iv. MAC Address Table flood using macof
v. WiFi jamming attack using mdk3

3.1.1 DHCP Attack using Yersinia

Figure 3.1: DHCP Attack Diagram


Yersinia is a free tool for the Linux environment. It combines several attacks in one tool. Here I will show the effect of the DHCP attack using Yersinia.

First we need to know about DHCP. DHCP means Dynamic Host Configuration Protocol; a DHCP Server provides the IP Address, Subnet Mask, Gateway Address and DNS Server Addresses to clients.

DHCP works in 4 steps:
I) When a client comes online and is connected to a local network with DHCP configuration, the client searches for an active DHCP Server in the local network with a DHCP Discover message.
II) If there is a DHCP Server and it receives the DHCP Discover message, the server offers the client an IP Address with a DHCP Offer message.
III) The client responds with a DHCP Request message to obtain the IP Address from the DHCP Server.
IV) The server replies with a DHCP ACK message to the client.

Figure 3.2: DHCP Messages

Attack using Yersinia


I have tested the attack scenario in a real-time lab environment with one Cisco router, one switch, one attacker PC and one client PC.

I. Cisco 2800 Series Router
II. Cisco 2960 Series Switch
III. Attacker PC: Linux
IV. Client PC: Windows

Procedure
I. First configure the Cisco Router as DHCP Server for the connected networks.
II. Connect the Cisco Router to the Cisco Switch using a straight-through cable.
III. Connect the client and attacker PC to the Cisco Switch.
IV. Power on all devices.
V. Ensure the connected PCs get an IP Address from the DHCP Server.
VI. Launch Yersinia on the Attacker PC from a terminal using the yersinia -G command.


Figure 3.3: Yersinia

VII. The graphical interface of Yersinia will look like below:

Figure 3.4: Yersinia

VIII. To launch the attack, choose Launch Attack from the toolbar above and select DHCP in the dialogue box that opens.

IX. Select sending DISCOVER packet and press OK. Then the attack will be launched.

Figure 3.5: Yersinia

X. From the client PC, enable DHCP and check that the client does not get any IP address from the DHCP Server, because the DHCP Server's address space has been exhausted. During the attack, I captured data from the attacker machine to analyze it for further investigation.

Figure 3.6: Wireshark Capture from Attacker PC


Wireshark Data Analysis

Attack Ratio, PPS   : 35000 (Avg.)
Attack Duration     : 1 minute to 5 minutes
Attack Source, MAC  : Random or Dynamic
Attack Message Type : DHCP Discover
Attack Result       : DHCP Address Space Exhausted and Legitimate Users will not get an IP Address from the DHCP Server

DHCP Attack Mitigation


We can mitigate the DHCP Attack using storm-control in switch port.

But before we enable storm-control on a switch port, we need to identify the normal traffic pattern and traffic rate on every switch port and compare the normal traffic with the attacker machine's traffic.

According to the attacker machine capture, the traffic rate is 35000 pps during the broadcast DHCP Discover flood. Let the normal traffic rate be 100 to 10000 pps.

Now we will apply storm-control on the switch ports.
I. Open the Cisco Switch terminal.
II. Enter global configuration mode, followed by interface configuration mode.
III. First enable storm-control for broadcast messages and limit the pps value to 30000.
IV. Then select the storm-control violation action as shutting down the port.

Switch> en
Switch# conf t
Switch(config)# interface range f0/1 - 24
Switch(config-if-range)# storm-control broadcast level pps 30000
Switch(config-if-range)# storm-control action shutdown


If the broadcast rate exceeds the 30000 pps limit on any of the switch ports, that port is immediately shut down and the attack cannot pass through the switch. This is the most cost-effective solution.
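To make the threshold choice above concrete, here is an added example (written for this edit, not code from the thesis or from Cisco IOS) that models what storm-control does on each port: count broadcast frames per one-second window, compare the peak against the configured limit, and err-disable the port when it is exceeded. The port names, the per-port packet records and the baseline peaks are constructed; the 30000 pps limit and the 35000 pps attack rate come from the section above.

```python
"""Storm-control style broadcast rate limiter, modelled after the switch
configuration in this section.  Added illustration, not part of the thesis
or of Cisco IOS; packet records and baseline numbers are constructed."""
from collections import defaultdict

NORMAL_PPS_MAX = 10000        # assumed normal range in the thesis: 100-10000 pps
STORM_LIMIT_PPS = 30000       # storm-control broadcast level pps 30000


def broadcast_pps_per_port(packets):
    """packets: iterable of (port, second, is_broadcast).
    Returns {port: {second: broadcast frame count}} so that the broadcast
    rate can be inspected per one-second window, which is what storm-control
    measures.  Unicast frames are not counted, as with 'storm-control broadcast'."""
    rate = defaultdict(lambda: defaultdict(int))
    for port, second, is_broadcast in packets:
        if is_broadcast:
            rate[port][second] += 1
    return rate


def storm_control(packets, limit=STORM_LIMIT_PPS, action="shutdown"):
    """Per-port verdict: a port whose broadcast rate exceeds `limit` in any
    one-second window gets `action` (here: err-disable, as with
    'storm-control action shutdown'); every other port keeps forwarding."""
    verdict = {}
    for port, per_second in broadcast_pps_per_port(packets).items():
        peak = max(per_second.values())
        verdict[port] = action if peak > limit else "forwarding"
    return verdict


def choose_limit(baseline_peaks, headroom=3.0, attack_rate=None):
    """Pick a limit above the observed normal peaks (times a headroom factor)
    but below the measured attack rate.  Returns None when no such limit
    exists, i.e. the baseline and the attack overlap and a pps threshold
    alone cannot separate them."""
    limit = int(max(baseline_peaks) * headroom)
    if attack_rate is not None and limit >= attack_rate:
        return None
    return limit


def constructed_capture():
    """Constructed sample: f0/3 carries the attacker's 35000 pps of broadcast
    DHCP Discover; f0/1 and f0/2 carry ordinary traffic (f0/2 is busy but
    mostly unicast, which storm-control broadcast ignores)."""
    packets = []
    for sec in range(3):
        packets += [("f0/1", sec, True)] * 120
        packets += [("f0/2", sec, True)] * 8000
        packets += [("f0/2", sec, False)] * 20000
        packets += [("f0/3", sec, True)] * 35000
    return packets


if __name__ == "__main__":
    cap = constructed_capture()
    print(storm_control(cap))                               # f0/3 -> shutdown
    print(choose_limit([120, 8000], attack_rate=35000))     # 24000
```

The headroom factor is the practical point: a limit set right at the observed normal peak will err-disable a legitimate port during a burst, while one set too close to the attack rate lets a slightly slower flood through. When choose_limit returns None, rate limiting has to be combined with another control (such as DHCP snooping rate limits or the port-security settings used later in this chapter).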

3.1.2 DHCP DoS Attack using hping3

Figure 3.7: DHCP DoS Attack Diagram

hping3 is another free tool in Linux. hping3 can generate several types of attack traffic, such as ICMP flood, smurf attack, UDP flood and TCP SYN flood. It is a handy tool for taking down a service.

To design the test environment, here I have used GNS3 emulator. The devices in the emulation are 2 Cisco Routers, one attacker PC and One client PC.

I. Router      : Cisco 7200 Series
II. Attacker PC : Kali Linux PC
III. Client PC   : Windows XP PC


Procedure
I. First configure the Cisco Router as DHCP Server for the connected networks.
II. Connect the Cisco Router with the 2nd Cisco Router, where the clients are connected.
III. Configure both Cisco Routers with proper static routes.
IV. Configure an ip helper-address on every interface of the Routers to identify the DHCP Server.
V. Now make sure the connected workstations are getting an IP address from the DHCP Server.
VI. Now launch the attack from the Kali Linux PC using the hping3 command with the target address and port specified. This attack can be tuned in different ways.

Figure 3.8: hping3

Here the hping3 command specifies that this is a UDP flood attack from random source ports to the fixed destination port 67 with destination IP 10.40.40.2. Here 67 is the bootps or DHCP Server port and 10.40.40.2 is the DHCP Server IP Address.

VII. Now we check the Wireshark capture from the attacker PC:


Figure 3.9: Wireshark Capture

Here we find that the attack source is fixed with a random source port and the destination is fixed with a fixed port, where the attack ratio is 3000 pps.

VIII. Now we check whether the client gets an IP address from the DHCP Server or not.

Figure 3.10: DHCP Client


Figure 3.11: DHCP Client is not getting IP

Here the client did not get any IP address from the DHCP Server. The attacker machine exhausts the DHCP Server port with UDP unicast messages.

DHCP DoS attack Mitigation


We can mitigate the DHCP DoS attack using an extended access-list on the Gateway Router for the client machines. This solution is applicable for this scenario in a small business environment.

Access-list for DHCP DoS attack mitigation:

Router> en
Router# conf t
Router(config)# ip access-list extended 100
Router(config-ext-nacl)# permit udp any eq bootpc host 10.40.40.2 eq bootps
Router(config-ext-nacl)# deny udp any host 10.40.40.2 eq bootps
Router(config-ext-nacl)# permit ip any any

Now apply the ACL on the Router interface where the DHCP Server is connected:

Router(config)# interface fa1/1
Router(config-if)# ip access-group 100 out

Access-list 100 above states that UDP traffic for valid DHCP requests (source port bootpc) to the DHCP server will be accepted. The next line denies UDP traffic from any other source to the DHCP server's bootps port. Finally, all other traffic is accepted. This ACL should be applied on the Router interface where the DHCP Server is connected.
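Because an IOS ACL is evaluated top to bottom and the first matching line wins, the order of these three lines is what makes the mitigation work. The following added example (not the thesis' own code and not Cisco IOS; the client addresses and flood packets are constructed) re-implements access-list 100 as a first-match evaluator and runs a legitimate DHCP request, a batch of flood packets with random source ports, and an unrelated DNS packet through it.

```python
"""First-match evaluator for extended access-list 100 from this section.
Added illustration, not the thesis' own code and not Cisco IOS; sample
packets are constructed.  Port keywords follow IOS: bootps=67, bootpc=68."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import random

BOOTPS, BOOTPC = 67, 68
DHCP_SERVER = "10.40.40.2"          # DHCP server address from the lab


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "udp", "tcp" or "ip" (any protocol)
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None     # "eq <port>" on the source; None = any
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# ip access-list extended 100, line by line, in the order IOS evaluates it.
ACL_100 = [
    Rule("permit", "udp", sport=BOOTPC, dst=DHCP_SERVER + "/32", dport=BOOTPS),
    Rule("deny",   "udp", dst=DHCP_SERVER + "/32", dport=BOOTPS),
    Rule("permit", "ip"),
]


def evaluate(acl, pkt):
    """Action of the first matching line; an IOS ACL ends with an implicit
    'deny ip any any', reproduced here."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def legitimate_dhcp_request(client_ip="10.40.50.10"):
    """A client request: source port 68 to the server's port 67 (constructed)."""
    return Packet("udp", client_ip, DHCP_SERVER, BOOTPC, BOOTPS)


def flood_packets(n, seed=1):
    """Constructed stand-in for the traffic seen in the capture: fixed source,
    random ephemeral source port, fixed destination 10.40.40.2:67."""
    rng = random.Random(seed)
    return [Packet("udp", "10.40.50.99", DHCP_SERVER, rng.randint(1024, 65535), BOOTPS)
            for _ in range(n)]


def verdict_counts(acl, packets):
    counts = {"permit": 0, "deny": 0}
    for p in packets:
        counts[evaluate(acl, p)] += 1
    return counts


if __name__ == "__main__":
    print(evaluate(ACL_100, legitimate_dhcp_request()))                           # permit
    print(verdict_counts(ACL_100, flood_packets(1000)))                            # all denied
    print(evaluate(ACL_100, Packet("udp", "10.40.50.10", "8.8.8.8", 5353, 53)))   # permit
```

Swapping the first two lines would deny every DHCP request, including the legitimate ones, which is the usual mistake with this pattern. Note also that the ACL admits packets on the strength of the source port alone, so it complements the rate-based controls used elsewhere in this chapter rather than replacing them.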

3.1.3 CDP Attack using Yersinia

Figure 3.12: CDP Attack Diagram

We have already talked about Yersinia in our first attack. The CDP Attack is limited to Cisco devices. CDP (Cisco Discovery Protocol) is a useful Cisco protocol for learning about other directly connected devices.


Procedure
Attack Type      : CDP Table Flood
Tools Used       : Yersinia
Yersinia Command : yersinia -G

1. Launch Yersinia from the Linux CLI.
2. Select the proper interfaces for the attack.
3. Click on Launch Attack.
4. Select CDP from the tab.
5. Select flooding CDP Table using the radio button.
6. Press OK and the attack will begin to flood the CDP Table.

Screenshots

Figure 3.13: Yersinia


Figure 3.14: Yersinia Interface Choose

Figure 3.15: Yersinia Attack

Figure 3.16: Yersinia CDP Attack Launch

Figure 3.17: Yersinia during attack


The packet capture from the attacker machine shows that the attack comes with random IP and random MAC addresses. In the victim router's CDP table, we find that the table is flooded with fake information, so no valuable information can be found there any more.

Figure 3.18: Wireshark Packet Capture

Attack Ratio, PPS : 3150
Attack Behavior   : Random MAC
Attack Result     : CDP Table Flood of connected Cisco device.

CDP Attack Mitigation


Mitigation Type : Disable CDP on client interfaces, where no other Cisco device is connected, and enable storm-control on the switch port.

CDP disable command:

interface fa1/1
 no cdp enable
 storm-control broadcast level pps 3000
 storm-control action shutdown

Result: The switch port will not learn any CDP advertisement, and if the pps value exceeds the limit of 3000, the switch port will be shut down.

3.1.4 MAC Address Table flood using macof

Figure 3.19: MAC Address Flood Attack Diagram

Macof is a member of the Dsniff suite and is mainly used to flood a switch on a local network with MAC addresses. The reason this works is that the switch regulates the flow of data between its ports. It actively monitors (caches) the MAC address seen on each port, which lets it pass data only to its intended target. This is the main difference between a switch and a passive hub. A passive hub has no mapping, and thus broadcasts line data to every port on the device. The data is typically rejected by all network cards except the one it was intended for. However, in a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through the hubbed network. While this is nice for an attacker, most networks use switches, which inherently restrict this activity.

Dsniff's macof generates random MAC addresses, exhausting the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches then revert to acting like a hub.

The following question then arises: what happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this will cause the switch to go into a fail-safe mode, in which it basically turns into a hub. In other words, by overloading the switch, an attacker could gain access to all the data passing through the switch. One tool for doing this is called macof. To use macof, you will need to install the dsniff suite.

The macof attack is used to flood the MAC address table.

Attacker : Kali Linux Virtual Machine
Victim   : Cisco Layer 3 Switch

Procedure
I. We can launch the attack using macof command with switch -i for interface selection.

Figure 3.20: macof attack

II. Here we can see that the attack has been generated from different spoofed MAC addresses with a broadcast destination.

Figure 3.21: Macof flood

III. If we look at the Cisco Router MAC address-table:

Figure 3.22: Show Mac-Address Table

IV. We can see that the MAC address-table is already flooded with MAC addresses. As a result the switch CAM table will be overloaded and after a certain time the switch will act like a hub in the network.

Figure 3.23: Show Mac-Address Table

MAC address-table flood Mitigation


The packet capture from the attacker machine shows that the attack ratio is random, meaning the source and destination are random. As a result, the switch MAC address-table is flooded with random MAC addresses. As a mitigation technique, we can use port security on the switch port to allow only a limited number of MAC addresses, and we can bind the MAC addresses to the switch port.

We can also use storm-control in switch port to mitigate the attack.


Port-security command:

interface fa1/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 storm-control broadcast level pps 500
 storm-control action shutdown
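The following is an added example (written for this edit, not code from the thesis or from any switch firmware) that simulates a switch's MAC address table with and without the port-security settings above: a flood of frames from random source MACs fills the unprotected table, while a port limited to 2 sticky addresses err-disables on the third MAC and the table stays intact. The CAM capacity, port name and number of flood frames are constructed values.

```python
"""Simulation of a switch MAC address table under a MAC flood, with and
without port-security.  Added illustration, not part of the thesis or of
any switch firmware; MAC addresses and table size are constructed."""
import random


class Switch:
    def __init__(self, cam_capacity=8192, port_security=None):
        """port_security: {port: max_macs} for ports configured with
        'switchport port-security maximum N' (sticky); None disables it."""
        self.cam_capacity = cam_capacity
        self.cam = {}                   # mac -> port
        self.port_security = port_security or {}
        self.sticky = {}                # port -> set of sticky-learned MACs
        self.err_disabled = set()
        self.violations = {}

    def learn(self, port, src_mac):
        """Process one frame's source MAC on `port`; returns the action taken."""
        if port in self.err_disabled:
            return "dropped"            # port was shut down by a violation
        if src_mac in self.cam:
            return "known"
        limit = self.port_security.get(port)
        if limit is not None:
            learned = self.sticky.setdefault(port, set())
            if len(learned) >= limit:
                # default port-security violation mode: shutdown (err-disable)
                self.err_disabled.add(port)
                self.violations[port] = self.violations.get(port, 0) + 1
                return "violation"
            learned.add(src_mac)        # 'mac-address sticky' keeps it
        if len(self.cam) >= self.cam_capacity:
            return "table_full"         # a real switch now floods unknown unicast
        self.cam[src_mac] = port
        return "learned"

    def table_full(self):
        return len(self.cam) >= self.cam_capacity


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof_flood(switch, port, frames=20000, seed=7):
    """Constructed stand-in for the flood: one frame per random source MAC.
    Returns a histogram of the switch's actions."""
    rng = random.Random(seed)
    outcomes = {}
    for _ in range(frames):
        action = switch.learn(port, random_mac(rng))
        outcomes[action] = outcomes.get(action, 0) + 1
    return outcomes


def compare(frames=20000):
    """Run the same flood against an unprotected port and a port with
    'port-security maximum 2 ... mac-address sticky'."""
    plain = Switch(cam_capacity=8192)
    plain_result = macof_flood(plain, "fa1/1", frames)
    secured = Switch(cam_capacity=8192, port_security={"fa1/1": 2})
    secured_result = macof_flood(secured, "fa1/1", frames)
    return {
        "plain": plain_result, "plain_table_full": plain.table_full(),
        "secured": secured_result, "secured_err_disabled": "fa1/1" in secured.err_disabled,
        "secured_cam_size": len(secured.cam),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```

The trade-off the simulation makes visible: with the violation mode left at shutdown, one misbehaving host takes its own port down (which is the intended outcome for an attacker, but also what happens when a user plugs a small switch or a second device into a port limited to 2 addresses), so the maximum must reflect how many devices legitimately sit behind each port.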

3.1.5 WiFi jamming attack using mdk3


Wi-Fi is increasingly becoming the preferred mode of internet connection all over the world. To access this type of connection, one must have a wireless adapter in their computer. Wi-Fi provides wireless connectivity by emitting frequencies between 2.4 GHz and 5 GHz based on the amount of data on the network. Areas with Wi-Fi connectivity are known as hot spots. One can use software such as WirelessMon to detect and request a connection to hot spots. To start a wireless connection, the wireless router must be plugged into the internet connection and all the required settings must be properly configured.

Wi-Fi works with no physical wired connection between sender and receiver by using radio frequency (RF) technology, a frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that then is able to propagate through space. The cornerstone of any wireless network is an access point (AP). The primary job of an access point is to broadcast a wireless signal that computers can detect and "tune" into. In order to connect to an access point and join a wireless network, computers and devices must be equipped with wireless network adapters.


Procedure
- First, using the iwlist command, search for available wireless networks: iwlist wlan0 scan
  Then echo the available wireless network BSSID to a blacklist file and note down the channel number.
- Then start a monitor interface using airmon-ng: airmon-ng start wlan0
  It will show the monitoring interface, as mon0 or mon1 etc.
- Then start the attack using mdk3: mdk3 mon0 d b blacklist c 11 and mdk3 mon0 a m i BSSID
  This attack will flood the Wireless AP with authentication messages and jam the wireless network.

Figure 3.24: Wireshark Capture

Attack Ratio  : 217 pps
Attack Type   : Authentication Messages from random spoofed sources.
Attack Result : Jam the WiFi BSSID with a unicast flood; other mobile stations are disconnected from the network.

WiFi jamming attack mitigation:

Mitigation Type : Disable SSID broadcast
Result          : The attacker machine will not find the ESSID, BSSID and channel for the attack.
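The capture analysis above (217 pps of authentication frames, each from a different spoofed source) is what a wireless IDS keys on. The following added example (not the thesis' own code) shows the detection side: it groups 802.11 authentication frames per BSSID and one-second window and raises an alert when both the frame rate and the number of distinct source MACs exceed what a handful of real clients would produce. The frame records, the BSSID and the thresholds are constructed for the example; the 217 pps figure comes from the section above.

```python
"""Detector for an 802.11 authentication flood of the kind captured above.
Added illustration, not the thesis' own code; the frames are constructed
records (timestamp, management subtype, source MAC, BSSID), not a capture."""
from collections import defaultdict
import random

AUTH_SUBTYPE = 0x0b         # 802.11 management frame subtype: Authentication


def auth_frame_stats(frames):
    """frames: iterable of dicts with 'ts' (seconds), 'subtype', 'src', 'bssid'.
    Returns {bssid: {second: (auth_frame_count, distinct_sources)}}."""
    per_bssid = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in frames:
        if f["subtype"] != AUTH_SUBTYPE:
            continue                                  # only authentication frames
        bucket = per_bssid[f["bssid"]][int(f["ts"])]
        bucket[0] += 1
        bucket[1].add(f["src"])
    return {b: {s: (c, len(srcs)) for s, (c, srcs) in secs.items()}
            for b, secs in per_bssid.items()}


def detect_auth_flood(frames, max_rate=20, max_sources=10):
    """Flag (bssid, second, count, distinct) whenever, in one second, more
    than `max_rate` authentication frames arrive from more than `max_sources`
    distinct MACs.  Both conditions are required: a busy AP may see many
    frames from a few clients, a flood shows many frames from many 'clients'.
    Thresholds are assumed values, to be tuned from the site's baseline."""
    alerts = []
    for bssid, secs in auth_frame_stats(frames).items():
        for sec, (count, distinct) in sorted(secs.items()):
            if count > max_rate and distinct > max_sources:
                alerts.append((bssid, sec, count, distinct))
    return alerts


def constructed_frames(seed=3):
    """Two quiet seconds with four real clients, then two seconds carrying
    217 authentication frames each from random source MACs (constructed)."""
    rng = random.Random(seed)
    ap = "00:11:22:33:44:55"                           # constructed BSSID
    frames = []
    clients = ["aa:bb:cc:00:00:%02x" % i for i in range(4)]
    for sec in (0, 1):
        for c in clients:
            frames.append({"ts": sec + rng.random(), "subtype": AUTH_SUBTYPE,
                           "src": c, "bssid": ap})
    for sec in (2, 3):
        for _ in range(217):
            src = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
            frames.append({"ts": sec + rng.random(), "subtype": AUTH_SUBTYPE,
                           "src": src, "bssid": ap})
    return frames


if __name__ == "__main__":
    for alert in detect_auth_flood(constructed_frames()):
        print("auth flood on %s at t=%ds: %d frames from %d sources" % alert)
```

Counting distinct sources rather than frames alone is what separates this flood from a legitimate burst such as many clients reconnecting after an AP reboot, where the frame count is high but the set of MACs is the known client population.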



Chapter 4

Conclusion


4.1 Conclusion
The main purpose of this thesis is to analyze various DoS/DDoS attacks and find effective solutions to mitigate the damage of those attacks. During this thesis work, we tried to achieve that goal. The working area of this topic is so vast that we could cover only some portions of it within the limited timeline. There were also some limitations we faced during our thesis work.

First of all, the availability of a proper lab environment and lab equipment. A proper lab environment was a crucial part of this thesis work. Without one, we faced packet loss, command-line limitations on devices, device support limitations, etc. Also, for some parts of this thesis we needed to generate more data traffic to analyze and gather data in order to find effective solutions, but because of device limitations we could not generate enough traffic. To overcome the limitations of the available devices, most of the thesis work was done with virtual software or emulators such as GNS3 and VirtualBox. Some solutions for the DoS/DDoS attacks were applied only to a small networking environment, which is another limitation of this thesis work. So, in future, we will try to analyze more DoS/DDoS attacks and their effects on wide-area networking systems so that we can overcome the small networking environment limitations.

Here are some future plans for this thesis work:

1. Narrow down the topic to a specific attack.
2. Gather more data on that attack.
3. Analyze current solutions.
4. Design a test network.
5. Configure a vulnerable system.
6. Manage a high-power attacker machine.
7. Collect real-time data.
8. Analyze real-time data.
9. Create effective programs or scripts for DoS/DDoS attack mitigation.
10. Configure a honeypot server to detect DoS/DDoS attacks, traffic analysis etc.
11. Script creation: DoS attack mitigation, honeypot server, gateway, Snort detection etc.
12. DDoS attack: vast work limitation.
13. Proper lab environment limited: packet loss.
14. Traffic generation limitation.


4.2 Bibliography
[1] Denial-of-service attack. en.wikipedia.org. Wikipedia. 23 Jun. 2006. Accessed 25 Mar. 2013. <http://en.wikipedia.org/w/index.php?title=Denial-of-service_attack&dir=prev&limit=500&action=history>
[2] Janssen, Cory. Distributed Denial of Service (DDoS). www.techopedia.com. Accessed 25 Mar. 2013. <http://www.techopedia.com/definition/10261/distributed-denial-of-service-ddos>
[3] Distributed Denial of Service Attacks. www.incapsula.com. 14 Jun. 2011. Accessed 25 Mar. 2013. <http://www.incapsula.com/ddos/ddos-attacks>
[4] UDP Flood Attack. en.wikipedia.org. Wikipedia. 16 Nov. 2011. Accessed 1 Apr. 2013. <http://en.wikipedia.org/wiki/UDP_flood_attack>
[5] ICMP Flood Attack explained. www.ddosprotection.net. DDoS Methods. 21 Mar. 2013. Accessed 2 Jan. 2014. <http://www.ddosprotection.net/icmp-flood-attack-explained/>
[6] Protocol Attacks. www.incapsula.com. 14 Jun. 2011. Accessed Jan. 2014. <http://www.incapsula.com/ddos/ddos-attacks/denial-of-service>
[7] SYN Flood. en.wikipedia.org. Wikipedia. 26 Jan. 2007. Accessed 2 Jan. 2014. <http://en.wikipedia.org/wiki/SYN_flood>
[8] Ping of death. searchsecurity.techtarget.com. TechTarget. May 2006. Accessed 3 Jan. 2014. <http://searchsecurity.techtarget.com/definition/ping-of-death>
[9] Sachdeva, Monika, Singh, Gurvinder and Kumar, Krishnan. Deployment of Distributed Defense against DDoS Attacks in ISP Domain. International Journal of Computer Applications (0975-8887), Volume 15, No. 2, February 2011.
[10] Fu, Zhang. Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation. Division of Networks and Systems, Department of Computer Science and Engineering, Chalmers University of Technology, Gothenburg, Sweden, 2012.
[11] Architecture of DDoS Attack. <http://4.bp.blogspot.com/_d_KhITjA_gA/TP2hyWRnYaI/AAAAAAAABxA/C_9Q4mAgr2w/s1600/ddos_attack.gif>
[12] Weiler, Nathalie. Honeypots for Distributed Denial of Service Attacks. Computer Engineering and Networks Laboratory (TIK), 2002.
[13] Lin, Dong. Network Intrusion Detection and Mitigation against Denial of Service Attack. Department of Computer and Information Science, University of Pennsylvania, April 15, 2013.
[14] G. Loukas and G. Oke. Protection against denial of service attacks: A survey. The Computer Journal, 2009.

