CHAPTER 2. BACKGROUND AND RELATED WORK
A DoS/DDoS attack aims to prevent legitimate users from accessing a network resource or service. Such attacks have been classified into network-level and application-level attacks [2]. Network-level DDoS attacks operate from the data link layer up to the transport layer of the OSI model, while application-level DDoS attacks exploit vulnerabilities in the upper layers. Network-level attacks consume network resources such as link bandwidth, while application-level attacks consume server resources such as CPU, memory and application workers.
Network-level attacks
Network-level DDoS attacks exhaust network resources. They have been further classified into four subclasses: flooding attacks, protocol exploitation flooding attacks, reflection-based flooding attacks and amplification-based flooding attacks.
• Flooding attacks: these attacks disrupt legitimate users' connectivity by exhausting the victim's network resources; examples are the Internet Control Message Protocol (ICMP) flood, the Domain Name System (DNS) flood and the User Datagram Protocol (UDP) flood. ICMP [10] is the protocol used to report errors and check connectivity in IP networks, and every IP module must implement it; the ping command available in every Operating System (OS) is its most familiar use. When an abnormally large number of ICMP echo requests arrive at a host, the host can be overwhelmed by receiving and answering them; this is called an ICMP flood or ping flood. UDP and DNS flooding attacks work the same way but with a different protocol: the victim is swamped with datagrams or queries it has to receive and process.
• Protocol exploitation flooding attacks: the attacker exploits specific protocol features or implementation bugs and sends malformed or incomplete packets to confuse the victim's system. TCP SYN and TCP SYN/ACK floods are the most common attacks of this kind. Some examples follow.
– Ping of death (PoD): the IP specification [8] limits a datagram to 65,535 bytes. In a PoD attack [11] the attacker sends fragments whose offsets and lengths reassemble into a datagram larger than this limit, overflowing the reassembly buffer and crashing or hanging the victim. This vulnerability has been patched in modern OSs.
– Teardrop [11]: the attacker sends a datagram split into IP fragments whose offset fields overlap, so that one fragment claims to start inside the previous one. A vulnerable reassembly routine miscomputes the length to copy and crashes the victim's machine. Modern OSs and network devices reject overlapping fragments, so teardrop no longer affects them. Figure 2.1 illustrates the attack.
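The two fragment attacks above fail against the same defensive step: validating the whole fragment set before any byte is copied into a reassembly buffer. The following added example (not part of the original chapter, and not any OS's reassembly code) models that step in Python; the fragments, sizes and the 20-byte header assumption are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constants from RFC 791; a minimal 20-byte header is assumed for every fragment.
IP_HEADER_LEN = 20
MAX_TOTAL_LENGTH = 65535                        # the Total Length field is 16 bits
MAX_PAYLOAD = MAX_TOTAL_LENGTH - IP_HEADER_LEN  # 65,515 bytes of reassembled payload


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as a reassembly routine sees it."""
    offset: int      # Fragment Offset field converted to bytes (field value * 8)
    payload: bytes   # fragment data after the IP header
    more: bool       # More Fragments (MF) flag


def check_fragments(frags: List[Fragment]) -> str:
    """Classify a fragment set before any byte is copied into a reassembly buffer.

    Returns "ok", "oversized" (Ping of Death: the datagram would exceed 65,535
    bytes), "overlap" (Teardrop: a fragment starts inside the previous one),
    "incomplete" (a gap, a missing last fragment, or data after the last one) or
    "malformed" (an offset that is not a multiple of 8).
    """
    if not frags:
        return "incomplete"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_next = 0
    for i, frag in enumerate(ordered):
        if frag.offset % 8 != 0:
            return "malformed"
        if frag.offset < expected_next:
            return "overlap"
        if frag.offset > expected_next:
            return "incomplete"
        expected_next = frag.offset + len(frag.payload)
        if expected_next > MAX_PAYLOAD:
            return "oversized"
        is_last = i == len(ordered) - 1
        if frag.more == is_last:   # MF set on the last fragment, or clear on a middle one
            return "incomplete"
    return "ok"


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Join the payloads only if check_fragments() accepted the set."""
    if check_fragments(frags) != "ok":
        return None
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))


def fragment(payload: bytes, chunk: int = 1480) -> List[Fragment]:
    """Split a payload the way a sender would (1480 = 1500-byte MTU minus header)."""
    assert chunk % 8 == 0
    return [Fragment(off, payload[off:off + chunk], more=off + chunk < len(payload))
            for off in range(0, len(payload), chunk)]


# Constructed samples, not captured traffic.
NORMAL = fragment(b"A" * 4000)          # an ordinary fragmented ping payload
PING_OF_DEATH = fragment(b"B" * 65600)  # would reassemble to more than 65,535 bytes
TEARDROP = [                            # second fragment claims to start inside the first
    Fragment(0, b"C" * 1480, more=True),
    Fragment(1000, b"C" * 1480, more=False),
]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)]:
        print(f"{name:14s} -> {check_fragments(frags)}")
```

The check runs on the whole set so the logic stays readable; a real kernel applies the same offset, overlap and total-length tests to each fragment as it arrives, so a hostile fragment is discarded without ever waiting for the rest of the datagram.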
Figure 2.1: Teardrop attack (the attacker sends a large IP packet as fragments 1 to n whose offsets overlap; the victim fails while reassembling them)
– TCP SYN flood: TCP is a connection-oriented protocol, and a TCP session starts with a three-way handshake. First, the client sends a connection request carrying the synchronisation (SYN) flag to the server. The server acknowledges it with a SYN/ACK segment and keeps the half-open connection in its listen backlog. Finally, the client answers with an ACK and the connection is established. Figure 2.2(a) shows the three-way handshake step by step. The attacker abuses the handshake by sending a large number of SYN segments and never sending the final ACK. The server holds a backlog entry for each half-open connection until it times out; once the backlog is full, new SYNs from legitimate users are dropped and they cannot connect. The SYN segments are usually sent with spoofed source addresses, so the SYN/ACKs go to hosts that never reply and the attacker cannot be traced. Figure 2.2(b) illustrates the attack. Mitigations such as SYN cookies avoid storing state for half-open connections by encoding it in the sequence number of the SYN/ACK.
Figure 2.2: SYN Flood attack. (a) Normal three-way handshake between User and Server: SYN, SYN/ACK, ACK, handshake completed. (b) SYN flood: the Attacker sends SYN after SYN to the Victim, which answers each with a SYN/ACK and never receives the ACK.
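To make the backlog exhaustion concrete, the following added example (written for this chapter, not the code of any TCP stack) simulates a listener that keeps a half-open slot per SYN next to a listener that uses SYN cookies. Both are toy models: the tick-based clock, the 128-entry backlog, the fixed ISN, the 64-second cookie window and the HMAC-SHA256 cookie are simplifications chosen here, not the exact scheme of a real kernel (Linux, for instance, also encodes the MSS in the cookie).

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

Peer = Tuple[str, int]   # (source IP, source port) of the connecting host


class BacklogListener:
    """Stateful listener: every SYN reserves a half-open slot until the ACK or a timeout."""

    def __init__(self, backlog: int = 128, syn_timeout: int = 60) -> None:
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open: Dict[Peer, int] = {}   # peer -> tick at which the slot expires
        self.dropped_syns = 0
        self.established = 0

    def _expire(self, now: int) -> None:
        self.half_open = {p: t for p, t in self.half_open.items() if t > now}

    def on_syn(self, peer: Peer, now: int) -> Optional[int]:
        """Return the ISN we would put in SYN/ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        if peer not in self.half_open:
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1        # backlog full: this is the denial of service
                return None
            self.half_open[peer] = now + self.syn_timeout
        return 1000                           # fixed toy ISN; the slot itself is the state

    def on_ack(self, peer: Peer, ack: int, now: int) -> bool:
        self._expire(now)
        if self.half_open.pop(peer, None) is None:
            return False                      # no half-open connection for this peer
        self.established += 1
        return True


class SynCookieListener:
    """Stateless listener: the SYN/ACK sequence number is a MAC over peer and time window."""

    WINDOW = 64   # seconds per cookie window; the current and previous window are accepted

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.established = 0

    def _cookie(self, peer: Peer, window: int) -> int:
        msg = f"{peer[0]}:{peer[1]}:{window}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, peer: Peer, now: int) -> int:
        return self._cookie(peer, now // self.WINDOW)   # nothing is stored per SYN

    def on_ack(self, peer: Peer, ack: int, now: int) -> bool:
        window = now // self.WINDOW
        if ack - 1 in (self._cookie(peer, window), self._cookie(peer, window - 1)):
            self.established += 1             # a valid cookie proves the peer saw our SYN/ACK
            return True
        return False


def simulate(listener, spoofed_syns: int = 1000, legit_at: int = 1) -> bool:
    """Flood with spoofed SYNs that never ACK, then attempt one legitimate handshake."""
    for i in range(spoofed_syns):
        spoofed: Peer = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 20000)
        listener.on_syn(spoofed, now=0)       # SYN/ACK goes to a host that never answers
    user: Peer = ("192.0.2.10", 51515)
    isn = listener.on_syn(user, now=legit_at)
    if isn is None:
        return False                          # SYN dropped: the user cannot connect
    return listener.on_ack(user, isn + 1, now=legit_at)


if __name__ == "__main__":
    print("backlog listener under flood :", simulate(BacklogListener()))
    print("backlog listener after timeout:", simulate(BacklogListener(), legit_at=61))
    print("SYN-cookie listener under flood:", simulate(SynCookieListener(b"constructed-secret")))
```

The stateful listener recovers only when the spoofed entries time out, which is exactly the window an attacker keeps refilling; the cookie listener accepts the legitimate ACK immediately because it never allocated anything for the spoofed SYNs.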
• Reflection-based flooding attacks: instead of attacking the victim directly, the attacker sends spoofed packets to third-party hosts (reflectors) whose responses are sent to the victim and flood it; the Smurf and Fraggle attacks are examples. In every reflection attack the source address of the attacking packets is spoofed to the victim's address, so reflection is only possible from networks that do not filter spoofed source addresses (BCP 38 ingress filtering). In the Smurf attack [11] the attacker sends ICMP echo requests whose destination is a network's broadcast address and whose source address is the victim's. A router that forwards such directed broadcasts delivers each request to every host in the broadcast domain, and each host (exploited as a reflector) replies to the victim. As a result, the victim is flooded with echo replies. Smurf combines IP spoofing, reflection and amplification; Figure 2.3 shows how it works. It is prevented by disabling IP directed broadcasts on routers, which has been the recommended default since RFC 2644. The Fraggle attack works the same way but uses UDP (the UDP echo service) instead of ICMP.
Figure 2.3: Smurf attack. The Attacker sends ICMP echo requests with src IP = 19.10.a.b (the Victim's address, IP Addr: 19.10.a.b) and Dst IP = 19.10.255.255 (the Broadcast Domain); every host 19.10.x.y in the domain sends an ICMP reply with src IP = 19.10.x.y, Dst IP = 19.10.a.b to the Victim.
• Amplification-based flooding attacks: the attacker exploits services that respond to a small request with a large message, or with several messages, to multiply the traffic directed at the victim. Reflection and amplification are normally used together, and both are usually launched from a botnet: a group of computers that the attacker has compromised with malware and controls remotely. Smurf is also an example of amplification: one spoofed ICMP echo request sent to a broadcast address can make every host in the broadcast domain reply to the victim, so the response traffic is many times larger than the request. The ratio of the size of the response traffic to the size of the request that triggered it is called the amplification factor (e.g., a 64-byte query answered with a 3,200-byte response has an amplification factor of 50).
Application-level attacks
Application-level attacks exhaust server resources or exploit vulnerabilities in application protocols and application code. The attacker often abuses connectionless, UDP-based protocols such as DNS and the Network Time Protocol (NTP), because their requests can be sent with a spoofed source address. A DDoS attack that uses the reflection technique is also called a Distributed Reflection DoS (DRDoS). The attacker often launches a DDoS attack from a botnet, which makes mitigation harder because the traffic arrives from many legitimate-looking sources at once.
• DNS amplification attack [2]: DNS is the network name service that resolves a domain name to an IP address and vice versa. A DNS query can be as small as 64 bytes, but the response is much bigger: it may carry the records of the queried domain, its child domains and their services. The attacker exploits this asymmetry by sending queries, with the source address spoofed to the victim's address, to open resolvers (DNS servers that answer recursive queries from any client), typically requesting record types that produce large responses. The resolvers send their large responses to the victim, which is flooded. DNS amplification has been studied before [12]. The largest DNS amplification attack at the time, against Spamhaus, had an amplification factor of up to 200x and reached 300 Gbps [12] [13]. The attack can be mitigated by not operating open resolvers, i.e., restricting recursive queries to the server's own clients, and by rate limiting responses on authoritative servers.
• NTP amplification attack: NTP is a UDP-based protocol for clock synchronisation. NTP servers originally supported a monlist command intended for monitoring: on receiving it, the server returns the addresses of up to the last 600 clients that contacted it. The response is up to 206 times larger than the request [14]. To attack, the attacker sends monlist requests, with the source address forged to the victim's address, to NTP servers that still support the command, and the victim is flooded with the large responses. At the time, the largest DDoS attack on record was an NTP amplification attack that reached 400 Gbps in 2014 [5] [14]. NTP amplification is avoided by refusing monlist on publicly reachable NTP servers (the "disable monitor" directive in ntp.conf, or upgrading to ntpd 4.2.7p26 or later, where the command is disabled by default).
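The amplification factor defined above, and the DNS and NTP attacks just described, can both be read off flow records, from the reflector's side (who is asking with a small request and receiving a huge answer?) and from the victim's side (who is receiving service responses nobody here requested?). The following added example (written for this chapter, not a tool from the cited works) implements both views in Python over constructed NetFlow-like records; the addresses, ports, byte counts and the 10-reflector threshold are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# UDP services named in this chapter that answer a small request with a large
# response; the key is the service port on the reflector.
SERVICE_PORTS = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow-like), constructed for the example."""
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def amplification_by_client(flows: Iterable[Flow]) -> Dict[Tuple[str, str], float]:
    """Reflector-side view: bytes sent back to each client divided by the bytes it asked with.

    On an open resolver or NTP server the spoofed requests appear to come from the
    victim, so a client with a very high factor and a high volume is the address being
    reflected onto, not a heavy but legitimate user.
    """
    requested: Dict[Tuple[str, str], int] = defaultdict(int)
    answered: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.dport in SERVICE_PORTS:           # request towards the service
            requested[(SERVICE_PORTS[f.dport], f.src)] += f.nbytes
        elif f.sport in SERVICE_PORTS:         # response from the service
            answered[(SERVICE_PORTS[f.sport], f.dst)] += f.nbytes
    return {key: answered[key] / requested[key] for key in requested if key in answered}


def unsolicited_responses(flows: Iterable[Flow], local_net: str,
                          min_reflectors: int = 10) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Victim-side view: service responses into local_net that no local host requested.

    Returns {(victim, service): (distinct reflectors, bytes received)} for every
    local host answered by at least min_reflectors distinct servers it never queried.
    """
    net = ipaddress.ip_network(local_net)
    flows = list(flows)
    asked = {(f.src, f.dport) for f in flows
             if f.dport in SERVICE_PORTS and ipaddress.ip_address(f.src) in net}
    reflectors: Dict[Tuple[str, str], set] = defaultdict(set)
    volume: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.sport not in SERVICE_PORTS or ipaddress.ip_address(f.dst) not in net:
            continue
        if (f.dst, f.sport) in asked:
            continue                           # a local resolver or NTP client really asked
        key = (f.dst, SERVICE_PORTS[f.sport])
        reflectors[key].add(f.src)
        volume[key] += f.nbytes
    return {k: (len(v), volume[k]) for k, v in reflectors.items() if len(v) >= min_reflectors}


VICTIM = "203.0.113.7"

# Constructed: seen at an open resolver (reflector side). Five 64-byte queries that
# claim to come from the victim, each answered with 3,500 bytes, next to an ordinary
# client whose 64-byte query gets a 200-byte answer.
REFLECTOR_SIDE = (
    [Flow(VICTIM, 40000 + i, "198.51.100.1", 53, 64) for i in range(5)]
    + [Flow("198.51.100.1", 53, VICTIM, 40000 + i, 3500) for i in range(5)]
    + [Flow("192.0.2.9", 5353, "198.51.100.1", 53, 64),
       Flow("198.51.100.1", 53, "192.0.2.9", 5353, 200)]
)

# Constructed: seen at the victim's border (victim side). 20 resolvers and 15 NTP
# servers answer the victim, which never asked; one local host does its own lookup.
VICTIM_SIDE = (
    [Flow(f"198.51.100.{i}", 53, VICTIM, 40000 + i, 3500) for i in range(1, 21)]
    + [Flow(f"198.51.100.{100 + i}", 123, VICTIM, 40000 + i, 48000) for i in range(1, 16)]
    + [Flow("203.0.113.20", 55000, "192.0.2.53", 53, 64),
       Flow("192.0.2.53", 53, "203.0.113.20", 55000, 200)]
)

if __name__ == "__main__":
    for (service, client), factor in sorted(amplification_by_client(REFLECTOR_SIDE).items()):
        print(f"reflector side: {service} client {client:15s} amplification {factor:6.2f}x")
    for (host, service), (n, nbytes) in sorted(unsolicited_responses(VICTIM_SIDE, "203.0.113.0/24").items()):
        print(f"victim side:    {host} received {nbytes} unsolicited {service} bytes from {n} reflectors")
```

The reflector-side factor is what an operator of a resolver or NTP server can act on (rate limiting, closing recursion, disabling monlist); the victim-side count of distinct reflectors is what distinguishes a reflection flood from a single misbehaving server, and is the signal a border filter or upstream scrubbing request would be based on.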