Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques
Kamrul Shaker
Master of Science in Computer Science
Department of Computer Science
Faculty of Science & Information Technology
American International University-Bangladesh (AIUB)
January 2014
Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques
Kamrul Shaker (12-95364-1)
A thesis submitted in partial fulfillment of the requirements for the
Degree of
Master of Science in Computer Science
Department of Computer Science
Faculty of Science & Information Technology
American International University-Bangladesh (AIUB)
January 2014
Declaration
I declare that this thesis is my original work and has not been submitted in any form for another
degree or diploma at any university or other institute of tertiary education. Information derived from
the published and unpublished work of others has been acknowledged in the text and a list of
references is given.
I declare that this thesis does not contain any content that discloses the secrets of any organization or
related parties. American International University-Bangladesh (AIUB) will not be held liable for any
such activities, as the thesis is presented solely as my original work.
--------------------------------------
Kamrul Shaker
12-95364-1
APPROVAL
The thesis titled "Analyzing DoS and DDoS Attacks to Identify Effective Mitigation Techniques" has been submitted to the following respected members of the board of examiners of the Department of Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Computer Science on 6th January 2014 by Kamrul Shaker (ID: 12-95364-1) and has been accepted as satisfactory.

------------------------------------------------------
Md. Manirul Islam
Supervisor
Assistant Professor, Department of Computer Science, AIUB

------------------------------------------------------
Dr. Tabin Hasan
External
Assistant Professor, Department of Computer Science, AIUB

------------------------------------------------------
Dr. Dip Nandi
Assistant Professor and Head (Graduate Program), Department of Computer Science, AIUB

------------------------------------------------------
Prof. Dr. Tafazzal Hossain
Vice President Academic Affairs & Dean (in-charge), Faculty of Science & Information Technology, AIUB

------------------------------------------------------
Dr. Carmen Z. Lamagna
Vice Chancellor, AIUB
ACKNOWLEDGEMENT
I would like to express my appreciation to my supervisor Md. Manirul Islam, Assistant Professor,
Department of Computer Science, AIUB, and to Dr. Dip Nandi, Assistant Professor, Department of
Computer Science, AIUB. Thanks for giving me the opportunity to be part of this research. Once again,
special thanks to Md. Manirul Islam, whose continuous guidance, encouragement, invaluable
suggestions, untiring co-operation and amicable behaviour helped me a lot to complete and publish
the report successfully.
I am grateful for access to the AIUB Cisco Lab, which allowed me to use Cisco devices for technical
work and analysis. Moreover, I would like to acknowledge all of my respondents who answered my
queries.
The author would like to express his gratitude to all the teachers of the Department of Computer Science
and all officials of the American International University-Bangladesh, and also to his classmates, for their
encouragement and co-operation.
Kamrul Shaker
12-95364-1
ABSTRACT
In this thesis I analyze DoS and DDoS attacks in order to identify effective mitigation techniques.
The thesis presents an analytical model that relates DoS and DDoS attacks to a real-time network
environment. I describe different types of DoS and DDoS attack, launched at several attack rates in
different scenarios, and discuss different mitigation techniques that minimize or slow down the effect
of DoS and DDoS attacks in a real-time network environment. My findings show that the use of
firewall rules and the built-in security of network devices can be much more effective than other
commercial solutions.
TABLE OF CONTENTS
Declaration
Approval
Acknowledgement
Abstract
Chapter 1: Introduction
  1.1 Introduction
  1.2 Attacker
  1.3 Handler
  1.4 Zombie
  1.5 Victim
Chapter 2: DoS and DDoS Attacks and Tools
  2.1 DoS and DDoS Attacks
  2.2 Category of Attacks
    2.2.1 Bandwidth Attack or Volume Based Attack
      2.2.1.1 UDP Flood
      2.2.1.2 ICMP Flood
    2.2.2 Protocol Attacks
      2.2.2.1 SYN Floods
      2.2.2.2 Ping of Death
    2.2.3 Application Layer Attack
  2.3 Attack Tools
    2.3.1 Backtrack or Kali Linux
    2.3.2 Slowloris
    2.3.3 UDP Unicorn
    2.3.4 hping or hping3
    2.3.5 Yersinia
    2.3.6 Metasploit
    2.3.7 UDP War Flooder
    2.3.8 LOIC
  2.4 Detection and Mitigation Tools
    2.4.1 Wireshark
    2.4.2 Snort
    2.4.3 Backtrack or Kali Linux
    2.4.4 IPTables
    2.4.5 Firewall
    2.4.6 TCPDump
  2.5 Total Attacks Statistics
Chapter 3: Attacks, Analysis and Mitigation
  3.1 Attacks
    3.1.1 DHCP Attack Using Yersinia
    3.1.2 DHCP DoS Attack Using hping3
    3.1.3 CDP Attack Using Yersinia
    3.1.4 MAC Address Table Flood Using macof
    3.1.5 WiFi Jamming Attack Using mdk3
Chapter 4: Conclusion
  4.1 Conclusion

TABLE OF FIGURES
Figure 1.1: Sample Flow Architecture of Distributed Denial of Service
Figure 2.1: SYN Attack
Figure 2.2: Wireshark
Figure 2.3: Backtrack Linux
Figure 2.4: Kali Linux
Figure 2.5: Prolexic Attack Graph of All Time
Figure 3.1: DHCP Attack Diagram
Figure 3.2: DHCP Messages
Figure 3.3: Yersinia
Figure 3.4: Yersinia
Figure 3.5: Yersinia
Figure 3.6: Wireshark Capture from Attacker PC
Figure 3.7: DHCP DoS Attack Diagram
Figure 3.8: hping3
Figure 3.9: Wireshark Capture
Figure 3.10: DHCP Client
Figure 3.11: DHCP Client Is Not Getting an IP
Figure 3.12: CDP Attack Diagram
Figure 3.13: Yersinia
Figure 3.14: Yersinia Interface Choice
Figure 3.15: Yersinia Attack
Figure 3.16: Yersinia CDP Attack Launch
Figure 3.17: Yersinia During Attack
Figure 3.18: Wireshark Packet Capture
Figure 3.19: MAC Address Flood Attack Diagram
Figure 3.20: macof Attack
Figure 3.21: macof Flood
Figure 3.22: Show MAC-Address Table
Figure 3.23: Show MAC-Address Table
Figure 3.24: Wireshark Capture
Chapter 1
Introduction
1.1 Introduction
The topic of this paper is defense against Distributed Denial of Service attacks and analysis of
traffic patterns to prevent future attacks.
Technology is improving day by day, and people use it to communicate with each other: over
mobile networks, private networks and the Internet (chat, social networking) and so on. Financial
institutions, such as stock markets and banks, and educational institutions also depend on the Internet.
Modern life has grown dependent on Internet communication, and any means used to disrupt it
proves disastrous for social and business networks. Finding technologies to minimize denial of
service is crucial to the unfettered growth of the Internet.
Technology can be used for good, and it can also be used for bad purposes (destruction). We will
not talk about the theft of important data here; the bad purpose we are concerned with is preventing
the use of important data or services. This is what is meant by Denial of Service.
Denial of Service means an attack from a single point against a specific network or application. Here
we will not talk about single-point attacks. The attack sources can be many, sending traffic with
spoofed source addresses to a specific destination network or host. Such an attack is called
distributed, because its origins are distributed. So, finally, we call it a Distributed Denial of
Service attack.
DoS and DDoS in short:
Penetration
- The attacker gets inside your machine.
- He can take over the machine and do whatever he wants.
- He achieves entry via software flaw(s), stolen passwords or insider access.
Flooding Attack
- The attacker sends an overwhelming number of messages at your machine, causing great congestion.
- The congestion may occur in the path before your machine.
- Messages from legitimate users are crowded out.
- It usually involves a large number of machines, hence Distributed Denial of Service (DDoS) attack.
Denial of Service Attacks
- A Denial of Service (DoS) attack is an orchestrated traffic jam.
- The purpose is to shut down a site, not to penetrate it.
- The purpose may be vandalism, extortion or social action (including terrorism).
- Sports betting sites are often extorted.
- There are large numbers of attacks, few of them visible (Estonia; root servers, TLD operations).
Distributed DoS (DDoS)
- Most common DoS attacks use thousands of computers, sometimes hundreds of thousands.
- Individual computers (zombies) are penetrated and marshaled into a common force (bot armies).
- Tools are easily available.
- Bot armies are available for rent.
Effects of Attacks
- Modification of internal data; change of programs, including defacement of web sites.
- Destruction of data.
- Unauthorized disclosure.
- Denial of Service (DoS).
Some definitions of Distributed Denial of Service attack:
1. Wikipedia: "DDoS, short for Distributed Denial of Service, is a type of DoS attack where multiple
compromised systems -- which are usually infected with a Trojan -- are used to target a single system
causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted
system and all systems maliciously used and controlled by the hacker in the distributed attack."
2. http://www.techopedia.com/definition/10261/distributed-denial-of-service-ddos: "A distributed
denial-of-service (DDoS) is a type of computer attack that uses a number of hosts to overwhelm a
server, causing a website to experience a complete system crash. This type of denial-of-service attack
is perpetrated by hackers to target large-scale, far-reaching and popular websites in an effort to disable
them, either temporarily or permanently. This is often done by bombarding the targeted server with
information requests, which disables the main system and prevents it from operating. This leaves the
site's users unable to access the targeted website."
Figure 1.1: Sample Flow Architecture of Distributed Denial of Service Attack.
1.2 Attacker
The attacker is the mastermind hacker or intruder. The attacker can choose different ways to take
down the victim's systems or machines.
There are several ways to attack while staying hidden from the victim, so that the real attacker never
exposes his identity. Further in the paper, we describe the attack techniques and behaviour.
1.3 Handler
A handler is a system or machine equipped with special programs that can compromise a bunch of
machines and direct them.
1.4 Zombie
In a DoS or DDoS attack, zombies are the compromised machines that are used to attack the victim's
systems or machines and take them down.
1.5 Victim
The victim is the attacked system or machine.
Chapter 2
DoS and DDoS Attacks and Tools
2.1 DoS and DDoS Attacks
A DoS attack comes from a single source; a DDoS attack comes from a multitude of compromised
sources, usually with spoofed IP addresses. Such attacks are huge in volume and can paralyze a
running network.
In a DoS or DDoS attack, the hacker or intruder tries to find a vulnerability of a network and attacks
it. The vulnerability can be an open port or any exposed service. The attack depends on the purpose
of the attacker.
Distributed Denial of Service is a hot topic in the present world, because it can hamper online
applications such as banking, trading and e-commerce.
Many researchers have been working on this issue since before 2000. According to many
researchers, the victim of a DDoS attack can be of several types: a specific host can be targeted
through some specific service or application, or the target can be a small or big network consisting of
many hosts.
According to some research papers, attacks can be of two types: i) semantic attacks and ii) brute
force attacks. A semantic attack is initiated from a single PC or workstation. A brute force attack
compromises many poorly secured PCs around the globe that are connected to the Internet, and uses
them to attack a specific network consisting of many hosts.
To mitigate, prevent or stop such DDoS attacks, Nathalie Weiler proposed a design with a honeypot
server, where attacker traffic is analyzed using the honeypot in order to prevent or mitigate the
attack. Nathalie Weiler also mentioned DDoS attack tools such as Trinoo, Tribe Flood Network
(TFN), Stacheldraht and TFN2K. We will talk more about attack tools further in this research.
In another paper, Hasan Chowdhury proposed a solution with the Snort IDS, where defined rules
detect a UDP flooding attack. The alerts are captured in a log file for further investigation.
Some of the papers describe mitigation techniques that are well known and already built into
industry products. Some of these techniques are:
1. Disable unused services.
2. Apply commercial or freeware security patches.
3. Disable IP directed broadcast (the amplifier that Smurf attacks rely on).
4. Enable a firewall on the server for access restrictions.
5. Limit user access.
6. Use a pool of IP addresses for servers.
7. Filter incoming and outgoing traffic.
Another major attack, described by Daljeet Kaur and Monika Sachdeva, is DNS query flooding.
This kind of attack floods the DNS server with fake queries; the DNS server tries to resolve those
queries and fails, so other legitimate queries remain unresolved or time out.
Many researchers only design the prevention or mitigation technique for DDoS attacks; some of them
actually test it in a real network, such as an ISP network.
2.2 Category of Attacks
Based on my study of DoS and DDoS attacks, I categorize them into three parts, because an attacker
may want to take down a whole network or may want to deny a specific service to legitimate users.
The categories are:
i. Bandwidth Attack or Volume Based Attack
ii. Protocol Attacks
iii. Application Layer Attack
2.2.1 Bandwidth Attack or Volume Based Attack
This kind of attack simply overloads the network with a huge amount of traffic from outside the
network. Here, the attacker especially uses spoofed source addresses, so that the attack cannot be
traced from the victim's network.
In this scenario, the attacker hits the network with a huge amount of traffic. The victim processes that
traffic and, at a certain point, starts to drop packets, while at the other end the sender keeps sending
more packets continuously. After a certain time the victim is unable to accept legitimate traffic.
At the same time, the network bandwidth is consumed by the massive attack, so legitimate traffic is
blocked by the sheer volume of attack traffic.
Bandwidth or volume based attacks include UDP floods, ICMP floods, etc.
2.2.1.1 UDP Flood
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a
sessionless, connectionless networking protocol.
Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control
Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP
packets to random ports on a remote host. As a result, the distant host will:
- check for the application listening at that port;
- see that no application listens at that port;
- reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the victimized system is forced into sending many ICMP
packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the
IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them,
and anonymizing their network location(s).
2.2.1.2 ICMP Flood
An ICMP flood attack is a denial-of-service (DoS) attack otherwise known as a ping flood. It is one of
the simplest ping-based DoS attacks and is largely what it sounds like: the attacker overloads the
victim's system with ICMP echo request (ping) packets, sending them constantly without waiting for
replies, in effect drowning the victim in a flood of packets.
2.2.2 Protocol Attacks
This type of DDoS attack consumes the resources of either the servers themselves or of intermediate
communication equipment, such as routers, load balancers and even some firewalls. Examples of
protocol attacks include SYN floods, fragmented packet attacks, Ping of Death, Smurf and more.
Protocol attacks are usually measured in packets per second.
2.2.2.1 SYN Floods
Normally when a client attempts to start a TCP connection to a server, the client and server
exchange a series of messages which normally runs like this:
1. The client requests a connection by sending a SYN (synchronize) message to the
server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection
established using the TCP protocol.
A SYN flood attack works by not responding to the server with the expected ACK. The malicious
client can either simply not send the expected ACK, or spoof the source IP address in the SYN,
causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK
because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion
could also be the cause of the missing ACK, but in an attack increasingly large numbers of
half-open connections will bind resources on the server until no new connections can be
made, resulting in a denial of service to legitimate traffic. Some systems may also
malfunction badly or even crash if other operating system functions are starved of resources
in this way.
Figure 2.1: SYN Attack
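The build-up of half-open connections described above, and the ICMP replies a UDP flood (section 2.2.1.1) forces the victim to generate, replayed from the victim's point of view over a constructed packet stream. This is an added example and not code from the thesis; the packet records, the 192.0.2.x/198.51.100.x/10.7.x.x addresses, the backlog size and the thresholds are all assumptions made for the illustration.

```python
"""Replay of a packet stream from the victim's point of view, to spot a
SYN flood (half-open connections that never complete) and a UDP flood
(datagrams to closed ports, each costing an ICMP unreachable reply).
Added example, not code from the thesis; the traffic is constructed
inline rather than read from a capture."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    proto: str       # "tcp", "udp" or "icmp"
    src: str         # source address as seen by the victim (may be spoofed)
    sport: int = 0
    dport: int = 0
    flags: str = ""  # TCP flags sent by the client: "S" = SYN, "A" = ACK


def half_open_peak(packets, syn_timeout=3.0):
    """Track connections for which a SYN arrived but the final ACK never did.
    The server drops a half-open entry after syn_timeout seconds, as a real
    TCP stack does. Returns (peak_half_open, never_completed)."""
    half_open = {}                   # (src, sport) -> time the SYN arrived
    peak = never_completed = 0
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        for key, t0 in list(half_open.items()):
            if p.ts - t0 > syn_timeout:      # stack gave up on this one
                del half_open[key]
                never_completed += 1
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            half_open[key] = p.ts            # SYN-ACK sent, waiting for ACK
        elif p.flags == "A":
            half_open.pop(key, None)         # handshake completed
        peak = max(peak, len(half_open))
    return peak, never_completed + len(half_open)


def closed_port_hits(packets, open_udp_ports):
    """Count UDP datagrams per source that hit a port with no listener; each
    one makes the victim generate an ICMP port-unreachable reply."""
    hits = defaultdict(int)
    for p in packets:
        if p.proto == "udp" and p.dport not in open_udp_ports:
            hits[p.src] += 1
    return dict(hits)


def classify(packets, open_udp_ports, backlog=64, udp_threshold=100):
    """Return human-readable verdicts; the thresholds are illustrative."""
    verdicts = []
    peak, stalled = half_open_peak(packets)
    if peak >= backlog:
        verdicts.append(f"SYN flood: {peak} half-open connections at once "
                        f"(backlog {backlog}), {stalled} never completed")
    for src, n in sorted(closed_port_hits(packets, open_udp_ports).items()):
        if n >= udp_threshold:
            verdicts.append(f"UDP flood from {src}: {n} datagrams to closed "
                            f"ports, {n} ICMP unreachable replies owed")
    return verdicts


def build_sample():
    """Constructed traffic (documentation address ranges, not real hosts):
    one legitimate handshake, 200 SYNs each from a different spoofed
    source, then a 500-datagram UDP burst to random high ports."""
    pkts = [Packet(0.00, "tcp", "192.0.2.10", 40000, 80, "S"),
            Packet(0.01, "tcp", "192.0.2.10", 40000, 80, "A")]
    for i in range(200):
        pkts.append(Packet(0.1 + i * 0.001, "tcp",
                           f"10.7.{i // 256}.{i % 256}", 1024 + i, 80, "S"))
    for i in range(500):
        pkts.append(Packet(1.0 + i * 0.0005, "udp", "198.51.100.7",
                           5000 + i, 20000 + i))
    return pkts


if __name__ == "__main__":
    for line in classify(build_sample(), open_udp_ports={53, 123}):
        print(line)
```

The legitimate client's SYN disappears from the table as soon as its ACK arrives, while the 200 spoofed SYNs stay there until the stack times them out, which is exactly the resource the attack consumes; the UDP counter shows why an unfiltered flood to closed ports doubles as a reply flood from the victim.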
2.2.2.2 Ping of Death
On the Internet, ping of death is a denial of service (DoS) attack caused by an attacker deliberately
sending an IP packet larger than the 65,535 bytes allowed by the IP protocol.
One of the features of TCP/IP is fragmentation: it allows a single IP packet to be broken down into
smaller pieces. In 1996, attackers began to take advantage of that feature when they found that the
fragments of a packet could add up to more than the allowed 65,535 bytes once reassembled. Many
operating systems didn't know what to do when they received an oversized packet, so they froze,
crashed or rebooted.
2.2.3 Application Layer Attack
Perhaps the most dangerous type of DDoS attack, application layer attacks are composed of
seemingly legitimate and innocent requests. The intent of these attacks is to crash the web server.
Some examples of application layer attacks include Slowloris, zero-day DDoS attacks, DDoS attacks
that target Apache, Windows or OpenBSD vulnerabilities, and more. The magnitude of this type of
attack is measured in requests per second.
1. Teardrop Attack: In a teardrop attack the target machine is sent mangled IP fragments with
overlapping, over-sized payloads. This can crash various operating systems due to a bug in their
TCP/IP fragmentation re-assembly code.
2. Portscan: A port scan sends client requests to a range of server port addresses on a host, with the
goal of finding an active port and exploiting a known vulnerability of that service. A port sweep is a
transport layer attack. It can lead to a TCP SYN flooding attack.
3. Worm: A worm is a self-replicating malware program capable of sending copies of itself to other
nodes in the network. Once it enters a network, it can reproduce itself without any user intervention
and is very difficult to stop. Worms almost always cause at least some harm to the network, even if
only by consuming bandwidth, and can lead to system failures.
4. Spam: Spam is most often considered to be electronic junk mail or junk newsgroup postings.
Some people define spam even more generally as any unsolicited email. However, if a long-lost
brother finds your email address and sends you a message, this could hardly be called spam, even
though it is unsolicited. Real spam is generally email advertising for some product sent to a mailing
list or newsgroup. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot
of network bandwidth. Consequently, there are many organizations, as well as individuals, who have
taken it upon themselves to fight spam with a variety of techniques. But because the Internet is
public, there is really little that can be done to
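The two fragment conditions discussed above, the oversized datagram behind the Ping of Death (section 2.2.2.2) and the overlapping fragments behind the teardrop attack, checked the way a defensive IP reassembler should check them before it trusts the sizes in the headers and allocates a buffer. This is an added example and not code from the thesis; the fragment sets (45 full-size 1480-byte pieces for the oversized case, two overlapping pieces for teardrop) are constructed for the illustration, and a minimal 20-byte IPv4 header is assumed.

```python
"""Sanity checks on an IPv4 fragment set before reassembly. Added example,
not code from the thesis; fragments are constructed, not captured."""
from collections import defaultdict
from dataclasses import dataclass

IP_HEADER_LEN = 20          # minimal IPv4 header (assumed, no options)
MAX_DATAGRAM = 65535        # IPv4 total length is a 16-bit field


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by all fragments
    offset: int      # fragment offset in 8-byte units, as carried in the header
    more: bool       # MF flag: more fragments follow
    payload: bytes


def check_datagram(frags):
    """Return "ok", "oversized" (ping of death) or "overlap" (teardrop) for
    the fragments of one datagram. Duplicate offsets count as overlap, which
    is the conservative choice for a defensive reassembler."""
    covered_end = 0                       # payload bytes accounted for so far
    for f in sorted(frags, key=lambda frag: frag.offset):
        start = f.offset * 8
        if start < covered_end:           # this piece rewrites earlier data
            return "overlap"
        covered_end = start + len(f.payload)
    if IP_HEADER_LEN + covered_end > MAX_DATAGRAM:
        return "oversized"
    return "ok"


def reassemble(frags):
    """Concatenate payloads in offset order; refuses anything check_datagram
    rejects and anything incomplete (gap or last fragment missing)."""
    verdict = check_datagram(frags)
    if verdict != "ok":
        raise ValueError(f"refusing to reassemble: {verdict}")
    parts = sorted(frags, key=lambda frag: frag.offset)
    if parts[-1].more:
        raise ValueError("last fragment missing")
    buf = bytearray()
    for f in parts:
        if f.offset * 8 != len(buf):
            raise ValueError("gap in fragment sequence")
        buf += f.payload
    return bytes(buf)


def inspect_stream(frags):
    """Group fragments by identification and give a verdict per datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[f.ident].append(f)
    return {ident: check_datagram(parts) for ident, parts in groups.items()}


def build_samples():
    """Constructed fragment sets, 1480-byte pieces as on a 1500-byte MTU."""
    piece = 1480
    normal = [Fragment(1, 0, True, b"A" * piece),
              Fragment(1, piece // 8, False, b"B" * 100)]
    # Ping of death: 45 full-size pieces = 66,600 bytes of payload
    pod = [Fragment(2, i * piece // 8, i < 44, b"P" * piece) for i in range(45)]
    # Teardrop: second piece starts at byte 24, inside the first piece (0-36)
    teardrop = [Fragment(3, 0, True, b"T" * 36),
                Fragment(3, 3, False, b"U" * 32)]
    return normal, pod, teardrop


if __name__ == "__main__":
    normal, pod, teardrop = build_samples()
    print(inspect_stream(normal + pod + teardrop))
    print(len(reassemble(normal)), "bytes reassembled from the normal set")
```

The check works entirely on the header fields (offset, payload length, identification), so it can run before any memory is committed; a stack that instead reassembles first and checks afterwards is the one that froze or crashed in 1996.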
2.3 Attack Tools
Below are some well known attacking tools for dos and ddos attack:
I. Backtrack or Kali Linux
II. Slowloris
III. UDP Unicorn
IV. hping or hping3
V. Yersinia
VI. Metasploit
VII. UDP War Flooder
VIII. LOIC
2.3.1 Backtrack or Kali Linux
BackTrack and Kali Linux are mainly operating systems that come with lots of attack tools. They are
mainly lab testing OSs. Besides attack tools, they are also loaded with mitigation and prevention
tools.
Further in this paper, we discuss BackTrack and Kali Linux briefly.
2.3.2 Slowloris
Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine
to take down another machine's web server with minimal bandwidth and minimal side effects on
unrelated services and ports.
Slowloris tries to keep many connections to the target web server open and hold them open as long
as possible. It accomplishes this by opening connections to the target web server and sending a
partial request. Periodically, it sends subsequent HTTP headers, adding to, but never completing, the
request. Affected servers keep these connections open, filling their maximum concurrent connection
pool and eventually denying additional connection attempts from clients.
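The connection-pool exhaustion described above, modelled with and without a header read timeout, which is the defense a web server applies against this pattern (Apache's mod_reqtimeout `RequestReadTimeout header=20` is one real instance of it). This is an added example and not code from the thesis or from Slowloris itself; the pool size, the number of attacker connections and the timing of the legitimate client are constructed, and the model simplifies the real timeout to a fixed deadline from the moment the connection is accepted.

```python
"""Model of a web server's connection pool under a Slowloris-style attack,
with and without a header read timeout. Added example, not code from the
thesis; the scenario numbers are constructed."""


class ConnectionPool:
    """Each accepted connection holds a worker slot until its request
    headers are complete. With header_timeout=None the server waits
    forever, which is exactly what Slowloris relies on."""

    def __init__(self, max_conns, header_timeout=None):
        self.max_conns = max_conns
        self.header_timeout = header_timeout
        self.active = {}        # conn_id -> time the connection was accepted
        self.rejected = 0
        self.reaped = 0

    def _reap(self, now):
        """Close connections whose headers are still incomplete after the
        deadline, no matter how many partial header lines trickled in."""
        if self.header_timeout is None:
            return
        for cid, opened in list(self.active.items()):
            if now - opened >= self.header_timeout:
                del self.active[cid]
                self.reaped += 1

    def accept(self, cid, now):
        """Return True if a slot was free for this connection."""
        self._reap(now)
        if len(self.active) >= self.max_conns:
            self.rejected += 1
            return False
        self.active[cid] = now
        return True

    def headers_complete(self, cid, now):
        """Request fully received: serve it and free the slot."""
        self._reap(now)
        return self.active.pop(cid, None) is not None


def slowloris_scenario(header_timeout, max_conns=100, attack_conns=150):
    """The attacker opens attack_conns connections at t=0 and only ever
    sends partial headers; a legitimate client tries at t=15 s and t=25 s."""
    pool = ConnectionPool(max_conns, header_timeout)
    for i in range(attack_conns):
        pool.accept(f"slowloris-{i}", 0.0)
    served = {}
    for t in (15.0, 25.0):
        cid = f"client@{t:.0f}s"
        served[t] = pool.accept(cid, t) and pool.headers_complete(cid, t + 0.1)
    return {"served": served, "reaped": pool.reaped, "rejected": pool.rejected,
            "attacker_slots_held": sum(c.startswith("slowloris") for c in pool.active)}


if __name__ == "__main__":
    print("no timeout:  ", slowloris_scenario(None))
    print("20 s timeout:", slowloris_scenario(20.0))
```

Without a deadline the attacker's 100 connections hold every slot indefinitely and both legitimate attempts are refused; with a 20-second header deadline the slots are reclaimed and the second attempt is served. The attacker can of course reconnect after being reaped, so in practice the timeout is combined with a per-source connection limit.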
2.3.3 UDP Unicorn
UDP Unicorn is a free Windows tool that generates a UDP flood, with a bunch of options.
2.3.4 hping or hping3
hping is a free packet generator and analyzer for the TCP/IP protocol suite, distributed by Salvatore
Sanfilippo (also known as Antirez). hping is one of the de facto tools for security auditing and
testing of firewalls and networks, and was used to demonstrate the idle scan technique (also invented
by the hping author), which is now implemented in the Nmap Security Scanner. The new version of
hping, hping3, is scriptable using the Tcl language and implements an engine for string-based,
human-readable description of TCP/IP packets, so that the programmer can write scripts for low-level
TCP/IP packet manipulation and analysis in a very short time.
Like most tools used in computer security, hping is useful to both system administrators and
hackers.
2.3.5 Yersinia
Yersinia is a network security/hacking tool for Unix-like operating systems, designed to take
advantage of weaknesses in different network protocols. Yersinia is considered a valuable and widely
used security tool.
Attacks for the following network protocols are implemented:
- Spanning Tree Protocol (STP)
- Cisco Discovery Protocol (CDP)
- Dynamic Trunking Protocol (DTP)
- Dynamic Host Configuration Protocol (DHCP)
- Hot Standby Router Protocol (HSRP)
- IEEE 802.1Q
- IEEE 802.1X
- Cisco Inter-Switch Link (ISL)
- VLAN Trunking Protocol (VTP)
2.3.6 Metasploit
The Metasploit Project is a computer security project that provides information about security
vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing
and executing exploit code against a remote target machine.
2.3.7 UDP War Flooder
UDP War Flooder is another Windows-based attack tool, similar to UDP Unicorn.
2.3.8 LOIC
LOIC (Low Orbit Ion Cannon) is an open-source network stress-testing tool that floods a target with
TCP packets, UDP packets or HTTP requests, and it has been widely used in volunteer DDoS campaigns.
DDoS attacks are quickly becoming the most prevalent type of attack, growing rapidly in the past
year in both number and volume, according to recent market research. The trend is towards shorter
attack duration but bigger packet-per-second attack volume, and the overall number of attacks
reported has grown markedly as well.
During Q4 2011, one survey found 45% more DDoS attacks compared to the same period of 2010,
and over double the number of attacks observed during Q3 2011. The average attack bandwidth
observed during this period was 5.2 Gbps, which is 148% higher than the previous quarter.
Another survey of DDoS attacks found that more than 40% of respondents experienced attacks that
exceeded 1 Gbps in bandwidth in 2011, and 13% were targeted by at least one attack that exceeded
10 Gbps.
From a motivational perspective, recent research found that ideologically motivated DDoS attacks are
on the rise, supplanting financial motivation as the most frequent motivator of such attacks.
2.4 Detection and Mitigation Tools
I. Wireshark
II. Snort
III. Backtrack or Kali Linux
IV. IPTables
V. Firewall
VI. Tcpdump
2.4.1 Wireshark
Wireshark is a packet capture tool, capable of capturing data on a live network. It is loaded with tons
of options to capture, analyze, count, break down and inspect live captured data, and is a handy tool
for network professionals. Wireshark can also capture VoIP traffic and play back unencrypted voice
data from a capture. It can divide captured data by time, data type, data size, type of communication
and many other criteria, and specific data can be searched for in a capture file. Wireshark runs on all
the major OSs, such as Windows, Linux and Mac OS.
Wireshark is software that "understands" the structure (encapsulation) of different networking
protocols. It can parse and display the fields, along with their meanings as specified by different
networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the
types of networks that pcap supports.
- Data can be captured "from the wire" from a live network connection or read from a file of
already-captured packets.
- Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP,
and loopback.
- Captured network data can be browsed via a GUI, or via the terminal (command line) version of
the utility, TShark.
- Captured files can be programmatically edited or converted via command-line switches to the
"editcap" program.
- Data display can be refined using a display filter.
- Plug-ins can be created for dissecting new protocols.
- VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media
flow can even be played.
- Raw USB traffic can be captured.
Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap,
so it can exchange captured network traces with other applications that use the same format,
including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as
snoop, Network General's Sniffer, and Microsoft Network Monitor.
Figure 2.2: Wireshark
2.4.2 Snort
Snort is a signature-based network intrusion detection system that performs real-time traffic analysis
and packet logging on IP networks. It is intended to be a lightweight, cost-efficient IDS that can be
deployed to monitor small and lightly utilized networks. As one of the most widely deployed
open-source IDSs, Snort's architecture and rule language serve as a representative example of a
signature-based IDS.
Snort's open source network-based intrusion detection system (NIDS) has the ability to perform
real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs
protocol analysis, content searching, and content matching. These basic services have many purposes,
including application-aware triggered quality of service, to de-prioritize bulk traffic when
latency-sensitive applications are in use.
The program can also be used to detect probes or attacks, including, but not limited to, operating
system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message
block probes, and stealth port scans.
Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.
In sniffer mode, the program reads network packets and displays them on the console. In packet
logger mode, the program logs packets to disk. In intrusion detection mode, the program monitors
network traffic and analyzes it against a rule set defined by the user, and then performs a specific
action based on what has been identified.
In intrusion detection mode, Snort monitors network traffic, analyzes it based on a rule set that
encodes attack signatures, and performs the specific actions identified in the rules that are matched by
the network packets. The analysis is carried out by the following components:
Packet Decoder: decodes the raw packets observed on the network according to the protocol that is
used, from the IP layer up to the application layer. The decoded packet header values are stored in a
data structure for later use by the Detection Engine.
Preprocessor: performs a variety of preprocessing beyond the standard packet decoding before the
data can be analyzed by the Detection Engine. This includes IP fragment reassembly, TCP stream
reassembly, packet header normalization, etc.
Detection Engine: carries out the actual attack detection by matching the values obtained in the
previous steps against a set of rules that encode patterns of known attacks. If a match is found, the
corresponding action defined in the rule is executed, e.g. drop the packet, log the packet, or generate
an alert to the system administrator.
Logging and Alerting System: this last component logs or generates system alerts based on the action
specified in the matched rules as well as the options given at the start of the system.
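A miniature signature engine that follows the pipeline just described (decode, rule header match, option match, threshold, alert), fed one content rule and one by-source UDP flood threshold rule of the kind the Snort-based UDP flood detection mentioned in section 2.1 relies on. This is an added example and not Snort's own code: it understands only the subset of the rule language it uses (ports are `any` or a single number, no escaped `;` inside `content`), the `$HOME_NET` value of 192.0.2.80 is assumed, and both the rules and the packets are constructed for the illustration.

```python
"""Miniature Snort-style engine: decode, header match, content match,
threshold, alert. Added example, not Snort's code; rules and traffic
are constructed and only the rule subset used here is understood."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


HEADER_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

VARIABLES = {"$HOME_NET": "192.0.2.80"}     # assumed protected host

RULES = [
    'alert udp any any -> $HOME_NET any (msg:"UDP flood"; '
    'threshold:type both, track by_src, count 100, seconds 1; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"Incomplete HTTP header (Slowloris style)"; '
    'content:"X-a: "; sid:1000002;)',
]


def parse_rule(text, variables=VARIABLES):
    """Split a rule into header fields plus an option dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    for field in ("src", "dst"):
        rule[field] = variables.get(rule[field], rule[field])
    opts = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    if "threshold" in opts:  # "type both, track by_src, count 100, seconds 1"
        kv = dict(part.split() for part in opts["threshold"].split(","))
        opts["threshold"] = {"type": kv["type"], "track": kv["track"],
                             "count": int(kv["count"]), "seconds": float(kv["seconds"])}
    rule["opts"] = opts
    return rule


def header_matches(rule, p):
    """Rule header against the decoded packet ('any' matches everything)."""
    def addr(pat, val): return pat in ("any", val)
    def port(pat, val): return pat == "any" or int(pat) == val
    return (rule["proto"] == p.proto and addr(rule["src"], p.src)
            and addr(rule["dst"], p.dst) and port(rule["sport"], p.sport)
            and port(rule["dport"], p.dport))


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.state = defaultdict(lambda: {"start": None, "count": 0, "fired": False})

    def _threshold_allows(self, rule, p):
        """'type both': alert once per window after count matches from the
        tracked source, then stay quiet for the rest of that window."""
        th = rule["opts"].get("threshold")
        if th is None:
            return True
        key = (rule["opts"]["sid"], p.src if th["track"] == "by_src" else p.dst)
        st = self.state[key]
        if st["start"] is None or p.ts - st["start"] >= th["seconds"]:
            st.update(start=p.ts, count=0, fired=False)     # new window
        st["count"] += 1
        if st["count"] >= th["count"] and not st["fired"]:
            st["fired"] = True
            return True
        return False

    def process(self, packets):
        """Detection engine: header, then content, then threshold; returns
        (ts, sid, msg, src) for every alert raised."""
        alerts = []
        for p in sorted(packets, key=lambda pkt: pkt.ts):
            for rule in self.rules:
                if not header_matches(rule, p):
                    continue
                content = rule["opts"].get("content")
                if content is not None and content.encode() not in p.payload:
                    continue
                if self._threshold_allows(rule, p):
                    alerts.append((p.ts, rule["opts"]["sid"], rule["opts"]["msg"], p.src))
        return alerts


def build_sample():
    """Constructed traffic: a 250-datagram UDP burst from one source inside
    one second, five legitimate DNS queries, one Slowloris-style partial
    request and one complete GET."""
    home = VARIABLES["$HOME_NET"]
    pkts = [Packet(i * 0.004, "udp", "198.51.100.7", 40000 + i, home, 20000 + i)
            for i in range(250)]
    pkts += [Packet(0.5 + i * 0.1, "udp", "192.0.2.10", 5300 + i, home, 53)
             for i in range(5)]
    pkts.append(Packet(0.7, "tcp", "203.0.113.9", 51000, home, 80,
                       b"GET / HTTP/1.1\r\nHost: victim\r\nX-a: b\r\n"))
    pkts.append(Packet(0.8, "tcp", "192.0.2.11", 51001, home, 80,
                       b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n"))
    return pkts


if __name__ == "__main__":
    for alert in Engine([parse_rule(r) for r in RULES]).process(build_sample()):
        print(alert)
```

The flood rule fires exactly once, on the 100th datagram from 198.51.100.7, and stays silent for the remainder of its one-second window, which is what keeps a threshold rule from turning a packet flood into an alert flood; the five DNS queries from the legitimate resolver never reach the count.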
2.4.3 Backtrack or Kali Linux
BackTrack and Kali Linux are operating systems for advanced digital forensics and penetration
testing. There are tons of tools in BackTrack and Kali Linux.
BackTrack and Kali provide users with easy access to a comprehensive and large collection of
security-related tools, ranging from port scanners to security auditing tools. Support for Live CD and
Live USB functionality allows users to boot BackTrack or Kali directly from portable media without
requiring installation, though permanent installation to hard disk or over the network is also an option.
Figure 2.3: Backtrack Linux
BackTrack and Kali include many well known security tools, including:
- Wi-Fi drivers supporting monitor mode (rfmon mode) and packet injection
- Aircrack-ng
- Gerix Wifi Cracker
- Kismet
- Ophcrack
- Ettercap
- Wireshark (formerly known as Ethereal)
- BeEF (Browser Exploitation Framework)
- Hydra
- OWASP Mantra Security Framework, a collection of hacking tools, add-ons and scripts based on
Firefox
- Cisco OCS Mass Scanner, a very reliable and fast scanner for Cisco routers with telnet and enable
default passwords
- A large collection of exploits as well as more commonplace software such as browsers
Figure 2.4: Kali Linux
BackTrack and Kali arrange their tools into 12 categories:
- Information gathering
- Vulnerability assessment
- Exploitation tools
- Privilege escalation
- Maintaining access
- Reverse engineering
- RFID tools
- Stress testing
- Forensics
- Reporting tools
- Services
- Miscellaneous
2.4.4 IPTables
iptables is a user space application program that allows a system administrator to configure
the tables provided by the Linux kernel firewall (implemented as different Netfilter modules)
and the chains and rules it stores. Different kernel modules and programs are currently used
for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and
ebtables to Ethernet frames.
iptables requires elevated privileges to operate and must be executed by user root, otherwise
it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and
documented in its man pages which can be opened using man iptables when installed. It may
also be found in /sbin/iptables, but since iptables is more like a service rather than an
"essential binary", the preferred location remains /usr/sbin.
The term iptables is also commonly used to refer inclusively to the kernel-level components.
x_tables is the name of the kernel module carrying the shared code used by all four modules; it also provides the API used for extensions. Consequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.
2.4.5 Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can
be implemented in both hardware and software, or a combination of both. Firewalls are
frequently used to prevent unauthorized Internet users from accessing private networks
connected to the Internet, especially intranets. All messages entering or leaving the intranet
pass through the firewall, which examines each message and blocks those that do not meet
the specified security criteria.
There are several types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and accepts or
rejects it based on user-defined rules. Packet filtering is fairly effective and
transparent to users, but it is difficult to configure. In addition, it is susceptible to IP
spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection
is established. Once the connection has been made, packets can flow between the
hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy
server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is
considered a first line of defense in protecting private information. For greater security, data
can be encrypted.
2.4.6 TCPDump
TCPDump is a common packet analyzer that runs under the command line. It allows the user
to intercept and display TCP/IP and other packets being transmitted or received over a
network to which the computer is attached. Distributed under the BSD license, tcpdump is
free software.
Tcpdump works on most Unix-like operating systems: Linux, Solaris, BSD, OS X, HP-UX
and AIX among others. In those systems, tcpdump uses the libpcap library to capture packets.
The port of tcpdump for Windows is called WinDump; it uses WinPcap, the Windows port of
libpcap.
2.5 Total Attacks Statistics
According to Shadowserver, the attack statistics for recent years are as follows:
Year  Unique C&C  Unique C&C ASN  Unique C&C Geo  Target Count  Unique Targets  Unique Target ASN  Unique Target Geo
2006  414         214             40              50650         25953           3079               133
2007  848         390             67              35566         15755           1633               107
2008  618         332             66              202678        21312           1870               117
2009  590         272             53              7058221       10991           1491               110
2010  430         157             41              1545208       13757           1697               106
2011  322         98              30              27459         5327            756                72
According to Prolexic, the all-time top 10 country rankings by bot count are:
Rank  Bots      Country
1     18102247  China
2     9119617   United States
3     2457469   India
4     2433247   Japan
5     2311915   Germany
6     2238308   Mexico
7     2220807   Russian Federation
8     2040336   United Kingdom
9     1929810   Italy
10    1810197   Thailand
Figure 2.5: Prolexic Attack Graph of all time.
Below are some DDoS attacks in recent years:
Serial  Date               DDoS Targets/Incidents                                     Consequences/Description
1       March 2012         South Korea and United States websites                     Similar to the attacks launched in 2009.
2       Jan 1, 2012        Official website of the office of the Vice President of Russia   The site was down for more than 15 hours.
3       Nov 5 to 12, 2011  Asian e-commerce company                                   A flood of traffic was launched; 250,000 computers infected with malware participated.
4       Nov 10, 2011       Server                                                     The traffic load was immense, with several thousand requests per second.
5       October 2011       Site of the National Election Commission of South Korea    Attacks were launched during the morning when citizens would look up information; the attack led to lower turnout.
6       March 30, 2011     Blogging platform LiveJournal                              Experienced serious functionality problems for over 12 hours, and resumed on April 4 and 5, 2011.
7       December 8, 2010   MasterCard, PayPal, Visa and PostFinance                   Attack launched in support of WikiLeaks.ch and its founder; it lasted more than 16 hours.
8       November 30, 2010  Whistleblower site WikiLeaks                               Attack size was 10 Gbps; the site became unavailable to visitors. Launched to prevent the release of secret cables.
9       November 28, 2010  Whistleblower site WikiLeaks                               Attack size was 2-4 Gbps; launched just after it released confidential US diplomatic cables.
10      November 12, 2010  Domain registrar Register.com                              Impacted DNS, hosting and webmail clients; 24 hours of outage.
Chapter 3
Attacks, Analysis and Mitigation
3.1 Attacks
In the real and virtual lab environment below attacks have been tested and analyzed:
i. DHCP Attack using Yersinia
ii. DHCP DoS Attack using hping3
iii. CDP Attack using Yersinia
iv. MAC Address Table flood using macof
v. WiFi jamming attack using mdk3
3.1.1 DHCP Attack using Yersinia
Figure 3.1: DHCP Attack Diagram
Yersinia is a free tool for the Linux environment that combines several attacks in one tool. Here I will show the effect of a DHCP attack using Yersinia.
First we need to know about DHCP. DHCP stands for Dynamic Host Configuration Protocol; a DHCP server provides the IP address, subnet mask, gateway address and DNS server addresses.
DHCP works in four steps: I) When a client comes online on a local network configured for DHCP, it searches for an active DHCP server on the local network with a DHCP Discover message. II) If there is a DHCP server and it receives the DHCP Discover message, the server offers the client an IP address with a DHCP Offer message. III) The client responds with a DHCP Request message to obtain the IP address from the DHCP server. IV) The server replies to the client with a DHCP ACK message.
Figure 3.2: DHCP Messages
Attack using Yersinia
I have tested the attack scenario in a real-time lab environment with one Cisco router, one switch, one attacker PC and one client PC.
I. Cisco 2800 Series Router
II. Cisco 2960 Series Switch
III. Attacker PC: Linux
IV. Client PC: Windows
Procedure
I. First configure the Cisco router as the DHCP server for the connected networks.
II. Connect the Cisco router to the Cisco switch using a straight-through cable.
III. Connect the client and attacker PCs to the Cisco switch.
IV. Power on all devices.
V. Ensure the connected PCs get IP addresses from the DHCP server.
VI. Launch Yersinia on the attacker PC from a terminal using the yersinia -G command.
Figure 3.3: Yersinia
VII. The graphical interface of Yersinia looks like the figure below:
Figure 3.4: Yersinia
VIII. To launch the attack, choose Launch Attack from the toolbar and select DHCP in the dialogue box that opens.
IX. Select "sending DISCOVER packet" and press OK. The attack is then launched.
Figure 3.5: Yersinia
X. On the client PC, enable DHCP and check that the client does not get any IP address from the DHCP server, because the DHCP server's address space has been exhausted.
During the attack, I captured data on the attacker machine to analyze for further investigation.
Figure 3.6: Wireshark Capture from Attacker PC
Wireshark Data Analysis
Attack Rate (pps)   : 35000 (avg.)
Attack Duration     : 1 minute to 5 minutes
Attack Source MAC   : random or dynamic
Attack Message Type : DHCP Discover
Attack Result       : DHCP address space exhausted; legitimate users will not get an IP address from the DHCP server
DHCP Attack Mitigation
We can mitigate the DHCP attack using storm-control on the switch ports.
Before enabling storm-control on a switch port, we need to identify the normal traffic pattern and traffic rate on every switch port and compare that normal traffic with the attacker machine's traffic.
On the attacker machine, the traffic rate is 35000 pps while broadcasting DHCP Discover messages. Assume the normal traffic rate is 100 to 10000 pps.
Now we will apply storm-control on the switch ports.
I. Open the Cisco switch terminal.
II. Enter global configuration mode, then interface configuration mode for the ports.
III. First enable storm-control for broadcast traffic and limit the pps value to 30000.
IV. Then set the storm-control violation action to shut down the port.
Switch> en
Switch# conf t
Switch(config)# interface range fastEthernet 0/1 - 24
Switch(config-if-range)# storm-control broadcast level pps 30000
Switch(config-if-range)# storm-control action shutdown
If the traffic rate on any switch port exceeds the 30000 pps limit, that port is immediately shut down and the attack cannot pass through the switch. This is the most cost-effective solution.
3.1.2 DHCP DoS Attack using hping3
Figure 3.7: DHCP DoS Attack Diagram
hping3 is another free tool on Linux. hping3 can generate several types of attack traffic, such as ICMP flood, smurf attack, UDP flood and TCP SYN flood. It is a handy tool for taking down a service.
To design the test environment, I have used the GNS3 emulator. The devices in the emulation are two Cisco routers, one attacker PC and one client PC.
I. Router: Cisco 7200 Series
II. Attacker PC: Kali Linux PC
III. Client PC: Windows XP PC
Procedure
I. First configure the Cisco router as the DHCP server for the connected networks.
II. Connect the Cisco router to the second Cisco router, where the clients are connected.
III. Configure both Cisco routers with proper static routes.
IV. Configure ip helper-address on every router interface so that clients can reach the DHCP server.
V. Now make sure the connected workstations are getting IP addresses from the DHCP server.
VI. Now launch the attack from the Kali Linux PC using the hping3 command with the target address and port specified. This attack can be tuned in different ways.
Figure 3.8: hping3
Here the hping3 command specifies a UDP flood from a random source port to the fixed destination port 67 at destination IP 10.40.40.2. Port 67 is the bootps (DHCP server) port and 10.40.40.2 is the DHCP server's IP address.
VII. Now if we check the wireshark capture from attacker PC:
Figure 3.9: Wireshark Capture
Here we find that the attack source IP is fixed while the source port is random, and the destination IP and port are both fixed.
The attack rate is 3000 pps.
VIII. Now we will check whether the client gets any IP from the DHCP server.
Figure 3.10: DHCP Client
Figure 3.11: DHCP Client is not getting IP
Here the client did not get any IP address from the DHCP server.
The attacker machine exhausts the DHCP server port with unicast UDP messages.
DHCP DoS attack Mitigation
We can mitigate the DHCP DoS attack using an extended access-list on the gateway router for the client machines. This solution is applicable to this scenario in a small business environment.
Access-list for DHCP DoS attack mitigation:
Router> en
Router#conf t
Router(config)# ip access-list extended 100
Router(config-ext-nacl)#permit udp any eq bootpc host 10.40.40.2 eq bootps
Router(config-ext-nacl)#deny udp any host 10.40.40.2 eq bootps
Router(config-ext-nacl)#permit ip any any
Now apply the acl in Router interface where DHCP Server is connected:
Router(config)#interface fa1/1
Router(config-if)#ip access-group 100 out
Access-list 100 above states that UDP traffic for valid DHCP requests (source port bootpc) to the DHCP server is accepted. The next line denies UDP traffic from any other source to the DHCP server's bootps port. Finally, all other traffic is accepted. This ACL should be applied on the router interface where the DHCP server is connected.
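To make the first-match semantics of this ACL concrete, the Python block below is an added example (not from the thesis and not Cisco code): it encodes the three lines of access-list 100 as tuples and evaluates constructed packets against them, including the implicit deny that ends every Cisco ACL. The packet set is my own construction; the "relayed Discover" case reflects the fact that Cisco relay agents configured with ip helper-address forward client requests to the server from UDP source port 67, not 68.

```python
# Added example (not from the thesis): a first-match evaluator for extended
# ACL 100 as written above, run against constructed packets. The packet set
# and the relay case are my assumptions, not captures from the thesis lab.
BOOTPS, BOOTPC = 67, 68
DHCP_SERVER = "10.40.40.2"

# (action, protocol, source port or None for "any", dest host or None, dest port or None),
# one tuple per ACL line, in order.
ACL_100 = [
    ("permit", "udp", BOOTPC, DHCP_SERVER, BOOTPS),   # permit udp any eq bootpc host 10.40.40.2 eq bootps
    ("deny",   "udp", None,   DHCP_SERVER, BOOTPS),   # deny udp any host 10.40.40.2 eq bootps
    ("permit", "ip",  None,   None,        None),     # permit ip any any
]


def evaluate_acl(acl, proto, src_port, dst_ip, dst_port):
    """Return the action of the first line that matches; Cisco ACLs end with
    an implicit deny, so a packet that matches nothing is dropped."""
    for action, r_proto, r_sport, r_dhost, r_dport in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_sport is not None and r_sport != src_port:
            continue
        if r_dhost is not None and r_dhost != dst_ip:
            continue
        if r_dport is not None and r_dport != dst_port:
            continue
        return action
    return "deny"


# Constructed packets as they would leave the interface facing the server
# (the ACL is applied outbound there): (label, protocol, src port, dst ip, dst port).
CONSTRUCTED = [
    ("client Discover on the server's own LAN", "udp", BOOTPC, DHCP_SERVER, BOOTPS),
    ("hping3 flood packet, random source port", "udp", 51234, DHCP_SERVER, BOOTPS),
    ("relayed Discover from a Cisco ip helper-address (source port 67)", "udp", BOOTPS, DHCP_SERVER, BOOTPS),
    ("SSH to the server", "tcp", 40000, DHCP_SERVER, 22),
    ("DNS to another host", "udp", 40001, "10.40.40.5", 53),
]


def classify(packets=CONSTRUCTED):
    """Map each constructed packet label to the verdict ACL 100 gives it."""
    return {label: evaluate_acl(ACL_100, proto, sp, ip, dp)
            for label, proto, sp, ip, dp in packets}


if __name__ == "__main__":
    for label, verdict in classify().items():
        print(f"{verdict:6} {label}")
```

The flood packet is denied and ordinary traffic is permitted, as the text says. The relayed case, however, also evaluates to deny: in the GNS3 topology the clients sit behind the second router and reach the server only through the helper address, so the relayed requests carry source port 67 and fall through to line two. Before trusting this ACL in that topology, confirm in the lab that the relayed client still obtains a lease with the ACL applied; if it does not, the first line needs to match the relay's actual source port, restricted to the relay router's address.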
3.1.3 CDP Attack using Yersinia
Figure 3.12: CDP Attack Diagram
We have already talked about Yersinia in our first attack.
The CDP attack is bound to Cisco devices only. CDP (Cisco Discovery Protocol) is a useful Cisco feature for learning about other directly connected devices.
Procedure
Attack Type: CDP Table Flood
Tools Used: Yersinia
Yersinia Command : yersinia -G
1. Launch Yersinia from Linux CLI.
2. Select proper interfaces for attack.
3. Click on Launch Attack.
4. Select CDP from the TAB.
5. Select flooding CDP Table using Radio Button.
6. Press OK and the attack will begin to flood the CDP Table.
Screenshots
Figure 3.13: Yersinia
Figure 3.14: Yersinia Interface Choose
Figure 3.15: Yersinia Attack
Figure 3.16: Yersinia CDP Attack Launch
Figure 3.17: Yersinia during attack
The packet capture from the attacker machine shows that the attack comes with random IP and random MAC addresses. In the victim router's CDP table, we find that the table is flooded with fake information, from which no valuable information can be obtained.
Figure 3.18: Wireshark Packet Capture
Attack Rate (pps) : 3150
Attack Behavior   : random MAC
Attack Result     : CDP table flood of the connected Cisco device.
CDP Attack Mitigation
Mitigation Type : Disable CDP on client interfaces where no other Cisco device is connected, and enable storm-control on the switch port.
CDP Disable command :
interface fa1/1
no cdp enable
storm-control broadcast level pps 3000
storm-control action shutdown
Result : The switch port will not learn any CDP advertisements, and if the pps value exceeds the limit of 3000, the switch port will be shut down.
3.1.4 MAC Address Table flood using macof
Figure 3.19: MAC Address Flood Attack Diagram
Macof is a member of the dsniff suite of tools and is mainly used to flood a switch on a local network with MAC addresses. The reason this matters is that the switch regulates the flow of data between its ports. It actively monitors (caches) the MAC address on each port, which lets it pass data only to its intended target. This is the main difference between a switch and a passive hub. A passive hub has no mapping and thus broadcasts line data to every port on the device. The data is typically rejected by all network cards except the one it was intended for. However, on a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through the hubbed network. While this is nice for a hacker, most networks use switches, which inherently restrict this activity.
dsniff's macof generates random MAC addresses, exhausting the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches then revert to acting like a hub.
The following question then arises: what happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this causes the switch to go into a fail-safe mode in which it basically turns into a hub. In other words, by overloading the switch, a hacker could gain access to all the data passing through the switch. One tool for doing this is called macof; to use macof, you need to install the dsniff suite.
The macof attack is used to flood the MAC address table.
Attacker : Kali Linux Virtual Machine
Victim : Cisco Layer 3 Switch
Procedure
I. We can launch the attack using the macof command with the -i switch for interface selection.
Figure 3.20: macof attack
II.
Figure 3.21: Macof flood
Here we can see that the attack has been generated from different spoofed MAC addresses with a broadcast destination.
III. If we look at the Cisco router's MAC address table:
Figure 3.22: Show Mac-Address Table
IV.
Figure 3.23: Show Mac-Address Table
We can see that the MAC address table is already flooded with MAC addresses.
As a result the switch CAM table is overloaded, and after a certain time the switch will act like a hub in the network.
MAC address-table flood Mitigation
The packet capture from the attacker machine shows that the attack pattern is random: both source and destination addresses are random. As a result, the switch MAC address table is flooded with random MAC addresses.
As a mitigation technique, we can use port security on the switch port to allow only a limited number of MAC addresses, and we can bind the MAC addresses to the switch port.
We can also use storm-control on the switch port to mitigate the attack.
Port-security command :
interface fa1/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
storm-control broadcast level pps 500
storm-control action shutdown
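The following Python block is an added example, not code from the thesis or from any switch vendor: it models a switch forwarding table under a macof-style flood and shows why "switchport port-security maximum 2" with the shutdown violation action stops the table from filling. The table capacity (8192 entries), the port names and the MAC values are assumptions; a real CAM table is hashed and ages entries, so it can refuse new entries earlier and recover over time, which this toy model leaves out.

```python
# Added example (not from the thesis): a toy model of a switch forwarding
# table under a macof-style flood, with and without the port-security
# "maximum 2" / violation shutdown configuration shown above. The table size,
# port names and MAC values are assumptions, not measurements from the lab.
from collections import defaultdict


class ToySwitch:
    def __init__(self, cam_capacity, port_security_max=None):
        self.cam_capacity = cam_capacity            # MAC entries the table can hold (assumed 8192 below)
        self.ps_max = port_security_max or {}       # port -> allowed number of source MACs
        self.cam = {}                               # mac -> port
        self.seen = defaultdict(set)                # port -> source MACs seen (for port-security)
        self.err_disabled = set()

    def ingress(self, port, src_mac):
        """Learn src_mac on port the way the switch would; return what happened."""
        if port in self.err_disabled:
            return "dropped"                        # a shut down port forwards nothing
        if port in self.ps_max:
            if src_mac not in self.seen[port] and len(self.seen[port]) >= self.ps_max[port]:
                self.err_disabled.add(port)         # violation action: shutdown
                return "violation-shutdown"
            self.seen[port].add(src_mac)
        if src_mac not in self.cam:
            if len(self.cam) >= self.cam_capacity:
                return "table-full"                 # no room: address stays unknown
            self.cam[src_mac] = port
        return "learned"

    def egress_for(self, dst_mac):
        """Unknown unicast is flooded out every port, which is what lets an
        attacker on any port see traffic between two other hosts."""
        return self.cam.get(dst_mac, "flood-all-ports")


def simulate(flood_count, protect, cam_capacity=8192):
    """Host A (Fa0/1) and host B (Fa0/2) are legitimate; the attacker on Fa0/3
    sends flood_count frames, each from a fresh random-looking MAC. Returns
    the attacker port state, the table size and where an A->B frame goes."""
    sw = ToySwitch(cam_capacity, {"Fa0/3": 2} if protect else None)
    a_mac, b_mac = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw.ingress("Fa0/1", a_mac)                      # A talks first, so A is learned
    results = defaultdict(int)
    for i in range(flood_count):                    # constructed flood: deterministic, unique MACs
        mac = f"02:00:00:{i >> 16 & 255:02x}:{i >> 8 & 255:02x}:{i & 255:02x}"
        results[sw.ingress("Fa0/3", mac)] += 1
    b_learned = sw.ingress("Fa0/2", b_mac)          # B replies after the flood
    return {
        "attacker_port": "err-disabled" if "Fa0/3" in sw.err_disabled else "up",
        "flood_results": dict(results),
        "b_learned": b_learned,
        "cam_entries": len(sw.cam),
        "a_to_b": sw.egress_for(b_mac),
    }


if __name__ == "__main__":
    print("no port-security:", simulate(10000, protect=False))
    print("port-security max 2:", simulate(10000, protect=True))
```

Without port security the flood fills the table, host B can no longer be learned, and a frame from A to B is flooded out every port including the attacker's. With the maximum of 2 and shutdown action, the third spoofed source err-disables Fa0/3, the table holds four entries, and A's frame goes only to Fa0/2.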
3.1.5 WiFi jamming attack using mdk3
Wi-Fi is increasingly becoming the preferred mode of internet connection all over the world. To access this type of connection, one must have a wireless adapter on their computer. Wi-Fi provides wireless connectivity by emitting frequencies between 2.4 GHz and 5 GHz based on the amount of data on the network. Areas which are enabled with Wi-Fi connectivity are known as hot spots. One can use advanced software like Wirelessmon to detect and request connection to hotspots. To start a wireless connection, it is important that the wireless router is plugged into the internet connection and that all the required settings are properly configured.
Wi-Fi works with no physical wired connection between sender and receiver by using radio frequency (RF) technology, a frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that is then able to propagate through space. The cornerstone of any wireless network is an access point (AP). The primary job of an access point is to broadcast a wireless signal that computers can detect and "tune" into. In order to connect to an access point and join a wireless network, computers and devices must be equipped with wireless network adapters.
Procedure
- First use the iwlist command to search for available wireless networks:
iwlist wlan0 scan
Then echo the BSSID of the available wireless network to a blacklist file and note down the channel number.
- Then create a monitor interface using airmon-ng:
airmon-ng start wlan0
It will show the monitoring interface, as mon0 or mon1 etc.
- Then start the attack using mdk3:
mdk3 mon0 d b blacklist c 11
and
mdk3 mon0 a m i BSSID
This attack floods the wireless AP with authentication messages and jams the wireless network.
Figure 3.24: Wireshark Capture
Attack Rate (pps) : 217
Attack Type       : Authentication messages from random spoofed sources
Attack Result     : Jams the Wi-Fi BSSID with a unicast flood; other mobile stations are disconnected from the network.
WiFi jamming attack mitigation:
Mitigation Type : Disable SSID broadcast
Result : The attacker machine will not find the ESSID, BSSID and channel for the attack.
Chapter 4
Conclusion
4.1 Conclusion
The main purpose of this thesis is to analyze various DoS/DDoS attacks and find effective solutions to mitigate the damage of those attacks. During this thesis work, we tried to achieve that goal. The working area of this topic is so vast that we could cover only some portions of it within the limited timeline. There are also some limitations we faced during our thesis work.
First of all, the availability of a proper lab environment and lab equipment. A proper lab environment was a crucial part of this thesis work. Without one, we faced some packet loss, some command-line limitations on devices, device support limitations, etc. Also, for some parts of this thesis we needed to generate more data traffic to analyze and gather data in order to find an effective solution, but because of device limitations we could not generate enough data. To overcome the physical device limitations, most of the thesis work was done with virtual software or emulators like GNS3 and VirtualBox. Some solutions for the DoS/DDoS attacks were applied in a small networking environment, which is another limitation of this thesis work. So, in future, we will try to analyze more DoS/DDoS attacks and their effects on networking systems over a wide area so that we can overcome the small networking environment limitations.
Here are some future plans for this thesis work:
1. Narrow down the topic to a specific attack.
2. Gather much more data on that attack.
3. Analyze current solutions.
4. Design a test network.
5. Configure a vulnerable system.
6. Manage a high-power attacker machine.
7. Collect real-time data.
8. Analyze real-time data.
9. Create some effective programs or scripts for DoS/DDoS attack mitigation.
10. Configure a honeypot server to detect DoS/DDoS attacks, perform traffic analysis, etc.
11. Script creation: DoS attack mitigation, honeypot server, gateway, Snort detection, etc.
12. DDoS attack: the vast scope of work is a limitation.
13. Proper lab environment limited: packet loss.
14. Traffic generation limitation.