DOCSLIB.ORG

Ddos Attacks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Ddos Attacks INFORMATION TECHNOLOGY Bhattacharyya • DDoS Attacks Kalita Evolution, Detection, Prevention, DDoS Reaction, and Tolerance DDoS Attacks DDoS DDoS Attacks: Evolution, Detection, Prevention, Reaction, and Tolerance discusses the evolution of distributed denial-of-service (DDoS) attacks, how to detect a DDoS attack when one is mounted, how to prevent such attacks from taking place, and how to react when a DDoS attack is in progress, with the goal of tolerating the attack. It introduces Attacks types and characteristics of DDoS attacks, reasons why such attacks are often successful, what aspects of the network infrastructure are usual targets, and methods used to launch Evolution, Detection, attacks. The book elaborates upon the emerging botnet technology, current trends in the evolution Prevention, Reaction, and use of botnet technology, its role in facilitating the launching of DDoS attacks, and challenges in countering the role of botnets in the proliferation of DDoS attacks. It intro- duces statistical and machine learning methods applied in the detection and prevention of and Tolerance DDoS attacks in order to provide a clear understanding of the state of the art. It presents DDoS reaction and tolerance mechanisms with a view to studying their effectiveness in protecting network resources without compromising the quality of services. To practically understand how attackers plan and mount DDoS attacks, the authors discuss the development of a testbed that can be used to perform experiments such as attack launching, monitoring of network traffic, and detection of attacks, as well as for testing strategies for prevention, reaction, and mitigation. Finally, the authors address current issues and challenges that need to be overcome to provide even better defense against DDoS attacks. Dhruba Kumar Bhattacharyya K26076 Jugal Kumar Kalita 6000 Broken Sound Parkway, NW Suite 300, Boca Raton, FL 33487 711 Third Avenue New York, NY 10017 2 Park Square, Milton Park Abingdon, Oxon OX14 4RN, UK www.crcpress.com @nettrain i \K26076_FM" | 2016/3/17 | 14:34 | page 3 | #3 i i i @nettrain i i i i i \K26076_FM" | 2016/3/17 | 14:34 | page 2 | #2 i i i DDoS Attacks Evolution, Detection, Prevention, Reaction, and Tolerance @nettrain i i i i i \K26076_FM" | 2016/3/17 | 14:34 | page 3 | #3 i i i @nettrain i i i i i \K26076_FM" | 2016/3/17 | 14:34 | page 4 | #4 i i i DDoS Attacks Evolution, Detection, Prevention, Reaction, and Tolerance Dhruba Kumar Bhattacharyya Jugal Kumar Kalita Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business @nettrain i i i i CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2016 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20160308 International Standard Book Number-13: 978-1-4987-2965-9 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information stor- age or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copy- right.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that pro- vides licenses and registration for a variety of users. For organizations that have been granted a photo- copy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com @nettrain i \K26076" | 2016/3/25 | 12:19 | #1 i i i Contents List of Figures xiii List of Tables xvii Preface xix Acknowledgments xxi Authors xxiii 1 Introduction 1 1.1 Anomalies in Networks . .2 1.2 Distributed Denial-of-Service (DDoS) Attacks . .3 1.3 Causes of DDoS Attacks . .4 1.4 Targets of DDoS Attacks . .5 1.5 Launching of DDoS Attacks . .5 1.6 Current Trends in Botnet Technology . .6 1.7 Machine Learning in DDoS Attack Handling . .6 1.7.1 Traffic Attributes and User-Parameter Selection7 1.7.2 Selection of Metrics or Measures . .7 1.7.3 Analysis of Data . .8 1.7.4 Mode of Detection . .8 1.7.5 Generation of Alarm Information and Reaction .9 1.8 DDoS Defense . .9 1.9 Modules of a DDoS Defense System . 10 1.10 Types of DDoS Defense Systems . 11 1.10.1 Based on Approach . 11 1.10.1.1 DDoS Detection . 11 1.10.1.2 DDoS Prevention . 11 1.10.1.3 DDoS Response . 11 v @nettrain i i i i i \K26076" | 2016/3/25 | 12:19 | #2 i i i vi CONTENTS 1.10.1.4 DDoS Tolerance . 12 1.10.2 Based on Nature of Control . 12 1.10.2.1 Centralized DDoS Defense . 12 1.10.2.2 Hierarchical DDoS Defense . 12 1.10.2.3 Distributed DDoS Defense . 13 1.10.3 Based on Defense Infrastructure . 13 1.10.3.1 Host-Based DDoS Defense . 13 1.10.3.2 Network-Based DDoS Defense . 14 1.10.4 Based on Defense Location . 14 1.10.4.1 Victim-End DDoS Defense . 14 1.10.4.2 Source-End DDoS Defense . 15 1.10.4.3 Intermediate Network DDoS Defense . 15 1.10.5 Based on Technique Used . 15 1.10.5.1 Misuse Detection . 15 1.10.5.2 Anomaly Detection . 16 1.11 DDoS Tools and Systems . 16 1.12 DDoS Defense Evaluation . 17 1.13 Prior Work . 17 1.14 Contribution of This Book . 20 1.15 Organization of This Book . 20 2 DDoS, Machine Learning, Measures 23 2.1 Issues in Internet Design . 25 2.1.1 Complex Edge but Simple Core . 25 2.1.2 Link Bandwidth Mismatch between Core and Edge 25 2.1.3 Routing Principles . 26 2.1.4 Lack of Centralized Network Management . 26 2.1.5 Sharing of Reserved Resources across Data Centers 26 2.2 DDoS Attacks and Their Types . 27 2.2.1 Agent-Handler and IRC-Based DDoS Attack Gen- eration . 28 2.2.2 Types of DDoS Attacks . 28 2.2.2.1 Layer-Specific DDoS Attacks . 28 2.2.2.2 Direct and Reflector-Based DDoS Attacks 30 2.2.2.3 Direct and Indirect DDoS Attacks . 31 2.2.2.4 High-Rate and Low-Rate DDoS Attacks 31 2.2.2.5 Attack Types Based on Rate Dynamics 32 2.3 DDoS Attack Targets . 33 2.3.1 On Infrastructure . 33 2.3.2 On Link . 33 @nettrain i i i i i \K26076" | 2016/3/25 | 12:19 | #3 i i i CONTENTS vii 2.3.3 On Router . 34 2.3.4 On OS . 34 2.3.5 On Defense Mechanism . 34 2.4 Current Trends in DDoS Attacks . 34 2.5 Strength of DDoS Attackers . 36 2.6 Desired Characteristics of DDoS Defense System . 37 2.7 Recent DDoS Attacks . 38 2.8 Machine Learning Background . 39 2.8.1 Supervised and Unsupervised Machine Learning 40 2.8.2 Measures: Similarity and Dissimilarity . 41 2.8.2.1 Dissimilarity Measures . 42 2.8.2.2 Correlation Measures . 43 2.8.2.3 f-Divergence Measures . 46 2.8.2.4 Information Metrics . 48 2.8.3 Discussion . 49 2.9 Some Empirical Studies . 50 2.9.1 Using Information Metrics . 50 2.9.1.1 Testbed Used . 52 2.9.1.2 Datasets Used . 53 2.9.1.3 Results of Empirical Study . 53 2.9.1.4 Discussion . 59 2.9.2 Using Correlation Measures . 59 2.9.2.1 An Example . 60 2.9.3 Using f-Divergence Measures . 62 2.9.3.1 Results . 65 2.9.4 Discussion . 69 2.10 Chapter Summary . 70 3 Botnets: Trends and Challenges 73 3.1 DDoS Attacks Using Stationary Botnets . 74 3.1.1 Botnet Characteristics . 74 3.1.2 Botnet Models . 75 3.1.2.1 Agent Handler Model . 76 3.1.2.2 IRC-Based Model . 76 3.1.2.3 Web-Based Model . 77 3.1.3 Botnet Formation Life Cycle . 78 3.1.4 Stationary Botnet Architecture . 78 3.1.4.1 Botnet Topology . 78 3.1.4.2 Protocols Used . 79 3.1.4.3 Botnet C&C Systems . 80 @nettrain i i i i i \K26076" | 2016/3/25 | 12:19 | #4 i i i viii CONTENTS 3.1.5 Some Stationary Botnets . 83 3.1.6 DDoS Attacks Using Mobile Botnets . 89 3.1.6.1 Mobile Botnet Characteristics . 89 3.1.6.2 C&C Mechanisms in Mobile Botnet .
Load more

Recommended publications
  • S. Shiaeles: Real Time Detection and Response of Distributed Denial of Service Attacks for Web Services
    Contents Real time detection and response of distributed denial of service attacks for web services A thesis submitted for the degree of Doctor of Philosophy by Stavros Shiaeles Democritus University of Thrace Department of Electrical and Computer Engineering Xanthi, October 2013 i Contents Copyright ©2013 Stavros Shiaeles Democritus University of Thrace Department of Electrical and Computer Engineering Building A, ECE, University Campus – Kimmeria, 67100 Xanthi, Greece All rights reserved. No parts of this book may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author. ii Contents I would like to dedicate this thesis to my parents. iii Contents iv Contents Contents Advising Committee of this Doctoral Thesis .................................... ix Approved by the Examining Committee .......................................... xi Acknowledgements ........................................................................ xiii Abstract ......................................................................................... xv Extended Abstract in Greek (Περίληψη) ......................................... xvii List of Figures ................................................................................ xxiii List of Tables .................................................................................. xxv Abbreviations ................................................................................. xxvii Chapter 1: Introduction
    [Show full text]
  • Festi Botnet Analysis and Investigation
    Festi botnet analysis and investigation Aleksandr Matrosov, Eugene Rodionov Keywords: Festi, spam, botnet, rootkit, DDoS, OOP, HIPS, firewall Abstract. The botnet Festi has been in business since the autumn of 2009 and is currently one of the most powerful and active botnets for sending spam and performing DDoS attacks [1]. Festi is an interesting and untypical malware family implementing rootkit functionality with strong protection against reverse engineering and forensic analysis. It is capable of bypassing sandboxes and automated trackers using some advanced techniques such as inserting timestamps in its communication protocol, detecting virtual machines, and subverting personal firewalls and HIPS systems [2]. The bot consists of two parts: the dropper, and the main module, the kernel-mode driver, which is detected by ESET as Win32/Rootkit.Festi. The malware's kernel-mode driver implements backdoor functionality and is capable of: – Updating configuration data from the C&C (command and control server); – Downloading additional dedicated plugins. In our presentation we will concentrate on the latest Festi botnet update from June 2012 and offer comprehensive information gleaned from our investigations, furnishing details on developers of the botnet and reverse engineering of the bot’s main components – the kernel-mode driver and the plugins (DDoS, Spam). The presentation starts with a description of our investigation and an account of how the Festi botnet evolved over time. We will present a binary analysis kernel-mode driver and downloaded plugins – volatile kernel-mode modules which aren’t saved on any storage device in the system, but in memory, making forensic analysis of the malware significantly more difficult.
    [Show full text]
  • Mcafee Threats Report: Third Quarter 2012
    Report McAfee Threats Report: Third Quarter 2012 By McAfee Labs Table of Contents Operation High Roller 4 Dynamically hiding the evidence 5 Links to European and Asia-Pacific campaigns 6 Mobile Malware 7 General Malware Threats 9 Ransomware 15 Network Threats 16 Database Security 19 Web Threats 20 Phishing 23 Spam URLs 25 Messaging Threats 25 Spam volume 26 Botnet breakdowns 28 New botnet senders 29 Drug spam a popular subject 32 Cybercrime 33 Demanding ransom 33 Crimeware tools 34 Actions against cybercriminals 35 Hacktivism 36 A touch of cyberwarfare 37 About the Authors 39 About McAfee Labs 39 About McAfee 39 2 McAfee Threats Report: Third Quarter 2012 Threat analysis, in many ways, is equal parts art and science. At McAfee Labs we try to apply as much math and analytical rigor to our analysis as we can, but we often cannot see the whole picture. We must also interpret and surmise many things. German philosopher Friedrich Nietzsche wrote “There are no facts, only interpretations.” This bit of wisdom strikes us as quite relevant to analyzing threats. Depending on one’s perspective, threats can mean many things. Spam, for example, looks like it’s on a steady decline when viewed globally, but when looked at locally or by country we see tremendous variations. The same can be said of many threat vectors we analyze in this edition of the McAfee Threats Report: One’s perspective makes all the difference. The trends within the threats landscape seem at times akin to predicting weather patterns or stock prices. We know they will go up and they will go down.
    [Show full text]
  • Botnet Detection Techniques: Review, Future Trends, and Issues*
    Karim et al. / J Zhejiang Univ-Sci C (Comput & Electron) 2014 15(11):943-983 943 Journal of Zhejiang University-SCIENCE C (Computers & Electronics) ISSN 1869-1951 (Print); ISSN 1869-196X (Online) www.zju.edu.cn/jzus; www.springerlink.com E-mail: [email protected] Review: Botnet detection techniques: review, future trends, and issues* Ahmad KARIM†1, Rosli Bin SALLEH1, Muhammad SHIRAZ1, Syed Adeel Ali SHAH1, Irfan AWAN2, Nor Badrul ANUAR1 (1Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia) (2Department of Computer Science, University of Bradford, Bradford BD7 1DP, UK) †E-mail: [email protected] Received Aug. 31, 2013; Revision accepted Jan. 23, 2014; Crosschecked Oct. 15, 2014 Abstract: In recent years, the Internet has enabled access to widespread remote services in the distributed computing envi- ronment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research.
    [Show full text]
  • Internet Security Threat Report 2014
    2013 Trends, Volume 19, Published April 2014 INTERNET SECURITY THREAT REPORT 2014 INTERNET SECURITY THREAT REPORT 2014 Distributed By Foreword As Secretary-General of the International Telecommunication Union (ITU), it gives me great pleasure to present the 2014 edition of Symantec’s Internet Security Threat Report. Technology is ever-evolving and criminals continue to devise new cyberthreats. An important element in effectively countering cyber-threats is to have an accurate and adequate picture of the profile of such threats, their evolution and their impact. ITU’s ongoing commitment to partner with Symantec on distributing these important security reports developed by Symantec illustrates our aim to help our 193 Member States and over 700 private sector members better assess the growing nature of online threats, and to create a safer and more secure cyberspace for consumers, businesses and, most significantly, children and youth online. This overview and analysis of global threat activity for the year 2013 reveals the ways in which the cyber-threat landscape is evolving. It compiles information from more than 41.5 million attack sensors in 157 countries around the world. I believe that the findings from this report will enable us all to be better prepared in our efforts to create a more protected, safe and trustworthy online environment. Dr. Hamadoun I. Touré Secretary General, ITU ITU 2013 Trends, Volume 19, Published April 2014 INTERNET SECURITY THREAT REPORT 2014 p. 2 Symantec Corporation Internet Security Threat Report 2014 ::
    [Show full text]
  • Festi Botnet Analysis
    King of Spam: Festi Botnet Analysis Eugene Rodionov Malware Researcher Aleksandr Matrosov Security Intelligence Team Lead Table of Contents Introduction .................................................................................................................................................. 3 Investigation.................................................................................................................................................. 4 Win32/Festi architecture .............................................................................................................................. 9 Configuration information .......................................................................................................................... 10 OOP Framework .......................................................................................................................................... 11 Managing plugins ........................................................................................................................................ 12 Built in plugins ......................................................................................................................................... 13 Configuration manager ....................................................................................................................... 13 Plugin manager ................................................................................................................................... 14 Network Communication ...........................................................................................................................
    [Show full text]
  • A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection
    A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection A Thesis Presented in Partial Fulfillment of the Requirements for the Degree of Master of Science with a Major in Computer Science in the College of Graduate Studies University of Idaho by Maxine Major Major Professor: Jim Alves-Foss, Ph.D. Committee Members: Daniel Conte de Leon, Ph.D.; Sara Eftekharnejad, Ph.D. Department Administrator: Gregory Donohoe, Ph.D. July 2015 ii Authorization to Submit Thesis This Thesis of Maxine Major, submitted for the degree of Master of Science with a ma- jor in Computer Science and titled \A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection", has been reviewed in final form. Permission, as indicated by the signatures and dates given below, is now granted to submit final copies to the College of Graduate Studies for approval. Major Professor Date Jim Alves-Foss, Ph.D. Committee Members Date Daniel Conte de Leon, Ph.D. Date Sara Eftekharnejad, Ph.D. Computer Science Department Administrator Date Gregory Donohoe, Ph.D. iii Abstract Increased inter-connectivity between cyber and cyber-physical systems increases the danger of Advanced Persistent Threat (APT) cyber attacks, against which perimeter-focused defenses are no longer sufficient. Rootkits are debatably the most important piece of malicious software to the success of an APT. Rootkits are are often planted through social engineering, which intend to bypass perimeter{focused defenses. APTs, the most dangerous of cyber attacks, is facilitated by one of the least-detected attack methods. In order to further the practice of detecting rootkits and aid with early detection, this thesis presents a taxonomy of rootkit activities through each stage of installation and exploita- tion.
    [Show full text]